dotfiles/modules/nixos/services/nextcloud.nix

# NixOS module: Nextcloud served through Caddy instead of the nginx vhost that
# the upstream module generates. Everything below is gated on
# services.nextcloud.enable. Options such as `secrets.*`, `hostnames.*`,
# `caddy.routes`, `prometheus.*`, `user` and `secretsDirectory` are custom
# options declared elsewhere in this repository, not upstream NixOS options.
{ config, pkgs, lib, ... }: {
  config = lib.mkIf config.services.nextcloud.enable {
    services.nextcloud = {
      package = pkgs.nextcloud28; # Required to specify
      configureRedis = true;
      # Data lives outside the webroot, so the "/data/*" deny rule in the Caddy
      # routes below only guards the URL path, not this directory.
      datadir = "/data/nextcloud";
      database.createLocally = true;
      # Generate https links; TLS itself is presumably terminated by Caddy
      # (see the HSTS header set in caddy.routes).
      https = true;
      # Name of the generated nginx virtualHost. nginx is disabled further
      # down; the vhost is only evaluated to reuse its webroot path.
      # The public name is added via trusted_domains instead.
      hostName = "localhost";
      maxUploadSize = "50G";
      config = {
        # Path to the decrypted admin password (secrets.nextcloud below).
        adminpassFile = config.secrets.nextcloud.dest;
        dbtype = "pgsql";
      };
      settings = {
        default_phone_region = "US";
        # Allow access when hitting either of these hosts or IPs
        trusted_domains = [ config.hostnames.content ];
        # Only the local Caddy instance may supply forwarded-for headers, so
        # a remote client cannot spoof its source address to Nextcloud.
        trusted_proxies = [ "127.0.0.1" ];
        maintenance_window_start = 4; # Run jobs at 4am UTC
      };
      extraAppsEnable = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        inherit calendar contacts;
        # These apps are defined and pinned by overlay in flake.
        news = pkgs.nextcloudApps.news;
        external = pkgs.nextcloudApps.external;
        cookbook = pkgs.nextcloudApps.cookbook;
        snappymail = pkgs.nextcloudApps.snappymail;
      };
      # PHP tuning; values are passed through to php.ini as strings.
      phpOptions = {
        "opcache.interned_strings_buffer" = "16";
        "output_buffering" = "0";
      };
    };
    # Don't let Nginx use main ports (using Caddy instead)
    services.nginx.enable = false;
    # The php-fpm socket is owned by Caddy's user/group so the reverse_proxy
    # fastcgi handler below can connect to it.
    services.phpfpm.pools.nextcloud.settings = {
      "listen.owner" = config.services.caddy.user;
      "listen.group" = config.services.caddy.group;
    };
    # Caddy needs group access to the Nextcloud webroot/state directory.
    users.users.caddy.extraGroups = [ "nextcloud" ];
    # Point Caddy at the Nextcloud webroot and the php-fpm socket; nginx itself
    # stays disabled. Route order inside the subroute matters: deny rules must
    # come before the PHP proxy and the file_server catch-all.
    caddy.routes = [{
      match = [{ host = [ config.hostnames.content ]; }];
      handle = [{
        handler = "subroute";
        routes = [
          # Sets variables and headers
          {
            handle = [
              {
                handler = "vars";
                # Grab the webroot out of the written config
                # The webroot is a symlinked combined Nextcloud directory
                root =
                  config.services.nginx.virtualHosts.${config.services.nextcloud.hostName}.root;
              }
              {
                handler = "headers";
                # One-year HSTS for this host only; the value carries no
                # includeSubDomains or preload directive.
                response.set.Strict-Transport-Security =
                  [ "max-age=31536000;" ];
              }
            ];
          }
          # Reroute carddav and caldav traffic
          {
            match =
              [{ path = [ "/.well-known/carddav" "/.well-known/caldav" ]; }];
            handle = [{
              handler = "static_response";
              headers = { Location = [ "/remote.php/dav" ]; };
              status_code = 301;
            }];
          }
          # Block traffic to sensitive files
          # Path denylist mirroring the Caddy snippet from the Nextcloud docs;
          # answered with 404 so the paths are not distinguishable from missing
          # files. Must precede the PHP and file_server routes below.
          {
            match = [{
              path = [
                "/.htaccess"
                "/data/*"
                "/config/*"
                "/db_structure"
                "/.xml"
                "/README"
                "/3rdparty/*"
                "/lib/*"
                "/templates/*"
                "/occ"
                "/console.php"
              ];
            }];
            handle = [{
              handler = "static_response";
              status_code = 404;
            }];
          }
          # Redirect index.php to the homepage
          # (directory requests without a trailing slash get a 308 to the
          # slash-terminated path when <path>/index.php exists)
          {
            match = [{
              file = { try_files = [ "{http.request.uri.path}/index.php" ]; };
              not = [{ path = [ "*/" ]; }];
            }];
            handle = [{
              handler = "static_response";
              headers = { Location = [ "{http.request.orig_uri.path}/" ]; };
              status_code = 308;
            }];
          }
          # Rewrite paths to be relative
          {
            match = [{
              file = {
                split_path = [ ".php" ];
                try_files = [
                  "{http.request.uri.path}"
                  "{http.request.uri.path}/index.php"
                  "index.php"
                ];
              };
            }];
            handle = [{
              handler = "rewrite";
              uri = "{http.matchers.file.relative}";
            }];
          }
          # Send all PHP traffic to Nextcloud PHP service
          {
            match = [{ path = [ "*.php" ]; }];
            handle = [{
              handler = "reverse_proxy";
              transport = {
                protocol = "fastcgi";
                split_path = [ ".php" ];
              };
              # Unix socket from the phpfpm pool configured above.
              upstreams = [{ dial = "unix//run/phpfpm/nextcloud.sock"; }];
            }];
          }
          # Finally, send the rest to the file server
          { handle = [{ handler = "file_server"; }]; }
        ];
      }];
      terminal = true;
    }];
    # Create credentials file for nextcloud
    # Group-readable (0440) so members of the nextcloud group, including the
    # prometheus exporter user added below, can read the admin password.
    secrets.nextcloud = {
      source = ../../../private/nextcloud.age;
      dest = "${config.secretsDirectory}/nextcloud";
      owner = "nextcloud";
      group = "nextcloud";
      permissions = "0440";
    };
    # The decrypted password must exist before nextcloud-setup runs.
    systemd.services.nextcloud-secret = {
      requiredBy = [ "nextcloud-setup.service" ];
      before = [ "nextcloud-setup.service" ];
    };
    # Grant user access to Nextcloud directories
    users.users.${config.user}.extraGroups = [ "nextcloud" ];
    # Open to groups, allowing for backups
    # Note: this makes the state directory group-writable, so every member of
    # the nextcloud group (caddy, the exporter, the user above) gets full
    # access to it.
    systemd.services.phpfpm-nextcloud.serviceConfig.StateDirectoryMode =
      lib.mkForce "0770";
    # Log metrics to prometheus
    # Resolve the public hostname to loopback so the exporter reaches the
    # local Caddy instance rather than going out to the network.
    networking.hosts."127.0.0.1" = [ config.hostnames.content ];
    services.prometheus.exporters.nextcloud = {
      enable = config.prometheus.exporters.enable;
      username = config.services.nextcloud.config.adminuser;
      url = "https://${config.hostnames.content}";
      passwordFile = config.services.nextcloud.config.adminpassFile;
    };
    prometheus.scrapeTargets = [
      "127.0.0.1:${
        builtins.toString config.services.prometheus.exporters.nextcloud.port
      }"
    ];
    # Allows nextcloud-exporter to read passwordFile
    # (only granted while the exporter is actually enabled)
    users.users.nextcloud-exporter.extraGroups =
      lib.mkIf config.services.prometheus.exporters.nextcloud.enable
      [ "nextcloud" ];
  };
}