dotfiles/modules/services/nextcloud.nix

93 lines
2.2 KiB
Nix

{ config, pkgs, lib, ... }:
let adminpassFile = "/var/lib/nextcloud/creds";
in {
imports = [ ./caddy.nix ../shell/age.nix ];
options = {
nextcloudServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for Nextcloud";
};
};
config = {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24; # Required to specify
https = true;
hostName = "localhost";
maxUploadSize = "50G";
config = {
adminpassFile = adminpassFile;
extraTrustedDomains = [ config.nextcloudServer ];
trustedProxies = [
# Cloudflare IPv4: https://www.cloudflare.com/ips-v4
"173.245.48.0/20"
"103.21.244.0/22"
"103.22.200.0/22"
"103.31.4.0/22"
"141.101.64.0/18"
"108.162.192.0/18"
"190.93.240.0/20"
"188.114.96.0/20"
"197.234.240.0/22"
"198.41.128.0/17"
"162.158.0.0/15"
"104.16.0.0/13"
"104.24.0.0/14"
"172.64.0.0/13"
"131.0.72.0/22"
# Cloudflare IPv6: https://www.cloudflare.com/ips-v6
"2400:cb00::/32"
"2606:4700::/32"
"2803:f800::/32"
"2405:b500::/32"
"2405:8100::/32"
"2a06:98c0::/29"
"2c0f:f248::/32"
];
};
};
# Don't let Nginx use main ports (using Caddy instead)
services.nginx.virtualHosts."localhost".listen = [{
addr = "127.0.0.1";
port = 8080;
}];
caddyRoutes = [{
match = [{ host = [ config.nextcloudServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8080"; }];
}];
}];
# Create credentials files
system.activationScripts.nextcloud = {
deps = [ "age" ];
text = ''
if [ ! -f "${adminpassFile}" ]; then
$DRY_RUN_CMD mkdir --parents $VERBOSE_ARG $(dirname ${adminpassFile})
$DRY_RUN_CMD ${pkgs.age}/bin/age --decrypt \
--identity ${config.identityFile} \
--output ${adminpassFile} \
${builtins.toString ../../private/nextcloud.age}
$DRY_RUN_CMD chown nextcloud:nextcloud ${adminpassFile}
fi
'';
};
};
}