diff --git a/modules/servers/nextcloud.nix b/modules/servers/nextcloud.nix
index e87f9e9..e929857 100644
--- a/modules/servers/nextcloud.nix
+++ b/modules/servers/nextcloud.nix
@@ -52,116 +52,138 @@ in "nodejs-14.21.3" "openssl-1.1.1v" ]; - users.groups.nextcloud = { inherit gid; }; - users.users.nextcloud = { - inherit uid; - isSystemUser = true; - group = "nextcloud"; - extraGroups = [ "render" ]; - packages = builtins.attrValues { - inherit exiftool pytensorflow; - inherit (pkgs) - ffmpeg - mediainfo - nodejs - perl - ; + users = { + groups.nextcloud = { inherit gid; }; + users.nextcloud = { + inherit uid; + isSystemUser = true; + group = "nextcloud"; + extraGroups = [ "render" ]; + packages = builtins.attrValues { + inherit exiftool pytensorflow; + inherit (pkgs) + ffmpeg + mediainfo + nodejs + perl + ; + }; }; }; - services.nextcloud = { - enable = true; - https = false; # vps - package = pkgs.nextcloud32; - appstoreEnable = true; - configureRedis = true; - extraAppsEnable = true; - enableImagemagick = true; - maxUploadSize = "4096M"; - hostName = cfg.host; - caching = { - redis = true; - memcached = true; - apcu = true; - }; - config = { - adminpassFile = config.sops.secrets.nextcloud-adminpass.path; - dbtype = "pgsql"; - dbhost = config.my.postgresSocket; - dbname = "nextcloud"; - }; - phpOptions = { - catch_workers_output = "yes"; - display_errors = "stderr"; - error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; - expose_php = "Off"; - preview_max_x = 2048; - preview_max_y = 2048; - short_open_tag = "Off"; - "opcache.enable_cli" = "1"; - "opcache.fast_shutdown" = "1"; - "opcache.interned_strings_buffer" = "16"; - "opcache.jit" = "1255"; - "opcache.jit_buffer_size" = "256M"; - "opcache.max_accelerated_files" = "10000"; - "opcache.huge_code_pages" = "1"; - "opcache.enable_file_override" = "1"; - "opcache.memory_consumption" = "256"; - "opcache.revalidate_freq" = "60"; - "opcache.save_comments" = "1"; - "opcache.validate_timestamps" = "0"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - }; - settings = { - log_type = "file"; - loglevel = 1; - trusted_proxies = [ - config.my.localhost - config.my.localhost6 - 
config.my.ips.router - config.my.ips.wg-vps + services = { + nextcloud = { + enable = true; + https = false; # vps + package = pkgs.nextcloud32; + appstoreEnable = true; + configureRedis = true; + extraAppsEnable = true; + enableImagemagick = true; + maxUploadSize = "4096M"; + hostName = cfg.host; + caching = { + redis = true; + memcached = true; + apcu = true; + }; + config = { + adminpassFile = config.sops.secrets.nextcloud-adminpass.path; + dbtype = "pgsql"; + dbhost = config.my.postgresSocket; + dbname = "nextcloud"; + }; + phpOptions = { + catch_workers_output = "yes"; + display_errors = "stderr"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + expose_php = "Off"; + preview_max_x = 2048; + preview_max_y = 2048; + short_open_tag = "Off"; + "opcache.enable_cli" = "1"; + "opcache.fast_shutdown" = "1"; + "opcache.interned_strings_buffer" = "16"; + "opcache.jit" = "1255"; + "opcache.jit_buffer_size" = "256M"; + "opcache.max_accelerated_files" = "10000"; + "opcache.huge_code_pages" = "1"; + "opcache.enable_file_override" = "1"; + "opcache.memory_consumption" = "256"; + "opcache.revalidate_freq" = "60"; + "opcache.save_comments" = "1"; + "opcache.validate_timestamps" = "0"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + }; + settings = { + log_type = "file"; + loglevel = 1; + trusted_proxies = [ + config.my.localhost + config.my.localhost6 + config.my.ips.router + config.my.ips.wg-vps + ]; + trusted_domains = [ + cfg.host + config.my.ips.${config.networking.hostName} + "localhost" + "cloud.rotehaare.art" + ]; + overwriteprotocol = "https"; + "overwrite.cli.url" = "${cfg.url}"; + forwarded_for_headers = [ "HTTP_X_FORWARDED_FOR" ]; + default_phone_region = "MX"; + allow_local_remote_servers = true; + mail_smtpmode = "sendmail"; + mail_sendmailmode = "pipe"; + preview_ffmpeg_path = "${pkgs.ffmpeg}/bin/ffmpeg"; + "memories.exiftool" = "${exiftool}/bin/exiftool"; + "memories.ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg"; + "memories.ffprobe_path" = 
"${pkgs.ffmpeg}/bin/ffprobe"; + enabledPreviewProviders = [ + "OC\\Preview\\AVI" + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\HEIC" + "OC\\Preview\\Image" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MKV" + "OC\\Preview\\MP3" + "OC\\Preview\\MP4" + "OC\\Preview\\MarkDown" + "OC\\Preview\\Movie" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TIFF" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + ]; + }; + phpExtraExtensions = all: [ + all.pdlib + all.bz2 ]; - trusted_domains = [ - cfg.host - config.my.ips.${config.networking.hostName} - "localhost" + }; + nginx.virtualHosts.${cfg.host} = { + forceSSL = false; + enableACME = false; + http2 = false; + serverAliases = [ + "cloud.servidos.lat" "cloud.rotehaare.art" ]; - overwriteprotocol = "https"; - "overwrite.cli.url" = "${cfg.url}"; - forwarded_for_headers = [ "HTTP_X_FORWARDED_FOR" ]; - default_phone_region = "MX"; - allow_local_remote_servers = true; - mail_smtpmode = "sendmail"; - mail_sendmailmode = "pipe"; - preview_ffmpeg_path = "${pkgs.ffmpeg}/bin/ffmpeg"; - "memories.exiftool" = "${exiftool}/bin/exiftool"; - "memories.ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg"; - "memories.ffprobe_path" = "${pkgs.ffmpeg}/bin/ffprobe"; - enabledPreviewProviders = [ - "OC\\Preview\\AVI" - "OC\\Preview\\BMP" - "OC\\Preview\\GIF" - "OC\\Preview\\HEIC" - "OC\\Preview\\Image" - "OC\\Preview\\JPEG" - "OC\\Preview\\Krita" - "OC\\Preview\\MKV" - "OC\\Preview\\MP3" - "OC\\Preview\\MP4" - "OC\\Preview\\MarkDown" - "OC\\Preview\\Movie" - "OC\\Preview\\OpenDocument" - "OC\\Preview\\PNG" - "OC\\Preview\\TIFF" - "OC\\Preview\\TXT" - "OC\\Preview\\XBitmap" + listen = [ + { + addr = config.my.ips.wg-server; + port = 8081; + } + { + addr = config.my.localhost; + port = 8081; + } ]; }; - phpExtraExtensions = all: [ - all.pdlib - all.bz2 - ]; - }; virtualisation.oci-containers.containers = { go-vod = lib.mkIf config.my.servers.go-vod.enable { 
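Review bot: The backend vhost added near the end of the hunk (`nginx.virtualHosts.${cfg.host}`) serves `cloud.servidos.lat` as an alias, but the new `trusted_domains` list holds only `cfg.host`, this host's own IP, `localhost` and `cloud.rotehaare.art`; unless `cfg.host` is itself `cloud.servidos.lat`, Nextcloud will answer requests arriving on that alias with its untrusted-domain page. Either add `"cloud.servidos.lat"` to `trusted_domains` or drop it from `serverAliases`. That vhost is also plain HTTP (`forceSSL = false`) on `wg-server`/`localhost` port 8081, and it is `overwriteprotocol = "https"` together with `trusted_proxies` containing `wg-vps` that makes the proxied scheme and client address trustworthy, so a comment above `listen` such as `# plain-HTTP backend: reachable only via WireGuard/localhost, fronted by the vps proxy` would record that assumption. The enclosing attribute set begins before the hunk.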
@@ -234,14 +256,14 @@ in
 };
 };
 })
- (lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
+ (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.networking.hostName == "vps") {
 my.servers.nextcloud.useDefaultProxy = false;
 services.nginx.virtualHosts = {
 "${cfg.host}" = {
- forceSSL = false;
- enableACME = false;
- http2 = false;
- default = false;
+ forceSSL = true;
+ enableACME = true;
+ http2 = true;
+ default = true;
 serverAliases = [ "cloud.rotehaare.art" ];
 extraConfig = ''
 add_header X-XSS-Protection "1; mode=block" always;
@@ -250,22 +272,17 @@ in
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
 '';
 locations = {
- "/".proxyWebsockets = true;
- "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
- { };
+ "/" = {
+ proxyPass = cfg.local;
+ proxyWebsockets = true;
+ };
 };
- listen = [
- {
- addr = config.my.ips.wg-server;
- port = 8081;
- }
- {
- addr = config.my.localhost;
- port = 8081;
- }
- ];
 };
 "${cfgC.host}" = lib.mkIf cfgC.enableProxy {
 forceSSL = true;
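Review bot: Flipping `default = true` on this proxy vhost makes it nginx's catch-all server block, so every request whose Host header matches no other vhost (including bare-IP scans) is forwarded upstream with that Host preserved by the `proxy_set_header Host $host` added in the following hunk, and Nextcloud's `trusted_domains` check becomes the only thing rejecting it. If the goal is just to own the TLS default, keep `default = false` here and let a minimal dedicated vhost take the default role; otherwise document the choice with `# default server: unmatched Host headers land here and are rejected by Nextcloud trusted_domains`. The `"vps"` literal in the `mkIf` condition is a hardcoded hostname; a short comment on why this proxy must only be built on that host, or an option in `cfg`, would make the intent clearer. The list this `mkIf` entry belongs to starts before the hunk.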
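Review bot: The new `"/"` location proxies to `cfg.local` but nothing in this vhost raises `client_max_body_size`, so uploads through the proxy are capped by nginx's default on this host even though the backend allows `maxUploadSize = "4096M"` (first hunk); unless it is configured elsewhere, add `client_max_body_size 4096M;` to `extraConfig` or set `services.nginx.clientMaxBodySize`. The added `X-Forwarded-For` uses `$proxy_add_x_forwarded_for`, which appends the client address to any header the client already sent rather than replacing it; this is acceptable only because the backend's `trusted_proxies` lists this proxy and leaves the choice of entry to Nextcloud's forwarded-header handling, which deserves a comment like `# appends to a client-supplied chain; backend trusts us via trusted_proxies`.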