nextcloud nginx fixes
This commit is contained in:
Danilo Reyes
@@ -42,6 +42,7 @@ in
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./nginx-nextcloud.nix
|
||||
../../config/base.nix
|
||||
];
|
||||
my = import ./toggles.nix { inherit config inputs; } // {
|
||||
|
||||
116
hosts/vps/nginx-nextcloud.nix
Normal file
116
hosts/vps/nginx-nextcloud.nix
Normal file
@@ -0,0 +1,116 @@
|
||||
{ config, lib, ... }:
|
||||
let
|
||||
cfg = config.my.servers.nextcloud;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
|
||||
services.nginx.virtualHosts.${cfg.host} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
http2 = true;
|
||||
default = true;
|
||||
serverAliases = [ "cloud.rotehaare.art" ];
|
||||
extraConfig = ''
|
||||
index index.php index.html /index.php$request_uri;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies none always;
|
||||
add_header X-Frame-Options SAMEORIGIN always;
|
||||
add_header Referrer-Policy no-referrer always;
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
'';
|
||||
locations = {
|
||||
"= /robots.txt" = {
|
||||
priority = 100;
|
||||
extraConfig = ''
|
||||
allow all;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
"= /" = {
|
||||
priority = 100;
|
||||
proxyPass = cfg.local;
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
if ( $http_user_agent ~ ^DavClnt ) {
|
||||
return 302 /remote.php/webdav/$is_args$args;
|
||||
}
|
||||
'';
|
||||
};
|
||||
"= /.well-known/carddav" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
return 301 /remote.php/dav/;
|
||||
'';
|
||||
};
|
||||
"= /.well-known/caldav" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
return 301 /remote.php/dav/;
|
||||
'';
|
||||
};
|
||||
"~ ^/\\.well-known/(?!acme-challenge|pki-validation)" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
return 301 /index.php$request_uri;
|
||||
'';
|
||||
};
|
||||
"^~ /.well-known" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
try_files $uri $uri/ =404;
|
||||
'';
|
||||
};
|
||||
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = {
|
||||
priority = 450;
|
||||
extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
};
|
||||
"~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
|
||||
priority = 450;
|
||||
extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
};
|
||||
"~ \\.php(?:$|/)" = {
|
||||
priority = 500;
|
||||
proxyPass = cfg.local;
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
|
||||
'';
|
||||
};
|
||||
"~ \\.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|html|ttf|bcmap|mp4|webm|ogg|flac)$" =
|
||||
{
|
||||
proxyPass = cfg.local;
|
||||
extraConfig = ''
|
||||
expires 6M;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
"~ ^\\/(?:updater|ocs-provider)(?:$|\\/)" = {
|
||||
proxyPass = cfg.local;
|
||||
extraConfig = ''
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
'';
|
||||
};
|
||||
"/remote" = {
|
||||
priority = 1500;
|
||||
extraConfig = ''
|
||||
return 301 /remote.php$request_uri;
|
||||
'';
|
||||
};
|
||||
"/" = {
|
||||
priority = 1600;
|
||||
proxyPass = cfg.local;
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
try_files $uri $uri/ /index.php$request_uri;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -40,6 +40,7 @@ in
|
||||
servers =
|
||||
enableList mkEnabledProxySocketIp [
|
||||
"audiobookshelf"
|
||||
"collabora"
|
||||
"jellyfin"
|
||||
"nextcloud"
|
||||
"plausible"
|
||||
@@ -47,7 +48,6 @@ in
|
||||
]
|
||||
// enableList mkEnabledProxyIp [
|
||||
"bazarr"
|
||||
"collabora"
|
||||
"gitea"
|
||||
"homepage"
|
||||
"isso"
|
||||
|
||||
Reference in New Issue
Block a user