nextcloud nginx fixes

2026-02-06 22:23:16 -06:00
parent d7191f7a02
commit 661629924e
4 changed files with 162 additions and 72 deletions
--- a/hosts/vps/nginx-nextcloud.nix
+++ b/hosts/vps/nginx-nextcloud.nix
@@ -0,0 +1,116 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.servers.nextcloud;
+in
+{
+  config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
+    services.nginx.virtualHosts.${cfg.host} = {
+      forceSSL = true;
+      enableACME = true;
+      http2 = true;
+      default = true;
+      serverAliases = [ "cloud.rotehaare.art" ];
+      extraConfig = ''
+        index index.php index.html /index.php$request_uri;
+        add_header X-Content-Type-Options nosniff always;
+        add_header X-Robots-Tag "noindex, nofollow" always;
+        add_header X-Permitted-Cross-Domain-Policies none always;
+        add_header X-Frame-Options SAMEORIGIN always;
+        add_header Referrer-Policy no-referrer always;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+      '';
+      locations = {
+        "= /robots.txt" = {
+          priority = 100;
+          extraConfig = ''
+            allow all;
+            access_log off;
+          '';
+        };
+        "= /" = {
+          priority = 100;
+          proxyPass = cfg.local;
+          proxyWebsockets = true;
+          extraConfig = ''
+            if ( $http_user_agent ~ ^DavClnt ) {
+              return 302 /remote.php/webdav/$is_args$args;
+            }
+          '';
+        };
+        "= /.well-known/carddav" = {
+          priority = 210;
+          extraConfig = ''
+            return 301 /remote.php/dav/;
+          '';
+        };
+        "= /.well-known/caldav" = {
+          priority = 210;
+          extraConfig = ''
+            return 301 /remote.php/dav/;
+          '';
+        };
+        "~ ^/\\.well-known/(?!acme-challenge|pki-validation)" = {
+          priority = 210;
+          extraConfig = ''
+            return 301 /index.php$request_uri;
+          '';
+        };
+        "^~ /.well-known" = {
+          priority = 210;
+          extraConfig = ''
+            try_files $uri $uri/ =404;
+          '';
+        };
+        "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = {
+          priority = 450;
+          extraConfig = ''
+            return 404;
+          '';
+        };
+        "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
+          priority = 450;
+          extraConfig = ''
+            return 404;
+          '';
+        };
+        "~ \\.php(?:$|/)" = {
+          priority = 500;
+          proxyPass = cfg.local;
+          proxyWebsockets = true;
+          extraConfig = ''
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+          '';
+        };
+        "~ \\.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|html|ttf|bcmap|mp4|webm|ogg|flac)$" =
+          {
+            proxyPass = cfg.local;
+            extraConfig = ''
+              expires 6M;
+              access_log off;
+            '';
+          };
+        "~ ^\\/(?:updater|ocs-provider)(?:$|\\/)" = {
+          proxyPass = cfg.local;
+          extraConfig = ''
+            try_files $uri/ =404;
+            index index.php;
+          '';
+        };
+        "/remote" = {
+          priority = 1500;
+          extraConfig = ''
+            return 301 /remote.php$request_uri;
+          '';
+        };
+        "/" = {
+          priority = 1600;
+          proxyPass = cfg.local;
+          proxyWebsockets = true;
+          extraConfig = ''
+            try_files $uri $uri/ /index.php$request_uri;
+          '';
+        };
+      };
+    };
+  };
+}