jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

nextcloud nginx fixes

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-06 22:23:16 -06:00
parent d7191f7a02
commit 661629924e
4 changed files with 162 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/vps/configuration.nix
View File

@@ -42,6 +42,7 @@ in
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./nginx-nextcloud.nix
../../config/base.nix ../../config/base.nix
]; ];
my = import ./toggles.nix { inherit config inputs; } // { my = import ./toggles.nix { inherit config inputs; } // {

116
hosts/vps/nginx-nextcloud.nix Normal file
View File

@@ -0,0 +1,116 @@
{ config, lib, ... }:
let
cfg = config.my.servers.nextcloud;
in
{
config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
services.nginx.virtualHosts.${cfg.host} = {
forceSSL = true;
enableACME = true;
http2 = true;
default = true;
serverAliases = [ "cloud.rotehaare.art" ];
extraConfig = ''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header X-Frame-Options SAMEORIGIN always;
add_header Referrer-Policy no-referrer always;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
locations = {
"= /robots.txt" = {
priority = 100;
extraConfig = ''
allow all;
access_log off;
'';
};
"= /" = {
priority = 100;
proxyPass = cfg.local;
proxyWebsockets = true;
extraConfig = ''
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
'';
};
"= /.well-known/carddav" = {
priority = 210;
extraConfig = ''
return 301 /remote.php/dav/;
'';
};
"= /.well-known/caldav" = {
priority = 210;
extraConfig = ''
return 301 /remote.php/dav/;
'';
};
"~ ^/\\.well-known/(?!acme-challenge|pki-validation)" = {
priority = 210;
extraConfig = ''
return 301 /index.php$request_uri;
'';
};
"^~ /.well-known" = {
priority = 210;
extraConfig = ''
try_files $uri $uri/ =404;
'';
};
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = {
priority = 450;
extraConfig = ''
return 404;
'';
};
"~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
priority = 450;
extraConfig = ''
return 404;
'';
};
"~ \\.php(?:$|/)" = {
priority = 500;
proxyPass = cfg.local;
proxyWebsockets = true;
extraConfig = ''
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
'';
};
"~ \\.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|html|ttf|bcmap|mp4|webm|ogg|flac)$" =
{
proxyPass = cfg.local;
extraConfig = ''
expires 6M;
access_log off;
'';
};
"~ ^\\/(?:updater|ocs-provider)(?:$|\\/)" = {
proxyPass = cfg.local;
extraConfig = ''
try_files $uri/ =404;
index index.php;
'';
};
"/remote" = {
priority = 1500;
extraConfig = ''
return 301 /remote.php$request_uri;
'';
};
"/" = {
priority = 1600;
proxyPass = cfg.local;
proxyWebsockets = true;
extraConfig = ''
try_files $uri $uri/ /index.php$request_uri;
'';
};
};
};
};
}

2
hosts/vps/toggles.nix
View File

@@ -40,6 +40,7 @@ in
servers = servers =
enableList mkEnabledProxySocketIp [ enableList mkEnabledProxySocketIp [
"audiobookshelf" "audiobookshelf"
"collabora"
"jellyfin" "jellyfin"
"nextcloud" "nextcloud"
"plausible" "plausible"
@@ -47,7 +48,6 @@ in
] ]
// enableList mkEnabledProxyIp [ // enableList mkEnabledProxyIp [
"bazarr" "bazarr"
"collabora"
"gitea" "gitea"
"homepage" "homepage"
"isso" "isso"

115
modules/servers/nextcloud.nix
View File

@@ -256,78 +256,51 @@ in
}; };
}; };
}) })
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.networking.hostName == "vps") { (lib.mkIf (cfgC.enableProxy && config.my.enableProxy) {
services.nginx.virtualHosts = { services.nginx.virtualHosts.${cfgC.host} = {
"${cfg.host}" = { forceSSL = true;
forceSSL = true; enableACME = true;
enableACME = true; http2 = true;
http2 = true; locations = {
default = true; # static files
serverAliases = [ "cloud.rotehaare.art" ]; "^~ /browser" = {
extraConfig = '' proxyPass = cfgC.local;
add_header X-XSS-Protection "1; mode=block" always; extraConfig = commonProxyConfig;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
'';
locations = {
"/" = {
proxyPass = cfg.local;
proxyWebsockets = true;
};
}; };
}; # Legacy static files (for compatibility)
"${cfgC.host}" = lib.mkIf cfgC.enableProxy { "^~ /loleaflet" = {
forceSSL = true; proxyPass = cfgC.local;
enableACME = true; extraConfig = commonProxyConfig;
http2 = true; };
locations = { # WOPI discovery URL
# static files "^~ /hosting/discovery" = {
"^~ /browser" = { proxyPass = cfgC.local;
proxyPass = cfgC.local; extraConfig = commonProxyConfig;
extraConfig = commonProxyConfig; };
}; # Capabilities
# Legacy static files (for compatibility) "^~ /hosting/capabilities" = {
"^~ /loleaflet" = { proxyPass = cfgC.local;
proxyPass = cfgC.local; extraConfig = commonProxyConfig;
extraConfig = commonProxyConfig; };
}; # download, presentation, image upload and websocket
# WOPI discovery URL "~ ^/cool" = {
"^~ /hosting/discovery" = { proxyPass = cfgC.local;
proxyPass = cfgC.local; extraConfig = commonWebsocketConfig;
extraConfig = commonProxyConfig; };
}; # Legacy websocket (for compatibility)
# Capabilities "~ ^/lool" = {
"^~ /hosting/capabilities" = { proxyPass = cfgC.local;
proxyPass = cfgC.local; extraConfig = commonWebsocketConfig;
extraConfig = commonProxyConfig; };
}; # Admin Console websocket
# download, presentation, image upload and websocket "^~ /cool/adminws" = {
"~ ^/cool" = { proxyPass = cfgC.local;
proxyPass = cfgC.local; extraConfig = commonWebsocketConfig;
extraConfig = commonWebsocketConfig; };
}; # Legacy Admin Console websocket (for compatibility)
# Legacy websocket (for compatibility) "^~ /lool/adminws" = {
"~ ^/lool" = { proxyPass = cfgC.local;
proxyPass = cfgC.local; extraConfig = commonWebsocketConfig;
extraConfig = commonWebsocketConfig;
};
# Admin Console websocket
"^~ /cool/adminws" = {
proxyPass = cfgC.local;
extraConfig = commonWebsocketConfig;
};
# Legacy Admin Console websocket (for compatibility)
"^~ /lool/adminws" = {
proxyPass = cfgC.local;
extraConfig = commonWebsocketConfig;
};
}; };
}; };
}; };