NixOS/hosts/vps/nginx-nextcloud.nix

{ config, lib, ... }:
let
  cfg = config.my.servers.nextcloud;
in
{
  config = lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
    services.nginx.virtualHosts.${cfg.host} = {
      forceSSL = true;
      enableACME = true;
      http2 = true;
      default = true;
      serverAliases = [ "cloud.rotehaare.art" ];
      extraConfig = ''
        index index.php index.html /index.php$request_uri;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Robots-Tag "noindex, nofollow" always;
        add_header X-Permitted-Cross-Domain-Policies none always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header Referrer-Policy no-referrer always;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      '';
      locations = {
        "= /robots.txt" = {
          priority = 100;
          extraConfig = ''
            allow all;
            access_log off;
          '';
        };
        "= /" = {
          priority = 100;
          proxyPass = cfg.local;
          proxyWebsockets = true;
          extraConfig = ''
            if ( $http_user_agent ~ ^DavClnt ) {
              return 302 /remote.php/webdav/$is_args$args;
            }
          '';
        };
        "= /.well-known/carddav" = {
          priority = 210;
          extraConfig = ''
            return 301 /remote.php/dav/;
          '';
        };
        "= /.well-known/caldav" = {
          priority = 210;
          extraConfig = ''
            return 301 /remote.php/dav/;
          '';
        };
        "~ ^/\\.well-known/(?!acme-challenge|pki-validation)" = {
          priority = 210;
          extraConfig = ''
            return 301 /index.php$request_uri;
          '';
        };
        "^~ /.well-known" = {
          priority = 210;
          extraConfig = ''
            try_files $uri $uri/ =404;
          '';
        };
        "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = {
          priority = 450;
          extraConfig = ''
            return 404;
          '';
        };
        "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
          priority = 450;
          extraConfig = ''
            return 404;
          '';
        };
        "~ \\.php(?:$|/)" = {
          priority = 500;
          proxyPass = cfg.local;
          proxyWebsockets = true;
          extraConfig = ''
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
          '';
        };
        "~ \\.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|html|ttf|bcmap|mp4|webm|ogg|flac)$" =
          {
            proxyPass = cfg.local;
            extraConfig = ''
              expires 6M;
              access_log off;
            '';
          };
        "~ ^\\/(?:updater|ocs-provider)(?:$|\\/)" = {
          proxyPass = cfg.local;
          extraConfig = ''
            try_files $uri/ =404;
            index index.php;
          '';
        };
        "/remote" = {
          priority = 1500;
          extraConfig = ''
            return 301 /remote.php$request_uri;
          '';
        };
        "/" = {
          priority = 1600;
          proxyPass = cfg.local;
          proxyWebsockets = true;
          extraConfig = ''
            try_files $uri $uri/ /index.php$request_uri;
          '';
        };
      };
    };
  };
}