feat: moved nginx to extra flake

flake.lock

@@ -974,12 +974,12 @@
         "pre-commit-hooks": "pre-commit-hooks_2"
       },
       "locked": {
-        "dirtyRev": "f4a871a401059ff0662ef86a059742d47d45a5bc-dirty",
-        "dirtyShortRev": "f4a871a-dirty",
-        "lastModified": 1703274528,
-        "narHash": "sha256-3bmxjxILyOrmjPYJvGZqcBgQPPgUd2cIxFAbvmag0kE=",
-        "type": "git",
-        "url": "file:///home/patrick/repos/nix/nixos-extra-modules"
+        "lastModified": 1703537346,
+        "narHash": "sha256-uHS8w7HzkPyPh4K2L0U13A0IUeSI9yugYXgK8xz+CyA=",
+        "owner": "oddlama",
+        "repo": "nixos-extra-modules",
+        "rev": "4daf3ffd02f7cfb1c9a3c8c95bec21dd078ab26f",
+        "type": "github"
       },
       "original": {
         "owner": "oddlama",

lib/containers.nix

@@ -7,7 +7,6 @@ inputs: _self: super: {
           {
             config = {
               imports = [
-                ../modules/services/nginx.nix
                 ../modules/config
               ];
               node.name = name;

modules/services/nextcloud.nix

@@ -7,15 +7,17 @@
 } @ attrs: let
   hostName = "nc.${config.secrets.secrets.global.domains.mail}";
 in {
-  imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
+  imports = [./containers.nix ./ddclient.nix ./acme.nix];
   services.nginx = {
     enable = true;
+    recommendedSetup = true;
     upstreams.nextcloud = {
       servers."192.168.178.33:80" = {};
 
       extraConfig = ''
         zone nextcloud 64k ;
         keepalive 5 ;
+        client_max_body_size 4G ;
       '';
     };
     virtualHosts.${hostName} = {
@@ -34,6 +36,7 @@ in {
       pkgs,
       ...
     }: {
+      #TODO enable recommended nginx setup
       systemd.network.networks = {
         "lan01" = {
           address = ["192.168.178.33/24"];
@@ -57,7 +60,7 @@ in {
       services.nextcloud = {
         inherit hostName;
         enable = true;
-        package = pkgs.nextcloud27;
+        package = pkgs.nextcloud28;
         configureRedis = true;
         config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
         extraApps = with config.services.nextcloud.package.packages.apps; {

modules/services/nginx.nix

@@ -1,102 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit
-    (lib)
-    mkBefore
-    mkIf
-    mkOption
-    types
-    ;
-in {
-  options.services.nginx.virtualHosts = mkOption {
-    type = types.attrsOf (types.submodule {
-      options.locations = mkOption {
-        type = types.attrsOf (types.submodule ({config, ...}: {
-          options = {
-            recommendedSecurityHeaders = mkOption {
-              type = types.bool;
-              default = true;
-              description = "Whether to add additional security headers to this location.";
-            };
-
-            X-Frame-Options = mkOption {
-              type = types.str;
-              default = "DENY";
-              description = "The value to use for X-Frame-Options";
-            };
-          };
-          config = mkIf config.recommendedSecurityHeaders {
-            extraConfig = mkBefore ''
-              # Enable HTTP Strict Transport Security (HSTS)
-              add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-
-              # Minimize information leaked to other domains
-              add_header Referrer-Policy "origin-when-cross-origin";
-
-              add_header X-XSS-Protection "1; mode=block";
-              add_header X-Frame-Options "${config.X-Frame-Options}";
-              add_header X-Content-Type-Options "nosniff";
-            '';
-          };
-        }));
-      };
-    });
-  };
-
-  config = mkIf config.services.nginx.enable {
-    age.secrets."dhparams.pem" = {
-      generator.script = "dhparams";
-      mode = "440";
-      group = "nginx";
-    };
-    security.acme.acceptTerms = true;
-    security.acme.defaults.email = config.secrets.secrets.global.devEmail;
-
-    # Sensible defaults for nginx
-    services.nginx = {
-      recommendedBrotliSettings = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
-      # SSL config
-      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-      sslDhparam = config.age.secrets."dhparams.pem".path;
-      commonHttpConfig = ''
-        log_format json_combined escape=json '{'
-          '"time": $msec,'
-          '"remote_addr":"$remote_addr",'
-          '"status":$status,'
-          '"method":"$request_method",'
-          '"host":"$host",'
-          '"uri":"$request_uri",'
-          '"request_size":$request_length,'
-          '"response_size":$body_bytes_sent,'
-          '"response_time":$request_time,'
-          '"referrer":"$http_referer",'
-          '"user_agent":"$http_user_agent"'
-        '}';
-        error_log syslog:server=unix:/dev/log,nohostname;
-        access_log syslog:server=unix:/dev/log,nohostname json_combined;
-        ssl_ecdh_curve secp384r1;
-      '';
-
-      # Default host that rejects everything.
-      # This is selected when no matching host is found for a request.
-      virtualHosts.dummy = {
-        listenAddresses = ["127.0.0.1" "[::1]"];
-        default = true;
-        rejectSSL = true;
-        locations."/".extraConfig = ''
-          deny all;
-        '';
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [80 443];
-  };
-}

modules/services/radicale.nix

@@ -7,7 +7,7 @@
 } @ attrs: let
   hostName = "radicale.${config.secrets.secrets.global.domains.mail}";
 in {
-  imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
+  imports = [./containers.nix ./ddclient.nix ./acme.nix];
   services.nginx = {
     enable = true;
     upstreams.radicale = {