nix-config/modules/services/nextcloud.nix

124 lines
3.2 KiB
Nix

{
lib,
stateVersion,
config,
#deadnix: skip
pkgs, # not unused needed for the usage of attrs later to contains pkgs
...
} @ attrs: let
hostName = "nc.${config.secrets.secrets.global.domains.mail}";
in {
imports = [./containers.nix ./ddclient.nix ./acme.nix];
services.nginx = {
enable = true;
recommendedSetup = true;
upstreams.nextcloud = {
servers."192.168.178.33:80" = {};
extraConfig = ''
zone nextcloud 64k ;
keepalive 5 ;
'';
};
virtualHosts.${hostName} = {
forceSSL = true;
useACMEHost = "mail";
locations."/".proxyPass = "http://nextcloud";
extraConfig = ''
client_max_body_size 4G ;
'';
};
};
containers.nextcloud = lib.containers.mkConfig "nextcloud" attrs {
zfs = {
enable = true;
pool = "panzer";
};
config = {
config,
pkgs,
...
}: {
#TODO enable recommended nginx setup
systemd.network.networks = {
"lan01" = {
address = ["192.168.178.33/24"];
gateway = ["192.168.178.1"];
matchConfig.Name = "lan01*";
dns = ["192.168.178.2"];
networkConfig = {
IPv6PrivacyExtensions = "yes";
MulticastDNS = true;
};
};
};
environment.persistence."/persist".directories = [
{
directory = config.services.nextcloud.home;
user = "nextcloud";
group = "nextcloud";
mode = "750";
}
];
services.nextcloud = {
inherit hostName;
enable = true;
package = pkgs.nextcloud28;
configureRedis = true;
config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
config.adminuser = "admin";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit contacts calendar tasks notes maps;
};
# TODO increase outer nginx upload size as well
maxUploadSize = "2G";
extraAppsEnable = true;
database.createLocally = true;
phpOptions."opcache.interned_strings_buffer" = "32";
extraOptions = {
trusted_proxies = ["192.168.178.32"];
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
config = {
defaultPhoneRegion = "DE";
dbtype = "pgsql";
};
};
system.stateVersion = stateVersion;
networking = {
firewall = {
enable = true;
allowedTCPPorts = [80];
};
# Use systemd-resolved inside the container
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
}
#wireguard
#samba/printer finding
#vaultwarden
#maddy
#kanidm
#remote backups
#immich