# Directly ripped from https://github.com/onny/nixos-nextcloud-testumgebung/blob/main/nextcloud-extras.nix { config, lib, ... }: let inherit (lib) optionalString escapeShellArg types concatStringsSep mapAttrsToList mkIf mkOption mkDefault mkForce ; cfg = config.services.nextcloud; fpm = config.services.phpfpm.pools.nextcloud; webserver = config.services.${cfg.webserver}; in { options = { services.nextcloud = { ensureUsers = mkOption { default = { }; description = lib.mdDoc '' List of user accounts which get automatically created if they don't exist yet. This option does not delete accounts which are not listed anymore. ''; example = { user1 = { passwordFile = /secrets/user1-localhost; email = "user1@localhost"; }; user2 = { passwordFile = /secrets/user2-localhost; email = "user2@localhost"; }; }; type = types.attrsOf ( types.submodule { options = { passwordFile = mkOption { type = types.path; example = "/path/to/file"; default = null; description = lib.mdDoc '' Specifies the path to a file containing the clear text password for the user. ''; }; email = mkOption { type = types.str; example = "user1@localhost"; default = null; }; }; } ); }; webserver = mkOption { type = types.enum [ "nginx" "caddy" ]; default = "nginx"; description = '' Whether to use nginx or caddy for virtual host management. Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See for further information. ''; }; }; }; config = mkIf cfg.enable { systemd.services.nextcloud-ensure-users = { enable = true; script = '' ${optionalString (cfg.ensureUsers != { }) '' ${concatStringsSep "\n" ( mapAttrsToList (name: cfg: '' if ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then export OC_PASS="$(cat ${escapeShellArg cfg.passwordFile})" ${config.services.nextcloud.occ}/bin/nextcloud-occ user:add --password-from-env "${name}" fi if ! ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then ${ optionalString (cfg.email != null) '' ${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting "${name}" settings email "${cfg.email}" '' } fi '') cfg.ensureUsers )} ''} ''; wantedBy = [ "multi-user.target" ]; after = [ "nextcloud-setup.service" ]; }; services.phpfpm.pools.nextcloud.settings = { "listen.owner" = webserver.user; "listen.group" = webserver.group; }; users.groups.nextcloud.members = [ "nextcloud" webserver.user ]; services.nginx = lib.mkIf (cfg.webserver == "caddy") { enable = mkForce false; }; services.caddy = lib.mkIf (cfg.webserver == "caddy") { enable = mkDefault true; virtualHosts."${if cfg.https then "https" else "http"}://${cfg.hostName}" = { extraConfig = '' encode zstd gzip root * ${config.services.nginx.virtualHosts.${cfg.hostName}.root} redir /.well-known/carddav /remote.php/dav 301 redir /.well-known/caldav /remote.php/dav 301 redir /.well-known/* /index.php{uri} 301 redir /remote/* /remote.php{uri} 301 header { Strict-Transport-Security max-age=31536000 Permissions-Policy interest-cohort=() X-Content-Type-Options nosniff X-Frame-Options SAMEORIGIN Referrer-Policy no-referrer X-XSS-Protection "1; mode=block" X-Permitted-Cross-Domain-Policies none X-Robots-Tag "noindex, nofollow" -X-Powered-By } php_fastcgi unix/${fpm.socket} { root ${config.services.nginx.virtualHosts.${cfg.hostName}.root} env front_controller_active true env modHeadersAvailable true } @forbidden { path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* path /.* /autotest* /occ* /issue* /indie* /db_* /console* not path /.well-known/* } error @forbidden 404 @immutable { path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite query v=* } header @immutable Cache-Control "max-age=15778463, immutable" @static { path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite not query v=* } header @static Cache-Control "max-age=15778463" @woff2 path *.woff2 header @woff2 Cache-Control "max-age=604800" file_server ''; }; }; }; }