182 lines
5.4 KiB
Nix
182 lines
5.4 KiB
Nix
# Directly ripped from https://github.com/onny/nixos-nextcloud-testumgebung/blob/main/nextcloud-extras.nix
|
|
|
|
{ config, lib, ... }:
|
|
let
|
|
|
|
inherit (lib)
|
|
optionalString
|
|
escapeShellArg
|
|
types
|
|
concatStringsSep
|
|
mapAttrsToList
|
|
mkIf
|
|
mkOption
|
|
mkDefault
|
|
mkForce
|
|
;
|
|
|
|
cfg = config.services.nextcloud;
|
|
fpm = config.services.phpfpm.pools.nextcloud;
|
|
webserver = config.services.${cfg.webserver};
|
|
|
|
in
|
|
{
|
|
|
|
options = {
|
|
services.nextcloud = {
|
|
|
|
ensureUsers = mkOption {
|
|
default = { };
|
|
description = lib.mdDoc ''
|
|
List of user accounts which get automatically created if they don't
|
|
exist yet. This option does not delete accounts which are not listed
|
|
anymore.
|
|
'';
|
|
example = {
|
|
user1 = {
|
|
passwordFile = /secrets/user1-localhost;
|
|
email = "user1@localhost";
|
|
};
|
|
user2 = {
|
|
passwordFile = /secrets/user2-localhost;
|
|
email = "user2@localhost";
|
|
};
|
|
};
|
|
type = types.attrsOf (
|
|
types.submodule {
|
|
options = {
|
|
passwordFile = mkOption {
|
|
type = types.path;
|
|
example = "/path/to/file";
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
Specifies the path to a file containing the
|
|
clear text password for the user.
|
|
'';
|
|
};
|
|
email = mkOption {
|
|
type = types.str;
|
|
example = "user1@localhost";
|
|
default = null;
|
|
};
|
|
};
|
|
}
|
|
);
|
|
};
|
|
|
|
webserver = mkOption {
|
|
type = types.enum [
|
|
"nginx"
|
|
"caddy"
|
|
];
|
|
default = "nginx";
|
|
description = ''
|
|
Whether to use nginx or caddy for virtual host management.
|
|
Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>.
|
|
See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
|
|
'';
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
systemd.services.nextcloud-ensure-users = {
|
|
enable = true;
|
|
script = ''
|
|
${optionalString (cfg.ensureUsers != { }) ''
|
|
${concatStringsSep "\n" (
|
|
mapAttrsToList (name: cfg: ''
|
|
if ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
|
|
export OC_PASS="$(cat ${escapeShellArg cfg.passwordFile})"
|
|
${config.services.nextcloud.occ}/bin/nextcloud-occ user:add --password-from-env "${name}"
|
|
fi
|
|
if ! ${config.services.nextcloud.occ}/bin/nextcloud-occ user:info "${name}" | grep "user not found"; then
|
|
${
|
|
optionalString (cfg.email != null) ''
|
|
${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting "${name}" settings email "${cfg.email}"
|
|
''
|
|
}
|
|
fi
|
|
'') cfg.ensureUsers
|
|
)}
|
|
''}
|
|
'';
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "nextcloud-setup.service" ];
|
|
};
|
|
|
|
services.phpfpm.pools.nextcloud.settings = {
|
|
"listen.owner" = webserver.user;
|
|
"listen.group" = webserver.group;
|
|
};
|
|
|
|
users.groups.nextcloud.members = [
|
|
"nextcloud"
|
|
webserver.user
|
|
];
|
|
|
|
services.nginx = lib.mkIf (cfg.webserver == "caddy") { enable = mkForce false; };
|
|
|
|
services.caddy = lib.mkIf (cfg.webserver == "caddy") {
|
|
enable = mkDefault true;
|
|
virtualHosts."${if cfg.https then "https" else "http"}://${cfg.hostName}" = {
|
|
extraConfig = ''
|
|
encode zstd gzip
|
|
|
|
root * ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
|
|
|
|
redir /.well-known/carddav /remote.php/dav 301
|
|
redir /.well-known/caldav /remote.php/dav 301
|
|
redir /.well-known/* /index.php{uri} 301
|
|
redir /remote/* /remote.php{uri} 301
|
|
|
|
header {
|
|
Strict-Transport-Security max-age=31536000
|
|
Permissions-Policy interest-cohort=()
|
|
X-Content-Type-Options nosniff
|
|
X-Frame-Options SAMEORIGIN
|
|
Referrer-Policy no-referrer
|
|
X-XSS-Protection "1; mode=block"
|
|
X-Permitted-Cross-Domain-Policies none
|
|
X-Robots-Tag "noindex, nofollow"
|
|
-X-Powered-By
|
|
}
|
|
|
|
php_fastcgi unix/${fpm.socket} {
|
|
root ${config.services.nginx.virtualHosts.${cfg.hostName}.root}
|
|
env front_controller_active true
|
|
env modHeadersAvailable true
|
|
}
|
|
|
|
@forbidden {
|
|
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
|
|
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
|
|
not path /.well-known/*
|
|
}
|
|
error @forbidden 404
|
|
|
|
@immutable {
|
|
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
|
query v=*
|
|
}
|
|
header @immutable Cache-Control "max-age=15778463, immutable"
|
|
|
|
@static {
|
|
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
|
|
not query v=*
|
|
}
|
|
header @static Cache-Control "max-age=15778463"
|
|
|
|
@woff2 path *.woff2
|
|
header @woff2 Cache-Control "max-age=604800"
|
|
|
|
file_server
|
|
'';
|
|
};
|
|
};
|
|
|
|
};
|
|
}
|