mirror of
https://github.com/kittywitch/nixfiles.git
synced 2026-02-10 04:49:19 -08:00
79 lines
2.8 KiB
Nix
79 lines
2.8 KiB
Nix
{ config, pkgs, lib, tf, kw, ... }: with lib; let
|
|
cfg = config.services.nextcloud;
|
|
in {
|
|
deploy.tf.dns.records.services_internal_cloud = {
|
|
inherit (config.network.dns) zone;
|
|
domain = "cloud.int";
|
|
cname = { inherit (config.network.addresses.yggdrasil) target; };
|
|
};
|
|
|
|
kw.secrets.variables =
|
|
mapListToAttrs
|
|
(field:
|
|
nameValuePair "nextcloud-${field}" {
|
|
path = "secrets/nextcloud";
|
|
inherit field;
|
|
}) [ "adminpass" "dbpass" ];
|
|
|
|
secrets.files.nextcloud-adminpass = {
|
|
text = ''
|
|
${tf.variables.nextcloud-adminpass.ref}
|
|
'';
|
|
owner = "nextcloud";
|
|
group = "nextcloud";
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureDatabases = [ "nextcloud" ];
|
|
ensureUsers = [{
|
|
name = "nextcloud";
|
|
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
|
}];
|
|
};
|
|
|
|
services.nextcloud = {
|
|
enable = true;
|
|
package = pkgs.nextcloud24;
|
|
config = {
|
|
dbtype = "pgsql";
|
|
dbhost = "/run/postgresql";
|
|
defaultPhoneRegion = "GB";
|
|
adminpassFile = config.secrets.files.nextcloud-adminpass.path;
|
|
extraTrustedDomains = [
|
|
"cloud.kittywit.ch"
|
|
];
|
|
};
|
|
https = true;
|
|
enableImagemagick = true;
|
|
home = "/mnt/zenc/nextcloud";
|
|
hostName = "cloud.kittywit.ch";
|
|
autoUpdateApps = {
|
|
enable = true;
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."cloud.kittywit.ch".extraConfig = mkForce ''
|
|
index index.php index.html /index.php$request_uri;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Download-Options noopen;
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header X-Frame-Options sameorigin;
|
|
add_header Referrer-Policy no-referrer;
|
|
client_max_body_size ${cfg.maxUploadSize};
|
|
fastcgi_buffers 64 4K;
|
|
fastcgi_hide_header X-Powered-By;
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_comp_level 4;
|
|
gzip_min_length 256;
|
|
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
|
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
|
${optionalString cfg.webfinger ''
|
|
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
|
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
|
''}
|
|
'';
|
|
}
|