
{ pkgs
, config
, ...
}:
let
  # Pinned to the nextcloud27 package: the news app (pkgs.local.news
  # below) has not been updated for newer releases yet.  An alpha of the
  # rewritten app exists should the switch become necessary:
  # https://github.com/nextcloud/news/issues/2610
  # NOTE(review): confirm this major release still receives upstream
  # security updates before leaving the pin in place much longer.
  nextcloudPackage = pkgs.nextcloud27;

  # Public name of the instance, derived from the nginx domain option.
  hostName = "nextcloud.${config.services.nginx.domain}";

  # Where the database dump lives for the duration of a backup run.
  dbDump = "/var/lib/nextcloud/nextcloud-db.sql";
in
{
  services = {
    nextcloud = {
      enable = true;
      inherit hostName;
      package = nextcloudPackage;
      https = true;
      maxUploadSize = "2G";
      # Let the upstream module provision and wire up redis itself.
      configureRedis = true;

      config = {
        # Local PostgreSQL reached over the unix socket, so no database
        # connection leaves the host.
        dbtype = "pgsql";
        dbhost = "/run/postgresql";
        adminuser = "tlater";
        # The admin password is read from the sops-managed secret file
        # rather than given as a literal, which would land in the nix
        # store.
        adminpassFile = config.sops.secrets."nextcloud/tlater".path;
      };

      settings = {
        default_phone_region = "AT";
        # TLS terminates at nginx; make Nextcloud generate https URLs
        # regardless of the scheme of the proxied request.
        overwriteprotocol = "https";
      };

      phpOptions."opcache.interned_strings_buffer" = "16";

      # Locally packaged apps; their definitions live under pkgs.local.
      extraApps = {
        inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
      };
    };

    # TLS for the virtual host.  The upstream module already adds HSTS,
    # so it is not repeated here.
    nginx.virtualHosts.${hostName} = {
      forceSSL = true;
      useACMEHost = "tlater.net";
    };

    # Jail using the filter installed via environment.etc below.
    # findtime/bantime are in seconds (12h window, 24h ban).
    fail2ban.jails.nextcloud = ''
      enabled = true
      # Nextcloud does some throttling already, so we need to set
      # these to something bigger.
      findtime = 43200
      bantime = 86400
    '';

    backups.nextcloud = {
      user = "nextcloud";
      paths = [
        dbDump
        "/var/lib/nextcloud/data/"
        "/var/lib/nextcloud/config/config.php"
      ];

      # Switch the instance to maintenance mode and dump the database,
      # presumably so the files and the dump in the backup agree.
      preparation = {
        packages = [
          config.services.postgresql.package
          config.services.nextcloud.occ
        ];
        text = ''
          nextcloud-occ maintenance:mode --on
          pg_dump ${config.services.nextcloud.config.dbname} --file=${dbDump}
        '';
      };

      # Remove the dump (it contains user data and password hashes) and
      # take the instance out of maintenance mode.
      # NOTE(review): if services.backups does not run cleanup after a
      # failed preparation or backup step, the instance stays in
      # maintenance mode and the dump stays on disk - confirm against
      # the backup module.
      cleanup = {
        packages = [
          pkgs.coreutils
          config.services.nextcloud.occ
        ];
        text = ''
          rm ${dbDump}
          nextcloud-occ maintenance:mode --off
        '';
      };
    };
  };

  # Keep the setup unit from starting before postgres is ready.
  systemd.services.nextcloud-setup.after = [ "postgresql.service" ];

  # fail2ban filter for Nextcloud's JSON log lines (failed logins and
  # trusted-domain errors), read from the journal.  The second failregex
  # line is a continuation and must stay indented deeper than the key.
  environment.etc."fail2ban/filter.d/nextcloud.conf".text = ''
    [Definition]
    _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
    failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
    datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
    journalmatch = SYSLOG_IDENTIFIER=Nextcloud
  '';
}