tlaternet-server/configuration/services/nextcloud.nix

78 lines
1.8 KiB
Nix
Raw Normal View History

{
pkgs,
config,
options,
...
}: let
2023-07-29 17:17:24 +01:00
nextcloud = pkgs.nextcloud27;
hostName = "nextcloud.${config.services.nginx.domain}";
in {
services.nextcloud = {
inherit hostName;
package = nextcloud;
enableBrokenCiphersForSSE = false;
enable = true;
maxUploadSize = "2G";
https = true;
2023-07-29 17:17:39 +01:00
configureRedis = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminuser = "tlater";
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
defaultPhoneRegion = "AT";
};
phpOptions =
options.services.nextcloud.phpOptions.default
// {
"opcache.interned_strings_buffer" = "16";
};
extraApps = {
2022-10-17 11:00:02 +01:00
inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
2021-04-12 01:42:46 +01:00
};
};
2023-07-29 17:17:39 +01:00
services.redis.vmOverCommit = true;
# Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = ["postgresql.service"];
# Set up SSL
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
2021-04-12 01:42:46 +01:00
};
2022-10-14 01:11:15 +01:00
# Block repeated failed login attempts
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
'';
};
services.fail2ban.jails = {
nextcloud = ''
enabled = true
# Nextcloud does some throttling already, so we need to set
# these to something bigger.
findtime = 43200
bantime = 86400
'';
};
2021-04-12 01:42:46 +01:00
}