tlaternet-server/configuration/services/nextcloud.nix

{
  pkgs,
  config,
  ...
}: let
  inherit (pkgs) fetchNextcloudApp;
  nextcloud = pkgs.nextcloud24;
  hostName = "nextcloud.${config.services.nginx.domain}";
in {
  services.nextcloud = {
    inherit hostName;

    package = nextcloud;
    enable = true;
    maxUploadSize = "2G";
    https = true;

    config = {
      overwriteProtocol = "https";

      dbtype = "pgsql";
      dbhost = "/run/postgresql";

      adminuser = "tlater";
      adminpassFile = config.sops.secrets."nextcloud/tlater".path;

      defaultPhoneRegion = "AT";
    };

    extraApps = {
      # TODO(tlater): Seems like this won't work anymore from
      # Nextcloud 25 onwards.
      #
      # Adopt whatever upstream does with this:
      # https://github.com/nextcloud/server/issues/4917
      apporder = pkgs.fetchNextcloudApp {
        name = "apporder";
        url = "https://github.com/juliushaertl/apporder/releases/download/v0.15.0/apporder.tar.gz";
        version = "0.15.0";
        sha256 = "sha256-p3VWxTYDCO2NePq6oLM8tBVqYkvoB7itqxp7IZwGDnE=";
      };

      bookmarks = pkgs.fetchNextcloudApp {
        name = "bookmarks";
        url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.4/bookmarks-11.0.4.tar.gz";
        version = "11.0.4";
        sha256 = "sha256-URqtzaCx8FEZHCDP1wSBUFNs+x50jesRtWi+xOU1oXM=";
      };

      calendar = pkgs.fetchNextcloudApp {
        name = "calendar";
        url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
        version = "3.5.0";
        sha256 = "sha256-+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0=";
      };

      contacts = pkgs.fetchNextcloudApp {
        name = "contacts";
        url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
        version = "4.2.2";
        sha256 = "sha256-GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A=";
      };

      cookbook = pkgs.fetchNextcloudApp {
        name = "cookbook";
        url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
        version = "0.9.15";
        sha256 = "sha256-v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE=";
      };

      news = pkgs.fetchNextcloudApp {
        name = "news";
        url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
        version = "18.2.0";
        sha256 = "sha256-eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE=";
      };

      notes = pkgs.fetchNextcloudApp {
        name = "notes";
        url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
        version = "4.5.1";
        sha256 = "sha256-rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk=";
      };
    };

    # TODO(tlater): Add redis config. This will be much easier
    # starting with 22.11, since this will add an `extraOptions` where
    # the necessary redis config can go.
  };

  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = ["postgresql.service"];

  # Set up SSL
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    enableACME = true;
  };

  # Block repeated failed login attempts
  environment.etc = {
    "fail2ban/filter.d/nextcloud.conf".text = ''
      [Definition]
      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
    '';
  };

  services.fail2ban.jails = {
    nextcloud = ''
      enabled = true

      # Nextcloud does some throttling already, so we need to set
      # these to something bigger.
      findtime = 43200
      bantime = 86400
    '';
  };
}