tlaternet-server/configuration/services/nextcloud.nix

123 lines
3.8 KiB
Nix
Raw Normal View History

{
pkgs,
config,
...
}: let
inherit (pkgs) fetchNextcloudApp;
2022-10-13 00:30:29 +01:00
nextcloud = pkgs.nextcloud24;
hostName = "nextcloud.${config.services.nginx.domain}";
in {
services.nextcloud = {
inherit hostName;
package = nextcloud;
enable = true;
maxUploadSize = "2G";
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminuser = "tlater";
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
defaultPhoneRegion = "AT";
};
extraApps = {
# TODO(tlater): Seems like this won't work anymore from
# Nextcloud 25 onwards.
#
# Adopt whatever upstream does with this:
# https://github.com/nextcloud/server/issues/4917
apporder = pkgs.fetchNextcloudApp {
name = "apporder";
url = "https://github.com/juliushaertl/apporder/releases/download/v0.15.0/apporder.tar.gz";
version = "0.15.0";
sha256 = "sha256-p3VWxTYDCO2NePq6oLM8tBVqYkvoB7itqxp7IZwGDnE=";
};
bookmarks = pkgs.fetchNextcloudApp {
name = "bookmarks";
url = "https://github.com/nextcloud/bookmarks/releases/download/v11.0.4/bookmarks-11.0.4.tar.gz";
version = "11.0.4";
sha256 = "sha256-URqtzaCx8FEZHCDP1wSBUFNs+x50jesRtWi+xOU1oXM=";
2021-04-12 01:42:46 +01:00
};
calendar = pkgs.fetchNextcloudApp {
name = "calendar";
url = "https://github.com/nextcloud-releases/calendar/releases/download/v3.5.0/calendar-v3.5.0.tar.gz";
version = "3.5.0";
sha256 = "sha256-+LRGl9h40AQdWN9SW+NqGwTafAGwV07Af8nVs3pUCm0=";
2021-04-12 01:42:46 +01:00
};
contacts = pkgs.fetchNextcloudApp {
name = "contacts";
url = "https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz";
version = "4.2.2";
sha256 = "sha256-GTiyZsUHBXPgQ17DHAihmt2W/ZnAjDwfgwnujkRwk6A=";
2021-04-12 01:42:46 +01:00
};
cookbook = pkgs.fetchNextcloudApp {
name = "cookbook";
url = "https://github.com/nextcloud/cookbook/releases/download/v0.9.15/Cookbook-0.9.15.tar.gz";
version = "0.9.15";
sha256 = "sha256-v64rLGyMQOdStyivpJsKrNxwumVQvyK3CnHtZ+K+elE=";
};
news = pkgs.fetchNextcloudApp {
name = "news";
url = "https://github.com/nextcloud/news/releases/download/18.2.0/news.tar.gz";
version = "18.2.0";
sha256 = "sha256-eS0cFwJmYfGGJmA02AOWO/OXfqfyI71u2GataDj18DE=";
};
notes = pkgs.fetchNextcloudApp {
name = "notes";
url = "https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz";
version = "4.5.1";
sha256 = "sha256-rd3uVkVtARX4enRAWm1ivV468lboYZnYe7/zsqaHYpk=";
2021-04-12 01:42:46 +01:00
};
};
# TODO(tlater): Add redis config. This will be much easier
# starting with 22.11, since this will add an `extraOptions` where
# the necessary redis config can go.
};
# Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = ["postgresql.service"];
# Set up SSL
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
2021-04-12 01:42:46 +01:00
};
2022-10-14 01:11:15 +01:00
# Block repeated failed login attempts
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
'';
};
services.fail2ban.jails = {
nextcloud = ''
enabled = true
# Nextcloud does some throttling already, so we need to set
# these to something bigger.
findtime = 43200
bantime = 86400
'';
};
2021-04-12 01:42:46 +01:00
}