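# Nextcloud host module: the Nextcloud service itself, its nginx virtual
# host, a fail2ban jail fed from the journal, and a backup hook that dumps
# the PostgreSQL database while the instance is in maintenance mode.
{ pkgs
, config
, ...
}:
let
  # Update pending on rewrite of nextcloud news, though there is an
  # alpha to switch to if it becomes necessary:
  # https://github.com/nextcloud/news/issues/2610
  #
  # NOTE(review): a pin below the newest major is only as safe as the
  # upstream support window for that release — re-check that the pinned
  # series still receives security fixes whenever this file is touched.
  nextcloud = pkgs.nextcloud27;

  # Served under the host-wide nginx domain; reused for the vhost below.
  hostName = "nextcloud.${config.services.nginx.domain}";
in
{
  services.nextcloud = {
    inherit hostName;
    package = nextcloud;
    enable = true;
    maxUploadSize = "2G";
    https = true;
    configureRedis = true;

    config = {
      dbtype = "pgsql";
      # Local Unix socket, no dbpassFile: authentication is left to the
      # socket (presumably peer auth on the postgres side — verify there).
      dbhost = "/run/postgresql";
      adminuser = "tlater";
      # The admin password never enters the Nix store; sops materialises it
      # at activation time and only the path is referenced here.
      adminpassFile = config.sops.secrets."nextcloud/tlater".path;
    };

    settings = {
      default_phone_region = "AT";
      # TLS is terminated by nginx, so tell Nextcloud to generate https URLs.
      overwriteprotocol = "https";
    };

    phpOptions = {
      "opcache.interned_strings_buffer" = "16";
    };

    # Apps come from the local package set, not from the app store.
    extraApps = {
      inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
    };
  };

  # Ensure that this service doesn't start before postgres is ready
  systemd.services.nextcloud-setup.after = [ "postgresql.service" ];

  # Set up SSL
  services.nginx.virtualHosts."${hostName}" = {
    forceSSL = true;
    useACMEHost = "tlater.net";
    # The upstream module already adds HSTS
  };

  # Block repeated failed login attempts
  #
  # The filter matches Nextcloud's JSON log lines and takes the banned
  # address from "remoteAddr".  It reads the journal, so it assumes
  # Nextcloud logs via syslog/journald under the "Nextcloud" identifier
  # (NixOS's default log_type — confirm if that setting is ever changed).
  environment.etc = {
    "fail2ban/filter.d/nextcloud.conf".text = ''
      [Definition]
      _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
      failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                  \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
      datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
      journalmatch = SYSLOG_IDENTIFIER=Nextcloud
    '';
  };

  # The jail is named like the filter file above, so fail2ban picks up
  # filter.d/nextcloud.conf without an explicit "filter =" line.
  services.fail2ban.jails = {
    nextcloud = ''
      enabled = true

      # Nextcloud does some throttling already, so we need to set
      # these to something bigger.
      findtime = 43200
      bantime = 86400
    '';
  };

  # Backup: put Nextcloud into maintenance mode, dump the database next to
  # the data directory, and let the backup pick up dump + data + config.
  # `services.backups` is a local module (not upstream NixOS); whether
  # `cleanup` still runs when `preparation` fails is decided there.
  services.backups.nextcloud = {
    user = "nextcloud";
    paths = [
      "/var/lib/nextcloud/nextcloud-db.sql"
      "/var/lib/nextcloud/data/"
      "/var/lib/nextcloud/config/config.php"
    ];
    preparation = {
      packages = [
        config.services.postgresql.package
        config.services.nextcloud.occ
      ];
      # dbname is not set in `config` above, so this resolves to the module
      # default.  The dump holds the whole database (including credential
      # material such as password hashes), which is why it stays inside the
      # nextcloud state directory and is removed again in `cleanup`.
      text = ''
        nextcloud-occ maintenance:mode --on
        pg_dump ${config.services.nextcloud.config.dbname} --file=/var/lib/nextcloud/nextcloud-db.sql
      '';
    };
    cleanup = {
      packages = [
        pkgs.coreutils
        config.services.nextcloud.occ
      ];
      # `-f`: if the dump was never written (preparation aborted before
      # pg_dump finished), a failing rm must not stop maintenance mode from
      # being switched back off — that would leave the instance unavailable.
      text = ''
        rm -f /var/lib/nextcloud/nextcloud-db.sql
        nextcloud-occ maintenance:mode --off
      '';
    };
  };
}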