{ pkgs, config, options, ... }: let nextcloud = pkgs.nextcloud26; hostName = "nextcloud.${config.services.nginx.domain}"; in { services.nextcloud = { inherit hostName; package = nextcloud; enableBrokenCiphersForSSE = false; enable = true; maxUploadSize = "2G"; https = true; config = { overwriteProtocol = "https"; dbtype = "pgsql"; dbhost = "/run/postgresql"; adminuser = "tlater"; adminpassFile = config.sops.secrets."nextcloud/tlater".path; defaultPhoneRegion = "AT"; }; phpOptions = options.services.nextcloud.phpOptions.default // { "opcache.interned_strings_buffer" = "16"; }; extraApps = { inherit (pkgs.local) bookmarks calendar contacts cookbook news notes; }; # TODO(tlater): Add redis config. This will be much easier # starting with 22.11, since this will add an `extraOptions` where # the necessary redis config can go. }; # Ensure that this service doesn't start before postgres is ready systemd.services.nextcloud-setup.after = ["postgresql.service"]; # Set up SSL services.nginx.virtualHosts."${hostName}" = { forceSSL = true; enableACME = true; }; # Block repeated failed login attempts environment.etc = { "fail2ban/filter.d/nextcloud.conf".text = '' [Definition] _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) failregex = \{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: \{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" journalmatch = SYSLOG_IDENTIFIER=Nextcloud ''; }; services.fail2ban.jails = { nextcloud = '' enabled = true # Nextcloud does some throttling already, so we need to set # these to something bigger. findtime = 43200 bantime = 86400 ''; }; }