tlaternet-server/configuration/services/nextcloud.nix

77 lines
2 KiB
Nix

{
pkgs,
config,
...
}: let
inherit (pkgs) fetchNextcloudApp;
nextcloud = pkgs.nextcloud24;
hostName = "nextcloud.${config.services.nginx.domain}";
in {
services.nextcloud = {
inherit hostName;
package = nextcloud;
enable = true;
maxUploadSize = "2G";
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminuser = "tlater";
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
defaultPhoneRegion = "AT";
};
extraApps = {
# TODO(tlater): Seems like this won't work anymore from
# Nextcloud 25 onwards.
#
# Adopt whatever upstream does with this:
# https://github.com/nextcloud/server/issues/4917
inherit (pkgs.local) apporder;
inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
};
# TODO(tlater): Add redis config. This will be much easier
# starting with 22.11, since this will add an `extraOptions` where
# the necessary redis config can go.
};
# Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = ["postgresql.service"];
# Set up SSL
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
};
# Block repeated failed login attempts
environment.etc = {
"fail2ban/filter.d/nextcloud.conf".text = ''
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
'';
};
services.fail2ban.jails = {
nextcloud = ''
enabled = true
# Nextcloud does some throttling already, so we need to set
# these to something bigger.
findtime = 43200
bantime = 86400
'';
};
}