71 lines
1.8 KiB
Nix
71 lines
1.8 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
...
|
|
}: let
|
|
nextcloud = pkgs.nextcloud25;
|
|
hostName = "nextcloud.${config.services.nginx.domain}";
|
|
in {
|
|
services.nextcloud = {
|
|
inherit hostName;
|
|
|
|
package = nextcloud;
|
|
enableBrokenCiphersForSSE = false;
|
|
enable = true;
|
|
maxUploadSize = "2G";
|
|
https = true;
|
|
|
|
config = {
|
|
overwriteProtocol = "https";
|
|
|
|
dbtype = "pgsql";
|
|
dbhost = "/run/postgresql";
|
|
|
|
adminuser = "tlater";
|
|
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
|
|
|
|
defaultPhoneRegion = "AT";
|
|
};
|
|
|
|
extraApps = {
|
|
inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
|
|
};
|
|
|
|
# TODO(tlater): Add redis config. This will be much easier
|
|
# starting with 22.11, since this will add an `extraOptions` where
|
|
# the necessary redis config can go.
|
|
};
|
|
|
|
# Ensure that this service doesn't start before postgres is ready
|
|
systemd.services.nextcloud-setup.after = ["postgresql.service"];
|
|
|
|
# Set up SSL
|
|
services.nginx.virtualHosts."${hostName}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
|
|
# Block repeated failed login attempts
|
|
environment.etc = {
|
|
"fail2ban/filter.d/nextcloud.conf".text = ''
|
|
[Definition]
|
|
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
|
|
failregex = \{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
|
|
\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
|
|
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
|
journalmatch = SYSLOG_IDENTIFIER=Nextcloud
|
|
'';
|
|
};
|
|
|
|
services.fail2ban.jails = {
|
|
nextcloud = ''
|
|
enabled = true
|
|
|
|
# Nextcloud does some throttling already, so we need to set
|
|
# these to something bigger.
|
|
findtime = 43200
|
|
bantime = 86400
|
|
'';
|
|
};
|
|
}
|