move nextcloud nginx configuration part to SP module

2025-01-08 17:11:02 +00:00 · 2023-11-15 23:43:59 +04:00 · 2023-11-15 23:43:59 +04:00 · f4fb0a9ce8
parent 41c3a0fc00
commit f4fb0a9ce8
2 changed files with 22 additions and 21 deletions
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@ -17,6 +17,7 @@
      secrets-filepath = "/etc/nixos/userdata/userdata.json";
      db-pass-filepath = "/var/lib/nextcloud/db-pass";
      admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
+      hostName = "cloud.${cfg.domain}";
    in
    lib.mkIf cfg.nextcloud.enable
      {
@ -39,7 +40,7 @@
        services.nextcloud = {
          enable = true;
          package = pkgs.nextcloud25;
-          hostName = "cloud.${cfg.domain}";
+          inherit hostName;

          # Use HTTPS for links
          https = false;
@ -62,6 +63,26 @@
            adminuser = "admin";
          };
        };
+        services.nginx.virtualHosts.${hostName} = {
+          sslCertificate = "/var/lib/acme/${cfg.domain}/fullchain.pem";
+          sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
+          forceSSL = true;
+          extraConfig = ''
+            add_header Strict-Transport-Security $hsts_header;
+            #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+            add_header 'Referrer-Policy' 'origin-when-cross-origin';
+            add_header X-Frame-Options DENY;
+            add_header X-Content-Type-Options nosniff;
+            add_header X-XSS-Protection "1; mode=block";
+            proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+            expires 10m;
+          '';
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:80/";
+            };
+          };
+        };
      }
    # FIXME do we really want to delete passwords on module deactivation!?
    //
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@ -69,26 +69,6 @@ in
          };
        };
      };
-      "cloud.${domain}" = {
-        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
-        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
-        forceSSL = true;
-        extraConfig = ''
-          add_header Strict-Transport-Security $hsts_header;
-          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-          add_header 'Referrer-Policy' 'origin-when-cross-origin';
-          add_header X-Frame-Options DENY;
-          add_header X-Content-Type-Options nosniff;
-          add_header X-XSS-Protection "1; mode=block";
-          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-          expires 10m;
-        '';
-        locations = {
-          "/" = {
-            proxyPass = "http://127.0.0.1:80/";
-          };
-        };
-      };
      "password.${domain}" = {
        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";