{ config, lib, pkgs, ... }: { options.selfprivacy.modules.nextcloud = with lib; { enable = mkOption { type = types.nullOr types.bool; default = false; }; location = mkOption { type = types.nullOr types.str; default = "sda1"; }; }; config = let sp = config.selfprivacy; secrets-filepath = "/etc/selfprivacy/secrets.json"; db-pass-filepath = "/var/lib/nextcloud/db-pass"; admin-pass-filepath = "/var/lib/nextcloud/admin-pass"; hostName = "cloud.${sp.domain}"; in lib.mkIf sp.modules.nextcloud.enable { system.activationScripts.nextcloudSecrets = '' mkdir -p /var/lib/nextcloud ${pkgs.jq}/bin/jq < ${secrets-filepath} -r '.modules.nextcloud.databasePassword' > ${db-pass-filepath} chmod 0440 ${db-pass-filepath} chown nextcloud:nextcloud ${db-pass-filepath} ${pkgs.jq}/bin/jq < ${secrets-filepath} -r '.modules.nextcloud.adminPassword' > ${admin-pass-filepath} chmod 0440 ${admin-pass-filepath} chown nextcloud:nextcloud ${admin-pass-filepath} ''; fileSystems = lib.mkIf sp.useBinds { "/var/lib/nextcloud" = { device = "/volumes/${sp.modules.nextcloud.location}/nextcloud"; options = [ "bind" ]; }; }; services.nextcloud = { enable = true; package = pkgs.nextcloud25; inherit hostName; # Use HTTPS for links https = false; # auto-update Nextcloud Apps autoUpdateApps.enable = true; # set what time makes sense for you autoUpdateApps.startAt = "05:00:00"; config = { # further forces Nextcloud to use HTTPS overwriteProtocol = "https"; dbtype = "sqlite"; dbuser = "nextcloud"; dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself dbname = "nextcloud"; dbpassFile = db-pass-filepath; adminpassFile = admin-pass-filepath; adminuser = "admin"; }; }; services.nginx.virtualHosts.${hostName} = { sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem"; sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem"; forceSSL = true; extraConfig = '' add_header Strict-Transport-Security $hsts_header; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; expires 10m; ''; locations = { "/" = { proxyPass = "http://127.0.0.1:80/"; }; }; }; } # FIXME do we really want to delete passwords on module deactivation!? // lib.mkIf (!sp.modules.nextcloud.enable) { system.activationScripts.nextcloudSecrets = lib.trivial.warn ( "nextcloud service is disabled, " + "${db-pass-filepath} and ${admin-pass-filepath} will be removed!" ) '' rm -f ${db-pass-filepath} rm -f ${admin-pass-filepath} ''; }; }