mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-26 21:01:31 +00:00
102 lines
3.4 KiB
Nix
102 lines
3.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
{
|
|
options.selfprivacy.modules.nextcloud = with lib; {
|
|
enable = mkOption {
|
|
type = types.nullOr types.bool;
|
|
default = false;
|
|
};
|
|
location = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = "sda1";
|
|
};
|
|
};
|
|
|
|
config =
|
|
let
|
|
sp = config.selfprivacy;
|
|
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
|
db-pass-filepath = "/var/lib/nextcloud/db-pass";
|
|
admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
|
|
hostName = "cloud.${sp.domain}";
|
|
in
|
|
lib.mkIf sp.modules.nextcloud.enable
|
|
{
|
|
system.activationScripts.nextcloudSecrets = ''
|
|
mkdir -p /var/lib/nextcloud
|
|
${pkgs.jq}/bin/jq < ${secrets-filepath} -r '.nextcloud.databasePassword' > ${db-pass-filepath}
|
|
chmod 0440 ${db-pass-filepath}
|
|
chown nextcloud:nextcloud ${db-pass-filepath}
|
|
|
|
${pkgs.jq}/bin/jq < ${secrets-filepath} -r '.nextcloud.adminPassword' > ${admin-pass-filepath}
|
|
chmod 0440 ${admin-pass-filepath}
|
|
chown nextcloud:nextcloud ${admin-pass-filepath}
|
|
'';
|
|
fileSystems = lib.mkIf sp.useBinds {
|
|
"/var/lib/nextcloud" = {
|
|
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
|
|
options = [ "bind" ];
|
|
};
|
|
};
|
|
services.nextcloud = {
|
|
enable = true;
|
|
package = pkgs.nextcloud25;
|
|
inherit hostName;
|
|
|
|
# Use HTTPS for links
|
|
https = false;
|
|
|
|
# auto-update Nextcloud Apps
|
|
autoUpdateApps.enable = true;
|
|
# set what time makes sense for you
|
|
autoUpdateApps.startAt = "05:00:00";
|
|
|
|
config = {
|
|
# further forces Nextcloud to use HTTPS
|
|
overwriteProtocol = "https";
|
|
|
|
dbtype = "sqlite";
|
|
dbuser = "nextcloud";
|
|
dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
|
|
dbname = "nextcloud";
|
|
dbpassFile = db-pass-filepath;
|
|
adminpassFile = admin-pass-filepath;
|
|
adminuser = "admin";
|
|
};
|
|
};
|
|
services.nginx.virtualHosts.${hostName} = {
|
|
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
|
|
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
|
|
forceSSL = true;
|
|
extraConfig = ''
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
|
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
expires 10m;
|
|
'';
|
|
locations = {
|
|
"/" = {
|
|
proxyPass = "http://127.0.0.1:80/";
|
|
};
|
|
};
|
|
};
|
|
}
|
|
# FIXME do we really want to delete passwords on module deactivation!?
|
|
//
|
|
lib.mkIf (!sp.modules.nextcloud.enable) {
|
|
system.activationScripts.nextcloudSecrets =
|
|
lib.trivial.warn
|
|
(
|
|
"nextcloud service is disabled, " +
|
|
"${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
|
|
)
|
|
''
|
|
rm -f ${db-pass-filepath}
|
|
rm -f ${admin-pass-filepath}
|
|
'';
|
|
};
|
|
}
|