feat(nextcloud): finishing touches and other chores

modules/server/acme/default.nix

@@ -4,7 +4,7 @@
   ...
 }: let
   inherit (lib) mkIf mkEnableOption;
-  cfg = config.server.caddy;
+  cfg = config.server.acme;
 
   getCloudflareCredentials = hostname:
     if hostname == "ziggy"
@@ -14,7 +14,7 @@
     else throw "Unknown hostname: ${hostname}";
 in {
   options = {
-    server.caddy.enable = mkEnableOption "Enables caddy";
+    server.acme.enable = mkEnableOption "Enables ACME";
   };
   config = mkIf cfg.enable {
     networking.firewall = let
@@ -40,13 +40,13 @@ in {
         environmentFile = getCloudflareCredentials config.networking.hostName;
       };
       certs.${config.server.domainPublic} = {
-        reloadServices = ["caddy.service"];
+        reloadServices = ["nginx.service"];
         domain = "${config.server.domainPublic}";
         extraDomainNames = ["*.${config.server.domainPublic}"];
         dnsProvider = "cloudflare";
         dnsResolver = "1.1.1.1:53";
         dnsPropagationCheck = true;
-        group = config.services.caddy.group;
+        group = config.services.nginx.group;
         environmentFile = getCloudflareCredentials config.networking.hostName;
       };
     };
@@ -67,17 +67,6 @@ in {
             redir https://{host}{uri}
           '';
         };
-
-        "http://${config.server.domainPublic}" = {
-          extraConfig = ''
-            redir https://{host}{uri}
-          '';
-        };
-        "http://*.${config.server.domainPublic}" = {
-          extraConfig = ''
-            redir https://{host}{uri}
-          '';
-        };
       };
     };
   };

modules/server/default.nix

@@ -102,17 +102,5 @@ in {
         ];
       };
     };
-
-    systemd.services.hd-idle = {
-      description = "External HD spin down daemon";
-      wantedBy = ["multi-user.target"];
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = let
-          idleTime = toString 900;
-          hardDriveParameter = lib.strings.concatMapStringsSep " " (x: "-a ${x} -i ${idleTime}") hardDrives;
-        in "${pkgs.hd-idle}/bin/hd-idle -i 0 ${hardDriveParameter}";
-      };
-    };
   };
 }

modules/server/nextcloud/default.nix

@@ -57,12 +57,6 @@ in {
     };
   };
   config = lib.mkIf cfg.enable {
-    services.nginx.virtualHosts."nextcloud".listen = [
-      {
-        addr = "127.0.0.1";
-        port = 8083;
-      }
-    ];
     services.cloudflared = {
       enable = true;
       tunnels.${cfg.cloudflared.tunnelId} = {
@@ -89,22 +83,21 @@ in {
       caching = {
         redis = true;
       };
-      occ = {
-        maintenance = "install";
+      phpOptions = {
+        "opcache.jit" = "tracing";
+        "opcache.jit_buffer_size" = "100M";
+        "opcache.interned_strings_buffer" = "16";
+        "opcache.max_accelerated_files" = "10000";
+        "opcache.memory_consumption" = "1280";
       };
-      database.createLocally = true;
       maxUploadSize = "50G";
       settings = {
+        maintenance_window_start = "1";
         trusted_proxies = ["127.0.0.1"];
-        trusted_domains = ["cloud.${srv.domainPublic}" "192.168.88.14"];
+        trusted_domains = ["cloud.${srv.domainPublic}"];
         overwriteprotocol = "https";
         overwritehost = "cloud.${srv.domainPublic}";
         overwrite.cli.url = "https://cloud.${srv.domainPublic}";
-        # mail_smtpmode = "sendmail";
-        # mail_sendmailmode = "pipe";
-        # user_oidc = {
-        #   allow_multiple_user_backends = 0;
-        # };
         forwarded_for_headers = [
           "HTTP_CF_CONNECTING_IP"
         ];
@@ -131,11 +124,31 @@ in {
         adminpassFile = cfg.adminpassFile;
       };
     };
-    services.caddy.virtualHosts."${srv.domainPublic}" = {
-      useACMEHost = srv.domainPublic;
-      extraConfig = ''
-        reverse_proxy http://127.0.0.1:8083
-      '';
+    services = {
+      nginx = {
+        virtualHosts.nextcloud = {
+          useACMEHost = srv.domainPublic;
+          listen = [
+            {
+              addr = "127.0.0.1";
+              port = 8083;
+            }
+          ];
+          extraConfig = ''
+            add_header Referrer-Policy                      "no-referrer"   always;
+            add_header X-Content-Type-Options               "nosniff"       always;
+            add_header X-Download-Options                   "noopen"        always;
+            add_header X-Frame-Options                      "SAMEORIGIN"    always;
+            add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+            add_header X-Robots-Tag                         "none"          always;
+            add_header X-XSS-Protection                     "1; mode=block" always;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains;";
+
+            access_log /var/log/nginx/nextcloud.access.log;
+            error_log /var/log/nginx/nextcloud.error.log;
+          '';
+        };
+      };
     };
     server.postgresql.databases = [
       {