feat(nextcloud): finishing touches and other chores

2025-09-21 10:28:54 +02:00
parent c63daec95c
commit f861d363ca
7 changed files with 42 additions and 52 deletions
--- a/domainhash.txt
+++ b/domainhash.txt
@@ -0,0 +1 @@
 9077b11e97e76528abc8
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -15,7 +15,7 @@
    unbound = {
      enable = true;
    };
-    caddy = {
+    acme = {
      enable = true;
    };
    homepage-dashboard = {
--- a/hosts/ziggy/server.nix
+++ b/hosts/ziggy/server.nix
@@ -1,5 +1,4 @@
-{ config, ... }:
+{config, ...}: {
 {
  server = {
    enable = true;
    email = "adam@cnst.dev";
@@ -12,7 +11,7 @@
    unbound = {
      enable = true;
    };
-    caddy = {
+    acme = {
      enable = true;
    };
    homepage-dashboard = {
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -123,7 +123,7 @@
    server = {
      imports = [
        ./server
-        ./server/caddy
+        ./server/acme
        ./server/fail2ban
        ./server/homepage-dashboard
        ./server/nextcloud
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -4,7 +4,7 @@
  ...
 }: let
  inherit (lib) mkIf mkEnableOption;
-  cfg = config.server.caddy;
+  cfg = config.server.acme;
  getCloudflareCredentials = hostname:
    if hostname == "ziggy"
@@ -14,7 +14,7 @@
    else throw "Unknown hostname: ${hostname}";
 in {
  options = {
-    server.caddy.enable = mkEnableOption "Enables caddy";
+    server.acme.enable = mkEnableOption "Enables ACME";
  };
  config = mkIf cfg.enable {
    networking.firewall = let
@@ -40,13 +40,13 @@ in {
        environmentFile = getCloudflareCredentials config.networking.hostName;
      };
      certs.${config.server.domainPublic} = {
-        reloadServices = ["caddy.service"];
+        reloadServices = ["nginx.service"];
        domain = "${config.server.domainPublic}";
        extraDomainNames = ["*.${config.server.domainPublic}"];
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
        dnsPropagationCheck = true;
-        group = config.services.caddy.group;
+        group = config.services.nginx.group;
        environmentFile = getCloudflareCredentials config.networking.hostName;
      };
    };
@@ -67,17 +67,6 @@ in {
            redir https://{host}{uri}
          '';
        };
        "http://${config.server.domainPublic}" = {
          extraConfig = ''
            redir https://{host}{uri}
          '';
        };
        "http://*.${config.server.domainPublic}" = {
          extraConfig = ''
            redir https://{host}{uri}
          '';
        };
      };
    };
  };
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -102,17 +102,5 @@ in {
        ];
      };
    };
    systemd.services.hd-idle = {
      description = "External HD spin down daemon";
      wantedBy = ["multi-user.target"];
      serviceConfig = {
        Type = "simple";
        ExecStart = let
          idleTime = toString 900;
          hardDriveParameter = lib.strings.concatMapStringsSep " " (x: "-a ${x} -i ${idleTime}") hardDrives;
        in "${pkgs.hd-idle}/bin/hd-idle -i 0 ${hardDriveParameter}";
      };
    };
  };
 }
--- a/modules/server/nextcloud/default.nix
+++ b/modules/server/nextcloud/default.nix
@@ -57,12 +57,6 @@ in {
    };
  };
  config = lib.mkIf cfg.enable {
    services.nginx.virtualHosts."nextcloud".listen = [
      {
        addr = "127.0.0.1";
        port = 8083;
      }
    ];
    services.cloudflared = {
      enable = true;
      tunnels.${cfg.cloudflared.tunnelId} = {
@@ -89,22 +83,21 @@ in {
      caching = {
        redis = true;
      };
-      occ = {
+      phpOptions = {
-        maintenance = "install";
+        "opcache.jit" = "tracing";
        "opcache.jit_buffer_size" = "100M";
        "opcache.interned_strings_buffer" = "16";
        "opcache.max_accelerated_files" = "10000";
        "opcache.memory_consumption" = "1280";
      };
      database.createLocally = true;
      maxUploadSize = "50G";
      settings = {
        maintenance_window_start = "1";
        trusted_proxies = ["127.0.0.1"];
-        trusted_domains = ["cloud.${srv.domainPublic}" "192.168.88.14"];
+        trusted_domains = ["cloud.${srv.domainPublic}"];
        overwriteprotocol = "https";
        overwritehost = "cloud.${srv.domainPublic}";
        overwrite.cli.url = "https://cloud.${srv.domainPublic}";
        # mail_smtpmode = "sendmail";
        # mail_sendmailmode = "pipe";
        # user_oidc = {
        #   allow_multiple_user_backends = 0;
        # };
        forwarded_for_headers = [
          "HTTP_CF_CONNECTING_IP"
        ];
@@ -131,11 +124,31 @@ in {
        adminpassFile = cfg.adminpassFile;
      };
    };
-    services.caddy.virtualHosts."${srv.domainPublic}" = {
+    services = {
-      useACMEHost = srv.domainPublic;
+      nginx = {
-      extraConfig = ''
+        virtualHosts.nextcloud = {
-        reverse_proxy http://127.0.0.1:8083
+          useACMEHost = srv.domainPublic;
-      '';
+          listen = [
            {
              addr = "127.0.0.1";
              port = 8083;
            }
          ];
          extraConfig = ''
            add_header Referrer-Policy                      "no-referrer"   always;
            add_header X-Content-Type-Options               "nosniff"       always;
            add_header X-Download-Options                   "noopen"        always;
            add_header X-Frame-Options                      "SAMEORIGIN"    always;
            add_header X-Permitted-Cross-Domain-Policies    "none"          always;
            add_header X-Robots-Tag                         "none"          always;
            add_header X-XSS-Protection                     "1; mode=block" always;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains;";
            access_log /var/log/nginx/nextcloud.access.log;
            error_log /var/log/nginx/nextcloud.error.log;
          '';
        };
      };
    };
    server.postgresql.databases = [
      {