nixos-hypervisor/services/nextcloud/default.nix
Théo Barnouin 781ce2d5e9
Format using alejandra
2025-01-23 14:13:19 +01:00


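# NixOS module for the Nextcloud VM: declares `services.vm_nextcloud`, and when
# enabled configures Nextcloud (remote PostgreSQL, local Redis, served under
# /cloud through the Nginx reverse proxy) plus a fail2ban filter and jail that
# read the Nextcloud log file.
{
  lib,
  config,
  pkgs,
  ...
}: let
  cfg = config.services.vm_nextcloud;
in {
  options.services.vm_nextcloud = {
    # mkEnableOption already prefixes the text with "Whether to enable ".
    enable = lib.mkEnableOption "the Nextcloud VM service";
    proxy_ip = lib.mkOption {
      type = lib.types.str;
      description = "The Nginx proxy IP address";
    };
    db_ip = lib.mkOption {
      type = lib.types.str;
      # Was "Gitea database IP address", a copy-paste leftover from another module.
      description = "IP address of the PostgreSQL server hosting the Nextcloud database";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.etc = {
      # fail2ban filter matching Nextcloud's JSON log lines for failed logins,
      # failed two-factor challenges and trusted-domain errors. <HOST> is taken
      # from the "remoteAddr" field of the log entry.
      # The extra indentation of the 2nd and 3rd failregex lines is significant:
      # fail2ban treats indented lines as continuations of the previous value.
      "fail2ban/filter.d/nextcloud.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
        [Definition]
        _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
        failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                    ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
                    ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
        datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
      '');
    };

    services = {
      # Jail: 3 matches within 12 h (findtime = 43200 s) ban the address for
      # 24 h (bantime = 86400 s) on the http and https ports.
      # NOTE(review): only the jail is declared here; services.fail2ban.enable
      # is not set in this module, so it has to be enabled elsewhere for the
      # jail to be loaded.
      # NOTE(review): requests reach this VM through the proxy, so the packets
      # the local firewall sees presumably carry cfg.proxy_ip as source. A ban
      # on the client address logged by Nextcloud would then block nothing
      # here; the ban has to be enforced on the proxy (or the jail given an
      # action that does so). Confirm how bans are meant to take effect.
      # NOTE(review): the logged remoteAddr is only the real client if the
      # proxy sets the forwarded-for header that trusted_proxies makes
      # Nextcloud honour; otherwise every failure is attributed to the proxy
      # address. Verify on a test login failure.
      fail2ban.jails.nextcloud = ''
        backend = auto
        enabled = true
        port = http,https
        filter = nextcloud
        maxretry = 3
        bantime = 86400
        findtime = 43200
        logpath = /var/lib/nextcloud/data/nextcloud.log
      '';

      nextcloud = {
        enable = true;
        hostName = "${config.services.vm.vm_ip}";
        home = "/var/lib/nextcloud";
        maxUploadSize = "10240M";
        caching.redis = true;
        configureRedis = true;
        # The database lives on another host (see config.dbhost below).
        database.createLocally = false;
        phpOptions = {
          "opcache.interned_strings_buffer" = "16";
          "opcache.memory_consumption" = "512";
        };
        settings = {
          # Only this address is trusted to supply forwarded-for headers.
          trusted_proxies = [cfg.proxy_ip];
          trusted_domains = [cfg.proxy_ip];
          # NOTE(review): Nextcloud will generate http:// URLs. If the proxy
          # terminates TLS for clients this should presumably be "https";
          # if the service really is plain HTTP end to end, credentials and
          # session cookies cross the network unencrypted. Confirm.
          overwriteprotocol = "http";
          # Keys that contain dots must be quoted. Unquoted, Nix parses
          # `overwrite.cli.url` as the nested path overwrite -> cli -> url, so
          # Nextcloud never receives the `overwrite.cli.url` key (same for
          # `htaccess.RewriteBase`).
          "overwrite.cli.url" = "http://${cfg.proxy_ip}/cloud/";
          overwritehost = cfg.proxy_ip;
          overwritewebroot = "/cloud";
          "htaccess.RewriteBase" = "/cloud";
          # File logging is what the fail2ban jail above reads.
          log_type = "file";
        };
        config = {
          # NOTE(review): nothing here requests TLS for the PostgreSQL
          # connection; check whether the link to cfg.db_ip is otherwise
          # protected.
          dbhost = "${cfg.db_ip}:5432";
          dbname = "nextcloud";
          dbuser = "nextcloud";
          dbtype = "pgsql";
          # Passwords are read from files at runtime rather than written into
          # the Nix expression.
          dbpassFile = "/run/secrets/nextcloud/nextcloud-dbpass";
          adminuser = "tbarnouin";
          adminpassFile = "/run/secrets/nextcloud/nextcloud-adminpass";
        };
      };
    };

    # NOTE(review): this opens port 80 to every source, not just cfg.proxy_ip.
    # trusted_proxies only decides whose forwarded-for headers are honoured; it
    # does not prevent clients from connecting to the VM directly and bypassing
    # whatever the proxy enforces. Restrict the source address here or
    # upstream if the VM network is reachable by anything but the proxy.
    networking.firewall.allowedTCPPorts = [80];
  };
}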