nixos-config/hosts/voyager/services/nextcloud.nix

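{ config, pkgs, lib, ... }:
# NixOS module for the Nextcloud instance on this host: PostgreSQL over the
# local socket, data on /tank/nextcloud, admin password via sops, and a
# hardened phpfpm-nextcloud unit.
let
  cfg = config.services.nextcloud;
  hostName = "cloud.feal.no";
in {
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud29;
    inherit hostName;
    home = "/tank/nextcloud";
    https = true;
    webfinger = true;

    config = {
      dbtype = "pgsql";
      dbuser = "nextcloud";
      # Unix socket: the database is not reachable over TCP from this unit.
      dbhost = "/run/postgresql";
      dbname = "nextcloud";
      adminuser = "ncadmin";
      # Initial admin password comes from the sops-managed file at setup time;
      # only the path is in the Nix store, never the value.
      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
    };

    settings = {
      # X-Forwarded-For is only honoured from this one reverse proxy; keep the
      # list tight, a permissive entry lets clients spoof their source address.
      trusted_proxies = [ "192.168.10.175" ]; # defiant
      default_phone_region = "NO";
      log_type = "file";
    };

    phpOptions = {
      "opcache.interned_strings_buffer" = "16";
      # mkForce: the Nextcloud module sets its own (lower) defaults for these.
      "upload_max_filesize" = lib.mkForce "8G";
      "post_max_size" = lib.mkForce "8G";
      "memory_limit" = lib.mkForce "8G";
    };

    poolSettings = {
      "pm" = "ondemand";
      "pm.max_children" = 32;
      "pm.process_idle_timeout" = "10s";
      "pm.max_requests" = 500;
    };
  };

  # Expose the occ wrapper on the host for administration.
  environment.systemPackages = [ cfg.occ ];

  sops.secrets."nextcloud/adminpass" = {
    mode = "0440";
    owner = "nextcloud";
    group = "nextcloud";
    restartUnits = [ "phpfpm-nextcloud.service" ];
  };

  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [ {
      name = "nextcloud";
      ensureDBOwnership = true;
    } ];
  };

  # The setup step needs the database socket to exist; Requires= alone does not
  # order units, so After= is set as well.
  systemd.services."nextcloud-setup" = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };

  systemd.services."phpfpm-nextcloud" = {
    # Fix: Requires= pulls the mount in but does not order against it, so the
    # pool could come up on the empty mountpoint. After= closes that window.
    requires = [ "tank-nextcloud.mount" ];
    after = [ "tank-nextcloud.mount" ];

    serviceConfig = {
      WorkingDirectory = "/tank/nextcloud";
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      # ReadWritePaths= only carves exceptions out of ProtectSystem=strict;
      # presumably the upstream phpfpm unit sets a weaker ProtectSystem, in
      # which case this list documents the intended write set rather than
      # enforcing it — TODO confirm.
      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
      # Fix: the original key was `ReadPaths`, which is not a systemd
      # directive; systemd drops unknown keys with a warning, so the read-only
      # bind mounts were never applied. ReadOnlyPaths= is the intended one.
      ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      UMask = "0007";
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service";
      # NOTE(review): the upstream NixOS phpfpm unit runs the php-fpm master as
      # root and relies on it switching workers to the pool user; removing
      # CAP_SETUID/CAP_SETGID from the bounding set would prevent that setuid
      # call — confirm the pool actually starts with this set. Trailing space
      # in the original value trimmed.
      CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE";
    };
  };
}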