From 5aa756b84220e2ca0eba10306a8423b0ad5bd84a Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Mon, 3 Jun 2024 15:38:56 +0200
Subject: [PATCH] voyager: move nextcloud to zfs directly

---
 hosts/voyager/services/nextcloud.nix | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/hosts/voyager/services/nextcloud.nix b/hosts/voyager/services/nextcloud.nix
index 78c8db7..28b74f7 100644
--- a/hosts/voyager/services/nextcloud.nix
+++ b/hosts/voyager/services/nextcloud.nix
@@ -7,7 +7,7 @@ in {
     enable = true;
     package = pkgs.nextcloud29;
     inherit hostName;
-    home = "/var/lib/nextcloud";
+    home = "/tank/nextcloud";
     https = true;
     webfinger = true;
 
@@ -63,9 +63,9 @@ in {
   };
 
   systemd.services."phpfpm-nextcloud" = {
-    requires = [ "var-lib-nextcloud.mount" ];
+    requires = [ "tank-nextcloud.mount" ];
     serviceConfig = {
-      WorkingDirectory = "/var/lib/nextcloud";
+      WorkingDirectory = "/tank/nextcloud";
       NoNewPrivileges = true;
       PrivateDevices = true;
       PrivateMounts = true;
@@ -77,7 +77,8 @@ in {
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
       ProtectProc = "invisible";
-      ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
+      ReadPaths = [ "/run/secrets" "/nix/store" ];
       RemoveIPC = true;
       RestrictSUIDSGID = true;
       UMask = "0007";
@@ -86,9 +87,4 @@ in {
       CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
     };
   };
-
-  fileSystems."/var/lib/nextcloud" = {
-    device = "/tank/nextcloud";
-    options = [ "bind "];
-  };
 }
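Review bot: `ReadPaths` in the third hunk is not a systemd directive (the read-only counterpart of `ReadWritePaths=` is `ReadOnlyPaths=`), so systemd will log an unknown-key warning and ignore the line, and `/run/secrets` and `/nix/store` end up with whatever access the rest of the sandbox happens to grant instead of the explicit read-only mapping the commit intends; change it to `ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];`. In the second hunk, `requires = [ "tank-nextcloud.mount" ]` expresses a dependency but no ordering, and with the bind-mount `fileSystems` entry removed in the last hunk that mount unit presumably only exists if `/tank/nextcloud` is still mounted through systemd (a `fileSystems` entry elsewhere or zfs-mount-generator); `unitConfig.RequiresMountsFor = "/tank/nextcloud";` would derive both the Requires and After edges from the path itself and fail the service cleanly rather than let php-fpm write into an unmounted directory. The enclosing `services.nextcloud` and `systemd.services` attribute sets start outside the hunks.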