voyager: move nextcloud to zfs directly

hosts/voyager/services/nextcloud.nix

@@ -7,7 +7,7 @@ in {
     enable = true;
     package = pkgs.nextcloud29;
     inherit hostName;
-    home = "/var/lib/nextcloud";
+    home = "/tank/nextcloud";
     https = true;
     webfinger = true;
 
@@ -63,9 +63,9 @@ in {
   };
 
   systemd.services."phpfpm-nextcloud" = {
-    requires = [ "var-lib-nextcloud.mount" ];
+    requires = [ "tank-nextcloud.mount" ];
     serviceConfig = {
-      WorkingDirectory = "/var/lib/nextcloud";
+      WorkingDirectory = "/tank/nextcloud";
       NoNewPrivileges = true;
       PrivateDevices = true;
       PrivateMounts = true;
@@ -77,7 +77,8 @@ in {
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
       ProtectProc = "invisible";
-      ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
+      ReadPaths = [ "/run/secrets" "/nix/store" ];
       RemoveIPC = true;
       RestrictSUIDSGID = true;
       UMask = "0007";
@@ -86,9 +87,4 @@ in {
       CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
     };
   };
-
-  fileSystems."/var/lib/nextcloud" = {
-    device = "/tank/nextcloud";
-    options = [ "bind "];
-  };
 }