nextcloud: move out of container

hosts/defiant/services/nginx.nix

@@ -57,15 +57,7 @@
       extraConfig = ''
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
         server_tokens off;
-        gzip on;
-        gzip_vary on;
-        gzip_comp_level 4;
-        gzip_min_length 256;
-        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
 
         # HSTS settings
         # WARNING: Only add the preload option once you read about
@@ -75,7 +67,7 @@
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
       '';
-      locations."/".proxyPass = "http://nextcloud.home.feal.no/";
+      locations."/".proxyPass = "http://voyager.home.feal.no/";
     };
   };
 }

hosts/voyager/services/nextcloud.nix

@@ -1,80 +1,88 @@
 { config, pkgs, lib, ... }:
 let
-  cfg = config.containers.nextcloud.config.services.nextcloud;
+  cfg = config.services.nextcloud;
   hostName = "cloud.feal.no";
 in {
-  containers.nextcloud = {
-    autoStart = true;
-    ephemeral = true;
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud28;
+    inherit hostName;
+    home = "/var/lib/nextcloud";
+    https = true;
+    webfinger = true;
 
-    privateNetwork = true;
-    hostBridge = "br0";
-    localAddress = "192.168.10.171/24";
-
-    bindMounts = {
-      "/var/lib/nextcloud"  = { isReadOnly = false; hostPath = "/tank/nextcloud/nextcloud/";  };
-      "/var/lib/postgresql" = { isReadOnly = false; hostPath = "/tank/nextcloud/postgresql/"; };
-      "/srv/secrets/"       = { isReadOnly = true;  hostPath = "/tank/nextcloud/secrets/";    };
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      adminuser = "ncadmin";
+      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+      trustedProxies = [ "192.168.10.175" ]; # defiant
+      defaultPhoneRegion = "NO";
     };
 
-    config = { config, pkgs, ... }: {
-      system.stateVersion = "23.11";
+    # phpOptions = {
+    #   "opcache.interned_strings_buffer" = "16";
+    #   "upload_max_filesize" = "4G";
+    #   "post_max_size" = "4G";
+    #   "memory_limit" = "4G";
+    # };
 
-      networking = {
-        firewall = {
-          enable = true;
-          allowedTCPPorts = [ 80 ];
-        };
-
-        defaultGateway = "192.168.10.1";
-      };
-      time.timeZone = "Europe/Oslo";
-
-      services.nextcloud = {
-        enable = true;
-        package = pkgs.nextcloud28;
-        inherit hostName;
-        home = "/var/lib/nextcloud";
-        https = true;
-
-        config = {
-          dbtype = "pgsql";
-          dbuser = "nextcloud";
-          dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
-          dbname = "nextcloud";
-          adminpassFile = "/srv/secrets/adminpass";
-          adminuser = "ncadmin";
-          trustedProxies = [ "192.168.10.175" ]; # defiant
-        };
-
-        # phpOptions = {
-        #   "opcache.interned_strings_buffer" = "16";
-        #   "upload_max_filesize" = "4G";
-        #   "post_max_size" = "4G";
-        #   "memory_limit" = "4G";
-        # };
-
-        poolSettings = {
-          "pm" = "ondemand";
-          "pm.max_children" = 32;
-          "pm.process_idle_timeout" = "10s";
-          "pm.max_requests" = 500;
-        };
-      };
-
-      services.postgresql = {
-        enable = true;
-        ensureDatabases = [ "nextcloud" ];
-        ensureUsers = [ {
-          name = "nextcloud";
-          ensureDBOwnership = true;
-        } ];
-      };
-
-      systemd.services."nextcloud-setup" = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.service" ];
-      };
+    poolSettings = {
+      "pm" = "ondemand";
+      "pm.max_children" = 32;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 500;
     };
   };
+
+  environment.systemPackages = [ cfg.occ ];
+
+  sops.secrets."nextcloud/adminpass" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [ {
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    } ];
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  systemd.services."phpfpm-nextcloud".serviceConfig = {
+    WorkingDirectory = "/var/lib/nextcloud";
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateMounts = true;
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+    RemoveIPC = true;
+    RestrictSUIDSGID = true;
+    UMask = "0007";
+    SystemCallArchitectures = "native";
+    SystemCallFilter = "@system-service";
+    CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+  };
+
+  fileSystems."/var/lib/nextcloud" = {
+    device = "/tank/nextcloud";
+    options = [ "bind "];
+  };
 }