{ config, lib, pkgs, namespace, ... }:
let
  # Options for this module are declared in ./options.nix under config.${namespace}.
  cfg = config.${namespace}.services.nextcloud;

  # sops-managed secrets on the host; the directories holding them are
  # bind-mounted read-only into the container further down.
  adminPasswordFile = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
  smtpSettingsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
  onlyofficeJwtFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;

  # The container's nextcloud user/group are forced to these host ids so that
  # files on the bind-mounted NAS paths have the same owner inside and outside.
  containerUid = config.users.users.nix-apps.uid;
  containerGid = config.users.groups.jallen-nas.gid;

  # Host side and container side of the private veth link.
  hostAddress = "10.0.1.3";
  localAddress = "10.0.2.18";

  # Host ports that are DNATed into the container (see networking.nat below).
  # NOTE(review): nextcloudPortExtHttps and onlyofficePortExt are both 9943, so
  # two forwardPorts entries below claim the same host port; only one DNAT rule
  # can match, which leaves the other effectively dead — confirm which is intended.
  nextcloudPortExtHttp = 9988;
  nextcloudPortExtHttps = 9943;
  onlyofficePortExt = 9943;

  # Nextcloud apps built in this flake's own overlay (host pkgs, not the container's).
  photosApp = pkgs.${namespace}.nextcloud-app-photos;
  pdfViewerApp = pkgs.${namespace}.nextcloud-app-pdfviewer;
  assistantApp = pkgs.${namespace}.nextcloud-app-assistant;

  # Bind-mount helpers: a read-only mount at the same path, and a writable
  # mount from a host path to a container path.
  readOnlyMount = path: {
    hostPath = path;
    mountPoint = path;
    isReadOnly = true;
  };
  writableMount = host: target: {
    hostPath = host;
    mountPoint = target;
    isReadOnly = false;
  };

  # NAT helper: host TCP port -> "addr:port" inside the container.
  forwardTo = srcPort: dest: {
    sourcePort = srcPort;
    destination = dest;
  };
in
{
  imports = [ ./options.nix ];

  config = lib.mkIf cfg.enable {
    containers.nextcloud = {
      autoStart = false;
      # Own network namespace; traffic reaches the container only via the
      # forwardPorts rules below.
      privateNetwork = true;
      inherit hostAddress localAddress;
      specialArgs = { inherit namespace; };

      bindMounts = {
        secrets = readOnlyMount "/run/secrets/jallen-nas/nextcloud";
        secrets2 = readOnlyMount "/run/secrets/jallen-nas/onlyoffice-key";
        data = writableMount "/media/nas/main/nextcloud" "/data";
        "/var/lib/nextcloud" = writableMount "/media/nas/main/nix-app-data/nextcloud" "/var/lib/nextcloud";
        "/var/lib/onlyoffice" = writableMount "/media/nas/main/nix-app-data/onlyoffice" "/var/lib/onlyoffice";
      };

      # Container configuration. `pkgs` and `lib` here are the container's own,
      # shadowing the host ones from the outer scope.
      config = { pkgs, lib, ... }: {
        nixpkgs.config.allowUnfree = true;

        # services.nginx.virtualHosts."cloud.mjallen.dev".listen = [
        #   {
        #     addr = "0.0.0.0";
        #     port = 8080;
        #   }
        # ];

        services = {
          nextcloud = {
            # Nextcloud itself is currently switched off; the configuration
            # below is retained for when it is enabled again.
            enable = false;
            package = pkgs.nextcloud32;
            # datadir = "/data";
            database.createLocally = true;
            hostName = "cloud.mjallen.dev";
            appstoreEnable = false;
            caching.redis = true;
            configureRedis = true;
            enableImagemagick = true;
            https = true;
            # SMTP settings are injected from the sops secret rather than written
            # into the Nix store.
            secretFile = smtpSettingsFile;

            # NOTE(review): apps are taken from nextcloud31Packages while the
            # server package is nextcloud32 — presumably left over from the
            # version bump; check the app set matches the server before re-enabling.
            extraApps = {
              inherit (pkgs.nextcloud31Packages.apps)
                app_api
                bookmarks
                mail
                calendar
                contacts
                integration_openai
                integration_paperless
                maps
                oidc_login
                onlyoffice
                previewgenerator
                recognize
                richdocuments
                user_oidc
                ;
              nextcloudPhotos = photosApp;
              nextcloudPdfViewer = pdfViewerApp;
              nextcloudAssist = assistantApp;
            };

            config = {
              adminuser = "mjallen";
              adminpassFile = adminPasswordFile;
              dbhost = "localhost";
              dbtype = "sqlite";
              dbname = "nextcloud";
              dbuser = "nextcloud";
            };

            settings = {
              # Nextcloud's loglevel scale: 3 = errors and above.
              loglevel = 3;
              # NOTE(review): this lets Nextcloud make outbound requests to
              # private/loopback addresses (presumably needed to reach OnlyOffice
              # on the same network); it weakens the built-in SSRF guard, so keep
              # it only while that integration requires it.
              allow_local_remote_servers = true;
              upgrade.disable-web = false;
              datadirectory = "/data";
              trusted_domains = [
                "${hostAddress}:${toString nextcloudPortExtHttp}"
                "${hostAddress}:${toString nextcloudPortExtHttps}"
                "${localAddress}:80"
                "${localAddress}:8080"
                "${localAddress}:443"
                "cloud.mjallen.dev"
              ];
              opcache.interned_strings_buffer = 16;
              # Only the host (the NAT side of the veth) may supply
              # X-Forwarded-* headers.
              trusted_proxies = [ hostAddress ];
              maintenance_window_start = 6;
              default_phone_region = "US";
              enable_previews = true;
              enabledPreviewProviders = [
                "OC\\Preview\\PNG"
                "OC\\Preview\\JPEG"
                "OC\\Preview\\GIF"
                "OC\\Preview\\BMP"
                "OC\\Preview\\XBitmap"
                "OC\\Preview\\MP3"
                "OC\\Preview\\TXT"
                "OC\\Preview\\MarkDown"
                "OC\\Preview\\OpenDocument"
                "OC\\Preview\\Krita"
                "OC\\Preview\\HEIC"
                "OC\\Preview\\Movie"
                "OC\\Preview\\MSOffice2003"
                "OC\\Preview\\MSOffice2007"
                "OC\\Preview\\MSOfficeDoc"
              ];
              installed = true;
              user_oidc = {
                auto_provision = false;
                soft_auto_provision = false;
                allow_multiple_user_backends = false;
              };
              # auto redirect to authentik for login
              social_login_auto_redirect = true;
            };
          };

          onlyoffice = {
            enable = true;
            port = onlyofficePortExt;
            hostname = "office.mjallen.dev";
            jwtSecretFile = onlyofficeJwtFile;
          };

          # Use systemd-resolved inside the container
          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
          resolved.enable = true;
        };

        # System packages
        environment.systemPackages = with pkgs; [
          ffmpeg
          # libtensorflow-bin
          nextcloud32
          nodejs
          onlyoffice-documentserver
          sqlite
        ];

        # Create required users and groups
        users.users.nextcloud = {
          isSystemUser = true;
          uid = lib.mkForce containerUid;
          group = "nextcloud";
        };
        # NOTE(review): placing the onlyoffice user in the nextcloud group,
        # combined with the 750 mode applied to the secrets below, lets the
        # document server read Nextcloud's SMTP/admin-password secrets — confirm
        # that is intended.
        users.users.onlyoffice = {
          group = lib.mkForce "nextcloud";
        };
        users.groups = {
          nextcloud = {
            gid = lib.mkForce containerGid;
          };
          downloads = { };
        };

        # Create and set permissions for required directories
        # NOTE(review): the two /run/secrets paths are bind-mounted read-only
        # (isReadOnly = true above), so the chown/chmod on them will presumably
        # fail with EROFS inside the container — verify the script tolerates
        # that, or drop those lines.
        # NOTE(review): chmod -R 775 leaves /data readable by every user in the
        # container; 770 would be tighter if nothing outside the nextcloud group
        # needs read access — confirm before changing.
        system.activationScripts.nextcloud-dirs = ''
          mkdir -p /data
          chown -R nextcloud:nextcloud /data
          chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
          chown -R nextcloud:nextcloud /run/secrets/jallen-nas/onlyoffice-key
          chmod -R 775 /data
          chmod -R 750 /run/secrets/jallen-nas/nextcloud
          chmod -R 750 /run/secrets/jallen-nas/onlyoffice-key
        '';

        hardware.graphics = {
          enable = true;
          # setLdLibraryPath = true;
        };
        programs.nix-ld.enable = true;

        system.stateVersion = "23.11";

        networking = {
          extraHosts = ''
            ${hostAddress} host.containers protonmail-bridge
          '';
          firewall = {
            enable = true;
            # NOTE(review): host port 8000 is forwarded in networking.nat below
            # but 8000 is not opened here, so the container firewall drops it
            # unless another module opens it.
            allowedTCPPorts = [
              8080
              80
              443
              onlyofficePortExt
            ];
          };
          # Use systemd-resolved inside the container
          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
          useHostResolvConf = lib.mkForce false;
        };
      };
    };

    # Host-side NAT: expose selected container ports on the host.
    networking.nat.forwardPorts = [
      (forwardTo nextcloudPortExtHttps "${localAddress}:443")
      # {
      #   destination = "${localAddress}:80";
      #   sourcePort = nextcloudPortExtHttp;
      # }
      (forwardTo nextcloudPortExtHttp "${localAddress}:8080")
      (forwardTo 8000 "${localAddress}:8000")
      (forwardTo onlyofficePortExt "${localAddress}:${toString onlyofficePortExt}")
    ];
  };
}