tfc-nixos/modules/nextcloud.nix

{ config, lib, pkgs, unstable, ... }:

let
  dn = "staff.tfcconnection.org";
in
with lib;
{
  services = {
    nextcloud = {
      enable = true;
      hostName = dn;
      home = "/storage/nextcloud";
      # Need to manually increment with every major upgrade.
      package = pkgs.nextcloud31;
      # Let NixOS install and configure the database automatically.
      database.createLocally = true;
      # Let NixOS install and configure Redis caching automatically.
      configureRedis = true;
      # Increase the maximum file upload size.
      maxUploadSize = "25G";
      https = true;
      autoUpdateApps.enable = true;
      extraAppsEnable = true;
      appstoreEnable = true;
      webfinger = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        # List of apps we want to install and are already packaged in
        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
        inherit calendar contacts collectives recognize deck integration_openai mail groupfolders memories user_oidc tasks app_api previewgenerator richdocuments;
        # Custom app example.
        # socialsharing_telegram = pkgs.fetchNextcloudApp rec {
        #   url =
        #     "https://github.com/nextcloud-releases/socialsharing/releases/download/v3.0.1/socialsharing_telegram-v3.0.1.tar.gz";
        #   license = "agpl3";
        #   sha256 = "sha256-8XyOslMmzxmX2QsVzYzIJKNw6rVWJ7uDhU1jaKJ0Q8k=";
        # };
      };
      settings = {
        overwriteWebroot = "staff.tfcconnection.org";
        overwriteProtocol = "https";
        default_phone_region = "US";
        trusted_domains = [ dn ];
        trusted_proxies = [ "127.0.0.1" "24.225.22.143" "0.0.0.0" ];
        maintenance_window_start = 1;
        preview_libreoffice_path = "${pkgs.libreoffice}/bin/libreoffice";
        log_type = "file";
        enabledPreviewProviders = [
          "OC\Preview\BMP"
          "OC\Preview\GIF"
          "OC\Preview\JPEG"
          "OC\Preview\Krita"
          "OC\Preview\MarkDown"
          "OC\Preview\MP3"
          "OC\Preview\OpenDocument"
          "OC\Preview\PNG"
          "OC\Preview\HEIC"
          "OC\Preview\SVG"
          "OC\Preview\MSOfficeDoc"
          "OC\Preview\MSOffice2007"
          "OC\Preview\Movie"
          "OC\Preview\Font"
          "OC\Preview\TXT"
          "OC\Preview\XBitmap"
        ];
        user_oidc = {
          auto_provision = true;
          soft_auto_provision = true;
          # disable_account_creation = true;
        };
      };
      config = {
        dbtype = "pgsql";
        adminuser = "admin";
        adminpassFile = "/post";
      };
      notify_push = {
        enable = true;
        package = unstable.nextcloud-notify_push;
      };
      # Suggested by Nextcloud's health check.
      phpOptions = {
        "opcache.interned_strings_buffer" = "32";
        "opcache.buffer" = "256";
      };
    };
  };
  services.nginx.virtualHosts.${dn} = {
    forceSSL = true;
    enableACME = true;
  };
  services.phpfpm.pools.nextcloud.settings = {
    "listen.owner" = config.services.nginx.user;
    "listen.group" = config.services.nginx.group;
  };
  # users.users.caddy.extraGroups = [ "nextcloud" ];
  users.users.chris.extraGroups = [ "nextcloud" ];
  systemd.services = {
    phpfpm-nextcloud.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
    nextcloud-previews = {
      enable = true;
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${config.services.nextcloud.occ}/bin/nextcloud-occ preview:pre-generate";
      };
    };
  };
  systemd.timers = {
    nextcloud-previews = {
      enable = true;
      partOf = ["nextcloud-previews.service"];
      timerConfig = {
        OnCalendar = "*-*-* 00:02:30";
        Unit = "nextcloud-previews.service";
      };
      wantedBy = [ "timers.target" ];
    };
  };

  environment.systemPackages = with pkgs; [
    nextcloud31
    # for nextcloud memories
    unstable.exiftool
    unstable.exif
    ffmpeg_6
    nodejs_20
    unstable.perl540Packages.ImageExifTool
  ];



  #Collabora Containers
  virtualisation.oci-containers.containers.collabora = {
    image = "docker.io/collabora/code:latest";
    ports = [ "9980:9980/tcp" ];
    environment = {
      server_name = "office.tfcconnection.org";
      aliasgroup1 = "https://staff.tfcconnection.org:443";
      dictionaries = "en_US";
      username = "username";
      password = "password";
      extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
    };
    extraOptions = [ 
      "--pull=newer"
    ];  
  };

  #Collabora Virtual Hosts
  services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = {
    enableACME = true;
    forceSSL = true;

    extraConfig = ''
      # static files
      location ^~ /browser {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
      }

      # WOPI discovery URL
      location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
      }

      # Capabilities
      location ^~ /hosting/capabilities {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
      }

     # main websocket
     location ~ ^/cool/(.*)/ws$ {
       proxy_pass http://127.0.0.1:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $host;
       proxy_read_timeout 36000s;
     }

     # download, presentation and image upload
     location ~ ^/(c|l)ool {
       proxy_pass http://127.0.0.1:9980;
       proxy_set_header Host $host;
     }

     # Admin Console websocket
     location ^~ /cool/adminws {
       proxy_pass http://127.0.0.1:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $host;
       proxy_read_timeout 36000s;
     }
    '';
  };
}