
{ config, lib, pkgs, unstable, ... }:
let
dn = "staff.tfcconnection.org";
in
with lib;
{
# security.acme = {
# acceptTerms = true;
# # defaults = {
# # email = "chris@tfcconnection.org";
# # # dnsProvider = "cloudflare";
# # # location of your CLOUDFLARE_DNS_API_TOKEN=[value]
# # # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
# # environmentFile = "/REPLACE/WITH/YOUR/PATH";
# # };
# };
# Nextcloud, served under the host name bound to `dn`. nginx (configured
# further down in this module) terminates TLS and talks to php-fpm; the
# commented Caddy block below is an earlier front-end kept only for reference.
#
# caddy = {
#   virtualHosts."${dn}".extraConfig = ''
#     encode gzip
#     reverse_proxy localhost:8080
#     redir /.well-known/carddav /remote.php/dav 301
#     redir /.well-known/caldav /remote.php/dav 301
#     header {
#       Strict-Transport-Security "max-age=15768000; includeSubDomains; reload;"
#       Access-Control-Allow-Origin *
#       Referrer-Policy no-referrer-when-downgrade
#     }
#     redir /.well-known/oidc-configuration /apps/oidc/openid-configuration 301
#     handle_path /whiteboard/* {
#       reverse_proxy http://127.0.0.1:3002
#     }
#   '';
# };
services.nextcloud = {
  enable = true;
  hostName = dn;
  home = "/storage/nextcloud";

  # nixpkgs does not bump the major version of an existing install; this has
  # to be incremented by hand for every major Nextcloud upgrade.
  package = pkgs.nextcloud31;

  # Let the NixOS module provision PostgreSQL and Redis on this host.
  database.createLocally = true;
  configureRedis = true;

  maxUploadSize = "25G";
  https = true;
  autoUpdateApps.enable = true;
  extraAppsEnable = true;
  appstoreEnable = true;
  notify_push.enable = true;

  # Apps that nixpkgs already packages for this Nextcloud release, see
  # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
  extraApps = {
    inherit (config.services.nextcloud.package.packages.apps)
      calendar contacts collectives deck integration_openai mail groupfolders
      memories tasks user_oidc app_api previewgenerator richdocuments;
    # An app that is not packaged would be fetched like this:
    # socialsharing_telegram = pkgs.fetchNextcloudApp rec {
    #   url = "https://github.com/nextcloud-releases/socialsharing/releases/download/v3.0.1/socialsharing_telegram-v3.0.1.tar.gz";
    #   license = "agpl3";
    #   sha256 = "sha256-8XyOslMmzxmX2QsVzYzIJKNw6rVWJ7uDhU1jaKJ0Q8k=";
    # };
  };

  # Values written to config.php.
  settings = {
    overwriteProtocol = "https";
    default_phone_region = "US";
    trusted_domains = [ dn ];
    # Only the local reverse proxy may supply X-Forwarded-* headers.
    trusted_proxies = [ "127.0.0.1" ];
  };

  config = {
    dbtype = "pgsql";
    adminuser = "admin";
    # Initial admin password, read during first-time setup. The file lives
    # outside the Nix store, so its own permissions decide who can read it;
    # keep it restricted to root/the nextcloud user and out of version control.
    adminpassFile = "/post";
  };

  # Suggested by Nextcloud's admin health check.
  phpOptions."opcache.interned_strings_buffer" = "16";
};
# The nextcloud module already defines the nginx vhost for `dn`; here we only
# add Let's Encrypt certificates and the plain-HTTP -> HTTPS redirect.
services.nginx.virtualHosts."${dn}" = {
  enableACME = true;
  forceSSL = true;
};
# php-fpm's listening socket must be reachable by the web server, so its
# owner and group follow whatever user/group nginx runs as.
services.phpfpm.pools.nextcloud.settings =
  let
    nginxCfg = config.services.nginx;
  in
  {
    "listen.owner" = nginxCfg.user;
    "listen.group" = nginxCfg.group;
  };
# users.users.caddy.extraGroups = [ "nextcloud" ];
# Interactive admin account gets group access to Nextcloud's files (relies on
# the relaxed StateDirectoryMode of phpfpm-nextcloud set in this module).
users.users.chris = {
  extraGroups = [ "nextcloud" ];
};
# mkForce overrides the mode the nextcloud module sets on the state
# directory; 0770 grants the nextcloud group full access (presumably so the
# `chris` account, a member of that group, can reach the data).
systemd.services.phpfpm-nextcloud.serviceConfig = {
  StateDirectoryMode = lib.mkForce "0770";
};
# The Nextcloud package itself plus the external tools the "memories" app
# shells out to (metadata extraction and video processing).
environment.systemPackages = [
  pkgs.nextcloud31
  # for nextcloud memories
  unstable.exiftool
  unstable.exif
  pkgs.ffmpeg_6
  pkgs.nodejs_20
  # NOTE(review): exiftool in nixpkgs is normally an alias of
  # perlPackages.ImageExifTool, so this may duplicate the entry above — confirm.
  unstable.perl540Packages.ImageExifTool
];
# Collabora Online container
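virtualisation.oci-containers.containers.collabora = {
  # Floating tag plus "--pull=newer" (below): every restart may run a different
  # image than the previous one. Pin to a digest if reproducible deployments
  # or a reviewable upgrade path matter.
  image = "docker.io/collabora/code:latest";
  # Publish on loopback only. The sole consumer is the nginx vhost in this
  # module, which proxies to 127.0.0.1:9980; an unqualified "9980:9980" would
  # bind every interface, and container port publishing may bypass the NixOS
  # firewall, exposing Collabora's plain-HTTP port to the network.
  ports = [ "127.0.0.1:9980:9980/tcp" ];
  environment = {
    # Also used as the nginx vhost name for the Collabora front-end.
    server_name = "office.tfcconnection.org";
    # The Nextcloud instance allowed to embed this Collabora; kept in sync
    # with the Nextcloud host name rather than repeated as a literal.
    aliasgroup1 = "https://${dn}:443";
    dictionaries = "en_US";
    # Admin console (/cool/adminws) credentials. Everything in `environment`
    # ends up in the world-readable Nix store; these placeholder values should
    # be replaced and moved to `environmentFiles` pointing at a root-only file
    # outside the store.
    username = "username";
    password = "password";
    # TLS is terminated by nginx; Collabora itself speaks plain HTTP.
    extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
  };
  extraOptions = [
    "--pull=newer"
  ];
};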
# Collabora Online nginx virtual host
# Public HTTPS front-end for Collabora Online: TLS is terminated here and every
# location is a plain reverse proxy to the container on 127.0.0.1:9980. The
# vhost name is taken from the container's server_name so the two cannot drift.
services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = {
  enableACME = true;
  forceSSL = true;
  # NOTE(review): the /cool/adminws location publishes the Collabora admin
  # console websocket on this public vhost, protected only by the username and
  # password in the container's environment. If the console is not needed,
  # drop that location; otherwise restrict it to trusted source addresses.
  extraConfig = ''
    # static files
    location ^~ /browser {
    proxy_pass http://127.0.0.1:9980;
    proxy_set_header Host $host;
    }
    # WOPI discovery URL
    location ^~ /hosting/discovery {
    proxy_pass http://127.0.0.1:9980;
    proxy_set_header Host $host;
    }
    # Capabilities
    location ^~ /hosting/capabilities {
    proxy_pass http://127.0.0.1:9980;
    proxy_set_header Host $host;
    }
    # main websocket
    location ~ ^/cool/(.*)/ws$ {
    proxy_pass http://127.0.0.1:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    location ~ ^/(c|l)ool {
    proxy_pass http://127.0.0.1:9980;
    proxy_set_header Host $host;
    }
    # Admin Console websocket
    location ^~ /cool/adminws {
    proxy_pass http://127.0.0.1:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_read_timeout 36000s;
    }
  '';
};
}