diff --git a/machine-confs/idacloud.nix b/machine-confs/idacloud.nix
index badb2c5..21f8ff4 100644
--- a/machine-confs/idacloud.nix
+++ b/machine-confs/idacloud.nix
@@ -2,6 +2,7 @@
 {
 custom.nextcloud_domain = "idacloud.sinerva.eu";
 services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];
+ custom.collabora_domain = "idacollab.sinerva.eu";
 imports = [
 ../base.nix
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 2213ae4..7ce932a 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -7,48 +7,108 @@
 {
 imports = [ ./cert-store-client.nix ];
- options.custom.nextcloud_domain = lib.mkOption {
- type = lib.types.str;
- description = "Domain used by Nextcloud";
- };
+ options.custom = {
+ nextcloud_domain = lib.mkOption {
+ type = lib.types.str;
+ description = "Domain used by Nextcloud";
+ };
- config = {
- networking.firewall.allowedTCPPorts = [ 443 ];
-
- services = {
- nextcloud = {
- package = pkgs.nextcloud31;
- enable = true;
- hostName = config.custom.nextcloud_domain;
- autoUpdateApps.enable = true;
- https = true;
- maxUploadSize = "512M"; # Default
- config = {
- adminpassFile = "/var/lib/nextcloud/adminpass";
- };
- settings = {
- overwriteprotocol = "https";
- default_phone_region = "FI";
- maintenance_window_start = 1;
- };
- phpOptions = {
- "opcache.interned_strings_buffer" = 32;
- };
- };
-
- nginx = {
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
-
- virtualHosts.${config.services.nextcloud.hostName} = {
- forceSSL = true;
- kTLS = true;
- sslCertificate = "/mnt/acme/fullchain.pem";
- sslCertificateKey = "/mnt/acme/key.pem";
- };
- };
+ collabora_domain = lib.mkOption {
+ type = with lib.types; nullOr str;
+ default = null;
+ description = "Domain used by Collabora Online";
 };
 };
+
+ config = lib.mkMerge [
+ {
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services = {
+ nextcloud = {
+ package = pkgs.nextcloud31;
+ enable = true;
+ hostName = config.custom.nextcloud_domain;
+ autoUpdateApps.enable = true;
+ https = true;
+ maxUploadSize = "512M"; # Default
+ config = {
+ adminpassFile = "/var/lib/nextcloud/adminpass";
+ };
+ settings = {
+ overwriteprotocol = "https";
+ default_phone_region = "FI";
+ maintenance_window_start = 1;
+ };
+ phpOptions = {
+ "opcache.interned_strings_buffer" = 32;
+ };
+ };
+
+ nginx = {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts.${config.services.nextcloud.hostName} = {
+ forceSSL = true;
+ kTLS = true;
+ sslCertificate = "/mnt/acme/fullchain.pem";
+ sslCertificateKey = "/mnt/acme/key.pem";
+ };
+ };
+ };
+ }
+ (
+ # Optional Collabora Client
+ lib.mkIf (config.custom.collabora_domain != null) {
+ services = {
+ collabora-online = {
+ enable = true;
+ port = 9980; # default
+ settings = {
+ ssl = {
+ enable = false;
+ termination = true;
+ };
+
+ net = {
+ listen = "loopback";
+ post_allow.host = [ "::1" ];
+ };
+
+ storage.wopi = {
+ "@allow" = true;
+ host = [ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains;
+ };
+
+ server_name = config.custom.collabora_domain;
+ };
+ };
+
+ nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
+ forceSSL = true;
+ kTLS = true;
+ sslCertificate = "/mnt/acme/fullchain.pem";
+ sslCertificateKey = "/mnt/acme/key.pem";
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
+ proxyWebsockets = true; # collabora uses websockets
+ };
+ };
+
+ nextcloud = {
+ appstoreEnable = true;
+ extraAppsEnable = true;
+ extraApps = with config.services.nextcloud.package.packages.apps; {
+ inherit
+ richdocuments
+ ;
+ };
+ };
+ };
+ }
+ )
+ ];
 }
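Review bot: The WOPI allow-list in `storage.wopi.host` passes `hostName` and every `trusted_domains` entry through unescaped, and as far as I know coolwsd reads these entries as regex patterns, so each `.` matches any character and the list is looser than the literal hostnames; worth confirming against the packaged coolwsd. If so, `host = map lib.escapeRegex ([ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains);` keeps it to exactly the intended names. Also, with `listen = "loopback"` and nginx proxying from `[::1]`, every request reaches coolwsd from the one address `post_allow.host` permits, so that restriction only holds if coolwsd evaluates the forwarded client address rather than the socket peer. A comment above `appstoreEnable = true` saying why the app store stays enabled next to the pinned `richdocuments` would help the next reader.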