feat: nextcloud reverse proxy

flake.nix

@@ -237,6 +237,7 @@
                       system
                       nix-version
                       settings
+                      devices
                       ;
                   };
                   users."${username}" = {

system/dev/dn-pre7780/default.nix

@@ -13,8 +13,7 @@
     ./hardware-configuration.nix
     ./boot.nix
     ./sops-conf.nix
-    ./nextcloud.nix
-    ../../modules/presets/basic.nix
+    ./nginx.nix
     ../../modules/cuda.nix
     ../../modules/gaming.nix
     ../../modules/secure-boot.nix
@@ -22,6 +21,9 @@
     ../../modules/wine.nix
     ../../modules/wireguard.nix
     ../../modules/certbot.nix
+    (import ../../modules/nextcloud.nix {
+      hostname = "pre7780.net.dn";
+    })
   ];
 
   home-manager = {

system/dev/dn-pre7780/nextcloud.nix

@@ -1,159 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
-
-  certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
-    REQUESTS_CA_BUNDLE=./system/extra/ca.crt
-    ${pkgs.certbot}/bin/certbot certonly --webroot \
-    --webroot-path ${acmeWebRoot} -v \
-    -d ${config.services.nextcloud.hostName}\
-    --server https://ca.net.dn:8443/acme/acme/directory \
-    -m admin@mail.net.dn
-
-    chown nginx:nginx -R /etc/letsencrypt
-  '';
-in
-{
-  imports = [
-    "${
-      fetchTarball {
-        url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
-        sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
-      }
-    }/nextcloud-extras.nix"
-  ];
-
-  services.postgresql = {
-    enable = true;
-    authentication = lib.mkOverride 10 ''
-      #type database  DBuser  origin-address  auth-method
-      local all       all                     trust
-    '';
-    ensureUsers = [
-      {
-        name = "nextcloud";
-        ensureDBOwnership = true;
-      }
-    ];
-    ensureDatabases = [
-      "nextcloud"
-    ];
-  };
-
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
-
-  users.groups.windows = {
-    members = [ "nextcloud" ];
-  };
-
-  services.nextcloud = {
-    enable = true;
-    datadir = "/mnt/nextcloud";
-    package = pkgs.nextcloud31;
-    configureRedis = true;
-    hostName = "pre7780.net.dn";
-    https = true;
-
-    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps)
-        news
-        contacts
-        calendar
-        tasks
-        ;
-
-      memories = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-BfxJDCGsiRJrZWkNJSQF3rSFm/G3zzQn7C6DCETSzw4=";
-        url = "https://github.com/pulsejet/memories/releases/download/v7.5.2/memories.tar.gz";
-        license = "agpl3Plus";
-      };
-
-      passwords =
-        (pkgs.fetchNextcloudApp {
-          sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
-          url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
-          license = "agpl3Plus";
-        }).overrideAttrs
-          (prev: {
-            unpackPhase = ''
-              cp $src passwords.tar.gz
-              tar -xf passwords.tar.gz
-              mv passwords/* ./
-              rm passwords.tar.gz
-              rm -r passwords
-            '';
-          });
-    };
-    extraAppsEnable = true;
-
-    database.createLocally = true;
-    config = {
-      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
-      dbtype = "pgsql";
-    };
-
-    settings = {
-      enabledPreviewProviders = [
-        "OC\\Preview\\BMP"
-        "OC\\Preview\\GIF"
-        "OC\\Preview\\JPEG"
-        "OC\\Preview\\Krita"
-        "OC\\Preview\\MarkDown"
-        "OC\\Preview\\MP3"
-        "OC\\Preview\\OpenDocument"
-        "OC\\Preview\\PNG"
-        "OC\\Preview\\TXT"
-        "OC\\Preview\\XBitmap"
-        "OC\\Preview\\HEIC"
-      ];
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    exiftool
-  ];
-
-  services.nginx = {
-    enable = true;
-    virtualHosts = {
-      ${config.services.nextcloud.hostName} = {
-        listen = lib.mkForce [
-          {
-            addr = "0.0.0.0";
-            port = 443;
-            ssl = true;
-          }
-          {
-            addr = "0.0.0.0";
-            port = 80;
-          }
-        ];
-
-        locations."^~ /.well-known/acme-challenge/" = {
-          root = "/var/www/${config.services.nextcloud.hostName}/html";
-          extraConfig = ''
-            default_type "text/plain";
-          '';
-        };
-
-        forceSSL = true;
-        sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
-        sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
-
-        extraConfig = ''
-          ssl_protocols TLSv1.2 TLSv1.3;
-          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
-          ssl_prefer_server_ciphers on;
-        '';
-      };
-    };
-  };
-}

system/dev/dn-pre7780/nginx.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    virtualHosts = {
+      ${config.services.nextcloud.hostName} = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+
+        extraConfig = ''
+          ssl_protocols TLSv1.2 TLSv1.3;
+          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
+          ssl_prefer_server_ciphers on;
+        '';
+      };
+    };
+  };
+}

system/dev/dn-server/default.nix

@@ -17,13 +17,17 @@
     ./networking.nix
     ./services.nix
     ./nginx.nix
-    ./nextcloud.nix
     ./step-ca.nix
     ../../modules/presets/minimal.nix
     ../../modules/bluetooth.nix
     ../../modules/cuda.nix
     ../../modules/gc.nix
     ../../modules/certbot.nix
+    (import ../../modules/nextcloud.nix {
+      hostname = "nextcloud.net.dn";
+      dataBackupPath = "/mnt/backup_dn";
+      dbBackupPath = "/mnt/backup_dn";
+    })
   ];
 
   environment.systemPackages = with pkgs; [

system/dev/dn-server/nextcloud.nix

@@ -1,199 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  acmeWebRoot = "/var/www/nextcloud.net.dn/html/";
-
-  certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
-    ${pkgs.certbot}/bin/certbot certonly --webroot \
-    --webroot-path ${acmeWebRoot} -v \
-    -d nextcloud.net.dn \
-    --server https://ca.net.dn:8443/acme/acme/directory \
-    -m admin@mail.net.dn
-
-    chown nginx:nginx -R /etc/letsencrypt
-  '';
-in
-{
-  imports = [
-    "${
-      fetchTarball {
-        url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
-        sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
-      }
-    }/nextcloud-extras.nix"
-  ];
-
-  services.postgresql = {
-    enable = true;
-    authentication = lib.mkOverride 10 ''
-      #type database  DBuser  origin-address  auth-method
-      local all       all                     trust
-    '';
-    ensureUsers = [
-      {
-        name = "nextcloud";
-        ensureDBOwnership = true;
-      }
-    ];
-    ensureDatabases = [
-      "nextcloud"
-    ];
-  };
-
-  services.nextcloud = {
-    enable = true;
-    package = pkgs.nextcloud31;
-    configureRedis = true;
-    hostName = "nextcloud.net.dn";
-    https = true;
-    phpExtraExtensions =
-      all: with all; [
-        imagick
-      ];
-
-    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps)
-        news
-        contacts
-        calendar
-        tasks
-        ;
-
-      passwords =
-        (pkgs.fetchNextcloudApp {
-          sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
-          url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
-          license = "agpl3Plus";
-        }).overrideAttrs
-          (prev: {
-            unpackPhase = ''
-              cp $src passwords.tar.gz
-              tar -xf passwords.tar.gz
-              mv passwords/* ./
-              rm passwords.tar.gz
-              rm -r passwords
-            '';
-          });
-    };
-    extraAppsEnable = true;
-
-    database.createLocally = true;
-    config = {
-      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
-      dbtype = "pgsql";
-    };
-
-    settings = {
-      log_type = "file";
-      enabledPreviewProviders = [
-        "OC\\Preview\\BMP"
-        "OC\\Preview\\GIF"
-        "OC\\Preview\\JPEG"
-        "OC\\Preview\\Krita"
-        "OC\\Preview\\MarkDown"
-        "OC\\Preview\\MP3"
-        "OC\\Preview\\OpenDocument"
-        "OC\\Preview\\PNG"
-        "OC\\Preview\\TXT"
-        "OC\\Preview\\XBitmap"
-        "OC\\Preview\\HEIC"
-      ];
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    exiftool
-  ];
-
-  services.nginx = {
-    virtualHosts = {
-      ${config.services.nextcloud.hostName} = {
-        listen = lib.mkForce [
-          {
-            addr = "0.0.0.0";
-            port = 443;
-            ssl = true;
-          }
-          {
-            addr = "0.0.0.0";
-            port = 80;
-          }
-        ];
-
-        locations."^~ /.well-known/acme-challenge/" = {
-          root = "/var/www/nextcloud.net.dn/html";
-          extraConfig = ''
-            default_type "text/plain";
-          '';
-        };
-
-        forceSSL = true;
-        sslCertificate = "/etc/letsencrypt/live/nextcloud.net.dn/fullchain.pem";
-        sslCertificateKey = "/etc/letsencrypt/live/nextcloud.net.dn/privkey.pem";
-
-        extraConfig = ''
-          ssl_protocols TLSv1.2 TLSv1.3;
-          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
-          ssl_prefer_server_ciphers on;
-        '';
-      };
-    };
-  };
-
-  systemd.timers."nextcloud-backup" = {
-    enable = true;
-    description = "Nextcloud backup";
-    timerConfig = {
-      OnCalendar = "*-*-* 03:00:00";
-      Persistent = true;
-      OnUnitActiveSec = "1d";
-      AccuracySec = "1h";
-      Unit = "nextcloud-backup.service";
-    };
-    wantedBy = [ "timers.target" ];
-  };
-
-  systemd.services."nextcloud-backup" = {
-    enable = true;
-    serviceConfig = {
-      User = "nextcloud";
-      ExecStart =
-        let
-          script = pkgs.writeShellScriptBin "backup" ''
-            nextcloudPath="/var/lib/nextcloud"
-            mountPoint="/mnt/backup_dn"
-            nextcloudBakPath="$mountPoint"
-            nextcloudDBBakPath="$mountPoint/nextcloud-db.bak.tar"
-
-            if [ ! -d "$nextcloudPath" ]; then
-              echo "nextcloud path not found: $nextcloudPath"
-              exit 1
-            fi
-
-            if [ ! -d "$mountPoint" ]; then
-              echo "Backup device is not mounted: $mountPoint"
-              exit 1
-            fi
-
-            if [ ! -d "$nextcloudBakPath" ]; then
-              mkdir -p "$nextcloudBakPath"
-            fi
-
-            echo "Start syncing..."
-            ${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
-            echo "Data dir backup completed."
-
-            echo "Try backing up database (postgresql)"
-            ${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
-            echo "Database backup completed."
-          '';
-        in
-        "${script}/bin/backup";
-    };
-  };
-
-}

system/dev/dn-server/nginx.nix

@@ -1,9 +1,105 @@
 {
+  config,
+  lib,
+  pkgs,
+  settings,
+  devices,
   ...
 }:
+let
+  acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
+
+  certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
+    ${pkgs.certbot}/bin/certbot certonly --webroot \
+    --webroot-path ${acmeWebRoot} -v \
+    -d ${config.services.neextcloud.hostName} \
+    --server https://ca.net.dn:8443/acme/acme/directory \
+    -m admin@mail.net.dn
+
+    chown nginx:nginx -R /etc/letsencrypt
+  '';
+
+  pre7780 = {
+    hostname = "pre7780.net.dn";
+    ip = "10.0.0.130";
+  };
+in
 {
   services.nginx = {
     enable = true;
     enableReload = true;
+
+    virtualHosts = {
+      # Nextcloud - Server
+
+      ${config.services.nextcloud.hostName} = {
+        listen = lib.mkForce [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+
+        locations."^~ /.well-known/acme-challenge/" = {
+          root = "/var/www/${config.services.nextcloud.hostName}/html";
+          extraConfig = ''
+            default_type "text/plain";
+          '';
+        };
+
+        forceSSL = true;
+        sslCertificate = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/fullchain.pem";
+        sslCertificateKey = "/etc/letsencrypt/live/${config.services.nextcloud.hostName}/privkey.pem";
+
+        extraConfig = ''
+          ssl_protocols TLSv1.2 TLSv1.3;
+          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
+          ssl_prefer_server_ciphers on;
+        '';
+      };
+
+      pre7780Hostname = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://${pre7780.ip}/";
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        locations."^~ /.well-known/acme-challenge/" = {
+          root = "/var/www/${pre7780.hostname}/html";
+          extraConfig = ''
+            default_type "text/plain";
+          '';
+        };
+
+        extraConfig = ''
+          ssl_protocols TLSv1.2 TLSv1.3;
+          ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
+          ssl_prefer_server_ciphers on;
+        '';
+
+      };
+    };
   };
 }

system/modules/nextcloud.nix

@@ -0,0 +1,177 @@
+{
+  hostname,
+  dataBackupPath ? null,
+  dbBackupPath ? null,
+}:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  imports = [
+    "${
+      fetchTarball {
+        url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
+        sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
+      }
+    }/nextcloud-extras.nix"
+  ];
+
+  services.postgresql = {
+    enable = true;
+    authentication = lib.mkOverride 10 ''
+      #type database  DBuser  origin-address  auth-method
+      local all       all                     trust
+    '';
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = [
+      "nextcloud"
+    ];
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud31;
+    configureRedis = true;
+    hostName = hostname;
+    https = true;
+    phpExtraExtensions =
+      all: with all; [
+        imagick
+      ];
+
+    maxUploadSize = "10240M";
+
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps)
+        contacts
+        calendar
+        tasks
+        ;
+
+      passwords =
+        (pkgs.fetchNextcloudApp {
+          sha256 = "sha256-Nu6WViFawQWby9CEEezAwoBNdp7O5O8a9IhDp/me/E0=";
+          url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2025.2.0/passwords.tar.gz";
+          license = "agpl3Plus";
+        }).overrideAttrs
+          (prev: {
+            unpackPhase = ''
+              cp $src passwords.tar.gz
+              tar -xf passwords.tar.gz
+              mv passwords/* ./
+              rm passwords.tar.gz
+              rm -r passwords
+            '';
+          });
+    };
+    extraAppsEnable = true;
+
+    database.createLocally = true;
+    config = {
+      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+      dbtype = "pgsql";
+    };
+
+    settings = {
+      log_type = "file";
+      enabledPreviewProviders = [
+        "OC\\Preview\\BMP"
+        "OC\\Preview\\GIF"
+        "OC\\Preview\\JPEG"
+        "OC\\Preview\\Krita"
+        "OC\\Preview\\MarkDown"
+        "OC\\Preview\\MP3"
+        "OC\\Preview\\OpenDocument"
+        "OC\\Preview\\PNG"
+        "OC\\Preview\\TXT"
+        "OC\\Preview\\XBitmap"
+        "OC\\Preview\\HEIC"
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    exiftool
+  ];
+
+  systemd = {
+    timers = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
+      "nextcloud-backup" = {
+        enable = true;
+        description = "Nextcloud backup";
+        timerConfig = {
+          OnCalendar = "*-*-* 03:00:00";
+          Persistent = true;
+          OnUnitActiveSec = "1d";
+          AccuracySec = "1h";
+          Unit = "nextcloud-backup.service";
+        };
+        wantedBy = [ "timers.target" ];
+      };
+    };
+
+    services = lib.mkIf (dataBackupPath != null || dbBackupPath != null) {
+      "nextcloud-backup" = {
+        enable = true;
+        serviceConfig = {
+          User = "nextcloud";
+          ExecStart =
+            let
+              script = pkgs.writeShellScriptBin "backup" (
+                ''
+                  nextcloudPath="${config.services.nextcloud.datadir}"
+
+                  if [ ! -d "$nextcloudPath" ]; then
+                    echo "nextcloud path not found: $nextcloudPath"
+                    exit 1
+                  fi
+                ''
+                + (
+                  if dataBackupPath != null then
+                    ''
+                      backupPath="${dataBackupPath}"
+                      nextcloudBakPath="$backupPath"
+
+                      if [ ! -d "$backupPath" ]; then
+                        echo "Backup device is not mounted: $backupPath"
+                        exit 1
+                      fi
+
+                      echo "Start syncing..."
+                      ${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
+                      echo "Data dir backup completed."
+                    ''
+                  else
+                    ""
+                )
+                + (
+                  if dbBackupPath != null then
+                    ''
+                      nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
+                      if [ ! -d "$nextcloudBakPath" ]; then
+                        mkdir -p "$nextcloudBakPath"
+                      fi
+
+                      echo "Try backing up database (postgresql)"
+                      ${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
+                      echo "Database backup completed."
+                    ''
+                  else
+                    ""
+                )
+              );
+            in
+            "${script}/bin/backup";
+        };
+      };
+    };
+  };
+}