nixos-config/modules/services/nextcloud.nix

{ config, ... }:
{
  security.acme = {
    acceptTerms = true;
    preliminarySelfsigned = false;
    defaults = {
      email = "ahwx@ahwx.org";
    };
  };

  services.nextcloud = {
    enable = true;
    home = "/var/nextcloud/home";
    https = true;
    configureRedis = false; # caching
    maxUploadSize = "10G";
    hostName = "cloud.liv.town";

    config = {
      adminuser = "liv";
      adminpassFile = "/var/nextcloud/AdminPass";
    };

    settings = {
      trusted_domains = [
        "cloud.liv.town"
      ];
      enabledPreviewProviders = [
        "OC\\Preview\\BMP"
        "OC\\Preview\\GIF"
        "OC\\Preview\\JPEG"
        "OC\\Preview\\Krita"
        "OC\\Preview\\MarkDown"
        "OC\\Preview\\MP3"
        "OC\\Preview\\OpenDocument"
        "OC\\Preview\\PNG"
        "OC\\Preview\\TXT"
        "OC\\Preview\\XBitmap"
        "OC\\Preview\\HEIC"
      ];
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Hardened TLS and HSTS preloading
    appendHttpConfig = ''
      # Add HSTS header with preloading to HTTPS requests.
      # Do not add HSTS header to HTTP requests.
      map $scheme $hsts_header {
          https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security $hsts_header;

      # Enable CSP for your services.
      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

      # Disable embedding as a frame
      add_header X-Frame-Options DENY;

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

      # This might create errors
      # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';

    virtualHosts = {
      "${config.services.nextcloud.hostName}" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/".proxyPass = "http://localhost:8080";
          "/".proxyWebsockets = true;
        };
      };
    };
  };
}