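# Nextcloud container definition for the syscfg server module.
#
# Arguments (supplied by the caller / builder):
#   config       - NixOS config; only config.syscfg.server is read here
#   containerCfg - this container's settings (subdomain, port, ip, pubPort, extra)
#   pkgs, lib    - nixpkgs and its library
#   builder      - provides mkContainer and host (address of the shared services)
#   name         - container name, also passed on as the secret reference
#
# Returns an attribute set with the host paths to create, the container spec,
# a setup script run on the "server" trigger, and a cron line for Nextcloud's
# background jobs.
{ config, containerCfg, pkgs, lib, builder, name, ... }:
let
  version = "31";
  serverCfg = config.syscfg.server;
  # Public host name of this instance.
  fqdn = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
  # Runs `php ...` as www-data inside the live container; shared by setup and cron.
  podmanPhp = "${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php";
  # Per-container Traefik middleware for the CalDAV/CardDAV well-known redirect.
  caldavMw = "${containerCfg.subdomain}-caldav";
in
{
  # Host directories bind-mounted into the container; 33:33 is www-data in the image.
  paths = [
    { path = "${serverCfg.dataPath}/nextcloud/www"; owner = "33:33"; mode = "0755"; }
    { path = "${serverCfg.dataPath}/nextcloud/data"; owner = "33:33"; mode = "0755"; backup = true; }
  ];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "nextcloud:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      # NOTE(review): presumably the secret named after this container carries the
      # DB/SMTP credentials the image expects — confirm in builder.mkContainer.
      secret = name;
      extraEnv = {
        REDIS_HOST = builder.host;
        POSTGRES_HOST = builder.host;
        POSTGRES_USER = "nextcloud_user";
        POSTGRES_DB = "nextcloud_db";
        # Key must not carry trailing whitespace, otherwise the image never sees it.
        NEXTCLOUD_TRUSTED_DOMAINS = fqdn;
        SMTP_HOST = serverCfg.mailServer;
        # NOTE(review): literal placeholder values — verify the builder substitutes
        # them from the secret instead of shipping them as-is.
        SMTP_NAME = "mail_user";
        SMTP_PASSWORD = "mail_password";
        MAIL_FROM_ADDRESS = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
        MAIL_DOMAIN = serverCfg.mailDomain;
        # Proxies whose X-Forwarded-* headers Nextcloud trusts for the client IP
        # (brute-force protection, logging). Every host in these ranges can set
        # them, so keep the list as narrow as the network layout allows.
        TRUSTED_PROXIES = "10.10.0.0/16 192.168.0.0/16";
      };
      extraLabels = {
        # Router chain: HSTS headers, then the well-known CalDAV/CardDAV redirect.
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${caldavMw}";
        "traefik.http.middlewares.${caldavMw}.redirectregex.permanent" = "true";
        "traefik.http.middlewares.${caldavMw}.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
        "traefik.http.middlewares.${caldavMw}.redirectregex.replacement" = "https://$1/remote.php/dav";
        # 15552000 s = 180 days, the minimum Nextcloud's setup check asks for.
        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
      };
      # Size-capped tmpfs for /tmp without exec/suid bits.
      extraOptions = [ "--tmpfs=/tmp:rw,noexec,nosuid,size=256m" ];
      overrides = {
        # Publish a host port only when both the public and container port are set.
        ports = lib.optional (containerCfg.pubPort != null && containerCfg.port != null)
          "${toString containerCfg.pubPort}:${toString containerCfg.port}";
        volumes = [
          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
        ];
      };
    };
  };

  setup = {
    trigger = "server";
    script = pkgs.writeShellScript "setup" ''
      # occ wrapper; left unquoted on purpose so the words split into the command.
      OCC="${podmanPhp} occ"

      echo "Waiting for Nextcloud container to start..."
      until $OCC status > /dev/null 2>&1; do
        sleep 2
      done

      # `occ status --output=json` reports "installed":false until the installer
      # has run; most occ commands refuse to work in that state, so there is
      # nothing to configure (or maintain) yet.
      if $OCC status --output=json | grep -qE '"installed": ?false'; then
        echo "Nextcloud is not installed yet. Skipping setup."
        exit 0
      fi

      # Everything below is idempotent and re-applied on every trigger.
      # $OCC maintenance:install \
      #   --admin-user "admin" \
      #   --admin-pass "adminpassword"

      echo "Applying settings..."
      $OCC config:system:set default_phone_region --value="CH"
      $OCC config:system:set overwriteprotocol --value="https"
      $OCC config:app:set core backgroundjobs_mode --value="cron"
      $OCC config:system:set maintenance_window_start --type=integer --value=1
      $OCC config:system:set default_language --value="en"
      $OCC config:system:set default_locale --value="en_CH"

      echo "Applying apps..."
      for app in activity app_api comments firstrunwizard nextcloud_announcements \
                 oauth2 recommendations sharebymail support updatenotification user_status; do
        $OCC app:disable "$app"
      done
      $OCC config:system:set show_first_run_wizard --type=bool --value=false
      # app:install fails for an app that is already present; that is expected.
      for app in calendar contacts camerarawpreviews cospend deck files_markdown \
                 forms groupfolders ownpad previewgenerator richdocuments spreed; do
        $OCC app:install "$app" || true
      done
      # $OCC app:install side_menu || true
      # $OCC app:install user_saml || true

      echo "Applying app settings..."
      ${lib.optionalString (serverCfg.containers ? ethercalc) ''
        # NOTE(review): the backslashes survive shell quoting, so the stored value
        # is "https:\/\/host" — confirm ownpad expects that form and not a plain URL.
        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https:\/\/${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
      ''}
      ${lib.optionalString (serverCfg.containers ? etherpad) ''
        # NOTE(review): same escaped-slash question as the ethercalc host above.
        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
        $OCC config:app:set ownpad ownpad_etherpad_host --value="https:\/\/${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
      ''}
      ${lib.optionalString (serverCfg.containers ? collabora) ''
        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
      ''}
      # configure side_menu ...
      # configure user_saml (HOW ?)
      $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json

      echo "Applying theme..."
      $OCC config:app:set theming url --value="https://${fqdn}"
      ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
      ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
      $OCC config:app:set theming color --value="${serverCfg.colorScheme.palette.base0C}"
      #$OCC theming:config logo {serverCfg.colorScheme.logo}
      #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
      #$OCC theming:config background {serverCfg.colorScheme.bg}

      echo "Maintenance..."
      $OCC app:update --all
      $OCC maintenance:repair --include-expensive --no-interaction
      $OCC db:add-missing-indices --no-interaction
      echo "Completed Setup"
    '';
  };

  # Nextcloud background jobs (backgroundjobs_mode=cron above) every 5 minutes.
  cron = [ "*/5 * * * * root ${podmanPhp} -f /var/www/html/cron.php" ];
}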