nixconfig/modules/server/containers/defs/nextcloud.nix

{ config, containerCfg, pkgs, lib, builder, name,... }:
let 
version = "31";
serverCfg = config.syscfg.server;
in {
  paths = [{
    path="${serverCfg.dataPath}/nextcloud/www";
    owner = "33:33";
    mode = "0755";
  }{
    path="${serverCfg.dataPath}/nextcloud/data";
    owner = "33:33";
    mode = "0755";
    backup = true;
  }];

  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      image = "nextcloud:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = name;
      extraEnv = {
        REDIS_HOST = builder.host;
        POSTGRES_HOST = builder.host;
        POSTGRES_USER = "nextcloud_user";
        POSTGRES_DB = "nextcloud_db";
        AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
        "NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
        "SMTP_HOST" = serverCfg.mailServer;
        "SMTP_NAME" = "mail_user";
        "SMTP_PASSWORD" = "mail_password";
        "MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
        "MAIL_DOMAIN" = serverCfg.mailDomain;
        "TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
      };
      extraLabels = {
        "traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
        "traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
        "traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
        "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
      };
      extraOptions = [
        "--tmpfs=/tmp:rw,noexec,nosuid,size=256m"
      ];
      overrides = {
        ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
        volumes = [
          "${serverCfg.dataPath}/nextcloud/www:/var/www/html"
          "${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
        ];
      };
    };
  };

  setup = {
    trigger="server";
    script = pkgs.writeShellScript "setup" ''
      # Define the command wrapper
      OCC="${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php occ"

      echo "Waiting for Nextcloud container to start..."
      until $OCC status > /dev/null 2>&1; do
        sleep 2
      done

      INSTALLED=$($OCC status --output=json | grep -o '"installed":false')
      if [ -z "$INSTALLED" ]; then
        echo "Running first-time setup..."
        
        # $OCC maintenance:install \
        #   --admin-user "admin" \
        #   --admin-pass "adminpassword"

        echo "Applying Settings..."
        
        $OCC config:system:set default_phone_region --value="CH"
        $OCC config:system:set overwriteprotocol --value="https"
        $OCC config:app:set core backgroundjobs_mode --value="cron"
        $OCC config:system:set maintenance_window_start --type=integer --value=1
        $OCC config:system:set default_language --value="en"
        $OCC config:system:set default_locale --value="en_CH"

        echo "Applying Apps..."
        $OCC app:disable activity
        $OCC app:disable app_api
        $OCC app:disable comments
        $OCC app:disable firstrunwizard
        $OCC config:system:set show_first_run_wizard --type=bool --value=false
        $OCC app:disable nextcloud_announcements
        $OCC app:disable oauth2
        $OCC app:disable recommendations
        $OCC app:disable sharebymail
        $OCC app:disable support
        $OCC app:disable updatenotification
        $OCC app:disable user_status

        $OCC app:install calendar || true
        $OCC app:install calendar || true
        $OCC app:install contacts || true
        $OCC app:install camerarawpreviews || true
        $OCC app:install cospend || true
        $OCC app:install deck || true
        $OCC app:install files_markdown || true
        $OCC app:install forms || true
        $OCC app:install groupfolders || true
        $OCC app:install ownpad || true
        $OCC app:install previewgenerator || true
        $OCC app:install richdocuments || true
        # $OCC app:install side_menu || true 
        $OCC app:install spreed || true
        # $OCC app:install user_saml || true

        echo "Applying Apps Settings..."
        ${lib.optionalString (serverCfg.containers ? ethercalc) ''
        $OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
        $OCC config:app:set ownpad ownpad_ethercalc_host --value="https:\/\/${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
        ''}
        ${lib.optionalString (serverCfg.containers ? etherpad) ''
        $OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
        $OCC config:app:set ownpad ownpad_etherpad_host --value="https:\/\/${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
        ''}
        ${lib.optionalString (serverCfg.containers ? collabora) ''
        $OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
        $OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
        ''}
        # configure side_menu ...
        # configure user_saml (HOW ?)

        $OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json

        echo "Applying Theme..."
        $OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
        ${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
        ${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
        $OCC config:app:set theming color --value="${serverCfg.colorScheme.palette.base0C}"

        #$OCC theming:config logo {serverCfg.colorScheme.logo}
        #$OCC theming:config logoheader {serverCfg.colorScheme.logo}
        #$OCC theming:config background {serverCfg.colorScheme.bg}
            
      else
          echo "Nextcloud is already installed. Skipping setup."
      fi

      echo "Maintenance..."
      $OCC app:update --all
      $OCC maintenance:repair --include-expensive --no-interaction
      $OCC db:add-missing-indices --no-interaction

      echo "Completed Setup"
    '';
  };

  cron = [ "*/5 * * * *  root  ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
}