nix-dotfiles/modules/nixos/nextcloud.nix

{ pkgs, config, ... }:
let
  hosts = import ../../hosts.nix;
in
{

  age.secrets = {
    nextcloud_admin_secret = { file = ../../secrets/nextcloud_admin_secret.age; owner = "nextcloud"; };
  };

  # services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
  #   enableACME = true;
  #   forceSSL = true;
  # };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud29;

    hostName = "my-nextcloud.bertof.net";
    maxUploadSize = "24G";
    caching.apcu = true;
    datadir = "/mnt/raid/nextcloud";

    database.createLocally = true;

    # extraApps = {
    #   inherit (pkgs.nextcloud28Packages.apps) mail calendar contacts;
    # };
    appstoreEnable = false;

    # autoUpdateApps.enable = true;
    # extraOptions.enabledPreviewProviders = [
    #   "OC\\Preview\\BMP"
    #   "OC\\Preview\\GIF"
    #   "OC\\Preview\\JPEG"
    #   "OC\\Preview\\Krita"
    #   "OC\\Preview\\MarkDown"
    #   "OC\\Preview\\MP3"
    #   "OC\\Preview\\OpenDocument"
    #   "OC\\Preview\\PNG"
    #   "OC\\Preview\\TXT"
    #   "OC\\Preview\\XBitmap"
    #   "OC\\Preview\\HEIC" # Enable preview of HEIC/HEIF images (others are default)
    #   "OC\\Preview\\EMF"
    # ];

    config = {
      trustedProxies = [
        # hosts.zerotier.ipv4."baldur.zto"
        # hosts.zerotier.ipv6."baldur.zto"
        hosts.tailscale.ipv4."baldur.tsn"
        hosts.tailscale.ipv6."baldur.tsn"
        # "baldur.zto"
        "baldur.tsn"
      ];
      dbtype = "pgsql";
      # extraTrustedDomains = [ "freya.tsn" ];
      adminpassFile = config.age.secrets.nextcloud_admin_secret.path;
      overwriteProtocol = "https";
      # objectstore.s3 = {
      #   enable = true;
      #   bucket = "nextcloud-storage";
      #   autocreate = false;
      #   key = "GK622e38479552cbbbba48fd04";
      #   secretFile = config.age.secrets.nextcloud_bucket_secret.path;
      #   hostname = "localhost";
      #   port = 3900;
      #   useSsl = false;
      #   region = "garage";
      #   usePathStyle = true;
      # };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 ];
}