nixos/hosts/hub/apps/nextcloud.nix

{
  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensureDBOwnership = true;
      }
    ];
  };

  containers.nextcloud = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.0.1";
    localAddress = "192.168.0.3";
    config =
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        environment.etc."nextcloud-admin-pass".text = "admin";
        nixpkgs.config.allowUnfree = true;
        services = {
          nextcloud = {
            enable = true;
            hostName = "nextcloud.thewordnerd.info";
            package = pkgs.nextcloud31;
            configureRedis = true;
            maxUploadSize = "16G";
            # autoUpdateApps.enable = true;
            notify_push = {
              enable = true;
              bendDomainToLocalhost = true;
            };
            webfinger = true;
            settings = {
              overwriteprotocol = "https";
              trusted_proxies = [
                "192.168.0.1"
              ];
              default_phone_region = "US";
              # loglevel = 0;
            };
            config = {
              dbtype = "pgsql";
              dbhost = "/run/postgresql";
              adminpassFile = "/etc/nextcloud-admin-pass";
            };
            phpOptions."opcache.interned_strings_buffer" = "23";
          };
          resolved.enable = true;
        };
        # IMPORTANT: Nextcloud container startup workaround
        # The nextcloud-setup service blocks container startup when it needs to perform upgrades,
        # creating a circular dependency: the network can't be configured until the container is ready,
        # but the container can't be ready without network access for the upgrade.
        # 
        # To upgrade Nextcloud when changing major versions:
        # 1. Uncomment the lines below to disable nextcloud-setup
        # 2. Run: nixos-rebuild switch
        # 3. Run: nixos-container run nextcloud -- nextcloud-occ upgrade
        # 4. Run: nixos-container run nextcloud -- nextcloud-occ maintenance:mode --off
        # 5. Comment out the lines below again
        # 6. Run: nixos-rebuild switch
        #
        # systemd.services.nextcloud-setup = {
        #   enable = false;
        # };
        programs.nix-ld.enable = true;
        networking = {
          firewall.allowedTCPPorts = [ 80 ];
          useHostResolvConf = lib.mkForce false;
        };
        # virtualisation.docker.enable = true;
        # users.users.nextcloud.extraGroups = [ "docker" ];
        environment.systemPackages = with pkgs; [
          poppler_utils
          # (pkgs.writeScriptBin "occ" ''
          #   #!${pkgs.bash}/bin/bash
          #   exec nextcloud-occ "$@"
          # '')
        ];
        programs.java.binfmt = true;
        system.stateVersion = "24.11";
      };
    # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
    # additionalCapabilities = [
    # ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
    # ];
    bindMounts = {
      "/run/postgresql" = {
        hostPath = "/run/postgresql";
      };
    };
  };

  services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
    reverse_proxy nextcloud
    header Strict-Transport-Security max-age=31536000;
  '';

  services.caddy.virtualHosts."collabora.thewordnerd.info".extraConfig = ''
    reverse_proxy nextcloud:9980
  '';
}