nixos/modules/server/nextcloud.nix

{
config,
lib,
pkgs,
inputs,
xlib,
...
}:
let
# Second package set, imported from the `nixpkgs-master` flake input and
# fixed to x86_64-linux. In the lines visible here `master` is referenced only
# from the commented-out collabora-online block; Nix evaluates `let` bindings
# lazily, so the import is not forced while that stays commented out.
master = import inputs.nixpkgs-master {
system = "x86_64-linux";
# config.allowUnfree = true;
# config.allowUnfreePredicate = true;
};
in
{
services = {
nextcloud-whiteboard-server = {
  enable = true;

  # Base URL of the Nextcloud instance handed to the whiteboard backend.
  # The scheme is plain http.
  # NOTE(review): confirm this name only resolves on a private or already
  # encrypted network, since the URL itself carries no TLS.
  settings.NEXTCLOUD_URL = "http://nextcloud.private";

  # The JWT secret is passed as the path of the sops-managed secret declared
  # under sops.secrets in this file, so its value is not written into this
  # module.
  secrets = [ config.sops.secrets.nextcloud-whiteboard-jwt.path ];
};
nextcloud = {
  enable = true;
  package = pkgs.nextcloud33;
  hostName = "nextcloud.private";
  home = "${xlib.dirs.services-mnt-folder}/nextcloud";
  maxUploadSize = "5G";

  # Database: PostgreSQL, created on this host by the module.
  database.createLocally = true;
  config = {
    dbtype = "pgsql";
    dbname = "nextcloud";
    dbuser = "nextcloud";
    adminuser = "oqyude";
    # The admin password is read from the sops-managed secret file, so it is
    # not spelled out in this module.
    adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
  };

  # Caching back ends.
  configureRedis = true;
  caching.redis = true;
  caching.memcached = true;

  settings = {
    log_type = "file";

    # Host names and addresses Nextcloud accepts in the Host header.
    # Every entry widens what the instance answers to; keep the list to
    # names that are really in use.
    trusted_domains = [
      "100.64.0.0"
      "192.168.1.20"
      "localhost"
      "nextcloud.local"
      "nextcloud.private"
      "nextcloud.zeroq.su"
      "office.local"
      "office.zeroq.su"
    ];

    # Reverse proxies whose forwarded client-address headers Nextcloud
    # believes. An address listed here can influence the client IP seen by
    # logging and brute-force throttling, so list only hosts that actually
    # proxy to this instance.
    trusted_proxies = [
      "100.64.1.0"
      "109.248.161.5"
    ];

    # Author's note: "maybe no". Left empty here.
    # NOTE(review): if TLS is terminated on one of the proxies above, check
    # whether generated links need this set to the external scheme.
    overwriteprotocol = "";
  };

  # Apps come only from the Nix-packaged set below; the in-app store is
  # switched off.
  extraAppsEnable = true;
  appstoreEnable = false;

  notify_push.enable = false;
  notify_push.bendDomainToLocalhost = true;

  # phpPackage = pkgs.php85;
  extraApps = {
    # `impersonate` lets privileged accounts act as other users; restrict who
    # may use it and keep an eye on its log entries.
    # `user_oidc` and `user_saml` add external login paths; their provider
    # settings are not part of this file.
    inherit (config.services.nextcloud.package.packages.apps)
      # richdocuments
      # gpoddersync
      # integration_paperless
      # memories
      # news
      # nextpod
      # notify_push
      # phonetrack
      # repod
      # sociallogin
      bookmarks
      calendar
      collectives
      contacts
      cookbook
      cospend
      dav_push
      deck
      files_retention
      forms
      groupfolders
      impersonate
      mail
      music
      notes
      onlyoffice
      polls
      previewgenerator
      spreed
      tables
      tasks
      user_oidc
      user_saml
      whiteboard
      ;
    # inherit (pkgs.nextcloud31Packages.apps)
    # # end_to_end_encryption
    # # maps
    # tasks
    # ;
  };
};
# collabora-online = {
# enable = false;
# port = 9980;
# # package = master.collabora-online;
# settings = {
# server_name = "office.zeroq.su";
# ssl = {
# enable = false;
# termination = true;
# ssl_verification = false;
# };
# net = {
# listen = "0.0.0.0";
# post_allow.host = [
# "0.0.0.0"
# ];
# };
# storage.wopi = {
# "@allow" = true;
# host = [
# "0.0.0.0/0"
# ];
# };
# };
# };
onlyoffice = {
  enable = true;

  # Where the document server is reached.
  hostname = "office.local";
  port = 8090;
  wopi = true;

  # NOTE(review): presumably this lets the document server make requests to
  # local/private addresses. If so, documents that reference internal URLs
  # can make the server fetch them; confirm it is needed for this setup.
  allowLocalConnections = true;

  # Both secrets are read from sops-managed files declared under
  # sops.secrets in this file.
  jwtSecretFile = config.sops.secrets.onlyoffice-jwt.path;
  securityNonceFile = config.sops.secrets.onlyoffice-nonce.path;
};
};
# fonts.packages = [ work.corefonts ];
# networking.hosts = {
# "localhost" = [ "nextcloud-private.local" ];
# };
# systemd.services.nextcloud-config-collabora =
# let
# inherit (config.services.nextcloud) occ;
# wopi_url = "http://localhost:${toString config.services.collabora-online.port}";
# public_wopi_url = "https://office.zeroq.su";
# wopi_allowlist = lib.concatStringsSep "," [
# "0.0.0.0/0"
# ];
# in
# {
# wantedBy = [ "multi-user.target" ];
# after = [
# "nextcloud-setup.service"
# "coolwsd.service"
# ];
# requires = [ "coolwsd.service" ];
# script = ''
# ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
# ${occ}/bin/nextcloud-occ config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
# ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
# ${occ}/bin/nextcloud-occ richdocuments:setup
# '';
# serviceConfig = {
# Type = "oneshot";
# };
# };
# `z` adjusts mode and ownership of the existing Nextcloud home directory
# without recursing: owner rwx, group r-x, no access for other accounts.
systemd.tmpfiles.rules = [ "z ${config.services.nextcloud.home} 0750 nextcloud nextcloud -" ];
# Packaging helper for Nextcloud apps, installed system-wide.
environment.systemPackages = [ pkgs.nc4nix ];
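# Secrets decrypted by sops. Each entry names the encrypted YAML file, the key
# inside it, and the account that owns the decrypted file.
#
# Mode: these were "0650", which gives the owner write access and the group
# the execute bit on a secret file. Neither is meaningful for a file that is
# only read, so the mode is reduced to read-only for owner and group ("0440").
# Other accounts still get no access.
# NOTE(review): if a different account (for example the web server) has to
# read one of these files, grant that through group membership rather than a
# wider mode. Confirm which services read each file.
sops.secrets = {
  # Nextcloud admin password, used by services.nextcloud.config.adminpassFile.
  nextcloud-adminpass = {
    format = "yaml";
    key = "adminpass";
    sopsFile = ./secrets/nextcloud.yaml;
    owner = "nextcloud";
    group = "nextcloud";
    mode = "0440";
  };
  # JWT secret passed to services.nextcloud-whiteboard-server.secrets.
  nextcloud-whiteboard-jwt = {
    format = "yaml";
    key = "whiteboard-jwt";
    sopsFile = ./secrets/nextcloud.yaml;
    owner = "nextcloud";
    group = "nextcloud";
    mode = "0440";
  };
  # Nonce file used by services.onlyoffice.securityNonceFile.
  onlyoffice-nonce = {
    format = "yaml";
    key = "nonce";
    sopsFile = ./secrets/onlyoffice.yaml;
    owner = "onlyoffice";
    group = "onlyoffice";
    mode = "0440";
  };
  # JWT secret used by services.onlyoffice.jwtSecretFile.
  onlyoffice-jwt = {
    format = "yaml";
    key = "jwt";
    sopsFile = ./secrets/onlyoffice.yaml;
    owner = "onlyoffice";
    group = "onlyoffice";
    mode = "0440";
  };
};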
}