nextcloud refactor and collabora

2026-04-10 02:54:39 -07:00 · 2026-01-28 05:42:38 -08:00 · 2026-01-28 05:42:38 -08:00 · 4719cd64bc
commit 4719cd64bc
parent f917f8d0c8
1 changed files with 92 additions and 24 deletions
--- a/modules/nextcloud-setup.nix
+++ b/modules/nextcloud-setup.nix
@ -1,4 +1,3 @@
-# ~/nixconfig/modules/nextcloud-setup.nix
 {
  config,
  pkgs,
@ -7,47 +6,51 @@
 }:

 let
-  nextcloudExternalDomain = "cloud.death916.xyz"; # Domain used by NPM
+  # --- Configuration Variables ---
+  nextcloudExternalDomain = "cloud.death916.xyz";
+  collaboraExternalDomain = "office.death916.xyz"; # New: Domain for Collabora
+
  adminPassFilePath = "/etc/nixos/secrets/nextcloud_admin_password";
  dbPassFilePath = "/etc/nixos/secrets/nextcloud_db_password";
  nextcloudDataPath = "/storage/nextcloud-data";
-  nginxProxyManagerTailscaleIP = "100.117.212.36"; # IP of your NPM

-  internalNextcloudHttpPort = 80;
-
-  # --- For Direct Tailscale Access to homelab's Nextcloud ---
+  # Network / Proxy
+  nginxProxyManagerTailscaleIP = "100.117.212.36";
  homelabTailscaleIP = "100.65.36.116";
  homelabMagicDNSName = "homelab";
+
+  internalNextcloudHttpPort = 80;
+  collaboraPort = 9980;
 in
 {
-  # --- PostgreSQL & Redis setup ... (as before) ---
+  # --- Database & Cache ---
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_14;
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [ { name = "nextcloud"; } ];
  };
+
  services.redis.servers.nextcloud = {
    enable = true;
    user = "nextcloud";
    unixSocket = "/run/redis-nextcloud/redis.sock";
    port = 0;
  };
-  systemd.tmpfiles.rules = [ "d /run/redis-nextcloud 0750 nextcloud nextcloud - -" ];

-  # --- Nextcloud Service Configuration ---
+  # --- Nextcloud ---
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud32;
-    extraApps = {
-      # inherit (config.services.nextcloud.package.packages.apps) richdocuments;
-    };
    hostName = nextcloudExternalDomain;
-
-    https = false; # NPM handles HTTPS. Nextcloud serves HTTP internally.
+    https = false; # Handled by NPM
    datadir = nextcloudDataPath;
    maxUploadSize = "2G";

+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) richdocuments;
+    };
+
    config = {
      dbtype = "pgsql";
      dbuser = "nextcloud";
@ -57,45 +60,110 @@ in
      adminuser = "death916";
      adminpassFile = adminPassFilePath;
    };
+
    extraOptions = {
      session_keepalive = true;
-      remember_login_cookie_lifetime = 7776000; # 90 days in seconds
+      remember_login_cookie_lifetime = 7776000;
    };

    settings = {
      trusted_domains = [
-        nextcloudExternalDomain # For access via NPM
-        homelabTailscaleIP # For direct access via Tailscale IP
-        homelabMagicDNSName # For direct access via Tailscale MagicDNS name
-        # "localhost"                   # If you run occ commands directly on homelab
+        nextcloudExternalDomain
+        homelabTailscaleIP
+        homelabMagicDNSName
      ];
-
-      # --- Trusted Proxies: For NPM path ---
      trusted_proxies = [ nginxProxyManagerTailscaleIP ];

      overwriteprotocol = "https";
      overwritehost = nextcloudExternalDomain;
-      "overwrite.cli.url" = "https://${nextcloudExternalDomain}"; # For occ commands
-
+      "overwrite.cli.url" = "https://${nextcloudExternalDomain}";
      overwritecondaddr = "^${nginxProxyManagerTailscaleIP}$";
+
      "memcache.local" = "\\OC\\Memcache\\APCu";
      "memcache.distributed" = "\\OC\\Memcache\\Redis";
      "memcache.locking" = "\\OC\\Memcache\\Redis";
      filelocking.enabled = true;
+
      redis = {
        host = "/run/redis-nextcloud/redis.sock";
        port = 0;
      };
    };
+
    caching.redis = true;
    phpOptions = lib.mkForce { "memory_limit" = "4G"; };
  };

+  # --- Collabora Online (Added) ---
+  services.collabora-online = {
+    enable = true;
+    port = collaboraPort;
+    settings = {
+      ssl = {
+        enable = false;
+        termination = true;
+      };
+      server_name = collaboraExternalDomain;
+
+      # Listening on any interface so your external NPM can reach it via Tailscale IP
+      net = {
+        listen = "any";
+        post_allow.host = [
+          "::1"
+          "127.0.0.1"
+          nginxProxyManagerTailscaleIP
+        ];
+      };
+
+      storage.wopi = {
+        "@allow" = true;
+        host = [ nextcloudExternalDomain ];
+      };
+    };
+  };
+
+  # --- Auto-configure Nextcloud to use Collabora ---
+  systemd.services.nextcloud-config-collabora =
+    let
+      inherit (config.services.nextcloud) occ;
+      wopi_url = "http://127.0.0.1:${toString collaboraPort}";
+      public_wopi_url = "https://${collaboraExternalDomain}";
+      wopi_allowlist = lib.concatStringsSep "," [
+        "127.0.0.1"
+        "::1"
+        nginxProxyManagerTailscaleIP
+      ];
+    in
+    {
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "nextcloud-setup.service"
+        "coolwsd.service"
+      ];
+      requires = [ "coolwsd.service" ];
+      script = ''
+        ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
+        ${occ}/bin/nextcloud-occ config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
+        ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
+        ${occ}/bin/nextcloud-occ richdocuments:setup
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "nextcloud";
+      };
+    };
+
+  # --- System & Networking ---
+  systemd.tmpfiles.rules = [ "d /run/redis-nextcloud 0750 nextcloud nextcloud - -" ];
+
  users.users.nextcloud = {
    isSystemUser = true;
    group = "nextcloud";
  };
  users.groups.nextcloud = { };

-  networking.firewall.allowedTCPPorts = [ internalNextcloudHttpPort ]; # Port 80
+  networking.firewall.allowedTCPPorts = [
+    internalNextcloudHttpPort
+    collaboraPort
+  ];
 }