nix/nixos/services/nextcloud.nix

{
  config,
  pkgs,
  ...
}: let
  nextcloud = config.services.nextcloud;
  secrets = config.sops.secrets;
  sops = config.sops;
in {
  sops.secrets = {
    "nextcloud/admin_password" = {
      owner = "nextcloud";
    };
    "nextcloud/oidc_client_secret" = {};
  };
  sops.templates = {
    "nextcloud/secrets.json" = {
      owner = "nextcloud";
      content = builtins.toJSON {
        oidc_login_client_secret = sops.placeholder."nextcloud/oidc_client_secret";
      };
    };
  };

  environment.systemPackages = with pkgs; [ffmpeg];

  services.nextcloud = {
    enable = true;
    https = true;
    hostName = "files.${config.networking.domain}";
    configureRedis = true;
    database.createLocally = true;
    config = {
      adminpassFile = secrets."nextcloud/admin_password".path;
      dbtype = "pgsql";
    };
    secretFile = sops.templates."nextcloud/secrets.json".path;
    settings = {
      trusted_proxies = ["192.168.1.1" "127.0.0.1"];
      maintenance_window_start = 2;
      default_phone_region = "GB";
      # https://github.com/pulsejet/nextcloud-oidc-login
      oidc_login_provider_url = "https://auth.tristans.cloud/application/o/nextcloud/";
      oidc_login_client_id = "Fo0OMWCHBlJNw5DsEI0IzeCk0HpU1TIZpy3D5Tix";
      oidc_login_button_text = "Log in with Authentik";
      oidc_login_use_id_token = true;
      oidc_login_attributes = {
        id = "preferred_username";
        name = "name";
        mail = "email";
        groups = "groups";
        is_admin = "NextcloudAdmin";
        login_filter = "groups";
      };
      oidc_login_filter_allowed_values = {
        "0" = "Nextcloud users";
      };
      oidc_login_use_external_storage = false;
      oidc_login_scope = "email openid profile NextcloudAdmin";
      oidc_login_proxy_ldap = false;
      oidc_login_disable_registration = false;
      oidc_login_redir_fallback = false;
      oidc_login_tls_verify = true;
      oidc_create_groups = true;
      oidc_login_webdav_enabled = true;
      oidc_login_public_key_caching_time = 604800;
      oidc_login_min_time_between_jwks_requests = 10;
      oidc_login_well_known_caching_time = 86400;
      datadirectory = "/mnt/storage/nextcloud";
    };
    maxUploadSize = "5G";
  };
  services.nginx.virtualHosts.${nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
  };
}