From 6cf090e2f2cbffee3867389c1112ec7da5eb4911 Mon Sep 17 00:00:00 2001 From: matt1432 Date: Wed, 24 Apr 2024 09:36:52 -0400 Subject: [PATCH] feat(nextcloud): get rid of errors in config --- .../nos/modules/arion/nextcloud/compose.nix | 25 +++- .../nos/modules/arion/nextcloud/nginx.conf | 122 ++++++++++-------- 2 files changed, 92 insertions(+), 55 deletions(-) diff --git a/devices/nos/modules/arion/nextcloud/compose.nix b/devices/nos/modules/arion/nextcloud/compose.nix index 34b80cf..5b4ec48 100644 --- a/devices/nos/modules/arion/nextcloud/compose.nix +++ b/devices/nos/modules/arion/nextcloud/compose.nix @@ -1,16 +1,18 @@ { config, lib, + pkgs, ... }: let inherit (config.sops) secrets; inherit (config.arion) rwDataDir; inherit (lib) concatStrings; + mainContainerName = "app-server"; rwPath = rwDataDir + "/nextcloud"; in { arion.projects."nextcloud" = { - "app-server" = { + "${mainContainerName}" = { image = ./images/nextcloud.nix; restart = "always"; @@ -31,7 +33,7 @@ in { POSTGRES_HOST = "nextcloud-db"; REDIS_HOST = "nextcloud-cache"; REDIS_HOST_PASSWORD = "password"; - TRUSTED_PROXIES = "cloud.nelim.org"; + TRUSTED_PROXIES = "cloud.nelim.org nginx-server"; NEXTCLOUD_INIT_HTACCESS = "true"; }; }; @@ -103,4 +105,23 @@ in { ]; }; }; + + # Cron job + systemd.timers.nextcloud-cron = { + description = "Timer For Nextcloud Cron"; + wantedBy = ["timers.target"]; + + timerConfig.OnBootSec = "5m"; + timerConfig.OnUnitActiveSec = "5m"; + }; + systemd.services.nextcloud-cron = { + description = "Nextcloud Cron"; + requires = ["arion-nextcloud.service"]; + after = ["arion-nextcloud.service"]; + + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.docker}/bin/docker exec -u www-data ${mainContainerName} php -f /var/www/html/cron.php"; + }; + }; } diff --git a/devices/nos/modules/arion/nextcloud/nginx.conf b/devices/nos/modules/arion/nextcloud/nginx.conf index 55b8068..5d82e1a 100644 --- a/devices/nos/modules/arion/nextcloud/nginx.conf 
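Review bot: `TRUSTED_PROXIES = "cloud.nelim.org nginx-server"` lists hostnames, but Nextcloud's trusted_proxies is compared against the connecting address as IP addresses or CIDR ranges, so as far as I can tell neither entry will ever match the nginx container and the X-Forwarded-For chain stays untrusted. The visible consequence is that every client appears to come from the nginx container's address, which is what the brute-force throttle and the request logs key on. Use the address range of the compose network instead, e.g. `TRUSTED_PROXIES = "<compose-network-CIDR>";` (placeholder), and confirm in the admin overview that the proxy is reported as trusted.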
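Review bot: `docker exec -u www-data ${mainContainerName} …` passes the service key `app-server` as the container name; unless the arion wrapper sets `container_name` to that key (not visible in this diff), compose names the container `<project>-<service>-N` and the oneshot unit will fail on every five-minute run. Either set `container_name` on the service, if the wrapper passes it through, or resolve the name at run time with `docker compose ps -q` in a small script instead of hard-coding it. A one-line comment above the unit would also help, e.g. `# Runs Nextcloud's background jobs every 5 minutes; the container name must match the compose service`.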
+++ b/devices/nos/modules/arion/nextcloud/nginx.conf @@ -1,39 +1,38 @@ -user www-data; -worker_processes 1; +user www-data; +worker_processes 1; -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; events { - worker_connections 1024; + worker_connections 1024; } http { - upstream backend { - server app-server:9000; - #server unix:/var/run/php/php7.4-fpm.sock; + server app-server:9000; + #server unix:/var/run/php/php7.4-fpm.sock; } # Set the `immutable` cache control options only for assets with a cache busting `v` argument map $arg_v $asset_immutable { - "" ""; - default "immutable"; + "" ""; + default "immutable"; } - include /etc/nginx/mime.types; - default_type application/octet-stream; + include /etc/nginx/mime.types; + default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; - sendfile on; + sendfile on; #tcp_nopush on; - keepalive_timeout 65; + keepalive_timeout 65; map $http_host $this_host { "" $host; 
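Review bot: The hunk removes `upstream backend {` and, unless this rendering lost a `+` line, never re-adds it: the new side reads `http {` followed directly by `server app-server:9000;` and a lone `}`, so `server` sits in the http context (not allowed there) and that `}` closes `http` before the `map` and `server` blocks that follow. nginx will reject the file at load, and anything that refers to `backend` (presumably the PHP location, whose body is outside this page) has no upstream to point at. Restore the line above the server entry: `upstream backend {`.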
@@ -46,27 +45,27 @@ http { } map $http_x_forwarded_host $the_host { - default $http_x_forwarded_host; - "" $this_host; + default $http_x_forwarded_host; + "" $this_host; } server { listen 80; - # The below allows for being behind a reverse proxy and allowing the Nextcloud app to connect + # The below allows for being behind a reverse proxy and allowing the Nextcloud app to connect server_tokens off; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; - # Remove X-Powered-By, which is an information leak + # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; root /var/www/html; 
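Review bot: `add_header Strict-Transport-Security …` is the only header in this block without `always`, so nginx sends it on 2xx/3xx responses only and omits it on 4xx/5xx, where the rest of the set is still emitted; make it `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;`. Since this server listens on plain :80 behind the TLS-terminating proxy, the header only reaches browsers if that proxy forwards it unchanged on the HTTPS leg, which is worth confirming rather than assuming.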
@@ -80,20 +79,28 @@ http { # Rule borrowed from `.htaccess` to handle Microsoft DAV clients location = / { - if ( $http_user_agent ~ ^DavClnt ) { + if ( $http_user_agent ~ ^DavClnt ) { return 302 /remote.php/webdav/$is_args$args; } } location ^~ /.well-known { + location = /.well-known/carddav { + return 301 /remote.php/dav/; + } + location = /.well-known/caldav { + return 301 /remote.php/dav/; + } - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } #location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger/; } #location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo/; }} - location /.well-known/acme-challenge { try_files $uri $uri/ =404; } - location /.well-known/pki-validation { try_files $uri $uri/ =404; } + location /.well-known/acme-challenge { + try_files $uri $uri/ =404; + } + location /.well-known/pki-validation { + try_files $uri $uri/ =404; + } # Let Nextcloud's API for `/.well-known` URIs handle all other # requests by passing them to the front-end controller. 
@@ -107,25 +114,29 @@ http { } # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { + return 404; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + return 404; + } - location ~* ^/ds-vpath/ { - rewrite /ds-vpath/(.*) /$1 break; - proxy_pass http://onlyoffice-document-server; - proxy_redirect off; + location ~* ^/ds-vpath/ { + rewrite /ds-vpath/(.*) /$1 break; + proxy_pass http://onlyoffice-document-server; + proxy_redirect off; - client_max_body_size 10G; + client_max_body_size 10G; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $the_host/ds-vpath; - proxy_set_header X-Forwarded-Proto $the_scheme; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $the_host/ds-vpath; + proxy_set_header X-Forwarded-Proto $the_scheme; } location ~ \.php(?:$|/) { 
@@ -152,20 +163,25 @@ http { fastcgi_max_temp_file_size 0; } - location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ { + location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463, $asset_immutable"; - access_log off; # Optional: Don't log access to assets + access_log off; # Optional: Don't log access to assets location ~ \.wasm$ { default_type application/wasm; } + + location ~ \.mjs$ { + default_type text/javascript; + } } + location ~ \.woff2?$ { try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } # Rule borrowed from `.htaccess`