dotfiles/nixos/mirai/services/nextcloud.nix

{
  config,
  pkgs,
  ...
}: {
  sops = {
    secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name;
    secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name;
    secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name;
  };
  imports = [
    "${fetchTarball {
      url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
      sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
    }}/nextcloud-extras.nix"
  ];
  services = {
    nextcloud = {
      enable = true;
      package = pkgs.nextcloud31;
      extraApps = {
        inherit (config.services.nextcloud.package.packages.apps) contacts calendar bookmarks user_oidc;
      };
      extraAppsEnable = true;
      hostName = "cloud.darksailor.dev";
      config.adminuser = "servius";
      config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
      config.dbtype = "sqlite";
      configureRedis = true;
      https = true;
      caching = {
        redis = true;
        apcu = true;
        memcached = true;
      };
      webserver = "caddy";
      settings = {};
    };
    # caddy = {
    #   virtualHosts."cloud.darksailor.dev".extraConfig = ''
    #     reverse_proxy localhost:8080
    #   '';
    # };
    # nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
    #   {
    #     addr = "127.0.0.1";
    #     port = 8080; # NOT an exposed port
    #   }
    # ];
    authelia.instances.darksailor = {
      settings = {
        definitions = {
          user_attributes = {
            is_nextcloud_admin = {
              expression = ''"nextcloud-admins" in groups"'';
            };
          };
        };
        identity_providers = {
          oidc = {
            claims_policies = {
              custom_claims = {
                is_nextcloud_admin = {};
              };
            };
            scopes = {
              nextcloud_userinfo = {
                claims = ["is_nextcloud_admin"];
              };
            };
            clients = [
              {
                client_name = "Nextcloud";
                client_id = "nextcloud";
                client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}'';
                public = false;
                authorization_policy = "one_factor";
                require_pkce = true;
                pkce_challenge_method = "S256";
                claims_policy = "nextcloud_userinfo";
                redirect_uris = [
                  "https://cloud.darksailor.dev/apps/oidc_login/oidc"
                ];
                scopes = [
                  "openid"
                  "profile"
                  "email"
                  "groups"
                  "nextcloud_userinfo"
                ];
                response_types = ["code"];
                grant_types = ["authorization_code"];
                # access_token_signed_response_alg = "none";
                userinfo_signed_response_alg = "none";
                token_endpoint_auth_method = "client_secret_basic";
              }
            ];
          };
        };
      };
    };
  };
}