Revert "nextcloud: use mkDefault for whole nginx config"

This breaks the Nextcloud vhost declaration when adding e.g. another vhost as the `services.nginx.virtualHosts` option has `{ nextcloud = ...; }` as *default* value which will be replaced by another `virtualHosts`-declaration with a higher (e.g. the default) priority. The following cases are now supported & covered by the module: * `nginx` is enabled with `nextcloud` enabled and other vhosts can be added / other options can be declared without having to care about the declaration's priority. * Settings in the `nextcloud`-vhost in `nginx` have to be altered using `mkForce` as this is the only way how we officially support `nginx` for `nextcloud` and customizations have to be done explicitly using `mkForce`. * `nginx` will be completely omitted if a user enables nextcloud and disables nginx using `services.nginx.enable = false;`. (because nginx will be enabled by this module using `mkDefault`). This reverts commit 128dbb31cca3ba479396c6b65946e2e6503c0f8d. Closes #95259
author: Maximilian Bosch <maximilian@mbosch.me> 2020-08-12 17:20:56 +0200
committer: Maximilian Bosch <maximilian@mbosch.me> 2020-08-12 18:28:45 +0200
commit: fddeb7cb73096786de8e59a8502cf3ae523bd694 (patch)
tree: 795d3b12839146d6dabec30a489ffdea7838c0b3 /nixos
parent: 5880dc0d10d396caf4cc64d4dbaccae26d45ad71 (diff)
1 files changed, 86 insertions, 88 deletions
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 0579e58d1d62..d9660852528a 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -531,81 +531,65 @@ in {
 
       environment.systemPackages = [ occ ];
 
-      services.nginx = mkDefault {
-        enable = true;
-        virtualHosts.${cfg.hostName} = {
-          root = cfg.package;
-          locations = {
-            "= /robots.txt" = {
-              priority = 100;
-              extraConfig = ''
-                allow all;
-                log_not_found off;
-                access_log off;
-              '';
-            };
-            "/" = {
-              priority = 200;
-              extraConfig = "rewrite ^ /index.php;";
-            };
-            "~ ^/store-apps" = {
-              priority = 201;
-              extraConfig = "root ${cfg.home};";
-            };
-            "= /.well-known/carddav" = {
-              priority = 210;
-              extraConfig = "return 301 $scheme://$host/remote.php/dav;";
-            };
-            "= /.well-known/caldav" = {
-              priority = 210;
-              extraConfig = "return 301 $scheme://$host/remote.php/dav;";
-            };
-            "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = {
-              priority = 300;
-              extraConfig = "deny all;";
-            };
-            "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
-              priority = 300;
-              extraConfig = "deny all;";
-            };
-            "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = {
-              priority = 500;
-              extraConfig = ''
-                include ${config.services.nginx.package}/conf/fastcgi.conf;
-                fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
-                try_files $fastcgi_script_name =404;
-                fastcgi_param PATH_INFO $fastcgi_path_info;
-                fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
-                fastcgi_param modHeadersAvailable true;
-                fastcgi_param front_controller_active true;
-                fastcgi_pass unix:${fpm.socket};
-                fastcgi_intercept_errors on;
-                fastcgi_request_buffering off;
-                fastcgi_read_timeout 120s;
-              '';
-            };
-            "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
-              try_files $uri/ =404;
-              index index.php;
-            '';
-            "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
-              try_files $uri /index.php$request_uri;
-              add_header Cache-Control "public, max-age=15778463";
-              add_header X-Content-Type-Options nosniff;
-              add_header X-XSS-Protection "1; mode=block";
-              add_header X-Robots-Tag none;
-              add_header X-Download-Options noopen;
-              add_header X-Permitted-Cross-Domain-Policies none;
-              add_header X-Frame-Options sameorigin;
-              add_header Referrer-Policy no-referrer;
+      services.nginx.enable = mkDefault true;
+      services.nginx.virtualHosts.${cfg.hostName} = {
+        root = cfg.package;
+        locations = {
+          "= /robots.txt" = {
+            priority = 100;
+            extraConfig = ''
+              allow all;
+              log_not_found off;
               access_log off;
             '';
-            "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
-              try_files $uri /index.php$request_uri;
-              access_log off;
+          };
+          "/" = {
+            priority = 200;
+            extraConfig = "rewrite ^ /index.php;";
+          };
+          "~ ^/store-apps" = {
+            priority = 201;
+            extraConfig = "root ${cfg.home};";
+          };
+          "= /.well-known/carddav" = {
+            priority = 210;
+            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+          };
+          "= /.well-known/caldav" = {
+            priority = 210;
+            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+          };
+          "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = {
+            priority = 300;
+            extraConfig = "deny all;";
+          };
+          "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
+            priority = 300;
+            extraConfig = "deny all;";
+          };
+          "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = {
+            priority = 500;
+            extraConfig = ''
+              include ${config.services.nginx.package}/conf/fastcgi.conf;
+              fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
+              try_files $fastcgi_script_name =404;
+              fastcgi_param PATH_INFO $fastcgi_path_info;
+              fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
+              fastcgi_param modHeadersAvailable true;
+              fastcgi_param front_controller_active true;
+              fastcgi_pass unix:${fpm.socket};
+              fastcgi_intercept_errors on;
+              fastcgi_request_buffering off;
+              fastcgi_read_timeout 120s;
             '';
           };
-          extraConfig = ''
+          "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
+            try_files $uri/ =404;
+            index index.php;
+          '';
+          "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463";
             add_header X-Content-Type-Options nosniff;
             add_header X-XSS-Protection "1; mode=block";
             add_header X-Robots-Tag none;
@@ -613,25 +597,39 @@ in {
             add_header X-Permitted-Cross-Domain-Policies none;
             add_header X-Frame-Options sameorigin;
             add_header Referrer-Policy no-referrer;
-            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-            error_page 403 /core/templates/403.php;
-            error_page 404 /core/templates/404.php;
-            client_max_body_size ${cfg.maxUploadSize};
-            fastcgi_buffers 64 4K;
-            fastcgi_hide_header X-Powered-By;
-            gzip on;
-            gzip_vary on;
-            gzip_comp_level 4;
-            gzip_min_length 256;
-            gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-            gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-            ${optionalString cfg.webfinger ''
-              rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-              rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-            ''}
+            access_log off;
+          '';
+          "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            access_log off;
           '';
         };
+        extraConfig = ''
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+          add_header X-Download-Options noopen;
+          add_header X-Permitted-Cross-Domain-Policies none;
+          add_header X-Frame-Options sameorigin;
+          add_header Referrer-Policy no-referrer;
+          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          error_page 403 /core/templates/403.php;
+          error_page 404 /core/templates/404.php;
+          client_max_body_size ${cfg.maxUploadSize};
+          fastcgi_buffers 64 4K;
+          fastcgi_hide_header X-Powered-By;
+          gzip on;
+          gzip_vary on;
+          gzip_comp_level 4;
+          gzip_min_length 256;
+          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+          ${optionalString cfg.webfinger ''
+            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+          ''}
+        '';
       };
     }
   ]);
author	Maximilian Bosch <maximilian@mbosch.me>	2020-08-12 17:20:56 +0200
committer	Maximilian Bosch <maximilian@mbosch.me>	2020-08-12 18:28:45 +0200
commit	fddeb7cb73096786de8e59a8502cf3ae523bd694 (patch)
tree	795d3b12839146d6dabec30a489ffdea7838c0b3 /nixos
parent	5880dc0d10d396caf4cc64d4dbaccae26d45ad71 (diff)