From b03a6f141046f6b1dc204fe305cc64c4d610c36a Mon Sep 17 00:00:00 2001
From: William
Date: Thu, 16 Oct 2025 14:28:08 -0300
Subject: [PATCH] nextcloud in; radicale+rclone out
---
hosts/alexandria/nextcloud.nix | 91 ++++++++++++++++++++++++++++++
hosts/alexandria/nginx.nix | 27 ++-------
hosts/alexandria/radicale.nix | 17 ------
hosts/alexandria/rclone-webdav.nix | 82 ---------------------------
secrets/nextcloud-adminpass.age | 13 +++++
secrets/nextcloud-secrets.json.age | 13 +++++
6 files changed, 122 insertions(+), 121 deletions(-)
create mode 100644 hosts/alexandria/nextcloud.nix
delete mode 100644 hosts/alexandria/radicale.nix
delete mode 100644 hosts/alexandria/rclone-webdav.nix
create mode 100644 secrets/nextcloud-adminpass.age
create mode 100644 secrets/nextcloud-secrets.json.age
diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix
new file mode 100644
index 0000000..4392323
--- /dev/null
+++ b/hosts/alexandria/nextcloud.nix
@@ -0,0 +1,91 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+
+{
+ services = {
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud30;
+ datadir = "/data/nextcloud";
+ hostName = "cloud.baduhai.dev";
+ configureRedis = true;
+ https = true;
+ autoUpdateApps.enable = true;
+ secretFile = config.age.secrets."nextcloud-secrets.json".path;
+ database.createLocally = true;
+ maxUploadSize = "16G";
+ caching = {
+ apcu = true;
+ redis = true;
+ };
+ settings = {
+ trusted_proxies = [ "127.0.0.1" ];
+ default_phone_region = "BR";
+ maintenance_window_start = "4";
+ enabledPreviewProviders = [
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\EMF"
+ "OC\\Preview\\Font"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\HEIC"
+ "OC\\Preview\\Illustrator"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\Movie"
+ "OC\\Preview\\MP3"
+ "OC\\Preview\\MSOffice2003"
+ "OC\\Preview\\MSOffice2007"
+ "OC\\Preview\\MSOfficeDoc"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PDF"
+ "OC\\Preview\\Photoshop"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\Postscript"
+ "OC\\Preview\\SVG"
+ "OC\\Preview\\TIFF"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ ];
+ };
+ config = {
+ dbtype = "pgsql";
+ adminpassFile = config.age.secrets.nextcloud-adminpass.path;
+ };
+ phpOptions = {
+ "opcache.interned_strings_buffer" = "16";
+ };
+ };
+
+ collabora-online = {
+ enable = true;
+ settings = {
+ ssl = {
+ enable = false;
+ termination = true;
+ };
+ net = {
+ listen = "unix";
+ frame_ancestors = "cloud.baduhai.dev";
+ };
+ };
+ };
+ };
+
+ age.secrets = {
+ "nextcloud-secrets.json" = {
+ file = ../../../secrets/nextcloud-secrets.json.age;
+ owner = "nextcloud";
+ group = "hosted";
+ };
+ nextcloud-adminpass = {
+ file = ../../../secrets/nextcloud-adminpass.age;
+ owner = "nextcloud";
+ group = "hosted";
+ };
+ };
+}
diff --git a/hosts/alexandria/nginx.nix b/hosts/alexandria/nginx.nix
index 8c20d5d..654035b 100644
--- a/hosts/alexandria/nginx.nix
+++ b/hosts/alexandria/nginx.nix
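Review bot: Both `age.secrets` entries at the end of the new `nextcloud.nix` point at `../../../secrets/…`, which from `hosts/alexandria/` climbs one level above the repository root, while the two `.age` files this commit adds live in `secrets/` at the root and the removed `rclone-webdav.nix` in the same directory used `../../secrets/webdav.age`. Unless the tree is laid out differently than the diff paths suggest, the entries should read `file = ../../secrets/nextcloud-secrets.json.age;` and `file = ../../secrets/nextcloud-adminpass.age;`. Separately, `enabledPreviewProviders` turns on server-side rendering for formats such as `OC\\Preview\\SVG`, `OC\\Preview\\Postscript`, `OC\\Preview\\PDF` and `OC\\Preview\\Movie`, which hands uploaded files to image and media parsers; Nextcloud leaves several of these off by default, so it is worth trimming the list to the formats actually needed. A short comment above `autoUpdateApps.enable = true;` noting that app updates are installed unattended would also help whoever audits this host.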
@@ -36,31 +36,14 @@ in lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) { "_".locations."/".return = "444"; - "dav.baduhai.dev".locations = { - "/caldav" = { - proxyPass = "http://unix:/run/radicale/radicale.sock:/"; - extraConfig = '' - proxy_set_header X-Script-Name /caldav; - proxy_pass_header Authorization; - ''; - }; - "/webdav" = { - proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/"; - extraConfig = '' - proxy_set_header X-Script-Name /webdav; - proxy_pass_header Authorization; - proxy_connect_timeout 300; # Increase timeouts for large file uploads - proxy_send_timeout 300; - proxy_read_timeout 300; - client_max_body_size 10G; # Allow large file uploads - proxy_buffering off; # Buffer settings for better performance - proxy_request_buffering off; - ''; - }; - }; + "cloud.baduhai.dev" = { }; "git.baduhai.dev".locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; "jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; + "office.baduhai.dev".locations."/" = { + proxyPass = "http://unix:/run/coolwsd/coolwsd.sock"; + proxyWebsockets = true; + }; "pass.baduhai.dev".locations."/".proxyPass = "http://unix:${config.services.vaultwarden.config.ROCKET_ADDRESS}:/"; "speedtest.baduhai.dev".locations."/".proxyPass = "http://librespeed:80/"; diff --git a/hosts/alexandria/radicale.nix b/hosts/alexandria/radicale.nix deleted file mode 100644 index d81a228..0000000 --- a/hosts/alexandria/radicale.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: - -{ - services.radicale = { - enable = true; - settings = { - server = { - hosts = [ "/run/radicale/radicale.sock" ]; - }; - auth = { - type = "htpasswd"; - htpasswd_filename = "/etc/radicale/users"; - htpasswd_encryption = "bcrypt"; - }; - }; - }; -} diff --git a/hosts/alexandria/rclone-webdav.nix b/hosts/alexandria/rclone-webdav.nix deleted file mode 100644 index 8324d31..0000000 --- a/hosts/alexandria/rclone-webdav.nix +++ /dev/null 
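Review bot: The new `office.baduhai.dev` vhost forwards every path under `/` to the coolwsd socket, so the Collabora admin console and its websocket are published alongside the editing endpoints. If the console is not meant to be reachable from outside, add a deny such as `"office.baduhai.dev".locations."^~ /cool/adminws".return = "403";`, or proxy only the paths Nextcloud needs. `commonVHostConfig` is defined outside this hunk, so any access restriction or TLS setting it applies cannot be checked here; the empty `"cloud.baduhai.dev" = { };` entry in particular depends on it for TLS, since `https = true` in the Nextcloud module presumably only affects generated URLs.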
@@ -1,82 +0,0 @@ -{ config, pkgs, ... }: - -let - rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" '' - #!/bin/bash - - # Configuration - CREDS_FILE="/run/agenix/webdav" - SERVE_DIR="/data/webdav" - SOCKET_PATH="/run/rclone-webdav/webdav.sock" - - # Check if credentials file exists - if [ ! -f "$CREDS_FILE" ]; then - echo "Error: Credentials file $CREDS_FILE not found" - exit 1 - fi - - # Read credentials from file (format: username:password) - CREDENTIALS=$(cat "$CREDS_FILE") - USERNAME=$(echo "$CREDENTIALS" | cut -d':' -f1) - PASSWORD=$(echo "$CREDENTIALS" | cut -d':' -f2) - - # Validate credentials - if [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then - echo "Error: Invalid credentials format. Expected username:password" - exit 1 - fi - - # Ensure serve directory exists - mkdir -p "$SERVE_DIR" - - # Remove existing socket if it exists - rm -f "$SOCKET_PATH" - - # Start rclone serve webdav - exec ${pkgs.rclone}/bin/rclone serve webdav "$SERVE_DIR" \ - --addr unix://"$SOCKET_PATH" \ - --user "$USERNAME" \ - --pass "$PASSWORD" \ - --config="" \ - --baseurl "/webdav" \ - --verbose - ''; -in - -{ - age.secrets.webdav = { - file = ../../secrets/webdav.age; - owner = "user"; - group = "users"; - }; - - systemd.services.rclone-webdav = { - description = "RClone WebDAV Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "exec"; - User = "user"; - Group = "nginx"; - ExecStart = "${rclone-webdav-start}"; - Restart = "always"; - RestartSec = "10"; - NoNewPrivileges = true; - PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = true; - ReadWritePaths = [ - "/data/webdav" - "/run" - ]; - RuntimeDirectory = "rclone-webdav"; - RuntimeDirectoryMode = "0750"; - UMask = "0002"; - }; - preStart = '' - mkdir -p /data/webdav - chown user:users /data/webdav - chmod 755 /data/webdav - ''; - }; -} 
diff --git a/secrets/nextcloud-adminpass.age b/secrets/nextcloud-adminpass.age new file mode 100644 index 0000000..4adb2b1 --- /dev/null +++ b/secrets/nextcloud-adminpass.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 hi+lKA KUVC7m5ch8uuseBHHPCspWWdSAs+3YK+LvBL7h14UT8 +8h5Tu47UJ/6wJZaEjB0KhUKZ8yw3FgwWv9Dem4ivgVI +-> ssh-ed25519 SP9f6A IDnNmcjBKTiNWnBPw7mAuycOfzvj1bGi30OLi/mN+AA +xE9drPCFvOi8v74zqUuCOc9DOFnzfwFfoa0O84JHonA +-> ssh-ed25519 8YSAiw vWnYElIL2jh/LmxZKFFGE/8H1o+bOnGsGxQ3UZ02FE8 +c6e/c1a1cUa6FPDaUYHeY50WB5E1cq398AgwVs421EA +-> ssh-ed25519 3Chb7w iDSXb9BYJ/2EUJx77Uch3eFYukxTD5nHbdU+iTBWXkk +QBrCOSmjKeX0giQxYGMHinOeTrDs9ZGmdjThxEvyXn0 +-> ssh-ed25519 J6tVTA tZ5yMoYaLdgs0WoaRju3h+zfKSCrYoYO7aDcmnNta3s +seYPrbd8PmVZJKSltp4qI7i137be01ydWhkdOPP7Zzw +--- LElLg1Mrmw0iExirSvb6KWSA8bugbVggM2RwZSWlWGM +]͠l0dNnݾ0578qƈKƌ_# ̓agXDC:L6̾R魧 \ No newline at end of file diff --git a/secrets/nextcloud-secrets.json.age b/secrets/nextcloud-secrets.json.age new file mode 100644 index 0000000..3860d4e --- /dev/null +++ b/secrets/nextcloud-secrets.json.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 hi+lKA dt/gmE1ljEV6eiU4cyqy+v49mtjlm/qnkV3D5OCbUFI +LkRedLe6Qf8J5MeH+DNVmeuFyHHjDeYyrjoyzPmqZyI +-> ssh-ed25519 SP9f6A rossSD9Dk/BE9ujDcJY/CdVu5Pm5mLyKBFLpBERu+g0 +g6bnR5N9eC50gbd48rijisF6WLYBtoDi4CSLPBkfiw0 +-> ssh-ed25519 8YSAiw s+i/kWBUvnSEDN93MCO9QSIXnQi02zT+vdBVB8rbAV4 +n4mWFllh8dCW8DVP9R/m6KIuprZnLRbGQ/wjFmhEZx8 +-> ssh-ed25519 3Chb7w c0WkS3MPTAmcHTKMsfoL2mZKF9rJ/oU48noL00UEAjc +AL0b7xrfd9Ll4v/o0dLkic+YsKBiQxyFFKggXsQfM04 +-> ssh-ed25519 J6tVTA ZM+AOwYRTovNJnwe2wdUm9KU6Lj44rgBvthwHSFwDng +DJweE//ogMciRmy0GTj8zDRzItRtlfTkBynRSBDr3ks +--- dNCLx3d9i125QQqdsQVnwdN9QMLU+MWx2KjYFKFv5lU +{ 6EjrTg+I?*xu'$>U4QBDĠ"SIqA|v5xJdHھI6$'7(q{[.I*P <Ĭ/_|yx͙p*xX \ No newline at end of file