From b180ea43b5be6f8c81de8052bdc82118e882da4f Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 9 Mar 2026 10:34:22 +0100
Subject: [PATCH] Add Nextcloud service in tent
---
 m/tent/configuration.nix | 1 +
 m/tent/nextcloud.nix | 71 ++++++++++++++++++++++++++
 secrets/secrets.nix | 1 +
 secrets/tent-nextcloud-admin-pass.age | Bin 0 -> 669 bytes
 4 files changed, 73 insertions(+)
 create mode 100644 m/tent/nextcloud.nix
 create mode 100644 secrets/tent-nextcloud-admin-pass.age
diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix
index c3e126a3..2250a9c2 100644
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -11,6 +11,7 @@
 ./nix-serve.nix
 ./gitlab-runner.nix
 ./gitea.nix
+ ./nextcloud.nix
 ../hut/public-inbox.nix
 ../hut/msmtp.nix
 ../module/p.nix
diff --git a/m/tent/nextcloud.nix b/m/tent/nextcloud.nix
new file mode 100644
index 00000000..f9b1fc5c
--- /dev/null
+++ b/m/tent/nextcloud.nix
@@ -0,0 +1,71 @@
+{ pkgs, config, ... }:
+{
+ age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
+
+ services.nextcloud = {
+ package = pkgs.nextcloud32;
+ enable = true;
+ hostName = "localhost";
+ config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
+ config.dbtype = "sqlite";
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps)
+ news
+ contacts
+ calendar
+ tasks;
+ # The app richdocuments (i.e. office) is not enabled yet as there are
+ # problems with the WOPI protocol in a subdir.
+ };
+ extraAppsEnable = true;
+ settings = let
+ prot = "https";
+ host = "jungle.bsc.es";
+ dir = "/nextcloud";
+ in {
+ overwriteprotocol = prot;
+ overwritehost = host;
+ overwritewebroot = dir;
+ overwrite.cli.url = "${prot}://${host}${dir}/";
+ htaccess.RewriteBase = dir;
+ };
+ };
+
+ services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
+ addr = "127.0.0.1";
+ port = 8066; # NOT an exposed port
+ } ];
+
+ services.nginx.virtualHosts."jungle.bsc.es".locations = {
+ "^~ /.well-known" = {
+ priority = 9000;
+ extraConfig = ''
+ absolute_redirect off;
+ location ~ ^/\\.well-known/(?:carddav|caldav)$ {
+ return 301 /nextcloud/remote.php/dav;
+ }
+ location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
+ return 301 /nextcloud/public.php?service=host-meta-json;
+ }
+ location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
+ return 301 /nextcloud/index.php$request_uri;
+ }
+ try_files $uri $uri/ =404;
+ '';
+ };
+
+ "/nextcloud/" = {
+ priority = 9999;
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_pass http://127.0.0.1:8066/; # tailing / is important!
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ proxy_redirect off;
+ '';
+ };
+ };
+}
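Review bot: The `settings` block does not list the local reverse proxy in `trusted_proxies`, so unless that is set elsewhere Nextcloud will likely ignore the `X-Forwarded-For` header sent from the `/nextcloud/` location and attribute every request to 127.0.0.1. Brute-force throttling and the access/audit logs would then key on the proxy address instead of the real client, which both weakens login protection and hampers incident review. Adding `trusted_proxies = [ "127.0.0.1" ];` next to the `overwrite*` keys would address it. In the same location, `proxy_set_header X-Forwarded-Proto http;` contradicts `overwriteprotocol = "https"`; `proxy_set_header X-Forwarded-Proto $scheme;` would keep the header truthful if the override is ever removed.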
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 920d52dc..036df5b1 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,6 +22,7 @@ in "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent; "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent; "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent; + "tent-nextcloud-admin-pass.age".publicKeys = tent; "vpn-dac-login.age".publicKeys = tent; "vpn-dac-client-key.age".publicKeys = tent; diff --git a/secrets/tent-nextcloud-admin-pass.age b/secrets/tent-nextcloud-admin-pass.age new file mode 100644 index 0000000000000000000000000000000000000000..7d034789a165c28542f25982df917c01d1e7be47 GIT binary patch literal 669 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4H}#1yEmv>}3r)@P z&TxuwN={8GNi1-)@C+-hFwXQdb@nau4>fSlNb)estkCuf_2h~&D0j&YjY>;Q^mWO0 z*Z1-bwkV8pE-wo9Fb~c%$S5ffwJ-}wN;J!=azwW++1oVRqg)}>&@4F3$FIacI6KVT z&nzv?r^G8cJ-;M8Gc+R2EYiHVq$JSH$Ir(-CzLBZG{8mQ#j`}aG}F}GEV8uJH7VWS z&9t;AB|M<8$}uxN)7;P4JvYib+yLD+XUA}NlR$;sh-BXa@8ERTkP2r%^YYR(|Bzz; zq=<5V!z9nL)Pksz@La#l6!)UUP){zu^x(wcg3zogvusaGce9X8&xnY~va}%A%tSMj zs&ajOW0R=x;MC-@2v>C5Djdy?Egco|9Gx;NQ!^}#jZ@1V3(8FcEef-X3|#{vd@9{j z9djK`^ou>+qFl`iJd(KrTrHFI{S19fbKQ#5gS123^fSu5qEhtJs{*|e%L6i;ynTu- zLUKxcygkuv^9^=0PDxkD&j`;A3kmScu{84c^)EM%^ewGOD>W|<$g48(HuLpMOf4-p zO3cel$qVE%t4t3~P4y1T^!3h;sPd{bEcW$wD@b+@GxP|wa1Ze?a>~yP^h+`fj56WU z)zwunF)XXncl0n%@~||?s`RZY^EL^LwDb)v$n?#uFv|B0_e(P_bgRg+$Vuk9_=J1f z?Op!-N7!Xq-flKfz3m&Y{%)vmuPnoN9l4*JULnnMN}E3`O|AVYSAOcf(T^Pf?}6P5 literal 0 HcmV?d00001 -- 2.51.2