diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index 74990fe..3fda726 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -4,7 +4,7 @@ with lib;
 let
 # Version tagging
- nextcloudVersion = "32.0.6";
+ nextcloudVersion = "33.0.0";
 redisVersion = "8.6-alpine";
 databaseVersion = "11.8";
 onlyofficeVersion = "9.2";
@@ -29,7 +29,7 @@ helper.mkPodmanService {
 WHITEBOARD_PASSWORD = "xkcdpass -n 10 -d -";
 SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
 };
- middlewares = [ "secureHeaders" "nextcloud-dav" ];
+ middlewares = [ "nextcloudSecureHeaders" ];
 dirPermissions = [
 "100032:100 ${cfg.dataDir}"
 "100032:100 ${cfg.configDir}"
@@ -39,6 +39,7 @@ helper.mkPodmanService {
 "1000:100 ${cfg.configDir}/onlyoffice"
 "1000:100 ${cfg.configDir}/onlyoffice/log"
 "1000:100 ${cfg.configDir}/onlyoffice/cache"
+ "1000:100 ${cfg.configDir}/onlyoffice/data"
 "1000:100 ${cfg.configDir}/onlyoffice/database"
 ];
@@ -130,12 +131,21 @@ helper.mkPodmanService {
 image: docker.io/onlyoffice/documentserver:${onlyofficeVersion}
 environment:
 - JWT_SECRET=$ONLYOFFICE_PASSWORD
+ - REDIS_SERVER_HOST=nextcloud-redis
+ - REDIS_SERVER_PORT=6379
+ - REDIS_SERVER_PASS=$REDIS_PASSWORD
+ - ADMINPANEL_ENABLED=false
+ - EXAMPLE_ENABLED=false
+ - METRICS_ENABLED=false
 ports:
 - "9980:80/tcp"
 volumes:
 - ${cfg.configDir}/onlyoffice/log:/var/log/onlyoffice
 - ${cfg.configDir}/onlyoffice/cache:/var/lib/onlyoffice
+ - ${cfg.configDir}/onlyoffice/data:/var/www/onlyoffice/Data
 - ${cfg.configDir}/onlyoffice/database:/var/lib/postgresql
+ security_opt:
+ - no-new-privileges:true
 cap_drop:
 - NET_RAW
 restart: unless-stopped
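Review bot: `nextcloud-dav` is dropped from the `middlewares` list and nothing in this diff replaces it; the new `nextcloudSecureHeaders` middleware only sets response headers. If `nextcloud-dav` carried the `/.well-known/caldav` and `/.well-known/carddav` redirects to `/remote.php/dav` that Nextcloud's setup check expects (its definition is not on this page, so this is inferred from the name), CalDAV/CardDAV autodiscovery and that admin warning will regress. Either keep it chained, `middlewares = [ "nextcloudSecureHeaders" "nextcloud-dav" ];`, or state in the commit where the redirect is now handled. The enclosing `helper.mkPodmanService {` argument set starts and ends outside this hunk.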
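Review bot: `REDIS_SERVER_HOST=nextcloud-redis` together with `REDIS_SERVER_PASS=$REDIS_PASSWORD` points the document server at what is presumably Nextcloud's own Redis, using the same credential, so a compromised OnlyOffice container can read and overwrite every key Nextcloud keeps there (typically file locks and cache) — a much wider coupling than the shared JWT secret it had before. Whether that Redis uses ACLs or a separate logical database is not visible here; if it does not, a dedicated Redis service for OnlyOffice is the cleaner split, otherwise record the accepted trust boundary above these lines, e.g. `# shares nextcloud-redis with the same password: OnlyOffice can read/write all Nextcloud keys`. `$REDIS_PASSWORD` is also not among the secret commands visible in the earlier hunk of this file, so presumably it is defined above them — worth confirming. The added `no-new-privileges` and the `onlyoffice/data` volume (given `1000:100` in the previous hunk) look consistent; the compose document continues outside the hunk.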
@@ -201,6 +211,39 @@ helper.mkPodmanService {
 - url: "http://host.containers.internal:3002"
 '';
+ environment.etc."traefik/rules/nextcloudSecureHeaders.yaml".text = ''
+ http:
+ middlewares:
+ nextcloudSecureHeaders:
+ headers:
+ FrameDeny: false
+ CustomFrameOptionsValue: "SAMEORIGIN"
+ AddVaryHeader: true
+ BrowserXssFilter: true
+ ContentTypeNosniff: true
+ ForceSTSHeader: true
+ STSSeconds: 315360000
+ STSIncludeSubdomains: true
+ STSPreload: true
+ AccessControlAllowMethods: "GET,OPTIONS,PUT"
+ AccessControlAllowOriginList:
+ - origin-list-or-null
+ AccessControlMaxAge: 100
+ ReferrerPolicy: same-origin
+ PermissionsPolicy: "vibrate=()"
+ ContentSecurityPolicy: >-
+ default-src https://onlyoffice.${config.numbus.services.domain} 'self';
+ script-src https://onlyoffice.${config.numbus.services.domain} 'self' 'unsafe-inline';
+ style-src 'self' 'unsafe-inline';
+ connect-src 'self';
+ img-src 'self' data:;
+ font-src 'self' data:;
+ frame-src https://onlyoffice.${config.numbus.services.domain} 'self';
+ frame-ancestors https://onlyoffice.${config.numbus.services.domain} 'self';
+ object-src 'none';
+ base-uri 'self';
+ '';
+
 systemd.services."${name}-quirk" = {
 description = "Podman container quirk : ${name}";
 wantedBy = [ "multi-user.target" ];
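Review bot: `AccessControlAllowOriginList: - origin-list-or-null` reads as a documentation placeholder, not an origin; Traefik emits `Access-Control-Allow-Origin` only for a request whose `Origin` matches an entry, so with this list no CORS response is ever produced and `AccessControlAllowMethods` and `AccessControlMaxAge` are dead configuration. If no cross-origin access is intended, remove the three `AccessControl*` keys (or add `# no CORS: origin list intentionally matches nothing`); if the OnlyOffice origin is meant to reach Nextcloud cross-origin, list `https://onlyoffice.${config.numbus.services.domain}` instead. Separately, a `ContentSecurityPolicy` set in a headers middleware replaces the policy the backend sends, and Nextcloud ships its own nonce-based CSP — this static policy relaxes `script-src` to `'unsafe-inline'` while it may be tighter elsewhere (e.g. `connect-src 'self'`, `img-src` without `blob:`), so verify the app still works and whether overriding it is wanted at all. The `systemd.services."${name}-quirk"` block in the trailing context continues outside the hunk.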