diff options
Diffstat (limited to 'nixos/modules/services/web-apps/nextcloud.nix')
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.nix | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 6692d67081c5a..141ab98e29bfc 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -505,6 +505,12 @@ in { The nextcloud-occ program preconfigured to target this Nextcloud instance. ''; }; + + nginx.recommendedHttpHeaders = mkOption { + type = types.bool; + default = true; + description = "Enable additional recommended HTTP response headers"; + }; }; config = mkIf cfg.enable (mkMerge [ @@ -593,6 +599,8 @@ in { timerConfig.Unit = "nextcloud-cron.service"; }; + systemd.tmpfiles.rules = ["d ${cfg.home} 0750 nextcloud nextcloud"]; + systemd.services = { # When upgrading the Nextcloud package, Nextcloud can report errors such as # "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly" @@ -714,8 +722,6 @@ in { before = [ "phpfpm-nextcloud.service" ]; path = [ occ ]; script = '' - chmod og+x ${cfg.home} - ${optionalString (c.dbpassFile != null) '' if [ ! -r "${c.dbpassFile}" ]; then echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..." @@ -808,7 +814,6 @@ in { users.users.nextcloud = { home = "${cfg.home}"; group = "nextcloud"; - createHome = true; isSystemUser = true; }; users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ]; @@ -904,14 +909,16 @@ in { }; extraConfig = '' index index.php index.html /index.php$request_uri; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options sameorigin; - add_header Referrer-Policy no-referrer; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ${optionalString (cfg.nginx.recommendedHttpHeaders) '' + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options sameorigin; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''} client_max_body_size ${cfg.maxUploadSize}; fastcgi_buffers 64 4K; fastcgi_hide_header X-Powered-By; |