Add nextcloud config (working)

Fix nextcloud and add recommended security features

services/Vanguard.nix

@@ -10,6 +10,5 @@
     ./sshd
     ./traefik/sshd.nix
     ./syncthing/Vanguard.nix
-    ./traefik/syncthing.nix
   ];
 }

services/nextcloud/default.nix

@@ -9,8 +9,14 @@
     hostName = "cloud.xenia.me.uk";
     config = {
       adminuser = "xenia";
-      adminpassFile = "/etc/nextcloud/admin_secret.txt";
+      adminpassFile = "/secrets/nextcloud_admin.txt";
     };
+    extraOptions = {
+      trusted_proxies = ["192.168.1.166"];
+      overwriteprotocol = "https";
+    };
+    extraApps = with pkgs.nextcloud26Packages.apps; {inherit calendar contacts;};
+    extraAppsEnable = true;
   };
   services.nginx.virtualHosts.${config.services.nextcloud.hostName}.listen = [
     {

services/traefik/default.nix

@@ -33,25 +33,17 @@
         middlewares = ["auth"];
         tls = {certResolver = "default";};
       };
-      middlewares.auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
+      middlewares = {
+        auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
+        hsts.headers = {
+          stsSeconds = "31536000";
+          stsIncludeSubdomains = true;
+        };
+      };
     };
   };
   networking.firewall = {
     enable = true;
     allowedTCPPorts = [80 443 2222];
   };
-  services.fail2ban.jails = {
-    traefik-http = ''
-      enabled = true
-      filter = traefik-auth
-      ports = http,https,2222
-      backend = systemd
-    '';
-    traefik-ssh = ''
-      enabled = true
-      filter = sshd
-      ports = 2222
-      backend = systemd
-    '';
-  };
 }

services/traefik/nextcloud.nix

@@ -5,6 +5,7 @@
       rule = "Host(`cloud.xenia.me.uk`)";
       entryPoints = ["http" "https"];
       service = "nextcloud-webinterface";
+      middlewares = ["hsts"];
       tls = {certResolver = "default";};
     };
     services.nextcloud-webinterface.loadBalancer.servers = [{url = "http://localhost:8000";}];