Let's try postgres I guess

nixos/queen/configuration.nix

@@ -53,6 +53,8 @@
   #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
   sops.defaultSopsFile = ../../secrets/queen-Lillian.yaml;
   sops.age.keyFile = ./keys.txt;
+  sops.secrets."nextcloudadmin".mode = "0440";
+  sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name;
   sops.secrets."nextclouddb".mode = "0440";
   sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name;
 
@@ -91,7 +93,7 @@
     noto-fonts-emoji-blob-bin
     noto-fonts-emoji
     oh-my-zsh
-    mariadb_110
+    postgresql
     rsync
     wget
     zsh

nixos/queen/nextcloud.nix

@@ -1,108 +1,82 @@
-# Nextcloud
 {
   config,
-  lib,
   pkgs,
-  sops,
   ...
 }: {
-  sops.secrets.nextcloudadmin = {
+  # Enable Nginx
-    mode = "0440";
+  services.nginx = {
-    owner = config.users.users.nextcloud.name;
+    enable = true;
-    group = config.users.users.nextcloud.group;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    # Setup Nextcloud virtual host to listen on ports
+    virtualHosts = {
+      "nextcloud.gladtherescake.eu" = {
+        ## Force HTTP redirect to HTTPS
+        forceSSL = true;
+        ## LetsEncrypt
+        enableACME = true;
+      };
+    };
   };
 
-  users.users.nextcloud.extraGroups = ["render" "users"];
+  # Actual Nextcloud Config
-
-  environment.systemPackages = with pkgs; [
-    unstable.exiftool
-    ffmpeg
-    nodejs_18
-  ];
-
-  # Allow using /dev/dri for Memories
-  systemd.services.phpfpm-nextcloud.serviceConfig = {
-    PrivateDevices = lib.mkForce false;
-  };
-
-  services.nginx.virtualHosts."nextcloud.gladtherescake.eu".listen = [
-    {
-      addr = "127.0.0.1";
-      port = 8180;
-    }
-  ];
-
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud27;
     hostName = "nextcloud.gladtherescake.eu";
-    database.createLocally = true;
+    # Enable built-in virtual host management
-    configureRedis = true;
+    # Takes care of somewhat complicated setup
-    appstoreEnable = true;
+    # See here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/nextcloud.nix#L529
+    nginx.enable = true;
+
+    # Use HTTPS for links
+    https = true;
+
+    # Auto-update Nextcloud Apps
+    autoUpdateApps.enable = true;
+    # Set what time makes sense for you
+    autoUpdateApps.startAt = "05:00:00";
+
     config = {
-      adminuser = "nextcloud";
+      # Further forces Nextcloud to use HTTPS
-      adminpassFile = "${config.sops.secrets.nextcloudadmin.path}";
+      overwriteProtocol = "https";
-      dbtype = "mysql";
-      defaultPhoneRegion = "US";
-      trustedProxies = ["127.0.0.1"];
-    };
 
-    extraOptions = {
+      # Nextcloud PostegreSQL database configuration, recommended over using SQLite
-      mail_smtpmode = "sendmail";
+      dbtype = "pgsql";
-      mail_sendmailmode = "pipe";
+      dbuser = "nextcloud";
-      mysql.utf8mb4 = true;
+      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
-    };
+      dbname = "nextcloud";
+      dbpassFile = "/var/nextcloud-db-pass";
 
-    phpOptions = pkgs.lib.mkForce {
+      adminpassFile = "/var/nextcloud-admin-pass";
-      "opcache.interned_strings_buffer" = "16";
+      adminuser = "admin";
-      "upload_max_filesize" = "10G";
-      "post_max_size" = "10G";
-      "memory_limit" = "8G";
     };
   };
 
-  services.traefik.dynamicConfigOptions.http.routers.nextcloud = {
+  # Enable PostgreSQL
-    rule = "Host(`nextcloud.gladtherescake.eu`)";
+  services.postgresql = {
-    service = "nextcloud";
+    enable = true;
-    middlewares = ["headers"];
-    entrypoints = ["websecure"];
-    tls = {
-      certResolver = "le";
-    };
-  };
 
-  services.traefik.dynamicConfigOptions.http.services.nextcloud = {
+    # Ensure the database, user, and permissions always exist
-    loadBalancer = {
+    ensureDatabases = ["nextcloud"];
-      servers = [
+    ensureUsers = [
       {
-          url = "http://localhost:8180";
+        name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
       }
     ];
   };
-  };
 
-  systemd.timers."nextcloud-files-update" = {
+  # Ensure that postgres is running before running the setup
-    wantedBy = ["timers.target"];
+  systemd.services."nextcloud-setup" = {
-    timerConfig = {
+    requires = ["postgresql.service"];
-      OnBootSec = "2m";
+    after = ["postgresql.service"];
-      OnUnitActiveSec = "15m";
-      Unit = "nextcloud-files-update.service";
-    };
-  };
-
-  systemd.services."nextcloud-files-update" = {
-    bindsTo = ["mysql.service" "phpfpm-nextcloud.service"];
-    after = ["mysql.service" "phpfpm-nextcloud.service"];
-    script = ''
-
-      ${config.services.nextcloud.occ}/bin/nextcloud-occ files:scan -q --all
-      ${config.services.nextcloud.occ}/bin/nextcloud-occ preview:pre-generate
-    '';
-
-    serviceConfig = {
-      User = "nextcloud";
-    };
-
-    path = ["config.services.nextcloud" pkgs.perl];
   };
 }