diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/fonts/fontconfig.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/torrent/transmission.nix | 22 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.nix | 68 |
3 files changed, 55 insertions, 41 deletions
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index a695957f71b..1b6848c652e 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -204,8 +204,10 @@ let ln -s ${renderConf} $dst/10-nixos-rendering.conf # 50-user.conf - ${optionalString (!cfg.includeUserConf) '' - rm $dst/50-user.conf + # Since latest fontconfig looks for default files inside the package, + # we had to move this one elsewhere to be able to exclude it here. + ${optionalString cfg.includeUserConf '' + ln -s ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf $dst/50-user.conf ''} # local.conf (indirect priority 51) diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 92df46083ec..014a22bb5a8 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -11,6 +11,7 @@ let settingsDir = ".config/transmission-daemon"; downloadsDir = "Downloads"; incompleteDir = ".incomplete"; + watchDir = "watchdir"; # TODO: switch to configGen.json once RFC0042 is implemented settingsFile = pkgs.writeText "settings.json" (builtins.toJSON cfg.settings); in @@ -35,6 +36,8 @@ in download-dir = "${cfg.home}/${downloadsDir}"; incomplete-dir = "${cfg.home}/${incompleteDir}"; incomplete-dir-enabled = true; + watch-dir = "${cfg.home}/${watchDir}"; + watch-dir-enabled = false; message-level = 1; peer-port = 51413; peer-port-random-high = 65535; @@ -161,6 +164,9 @@ in { assertion = types.path.check cfg.settings.incomplete-dir; message = "`services.transmission.settings.incomplete-dir' must be an absolute path."; } + { assertion = types.path.check cfg.settings.watch-dir; + message = "`services.transmission.settings.watch-dir' must be an absolute path."; + } { assertion = cfg.settings.script-torrent-done-filename == "" || types.path.check cfg.settings.script-torrent-done-filename; message = "`services.transmission.settings.script-torrent-done-filename' must be an absolute path."; } @@ -220,14 +226,16 @@ in cfg.settings.download-dir ] ++ optional cfg.settings.incomplete-dir-enabled - cfg.settings.incomplete-dir; + cfg.settings.incomplete-dir + ++ + optional cfg.settings.watch-dir-enabled + cfg.settings.watch-dir + ; BindReadOnlyPaths = [ # No confinement done of /nix/store here like in systemd-confinement.nix, # an AppArmor profile is provided to get a confinement based upon paths and rights. builtins.storeDir - "-/etc/hosts" - "-/etc/ld-nix.so.preload" - "-/etc/localtime" + "/etc" ] ++ optional (cfg.settings.script-torrent-done-enabled && cfg.settings.script-torrent-done-filename != "") @@ -410,11 +418,17 @@ in ${optionalString cfg.settings.incomplete-dir-enabled '' rw ${cfg.settings.incomplete-dir}/**, ''} + ${optionalString cfg.settings.watch-dir-enabled '' + rw ${cfg.settings.watch-dir}/**, + ''} profile dirs { rw ${cfg.settings.download-dir}/**, ${optionalString cfg.settings.incomplete-dir-enabled '' rw ${cfg.settings.incomplete-dir}/**, ''} + ${optionalString cfg.settings.watch-dir-enabled '' + rw ${cfg.settings.watch-dir}/**, + ''} } ${optionalString (cfg.settings.script-torrent-done-enabled && diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index c2317880553..7da119758fc 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -554,36 +554,40 @@ in { ''; }; "/" = { - priority = 200; - extraConfig = "rewrite ^ /index.php;"; + priority = 900; + extraConfig = "try_files $uri $uri/ /index.php$request_uri;"; }; "~ ^/store-apps" = { priority = 201; extraConfig = "root ${cfg.home};"; }; - "= /.well-known/carddav" = { + "^~ /.well-known" = { priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "= /.well-known/caldav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = { - priority = 300; - extraConfig = "deny all;"; - }; - "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = { - priority = 300; - extraConfig = "deny all;"; + extraConfig = '' + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + try_files $uri $uri/ =404; + ''; }; - "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = { + "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = '' + return 404; + ''; + "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)".extraConfig = '' + return 404; + ''; + "~ \\.php(?:$|/)" = { priority = 500; extraConfig = '' include ${config.services.nginx.package}/conf/fastcgi.conf; - fastcgi_split_path_info ^(.+\.php)(\\/.*)$; + fastcgi_split_path_info ^(.+?\.php)(\\/.*)$; + set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; - fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param PATH_INFO $path_info; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; @@ -593,28 +597,24 @@ in { fastcgi_read_timeout 120s; ''; }; - "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' - try_files $uri/ =404; - index index.php; - ''; - "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = '' + "~ \\.(?:css|js|svg|gif|map)$".extraConfig = '' try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options sameorigin; - add_header Referrer-Policy no-referrer; + expires 6M; access_log off; ''; - "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' + "~ \\.woff2?$".extraConfig = '' try_files $uri /index.php$request_uri; + expires 7d; access_log off; ''; + "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' + try_files $uri/ =404; + index index.php; + ''; }; extraConfig = '' + index index.php index.html /index.php$request_uri; + expires 1m; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; @@ -623,8 +623,6 @@ in { add_header X-Frame-Options sameorigin; add_header Referrer-Policy no-referrer; add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; client_max_body_size ${cfg.maxUploadSize}; fastcgi_buffers 64 4K; fastcgi_hide_header X-Powered-By; |