Nextcloud: Serve on 4431 with proxy protocol

base/defaults.nix

@@ -9,6 +9,7 @@
             settings = {
                 PasswordAuthentication = false;
                 KbdInteractiveAuthentication = false;
+                X11Forwarding = true;
             };
         };
 

hosts/Rupert.nix

@@ -17,13 +17,16 @@ in
         # ./open-pgsql.nix
     ];
 
-    nixpkgs.overlays = [
+    nixpkgs.overlays = let
+        libbluray = pkgs.libbluray.override {
+            withAACS = true;
+            withBDplus = true;
+        };
+    in
+    [
         (
             self: super: {
-                libbluray = super.libbluray.override {
+                vlc = super.vlc.override { inherit libbluray; };
-                    withAACS = true;
-                    withBDplus = true;
-                };
             }
         )
     ];
@@ -39,7 +42,7 @@ in
     hardware.graphics = {
         enable = true;
         extraPackages = with pkgs; [
-            (if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.11") then vaapiIntel else intel-vaapi-driver)
+            intel-vaapi-driver
             libvdpau-va-gl
             vaapiVdpau
             # intel-media-driver
@@ -103,8 +106,9 @@ in
     services.openssh = {
         enable = true;
         settings = {
-            # ForwardX11 = true;
             PasswordAuthentication = false;
+            KbdInteractiveAuthentication = false;
+            X11Forwarding = true;
         };
     };
 
@@ -165,6 +169,7 @@ in
     };
     # Don’t start automatically
     systemd.services."beesd@backup-disk".wantedBy = lib.mkForce [];
+    systemd.services."beesd@data".serviceConfig.CPUQuota = "10%";
 
     security.acme = {
         defaults = {

hosts/mpd.nix

@@ -38,7 +38,7 @@ in
         '';
     };
 
-    hardware.pulseaudio = {
+    services.pulseaudio = {
         enable = true;
         systemWide = true;
         tcp.enable = true;

hosts/nextcloud.nix

@@ -6,7 +6,7 @@ in
     services.nextcloud = {
         enable = true;
         https = true;
-        package = pkgs.nextcloud30;
+        package = pkgs.nextcloud31;
         hostName = hostName;
         datadir = "/data/nextcloud";
         settings = {
@@ -16,6 +16,7 @@ in
             ];
             blacklisted_files = [];
             trashbin_retention_obligation = "auto, 14";
+            "simpleSignUpLink.shown" = false;
         };
         config = {
             dbtype = "pgsql";
@@ -48,13 +49,41 @@ in
         after = ["postgresql.service"];
     };
 
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    networking.firewall.allowedTCPPorts = [ 80 443 4431 ];
 
     services.nginx = {
         virtualHosts.${hostName} = {
             forceSSL = true;
             enableACME = true;
         };
+        defaultListen = [
+            {
+                addr = "[::]";
+                port = 443;
+                ssl = true;
+            }
+            {
+                addr = "0.0.0.0";
+                port = 443;
+                ssl = true;
+            }
+            {
+                addr = "[::]";
+                port = 80;
+                ssl = false;
+            }
+            {
+                addr = "0.0.0.0";
+                port = 80;
+                ssl = false;
+            }
+            {
+                addr = "[::]";
+                port = 4431;
+                ssl = true;
+                proxyProtocol = true;
+            }
+        ];
     };
 
     users.extraGroups.music = {