From 2205f7ca57a09851d2c7430968cc8d9479260a26 Mon Sep 17 00:00:00 2001 From: Nathan Date: Mon, 2 Feb 2026 10:34:05 -0600 Subject: [PATCH] nextcloud --- .../docker/nextcloud/default.nix | 18 +++++++++++++++++- .../docker/traefik/config/traefik.yml | 14 ++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/system/virtualization/docker/nextcloud/default.nix b/system/virtualization/docker/nextcloud/default.nix index b49bbe7..76ebaf3 100644 --- a/system/virtualization/docker/nextcloud/default.nix +++ b/system/virtualization/docker/nextcloud/default.nix @@ -44,10 +44,26 @@ in { "traefik.http.routers.${name}.service" = "${name}"; "traefik.http.routers.${name}.tls.certResolver" = "cloudflare"; - "traefik.http.services.${name}.loadbalancer.server.port" = "80"; + "traefik.http.routers.${name}.middlewares" = "nextcloud-chain"; + + "traefik.http.middlewares.https-redirect.redirectScheme.scheme" = "https"; + + "traefik.http.middlewares.nextcloud-secure-headers.headers.hostsProxyHeaders" = "X-Forwarded-Host"; + "traefik.http.middlewares.nextcloud-secure-headers.headers.referrerPolicy" = "same-origin"; + + "traefik.http.middlewares.nextcloud-chain.chain.middlewares" = "https-redirect,nextcloud-secure-headers"; + + + "traefik.http.services.${name}.loadbalancer.server.port" = "11000"; }; environment = { + APPACHE_PORT = "11000"; + APPACHE_IP = "0.0.0.0"; + APPACHE_ADDITIONAL_NETWORK = ""; + + SKIP_DOMAIN_VALIDATION = "false"; + TALK_PORT = "3479"; }; }; diff --git a/system/virtualization/docker/traefik/config/traefik.yml b/system/virtualization/docker/traefik/config/traefik.yml index a22c5bf..e3974b9 100644 --- a/system/virtualization/docker/traefik/config/traefik.yml +++ b/system/virtualization/docker/traefik/config/traefik.yml @@ -26,6 +26,9 @@ entryPoints: websecure: address: ":444" asDefault: true + transport: + respondingTimeouts: + readTimeout: 24h http: tls: certResolver: "cloudflare" 
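Review bot: The three added environment names are spelled `APPACHE_…`, so the container will most likely ignore them. These look like Nextcloud AIO settings, whose documented names are `APACHE_PORT`, `APACHE_IP_BINDING` and `APACHE_ADDITIONAL_NETWORK`; with them unset the backend would not listen on the 11000 that the load-balancer label now points at. Once the names are corrected, `APACHE_IP_BINDING = "0.0.0.0";` publishes the plain-HTTP backend on every host interface, where it can be reached without TLS or the `nextcloud-chain` middleware. Prefer joining Traefik's Docker network through `APACHE_ADDITIONAL_NETWORK` or binding to a non-public address; the network layout is not visible in this hunk, so confirm which applies. Separately, `https-redirect` is chained onto a router that already sets `tls.certResolver`, where a scheme redirect has no effect; it belongs on the plain-HTTP entry point.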
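Review bot: `readTimeout: 24h` on `websecure` lets any client keep a connection open for a day while sending its request slowly, which makes connection exhaustion cheap on an entry point marked `asDefault: true`; the `localsecure` hunk further down sets the same value. If the long timeout is there for large Nextcloud uploads, scope it to a dedicated entry point for that service, or choose a bound closer to the largest realistic upload, e.g. `readTimeout: 1h`. Either way add a comment such as `# raised for large Nextcloud uploads` so the next reader does not take it for a default.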
@@ -33,6 +36,10 @@ entryPoints:
 main: "esotericbytes.com"
 sans:
 - "*.esotericbytes.com"
+ encodedCharacters:
+ allowEncodedSlash: true
+ allowEncodedQuestionMark: true
+ allowEncodedPercent: true
 local:
 address: ":80"
@@ -45,6 +52,9 @@ entryPoints:
 localsecure:
 address: ":443"
 asDefault: true
+ transport:
+ respondingTimeouts:
+ readTimeout: 24h
 http:
 tls:
 certResolver: "cloudflare"
@@ -52,6 +62,10 @@ entryPoints:
 main: "esotericbytes.com"
 sans:
 - "*.esotericbytes.com"
+ encodedCharacters:
+ allowEncodedSlash: true
+ allowEncodedQuestionMark: true
+ allowEncodedPercent: true
 gitea-ssh:
 address: ":2222"
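Review bot: The three `allowEncoded…: true` switches are set on the whole `websecure` entry point and, in the last hunk, on `localsecure`, so every router on them, not only Nextcloud, now receives requests with an encoded slash, question mark or percent sign in the path. These switches exist because a backend that decodes such characters can end up seeing a different path from the one a router rule or an auth middleware matched. Enable only the ones Nextcloud has been shown to need, and check that no other service behind the wildcard certificate relies on `PathPrefix` rules or path-scoped middleware for access control; a dedicated entry point for Nextcloud would contain the relaxation. Indentation is lost in this view, so also confirm that `encodedCharacters:` is nested under `http:` and not under the `domains` list.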