Is it important to disable nscd?

nextcloud-container.nix

@@ -144,86 +144,90 @@ in {
                 system.nssModules = lib.mkForce [ ];
                 systemd.services.nginx.serviceConfig.AmbientCapabilities =
                   lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
-                services.nginx = {
+                services = {
-                  enable = true;
+                  nscd.enable = false;
-                  recommendedZstdSettings = true;
+                  nginx = {
-                  recommendedOptimisation = true;
+                    enable = true;
-                  recommendedGzipSettings = true;
+                    recommendedZstdSettings = true;
-                  recommendedProxySettings = true;
+                    recommendedOptimisation = true;
-                  upstreams.php-handler.extraConfig = "server nextcloud:9000;";
+                    recommendedGzipSettings = true;
-                  virtualHosts."localhost" = {
+                    recommendedProxySettings = true;
-                    extraConfig = ''
+                    upstreams.php-handler.extraConfig =
-                      add_header Referrer-Policy "no-referrer" always;
+                      "server nextcloud:9000;";
-                      add_header X-Content-Type-Options "nosniff" always;
+                    virtualHosts."localhost" = {
-                      add_header X-Download-Options "noopen" always;
+                      extraConfig = ''
-                      add_header X-Frame-Options "SAMEORIGIN" always;
+                        add_header Referrer-Policy "no-referrer" always;
-                      add_header X-Permitted-Cross-Domain-Policies "none" always;
+                        add_header X-Content-Type-Options "nosniff" always;
-                      add_header X-Robots-Tag "none" always;
+                        add_header X-Download-Options "noopen" always;
-                      add_header X-XSS-Protection "1; mode=block" always;
+                        add_header X-Frame-Options "SAMEORIGIN" always;
-                      fastcgi_hide_header X-Powered-By;
+                        add_header X-Permitted-Cross-Domain-Policies "none" always;
-                      client_max_body_size 10G;
+                        add_header X-Robots-Tag "none" always;
-                      fastcgi_buffers 64 4K;
+                        add_header X-XSS-Protection "1; mode=block" always;
-                    '';
+                        fastcgi_hide_header X-Powered-By;
-                    locations = {
+                        client_max_body_size 10G;
-                      "/robots.txt".extraConfig = ''
+                        fastcgi_buffers 64 4K;
-                        allow all;
-                        log_not_found off;
-                        access_log off;
                       '';
-                      "/.well-known/carddav" = {
+                      locations = {
-                        return =
+                        "/robots.txt".extraConfig = ''
-                          "301 $scheme://$host:$server_port/remote.hph/dav";
+                          allow all;
-                      };
+                          log_not_found off;
-                      "/.well-known/caldav" = {
-                        return =
-                          "301 $scheme://$host:$server_port/remote.hph/dav";
-                      };
-                      "/" = { extraConfig = "rewrite ^ /index.php"; };
-                      "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/".extraConfig =
-                        "deny all;";
-                      "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig =
-                        "deny all;";
-                      "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+).php(?:$|/)".extraConfig =
-                        ''
-                          fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-                          set $path_info $fastcgi_path_info;
-                          try_files $fastcgi_script_name =404;
-                          include fastcgi_params;
-                          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-                          fastcgi_param PATH_INFO $path_info;
-                          # fastcgi_param HTTPS on;
-
-                          # Avoid sending the security headers twice
-                          fastcgi_param modHeadersAvailable true;
-
-                          # Enable pretty urls
-                          fastcgi_param front_controller_active true;
-                          fastcgi_pass php-handler;
-                          fastcgi_intercept_errors on;
-                          fastcgi_request_buffering off;
-                        '';
-                      "~ ^/(?:updater|oc[ms]-provider)(?:$|/)" = {
-                        index = "index.php";
-                        tryFiles = "$uri/ =404";
-                      };
-
-                      "~ .(?:css|js|woff2?|svg|gif|map)$" = {
-                        tryFiles = "$uri /index.php$request_uri";
-                        extraConfig = ''
-                          add_header Cache-Control "public, max-age=15778463";
-                          add_header Referrer-Policy "no-referrer" always;
-                          add_header X-Content-Type-Options "nosniff" always;
-                          add_header X-Download-Options "noopen" always;
-                          add_header X-Frame-Options "SAMEORIGIN" always;
-                          add_header X-Permitted-Cross-Domain-Policies "none" always;
-                          add_header X-Robots-Tag "none" always;
-                          add_header X-XSS-Protection "1; mode=block" always;
                           access_log off;
                         '';
-                      };
+                        "/.well-known/carddav" = {
-                      "~ .(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$" = {
+                          return =
-                        tryFiles = "$uri /index.php$request_uri";
+                            "301 $scheme://$host:$server_port/remote.hph/dav";
-                        extraConfig = "access_log off;";
+                        };
+                        "/.well-known/caldav" = {
+                          return =
+                            "301 $scheme://$host:$server_port/remote.hph/dav";
+                        };
+                        "/" = { extraConfig = "rewrite ^ /index.php"; };
+                        "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/".extraConfig =
+                          "deny all;";
+                        "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig =
+                          "deny all;";
+                        "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+).php(?:$|/)".extraConfig =
+                          ''
+                            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+                            set $path_info $fastcgi_path_info;
+                            try_files $fastcgi_script_name =404;
+                            include fastcgi_params;
+                            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                            fastcgi_param PATH_INFO $path_info;
+                            # fastcgi_param HTTPS on;
+
+                            # Avoid sending the security headers twice
+                            fastcgi_param modHeadersAvailable true;
+
+                            # Enable pretty urls
+                            fastcgi_param front_controller_active true;
+                            fastcgi_pass php-handler;
+                            fastcgi_intercept_errors on;
+                            fastcgi_request_buffering off;
+                          '';
+                        "~ ^/(?:updater|oc[ms]-provider)(?:$|/)" = {
+                          index = "index.php";
+                          tryFiles = "$uri/ =404";
+                        };
+
+                        "~ .(?:css|js|woff2?|svg|gif|map)$" = {
+                          tryFiles = "$uri /index.php$request_uri";
+                          extraConfig = ''
+                            add_header Cache-Control "public, max-age=15778463";
+                            add_header Referrer-Policy "no-referrer" always;
+                            add_header X-Content-Type-Options "nosniff" always;
+                            add_header X-Download-Options "noopen" always;
+                            add_header X-Frame-Options "SAMEORIGIN" always;
+                            add_header X-Permitted-Cross-Domain-Policies "none" always;
+                            add_header X-Robots-Tag "none" always;
+                            add_header X-XSS-Protection "1; mode=block" always;
+                            access_log off;
+                          '';
+                        };
+                        "~ .(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$" = {
+                          tryFiles = "$uri /index.php$request_uri";
+                          extraConfig = "access_log off;";
+                        };
                       };
                     };
                   };