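# .SRCINFO for nextcloud-uwsgi-service. AUR helpers resolve dependencies from
# this file, not from PKGBUILD, so it must stay in sync with PKGBUILD
# (normally regenerated with: makepkg --printsrcinfo > .SRCINFO).
# The php-intl / php-imagick depends and the certbot-nginx optdepend are
# declared in PKGBUILD but were missing here; without them php.ini's
# extension=intl / extension=imagick.so would fail to load on a clean install.
pkgbase = nextcloud-uwsgi-service
	pkgdesc = run nextcloud as a DynamicUser=yes, socket activated uwsgi service
	pkgver = 0.4
	pkgrel = 1
	url = https://aur.archlinux.org/packages/nextcloud-uwsgi-service/
	arch = any
	license = MIT
	depends = nextcloud>=17.0.0
	depends = uwsgi-plugin-php
	depends = nginx
	depends = systemd
	depends = php-gd
	depends = php-sqlite
	depends = php-redis
	depends = php-xsl
	depends = php-igbinary
	depends = php-intl
	depends = php-imagick
	optdepends = nextcloud-app-totp: TOTP 2FA support
	optdepends = nextcloud-app-u2f: U2F 2FA support
	optdepends = certbot-nginx: TLS certificates for nginx
	options = !strip
	backup = etc/uwsgi/nextcloud.ini
	backup = etc/nginx/sites/nextcloud.conf
	backup = etc/php/nextcloud/php.ini
	# All sources are local files shipped with the package (no download URL),
	# so the checksums below only catch accidental edits, not upstream tampering.
	source = nextcloud.ini
	source = nextcloud.conf
	source = nextcloud.service
	source = nextcloud.socket
	source = php.ini
	sha256sums = a6edafd6aa007a366490225fd18078d0b906678f5293546a66bf9dce1ceb4ccd
	sha256sums = e85b75c603e591608b8b481b0e166e8beff8648894912e2817e0cc14ebe244be
	sha256sums = 836af07eaa8ad53f71398677d02ce6670ebd2d39e9f0d8be9d159612898d6b41
	sha256sums = 28d9f6e00e5c283f5b479fd12262d0f5d20025681fc454407c6c91138a7a91dd
	sha256sums = 0779ec8c97508691aafc0b1428881e8160c90d4bf6f9e0378ed028614fad7939

pkgname = nextcloud-uwsgi-service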
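# nextcloud.conf -- nginx vhost in front of the socket-activated uwsgi/PHP
# service (nextcloud.socket + nextcloud.service). Installed to /etc/nginx/sites/
# and listed as a backup= file, so local edits survive package upgrades.
server {
    listen 443 ssl http2;
    server_name cloud.example.com;

    # Relative paths resolve under the nginx prefix (/etc/nginx/ssl/...).
    ssl_certificate ssl/cloud.example.com.crt;
    ssl_certificate_key ssl/cloud.example.com.key;
    # Pin the protocol list instead of inheriting nginx's built-in default,
    # which on older releases still includes TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /usr/share/webapps/nextcloud;

    # Upload ceiling; keep it >= post_max_size/upload_max_filesize in php.ini
    # (1000M there), otherwise nginx answers 413 before PHP sees the upload.
    client_max_body_size 1G;

    # Security headers Nextcloud expects the web server to set (the uwsgi side
    # passes modHeadersAvailable=true so Nextcloud does not warn about them).
    # "always" is needed for them to be sent on 4xx/5xx responses as well;
    # without it add_header only applies to 2xx/3xx, so the 403/404 pages
    # below would go out without HSTS and the framing/MIME protections.
    add_header Strict-Transport-Security max-age=15768000 always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options noopen always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # CalDAV/CardDAV service discovery. $host echoes the request's Host header;
    # if this vhost is also the default server, prefer $server_name so the
    # redirect target cannot be steered by the client.
    rewrite ^/\.well-known/carddav $scheme://$host/remote.php/dav/ permanent;
    rewrite ^/\.well-known/caldav $scheme://$host/remote.php/dav/ permanent;
    # The following 2 rules are only needed with webfinger. Both are anchored
    # with $: unanchored, the host-meta rule also matched host-meta.json and,
    # being "last", the json rule could never fire.
    rewrite ^/\.well-known/host-meta$ /public.php?service=host-meta last;
    rewrite ^/\.well-known/host-meta\.json$ /public.php?service=host-meta-json last;

    # Never serve Nextcloud internals directly (config.php, data, libraries).
    location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    # Dotfiles and CLI/maintenance entry points. Note this also denies any
    # /.well-known/* path not rewritten above (e.g. acme-challenge); an exact
    # or "^~" location takes precedence over this regex if one is needed.
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Every *.php request (with or without trailing path info) goes to uwsgi.
    # nginx does not verify the script exists; the uwsgi side restricts which
    # scripts may run (php-allowed-ext in /etc/uwsgi/nextcloud.ini).
    location ~ \.php(?:$|/) {
        include uwsgi_params;
        # 14 = uwsgi PHP modifier; selects the php plugin loaded by the service.
        uwsgi_modifier1 14;
        # Must be the same path as ListenStream= in nextcloud.socket (the
        # original pointed at /run/nextcloud.sock, which nothing listens on).
        # The socket is 0660 root:http, so nginx's workers must run in group http.
        uwsgi_pass unix:/run/uwsgi/nextcloud.sock;
    }

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    index index.php;
    # Pretty URLs: anything that is not a real file/dir is handled by index.php.
    location / {
        try_files $uri $uri/ /index.php;
    }
}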
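; nextcloud.ini -- uwsgi configuration for Nextcloud (installed to /etc/uwsgi/).
; [uwsgi]     stand-alone profile for local testing (plain HTTP, no nginx)
; [service]   profile started by nextcloud.service (--ini nextcloud.ini:service)
; [nextcloud] shared PHP settings, pulled into both via "ini = :nextcloud"
; %(name) is uwsgi's own placeholder syntax, not configparser interpolation.

[uwsgi]
; default for local testing run it like "uwsgi --ini nextcloud.ini"
ini = :nextcloud
; Loopback only: this mode has no TLS and none of the nginx deny rules in
; front of it, so it must not be reachable from other hosts.
http-socket = 127.0.0.1:8000
; 14 = PHP modifier, the same value nginx sends with uwsgi_modifier1.
http-socket-modifier1 = 14
; use uwsgi static file server for everything that is not a PHP source file
static-check = %(nextcloud_dir)
static-skip-ext = .php
static-skip-ext = .inc
offload-threads = 2

[service]
ini = :nextcloud
; Exit on SIGTERM (uwsgi's default is to reload); systemd stops the unit
; through the master FIFO, see ExecStop= in nextcloud.service.
die-on-term = yes
logger = systemd
logformat = %(addr) (%(user)) (%(proto) %(status)) %(method) %(uri) => generated %(rsize) bytes in %(msecs) msecs %(headers) headers in %(hsize) bytes {%(vars) vars in %(pktsize) bytes} (%(switches) switches on core %(core))
; nginx will set security headers
env = modHeadersAvailable=true
; pretty urls
env = front_controller_active=true
; No socket= here on purpose: the listening socket is inherited from
; nextcloud.socket (systemd socket activation) and nginx selects the PHP
; plugin per request with uwsgi_modifier1 14.

[nextcloud]
master = true
processes = 4
plugins = php
nextcloud_dir = /usr/share/webapps/nextcloud
php-docroot = %(nextcloud_dir)
php-index = index.php
; recommended to only allow these php scripts.
; NOTE(review): uwsgi documents php-allowed-ext as a list of allowed file
; *extensions*, i.e. a match on the end of the resolved script path, so
; "/index.php" is expected to also admit e.g. /apps/foo/index.php under the
; docroot. If an exact whitelist is the intent, php-allowed-script (absolute
; paths) is the documented option -- verify against the plugin before switching.
php-allowed-ext = /index.php
php-allowed-ext = /cron.php
php-allowed-ext = /status.php
php-allowed-ext = /remote.php
php-allowed-ext = /public.php
php-allowed-ext = /core/templates/403.php
php-allowed-ext = /core/templates/404.php
php-allowed-ext = /core/ajax/update.php
php-allowed-ext = /ocs/v1.php
php-allowed-ext = /ocs/v2.php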
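# nextcloud.service -- runs uwsgi+PHP for Nextcloud under a dynamic, sandboxed
# UID. The listening socket comes from nextcloud.socket; nginx talks to it over
# /run/uwsgi/nextcloud.sock (see uwsgi_pass in nextcloud.conf).
[Unit]
Description=nextcloud uwsgi service
After=network.target redis.service
Before=nginx.service
Requires=nextcloud.socket

[Service]
# uwsgi reports readiness over NOTIFY_SOCKET when started by systemd.
Type=notify
# DynamicUser allocates the nextcloud UID/GID at start and, per systemd.exec(5),
# implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=, RemoveIPC=,
# NoNewPrivileges= and RestrictSUIDSGID=. The implied ones are spelled out
# below so the sandbox is visible without consulting the manual.
DynamicUser=yes
User=nextcloud
Group=nextcloud
# /run/nextcloud (master FIFO) and /var/lib/nextcloud (config + data) are the
# only writable locations. The web root stays read-only, which is why the
# package points at pacman-provided apps (optdepends) rather than in-app installs.
RuntimeDirectory=nextcloud
StateDirectory=nextcloud
WorkingDirectory=/var/lib/nextcloud/
Environment=NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config
# Leading ':' keeps PHP's default scan dir and appends the package's php.ini.
Environment=PHP_INI_SCAN_DIR=:/etc/php/nextcloud
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/nextcloud.ini:service --master-fifo /run/nextcloud/master-fifo
# Graceful reload ('w' = reload workers) and quit ('q') via the master FIFO.
ExecReload=/bin/bash -c 'echo w > /run/nextcloud/master-fifo'
ExecStop=/bin/bash -c 'echo q > /run/nextcloud/master-fifo'
Restart=always
# NOTE(review): this also disables the stop timeout, so a wedged uwsgi that
# ignores 'q' is never killed by systemd; consider a finite TimeoutStopSec=.
TimeoutSec=infinity
IPAccounting=yes

# Sandboxing. The process is unprivileged from the start and the socket is
# inherited from systemd, so it needs no capability at all.
ProtectSystem=strict
PrivateTmp=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
LockPersonality=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Newer than the rest (systemd >= 244/245); older systemd warns and ignores them.
ProtectKernelLogs=yes
ProtectClock=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# @system-service is the broad allow-list for ordinary daemons; denied calls
# return EPERM instead of killing the worker, so a blocked call shows up as a
# PHP error in the journal rather than as a crash loop.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
Also=nextcloud.socket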
# nextcloud.socket -- systemd-owned listening socket for nextcloud.service.
# nginx connects here, so uwsgi_pass in nextcloud.conf must name the same path.
[Unit]
Description=nextcloud socket

[Socket]
# Parent directories of a socket path are created by systemd as needed
# (DirectoryMode= in systemd.socket(5)), so /run/uwsgi needs no tmpfiles entry.
ListenStream=/run/uwsgi/nextcloud.sock
# root:http 0660 -- only processes in group http (nginx's workers on Arch) can
# connect; the uwsgi workers never open it themselves, they inherit the fd.
SocketMode=0660
SocketGroup=http

[Install]
WantedBy=sockets.target
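; php.ini -- extra PHP settings for the Nextcloud uwsgi service only.
; Loaded through PHP_INI_SCAN_DIR=:/etc/php/nextcloud (set in nextcloud.service);
; the leading ':' appends this directory to PHP's default scan dir, so the
; system php.ini still applies and the values here override it.

; Extensions; each needs its php-* package (see depends in PKGBUILD).
extension=pdo_sqlite.so
extension=exif.so
extension=gmp.so
extension=iconv.so
extension=sockets.so
extension=xmlrpc.so
extension=xsl.so
extension=igbinary.so
extension=gd.so
extension=redis.so
zend_extension=opcache.so
extension=intl.so
extension=imagick.so

memory_limit=512M
; open_basedir is deliberately disabled: file-system confinement for this
; service comes from the systemd sandbox in nextcloud.service
; (ProtectSystem=strict via DynamicUser=yes), not from PHP.
open_basedir=
; /tmp is private to the service (PrivateTmp= is implied by DynamicUser=yes).
session.save_path=/tmp
; Upload limits; client_max_body_size in nextcloud.conf (1G) must not be smaller.
post_max_size=1000M
upload_max_filesize=1000M
; Do not advertise the PHP version in the X-Powered-By response header.
expose_php=Off
; Adjust to the server's timezone (this file is a backup= file, edits are kept).
date.timezone=Europe/Berlin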
# Maintainer: Damjan Georgievski <gdamjan@gmail.com>
# Ships the config and unit files that run Nextcloud as a DynamicUser=yes,
# socket-activated uwsgi service behind nginx. All sources are local files.
pkgname=nextcloud-uwsgi-service
pkgver=0.4
pkgrel=1
pkgdesc="run nextcloud as a DynamicUser=yes, socket activated uwsgi service"
arch=("any")
url="https://aur.archlinux.org/packages/nextcloud-uwsgi-service/"
license=("MIT")
# Runtime deps: the web app, uwsgi's PHP plugin, nginx as TLS front end,
# systemd for the units, and one php-* package per extension enabled in php.ini.
depends=(
	"nextcloud>=17.0.0"
	"uwsgi-plugin-php"
	"nginx"
	"systemd"
	"php-gd"
	"php-sqlite"
	"php-redis"
	"php-xsl"
	"php-igbinary"
	"php-intl"
	"php-imagick"
)
optdepends=(
	"nextcloud-app-totp: TOTP 2FA support"
	"nextcloud-app-u2f: U2F 2FA support"
	"certbot-nginx: TLS certificates for nginx"
)
makedepends=()
# Nothing to strip: the package contains no binaries.
options=("!strip")
source=(
	"nextcloud.ini"
	"nextcloud.conf"
	"nextcloud.service"
	"nextcloud.socket"
	"php.ini"
)
# Config files the admin is expected to edit; pacman keeps them on upgrade.
backup=(
	"etc/uwsgi/nextcloud.ini"
	"etc/nginx/sites/nextcloud.conf"
	"etc/php/nextcloud/php.ini"
)
# Install the five config/unit files; everything is plain text, 0644 root:root,
# parent directories created as needed (-D). No build step.
package() {
	cd "$srcdir"
	install -Dm0644 nextcloud.ini     "$pkgdir/etc/uwsgi/nextcloud.ini"
	install -Dm0644 nextcloud.conf    "$pkgdir/etc/nginx/sites/nextcloud.conf"
	install -Dm0644 nextcloud.service "$pkgdir/usr/lib/systemd/system/nextcloud.service"
	install -Dm0644 nextcloud.socket  "$pkgdir/usr/lib/systemd/system/nextcloud.socket"
	install -Dm0644 php.ini           "$pkgdir/etc/php/nextcloud/php.ini"
}
# Checksums of the local source files, in the same order as source=().
# Nothing is downloaded, so these only catch accidental edits, not tampering.
sha256sums=(
	"a6edafd6aa007a366490225fd18078d0b906678f5293546a66bf9dce1ceb4ccd"  # nextcloud.ini
	"e85b75c603e591608b8b481b0e166e8beff8648894912e2817e0cc14ebe244be"  # nextcloud.conf
	"836af07eaa8ad53f71398677d02ce6670ebd2d39e9f0d8be9d159612898d6b41"  # nextcloud.service
	"28d9f6e00e5c283f5b479fd12262d0f5d20025681fc454407c6c91138a7a91dd"  # nextcloud.socket
	"0779ec8c97508691aafc0b1428881e8160c90d4bf6f9e0378ed028614fad7939"  # php.ini
)

gdamjan commented Nov 3, 2019

TODO:

  • more security in .service
  • double check the nginx conf file
  • php deps


vladan commented Nov 3, 2019

nginx headers for increased security:
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "origin";


gdamjan commented Nov 3, 2019

Running occ in the same context as the service:

# Same identity and sandbox as nextcloud.service (DynamicUser "nextcloud",
# RuntimeDirectory/StateDirectory, NEXTCLOUD_CONFIG_DIR, PHP_INI_SCAN_DIR), so
# occ reads the same config.php and any files it creates get the service's UID.
# occ arguments go after the path; --pipe attaches the terminal and waits.
systemd-run --pipe \
  --setenv=NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config \
  --setenv=PHP_INI_SCAN_DIR=:/etc/php/nextcloud \
  --property=DynamicUser=yes \
  --property=User=nextcloud \
  --property=Group=nextcloud \
  --property=RuntimeDirectory=nextcloud \
  --property=StateDirectory=nextcloud \
  /usr/share/webapps/nextcloud/occ


gdamjan commented Nov 3, 2019

nginx headers for increased security:
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "origin";

done — X-Frame-Options "SAMEORIGIN" added as suggested; Referrer-Policy is set to "no-referrer", which is stricter than "origin".
