2020-06-11 16:53:39 +02:00
|
|
|
{ pkgs, config, ... }:
|
2020-03-06 19:02:43 +01:00
|
|
|
let
|
|
|
|
|
|
|
|
hostAddress = "192.168.100.10";
|
|
|
|
containerAddress = "192.168.100.11";
|
2020-06-11 16:53:39 +02:00
|
|
|
#syncthingGid = config.users.groups.syncthing.gid;
|
2020-03-06 19:02:43 +01:00
|
|
|
|
|
|
|
in {
|
2020-03-03 20:09:31 +01:00
|
|
|
|
|
|
|
containers.nextcloud = {
|
2020-03-06 19:02:43 +01:00
|
|
|
|
|
|
|
# mount host folders
|
2020-03-03 20:09:31 +01:00
|
|
|
bindMounts = {
|
2020-03-06 14:58:47 +01:00
|
|
|
rootpassword = {
|
|
|
|
hostPath = toString <secrets/nextcloud/root_password>;
|
|
|
|
mountPoint = toString <secrets/nextcloud/root_password>;
|
|
|
|
isReadOnly = true;
|
|
|
|
};
|
|
|
|
databasepassword = {
|
|
|
|
hostPath = toString <secrets/nextcloud/database_password>;
|
|
|
|
mountPoint = toString <secrets/nextcloud/database_password>;
|
2020-03-03 20:09:31 +01:00
|
|
|
isReadOnly = true;
|
|
|
|
};
|
|
|
|
home = {
|
2020-03-06 14:58:47 +01:00
|
|
|
# make sure this folder exist on the host
|
2020-03-03 20:09:31 +01:00
|
|
|
hostPath = toString "/home/nextcloud";
|
|
|
|
mountPoint = "/var/lib/nextcloud";
|
|
|
|
isReadOnly = false;
|
|
|
|
};
|
2020-03-06 14:58:47 +01:00
|
|
|
db = {
|
|
|
|
# make sure this folder exist on the host
|
|
|
|
hostPath = toString "/home/nextcloud_db";
|
|
|
|
mountPoint = "/var/lib/mysql";
|
|
|
|
isReadOnly = false;
|
|
|
|
};
|
|
|
|
krops-lib = {
|
|
|
|
mountPoint = toString <krops-lib>;
|
|
|
|
hostPath = toString <krops-lib>;
|
|
|
|
isReadOnly = true;
|
|
|
|
};
|
2020-03-06 08:28:19 +01:00
|
|
|
modules = {
|
|
|
|
mountPoint = toString <modules>;
|
|
|
|
hostPath = toString <modules>;
|
|
|
|
isReadOnly = true;
|
2020-06-11 16:53:39 +02:00
|
|
|
};
|
|
|
|
# shared folders
|
|
|
|
samples = {
|
2020-11-21 18:56:11 +01:00
|
|
|
mountPoint =
|
|
|
|
toString config.services.syncthing.declarative.folders.samples.path;
|
|
|
|
hostPath =
|
|
|
|
toString config.services.syncthing.declarative.folders.samples.path;
|
2020-06-11 16:53:39 +02:00
|
|
|
isReadOnly = true;
|
|
|
|
};
|
|
|
|
movies = {
|
2020-11-21 18:56:11 +01:00
|
|
|
mountPoint =
|
|
|
|
toString config.services.syncthing.declarative.folders.movies.path;
|
|
|
|
hostPath =
|
|
|
|
toString config.services.syncthing.declarative.folders.movies.path;
|
2020-06-11 16:53:39 +02:00
|
|
|
isReadOnly = true;
|
|
|
|
};
|
|
|
|
music = {
|
|
|
|
mountPoint = toString
|
2020-11-21 18:56:11 +01:00
|
|
|
config.services.syncthing.declarative.folders.music-library.path;
|
2020-06-11 16:53:39 +02:00
|
|
|
hostPath = toString
|
2020-11-21 18:56:11 +01:00
|
|
|
config.services.syncthing.declarative.folders.music-library.path;
|
2020-06-11 16:53:39 +02:00
|
|
|
isReadOnly = true;
|
|
|
|
};
|
|
|
|
series = {
|
2020-11-21 18:56:11 +01:00
|
|
|
mountPoint =
|
|
|
|
toString config.services.syncthing.declarative.folders.series.path;
|
|
|
|
hostPath =
|
|
|
|
toString config.services.syncthing.declarative.folders.series.path;
|
2020-06-11 16:53:39 +02:00
|
|
|
isReadOnly = true;
|
2020-03-06 08:28:19 +01:00
|
|
|
};
|
2020-03-03 20:09:31 +01:00
|
|
|
};
|
|
|
|
|
2020-03-06 19:02:43 +01:00
|
|
|
# container network setup
|
|
|
|
# see also nating on host system.
|
2020-03-03 20:09:31 +01:00
|
|
|
privateNetwork = true;
|
2020-03-06 19:02:43 +01:00
|
|
|
hostAddress = hostAddress;
|
|
|
|
localAddress = containerAddress;
|
2020-03-03 20:09:31 +01:00
|
|
|
|
|
|
|
autoStart = true;
|
|
|
|
|
2020-03-06 19:02:43 +01:00
|
|
|
config = { config, pkgs, lib, ... }: {
|
2020-03-03 20:09:31 +01:00
|
|
|
|
2020-03-06 14:58:47 +01:00
|
|
|
imports = [ <modules> <krops-lib> ];
|
2020-03-06 08:28:19 +01:00
|
|
|
|
2020-03-06 19:02:43 +01:00
|
|
|
services.nginx = {
|
|
|
|
|
|
|
|
# Use recommended settings
|
|
|
|
recommendedGzipSettings = lib.mkDefault true;
|
|
|
|
recommendedOptimisation = lib.mkDefault true;
|
|
|
|
recommendedProxySettings = lib.mkDefault true;
|
|
|
|
recommendedTlsSettings = lib.mkDefault true;
|
|
|
|
|
|
|
|
# for graylog logging
|
|
|
|
commonHttpConfig = let
|
|
|
|
access_log_sink = "${hostAddress}:12304";
|
|
|
|
error_log_sink = "${hostAddress}:12305";
|
|
|
|
in ''
|
|
|
|
log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
|
|
|
|
'"facility": "nginx", '
|
2020-03-11 03:57:21 +01:00
|
|
|
'"src_addr": "$remote_addr", '
|
2020-03-06 19:02:43 +01:00
|
|
|
'"body_bytes_sent": $body_bytes_sent, '
|
|
|
|
'"request_time": $request_time, '
|
|
|
|
'"response_status": $status, '
|
|
|
|
'"request": "$request", '
|
|
|
|
'"request_method": "$request_method", '
|
|
|
|
'"host": "$host",'
|
|
|
|
'"upstream_cache_status": "$upstream_cache_status",'
|
|
|
|
'"upstream_addr": "$upstream_addr",'
|
|
|
|
'"http_x_forwarded_for": "$http_x_forwarded_for",'
|
|
|
|
'"http_referrer": "$http_referer", '
|
|
|
|
'"http_user_agent": "$http_user_agent" }';
|
|
|
|
|
|
|
|
access_log syslog:server=${access_log_sink} graylog2_json;
|
|
|
|
error_log syslog:server=${error_log_sink};
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2020-03-05 17:11:47 +01:00
|
|
|
# don't forget the database backup before doing this
|
|
|
|
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
|
|
|
|
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
|
|
|
|
# use snapshots in case of a rollback
|
2020-05-16 14:49:55 +02:00
|
|
|
#nixpkgs.config.packageOverrides = super: {
|
|
|
|
# nextcloud = super.nextcloud.overrideAttrs (old: rec {
|
|
|
|
# name = "nextcloud-${version}";
|
|
|
|
# version = "18.0.1";
|
|
|
|
# src = super.fetchurl {
|
|
|
|
# url =
|
|
|
|
# "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
|
|
|
|
# sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
|
|
|
|
# };
|
|
|
|
# });
|
|
|
|
#};
|
2020-03-05 17:11:47 +01:00
|
|
|
|
2020-03-03 20:09:31 +01:00
|
|
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
|
|
|
networking.firewall.allowedUDPPorts = [ 80 ];
|
|
|
|
|
2020-03-06 14:58:47 +01:00
|
|
|
# nextcloud database
|
|
|
|
# ==================
|
|
|
|
#
|
|
|
|
# set user password:
|
|
|
|
# -----------------
|
|
|
|
# #> mysql
|
|
|
|
# mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
|
|
|
|
#
|
|
|
|
# recreate database:
|
|
|
|
# ------------------
|
|
|
|
# mysql> DROP DATABASE nextcloud;
|
|
|
|
# mysql> CREATE DATABASE nextcloud;
|
|
|
|
#
|
|
|
|
# migration:
|
|
|
|
# ----------
|
|
|
|
# nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
|
|
|
|
#
|
|
|
|
# 4-byte stuff:
|
|
|
|
# -------------
|
|
|
|
# https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
|
|
|
|
# if you do this don't forget --default-character-set=utf8mb4 for mysqldump
|
|
|
|
services.mysql = {
|
|
|
|
enable = true;
|
|
|
|
package = pkgs.mysql;
|
2020-11-29 21:51:16 +01:00
|
|
|
# https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
|
2020-03-06 14:58:47 +01:00
|
|
|
ensureDatabases = [ "nextcloud" ];
|
|
|
|
ensureUsers = [{
|
|
|
|
name = "nextcloud";
|
|
|
|
ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
|
|
|
|
}];
|
|
|
|
extraOptions = ''
|
|
|
|
innodb_large_prefix=true
|
|
|
|
innodb_file_format=barracuda
|
|
|
|
innodb_file_per_table=1
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2021-03-03 06:45:08 +01:00
|
|
|
# in php
|
|
|
|
services.phpfpm.phpPackage = pkgs.php73;
|
|
|
|
|
2020-03-06 14:58:47 +01:00
|
|
|
# nextcloud setup
|
2020-05-16 02:25:06 +02:00
|
|
|
services.nextcloud = {
|
2020-03-03 20:09:31 +01:00
|
|
|
enable = true;
|
2021-03-23 07:37:08 +01:00
|
|
|
package = pkgs.nextcloud21;
|
2020-05-16 14:49:55 +02:00
|
|
|
#package = pkgs.nextcloud.overrideAttrs (old: rec {
|
|
|
|
# name = "nextcloud-${version}";
|
|
|
|
# version = "18.0.1";
|
|
|
|
# src = pkgs.fetchurl {
|
|
|
|
# url =
|
|
|
|
# "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
|
|
|
|
# sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
|
|
|
|
# };
|
|
|
|
#});
|
2020-03-03 20:09:31 +01:00
|
|
|
autoUpdateApps.enable = true;
|
2020-11-23 01:45:12 +01:00
|
|
|
#nginx.enable = true;
|
2020-03-05 06:55:08 +01:00
|
|
|
hostName = "nextcloud.ingolf-wagner.de";
|
2020-03-05 17:11:47 +01:00
|
|
|
#logLevel = 0;
|
2020-03-06 14:58:47 +01:00
|
|
|
https = true;
|
|
|
|
config = {
|
2021-03-03 06:45:08 +01:00
|
|
|
adminpassFile =
|
|
|
|
toString config.krops.userKeys."nextcloud_root".target;
|
2020-03-06 14:58:47 +01:00
|
|
|
overwriteProtocol = "https";
|
2020-03-06 19:02:43 +01:00
|
|
|
trustedProxies = [ "195.201.134.247" hostAddress ];
|
2020-03-06 14:58:47 +01:00
|
|
|
dbtype = "mysql";
|
2021-03-03 06:45:08 +01:00
|
|
|
dbpassFile =
|
|
|
|
toString config.krops.userKeys."nextcloud_database".target;
|
2020-03-06 14:58:47 +01:00
|
|
|
dbport = 3306;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# provide password file for database with proper rights
|
2021-03-03 06:45:08 +01:00
|
|
|
krops.userKeys."nextcloud_database" = {
|
2020-03-06 14:58:47 +01:00
|
|
|
user = "nextcloud";
|
|
|
|
source = toString <secrets/nextcloud/database_password>;
|
2021-03-03 06:45:08 +01:00
|
|
|
requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
|
|
|
|
};
|
|
|
|
krops.userKeys."nextcloud_root" = {
|
|
|
|
user = "nextcloud";
|
|
|
|
source = toString <secrets/nextcloud/root_password>;
|
|
|
|
requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
|
2020-03-03 20:09:31 +01:00
|
|
|
};
|
|
|
|
|
2020-03-04 13:50:41 +01:00
|
|
|
environment.systemPackages = [ pkgs.smbclient ];
|
2020-03-06 19:02:43 +01:00
|
|
|
|
|
|
|
# send log to host systems graylog (use tinc or wireguard if host is not graylog)
|
|
|
|
services.SystemdJournal2Gelf.enable = true;
|
|
|
|
services.SystemdJournal2Gelf.graylogServer = "${hostAddress}:11201";
|
2020-03-03 20:09:31 +01:00
|
|
|
};
|
2020-03-03 17:14:21 +01:00
|
|
|
};
|
2020-03-03 18:45:35 +01:00
|
|
|
|
2020-03-03 23:20:34 +01:00
|
|
|
# give containers internet access
|
|
|
|
networking.nat.enable = true;
|
|
|
|
networking.nat.internalInterfaces = [ "ve-nextcloud" ];
|
2020-06-08 00:18:44 +02:00
|
|
|
networking.nat.externalInterface = "enp2s0f1";
|
2020-03-03 23:20:34 +01:00
|
|
|
|
|
|
|
# don't let networkmanager manger container network
|
|
|
|
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
|
|
|
|
|
2020-03-06 19:02:43 +01:00
|
|
|
# open ports for logging
|
|
|
|
networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
|
|
|
|
[ 11201 12304 12305 ];
|
|
|
|
networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
|
|
|
|
[ 11201 12304 12305 ];
|
|
|
|
|
2020-03-03 20:09:31 +01:00
|
|
|
# host nginx setup
|
|
|
|
services.nginx = {
|
|
|
|
enable = true;
|
2020-03-04 07:37:03 +01:00
|
|
|
recommendedProxySettings = true;
|
2020-03-03 20:09:31 +01:00
|
|
|
virtualHosts = {
|
|
|
|
"nextcloud.workhorse.private" = {
|
2021-03-03 06:45:08 +01:00
|
|
|
serverAliases = [ "nextcloud.ingolf-wagner.de" ];
|
2020-03-03 20:09:31 +01:00
|
|
|
locations."/" = {
|
2020-03-06 19:02:43 +01:00
|
|
|
proxyPass = "http://${containerAddress}";
|
2020-03-03 20:09:31 +01:00
|
|
|
extraConfig = ''
|
2020-03-04 12:06:11 +01:00
|
|
|
# allow big uploads
|
|
|
|
# -----------------
|
2020-03-04 11:30:45 +01:00
|
|
|
client_max_body_size 0;
|
2020-03-03 20:09:31 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2020-03-03 18:45:35 +01:00
|
|
|
|
2021-03-21 18:23:32 +01:00
|
|
|
services.borgbackup.jobs = {
|
|
|
|
"nextcloud-to-media" = {
|
|
|
|
repo = "/media/syncthing/borg/nextcloud";
|
|
|
|
# make sure syncthing is capable of reading the files
|
|
|
|
postHook = ''
|
2021-03-23 07:37:08 +01:00
|
|
|
chown -R syncthing:syncthing /media/syncthing/borg
|
2021-03-21 18:23:32 +01:00
|
|
|
'';
|
|
|
|
compression = "lz4";
|
|
|
|
paths = [
|
|
|
|
"/home/nextcloud/data/tina/files/Documents"
|
|
|
|
"/home/nextcloud/data/tina/files/Pictures"
|
|
|
|
"/home/nextcloud/data/tina/files/Joplin"
|
|
|
|
"/home/nextcloud/data/tina/files/SofortUpload"
|
|
|
|
"/home/nextcloud/data/palo/files/Joplin"
|
|
|
|
"/home/nextcloud/data/palo/files/InstantUpload"
|
|
|
|
];
|
|
|
|
doInit = true;
|
|
|
|
encryption = {
|
|
|
|
mode = "repokey-blake2";
|
|
|
|
passCommand = "cat ${toString <secrets/backup/repo>}";
|
|
|
|
};
|
|
|
|
startAt = "0/3:00:00";
|
|
|
|
prune.keep = {
|
|
|
|
within = "2d"; # Keep all backups in the last 10 days.
|
|
|
|
daily = 10; # Keep 10 additional end of day archives
|
|
|
|
weekly = 8; # Keep 8 additional end of week archives.
|
|
|
|
month = 8; # Keep 8 additional end of month archives.
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2020-03-03 17:14:21 +01:00
|
|
|
}
|