nixos-config/configs/workhorse/nextcloud.nix

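{ pkgs, config, ... }:
let
  # Point-to-point addresses of the host/container veth pair (ve-nextcloud).
  hostAddress = "192.168.100.10";
  containerAddress = "192.168.100.11";
  #syncthingGid = config.users.groups.syncthing.gid;
in {
  containers.nextcloud = {
    # mount host folders
    #
    # Secret paths are wrapped in `toString` on purpose: interpolating a path
    # (`"${<secrets/...>}"`) would copy the file into the world-readable Nix
    # store, whereas `toString` keeps it as a plain path string that is bind
    # mounted read-only into the container.
    bindMounts = {
      rootpassword = {
        hostPath = toString <secrets/nextcloud/root_password>;
        mountPoint = toString <secrets/nextcloud/root_password>;
        isReadOnly = true;
      };
      databasepassword = {
        hostPath = toString <secrets/nextcloud/database_password>;
        mountPoint = toString <secrets/nextcloud/database_password>;
        isReadOnly = true;
      };
      home = {
        # make sure this folder exists on the host
        hostPath = "/home/nextcloud";
        mountPoint = "/var/lib/nextcloud";
        isReadOnly = false;
      };
      db = {
        # make sure this folder exists on the host
        hostPath = "/home/nextcloud_db";
        mountPoint = "/var/lib/mysql";
        isReadOnly = false;
      };
      krops-lib = {
        mountPoint = toString <krops-lib>;
        hostPath = toString <krops-lib>;
        isReadOnly = true;
      };
      modules = {
        mountPoint = toString <modules>;
        hostPath = toString <modules>;
        isReadOnly = true;
      };
      # shared folders (syncthing libraries, exposed read-only to the container)
      samples = {
        mountPoint =
          toString config.services.syncthing.declarative.folders.samples.path;
        hostPath =
          toString config.services.syncthing.declarative.folders.samples.path;
        isReadOnly = true;
      };
      movies = {
        mountPoint =
          toString config.services.syncthing.declarative.folders.movies.path;
        hostPath =
          toString config.services.syncthing.declarative.folders.movies.path;
        isReadOnly = true;
      };
      music = {
        mountPoint = toString
          config.services.syncthing.declarative.folders.music-library.path;
        hostPath = toString
          config.services.syncthing.declarative.folders.music-library.path;
        isReadOnly = true;
      };
      series = {
        mountPoint =
          toString config.services.syncthing.declarative.folders.series.path;
        hostPath =
          toString config.services.syncthing.declarative.folders.series.path;
        isReadOnly = true;
      };
    };

    # container network setup
    # see also the NAT setup on the host system below.
    privateNetwork = true;
    hostAddress = hostAddress;
    localAddress = containerAddress;
    autoStart = true;

    config = { config, pkgs, lib, ... }: {

      imports = [ <modules> <krops-lib> ];

      services.nginx = {
        # Use recommended settings
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;
        # for graylog logging
        # NOTE: syslog over UDP to the host is unauthenticated and unencrypted;
        # this is only acceptable because the sink is the veth peer on the host.
        commonHttpConfig = let
          access_log_sink = "${hostAddress}:12304";
          error_log_sink = "${hostAddress}:12305";
        in ''
          log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
          '"facility": "nginx", '
          '"src_addr": "$remote_addr", '
          '"body_bytes_sent": $body_bytes_sent, '
          '"request_time": $request_time, '
          '"response_status": $status, '
          '"request": "$request", '
          '"request_method": "$request_method", '
          '"host": "$host",'
          '"upstream_cache_status": "$upstream_cache_status",'
          '"upstream_addr": "$upstream_addr",'
          '"http_x_forwarded_for": "$http_x_forwarded_for",'
          '"http_referrer": "$http_referer", '
          '"http_user_agent": "$http_user_agent" }';
          access_log syslog:server=${access_log_sink} graylog2_json;
          error_log syslog:server=${error_log_sink};
        '';
      };

      # don't forget the database backup before doing this
      # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
      # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
      # use snapshots in case of a rollback
      #nixpkgs.config.packageOverrides = super: {
      #  nextcloud = super.nextcloud.overrideAttrs (old: rec {
      #    name = "nextcloud-${version}";
      #    version = "18.0.1";
      #    src = super.fetchurl {
      #      url =
      #        "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
      #      sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
      #    };
      #  });
      #};

      # The container's nginx only serves plain HTTP on TCP/80 (TLS is not
      # terminated here), so only that port is opened. UDP/80 used to be
      # opened as well, but nothing in the container listens on it.
      networking.firewall.allowedTCPPorts = [ 80 ];

      # nextcloud database
      # ==================
      #
      # set user password:
      # -----------------
      # #> mysql
      # mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
      #
      # recreate database:
      # ------------------
      # mysql> DROP DATABASE nextcloud;
      # mysql> CREATE DATABASE nextcloud;
      #
      # migration:
      # ----------
      # nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
      #
      # 4-byte stuff:
      # -------------
      # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
      # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
      services.mysql = {
        enable = true;
        package = pkgs.mysql;
        # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
        ensureDatabases = [ "nextcloud" ];
        # NOTE(review): ensureUsers creates the account without a password
        # (socket authentication); the dbpassFile below presumably only matters
        # once the ALTER USER above has been run — confirm which one is in use.
        ensureUsers = [{
          name = "nextcloud";
          ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
        }];
        extraOptions = ''
          innodb_large_prefix=true
          innodb_file_format=barracuda
          innodb_file_per_table=1
        '';
      };

      # php runtime used by nextcloud's php-fpm pool
      services.phpfpm.phpPackage = pkgs.php73;

      # nextcloud setup
      services.nextcloud = {
        enable = true;
        package = pkgs.nextcloud21;
        #package = pkgs.nextcloud.overrideAttrs (old: rec {
        #  name = "nextcloud-${version}";
        #  version = "18.0.1";
        #  src = pkgs.fetchurl {
        #    url =
        #      "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
        #    sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
        #  };
        #});

        # Apps are pulled and updated from the Nextcloud app store without
        # review; this is a supply-chain trade-off (convenience over pinning).
        autoUpdateApps.enable = true;
        #nginx.enable = true;
        hostName = "nextcloud.ingolf-wagner.de";
        #logLevel = 0;

        # TLS is not terminated in this file; `https`/`overwriteProtocol` tell
        # nextcloud to generate https URLs because it sits behind proxies that
        # do. The upstream TLS-terminating proxy is presumably 195.201.134.247
        # (see trustedProxies) — confirm, otherwise credentials travel in clear.
        https = true;
        config = {
          adminpassFile =
            toString config.krops.userKeys."nextcloud_root".target;
          overwriteProtocol = "https";
          # Only these peers may set X-Forwarded-For; anything else is logged
          # with its own address. Keep this list minimal: a trusted proxy can
          # spoof client IPs towards brute-force protection.
          trustedProxies = [ "195.201.134.247" hostAddress ];
          dbtype = "mysql";
          dbpassFile =
            toString config.krops.userKeys."nextcloud_database".target;
          dbport = 3306;
        };
      };

      # provide password files with proper rights
      # (owned by the nextcloud user, which is what adminpassFile/dbpassFile require)
      krops.userKeys."nextcloud_database" = {
        user = "nextcloud";
        source = toString <secrets/nextcloud/database_password>;
        requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
      };
      krops.userKeys."nextcloud_root" = {
        user = "nextcloud";
        source = toString <secrets/nextcloud/root_password>;
        requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
      };

      environment.systemPackages = [ pkgs.smbclient ];

      # send log to host systems graylog (use tinc or wireguard if host is not graylog)
      services.SystemdJournal2Gelf.enable = true;
      services.SystemdJournal2Gelf.graylogServer = "${hostAddress}:11201";
    };
  };

  # give containers internet access
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-nextcloud" ];
  networking.nat.externalInterface = "enp2s0f1";

  # don't let networkmanager manage the container network
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # open ports for logging, only on the container side of the veth pair
  networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
    [ 11201 12304 12305 ];
  networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
    [ 11201 12304 12305 ];

  # host nginx setup
  # Plain-HTTP reverse proxy into the container. No forceSSL/enableACME is set
  # here, so TLS for the public name must be terminated further upstream.
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "nextcloud.workhorse.private" = {
        serverAliases = [ "nextcloud.ingolf-wagner.de" ];
        locations."/" = {
          proxyPass = "http://${containerAddress}";
          extraConfig = ''
            # allow big uploads
            # -----------------
            # 0 disables the request-body size limit entirely; nextcloud
            # needs large uploads, but this also removes a DoS guard rail.
            client_max_body_size 0;
          '';
        };
      };
    };
  };

  services.borgbackup.jobs = {
    "nextcloud-to-media" = {
      repo = "/media/syncthing/borg/nextcloud";
      # make sure syncthing is capable of reading the files
      # NOTE(review): this runs as root in the backup job over a tree that a
      # network-facing service (syncthing) writes to — keep the path narrow.
      postHook = ''
        chown -R syncthing:syncthing /media/syncthing/borg
      '';
      compression = "lz4";
      paths = [
        "/home/nextcloud/data/tina/files/Documents"
        "/home/nextcloud/data/tina/files/Pictures"
        "/home/nextcloud/data/tina/files/Joplin"
        "/home/nextcloud/data/tina/files/SofortUpload"
        "/home/nextcloud/data/palo/files/Joplin"
        "/home/nextcloud/data/palo/files/InstantUpload"
      ];
      doInit = true;
      # repokey mode stores the (passphrase-protected) key inside the repo, and
      # the repo is replicated by syncthing; the passphrase is the only thing
      # standing between a copy of the repo and the plaintext, so keep it strong.
      encryption = {
        mode = "repokey-blake2";
        passCommand = "cat ${toString <secrets/backup/repo>}";
      };
      startAt = "0/3:00:00";
      # Retention. Keys map 1:1 to `borg prune --keep-<key>`; the previous
      # `month` key is not a borg option and made prune fail, `monthly` is.
      prune.keep = {
        within = "2d"; # Keep all backups of the last 2 days.
        daily = 10; # Keep 10 additional end of day archives
        weekly = 8; # Keep 8 additional end of week archives.
        monthly = 8; # Keep 8 additional end of month archives.
      };
    };
  };
}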