nixos-config/machines/orbi/media-nextcloud.nix

{
  pkgs,
  lib,
  config,
  factsGenerator,
  components,
  inputs,
  ...
}:

# don't forget the database backup before upgrading
# -------------------------------------------------
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html

let
  # todo : let nextcloud run as media, this would make this part easier.
  nextcloudUid = config.ids.uids.transmission;
  nextcloudGid = config.ids.gids.transmission;
  nextcloudPort = 9080;
  nextcloudHostName = "nextcloud.ingolf-wagner.de";

  phpPackage = pkgs.php73;
  nextcloudPackage = pkgs.nextcloud29;
  mySQLPackage = pkgs.mysql;
in
{

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
  networking.firewall.allowedUDPPorts = [
    80
    443
  ];

  verify.localCommands.nextcloud =
    let
      domain = "https://nextcloud.ingolf-wagner.de/login";
      curl = lib.getExe pkgs.curl;
      grep = lib.getExe pkgs.gnugrep;
    in
    ''
      if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
        if ${curl} -s ${domain} | ${grep} -q "Login"; then
          echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'."
        else
          echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht."
        fi
      else
        echo "[Fail] Die Seite hat keinen Statuscode 200."
      fi
    '';

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "${nextcloudHostName}" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            proxyPass = "http://localhost:${toString nextcloudPort}";
            extraConfig = ''
              sub_filter "http://${nextcloudHostName}" "https://${nextcloudHostName}";
              # used for view/edit office file via Office Online Server
              client_max_body_size 0;
              proxy_buffering off;  # to download files bigger than 1GB
            '';
          };
          "= /.well-known/carddav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
          "= /.well-known/caldav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
        };
      };
    };
  };

  clan.core.facts.services.nextcloud_root = factsGenerator.password {
    service = "nextcloud";
    name = "root";
  };
  clan.core.facts.services.nextcloud_database = factsGenerator.password {
    service = "nextcloud";
    name = "database";
  };

  # Container Setup
  # ===============
  #
  # running:
  # * nextcloud (php)
  # * mysql
  containers.nextcloud = {

    bindMounts = {
      rootpassword = {
        hostPath = config.clan.core.facts.services.nextcloud_root.secret."nextcloud.root".path;
        mountPoint = "/run/secrets/nextcloud.root.intput";
        isReadOnly = true;
      };
      databasepassword = {
        hostPath = config.clan.core.facts.services.nextcloud_database.secret."nextcloud.database".path;
        mountPoint = "/run/secrets/nextcloud.database.input";
        isReadOnly = true;
      };
      share = {
        hostPath = config.services.syncthing.settings.folders.share.path;
        mountPoint = "/media/share";
        isReadOnly = true;
      };
    };

    privateNetwork = false;
    autoStart = true;

    config =
      { config, lib, ... }:
      {
        nixpkgs.pkgs = pkgs;
        imports = [
          "${components}/monitor/container.nix"
          inputs.nix-topology.nixosModules.default
        ];
        system.stateVersion = "23.11";
        services.logrotate.checkConfig = false; # because uid 3000 does not exist in here

        # Configuring nameservers for containers is currently broken.
        # Therefore in some cases internet connectivity can be broken inside the containers.
        # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
        #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";

        systemd.tmpfiles.settings.nextcloud = {
          "/run/secrets/nextcloud.root"."C+" = {
            user = "nextcloud";
            group = "nextcloud";
            mode = "400";
            argument = "/run/secrets/nextcloud.root.input";
          };
          "/run/secrets/nextcloud.database"."C+" = {
            user = "nextcloud";
            group = "nextcloud";
            mode = "400";
            argument = "/run/secrets/nextcloud.database.input";
          };
        };

        users.users.nextcloud.uid = nextcloudUid;
        users.groups.nextcloud = {
          gid = nextcloudGid;
          members = [ "nextcloud" ];
        };

        services.nginx = {
          defaultListen = [
            {
              addr = "0.0.0.0";
              port = nextcloudPort;
            }
          ];
          # Use recommended settings
          recommendedGzipSettings = lib.mkDefault true;
          recommendedOptimisation = lib.mkDefault true;
          recommendedProxySettings = lib.mkDefault true;
          recommendedTlsSettings = lib.mkDefault true;
        };

        # nextcloud database
        # ==================
        #
        # set user password:
        # -----------------
        # #> mysql
        # mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
        #
        # recreate database:
        # ------------------
        # mysql> DROP DATABASE nextcloud;
        # mysql> CREATE DATABASE nextcloud;
        #
        # migration:
        # ----------
        # nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
        #
        # 4-byte stuff:
        # -------------
        # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
        # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
        services.mysql = {
          enable = true;
          package = mySQLPackage;
          # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
          ensureDatabases = [ "nextcloud" ];
          ensureUsers = [
            {
              name = "nextcloud";
              ensurePermissions = {
                "nextcloud.*" = "ALL PRIVILEGES";
              };
            }
          ];
          settings.mysqld = {
            innodb_large_prefix = true;
            innodb_file_format = "barracuda";
            innodb_file_per_table = 1;
            innodb_read_only_compressed = 0;
          };
        };

        # Backup database
        # ---------------
        services.mysqlBackup = {
          enable = true;
          databases = config.services.mysql.ensureDatabases;
          singleTransaction = true;
        };
        systemd.services."mysql-backup".serviceConfig = {
          ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
          ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];
        };

        # in php
        services.phpfpm = {
          phpPackage = phpPackage;
          phpOptions = ''
            opcache.revalidate_freq = 10
          '';
        };

        # nextcloud setup
        services.nextcloud = {
          enable = true;
          package = nextcloudPackage;
          autoUpdateApps.enable = true;
          hostName = nextcloudHostName;
          https = true;
          settings = {
            overwriteprotocol = "https";
            default_phone_region = "DE";
            loglevel = 2;
          };
          config = {
            adminpassFile = "/run/secrets/nextcloud.root";
            #overwriteProtocol = "https";
            dbtype = "mysql";
            dbpassFile = "/run/secrets/nextcloud.database";
            dbhost = "localhost:3306";
          };
        };
      };
  };

}
nix fmt 2024-08-29 03:26:04 +02:00			`{`
			`pkgs,`
:sparkles: add local command to verify 2024-09-15 01:32:21 +02:00			`lib,`
nix fmt 2024-08-29 03:26:04 +02:00			`config,`
			`factsGenerator,`
			`components,`
:wrench: add some topology information 2024-08-31 18:28:34 +02:00			`inputs,`
nix fmt 2024-08-29 03:26:04 +02:00			`...`
			`}:`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
			`# don't forget the database backup before upgrading`
			`# -------------------------------------------------`
			`# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html`
			`# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html`

			`let`
fiddeling with nextcloud 2024-06-10 17:45:47 +02:00			`# todo : let nextcloud run as media, this would make this part easier.`
fix nextcloud permissions to allow shared folder 2024-06-11 10:39:06 +02:00			`nextcloudUid = config.ids.uids.transmission;`
fiddeling with nextcloud 2024-06-10 17:45:47 +02:00			`nextcloudGid = config.ids.gids.transmission;`
update nextcloud 2024-05-27 21:02:15 +02:00			`nextcloudPort = 9080;`
enabled nextcloud 2024-04-11 19:51:10 +02:00			`nextcloudHostName = "nextcloud.ingolf-wagner.de";`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
working on nextcloud on orbi 2024-04-10 09:46:17 +02:00			`phpPackage = pkgs.php73;`
update nextcloud 2024-05-27 21:02:15 +02:00			`nextcloudPackage = pkgs.nextcloud29;`
working on nextcloud on orbi 2024-04-10 09:46:17 +02:00			`mySQLPackage = pkgs.mysql;`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`in`
			`{`

nix fmt 2024-08-29 03:26:04 +02:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
			`networking.firewall.allowedUDPPorts = [`
			`80`
			`443`
			`];`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
:sparkles: add local command to verify 2024-09-15 01:32:21 +02:00			`verify.localCommands.nextcloud =`
			`let`
			`domain = "https://nextcloud.ingolf-wagner.de/login";`
			`curl = lib.getExe pkgs.curl;`
			`grep = lib.getExe pkgs.gnugrep;`
			`in`
			`''`
			`if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} \| ${grep} -q "200"; then`
			`if ${curl} -s ${domain} \| ${grep} -q "Login"; then`
			`echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String 'Login'."`
			`else`
			`echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String 'Login' nicht."`
			`fi`
			`else`
			`echo "[Fail] Die Seite hat keinen Statuscode 200."`
			`fi`
			`'';`

update robi and started with orbi 2023-12-09 17:15:50 +01:00			`services.nginx = {`
			`enable = true;`
			`recommendedProxySettings = true;`
			`virtualHosts = {`
working on nextcloud on orbi 2024-04-10 09:46:17 +02:00			`"${nextcloudHostName}" = {`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`forceSSL = true;`
			`enableACME = true;`
			`locations = {`
			`"/" = {`
working on nextcloud on orbi 2024-04-10 09:46:17 +02:00			`proxyPass = "http://localhost:${toString nextcloudPort}";`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`extraConfig = ''`
working on nextcloud on orbi 2024-04-10 09:46:17 +02:00			`sub_filter "http://${nextcloudHostName}" "https://${nextcloudHostName}";`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`# used for view/edit office file via Office Online Server`
			`client_max_body_size 0;`
			`proxy_buffering off; # to download files bigger than 1GB`
			`'';`
			`};`
			`"= /.well-known/carddav" = {`
			`priority = 210;`
			`extraConfig = "return 301 $scheme://$host/remote.php/dav;";`
			`};`
			`"= /.well-known/caldav" = {`
			`priority = 210;`
			`extraConfig = "return 301 $scheme://$host/remote.php/dav;";`
			`};`
			`};`
			`};`
			`};`
			`};`

nix fmt 2024-08-29 03:26:04 +02:00			`clan.core.facts.services.nextcloud_root = factsGenerator.password {`
			`service = "nextcloud";`
			`name = "root";`
			`};`
			`clan.core.facts.services.nextcloud_database = factsGenerator.password {`
			`service = "nextcloud";`
			`name = "database";`
			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
			`# Container Setup`
			`# ===============`
			`#`
			`# running:`
			`# * nextcloud (php)`
			`# * mysql`
			`containers.nextcloud = {`

			`bindMounts = {`
			`rootpassword = {`
clanCore -> clan.core 2024-06-19 13:19:55 +02:00			`hostPath = config.clan.core.facts.services.nextcloud_root.secret."nextcloud.root".path;`
fix nextcloud 2024-06-05 15:43:26 +02:00			`mountPoint = "/run/secrets/nextcloud.root.intput";`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`isReadOnly = true;`
			`};`
			`databasepassword = {`
clanCore -> clan.core 2024-06-19 13:19:55 +02:00			`hostPath = config.clan.core.facts.services.nextcloud_database.secret."nextcloud.database".path;`
fix nextcloud 2024-06-05 15:43:26 +02:00			`mountPoint = "/run/secrets/nextcloud.database.input";`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`isReadOnly = true;`
			`};`
fiddeling with nextcloud 2024-06-10 17:45:47 +02:00			`share = {`
			`hostPath = config.services.syncthing.settings.folders.share.path;`
			`mountPoint = "/media/share";`
			`isReadOnly = true;`
			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`};`

working on nextcloud on orbi 2024-04-10 09:46:17 +02:00			`privateNetwork = false;`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`autoStart = true;`

nix fmt 2024-08-29 03:26:04 +02:00			`config =`
			`{ config, lib, ... }:`
			`{`
			`nixpkgs.pkgs = pkgs;`
:wrench: add some topology information 2024-08-31 18:28:34 +02:00			`imports = [`
			`"${components}/monitor/container.nix"`
			`inputs.nix-topology.nixosModules.default`
			`];`
nix fmt 2024-08-29 03:26:04 +02:00			`system.stateVersion = "23.11";`
			`services.logrotate.checkConfig = false; # because uid 3000 does not exist in here`

			`# Configuring nameservers for containers is currently broken.`
			`# Therefore in some cases internet connectivity can be broken inside the containers.`
			`# A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:`
			`#environment.etc."resolv.conf".text = "nameserver 8.8.8.8";`

			`systemd.tmpfiles.settings.nextcloud = {`
			`"/run/secrets/nextcloud.root"."C+" = {`
			`user = "nextcloud";`
			`group = "nextcloud";`
			`mode = "400";`
			`argument = "/run/secrets/nextcloud.root.input";`
			`};`
			`"/run/secrets/nextcloud.database"."C+" = {`
			`user = "nextcloud";`
			`group = "nextcloud";`
			`mode = "400";`
			`argument = "/run/secrets/nextcloud.database.input";`
			`};`
fix nextcloud 2024-06-05 15:43:26 +02:00			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
nix fmt 2024-08-29 03:26:04 +02:00			`users.users.nextcloud.uid = nextcloudUid;`
			`users.groups.nextcloud = {`
			`gid = nextcloudGid;`
			`members = [ "nextcloud" ];`
			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
nix fmt 2024-08-29 03:26:04 +02:00			`services.nginx = {`
			`defaultListen = [`
			`{`
			`addr = "0.0.0.0";`
			`port = nextcloudPort;`
			`}`
			`];`
			`# Use recommended settings`
			`recommendedGzipSettings = lib.mkDefault true;`
			`recommendedOptimisation = lib.mkDefault true;`
			`recommendedProxySettings = lib.mkDefault true;`
			`recommendedTlsSettings = lib.mkDefault true;`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`};`

nix fmt 2024-08-29 03:26:04 +02:00			`# nextcloud database`
			`# ==================`
			`#`
			`# set user password:`
			`# -----------------`
			`# #> mysql`
			`# mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';`
			`#`
			`# recreate database:`
			`# ------------------`
			`# mysql> DROP DATABASE nextcloud;`
			`# mysql> CREATE DATABASE nextcloud;`
			`#`
			`# migration:`
			`# ----------`
			`# nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud`
			`#`
			`# 4-byte stuff:`
			`# -------------`
			`# https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html`
			`# if you do this don't forget --default-character-set=utf8mb4 for mysqldump`
			`services.mysql = {`
			`enable = true;`
			`package = mySQLPackage;`
			`# https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities`
			`ensureDatabases = [ "nextcloud" ];`
			`ensureUsers = [`
			`{`
			`name = "nextcloud";`
			`ensurePermissions = {`
			`"nextcloud.*" = "ALL PRIVILEGES";`
			`};`
			`}`
			`];`
			`settings.mysqld = {`
			`innodb_large_prefix = true;`
			`innodb_file_format = "barracuda";`
			`innodb_file_per_table = 1;`
			`innodb_read_only_compressed = 0;`
			`};`
			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
nix fmt 2024-08-29 03:26:04 +02:00			`# Backup database`
			`# ---------------`
			`services.mysqlBackup = {`
			`enable = true;`
			`databases = config.services.mysql.ensureDatabases;`
			`singleTransaction = true;`
			`};`
			`systemd.services."mysql-backup".serviceConfig = {`
			`ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];`
			`ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];`
			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00
nix fmt 2024-08-29 03:26:04 +02:00			`# in php`
			`services.phpfpm = {`
			`phpPackage = phpPackage;`
			`phpOptions = ''`
			`opcache.revalidate_freq = 10`
			`'';`
update nextcloud 2024-05-27 21:02:15 +02:00			`};`
nix fmt 2024-08-29 03:26:04 +02:00
			`# nextcloud setup`
			`services.nextcloud = {`
			`enable = true;`
			`package = nextcloudPackage;`
			`autoUpdateApps.enable = true;`
			`hostName = nextcloudHostName;`
			`https = true;`
			`settings = {`
			`overwriteprotocol = "https";`
			`default_phone_region = "DE";`
			`loglevel = 2;`
			`};`
			`config = {`
			`adminpassFile = "/run/secrets/nextcloud.root";`
			`#overwriteProtocol = "https";`
			`dbtype = "mysql";`
			`dbpassFile = "/run/secrets/nextcloud.database";`
			`dbhost = "localhost:3306";`
			`};`
update robi and started with orbi 2023-12-09 17:15:50 +01:00			`};`
			`};`
			`};`

			`}`