diff --git a/configs/workhorse/nextcloud.nix b/configs/workhorse/nextcloud.nix
index dce8641..7fd2e57 100644
--- a/configs/workhorse/nextcloud.nix
+++ b/configs/workhorse/nextcloud.nix
@@ -1,7 +1,14 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+let
+
+ hostAddress = "192.168.100.10";
+ containerAddress = "192.168.100.11";
+
+in {
- # setup nextcloud in a container
 containers.nextcloud = {
+
+ # mount host folders
 bindMounts = {
 rootpassword = {
 hostPath = toString ;
@@ -37,16 +44,51 @@
 };
 };
+ # container network setup
+ # see also nating on host system.
 privateNetwork = true;
- hostAddress = "192.168.100.10";
- localAddress = "192.168.100.11";
+ hostAddress = hostAddress;
+ localAddress = containerAddress;
 autoStart = true;
- config = { config, pkgs, ... }: {
+ config = { config, pkgs, lib, ... }: {
 imports = [ ];
+ services.nginx = {
+
+ # Use recommended settings
+ recommendedGzipSettings = lib.mkDefault true;
+ recommendedOptimisation = lib.mkDefault true;
+ recommendedProxySettings = lib.mkDefault true;
+ recommendedTlsSettings = lib.mkDefault true;
+
+ # for graylog logging
+ commonHttpConfig = let
+ access_log_sink = "${hostAddress}:12304";
+ error_log_sink = "${hostAddress}:12305";
+ in ''
+ log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", ' '"facility": "nginx", ' '"remote_addr": "$remote_addr", ' '"body_bytes_sent": $body_bytes_sent, ' '"request_time": $request_time, ' '"response_status": $status, ' '"request": "$request", ' '"request_method": "$request_method", ' '"host": "$host",' '"upstream_cache_status": "$upstream_cache_status",' '"upstream_addr": "$upstream_addr",' '"http_x_forwarded_for": "$http_x_forwarded_for",' '"http_referrer": "$http_referer", ' '"http_user_agent": "$http_user_agent" }';
+
+ access_log syslog:server=${access_log_sink} graylog2_json;
+ error_log syslog:server=${error_log_sink};
+ '';
+ };
+
 # don't forget the database backup before doing this
 # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
 # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
@@ -113,7 +155,7 @@
 config = {
 adminpassFile = toString ;
 overwriteProtocol = "https";
- trustedProxies = [ "195.201.134.247" "192.168.100.11" ];
+ trustedProxies = [ "195.201.134.247" hostAddress ];
 dbtype = "mysql";
 dbpassFile = toString config.krops.userKeys."nextcloud".target;
 dbport = 3306;
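Review bot: The new `log_format graylog2_json` in `commonHttpConfig` records `$request` verbatim, so every full request URI including its query string leaves the container over plain UDP syslog to `${hostAddress}:12304`; on a Nextcloud instance those URIs can carry share tokens and other URL parameters, so if the downstream dashboards do not need the arguments, `'"request": "$uri", '` keeps the path only (the method is already in `$request_method`). The transport stays on the veth link today, but nginx's `syslog:server=` is unencrypted UDP, so a comment such as `# syslog is plain UDP; keep the sink on the ve-nextcloud link or move it behind a tunnel` next to the sinks would record that assumption for whoever later points `hostAddress` elsewhere. This block is a near-verbatim copy of the one in `system/all/nginx.nix`, differing only in the sink host; a shared module parameterised on the sink address would stop the two copies drifting (the `http_referrer` key already has to be kept in step in both). The enclosing `config = { config, pkgs, lib, ... }: {` function continues outside the hunk.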
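Review bot: `trustedProxies` now lists `hostAddress`, which is right because the host nginx reaches the container from the host end of the veth, but the hard-coded `"195.201.134.247"` is carried over with no explanation. Every address in that list is one whose `X-Forwarded-For` Nextcloud accepts as the client address (and therefore for brute-force throttling and its own logs), so it should only contain sources that actually connect to the container; if 195.201.134.247 is the host's public address, its connections still arrive from `hostAddress` and the entry can be dropped: `trustedProxies = [ hostAddress ];`. If it is a separate upstream proxy, a comment naming it, e.g. `# external reverse proxy in front of the host nginx`, would make the extra trust explicit. The enclosing `config = {` attribute set continues outside the hunk.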
@@ -128,6 +170,10 @@
 };
 environment.systemPackages = [ pkgs.smbclient ];
+
+ # send log to host systems graylog (use tinc or wireguard if host is not graylog)
+ services.SystemdJournal2Gelf.enable = true;
+ services.SystemdJournal2Gelf.graylogServer = "${hostAddress}:11201";
 };
 };
@@ -139,6 +185,12 @@
 # don't let networkmanager manger container network
 networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
+ # open ports for logging
+ networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
+ [ 11201 12304 12305 ];
+ networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
+ [ 11201 12304 12305 ];
+
 # host nginx setup
 services.nginx = {
 enable = true;
@@ -150,7 +202,7 @@
 # "nextcloud.gaykraft.com"
 ];
 locations."/" = {
- proxyPass = "http://192.168.100.11";
+ proxyPass = "http://${containerAddress}";
 extraConfig = ''
 # allow big uploads
 # -----------------
diff --git a/system/all/nginx.nix b/system/all/nginx.nix
index dc7c124..861b795 100644
--- a/system/all/nginx.nix
+++ b/system/all/nginx.nix
@@ -4,14 +4,15 @@ let
 error_log_sink = "workhorse.private:12305";
 in {
- # for graylog logging
 services.nginx = {
+ # Use recommended settings
 recommendedGzipSettings = lib.mkDefault true;
 recommendedOptimisation = lib.mkDefault true;
 recommendedProxySettings = lib.mkDefault true;
 recommendedTlsSettings = lib.mkDefault true;
+ # for graylog logging
 commonHttpConfig = ''
 log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", ' '"facility": "nginx", '
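Review bot: The firewall rules for `ve-nextcloud` open 11201, 12304 and 12305 for both TCP and UDP, but the senders this commit configures need only UDP: nginx's `syslog:server=` speaks UDP (or a Unix socket) only, so TCP 12304 and 12305 can never be used, and the GELF sink on 11201 is presumably UDP as well unless the Graylog input was created as a TCP input. Keeping just `networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts = [ 11201 12304 12305 ];` and deleting the `allowedTCPPorts` line leaves nothing listening that no sender uses. Scoping the rule to the container interface is the right choice; a comment such as `# Graylog inputs are reachable only from the container link, never via the global allowed*Ports` would record that this rule, not the input's bind address, is what keeps them off the public interface. The `ve-nextcloud` name appears to follow the `ve-<container>` convention already relied on by the `interface-name:ve-*` line above.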