setup nextcloud
This commit is contained in:
parent
86632e405c
commit
8e0775d85c
2 changed files with 218 additions and 129 deletions
|
@ -88,6 +88,7 @@ in
|
||||||
# Initial empty root password for easy login:
|
# Initial empty root password for easy login:
|
||||||
users.users.root.initialHashedPassword = "";
|
users.users.root.initialHashedPassword = "";
|
||||||
services.openssh.permitRootLogin = "prohibit-password";
|
services.openssh.permitRootLogin = "prohibit-password";
|
||||||
|
services.openssh.passwordAuthentication = false;
|
||||||
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw=="
|
||||||
|
|
|
@ -1,34 +1,185 @@
|
||||||
{ pkgs, config, lib, ... }:
|
{ pkgs, config, ... }:
|
||||||
|
|
||||||
|
# don't forget the database backup before upgrading
|
||||||
|
# -------------------------------------------------
|
||||||
|
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
|
||||||
|
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
|
||||||
|
#
|
||||||
|
# ! use lvm snapshots to do rollback !
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
|
hostInterface = "enp3s0";
|
||||||
|
hostAddress = "192.168.100.10";
|
||||||
|
containerAddress = "192.168.100.11";
|
||||||
nextcloudUid = 1000;
|
nextcloudUid = 1000;
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|
||||||
|
# Host Setup
|
||||||
|
# ==========
|
||||||
|
|
||||||
|
# give containers internet access
|
||||||
|
networking.nat.enable = true;
|
||||||
|
networking.nat.internalInterfaces = [ "ve-nextcloud" ];
|
||||||
|
networking.nat.externalInterface = hostInterface;
|
||||||
|
|
||||||
|
# don't let networkmanager manger container network
|
||||||
|
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
|
||||||
|
|
||||||
|
# open ports for logging
|
||||||
|
#networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
|
||||||
|
# [ 5044 12304 12305 ];
|
||||||
|
#networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
|
||||||
|
# [ 5044 12304 12305 ];
|
||||||
|
|
||||||
|
# host nginx
|
||||||
|
# ----------
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
virtualHosts = {
|
||||||
|
"nextcloud.ingolf-wagner.de" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://${containerAddress}";
|
||||||
|
extraConfig = ''
|
||||||
|
sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
|
||||||
|
# used for view/edit office file via Office Online Server
|
||||||
|
client_max_body_size 0;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"= /.well-known/carddav" = {
|
||||||
|
priority = 210;
|
||||||
|
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
|
||||||
|
};
|
||||||
|
"= /.well-known/caldav" = {
|
||||||
|
priority = 210;
|
||||||
|
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
|
||||||
|
};
|
||||||
|
"~ .(?:css|js|svg|gif)$" = {
|
||||||
|
proxyPass = "http://${containerAddress}$request_uri";
|
||||||
|
extraConfig = ''
|
||||||
|
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||||
|
access_log off; # Optional: Don't log access to assets
|
||||||
|
sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
|
||||||
|
sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
|
||||||
|
# used for view/edit office file via Office Online Server
|
||||||
|
client_max_body_size 0;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"~ .woff2?$" = {
|
||||||
|
proxyPass = "http://${containerAddress}$request_uri";
|
||||||
|
extraConfig = ''
|
||||||
|
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||||
|
access_log off; # Optional: Don't log access to assets
|
||||||
|
sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
|
||||||
|
sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
|
||||||
|
# used for view/edit office file via Office Online Server
|
||||||
|
client_max_body_size 0;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets.nextcloud_database_password.owner = "nextcloud";
|
||||||
|
sops.secrets.nextcloud_root_password.owner = "nextcloud";
|
||||||
|
|
||||||
users.users.nextcloud = {
|
users.users.nextcloud = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
uid = nextcloudUid;
|
uid = nextcloudUid;
|
||||||
};
|
};
|
||||||
|
|
||||||
#networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
#networking.firewall.allowedUDPPorts = [ 80 443 ];
|
|
||||||
|
|
||||||
# host nginx setup
|
# Container Setup
|
||||||
|
# ===============
|
||||||
|
#
|
||||||
|
# running:
|
||||||
|
# * nextcloud (php)
|
||||||
|
# * mysql
|
||||||
|
containers.nextcloud = {
|
||||||
|
|
||||||
|
# mount host folders
|
||||||
|
bindMounts = {
|
||||||
|
rootpassword = {
|
||||||
|
hostPath = "/run/secrets/nextcloud_root_password";
|
||||||
|
mountPoint = "/run/secrets/nextcloud_root_password";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
databasepassword = {
|
||||||
|
hostPath = "/run/secrets/nextcloud_database_password";
|
||||||
|
mountPoint = "/run/secrets/nextcloud_database_password";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
home = {
|
||||||
|
# make sure this folder exist on the host
|
||||||
|
hostPath = toString "/var/lib/nextcloud";
|
||||||
|
mountPoint = "/var/lib/nextcloud";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
db = {
|
||||||
|
# make sure this folder exist on the host
|
||||||
|
hostPath = toString "/var/lib/nextcloud_mysql";
|
||||||
|
mountPoint = "/var/lib/mysql";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
samples = {
|
||||||
|
mountPoint = toString config.services.syncthing.declarative.folders.samples.path;
|
||||||
|
hostPath = toString config.services.syncthing.declarative.folders.samples.path;
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
movies = {
|
||||||
|
mountPoint = toString config.services.syncthing.declarative.folders.movies.path;
|
||||||
|
hostPath = toString config.services.syncthing.declarative.folders.movies.path;
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
music = {
|
||||||
|
mountPoint = toString config.services.syncthing.declarative.folders.music-library.path;
|
||||||
|
hostPath = toString config.services.syncthing.declarative.folders.music-library.path;
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
series = {
|
||||||
|
mountPoint = toString config.services.syncthing.declarative.folders.series.path;
|
||||||
|
hostPath = toString config.services.syncthing.declarative.folders.series.path;
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# container network setup
|
||||||
|
# see also nating on host system.
|
||||||
|
privateNetwork = true;
|
||||||
|
hostAddress = hostAddress;
|
||||||
|
localAddress = containerAddress;
|
||||||
|
|
||||||
|
autoStart = true;
|
||||||
|
|
||||||
|
config = { config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
|
users.users.nextcloud.uid = nextcloudUid;
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
# Use recommended settings
|
||||||
recommendedGzipSettings = lib.mkDefault true;
|
recommendedGzipSettings = lib.mkDefault true;
|
||||||
recommendedOptimisation = lib.mkDefault true;
|
recommendedOptimisation = lib.mkDefault true;
|
||||||
|
recommendedProxySettings = lib.mkDefault true;
|
||||||
recommendedTlsSettings = lib.mkDefault true;
|
recommendedTlsSettings = lib.mkDefault true;
|
||||||
recommendedProxySettings = true;
|
|
||||||
#sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
||||||
|
|
||||||
#virtualHosts = {
|
|
||||||
# "nextcloud.ingolf-wagner.de" = {
|
|
||||||
# forceSSL = true;
|
|
||||||
# enableACME = true;
|
|
||||||
# };
|
|
||||||
#};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 80 ];
|
||||||
|
|
||||||
# nextcloud database
|
# nextcloud database
|
||||||
# ==================
|
# ==================
|
||||||
#
|
#
|
||||||
|
@ -50,15 +201,6 @@ in
|
||||||
# -------------
|
# -------------
|
||||||
# https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
|
# https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
|
||||||
# if you do this don't forget --default-character-set=utf8mb4 for mysqldump
|
# if you do this don't forget --default-character-set=utf8mb4 for mysqldump
|
||||||
containers.nextcloudmysql = {
|
|
||||||
autoStart = true;
|
|
||||||
forwardPorts = [{
|
|
||||||
containerPort = 3336;
|
|
||||||
hostPort = 3336;
|
|
||||||
protocol = "tcp";
|
|
||||||
}];
|
|
||||||
|
|
||||||
config = { config, pkgs, lib, ... }: {
|
|
||||||
services.mysql = {
|
services.mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.mysql;
|
package = pkgs.mysql;
|
||||||
|
@ -77,94 +219,40 @@ in
|
||||||
|
|
||||||
# Backup database
|
# Backup database
|
||||||
# ---------------
|
# ---------------
|
||||||
#services.mysqlBackup = {
|
services.mysqlBackup = {
|
||||||
# enable = true;
|
enable = true;
|
||||||
# databases = config.services.mysql.ensureDatabases;
|
databases = config.services.mysql.ensureDatabases;
|
||||||
# singleTransaction = true;
|
singleTransaction = true;
|
||||||
# location = "/var/lib/nextcloud/database_backups";
|
location = "/var/lib/nextcloud/database_backups";
|
||||||
#};
|
|
||||||
|
|
||||||
#systemd.services."mysql-backup".serviceConfig = {
|
|
||||||
# ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
|
|
||||||
# ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];
|
|
||||||
#};
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
systemd.services."mysql-backup".serviceConfig = {
|
||||||
|
ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
|
||||||
|
ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# in php
|
# in php
|
||||||
services.phpfpm.phpPackage = pkgs.php73;
|
services.phpfpm.phpPackage = pkgs.php73;
|
||||||
|
|
||||||
# nextcloud setup
|
# nextcloud setup
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = false;
|
enable = true;
|
||||||
hostName = "nextcloud.ingolf-wagner.de";
|
|
||||||
package = pkgs.nextcloud22;
|
package = pkgs.nextcloud22;
|
||||||
autoUpdateApps.enable = true;
|
autoUpdateApps.enable = true;
|
||||||
autoUpdateApps.startAt = "05:00:00";
|
#nginx.enable = true;
|
||||||
|
hostName = "nextcloud.ingolf-wagner.de";
|
||||||
logLevel = 2;
|
logLevel = 2;
|
||||||
https = true;
|
https = true;
|
||||||
config = {
|
config = {
|
||||||
adminpassFile = config.sops.secrets.nextcloud_root_password.path;
|
adminpassFile = "/run/secrets/nextcloud_root_password";
|
||||||
overwriteProtocol = "https";
|
overwriteProtocol = "https";
|
||||||
|
trustedProxies = [ "144.76.13.147" hostAddress ];
|
||||||
dbtype = "mysql";
|
dbtype = "mysql";
|
||||||
dbpassFile = config.sops.secrets.nextcloud_database_password.path;
|
dbpassFile = "/run/secrets/nextcloud_database_password";
|
||||||
dbport = 3306;
|
dbport = 3306;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
sops.secrets.nextcloud_database_password.owner = "nextcloud";
|
};
|
||||||
sops.secrets.nextcloud_root_password.owner = "nextcloud";
|
|
||||||
|
|
||||||
|
|
||||||
#services.journalbeat = {
|
|
||||||
# enable = true;
|
|
||||||
# extraConfig = ''
|
|
||||||
# journalbeat.inputs:
|
|
||||||
# - paths: []
|
|
||||||
# # Position to start reading from journal. Valid values: head, tail, cursor
|
|
||||||
# seek: cursor
|
|
||||||
# # Fallback position if no cursor data is available.
|
|
||||||
# cursor_seek_fallback: tail
|
|
||||||
# output.logstash:
|
|
||||||
# # Boolean flag to enable or disable the output module.
|
|
||||||
# enabled: true
|
|
||||||
# # Graylog host and the beats input
|
|
||||||
# hosts: ["${hostAddress}:5044"]
|
|
||||||
|
|
||||||
# # If enabled only a subset of events in a batch of events is transferred per
|
|
||||||
# # transaction. The number of events to be sent increases up to `bulk_max_size`
|
|
||||||
# # if no error is encountered.
|
|
||||||
# slow_start: true
|
|
||||||
|
|
||||||
# # The number of seconds to wait before trying to reconnect to Graylog
|
|
||||||
# # after a network error. After waiting backoff.init seconds, the Beat
|
|
||||||
# # tries to reconnect. If the attempt fails, the backoff timer is increased
|
|
||||||
# # exponentially up to backoff.max. After a successful connection, the backoff
|
|
||||||
# # timer is reset. The default is 1s.
|
|
||||||
# backoff.init: 1s
|
|
||||||
|
|
||||||
# # The maximum number of seconds to wait before attempting to connect to
|
|
||||||
# # Graylog after a network error. The default is 60s.
|
|
||||||
# backoff.max: 60s
|
|
||||||
# '';
|
|
||||||
#};
|
|
||||||
|
|
||||||
# give containers internet access
|
|
||||||
#networking.nat.enable = true;
|
|
||||||
#networking.nat.internalInterfaces = [ "ve-nextcloud" ];
|
|
||||||
#networking.nat.externalInterface = "enp2s0f1";
|
|
||||||
|
|
||||||
# don't let networkmanager manger container network
|
|
||||||
#networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
|
|
||||||
|
|
||||||
# open ports for logging
|
|
||||||
#networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
|
|
||||||
# [ 5044 12304 12305 ];
|
|
||||||
#networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
|
|
||||||
# [ 5044 12304 12305 ];
|
|
||||||
|
|
||||||
|
|
||||||
# Backup Config
|
# Backup Config
|
||||||
|
|
Loading…
Reference in a new issue