working on nextcloud on orbi

2024-04-10 09:46:17 +02:00 · 2024-04-10 09:46:17 +02:00 · cc2a2a3a75
commit cc2a2a3a75
parent 362b209f8c
2 changed files with 42 additions and 125 deletions
--- a/nixos/machines/orbi/configuration.nix
+++ b/nixos/machines/orbi/configuration.nix
@ -13,7 +13,7 @@
    #./borg.nix
    #./codimd.nix
    #./gitea.nix
-    #./nextcloud.nix
+    ./nextcloud.nix
    #./packages.nix
    #./taskserver.nix
    #./vaultwarden.nix
--- a/nixos/machines/orbi/nextcloud.nix
+++ b/nixos/machines/orbi/nextcloud.nix
@ -4,38 +4,20 @@
 # -------------------------------------------------
 # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
 # https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
 #
 # ! use lvm snapshots to do rollback !
 let
  hostInterface = "enp3s0";
  hostAddress = "192.168.100.10";
  containerAddress = "192.168.100.11";
  nextcloudUid = 1000;
-  borg_backup_folder = "/media/syncthing/nextcloud_backup/robi";
+  nextcloudGid = 1000;
  nextcloudPort = 8080;
  nextcloudHostName = "cloud.ingolf-wagner.de";
  phpPackage = pkgs.php73;
  nextcloudPackage = pkgs.nextcloud28;
  mySQLPackage = pkgs.mysql;
 in
 {
  # Host Setup
  # ==========
  # give containers internet access
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-nextcloud" ];
  networking.nat.externalInterface = hostInterface;
  # don't let networkmanager manger container network
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
  # open ports for logging
  #networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
  #  [ 5044 12304 12305 ];
  #networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
  #  [ 5044 12304 12305 ];
  # host nginx
  # ----------
@ -46,14 +28,14 @@ in
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
-      "nextcloud.ingolf-wagner.de" = {
+      "${nextcloudHostName}" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
-            proxyPass = "http://${containerAddress}";
+            proxyPass = "http://localhost:${toString nextcloudPort}";
            extraConfig = ''
-              sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
+              sub_filter "http://${nextcloudHostName}" "https://${nextcloudHostName}";
              # used for view/edit office file via Office Online Server
              client_max_body_size 0;
              proxy_buffering off;  # to download files bigger than 1GB
@ -67,28 +49,6 @@ in
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
          #"~ .(?:css|js|svg|gif)$" = {
          #  proxyPass = "http://${containerAddress}$request_uri";
          #  extraConfig = ''
          #    expires 6M;         # Cache-Control policy borrowed from `.htaccess`
          #    access_log off;     # Optional: Don't log access to assets
          #    sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
          #    sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
          #    # used for view/edit office file via Office Online Server
          #    client_max_body_size 0;
          #  '';
          #};
          #"~ .woff2?$" = {
          #  proxyPass = "http://${containerAddress}$request_uri";
          #  extraConfig = ''
          #    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
          #    access_log off;     # Optional: Don't log access to assets
          #    sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
          #    sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
          #    # used for view/edit office file via Office Online Server
          #    client_max_body_size 0;
          #  '';
          #};
        };
      };
    };
@ -102,7 +62,7 @@ in
    uid = nextcloudUid;
    group = "nextcloud";
  };
-  users.groups.nextcloud = { };
+  users.groups.nextcloud.gid = nextcloudGid;
  # Container Setup
@ -126,34 +86,28 @@ in
        isReadOnly = true;
      };
-      home = {
+      #home = {
-        # make sure this folder exist on the host
+      #  # make sure this folder exist on the host
-        hostPath = toString "/var/lib/nextcloud";
+      #  hostPath = toString "/var/lib/nextcloud";
-        mountPoint = "/var/lib/nextcloud";
+      #  mountPoint = "/var/lib/nextcloud";
-        isReadOnly = false;
+      #  isReadOnly = false;
-      };
+      #};
-      db = {
+      #db = {
-        # make sure this folder exist on the host
+      #  # make sure this folder exist on the host
-        hostPath = toString "/var/lib/nextcloud_mysql";
+      #  hostPath = toString "/var/lib/nextcloud_mysql";
-        mountPoint = "/var/lib/mysql";
+      #  mountPoint = "/var/lib/mysql";
-        isReadOnly = false;
+      #  isReadOnly = false;
-      };
+      #};
-      media = {
+      #media = {
-        #mountPoint = toString config.services.syncthing.folders.media.path;
+      #  #mountPoint = toString config.services.syncthing.folders.media.path;
-        #hostPath = toString config.services.syncthing.folders.media.path;
+      #  #hostPath = toString config.services.syncthing.folders.media.path;
-        mountPoint = "/media/syncthing/media";
+      #  mountPoint = "/media/syncthing/media";
-        hostPath = "/media/media";
+      #  hostPath = "/media/media";
-        isReadOnly = true;
+      #  isReadOnly = true;
-      };
+      #};
    };
-    # container network setup
+    privateNetwork = false;
    # see also nating on host system.
    privateNetwork = true;
    hostAddress = hostAddress;
    localAddress = containerAddress;
    autoStart = true;
    config = { config, pkgs, lib, ... }: {
@ -161,13 +115,16 @@ in
      # Configuring nameservers for containers is currently broken.
      # Therefore in some cases internet connectivity can be broken inside the containers.
      # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
-      environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
+      #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
-      system.stateVersion = "21.05";
+      system.stateVersion = "23.11";
      users.users.nextcloud.uid = nextcloudUid;
      services.nginx = {
        defaultListen = [
          { addr = "0.0.0.0"; port = nextcloudPort; }
        ];
        # Use recommended settings
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
@ -175,8 +132,8 @@ in
        recommendedTlsSettings = lib.mkDefault true;
      };
-      networking.firewall.allowedTCPPorts = [ 80 ];
+      #networking.firewall.allowedTCPPorts = [ 80 ];
-      networking.firewall.allowedUDPPorts = [ 80 ];
+      #networking.firewall.allowedUDPPorts = [ 80 ];
      # nextcloud database
      # ==================
@ -201,7 +158,7 @@ in
      # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
      services.mysql = {
        enable = true;
-        package = pkgs.mysql;
+        package = mySQLPackage;
        # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
        ensureDatabases = [ "nextcloud" ];
        ensureUsers = [{
@ -222,7 +179,6 @@ in
        enable = true;
        databases = config.services.mysql.ensureDatabases;
        singleTransaction = true;
        location = "/var/lib/nextcloud/database_backups";
      };
      systemd.services."mysql-backup".serviceConfig = {
        ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
@ -231,7 +187,7 @@ in
      # in php
      services.phpfpm = {
-        phpPackage = pkgs.php73;
+        phpPackage = phpPackage;
        phpOptions = ''
          opcache.revalidate_freq = 10
        '';
@ -240,17 +196,16 @@ in
      # nextcloud setup
      services.nextcloud = {
        enable = true;
-        package = pkgs.nextcloud27;
+        package = nextcloudPackage;
        autoUpdateApps.enable = true;
        # nginx.enable = true;
        # enableBrokenCiphersForSSE = false; # see https://github.com/NixOS/nixpkgs/pull/198470
-        hostName = "nextcloud.ingolf-wagner.de";
+        hostName = nextcloudHostName;
        logLevel = 2;
        https = true;
        config = {
          adminpassFile = "/run/secrets/nextcloud_root_password";
          overwriteProtocol = "https";
          trustedProxies = [ "144.76.13.147" hostAddress ];
          dbtype = "mysql";
          dbpassFile = "/run/secrets/nextcloud_database_password";
          dbport = 3306;
@ -260,42 +215,4 @@ in
    };
  };
  # Backup Config
  # -------------
  #backup.dirs = [
  #  "/home/nextcloud/config"
  #  "/home/nextcloud/database_backups" # created by mysqlBackup
  #];
  # Backup Files
  # ------------
  services.borgbackup.jobs = {
    "nextcloud-to-media" = {
      repo = borg_backup_folder;
      # make sure syncthing is capable of reading the files
      postHook = ''
        chown -R syncthing:syncthing ${borg_backup_folder}
      '';
      compression = "lz4";
      paths = [
        "/var/lib/nextcloud/data/tina/files"
        "/var/lib/nextcloud/data/palo/files"
        "/var/lib/nextcloud/data/palo-windows/files"
      ];
      doInit = true;
      encryption = {
        mode = "repokey-blake2";
        passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}";
      };
      startAt = "0/3:00:00";
      prune.keep = {
        within = "2d"; # Keep all backups in the last 10 days.
        daily = 10; # Keep 10 additional end of day archives
        weekly = 8; # Keep 8 additional end of week archives.
        month = 8; # Keep 8 additional end of month archives.
      };
    };
  };
 }