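# NixOS module: Nextcloud served by the host nginx, with its MySQL/MariaDB
# database running in a NixOS container that shares the host's network
# namespace (no `privateNetwork`).
#
# NOTE(review): `services.nextcloud.enable` is false below, so the Nextcloud
# parts of this module are currently inert; the nginx settings, the database
# container and the sops secret ownership are still applied.
{ pkgs, config, lib, ... }:
let
  # Fixed uid for the nextcloud service account so ownership of the data
  # directory stays stable across rebuilds.
  # NOTE(review): 1000 is normally the first *regular* user's uid, while
  # system users get ids below 1000 — confirm nothing else claims uid 1000.
  nextcloudUid = 1000;
in
{
  users.users.nextcloud = {
    isSystemUser = true;
    uid = nextcloudUid;
  };

  # Firewall openings for the web server are currently disabled.
  #networking.firewall.allowedTCPPorts = [ 80 443 ];
  #networking.firewall.allowedUDPPorts = [ 80 443 ];

  # Host nginx setup. The commented virtualHost below is a manual TLS/ACME
  # definition for the Nextcloud host name and is not active.
  services.nginx = {
    enable = true;
    recommendedGzipSettings = lib.mkDefault true;
    recommendedOptimisation = lib.mkDefault true;
    recommendedTlsSettings = lib.mkDefault true;
    recommendedProxySettings = true;
    #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    #virtualHosts = {
    #  "nextcloud.ingolf-wagner.de" = {
    #    forceSSL = true;
    #    enableACME = true;
    #  };
    #};
  };

  # Nextcloud database
  # ==================
  #
  # Set user password:
  # ------------------
  # 'nextcloud-password' below is a placeholder; the value must match the
  # contents of the sops secret `nextcloud_database_password`, which Nextcloud
  # reads via `dbpassFile` further down.
  #
  #   > mysql
  #   mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
  #
  # Recreate database:
  # ------------------
  #   mysql> DROP DATABASE nextcloud;
  #   mysql> CREATE DATABASE nextcloud;
  #
  # Migration:
  # ----------
  #   nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
  #
  # 4-byte stuff:
  # -------------
  # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
  # If you do this, don't forget --default-character-set=utf8mb4 for mysqldump.
  containers.nextcloudmysql = {
    autoStart = true;
    # NOTE(review): `privateNetwork` is not set, so this container shares the
    # host network namespace and mysqld is reachable on the host at its
    # default port 3306 — which is what `services.nextcloud.config.dbport`
    # below uses. As far as I recall, `forwardPorts` only takes effect with
    # `privateNetwork = true` — confirm. The entry is kept so it is correct if
    # that is ever enabled: nothing sets `port` for mysqld, so the daemon
    # listens on 3306 inside the container, not 3336 (`containerPort` fixed
    # accordingly; `hostPort` 3336 is unchanged).
    forwardPorts = [{
      containerPort = 3306;
      hostPort = 3336;
      protocol = "tcp";
    }];
    config = { config, pkgs, lib, ... }: {
      services.mysql = {
        enable = true;
        # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
        package = pkgs.mysql;
        ensureDatabases = [ "nextcloud" ];
        # Privileges are scoped to the nextcloud database only.
        ensureUsers = [{
          name = "nextcloud";
          ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
        }];
        # InnoDB settings needed for the 4-byte UTF-8 setup linked above.
        # NOTE(review): no `bind-address` is set; in the shared network
        # namespace mysqld therefore listens on whatever the package default
        # is (typically all interfaces) and only the host firewall keeps it
        # local — consider `bind-address = "127.0.0.1";` here if only local
        # clients need it.
        settings.mysqld = {
          innodb_large_prefix = true;
          innodb_file_format = "barracuda";
          innodb_file_per_table = 1;
        };
      };

      # Backup database
      # ---------------
      # Disabled. The ExecStartPre/ExecStopPost hooks put Nextcloud into
      # maintenance mode for the duration of the dump.
      #services.mysqlBackup = {
      #  enable = true;
      #  databases = config.services.mysql.ensureDatabases;
      #  singleTransaction = true;
      #  location = "/var/lib/nextcloud/database_backups";
      #};
      #systemd.services."mysql-backup".serviceConfig = {
      #  ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
      #  ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];
      #};
    };
  };

  # PHP used by php-fpm.
  # NOTE(review): PHP 7.3 is end-of-life and no longer receives security fixes;
  # review whether the pinned Nextcloud package supports a newer PHP.
  services.phpfpm.phpPackage = pkgs.php73;

  # Nextcloud setup (currently disabled).
  services.nextcloud = {
    enable = false;
    hostName = "nextcloud.ingolf-wagner.de";
    package = pkgs.nextcloud22;
    autoUpdateApps.enable = true;
    autoUpdateApps.startAt = "05:00:00";
    logLevel = 2;
    https = true;
    config = {
      # Both passwords come from sops-managed files owned by the nextcloud
      # user (see below); nothing secret is written into the Nix store.
      adminpassFile = config.sops.secrets.nextcloud_root_password.path;
      overwriteProtocol = "https";
      dbtype = "mysql";
      dbpassFile = config.sops.secrets.nextcloud_database_password.path;
      # Connects to mysqld's default port directly; see the `forwardPorts`
      # note on the container — 3336 is only relevant with privateNetwork.
      dbport = 3306;
    };
  };

  # The secret files must be readable by the service account that runs
  # Nextcloud.
  sops.secrets.nextcloud_database_password.owner = "nextcloud";
  sops.secrets.nextcloud_root_password.owner = "nextcloud";

  # Log shipping to Graylog via journalbeat (disabled).
  #services.journalbeat = {
  #  enable = true;
  #  extraConfig = ''
  #    journalbeat.inputs:
  #    - paths: []
  #      # Position to start reading from journal. Valid values: head, tail, cursor
  #      seek: cursor
  #      # Fallback position if no cursor data is available.
  #      cursor_seek_fallback: tail
  #    output.logstash:
  #      # Boolean flag to enable or disable the output module.
  #      enabled: true
  #      # Graylog host and the beats input
  #      hosts: ["${hostAddress}:5044"]
  #      # If enabled only a subset of events in a batch of events is transferred per
  #      # transaction. The number of events to be sent increases up to `bulk_max_size`
  #      # if no error is encountered.
  #      slow_start: true
  #      # The number of seconds to wait before trying to reconnect to Graylog
  #      # after a network error. After waiting backoff.init seconds, the Beat
  #      # tries to reconnect. If the attempt fails, the backoff timer is increased
  #      # exponentially up to backoff.max. After a successful connection, the backoff
  #      # timer is reset. The default is 1s.
  #      backoff.init: 1s
  #      # The maximum number of seconds to wait before attempting to connect to
  #      # Graylog after a network error. The default is 60s.
  #      backoff.max: 60s
  #  '';
  #};

  # Give containers internet access (only needed with privateNetwork).
  #networking.nat.enable = true;
  #networking.nat.internalInterfaces = [ "ve-nextcloud" ];
  #networking.nat.externalInterface = "enp2s0f1";

  # Don't let NetworkManager manage the container network.
  #networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

  # Open ports for logging on the container interface.
  #networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
  #  [ 5044 12304 12305 ];
  #networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
  #  [ 5044 12304 12305 ];

  # Backup Config
  # -------------
  #backup.dirs = [
  #  "/home/nextcloud/config"
  #  "/home/nextcloud/database_backups" # created by mysqlBackup
  #];

  # Backup Files
  # ------------
  # Encrypted borg repository on a syncthing-shared path; the repository
  # passphrase comes from a sops secret.
  #services.borgbackup.jobs = {
  #  "nextcloud-to-media" = {
  #    repo = "/media/syncthing/borg/nextcloud";
  #    # make sure syncthing is capable of reading the files
  #    postHook = ''
  #      chown -R syncthing:syncthing /media/syncthing/borg/nextcloud
  #    '';
  #    compression = "lz4";
  #    paths = [
  #      "/home/nextcloud/data/tina/files/Documents"
  #      "/home/nextcloud/data/tina/files/Pictures"
  #      "/home/nextcloud/data/tina/files/Joplin"
  #      "/home/nextcloud/data/tina/files/SofortUpload"
  #      "/home/nextcloud/data/palo/files/InstantUpload"
  #      "/home/nextcloud/data/palo/files/Joplin"
  #      "/home/nextcloud/data/palo/files/Pictures"
  #      "/home/nextcloud/data/palo/files/Unterlagen"
  #      "/home/nextcloud/data/palo/files/Video"
  #      "/home/nextcloud/data/palo-windows/files/Kunstbuch"
  #    ];
  #    doInit = true;
  #    encryption = {
  #      mode = "repokey-blake2";
  #      passCommand =
  #        "cat ${config.sops.secrets.backup_repository_passphrase.path}";
  #    };
  #    startAt = "0/3:00:00";
  #    prune.keep = {
  #      within = "2d";  # Keep all backups from the last 2 days.
  #      daily = 10;     # Keep 10 additional end-of-day archives.
  #      weekly = 8;     # Keep 8 additional end-of-week archives.
  #      monthly = 8;    # Keep 8 additional end-of-month archives
  #                      # (was `month`, which is not a prune.keep key).
  #    };
  #  };
  #};
}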