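{ pkgs, config, ... }:
# don't forget the database backup before upgrading
# -------------------------------------------------
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
#
# Layout: the host only terminates TLS (nginx + ACME) and holds the sops
# secrets; Nextcloud, its php-fpm pool, its nginx and MariaDB/MySQL live in a
# NixOS container that shares the host network (privateNetwork = false).
let
  # The same uid/gid is used on the host and inside the container so that the
  # secret files (owned by "nextcloud" on the host) are readable by the
  # container's nextcloud user through the read-only bind mounts below.
  # NOTE(review): 1000 is the conventional first interactive-user id on NixOS;
  # a dedicated id below 1000 would avoid a clash with a human account, but
  # changing it requires chown'ing existing data, so it is left as is.
  nextcloudUid = 1000;
  nextcloudGid = 1000;
  nextcloudPort = 8080;
  nextcloudHostName = "nextcloud.ingolf-wagner.de";
  # PHP 7.3 is end-of-life and no longer available in nixpkgs; Nextcloud 28
  # requires PHP 8.  (The Nextcloud pool itself takes its interpreter from
  # services.nextcloud.phpPackage; this value is the php-fpm default for any
  # other pool.)
  phpPackage = pkgs.php82;
  nextcloudPackage = pkgs.nextcloud28;
  mySQLPackage = pkgs.mysql;
in
{
  # Only the TLS-terminating reverse proxy is reachable from outside.  Nothing
  # in this configuration listens on UDP (no QUIC/HTTP3 is enabled), so no UDP
  # ports are opened.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Host reverse proxy: terminates TLS and forwards to the container's nginx
  # on localhost:${nextcloudPort}.
  # Assumes security.acme.acceptTerms and security.acme.defaults.email are set
  # elsewhere in the system configuration (required by enableACME).
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "${nextcloudHostName}" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            proxyPass = "http://localhost:${toString nextcloudPort}";
            # client_max_body_size 0 disables nginx's upload size limit; the
            # effective limit is then whatever php/Nextcloud enforce.
            # NOTE(review): the container enables gzip, and sub_filter cannot
            # rewrite compressed bodies; if the http->https rewrite is still
            # needed, the proxy would have to clear Accept-Encoding upstream.
            extraConfig = ''
              sub_filter "http://${nextcloudHostName}" "https://${nextcloudHostName}"; # used for view/edit office file via Office Online Server
              client_max_body_size 0;
              proxy_buffering off; # to download files bigger than 1GB
            '';
          };
          # Service-discovery redirects for CalDAV/CardDAV clients; priority 210
          # makes them win over the catch-all "/" location.
          "= /.well-known/carddav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
          "= /.well-known/caldav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
        };
      };
    };
  };

  # Secrets are decrypted on the host (default mode is owner-read-only) and
  # bind-mounted read-only into the container; ownership matches by uid.
  sops.secrets.nextcloud_database_password.owner = "nextcloud";
  sops.secrets.nextcloud_root_password.owner = "nextcloud";

  users.users.nextcloud = {
    isSystemUser = true;
    uid = nextcloudUid;
    group = "nextcloud";
  };
  users.groups.nextcloud.gid = nextcloudGid;

  # Container Setup
  # ===============
  #
  # running:
  # * nextcloud (php)
  # * mysql
  containers.nextcloud = {
    # mount host folders (secrets only; read-only so the container cannot
    # alter them)
    bindMounts = {
      rootpassword = {
        hostPath = "/run/secrets/nextcloud_root_password";
        mountPoint = "/run/secrets/nextcloud_root_password";
        isReadOnly = true;
      };
      databasepassword = {
        hostPath = "/run/secrets/nextcloud_database_password";
        mountPoint = "/run/secrets/nextcloud_database_password";
        isReadOnly = true;
      };
    };
    # Shared network namespace: sockets opened in the container bind on the
    # host's interfaces.  The host firewall (80/443 TCP only) is what keeps
    # the container's nginx on ${nextcloudPort} and the database port away
    # from the network.
    privateNetwork = false;
    autoStart = true;

    config = { config, pkgs, lib, ... }: {
      # Configuring nameservers for containers is currently broken.
      # Therefore in some cases internet connectivity can be broken inside the containers.
      # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
      #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
      system.stateVersion = "23.11";

      # Must equal the host uid so the bind-mounted secrets are readable.
      users.users.nextcloud.uid = nextcloudUid;

      # Plain-HTTP nginx in front of php-fpm; the host proxy talks to it on
      # localhost.  NOTE(review): because the network namespace is shared,
      # 0.0.0.0 binds on every host interface; "127.0.0.1" would be tighter
      # if the host's proxy_pass resolves localhost to IPv4 — verify before
      # changing.
      services.nginx = {
        defaultListen = [
          {
            addr = "0.0.0.0";
            port = nextcloudPort;
          }
        ];
        # Use recommended settings
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
        recommendedProxySettings = lib.mkDefault true;
        recommendedTlsSettings = lib.mkDefault true;
      };

      # nextcloud database
      # ==================
      #
      # set user password:
      # -----------------
      # #> mysql
      # mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
      #
      # recreate database:
      # ------------------
      # mysql> DROP DATABASE nextcloud;
      # mysql> CREATE DATABASE nextcloud;
      #
      # migration:
      # ----------
      # nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
      #
      # 4-byte stuff:
      # -------------
      # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
      # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
      services.mysql = {
        enable = true;
        package = mySQLPackage;
        # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
        ensureDatabases = [ "nextcloud" ];
        # Grants are scoped to the nextcloud schema only.
        ensureUsers = [
          {
            name = "nextcloud";
            ensurePermissions = {
              "nextcloud.*" = "ALL PRIVILEGES";
            };
          }
        ];
        settings.mysqld = {
          innodb_large_prefix = true;
          innodb_file_format = "barracuda";
          innodb_file_per_table = 1;
          innodb_read_only_compressed = 0;
        };
      };

      # Backup database
      # ---------------
      # Dumps every database listed in ensureDatabases in one transaction.
      services.mysqlBackup = {
        enable = true;
        databases = config.services.mysql.ensureDatabases;
        singleTransaction = true;
      };
      # Put Nextcloud into maintenance mode for the duration of the dump.
      # The "+" prefix runs these commands with full privileges regardless of
      # the unit's User=; ExecStopPost also runs when the dump fails, so
      # maintenance mode is switched off again either way.
      systemd.services."mysql-backup".serviceConfig = {
        ExecStartPre = [
          "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on"
        ];
        ExecStopPost = [
          "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off"
        ];
      };

      # in php
      services.phpfpm = {
        phpPackage = phpPackage;
        phpOptions = ''
          opcache.revalidate_freq = 10
        '';
      };

      # nextcloud setup
      services.nextcloud = {
        enable = true;
        package = nextcloudPackage;
        autoUpdateApps.enable = true;
        hostName = nextcloudHostName;
        logLevel = 2;
        # Nextcloud only ever sees plain HTTP from the proxy; https/
        # overwriteProtocol tell it that clients are on TLS so generated
        # links and cookies are https.
        https = true;
        config = {
          # Credentials are read from the bind-mounted sops secrets, never
          # from the (world-readable) Nix store.
          adminpassFile = "/run/secrets/nextcloud_root_password";
          overwriteProtocol = "https";
          dbtype = "mysql";
          dbpassFile = "/run/secrets/nextcloud_database_password";
          dbport = 3306;
          defaultPhoneRegion = "DE";
        };
      };
    };
  };
}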