nixos-config/nixos/configs/robi/nextcloud.nix
2021-12-29 19:46:20 +01:00

215 lines
6.6 KiB
Nix

{ pkgs, config, lib, ... }:
let
nextcloudUid = 1000;
in
{
users.users.nextcloud = {
isSystemUser = true;
uid = nextcloudUid;
};
#networking.firewall.allowedTCPPorts = [ 80 443 ];
#networking.firewall.allowedUDPPorts = [ 80 443 ];
# host nginx setup
services.nginx = {
enable = true;
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedTlsSettings = lib.mkDefault true;
recommendedProxySettings = true;
#sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
#virtualHosts = {
# "nextcloud.ingolf-wagner.de" = {
# forceSSL = true;
# enableACME = true;
# };
#};
};
# nextcloud database
# ==================
#
# set user password:
# -----------------
# #> mysql
# mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
#
# recreate database:
# ------------------
# mysql> DROP DATABASE nextcloud;
# mysql> CREATE DATABASE nextcloud;
#
# migration:
# ----------
# nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
#
# 4-byte stuff:
# -------------
# https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
# if you do this don't forget --default-character-set=utf8mb4 for mysqldump
containers.nextcloudmysql = {
autoStart = true;
forwardPorts = [{
containerPort = 3336;
hostPort = 3336;
protocol = "tcp";
}];
config = { config, pkgs, lib, ... }: {
services.mysql = {
enable = true;
package = pkgs.mysql;
# https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
ensureDatabases = [ "nextcloud" ];
ensureUsers = [{
name = "nextcloud";
ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
}];
settings.mysqld = {
innodb_large_prefix = true;
innodb_file_format = "barracuda";
innodb_file_per_table = 1;
};
};
# Backup database
# ---------------
#services.mysqlBackup = {
# enable = true;
# databases = config.services.mysql.ensureDatabases;
# singleTransaction = true;
# location = "/var/lib/nextcloud/database_backups";
#};
#systemd.services."mysql-backup".serviceConfig = {
# ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
# ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];
#};
};
};
# in php
services.phpfpm.phpPackage = pkgs.php73;
# nextcloud setup
services.nextcloud = {
enable = false;
hostName = "nextcloud.ingolf-wagner.de";
package = pkgs.nextcloud22;
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
logLevel = 2;
https = true;
config = {
adminpassFile = config.sops.secrets.nextcloud_root_password.path;
overwriteProtocol = "https";
dbtype = "mysql";
dbpassFile = config.sops.secrets.nextcloud_database_password.path;
dbport = 3306;
};
};
sops.secrets.nextcloud_database_password.owner = "nextcloud";
sops.secrets.nextcloud_root_password.owner = "nextcloud";
#services.journalbeat = {
# enable = true;
# extraConfig = ''
# journalbeat.inputs:
# - paths: []
# # Position to start reading from journal. Valid values: head, tail, cursor
# seek: cursor
# # Fallback position if no cursor data is available.
# cursor_seek_fallback: tail
# output.logstash:
# # Boolean flag to enable or disable the output module.
# enabled: true
# # Graylog host and the beats input
# hosts: ["${hostAddress}:5044"]
# # If enabled only a subset of events in a batch of events is transferred per
# # transaction. The number of events to be sent increases up to `bulk_max_size`
# # if no error is encountered.
# slow_start: true
# # The number of seconds to wait before trying to reconnect to Graylog
# # after a network error. After waiting backoff.init seconds, the Beat
# # tries to reconnect. If the attempt fails, the backoff timer is increased
# # exponentially up to backoff.max. After a successful connection, the backoff
# # timer is reset. The default is 1s.
# backoff.init: 1s
# # The maximum number of seconds to wait before attempting to connect to
# # Graylog after a network error. The default is 60s.
# backoff.max: 60s
# '';
#};
# give containers internet access
#networking.nat.enable = true;
#networking.nat.internalInterfaces = [ "ve-nextcloud" ];
#networking.nat.externalInterface = "enp2s0f1";
# don't let networkmanager manger container network
#networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
# open ports for logging
#networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
# [ 5044 12304 12305 ];
#networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
# [ 5044 12304 12305 ];
# Backup Config
# -------------
#backup.dirs = [
# "/home/nextcloud/config"
# "/home/nextcloud/database_backups" # created by mysqlBackup
#];
# Backup Files
# ------------
#services.borgbackup.jobs = {
# "nextcloud-to-media" = {
# repo = "/media/syncthing/borg/nextcloud";
# # make sure syncthing is capable of reading the files
# postHook = ''
# chown -R syncthing:syncthing /media/syncthing/borg/nextcloud
# '';
# compression = "lz4";
# paths = [
# "/home/nextcloud/data/tina/files/Documents"
# "/home/nextcloud/data/tina/files/Pictures"
# "/home/nextcloud/data/tina/files/Joplin"
# "/home/nextcloud/data/tina/files/SofortUpload"
# "/home/nextcloud/data/palo/files/InstantUpload"
# "/home/nextcloud/data/palo/files/Joplin"
# "/home/nextcloud/data/palo/files/Pictures"
# "/home/nextcloud/data/palo/files/Unterlagen"
# "/home/nextcloud/data/palo/files/Video"
# "/home/nextcloud/data/palo-windows/files/Kunstbuch"
# ];
# doInit = true;
# encryption = {
# mode = "repokey-blake2";
# passCommand =
# "cat ${config.sops.secrets.backup_repository_passphrase.path}";
# };
# startAt = "0/3:00:00";
# prune.keep = {
# within = "2d"; # Keep all backups in the last 10 days.
# daily = 10; # Keep 10 additional end of day archives
# weekly = 8; # Keep 8 additional end of week archives.
# month = 8; # Keep 8 additional end of month archives.
# };
# };
#};
}