nixos-config/nixos/machines/orbi/media-nextcloud.nix

{ pkgs, config, ... }:
# don't forget the database backup before upgrading
# -------------------------------------------------
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
let
  # uid/gid are pinned so the host account that owns the sops secrets and the
  # nextcloud user inside the container agree on ownership of the bind-mounted
  # secret files.
  # NOTE(review): 1000 is the range normally handed to the first human account;
  # a low system uid would avoid a clash if such an account is ever created on
  # this host — confirm nothing else uses 1000 here.
  nextcloudUid = 1000;
  nextcloudGid = 1000;
  # plaintext backend port of the nginx inside the container; only the host
  # nginx is supposed to talk to it
  nextcloudPort = 8080;
  nextcloudHostName = "cloud.ingolf-wagner.de";
  # NOTE(review): PHP 7.3 is end-of-life and Nextcloud 28 needs PHP 8.x. This
  # is only wired into the container's global services.phpfpm.phpPackage; the
  # NixOS nextcloud module pins its own PHP on the nextcloud pool, so this is
  # most likely never applied — verify and drop it.
  phpPackage = pkgs.php73;
  nextcloudPackage = pkgs.nextcloud28;
  # presumably resolves to MariaDB in current nixpkgs — verify, the innodb_*
  # settings below depend on the server version
  mySQLPackage = pkgs.mysql;
in
{
# host nginx
# ----------
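# Only TCP is served: nginx listens on 80/443 over TCP and nothing in this
# file enables HTTP/3 (QUIC), so opening UDP 80/443 exposed ports with no
# listener behind them. Keep the firewall to what is actually used.
networking.firewall.allowedTCPPorts = [ 80 443 ];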
# Reverse proxy on the host: terminates TLS (ACME certificate) for the
# Nextcloud host name and forwards plain HTTP to the nginx inside the
# container on localhost:nextcloudPort. recommendedProxySettings adds the
# X-Forwarded-* / X-Real-IP headers the backend needs to see the real client.
services.nginx = {
  enable = true;
  recommendedProxySettings = true;
  virtualHosts.${nextcloudHostName} = {
    # plain-HTTP requests are redirected to https
    forceSSL = true;
    enableACME = true;
    # CalDAV/CardDAV discovery: clients probe these well-known paths and are
    # sent to the DAV endpoint. $host is taken from the request's Host header;
    # that is fine as long as this vhost only answers for its own server_name
    # (i.e. is not also the catch-all default server). priority controls the
    # order of the blocks in the generated config.
    locations."= /.well-known/carddav" = {
      priority = 210;
      extraConfig = "return 301 $scheme://$host/remote.php/dav;";
    };
    locations."= /.well-known/caldav" = {
      priority = 210;
      extraConfig = "return 301 $scheme://$host/remote.php/dav;";
    };
    # Everything else goes to the container. client_max_body_size 0 removes
    # nginx's upload cap entirely, so Nextcloud's own PHP limits are the only
    # size limit left.
    # NOTE(review): overwriteProtocol = "https" in the Nextcloud config already
    # makes it emit https links, and sub_filter cannot rewrite gzip-compressed
    # bodies, so the sub_filter is probably redundant — confirm before removing.
    locations."/" = {
      proxyPass = "http://localhost:${toString nextcloudPort}";
      extraConfig = ''
        sub_filter "http://${nextcloudHostName}" "https://${nextcloudHostName}";
        # used for view/edit office file via Office Online Server
        client_max_body_size 0;
        proxy_buffering off; # to download files bigger than 1GB
      '';
    };
  };
};
# The secrets are decrypted on the host by sops-nix and owned by the nextcloud
# user, so the same uid inside the container can read the bind-mounted copies.
sops.secrets = {
  nextcloud_database_password.owner = "nextcloud";
  nextcloud_root_password.owner = "nextcloud";
};
# Host-side nextcloud account. The uid is pinned to the value the container
# also uses (the container only pins the uid, not the gid).
# NOTE(review): uid/gid 1000 is the range normally given to the first human
# account on a machine — a low system uid would avoid a collision.
users.groups.nextcloud = { gid = nextcloudGid; };
users.users.nextcloud = {
  isSystemUser = true;
  group = "nextcloud";
  uid = nextcloudUid;
};
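# Container Setup
# ===============
#
# running:
# * nextcloud (php-fpm behind the container's own nginx on nextcloudPort)
# * mysql
#
# NOTE(review): a NixOS container is a convenience boundary, not a security
# boundary — root inside it is not meaningfully confined from the host, and
# with privateNetwork = false it also shares the host's network namespace.
# Every socket opened inside is opened on the host's interfaces, which is why
# the services below are bound to loopback.
containers.nextcloud = {
  # mount host folders
  # The secrets are decrypted by sops on the host and appear read-only at the
  # same path inside; the container's nextcloud user is pinned to the host uid
  # (see users.users.nextcloud.uid below) so it can read them.
  bindMounts = {
    rootpassword = {
      hostPath = "/run/secrets/nextcloud_root_password";
      mountPoint = "/run/secrets/nextcloud_root_password";
      isReadOnly = true;
    };
    databasepassword = {
      hostPath = "/run/secrets/nextcloud_database_password";
      mountPoint = "/run/secrets/nextcloud_database_password";
      isReadOnly = true;
    };
    #home = {
    #  # make sure this folder exist on the host
    #  hostPath = toString "/var/lib/nextcloud";
    #  mountPoint = "/var/lib/nextcloud";
    #  isReadOnly = false;
    #};
    #db = {
    #  # make sure this folder exist on the host
    #  hostPath = toString "/var/lib/nextcloud_mysql";
    #  mountPoint = "/var/lib/mysql";
    #  isReadOnly = false;
    #};
    #media = {
    #  #mountPoint = toString config.services.syncthing.folders.media.path;
    #  #hostPath = toString config.services.syncthing.folders.media.path;
    #  mountPoint = "/media/syncthing/media";
    #  hostPath = "/media/media";
    #  isReadOnly = true;
    #};
  };
  # shares the host network stack (no veth/NAT); see the note above
  privateNetwork = false;
  autoStart = true;
  config = { config, pkgs, lib, ... }: {
    # Configuring nameservers for containers is currently broken.
    # Therefore in some cases internet connectivity can be broken inside the containers.
    # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this:
    #environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
    system.stateVersion = "23.11";
    #system.stateVersion = "21.05";
    # same uid as the host account that owns the sops secrets (the gid is not
    # pinned here; only matters if a writable data directory is bind-mounted)
    users.users.nextcloud.uid = nextcloudUid;
    services.nginx = {
      # Loopback only. The host nginx proxies to http://localhost:<port>, so
      # nothing else needs this plaintext backend; with privateNetwork = false
      # "0.0.0.0" would bind it on every interface of the host and leave only
      # the host firewall between it and the network.
      defaultListen = [
        { addr = "127.0.0.1"; port = nextcloudPort; }
      ];
      # Use recommended settings
      recommendedGzipSettings = lib.mkDefault true;
      recommendedOptimisation = lib.mkDefault true;
      recommendedProxySettings = lib.mkDefault true;
      recommendedTlsSettings = lib.mkDefault true;
    };
    #networking.firewall.allowedTCPPorts = [ 80 ];
    #networking.firewall.allowedUDPPorts = [ 80 ];
    # nextcloud database
    # ==================
    #
    # set user password (the literal below is a placeholder; use the value of
    # the nextcloud_database_password secret):
    # -----------------
    # #> mysql
    # mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
    #
    # recreate database:
    # ------------------
    # mysql> DROP DATABASE nextcloud;
    # mysql> CREATE DATABASE nextcloud;
    #
    # migration:
    # ----------
    # nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
    #
    # 4-byte stuff:
    # -------------
    # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
    # if you do this don't forget --default-character-set=utf8mb4 for mysqldump
    services.mysql = {
      enable = true;
      package = mySQLPackage;
      # Listen on loopback only. The container shares the host network
      # namespace and nothing off-host needs the database; without this the
      # server binds every interface. Nextcloud's connection settings are
      # unchanged and the migration command above (127.0.0.1) still works.
      bind = "127.0.0.1";
      # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
      ensureDatabases = [ "nextcloud" ];
      ensureUsers = [{
        name = "nextcloud";
        ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
      }];
      # NOTE(review): innodb_large_prefix and innodb_file_format only exist on
      # older MariaDB/MySQL servers and were removed in recent releases (the
      # server refuses to start on an unknown variable); verify against the
      # version mySQLPackage resolves to before relying on this.
      settings.mysqld = {
        innodb_large_prefix = true;
        innodb_file_format = "barracuda";
        innodb_file_per_table = 1;
        innodb_read_only_compressed = 0;
      };
    };
    # Backup database
    # ---------------
    # singleTransaction gives a consistent InnoDB snapshot for the dump.
    services.mysqlBackup = {
      enable = true;
      databases = config.services.mysql.ensureDatabases;
      singleTransaction = true;
    };
    # Put Nextcloud into maintenance mode around the dump so the database and
    # the data directory stay consistent. The leading "+" runs the command with
    # full privileges regardless of the unit's User=; ExecStopPost also runs
    # when the dump fails, so maintenance mode is always switched off again.
    systemd.services."mysql-backup".serviceConfig = {
      ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
      ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ];
    };
    # in php
    # NOTE(review): the nextcloud pool gets its PHP from the NixOS nextcloud
    # module, so this global default most likely only affects other pools
    # (there are none here) — and pkgs.php73 is end-of-life. Verify and drop.
    services.phpfpm = {
      phpPackage = phpPackage;
      phpOptions = ''
        opcache.revalidate_freq = 10
      '';
    };
    # nextcloud setup
    services.nextcloud = {
      enable = true;
      package = nextcloudPackage;
      # NOTE(review): apps are then updated from the Nextcloud app store without
      # review on this side — a supply-chain trade-off to be aware of.
      autoUpdateApps.enable = true;
      # nginx.enable = true;
      # enableBrokenCiphersForSSE = false; # see https://github.com/NixOS/nixpkgs/pull/198470
      hostName = nextcloudHostName;
      logLevel = 2; # 2 = warning
      https = true;
      config = {
        adminpassFile = "/run/secrets/nextcloud_root_password";
        overwriteProtocol = "https";
        # The host nginx is the only client of this backend. Trusting it as a
        # proxy makes Nextcloud take the client address from X-Forwarded-For
        # (set by recommendedProxySettings on the host) instead of seeing every
        # request as coming from 127.0.0.1 — its brute-force protection and
        # logs key on that address.
        trustedProxies = [ "127.0.0.1" ];
        dbtype = "mysql";
        dbpassFile = "/run/secrets/nextcloud_database_password";
        dbport = 3306;
        defaultPhoneRegion = "DE";
      };
    };
  };
};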
}