diff options
author | tv <tv@krebsco.de> | 2021-01-18 15:24:18 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2021-01-18 15:24:18 +0100 |
commit | ff6f5ef5e1cdbd27b2211c54643fa2754f888cbb (patch) | |
tree | b33763a7ac8040efe988f8bed2fe1c649cc155dd /makefu/2configs/deployment/owncloud.nix | |
parent | 7b7ebd8708885633c926c21a4b71d5d4ce8931cf (diff) | |
parent | 2a32b7731496615e43a06ec1049f6716c49a1999 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/deployment/owncloud.nix')
-rw-r--r-- | makefu/2configs/deployment/owncloud.nix | 280 |
1 files changed, 72 insertions, 208 deletions
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix index af6592b2b..571e56277 100644 --- a/makefu/2configs/deployment/owncloud.nix +++ b/makefu/2configs/deployment/owncloud.nix @@ -1,216 +1,80 @@ { lib, pkgs, config, ... }: with lib; -# imperative in config.php: -# #local memcache: -# 'memcache.local' => '\\OC\\Memcache\\APCu', -# #local locking: -# 'memcache.locking' => '\\OC\\Memcache\\Redis', -# 'redis' => -# array ( -# 'host' => 'localhost', -# 'port' => 6379, -# ), - +# services.redis.enable = true; +# to enable caching with redis first start up everything, then run: +# nextcloud-occ config:system:set redis 'host' --value 'localhost' --type string +# nextcloud-occ config:system:set redis 'port' --value 6379 --type integer +# nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string +# nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string + +# services.memcached.enable = true; +# to enable caching with memcached run: +# nextcloud-occ config:system:set memcached_servers 0 0 --value 127.0.0.1 --type string +# nextcloud-occ config:system:set memcached_servers 0 1 --value 11211 --type integer +# nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\APCu' --type string +# nextcloud-occ config:system:set memcache.distributed --value '\OC\Memcache\Memcached' --type string let - phpPackage = let - base = pkgs.php74; - in - base.buildEnv { - extensions = { enabled, all }: with all; - enabled ++ [ - apcu redis memcached imagick - ]; - }; - - # TODO: copy-paste from lass/2/websites/util.nix - nextcloud = pkgs.nextcloud20; - serveCloud = domains: - let - domain = head domains; - root = "/var/www/${domain}/"; - socket = "/var/run/${domain}-phpfpm.sock"; - in { - system.activationScripts."prepare-nextcloud-${domain}" = '' - if test ! -e ${root} ;then - echo "copying latest ${nextcloud.name} release to ${root}" - mkdir -p $(dirname "${root}") - cp -r ${nextcloud} "${root}" - chown -R nginx:nginx "${root}" - chmod 770 "${root}" - fi - ''; - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - serverAliases = domains; - extraConfig = '' - - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - - # Path to the root of your installation - root ${root}; - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - fastcgi_read_timeout 120; - - # Disable gzip to avoid the removal of the ETag header - gzip off; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. - #pagespeed off; - - index index.php; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - - rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; - rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; - - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - ''; - locations."/robots.txt".extraConfig = '' - allow all; - log_not_found off; - access_log off; - ''; - locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = '' - deny all; - ''; - - locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = '' - deny all; - ''; - - locations."/".extraConfig = '' - rewrite ^/remote/(.*) /remote.php last; - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ =404; - ''; - - locations."~ \.php(?:$|/)".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:${config.services.phpfpm.pools.${domain}.socket}; - fastcgi_intercept_errors on; - ''; - - # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) block - locations."~* \.(?:css|js)$".extraConfig = '' - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - - # Optional: Don't log access to assets - access_log off; - ''; - # Optional: Don't log access to other assets - locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = '' - access_log off; - ''; - }; - services.phpfpm.pools."${domain}" = { - user = "nginx"; - group = "nginx"; - phpPackage = phpPackage; - settings = { - "listen.owner" = "nginx"; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = "on"; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [ phpPackage ]; - }; - services.phpfpm.phpOptions = '' - opcache.enable=1 - opcache.enable_cli=1 - opcache.interned_strings_buffer=8 - opcache.max_accelerated_files=10000 - opcache.memory_consumption=128 - opcache.save_comments=1 - opcache.revalidate_freq=1 - opcache.file_cache = .opcache - zend_extension=${phpPackage}/lib/php/extensions/opcache.so - - display_errors = on - display_startup_errors = on - always_populate_raw_post_data = -1 - error_reporting = E_ALL | E_STRICT - html_errors = On - date.timezone = "Europe/Berlin" - extension=${phpPackage}/lib/php/extensions/memcached.so - extension=${phpPackage}/lib/php/extensions/redis.so - extension=${phpPackage}/lib/php/extensions/apcu.so - ''; - - systemd.services."nextcloud-cron-${domain}" = { - serviceConfig = { - User = "nginx"; - ExecStart = "${phpPackage}/bin/php -f ${root}/cron.php"; - }; - startAt = "*:0/15"; - }; + adminpw = "/run/secret/nextcloud-admin-pw"; + dbpw = "/run/secret/nextcloud-db-pw"; +in { + + krebs.secret.files.nextcloud-db-pw = { + path = dbpw; + owner.name = "nextcloud"; + source-path = toString <secrets> + "/nextcloud-db-pw"; + }; + + krebs.secret.files.nextcloud-admin-pw = { + path = adminpw; + owner.name = "nextcloud"; + source-path = toString <secrets> + "/nextcloud-admin-pw"; + }; + + services.nginx.virtualHosts."o.euer.krebsco.de" = { + forceSSL = true; + enableACME = true; + }; + state = [ "${config.services.nextcloud.home}/config" ]; + services.nextcloud = { + enable = true; + package = pkgs.nextcloud20; + hostName = "o.euer.krebsco.de"; + # Use HTTPS for links + https = true; + # Auto-update Nextcloud Apps + autoUpdateApps.enable = true; + # Set what time makes sense for you + autoUpdateApps.startAt = "05:00:00"; + + caching.redis = true; + # caching.memcached = true; + config = { + # Further forces Nextcloud to use HTTPS + overwriteProtocol = "https"; + + # Nextcloud PostegreSQL database configuration, recommended over using SQLite + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + dbpassFile = dbpw; + adminpassFile = adminpw; + adminuser = "admin"; }; -in { - imports = [ - ( serveCloud [ "o.euer.krebsco.de" ] ) - ]; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; services.redis.enable = true; - - #services.mysql = { - # enable = false; - # package = pkgs.mariadb; - # rootPassword = config.krebs.secret.files.mysql_rootPassword.path; - # initialDatabases = [ - # # Or use writeText instead of literalExample? - # #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; } - # { - # name = "nextcloud"; - # schema = pkgs.writeText "nextcloud.sql" - # '' - # create user if not exists 'nextcloud'@'localhost' identified by 'password'; - # grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password'; - # ''; - # } - # ]; - #}; - - # dataDir is only defined after mysql is enabled - #krebs.secret.files.mysql_rootPassword = { - # path = "${config.services.mysql.dataDir}/mysql_rootPassword"; - # owner.name = "root"; - # source-path = toString <secrets> + "/mysql_rootPassword"; - #}; + systemd.services.redis.serviceConfig.LimitNOFILE=65536; + services.postgresql = { + enable = true; + # Ensure the database, user, and permissions always exist + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ { name = "nextcloud"; ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ]; + }; + + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; } |