summaryrefslogtreecommitdiffstats
path: root/makefu/2configs/deployment
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2021-01-18 15:24:18 +0100
committertv <tv@krebsco.de>2021-01-18 15:24:18 +0100
commitff6f5ef5e1cdbd27b2211c54643fa2754f888cbb (patch)
treeb33763a7ac8040efe988f8bed2fe1c649cc155dd /makefu/2configs/deployment
parent7b7ebd8708885633c926c21a4b71d5d4ce8931cf (diff)
parent2a32b7731496615e43a06ec1049f6716c49a1999 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'makefu/2configs/deployment')
-rw-r--r--makefu/2configs/deployment/owncloud.nix280
1 files changed, 72 insertions, 208 deletions
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix
index af6592b2b..571e56277 100644
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@@ -1,216 +1,80 @@
{ lib, pkgs, config, ... }:
with lib;
-# imperative in config.php:
-# #local memcache:
-# 'memcache.local' => '\\OC\\Memcache\\APCu',
-# #local locking:
-# 'memcache.locking' => '\\OC\\Memcache\\Redis',
-# 'redis' =>
-# array (
-# 'host' => 'localhost',
-# 'port' => 6379,
-# ),
-
+# services.redis.enable = true;
+# to enable caching with redis first start up everything, then run:
+# nextcloud-occ config:system:set redis 'host' --value 'localhost' --type string
+# nextcloud-occ config:system:set redis 'port' --value 6379 --type integer
+# nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\Redis' --type string
+# nextcloud-occ config:system:set memcache.locking --value '\OC\Memcache\Redis' --type string
+
+# services.memcached.enable = true;
+# to enable caching with memcached run:
+# nextcloud-occ config:system:set memcached_servers 0 0 --value 127.0.0.1 --type string
+# nextcloud-occ config:system:set memcached_servers 0 1 --value 11211 --type integer
+# nextcloud-occ config:system:set memcache.local --value '\OC\Memcache\APCu' --type string
+# nextcloud-occ config:system:set memcache.distributed --value '\OC\Memcache\Memcached' --type string
let
- phpPackage = let
- base = pkgs.php74;
- in
- base.buildEnv {
- extensions = { enabled, all }: with all;
- enabled ++ [
- apcu redis memcached imagick
- ];
- };
-
- # TODO: copy-paste from lass/2/websites/util.nix
- nextcloud = pkgs.nextcloud20;
- serveCloud = domains:
- let
- domain = head domains;
- root = "/var/www/${domain}/";
- socket = "/var/run/${domain}-phpfpm.sock";
- in {
- system.activationScripts."prepare-nextcloud-${domain}" = ''
- if test ! -e ${root} ;then
- echo "copying latest ${nextcloud.name} release to ${root}"
- mkdir -p $(dirname "${root}")
- cp -r ${nextcloud} "${root}"
- chown -R nginx:nginx "${root}"
- chmod 770 "${root}"
- fi
- '';
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- serverAliases = domains;
- extraConfig = ''
-
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
-
- # Path to the root of your installation
- root ${root};
- # set max upload size
- client_max_body_size 10G;
- fastcgi_buffers 64 4K;
- fastcgi_read_timeout 120;
-
- # Disable gzip to avoid the removal of the ETag header
- gzip off;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
- index index.php;
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
-
- rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
- rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
-
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- '';
- locations."/robots.txt".extraConfig = ''
- allow all;
- log_not_found off;
- access_log off;
- '';
- locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
- deny all;
- '';
-
- locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
- deny all;
- '';
-
- locations."/".extraConfig = ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '';
-
- locations."~ \.php(?:$|/)".extraConfig = ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:${config.services.phpfpm.pools.${domain}.socket};
- fastcgi_intercept_errors on;
- '';
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) block
- locations."~* \.(?:css|js)$".extraConfig = ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
-
- # Optional: Don't log access to assets
- access_log off;
- '';
- # Optional: Don't log access to other assets
- locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
- access_log off;
- '';
- };
- services.phpfpm.pools."${domain}" = {
- user = "nginx";
- group = "nginx";
- phpPackage = phpPackage;
- settings = {
- "listen.owner" = "nginx";
- "pm" = "dynamic";
- "pm.max_children" = 32;
- "pm.max_requests" = 500;
- "pm.start_servers" = 2;
- "pm.min_spare_servers" = 2;
- "pm.max_spare_servers" = 5;
- "php_admin_value[error_log]" = "stderr";
- "php_admin_flag[log_errors]" = "on";
- "catch_workers_output" = true;
- };
- phpEnv."PATH" = lib.makeBinPath [ phpPackage ];
- };
- services.phpfpm.phpOptions = ''
- opcache.enable=1
- opcache.enable_cli=1
- opcache.interned_strings_buffer=8
- opcache.max_accelerated_files=10000
- opcache.memory_consumption=128
- opcache.save_comments=1
- opcache.revalidate_freq=1
- opcache.file_cache = .opcache
- zend_extension=${phpPackage}/lib/php/extensions/opcache.so
-
- display_errors = on
- display_startup_errors = on
- always_populate_raw_post_data = -1
- error_reporting = E_ALL | E_STRICT
- html_errors = On
- date.timezone = "Europe/Berlin"
- extension=${phpPackage}/lib/php/extensions/memcached.so
- extension=${phpPackage}/lib/php/extensions/redis.so
- extension=${phpPackage}/lib/php/extensions/apcu.so
- '';
-
- systemd.services."nextcloud-cron-${domain}" = {
- serviceConfig = {
- User = "nginx";
- ExecStart = "${phpPackage}/bin/php -f ${root}/cron.php";
- };
- startAt = "*:0/15";
- };
+ adminpw = "/run/secret/nextcloud-admin-pw";
+ dbpw = "/run/secret/nextcloud-db-pw";
+in {
+
+ krebs.secret.files.nextcloud-db-pw = {
+ path = dbpw;
+ owner.name = "nextcloud";
+ source-path = toString <secrets> + "/nextcloud-db-pw";
+ };
+
+ krebs.secret.files.nextcloud-admin-pw = {
+ path = adminpw;
+ owner.name = "nextcloud";
+ source-path = toString <secrets> + "/nextcloud-admin-pw";
+ };
+
+ services.nginx.virtualHosts."o.euer.krebsco.de" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ state = [ "${config.services.nextcloud.home}/config" ];
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud20;
+ hostName = "o.euer.krebsco.de";
+ # Use HTTPS for links
+ https = true;
+ # Auto-update Nextcloud Apps
+ autoUpdateApps.enable = true;
+ # Set what time makes sense for you
+ autoUpdateApps.startAt = "05:00:00";
+
+ caching.redis = true;
+ # caching.memcached = true;
+ config = {
+ # Further forces Nextcloud to use HTTPS
+ overwriteProtocol = "https";
+
+ # Nextcloud PostegreSQL database configuration, recommended over using SQLite
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = dbpw;
+ adminpassFile = adminpw;
+ adminuser = "admin";
};
-in {
- imports = [
- ( serveCloud [ "o.euer.krebsco.de" ] )
- ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
services.redis.enable = true;
-
- #services.mysql = {
- # enable = false;
- # package = pkgs.mariadb;
- # rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
- # initialDatabases = [
- # # Or use writeText instead of literalExample?
- # #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
- # {
- # name = "nextcloud";
- # schema = pkgs.writeText "nextcloud.sql"
- # ''
- # create user if not exists 'nextcloud'@'localhost' identified by 'password';
- # grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
- # '';
- # }
- # ];
- #};
-
- # dataDir is only defined after mysql is enabled
- #krebs.secret.files.mysql_rootPassword = {
- # path = "${config.services.mysql.dataDir}/mysql_rootPassword";
- # owner.name = "root";
- # source-path = toString <secrets> + "/mysql_rootPassword";
- #};
+ systemd.services.redis.serviceConfig.LimitNOFILE=65536;
+ services.postgresql = {
+ enable = true;
+ # Ensure the database, user, and permissions always exist
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [ { name = "nextcloud"; ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ];
+ };
+
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
}