Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ma deployment/owncloud: use upstream module

Browse Source
This commit is contained in:
makefu 2021-01-03 02:03:12 +01:00
parent 6a53d3e0fd
commit 4a11918603
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
1 changed files with 49 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

252
makefu/2configs/deployment/owncloud.nix
View File

@ -1,216 +1,62 @@
{ lib, pkgs, config, ... }:
with lib;
# imperative in config.php:
# #local memcache:
# 'memcache.local' => '\\OC\\Memcache\\APCu',
# #local locking:
# 'memcache.locking' => '\\OC\\Memcache\\Redis',
# 'redis' =>
# array (
# 'host' => 'localhost',
# 'port' => 6379,
# ),
let
phpPackage = let
base = pkgs.php74;
in
base.buildEnv {
extensions = { enabled, all }: with all;
enabled ++ [
apcu redis memcached imagick
];
};
adminpw = "/run/secret/nextcloud-admin-pw";
dbpw = "/run/secret/nextcloud-db-pw";
in {
krebs.secret.files.nextcloud-db-pw = {
path = dbpw;
owner.name = "nextcloud";
source-path = toString <secrets> + "/nextcloud-db-pw";
};
# TODO: copy-paste from lass/2/websites/util.nix
nextcloud = pkgs.nextcloud20;
serveCloud = domains:
let
domain = head domains;
root = "/var/www/${domain}/";
socket = "/var/run/${domain}-phpfpm.sock";
in {
system.activationScripts."prepare-nextcloud-${domain}" = ''
if test ! -e ${root} ;then
echo "copying latest ${nextcloud.name} release to ${root}"
mkdir -p $(dirname "${root}")
cp -r ${nextcloud} "${root}"
chown -R nginx:nginx "${root}"
chmod 770 "${root}"
fi
'';
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
serverAliases = domains;
extraConfig = ''
krebs.secret.files.nextcloud-admin-pw = {
path = adminpw;
owner.name = "nextcloud";
source-path = toString <secrets> + "/nextcloud-admin-pw";
};
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
services.nginx.virtualHosts."o.euer.krebsco.de" = {
forceSSL = true;
enableACME = true;
};
# Path to the root of your installation
root ${root};
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
fastcgi_read_timeout 120;
services.nextcloud = {
enable = true;
package = pkgs.nextcloud20;
hostName = "o.euer.krebsco.de";
# Use HTTPS for links
https = true;
# Auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# Set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
# Disable gzip to avoid the removal of the ETag header
gzip off;
config = {
# Further forces Nextcloud to use HTTPS
overwriteProtocol = "https";
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
locations."/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
deny all;
'';
locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
deny all;
'';
locations."/".extraConfig = ''
rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:${config.services.phpfpm.pools.${domain}.socket};
fastcgi_intercept_errors on;
'';
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) block
locations."~* \.(?:css|js)$".extraConfig = ''
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
'';
# Optional: Don't log access to other assets
locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
access_log off;
'';
};
services.phpfpm.pools."${domain}" = {
user = "nginx";
group = "nginx";
phpPackage = phpPackage;
settings = {
"listen.owner" = "nginx";
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = "on";
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ phpPackage ];
};
services.phpfpm.phpOptions = ''
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
opcache.file_cache = .opcache
zend_extension=${phpPackage}/lib/php/extensions/opcache.so
display_errors = on
display_startup_errors = on
always_populate_raw_post_data = -1
error_reporting = E_ALL | E_STRICT
html_errors = On
date.timezone = "Europe/Berlin"
extension=${phpPackage}/lib/php/extensions/memcached.so
extension=${phpPackage}/lib/php/extensions/redis.so
extension=${phpPackage}/lib/php/extensions/apcu.so
'';
systemd.services."nextcloud-cron-${domain}" = {
serviceConfig = {
User = "nginx";
ExecStart = "${phpPackage}/bin/php -f ${root}/cron.php";
};
startAt = "*:0/15";
};
# Nextcloud PostegreSQL database configuration, recommended over using SQLite
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
dbpassFile = dbpw;
adminpassFile = adminpw;
adminuser = "admin";
};
in {
imports = [
( serveCloud [ "o.euer.krebsco.de" ] )
];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.redis.enable = true;
services.postgresql = {
enable = true;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ { name = "nextcloud"; ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ];
};
#services.mysql = {
# enable = false;
# package = pkgs.mariadb;
# rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
# initialDatabases = [
# # Or use writeText instead of literalExample?
# #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
# {
# name = "nextcloud";
# schema = pkgs.writeText "nextcloud.sql"
# ''
# create user if not exists 'nextcloud'@'localhost' identified by 'password';
# grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
# '';
# }
# ];
#};
# dataDir is only defined after mysql is enabled
#krebs.secret.files.mysql_rootPassword = {
# path = "${config.services.mysql.dataDir}/mysql_rootPassword";
# owner.name = "root";
# source-path = toString <secrets> + "/mysql_rootPassword";
#};
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
}