ma deployment/owncloud: use upstream module
This commit is contained in:
parent
6a53d3e0fd
commit
4a11918603
@ -1,216 +1,62 @@
|
|||||||
{ lib, pkgs, config, ... }:
|
{ lib, pkgs, config, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
# imperative in config.php:
|
|
||||||
# #local memcache:
|
|
||||||
# 'memcache.local' => '\\OC\\Memcache\\APCu',
|
|
||||||
# #local locking:
|
|
||||||
# 'memcache.locking' => '\\OC\\Memcache\\Redis',
|
|
||||||
# 'redis' =>
|
|
||||||
# array (
|
|
||||||
# 'host' => 'localhost',
|
|
||||||
# 'port' => 6379,
|
|
||||||
# ),
|
|
||||||
|
|
||||||
|
|
||||||
let
|
let
|
||||||
phpPackage = let
|
adminpw = "/run/secret/nextcloud-admin-pw";
|
||||||
base = pkgs.php74;
|
dbpw = "/run/secret/nextcloud-db-pw";
|
||||||
in
|
in {
|
||||||
base.buildEnv {
|
krebs.secret.files.nextcloud-db-pw = {
|
||||||
extensions = { enabled, all }: with all;
|
path = dbpw;
|
||||||
enabled ++ [
|
owner.name = "nextcloud";
|
||||||
apcu redis memcached imagick
|
source-path = toString <secrets> + "/nextcloud-db-pw";
|
||||||
];
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: copy-paste from lass/2/websites/util.nix
|
krebs.secret.files.nextcloud-admin-pw = {
|
||||||
nextcloud = pkgs.nextcloud20;
|
path = adminpw;
|
||||||
serveCloud = domains:
|
owner.name = "nextcloud";
|
||||||
let
|
source-path = toString <secrets> + "/nextcloud-admin-pw";
|
||||||
domain = head domains;
|
};
|
||||||
root = "/var/www/${domain}/";
|
|
||||||
socket = "/var/run/${domain}-phpfpm.sock";
|
|
||||||
in {
|
|
||||||
system.activationScripts."prepare-nextcloud-${domain}" = ''
|
|
||||||
if test ! -e ${root} ;then
|
|
||||||
echo "copying latest ${nextcloud.name} release to ${root}"
|
|
||||||
mkdir -p $(dirname "${root}")
|
|
||||||
cp -r ${nextcloud} "${root}"
|
|
||||||
chown -R nginx:nginx "${root}"
|
|
||||||
chmod 770 "${root}"
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
serverAliases = domains;
|
|
||||||
extraConfig = ''
|
|
||||||
|
|
||||||
# Add headers to serve security related headers
|
services.nginx.virtualHosts."o.euer.krebsco.de" = {
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
forceSSL = true;
|
||||||
add_header X-Content-Type-Options nosniff;
|
enableACME = true;
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
};
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Robots-Tag none;
|
|
||||||
add_header X-Download-Options noopen;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
|
||||||
|
|
||||||
# Path to the root of your installation
|
services.nextcloud = {
|
||||||
root ${root};
|
enable = true;
|
||||||
# set max upload size
|
package = pkgs.nextcloud20;
|
||||||
client_max_body_size 10G;
|
hostName = "o.euer.krebsco.de";
|
||||||
fastcgi_buffers 64 4K;
|
# Use HTTPS for links
|
||||||
fastcgi_read_timeout 120;
|
https = true;
|
||||||
|
# Auto-update Nextcloud Apps
|
||||||
|
autoUpdateApps.enable = true;
|
||||||
|
# Set what time makes sense for you
|
||||||
|
autoUpdateApps.startAt = "05:00:00";
|
||||||
|
|
||||||
# Disable gzip to avoid the removal of the ETag header
|
config = {
|
||||||
gzip off;
|
# Further forces Nextcloud to use HTTPS
|
||||||
|
overwriteProtocol = "https";
|
||||||
|
|
||||||
# Uncomment if your server is build with the ngx_pagespeed module
|
# Nextcloud PostegreSQL database configuration, recommended over using SQLite
|
||||||
# This module is currently not supported.
|
dbtype = "pgsql";
|
||||||
#pagespeed off;
|
dbuser = "nextcloud";
|
||||||
|
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
||||||
index index.php;
|
dbname = "nextcloud";
|
||||||
error_page 403 /core/templates/403.php;
|
dbpassFile = dbpw;
|
||||||
error_page 404 /core/templates/404.php;
|
adminpassFile = adminpw;
|
||||||
|
adminuser = "admin";
|
||||||
rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
|
|
||||||
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
|
|
||||||
|
|
||||||
# The following 2 rules are only needed for the user_webfinger app.
|
|
||||||
# Uncomment it if you're planning to use this app.
|
|
||||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
|
||||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
|
||||||
'';
|
|
||||||
locations."/robots.txt".extraConfig = ''
|
|
||||||
allow all;
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
'';
|
|
||||||
locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."/".extraConfig = ''
|
|
||||||
rewrite ^/remote/(.*) /remote.php last;
|
|
||||||
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
'';
|
|
||||||
|
|
||||||
locations."~ \.php(?:$|/)".extraConfig = ''
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
|
||||||
fastcgi_param HTTPS on;
|
|
||||||
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
|
|
||||||
fastcgi_pass unix:${config.services.phpfpm.pools.${domain}.socket};
|
|
||||||
fastcgi_intercept_errors on;
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Adding the cache control header for js and css files
|
|
||||||
# Make sure it is BELOW the location ~ \.php(?:$|/) block
|
|
||||||
locations."~* \.(?:css|js)$".extraConfig = ''
|
|
||||||
add_header Cache-Control "public, max-age=7200";
|
|
||||||
# Add headers to serve security related headers
|
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Robots-Tag none;
|
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
|
||||||
add_header X-Download-Options noopen;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies none;
|
|
||||||
|
|
||||||
# Optional: Don't log access to assets
|
|
||||||
access_log off;
|
|
||||||
'';
|
|
||||||
# Optional: Don't log access to other assets
|
|
||||||
locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
|
|
||||||
access_log off;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
services.phpfpm.pools."${domain}" = {
|
|
||||||
user = "nginx";
|
|
||||||
group = "nginx";
|
|
||||||
phpPackage = phpPackage;
|
|
||||||
settings = {
|
|
||||||
"listen.owner" = "nginx";
|
|
||||||
"pm" = "dynamic";
|
|
||||||
"pm.max_children" = 32;
|
|
||||||
"pm.max_requests" = 500;
|
|
||||||
"pm.start_servers" = 2;
|
|
||||||
"pm.min_spare_servers" = 2;
|
|
||||||
"pm.max_spare_servers" = 5;
|
|
||||||
"php_admin_value[error_log]" = "stderr";
|
|
||||||
"php_admin_flag[log_errors]" = "on";
|
|
||||||
"catch_workers_output" = true;
|
|
||||||
};
|
|
||||||
phpEnv."PATH" = lib.makeBinPath [ phpPackage ];
|
|
||||||
};
|
|
||||||
services.phpfpm.phpOptions = ''
|
|
||||||
opcache.enable=1
|
|
||||||
opcache.enable_cli=1
|
|
||||||
opcache.interned_strings_buffer=8
|
|
||||||
opcache.max_accelerated_files=10000
|
|
||||||
opcache.memory_consumption=128
|
|
||||||
opcache.save_comments=1
|
|
||||||
opcache.revalidate_freq=1
|
|
||||||
opcache.file_cache = .opcache
|
|
||||||
zend_extension=${phpPackage}/lib/php/extensions/opcache.so
|
|
||||||
|
|
||||||
display_errors = on
|
|
||||||
display_startup_errors = on
|
|
||||||
always_populate_raw_post_data = -1
|
|
||||||
error_reporting = E_ALL | E_STRICT
|
|
||||||
html_errors = On
|
|
||||||
date.timezone = "Europe/Berlin"
|
|
||||||
extension=${phpPackage}/lib/php/extensions/memcached.so
|
|
||||||
extension=${phpPackage}/lib/php/extensions/redis.so
|
|
||||||
extension=${phpPackage}/lib/php/extensions/apcu.so
|
|
||||||
'';
|
|
||||||
|
|
||||||
systemd.services."nextcloud-cron-${domain}" = {
|
|
||||||
serviceConfig = {
|
|
||||||
User = "nginx";
|
|
||||||
ExecStart = "${phpPackage}/bin/php -f ${root}/cron.php";
|
|
||||||
};
|
|
||||||
startAt = "*:0/15";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
in {
|
};
|
||||||
imports = [
|
|
||||||
( serveCloud [ "o.euer.krebsco.de" ] )
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
services.postgresql = {
|
||||||
services.redis.enable = true;
|
enable = true;
|
||||||
|
# Ensure the database, user, and permissions always exist
|
||||||
|
ensureDatabases = [ "nextcloud" ];
|
||||||
|
ensureUsers = [ { name = "nextcloud"; ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; } ];
|
||||||
|
};
|
||||||
|
|
||||||
#services.mysql = {
|
systemd.services."nextcloud-setup" = {
|
||||||
# enable = false;
|
requires = ["postgresql.service"];
|
||||||
# package = pkgs.mariadb;
|
after = ["postgresql.service"];
|
||||||
# rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
|
};
|
||||||
# initialDatabases = [
|
|
||||||
# # Or use writeText instead of literalExample?
|
|
||||||
# #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
|
|
||||||
# {
|
|
||||||
# name = "nextcloud";
|
|
||||||
# schema = pkgs.writeText "nextcloud.sql"
|
|
||||||
# ''
|
|
||||||
# create user if not exists 'nextcloud'@'localhost' identified by 'password';
|
|
||||||
# grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
|
|
||||||
# '';
|
|
||||||
# }
|
|
||||||
# ];
|
|
||||||
#};
|
|
||||||
|
|
||||||
# dataDir is only defined after mysql is enabled
|
|
||||||
#krebs.secret.files.mysql_rootPassword = {
|
|
||||||
# path = "${config.services.mysql.dataDir}/mysql_rootPassword";
|
|
||||||
# owner.name = "root";
|
|
||||||
# source-path = toString <secrets> + "/mysql_rootPassword";
|
|
||||||
#};
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user