From 43f35eb256a0e541e481f7dc7adcdec55e769ecf Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Fri, 12 Feb 2021 00:05:57 +0100
Subject: [PATCH] First draft for a nextcloud deployment on nix Things to note: - DO NOT DEPLOY THIS - use nixos-container for testing instead I've played around with nextcloud on NixOS, essentially following the examples given in the NixOS manual and searching through some of the other options. Nextcloud itself works fine with this setup, as does its database (postgres), and most of the other basic stuff. However, the nextcloud module as it currently exists appears to be fairly limited and incomplete in its capabilities, e.g. lack of options for redis or multiple php pools; in general, it lacks extraOptions-hooks. For redis the documentation even explicitely notes (in caching.redis) that redis requires additional options set in `config.php`, but it appears these cannot currently be set using nix. I guess we have as options: - I missed something and it does in fact work - we can wait for later versions; looks like 21.03 will add at least *some* more - we can fork the module and add options ourselves - we can configure it nextcloud by manually editing `config.php`, as it's not actually inside the nix store but at /var/lib/nextcloud/config (veto) See comments for additional notes and todos.
---
 hosts/hainich/services/nextcloud.nix | 82 ++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 hosts/hainich/services/nextcloud.nix
diff --git a/hosts/hainich/services/nextcloud.nix b/hosts/hainich/services/nextcloud.nix
new file mode 100644
index 0000000..477f8dd
--- /dev/null
+++ b/hosts/hainich/services/nextcloud.nix
@@ -0,0 +1,82 @@
+# TODOs before actually using this
+# - change root auth to use adminpassFile
+# - figure out how to enable redis caching
+# - figure out how to use multiple pools (do we need this?)
+# - how to enable ldap?
+# - move this into a container (only reason it's not in one already is
+# to make testing easy; just run the following for a local test:
+# `nixos-container create nextcloud --config-file nextcloud.nix`
+#
+# Additional notes:
+# - there is a services.nextcloud.phpExtraExtensions, which may be
+# useful for this, but it's only in nixos-unstable for now
+# - there's a services.nextcloud.autoUpdateApps – do we trust nextcloud
+# enough to enable it, or will everything break if we do?
+
+{ pkgs, ... }:
+{
+
+ environment.systemPackages = [ pkgs.htop ];
+
+ services.nextcloud = {
+ enable = true;
+
+ # must be set manually; may not be incremented by more than one at
+ # a time, otherwise nextcloud WILL break
+ package = pkgs.nextcloud20;
+
+ hostName = "10.233.2.2";
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ # there's also a adminpassFile option, but for testing this seems
+ # enough (less fiddling with getting the file into a nixos
+ # container for ad-hoc setups)
+ adminpass = "root";
+ adminuser = "root";
+ };
+
+ caching.redis = true;
+
+ # multiple pools may be doable using services.phpfpm.pools,
+ # but i have not tried this yet. The nextcloud module defines a
+ # pool "nextcloud"
+ poolSettings = {
+ pm = "dynamic";
+ "pm.max_children" = "32";
+ "pm.max_requests" = "500";
+ "pm.max_spare_servers" = "4";
+ "pm.min_spare_servers" = "2";
+ "pm.start_servers" = "2";
+ };
+
+ };
+
+ # TODO: this needs extra stuff in config.php, which right now can't
+ # be configured using this module. Perhaps we could fork it?
+ services.redis = {
+ enable = true;
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { # by default, postgres has unix sockets enabled, and allows a
+ # system user `nextcloud` to log in without other authentication
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ # ensure that postgres is running *before* running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
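Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` at the end of the file opens 443, but nothing in the file enables TLS on the nginx virtual host that, as far as I can tell, the nextcloud module sets up for `hostName`, so as written the instance serves plain HTTP only and the `root`/`root` admin login travels in clear. For a throwaway container test that is acceptable, but before any real use set `services.nextcloud.https = true;` and `services.nginx.virtualHosts.${config.services.nextcloud.hostName}.forceSSL = true;` together with a certificate (`sslCertificate`/`sslCertificateKey`, or `enableACME` once a DNS name replaces the IP), which also requires `config` in the `{ pkgs, ... }:` argument set. Until then, dropping 443 from the list keeps the firewall from advertising a port with no listener. On the `adminpass = "root"` line, the reason behind the `adminpassFile` TODO at the top is worth recording: a literal in the Nix expression ends up in the world-readable `/nix/store` on every host that evaluates it, whereas `adminpassFile` points at a path that stays outside the store.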