stuebinm
a04a3c917f
this appears to break nix in a way in which nix should not be possible to break.
140 lines
3.9 KiB
Nix
140 lines
3.9 KiB
Nix
# TODOs before actually using this
|
||
# - change root auth to use adminpassFile
|
||
# - figure out how to use multiple pools (do we need this?)
|
||
# - how to enable ldap?
|
||
#
|
||
# Additional notes:
|
||
# - there is a services.nextcloud.phpExtraExtensions, which may be
|
||
# useful for this, but it's only in nixos-unstable for now
|
||
# - there's a services.nextcloud.autoUpdateApps – do we trust nextcloud
|
||
# enough to enable it, or will everything break if we do?
|
||
|
||
|
||
|
||
{pkgs, config, ...}:
|
||
|
||
{
|
||
|
||
containers.nextcloud = {
|
||
|
||
autoStart = true;
|
||
privateNetwork = true;
|
||
hostAddress = "192.168.110.1";
|
||
localAddress = "192.168.110.10";
|
||
|
||
config = { pkgs, ... }: {
|
||
|
||
environment.systemPackages = [ pkgs.htop ];
|
||
|
||
imports = [ ../../../modules/nextcloud.nix ];
|
||
|
||
services.nextcloud-patched = {
|
||
enable = true;
|
||
|
||
# must be set manually; may not be incremented by more than one at
|
||
# a time, otherwise nextcloud WILL break
|
||
package = pkgs.nextcloud21;
|
||
|
||
hostName = "cloud2.infra4future.de";
|
||
config = {
|
||
dbtype = "pgsql";
|
||
dbuser = "nextcloud";
|
||
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
||
dbname = "nextcloud";
|
||
# there's also a adminpassFile option, but for testing this seems
|
||
# enough (less fiddling with getting the file into a nixos
|
||
# container for ad-hoc setups)
|
||
adminpass = "lushfjwebrwhjebr";
|
||
adminuser = "root";
|
||
};
|
||
|
||
caching.redis = true;
|
||
|
||
# multiple pools may be doable using services.phpfpm.pools,
|
||
# but i have not tried this yet. The nextcloud module defines a
|
||
# pool "nextcloud"
|
||
poolSettings = {
|
||
pm = "dynamic";
|
||
"pm.max_children" = "32";
|
||
"pm.max_requests" = "500";
|
||
"pm.max_spare_servers" = "4";
|
||
"pm.min_spare_servers" = "2";
|
||
"pm.start_servers" = "2";
|
||
};
|
||
|
||
extraOptions = {
|
||
instanceid = "ocxlphb7fbju";
|
||
redis = {
|
||
host = "/run/redis/redis.sock";
|
||
port = 0;
|
||
dbindex = 0;
|
||
password = "secret";
|
||
timeout = 1.5;
|
||
};
|
||
datadirectory = "/mnt/ncdata";
|
||
mail_smtpmode = "smtp";
|
||
mail_smtpsecure = "ssl";
|
||
mail_sendmailmode = "smtp";
|
||
mail_from_address = "noreply";
|
||
mail_domain = "infra4future.de";
|
||
mail_smtpauthtype = "PLAIN";
|
||
mail_smtpauth = 1;
|
||
mail_smtphost = "mail.hacc.space";
|
||
mail_smtpport = 465;
|
||
mail_smtpname = "noreply@infra4future.de";
|
||
loglevel = 0;
|
||
};
|
||
|
||
# passwordsalt, secret, and mail_smtppassword go in here
|
||
secretFile = "/secret/secrets.json";
|
||
|
||
};
|
||
|
||
services.redis = {
|
||
enable = true;
|
||
unixSocket = "/var/run/redis/redis.sock";
|
||
};
|
||
|
||
services.postgresql = {
|
||
enable = true;
|
||
ensureDatabases = [ "nextcloud" ];
|
||
ensureUsers = [
|
||
{ # by default, postgres has unix sockets enabled, and allows a
|
||
# system user `nextcloud` to log in without other authentication
|
||
name = "nextcloud";
|
||
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
||
}
|
||
];
|
||
};
|
||
|
||
# ensure that postgres is running *before* running the setup
|
||
systemd.services."nextcloud-setup" = {
|
||
requires = ["postgresql.service"];
|
||
after = ["postgresql.service"];
|
||
};
|
||
|
||
networking.firewall.enable = false;
|
||
|
||
services.coredns = {
|
||
enable = true;
|
||
config = ''
|
||
.:53 {
|
||
forward . 1.1.1.1
|
||
}
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
|
||
services.nginx.virtualHosts."cloud2.infra4future.de" = {
|
||
locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
};
|
||
|
||
|
||
networking.nat.enable = true;
|
||
networking.nat.internalInterfaces = ["ve-nextcloud"];
|
||
networking.nat.externalInterface = "enp6s0";
|
||
|
||
}
|