haccfiles/hosts/hainich/services/nextcloud.nix
stuebinm a04a3c917f
nextcloud: add network to container
this appears to break nix in a way in which nix should not be possible to break.
2021-04-20 23:16:14 +02:00



# TODOs before actually using this
# - change root auth to use adminpassFile
# - figure out how to use multiple pools (do we need this?)
# - how to enable ldap?
#
# Additional notes:
# - there is a services.nextcloud.phpExtraExtensions, which may be
# useful for this, but it's only in nixos-unstable for now
# - there's a services.nextcloud.autoUpdateApps option; do we trust nextcloud
# enough to enable it, or will everything break if we do?
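{pkgs, config, ...}:
{
  # The nextcloud instance lives in its own nixos-container on a private veth
  # link (192.168.110.0/24): the host NATs it outwards, and nginx on the host
  # terminates TLS and proxies plain http to port 80 inside the container.
  containers.nextcloud = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.110.1";
    localAddress = "192.168.110.10";
    config = { pkgs, ... }: {
      environment.systemPackages = [ pkgs.htop ];
      imports = [ ../../../modules/nextcloud.nix ];
      services.nextcloud-patched = {
        enable = true;
        # must be set manually; may not be incremented by more than one at
        # a time, otherwise nextcloud WILL break
        package = pkgs.nextcloud21;
        hostName = "cloud2.infra4future.de";
        config = {
          dbtype = "pgsql";
          dbuser = "nextcloud";
          dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
          dbname = "nextcloud";
          # The admin password is read from a file inside the container rather
          # than written into this expression: a literal here ends up in git
          # history and most likely in the world-readable nix store. The path
          # is a PLACEHOLDER -- put the file in place (root only, mode 0600)
          # the same way the secretFile below gets into the container.
          adminpassFile = "/secret/nextcloud-adminpass";
          adminuser = "root";
        };
        caching.redis = true;
        # multiple pools may be doable using services.phpfpm.pools,
        # but i have not tried this yet. The nextcloud module defines a
        # pool "nextcloud"
        poolSettings = {
          pm = "dynamic";
          "pm.max_children" = "32";
          "pm.max_requests" = "500";
          "pm.max_spare_servers" = "4";
          "pm.min_spare_servers" = "2";
          "pm.start_servers" = "2";
        };
        # everything in here goes into nextcloud's config.php as-is
        extraOptions = {
          instanceid = "ocxlphb7fbju";
          redis = {
            # the socket services.redis creates below (/var/run is /run on NixOS)
            host = "/run/redis/redis.sock";
            port = 0; # 0 selects the unix socket
            dbindex = 0;
            # NOTE(review): services.redis below sets no requirePass, so redis
            # never verifies this value; confirm that an AUTH against an
            # unauthenticated redis is tolerated by the redis version in use,
            # or drop the key (if redis auth is added later, the real password
            # belongs in secretFile, not here).
            password = "secret";
            timeout = 1.5;
          };
          datadirectory = "/mnt/ncdata";
          # nginx on the host terminates TLS and talks plain http to the
          # container, so nextcloud has to be told the public scheme (else it
          # tends to build http:// redirect URLs) and which proxy it may
          # believe about the client address (else every request appears to
          # come from 192.168.110.1, which defeats per-client rate limiting
          # and makes the logs useless). Only the host end of the veth link
          # is trusted.
          overwriteprotocol = "https";
          trusted_proxies = [ "192.168.110.1" ];
          mail_smtpmode = "smtp";
          mail_smtpsecure = "ssl";
          mail_sendmailmode = "smtp";
          mail_from_address = "noreply";
          mail_domain = "infra4future.de";
          mail_smtpauthtype = "PLAIN";
          mail_smtpauth = 1;
          mail_smtphost = "mail.hacc.space";
          mail_smtpport = 465;
          mail_smtpname = "noreply@infra4future.de";
          # 0 = debug: very verbose and includes request details; fine while
          # bringing this up, raise to 2 (warning) before real users log in
          loglevel = 0;
        };
        # passwordsalt, secret, and mail_smtppassword go in here
        secretFile = "/secret/secrets.json";
      };
      services.redis = {
        enable = true;
        unixSocket = "/var/run/redis/redis.sock";
      };
      services.postgresql = {
        enable = true;
        ensureDatabases = [ "nextcloud" ];
        ensureUsers = [
          { # by default, postgres has unix sockets enabled, and allows a
            # system user `nextcloud` to log in without other authentication
            name = "nextcloud";
            ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
          }
        ];
      };
      # ensure that postgres is running *before* running the setup
      systemd.services."nextcloud-setup" = {
        requires = ["postgresql.service"];
        after = ["postgresql.service"];
      };
      # The container sits behind the host's NAT and is only reached through
      # the host's nginx; still, nothing in here needs more than port 80
      # reachable from the host, so keeping the firewall on with
      # allowedTCPPorts = [ 80 ] is the tighter setting once the networking
      # issues are sorted out.
      networking.firewall.enable = false;
      services.coredns = {
        enable = true;
        config = ''
          .:53 {
            forward . 1.1.1.1
          }
        '';
      };
    };
  };
  services.nginx.virtualHosts."cloud2.infra4future.de" = {
    locations."/" = {
      proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
      # pass the public host name (nextcloud checks it against its trusted
      # domains), the client address and the scheme through to the container;
      # nextcloud honours the forwarded headers only because this host is
      # listed in trusted_proxies in the container config
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
    enableACME = true;
    forceSSL = true;
  };
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-nextcloud"];
  networking.nat.externalInterface = "enp6s0";
}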