haccfiles/hosts/hainich/services/nextcloud.nix

110 lines
3.1 KiB
Nix
Raw Permalink Normal View History

# TODOs before actually using this
# - change root auth to use adminpassFile
# - figure out how to use multiple pools (do we need this?)
# - how to enable ldap?
#
# Additional notes:
# - there is a services.nextcloud.phpExtraExtensions, which may be
# useful for this, but it's only in nixos-unstable for now
# - there's a services.nextcloud.autoUpdateApps do we trust nextcloud
# enough to enable it, or will everything break if we do?
{pkgs, config, ...}:
{
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress6 = "fd00::10:1";
localAddress6 = "fs00::10:2";
config = { pkgs, ... }: {
environment.systemPackages = [ pkgs.htop ];
imports = [ ./nextcloud-module.nix ];
services.nextcloud-patched = {
enable = true;
# must be set manually; may not be incremented by more than one at
# a time, otherwise nextcloud WILL break
package = pkgs.nextcloud21;
hostName = "cloud2.infra4future.de";
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
# there's also a adminpassFile option, but for testing this seems
# enough (less fiddling with getting the file into a nixos
# container for ad-hoc setups)
adminpass = "root";
adminuser = "root";
};
caching.redis = true;
# multiple pools may be doable using services.phpfpm.pools,
# but i have not tried this yet. The nextcloud module defines a
# pool "nextcloud"
poolSettings = {
pm = "dynamic";
"pm.max_children" = "32";
"pm.max_requests" = "500";
"pm.max_spare_servers" = "4";
"pm.min_spare_servers" = "2";
"pm.start_servers" = "2";
};
extraOptions = ''
'redis' => array(
'host' => '/run/redis/redis.sock',
'port' => 0,
'dbindex' => 0,
'password' => 'secret',
'timeout' => 1.5,
),
'';
};
services.redis = {
enable = true;
unixSocket = "/var/run/redis/redis.sock";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{ # by default, postgres has unix sockets enabled, and allows a
# system user `nextcloud` to log in without other authentication
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}
];
};
# ensure that postgres is running *before* running the setup
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
};
services.nginx.virtualHosts."cloud2.infra4future.de" = {
locations."/".proxyPass = "http:[${config.containers.nextcloud.localAddress6}]";
enableACME = true;
forceSSL = true;
};
}