
add nextcloud integration with ldap to the manual and nextcloud demo.

refs #17
This commit is contained in:
ibizaman 2024-01-06 09:43:30 -08:00 committed by Pierre Penninckx
parent 4a7e42abaa
commit 0a34140e34
7 changed files with 292 additions and 68 deletions

View file

@ -3,8 +3,9 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [15
lines](./flake.nix#L29-L45) of related code.
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [25
lines](./flake.nix#L31-L55) of related code. It also defines a Nextcloud server that integrates with
a [LDAP server](./flake.nix#L76-L143).
This guide will show how to deploy this setup to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
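Review bot: the new sentence relies on line-number anchors (`./flake.nix#L31-L55`, `./flake.nix#L76-L143`) that go stale silently the next time flake.nix is edited; link to the `basic` and `ldap` node definitions by name, or drop the line ranges, so the README does not point at the wrong code later. Minor wording: "a LDAP server" should be "an LDAP server".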
@ -54,10 +55,18 @@ You can ssh into the VM with, but this is not required for the demo:
ssh -F ssh_config example
```
Finally, deploy with:
Finally, we can deploy. To deploy a basic Nextcloud with only the Preview Generator app enabled,
run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
```
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
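Review bot: the two `colmena apply --on` commands should say explicitly that `basic` and `ldap` are alternative configurations for the same VM, not two steps to run one after the other; the text further down already treats them as alternatives ("If you deployed the `basic` target host ... Otherwise if you deployed the `ldap` target host"), but a reader following the page top to bottom at this point may run both. Minor wording: "with a LDAP service" should be "with an LDAP service".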
@ -80,11 +89,31 @@ $ cat /etc/hosts
127.0.0.1 n.example.com
```
Go to [http://n.example.com:8080](http://n.example.com:8080) and login with:
If you deployed the `ldap` target host, add instead:
```nix
networking.hosts = {
"127.0.0.1" = [ "n.example.com" "ldap.example.com" ];
};
```
If you deployed the `basic` target host, go to
[http://n.example.com:8080](http://n.example.com:8080) and login with:
- username: `root`
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`.
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
- username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
Create the group `nextcloud_user` and a user assigned to that group.
Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and
password you just created above.
Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you
might see errors loading scripts.
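Review bot: the LDAP walkthrough should say why the group name matters: the Nextcloud LDAP app in this commit is configured with `userGroup = "nextcloud_user"`, so a user created in LLDAP outside that group will not be able to log in, and the demo should state that rather than leave the reader to diagnose a failed login. Minor wording: "login with" used as a verb should be "log in with" (three occurrences in this hunk).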
@ -92,9 +121,9 @@ might see errors loading scripts.
### Files {#demo-nextcloud-files}
- [`flake.nix`](./flake.nix): nix entry point, defines one target host for
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for
setting up the Nextcloud service.
- [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting
up Nextcloud and the auxiliary services.
- [`configuration.nix`](./configuration.nix): defines all configuration required for colmena
to deploy to the VM. The file has comments if you're interested.
- [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout.
@ -150,6 +179,9 @@ nextcloud:
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
onlyoffice:
jwt_secret: XYZ...
lldap:
user_password: c2e32e54ea3e0053eb30841f818a3d9a
jwt_secret: 3b19030938608881dc1d2cb2753d9778
```
To open the `secrets.yaml` file and optionnally edit it, run:

View file

@ -35,11 +35,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1703255338,
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
"lastModified": 1704194953,
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
"type": "github"
},
"original": {
@ -51,11 +51,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1703351344,
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
"lastModified": 1703950681,
"narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
"rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
"type": "github"
},
"original": {
@ -67,11 +67,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1703134684,
"narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
"lastModified": 1703499205,
"narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
"rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870",
"type": "github"
},
"original": {
@ -111,12 +111,12 @@
"sops-nix": "sops-nix"
},
"locked": {
"lastModified": 1703575610,
"narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=",
"owner": "ibizaman",
"repo": "selfhostblocks",
"rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea",
"type": "github"
"dirtyRev": "a634a42e48484e061b8fe6f8542ecb9c830f15ac-dirty",
"dirtyShortRev": "a634a42-dirty",
"lastModified": 1704528621,
"narHash": "sha256-wQ/vW3o89ryMIkqGx8XDSujRUnhpOfXrTBnJAp6IW8s=",
"type": "git",
"url": "file:///home/timi/Projects/selfhostblocks"
},
"original": {
"owner": "ibizaman",
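Review bot: the `selfhostblocks` input is now locked to a local, dirty working copy (`"type": "git"`, `"url": "file:///home/timi/Projects/selfhostblocks"`, `"dirtyRev": "...-dirty"`) instead of a GitHub revision; this lock will not resolve on any other machine and is not reproducible, so it must be re-locked against a pushed commit before merge, restoring the `owner`/`repo`/`rev`/`type: github` shape of the removed entry. It also leaks a developer's home directory path into the repository.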
@ -130,11 +130,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1703387502,
"narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
"lastModified": 1703991717,
"narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
"rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
"type": "github"
},
"original": {

View file

@ -14,7 +14,7 @@
specialArgs = inputs;
};
myserver = { config, ... }: {
basic = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
@ -39,6 +39,10 @@
externalFqdn = "n.example.com:8080";
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
@ -54,6 +58,94 @@
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
};
ldap = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
dataDir = "/var/lib/nextcloud";
tracing = null;
# This option is only needed because we do not access Nextcloud at the default port in the VM.
externalFqdn = "n.example.com:8080";
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
key = "lldap/user_password";
mode = "0400";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
};
};
};
}
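Review bot: the `ldap` node duplicates the whole `basic` node (imports, `deployment`, `shb.nextcloud`, the `nextcloud/adminpass` secret, the nginx log settings) and only adds the `shb.ldap` block and the `apps.ldap` attribute; factor the shared part into a common module that both nodes import, otherwise the two definitions will drift. Two smaller points: `nextcloud/ldap_admin_password` is keyed to `lldap/user_password`, so the LLDAP administrator password is handed to Nextcloud as its bind credential (`adminName = "admin"`); acceptable for a demo, but the comment should say a real deployment would use a dedicated read-only bind user. And the secret modes differ (`"0440"` for `nextcloud/adminpass`, `"0400"` for the LDAP password) with no stated reason.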

View file

@ -1,7 +1,10 @@
nextcloud:
adminpass: ENC[AES256_GCM,data:3FXgVNzKAKrQxoDmRIq188YYrfiEEyYqU3lgwydXHp4=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:nBt+8ciDRBiUzg3JEmiYnw==,type:str]
adminpass: ENC[AES256_GCM,data:667e6562Q1SSZRKLMgur1viGd8+MmjU6Oz/DzQ4GLHI=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:5APQH+snOUJ8UPXaIdqR5w==,type:str]
onlyoffice:
jwt_secret: ENC[AES256_GCM,data:+6qLNuOaFYRT092i1mkboi4DswEbcv/5+fQ0TpTCMkToWtNoxce5FyLoYpJoJIG3Kg5rrpNkfUYDugG9/5KWFu+31h8i8JdsxyiG0GGjtMbaUCzgiUyL+apMxl4S2b6jS2tGoExZhbgDFErE3p/wM5JTic1DE5HsFQr/49JI78w=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:/Z6oSecHHhZVx/jpbx4Wgw==,type:str]
jwt_secret: ENC[AES256_GCM,data:5TMDyySlsAHN1DfJLEJXt5jg7r2Gd8RVmLv4T44ye+2B71r6CWew8tcaYybFXT8aXrmVjOcBkVjBlFJ6B3ozkajtZC3teXCUzG+hlKGdN+Oyvd1+WXJO2USk1pREKc4kGwVvYr02lM1PEVLUokh/j/wmL1uFsAYM9482ik5veYg=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:hYRtuqE7ygjHc6zHOz5kBQ==,type:str]
lldap:
user_password: ENC[AES256_GCM,data:qZO3L7IM9UJ7iR7Q2bdDfY1wmt3TEWLR8NK3rXdojN4=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:KwJFHd85kkm8YGH3NtqanA==,type:str]
jwt_secret: ENC[AES256_GCM,data:oCrUTEYO8oETPd8XHq1DiLCSzeRAnrkty3gyo8dxk5c=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:JZUjCbo7CdCmJYJrrsosxQ==,type:str]
sops:
kms: []
gcp_kms: []
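Review bot: the `adminpass` and `onlyoffice.jwt_secret` entries change their `data` and `tag` but keep exactly the same `iv` as before (`KoxmL9tL...` and `TFs+fTlM...`). That is only safe if the sops data key was rotated at the same time, which the rewritten recipient entries in the next hunk suggest; please confirm this was a `sops rotate` (fresh data key) rather than a re-encryption under the old key, because AES-GCM must never reuse a nonce under the same key for different plaintexts.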
@ -11,32 +14,50 @@ sops:
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRFc0aGZxa1RaWmZ4SlRk
c2MweTlQdGNQZE1VTDhrTHUzZ2pocUJFWEhNCndjcHB2elp0Zk1MbEFKTzN6a3pI
amdmSERWRFU4dzY1ck5MUE14SXV2c1UKLS0tIFk2MktiV1ljb3E3aXBFdTVlNUk0
QWZUZWc4amJFVkkxb0tPc1FmeklTNFEK1Pqwg8AI2yw3y9dU9p6Mx2bhKb3lUPt7
WhyWZbRT4zKjkcUp2NazqMKM35ru5i0037praFJgz05zkStn6twMqA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObnkzVkdmUnhyOG1vNE04
ZmExS1RkVE5qUm83aVk1bGtTbmo5bGhsc3pBCnNMWjN5cStVRWNlTUVmWi9BQ2py
NEswQS9xNGtPZGdQRWdzWDV1RnJNbGsKLS0tIC8yQW9ZazlNTm80d0l5bEo0M2lW
QnVXMUpXcUFZRWhpUHJjOFZjWGFYSFkKomaixOjgaD1LubawJVhWAgVqjOkpc9+2
xNHKlgBEXDnBeMK9BgPgYIRk8ce79rxuqwaOAPqrEmPsafvoxZq5Wg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckF2U0NLaXhsaGVtcms2
bWZWN1RLQXh3VXRHTzQyM20wTFd0NVA5WTFBCjZvcXlDQS81NXhFRmlHZVV4WHRT
VUhteXIyc1dtRE1OZmk1MmVaM3VzSkEKLS0tIGgrYzFaRkdwMnNEc1F1MGNwQjVx
U3RwYXR6elZ4YTFTNGk4dDVuaUhDUjQKfkIG0oDVqDfSZCxHOZThFlY2V0KpXwBY
D7eodJ26fjJBAaqbvZkWF/BMCKTpAs4cQEHIW70yu6c+kMdV10D9fA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndGErUWt4M3BtR3dVT2lo
SmY1M0k0bkxEcGNxNkdYZDFVaUVIaFA0blhNCm9oWmVyRlJ4eVlxM2l0anhrMERz
RTZ1Z1dINDZZdGN3UUJweWRjRWUyT1UKLS0tIGl1dUNwU0ZSRFhwUENIbHhGT3VP
MTlZVFVtbEFnV1pJTTRjV2pqRnUrYW8KXTdes+gb8h7PL0l34rnRKtPvIr3tUJKZ
UfD+/e3I/+Gw4IpCvIpMoBBT0bxyyMJROKo4oP9GTIrbw5fHV9+bcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cm5oRXpPTER3a0djWVov
b2E3UjVNQnNKdFVxZnpkN0l6MjdkdDdXbkZrCk1nQ3Z3Y1psZmdRelJsZkRmV2Zk
WWVXMVplL0gxRDFlemhGQVp3eDhuajgKLS0tIGMxQVJjc0xkOVIrSzFYNXk0MHNM
aHg3S3MycVJTcVZvR0hYZ1RXelhqcWMKsb4tbh/q/XDdDmwkxLvaa5olDjYIGIVH
oZSqSF4ws7bRPTX8WAFFyoRw2kcZyc41WfBY1/8DcBKE/SHe5TKPEg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTjZiZkl3QnUzYkxjSzYr
NDVEcWROZDNVV0tUbWVOTUhQWE5LenBrU2c4CmRHcTlkamtibVhOU1dTOTlIanFp
MUt1dnJpR2RUVGwwbTBaYnpXdE1XOHMKLS0tIGJ2YlRMQXpXVlpJRExOdUZ2MDJ6
WVJMRFMvYkFJenhlQjVGRlZsYlpLdFUKGQmMb2aZKvWnBp4hKAdBZnQMW+pLZC9t
FJCAxZpFEaq22Zthe2dvh1v8X51Jde7bkylL2Z6CcuCLYkPgHhOgCw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-22T07:04:41Z"
mac: ENC[AES256_GCM,data:J9EsLR+Rr23io0zx7NnHahds3Y4PNGgKoooLb4hXXeu/sORz+IWALhnF35SHsZaAAvwdCtjy5G7jrryRMKWGXy1uMs7WcsDGtI36Q9DVBuUav8gLWes0NEMv62nKrruS1zMcgYQdEPo7AL3sadbQxusEQNbhVfGxbiPXE9U3sfE=,iv:EpwwUnIhQeIHB13GBHFYELMeo36Qm45G382wQTcE8FM=,tag:Jb9C28oQjzsGVE1oFJzIBg==,type:str]
- recipient: age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazRkcVBvT0NGYk1nUjdK
V1o5V3VaYjY4YTNmYlpQUkZNV1lZN0JSSXdBCngrdjd3T1RHK1dOQUd6alFVQkhm
blRPNlg5T2xQVThqNzAybkk5U2VrQmMKLS0tIGVOVFlpNlIzcG9BY0R5UVMrUTk0
YzM4cTdoOHFzUGREZnBBTkFHZ2hQNVkKvZefP0yX08wSaXSvNh5NH+lUu4GvDeVQ
ieagXUh5IYmpZ6W8+Ifz3DqbLTELpLCdL45yj8ChoVkEGGGt2XHiiw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZHZEU3RnKzYrTWovSUNu
aUszcHFxMVBqMnpiV3d3d3lNQk40TjdSdTNnCjluSUNpeTg0QUUxYkhPeHRubFE4
cEVOcFU4eUwvZitwN3JESUFoWnlCcFEKLS0tIElTN2J2M3ZhUUgxbGlWY242YkNF
UlFuMGFVeElOdGVwL0NReXhFVDJOZzgKTROtZpvVl+d1wfuf7otaIo6nDdVzsQ9O
kT+S01M2kC2gX+oDAcD20cNJdwnD/ETCdTk93qxpX1jAtDiz1WBSmg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-06T09:06:26Z"
mac: ENC[AES256_GCM,data:pitmTT1egqTEOI4fEsaE/kpLOdPjO3AHwNIUB4MYp9E8GeD+AOkX7U/KwOailC245wqGNNzCDJn7PD/IZ93cOXcsdMuhKUg/QNogz337DIioeFxx+Vf50mFv44Lf1Vtu7MG80zOXVHrmls/hb+E4HL55OujWmEKXWodeECvgfpw=,iv:57716xGcpRNxGdnihH7qbr8/I7t0MWYIbh3PoxqDZBo=,tag:qqA7nEbSPrpWBwZyuOWN8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -211,8 +211,7 @@ shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfol
## Demo {#blocks-backup-demo}
Head over to the [Home Assistant demo](demo-homeassistant.html) for a demo that installs Home
Assistant on a VM with minimal manual steps.
[WIP]
## Monitoring {#blocks-backup-monitoring}
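Review bot: replacing the Home Assistant demo paragraph with a bare `[WIP]` leaves the Demo heading with no content; if that demo page no longer exists, say so in one sentence, or drop the section until a demo exists.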

View file

@ -277,7 +277,21 @@ in
tracing = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Enable xdebug tracing.";
description = ''
Enable xdebug tracing.
To trigger writing a trace to `/var/log/xdebug`, add a the following header:
```
XDEBUG_TRACE <shb.nextcloud.tracing value>
```
The response will contain the following header:
```
x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484
```
'';
default = null;
example = "debug_me";
};
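Review bot: the new description should state that the `tracing` value acts as a shared secret: any client that sends the `XDEBUG_TRACE` trigger with that value makes PHP write a trace into `/var/log/xdebug`, which costs CPU and disk and can record request data, so the option should stay at its `null` default outside of active debugging and the chosen value should be less guessable than the `debug_me` example. Typo in the new text: "add a the following header" should be "add the following header".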
@ -534,9 +548,6 @@ in
echo "Using configId $CONFIG_ID"
CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"
# The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
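Review bot: removing the comment that cites `https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way` drops the only pointer to where the CLI commands that follow come from; keep the reference, either as a comment here or in the module documentation, so the settings can be checked against the upstream example later.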

View file

@ -8,12 +8,10 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
- Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need
to configure those with the UI.
- LDAP app: enables app and sets up integration with an existing LDAP server. The defaults are
suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building
block](./block-ldap.html).
- [Preview Generator](https://apps.nextcloud.com/apps/previewgenerator) app: enables app and sets
- [LDAP](#services-nextcloud-server-usage-ldap) app: enables app and sets up integration with an existing LDAP server.
- [Preview Generator](#services-nextcloud-server-usage-previewgenerator) app: enables app and sets
up required cron job.
- [Only Office](https://apps.nextcloud.com/apps/onlyoffice) app: enables app and sets up Only
- [Only Office](#services-nextcloud-server-usage-onlyoffice) app: enables app and sets up Only
Office service.
- Any other app through the
[shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option.
@ -37,7 +35,9 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
## Usage {#services-nextcloud-server-usage}
### Minimal {#services-nextcloud-server-usage-minimal}
### Basic Configuration {#services-nextcloud-server-usage-basic}
This section corresponds to the `basic` target host defined in the [flake.nix](./flake.nix) file.
This will set up a Nextcloud service that runs on the NixOS target machine, reachable at
`http://nextcloud.example.com`. If the `shb.ssl` block is [enabled](block-ssl.html#usage), the
@ -69,6 +69,59 @@ sops.secrets."nextcloud/adminpass" = {
};
```
### With LDAP Support {#services-nextcloud-server-usage-ldap}
This section corresponds to the `ldap` target host defined in the [flake.nix](./flake.nix) file. The same information from the [basic](#services-nextcloud-server-usage-basic) section applies, so please read that first.
This target host uses the LDAP block provided by Self Host Blocks to setup a
[LLDAP](https://github.com/lldap/lldap) service.
```nix
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
```
We also need to configure the `nextcloud` Self Host Blocks service to talk to the LDAP server we
just defined:
```nix
shb.nextcloud.apps.ldap
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
```
It's nice to be able to reference a options that were defined in the ldap block.
### Tweak PHPFpm Config {#services-nextcloud-server-usage-phpfpm}
```nix
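Review bot: the second snippet in the "With LDAP Support" section is not valid Nix as written: its first line `shb.nextcloud.apps.ldap` is missing ` = {` and should read `shb.nextcloud.apps.ldap = {`. The snippet also references `config.sops.secrets."nextcloud/ldap_admin_password".path` without showing the `sops.secrets."nextcloud/ldap_admin_password"` definition that the flake.nix change adds (keyed to `lldap/user_password`); include it so the section is self-contained. Wording: "to setup a [LLDAP] service" should be "to set up an LLDAP service", and "reference a options" should be "reference options".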
@ -108,21 +161,36 @@ shb.nextcloud.postgresSettings = {
TODO
### Enable OnlyOffice Server {#services-nextcloud-server-usage-onlyoffice}
### Enable Preview Generator App {#services-nextcloud-server-usage-previewgenerator}
The following snippets sets up an onlyoffice instance listening at `onlyoffice.example.com` that
only listens on the local nextwork.
The following snippet installs and enables the [Preview
Generator](https://apps.nextcloud.com/apps/previewgenerator) application as well as creates the
required cron job that generates previews every 10 minutes.
```nix
shb.nextcloud.onlyoffice = {
shb.nextcloud.apps.previewgenerator.enable = true;
```
Note that you still need to generate the previews for any pre-existing files with:
```bash
nextcloud-occ -vvv preview:generate-all
```
### Enable OnlyOffice App {#services-nextcloud-server-usage-onlyoffice}
The following snippet installs and enables the [Only
Office](https://apps.nextcloud.com/apps/onlyoffice) application as well as sets up an Only Office
instance listening at `onlyoffice.example.com` that only listens on the local network.
```nix
shb.nextcloud.apps.onlyoffice = {
enable = true;
subdomain = "onlyoffice";
localNextworkIPRange = "192.168.1.1/24";
};
```
You still need to install the OnlyOffice integration in Nextcloud UI. Setting up the integration
declaratively is WIP.
Also, you will need to explicitly allow the package `corefonts`:
```nix
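Review bot: please check the attribute name `localNextworkIPRange` against the option definition in the module; the removed prose had the "nextwork" typo and it looks like it has been carried into the attribute name, which would make the snippet fail to evaluate. Independently, `192.168.1.1/24` is a host address with a prefix length; the network is `192.168.1.0/24`, and the example should use the network form so readers do not copy an ambiguous value. The sentence "You still need to install the OnlyOffice integration in Nextcloud UI" also sits uneasily next to the feature list at the top of this file, which says the app is enabled declaratively; state which part is still manual.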
@ -133,7 +201,8 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg)
### Enable Monitoring {#services-nextcloud-server-server-usage-monitoring}
Enable the [monitoring block](./blocks-monitoring.html).
Enable the [monitoring block](./blocks-monitoring.html). The metrics will automatically appear in
the corresponding dashboards.
### Enable Tracing {#services-nextcloud-server-server-usage-tracing}
@ -151,8 +220,8 @@ how to look at the traces.
## Demo {#services-nextcloud-server-demo}
Head over to the [Nextcloud demo](demo-nextcloud.html) for a demo that installs Nextcloud on a VM
with minimal manual steps.
Head over to the [Nextcloud demo](demo-nextcloud-server.html) for a demo that installs Nextcloud with or
without LDAP integration on a VM with minimal manual steps.
## Maintenance {#services-nextcloud-server-maintenance}
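Review bot: the demo link changes from `demo-nextcloud.html` to `demo-nextcloud-server.html`, but the demo README touched in this same commit still uses `demo-nextcloud-` anchors (`{#demo-nextcloud-files}`); confirm that the generated page name really changed, otherwise this becomes a dead link.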