From 0a34140e34053c1f489d22d4af6e4a499d4d2948 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 6 Jan 2024 09:43:30 -0800 Subject: [PATCH] add nextcloud integration with ldap to the manual and nextcloud demo. refs #17 --- demo/nextcloud/README.md | 48 +++++++-- demo/nextcloud/flake.lock | 36 +++---- demo/nextcloud/flake.nix | 94 +++++++++++++++- demo/nextcloud/secrets.yaml | 59 ++++++---- modules/blocks/backup/docs/default.md | 3 +- modules/services/nextcloud-server.nix | 19 +++- .../services/nextcloud-server/docs/default.md | 101 +++++++++++++++--- 7 files changed, 292 insertions(+), 68 deletions(-) diff --git a/demo/nextcloud/README.md b/demo/nextcloud/README.md index a3b47a0..fedeac2 100644 --- a/demo/nextcloud/README.md +++ b/demo/nextcloud/README.md @@ -3,8 +3,9 @@ **This whole demo is highly insecure as all the private keys are available publicly. This is only done for convenience as it is just a demo. Do not expose the VM to the internet.** -The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [15 -lines](./flake.nix#L29-L45) of related code. +The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [25 +lines](./flake.nix#L31-L55) of related code. It also defines a Nextcloud server that integrates with +a [LDAP server](./flake.nix#L76-L143). This guide will show how to deploy this setup to a Virtual Machine, like showed [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. 
@@ -54,10 +55,18 @@ You can ssh into the VM with, but this is not required for the demo: ssh -F ssh_config example ``` -Finally, deploy with: +Finally, we can deploy. To deploy a basic Nextcloud with only the Preview Generator app enabled, +run: ```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic +``` + +To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP +service, run: + +```bash +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap ``` The deploy will take a few minutes the first time and subsequent deploys will take around 15 @@ -80,11 +89,31 @@ $ cat /etc/hosts 127.0.0.1 n.example.com ``` -Go to [http://n.example.com:8080](http://n.example.com:8080) and login with: +If you deployed the `ldap` target host, add instead: + +```nix +networking.hosts = { + "127.0.0.1" = [ "n.example.com" "ldap.example.com" ]; +}; +``` + +If you deployed the `basic` target host, go to +[http://n.example.com:8080](http://n.example.com:8080) and login with: - username: `root` - password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`. +And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to +[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: + +- username: `admin` +- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`. + +Create the group `nextcloud_user` and a user assigned to that group. + +Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and +password you just created above. + Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you might see errors loading scripts. 
@@ -92,9 +121,9 @@ might see errors loading scripts. ### Files {#demo-nextcloud-files} -- [`flake.nix`](./flake.nix): nix entry point, defines one target host for - [colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for - setting up the Nextcloud service. +- [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for + [colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting + up Nextcloud and the auxiliary services. - [`configuration.nix`](./configuration.nix): defines all configuration required for colmena to deploy to the VM. The file has comments if you're interested. - [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout. @@ -150,6 +179,9 @@ nextcloud: adminpass: 43bb4b8f82fc645ce3260b5db803c5a8 onlyoffice: jwt_secret: XYZ... +lldap: + user_password: c2e32e54ea3e0053eb30841f818a3d9a + jwt_secret: 3b19030938608881dc1d2cb2753d9778 ``` To open the `secrets.yaml` file and optionnally edit it, run: diff --git a/demo/nextcloud/flake.lock b/demo/nextcloud/flake.lock index 59b9b72..2f2ff26 100644 --- a/demo/nextcloud/flake.lock +++ b/demo/nextcloud/flake.lock @@ -35,11 +35,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703255338, - "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", + "lastModified": 1704194953, + "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", + "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", "type": "github" }, "original": { 
@@ -51,11 +51,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1703351344,
- "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
+ "lastModified": 1703950681,
+ "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
+ "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
 "type": "github"
 },
 "original": {
@@ -67,11 +67,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1703134684,
- "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
+ "lastModified": 1703499205,
+ "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
+ "rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870",
 "type": "github"
 },
 "original": {
@@ -111,12 +111,12 @@
 "sops-nix": "sops-nix"
 },
 "locked": {
- "lastModified": 1703575610,
- "narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=",
- "owner": "ibizaman",
- "repo": "selfhostblocks",
- "rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea",
- "type": "github"
+ "dirtyRev": "a634a42e48484e061b8fe6f8542ecb9c830f15ac-dirty",
+ "dirtyShortRev": "a634a42-dirty",
+ "lastModified": 1704528621,
+ "narHash": "sha256-wQ/vW3o89ryMIkqGx8XDSujRUnhpOfXrTBnJAp6IW8s=",
+ "type": "git",
+ "url": "file:///home/timi/Projects/selfhostblocks"
 },
 "original": {
 "owner": "ibizaman",
@@ -130,11 +130,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1703387502,
- "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
+ "lastModified": 1703991717,
+ "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
+ "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
 "type": "github"
 },
 "original": {
diff --git a/demo/nextcloud/flake.nix b/demo/nextcloud/flake.nix
index f175d54..0e55664 100644
--- a/demo/nextcloud/flake.nix +++ b/demo/nextcloud/flake.nix @@ -14,7 +14,7 @@ specialArgs = inputs; }; - myserver = { config, ... }: { + basic = { config, ... }: { imports = [ ./configuration.nix selfhostblocks.inputs.sops-nix.nixosModules.default @@ -39,6 +39,10 @@ externalFqdn = "n.example.com:8080"; adminPassFile = config.sops.secrets."nextcloud/adminpass".path; + + apps = { + previewgenerator.enable = true; + }; }; # Secret needed for services.nextcloud.config.adminpassFile. 
@@ -54,6 +58,94 @@
 shb.nginx.accessLog = true;
 shb.nginx.debugLog = false;
 };
+
+ ldap = { config, ... }: {
+ imports = [
+ ./configuration.nix
+ selfhostblocks.inputs.sops-nix.nixosModules.default
+ selfhostblocks.nixosModules.x86_64-linux.default
+ ];
+
+ # Used by colmena to know which target host to deploy to.
+ deployment = {
+ targetHost = "example";
+ targetUser = "nixos";
+ targetPort = 2222;
+ };
+
+ shb.ldap = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "ldap";
+ ldapPort = 3890;
+ webUIListenPort = 17170;
+ dcdomain = "dc=example,dc=com";
+ ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
+ jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
+ };
+ sops.secrets."lldap/user_password" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "lldap";
+ group = "lldap";
+ restartUnits = [ "lldap.service" ];
+ };
+ sops.secrets."lldap/jwt_secret" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "lldap";
+ group = "lldap";
+ restartUnits = [ "lldap.service" ];
+ };
+
+ shb.nextcloud = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "n";
+ dataDir = "/var/lib/nextcloud";
+ tracing = null;
+
+ # This option is only needed because we do not access Nextcloud at the default port in the VM.
+ externalFqdn = "n.example.com:8080";
+
+ adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
+
+ apps = {
+ previewgenerator.enable = true;
+ ldap = {
+ enable = true;
+ host = "127.0.0.1";
+ port = config.shb.ldap.ldapPort;
+ dcdomain = config.shb.ldap.dcdomain;
+ adminName = "admin";
+ adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
+ userGroup = "nextcloud_user";
+ };
+ };
+ };
+
+ # Secret needed for services.nextcloud.config.adminpassFile.
+ sops.secrets."nextcloud/adminpass" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "nextcloud";
+ group = "nextcloud";
+ restartUnits = [ "phpfpm-nextcloud.service" ];
+ };
+ # Secret needed for LDAP app.
+ sops.secrets."nextcloud/ldap_admin_password" = {
+ sopsFile = ./secrets.yaml;
+ key = "lldap/user_password";
+ mode = "0400";
+ owner = "nextcloud";
+ group = "nextcloud";
+ restartUnits = [ "nextcloud-setup.service" ];
+ };
+
+ # Set to true for more debug info with `journalctl -f -u nginx`.
+ shb.nginx.accessLog = true;
+ shb.nginx.debugLog = false;
+ };
 };
 };
 }
diff --git a/demo/nextcloud/secrets.yaml b/demo/nextcloud/secrets.yaml
index 19f89a3..3349475 100644
--- a/demo/nextcloud/secrets.yaml
+++ b/demo/nextcloud/secrets.yaml
@@ -1,7 +1,10 @@
 nextcloud:
- adminpass: ENC[AES256_GCM,data:3FXgVNzKAKrQxoDmRIq188YYrfiEEyYqU3lgwydXHp4=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:nBt+8ciDRBiUzg3JEmiYnw==,type:str]
+ adminpass: ENC[AES256_GCM,data:667e6562Q1SSZRKLMgur1viGd8+MmjU6Oz/DzQ4GLHI=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:5APQH+snOUJ8UPXaIdqR5w==,type:str]
 onlyoffice:
- jwt_secret: ENC[AES256_GCM,data:+6qLNuOaFYRT092i1mkboi4DswEbcv/5+fQ0TpTCMkToWtNoxce5FyLoYpJoJIG3Kg5rrpNkfUYDugG9/5KWFu+31h8i8JdsxyiG0GGjtMbaUCzgiUyL+apMxl4S2b6jS2tGoExZhbgDFErE3p/wM5JTic1DE5HsFQr/49JI78w=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:/Z6oSecHHhZVx/jpbx4Wgw==,type:str]
+ jwt_secret: ENC[AES256_GCM,data:5TMDyySlsAHN1DfJLEJXt5jg7r2Gd8RVmLv4T44ye+2B71r6CWew8tcaYybFXT8aXrmVjOcBkVjBlFJ6B3ozkajtZC3teXCUzG+hlKGdN+Oyvd1+WXJO2USk1pREKc4kGwVvYr02lM1PEVLUokh/j/wmL1uFsAYM9482ik5veYg=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:hYRtuqE7ygjHc6zHOz5kBQ==,type:str]
+lldap:
+ user_password: ENC[AES256_GCM,data:qZO3L7IM9UJ7iR7Q2bdDfY1wmt3TEWLR8NK3rXdojN4=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:KwJFHd85kkm8YGH3NtqanA==,type:str]
+ jwt_secret: ENC[AES256_GCM,data:oCrUTEYO8oETPd8XHq1DiLCSzeRAnrkty3gyo8dxk5c=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:JZUjCbo7CdCmJYJrrsosxQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
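Review bot: The Nextcloud LDAP bind in `apps.ldap` reuses the LLDAP administrator credential — `adminName = "admin"` together with `sops.secrets."nextcloud/ldap_admin_password"` aliased via `key = "lldap/user_password"` — so the Nextcloud service holds a secret that can modify the whole directory rather than only read it. If the module accepts a non-admin bind account, use a dedicated read-only user here; otherwise at least mark the shortcut in the comment, e.g. `# Secret needed for LDAP app. Demo shortcut: reuses the LLDAP admin password; prefer a dedicated read-only bind user.` The same snippet is reproduced in modules/services/nextcloud-server/docs/default.md in this patch, where the line `shb.nextcloud.apps.ldap` is missing its `= {` opener, so the documented example does not parse. Separately, the accompanying flake.lock change pins selfhostblocks to `file:///home/timi/Projects/selfhostblocks` at a `-dirty` revision, which no other machine can resolve; the lock should be regenerated against the published input before this is merged.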
@@ -11,32 +14,50 @@ sops: - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRFc0aGZxa1RaWmZ4SlRk - c2MweTlQdGNQZE1VTDhrTHUzZ2pocUJFWEhNCndjcHB2elp0Zk1MbEFKTzN6a3pI - amdmSERWRFU4dzY1ck5MUE14SXV2c1UKLS0tIFk2MktiV1ljb3E3aXBFdTVlNUk0 - QWZUZWc4amJFVkkxb0tPc1FmeklTNFEK1Pqwg8AI2yw3y9dU9p6Mx2bhKb3lUPt7 - WhyWZbRT4zKjkcUp2NazqMKM35ru5i0037praFJgz05zkStn6twMqA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObnkzVkdmUnhyOG1vNE04 + ZmExS1RkVE5qUm83aVk1bGtTbmo5bGhsc3pBCnNMWjN5cStVRWNlTUVmWi9BQ2py + NEswQS9xNGtPZGdQRWdzWDV1RnJNbGsKLS0tIC8yQW9ZazlNTm80d0l5bEo0M2lW + QnVXMUpXcUFZRWhpUHJjOFZjWGFYSFkKomaixOjgaD1LubawJVhWAgVqjOkpc9+2 + xNHKlgBEXDnBeMK9BgPgYIRk8ce79rxuqwaOAPqrEmPsafvoxZq5Wg== -----END AGE ENCRYPTED FILE----- - recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckF2U0NLaXhsaGVtcms2 - bWZWN1RLQXh3VXRHTzQyM20wTFd0NVA5WTFBCjZvcXlDQS81NXhFRmlHZVV4WHRT - VUhteXIyc1dtRE1OZmk1MmVaM3VzSkEKLS0tIGgrYzFaRkdwMnNEc1F1MGNwQjVx - U3RwYXR6elZ4YTFTNGk4dDVuaUhDUjQKfkIG0oDVqDfSZCxHOZThFlY2V0KpXwBY - D7eodJ26fjJBAaqbvZkWF/BMCKTpAs4cQEHIW70yu6c+kMdV10D9fA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndGErUWt4M3BtR3dVT2lo + SmY1M0k0bkxEcGNxNkdYZDFVaUVIaFA0blhNCm9oWmVyRlJ4eVlxM2l0anhrMERz + RTZ1Z1dINDZZdGN3UUJweWRjRWUyT1UKLS0tIGl1dUNwU0ZSRFhwUENIbHhGT3VP + MTlZVFVtbEFnV1pJTTRjV2pqRnUrYW8KXTdes+gb8h7PL0l34rnRKtPvIr3tUJKZ + UfD+/e3I/+Gw4IpCvIpMoBBT0bxyyMJROKo4oP9GTIrbw5fHV9+bcg== -----END AGE ENCRYPTED FILE----- - recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cm5oRXpPTER3a0djWVov - b2E3UjVNQnNKdFVxZnpkN0l6MjdkdDdXbkZrCk1nQ3Z3Y1psZmdRelJsZkRmV2Zk - WWVXMVplL0gxRDFlemhGQVp3eDhuajgKLS0tIGMxQVJjc0xkOVIrSzFYNXk0MHNM - 
aHg3S3MycVJTcVZvR0hYZ1RXelhqcWMKsb4tbh/q/XDdDmwkxLvaa5olDjYIGIVH - oZSqSF4ws7bRPTX8WAFFyoRw2kcZyc41WfBY1/8DcBKE/SHe5TKPEg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTjZiZkl3QnUzYkxjSzYr + NDVEcWROZDNVV0tUbWVOTUhQWE5LenBrU2c4CmRHcTlkamtibVhOU1dTOTlIanFp + MUt1dnJpR2RUVGwwbTBaYnpXdE1XOHMKLS0tIGJ2YlRMQXpXVlpJRExOdUZ2MDJ6 + WVJMRFMvYkFJenhlQjVGRlZsYlpLdFUKGQmMb2aZKvWnBp4hKAdBZnQMW+pLZC9t + FJCAxZpFEaq22Zthe2dvh1v8X51Jde7bkylL2Z6CcuCLYkPgHhOgCw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-22T07:04:41Z" - mac: ENC[AES256_GCM,data:J9EsLR+Rr23io0zx7NnHahds3Y4PNGgKoooLb4hXXeu/sORz+IWALhnF35SHsZaAAvwdCtjy5G7jrryRMKWGXy1uMs7WcsDGtI36Q9DVBuUav8gLWes0NEMv62nKrruS1zMcgYQdEPo7AL3sadbQxusEQNbhVfGxbiPXE9U3sfE=,iv:EpwwUnIhQeIHB13GBHFYELMeo36Qm45G382wQTcE8FM=,tag:Jb9C28oQjzsGVE1oFJzIBg==,type:str] + - recipient: age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazRkcVBvT0NGYk1nUjdK + V1o5V3VaYjY4YTNmYlpQUkZNV1lZN0JSSXdBCngrdjd3T1RHK1dOQUd6alFVQkhm + blRPNlg5T2xQVThqNzAybkk5U2VrQmMKLS0tIGVOVFlpNlIzcG9BY0R5UVMrUTk0 + YzM4cTdoOHFzUGREZnBBTkFHZ2hQNVkKvZefP0yX08wSaXSvNh5NH+lUu4GvDeVQ + ieagXUh5IYmpZ6W8+Ifz3DqbLTELpLCdL45yj8ChoVkEGGGt2XHiiw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZHZEU3RnKzYrTWovSUNu + aUszcHFxMVBqMnpiV3d3d3lNQk40TjdSdTNnCjluSUNpeTg0QUUxYkhPeHRubFE4 + cEVOcFU4eUwvZitwN3JESUFoWnlCcFEKLS0tIElTN2J2M3ZhUUgxbGlWY242YkNF + UlFuMGFVeElOdGVwL0NReXhFVDJOZzgKTROtZpvVl+d1wfuf7otaIo6nDdVzsQ9O + kT+S01M2kC2gX+oDAcD20cNJdwnD/ETCdTk93qxpX1jAtDiz1WBSmg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-06T09:06:26Z" + mac: 
ENC[AES256_GCM,data:pitmTT1egqTEOI4fEsaE/kpLOdPjO3AHwNIUB4MYp9E8GeD+AOkX7U/KwOailC245wqGNNzCDJn7PD/IZ93cOXcsdMuhKUg/QNogz337DIioeFxx+Vf50mFv44Lf1Vtu7MG80zOXVHrmls/hb+E4HL55OujWmEKXWodeECvgfpw=,iv:57716xGcpRNxGdnihH7qbr8/I7t0MWYIbh3PoxqDZBo=,tag:qqA7nEbSPrpWBwZyuOWN8g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/blocks/backup/docs/default.md b/modules/blocks/backup/docs/default.md index 73507e9..c431b4f 100644 --- a/modules/blocks/backup/docs/default.md +++ b/modules/blocks/backup/docs/default.md @@ -211,8 +211,7 @@ shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfol ## Demo {#blocks-backup-demo} -Head over to the [Home Assistant demo](demo-homeassistant.html) for a demo that installs Home -Assistant on a VM with minimal manual steps. +[WIP] ## Monitoring {#blocks-backup-monitoring} diff --git a/modules/services/nextcloud-server.nix b/modules/services/nextcloud-server.nix index 149b698..be85b49 100644 --- a/modules/services/nextcloud-server.nix +++ b/modules/services/nextcloud-server.nix @@ -277,7 +277,21 @@ in tracing = lib.mkOption { type = lib.types.nullOr lib.types.str; - description = "Enable xdebug tracing."; + description = '' + Enable xdebug tracing. + + To trigger writing a trace to `/var/log/xdebug`, add a the following header: + + ``` + XDEBUG_TRACE + ``` + + The response will contain the following header: + + ``` + x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484 + ``` + ''; default = null; example = "debug_me"; }; @@ -534,9 +548,6 @@ in echo "Using configId $CONFIG_ID" - CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")" - - # The following CLI commands follow # https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way diff --git a/modules/services/nextcloud-server/docs/default.md b/modules/services/nextcloud-server/docs/default.md index 451f5c8..5ffcb37 100644 --- a/modules/services/nextcloud-server/docs/default.md 
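Review bot: The new `tracing` description has a typo and leaves the trigger under-specified: `add a the following header` should read `add the following request header`, and the fenced block below it shows only the name `XDEBUG_TRACE`, so a reader cannot tell whether any value is expected. Since a trace written under `/var/log/xdebug` typically records function calls and their arguments, the description would also benefit from stating that the option should stay at its `null` default outside of debugging sessions. The enclosing `tracing = lib.mkOption { ... }` block starts before this hunk.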
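Review bot: Dropping the `CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"` assignment is only safe if nothing further down the script still reads `$CONFIG`; the rest of the script body is outside this hunk, so that should be confirmed before merging. If it is genuinely unused, a one-line comment at the `echo "Using configId $CONFIG_ID"` line noting that only the id is needed downstream would make the intent clear, e.g. `# Only the config id is needed below; the full config object is not read.`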
+++ b/modules/services/nextcloud-server/docs/default.md @@ -8,12 +8,10 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo - Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need to configure those with the UI. - - LDAP app: enables app and sets up integration with an existing LDAP server. The defaults are - suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building - block](./block-ldap.html). - - [Preview Generator](https://apps.nextcloud.com/apps/previewgenerator) app: enables app and sets + - [LDAP](#services-nextcloud-server-usage-ldap) app: enables app and sets up integration with an existing LDAP server. + - [Preview Generator](#services-nextcloud-server-usage-previewgenerator) app: enables app and sets up required cron job. - - [Only Office](https://apps.nextcloud.com/apps/onlyoffice) app: enables app and sets up Only + - [Only Office](#services-nextcloud-server-usage-onlyoffice) app: enables app and sets up Only Office service. - Any other app through the [shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option. @@ -37,7 +35,9 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo ## Usage {#services-nextcloud-server-usage} -### Minimal {#services-nextcloud-server-usage-minimal} +### Basic Configuration {#services-nextcloud-server-usage-basic} + +This section corresponds to the `basic` target host defined in the [flake.nix](./flake.nix) file. This will set up a Nextcloud service that runs on the NixOS target machine, reachable at `http://nextcloud.example.com`. If the `shb.ssl` block is [enabled](block-ssl.html#usage), the 
@@ -69,6 +69,59 @@ sops.secrets."nextcloud/adminpass" = { }; ``` +### With LDAP Support {#services-nextcloud-server-usage-ldap} + +This section corresponds to the `ldap` target host defined in the [flake.nix](./flake.nix) file. The same information from the [basic](#services-nextcloud-server-usage-basic) section applies, so please read that first. + +This target host uses the LDAP block provided by Self Host Blocks to setup a +[LLDAP](https://github.com/lldap/lldap) service. + +```nix +shb.ldap = { + enable = true; + domain = "example.com"; + subdomain = "ldap"; + ldapPort = 3890; + webUIListenPort = 17170; + dcdomain = "dc=example,dc=com"; + ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path; + jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path; +}; + +sops.secrets."lldap/user_password" = { + sopsFile = ./secrets.yaml; + mode = "0440"; + owner = "lldap"; + group = "lldap"; + restartUnits = [ "lldap.service" ]; +}; + +sops.secrets."lldap/jwt_secret" = { + sopsFile = ./secrets.yaml; + mode = "0440"; + owner = "lldap"; + group = "lldap"; + restartUnits = [ "lldap.service" ]; +}; +``` + +We also need to configure the `nextcloud` Self Host Blocks service to talk to the LDAP server we +just defined: + +```nix +shb.nextcloud.apps.ldap + enable = true; + host = "127.0.0.1"; + port = config.shb.ldap.ldapPort; + dcdomain = config.shb.ldap.dcdomain; + adminName = "admin"; + adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path; + userGroup = "nextcloud_user"; +}; +``` + +It's nice to be able to reference a options that were defined in the ldap block. + ### Tweak PHPFpm Config {#services-nextcloud-server-usage-phpfpm} ```nix 
@@ -108,21 +161,36 @@ shb.nextcloud.postgresSettings = { TODO -### Enable OnlyOffice Server {#services-nextcloud-server-usage-onlyoffice} +### Enable Preview Generator App {#services-nextcloud-server-usage-previewgenerator} -The following snippets sets up an onlyoffice instance listening at `onlyoffice.example.com` that -only listens on the local nextwork. +The following snippet installs and enables the [Preview +Generator](https://apps.nextcloud.com/apps/previewgenerator) application as well as creates the +required cron job that generates previews every 10 minutes. ```nix -shb.nextcloud.onlyoffice = { +shb.nextcloud.apps.previewgenerator.enable = true; +``` + +Note that you still need to generate the previews for any pre-existing files with: + +```bash +nextcloud-occ -vvv preview:generate-all +``` + +### Enable OnlyOffice App {#services-nextcloud-server-usage-onlyoffice} + +The following snippet installs and enables the [Only +Office](https://apps.nextcloud.com/apps/onlyoffice) application as well as sets up an Only Office +instance listening at `onlyoffice.example.com` that only listens on the local network. + +```nix +shb.nextcloud.apps.onlyoffice = { + enable = true; subdomain = "onlyoffice"; localNextworkIPRange = "192.168.1.1/24"; }; ``` -You still need to install the OnlyOffice integration in Nextcloud UI. Setting up the integration -declaratively is WIP. - Also, you will need to explicitly allow the package `corefonts`: ```nix @@ -133,7 +201,8 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) ### Enable Monitoring {#services-nextcloud-server-server-usage-monitoring} -Enable the [monitoring block](./blocks-monitoring.html). +Enable the [monitoring block](./blocks-monitoring.html). The metrics will automatically appear in +the corresponding dashboards. ### Enable Tracing {#services-nextcloud-server-server-usage-tracing} 
@@ -151,8 +220,8 @@ how to look at the traces. ## Demo {#services-nextcloud-server-demo} -Head over to the [Nextcloud demo](demo-nextcloud.html) for a demo that installs Nextcloud on a VM -with minimal manual steps. +Head over to the [Nextcloud demo](demo-nextcloud-server.html) for a demo that installs Nextcloud with or +without LDAP integration on a VM with minimal manual steps. ## Maintenance {#services-nextcloud-server-maintenance}