
add nextcloud integration with ldap to the manual and nextcloud demo.

refs #17
ibizaman 2024-01-06 09:43:30 -08:00 committed by Pierre Penninckx
parent 4a7e42abaa
commit 0a34140e34
7 changed files with 292 additions and 68 deletions


@ -3,8 +3,9 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is **This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.** only done for convenience as it is just a demo. Do not expose the VM to the internet.**
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [15 The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [25
lines](./flake.nix#L29-L45) of related code. lines](./flake.nix#L31-L55) of related code. It also defines a Nextcloud server that integrates with
a [LDAP server](./flake.nix#L76-L143).
This guide will show how to deploy this setup to a Virtual Machine, like showed This guide will show how to deploy this setup to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
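Review bot: the new link targets `./flake.nix#L31-L55` and `./flake.nix#L76-L143` are line-range anchors that rot silently; this very hunk had to move one from `#L29-L45`, and the next edit to flake.nix will leave both pointing at the wrong block with no error. Link to the file and name the `basic` and `ldap` attributes instead. While touching this paragraph, the unchanged "like showed [here]" reads better as "as shown [here]".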
@ -54,10 +55,18 @@ You can ssh into the VM with, but this is not required for the demo:
ssh -F ssh_config example ssh -F ssh_config example
``` ```
Finally, deploy with: Finally, we can deploy. To deploy a basic Nextcloud with only the Preview Generator app enabled,
run:
```bash ```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
```
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
``` ```
The deploy will take a few minutes the first time and subsequent deploys will take around 15 The deploy will take a few minutes the first time and subsequent deploys will take around 15
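Review bot: the two commands `colmena ... apply --on basic` and `colmena ... apply --on ldap` deploy to the same VM (both colmena hosts use `targetHost = "example"` in flake.nix), so they are alternatives, not consecutive steps. Say so explicitly, and say whether switching from `basic` to `ldap` on a VM that already holds Nextcloud state in `/var/lib/nextcloud` is supported or whether the reader should start from a fresh VM.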
@ -80,11 +89,31 @@ $ cat /etc/hosts
127.0.0.1 n.example.com 127.0.0.1 n.example.com
``` ```
Go to [http://n.example.com:8080](http://n.example.com:8080) and login with: If you deployed the `ldap` target host, add instead:
```nix
networking.hosts = {
"127.0.0.1" = [ "n.example.com" "ldap.example.com" ];
};
```
If you deployed the `basic` target host, go to
[http://n.example.com:8080](http://n.example.com:8080) and login with:
- username: `root` - username: `root`
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`. - password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`.
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
- username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
Create the group `nextcloud_user` and a user assigned to that group.
Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and
password you just created above.
Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you
might see errors loading scripts. might see errors loading scripts.
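Review bot: the LDAP walkthrough tells the reader to "Create the group `nextcloud_user` and a user assigned to that group" without saying why: flake.nix sets `userGroup = "nextcloud_user";`, so only members of that exact group are visible to Nextcloud, and a user created outside it fails to log in with no hint. State that the group name must match `userGroup`. It is also worth saying that the LLDAP `admin` password typed into the web UI here is the same credential Nextcloud binds with (flake.nix aliases `nextcloud/ldap_admin_password` to `key = "lldap/user_password"`), so changing it in the UI breaks the integration until `secrets.yaml` is updated and redeployed.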
@ -92,9 +121,9 @@ might see errors loading scripts.
### Files {#demo-nextcloud-files} ### Files {#demo-nextcloud-files}
- [`flake.nix`](./flake.nix): nix entry point, defines one target host for - [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for [colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting
setting up the Nextcloud service. up Nextcloud and the auxiliary services.
- [`configuration.nix`](./configuration.nix): defines all configuration required for colmena - [`configuration.nix`](./configuration.nix): defines all configuration required for colmena
to deploy to the VM. The file has comments if you're interested. to deploy to the VM. The file has comments if you're interested.
- [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout. - [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout.
@ -150,6 +179,9 @@ nextcloud:
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8 adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
onlyoffice: onlyoffice:
jwt_secret: XYZ... jwt_secret: XYZ...
lldap:
user_password: c2e32e54ea3e0053eb30841f818a3d9a
jwt_secret: 3b19030938608881dc1d2cb2753d9778
``` ```
To open the `secrets.yaml` file and optionnally edit it, run: To open the `secrets.yaml` file and optionnally edit it, run:


@ -35,11 +35,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1703255338, "lastModified": 1704194953,
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -51,11 +51,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1703351344, "lastModified": 1703950681,
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", "rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -67,11 +67,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1703134684, "lastModified": 1703499205,
"narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", "rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -111,12 +111,12 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
}, },
"locked": { "locked": {
"lastModified": 1703575610, "dirtyRev": "a634a42e48484e061b8fe6f8542ecb9c830f15ac-dirty",
"narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=", "dirtyShortRev": "a634a42-dirty",
"owner": "ibizaman", "lastModified": 1704528621,
"repo": "selfhostblocks", "narHash": "sha256-wQ/vW3o89ryMIkqGx8XDSujRUnhpOfXrTBnJAp6IW8s=",
"rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea", "type": "git",
"type": "github" "url": "file:///home/timi/Projects/selfhostblocks"
}, },
"original": { "original": {
"owner": "ibizaman", "owner": "ibizaman",
@ -130,11 +130,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1703387502, "lastModified": 1703991717,
"narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=", "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3", "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -14,7 +14,7 @@
specialArgs = inputs; specialArgs = inputs;
}; };
myserver = { config, ... }: { basic = { config, ... }: {
imports = [ imports = [
./configuration.nix ./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default selfhostblocks.inputs.sops-nix.nixosModules.default
@ -39,6 +39,10 @@
externalFqdn = "n.example.com:8080"; externalFqdn = "n.example.com:8080";
adminPassFile = config.sops.secrets."nextcloud/adminpass".path; adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
};
}; };
# Secret needed for services.nextcloud.config.adminpassFile. # Secret needed for services.nextcloud.config.adminpassFile.
@ -54,6 +58,94 @@
shb.nginx.accessLog = true; shb.nginx.accessLog = true;
shb.nginx.debugLog = false; shb.nginx.debugLog = false;
}; };
ldap = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
dataDir = "/var/lib/nextcloud";
tracing = null;
# This option is only needed because we do not access Nextcloud at the default port in the VM.
externalFqdn = "n.example.com:8080";
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
key = "lldap/user_password";
mode = "0400";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
};
}; };
}; };
} }
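Review bot: in the `ldap` host, Nextcloud binds to LLDAP with the directory's administrator credential: `adminName = "admin";` and the `nextcloud/ldap_admin_password` secret is only an alias of the LLDAP admin secret (`key = "lldap/user_password";`). That gives the Nextcloud PHP process, and anything that can read the secret as the `nextcloud` user, full write access to the directory, while the Nextcloud LDAP app needs read access to users and the `nextcloud_user` group. Suggest a dedicated read-only bind user with its own secret, and if the demo deliberately keeps `admin` for simplicity, a comment saying so. Smaller points on the same hunk: the `imports` and `shb.nginx.*` lines are copied verbatim from `basic` and could be factored into a shared attrset; the bind goes to `host = "127.0.0.1"` on the plain LDAP port `3890`, which is fine on loopback but deserves a comment so nobody later points it at a remote host without TLS.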


@ -1,7 +1,10 @@
nextcloud: nextcloud:
adminpass: ENC[AES256_GCM,data:3FXgVNzKAKrQxoDmRIq188YYrfiEEyYqU3lgwydXHp4=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:nBt+8ciDRBiUzg3JEmiYnw==,type:str] adminpass: ENC[AES256_GCM,data:667e6562Q1SSZRKLMgur1viGd8+MmjU6Oz/DzQ4GLHI=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:5APQH+snOUJ8UPXaIdqR5w==,type:str]
onlyoffice: onlyoffice:
jwt_secret: ENC[AES256_GCM,data:+6qLNuOaFYRT092i1mkboi4DswEbcv/5+fQ0TpTCMkToWtNoxce5FyLoYpJoJIG3Kg5rrpNkfUYDugG9/5KWFu+31h8i8JdsxyiG0GGjtMbaUCzgiUyL+apMxl4S2b6jS2tGoExZhbgDFErE3p/wM5JTic1DE5HsFQr/49JI78w=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:/Z6oSecHHhZVx/jpbx4Wgw==,type:str] jwt_secret: ENC[AES256_GCM,data:5TMDyySlsAHN1DfJLEJXt5jg7r2Gd8RVmLv4T44ye+2B71r6CWew8tcaYybFXT8aXrmVjOcBkVjBlFJ6B3ozkajtZC3teXCUzG+hlKGdN+Oyvd1+WXJO2USk1pREKc4kGwVvYr02lM1PEVLUokh/j/wmL1uFsAYM9482ik5veYg=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:hYRtuqE7ygjHc6zHOz5kBQ==,type:str]
lldap:
user_password: ENC[AES256_GCM,data:qZO3L7IM9UJ7iR7Q2bdDfY1wmt3TEWLR8NK3rXdojN4=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:KwJFHd85kkm8YGH3NtqanA==,type:str]
jwt_secret: ENC[AES256_GCM,data:oCrUTEYO8oETPd8XHq1DiLCSzeRAnrkty3gyo8dxk5c=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:JZUjCbo7CdCmJYJrrsosxQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
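Review bot: both pre-existing values, `nextcloud.adminpass` and `onlyoffice.jwt_secret`, get new `data:` and `tag:` fields while their `iv:` stays byte-for-byte identical (`iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=` before and after for adminpass). The README in this same commit still lists the adminpass as `43bb4b8f82fc645ce3260b5db803c5a8`, so the plaintext did not change; that pattern is consistent with the sops data key having been rotated for the new recipients while the per-value IVs were kept. An IV reused under a different key is harmless for AES-GCM, but an IV reused under the same key with different plaintext breaks both confidentiality and the authentication tag, so please confirm this was a data-key rotation (`sops --rotate` or re-keying when adding the recipients) and not an in-place edit under the old key.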
@ -11,32 +14,50 @@ sops:
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRFc0aGZxa1RaWmZ4SlRk YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObnkzVkdmUnhyOG1vNE04
c2MweTlQdGNQZE1VTDhrTHUzZ2pocUJFWEhNCndjcHB2elp0Zk1MbEFKTzN6a3pI ZmExS1RkVE5qUm83aVk1bGtTbmo5bGhsc3pBCnNMWjN5cStVRWNlTUVmWi9BQ2py
amdmSERWRFU4dzY1ck5MUE14SXV2c1UKLS0tIFk2MktiV1ljb3E3aXBFdTVlNUk0 NEswQS9xNGtPZGdQRWdzWDV1RnJNbGsKLS0tIC8yQW9ZazlNTm80d0l5bEo0M2lW
QWZUZWc4amJFVkkxb0tPc1FmeklTNFEK1Pqwg8AI2yw3y9dU9p6Mx2bhKb3lUPt7 QnVXMUpXcUFZRWhpUHJjOFZjWGFYSFkKomaixOjgaD1LubawJVhWAgVqjOkpc9+2
WhyWZbRT4zKjkcUp2NazqMKM35ru5i0037praFJgz05zkStn6twMqA== xNHKlgBEXDnBeMK9BgPgYIRk8ce79rxuqwaOAPqrEmPsafvoxZq5Wg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9 - recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckF2U0NLaXhsaGVtcms2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndGErUWt4M3BtR3dVT2lo
bWZWN1RLQXh3VXRHTzQyM20wTFd0NVA5WTFBCjZvcXlDQS81NXhFRmlHZVV4WHRT SmY1M0k0bkxEcGNxNkdYZDFVaUVIaFA0blhNCm9oWmVyRlJ4eVlxM2l0anhrMERz
VUhteXIyc1dtRE1OZmk1MmVaM3VzSkEKLS0tIGgrYzFaRkdwMnNEc1F1MGNwQjVx RTZ1Z1dINDZZdGN3UUJweWRjRWUyT1UKLS0tIGl1dUNwU0ZSRFhwUENIbHhGT3VP
U3RwYXR6elZ4YTFTNGk4dDVuaUhDUjQKfkIG0oDVqDfSZCxHOZThFlY2V0KpXwBY MTlZVFVtbEFnV1pJTTRjV2pqRnUrYW8KXTdes+gb8h7PL0l34rnRKtPvIr3tUJKZ
D7eodJ26fjJBAaqbvZkWF/BMCKTpAs4cQEHIW70yu6c+kMdV10D9fA== UfD+/e3I/+Gw4IpCvIpMoBBT0bxyyMJROKo4oP9GTIrbw5fHV9+bcg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq - recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cm5oRXpPTER3a0djWVov YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTjZiZkl3QnUzYkxjSzYr
b2E3UjVNQnNKdFVxZnpkN0l6MjdkdDdXbkZrCk1nQ3Z3Y1psZmdRelJsZkRmV2Zk NDVEcWROZDNVV0tUbWVOTUhQWE5LenBrU2c4CmRHcTlkamtibVhOU1dTOTlIanFp
WWVXMVplL0gxRDFlemhGQVp3eDhuajgKLS0tIGMxQVJjc0xkOVIrSzFYNXk0MHNM MUt1dnJpR2RUVGwwbTBaYnpXdE1XOHMKLS0tIGJ2YlRMQXpXVlpJRExOdUZ2MDJ6
aHg3S3MycVJTcVZvR0hYZ1RXelhqcWMKsb4tbh/q/XDdDmwkxLvaa5olDjYIGIVH WVJMRFMvYkFJenhlQjVGRlZsYlpLdFUKGQmMb2aZKvWnBp4hKAdBZnQMW+pLZC9t
oZSqSF4ws7bRPTX8WAFFyoRw2kcZyc41WfBY1/8DcBKE/SHe5TKPEg== FJCAxZpFEaq22Zthe2dvh1v8X51Jde7bkylL2Z6CcuCLYkPgHhOgCw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-22T07:04:41Z" - recipient: age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s
mac: ENC[AES256_GCM,data:J9EsLR+Rr23io0zx7NnHahds3Y4PNGgKoooLb4hXXeu/sORz+IWALhnF35SHsZaAAvwdCtjy5G7jrryRMKWGXy1uMs7WcsDGtI36Q9DVBuUav8gLWes0NEMv62nKrruS1zMcgYQdEPo7AL3sadbQxusEQNbhVfGxbiPXE9U3sfE=,iv:EpwwUnIhQeIHB13GBHFYELMeo36Qm45G382wQTcE8FM=,tag:Jb9C28oQjzsGVE1oFJzIBg==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazRkcVBvT0NGYk1nUjdK
V1o5V3VaYjY4YTNmYlpQUkZNV1lZN0JSSXdBCngrdjd3T1RHK1dOQUd6alFVQkhm
blRPNlg5T2xQVThqNzAybkk5U2VrQmMKLS0tIGVOVFlpNlIzcG9BY0R5UVMrUTk0
YzM4cTdoOHFzUGREZnBBTkFHZ2hQNVkKvZefP0yX08wSaXSvNh5NH+lUu4GvDeVQ
ieagXUh5IYmpZ6W8+Ifz3DqbLTELpLCdL45yj8ChoVkEGGGt2XHiiw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZHZEU3RnKzYrTWovSUNu
aUszcHFxMVBqMnpiV3d3d3lNQk40TjdSdTNnCjluSUNpeTg0QUUxYkhPeHRubFE4
cEVOcFU4eUwvZitwN3JESUFoWnlCcFEKLS0tIElTN2J2M3ZhUUgxbGlWY242YkNF
UlFuMGFVeElOdGVwL0NReXhFVDJOZzgKTROtZpvVl+d1wfuf7otaIo6nDdVzsQ9O
kT+S01M2kC2gX+oDAcD20cNJdwnD/ETCdTk93qxpX1jAtDiz1WBSmg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-06T09:06:26Z"
mac: ENC[AES256_GCM,data:pitmTT1egqTEOI4fEsaE/kpLOdPjO3AHwNIUB4MYp9E8GeD+AOkX7U/KwOailC245wqGNNzCDJn7PD/IZ93cOXcsdMuhKUg/QNogz337DIioeFxx+Vf50mFv44Lf1Vtu7MG80zOXVHrmls/hb+E4HL55OujWmEKXWodeECvgfpw=,iv:57716xGcpRNxGdnihH7qbr8/I7t0MWYIbh3PoxqDZBo=,tag:qqA7nEbSPrpWBwZyuOWN8g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
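Review bot: two new age recipients, `age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s` and `age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze`, are added to the file, but neither the commit message nor the demo README says whose keys they are (a new VM host key, a developer key?). Every recipient can decrypt all values in the file, including the new `lldap` secrets, so record what each one is, ideally as a comment next to the recipient in `.sops.yaml`, and drop any that exist only for the author's local checkout.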


@ -211,8 +211,7 @@ shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfol
## Demo {#blocks-backup-demo} ## Demo {#blocks-backup-demo}
Head over to the [Home Assistant demo](demo-homeassistant.html) for a demo that installs Home [WIP]
Assistant on a VM with minimal manual steps.
## Monitoring {#blocks-backup-monitoring} ## Monitoring {#blocks-backup-monitoring}
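Review bot: replacing the sentence with a bare `[WIP]` leaves the Demo section of the backup block with no information for the reader. If `demo-homeassistant.html` does not exist yet, say that in a sentence ("A backup demo is not written yet.") or drop the section until it is; a lone tag in the rendered manual reads as a broken page.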

View file

@ -277,7 +277,21 @@ in
tracing = lib.mkOption { tracing = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
description = "Enable xdebug tracing."; description = ''
Enable xdebug tracing.
To trigger writing a trace to `/var/log/xdebug`, add a the following header:
```
XDEBUG_TRACE <shb.nextcloud.tracing value>
```
The response will contain the following header:
```
x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484
```
'';
default = null; default = null;
example = "debug_me"; example = "debug_me";
}; };
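Review bot: the new `tracing` description mixes xdebug's tracer and profiler. The request header `XDEBUG_TRACE <shb.nextcloud.tracing value>` triggers a function trace, but the response header shown, `x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484`, and a `cachegrind.out.*` file are what the profiler (`XDEBUG_PROFILE`) produces; function traces are written as `.xt` files. Either document the header pair the module actually configures, or split the description into the trace and profile cases. Also a typo in the added text: "add a the following header".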
@ -534,9 +548,6 @@ in
echo "Using configId $CONFIG_ID" echo "Using configId $CONFIG_ID"
CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"
# The following CLI commands follow # The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way # https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
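Review bot: dropping `CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"` is only safe if nothing later in the script reads `$CONFIG`; the context shows the lldap CLI steps follow but not whether they reference it. Please confirm, and consider `set -u` for this script so a later use of a now-unset variable fails loudly instead of expanding to an empty string inside an `occ` command.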


@ -8,12 +8,10 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
- Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need - Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need
to configure those with the UI. to configure those with the UI.
- LDAP app: enables app and sets up integration with an existing LDAP server. The defaults are - [LDAP](#services-nextcloud-server-usage-ldap) app: enables app and sets up integration with an existing LDAP server.
suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building - [Preview Generator](#services-nextcloud-server-usage-previewgenerator) app: enables app and sets
block](./block-ldap.html).
- [Preview Generator](https://apps.nextcloud.com/apps/previewgenerator) app: enables app and sets
up required cron job. up required cron job.
- [Only Office](https://apps.nextcloud.com/apps/onlyoffice) app: enables app and sets up Only - [Only Office](#services-nextcloud-server-usage-onlyoffice) app: enables app and sets up Only
Office service. Office service.
- Any other app through the - Any other app through the
[shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option. [shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option.
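Review bot: the LDAP bullet now links to the usage section but drops the previous pointer to the LDAP block (`./block-ldap.html`) and the remark that the defaults suit LLDAP. Keep one sentence with that link; the usage section below depends on the `shb.ldap` block, and this list is where a reader first learns that block exists.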
@ -37,7 +35,9 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
## Usage {#services-nextcloud-server-usage} ## Usage {#services-nextcloud-server-usage}
### Minimal {#services-nextcloud-server-usage-minimal} ### Basic Configuration {#services-nextcloud-server-usage-basic}
This section corresponds to the `basic` target host defined in the [flake.nix](./flake.nix) file.
This will set up a Nextcloud service that runs on the NixOS target machine, reachable at This will set up a Nextcloud service that runs on the NixOS target machine, reachable at
`http://nextcloud.example.com`. If the `shb.ssl` block is [enabled](block-ssl.html#usage), the `http://nextcloud.example.com`. If the `shb.ssl` block is [enabled](block-ssl.html#usage), the
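Review bot: renaming the heading changes its anchor from `#services-nextcloud-server-usage-minimal` to `#services-nextcloud-server-usage-basic`, which breaks any existing links to the old id. Grep the manual for the old anchor, or keep it as an alias on the heading.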
@ -69,6 +69,59 @@ sops.secrets."nextcloud/adminpass" = {
}; };
``` ```
### With LDAP Support {#services-nextcloud-server-usage-ldap}
This section corresponds to the `ldap` target host defined in the [flake.nix](./flake.nix) file. The same information from the [basic](#services-nextcloud-server-usage-basic) section applies, so please read that first.
This target host uses the LDAP block provided by Self Host Blocks to setup a
[LLDAP](https://github.com/lldap/lldap) service.
```nix
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
```
We also need to configure the `nextcloud` Self Host Blocks service to talk to the LDAP server we
just defined:
```nix
shb.nextcloud.apps.ldap
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
```
It's nice to be able to reference a options that were defined in the ldap block.
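Review bot: the second snippet is not valid Nix: its first line `shb.nextcloud.apps.ldap` is missing `= {`, so the block as written does not parse. It also references `config.sops.secrets."nextcloud/ldap_admin_password".path` without defining that secret; flake.nix defines it as an alias of the LLDAP admin password (`key = "lldap/user_password";` with `owner = "nextcloud"`), and the manual should show that `sops.secrets` stanza too, otherwise a reader copying the snippet fails on a missing attribute. The closing sentence "It's nice to be able to reference a options that were defined in the ldap block." should read "options" without the article, and belongs right after the `port = config.shb.ldap.ldapPort;` line it refers to.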
### Tweak PHPFpm Config {#services-nextcloud-server-usage-phpfpm} ### Tweak PHPFpm Config {#services-nextcloud-server-usage-phpfpm}
```nix ```nix
@ -108,21 +161,36 @@ shb.nextcloud.postgresSettings = {
TODO TODO
### Enable OnlyOffice Server {#services-nextcloud-server-usage-onlyoffice} ### Enable Preview Generator App {#services-nextcloud-server-usage-previewgenerator}
The following snippets sets up an onlyoffice instance listening at `onlyoffice.example.com` that The following snippet installs and enables the [Preview
only listens on the local nextwork. Generator](https://apps.nextcloud.com/apps/previewgenerator) application as well as creates the
required cron job that generates previews every 10 minutes.
```nix ```nix
shb.nextcloud.onlyoffice = { shb.nextcloud.apps.previewgenerator.enable = true;
```
Note that you still need to generate the previews for any pre-existing files with:
```bash
nextcloud-occ -vvv preview:generate-all
```
### Enable OnlyOffice App {#services-nextcloud-server-usage-onlyoffice}
The following snippet installs and enables the [Only
Office](https://apps.nextcloud.com/apps/onlyoffice) application as well as sets up an Only Office
instance listening at `onlyoffice.example.com` that only listens on the local network.
```nix
shb.nextcloud.apps.onlyoffice = {
enable = true;
subdomain = "onlyoffice"; subdomain = "onlyoffice";
localNextworkIPRange = "192.168.1.1/24"; localNextworkIPRange = "192.168.1.1/24";
}; };
``` ```
You still need to install the OnlyOffice integration in Nextcloud UI. Setting up the integration
declaratively is WIP.
Also, you will need to explicitly allow the package `corefonts`: Also, you will need to explicitly allow the package `corefonts`:
```nix ```nix
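Review bot: the sentence "You still need to install the OnlyOffice integration in Nextcloud UI. Setting up the integration declaratively is WIP." is deleted and the option path changes from `shb.nextcloud.onlyoffice` to `shb.nextcloud.apps.onlyoffice`, but none of the `nextcloud.nix` hunks in this commit add the OnlyOffice app setup or rename that option. If that landed in an earlier commit, fine; otherwise the manual now promises a declarative install the module does not deliver. On the Preview Generator part, `nextcloud-occ -vvv preview:generate-all` walks every existing file and can run for a long time on a populated instance, which is worth one sentence next to the command.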
@ -133,7 +201,8 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg)
### Enable Monitoring {#services-nextcloud-server-server-usage-monitoring} ### Enable Monitoring {#services-nextcloud-server-server-usage-monitoring}
Enable the [monitoring block](./blocks-monitoring.html). Enable the [monitoring block](./blocks-monitoring.html). The metrics will automatically appear in
the corresponding dashboards.
### Enable Tracing {#services-nextcloud-server-server-usage-tracing} ### Enable Tracing {#services-nextcloud-server-server-usage-tracing}
@ -151,8 +220,8 @@ how to look at the traces.
## Demo {#services-nextcloud-server-demo} ## Demo {#services-nextcloud-server-demo}
Head over to the [Nextcloud demo](demo-nextcloud.html) for a demo that installs Nextcloud on a VM Head over to the [Nextcloud demo](demo-nextcloud-server.html) for a demo that installs Nextcloud with or
with minimal manual steps. without LDAP integration on a VM with minimal manual steps.
## Maintenance {#services-nextcloud-server-maintenance} ## Maintenance {#services-nextcloud-server-maintenance}