add nextcloud integration with ldap to the manual and nextcloud demo.
refs #17
This commit is contained in:
parent
4a7e42abaa
commit
0a34140e34
7 changed files with 292 additions and 68 deletions
|
@ -3,8 +3,9 @@
|
||||||
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
||||||
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
||||||
|
|
||||||
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [15
|
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [25
|
||||||
lines](./flake.nix#L29-L45) of related code.
|
lines](./flake.nix#L31-L55) of related code. It also defines a Nextcloud server that integrates with
|
||||||
|
a [LDAP server](./flake.nix#L76-L143).
|
||||||
|
|
||||||
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
||||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
||||||
|
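Review bot: in the new sentence `It also defines a Nextcloud server that integrates with a [LDAP server](./flake.nix#L76-L143).` the article should be `an LDAP server`. The line-range anchors (`#L31-L55`, `#L76-L143`) will silently go stale the next time flake.nix is edited; either link to the file and name the `basic` and `ldap` hosts, or accept that both ranges must be updated on every change to the flake.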
@ -54,10 +55,18 @@ You can ssh into the VM with, but this is not required for the demo:
|
||||||
ssh -F ssh_config example
|
ssh -F ssh_config example
|
||||||
```
|
```
|
||||||
|
|
||||||
Finally, deploy with:
|
Finally, we can deploy. To deploy a basic Nextcloud with only the Preview Generator app enabled,
|
||||||
|
run:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply
|
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
|
||||||
|
```
|
||||||
|
|
||||||
|
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
|
||||||
|
service, run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
|
||||||
```
|
```
|
||||||
|
|
||||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
||||||
|
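Review bot: `integrated with a LDAP service` should read `an LDAP service`. Both commands point colmena at the same `ssh_config` target, so it is worth saying explicitly that `--on basic` and `--on ldap` are alternatives that overwrite each other on the one VM, not two deployments meant to be run back to back.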
@ -80,11 +89,31 @@ $ cat /etc/hosts
|
||||||
127.0.0.1 n.example.com
|
127.0.0.1 n.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
Go to [http://n.example.com:8080](http://n.example.com:8080) and login with:
|
If you deployed the `ldap` target host, add instead:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
networking.hosts = {
|
||||||
|
"127.0.0.1" = [ "n.example.com" "ldap.example.com" ];
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
If you deployed the `basic` target host, go to
|
||||||
|
[http://n.example.com:8080](http://n.example.com:8080) and login with:
|
||||||
|
|
||||||
- username: `root`
|
- username: `root`
|
||||||
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`.
|
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`.
|
||||||
|
|
||||||
|
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
|
||||||
|
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||||
|
|
||||||
|
- username: `admin`
|
||||||
|
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||||
|
|
||||||
|
Create the group `nextcloud_user` and a user assigned to that group.
|
||||||
|
|
||||||
|
Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and
|
||||||
|
password you just created above.
|
||||||
|
|
||||||
Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you
|
Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you
|
||||||
might see errors loading scripts.
|
might see errors loading scripts.
|
||||||
|
|
||||||
|
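Review bot: `If you deployed the \`ldap\` target host, add instead:` follows a `cat /etc/hosts` example but then gives a NixOS `networking.hosts` snippet; a reader editing `/etc/hosts` by hand needs the equivalent line, `127.0.0.1 n.example.com ldap.example.com`, or the earlier example should be switched to the Nix form as well so the two instructions match. Also `login with` as a verb should be `log in with` (three occurrences in this hunk).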
@ -92,9 +121,9 @@ might see errors loading scripts.
|
||||||
|
|
||||||
### Files {#demo-nextcloud-files}
|
### Files {#demo-nextcloud-files}
|
||||||
|
|
||||||
- [`flake.nix`](./flake.nix): nix entry point, defines one target host for
|
- [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for
|
||||||
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for
|
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting
|
||||||
setting up the Nextcloud service.
|
up Nextcloud and the auxiliary services.
|
||||||
- [`configuration.nix`](./configuration.nix): defines all configuration required for colmena
|
- [`configuration.nix`](./configuration.nix): defines all configuration required for colmena
|
||||||
to deploy to the VM. The file has comments if you're interested.
|
to deploy to the VM. The file has comments if you're interested.
|
||||||
- [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout.
|
- [`hardware-configuration.nix`](./hardware-configuration.nix): defines VM specific layout.
|
||||||
|
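Review bot: `selfhostblock's config` should be `Self Host Blocks' config` to match the project name used elsewhere in the manual, and `VM specific layout` wants a hyphen (`VM-specific`).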
@ -150,6 +179,9 @@ nextcloud:
|
||||||
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
|
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
|
||||||
onlyoffice:
|
onlyoffice:
|
||||||
jwt_secret: XYZ...
|
jwt_secret: XYZ...
|
||||||
|
lldap:
|
||||||
|
user_password: c2e32e54ea3e0053eb30841f818a3d9a
|
||||||
|
jwt_secret: 3b19030938608881dc1d2cb2753d9778
|
||||||
```
|
```
|
||||||
|
|
||||||
To open the `secrets.yaml` file and optionnally edit it, run:
|
To open the `secrets.yaml` file and optionnally edit it, run:
|
||||||
|
|
|
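Review bot: the context line `To open the \`secrets.yaml\` file and optionnally edit it, run:` has a typo (`optionally`); since this hunk already touches the section it is cheap to fix here.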
@ -35,11 +35,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703255338,
|
"lastModified": 1704194953,
|
||||||
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
|
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
|
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
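Review bot: the `nixpkgs`, `nixpkgs-stable`, `nixpkgs_2` and `sops-nix` bumps in flake.lock are unrelated to the LDAP integration named in the commit message; splitting them into their own commit keeps this one reviewable and makes a later bisect of the demo far easier.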
@ -51,11 +51,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703351344,
|
"lastModified": 1703950681,
|
||||||
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
|
"narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
|
"rev": "0aad9113182747452dbfc68b93c86e168811fa6c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -67,11 +67,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703134684,
|
"lastModified": 1703499205,
|
||||||
"narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
|
"narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
|
"rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -111,12 +111,12 @@
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703575610,
|
"dirtyRev": "a634a42e48484e061b8fe6f8542ecb9c830f15ac-dirty",
|
||||||
"narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=",
|
"dirtyShortRev": "a634a42-dirty",
|
||||||
"owner": "ibizaman",
|
"lastModified": 1704528621,
|
||||||
"repo": "selfhostblocks",
|
"narHash": "sha256-wQ/vW3o89ryMIkqGx8XDSujRUnhpOfXrTBnJAp6IW8s=",
|
||||||
"rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea",
|
"type": "git",
|
||||||
"type": "github"
|
"url": "file:///home/timi/Projects/selfhostblocks"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "ibizaman",
|
"owner": "ibizaman",
|
||||||
|
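Review bot: the `selfhostblocks` input is now locked to `"type": "git"`, `"url": "file:///home/timi/Projects/selfhostblocks"` with `"dirtyRev": "a634a42e48484e061b8fe6f8542ecb9c830f15ac-dirty"`; that is a local, uncommitted checkout on the author's machine, so nobody else can build the demo and the lock no longer records what was actually tested. Push the required selfhostblocks changes and re-lock against the GitHub ref (the `original` block still says `"owner": "ibizaman"`) before merging.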
@ -130,11 +130,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703387502,
|
"lastModified": 1703991717,
|
||||||
"narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
|
"narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
|
"rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
specialArgs = inputs;
|
specialArgs = inputs;
|
||||||
};
|
};
|
||||||
|
|
||||||
myserver = { config, ... }: {
|
basic = { config, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
selfhostblocks.inputs.sops-nix.nixosModules.default
|
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||||
|
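Review bot: renaming the colmena node from `myserver` to `basic` changes the name used with `--on`; anyone following the previous README will hit a no-such-node error, so the rename should be called out in the commit message or the demo's README.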
@ -39,6 +39,10 @@
|
||||||
externalFqdn = "n.example.com:8080";
|
externalFqdn = "n.example.com:8080";
|
||||||
|
|
||||||
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
|
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||||
|
|
||||||
|
apps = {
|
||||||
|
previewgenerator.enable = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Secret needed for services.nextcloud.config.adminpassFile.
|
# Secret needed for services.nextcloud.config.adminpassFile.
|
||||||
|
@ -54,6 +58,94 @@
|
||||||
shb.nginx.accessLog = true;
|
shb.nginx.accessLog = true;
|
||||||
shb.nginx.debugLog = false;
|
shb.nginx.debugLog = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ldap = { config, ... }: {
|
||||||
|
imports = [
|
||||||
|
./configuration.nix
|
||||||
|
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||||
|
selfhostblocks.nixosModules.x86_64-linux.default
|
||||||
|
];
|
||||||
|
|
||||||
|
# Used by colmena to know which target host to deploy to.
|
||||||
|
deployment = {
|
||||||
|
targetHost = "example";
|
||||||
|
targetUser = "nixos";
|
||||||
|
targetPort = 2222;
|
||||||
|
};
|
||||||
|
|
||||||
|
shb.ldap = {
|
||||||
|
enable = true;
|
||||||
|
domain = "example.com";
|
||||||
|
subdomain = "ldap";
|
||||||
|
ldapPort = 3890;
|
||||||
|
webUIListenPort = 17170;
|
||||||
|
dcdomain = "dc=example,dc=com";
|
||||||
|
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
|
||||||
|
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
|
||||||
|
};
|
||||||
|
sops.secrets."lldap/user_password" = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
mode = "0440";
|
||||||
|
owner = "lldap";
|
||||||
|
group = "lldap";
|
||||||
|
restartUnits = [ "lldap.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."lldap/jwt_secret" = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
mode = "0440";
|
||||||
|
owner = "lldap";
|
||||||
|
group = "lldap";
|
||||||
|
restartUnits = [ "lldap.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
shb.nextcloud = {
|
||||||
|
enable = true;
|
||||||
|
domain = "example.com";
|
||||||
|
subdomain = "n";
|
||||||
|
dataDir = "/var/lib/nextcloud";
|
||||||
|
tracing = null;
|
||||||
|
|
||||||
|
# This option is only needed because we do not access Nextcloud at the default port in the VM.
|
||||||
|
externalFqdn = "n.example.com:8080";
|
||||||
|
|
||||||
|
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||||
|
|
||||||
|
apps = {
|
||||||
|
previewgenerator.enable = true;
|
||||||
|
ldap = {
|
||||||
|
enable = true;
|
||||||
|
host = "127.0.0.1";
|
||||||
|
port = config.shb.ldap.ldapPort;
|
||||||
|
dcdomain = config.shb.ldap.dcdomain;
|
||||||
|
adminName = "admin";
|
||||||
|
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
|
||||||
|
userGroup = "nextcloud_user";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Secret needed for services.nextcloud.config.adminpassFile.
|
||||||
|
sops.secrets."nextcloud/adminpass" = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
mode = "0440";
|
||||||
|
owner = "nextcloud";
|
||||||
|
group = "nextcloud";
|
||||||
|
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||||
|
};
|
||||||
|
# Secret needed for LDAP app.
|
||||||
|
sops.secrets."nextcloud/ldap_admin_password" = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
key = "lldap/user_password";
|
||||||
|
mode = "0400";
|
||||||
|
owner = "nextcloud";
|
||||||
|
group = "nextcloud";
|
||||||
|
restartUnits = [ "nextcloud-setup.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Set to true for more debug info with `journalctl -f -u nginx`.
|
||||||
|
shb.nginx.accessLog = true;
|
||||||
|
shb.nginx.debugLog = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
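Review bot: `sops.secrets."nextcloud/ldap_admin_password"` sets `key = "lldap/user_password"`, so Nextcloud binds to LLDAP as `adminName = "admin"` with the very password a human uses for the LLDAP web UI; a dedicated bind account with read-only rights, or at least a separate secret, would limit what a compromise of the Nextcloud process can do with that credential. Separately, the `ldap` host duplicates the whole `basic` host (deployment block, `shb.nextcloud` settings, the `nextcloud/adminpass` secret, nginx logging) rather than sharing it; a common module or `let` binding would stop the two from drifting, and both hosts using `targetHost = "example"` deserves a comment saying it is intentional.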
@ -1,7 +1,10 @@
|
||||||
nextcloud:
|
nextcloud:
|
||||||
adminpass: ENC[AES256_GCM,data:3FXgVNzKAKrQxoDmRIq188YYrfiEEyYqU3lgwydXHp4=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:nBt+8ciDRBiUzg3JEmiYnw==,type:str]
|
adminpass: ENC[AES256_GCM,data:667e6562Q1SSZRKLMgur1viGd8+MmjU6Oz/DzQ4GLHI=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:5APQH+snOUJ8UPXaIdqR5w==,type:str]
|
||||||
onlyoffice:
|
onlyoffice:
|
||||||
jwt_secret: ENC[AES256_GCM,data:+6qLNuOaFYRT092i1mkboi4DswEbcv/5+fQ0TpTCMkToWtNoxce5FyLoYpJoJIG3Kg5rrpNkfUYDugG9/5KWFu+31h8i8JdsxyiG0GGjtMbaUCzgiUyL+apMxl4S2b6jS2tGoExZhbgDFErE3p/wM5JTic1DE5HsFQr/49JI78w=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:/Z6oSecHHhZVx/jpbx4Wgw==,type:str]
|
jwt_secret: ENC[AES256_GCM,data:5TMDyySlsAHN1DfJLEJXt5jg7r2Gd8RVmLv4T44ye+2B71r6CWew8tcaYybFXT8aXrmVjOcBkVjBlFJ6B3ozkajtZC3teXCUzG+hlKGdN+Oyvd1+WXJO2USk1pREKc4kGwVvYr02lM1PEVLUokh/j/wmL1uFsAYM9482ik5veYg=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:hYRtuqE7ygjHc6zHOz5kBQ==,type:str]
|
||||||
|
lldap:
|
||||||
|
user_password: ENC[AES256_GCM,data:qZO3L7IM9UJ7iR7Q2bdDfY1wmt3TEWLR8NK3rXdojN4=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:KwJFHd85kkm8YGH3NtqanA==,type:str]
|
||||||
|
jwt_secret: ENC[AES256_GCM,data:oCrUTEYO8oETPd8XHq1DiLCSzeRAnrkty3gyo8dxk5c=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:JZUjCbo7CdCmJYJrrsosxQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -11,32 +14,50 @@ sops:
|
||||||
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRFc0aGZxa1RaWmZ4SlRk
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObnkzVkdmUnhyOG1vNE04
|
||||||
c2MweTlQdGNQZE1VTDhrTHUzZ2pocUJFWEhNCndjcHB2elp0Zk1MbEFKTzN6a3pI
|
ZmExS1RkVE5qUm83aVk1bGtTbmo5bGhsc3pBCnNMWjN5cStVRWNlTUVmWi9BQ2py
|
||||||
amdmSERWRFU4dzY1ck5MUE14SXV2c1UKLS0tIFk2MktiV1ljb3E3aXBFdTVlNUk0
|
NEswQS9xNGtPZGdQRWdzWDV1RnJNbGsKLS0tIC8yQW9ZazlNTm80d0l5bEo0M2lW
|
||||||
QWZUZWc4amJFVkkxb0tPc1FmeklTNFEK1Pqwg8AI2yw3y9dU9p6Mx2bhKb3lUPt7
|
QnVXMUpXcUFZRWhpUHJjOFZjWGFYSFkKomaixOjgaD1LubawJVhWAgVqjOkpc9+2
|
||||||
WhyWZbRT4zKjkcUp2NazqMKM35ru5i0037praFJgz05zkStn6twMqA==
|
xNHKlgBEXDnBeMK9BgPgYIRk8ce79rxuqwaOAPqrEmPsafvoxZq5Wg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9
|
- recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHckF2U0NLaXhsaGVtcms2
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndGErUWt4M3BtR3dVT2lo
|
||||||
bWZWN1RLQXh3VXRHTzQyM20wTFd0NVA5WTFBCjZvcXlDQS81NXhFRmlHZVV4WHRT
|
SmY1M0k0bkxEcGNxNkdYZDFVaUVIaFA0blhNCm9oWmVyRlJ4eVlxM2l0anhrMERz
|
||||||
VUhteXIyc1dtRE1OZmk1MmVaM3VzSkEKLS0tIGgrYzFaRkdwMnNEc1F1MGNwQjVx
|
RTZ1Z1dINDZZdGN3UUJweWRjRWUyT1UKLS0tIGl1dUNwU0ZSRFhwUENIbHhGT3VP
|
||||||
U3RwYXR6elZ4YTFTNGk4dDVuaUhDUjQKfkIG0oDVqDfSZCxHOZThFlY2V0KpXwBY
|
MTlZVFVtbEFnV1pJTTRjV2pqRnUrYW8KXTdes+gb8h7PL0l34rnRKtPvIr3tUJKZ
|
||||||
D7eodJ26fjJBAaqbvZkWF/BMCKTpAs4cQEHIW70yu6c+kMdV10D9fA==
|
UfD+/e3I/+Gw4IpCvIpMoBBT0bxyyMJROKo4oP9GTIrbw5fHV9+bcg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
- recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq
|
- recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cm5oRXpPTER3a0djWVov
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTjZiZkl3QnUzYkxjSzYr
|
||||||
b2E3UjVNQnNKdFVxZnpkN0l6MjdkdDdXbkZrCk1nQ3Z3Y1psZmdRelJsZkRmV2Zk
|
NDVEcWROZDNVV0tUbWVOTUhQWE5LenBrU2c4CmRHcTlkamtibVhOU1dTOTlIanFp
|
||||||
WWVXMVplL0gxRDFlemhGQVp3eDhuajgKLS0tIGMxQVJjc0xkOVIrSzFYNXk0MHNM
|
MUt1dnJpR2RUVGwwbTBaYnpXdE1XOHMKLS0tIGJ2YlRMQXpXVlpJRExOdUZ2MDJ6
|
||||||
aHg3S3MycVJTcVZvR0hYZ1RXelhqcWMKsb4tbh/q/XDdDmwkxLvaa5olDjYIGIVH
|
WVJMRFMvYkFJenhlQjVGRlZsYlpLdFUKGQmMb2aZKvWnBp4hKAdBZnQMW+pLZC9t
|
||||||
oZSqSF4ws7bRPTX8WAFFyoRw2kcZyc41WfBY1/8DcBKE/SHe5TKPEg==
|
FJCAxZpFEaq22Zthe2dvh1v8X51Jde7bkylL2Z6CcuCLYkPgHhOgCw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-12-22T07:04:41Z"
|
- recipient: age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s
|
||||||
mac: ENC[AES256_GCM,data:J9EsLR+Rr23io0zx7NnHahds3Y4PNGgKoooLb4hXXeu/sORz+IWALhnF35SHsZaAAvwdCtjy5G7jrryRMKWGXy1uMs7WcsDGtI36Q9DVBuUav8gLWes0NEMv62nKrruS1zMcgYQdEPo7AL3sadbQxusEQNbhVfGxbiPXE9U3sfE=,iv:EpwwUnIhQeIHB13GBHFYELMeo36Qm45G382wQTcE8FM=,tag:Jb9C28oQjzsGVE1oFJzIBg==,type:str]
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazRkcVBvT0NGYk1nUjdK
|
||||||
|
V1o5V3VaYjY4YTNmYlpQUkZNV1lZN0JSSXdBCngrdjd3T1RHK1dOQUd6alFVQkhm
|
||||||
|
blRPNlg5T2xQVThqNzAybkk5U2VrQmMKLS0tIGVOVFlpNlIzcG9BY0R5UVMrUTk0
|
||||||
|
YzM4cTdoOHFzUGREZnBBTkFHZ2hQNVkKvZefP0yX08wSaXSvNh5NH+lUu4GvDeVQ
|
||||||
|
ieagXUh5IYmpZ6W8+Ifz3DqbLTELpLCdL45yj8ChoVkEGGGt2XHiiw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZHZEU3RnKzYrTWovSUNu
|
||||||
|
aUszcHFxMVBqMnpiV3d3d3lNQk40TjdSdTNnCjluSUNpeTg0QUUxYkhPeHRubFE4
|
||||||
|
cEVOcFU4eUwvZitwN3JESUFoWnlCcFEKLS0tIElTN2J2M3ZhUUgxbGlWY242YkNF
|
||||||
|
UlFuMGFVeElOdGVwL0NReXhFVDJOZzgKTROtZpvVl+d1wfuf7otaIo6nDdVzsQ9O
|
||||||
|
kT+S01M2kC2gX+oDAcD20cNJdwnD/ETCdTk93qxpX1jAtDiz1WBSmg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-01-06T09:06:26Z"
|
||||||
|
mac: ENC[AES256_GCM,data:pitmTT1egqTEOI4fEsaE/kpLOdPjO3AHwNIUB4MYp9E8GeD+AOkX7U/KwOailC245wqGNNzCDJn7PD/IZ93cOXcsdMuhKUg/QNogz337DIioeFxx+Vf50mFv44Lf1Vtu7MG80zOXVHrmls/hb+E4HL55OujWmEKXWodeECvgfpw=,iv:57716xGcpRNxGdnihH7qbr8/I7t0MWYIbh3PoxqDZBo=,tag:qqA7nEbSPrpWBwZyuOWN8g==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
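Review bot: two new age recipients (`age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s` and `age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze`) are added to the file, but neither the commit message nor the README hunks say which keys they are; since the README states that every demo private key is published, say where these two come from so a reader can verify the file decrypts with the keys shipped in the demo.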
@ -211,8 +211,7 @@ shb.backup.instances.all = backupcfg repos ["/var/lib/myfolder1" "/var/lib/myfol
|
||||||
|
|
||||||
## Demo {#blocks-backup-demo}
|
## Demo {#blocks-backup-demo}
|
||||||
|
|
||||||
Head over to the [Home Assistant demo](demo-homeassistant.html) for a demo that installs Home
|
[WIP]
|
||||||
Assistant on a VM with minimal manual steps.
|
|
||||||
|
|
||||||
## Monitoring {#blocks-backup-monitoring}
|
## Monitoring {#blocks-backup-monitoring}
|
||||||
|
|
||||||
|
|
|
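Review bot: replacing the sentence that pointed at `demo-homeassistant.html` with a bare `[WIP]` removes the backup block's only demo link and has nothing to do with the LDAP change; if the Home Assistant demo no longer exercises backups, a one-line explanation beats a placeholder, and either way this edit belongs in its own commit.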
@ -277,7 +277,21 @@ in
|
||||||
|
|
||||||
tracing = lib.mkOption {
|
tracing = lib.mkOption {
|
||||||
type = lib.types.nullOr lib.types.str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
description = "Enable xdebug tracing.";
|
description = ''
|
||||||
|
Enable xdebug tracing.
|
||||||
|
|
||||||
|
To trigger writing a trace to `/var/log/xdebug`, add a the following header:
|
||||||
|
|
||||||
|
```
|
||||||
|
XDEBUG_TRACE <shb.nextcloud.tracing value>
|
||||||
|
```
|
||||||
|
|
||||||
|
The response will contain the following header:
|
||||||
|
|
||||||
|
```
|
||||||
|
x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484
|
||||||
|
```
|
||||||
|
'';
|
||||||
default = null;
|
default = null;
|
||||||
example = "debug_me";
|
example = "debug_me";
|
||||||
};
|
};
|
||||||
|
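Review bot: `add a the following header` has a stray `a`. More importantly, the description pairs a request header named `XDEBUG_TRACE` with a response header `x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484`; `cachegrind.out.*` files are what Xdebug's profiler writes, while the tracer writes trace files, so either the trigger should be documented as `XDEBUG_PROFILE` or the response header example comes from a different run. Please verify against a real request before this lands in the option docs, and show the request header as it is sent, with its colon (`XDEBUG_TRACE: <value>`).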
@ -534,9 +548,6 @@ in
|
||||||
|
|
||||||
echo "Using configId $CONFIG_ID"
|
echo "Using configId $CONFIG_ID"
|
||||||
|
|
||||||
CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"
|
|
||||||
|
|
||||||
|
|
||||||
# The following CLI commands follow
|
# The following CLI commands follow
|
||||||
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
||||||
|
|
||||||
|
|
|
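Review bot: dropping `CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"` is only safe if nothing further down the script still reads `$CONFIG`; the hunk does not show the rest of the block, so please grep for `$CONFIG` (as distinct from `$CONFIG_ID`) in the same script, since with `set -u` a stale reference aborts the setup and without it silently passes an empty value to `occ`.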
@ -8,12 +8,10 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
|
||||||
|
|
||||||
- Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need
|
- Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need
|
||||||
to configure those with the UI.
|
to configure those with the UI.
|
||||||
- LDAP app: enables app and sets up integration with an existing LDAP server. The defaults are
|
- [LDAP](#services-nextcloud-server-usage-ldap) app: enables app and sets up integration with an existing LDAP server.
|
||||||
suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building
|
- [Preview Generator](#services-nextcloud-server-usage-previewgenerator) app: enables app and sets
|
||||||
block](./block-ldap.html).
|
|
||||||
- [Preview Generator](https://apps.nextcloud.com/apps/previewgenerator) app: enables app and sets
|
|
||||||
up required cron job.
|
up required cron job.
|
||||||
- [Only Office](https://apps.nextcloud.com/apps/onlyoffice) app: enables app and sets up Only
|
- [Only Office](#services-nextcloud-server-usage-onlyoffice) app: enables app and sets up Only
|
||||||
Office service.
|
Office service.
|
||||||
- Any other app through the
|
- Any other app through the
|
||||||
[shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option.
|
[shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option.
|
||||||
|
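Review bot: the LDAP bullet loses `The defaults are suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building block](./block-ldap.html).`; that was the only place this page pointed readers at the LDAP block, and the new usage-section anchor does not replace it, so keep a short pointer to `block-ldap.html` in the bullet. The Preview Generator bullet likewise swaps its app-store link for the internal anchor; linking both is harmless.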
@ -37,7 +35,9 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
|
||||||
|
|
||||||
## Usage {#services-nextcloud-server-usage}
|
## Usage {#services-nextcloud-server-usage}
|
||||||
|
|
||||||
### Minimal {#services-nextcloud-server-usage-minimal}
|
### Basic Configuration {#services-nextcloud-server-usage-basic}
|
||||||
|
|
||||||
|
This section corresponds to the `basic` target host defined in the [flake.nix](./flake.nix) file.
|
||||||
|
|
||||||
This will set up a Nextcloud service that runs on the NixOS target machine, reachable at
|
This will set up a Nextcloud service that runs on the NixOS target machine, reachable at
|
||||||
`http://nextcloud.example.com`. If the `shb.ssl` block is [enabled](block-ssl.html#usage), the
|
`http://nextcloud.example.com`. If the `shb.ssl` block is [enabled](block-ssl.html#usage), the
|
||||||
|
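Review bot: changing the heading id from `{#services-nextcloud-server-usage-minimal}` to `{#services-nextcloud-server-usage-basic}` breaks any existing inbound links to the old id; grep the manual for `usage-minimal`. The following context line still says the service is reachable at `http://nextcloud.example.com`, while the `basic` host this section now claims to mirror uses `externalFqdn = "n.example.com:8080"`, so one of the two should be adjusted.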
@ -69,6 +69,59 @@ sops.secrets."nextcloud/adminpass" = {
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### With LDAP Support {#services-nextcloud-server-usage-ldap}
|
||||||
|
|
||||||
|
This section corresponds to the `ldap` target host defined in the [flake.nix](./flake.nix) file. The same information from the [basic](#services-nextcloud-server-usage-basic) section applies, so please read that first.
|
||||||
|
|
||||||
|
This target host uses the LDAP block provided by Self Host Blocks to setup a
|
||||||
|
[LLDAP](https://github.com/lldap/lldap) service.
|
||||||
|
|
||||||
|
```nix
|
||||||
|
shb.ldap = {
|
||||||
|
enable = true;
|
||||||
|
domain = "example.com";
|
||||||
|
subdomain = "ldap";
|
||||||
|
ldapPort = 3890;
|
||||||
|
webUIListenPort = 17170;
|
||||||
|
dcdomain = "dc=example,dc=com";
|
||||||
|
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
|
||||||
|
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."lldap/user_password" = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
mode = "0440";
|
||||||
|
owner = "lldap";
|
||||||
|
group = "lldap";
|
||||||
|
restartUnits = [ "lldap.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."lldap/jwt_secret" = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
mode = "0440";
|
||||||
|
owner = "lldap";
|
||||||
|
group = "lldap";
|
||||||
|
restartUnits = [ "lldap.service" ];
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
We also need to configure the `nextcloud` Self Host Blocks service to talk to the LDAP server we
|
||||||
|
just defined:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
shb.nextcloud.apps.ldap
|
||||||
|
enable = true;
|
||||||
|
host = "127.0.0.1";
|
||||||
|
port = config.shb.ldap.ldapPort;
|
||||||
|
dcdomain = config.shb.ldap.dcdomain;
|
||||||
|
adminName = "admin";
|
||||||
|
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
|
||||||
|
userGroup = "nextcloud_user";
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
It's nice to be able to reference a options that were defined in the ldap block.
|
||||||
|
|
||||||
### Tweak PHPFpm Config {#services-nextcloud-server-usage-phpfpm}
|
### Tweak PHPFpm Config {#services-nextcloud-server-usage-phpfpm}
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
|
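Review bot: the second snippet is not valid Nix: `shb.nextcloud.apps.ldap` is missing ` = {` before `enable = true;`, so copying it fails to parse. It also references `config.sops.secrets."nextcloud/ldap_admin_password".path` without defining that secret anywhere in this section; the flake.nix in this commit defines it with `key = "lldap/user_password"`, and that `sops.secrets` block belongs here too, with a remark that it reuses the LLDAP admin password. Minor: `to setup a` should be `to set up a`, and `reference a options that were defined` should be `reference options defined`.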
@ -108,21 +161,36 @@ shb.nextcloud.postgresSettings = {
|
||||||
|
|
||||||
TODO
|
TODO
|
||||||
|
|
||||||
### Enable OnlyOffice Server {#services-nextcloud-server-usage-onlyoffice}
|
### Enable Preview Generator App {#services-nextcloud-server-usage-previewgenerator}
|
||||||
|
|
||||||
The following snippets sets up an onlyoffice instance listening at `onlyoffice.example.com` that
|
The following snippet installs and enables the [Preview
|
||||||
only listens on the local nextwork.
|
Generator](https://apps.nextcloud.com/apps/previewgenerator) application as well as creates the
|
||||||
|
required cron job that generates previews every 10 minutes.
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
shb.nextcloud.onlyoffice = {
|
shb.nextcloud.apps.previewgenerator.enable = true;
|
||||||
|
```
|
||||||
|
|
||||||
|
Note that you still need to generate the previews for any pre-existing files with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nextcloud-occ -vvv preview:generate-all
|
||||||
|
```
|
||||||
|
|
||||||
|
### Enable OnlyOffice App {#services-nextcloud-server-usage-onlyoffice}
|
||||||
|
|
||||||
|
The following snippet installs and enables the [Only
|
||||||
|
Office](https://apps.nextcloud.com/apps/onlyoffice) application as well as sets up an Only Office
|
||||||
|
instance listening at `onlyoffice.example.com` that only listens on the local network.
|
||||||
|
|
||||||
|
```nix
|
||||||
|
shb.nextcloud.apps.onlyoffice = {
|
||||||
|
enable = true;
|
||||||
subdomain = "onlyoffice";
|
subdomain = "onlyoffice";
|
||||||
localNextworkIPRange = "192.168.1.1/24";
|
localNextworkIPRange = "192.168.1.1/24";
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
You still need to install the OnlyOffice integration in Nextcloud UI. Setting up the integration
|
|
||||||
declaratively is WIP.
|
|
||||||
|
|
||||||
Also, you will need to explicitly allow the package `corefonts`:
|
Also, you will need to explicitly allow the package `corefonts`:
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
|
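Review bot: the sentence `You still need to install the OnlyOffice integration in Nextcloud UI. Setting up the integration declaratively is WIP.` is removed and the option is renamed from `shb.nextcloud.onlyoffice` to `shb.nextcloud.apps.onlyoffice`, yet no module hunk in this commit shows either the rename or the manual step becoming declarative; confirm both in the module, otherwise the docs now promise more than the code does. While here, `localNextworkIPRange` looks like a typo for `localNetworkIPRange` unless the option is really spelled that way, and the example `192.168.1.1/24` has host bits set; `192.168.1.0/24` is the canonical form and avoids parsers that reject it.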
@ -133,7 +201,8 @@ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg)
|
||||||
|
|
||||||
### Enable Monitoring {#services-nextcloud-server-server-usage-monitoring}
|
### Enable Monitoring {#services-nextcloud-server-server-usage-monitoring}
|
||||||
|
|
||||||
Enable the [monitoring block](./blocks-monitoring.html).
|
Enable the [monitoring block](./blocks-monitoring.html). The metrics will automatically appear in
|
||||||
|
the corresponding dashboards.
|
||||||
|
|
||||||
### Enable Tracing {#services-nextcloud-server-server-usage-tracing}
|
### Enable Tracing {#services-nextcloud-server-server-usage-tracing}
|
||||||
|
|
||||||
|
@ -151,8 +220,8 @@ how to look at the traces.
|
||||||
|
|
||||||
## Demo {#services-nextcloud-server-demo}
|
## Demo {#services-nextcloud-server-demo}
|
||||||
|
|
||||||
Head over to the [Nextcloud demo](demo-nextcloud.html) for a demo that installs Nextcloud on a VM
|
Head over to the [Nextcloud demo](demo-nextcloud-server.html) for a demo that installs Nextcloud with or
|
||||||
with minimal manual steps.
|
without LDAP integration on a VM with minimal manual steps.
|
||||||
|
|
||||||
## Maintenance {#services-nextcloud-server-maintenance}
|
## Maintenance {#services-nextcloud-server-maintenance}
|
||||||
|
|
||||||
|
|
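Review bot: the demo link changes from `demo-nextcloud.html` to `demo-nextcloud-server.html`, but the backup block page in this same commit links `demo-homeassistant.html` without a `-server` suffix and the demo README's heading id is `{#demo-nextcloud-files}`, which suggests a generated page named `demo-nextcloud.html`; confirm the rendered filename or this link will 404.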