
remove sops file dependency in nextcloud and ssl requirement

refs #24
This commit is contained in:
ibizaman 2023-12-22 23:16:53 -08:00 committed by Pierre Penninckx
parent 7804eb12dd
commit 40f0f233c2


@ -21,16 +21,22 @@ in
example = "domain.com"; example = "domain.com";
}; };
externalFqdn = lib.mkOption {
description = "External fqdn used to access Nextcloud. Defaults to <subdomain>.<domain>. This should only be set if you include the port when accessing Nextcloud.";
type = lib.types.nullOr lib.types.str;
example = "nextcloud.domain.com:8080";
default = null;
};
dataDir = lib.mkOption { dataDir = lib.mkOption {
description = "Folder where Nextcloud will store all its data."; description = "Folder where Nextcloud will store all its data.";
type = lib.types.str; type = lib.types.str;
default = "/var/lib/nextcloud"; default = "/var/lib/nextcloud";
}; };
sopsFile = lib.mkOption { adminPassFile = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = "Sops file location"; description = "File containing the Nextcloud admin password.";
example = "secrets/nextcloud.yaml";
}; };
onlyoffice = lib.mkOption { onlyoffice = lib.mkOption {
@ -49,12 +55,18 @@ in
description = "Local network range, to restrict access to Open Office to only those IPs."; description = "Local network range, to restrict access to Open Office to only those IPs.";
example = "192.168.1.1/24"; example = "192.168.1.1/24";
}; };
jwtSecretFile = lib.mkOption {
type = lib.types.path;
description = "File containing the JWT secret.";
};
}; };
}); });
}; };
postgresSettings = lib.mkOption { postgresSettings = lib.mkOption {
type = lib.types.attrsOf lib.types.str; type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
default = null;
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here."; description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
example = lib.literalExpression '' example = lib.literalExpression ''
{ {
@ -90,9 +102,10 @@ in
}; };
phpFpmPoolSettings = lib.mkOption { phpFpmPoolSettings = lib.mkOption {
type = lib.types.attrsOf lib.types.anything; type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
description = "Settings for PHPFPM."; description = "Settings for PHPFPM.";
default = lib.literalExpression '' default = null;
example = lib.literalExpression ''
{ {
"pm" = "dynamic"; "pm" = "dynamic";
"pm.max_children" = 50; "pm.max_children" = 50;
@ -114,10 +127,10 @@ in
}; };
tracing = lib.mkOption { tracing = lib.mkOption {
type = lib.types.bool; type = lib.types.nullOr lib.types.str;
description = "Enable xdebug tracing."; description = "Enable xdebug tracing.";
default = false; default = null;
example = true; example = "debug_me";
}; };
}; };
@ -160,7 +173,7 @@ in
config = { config = {
dbtype = "pgsql"; dbtype = "pgsql";
adminuser = "root"; adminuser = "root";
adminpassFile = "/run/secrets/nextcloud/adminpass"; adminpassFile = cfg.adminPassFile;
# Not using dbpassFile as we're using socket authentication. # Not using dbpassFile as we're using socket authentication.
defaultPhoneRegion = "US"; defaultPhoneRegion = "US";
trustedProxies = [ "127.0.0.1" ]; trustedProxies = [ "127.0.0.1" ];
@ -177,14 +190,18 @@ in
webfinger = true; webfinger = true;
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security # Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
https = true; https = config.shb.ssl.enable;
extraOptions = { extraOptions = let
"overwrite.cli.url" = "https://" + fqdn; protocol = if config.shb.ssl.enable then "https" else "http";
"overwritehost" = fqdn; in {
"overwrite.cli.url" = "${protocol}://${fqdn}";
"overwritehost" = if (isNull cfg.externalFqdn) then fqdn else cfg.externalFqdn;
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2 # 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
# TODO: could instead set extraTrustedDomains
"trusted_domains" = [ fqdn ]; "trusted_domains" = [ fqdn ];
"overwriteprotocol" = "https"; # Needed if behind a reverse_proxy # TODO: could instead set overwriteProtocol
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work. "overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
"debug" = cfg.debug; "debug" = cfg.debug;
"filelocking.debug" = cfg.debug; "filelocking.debug" = cfg.debug;
@ -209,37 +226,28 @@ in
"redis.session.locking_enabled" = "1"; "redis.session.locking_enabled" = "1";
"redis.session.lock_retries" = "-1"; "redis.session.lock_retries" = "-1";
"redis.session.lock_wait_time" = "10000"; "redis.session.lock_wait_time" = "10000";
} // lib.optionalAttrs cfg.tracing { } // lib.optionalAttrs (! (isNull cfg.tracing)) {
# "xdebug.remote_enable" = "on"; # "xdebug.remote_enable" = "on";
# "xdebug.remote_host" = "127.0.0.1"; # "xdebug.remote_host" = "127.0.0.1";
# "xdebug.remote_port" = "9000"; # "xdebug.remote_port" = "9000";
# "xdebug.remote_handler" = "dbgp"; # "xdebug.remote_handler" = "dbgp";
"xdebug.trigger_value" = "debug_me"; "xdebug.trigger_value" = cfg.tracing;
"xdebug.mode" = "profile,trace"; "xdebug.mode" = "profile,trace";
"xdebug.output_dir" = "/var/log/xdebug"; "xdebug.output_dir" = "/var/log/xdebug";
"xdebug.start_with_request" = "trigger"; "xdebug.start_with_request" = "trigger";
}; };
poolSettings = cfg.phpFpmPoolSettings; poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
phpExtraExtensions = all: [ all.xdebug ]; phpExtraExtensions = all: [ all.xdebug ];
}; };
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
inherit (cfg) sopsFile;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.nginx.virtualHosts.${fqdn} = { services.nginx.virtualHosts.${fqdn} = {
# listen = [ { addr = "0.0.0.0"; port = 443; } ]; # listen = [ { addr = "0.0.0.0"; port = 443; } ];
sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem"; sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem"; sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
forceSSL = true; forceSSL = lib.mkIf config.shb.ssl.enable true;
}; };
environment.systemPackages = [ environment.systemPackages = [
@ -250,7 +258,7 @@ in
pkgs.nodejs pkgs.nodejs
]; ];
services.postgresql.settings = cfg.postgresSettings; services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
systemd.services.phpfpm-nextcloud.serviceConfig = { systemd.services.phpfpm-nextcloud.serviceConfig = {
# Setup permissions needed for backups, as the backup user is member of the jellyfin group. # Setup permissions needed for backups, as the backup user is member of the jellyfin group.
@ -279,27 +287,18 @@ in
postgresHost = "/run/postgresql"; postgresHost = "/run/postgresql";
jwtSecretFile = "/run/secrets/nextcloud/onlyoffice/jwt_secret"; jwtSecretFile = cfg.onlyoffice.jwtSecretFile;
}; };
services.nginx.virtualHosts."${cfg.onlyoffice.subdomain}.${cfg.domain}" = { services.nginx.virtualHosts."${cfg.onlyoffice.subdomain}.${cfg.domain}" = {
sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem"; sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem"; sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
forceSSL = true; forceSSL = lib.mkIf config.shb.ssl.enable true;
locations."/" = { locations."/" = {
extraConfig = '' extraConfig = ''
allow ${cfg.onlyoffice.localNetworkIPRange}; allow ${cfg.onlyoffice.localNetworkIPRange};
''; '';
}; };
}; };
# Secret needed for services.onlyoffice.jwtSecretFile
sops.secrets."nextcloud/onlyoffice/jwt_secret" = {
inherit (cfg) sopsFile;
mode = "0440";
owner = "onlyoffice";
group = "onlyoffice";
restartUnits = [ "onlyoffice-docservice.service" ];
};
})]; })];
} }
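Review bot: The new `adminPassFile` option in the first hunk (and `jwtSecretFile` in the second) drops the ownership and permission contract that the removed `sops.secrets` blocks enforced (`mode = "0440"`, owner/group `nextcloud` and `onlyoffice`, plus `restartUnits`), but the option descriptions do not tell the caller what the file must now look like. Since the value is passed straight through to `services.nextcloud.config.adminpassFile` and `services.onlyoffice.jwtSecretFile`, a file the `nextcloud` or `onlyoffice` user cannot read fails only at service start, and a rotated secret no longer restarts the unit. I would extend the description to `"File containing the Nextcloud admin password. Must be readable by the nextcloud user; pass a runtime path string (e.g. one produced by a secrets manager), not a Nix path literal, which would be copied into the world-readable Nix store."` and the equivalent wording naming the `onlyoffice` user for `jwtSecretFile`. Separately, in the `@ -177,14 +190,18` hunk `overwritehost` now uses `cfg.externalFqdn` when set while `trusted_domains` still lists only `fqdn`; it may be worth adding `cfg.externalFqdn` there as well so the two options cannot drift apart. The enclosing module attribute set starts before the first hunk.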