parent
7804eb12dd
commit
40f0f233c2
1 changed files with 44 additions and 45 deletions
|
@ -21,16 +21,22 @@ in
|
||||||
example = "domain.com";
|
example = "domain.com";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
externalFqdn = lib.mkOption {
|
||||||
|
description = "External fqdn used to access Nextcloud. Defaults to <subdomain>.<domain>. This should only be set if you include the port when accessing Nextcloud.";
|
||||||
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
example = "nextcloud.domain.com:8080";
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
|
||||||
dataDir = lib.mkOption {
|
dataDir = lib.mkOption {
|
||||||
description = "Folder where Nextcloud will store all its data.";
|
description = "Folder where Nextcloud will store all its data.";
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = "/var/lib/nextcloud";
|
default = "/var/lib/nextcloud";
|
||||||
};
|
};
|
||||||
|
|
||||||
sopsFile = lib.mkOption {
|
adminPassFile = lib.mkOption {
|
||||||
type = lib.types.path;
|
type = lib.types.path;
|
||||||
description = "Sops file location";
|
description = "File containing the Nextcloud admin password.";
|
||||||
example = "secrets/nextcloud.yaml";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
onlyoffice = lib.mkOption {
|
onlyoffice = lib.mkOption {
|
||||||
|
@ -49,12 +55,18 @@ in
|
||||||
description = "Local network range, to restrict access to Open Office to only those IPs.";
|
description = "Local network range, to restrict access to Open Office to only those IPs.";
|
||||||
example = "192.168.1.1/24";
|
example = "192.168.1.1/24";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
jwtSecretFile = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "File containing the JWT secret.";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
postgresSettings = lib.mkOption {
|
postgresSettings = lib.mkOption {
|
||||||
type = lib.types.attrsOf lib.types.str;
|
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
|
||||||
|
default = null;
|
||||||
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
|
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
|
||||||
example = lib.literalExpression ''
|
example = lib.literalExpression ''
|
||||||
{
|
{
|
||||||
|
@ -90,9 +102,10 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
phpFpmPoolSettings = lib.mkOption {
|
phpFpmPoolSettings = lib.mkOption {
|
||||||
type = lib.types.attrsOf lib.types.anything;
|
type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
|
||||||
description = "Settings for PHPFPM.";
|
description = "Settings for PHPFPM.";
|
||||||
default = lib.literalExpression ''
|
default = null;
|
||||||
|
example = lib.literalExpression ''
|
||||||
{
|
{
|
||||||
"pm" = "dynamic";
|
"pm" = "dynamic";
|
||||||
"pm.max_children" = 50;
|
"pm.max_children" = 50;
|
||||||
|
@ -114,10 +127,10 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
tracing = lib.mkOption {
|
tracing = lib.mkOption {
|
||||||
type = lib.types.bool;
|
type = lib.types.nullOr lib.types.str;
|
||||||
description = "Enable xdebug tracing.";
|
description = "Enable xdebug tracing.";
|
||||||
default = false;
|
default = null;
|
||||||
example = true;
|
example = "debug_me";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -160,7 +173,7 @@ in
|
||||||
config = {
|
config = {
|
||||||
dbtype = "pgsql";
|
dbtype = "pgsql";
|
||||||
adminuser = "root";
|
adminuser = "root";
|
||||||
adminpassFile = "/run/secrets/nextcloud/adminpass";
|
adminpassFile = cfg.adminPassFile;
|
||||||
# Not using dbpassFile as we're using socket authentication.
|
# Not using dbpassFile as we're using socket authentication.
|
||||||
defaultPhoneRegion = "US";
|
defaultPhoneRegion = "US";
|
||||||
trustedProxies = [ "127.0.0.1" ];
|
trustedProxies = [ "127.0.0.1" ];
|
||||||
|
@ -177,14 +190,18 @@ in
|
||||||
webfinger = true;
|
webfinger = true;
|
||||||
|
|
||||||
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
|
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
|
||||||
https = true;
|
https = config.shb.ssl.enable;
|
||||||
|
|
||||||
extraOptions = {
|
extraOptions = let
|
||||||
"overwrite.cli.url" = "https://" + fqdn;
|
protocol = if config.shb.ssl.enable then "https" else "http";
|
||||||
"overwritehost" = fqdn;
|
in {
|
||||||
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
|
"overwrite.cli.url" = "${protocol}://${fqdn}";
|
||||||
|
"overwritehost" = if (isNull cfg.externalFqdn) then fqdn else cfg.externalFqdn;
|
||||||
|
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
|
||||||
|
# TODO: could instead set extraTrustedDomains
|
||||||
"trusted_domains" = [ fqdn ];
|
"trusted_domains" = [ fqdn ];
|
||||||
"overwriteprotocol" = "https"; # Needed if behind a reverse_proxy
|
# TODO: could instead set overwriteProtocol
|
||||||
|
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
|
||||||
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
|
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
|
||||||
"debug" = cfg.debug;
|
"debug" = cfg.debug;
|
||||||
"filelocking.debug" = cfg.debug;
|
"filelocking.debug" = cfg.debug;
|
||||||
|
@ -209,37 +226,28 @@ in
|
||||||
"redis.session.locking_enabled" = "1";
|
"redis.session.locking_enabled" = "1";
|
||||||
"redis.session.lock_retries" = "-1";
|
"redis.session.lock_retries" = "-1";
|
||||||
"redis.session.lock_wait_time" = "10000";
|
"redis.session.lock_wait_time" = "10000";
|
||||||
} // lib.optionalAttrs cfg.tracing {
|
} // lib.optionalAttrs (! (isNull cfg.tracing)) {
|
||||||
# "xdebug.remote_enable" = "on";
|
# "xdebug.remote_enable" = "on";
|
||||||
# "xdebug.remote_host" = "127.0.0.1";
|
# "xdebug.remote_host" = "127.0.0.1";
|
||||||
# "xdebug.remote_port" = "9000";
|
# "xdebug.remote_port" = "9000";
|
||||||
# "xdebug.remote_handler" = "dbgp";
|
# "xdebug.remote_handler" = "dbgp";
|
||||||
"xdebug.trigger_value" = "debug_me";
|
"xdebug.trigger_value" = cfg.tracing;
|
||||||
|
|
||||||
"xdebug.mode" = "profile,trace";
|
"xdebug.mode" = "profile,trace";
|
||||||
"xdebug.output_dir" = "/var/log/xdebug";
|
"xdebug.output_dir" = "/var/log/xdebug";
|
||||||
"xdebug.start_with_request" = "trigger";
|
"xdebug.start_with_request" = "trigger";
|
||||||
};
|
};
|
||||||
|
|
||||||
poolSettings = cfg.phpFpmPoolSettings;
|
poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
|
||||||
|
|
||||||
phpExtraExtensions = all: [ all.xdebug ];
|
phpExtraExtensions = all: [ all.xdebug ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Secret needed for services.nextcloud.config.adminpassFile.
|
|
||||||
sops.secrets."nextcloud/adminpass" = {
|
|
||||||
inherit (cfg) sopsFile;
|
|
||||||
mode = "0440";
|
|
||||||
owner = "nextcloud";
|
|
||||||
group = "nextcloud";
|
|
||||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts.${fqdn} = {
|
services.nginx.virtualHosts.${fqdn} = {
|
||||||
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
|
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
|
||||||
sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem";
|
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
|
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = lib.mkIf config.shb.ssl.enable true;
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
@ -250,7 +258,7 @@ in
|
||||||
pkgs.nodejs
|
pkgs.nodejs
|
||||||
];
|
];
|
||||||
|
|
||||||
services.postgresql.settings = cfg.postgresSettings;
|
services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
|
||||||
|
|
||||||
systemd.services.phpfpm-nextcloud.serviceConfig = {
|
systemd.services.phpfpm-nextcloud.serviceConfig = {
|
||||||
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
|
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
|
||||||
|
@ -279,27 +287,18 @@ in
|
||||||
|
|
||||||
postgresHost = "/run/postgresql";
|
postgresHost = "/run/postgresql";
|
||||||
|
|
||||||
jwtSecretFile = "/run/secrets/nextcloud/onlyoffice/jwt_secret";
|
jwtSecretFile = cfg.onlyoffice.jwtSecretFile;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."${cfg.onlyoffice.subdomain}.${cfg.domain}" = {
|
services.nginx.virtualHosts."${cfg.onlyoffice.subdomain}.${cfg.domain}" = {
|
||||||
sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem";
|
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
|
||||||
sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
|
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
|
||||||
forceSSL = true;
|
forceSSL = lib.mkIf config.shb.ssl.enable true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
allow ${cfg.onlyoffice.localNetworkIPRange};
|
allow ${cfg.onlyoffice.localNetworkIPRange};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Secret needed for services.onlyoffice.jwtSecretFile
|
|
||||||
sops.secrets."nextcloud/onlyoffice/jwt_secret" = {
|
|
||||||
inherit (cfg) sopsFile;
|
|
||||||
mode = "0440";
|
|
||||||
owner = "onlyoffice";
|
|
||||||
group = "onlyoffice";
|
|
||||||
restartUnits = [ "onlyoffice-docservice.service" ];
|
|
||||||
};
|
|
||||||
})];
|
})];
|
||||||
}
|
}
|
||||||
|
|
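Review bot: Replacing the sops-managed secrets with the `adminPassFile` and `jwtSecretFile` options (first and second hunks) drops the guarantees the deleted `sops.secrets` blocks in the last two hunks provided — `mode = "0440"`, the `nextcloud`/`onlyoffice` owner and group, and `restartUnits` — and nothing in the new code checks that the file is readable only by the service user or restarts `phpfpm-nextcloud`/`onlyoffice-docservice` when the secret rotates. Both options are typed `lib.types.path`, so a caller who passes a Nix path literal such as `./secrets/adminpass` may have the secret copied into the world-readable `/nix/store` if the consuming module coerces it via string interpolation, which is worth guarding against rather than only documenting. I would tighten the descriptions, e.g. `description = "File containing the Nextcloud admin password. Must be an absolute runtime path (a sops-nix/agenix secret, not a store path) readable by the nextcloud user; the caller is responsible for restarting phpfpm-nextcloud on rotation.";`, and add next to the config an assertion such as `assertions = [ { assertion = !(lib.hasPrefix builtins.storeDir (toString cfg.adminPassFile)); message = "shb.nextcloud.adminPassFile must not point into the Nix store"; } ];` with the same for `cfg.onlyoffice.jwtSecretFile`. Separately, the `tracing` option's description still reads "Enable xdebug tracing." although it is now the `xdebug.trigger_value` string; since anyone who knows that value can trigger profiling/trace dumps into `/var/log/xdebug`, the description should say it is a shared secret and that it ends up in the generated PHP config.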