move onlyoffice to new apps section
This commit is contained in:
parent
4a1291c075
commit
99f0f51406
1 changed files with 203 additions and 189 deletions
|
@ -54,31 +54,6 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
onlyoffice = lib.mkOption {
|
|
||||||
description = "If non null, set up an Only Office service.";
|
|
||||||
default = null;
|
|
||||||
type = lib.types.nullOr (lib.types.submodule {
|
|
||||||
options = {
|
|
||||||
subdomain = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "Subdomain under which Only Office will be served.";
|
|
||||||
default = "oo";
|
|
||||||
};
|
|
||||||
|
|
||||||
localNetworkIPRange = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "Local network range, to restrict access to Open Office to only those IPs.";
|
|
||||||
example = "192.168.1.1/24";
|
|
||||||
};
|
|
||||||
|
|
||||||
jwtSecretFile = lib.mkOption {
|
|
||||||
type = lib.types.path;
|
|
||||||
description = "File containing the JWT secret.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
|
||||||
postgresSettings = lib.mkOption {
|
postgresSettings = lib.mkOption {
|
||||||
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
|
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
|
||||||
default = null;
|
default = null;
|
||||||
|
@ -134,6 +109,41 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
apps = lib.mkOption {
|
||||||
|
description = ''
|
||||||
|
Applications to enable in Nextcloud. Enabling an application here will also configure
|
||||||
|
various services needed for this application.
|
||||||
|
'';
|
||||||
|
type = lib.types.submodule {
|
||||||
|
options = {
|
||||||
|
onlyoffice = lib.mkOption {
|
||||||
|
description = "If non null, set up an Only Office service.";
|
||||||
|
default = null;
|
||||||
|
type = lib.types.nullOr (lib.types.submodule {
|
||||||
|
options = {
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Subdomain under which Only Office will be served.";
|
||||||
|
default = "oo";
|
||||||
|
};
|
||||||
|
|
||||||
|
localNetworkIPRange = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Local network range, to restrict access to Open Office to only those IPs.";
|
||||||
|
example = "192.168.1.1/24";
|
||||||
|
};
|
||||||
|
|
||||||
|
jwtSecretFile = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
description = "File containing the JWT secret.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
extraApps = lib.mkOption {
|
extraApps = lib.mkOption {
|
||||||
type = lib.types.raw;
|
type = lib.types.raw;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -170,187 +180,191 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkMerge [(lib.mkIf cfg.enable {
|
config = lib.mkMerge [
|
||||||
users.users = {
|
(lib.mkIf cfg.enable {
|
||||||
nextcloud = {
|
users.users = {
|
||||||
name = "nextcloud";
|
nextcloud = {
|
||||||
group = "nextcloud";
|
name = "nextcloud";
|
||||||
isSystemUser = true;
|
group = "nextcloud";
|
||||||
};
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups = {
|
|
||||||
nextcloud = {
|
|
||||||
members = [ "backup" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# LDAP is manually configured through
|
|
||||||
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md, see also
|
|
||||||
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
|
|
||||||
#
|
|
||||||
# Verify setup with:
|
|
||||||
# - On admin page
|
|
||||||
# - https://scan.nextcloud.com/
|
|
||||||
# - https://www.ssllabs.com/ssltest/
|
|
||||||
# As of writing this, we got no warning on admin page and A+ on both tests.
|
|
||||||
#
|
|
||||||
# Content-Security-Policy is hard. I spent so much trying to fix lingering issues with .js files
|
|
||||||
# not loading to realize those scripts are inserted by extensions. Doh.
|
|
||||||
services.nextcloud = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.nextcloud27;
|
|
||||||
|
|
||||||
datadir = cfg.dataDir;
|
|
||||||
|
|
||||||
hostName = fqdn;
|
|
||||||
nginx.hstsMaxAge = 31536000; # Needs > 1 year for https://hstspreload.org to be happy
|
|
||||||
|
|
||||||
inherit (cfg) maxUploadSize;
|
|
||||||
|
|
||||||
config = {
|
|
||||||
dbtype = "pgsql";
|
|
||||||
adminuser = cfg.adminUser;
|
|
||||||
adminpassFile = toString cfg.adminPassFile;
|
|
||||||
# Not using dbpassFile as we're using socket authentication.
|
|
||||||
defaultPhoneRegion = "US";
|
|
||||||
trustedProxies = [ "127.0.0.1" ];
|
|
||||||
};
|
|
||||||
database.createLocally = true;
|
|
||||||
|
|
||||||
# Enable caching using redis https://nixos.wiki/wiki/Nextcloud#Caching.
|
|
||||||
configureRedis = true;
|
|
||||||
caching.apcu = false;
|
|
||||||
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/caching_configuration.html
|
|
||||||
caching.redis = true;
|
|
||||||
|
|
||||||
# Adds appropriate nginx rewrite rules.
|
|
||||||
webfinger = true;
|
|
||||||
|
|
||||||
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
|
|
||||||
https = config.shb.ssl.enable;
|
|
||||||
|
|
||||||
extraApps = cfg.extraApps pkgs.nextcloud27Packages.apps;
|
|
||||||
extraAppsEnable = true;
|
|
||||||
appstoreEnable = true;
|
|
||||||
|
|
||||||
extraOptions = let
|
|
||||||
protocol = if config.shb.ssl.enable then "https" else "http";
|
|
||||||
in {
|
|
||||||
"overwrite.cli.url" = "${protocol}://${fqdn}";
|
|
||||||
"overwritehost" = if (isNull cfg.externalFqdn) then fqdn else cfg.externalFqdn;
|
|
||||||
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
|
|
||||||
# TODO: could instead set extraTrustedDomains
|
|
||||||
"trusted_domains" = [ fqdn ];
|
|
||||||
# TODO: could instead set overwriteProtocol
|
|
||||||
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
|
|
||||||
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
|
|
||||||
"debug" = cfg.debug;
|
|
||||||
"filelocking.debug" = cfg.debug;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
phpOptions = {
|
users.groups = {
|
||||||
# The OPcache interned strings buffer is nearly full with 8, bump to 16.
|
nextcloud = {
|
||||||
catch_workers_output = "yes";
|
members = [ "backup" ];
|
||||||
display_errors = "stderr";
|
};
|
||||||
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
|
|
||||||
expose_php = "Off";
|
|
||||||
"opcache.enable_cli" = "1";
|
|
||||||
"opcache.fast_shutdown" = "1";
|
|
||||||
"opcache.interned_strings_buffer" = "16";
|
|
||||||
"opcache.max_accelerated_files" = "10000";
|
|
||||||
"opcache.memory_consumption" = "128";
|
|
||||||
"opcache.revalidate_freq" = "1";
|
|
||||||
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
short_open_tag = "Off";
|
|
||||||
|
|
||||||
output_buffering = "Off";
|
|
||||||
|
|
||||||
# Needed to avoid corruption per https://docs.nextcloud.com/server/21/admin_manual/configuration_server/caching_configuration.html#id2
|
|
||||||
"redis.session.locking_enabled" = "1";
|
|
||||||
"redis.session.lock_retries" = "-1";
|
|
||||||
"redis.session.lock_wait_time" = "10000";
|
|
||||||
} // lib.optionalAttrs (! (isNull cfg.tracing)) {
|
|
||||||
# "xdebug.remote_enable" = "on";
|
|
||||||
# "xdebug.remote_host" = "127.0.0.1";
|
|
||||||
# "xdebug.remote_port" = "9000";
|
|
||||||
# "xdebug.remote_handler" = "dbgp";
|
|
||||||
"xdebug.trigger_value" = cfg.tracing;
|
|
||||||
|
|
||||||
"xdebug.mode" = "profile,trace";
|
|
||||||
"xdebug.output_dir" = "/var/log/xdebug";
|
|
||||||
"xdebug.start_with_request" = "trigger";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
|
# LDAP is manually configured through
|
||||||
|
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md, see also
|
||||||
|
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
|
||||||
|
#
|
||||||
|
# Verify setup with:
|
||||||
|
# - On admin page
|
||||||
|
# - https://scan.nextcloud.com/
|
||||||
|
# - https://www.ssllabs.com/ssltest/
|
||||||
|
# As of writing this, we got no warning on admin page and A+ on both tests.
|
||||||
|
#
|
||||||
|
# Content-Security-Policy is hard. I spent so much trying to fix lingering issues with .js files
|
||||||
|
# not loading to realize those scripts are inserted by extensions. Doh.
|
||||||
|
services.nextcloud = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.nextcloud27;
|
||||||
|
|
||||||
phpExtraExtensions = all: [ all.xdebug ];
|
datadir = cfg.dataDir;
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts.${fqdn} = {
|
hostName = fqdn;
|
||||||
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
|
nginx.hstsMaxAge = 31536000; # Needs > 1 year for https://hstspreload.org to be happy
|
||||||
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
|
|
||||||
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
|
|
||||||
forceSSL = lib.mkIf config.shb.ssl.enable true;
|
|
||||||
|
|
||||||
# From [1] this should fix downloading of big files. [2] seems to indicate that buffering
|
inherit (cfg) maxUploadSize;
|
||||||
# happens at multiple places anyway, so disabling one place should be okay.
|
|
||||||
# [1]: https://help.nextcloud.com/t/download-aborts-after-time-or-large-file/25044/6
|
config = {
|
||||||
# [2]: https://stackoverflow.com/a/50891625/1013628
|
dbtype = "pgsql";
|
||||||
extraConfig = ''
|
adminuser = cfg.adminUser;
|
||||||
|
adminpassFile = toString cfg.adminPassFile;
|
||||||
|
# Not using dbpassFile as we're using socket authentication.
|
||||||
|
defaultPhoneRegion = "US";
|
||||||
|
trustedProxies = [ "127.0.0.1" ];
|
||||||
|
};
|
||||||
|
database.createLocally = true;
|
||||||
|
|
||||||
|
# Enable caching using redis https://nixos.wiki/wiki/Nextcloud#Caching.
|
||||||
|
configureRedis = true;
|
||||||
|
caching.apcu = false;
|
||||||
|
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/caching_configuration.html
|
||||||
|
caching.redis = true;
|
||||||
|
|
||||||
|
# Adds appropriate nginx rewrite rules.
|
||||||
|
webfinger = true;
|
||||||
|
|
||||||
|
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
|
||||||
|
https = config.shb.ssl.enable;
|
||||||
|
|
||||||
|
extraApps = cfg.extraApps pkgs.nextcloud27Packages.apps;
|
||||||
|
extraAppsEnable = true;
|
||||||
|
appstoreEnable = true;
|
||||||
|
|
||||||
|
extraOptions = let
|
||||||
|
protocol = if config.shb.ssl.enable then "https" else "http";
|
||||||
|
in {
|
||||||
|
"overwrite.cli.url" = "${protocol}://${fqdn}";
|
||||||
|
"overwritehost" = if (isNull cfg.externalFqdn) then fqdn else cfg.externalFqdn;
|
||||||
|
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
|
||||||
|
# TODO: could instead set extraTrustedDomains
|
||||||
|
"trusted_domains" = [ fqdn ];
|
||||||
|
# TODO: could instead set overwriteProtocol
|
||||||
|
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
|
||||||
|
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
|
||||||
|
"debug" = cfg.debug;
|
||||||
|
"filelocking.debug" = cfg.debug;
|
||||||
|
};
|
||||||
|
|
||||||
|
phpOptions = {
|
||||||
|
# The OPcache interned strings buffer is nearly full with 8, bump to 16.
|
||||||
|
catch_workers_output = "yes";
|
||||||
|
display_errors = "stderr";
|
||||||
|
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
|
||||||
|
expose_php = "Off";
|
||||||
|
"opcache.enable_cli" = "1";
|
||||||
|
"opcache.fast_shutdown" = "1";
|
||||||
|
"opcache.interned_strings_buffer" = "16";
|
||||||
|
"opcache.max_accelerated_files" = "10000";
|
||||||
|
"opcache.memory_consumption" = "128";
|
||||||
|
"opcache.revalidate_freq" = "1";
|
||||||
|
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
||||||
|
short_open_tag = "Off";
|
||||||
|
|
||||||
|
output_buffering = "Off";
|
||||||
|
|
||||||
|
# Needed to avoid corruption per https://docs.nextcloud.com/server/21/admin_manual/configuration_server/caching_configuration.html#id2
|
||||||
|
"redis.session.locking_enabled" = "1";
|
||||||
|
"redis.session.lock_retries" = "-1";
|
||||||
|
"redis.session.lock_wait_time" = "10000";
|
||||||
|
} // lib.optionalAttrs (! (isNull cfg.tracing)) {
|
||||||
|
# "xdebug.remote_enable" = "on";
|
||||||
|
# "xdebug.remote_host" = "127.0.0.1";
|
||||||
|
# "xdebug.remote_port" = "9000";
|
||||||
|
# "xdebug.remote_handler" = "dbgp";
|
||||||
|
"xdebug.trigger_value" = cfg.tracing;
|
||||||
|
|
||||||
|
"xdebug.mode" = "profile,trace";
|
||||||
|
"xdebug.output_dir" = "/var/log/xdebug";
|
||||||
|
"xdebug.start_with_request" = "trigger";
|
||||||
|
};
|
||||||
|
|
||||||
|
poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
|
||||||
|
|
||||||
|
phpExtraExtensions = all: [ all.xdebug ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${fqdn} = {
|
||||||
|
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
|
||||||
|
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
|
||||||
|
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
|
||||||
|
forceSSL = lib.mkIf config.shb.ssl.enable true;
|
||||||
|
|
||||||
|
# From [1] this should fix downloading of big files. [2] seems to indicate that buffering
|
||||||
|
# happens at multiple places anyway, so disabling one place should be okay.
|
||||||
|
# [1]: https://help.nextcloud.com/t/download-aborts-after-time-or-large-file/25044/6
|
||||||
|
# [2]: https://stackoverflow.com/a/50891625/1013628
|
||||||
|
extraConfig = ''
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
# Needed for a few apps. Would be nice to avoid having to put that in the environment and instead override https://github.com/NixOS/nixpkgs/blob/261abe8a44a7e8392598d038d2e01f7b33cf26d0/nixos/modules/services/web-apps/nextcloud.nix#L1035
|
# Needed for a few apps. Would be nice to avoid having to put that in the environment and instead override https://github.com/NixOS/nixpkgs/blob/261abe8a44a7e8392598d038d2e01f7b33cf26d0/nixos/modules/services/web-apps/nextcloud.nix#L1035
|
||||||
pkgs.ffmpeg
|
pkgs.ffmpeg
|
||||||
|
|
||||||
# Needed for the recognize app.
|
# Needed for the recognize app.
|
||||||
pkgs.nodejs
|
pkgs.nodejs
|
||||||
];
|
];
|
||||||
|
|
||||||
services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
|
services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
|
||||||
|
|
||||||
systemd.services.phpfpm-nextcloud.serviceConfig = {
|
systemd.services.phpfpm-nextcloud.serviceConfig = {
|
||||||
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
|
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
|
||||||
UMask = lib.mkForce "0027";
|
UMask = lib.mkForce "0027";
|
||||||
};
|
};
|
||||||
systemd.services.phpfpm-nextcloud.preStart = ''
|
systemd.services.phpfpm-nextcloud.preStart = ''
|
||||||
mkdir -p /var/log/xdebug; chown -R nextcloud: /var/log/xdebug
|
mkdir -p /var/log/xdebug; chown -R nextcloud: /var/log/xdebug
|
||||||
'';
|
'';
|
||||||
|
|
||||||
systemd.services.nextcloud-cron.path = [
|
systemd.services.nextcloud-cron.path = [
|
||||||
pkgs.perl
|
pkgs.perl
|
||||||
];
|
|
||||||
|
|
||||||
# Sets up backup for Nextcloud.
|
|
||||||
shb.backup.instances.nextcloud = {
|
|
||||||
sourceDirectories = [
|
|
||||||
cfg.dataDir
|
|
||||||
];
|
];
|
||||||
excludePatterns = [".rnd"];
|
|
||||||
};
|
|
||||||
}) (lib.mkIf (!(isNull cfg.onlyoffice)) {
|
|
||||||
services.onlyoffice = {
|
|
||||||
enable = true;
|
|
||||||
hostname = "${cfg.onlyoffice.subdomain}.${cfg.domain}";
|
|
||||||
port = 13444;
|
|
||||||
|
|
||||||
postgresHost = "/run/postgresql";
|
# Sets up backup for Nextcloud.
|
||||||
|
shb.backup.instances.nextcloud = {
|
||||||
jwtSecretFile = cfg.onlyoffice.jwtSecretFile;
|
sourceDirectories = [
|
||||||
};
|
cfg.dataDir
|
||||||
|
];
|
||||||
services.nginx.virtualHosts."${cfg.onlyoffice.subdomain}.${cfg.domain}" = {
|
excludePatterns = [".rnd"];
|
||||||
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
|
|
||||||
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
|
|
||||||
forceSSL = lib.mkIf config.shb.ssl.enable true;
|
|
||||||
locations."/" = {
|
|
||||||
extraConfig = ''
|
|
||||||
allow ${cfg.onlyoffice.localNetworkIPRange};
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
})
|
||||||
})];
|
|
||||||
|
(lib.mkIf (!(isNull cfg.apps.onlyoffice)) {
|
||||||
|
services.onlyoffice = {
|
||||||
|
enable = true;
|
||||||
|
hostname = "${cfg.apps.onlyoffice.subdomain}.${cfg.domain}";
|
||||||
|
port = 13444;
|
||||||
|
|
||||||
|
postgresHost = "/run/postgresql";
|
||||||
|
|
||||||
|
jwtSecretFile = cfg.apps.onlyoffice.jwtSecretFile;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${cfg.apps.onlyoffice.subdomain}.${cfg.domain}" = {
|
||||||
|
sslCertificate = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/cert.pem";
|
||||||
|
sslCertificateKey = lib.mkIf config.shb.ssl.enable "/var/lib/acme/${cfg.domain}/key.pem";
|
||||||
|
forceSSL = lib.mkIf config.shb.ssl.enable true;
|
||||||
|
locations."/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
allow ${cfg.apps.onlyoffice.localNetworkIPRange};
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
})
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue