1
0
Fork 0
selfhostblocks/modules/services/nextcloud-server.nix
2024-01-19 10:48:10 -08:00

624 lines
22 KiB
Nix

{ config, pkgs, lib, ... }:
let
cfg = config.shb.nextcloud;
fqdn = "${cfg.subdomain}.${cfg.domain}";
contracts = pkgs.callPackage ../contracts {};
# Make sure to bump both nextcloudPkg and nextcloudApps at the same time.
nextcloudPkg = pkgs.nextcloud27;
nextcloudApps = pkgs.nextcloud27Packages.apps;
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
in
{
options.shb.nextcloud = {
enable = lib.mkEnableOption "selfhostblocks.nextcloud-server";
subdomain = lib.mkOption {
type = lib.types.str;
description = "Subdomain under which Nextcloud will be served.";
example = "nextcloud";
};
domain = lib.mkOption {
description = "Domain to serve Nextcloud under.";
type = lib.types.str;
example = "domain.com";
};
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
default = null;
};
externalFqdn = lib.mkOption {
description = "External fqdn used to access Nextcloud. Defaults to <subdomain>.<domain>. This should only be set if you include the port when accessing Nextcloud.";
type = lib.types.nullOr lib.types.str;
example = "nextcloud.domain.com:8080";
default = null;
};
dataDir = lib.mkOption {
description = "Folder where Nextcloud will store all its data.";
type = lib.types.str;
default = "/var/lib/nextcloud";
};
adminUser = lib.mkOption {
type = lib.types.str;
description = "Username of the initial admin user.";
default = "root";
};
adminPassFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "File containing the Nextcloud admin password. Required.";
default = null;
};
maxUploadSize = lib.mkOption {
default = "4G";
type = lib.types.str;
description = ''
The upload limit for files. This changes the relevant options
in php.ini and nginx if enabled.
'';
};
postgresSettings = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
default = null;
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
example = lib.literalExpression ''
{
# From https://pgtune.leopard.in.ua/ with:
# DB Version: 14
# OS Type: linux
# DB Type: dw
# Total Memory (RAM): 7 GB
# CPUs num: 4
# Connections num: 100
# Data Storage: ssd
max_connections = "100";
shared_buffers = "1792MB";
effective_cache_size = "5376MB";
maintenance_work_mem = "896MB";
checkpoint_completion_target = "0.9";
wal_buffers = "16MB";
default_statistics_target = "500";
random_page_cost = "1.1";
effective_io_concurrency = "200";
work_mem = "4587kB";
huge_pages = "off";
min_wal_size = "4GB";
max_wal_size = "16GB";
max_worker_processes = "4";
max_parallel_workers_per_gather = "2";
max_parallel_workers = "4";
max_parallel_maintenance_workers = "2";
}
'';
};
phpFpmPoolSettings = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
description = "Settings for PHPFPM.";
default = null;
example = lib.literalExpression ''
{
"pm" = "dynamic";
"pm.max_children" = 50;
"pm.start_servers" = 25;
"pm.min_spare_servers" = 10;
"pm.max_spare_servers" = 20;
"pm.max_spawn_rate" = 50;
"pm.max_requests" = 50;
"pm.process_idle_timeout" = "20s";
}
'';
};
apps = lib.mkOption {
description = ''
Applications to enable in Nextcloud. Enabling an application here will also configure
various services needed for this application.
Enabled apps will automatically be installed, enabled and configured, so no need to do that
through the UI. You can still make changes but they will be overridden on next deploy. You
can still install and configure other apps through the UI.
'';
default = {};
type = lib.types.submodule {
options = {
onlyoffice = lib.mkOption {
description = ''
Only Office App. [Nextcloud App Store](https://apps.nextcloud.com/apps/onlyoffice)
Enabling this app will also start an OnlyOffice instance accessible at the given
subdomain from the given network range.
'';
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Nextcloud OnlyOffice App";
subdomain = lib.mkOption {
type = lib.types.str;
description = "Subdomain under which Only Office will be served.";
default = "oo";
};
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
default = null;
};
localNetworkIPRange = lib.mkOption {
type = lib.types.str;
description = "Local network range, to restrict access to Open Office to only those IPs.";
default = "192.168.1.1/24";
};
jwtSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "File containing the JWT secret. This option is required.";
default = null;
};
};
};
};
previewgenerator = lib.mkOption {
description = ''
Preview Generator App. [Nextcloud App Store](https://apps.nextcloud.com/apps/previewgenerator)
Enabling this app will create a cron job running every minute to generate thumbnails
for new and updated files.
To generate thumbnails for already existing files, run:
```
nextcloud-occ -vvv preview:generate-all
```
'';
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Nextcloud Preview Generator App";
debug = lib.mkOption {
type = lib.types.bool;
description = "Enable more verbose logging.";
default = false;
example = true;
};
};
};
};
ldap = lib.mkOption {
description = ''
LDAP Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
Enabling this app will create a new LDAP configuration or update one that exists with
the given host.
'';
default = {};
type = lib.types.nullOr (lib.types.submodule {
options = {
enable = lib.mkEnableOption "LDAP app.";
host = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Host serving the LDAP server.
'';
default = "127.0.0.1";
};
port = lib.mkOption {
type = lib.types.nullOr lib.types.port;
description = ''
Port of the service serving the LDAP server.
'';
default = 389;
};
dcdomain = lib.mkOption {
type = lib.types.str;
description = "dc domain for ldap.";
example = "dc=mydomain,dc=com";
};
adminName = lib.mkOption {
type = lib.types.str;
description = "Admin user of the LDAP server.";
default = "admin";
};
adminPasswordFile = lib.mkOption {
type = lib.types.path;
description = "File containing the admin password of the LDAP server.";
default = "";
};
userGroup = lib.mkOption {
type = lib.types.str;
description = "Group users must belong to to be able to login to Nextcloud.";
default = "nextcloud_user";
};
};
});
};
};
};
};
extraApps = lib.mkOption {
type = lib.types.raw;
description = ''
Extra apps to install. Should be a function returning an attrSet of appid to packages
generated by fetchNextcloudApp. The appid must be identical to the id value in the apps
appinfo/info.xml. You can still install apps through the appstore.
'';
default = null;
example = lib.literalExpression ''
apps: {
inherit (apps) mail calendar contact;
phonetrack = pkgs.fetchNextcloudApp {
name = "phonetrack";
sha256 = "0qf366vbahyl27p9mshfma1as4nvql6w75zy2zk5xwwbp343vsbc";
url = "https://gitlab.com/eneiluj/phonetrack-oc/-/wikis/uploads/931aaaf8dca24bf31a7e169a83c17235/phonetrack-0.6.9.tar.gz";
version = "0.6.9";
};
}
'';
};
debug = lib.mkOption {
type = lib.types.bool;
description = "Enable more verbose logging.";
default = false;
example = true;
};
tracing = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Enable xdebug tracing.
To trigger writing a trace to `/var/log/xdebug`, add a the following header:
```
XDEBUG_TRACE <shb.nextcloud.tracing value>
```
The response will contain the following header:
```
x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484
```
'';
default = null;
example = "debug_me";
};
};
config = lib.mkMerge [
(lib.mkIf cfg.enable {
assertions = [
{
assertion = !(isNull cfg.adminPassFile);
message = "Must set shb.nextcloud.adminPassFile.";
}
];
users.users = {
nextcloud = {
name = "nextcloud";
group = "nextcloud";
isSystemUser = true;
};
};
users.groups = {
nextcloud = {
members = [ "backup" ];
};
};
# LDAP is manually configured through
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md, see also
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
#
# Verify setup with:
# - On admin page
# - https://scan.nextcloud.com/
# - https://www.ssllabs.com/ssltest/
# As of writing this, we got no warning on admin page and A+ on both tests.
#
# Content-Security-Policy is hard. I spent so much trying to fix lingering issues with .js files
# not loading to realize those scripts are inserted by extensions. Doh.
services.nextcloud = {
enable = true;
package = nextcloudPkg;
datadir = cfg.dataDir;
hostName = fqdn;
nginx.hstsMaxAge = 31536000; # Needs > 1 year for https://hstspreload.org to be happy
inherit (cfg) maxUploadSize;
config = {
dbtype = "pgsql";
adminuser = cfg.adminUser;
adminpassFile = toString cfg.adminPassFile;
# Not using dbpassFile as we're using socket authentication.
defaultPhoneRegion = "US";
trustedProxies = [ "127.0.0.1" ];
};
database.createLocally = true;
# Enable caching using redis https://nixos.wiki/wiki/Nextcloud#Caching.
configureRedis = true;
caching.apcu = false;
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/caching_configuration.html
caching.redis = true;
# Adds appropriate nginx rewrite rules.
webfinger = true;
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
https = !(isNull cfg.ssl);
extraApps = if isNull cfg.extraApps then {} else cfg.extraApps nextcloudApps;
extraAppsEnable = true;
appstoreEnable = true;
extraOptions = let
protocol = if !(isNull cfg.ssl) then "https" else "http";
in {
"overwrite.cli.url" = "${protocol}://${fqdn}";
"overwritehost" = if (isNull cfg.externalFqdn) then fqdn else cfg.externalFqdn;
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
# TODO: could instead set extraTrustedDomains
"trusted_domains" = [ fqdn ];
# TODO: could instead set overwriteProtocol
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
"debug" = cfg.debug;
"filelocking.debug" = cfg.debug;
# Use persistent SQL connections.
"dbpersistent" = "true";
};
phpOptions = {
# The OPcache interned strings buffer is nearly full with 8, bump to 16.
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.cert";
short_open_tag = "Off";
output_buffering = "Off";
# Needed to avoid corruption per https://docs.nextcloud.com/server/21/admin_manual/configuration_server/caching_configuration.html#id2
"redis.session.locking_enabled" = "1";
"redis.session.lock_retries" = "-1";
"redis.session.lock_wait_time" = "10000";
} // lib.optionalAttrs (! (isNull cfg.tracing)) {
# "xdebug.remote_enable" = "on";
# "xdebug.remote_host" = "127.0.0.1";
# "xdebug.remote_port" = "9000";
# "xdebug.remote_handler" = "dbgp";
"xdebug.trigger_value" = cfg.tracing;
"xdebug.mode" = "profile,trace";
"xdebug.output_dir" = "/var/log/xdebug";
"xdebug.start_with_request" = "trigger";
};
poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
phpExtraExtensions = all: [ all.xdebug ];
};
services.nginx.virtualHosts.${fqdn} = {
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
forceSSL = !(isNull cfg.ssl);
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
# From [1] this should fix downloading of big files. [2] seems to indicate that buffering
# happens at multiple places anyway, so disabling one place should be okay.
# [1]: https://help.nextcloud.com/t/download-aborts-after-time-or-large-file/25044/6
# [2]: https://stackoverflow.com/a/50891625/1013628
extraConfig = ''
proxy_buffering off;
'';
};
environment.systemPackages = [
# Needed for a few apps. Would be nice to avoid having to put that in the environment and instead override https://github.com/NixOS/nixpkgs/blob/261abe8a44a7e8392598d038d2e01f7b33cf26d0/nixos/modules/services/web-apps/nextcloud.nix#L1035
pkgs.ffmpeg
# Needed for the recognize app.
pkgs.nodejs
];
services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
systemd.services.phpfpm-nextcloud.serviceConfig = {
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
UMask = lib.mkForce "0027";
};
systemd.services.phpfpm-nextcloud.preStart = ''
mkdir -p /var/log/xdebug; chown -R nextcloud: /var/log/xdebug
'';
systemd.services.nextcloud-cron.path = [
pkgs.perl
];
# Sets up backup for Nextcloud.
shb.backup.instances.nextcloud = {
sourceDirectories = [
cfg.dataDir
];
excludePatterns = [".rnd"];
};
})
(lib.mkIf cfg.apps.onlyoffice.enable {
assertions = [
{
assertion = !(isNull cfg.apps.onlyoffice.jwtSecretFile);
message = "Must set shb.nextcloud.apps.onlyoffice.jwtSecretFile.";
}
];
services.nextcloud.extraApps = {
inherit (nextcloudApps) onlyoffice;
};
services.onlyoffice = {
enable = true;
hostname = "${cfg.apps.onlyoffice.subdomain}.${cfg.domain}";
port = 13444;
postgresHost = "/run/postgresql";
jwtSecretFile = cfg.apps.onlyoffice.jwtSecretFile;
};
services.nginx.virtualHosts."${cfg.apps.onlyoffice.subdomain}.${cfg.domain}" = {
forceSSL = !(isNull cfg.ssl);
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
locations."/" = {
extraConfig = ''
allow ${cfg.apps.onlyoffice.localNetworkIPRange};
'';
};
};
})
(lib.mkIf cfg.apps.previewgenerator.enable {
services.nextcloud.extraApps = {
inherit (nextcloudApps) previewgenerator;
};
# Configured as defined in https://github.com/nextcloud/previewgenerator
systemd.timers.nextcloud-cron-previewgenerator = {
wantedBy = [ "timers.target" ];
after = [ "nextcloud-setup.service" ];
timerConfig.OnBootSec = "10m";
timerConfig.OnUnitActiveSec = "10m";
timerConfig.Unit = "nextcloud-cron-previewgenerator.service";
};
systemd.services.nextcloud-cron-previewgenerator = {
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.datadir}/config";
serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
serviceConfig.ExecStart =
let
debug = if cfg.debug or cfg.apps.previewgenerator.debug then "-vvv" else "";
in
"${occ} ${debug} preview:pre-generate";
};
})
(lib.mkIf cfg.apps.ldap.enable {
systemd.services.nextcloud-setup.path = [ pkgs.jq ];
systemd.services.nextcloud-setup.script = ''
${occ} app:install user_ldap || :
${occ} app:enable user_ldap
# The following code tries to match an existing config or creates a new one.
# The criteria for matching is the ldapHost value.
ALL_CONFIG="$(${occ} ldap:show-config --output=json --show-password)"
MATCHING_CONFIG_IDs="$(echo "$ALL_CONFIG" | jq '[to_entries[] | select(.value.ldapHost=="127.0.0.1") | .key]')"
if [[ $(echo "$MATCHING_CONFIG_IDs" | jq 'length') > 0 ]]; then
CONFIG_ID="$(echo "$MATCHING_CONFIG_IDs" | jq --raw-output '.[0]')"
else
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
fi
echo "Using configId $CONFIG_ID"
# The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' \
'${cfg.apps.ldap.host}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' \
'${toString cfg.apps.ldap.port}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' \
'uid=${cfg.apps.ldap.adminName},ou=people,${cfg.apps.ldap.dcdomain}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' \
"$(cat ${cfg.apps.ldap.adminPasswordFile})"
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' \
'${cfg.apps.ldap.dcdomain}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' \
'${cfg.apps.ldap.dcdomain}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' \
'${cfg.apps.ldap.dcdomain}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' \
'mail'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
'(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg.apps.ldap.userGroup})))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
'${cfg.apps.ldap.userGroup}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
'groupOfUniqueNames'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
'uniqueMember'
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
'(&(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
'mail;objectclass'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
'displayname'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
'(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
'1'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
'person'
${occ} ldap:test-config -- "$CONFIG_ID"
# Only one active at the same time
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
echo "Deactivating $configid"
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \
'0'
done
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' \
'1'
'';
})
];
}