Let's try postgres I guess

This commit is contained in:
Lillian-Violet 2023-11-23 14:55:06 +01:00
parent dc579e6c87
commit c858ce45d0
2 changed files with 65 additions and 89 deletions

View file

@ -53,6 +53,8 @@
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ../../secrets/queen-Lillian.yaml; sops.defaultSopsFile = ../../secrets/queen-Lillian.yaml;
sops.age.keyFile = ./keys.txt; sops.age.keyFile = ./keys.txt;
sops.secrets."nextcloudadmin".mode = "0440";
sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name;
sops.secrets."nextclouddb".mode = "0440"; sops.secrets."nextclouddb".mode = "0440";
sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name; sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name;
@ -91,7 +93,7 @@
noto-fonts-emoji-blob-bin noto-fonts-emoji-blob-bin
noto-fonts-emoji noto-fonts-emoji
oh-my-zsh oh-my-zsh
mariadb_110 postgresql
rsync rsync
wget wget
zsh zsh

View file

@ -1,108 +1,82 @@
# Nextcloud
{ {
config, config,
lib,
pkgs, pkgs,
sops,
... ...
}: { }: {
sops.secrets.nextcloudadmin = { # Enable Nginx
mode = "0440"; services.nginx = {
owner = config.users.users.nextcloud.name; enable = true;
group = config.users.users.nextcloud.group;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"nextcloud.gladtherescake.eu" = {
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
};
};
}; };
users.users.nextcloud.extraGroups = ["render" "users"]; # Actual Nextcloud Config
environment.systemPackages = with pkgs; [
unstable.exiftool
ffmpeg
nodejs_18
];
# Allow using /dev/dri for Memories
systemd.services.phpfpm-nextcloud.serviceConfig = {
PrivateDevices = lib.mkForce false;
};
services.nginx.virtualHosts."nextcloud.gladtherescake.eu".listen = [
{
addr = "127.0.0.1";
port = 8180;
}
];
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud27;
hostName = "nextcloud.gladtherescake.eu"; hostName = "nextcloud.gladtherescake.eu";
database.createLocally = true; # Enable built-in virtual host management
configureRedis = true; # Takes care of somewhat complicated setup
appstoreEnable = true; # See here: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-apps/nextcloud.nix#L529
nginx.enable = true;
# Use HTTPS for links
https = true;
# Auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# Set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
config = { config = {
adminuser = "nextcloud"; # Further forces Nextcloud to use HTTPS
adminpassFile = "${config.sops.secrets.nextcloudadmin.path}"; overwriteProtocol = "https";
dbtype = "mysql";
defaultPhoneRegion = "US";
trustedProxies = ["127.0.0.1"];
};
extraOptions = { # Nextcloud PostegreSQL database configuration, recommended over using SQLite
mail_smtpmode = "sendmail"; dbtype = "pgsql";
mail_sendmailmode = "pipe"; dbuser = "nextcloud";
mysql.utf8mb4 = true; dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
}; dbname = "nextcloud";
dbpassFile = "/var/nextcloud-db-pass";
phpOptions = pkgs.lib.mkForce { adminpassFile = "/var/nextcloud-admin-pass";
"opcache.interned_strings_buffer" = "16"; adminuser = "admin";
"upload_max_filesize" = "10G";
"post_max_size" = "10G";
"memory_limit" = "8G";
}; };
}; };
services.traefik.dynamicConfigOptions.http.routers.nextcloud = { # Enable PostgreSQL
rule = "Host(`nextcloud.gladtherescake.eu`)"; services.postgresql = {
service = "nextcloud"; enable = true;
middlewares = ["headers"];
entrypoints = ["websecure"];
tls = {
certResolver = "le";
};
};
services.traefik.dynamicConfigOptions.http.services.nextcloud = { # Ensure the database, user, and permissions always exist
loadBalancer = { ensureDatabases = ["nextcloud"];
servers = [ ensureUsers = [
{ {
url = "http://localhost:8180"; name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
} }
]; ];
}; };
};
systemd.timers."nextcloud-files-update" = { # Ensure that postgres is running before running the setup
wantedBy = ["timers.target"]; systemd.services."nextcloud-setup" = {
timerConfig = { requires = ["postgresql.service"];
OnBootSec = "2m"; after = ["postgresql.service"];
OnUnitActiveSec = "15m";
Unit = "nextcloud-files-update.service";
};
};
systemd.services."nextcloud-files-update" = {
bindsTo = ["mysql.service" "phpfpm-nextcloud.service"];
after = ["mysql.service" "phpfpm-nextcloud.service"];
script = ''
${config.services.nextcloud.occ}/bin/nextcloud-occ files:scan -q --all
${config.services.nextcloud.occ}/bin/nextcloud-occ preview:pre-generate
'';
serviceConfig = {
User = "nextcloud";
};
path = ["config.services.nextcloud" pkgs.perl];
}; };
} }