diff --git a/nixos/queen/configuration.nix b/nixos/queen/configuration.nix
index 6b9faf2..93d5944 100644
--- a/nixos/queen/configuration.nix
+++ b/nixos/queen/configuration.nix
@@ -53,9 +53,7 @@
   #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
   sops.defaultSopsFile = ../../secrets/queen-Lillian.yaml;
   sops.age.keyFile = ./keys.txt;
-  sops.secrets."nextcloudadmin".mode = "0400";
-  sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name;
-  sops.secrets."nextclouddb".mode = "0400";
+  sops.secrets."nextclouddb".mode = "0440";
   sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name;
 
   nix = {
diff --git a/nixos/queen/nextcloud.nix b/nixos/queen/nextcloud.nix
index 1346505..e7b6262 100644
--- a/nixos/queen/nextcloud.nix
+++ b/nixos/queen/nextcloud.nix
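Review bot: Changing `nextclouddb` to mode "0440" grants read access to the secret's group, but this hunk sets no `group`, so which group that is depends on sops-nix's default (it appears to derive from the owner's primary group — confirm against the sops-nix option docs); nextcloud.nix sets the group explicitly for `nextcloudadmin`, so match that here with `sops.secrets."nextclouddb".group = config.users.users.nextcloud.group;`. Also, nothing in this diff reads the `nextclouddb` secret any more: the old `dbpassFile` reference was already commented out and the new nextcloud.nix relies on `database.createLocally = true`, so the decrypted file looks like dead material unless another module consumes it — worth removing rather than keeping a readable secret on disk with no consumer.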
@@ -1,123 +1,108 @@ +# Nextcloud { - inputs, - outputs, - lib, config, + lib, pkgs, + sops, ... }: { - #this came from https://jacobneplokh.com/how-to-setup-nextcloud-on-nixos/ - services.nginx = { - enable = true; - - # Use recommended settings - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # Only allow PFS-enabled ciphers with AES256 - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - - # Setup Nextcloud virtual host to listen on ports - virtualHosts = { - "nextcloud.gladtherescake.eu" = { - ## Force HTTP redirect to HTTPS - forceSSL = true; - ## LetsEncrypt - enableACME = true; - }; - }; + sops.secrets.nextcloudadmin = { + mode = "0440"; + owner = config.users.users.nextcloud.name; + group = config.users.users.nextcloud.group; }; + users.users.nextcloud.extraGroups = ["render" "users"]; + + environment.systemPackages = with pkgs; [ + unstable.exiftool + ffmpeg + nodejs_18 + ]; + + # Allow using /dev/dri for Memories + systemd.services.phpfpm-nextcloud.serviceConfig = { + PrivateDevices = lib.mkForce false; + }; + + services.nginx.virtualHosts."nextcloud.gladtherescake.eu".listen = [ + { + addr = "127.0.0.1"; + port = 8180; + } + ]; + services.nextcloud = { enable = true; - hostName = "nextcloud.gladtherescake.eu"; - - # Use HTTPS for links - https = true; - - # Auto-update Nextcloud Apps - autoUpdateApps.enable = true; - # Set what time makes sense for you - autoUpdateApps.startAt = "05:00:00"; - - configureRedis = true; - package = pkgs.nextcloud27; - - #Directory for the data is /var/lib/nextcloud - + hostName = "nextcloud.gladtherescake.eu"; + database.createLocally = true; + configureRedis = true; + appstoreEnable = true; config = { - # Further forces Nextcloud to use HTTPS - overwriteProtocol = "https"; - - # Nextcloud PostegreSQL database configuration, recommended over using SQLite + adminuser = "nextcloud"; + adminpassFile = 
"${config.sops.secrets.nextcloudadmin.path}"; dbtype = "mysql"; - dbuser = "nextcloud"; - dbhost = "mysql"; - dbname = "NC"; - #dbpassFile = config.sops.secrets."nextclouddb".path; + defaultPhoneRegion = "US"; + trustedProxies = ["127.0.0.1"]; + }; - adminpassFile = config.sops.secrets."nextcloudadmin".path; - adminuser = "gladtherescake"; + extraOptions = { + mail_smtpmode = "sendmail"; + mail_sendmailmode = "pipe"; + mysql.utf8mb4 = true; + }; + + phpOptions = { + "opcache.interned_strings_buffer" = "16"; + "upload_max_filesize" = "10G"; + "post_max_size" = "10G"; + "memory_limit" = "8G"; }; }; - services.mysql = { - settings = { - server = { - skip_name_resolve = 1; - innodb_buffer_pool_size = "128M"; - innodb_buffer_pool_instances = 1; - innodb_flush_log_at_trx_commit = 2; - innodb_log_buffer_size = "32M"; - innodb_max_dirty_pages_pct = 90; - query_cache_type = 1; - query_cache_limit = "2M"; - query_cache_min_res_unit = "2k"; - query_cache_size = "64M"; - tmp_table_size = "64M"; - max_heap_table_size = "64M"; - slow_query_log = 1; - long_query_time = 1; - }; - mysqld = { - port = 3306; - character_set_server = "utf8mb4"; - collation_server = "utf8mb4_general_ci"; - transaction_isolation = "READ-COMMITTED"; - binlog_format = "ROW"; - innodb_large_prefix = "on"; - innodb_file_format = "barracuda"; - innodb_file_per_table = 1; - }; + services.traefik.dynamicConfigOptions.http.routers.nextcloud = { + rule = "Host(`nextcloud.gladtherescake.eu`)"; + service = "nextcloud"; + middlewares = ["headers"]; + entrypoints = ["websecure"]; + tls = { + certResolver = "le"; + }; + }; + + services.traefik.dynamicConfigOptions.http.services.nextcloud = { + loadBalancer = { + servers = [ + { + url = "http://localhost:8180"; + } + ]; + }; + }; + + systemd.timers."nextcloud-files-update" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "2m"; + OnUnitActiveSec = "15m"; + Unit = "nextcloud-files-update.service"; + }; + }; + + 
systemd.services."nextcloud-files-update" = { + bindsTo = ["mysql.service" "phpfpm-nextcloud.service"]; + after = ["mysql.service" "phpfpm-nextcloud.service"]; + script = '' + + ${config.services.nextcloud.occ}/bin/nextcloud-occ files:scan -q --all + ${config.services.nextcloud.occ}/bin/nextcloud-occ preview:pre-generate + ''; + + serviceConfig = { + User = "nextcloud"; }; - enable = true; - - package = pkgs.mariadb_110; - - #Directory for the database is /var/lib/mysql - - # Ensure the database, user, and permissions always exist - ensureDatabases = ["NC"]; - ensureUsers = [ - { - name = "nextcloud"; - ensurePermissions = { - "NC.*" = "ALL PRIVILEGES"; - }; - } - ]; - }; - - systemd.services."sops-nix.service" = { - before = ["nextcloud-setup.service" "mysql.service"]; - }; - - systemd.services."nextcloud-setup" = { - requires = ["mysql.service"]; - after = ["mysql.service"]; + path = ["config.services.nextcloud" pkgs.perl]; }; }
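Review bot: `path = ["config.services.nextcloud" pkgs.perl];` in nextcloud-files-update passes a string literal, so systemd gets a directory literally named `config.services.nextcloud` on PATH rather than the Nextcloud package; since the script already invokes occ by its absolute `${config.services.nextcloud.occ}` path, `path = [pkgs.perl];` is sufficient (or reference `config.services.nextcloud.package` unquoted if its bin directory is actually needed). `PrivateDevices = lib.mkForce false;` on phpfpm-nextcloud removes a hardening layer from the service that executes web-facing PHP and exposes the whole host /dev rather than just /dev/dri, so the existing `# Allow using /dev/dri for Memories` comment should record that trade-off, e.g. `# NOTE: disables PrivateDevices entirely, exposing all of /dev to php-fpm, not only /dev/dri`. The new `sops,` module argument is never referenced in the body and, unless it is supplied via specialArgs or _module.args, evaluation will fail on the missing argument — drop it. The `"${config.sops.secrets.nextcloudadmin.path}"` interpolation is redundant because `.path` is already a string; `adminpassFile = config.sops.secrets.nextcloudadmin.path;` matches the form the old code used.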