Switch to using arion
This commit is contained in:
parent
668621dc63
commit
aa267912bc
|
@ -29,9 +29,20 @@ in {
|
||||||
description = "Directory at which to store server state data.";
|
description = "Directory at which to store server state data.";
|
||||||
};
|
};
|
||||||
|
|
||||||
images = {
|
hostname = mkOption {
|
||||||
nextcloud = mkOption { type = str; };
|
type = str;
|
||||||
postgres = mkOption { type = str; };
|
description = "Hostname at which the server is available.";
|
||||||
|
};
|
||||||
|
|
||||||
|
package = mkOption {
|
||||||
|
type = package;
|
||||||
|
description = "NextCloud package to use.";
|
||||||
|
};
|
||||||
|
|
||||||
|
extra-apps = mkOption {
|
||||||
|
type = listOf package;
|
||||||
|
description = "List of other apps to enable.";
|
||||||
|
default = [ ];
|
||||||
};
|
};
|
||||||
|
|
||||||
uids = {
|
uids = {
|
||||||
|
@ -39,6 +50,7 @@ in {
|
||||||
type = int;
|
type = int;
|
||||||
default = 740;
|
default = 740;
|
||||||
};
|
};
|
||||||
|
|
||||||
postgres = mkOption {
|
postgres = mkOption {
|
||||||
type = int;
|
type = int;
|
||||||
default = 741;
|
default = 741;
|
||||||
|
@ -60,14 +72,10 @@ in {
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
systemd = {
|
systemd = {
|
||||||
tmpfiles.rules = [
|
tmpfiles.rules = [
|
||||||
"d ${cfg.state-directory}/nextcloud 0700 nextcloud root - -"
|
"d ${cfg.state-directory}/home 0700 nextcloud root - -"
|
||||||
"d ${cfg.state-directory}/data 0700 nextcloud root - -"
|
"d ${cfg.state-directory}/data 0700 nextcloud root - -"
|
||||||
"d ${cfg.state-directory}/postgres 0700 nextcloud-postgres root - -"
|
"d ${cfg.state-directory}/postgres 0700 nextcloud root - -"
|
||||||
];
|
];
|
||||||
services.arion-nextcloud = {
|
|
||||||
after = [ "network-online.target" ];
|
|
||||||
requires = [ "network-online.target" ];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users = {
|
users.users = {
|
||||||
|
@ -76,31 +84,14 @@ in {
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
uid = cfg.uids.nextcloud;
|
uid = cfg.uids.nextcloud;
|
||||||
};
|
};
|
||||||
nextcloud-postgres = {
|
|
||||||
isSystemUser = true;
|
|
||||||
group = "nextcloud";
|
|
||||||
uid = cfg.uids.postgres;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
fudo.secrets.host-secrets."${hostname}" = {
|
fudo.secrets.host-secrets."${hostname}" = {
|
||||||
nextcloudEnv = {
|
nextcloudAdminPasswd = {
|
||||||
source-file = mkEnvFile {
|
source-file =
|
||||||
POSTGRES_HOST = "postgres";
|
pkgs.lib.passwd.stablerandom-passwd-file "nextcloud-admin-passwd"
|
||||||
POSTGRES_DB = "nextcloud";
|
config.instance.build-seed;
|
||||||
POSTGRES_USER = "nextcloud";
|
target-file = "/run/nextcloud/admin.passwd";
|
||||||
POSTGRES_PASSWORD = readFile postgresPasswdFile;
|
|
||||||
TZ = cfg.timezone;
|
|
||||||
};
|
|
||||||
target-file = "/run/nextcloud/nextcloud.env";
|
|
||||||
};
|
|
||||||
nextcloudPostgresEnv = {
|
|
||||||
source-file = mkEnvFile {
|
|
||||||
POSTGRES_DB = "nextcloud";
|
|
||||||
POSTGRES_USER = "nextcloud";
|
|
||||||
POSTGRES_PASSWORD = readFile postgresPasswdFile;
|
|
||||||
};
|
|
||||||
target-file = "/run/nextcloud/postgres.env";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -108,146 +99,45 @@ in {
|
||||||
image = { ... }: {
|
image = { ... }: {
|
||||||
project.name = "nextcloud";
|
project.name = "nextcloud";
|
||||||
services = {
|
services = {
|
||||||
nextcloud.service = {
|
nextcloud = { pkgs, lib, ... }: {
|
||||||
image = cfg.images.nextcloud;
|
|
||||||
restart = "always";
|
|
||||||
env_file = [ hostSecrets.nextcloudEnv.target-file ];
|
|
||||||
volumes = [
|
|
||||||
"${cfg.state-directory}/nextcloud:/var/www/html"
|
|
||||||
"${cfg.state-directory}/data:/data"
|
|
||||||
];
|
|
||||||
user = mkUserMap cfg.uids.nextcloud;
|
|
||||||
depends_on = [ "postgres" ];
|
|
||||||
};
|
|
||||||
postgres.service = {
|
|
||||||
image = cfg.images.postgres;
|
|
||||||
restart = "always";
|
|
||||||
command = "-c 'max_connections=300'";
|
|
||||||
env_file = [ hostSecrets.nextcloudPostgresEnv.target-file ];
|
|
||||||
volumes =
|
|
||||||
[ "${cfg.state-directory}/postgres:/var/lib/postgresql/data" ];
|
|
||||||
healthcheck = {
|
|
||||||
test = [ "CMD" "pg_isready" "-U" "nextcloud" "-d" "nextcloud" ];
|
|
||||||
start_period = "20s";
|
|
||||||
interval = "30s";
|
|
||||||
timeout = "3s";
|
|
||||||
retries = 5;
|
|
||||||
};
|
|
||||||
user = mkUserMap cfg.uids.postgres;
|
|
||||||
};
|
|
||||||
proxy = { lib, ... }: {
|
|
||||||
nixos = {
|
nixos = {
|
||||||
useSystemd = true;
|
useSystemd = true;
|
||||||
configuration = {
|
configuration = {
|
||||||
boot.tmpOnTmpfs = true;
|
boot.tmpOnTmpfs = true;
|
||||||
system.nssModules = lib.mkForce [ ];
|
system.nssModules = lib.mkForce [ ];
|
||||||
systemd.services.nginx.serviceConfig.AmbientCapabilities =
|
|
||||||
lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
services = {
|
services = {
|
||||||
nscd.enable = false;
|
nscd.enable = false;
|
||||||
nginx = {
|
postgresql.enable = true;
|
||||||
|
nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
recommendedOptimisation = true;
|
package = cfg.package;
|
||||||
recommendedGzipSettings = true;
|
hostName = cfg.hostname;
|
||||||
recommendedProxySettings = true;
|
home = "/var/lib/nextcloud/home";
|
||||||
upstreams.php-handler.extraConfig =
|
datadir = "/var/lib/nextcloud/data";
|
||||||
"server nextcloud:9000;";
|
configureRedis = true;
|
||||||
virtualHosts."localhost" = {
|
extraAppsEnable = true;
|
||||||
extraConfig = ''
|
extraApps = cfg.extra-apps;
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
enableBrokenCiphersForSSE = false;
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
database.createLocally = true;
|
||||||
add_header X-Download-Options "noopen" always;
|
config = {
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
dbtype = "pgsql";
|
||||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
adminpassFile = "/run/nextcloud/admin.passwd";
|
||||||
add_header X-Robots-Tag "none" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
fastcgi_hide_header X-Powered-By;
|
|
||||||
client_max_body_size 10G;
|
|
||||||
fastcgi_buffers 64 4K;
|
|
||||||
'';
|
|
||||||
locations = {
|
|
||||||
"/robots.txt".extraConfig = ''
|
|
||||||
allow all;
|
|
||||||
log_not_found off;
|
|
||||||
access_log off;
|
|
||||||
'';
|
|
||||||
"/.well-known/carddav" = {
|
|
||||||
return =
|
|
||||||
"301 $scheme://$host:$server_port/remote.hph/dav";
|
|
||||||
};
|
|
||||||
"/.well-known/caldav" = {
|
|
||||||
return =
|
|
||||||
"301 $scheme://$host:$server_port/remote.hph/dav";
|
|
||||||
};
|
|
||||||
"/" = { extraConfig = "rewrite ^ /index.php;"; };
|
|
||||||
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/".extraConfig =
|
|
||||||
"deny all;";
|
|
||||||
"~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig =
|
|
||||||
"deny all;";
|
|
||||||
"~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+)\\.php(?:$|/)" =
|
|
||||||
{
|
|
||||||
fastcgiParams = {
|
|
||||||
SCRIPT_FILENAME =
|
|
||||||
"$document_root$fastcgi_script_name";
|
|
||||||
PATH_INFO = "$path_info";
|
|
||||||
modHeadersAvailable = "true";
|
|
||||||
front_controller_active = "true";
|
|
||||||
};
|
|
||||||
extraConfig = ''
|
|
||||||
fastcgi_split_path_info ^(.+?\\.php)(\\/.*|)$;
|
|
||||||
set $path_info $fastcgi_path_info;
|
|
||||||
try_files $fastcgi_script_name =404;
|
|
||||||
|
|
||||||
# Enable pretty urls
|
|
||||||
fastcgi_pass php-handler;
|
|
||||||
fastcgi_intercept_errors on;
|
|
||||||
fastcgi_request_buffering off;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"~ ^/(?:updater|oc[ms]-provider)(?:$|/)" = {
|
|
||||||
index = "index.php";
|
|
||||||
tryFiles = "$uri/ =404";
|
|
||||||
};
|
|
||||||
|
|
||||||
"~ .(?:css|js|woff2?|svg|gif|map)$" = {
|
|
||||||
tryFiles = "$uri /index.php$request_uri";
|
|
||||||
extraConfig = ''
|
|
||||||
add_header Cache-Control "public, max-age=15778463";
|
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header X-Download-Options "noopen" always;
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
||||||
add_header X-Robots-Tag "none" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
access_log off;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"~ .(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$" = {
|
|
||||||
tryFiles = "$uri /index.php$request_uri";
|
|
||||||
extraConfig = "access_log off;";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
service = {
|
service = {
|
||||||
# useHostStore = true;
|
restart = "always";
|
||||||
ports = [ "${toString cfg.port}:80" ];
|
volumes = [
|
||||||
healthcheck = {
|
"${cfg.state-directory}/home:/var/lib/nextcloud/home"
|
||||||
test = [
|
"${cfg.state-directory}/data:/var/lib/nextcloud/data"
|
||||||
"CMD"
|
"${hostSecrets.nextcloudAdminPasswd.target-file}:/run/nextcloud/admin.passwd:ro,Z"
|
||||||
''
|
"${cfg.state-directory}/postgres:/var/lib/postgresql/data"
|
||||||
curl -sSf 'http://localhost/status.php' | grep '"installed":true' | grep '"maintenance":false' | grep '"needsDbUpgrade":false' || exit 1''
|
];
|
||||||
];
|
user = mkUserMap cfg.uids.nextcloud;
|
||||||
start_period = "20s";
|
depends_on = [ "postgres" ];
|
||||||
interval = "30s";
|
ports = [ "${cfg.port}:80" ];
|
||||||
timeout = "3s";
|
|
||||||
retries = 5;
|
|
||||||
};
|
|
||||||
depends_on = [ "nextcloud" ];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue