<?php
/*
 * Template for Nextcloud's config.php. It is rendered by substituteAll in the
 * companion NixOS module: every at-sign-delimited placeholder below is replaced
 * with the derivation attribute of the same name, and the result is copied
 * into the Nextcloud config directory on first boot.
 *
 * NOTE(review): the rendered file carries the database password verbatim, so
 * both the copy that ends up in the (world-readable) Nix store and the
 * installed copy have to be treated as secret material.
 */
$CONFIG = [
  // Outgoing mail goes through the local sendmail binary; the SMTP auth type
  // further down is presumably unused with this transport.
  'mail_domain'   => '@mailDomain@',
  'mail_smtpmode' => 'sendmail',

  // All user data lives below the Nextcloud home directory, outside the store.
  'datadirectory' => '@dataDir@',

  // Two app roots: a writable one for apps installed through the web UI,
  // and the read-only set that ships with the package.
  'apps_paths' => [
    0 => [
      'path'     => '@apps2Dir@',
      'url'      => '/apps2',
      'writable' => true,
    ],
    1 => [
      // Deliberately unquoted: the module substitutes a PHP expression here
      // that resolves the package path from the environment at runtime.
      'path'     => @appsDir@,
      'url'      => '/apps',
      'writable' => false,
    ],
  ],

  // Host header allow-list and the canonical external URL. Nextcloud sits
  // behind something that terminates TLS, hence the forced https scheme.
  'trusted_domains' => [
    0 => '@domain@',
  ],
  'overwrite.cli.url' => 'https://@domain@',
  'overwritehost'     => '@domain@',
  'overwriteprotocol' => 'https',

  // PostgreSQL over TCP on the local host (an empty port selects the default).
  'dbtype'        => 'pgsql',
  'dbname'        => '@dbName@',
  'dbhost'        => 'localhost',
  'dbport'        => '',
  'dbtableprefix' => 'oc_',
  'dbuser'        => '@userName@',
  'dbpassword'    => '@password@',

  'mail_from_address' => 'repository-noreply',
  'mail_smtpauthtype' => 'LOGIN',

  // Logging and operational toggles.
  'logfile'     => '@homeDir@/nextcloud.log',
  'loglevel'    => 2,
  'maintenance' => false,
  'debug'       => false,

  // Files copied into every new user's home.
  'skeletondirectory' => '@homeDir@/skeleton',

  'updater.release.channel' => 'production',
  'filelocking.enabled'     => true,
];
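{ config, pkgs, ... }:
let
  # NOTE(review): <unstable> is resolved through NIX_PATH at evaluation time,
  # so the Nextcloud version deployed here follows whatever that channel
  # currently points at rather than a pinned revision.
  unstable-pkgs = import <unstable> {};
  nextcloud-pkg = unstable-pkgs.nextcloud;

  # Paths and identities shared by the config template, nginx, uwsgi and the
  # systemd units below.
  nc = rec {
    homeDir = "/var/lib/nextcloud";
    configDir = "${homeDir}/etc";
    configFile = "${configDir}/config.php";
    dataDir = "${homeDir}/data";
    apps2Dir = "${homeDir}/apps2";
    mailDomain = "grinta.net";
    domain = "cloud.grinta.net";
    userName = "nextcloud";
    # NOTE(review): readFile pulls the secret into the Nix evaluation. It is
    # then written into the ncConf output (config.php) and into the
    # nextcloud-init-var script, both of which live in the world-readable
    # /nix/store, so any local user on this host can read the DB password.
    # readFile also keeps a trailing newline if the secret file has one; it
    # lands consistently in both the SQL and config.php, so it still works.
    password = (pkgs.lib.readFile /etc/nixos/secret/nextcloud-postgres);
    uwsgiSocket = "/run/uwsgi/nextcloud.sock";
  };

  # Wrapper scripts (nc-php, nc-cli) plus the rendered config.php.
  ncConf = pkgs.stdenv.mkDerivation rec {
    buildInputs = [ pkgs.makeWrapper ];
    name = "nextcloud-commands";
    php = pkgs.php + /bin/php;
    occ = nextcloud-pkg + /occ;
    # These attributes are exported to substituteAll below, so their names
    # must match the at-sign placeholders in config.php.template.
    inherit (nc) homeDir dataDir apps2Dir password domain mailDomain
      userName;
    dbName = userName;
    # Substituted unquoted into the template: the apps path is resolved at
    # runtime from the NEXTCLOUD_PKG environment variable that uwsgi and the
    # wrappers set, so a rebuilt package does not need a re-rendered config.
    appsDir = "$_ENV['NEXTCLOUD_PKG'] . '/apps'";
    installPhase = ''
      mkdir -p $out/bin
      makeWrapper $php $out/bin/nc-php --set NEXTCLOUD_CONFIG_DIR ${nc.configDir}
      makeWrapper $php $out/bin/nc-cli --add-flags $occ --set NEXTCLOUD_CONFIG_DIR ${nc.configDir}
      # was "mkdir p": it only worked because $out already existed, and it
      # left a stray directory named "p" in the build directory
      mkdir -p $out/etc
      substituteAll ${./config.php.template} $out/etc/config.php
    '';
    phases = ["installPhase"];
  };

  # stock "imagick" package depends on the "php" pkg but "uwsgi"
  # depends on "php-embed", so here it is a new one with the right
  # dependency
  phpEmbedImagick = pkgs.phpPackages.imagick.overrideAttrs (old: {
    buildInputs = [ pkgs.php-embed ] ++ (pkgs.lib.tail old.buildInputs);
  });
in {
  environment.systemPackages = with pkgs; [
    ncConf
  ];

  # dbhost is "localhost" in config.php, which makes PDO connect over TCP,
  # hence the TCP listener. NOTE(review): which clients that listener accepts
  # comes from the NixOS default pg_hba configuration, nothing here narrows
  # it -- confirm it is limited to local connections.
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
  };

  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    virtualHosts."cloud.grinta.net" = {
      # Plain HTTP on 18080. The HSTS header and overwriteprotocol = https in
      # config.php only make sense with a TLS-terminating proxy in front of
      # this container; presumably that is the setup -- make sure 18080 is
      # not reachable from anywhere but that proxy.
      listen = [
        { addr = "0.0.0.0"; port = 18080; }
      ];
      root = "${nextcloud-pkg}";
      extraConfig = ''
        # Security headers for responses nginx generates itself. The same
        # headers are hidden from uwsgi responses below because Nextcloud
        # already emits them and they would otherwise be sent twice.
        add_header Strict-Transport-Security "max-age=15768000;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Download-Options noopen;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Robots-Tag none;
        add_header X-XSS-Protection "1; mode=block";
        index index.php;
        client_max_body_size 10G;
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
        location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
        }
        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
        # last;
        location = /.well-known/carddav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location = /.well-known/caldav {
          return 301 $scheme://$host/remote.php/dav;
        }
        location / {
          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
          # NOTE(review): with the catch-all rewrite to index.php left
          # commented out, any file below the package root that no other
          # location matches is served verbatim by nginx, including .php
          # sources that are not in the uwsgi allow-list further down.
          try_files $uri $uri/ =404;
          #rewrite ^ /index.php$uri;
        }
        # Only reachable through an X-Accel-Redirect from the backend
        # (see MOD_X_ACCEL_REDIRECT_ENABLED below), never from a client.
        location ^~ /data {
          internal;
        }
        # User-installed apps live outside the store. The ^~ prefix match wins
        # over every regex location, so nothing under /apps2 reaches the deny
        # rules or uwsgi; it is served as static files only.
        location ^~ /apps2 {
          root ${nc.homeDir};
        }
        # Keep internal files and directories of the package out of reach.
        location ~ ^/(?:\.htaccess|config|db_structure\.xml|README) {
          deny all;
        }
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
          deny all;
        }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
          deny all;
        }
        # Allow-list of the PHP entry points that are handed to uwsgi.
        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
          include ${config.services.nginx.package}/conf/uwsgi_params;
          uwsgi_modifier1 14;
          uwsgi_hide_header Strict-Transport-Security;
          uwsgi_hide_header X-Content-Type-Options;
          uwsgi_hide_header X-Download-Options;
          uwsgi_hide_header X-Frame-Options;
          uwsgi_hide_header X-Permitted-Cross-Domain-Policies;
          uwsgi_hide_header X-Robots-Tag;
          uwsgi_hide_header X-XSS-Protection;
          uwsgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
          uwsgi_max_temp_file_size 0;
          uwsgi_pass unix:${nc.uwsgiSocket};
        }
        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
          try_files $uri/ =404;
          index index.php;
        }
        # add_header is inherited only by locations that define none of their
        # own, so the security headers are repeated next to Cache-Control.
        location ~ \.(?:css|js|woff|svg|gif)$ {
          try_files $uri /index.php$uri$is_args$args;
          add_header Cache-Control "public, max-age=15778463";
          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
          add_header X-Content-Type-Options nosniff;
          add_header X-Frame-Options "SAMEORIGIN";
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header X-Download-Options noopen;
          add_header X-Permitted-Cross-Domain-Policies none;
          access_log off;
        }
        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
          try_files $uri /index.php$uri$is_args$args;
          # Optional: Don't log access to other assets
          access_log off;
        }
      '';
    };
  };

  # PHP runs embedded in uwsgi as the nginx user, so every file Nextcloud
  # writes (config, data, apps2, log) must be owned by nginx -- see the
  # nextcloud-init-var service.
  services.uwsgi = {
    enable = true;
    user = "nginx";
    group = "nginx";
    plugins = [ "php" ];
    instance = {
      type = "emperor";
      vassals = {
        nextcloud = {
          socket = nc.uwsgiSocket;
          # the following value is to prevent connection errors from
          # nginx (the default is 128) see also
          # boot.kernel.sysctl."net.core.somaxconn" and:
          # http://man7.org/linux/man-pages/man2/listen.2.html
          # https://stackoverflow.com/questions/44581719/resource-temporarily-unavailable-using-uwsgi-nginx
          listen = 1024;
          master = true;
          vacuum = true;
          processes = 50;
          cheaper = 5;
          socket-modifier1 = 14;
          php-allowed-ext = [ ".php" ".inc" ];
          php-index = "index.php";
          php-sapi-name = "apache"; # opcode caching tweak
          php-set = [
            "date.timezone=Europe/Berlin"
            "opcache.enable=1"
          ];
          php-ini = (pkgs.writeText "php.ini" ''
            [PHP]
            extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
            extension=${phpEmbedImagick}/lib/php/extensions/imagick.so
            zend_extension=opcache.so
            memory_limit=512M
            [opcache]
            opcache.enable=1
            opcache.enable_cli=1
            opcache.interned_strings_buffer=8
            opcache.max_accelerated_files=10000
            opcache.memory_consumption=128
            opcache.save_comments=1
            opcache.revalidate_freq=1
          '');
          # NEXTCLOUD_PKG is what the unquoted appsDir expression in
          # config.php reads back at runtime.
          env = [
            "NEXTCLOUD_CONFIG_DIR=${nc.configDir}"
            "NEXTCLOUD_PKG=${nextcloud-pkg}"
          ];
          plugins = [ "php" ];
          type = "normal";
        };
      };
    };
  };

  systemd.services."nextcloud_cron" = {
    description = "Nextcloud cron";
    after = [ "network.target" ];
    script = ''
      ${ncConf}/bin/nc-php ${nextcloud-pkg}/cron.php
    '';
    serviceConfig.User = "nginx";
  };

  # One-shot at boot: first run creates the DB role/database and installs
  # config.php, later runs just let occ upgrade the instance.
  systemd.services."nextcloud-init-var" = {
    after = [ "postgresql.service" ];
    before = [ "uwsgi.service" ];
    description = "Nextcloud Initialization";
    enable = true;
    path = [ pkgs.sudo ];
    script = ''
      mkdir -p ${nc.configDir} ${nc.dataDir} ${nc.apps2Dir} ${nc.homeDir}/skeleton
      if ! [ -e ${nc.homeDir}/database-created ]; then
        sudo -u postgres -- ${pkgs.postgresql}/bin/createuser --no-superuser --no-createdb --no-createrole ${nc.userName}
        # NOTE(review): the password is interpolated into this script, i.e.
        # into the Nix store copy of it.
        echo "ALTER USER ${nc.userName} WITH PASSWORD '${nc.password}'" | sudo -u postgres -- ${pkgs.postgresql}/bin/psql
        sudo -u postgres -- ${pkgs.postgresql}/bin/createdb nextcloud -O ${nc.userName}
        cp ${ncConf}/etc/config.php ${nc.configDir}
        # cp keeps the store's read-only 0444 mode. The file holds the DB
        # password, and Nextcloud (running as nginx) rewrites config.php
        # itself on install/upgrade, so make it owner-writable and not
        # world-readable.
        chmod 0640 ${nc.configFile}
        # mkdir -p above created the data directory with the root umask;
        # user files should not be readable by every local account.
        chmod 0750 ${nc.dataDir}
        # "user:group" is the POSIX form; "user.group" is a legacy spelling
        chown -R nginx:nginx ${nc.homeDir}
        touch ${nc.homeDir}/database-created
      else
        sudo -u nginx -- ${ncConf}/bin/nc-cli upgrade
      fi
    '';
    serviceConfig = {
      Type = "oneshot";
    };
    wantedBy = [ "multi-user.target" ];
  };

  systemd.timers."nextcloud_cron" = {
    enable = true;
    description = "Nextcloud cron timer";
    wantedBy = [ "timers.target" ];
    partOf = [ "nextcloud_cron.service" ];
    timerConfig = {
      RandomizedDelaySec = "5min";
      OnCalendar = "*-*-* *:00,30:00"; # every 1/2h
      Persistent = true;
    };
  };

  services.openssh.enable = false;
  imports = [ <nixpkgs/nixos/modules/virtualisation/lxc-container.nix> ];
  # to make the directory tree bootable by systemd-nspawn
  # /etc/os-release should not be an absolute symlink. this forces
  # it to be a regular file
  # https://github.com/NixOS/nixpkgs/issues/28833
  environment.etc."os-release".mode = "0444";
}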