Nextcloud: Difference between revisions

(21 intermediate revisions by 8 users not shown)

Line 3:

This article extends the documentation in the [https://nixos.org/manual/nixos/stable/#module-services-nextcloud NixOS manual].

== ~~Installation~~ ==

== Setup ==

A minimal example to get the latest Nextcloud version (for your specific NixOS release) running on localhost should look like this, replacing <code>PWD</code> with a 10+ char password that meets [https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_password_policy.html Nextcloud's default password policy].

Line 13:

hostName = "localhost";

config.adminpassFile = "/etc/nextcloud-admin-pass";

config.dbtype = "sqlite";

};

</nowiki>}}

</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}

After that you will be able to login into your Nextcloud instance at <code><nowiki>http://localhost</nowiki></code> with user <code>root</code> and password <code>PWD</code> as configured above.

Line 24:

Line 25:

=== Apps ===

[https://github.com/NixOS/nixpkgs/blob/~~master~~/pkgs/servers/nextcloud/packages/~~nextcloud-apps~~.json Some apps] which are already packaged on NixOS can be installed directly with the following example configuration

[https://github.com/NixOS/nixpkgs/blob/2852f35f477e0f55e68b5f5e6d5a92242c215efc/pkgs/servers/nextcloud/packages/31.json Some apps] (use the file named <code><version>.json</code>, where version is the installed Nextcloud version), which are already packaged on NixOS, can be installed directly with the following example configuration:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 50:

Line 51:

inherit (config.services.nextcloud.package.packages.apps) news contacts calendar tasks;

memories = pkgs.fetchNextcloudApp {

~~sha256 = "sha256-Xr1SRSmXo2r8yOGuoMyoXhD0oPVm/0/ISHlmNZpJYsg=";~~

url = "https://github.com/pulsejet/memories/releases/download/v6.2.2/memories.tar.gz";

hash = "sha256-Xr1SRSmXo2r8yOGuoMyoXhD0oPVm/0/ISHlmNZpJYsg=";

license = "agpl3Only";

};

Line 115:

Line 116:

</nowiki>}}

=== ~~Caching~~ ===

=== Data storage ===

Nextcloud stores metadata in the database and files either on a local filesystem, external storage, or in an object storage.

~~[[Redis]] can be enabled as~~ a ~~performant caching backend using following configuration. This will bring faster page loads to your Nextcloud instance.~~

~~{{file|/etc/nixos/configuration.nix|nix|<nowiki>~~

~~services.nextcloud = {~~

~~enable = true;~~

~~configureRedis = true;~~

[.~~..]~~

};

~~</nowiki>}}~~

~~Note that APCu will still~~ be ~~used~~ for ~~local caching, as recommended by Nextcloud upstream.~~

==== Local filesystem ====

Using a filesystem with snapshot support, such as btrfs or zfs, may be useful for backup purposes

=== ~~Object store~~ ===

==== External storage ====

https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/external_storage_configuration_gui.html

==== Object store ====

In this example we'll configure a local S3-compatible object store using Minio and connect it to Nextcloud

{{file|~~/etc/nixos/configuration.nix~~|~~nix~~|<nowiki>

{{file|||<nowiki>

{ ... } let

Line 150:

Line 145:

enable = true;

bucket = "nextcloud";

~~autocreate~~ = true;

verify_bucket_exists = true;

key = accessKey;

secretFile = "${pkgs.writeText "secret" "test12345"}";

Line 171:

Line 166:

};

</nowiki>}}

</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}

We'll need to run two commands to create the bucket <code>nextcloud</code> by using the access key <code>nextcloud</code> and the secret key <code>test12345</code>.

mc ~~config host add~~ minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4

mc alias set minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4

mc mb minio/nextcloud

</syntaxhighlight>

Line 206:

Line 201:

=== Secrets management ===

Do not suply passwords, hashes or keys via ~~<code>extraOptions</code>~~ option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.

Do not suply passwords, hashes or keys via the settings option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.

<~~syntaxHighlight~~ lang="nix">

services.nextcloud = {

[...]

secretFile = "/etc/nextcloud-secrets.json";

};

</syntaxhighlight>

~~environment.etc."nextcloud-~~secrets.~~json".text = ''~~

Consider using a [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.

{

~~"passwordsalt": "12345678910",~~

=== Dynamic configuration ===

~~"secret": "12345678910"~~,

Unfortunately, some options can only be set 'interactively' in the database (either through the nextcloud-occ command line tool or the web UI), and not via the configuration file. One way to manage them "semi-declaratively" is to register a systemd script to reset the options on each redeploy:

~~"instanceid": "10987654321"~~,

"~~redis~~": {

~~"password": "secret"~~

}

~~'';~~

~~</syntaxHighlight>~~

~~Consider using a~~ [[~~Comparison of secret managing schemes|secret management tool~~]] ~~instead of referencing an unencrypted local secrets file~~.

systemd.services.nextcloud-custom-config = {

path = [

config.services.nextcloud.occ

];

script = ''

nextcloud-occ theming:config name "My Cloud"

nextcloud-occ theming:config url "https://cloud.mine.com";

nextcloud-occ theming:config privacyUrl "https://www.mine.com/privacy";

nextcloud-occ theming:config color "#3253a5";

nextcloud-occ theming:config logo ${./logo.png}

'';

after = [ "nextcloud-setup.service" ];

wantedBy = [ "multi-user.target" ];

};

</syntaxHighlight>Of course this is not ideal: changes through the web interface or occ client are still possible but will be overwritten the next redeploy, and removing a line from the script will not remove it from the configuration.

== Maintenance ==

Line 248:

Line 252:

No password is required.

=== Migration ===

If you want to migrate your Nextcloud instance from one place to another, keep in mind:

* Distribution-agnostic instructions are at https://docs.nextcloud.com/server/stable/admin_manual/maintenance/migrating.html

* You can use the [https://search.nixos.org/options?show=services.nextcloud.secretFile services.nextcloud.secretFile] option to set secrets. Notably you'll likely want to inherit the following values from your old to your new instance:

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#instanceid instanceid]

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#passwordsalt passwordsalt]

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#secret secret]

* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]]. Don't forget to clear <code>acmeRoot</code>:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {

forceSSL = true;

enableACME = true;

# force DNS-01 validation

acmeRoot = null;

};

</nowiki>}}

=== Backups ===

You should make backups of both the database and your storage.

For the database, [https://search.nixos.org/options?show=services.mysqlBackup services.mysqlBackup] or [https://search.nixos.org/options?show=services.postgresqlBackup services.postgresqlBackup] may come in handy. For local storage backups, periodically taking a snapshot of a snapshot-enabled filesystem such as btrfs or zfs may be a good first step. Remember to also make off-site copies.

== Clients ==

Line 305:

Line 333:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.nginx.virtualHosts."~~localhost~~".listen = [ { addr = "127.0.0.1"; port = 8080; } ];

services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ { addr = "127.0.0.1"; port = 8080; } ];

</nowiki>}}

=== Enable Two-factor authentication ===

Two-factor authentication can be enabled for your server via the administration interface in your browser. There is no way to declare this setting via nix configuration, so you should follow the [https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/two_factor-auth.html official documentation] to set up Two-factor authentication.

=== Enable HEIC image preview ===

HEIC image preview needs to be explicitly enabled. This is done by adjusting the <code>enabledPreviewProviders</code> option. Beside the default list of supported formats, add an additional line <code>"OC\\Preview\\HEIC"</code> for HEIC image support.

HEIC image preview needs to be explicitly enabled. This is done by adjusting the <code>enabledPreviewProviders</code> option. Beside the default list of supported formats, add an additional line <code>"OC\\Preview\\HEIC"</code> for HEIC image support. See also [https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#enabledpreviewproviders this list of preview providers] for additional file types.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.nextcloud = {

~~extraOptions~~.enabledPreviewProviders = [

settings.enabledPreviewProviders = [

"OC\\Preview\\BMP"

"OC\\Preview\\GIF"

Line 330:

Line 362:

</nowiki>}}

=== Run ~~nextcloud~~ in a sub-directory ===

=== Run Nextcloud in a sub-directory ===

Say, you don't want to run nextcloud at <code>your.site/</code> but in a sub-directory <code>your.site/nextcloud/</code>. To do so, we are going to add more configurations to nextcloud and to nginx to [[Nginx#TLS_reverse_proxy|make]] it a [https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/ reverse-proxy].

Line 455:

Line 487:

</syntaxhighlight>

== ~~Plugins~~ ==

== App specific configuration ==

=== Whiteboard ===

The [https://github.com/nextcloud/whiteboard Whiteboard app] requires a running backend server which is also packaged in NixOS.<syntaxhighlight lang="nix">

environment.etc."nextcloud-whiteboard-secret".text = ''

JWT_SECRET_KEY=test123

'';

services.nextcloud-whiteboard-server = {

enable = true;

settings.NEXTCLOUD_URL = "http://localhost";

secrets = [ /etc/nextcloud-whiteboard-secret ];

};

</syntaxhighlight>After applying the configuration configure the Nextcloud app to use it<syntaxhighlight lang="bash">

nextcloud-occ config:app:set whiteboard collabBackendUrl --value="http://localhost:3002"

nextcloud-occ config:app:set whiteboard jwt_secret_key --value="test123"

</syntaxhighlight>

=== NextCloud Office ===

Line 471:

Line 519:

</syntaxhighlight>

==== ONLYOFFICE ====

=== ONLYOFFICE ===

You need to install both a document server and the [https://apps.nextcloud.com/apps/onlyoffice ONLYOFFICE Nextcloud plug-in]. There are several ways to install onlyoffice:

===== services.onlyoffice =====

~~Due to https://github.com/ONLYOFFICE/~~onlyoffice~~-nextcloud/issues/931 you need to apply the workaround from https://github.com/NixOS/nixpkgs/pull/338794~~.

Install the onlyoffice documentserver as described in [[ONLYOFFICE_DocumentServer]].

~~Then point~~ the app to the document server from within the Nextcloud UI ("Administration Settings" -> Administration -> ONLYOFFICE), and make sure the 'services.onlyoffice.jwtSecretFile points to a file containing the same key as entered in the configuration of the Nextcloud app.

Point the app to the document server from within the Nextcloud UI ("Administration Settings" -> Administration -> ONLYOFFICE), and make sure the 'services.onlyoffice.jwtSecretFile points to a file containing the same key as entered in the configuration of the Nextcloud app.

===== the documentserver_community Nextcloud app =====

@@ Line 3: / Line 3: @@
 This article extends the documentation in the [https://nixos.org/manual/nixos/stable/#module-services-nextcloud NixOS manual].
-== Installation ==
+== Setup ==
 A minimal example to get the latest Nextcloud version (for your specific NixOS release) running on localhost should look like this, replacing  <code>PWD</code> with a 10+ char password that meets [https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_password_policy.html Nextcloud's default password policy].
@@ Line 13: / Line 13: @@
    hostName = "localhost";
    config.adminpassFile = "/etc/nextcloud-admin-pass";
+  config.dbtype = "sqlite";
 };
-</nowiki>}}
+</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}
 After that you will be able to login into your Nextcloud instance at <code><nowiki>http://localhost</nowiki></code> with user <code>root</code> and password <code>PWD</code> as configured above.
@@ Line 24: / Line 25: @@
 === Apps ===
-[https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json Some apps] which are already packaged on NixOS can be installed directly with the following example configuration
+[https://github.com/NixOS/nixpkgs/blob/2852f35f477e0f55e68b5f5e6d5a92242c215efc/pkgs/servers/nextcloud/packages/31.json Some apps] (use the file named <code><version>.json</code>, where version is the installed Nextcloud version), which are already packaged on NixOS, can be installed directly with the following example configuration:
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 50: / Line 51: @@
      inherit (config.services.nextcloud.package.packages.apps) news contacts calendar tasks;
      memories = pkgs.fetchNextcloudApp {
-        sha256 = "sha256-Xr1SRSmXo2r8yOGuoMyoXhD0oPVm/0/ISHlmNZpJYsg=";
+      url = "https://github.com/pulsejet/memories/releases/download/v6.2.2/memories.tar.gz";
-        url = "https://github.com/pulsejet/memories/releases/download/v6.2.2/memories.tar.gz";
+      hash = "sha256-Xr1SRSmXo2r8yOGuoMyoXhD0oPVm/0/ISHlmNZpJYsg=";
-        license = "agpl3Only";
+      license = "agpl3Only";
      };
@@ Line 115: / Line 116: @@
 </nowiki>}}
-=== Caching ===
+=== Data storage ===
+Nextcloud stores metadata in the database and files either on a local filesystem, external storage, or in an object storage.
-[[Redis]] can be enabled as a performant caching backend using following configuration. This will bring faster page loads to your Nextcloud instance.
-{{file|/etc/nixos/configuration.nix|nix|<nowiki>
-services.nextcloud = {
-  enable = true;
-  configureRedis = true;
-  [...]
-};
-</nowiki>}}
-Note that APCu will still be used for local caching, as recommended by Nextcloud upstream.
+==== Local filesystem ====
+Using a filesystem with snapshot support, such as btrfs or zfs, may be useful for backup purposes
-=== Object store ===
+==== External storage ====
+https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/external_storage_configuration_gui.html
+==== Object store ====
 In this example we'll configure a local S3-compatible object store using Minio and connect it to Nextcloud
-{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{{file|||<nowiki>
 { ... } let
@@ Line 150: / Line 145: @@
        enable = true;
        bucket = "nextcloud";
-       autocreate = true;
+       verify_bucket_exists = true;
        key = accessKey;
        secretFile = "${pkgs.writeText "secret" "test12345"}";
@@ Line 171: / Line 166: @@
 };
-</nowiki>}}
+</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}
 We'll need to run two commands to create the bucket <code>nextcloud</code> by using the access key <code>nextcloud</code> and the secret key <code>test12345</code>.
 <syntaxhighlight lang="bash">
-mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4
+mc alias set minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4
 mc mb minio/nextcloud
 </syntaxhighlight>
@@ Line 206: / Line 201: @@
 === Secrets management ===
-Do not suply passwords, hashes or keys via <code>extraOptions</code> option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.
+Do not suply passwords, hashes or keys via the settings option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.
-<syntaxHighlight lang="nix">
+<syntaxhighlight lang="nix">
 services.nextcloud = {
    [...]
    secretFile = "/etc/nextcloud-secrets.json";
 };
+</syntaxhighlight>
-environment.etc."nextcloud-secrets.json".text = ''
+Consider using a  [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.
-  {
-    "passwordsalt": "12345678910",
+=== Dynamic configuration ===
-    "secret": "12345678910",
+Unfortunately, some options can only be set 'interactively' in the database (either through the nextcloud-occ command line tool or the web UI), and not via the configuration file. One way to manage them "semi-declaratively" is to register a systemd script to reset the options on each redeploy:
-    "instanceid": "10987654321",
-    "redis": {
-      "password": "secret"
-    }
-  }
-'';
-</syntaxHighlight>
-Consider using a  [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.
+<syntaxHighlight lang="nix">
+  systemd.services.nextcloud-custom-config = {
+    path = [
+      config.services.nextcloud.occ
+    ];
+    script = ''
+      nextcloud-occ theming:config name "My Cloud"
+      nextcloud-occ theming:config url "https://cloud.mine.com";
+      nextcloud-occ theming:config privacyUrl "https://www.mine.com/privacy";
+      nextcloud-occ theming:config color "#3253a5";
+      nextcloud-occ theming:config logo ${./logo.png}
+    '';
+    after = [ "nextcloud-setup.service" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+</syntaxHighlight>Of course this is not ideal: changes through the web interface or occ client are still possible but will be overwritten the next redeploy, and removing a line from the script will not remove it from the configuration.
 == Maintenance ==
@@ Line 248: / Line 252: @@
 No password is required.
+=== Migration ===
+If you want to migrate your Nextcloud instance from one place to another, keep in mind:
+* Distribution-agnostic instructions are at https://docs.nextcloud.com/server/stable/admin_manual/maintenance/migrating.html
+* You can use the [https://search.nixos.org/options?show=services.nextcloud.secretFile services.nextcloud.secretFile] option to set secrets. Notably you'll likely want to inherit the following values from your old to your new instance:
+** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#instanceid instanceid]
+** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#passwordsalt passwordsalt]
+** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#secret secret]
+* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]]. Don't forget to clear <code>acmeRoot</code>:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+  forceSSL = true;
+  enableACME = true;
+  # force DNS-01 validation
+  acmeRoot = null;
+};
+</nowiki>}}
+=== Backups ===
+You should make backups of both the database and your storage.
+For the database, [https://search.nixos.org/options?show=services.mysqlBackup services.mysqlBackup] or [https://search.nixos.org/options?show=services.postgresqlBackup services.postgresqlBackup] may come in handy. For local storage backups, periodically taking a snapshot of a snapshot-enabled filesystem such as btrfs or zfs may be a good first step. Remember to also make off-site copies.
 == Clients ==
@@ Line 305: / Line 333: @@
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
-services.nginx.virtualHosts."localhost".listen = [ { addr = "127.0.0.1"; port = 8080; } ];
+services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ { addr = "127.0.0.1"; port = 8080; } ];
 </nowiki>}}
+=== Enable Two-factor authentication ===
+Two-factor authentication can be enabled for your server via the administration interface in your browser. There is no way to declare this setting via nix configuration, so you should follow the [https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/two_factor-auth.html official documentation] to set up Two-factor authentication.
 === Enable HEIC image preview ===
-HEIC image preview needs to be explicitly enabled. This is done by adjusting the <code>enabledPreviewProviders</code> option. Beside the default list of supported formats, add an additional line <code>"OC\\Preview\\HEIC"</code> for HEIC image support.
+HEIC image preview needs to be explicitly enabled. This is done by adjusting the <code>enabledPreviewProviders</code> option. Beside the default list of supported formats, add an additional line <code>"OC\\Preview\\HEIC"</code> for HEIC image support. See also [https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#enabledpreviewproviders this list of preview providers] for additional file types.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
 services.nextcloud = {
-   extraOptions.enabledPreviewProviders = [
+   settings.enabledPreviewProviders = [
      "OC\\Preview\\BMP"
      "OC\\Preview\\GIF"
@@ Line 330: / Line 362: @@
 </nowiki>}}
-=== Run nextcloud in a sub-directory ===
+=== Run Nextcloud in a sub-directory ===
 Say, you don't want to run nextcloud at <code>your.site/</code> but in a sub-directory <code>your.site/nextcloud/</code>. To do so, we are going to add more configurations to nextcloud and to nginx to [[Nginx#TLS_reverse_proxy|make]] it a [https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/ reverse-proxy].
@@ Line 455: / Line 487: @@
 </syntaxhighlight>
-== Plugins ==
+== App specific configuration ==
+=== Whiteboard ===
+The [https://github.com/nextcloud/whiteboard Whiteboard app] requires a running backend server which is also packaged in NixOS.<syntaxhighlight lang="nix">
+environment.etc."nextcloud-whiteboard-secret".text = ''
+  JWT_SECRET_KEY=test123
+'';
+services.nextcloud-whiteboard-server = {
+  enable = true;
+  settings.NEXTCLOUD_URL = "http://localhost";
+  secrets = [ /etc/nextcloud-whiteboard-secret ];
+};
+</syntaxhighlight>After applying the configuration configure the Nextcloud app to use it<syntaxhighlight lang="bash">
+nextcloud-occ config:app:set whiteboard collabBackendUrl --value="http://localhost:3002"
+nextcloud-occ config:app:set whiteboard jwt_secret_key --value="test123"
+</syntaxhighlight>
 === NextCloud Office ===
@@ Line 471: / Line 519: @@
 </syntaxhighlight>
-==== ONLYOFFICE ====
+=== ONLYOFFICE ===
 You need to install both a document server and the [https://apps.nextcloud.com/apps/onlyoffice ONLYOFFICE Nextcloud plug-in]. There are several ways to install onlyoffice:
 ===== services.onlyoffice =====
-Due to https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/931 you need to apply the workaround from https://github.com/NixOS/nixpkgs/pull/338794.
+Install the onlyoffice documentserver as described in [[ONLYOFFICE_DocumentServer]].
-Then point the app to the document server from within the Nextcloud UI ("Administration Settings" -> Administration -> ONLYOFFICE), and make sure the 'services.onlyoffice.jwtSecretFile points to a file containing the same key as entered in the configuration of the Nextcloud app.
+Point the app to the document server from within the Nextcloud UI ("Administration Settings" -> Administration -> ONLYOFFICE), and make sure the 'services.onlyoffice.jwtSecretFile points to a file containing the same key as entered in the configuration of the Nextcloud app.
 ===== the documentserver_community Nextcloud app =====