Nextcloud: Difference between revisions

(9 intermediate revisions by 5 users not shown)

Line 13:

hostName = "localhost";

config.adminpassFile = "/etc/nextcloud-admin-pass";

config.dbtype = "sqlite";

};

</nowiki>}}

</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}

After that you will be able to login into your Nextcloud instance at <code><nowiki>http://localhost</nowiki></code> with user <code>root</code> and password <code>PWD</code> as configured above.

Line 115:

Line 116:

</nowiki>}}

=== ~~Caching~~ ===

=== Data storage ===

Nextcloud stores metadata in the database and files either on a local filesystem, external storage, or in an object storage.

~~[[Redis]] can be enabled as~~ a ~~performant caching backend using following configuration. This will bring faster page loads to your Nextcloud instance.~~

~~{{file|/etc/nixos/configuration.nix|nix|<nowiki>~~

~~services.nextcloud = {~~

~~enable = true;~~

~~configureRedis = true;~~

[.~~..]~~

};

~~</nowiki>}}~~

~~Note that APCu will still~~ be ~~used~~ for ~~local caching, as recommended by Nextcloud upstream.~~

==== Local filesystem ====

Using a filesystem with snapshot support, such as btrfs or zfs, may be useful for backup purposes

=== ~~Object store~~ ===

==== External storage ====

https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/external_storage_configuration_gui.html

==== Object store ====

In this example we'll configure a local S3-compatible object store using Minio and connect it to Nextcloud

{{file|~~/etc/nixos/configuration.nix~~|~~nix~~|<nowiki>

{{file|||<nowiki>

{ ... } let

Line 150:

Line 145:

enable = true;

bucket = "nextcloud";

~~autocreate~~ = true;

verify_bucket_exists = true;

key = accessKey;

secretFile = "${pkgs.writeText "secret" "test12345"}";

Line 171:

Line 166:

};

</nowiki>}}

</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}

We'll need to run two commands to create the bucket <code>nextcloud</code> by using the access key <code>nextcloud</code> and the secret key <code>test12345</code>.

Line 208:

Line 203:

Do not suply passwords, hashes or keys via the settings option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.

<~~syntaxHighlight~~ lang="nix">

services.nextcloud = {

[...]

secretFile = "/etc/nextcloud-secrets.json";

};

</syntaxhighlight>

~~environment.etc."nextcloud-secrets.json".text = ''~~

{

~~"passwordsalt": "12345678910",~~

~~"secret": "12345678910",~~

~~"instanceid": "10987654321",~~

~~"redis": {~~

~~"password": "secret"~~

}

~~'';~~

</~~syntaxHighlight~~>

Consider using a [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.

Line 268:

Line 252:

No password is required.

=== Migration ===

If you want to migrate your Nextcloud instance from one place to another, keep in mind:

* Distribution-agnostic instructions are at https://docs.nextcloud.com/server/stable/admin_manual/maintenance/migrating.html

* You can use the [https://search.nixos.org/options?show=services.nextcloud.secretFile services.nextcloud.secretFile] option to set secrets. Notably you'll likely want to inherit the following values from your old to your new instance:

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#instanceid instanceid]

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#passwordsalt passwordsalt]

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#secret secret]

* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]]. Don't forget to clear <code>acmeRoot</code>:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {

forceSSL = true;

enableACME = true;

# force DNS-01 validation

acmeRoot = null;

};

</nowiki>}}

=== Backups ===

You should make backups of both the database and your storage.

For the database, [https://search.nixos.org/options?show=services.mysqlBackup services.mysqlBackup] or [https://search.nixos.org/options?show=services.postgresqlBackup services.postgresqlBackup] may come in handy. For local storage backups, periodically taking a snapshot of a snapshot-enabled filesystem such as btrfs or zfs may be a good first step. Remember to also make off-site copies.

== Clients ==

Line 327:

Line 335:

services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ { addr = "127.0.0.1"; port = 8080; } ];

</nowiki>}}

=== Enable Two-factor authentication ===

Two-factor authentication can be enabled for your server via the administration interface in your browser. There is no way to declare this setting via nix configuration, so you should follow the [https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/two_factor-auth.html official documentation] to set up Two-factor authentication.

=== Enable HEIC image preview ===

@@ Line 13: / Line 13: @@
    hostName = "localhost";
    config.adminpassFile = "/etc/nextcloud-admin-pass";
+  config.dbtype = "sqlite";
 };
-</nowiki>}}
+</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}
 After that you will be able to login into your Nextcloud instance at <code><nowiki>http://localhost</nowiki></code> with user <code>root</code> and password <code>PWD</code> as configured above.
@@ Line 115: / Line 116: @@
 </nowiki>}}
-=== Caching ===
+=== Data storage ===
+Nextcloud stores metadata in the database and files either on a local filesystem, external storage, or in an object storage.
-[[Redis]] can be enabled as a performant caching backend using following configuration. This will bring faster page loads to your Nextcloud instance.
-{{file|/etc/nixos/configuration.nix|nix|<nowiki>
-services.nextcloud = {
-  enable = true;
-  configureRedis = true;
-  [...]
-};
-</nowiki>}}
-Note that APCu will still be used for local caching, as recommended by Nextcloud upstream.
+==== Local filesystem ====
+Using a filesystem with snapshot support, such as btrfs or zfs, may be useful for backup purposes
-=== Object store ===
+==== External storage ====
+https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/external_storage_configuration_gui.html
+==== Object store ====
 In this example we'll configure a local S3-compatible object store using Minio and connect it to Nextcloud
-{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{{file|||<nowiki>
 { ... } let
@@ Line 150: / Line 145: @@
        enable = true;
        bucket = "nextcloud";
-       autocreate = true;
+       verify_bucket_exists = true;
        key = accessKey;
        secretFile = "${pkgs.writeText "secret" "test12345"}";
@@ Line 171: / Line 166: @@
 };
-</nowiki>}}
+</nowiki>|name=/etc/nixos/configuration.nix|lang=nix}}
 We'll need to run two commands to create the bucket <code>nextcloud</code> by using the access key <code>nextcloud</code> and the secret key <code>test12345</code>.
@@ Line 208: / Line 203: @@
 Do not suply passwords, hashes or keys via the settings option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.
-<syntaxHighlight lang="nix">
+<syntaxhighlight lang="nix">
 services.nextcloud = {
    [...]
    secretFile = "/etc/nextcloud-secrets.json";
 };
+</syntaxhighlight>
-environment.etc."nextcloud-secrets.json".text = ''
-  {
-    "passwordsalt": "12345678910",
-    "secret": "12345678910",
-    "instanceid": "10987654321",
-    "redis": {
-      "password": "secret"
-    }
-  }
-'';
-</syntaxHighlight>
 Consider using a  [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.
@@ Line 268: / Line 252: @@
 No password is required.
+=== Migration ===
+If you want to migrate your Nextcloud instance from one place to another, keep in mind:
+* Distribution-agnostic instructions are at https://docs.nextcloud.com/server/stable/admin_manual/maintenance/migrating.html
+* You can use the [https://search.nixos.org/options?show=services.nextcloud.secretFile services.nextcloud.secretFile] option to set secrets. Notably you'll likely want to inherit the following values from your old to your new instance:
+** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#instanceid instanceid]
+** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#passwordsalt passwordsalt]
+** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#secret secret]
+* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]]. Don't forget to clear <code>acmeRoot</code>:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+  forceSSL = true;
+  enableACME = true;
+  # force DNS-01 validation
+  acmeRoot = null;
+};
+</nowiki>}}
+=== Backups ===
+You should make backups of both the database and your storage.
+For the database, [https://search.nixos.org/options?show=services.mysqlBackup services.mysqlBackup] or [https://search.nixos.org/options?show=services.postgresqlBackup services.postgresqlBackup] may come in handy. For local storage backups, periodically taking a snapshot of a snapshot-enabled filesystem such as btrfs or zfs may be a good first step. Remember to also make off-site copies.
 == Clients ==
@@ Line 327: / Line 335: @@
 services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ { addr = "127.0.0.1"; port = 8080; } ];
 </nowiki>}}
+=== Enable Two-factor authentication ===
+Two-factor authentication can be enabled for your server via the administration interface in your browser. There is no way to declare this setting via nix configuration, so you should follow the [https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/two_factor-auth.html official documentation] to set up Two-factor authentication.
 === Enable HEIC image preview ===