Nextcloud: Difference between revisions

(3 intermediate revisions by the same user not shown)

Line 129:

Note that APCu will still be used for local caching, as recommended by Nextcloud upstream.

=== ~~Object store~~ ===

=== Data storage ===

Nextcloud stores metadata in the database and files either on a local filesystem, external storage, or in an object storage.

==== Local filesystem ====

Using a filesystem with snapshot support, such as btrfs or zfs, may be useful for backup purposes

==== External storage ====

https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/external_storage_configuration_gui.html

==== Object store ====

In this example we'll configure a local S3-compatible object store using Minio and connect it to Nextcloud

Line 208:

Line 216:

Do not suply passwords, hashes or keys via the settings option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.

<~~syntaxHighlight~~ lang="nix">

services.nextcloud = {

[...]

secretFile = "/etc/nextcloud-secrets.json";

};

</syntaxhighlight>

~~environment.etc."nextcloud-secrets.json".text = ''~~

{

~~"passwordsalt": "12345678910",~~

~~"secret": "12345678910",~~

~~"instanceid": "10987654321",~~

~~"redis": {~~

~~"password": "secret"~~

}

~~'';~~

</~~syntaxHighlight~~>

Consider using a [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.

Line 277:

Line 274:

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#passwordsalt passwordsalt]

** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#secret secret]

* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]].

* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]]. Don't forget to clear <code>acmeRoot</code>:

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {

forceSSL = true;

enableACME = true;

# force DNS-01 validation

acmeRoot = null;

};

</nowiki>}}

=== Backups ===

You should make backups of both the database and your storage.

For the database, [https://search.nixos.org/options?show=services.mysqlBackup services.mysqlBackup] or [https://search.nixos.org/options?show=services.postgresqlBackup services.postgresqlBackup] may come in handy. For local storage backups, periodically taking a snapshot of a snapshot-enabled filesystem such as btrfs or zfs may be a good first step. Remember to also make off-site copies.

== Clients ==

@@ Line 129: / Line 129: @@
 Note that APCu will still be used for local caching, as recommended by Nextcloud upstream.
-=== Object store ===
+=== Data storage ===
+Nextcloud stores metadata in the database and files either on a local filesystem, external storage, or in an object storage.
+==== Local filesystem ====
+Using a filesystem with snapshot support, such as btrfs or zfs, may be useful for backup purposes
+==== External storage ====
+https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/external_storage_configuration_gui.html
+==== Object store ====
 In this example we'll configure a local S3-compatible object store using Minio and connect it to Nextcloud
@@ Line 208: / Line 216: @@
 Do not suply passwords, hashes or keys via the settings option, since they will be copied into the world-readable Nix store. Instead reference a JSON file containing secrets using the <code>secretFile</code> option.
-<syntaxHighlight lang="nix">
+<syntaxhighlight lang="nix">
 services.nextcloud = {
    [...]
    secretFile = "/etc/nextcloud-secrets.json";
 };
+</syntaxhighlight>
-environment.etc."nextcloud-secrets.json".text = ''
-  {
-    "passwordsalt": "12345678910",
-    "secret": "12345678910",
-    "instanceid": "10987654321",
-    "redis": {
-      "password": "secret"
-    }
-  }
-'';
-</syntaxHighlight>
 Consider using a  [[Comparison of secret managing schemes|secret management tool]] instead of referencing an unencrypted local secrets file.
@@ Line 277: / Line 274: @@
 ** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#passwordsalt passwordsalt]
 ** [https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#secret secret]
-* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]].
+* To be able to configure TLS for your new instance before you've updated your DNS record, you can use [[ACME#DNS challenge|ACME DNS Challenge]]. Don't forget to clear <code>acmeRoot</code>:
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+  forceSSL = true;
+  enableACME = true;
+  # force DNS-01 validation
+  acmeRoot = null;
+};
+</nowiki>}}
+=== Backups ===
+You should make backups of both the database and your storage.
+For the database, [https://search.nixos.org/options?show=services.mysqlBackup services.mysqlBackup] or [https://search.nixos.org/options?show=services.postgresqlBackup services.postgresqlBackup] may come in handy. For local storage backups, periodically taking a snapshot of a snapshot-enabled filesystem such as btrfs or zfs may be a good first step. Remember to also make off-site copies.
 == Clients ==