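# Nextcloud ("cloud") website module.
#
# Builds the Nextcloud webapp together with its bundled apps, serves it from
# Apache through a dedicated PHP-FPM pool, deploys config.php from the secrets
# store, and installs a root-side `nextcloud-occ` wrapper plus the cron job.
{ lib, pkgs, config, myconfig,  ... }:
let
  # Nextcloud tree with every app from pkgs.webapps.nextcloud-apps included.
  nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps);
  # Per-environment values (database, redis, salts, secret) for this instance.
  env = myconfig.env.tools.nextcloud;
  varDir = "/var/lib/nextcloud";
  webappName = "tools_nextcloud";
  # Stable document root for Apache; it is a symlink to ${nextcloud} created
  # by system.extraSystemBuilderCmds below.
  apacheRoot = "/run/current-system/webapps/${webappName}";
  cfg = config.myServices.websites.tools.cloud;
  phpFpm = rec {
    # open_basedir allow-list: the app tree, the data directory and every app.
    basedir = builtins.concatStringsSep ":" (
      [ nextcloud varDir ]
      ++ builtins.attrValues pkgs.webapps.nextcloud-apps);
    socket = "/var/run/phpfpm/nextcloud.sock";
    # Extra php.ini lines for this pool: redis + apcu extensions, opcache.
    phpConfig = ''
      extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
      zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
      '';
    # Pool configuration; php_admin_value entries cannot be overridden by
    # the application (ini_set / .htaccess).
    pool = ''
      user = wwwrun
      group = wwwrun
      listen.owner = wwwrun
      listen.group = wwwrun
      pm = ondemand
      pm.max_children = 60
      pm.process_idle_timeout = 60

      php_admin_value[output_buffering] = 0
      php_admin_value[max_execution_time] = 1800
      php_admin_value[zend_extension] = "opcache"
      ;already enabled by default?
      ;php_value[opcache.enable] = 1
      php_value[opcache.enable_cli] = 1
      php_value[opcache.interned_strings_buffer] = 8
      php_value[opcache.max_accelerated_files] = 10000
      php_value[opcache.memory_consumption] = 128
      php_value[opcache.save_comments] = 1
      php_value[opcache.revalidate_freq] = 1
      php_admin_value[memory_limit] = 512M

      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"
      php_admin_value[session.save_path] = "${varDir}/phpSessions"
      '';
  };
in {
  options.myServices.websites.tools.cloud = {
    enable = lib.mkEnableOption "enable cloud website";
  };

  config = lib.mkIf cfg.enable {
    services.websites.env.tools.modules = [ "proxy_fcgi" ];

    services.websites.env.tools.vhostConfs.cloud = {
      certName    = "eldiron";
      addToCerts  = true;
      hosts       = ["cloud.immae.eu" ];
      root        = apacheRoot;
      extraConfig = [
        ''
          SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
          <Directory ${apacheRoot}>
            AcceptPathInfo On
            DirectoryIndex index.php
            Options FollowSymlinks
            Require all granted
            AllowOverride all

            <IfModule mod_headers.c>
              Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
            </IfModule>
            <FilesMatch "\.php$">
              CGIPassAuth on
              SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
            </FilesMatch>

          </Directory>
        ''
      ];
    };

    # config.php is rendered into the secrets store (root-only at rest, then
    # installed for wwwrun by the activation script below) because it embeds
    # the database password, salt and instance secret.
    secrets.keys = [{
      dest = "webapps/tools-nextcloud";
      user = "wwwrun";
      group = "wwwrun";
      permissions = "0600";
      text = ''
        <?php
        $CONFIG = array (
          // FIXME: change this value when nextcloud starts getting slow
          'instanceid' => '${env.instance_id}1',
          'datadirectory' => '/var/lib/nextcloud/',
          'passwordsalt' => '${env.password_salt}',
          'debug' => false,
          'dbtype' => 'pgsql',
          'version' => '16.0.0.9',
          'dbname' => '${env.postgresql.database}',
          'dbhost' => '${env.postgresql.socket}',
          'dbtableprefix' => 'oc_',
          'dbuser' => '${env.postgresql.user}',
          'dbpassword' => '${env.postgresql.password}',
          'installed' => true,
          'maxZipInputSize' => 0,
          'allowZipDownload' => true,
          'forcessl' => true,
          'theme' => ${"''"},
          'maintenance' => false,
          'trusted_domains' => 
          array (
            0 => 'cloud.immae.eu',
          ),
          'secret' => '${env.secret}',
          'appstoreenabled' => false,
          'appstore.experimental.enabled' => true,
          'loglevel' => 2,
          'trashbin_retention_obligation' => 'auto',
          'htaccess.RewriteBase' => '/',
          'mail_smtpmode' => 'sendmail',
          'mail_smtphost' => '127.0.0.1',
          'mail_smtpname' => ''',
          'mail_smtppassword' => ''',
          'mail_from_address' => 'nextcloud',
          'mail_smtpauth' => false,
          'mail_domain' => 'tools.immae.eu',
          'memcache.local' => '\\OC\\Memcache\\APCu',
          'memcache.locking' => '\\OC\\Memcache\\Redis',
          'filelocking.enabled' => true,
          'redis' => 
          array (
            'host' => '${env.redis.socket}',
            'port' => 0,
            'dbindex' => ${env.redis.db_index},
          ),
          'overwrite.cli.url' => 'https://cloud.immae.eu',
          'ldapIgnoreNamingRules' => false,
          'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
          'has_rebuilt_cache' => true,
        );
      '';
    }];
    # `nextcloud-occ` wrapper for root: runs occ as wwwrun with the pool's
    # php.ini.  Arguments are forwarded with "$@" so that a quoted argument
    # containing spaces or glob characters reaches occ as a single word
    # (the unquoted $* form re-split and glob-expanded them).
    users.users.root.packages = let
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
        cd ${nextcloud}
        NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
          exec \
          sudo -u wwwrun ${pkgs.php}/bin/php \
          -c ${pkgs.php}/etc/php.ini \
          occ "$@"
        '';
    in [ occ ];

    # Runs after the "secrets" activation step so the rendered config.php is
    # present: creates the data/session directories, installs each
    # nextcloud.otherConfig entry as a JSON file, then copies config.php
    # (0600, owned by wwwrun) into the config directory.
    system.activationScripts.nextcloud = {
      deps = [ "secrets" ];
      text = let
        confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
      in
        ''
        install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
        install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
        ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
          "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
          ) confs)}
        install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
      '';
    };
    # FIXME: add a warning when config.php changes
    # Expose the built Nextcloud tree under the stable apacheRoot path.
    system.extraSystemBuilderCmds = ''
      mkdir -p $out/webapps
      ln -s ${nextcloud} $out/webapps/${webappName}
      '';

    services.phpfpm.pools.nextcloud = {
      listen = phpFpm.socket;
      extraConfig = phpFpm.pool;
      phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig;
    };

    # Background jobs: Nextcloud's cron.php every 15 minutes as wwwrun.
    services.cron = {
      enable = true;
      systemCronJobs = [
        ''
          LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
          */15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php
        ''
      ];
    };
  };
}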