[Nix-dev] how to successfully install owncloud/nextcloud

schneefux+nixos_list at schneefux.xyz schneefux+nixos_list at schneefux.xyz
Sat Oct 22 22:51:10 CEST 2016


Sorry, I wrote two mails from different addresses because one was stuck
in the moderation queue.


> Funny that there are so many good solutions in user
> repositories but nothing gets merged into master.
>
> owncloud/nextcloud is not some random exotic software; it should have some
> priority for nixos, and it's not that kolab or other stuff is better
> integrated so that people could feel there is no need for that.

The Owncloud NixOS module hasn't been updated in a year, was written for
Owncloud 7 and requires Apache, PostgreSQL and phpfpm. I use none of
those things.
In my opinion, you don't need a NixOS module for every possible
combination of web server, database and CGI, as one module already has
more lines of code than a simpler, more flexible configuration.


> And it would be good if that
> part would work without doing stuff manually and it would be basically
> stateless (more or less).
>
> Is that ssl stuff you do stateless? or is that even possible with ssl?
> You don't use the usual lets-encrypt script, it's in nixos as a package, too
> I believe, but you do that manually? Or do you not even request a cert?

You don't have to do anything except `nixos-rebuild switch` if that's
what you mean… The state is saved in `/var/lib/acme`, so on a different
computer or a different domain you'll have a different SSL certificate.


> Sorry I am a bit of an ssl noob, got it 1 2x somehow running but makes
> not much sense to me :) ssh is much easier to use than this, and I
> think it's primarily pitched to the needs of corporations, not so much for
> normal users that want a small server, where compression is the primary
> purpose instead of identity proof.

SSL doesn't compress.
nginx's `gzip on;` does. Plus you probably want `expires 1d;` for
client-side caching.


> I mean why don't we do that then with ssh, why do we blindly trust that
> we connect to the right host, spoofing would be possible there too?

There is a way around that. You can enable certificate pinning and HTTP
public key pinning (here the example with nginx):
```nginx
# HSTS: force HTTPS for two years, including subdomains, preload-eligible
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# HPKP: two SPKI pins (a primary and a backup), remembered for 60 days
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=5184000; includeSubDomains';
```
The public key pin is only valid for Let's Encrypt certificates.


> Well whatever, webserver configuration sucks, I should not wonder if
> nixos can't dumb that down so that you add some lines of code and then
> nixos-rebuild switch just does everything automatically, including the
> cert part.

Well… someone needs to write the code in their free time.


> Or does your solution do that?

Yes. :)

You might want to change some things. (Here's the gist again:
https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271)

I'll give you a quick walkthrough from top to bottom…
  * security.acme.…: Generate Let's Encrypt certificates readable by any user that belongs to the group "ssl", add "nginx" to "ssl"
  * systemd.services.gendhparams: It is advised to generate fresh Diffie-Hellman parameters regularly but you don't need to.
  * services.mysql: Enable MariaDB.
  * systemd.services.nextcloudcron: Runs the Nextcloud cron and the newsupdater. You don't need to, Nextcloud can use a builtin cron.
  * services.nginx:
    * gzip_*: Enable compression, compress as much as possible.
    * ssl_*, add_header_*, ssl_*: Recommended SSL settings to get an A/A+ in the SSL Labs [test](https://www.ssllabs.com/ssltest/). You need at least the ssl_certificate configuration.
    * server block
      * Redirect everything from cloud.yourdomain.net to HTTPS.
    * server block
      * Listen on the SSL port with HTTP2.
      * Serve files from the Nextcloud package root directory.
      * Then follows the recommended Nextcloud nginx configuration found [here](https://docs.nextcloud.com/server/9/admin_manual/installation/nginx_nextcloud_9x.html).
        * Except that the include needs to be ${pkgs.nginx}/conf/fastcgi.conf and you need to pass `fastcgi_param NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config`.
    * In the gist I used uwsgi instead of phpfpm. If you don't know what you're doing, use phpfpm ;) See [here](https://github.com/bjornfor/nixpkgs/blob/nixos-nextcloud/nixos/modules/services/web-servers/lighttpd/nextcloud.nix#L101) on how to configure phpfpm.

Set `config.networking.domain` to your domain somewhere.
There may be typos in the gist.

On the command line, you need to create a MySQL user and table for
Nextcloud (or set
`services.mysql.initialDatabases = [ { name = "nextcloud"; schema = null; } ];
 services.mysql.initialScript = "scriptthatcreatesnextclouduser.sql";`).
Then create `/var/lib/nextcloud`, drop your `config.php` there and don't
forget to set `'datadirectory' => '/var/lib/nextcloud/data'`.


> Thanks for your contributions/help, make nixos great (again) :)

You're welcome :)
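Added example, not the gist linked above and not code from nixpkgs: the same layout (ACME certificate, DH parameters, MariaDB, php-fpm, nginx with the HSTS header and the Nextcloud fastcgi parameters) written against the option names of current NixOS releases (`services.nginx.virtualHosts`, `security.acme`, `services.mysql.ensureDatabases`/`ensureUsers`, `services.phpfpm.pools`), which did not all exist in 2016. The domain, the e-mail address and the `nextcloud<N>` package attribute are placeholders. The `Public-Key-Pins` header is left out on purpose: browsers have since removed HPKP support, so it no longer adds protection and a wrong pin can still lock clients out for its `max-age`. Current nixpkgs also ships a `services.nextcloud` module that does most of this for you; this block stays close to the hand-built layout described in the mail so the pieces are visible.

```nix
# Added illustrative configuration, not the gist from the mail and not
# nixpkgs' own code. Option names are those of current NixOS releases;
# domain, e-mail address and the nextcloud<N> attribute are placeholders.
{ config, pkgs, ... }:

let
  domain = "cloud.example.net";          # placeholder
  dataDir = "/var/lib/nextcloud";        # config.php and data live here (state)
  nextcloudPkg = pkgs.nextcloud29;       # use the nextcloud<N> attribute of your release
in
{
  # ACME/Let's Encrypt: certificates are requested and renewed on
  # `nixos-rebuild switch`; state is kept under /var/lib/acme.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.net";   # placeholder

  # Diffie-Hellman parameters generated on the host instead of a checked-in file.
  security.dhparams.enable = true;
  security.dhparams.params.nginx = { };

  # MariaDB with database and user created declaratively, so there is no
  # manual CREATE DATABASE / CREATE USER step on the command line.
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [{
      name = "nextcloud";
      ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
    }];
  };

  # Nextcloud runs as its own unprivileged user; nginx only reaches the socket.
  users.users.nextcloud = { isSystemUser = true; group = "nextcloud"; };
  users.groups.nextcloud = { };

  # php-fpm pool; NEXTCLOUD_CONFIG_DIR points PHP at the state directory
  # so the read-only Nix store copy of Nextcloud never needs to be writable.
  services.phpfpm.pools.nextcloud = {
    user = "nextcloud";
    group = "nextcloud";
    phpPackage = pkgs.php;
    phpEnv.NEXTCLOUD_CONFIG_DIR = "${dataDir}/config";
    settings = {
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;    # gzip on; with sensible types/levels
    recommendedTlsSettings = true;     # current protocols/ciphers, OCSP stapling
    recommendedOptimisation = true;
    sslDhparam = config.security.dhparams.params.nginx.path;

    virtualHosts.${domain} = {
      enableACME = true;    # obtain and renew the certificate for this host
      forceSSL = true;      # the port-80 server only redirects to HTTPS
      root = "${nextcloudPkg}";
      # HSTS as in the mail; HPKP deliberately absent (no browser honours it any more).
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        client_max_body_size 512M;
      '';
      locations = {
        "/" = {
          index = "index.php";
          tryFiles = "$uri $uri/ /index.php$request_uri";
        };
        # PHP handler: the include and the NEXTCLOUD_CONFIG_DIR parameter
        # are the two NixOS-specific deviations the mail points out.
        "~ \\.php(?:$|/)" = {
          extraConfig = ''
            fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
            include ${config.services.nginx.package}/conf/fastcgi.conf;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on;
            fastcgi_param NEXTCLOUD_CONFIG_DIR ${dataDir}/config;
            fastcgi_pass unix:${config.services.phpfpm.pools.nextcloud.socket};
          '';
        };
      };
    };
  };
}
```

As in the mail, the only state outside the Nix store is `/var/lib/acme`, the database and `/var/lib/nextcloud` (with `config.php` and `'datadirectory' => '/var/lib/nextcloud/data'`); the `nextcloud` user needs write access to that directory, and nothing under the package root is ever written to.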
