[Nix-dev] how to successfully install owncloud/nextcloud
Stefan Huchler
stefan.huchler at mail.de
Sun Oct 23 04:39:17 CEST 2016
schneefux+nixos_list at schneefux.xyz writes:
> The Owncloud NixOS module hasn't been updated in a year, was written for
> Owncloud 7 and requires Apache, PostgreSQL and phpfpm. I use neither of
> those things.
> In my opinion, you don't need a NixOS module for every possible
> combination of web server, database and CGI as one module already has
> more lines of code than a simple more flexible configuration.
I agree that one version that works would be good enough, maybe one
variant / option with sqlite wouldn't hurt, because some people don't like
to make database dumps or have to fight with password protection and
stuff like that.
But I would not have complained about that if it had just worked
magically with a few lines of code pasted into configuration.nix and a
nixos-rebuild, but maybe I fucked something up, but it did not work here.
>> Is that ssl stuff you do stateless? Or is that even possible with ssl?
>> You don't use the usual lets-encrypt script, it's in nixos as package, too
>> I believe, but you do that manually? Or do you not even request a cert?
>
> You don't have to do anything except `nixos-rebuild switch` if that's
> what you mean… The state is saved in `/var/lib/acme`, so on a different
> computer or a different domain you'll have a different SSL certificate.
But after the first initialization, let's say the hard disk is defective and I
have only the configuration.nix and a db dump or sqlite file, do I have
to save the acme folder, or does letsencrypt give out a new key for the
domain? Or does it send you the old key after it checked somehow that
you are legit?
> SSL doesn't compress.
Sorry I meant encrypt.
> nginx's `gzip on;` does. Plus you probably want `expires 1d;` for
> client-side caching.
ok...
>> I mean why don't we do that then with ssh, why do we blindly trust that
>> we connect to the right host, spoofing would be possible there too?
>
> There is a way around that. You can enable certificate pinning and HTTP
> public key pinning (here the example with nginx):
> ```nginx
> add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
> add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=5184000; includeSubDomains';
> ```
> The public key pin is only valid for Let's Encrypt certificates.
And how does that relate to what I said about ssh?
> Well… someone needs to write the code in their free time.
I did not want to troll or something, it's more frustration about
webservers and stuff like that, not about the nix contributors if that's
what you understood.
> Yes. :)
Great!
> You might want to change some things. (Here's the gist again:
> https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271)
>
> I'll give you a quick walkthrough from top to bottom…
Thanks, I have to read that again when I have more time and it gets more
relevant to me again.
> Set `config.networking.domain` to your domain somewhere.
> There may be typos in the gist.
That's the problem, I often want ssl activated when I use the servers
internally. Maybe dumb, should maybe probably use http internally :)
> On the command line, you need to create a MySQL user and table for
> Nextcloud (or set
> `services.mysql.initialDatabases = [ { name="nextcloud", schema="" } ];
> services.mysql.initialScript =
> "scriptthatcreatesnextclouduser.sql";`).
Does that create the users? Why schema=""? Ahh sorry, the script. Yes, that
sounds legit, would be nice if that sql file would be configurable or
included in nixos so dummies like me don't have to think too much :)
Especially if you don't support all dbs it can be a bit tricky, especially since
most other stuff is so easy in nixos :) Or put at least something like
that as a comment into the nix file :)
Well the problem was also that the default owncloud package used
postgres, I used mysql more in the past so I was not exactly sure about
the internals.
Maybe something in the wiki would be good? Don't know, if you don't have
time for that I understand that :)
> Then create `/var/lib/nextcloud`, drop your `config.php` there and don't
> forget to set `'datadirectory' => '/var/lib/nextcloud/data'`.
Drop it? Doesn't it install such a version? You mean maybe rename and edit
it?
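
An added example, not part of the thread or the gist: a Python check of a `Public-Key-Pins` value like the one quoted above, applying the RFC 7469 requirements of a `max-age` directive and a backup pin. The function names are hypothetical and the key bytes are constructed stand-ins for DER SubjectPublicKeyInfo data; the last call shows what a client with cached pins sees once the server key has been replaced, which is the situation raised in the question about losing `/var/lib/acme`.

```python
import base64
import hashlib

# Header value exactly as quoted in the message above.
PAGE_HEADER = ('pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; '
               'pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; '
               'max-age=5184000; includeSubDomains')

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(value: str):
    """Return (pins, max_age, include_subdomains) from a header value."""
    pins, max_age, include_sub = [], None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.append(arg)
        elif name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub

def check_hpkp(value: str, chain_pins):
    """List problems with a pin set, given the pins of the chain being served."""
    pins, max_age, _ = parse_hpkp(value)
    problems = []
    if max_age is None:
        problems.append("max-age missing")
    for pin in pins:
        try:
            ok = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:
            ok = False
        if not ok:
            problems.append("malformed pin " + pin)
    if not set(pins) & set(chain_pins):
        problems.append("no pin matches the served chain")
    if not set(pins) - set(chain_pins):
        problems.append("no backup pin outside the served chain")
    return problems

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
LEAF, BACKUP, REISSUED = b"constructed-leaf", b"constructed-backup", b"constructed-new"
GOOD = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (spki_pin(LEAF), spki_pin(BACKUP))
print(check_hpkp(GOOD, [spki_pin(LEAF)]))      # healthy pin set
print(check_hpkp(GOOD, [spki_pin(REISSUED)]))  # key replaced, pins still cached
```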