forked from mirrors/nixpkgs
ef553788d0
The default, which is /tmp, has a few issues associated with it: One being that it makes it easy for users on the system to spoof a PostgreSQL server if it's not running, causing applications to connect to their provided sockets instead of just failing to connect. Another one is that it makes sandboxing of PostgreSQL and other services unnecessarily difficult. This is already the case if only PrivateTmp is used in a systemd service, so in order for such a service to be able to connect to PostgreSQL, a bind mount needs to be done from /tmp to some other path, so the service can access it. This pretty much defeats the whole purpose of PrivateTmp. We regularly ran into issues with this in the past already (one example would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new systemd-confinement mode upcoming in https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more tedious to sandbox services. I've tested this change against all the postgresql NixOS VM tests and they still succeed and I also grepped through the source tree to replace other occasions where we might have /tmp hardcoded. Luckily there were very few occasions. Signed-off-by: aszlig <aszlig@nix.build> Cc: @ocharles, @thoughtpolice, @danbst
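The commit message above describes the risk of a PostgreSQL socket directory in /tmp: a world-writable directory where any local user can pre-create a socket at the path clients expect. The following POSIX shell script is an added example, not part of the nixpkgs commit or the Nextcloud module. It audits the text of a postgresql.conf for the effective `unix_socket_directories` value (falling back to the compiled-in default of /tmp when the setting is absent) and flags any directory under /tmp or /var/tmp. The function names and the sample configurations are constructed for this demonstration.

```shell
# Added example (not part of the nixpkgs commit or the Nextcloud module):
# audit a postgresql.conf for a socket directory under /tmp, which the
# commit above replaces with /run/postgresql. All config text is constructed.

# Print the effective unix_socket_directories value of the postgresql.conf
# read from stdin. The last uncommented assignment wins; when the setting is
# absent, PostgreSQL's compiled-in default of /tmp applies.
pg_socket_dirs() {
  awk '
    /^[ \t]*unix_socket_directories[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")      # drop the key and the "="
      sub(/[ \t]*#.*$/, "")         # drop a trailing comment
      gsub(/'"'"'/, "")             # drop the surrounding quotes
      val = $0
    }
    END { print (val == "" ? "/tmp" : val) }
  '
}

# Return 0 when no configured socket directory lives under /tmp or /var/tmp,
# 1 otherwise. Argument: the full text of a postgresql.conf.
check_socket_dirs() {
  dirs=$(printf '%s\n' "$1" | pg_socket_dirs)
  old_ifs=$IFS
  IFS=','
  set -f                       # no globbing while splitting on commas
  set -- $dirs
  set +f
  IFS=$old_ifs
  for d in "$@"; do
    d=$(printf '%s' "$d" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$d" in
      /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 1 ;;
    esac
  done
  return 0
}

# Constructed sample configurations (not taken from any real system).
SAFE_CONF="listen_addresses = 'localhost'
unix_socket_directories = '/run/postgresql'   # what the commit sets
"
UNSAFE_CONF="#unix_socket_directories = '/run/postgresql'
unix_socket_directories = '/tmp, /run/postgresql'
"
DEFAULT_CONF="listen_addresses = 'localhost'
"

report() {
  if check_socket_dirs "$2"; then
    echo "$1: ok"
  else
    echo "$1: socket directory under /tmp (spoofable by local users)"
  fi
}

report safe "$SAFE_CONF"
report unsafe "$UNSAFE_CONF"
report default "$DEFAULT_CONF"
```

The check is intentionally text-based so it can run against a configuration file or a generated NixOS config before deployment; the mixed case (`/tmp, /run/postgresql`) is flagged because a client that tries the /tmp socket first is still exposed even when a safe directory is also listed.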
100 lines
5.1 KiB
XML
<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="module-services-nextcloud">
 <title>Nextcloud</title>

 <para>
  <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source, self-hostable cloud
  platform. The server setup can be automated using
  <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A desktop client is packaged
  at <literal>pkgs.nextcloud-client</literal>.
 </para>

 <section xml:id="module-services-nextcloud-basic-usage">
  <title>Basic usage</title>
  <para>
   Nextcloud is a PHP-based application which requires an HTTP server
   (<literal><link linkend="opt-services.nextcloud.enable">services.nextcloud</link></literal> optionally supports
   <literal><link linkend="opt-services.nginx.enable">services.nginx</link></literal>) and a database
   (it's recommended to use <literal><link linkend="opt-services.postgresql.enable">services.postgresql</link></literal>).
  </para>
  <para>
   A very basic configuration may look like this:
<programlisting>{ pkgs, ... }:
{
  services.nextcloud = {
    <link linkend="opt-services.nextcloud.enable">enable</link> = true;
    <link linkend="opt-services.nextcloud.hostName">hostName</link> = "nextcloud.tld";
    <link linkend="opt-services.nextcloud.nginx.enable">nginx.enable</link> = true;
    config = {
      <link linkend="opt-services.nextcloud.config.dbtype">dbtype</link> = "pgsql";
      <link linkend="opt-services.nextcloud.config.dbuser">dbuser</link> = "nextcloud";
      <link linkend="opt-services.nextcloud.config.dbhost">dbhost</link> = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
      <link linkend="opt-services.nextcloud.config.dbname">dbname</link> = "nextcloud";
      <link linkend="opt-services.nextcloud.config.adminpassFile">adminpassFile</link> = "/path/to/admin-pass-file";
      <link linkend="opt-services.nextcloud.config.adminuser">adminuser</link> = "root";
    };
  };

  services.postgresql = {
    <link linkend="opt-services.postgresql.enable">enable</link> = true;
    <link linkend="opt-services.postgresql.initialScript">initialScript</link> = pkgs.writeText "psql-init" ''
      CREATE ROLE nextcloud WITH LOGIN;
      CREATE DATABASE nextcloud WITH OWNER nextcloud;
    '';
  };

  # ensure that postgres is running *before* running the setup
  systemd.services."nextcloud-setup" = {
    requires = ["postgresql.service"];
    after = ["postgresql.service"];
  };

  <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
}</programlisting>
  </para>
  <para>
   The options <literal>hostName</literal> and <literal>nginx.enable</literal> are used internally to configure an
   HTTP server using <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal> and <literal>nginx</literal>.
   The <literal>config</literal> attribute set is used for the <literal>config.php</literal> which is used
   for the application's configuration.
   <emphasis>Beware: this isn't entirely pure since the config is modified by the application's runtime!</emphasis>
  </para>
  <para>
   In case the application serves multiple hosts (those are checked with
   <literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
   those can be added using
   <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
  </para>
 </section>

 <section xml:id="module-services-nextcloud-pitfalls-during-upgrade">
  <title>Pitfalls</title>
  <para>
   Unfortunately Nextcloud appears to be very stateful when it comes to managing its own configuration. The
   config file lives in the home directory of the <literal>nextcloud</literal> user (by default
   <literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to track several
   states of the application (e.g. whether installed or not).
  </para>
  <para>
   Right now changes to the <literal>services.nextcloud.config</literal> attribute set won't take effect
   after the first install
   (except <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>) since the actual configuration
   file is generated by the Nextcloud installer which also sets up critical parts such as the database
   structure.
  </para>
  <para>
   <emphasis>Warning: don't delete <literal>config.php</literal>! This file tracks the application's state and a deletion can cause unwanted side-effects!</emphasis>
  </para>
  <para>
   <emphasis>Warning: don't rerun <literal>nextcloud-occ maintenance:install</literal>! This command tries to install the application and can cause unwanted side-effects!</emphasis>
  </para>
  <para>
   The issues are known and reported in <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>; for now it's unfortunately necessary to work around them manually.
  </para>
 </section>

</chapter>