nextcloud: move out of container

2024-01-03 18:34:33 +01:00
parent acb9dfe9ee
commit ecc5325fc9
3 changed files with 82 additions and 80 deletions
--- a/hosts/voyager/services/nextcloud.nix
+++ b/hosts/voyager/services/nextcloud.nix
@@ -1,80 +1,88 @@
 { config, pkgs, lib, ... }:
 let
-  cfg = config.containers.nextcloud.config.services.nextcloud;
+  cfg = config.services.nextcloud;
  hostName = "cloud.feal.no";
 in {
-  containers.nextcloud = {
-    autoStart = true;
-    ephemeral = true;
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud28;
+    inherit hostName;
+    home = "/var/lib/nextcloud";
+    https = true;
+    webfinger = true;

-    privateNetwork = true;
-    hostBridge = "br0";
-    localAddress = "192.168.10.171/24";
-
-    bindMounts = {
-      "/var/lib/nextcloud"  = { isReadOnly = false; hostPath = "/tank/nextcloud/nextcloud/";  };
-      "/var/lib/postgresql" = { isReadOnly = false; hostPath = "/tank/nextcloud/postgresql/"; };
-      "/srv/secrets/"       = { isReadOnly = true;  hostPath = "/tank/nextcloud/secrets/";    };
+    config = {
+      dbtype = "pgsql";
+      dbuser = "nextcloud";
+      dbhost = "/run/postgresql";
+      dbname = "nextcloud";
+      adminuser = "ncadmin";
+      adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
+      trustedProxies = [ "192.168.10.175" ]; # defiant
+      defaultPhoneRegion = "NO";
    };

-    config = { config, pkgs, ... }: {
-      system.stateVersion = "23.11";
+    # phpOptions = {
+    #   "opcache.interned_strings_buffer" = "16";
+    #   "upload_max_filesize" = "4G";
+    #   "post_max_size" = "4G";
+    #   "memory_limit" = "4G";
+    # };

-      networking = {
-        firewall = {
-          enable = true;
-          allowedTCPPorts = [ 80 ];
-        };
-
-        defaultGateway = "192.168.10.1";
-      };
-      time.timeZone = "Europe/Oslo";
-
-      services.nextcloud = {
-        enable = true;
-        package = pkgs.nextcloud28;
-        inherit hostName;
-        home = "/var/lib/nextcloud";
-        https = true;
-
-        config = {
-          dbtype = "pgsql";
-          dbuser = "nextcloud";
-          dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
-          dbname = "nextcloud";
-          adminpassFile = "/srv/secrets/adminpass";
-          adminuser = "ncadmin";
-          trustedProxies = [ "192.168.10.175" ]; # defiant
-        };
-
-        # phpOptions = {
-        #   "opcache.interned_strings_buffer" = "16";
-        #   "upload_max_filesize" = "4G";
-        #   "post_max_size" = "4G";
-        #   "memory_limit" = "4G";
-        # };
-
-        poolSettings = {
-          "pm" = "ondemand";
-          "pm.max_children" = 32;
-          "pm.process_idle_timeout" = "10s";
-          "pm.max_requests" = 500;
-        };
-      };
-
-      services.postgresql = {
-        enable = true;
-        ensureDatabases = [ "nextcloud" ];
-        ensureUsers = [ {
-          name = "nextcloud";
-          ensureDBOwnership = true;
-        } ];
-      };
-
-      systemd.services."nextcloud-setup" = {
-        requires = [ "postgresql.service" ];
-        after = [ "postgresql.service" ];
-      };
+    poolSettings = {
+      "pm" = "ondemand";
+      "pm.max_children" = 32;
+      "pm.process_idle_timeout" = "10s";
+      "pm.max_requests" = 500;
    };
  };
+
+  environment.systemPackages = [ cfg.occ ];
+
+  sops.secrets."nextcloud/adminpass" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [ {
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    } ];
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+
+  systemd.services."phpfpm-nextcloud".serviceConfig = {
+    WorkingDirectory = "/var/lib/nextcloud";
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateMounts = true;
+    PrivateTmp = true;
+    ProtectClock = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    ReadWritePaths = [ "/var/lib/nextcloud" "/run/phpfpm" "/run/systemd" "/run/secrets" "/nix/store" ];
+    RemoveIPC = true;
+    RestrictSUIDSGID = true;
+    UMask = "0007";
+    SystemCallArchitectures = "native";
+    SystemCallFilter = "@system-service";
+    CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
+  };
+
+  fileSystems."/var/lib/nextcloud" = {
+    device = "/tank/nextcloud";
+    options = [ "bind "];
+  };
 }