From fe19171d857e101dc0189566b865a4f13ec84b57 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Tue, 10 Dec 2024 15:40:30 +0100 Subject: [PATCH] feat(nextcloud): Deploy collabora without docker --- machines/nixos/compute01/nextcloud.nix | 315 +++++++++++++------------ patches/default.nix | 6 + 2 files changed, 164 insertions(+), 157 deletions(-) diff --git a/machines/nixos/compute01/nextcloud.nix b/machines/nixos/compute01/nextcloud.nix index 4e2863b..39c7723 100644 --- a/machines/nixos/compute01/nextcloud.nix +++ b/machines/nixos/compute01/nextcloud.nix @@ -1,4 +1,9 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + nixpkgs, + ... +}: let host = "cloud.dgnum.eu"; @@ -7,182 +12,174 @@ let port = 9980; in { - services.nextcloud = { - enable = true; - hostName = host; - package = pkgs.nextcloud29; + services = { + nextcloud = { + enable = true; + hostName = host; - https = true; + package = pkgs.nextcloud29; - config = { - dbtype = "pgsql"; + https = true; - adminpassFile = config.age.secrets."nextcloud-adminpass_file".path; - adminuser = "thubrecht"; + config = { + dbtype = "pgsql"; - objectstore.s3 = { - enable = true; + adminpassFile = config.age.secrets."nextcloud-adminpass_file".path; + adminuser = "thubrecht"; - hostname = "s3.dgnum.eu"; - region = "garage"; - usePathStyle = true; - port = 443; + objectstore.s3 = { + enable = true; - bucket = "nextcloud-dgnum"; - key = "GKda5367c73ca607c349d83c35"; - verify_bucket_exists = false; - secretFile = config.age.secrets."nextcloud-s3_secret_file".path; + hostname = "s3.dgnum.eu"; + region = "garage"; + usePathStyle = true; + port = 443; + + bucket = "nextcloud-dgnum"; + key = "GKda5367c73ca607c349d83c35"; + verify_bucket_exists = false; + secretFile = config.age.secrets."nextcloud-s3_secret_file".path; + }; + }; + + maxUploadSize = "4G"; + + poolSettings = { + pm = "dynamic"; + "pm.max_children" = 64; + "pm.max_requests" = "500"; + "pm.max_spare_servers" = "8"; + "pm.min_spare_servers" = "4"; + "pm.start_servers" = "6"; + }; + + phpOptions = { + short_open_tag = "Off"; + expose_php = "Off"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + display_errors = "stderr"; + "opcache.enable_cli" = "1"; + "opcache.interned_strings_buffer" = "32"; + "opcache.max_accelerated_files" = "10000"; + "opcache.memory_consumption" = "128"; + "opcache.revalidate_freq" = "1"; + "opcache.fast_shutdown" = "0"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + catch_workers_output = "yes"; + }; + + database.createLocally = true; + configureRedis = true; + + autoUpdateApps.enable = true; + + settings = { + overwriteprotocol = "https"; + + overwritehost = host; + "overwrite.cli.url" = "https://${host}"; + updatechecker = false; + + default_phone_region = "FR"; + + trusted_proxies = [ "::1" ]; + + allow_local_remote_servers = true; + maintenance_window_start = 1; + + "memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}"; + "memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}"; + "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe"; }; }; - maxUploadSize = "4G"; - - poolSettings = { - pm = "dynamic"; - "pm.max_children" = 64; - "pm.max_requests" = "500"; - "pm.max_spare_servers" = "8"; - "pm.min_spare_servers" = "4"; - "pm.start_servers" = "6"; - }; - - phpOptions = { - short_open_tag = "Off"; - expose_php = "Off"; - error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; - display_errors = "stderr"; - "opcache.enable_cli" = "1"; - "opcache.interned_strings_buffer" = "32"; - "opcache.max_accelerated_files" = "10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "1"; - "opcache.fast_shutdown" = "0"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - catch_workers_output = "yes"; - }; - - database.createLocally = true; - configureRedis = true; - - autoUpdateApps.enable = true; - - settings = { - overwriteprotocol = "https"; - - overwritehost = host; - "overwrite.cli.url" = "https://${host}"; - updatechecker = false; - - default_phone_region = "FR"; - - trusted_proxies = [ "::1" ]; - - allow_local_remote_servers = true; - maintenance_window_start = 1; - - "memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}"; - "memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}"; - "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe"; - }; - }; - - virtualisation = { - podman = { + collabora-online = { enable = true; - defaultNetwork.settings = { - dns_enable = true; - ipv6_enabled = true; - }; - }; - }; + inherit port; - virtualisation.oci-containers = { - containers.collabora = { - image = "collabora/code"; - imageFile = pkgs.dockerTools.pullImage { - imageName = "collabora/code"; - imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; - sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; + package = nixpkgs.nixos.unstable.collabora-online; + + settings = { + server_name = "code.dgnum.eu"; + + ssl = { + enable = false; + termination = true; + }; + + remote_font_config.url = "https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; + + net.proto = "IPv4"; }; - ports = [ "${builtins.toString port}:${builtins.toString port}" ]; - environment = { - domain = "cloud.dgnum.eu"; - extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; + + aliasGroups = [ { host = "https://cloud.dgnum.eu"; } ]; + }; + + nginx.virtualHosts = { + ${host} = { + enableACME = true; + forceSSL = true; + + extraConfig = '' + proxy_max_temp_file_size 4096m; + ''; + }; + + "code.dgnum.eu" = { + forceSSL = true; + enableACME = true; + + extraConfig = '' + # static files + location ^~ /browser { + proxy_pass http://127.0.0.1:${builtins.toString port}; + proxy_set_header Host $host; + } + + # WOPI discovery URL + location ^~ /hosting/discovery { + proxy_pass http://127.0.0.1:${builtins.toString port}; + proxy_set_header Host $host; + } + + # Capabilities + location ^~ /hosting/capabilities { + proxy_pass http://127.0.0.1:${builtins.toString port}; + proxy_set_header Host $host; + } + + # main websocket + location ~ ^/cool/(.*)/ws$ { + proxy_pass http://127.0.0.1:${builtins.toString port}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_read_timeout 36000s; + } + + # download, presentation and image upload + location ~ ^/(c|l)ool { + proxy_pass http://127.0.0.1:${builtins.toString port}; + proxy_set_header Host $host; + } + + # Admin Console websocket + location ^~ /cool/adminws { + proxy_pass http://127.0.0.1:${builtins.toString port}; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_read_timeout 36000s; + } + ''; }; - extraOptions = [ - "--network=host" - "--cap-add" - "MKNOD" - "--cap-add" - "SYS_ADMIN" - ]; }; }; dgn-web.internalPorts.collabora = port; - services.nginx.virtualHosts = { - ${host} = { - enableACME = true; - forceSSL = true; - - extraConfig = '' - proxy_max_temp_file_size 4096m; - ''; - }; - - "code.dgnum.eu" = { - forceSSL = true; - enableACME = true; - - extraConfig = '' - # static files - location ^~ /browser { - proxy_pass http://127.0.0.1:${builtins.toString port}; - proxy_set_header Host $host; - } - - # WOPI discovery URL - location ^~ /hosting/discovery { - proxy_pass http://127.0.0.1:${builtins.toString port}; - proxy_set_header Host $host; - } - - # Capabilities - location ^~ /hosting/capabilities { - proxy_pass http://127.0.0.1:${builtins.toString port}; - proxy_set_header Host $host; - } - - # main websocket - location ~ ^/cool/(.*)/ws$ { - proxy_pass http://127.0.0.1:${builtins.toString port}; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_read_timeout 36000s; - } - - # download, presentation and image upload - location ~ ^/(c|l)ool { - proxy_pass http://127.0.0.1:${builtins.toString port}; - proxy_set_header Host $host; - } - - # Admin Console websocket - location ^~ /cool/adminws { - proxy_pass http://127.0.0.1:${builtins.toString port}; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_read_timeout 36000s; - } - ''; - }; - }; - systemd.services = { nextcloud-preview = { description = "Generate preview for nextcloud media."; @@ -200,6 +197,10 @@ in networking.hosts = { "129.199.146.148" = [ "s3.dgnum.eu" ]; + "129.199.146.147" = [ + "code.dgnum.eu" + "cloud.dgnum.eu" + ]; }; age-secrets.autoMatch = [ "nextcloud" ]; diff --git a/patches/default.nix b/patches/default.nix index 41e21b0..c463d23 100644 --- a/patches/default.nix +++ b/patches/default.nix @@ -48,6 +48,12 @@ in excludes = [ ".git-blame-ignore-revs" ]; hash = "sha256-ca7CsPuWJqucC77ejsvoDAt+wxWLUP30IdXtZQVQrko="; } + + # Add Collabora Online + { + id = 330708; + hash = "sha256-655zkmch5VLXEUzhT6+b7QpywslDoIMZ8mY0II55Wlw="; + } ]; "nixos-unstable" = [ -- 2.47.0