+237

nixos/modules/services/web-apps/nextcloud.md

··· 1 1 + # Nextcloud {#module-services-nextcloud} 2 2 + 3 3 + [Nextcloud](https://nextcloud.com/) is an open-source, 4 4 + self-hostable cloud platform. The server setup can be automated using 5 5 + [services.nextcloud](#opt-services.nextcloud.enable). A 6 6 + desktop client is packaged at `pkgs.nextcloud-client`. 7 7 + 8 8 + The current default by NixOS is `nextcloud25` which is also the latest 9 9 + major version available. 10 10 + 11 11 + ## Basic usage {#module-services-nextcloud-basic-usage} 12 12 + 13 13 + Nextcloud is a PHP-based application which requires an HTTP server 14 14 + ([`services.nextcloud`](#opt-services.nextcloud.enable) 15 15 + optionally supports 16 16 + [`services.nginx`](#opt-services.nginx.enable)) 17 17 + and a database (it's recommended to use 18 18 + [`services.postgresql`](#opt-services.postgresql.enable)). 19 19 + 20 20 + A very basic configuration may look like this: 21 21 + ``` 22 22 + { pkgs, ... }: 23 23 + { 24 24 + services.nextcloud = { 25 25 + enable = true; 26 26 + hostName = "nextcloud.tld"; 27 27 + config = { 28 28 + dbtype = "pgsql"; 29 29 + dbuser = "nextcloud"; 30 30 + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself 31 31 + dbname = "nextcloud"; 32 32 + adminpassFile = "/path/to/admin-pass-file"; 33 33 + adminuser = "root"; 34 34 + }; 35 35 + }; 36 36 + 37 37 + services.postgresql = { 38 38 + enable = true; 39 39 + ensureDatabases = [ "nextcloud" ]; 40 40 + ensureUsers = [ 41 41 + { name = "nextcloud"; 42 42 + ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; 43 43 + } 44 44 + ]; 45 45 + }; 46 46 + 47 47 + # ensure that postgres is running *before* running the setup 48 48 + systemd.services."nextcloud-setup" = { 49 49 + requires = ["postgresql.service"]; 50 50 + after = ["postgresql.service"]; 51 51 + }; 52 52 + 53 53 + networking.firewall.allowedTCPPorts = [ 80 443 ]; 54 54 + } 55 55 + ``` 56 56 + 57 57 + The `hostName` option is used internally to configure an HTTP 58 58 + server using [`PHP-FPM`](https://php-fpm.org/) 59 59 + and `nginx`. The `config` attribute set is 60 60 + used by the imperative installer and all values are written to an additional file 61 61 + to ensure that changes can be applied by changing the module's options. 62 62 + 63 63 + In case the application serves multiple domains (those are checked with 64 64 + [`$_SERVER['HTTP_HOST']`](http://php.net/manual/en/reserved.variables.server.php)) 65 65 + it's needed to add them to 66 66 + [`services.nextcloud.config.extraTrustedDomains`](#opt-services.nextcloud.config.extraTrustedDomains). 67 67 + 68 68 + Auto updates for Nextcloud apps can be enabled using 69 69 + [`services.nextcloud.autoUpdateApps`](#opt-services.nextcloud.autoUpdateApps.enable). 70 70 + 71 71 + ## Common problems {#module-services-nextcloud-pitfalls-during-upgrade} 72 72 + 73 73 + - **General notes.** 74 74 + Unfortunately Nextcloud appears to be very stateful when it comes to 75 75 + managing its own configuration. The config file lives in the home directory 76 76 + of the `nextcloud` user (by default 77 77 + `/var/lib/nextcloud/config/config.php`) and is also used to 78 78 + track several states of the application (e.g., whether installed or not). 79 79 + 80 80 + All configuration parameters are also stored in 81 81 + {file}`/var/lib/nextcloud/config/override.config.php` which is generated by 82 82 + the module and linked from the store to ensure that all values from 83 83 + {file}`config.php` can be modified by the module. 84 84 + However {file}`config.php` manages the application's state and shouldn't be 85 85 + touched manually because of that. 86 86 + 87 87 + ::: {.warning} 88 88 + Don't delete {file}`config.php`! This file 89 89 + tracks the application's state and a deletion can cause unwanted 90 90 + side-effects! 91 91 + ::: 92 92 + 93 93 + ::: {.warning} 94 94 + Don't rerun `nextcloud-occ maintenance:install`! 95 95 + This command tries to install the application 96 96 + and can cause unwanted side-effects! 97 97 + ::: 98 98 + - **Multiple version upgrades.** 99 99 + Nextcloud doesn't allow to move more than one major-version forward. E.g., if you're on 100 100 + `v16`, you cannot upgrade to `v18`, you need to upgrade to 101 101 + `v17` first. This is ensured automatically as long as the 102 102 + [stateVersion](#opt-system.stateVersion) is declared properly. In that case 103 103 + the oldest version available (one major behind the one from the previous NixOS 104 104 + release) will be selected by default and the module will generate a warning that reminds 105 105 + the user to upgrade to latest Nextcloud *after* that deploy. 106 106 + - **`Error: Command "upgrade" is not defined.`** 107 107 + This error usually occurs if the initial installation 108 108 + ({command}`nextcloud-occ maintenance:install`) has failed. After that, the application 109 109 + is not installed, but the upgrade is attempted to be executed. Further context can 110 110 + be found in [NixOS/nixpkgs#111175](https://github.com/NixOS/nixpkgs/issues/111175). 111 111 + 112 112 + First of all, it makes sense to find out what went wrong by looking at the logs 113 113 + of the installation via {command}`journalctl -u nextcloud-setup` and try to fix 114 114 + the underlying issue. 115 115 + 116 116 + - If this occurs on an *existing* setup, this is most likely because 117 117 + the maintenance mode is active. It can be deactivated by running 118 118 + {command}`nextcloud-occ maintenance:mode --off`. It's advisable though to 119 119 + check the logs first on why the maintenance mode was activated. 120 120 + - ::: {.warning} 121 121 + Only perform the following measures on 122 122 + *freshly installed instances!* 123 123 + ::: 124 124 + 125 125 + A re-run of the installer can be forced by *deleting* 126 126 + {file}`/var/lib/nextcloud/config/config.php`. This is the only time 127 127 + advisable because the fresh install doesn't have any state that can be lost. 128 128 + In case that doesn't help, an entire re-creation can be forced via 129 129 + {command}`rm -rf ~nextcloud/`. 130 130 + 131 131 + - **Server-side encryption.** 132 132 + Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html). 133 133 + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted 134 134 + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 135 135 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. 136 136 + If [](#opt-system.stateVersion) is *above* `22.05`, 137 137 + this is disabled by default. To turn it on again and for further information please refer to 138 138 + [](#opt-services.nextcloud.enableBrokenCiphersForSSE). 139 139 + 140 140 + ## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd} 141 141 + 142 142 + By default, `nginx` is used as reverse-proxy for `nextcloud`. 143 143 + However, it's possible to use e.g. `httpd` by explicitly disabling 144 144 + `nginx` using [](#opt-services.nginx.enable) and fixing the 145 145 + settings `listen.owner` &amp; `listen.group` in the 146 146 + [corresponding `phpfpm` pool](#opt-services.phpfpm.pools). 147 147 + 148 148 + An exemplary configuration may look like this: 149 149 + ``` 150 150 + { config, lib, pkgs, ... }: { 151 151 + services.nginx.enable = false; 152 152 + services.nextcloud = { 153 153 + enable = true; 154 154 + hostName = "localhost"; 155 155 + 156 156 + /* further, required options */ 157 157 + }; 158 158 + services.phpfpm.pools.nextcloud.settings = { 159 159 + "listen.owner" = config.services.httpd.user; 160 160 + "listen.group" = config.services.httpd.group; 161 161 + }; 162 162 + services.httpd = { 163 163 + enable = true; 164 164 + adminAddr = "webmaster@localhost"; 165 165 + extraModules = [ "proxy_fcgi" ]; 166 166 + virtualHosts."localhost" = { 167 167 + documentRoot = config.services.nextcloud.package; 168 168 + extraConfig = '' 169 169 + <Directory "${config.services.nextcloud.package}"> 170 170 + <FilesMatch "\.php$"> 171 171 + <If "-f %{REQUEST_FILENAME}"> 172 172 + SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost/" 173 173 + </If> 174 174 + </FilesMatch> 175 175 + <IfModule mod_rewrite.c> 176 176 + RewriteEngine On 177 177 + RewriteBase / 178 178 + RewriteRule ^index\.php$ - [L] 179 179 + RewriteCond %{REQUEST_FILENAME} !-f 180 180 + RewriteCond %{REQUEST_FILENAME} !-d 181 181 + RewriteRule . /index.php [L] 182 182 + </IfModule> 183 183 + DirectoryIndex index.php 184 184 + Require all granted 185 185 + Options +FollowSymLinks 186 186 + </Directory> 187 187 + ''; 188 188 + }; 189 189 + }; 190 190 + } 191 191 + ``` 192 192 + 193 193 + ## Installing Apps and PHP extensions {#installing-apps-php-extensions-nextcloud} 194 194 + 195 195 + Nextcloud apps are installed statefully through the web interface. 196 196 + Some apps may require extra PHP extensions to be installed. 197 197 + This can be configured with the [](#opt-services.nextcloud.phpExtraExtensions) setting. 198 198 + 199 199 + Alternatively, extra apps can also be declared with the [](#opt-services.nextcloud.extraApps) setting. 200 200 + When using this setting, apps can no longer be managed statefully because this can lead to Nextcloud updating apps 201 201 + that are managed by Nix. If you want automatic updates it is recommended that you use web interface to install apps. 202 202 + 203 203 + ## Maintainer information {#module-services-nextcloud-maintainer-info} 204 204 + 205 205 + As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud 206 206 + since it cannot move more than one major version forward on a single upgrade. This chapter 207 207 + adds some notes how Nextcloud updates should be rolled out in the future. 208 208 + 209 209 + While minor and patch-level updates are no problem and can be done directly in the 210 210 + package-expression (and should be backported to supported stable branches after that), 211 211 + major-releases should be added in a new attribute (e.g. Nextcloud `v19.0.0` 212 212 + should be available in `nixpkgs` as `pkgs.nextcloud19`). 213 213 + To provide simple upgrade paths it's generally useful to backport those as well to stable 214 214 + branches. As long as the package-default isn't altered, this won't break existing setups. 215 215 + After that, the versioning-warning in the `nextcloud`-module should be 216 216 + updated to make sure that the 217 217 + [package](#opt-services.nextcloud.package)-option selects the latest version 218 218 + on fresh setups. 219 219 + 220 220 + If major-releases will be abandoned by upstream, we should check first if those are needed 221 221 + in NixOS for a safe upgrade-path before removing those. In that case we should keep those 222 222 + packages, but mark them as insecure in an expression like this (in 223 223 + `<nixpkgs/pkgs/servers/nextcloud/default.nix>`): 224 224 + ``` 225 225 + /* ... */ 226 226 + { 227 227 + nextcloud17 = generic { 228 228 + version = "17.0.x"; 229 229 + sha256 = "0000000000000000000000000000000000000000000000000000"; 230 230 + eol = true; 231 231 + }; 232 232 + } 233 233 + ``` 234 234 + 235 235 + Ideally we should make sure that it's possible to jump two NixOS versions forward: 236 236 + i.e. the warnings and the logic in the module should guard a user to upgrade from a 237 237 + Nextcloud on e.g. 19.09 to a Nextcloud on 20.09.

+2

nixos/modules/services/web-apps/nextcloud.nix

··· 1146 1146 } 1147 1147 ]); 1148 1148 1149 1149 + # Don't edit the docbook xml directly, edit the md and generate it: 1150 1150 + # `pandoc nextcloud.md -t docbook --top-level-division=chapter --extract-media=media -f markdown-smart --lua-filter ../../../../doc/build-aux/pandoc-filters/myst-reader/roles.lua --lua-filter ../../../../doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua > nextcloud.xml` 1149 1151 meta.doc = ./nextcloud.xml; 1150 1152 }

+261 -241

nixos/modules/services/web-apps/nextcloud.xml

··· 1 1 - <chapter xmlns="http://docbook.org/ns/docbook" 2 2 - xmlns:xlink="http://www.w3.org/1999/xlink" 3 3 - xmlns:xi="http://www.w3.org/2001/XInclude" 4 4 - version="5.0" 5 5 - xml:id="module-services-nextcloud"> 6 6 - <title>Nextcloud</title> 7 7 - <para> 8 8 - <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source, 9 9 - self-hostable cloud platform. The server setup can be automated using 10 10 - <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A 11 11 - desktop client is packaged at <literal>pkgs.nextcloud-client</literal>. 12 12 - </para> 13 13 - <para> 14 14 - The current default by NixOS is <literal>nextcloud25</literal> which is also the latest 15 15 - major version available. 16 16 - </para> 17 17 - <section xml:id="module-services-nextcloud-basic-usage"> 18 18 - <title>Basic usage</title> 19 19 - 1 1 + <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-nextcloud"> 2 2 + <title>Nextcloud</title> 20 3 <para> 21 21 - Nextcloud is a PHP-based application which requires an HTTP server 22 22 - (<link linkend="opt-services.nextcloud.enable"><literal>services.nextcloud</literal></link> 23 23 - optionally supports 24 24 - <link linkend="opt-services.nginx.enable"><literal>services.nginx</literal></link>) 25 25 - and a database (it's recommended to use 26 26 - <link linkend="opt-services.postgresql.enable"><literal>services.postgresql</literal></link>). 4 4 + <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an 5 5 + open-source, self-hostable cloud platform. The server setup can be 6 6 + automated using 7 7 + <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. 8 8 + A desktop client is packaged at 9 9 + <literal>pkgs.nextcloud-client</literal>. 27 10 </para> 28 28 - 29 11 <para> 30 30 - A very basic configuration may look like this: 31 31 - <programlisting> 12 12 + The current default by NixOS is <literal>nextcloud25</literal> which 13 13 + is also the latest major version available. 14 14 + </para> 15 15 + <section xml:id="module-services-nextcloud-basic-usage"> 16 16 + <title>Basic usage</title> 17 17 + <para> 18 18 + Nextcloud is a PHP-based application which requires an HTTP server 19 19 + (<link linkend="opt-services.nextcloud.enable"><literal>services.nextcloud</literal></link> 20 20 + optionally supports 21 21 + <link linkend="opt-services.nginx.enable"><literal>services.nginx</literal></link>) 22 22 + and a database (it's recommended to use 23 23 + <link linkend="opt-services.postgresql.enable"><literal>services.postgresql</literal></link>). 24 24 + </para> 25 25 + <para> 26 26 + A very basic configuration may look like this: 27 27 + </para> 28 28 + <programlisting> 32 29 { pkgs, ... }: 33 30 { 34 31 services.nextcloud = { 35 32 enable = true; 36 36 - hostName = "nextcloud.tld"; 33 33 + hostName = &quot;nextcloud.tld&quot;; 37 34 config = { 38 38 - dbtype = "pgsql"; 39 39 - dbuser = "nextcloud"; 40 40 - dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself 41 41 - dbname = "nextcloud"; 42 42 - adminpassFile = "/path/to/admin-pass-file"; 43 43 - adminuser = "root"; 35 35 + dbtype = &quot;pgsql&quot;; 36 36 + dbuser = &quot;nextcloud&quot;; 37 37 + dbhost = &quot;/run/postgresql&quot;; # nextcloud will add /.s.PGSQL.5432 by itself 38 38 + dbname = &quot;nextcloud&quot;; 39 39 + adminpassFile = &quot;/path/to/admin-pass-file&quot;; 40 40 + adminuser = &quot;root&quot;; 44 41 }; 45 42 }; 46 43 47 44 services.postgresql = { 48 45 enable = true; 49 49 - ensureDatabases = [ "nextcloud" ]; 46 46 + ensureDatabases = [ &quot;nextcloud&quot; ]; 50 47 ensureUsers = [ 51 51 - { name = "nextcloud"; 52 52 - ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; 48 48 + { name = &quot;nextcloud&quot;; 49 49 + ensurePermissions.&quot;DATABASE nextcloud&quot; = &quot;ALL PRIVILEGES&quot;; 53 50 } 54 51 ]; 55 52 }; 56 53 57 54 # ensure that postgres is running *before* running the setup 58 58 - systemd.services."nextcloud-setup" = { 59 59 - requires = ["postgresql.service"]; 60 60 - after = ["postgresql.service"]; 55 55 + systemd.services.&quot;nextcloud-setup&quot; = { 56 56 + requires = [&quot;postgresql.service&quot;]; 57 57 + after = [&quot;postgresql.service&quot;]; 61 58 }; 62 59 63 60 networking.firewall.allowedTCPPorts = [ 80 443 ]; 64 61 } 65 62 </programlisting> 66 66 - </para> 67 67 - 68 68 - <para> 69 69 - The <literal>hostName</literal> option is used internally to configure an HTTP 70 70 - server using <link xlink:href="https://php-fpm.org/"><literal>PHP-FPM</literal></link> 71 71 - and <literal>nginx</literal>. The <literal>config</literal> attribute set is 72 72 - used by the imperative installer and all values are written to an additional file 73 73 - to ensure that changes can be applied by changing the module's options. 74 74 - </para> 75 75 - 76 76 - <para> 77 77 - In case the application serves multiple domains (those are checked with 78 78 - <link xlink:href="http://php.net/manual/en/reserved.variables.server.php"><literal>$_SERVER['HTTP_HOST']</literal></link>) 79 79 - it's needed to add them to 80 80 - <link linkend="opt-services.nextcloud.config.extraTrustedDomains"><literal>services.nextcloud.config.extraTrustedDomains</literal></link>. 81 81 - </para> 82 82 - 83 83 - <para> 84 84 - Auto updates for Nextcloud apps can be enabled using 85 85 - <link linkend="opt-services.nextcloud.autoUpdateApps.enable"><literal>services.nextcloud.autoUpdateApps</literal></link>. 86 86 - </para> 87 87 - 88 88 - </section> 89 89 - 90 90 - <section xml:id="module-services-nextcloud-pitfalls-during-upgrade"> 91 91 - <title>Common problems</title> 92 92 - <itemizedlist> 93 93 - <listitem> 94 94 - <formalpara> 95 95 - <title>General notes</title> 96 96 - <para> 97 97 - Unfortunately Nextcloud appears to be very stateful when it comes to 98 98 - managing its own configuration. The config file lives in the home directory 99 99 - of the <literal>nextcloud</literal> user (by default 100 100 - <literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to 101 101 - track several states of the application (e.g., whether installed or not). 102 102 - </para> 103 103 - </formalpara> 63 63 + <para> 64 64 + The <literal>hostName</literal> option is used internally to 65 65 + configure an HTTP server using 66 66 + <link xlink:href="https://php-fpm.org/"><literal>PHP-FPM</literal></link> 67 67 + and <literal>nginx</literal>. The <literal>config</literal> 68 68 + attribute set is used by the imperative installer and all values 69 69 + are written to an additional file to ensure that changes can be 70 70 + applied by changing the module's options. 71 71 + </para> 104 72 <para> 105 105 - All configuration parameters are also stored in 106 106 - <filename>/var/lib/nextcloud/config/override.config.php</filename> which is generated by 107 107 - the module and linked from the store to ensure that all values from 108 108 - <filename>config.php</filename> can be modified by the module. 109 109 - However <filename>config.php</filename> manages the application's state and shouldn't be 110 110 - touched manually because of that. 73 73 + In case the application serves multiple domains (those are checked 74 74 + with 75 75 + <link xlink:href="http://php.net/manual/en/reserved.variables.server.php"><literal>$_SERVER['HTTP_HOST']</literal></link>) 76 76 + it's needed to add them to 77 77 + <link linkend="opt-services.nextcloud.config.extraTrustedDomains"><literal>services.nextcloud.config.extraTrustedDomains</literal></link>. 111 78 </para> 112 112 - <warning> 113 113 - <para>Don't delete <filename>config.php</filename>! This file 114 114 - tracks the application's state and a deletion can cause unwanted 115 115 - side-effects!</para> 116 116 - </warning> 117 117 - 118 118 - <warning> 119 119 - <para>Don't rerun <literal>nextcloud-occ 120 120 - maintenance:install</literal>! This command tries to install the application 121 121 - and can cause unwanted side-effects!</para> 122 122 - </warning> 123 123 - </listitem> 124 124 - <listitem> 125 125 - <formalpara> 126 126 - <title>Multiple version upgrades</title> 127 127 - <para> 128 128 - Nextcloud doesn't allow to move more than one major-version forward. E.g., if you're on 129 129 - <literal>v16</literal>, you cannot upgrade to <literal>v18</literal>, you need to upgrade to 130 130 - <literal>v17</literal> first. This is ensured automatically as long as the 131 131 - <link linkend="opt-system.stateVersion">stateVersion</link> is declared properly. In that case 132 132 - the oldest version available (one major behind the one from the previous NixOS 133 133 - release) will be selected by default and the module will generate a warning that reminds 134 134 - the user to upgrade to latest Nextcloud <emphasis>after</emphasis> that deploy. 135 135 - </para> 136 136 - </formalpara> 137 137 - </listitem> 138 138 - <listitem> 139 139 - <formalpara> 140 140 - <title><literal>Error: Command "upgrade" is not defined.</literal></title> 141 141 - <para> 142 142 - This error usually occurs if the initial installation 143 143 - (<command>nextcloud-occ maintenance:install</command>) has failed. After that, the application 144 144 - is not installed, but the upgrade is attempted to be executed. Further context can 145 145 - be found in <link xlink:href="https://github.com/NixOS/nixpkgs/issues/111175">NixOS/nixpkgs#111175</link>. 146 146 - </para> 147 147 - </formalpara> 148 79 <para> 149 149 - First of all, it makes sense to find out what went wrong by looking at the logs 150 150 - of the installation via <command>journalctl -u nextcloud-setup</command> and try to fix 151 151 - the underlying issue. 80 80 + Auto updates for Nextcloud apps can be enabled using 81 81 + <link linkend="opt-services.nextcloud.autoUpdateApps.enable"><literal>services.nextcloud.autoUpdateApps</literal></link>. 152 82 </para> 83 83 + </section> 84 84 + <section xml:id="module-services-nextcloud-pitfalls-during-upgrade"> 85 85 + <title>Common problems</title> 153 86 <itemizedlist> 154 154 - <listitem> 155 155 - <para> 156 156 - If this occurs on an <emphasis>existing</emphasis> setup, this is most likely because 157 157 - the maintenance mode is active. It can be deactivated by running 158 158 - <command>nextcloud-occ maintenance:mode --off</command>. It's advisable though to 159 159 - check the logs first on why the maintenance mode was activated. 160 160 - </para> 161 161 - </listitem> 162 162 - <listitem> 163 163 - <warning><para>Only perform the following measures on 164 164 - <emphasis>freshly installed instances!</emphasis></para></warning> 165 165 - <para> 166 166 - A re-run of the installer can be forced by <emphasis>deleting</emphasis> 167 167 - <filename>/var/lib/nextcloud/config/config.php</filename>. This is the only time 168 168 - advisable because the fresh install doesn't have any state that can be lost. 169 169 - In case that doesn't help, an entire re-creation can be forced via 170 170 - <command>rm -rf ~nextcloud/</command>. 171 171 - </para> 172 172 - </listitem> 87 87 + <listitem> 88 88 + <para> 89 89 + <emphasis role="strong">General notes.</emphasis> 90 90 + Unfortunately Nextcloud appears to be very stateful when it 91 91 + comes to managing its own configuration. The config file lives 92 92 + in the home directory of the <literal>nextcloud</literal> user 93 93 + (by default 94 94 + <literal>/var/lib/nextcloud/config/config.php</literal>) and 95 95 + is also used to track several states of the application (e.g., 96 96 + whether installed or not). 97 97 + </para> 98 98 + <para> 99 99 + All configuration parameters are also stored in 100 100 + <filename>/var/lib/nextcloud/config/override.config.php</filename> 101 101 + which is generated by the module and linked from the store to 102 102 + ensure that all values from <filename>config.php</filename> 103 103 + can be modified by the module. However 104 104 + <filename>config.php</filename> manages the application's 105 105 + state and shouldn't be touched manually because of that. 106 106 + </para> 107 107 + <warning> 108 108 + <para> 109 109 + Don't delete <filename>config.php</filename>! This file 110 110 + tracks the application's state and a deletion can cause 111 111 + unwanted side-effects! 112 112 + </para> 113 113 + </warning> 114 114 + <warning> 115 115 + <para> 116 116 + Don't rerun 117 117 + <literal>nextcloud-occ maintenance:install</literal>! This 118 118 + command tries to install the application and can cause 119 119 + unwanted side-effects! 120 120 + </para> 121 121 + </warning> 122 122 + </listitem> 123 123 + <listitem> 124 124 + <para> 125 125 + <emphasis role="strong">Multiple version upgrades.</emphasis> 126 126 + Nextcloud doesn't allow to move more than one major-version 127 127 + forward. E.g., if you're on <literal>v16</literal>, you cannot 128 128 + upgrade to <literal>v18</literal>, you need to upgrade to 129 129 + <literal>v17</literal> first. This is ensured automatically as 130 130 + long as the 131 131 + <link linkend="opt-system.stateVersion">stateVersion</link> is 132 132 + declared properly. In that case the oldest version available 133 133 + (one major behind the one from the previous NixOS release) 134 134 + will be selected by default and the module will generate a 135 135 + warning that reminds the user to upgrade to latest Nextcloud 136 136 + <emphasis>after</emphasis> that deploy. 137 137 + </para> 138 138 + </listitem> 139 139 + <listitem> 140 140 + <para> 141 141 + <emphasis role="strong"><literal>Error: Command &quot;upgrade&quot; is not defined.</literal></emphasis> 142 142 + This error usually occurs if the initial installation 143 143 + (<command>nextcloud-occ maintenance:install</command>) has 144 144 + failed. After that, the application is not installed, but the 145 145 + upgrade is attempted to be executed. Further context can be 146 146 + found in 147 147 + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/111175">NixOS/nixpkgs#111175</link>. 148 148 + </para> 149 149 + <para> 150 150 + First of all, it makes sense to find out what went wrong by 151 151 + looking at the logs of the installation via 152 152 + <command>journalctl -u nextcloud-setup</command> and try to 153 153 + fix the underlying issue. 154 154 + </para> 155 155 + <itemizedlist> 156 156 + <listitem> 157 157 + <para> 158 158 + If this occurs on an <emphasis>existing</emphasis> setup, 159 159 + this is most likely because the maintenance mode is 160 160 + active. It can be deactivated by running 161 161 + <command>nextcloud-occ maintenance:mode --off</command>. 162 162 + It's advisable though to check the logs first on why the 163 163 + maintenance mode was activated. 164 164 + </para> 165 165 + </listitem> 166 166 + <listitem> 167 167 + <warning> 168 168 + <para> 169 169 + Only perform the following measures on <emphasis>freshly 170 170 + installed instances!</emphasis> 171 171 + </para> 172 172 + </warning> 173 173 + <para> 174 174 + A re-run of the installer can be forced by 175 175 + <emphasis>deleting</emphasis> 176 176 + <filename>/var/lib/nextcloud/config/config.php</filename>. 177 177 + This is the only time advisable because the fresh install 178 178 + doesn't have any state that can be lost. In case that 179 179 + doesn't help, an entire re-creation can be forced via 180 180 + <command>rm -rf ~nextcloud/</command>. 181 181 + </para> 182 182 + </listitem> 183 183 + </itemizedlist> 184 184 + </listitem> 185 185 + <listitem> 186 186 + <para> 187 187 + <emphasis role="strong">Server-side encryption.</emphasis> 188 188 + Nextcloud supports 189 189 + <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side 190 190 + encryption (SSE)</link>. This is not an end-to-end encryption, 191 191 + but can be used to encrypt files that will be persisted to 192 192 + external storage such as S3. Please note that this won't work 193 193 + anymore when using OpenSSL 3 for PHP's openssl extension 194 194 + because this is implemented using the legacy cipher RC4. If 195 195 + <xref linkend="opt-system.stateVersion"></xref> is 196 196 + <emphasis>above</emphasis> <literal>22.05</literal>, this is 197 197 + disabled by default. To turn it on again and for further 198 198 + information please refer to 199 199 + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE"></xref>. 200 200 + </para> 201 201 + </listitem> 173 202 </itemizedlist> 174 174 - </listitem> 175 175 - <listitem> 176 176 - <formalpara> 177 177 - <title>Server-side encryption</title> 178 178 - <para> 179 179 - Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>. 180 180 - This is not an end-to-end encryption, but can be used to encrypt files that will be persisted 181 181 - to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 182 182 - for PHP's openssl extension because this is implemented using the legacy cipher RC4. 183 183 - If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>, 184 184 - this is disabled by default. To turn it on again and for further information please refer to 185 185 - <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />. 186 186 - </para> 187 187 - </formalpara> 188 188 - </listitem> 189 189 - </itemizedlist> 190 190 - </section> 191 191 - 192 192 - <section xml:id="module-services-nextcloud-httpd"> 193 193 - <title>Using an alternative webserver as reverse-proxy (e.g. <literal>httpd</literal>)</title> 194 194 - <para> 195 195 - By default, <literal>nginx</literal> is used as reverse-proxy for <literal>nextcloud</literal>. 196 196 - However, it's possible to use e.g. <literal>httpd</literal> by explicitly disabling 197 197 - <literal>nginx</literal> using <xref linkend="opt-services.nginx.enable" /> and fixing the 198 198 - settings <literal>listen.owner</literal> &amp; <literal>listen.group</literal> in the 199 199 - <link linkend="opt-services.phpfpm.pools">corresponding <literal>phpfpm</literal> pool</link>. 200 200 - </para> 201 201 - <para> 202 202 - An exemplary configuration may look like this: 203 203 - <programlisting> 203 203 + </section> 204 204 + <section xml:id="module-services-nextcloud-httpd"> 205 205 + <title>Using an alternative webserver as reverse-proxy (e.g. 206 206 + <literal>httpd</literal>)</title> 207 207 + <para> 208 208 + By default, <literal>nginx</literal> is used as reverse-proxy for 209 209 + <literal>nextcloud</literal>. However, it's possible to use e.g. 210 210 + <literal>httpd</literal> by explicitly disabling 211 211 + <literal>nginx</literal> using 212 212 + <xref linkend="opt-services.nginx.enable"></xref> and fixing the 213 213 + settings <literal>listen.owner</literal> &amp; 214 214 + <literal>listen.group</literal> in the 215 215 + <link linkend="opt-services.phpfpm.pools">corresponding 216 216 + <literal>phpfpm</literal> pool</link>. 217 217 + </para> 218 218 + <para> 219 219 + An exemplary configuration may look like this: 220 220 + </para> 221 221 + <programlisting> 204 222 { config, lib, pkgs, ... }: { 205 223 services.nginx.enable = false; 206 224 services.nextcloud = { 207 225 enable = true; 208 208 - hostName = "localhost"; 226 226 + hostName = &quot;localhost&quot;; 209 227 210 228 /* further, required options */ 211 229 }; 212 230 services.phpfpm.pools.nextcloud.settings = { 213 213 - "listen.owner" = config.services.httpd.user; 214 214 - "listen.group" = config.services.httpd.group; 231 231 + &quot;listen.owner&quot; = config.services.httpd.user; 232 232 + &quot;listen.group&quot; = config.services.httpd.group; 215 233 }; 216 234 services.httpd = { 217 235 enable = true; 218 218 - adminAddr = "webmaster@localhost"; 219 219 - extraModules = [ "proxy_fcgi" ]; 220 220 - virtualHosts."localhost" = { 236 236 + adminAddr = &quot;webmaster@localhost&quot;; 237 237 + extraModules = [ &quot;proxy_fcgi&quot; ]; 238 238 + virtualHosts.&quot;localhost&quot; = { 221 239 documentRoot = config.services.nextcloud.package; 222 240 extraConfig = '' 223 223 - &lt;Directory "${config.services.nextcloud.package}"&gt; 224 224 - &lt;FilesMatch "\.php$"&gt; 225 225 - &lt;If "-f %{REQUEST_FILENAME}"&gt; 226 226 - SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost/" 241 241 + &lt;Directory &quot;${config.services.nextcloud.package}&quot;&gt; 242 242 + &lt;FilesMatch &quot;\.php$&quot;&gt; 243 243 + &lt;If &quot;-f %{REQUEST_FILENAME}&quot;&gt; 244 244 + SetHandler &quot;proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost/&quot; 227 245 &lt;/If&gt; 228 246 &lt;/FilesMatch&gt; 229 247 &lt;IfModule mod_rewrite.c&gt; ··· 243 261 }; 244 262 } 245 263 </programlisting> 246 246 - </para> 247 247 - </section> 248 248 - 249 249 - <section xml:id="installing-apps-php-extensions-nextcloud"> 250 250 - <title>Installing Apps and PHP extensions</title> 251 251 - 252 252 - <para> 253 253 - Nextcloud apps are installed statefully through the web interface. 254 254 - 255 255 - Some apps may require extra PHP extensions to be installed. 256 256 - This can be configured with the <xref linkend="opt-services.nextcloud.phpExtraExtensions" /> setting. 257 257 - </para> 258 258 - 259 259 - <para> 260 260 - Alternatively, extra apps can also be declared with the <xref linkend="opt-services.nextcloud.extraApps" /> setting. 261 261 - When using this setting, apps can no longer be managed statefully because this can lead to Nextcloud updating apps 262 262 - that are managed by Nix. If you want automatic updates it is recommended that you use web interface to install apps. 263 263 - </para> 264 264 - </section> 265 265 - 266 266 - <section xml:id="module-services-nextcloud-maintainer-info"> 267 267 - <title>Maintainer information</title> 268 268 - 269 269 - <para> 270 270 - As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud 271 271 - since it cannot move more than one major version forward on a single upgrade. This chapter 272 272 - adds some notes how Nextcloud updates should be rolled out in the future. 273 273 - </para> 274 274 - 275 275 - <para> 276 276 - While minor and patch-level updates are no problem and can be done directly in the 277 277 - package-expression (and should be backported to supported stable branches after that), 278 278 - major-releases should be added in a new attribute (e.g. Nextcloud <literal>v19.0.0</literal> 279 279 - should be available in <literal>nixpkgs</literal> as <literal>pkgs.nextcloud19</literal>). 280 280 - To provide simple upgrade paths it's generally useful to backport those as well to stable 281 281 - branches. As long as the package-default isn't altered, this won't break existing setups. 282 282 - After that, the versioning-warning in the <literal>nextcloud</literal>-module should be 283 283 - updated to make sure that the 284 284 - <link linkend="opt-services.nextcloud.package">package</link>-option selects the latest version 285 285 - on fresh setups. 286 286 - </para> 287 287 - 288 288 - <para> 289 289 - If major-releases will be abandoned by upstream, we should check first if those are needed 290 290 - in NixOS for a safe upgrade-path before removing those. In that case we should keep those 291 291 - packages, but mark them as insecure in an expression like this (in 292 292 - <literal>&lt;nixpkgs/pkgs/servers/nextcloud/default.nix&gt;</literal>): 293 293 - <programlisting> 264 264 + </section> 265 265 + <section xml:id="installing-apps-php-extensions-nextcloud"> 266 266 + <title>Installing Apps and PHP extensions</title> 267 267 + <para> 268 268 + Nextcloud apps are installed statefully through the web interface. 269 269 + Some apps may require extra PHP extensions to be installed. This 270 270 + can be configured with the 271 271 + <xref linkend="opt-services.nextcloud.phpExtraExtensions"></xref> 272 272 + setting. 273 273 + </para> 274 274 + <para> 275 275 + Alternatively, extra apps can also be declared with the 276 276 + <xref linkend="opt-services.nextcloud.extraApps"></xref> setting. 277 277 + When using this setting, apps can no longer be managed statefully 278 278 + because this can lead to Nextcloud updating apps that are managed 279 279 + by Nix. If you want automatic updates it is recommended that you 280 280 + use web interface to install apps. 281 281 + </para> 282 282 + </section> 283 283 + <section xml:id="module-services-nextcloud-maintainer-info"> 284 284 + <title>Maintainer information</title> 285 285 + <para> 286 286 + As stated in the previous paragraph, we must provide a clean 287 287 + upgrade-path for Nextcloud since it cannot move more than one 288 288 + major version forward on a single upgrade. This chapter adds some 289 289 + notes how Nextcloud updates should be rolled out in the future. 290 290 + </para> 291 291 + <para> 292 292 + While minor and patch-level updates are no problem and can be done 293 293 + directly in the package-expression (and should be backported to 294 294 + supported stable branches after that), major-releases should be 295 295 + added in a new attribute (e.g. Nextcloud 296 296 + <literal>v19.0.0</literal> should be available in 297 297 + <literal>nixpkgs</literal> as 298 298 + <literal>pkgs.nextcloud19</literal>). To provide simple upgrade 299 299 + paths it's generally useful to backport those as well to stable 300 300 + branches. As long as the package-default isn't altered, this won't 301 301 + break existing setups. After that, the versioning-warning in the 302 302 + <literal>nextcloud</literal>-module should be updated to make sure 303 303 + that the 304 304 + <link linkend="opt-services.nextcloud.package">package</link>-option 305 305 + selects the latest version on fresh setups. 306 306 + </para> 307 307 + <para> 308 308 + If major-releases will be abandoned by upstream, we should check 309 309 + first if those are needed in NixOS for a safe upgrade-path before 310 310 + removing those. In that case we should keep those packages, but 311 311 + mark them as insecure in an expression like this (in 312 312 + <literal>&lt;nixpkgs/pkgs/servers/nextcloud/default.nix&gt;</literal>): 313 313 + </para> 314 314 + <programlisting> 294 315 /* ... */ 295 316 { 296 317 nextcloud17 = generic { 297 297 - version = "17.0.x"; 298 298 - sha256 = "0000000000000000000000000000000000000000000000000000"; 318 318 + version = &quot;17.0.x&quot;; 319 319 + sha256 = &quot;0000000000000000000000000000000000000000000000000000&quot;; 299 320 eol = true; 300 321 }; 301 322 } 302 323 </programlisting> 303 303 - </para> 304 304 - 305 305 - <para> 306 306 - Ideally we should make sure that it's possible to jump two NixOS versions forward: 307 307 - i.e. the warnings and the logic in the module should guard a user to upgrade from a 308 308 - Nextcloud on e.g. 19.09 to a Nextcloud on 20.09. 309 309 - </para> 310 310 - </section> 324 324 + <para> 325 325 + Ideally we should make sure that it's possible to jump two NixOS 326 326 + versions forward: i.e. the warnings and the logic in the module 327 327 + should guard a user to upgrade from a Nextcloud on e.g. 19.09 to a 328 328 + Nextcloud on 20.09. 329 329 + </para> 330 330 + </section> 311 331 </chapter>