death916/nixconfig
1
0
Fork 0
mirror of https://github.com/Death916/nixconfig.git synced 2026-04-11 04:48:25 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

local tailscale

Browse source
This commit is contained in:
death916 2025-05-12 12:55:35 +00:00
parent 80c270435b
commit 53a5637dff
1 changed files with 62 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

93
modules/nextcloud-setup.nix
View file

@ -2,27 +2,29 @@
{ config, pkgs, lib, ... }:
let
nextcloudExternalDomain = "cloud.death916.xyz";
nextcloudExternalDomain = "cloud.death916.xyz"; # Domain used by NPM
adminPassFilePath = "/etc/nixos/secrets/nextcloud_admin_password";
dbPassFilePath = "/etc/nixos/secrets/nextcloud_db_password";
nextcloudDataPath = "/storage/nextcloud-data";
nginxProxyManagerTailscaleIP = "100.117.212.36"; # IP of your NPM
#If services.nginx is not set, Nextcloud defaults to 80 (or you specify listen port)
# Port Nextcloud's internal webserver listens on (default 80 for HTTP).
# NPM forwards to <homelab_tailscale_ip>:<internalNextcloudHttpPort>
# Direct Tailscale clients will connect to <homelab_tailscale_ip_or_magicdns>:<internalNextcloudHttpPort>
internalNextcloudHttpPort = 80;
nginxProxyManagerTailscaleIP = "100.117.212.36";
# --- For Direct Tailscale Access to homelab's Nextcloud ---
homelabTailscaleIP = "100.65.36.116"; # REPLACE with homelab's actual Tailscale IP
homelabMagicDNSName = "homelab"; # Or homelab.your-tailnet-name.ts.net if you use the full name
in
{
# --- PostgreSQL Database ---
# --- PostgreSQL & Redis setup ... (as before) ---
services.postgresql = {
enable = true; package = pkgs.postgresql_14; ensureDatabases = [ "nextcloud" ];
ensureUsers = [ { name = "nextcloud"; } ];
};
# --- Redis for Caching and Locking ---
services.redis.servers.nextcloud = {
enable = true;
user = "nextcloud";
unixSocket = "/run/redis-nextcloud/redis.sock";
enable = true; user = "nextcloud"; unixSocket = "/run/redis-nextcloud/redis.sock";
port = 0;
};
systemd.tmpfiles.rules = [ "d /run/redis-nextcloud 0750 nextcloud nextcloud - -" ];
@ -30,40 +32,69 @@ in
# --- Nextcloud Service Configuration ---
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31; # Or your preferred Nextcloud version
hostName = nextcloudExternalDomain;
https = false; # Let NPM Handle TLS
configureRedis = true;
package = pkgs.nextcloud31; # Verify this version
# For the path through NPM, hostName should match the external domain.
# For direct Tailscale access, users will use the Tailscale IP/MagicDNS name.
hostName = nextcloudExternalDomain;
https = false; # NPM handles HTTPS. Nextcloud serves HTTP internally.
datadir = nextcloudDataPath;
maxUploadSize = "2G"; # Example - can be adjusted
maxUploadSize = "2G";
config = { # settings for config.php
config = {
dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql";
dbname = "nextcloud"; dbpassFile = dbPassFilePath;
adminuser = "death916"; adminpassFile = adminPassFilePath;
};
settings = {
trusted_domains = [ nextcloudExternalDomain "100.117.212.36" "homelab" ];
overwriteprotocol = "https"; # from Browser all traffic to Nextcloud will be HTTPS since Nginx terminates SSL
overwritehost = nextcloudExternalDomain; # Tell Nextcloud what your domain is
settings = {
# --- Trusted Domains: CRITICAL ---
# Add all ways Nextcloud will be accessed.
trusted_domains = [
nextcloudExternalDomain, # For access via NPM
homelabTailscaleIP, # For direct access via Tailscale IP
homelabMagicDNSName # For direct access via Tailscale MagicDNS name
# "localhost" # If you run occ commands directly on homelab
];
# --- Trusted Proxies: For NPM path ---
trusted_proxies = [ nginxProxyManagerTailscaleIP ];
overwrite.cli.url = "https://${nextcloudExternalDomain}";
# --- Overwrite Parameters: Primarily for the NPM path ---
# These tell Nextcloud how it looks when accessed via NPM (HTTPS, external domain).
# When accessed directly via Tailscale IP/MagicDNS name over HTTP, these *might*
# cause Nextcloud to generate HTTPS links, which could be an issue if you haven't
# set up HTTPS directly on the homelab Tailscale interface.
overwriteprotocol = "https";
overwritehost = nextcloudExternalDomain;
"overwrite.cli.url" = "https://${nextcloudExternalDomain}"; # For occ commands
trusted_proxies = [ nginxProxyManagerTailscaleIP ]; # list of IP addresses of reverse proxies that are allowed to connect to Nextcloud
"memcache.local" = "\\OC\\Memcache\\APCu"; # See NC recommended settings
"memcache.distributed" = "\\OC\\Memcache\\Redis"; # Distributed caching, as we also used redis
"memcache.locking" = "\\OC\\Memcache\\Redis"; # File locking using Redis, for performance
filelocking.enabled = true; # Finally enable file locking
};
phpOptions = lib.mkForce { "memory_limit" = "2G"; };
# If direct HTTP access over Tailscale leads to mixed content or redirect loops
# due to the above overwrite settings, you might need `overwritecondaddr`.
# Example: overwritecondaddr = "^${nginxProxyManagerTailscaleIP}$";
# This would apply the overwriteprotocol/host only if request comes from NPM.
# For simplicity, try without it first.
# Redis and other settings
"memcache.local" = "\\OC\\Memcache\\APCu";
"memcache.distributed" = "\\OC\\Memcache\\Redis";
"memcache.locking" = "\\OC\\Memcache\\Redis";
filelocking.enabled = true;
redis = { host = "/run/redis-nextcloud/redis.sock"; port = 0; };
};
caching.redis = true;
phpOptions = lib.mkForce { "memory_limit" = "2G"; };
};
users.users.nextcloud = { isSystemUser = true; group = "nextcloud"; };
users.groups.nextcloud = {};
users.groups.nextcloud = {};
# Firewall on homelab:
# Allows NPM (and direct Tailscale clients) to connect to Nextcloud's internal HTTP port.
# If `networking.firewall.trustedInterfaces = [ "tailscale0" ];` is in homelab.nix,
# this is mainly for Tailscale access.
networking.firewall.allowedTCPPorts = [ internalNextcloudHttpPort ]; # Port 80
}