mirror of
https://github.com/Death916/nixconfig.git
synced 2026-04-10 02:54:39 -07:00
local tailscale
This commit is contained in:
death916
parent
80c270435b
commit
53a5637dff
1 changed files with 62 additions and 31 deletions
|
|
@ -2,27 +2,29 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
nextcloudExternalDomain = "cloud.death916.xyz";
|
nextcloudExternalDomain = "cloud.death916.xyz"; # Domain used by NPM
|
||||||
adminPassFilePath = "/etc/nixos/secrets/nextcloud_admin_password";
|
adminPassFilePath = "/etc/nixos/secrets/nextcloud_admin_password";
|
||||||
dbPassFilePath = "/etc/nixos/secrets/nextcloud_db_password";
|
dbPassFilePath = "/etc/nixos/secrets/nextcloud_db_password";
|
||||||
nextcloudDataPath = "/storage/nextcloud-data";
|
nextcloudDataPath = "/storage/nextcloud-data";
|
||||||
|
nginxProxyManagerTailscaleIP = "100.117.212.36"; # IP of your NPM
|
||||||
|
|
||||||
#If services.nginx is not set, Nextcloud defaults to 80 (or you specify listen port)
|
# Port Nextcloud's internal webserver listens on (default 80 for HTTP).
|
||||||
|
# NPM forwards to <homelab_tailscale_ip>:<internalNextcloudHttpPort>
|
||||||
|
# Direct Tailscale clients will connect to <homelab_tailscale_ip_or_magicdns>:<internalNextcloudHttpPort>
|
||||||
internalNextcloudHttpPort = 80;
|
internalNextcloudHttpPort = 80;
|
||||||
nginxProxyManagerTailscaleIP = "100.117.212.36";
|
|
||||||
|
# --- For Direct Tailscale Access to homelab's Nextcloud ---
|
||||||
|
homelabTailscaleIP = "100.65.36.116"; # REPLACE with homelab's actual Tailscale IP
|
||||||
|
homelabMagicDNSName = "homelab"; # Or homelab.your-tailnet-name.ts.net if you use the full name
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# --- PostgreSQL Database ---
|
# --- PostgreSQL & Redis setup ... (as before) ---
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true; package = pkgs.postgresql_14; ensureDatabases = [ "nextcloud" ];
|
enable = true; package = pkgs.postgresql_14; ensureDatabases = [ "nextcloud" ];
|
||||||
ensureUsers = [ { name = "nextcloud"; } ];
|
ensureUsers = [ { name = "nextcloud"; } ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# --- Redis for Caching and Locking ---
|
|
||||||
services.redis.servers.nextcloud = {
|
services.redis.servers.nextcloud = {
|
||||||
enable = true;
|
enable = true; user = "nextcloud"; unixSocket = "/run/redis-nextcloud/redis.sock";
|
||||||
user = "nextcloud";
|
|
||||||
unixSocket = "/run/redis-nextcloud/redis.sock";
|
|
||||||
port = 0;
|
port = 0;
|
||||||
};
|
};
|
||||||
systemd.tmpfiles.rules = [ "d /run/redis-nextcloud 0750 nextcloud nextcloud - -" ];
|
systemd.tmpfiles.rules = [ "d /run/redis-nextcloud 0750 nextcloud nextcloud - -" ];
|
||||||
|
|
@ -30,40 +32,69 @@ in
|
||||||
# --- Nextcloud Service Configuration ---
|
# --- Nextcloud Service Configuration ---
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nextcloud31; # Or your preferred Nextcloud version
|
package = pkgs.nextcloud31; # Verify this version
|
||||||
hostName = nextcloudExternalDomain;
|
|
||||||
https = false; # Let NPM Handle TLS
|
# For the path through NPM, hostName should match the external domain.
|
||||||
configureRedis = true;
|
# For direct Tailscale access, users will use the Tailscale IP/MagicDNS name.
|
||||||
|
hostName = nextcloudExternalDomain;
|
||||||
|
|
||||||
|
https = false; # NPM handles HTTPS. Nextcloud serves HTTP internally.
|
||||||
datadir = nextcloudDataPath;
|
datadir = nextcloudDataPath;
|
||||||
maxUploadSize = "2G"; # Example - can be adjusted
|
maxUploadSize = "2G";
|
||||||
|
|
||||||
config = { # settings for config.php
|
config = {
|
||||||
dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql";
|
dbtype = "pgsql"; dbuser = "nextcloud"; dbhost = "/run/postgresql";
|
||||||
dbname = "nextcloud"; dbpassFile = dbPassFilePath;
|
dbname = "nextcloud"; dbpassFile = dbPassFilePath;
|
||||||
adminuser = "death916"; adminpassFile = adminPassFilePath;
|
adminuser = "death916"; adminpassFile = adminPassFilePath;
|
||||||
|
|
||||||
|
|
||||||
};
|
};
|
||||||
settings = {
|
|
||||||
trusted_domains = [ nextcloudExternalDomain "100.117.212.36" "homelab" ];
|
|
||||||
overwriteprotocol = "https"; # from Browser all traffic to Nextcloud will be HTTPS since Nginx terminates SSL
|
|
||||||
|
|
||||||
overwritehost = nextcloudExternalDomain; # Tell Nextcloud what your domain is
|
settings = {
|
||||||
|
# --- Trusted Domains: CRITICAL ---
|
||||||
|
# Add all ways Nextcloud will be accessed.
|
||||||
|
trusted_domains = [
|
||||||
|
nextcloudExternalDomain, # For access via NPM
|
||||||
|
homelabTailscaleIP, # For direct access via Tailscale IP
|
||||||
|
homelabMagicDNSName # For direct access via Tailscale MagicDNS name
|
||||||
|
# "localhost" # If you run occ commands directly on homelab
|
||||||
|
];
|
||||||
|
|
||||||
|
# --- Trusted Proxies: For NPM path ---
|
||||||
|
trusted_proxies = [ nginxProxyManagerTailscaleIP ];
|
||||||
|
|
||||||
overwrite.cli.url = "https://${nextcloudExternalDomain}";
|
# --- Overwrite Parameters: Primarily for the NPM path ---
|
||||||
|
# These tell Nextcloud how it looks when accessed via NPM (HTTPS, external domain).
|
||||||
|
# When accessed directly via Tailscale IP/MagicDNS name over HTTP, these *might*
|
||||||
|
# cause Nextcloud to generate HTTPS links, which could be an issue if you haven't
|
||||||
|
# set up HTTPS directly on the homelab Tailscale interface.
|
||||||
|
overwriteprotocol = "https";
|
||||||
|
overwritehost = nextcloudExternalDomain;
|
||||||
|
"overwrite.cli.url" = "https://${nextcloudExternalDomain}"; # For occ commands
|
||||||
|
|
||||||
trusted_proxies = [ nginxProxyManagerTailscaleIP ]; # list of IP addresses of reverse proxies that are allowed to connect to Nextcloud
|
# If direct HTTP access over Tailscale leads to mixed content or redirect loops
|
||||||
"memcache.local" = "\\OC\\Memcache\\APCu"; # See NC recommended settings
|
# due to the above overwrite settings, you might need `overwritecondaddr`.
|
||||||
"memcache.distributed" = "\\OC\\Memcache\\Redis"; # Distributed caching, as we also used redis
|
# Example: overwritecondaddr = "^${nginxProxyManagerTailscaleIP}$";
|
||||||
"memcache.locking" = "\\OC\\Memcache\\Redis"; # File locking using Redis, for performance
|
# This would apply the overwriteprotocol/host only if request comes from NPM.
|
||||||
filelocking.enabled = true; # Finally enable file locking
|
# For simplicity, try without it first.
|
||||||
|
|
||||||
};
|
|
||||||
phpOptions = lib.mkForce { "memory_limit" = "2G"; };
|
|
||||||
|
|
||||||
|
# Redis and other settings
|
||||||
|
"memcache.local" = "\\OC\\Memcache\\APCu";
|
||||||
|
"memcache.distributed" = "\\OC\\Memcache\\Redis";
|
||||||
|
"memcache.locking" = "\\OC\\Memcache\\Redis";
|
||||||
|
filelocking.enabled = true;
|
||||||
|
redis = { host = "/run/redis-nextcloud/redis.sock"; port = 0; };
|
||||||
|
};
|
||||||
|
|
||||||
|
caching.redis = true;
|
||||||
|
phpOptions = lib.mkForce { "memory_limit" = "2G"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.nextcloud = { isSystemUser = true; group = "nextcloud"; };
|
users.users.nextcloud = { isSystemUser = true; group = "nextcloud"; };
|
||||||
users.groups.nextcloud = {};
|
users.groups.nextcloud = {};
|
||||||
|
|
||||||
|
# Firewall on homelab:
|
||||||
|
# Allows NPM (and direct Tailscale clients) to connect to Nextcloud's internal HTTP port.
|
||||||
|
# If `networking.firewall.trustedInterfaces = [ "tailscale0" ];` is in homelab.nix,
|
||||||
|
# this is mainly for Tailscale access.
|
||||||
|
networking.firewall.allowedTCPPorts = [ internalNextcloudHttpPort ]; # Port 80
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue