rarias/jungle
2
0
Fork 3
Code Issues 63 Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Add Nextcloud service in tent #240

Open
rarias wants to merge 1 commits from add-nextcloud into master
pull from: add-nextcloud
merge into: rarias:master
Conversation 1 Commits 1 Files Changed 4 +73
4 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
m/tent/configuration.nix
View File

@@ -11,6 +11,7 @@
./nix-serve.nix
./gitlab-runner.nix
./gitea.nix
./nextcloud.nix
../hut/public-inbox.nix
../hut/msmtp.nix
../module/p.nix

71
m/tent/nextcloud.nix Normal file
View File

@@ -0,0 +1,71 @@
{ pkgs, config, ... }:
{
age.secrets.tent-nextcloud-admin-pass.file = ../../secrets/tent-nextcloud-admin-pass.age;
services.nextcloud = {
package = pkgs.nextcloud32;
abonerib commented 2026-03-12 13:11:28 +01:00
Review
Copy Link

End of life for 32 is this September:

https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule

End of life for 32 is this September: https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule
enable = true;
hostName = "localhost";
config.adminpassFile = config.age.secrets.tent-nextcloud-admin-pass.path;
config.dbtype = "sqlite";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
news
contacts
calendar
tasks;
# The app richdocuments (i.e. office) is not enabled yet as there are
# problems with the WOPI protocol in a subdir.
};
extraAppsEnable = true;
settings = let
prot = "https";
host = "jungle.bsc.es";
dir = "/nextcloud";
in {
overwriteprotocol = prot;
overwritehost = host;
overwritewebroot = dir;
overwrite.cli.url = "${prot}://${host}${dir}/";
htaccess.RewriteBase = dir;
};
};
services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ {
addr = "127.0.0.1";
port = 8066; # NOT an exposed port
} ];
services.nginx.virtualHosts."jungle.bsc.es".locations = {
"^~ /.well-known" = {
abonerib commented 2026-03-12 13:08:57 +01:00
Review
Copy Link

Can't we use proxy_pass http://127.0.0.1:8066 (without the slash), since the localhost nginx has the same .well-known rule?

Can't we use `proxy_pass http://127.0.0.1:8066` (without the slash), since the localhost nginx has the same `.well-known` rule?
priority = 9000;
extraConfig = ''
absolute_redirect off;
location ~ ^/\\.well-known/(?:carddav|caldav)$ {
return 301 /nextcloud/remote.php/dav;
}
location ~ ^/\\.well-known/host-meta(?:\\.json)?$ {
return 301 /nextcloud/public.php?service=host-meta-json;
}
location ~ ^/\\.well-known/(?!acme-challenge|pki-validation) {
return 301 /nextcloud/index.php$request_uri;
}
try_files $uri $uri/ =404;
abonerib commented 2026-03-12 12:22:18 +01:00
Review
Copy Link

Noticed that the nextcloud 32 docs have the rules for acme/pki the other way around to what it's done in the NixOS module.

I am not sure if these are used, we can keep it in line with the NixOS version for now if it's not broken, but good to keep in mind:

# nextcloud docs
location ^~ /.well-known {
    # The rules in this block are an adaptation of the rules
    # in the Nextcloud `.htaccess` that concern `/.well-known`.

    location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav/; }

    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /nextcloud/index.php$request_uri;
}

NixOS version taken from tent localhost:

# nix eval .#nixosConfigurations.tent.config.services.nginx.virtualHosts.localhost.locations --json | jq '."^~ /.well-known".extraConfig' --raw-output
absolute_redirect off;
location = /.well-known/carddav {
  return 301 /remote.php/dav/;
}
location = /.well-known/caldav {
  return 301 /remote.php/dav/;
}
location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
  return 301 /index.php$request_uri;
}
try_files $uri $uri/ =404;
Noticed that the [nextcloud 32 docs][1] have the rules for acme/pki the other way around to what it's done in the NixOS module. I am not sure if these are used, we can keep it in line with the NixOS version for now if it's not broken, but good to keep in mind: ```nginx # nextcloud docs location ^~ /.well-known { # The rules in this block are an adaptation of the rules # in the Nextcloud `.htaccess` that concern `/.well-known`. location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; } location = /.well-known/caldav { return 301 /nextcloud/remote.php/dav/; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; } location /.well-known/pki-validation { try_files $uri $uri/ =404; } # Let Nextcloud's API for `/.well-known` URIs handle all other # requests by passing them to the front-end controller. return 301 /nextcloud/index.php$request_uri; } ``` NixOS version taken from tent localhost: ```nginx # nix eval .#nixosConfigurations.tent.config.services.nginx.virtualHosts.localhost.locations --json | jq '."^~ /.well-known".extraConfig' --raw-output absolute_redirect off; location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } location ~ ^/\.well-known/(?!acme-challenge|pki-validation) { return 301 /index.php$request_uri; } try_files $uri $uri/ =404; ``` [1]: https://docs.nextcloud.com/server/32/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-the-nginx-webroot
'';
};
"/nextcloud/" = {
priority = 9999;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto http;
proxy_pass http://127.0.0.1:8066/; # tailing / is important!
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
'';
};
};
}

1
secrets/secrets.nix
View File

@@ -22,6 +22,7 @@ in
"tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
"tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
"tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent;
"tent-nextcloud-admin-pass.age".publicKeys = tent;
"vpn-dac-login.age".publicKeys = tent;
"vpn-dac-client-key.age".publicKeys = tent;

BIN
secrets/tent-nextcloud-admin-pass.age Normal file
View File

Binary file not shown.