I’ve just completed a nextcloud install module. I had already done it in the past on a VPS with the default config, but this time I wanted to get something cleaner/faster (replacing sqlite with postgres, enabling redis, etc., similar to Nextcloud is slow / long loading times).
Disclaimer: without nixpkgs I would never even have tried to maintain this kind of infra by myself. The NixOS module is fantastic, it works out of the box, etc.
Now I want to explore what’s possible to improve and how:
- via nextcloud modifications. I quite liked the warning in NixOS 23.05 manual | Nix & NixOS, but then it raised the questions: are improvements on their way? Are nextcloud folks aware they could do things in a more declarative way (that incidentally would suit nix better)? If yes, is this something they want to pursue?
  - First of all I had this small issue, nextcloud deployement fails with caching.apcu set to false · Issue #242675 · NixOS/nixpkgs · GitHub, which looks solved at some point as I enabled redis. On the administrative checkup, I got greeted by

    > No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation

    Setting

    ```nix
    # New option since NixOS 23.05
    caching = {
      apcu = true;
      redis = true;
      memcached = false;
    };
    ```

    fixed that. Is there any reason not to enable this by default?
  - The administrative check mentioned

    > You have not set or verified your email server configuration, yet. Please head over to the Basic settings in order to set them. Afterwards, use the "Send email" button below the form to verify your settings.

    It refused to send the email because the root user had to configure an email first. My thinking is: should we mandate an email for the admin and send the validation email via occ?
  - The administrative check also had a warning about unset default_phone_region. Could we convert this from the machine locale or set a default? Solved by setting `config.defaultPhoneRegion = "FR";`.
  - In my config I disabled imageMagick because the module documentation mentions it has a positive effect on security, so I set `enableImagemagick = false;` but then the administrative check mentions:

    > The PHP module "imagick" is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.

    Could the nix setting disable the theming app as well? I am curious how to do it via nix anyway.
  - The administrative check also mentioned something that I am eager to fix but got scared to change:

    > The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

    Maybe this could be enabled along with https?
- and one of the closest to my heart is: what’s the best way to declare users?
At first I ran this service after nextcloud-setup:
```nix
systemd.services.nextcloud-add-user = {
  path = [ config.services.nextcloud.occ ];
  script = ''
    export OC_PASS="$(cat /run/secrets/nextcloud/tetoPassword)"
    nextcloud-occ user:add --password-from-env teto
    ${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting teto settings email "${secrets.users.teto.email}"
  '';
  serviceConfig = {
    Type = "oneshot";
    User = "nextcloud";
  };
  # DON'T run it automatically
  # after = [ "nextcloud-setup.service" ];
  # see https://discourse.nixos.org/t/disable-a-systemd-service-while-having-it-in-nixoss-conf/12732
  wantedBy = lib.mkForce [ ];
};
```
but after the initial deployment it would fail. Right now I judged it easier to launch the service manually, but surely there is a better way to check if the user exists before making the change. This could improve Nextcloud - NixOS Wiki.
Sorry for the long message, curious what nextcloud maintainers think.
Cheers