How to get beyond the current nextcloud module?

I’ve just completed a nextcloud install module. I had alrady done in the past on a VPS with the default config but this time I wanted to get something cleaner/faster (replacing sqlite with postgres, enabling redis etc, similar to Nextcloud is slow / long loading times).

disclaimer: Without nixpkgs I would have never even tried to maintain this kind of infra by myself. The nixos module is fantastic it works out of the box etc.

Now I want to explore what’s possible to improve and how:

• via nextcloud modifications. I quite liked the warning in NixOS 23.11 manual | Nix & NixOS but then it raised the questions: are improvements on their way ? are nextcloud folks aware they could do things in a more declarative way (that incenditally would suit nix better) ? if yes, is this something they want to pursue ?

First of all I had this small issue nextcloud deployement fails with caching.apcu set to false · Issue #242675 · NixOS/nixpkgs · GitHub which looks solved at some point as I enabled redis. On the administrative checkup, I got greeted by

No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation 

setting

    # New option since NixOS 23.05
    caching = {
      apcu = true;
      redis = true;
      memcached = false;
    };

fixed that. Is there any reason not to enable this by default ?

• The administrative check mentioned You have not set or verified your email server configuration, yet. Please head over to the Basic settings in order to set them. Afterwards, use the "Send email" button below the form to verify your settings.. It refused to send the email because the root user had to configure an email first. My thinking is: should we mandate an email for the admin and send the validation email via occ ?

• The administrative check also had a warning about unset default_phone_region. Could we convert this from the machine locale or set a default ? Solved by setting config.defaultPhoneRegion = “FR”;` .

• In my config I disabled imageMagick because the module documentation mentions it has a positive effect on security so I set enableImagemagick = false; but then the administrative check mentions: The PHP module "imagick" is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.. Could the nix setting disable the theming app as well ? I am curious how to do it via nix anyway ?

• The administrative check also mentioned something that I am eager to fix but got scared to change:

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

Maybe this could be enabled along with https ?

• and one of the closest to my heart is: what’s the best way to declare users ?
  At first I ran this service after nextcloud-setup:

  systemd.services.nextcloud-add-user = {
    path = [ config.services.nextcloud.occ ];
    script = ''
      export OC_PASS="$(cat /run/secrets/nextcloud/tetoPassword)"
      nextcloud-occ user:add --password-from-env teto
      ${config.services.nextcloud.occ}/bin/nextcloud-occ user:setting teto settings email "${secrets.users.teto.email}"
    '';

    serviceConfig = {
      Type = "oneshot";
      User= "nextcloud";
    };
    # DONT run it automatically
    # after = [ "nextcloud-setup.service" ];

    # see https://discourse.nixos.org/t/disable-a-systemd-service-while-having-it-in-nixoss-conf/12732
    wantedBy = lib.mkForce [ ];
  };

but after the initial deployement it would fail . Right now I judged easier to launch the service manually but surely there is a better way ot check if user exists before making the change. This could improve Nextcloud - NixOS Wiki

Sorry for long message, curious what nextcloud maintainers think

Cheers

additional question: nextcloud seems to enable by default a bunch of plugins like “weather” / “user status”. I could not care less for those, disabling them from the administration panel works fine, but I would prefer to automate it via nix.

NB: I’ve just tested the “memories” app to handle albums on nextcloud, it worked fine so far (haven’t tested the AI face recognition). I 'll probably open a PR tomorrow https://apps.nextcloud.com/apps/memories

additional question: nextcloud seems to enable by default a bunch of plugins like “weather” / “user status”.

Not entirely sure. IIRC these apps are in a different directory, so one could disable them from the app search-path. Not sure how that would behave though, but feel free to try it out, not sure if I’d get to it soonish.

However I’d like to note one thing: I don’t want to have an approach as it was pursued with Wordpress in nixpkgs where every theme delivered by default etc. was removed at some point. This is just confusing when you’re used to non-Nix deployments (and the actual upstream defaults because of that!) and migrating to such a change is also rather unpleasant.

The administrative check also had a warning about unset default_phone_region. Could we convert this from the machine locale or set a default ? Solved by setting config.defaultPhoneRegion = “FR”;` .

I don’t think that machine locale is a good default: I guess almost every server will have en_US or something similar to that set, so this is wrong in most of the cases. Also, the warning is for exactly that purpose, to inform about such a problem.

It refused to send the email because the root user had to configure an email first. My thinking is: should we mandate an email for the admin and send the validation email via occ ?

You were logged in as root to be able to see these checks, correct? And Nextcloud is sending emails to that user when testing the feature with this button, so I don’t think that we should mandate this just to make a test work. Also, not only root, but an arbitrary user can become admin (relevant when e.g. syncing a user directory via LDAP to nextcloud).

and one of the closest to my heart is: what’s the best way to declare users ?

While the NixOS wiki isn’t an official source (and thus I’m not responsible for the nextcloud section there), I don’t think that this is a good idea: you’re running a service once and you can’t do that afterwords because the user already exists. Even worse, if you ever rotate your password, you have two options:

• either rotate it in your deployment (assuming that /run/secrets/... comes from e.g. sops-nix) even though this won’t have any effect
• or keep it as-is and have outdated information in your deployment, even though it’s supposed to be your source of truth.

My recommendation is to just create users manually if your instance is small enough to not use any sofisticated methods such as syncing your LDAP directory (which is the way to go IMHO if you have an amount of users where this is an actual problem) for the following reasons:

• If you ever have to setup a new Nextcloud, you’ll probably re-apply a database dump and restore your backup of /var/lib/nextcloud to regain your old state.
• Setting up such a service (which isn’t even a very nice solution IMHO) will take way more time than filling out a form once (and the benefit of being declarative isn’t provided in that case, so it’s not worth the hassle IMHO).

The administrative check also mentioned something that I am eager to fix but got scared to change:

How to you reverse-proxy nginx? Do you use the https settings from the module or do you use a reverse-proxy on another machine?

Could the nix setting disable the theming app as well ? I am curious how to do it via nix anyway ?

As mentioned above, feel free to explore ways to disable default apps. But given that imagemagick isn’t available, this won’t work by default, so this warning should be OK to ignore IMHO.