Rate My Nextcloud Setup

I’m renting a VPS and a Storage Box from Hetzner. The VPS runs NixOS and mounts the Storage Box with SSHFS, which is used to host the Nextcloud data directory. Nextcloud runs in a NixOS container with PostgreSQL, Redis, and nginx. There is an nginx proxy on the main computer. For online office support, Collabora CODE runs in an OCI container. The NixOS container is ephemeral and uses bind mounts for persistent data. Although the host is not ephemeral, all the non-reproducible data is concentrated in a few places. The Nextcloud container is behind NAT, so I can have more services running in parallel in containers without unwanted interaction with the database, Redis, or other services. The persistent data is separated from the container, so I can theoretically easily move a service to another VPS.

It is a flake-based config; here are all the modules for my VPS, starting with conf.nix.

There are some things I would like to improve on:

  • encrypt the root partition and enable remote unlock over SSH in initrd
  • transparently encrypt the entire network mount instead of relying on Nextcloud server side encryption
  • make the host ephemeral and put all the persistent files in /persistent including SSH keys
  • put more Nextcloud configuration in Nix
  • install more Nextcloud apps through Nix

This was my first time deploying any service on a VPS and I’m pretty happy with how it turned out. Suggestions, questions and critique are welcome!
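The host-side layout described above (SSHFS mount of the Storage Box, ephemeral NixOS container behind NAT with bind mounts, nginx proxy on the host), as an added illustration rather than the poster's own conf.nix. Hostnames, addresses, paths and the Storage Box user are placeholders, and the secret and key files are assumed to exist under /persistent.

```nix
# Added example, not the original config. Placeholders: cloud.example.org,
# u123456 (Storage Box user), 192.168.100.0/24, /persistent/... paths.
{ pkgs, ... }:
{
  # Storage Box over SSHFS; allow_other so the container's service users can read it.
  system.fsPackages = [ pkgs.sshfs ];
  programs.fuse.userAllowOther = true;
  fileSystems."/mnt/storagebox" = {
    device = "u123456@u123456.your-storagebox.de:/home";
    fsType = "sshfs";
    options = [ "allow_other" "_netdev" "reconnect" "ServerAliveInterval=15"
                "IdentityFile=/persistent/ssh/storagebox_ed25519" "x-systemd.automount" ];
  };

  # Host nginx terminates TLS and forwards to the container's private address.
  security.acme = { acceptTerms = true; defaults.email = "admin@example.org"; };
  services.nginx = {
    enable = true;
    virtualHosts."cloud.example.org" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://192.168.100.11";
    };
  };
  networking.nat = { enable = true; internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; };

  containers.nextcloud = {
    autoStart = true;
    ephemeral = true;          # root fs is discarded on restart; only bindMounts persist
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    bindMounts = {
      "/var/lib/nextcloud"  = { hostPath = "/persistent/nextcloud/state"; isReadOnly = false; };
      "/var/lib/postgresql" = { hostPath = "/persistent/nextcloud/postgresql"; isReadOnly = false; };
      "/mnt/data"           = { hostPath = "/mnt/storagebox/nextcloud-data"; isReadOnly = false; };
      "/var/lib/nextcloud-secrets".hostPath = "/persistent/nextcloud/secrets";  # read-only
    };
    config = { ... }: {
      services.nextcloud = {
        enable = true;
        package = pkgs.nextcloud29;        # pin explicitly; pick the release you run
        hostName = "cloud.example.org";
        datadir = "/mnt/data";             # user files on the Storage Box, DB stays local
        configureRedis = true;
        database.createLocally = true;
        config = { dbtype = "pgsql"; adminpassFile = "/var/lib/nextcloud-secrets/adminpass"; };
        settings = { trusted_proxies = [ "192.168.100.10" ]; overwriteprotocol = "https"; };
      };
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "24.05";
    };
  };
}
```

Because the database lives in a bind-mounted host directory rather than on the SSHFS mount, restarting the ephemeral container keeps PostgreSQL state while avoiding the network-share locking problems discussed further down the thread.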


Isn’t it already encrypted with SSHFS?

It’s encrypted in transit but not at rest as I understand.

Ah, right, now I got it.
If you want to protect your data from the provider or an attacker, the Nextcloud end-to-end encryption is probably your best bet, since you don’t fully control the server.
This way even the server doesn’t know the data.

There’s actual E2E now? I only know of the builtin encryption module, that isn’t e2e though. To quote https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html:

Encryption and decryption are performed on the Nextcloud server

In fact I even decrypted Nextcloud files by hand with the key files from a server once (because Nextcloud failed to decrypt everything on said server for… reasons. That’s a longer story).

This only makes sense if you use e.g. Amazon S3 as storage provider: then, you only store encrypted stuff in S3 and the keys are on the server under your control.

For a while now it seems.
But only on a per folder basis.

Unfortunately, this does not work for me. I get the same authorization problems as before. A very simple question: how does a network drive have to be mounted for “services.mysql.dataDir” to work, for example?

I don’t know what goes on under the hood in terms of sandboxing and permissions… I didn’t put the database on the network drive because it’s relatively small, just the Nextcloud data directory.

I know, but still I would prefer that anyone with physical access to the Storage Box can’t see any information. Right now there is still a directory structure, but the contents are encrypted. End-to-end is nice, but it’s practical to have everything in there.

This is really frustrating and for me a showstopper. I want my important data on my redundant RAID. My server has only a small SSD. The MySQL database is the core of Nextcloud. I also tried just to put the nextcloud.data on the network share. No success. But thanks anyway.

Databases really don’t like network shares because of locking issues that can lead to corruption.
When I looked into it, a lot of guides recommended iSCSI or some Kubernetes-grade storage.
Something like NFS or SMB is not recommended, and I personally haven’t risked it yet myself.


That is frustrating! Sorry

Another mildly frustrating thing: some apps don’t work, I get 404 errors in the console. Examples are bookmarks, polls, collectives… They show up in the toolbar, but their icon doesn’t load, and if I click on it I get an empty page with the Nextcloud background.

nice! how are you deploying this now?

Pet manual right now, just using SSH in the terminal

fair i see! i’ve been interested in deploying nixos to hetzner as well. i’m now tinkering a bit to do a declarative deploy there using terraform/opentofu.


Nice, let me know if it works out! I’ve been looking at NixOps, but maybe at a later point. What’s annoying is the initial setup, because Hetzner doesn’t offer a NixOS image, so I have to do a manual install via the command line. Perhaps there’s also a better way to do it with disko.


i found hetzner configs both with and without disko, so maybe that can mostly add e.g. impermanence (if possible given in hetzner’s qemu setting?).

as mentioned on the wiki, it looks like some people have been using nixos-infect to install nixos there. that also seems the approach used by terranix-hcloud and teraflops to deploy nixos there now. for what it’s worth, here’s a few references on nixos on hetzner.

on hetzner images, they support hashicorp packer, which someone seems to have used with nixos there already before. a next step would seem for those deployment tools to switch to that.
