summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2017-01-08 12:42:39 +0100
committermakefu <github@syntax-fehler.de>2017-01-08 12:45:14 +0100
commitd9b5974d02389eeaf3b29e0a60be9e9443b7585b (patch)
tree2ab3a45124e150522ad6f361f3691de70465e7ff
parent137cef757991c99aca9991e30c6ff680c3692910 (diff)
m 2 deployment: init owncloud
-rw-r--r--makefu/2configs/deployment/owncloud.nix145
1 files changed, 145 insertions, 0 deletions
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix
new file mode 100644
index 000000000..d692ef72d
--- /dev/null
+++ b/makefu/2configs/deployment/owncloud.nix
@@ -0,0 +1,145 @@
+{ lib, pkgs, config, ... }:
+with lib;
+
+let
+ # TODO: copy-paste from lass/2/websites/util.nix
+ serveCloud = domains:
+ let
+ domain = head domains;
+ root = "/var/www/${domain}/";
+ socket = "/var/run/${domain}-phpfpm.sock";
+ in {
+ system.activationScripts."prepare-nextcloud-${domain}" = ''
+ if test ! -e ${root} ;then
+ echo "copying latest ${pkgs.owncloud.name} release to ${root}"
+ mkdir -p $(dirname "${root}")
+ cp -r ${pkgs.owncloud} "${root}"
+ chown -R nginx:nginx "${root}"
+ chmod 770 "${root}"
+ fi
+ '';
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
+ extraConfig = ''
+
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+
+ # Path to the root of your installation
+ root ${root};
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+ fastcgi_read_timeout 120;
+
+ # Disable gzip to avoid the removal of the ETag header
+ gzip off;
+
+ # Uncomment if your server is build with the ngx_pagespeed module
+ # This module is currently not supported.
+ #pagespeed off;
+
+ index index.php;
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
+
+ # The following 2 rules are only needed for the user_webfinger app.
+ # Uncomment it if you're planning to use this app.
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+ '';
+ locations."/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+ deny all;
+ '';
+
+ locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
+ deny all;
+ '';
+
+ locations."/".extraConfig = ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:${socket};
+ fastcgi_intercept_errors on;
+ '';
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) block
+ locations."~* \.(?:css|js)$".extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ '';
+ # Optional: Don't log access to other assets
+ locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+ access_log off;
+ '';
+ };
+ services.phpfpm.poolConfigs."${domain}" = ''
+ listen = ${socket}
+ user = nginx
+ group = nginx
+ pm = dynamic
+ pm.max_children = 32
+ pm.max_requests = 500
+ pm.start_servers = 2
+ pm.min_spare_servers = 2
+ pm.max_spare_servers = 5
+ listen.owner = nginx
+ listen.group = nginx
+ php_admin_value[error_log] = 'stderr'
+ php_admin_flag[log_errors] = on
+ env[PATH] = ${lib.makeBinPath [ pkgs.php ]}
+ catch_workers_output = yes
+ '';
+ };
+in {
+ imports = [
+ ( serveCloud [ "o.euer.krebsco.de" ] )
+ ];
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
+ };
+
+ krebs.secret.files.mysql_rootPassword = {
+ path = "${config.services.mysql.dataDir}/mysql_rootPassword";
+ owner.name = "root";
+ source-path = toString <secrets> + "/mysql_rootPassword";
+ };
+}