Re: [Nix-dev] how to successfully install owncloud/nextcloud
schneefux+nixos_l...@schneefux.xyz writes:

> The Owncloud NixOS module hasn't been updated in a year, was written for
> Owncloud 7 and requires Apache, PostgreSQL and phpfpm. I use neither of
> those things.
> In my opinion, you don't need a NixOS module for every possible
> combination of web server, database and CGI as one module already has
> more lines of code than a simple more flexible configuration.

I agree with that: one version that works would be good enough, maybe one variant / option with sqlite wouldn't hurt, because some people don't like to make database dumps or have to fight with password protection and stuff like that. But I would not have complained about that if it had just worked magically with a few lines of code pasted into configuration.nix and a nixos-rebuild; maybe I fucked something up, but it did not work here.

>> Is that ssl stuff you do stateless? Or is that even possible with ssl?
>> You don't use the usual lets-encrypt script, it's in nixos as a package too
>> I believe, but you do that manually? Or do you not even request a cert?
>
> You don't have to do anything except `nixos-rebuild switch` if that's
> what you mean… The state is saved in `/var/lib/acme`, so on a different
> computer or a different domain you'll have a different SSL certificate.

But after the first initialisation, let's say the hard disk is defective and I have only the configuration.nix and a db dump or sqlite file: do I have to save the acme folder, or does letsencrypt give out a new key for the domain? Or does it send you the old key after it has checked somehow that you are legit?

> SSL doesn't compress.

Sorry, I meant encrypt.

> nginx's `gzip on;` does. Plus you probably want `expires 1d;` for
> client-side caching.

ok...

>> I mean why don't we do that then with ssh, why do we blindly trust that
>> we connect to the right host, spoofing would be possible there too?
>
> There is a way around that. You can enable certificate pinning and HTTP
> public key pinning (here the example with nginx):
> ```nginx
> add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
> add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=5184000; includeSubDomains';
> ```
> The public key pin is only valid for Let's Encrypt certificates.

And how does that relate to what I said about ssh?

> Well… someone needs to write the code in their free time.

I did not want to troll or something; it's more frustration about webservers and stuff like that, not about the nix contributors, if that's what you understood.

> Yes. :)

Great!

> You might want to change some things. (Here's the gist again:
> https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271)
>
> I'll give you a quick walkthrough from top to bottom…

Thanks, I have to read that again when I have more time and it gets more relevant to me again.

> Set `config.networking.domain` to your domain somewhere.
> There may be typos in the gist.

That's the problem: I often want ssl activated when I use the servers internally. Maybe dumb, I should maybe probably use http internally :)

> On the command line, you need to create a MySQL user and table for
> Nextcloud (or set
> `services.mysql.initialDatabases = [ { name="nextcloud", schema="" } ];
> services.mysql.initialScript =
> "scriptthatcreatesnextclouduser.sql";`).

Does that create the users? Why schema=""? Ahh sorry, the script. Yes, that sounds legit; it would be nice if that sql file were configurable or included in nixos so dummies like me don't have to think too much :) Especially if you don't support all dbs it can be a bit tricky, especially since most other stuff is so easy in nixos :) OR put at least something like that as a comment into the nix file :)

Well, the problem was also that the default owncloud package used postgres; in the past I used mysql more, so I was not exactly sure about the internals. Maybe something in the wiki would be good? Don't know, if you don't have time for that I understand :)

> Then create `/var/lib/nextcloud`, drop your `config.php` there and don't
> forget to set `'datadirectory' => '/var/lib/nextcloud/data'`.

Drop it? Doesn't it install such a version? You mean maybe rename and edit it?

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] how to successfully install owncloud/nextcloud
Sorry, I wrote two mails from different addresses because one was stuck in the moderation queue.

> Funny that there are so many good solutions in user
> repositories but nothing gets merged into master.
>
> owncloud/nextcloud is not some random exotic software, it should have some
> priority for nixos, and it's not that kolab or other stuff is better
> integrated so that people could feel there is no need for that.

The Owncloud NixOS module hasn't been updated in a year, was written for Owncloud 7 and requires Apache, PostgreSQL and phpfpm. I use neither of those things.

In my opinion, you don't need a NixOS module for every possible combination of web server, database and CGI as one module already has more lines of code than a simple, more flexible configuration.

> And it would be good if that
> part would work without doing stuff manually and it would be basically stateless
> (more or less).
>
> Is that ssl stuff you do stateless? Or is that even possible with ssl?
> You don't use the usual lets-encrypt script, it's in nixos as a package too
> I believe, but you do that manually? Or do you not even request a cert?

You don't have to do anything except `nixos-rebuild switch` if that's what you mean… The state is saved in `/var/lib/acme`, so on a different computer or a different domain you'll have a different SSL certificate.

> Sorry, I am a bit of an ssl noob, got it 1 2x somehow running but it makes
> not much sense to me :) ssh is much easier to use than this, and I
> think it's primarily pitched to the needs of corporations, not so much for
> normal users that want a small server, where compression is the primary
> purpose instead of identity proof.

SSL doesn't compress. nginx's `gzip on;` does. Plus you probably want `expires 1d;` for client-side caching.

> I mean why don't we do that then with ssh, why do we blindly trust that
> we connect to the right host, spoofing would be possible there too?

There is a way around that. You can enable certificate pinning and HTTP public key pinning (here the example with nginx):

```nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=5184000; includeSubDomains';
```

The public key pin is only valid for Let's Encrypt certificates.

> Well whatever, webserver configuration sucks, I should not wonder if
> nixos can't dumb that down so that you add some lines of code and then
> nixos-rebuild switch just does everything automatically, including the
> cert part.

Well… someone needs to write the code in their free time.

> Or does your solution do that?

Yes. :)

You might want to change some things. (Here's the gist again: https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271)

I'll give you a quick walkthrough from top to bottom…

* security.acme.…: Generate Let's Encrypt certificates readable by any user that belongs to the group "ssl", add "nginx" to "ssl".
* systemd.services.gendhparams: It is advised to generate fresh Diffie Hellman parameters regularly but you don't need to.
* services.mysql: Enable MariaDB.
* systemd.services.nextcloudcron: Runs the Nextcloud cron and the newsupdater. You don't need to, Nextcloud can use a builtin cron.
* services.nginx:
  * gzip_*: Enable compression, compress as much as possible.
  * ssl_*, add_header_*, ssl_*: Recommended SSL settings to get an A/A+ in the SSL Labs [test](https://www.ssllabs.com/ssltest/). You need at least the ssl_certificate configuration.
  * server block
    * Redirect everything from cloud.yourdomain.net to HTTPS.
  * server block
    * Listen on the SSL port with HTTP2.
    * Serve files from the Nextcloud package root directory.
    * Then follows the recommended Nextcloud nginx configuration found [here](https://docs.nextcloud.com/server/9/admin_manual/installation/nginx_nextcloud_9x.html).
    * Except that the include needs to be ${pkgs.nginx}/conf/fastcgi.conf and you need to pass `fastcgi_param NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config`.
    * In the gist I used uwsgi instead of phpfpm. If you don't know what you're doing, use phpfpm ;) See [here](https://github.com/bjornfor/nixpkgs/blob/nixos-nextcloud/nixos/modules/services/web-servers/lighttpd/nextcloud.nix#L101) on how to configure phpfpm.

Set `config.networking.domain` to your domain somewhere. There may be typos in the gist.

On the command line, you need to create a MySQL user and table for Nextcloud (or set `services.mysql.initialDatabases = [ { name="nextcloud", schema="" } ]; services.mysql.initialScript = "scriptthatcreatesnextclouduser.sql";`).

Then create `/var/lib/nextcloud`, drop your `config.php` there and don't forget to set `'datadirectory' => '/var/lib/nextcloud/data'`.

> Thanks for your contributions/help, make nixos great (again) :)

You're welcome :)
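An added example, not part of the thread or schneefux's gist: stdlib-only Python that parses and sanity-checks the two header values from the nginx snippet above, flags the single-pin misconfiguration that locks clients out for the whole max-age, and derives a pin-sha256 from a PEM public key; the 180-day HSTS floor is an assumed local policy.

```python
# Added example (not from the thread or the gist): stdlib-only HSTS/HPKP header checks; thresholds are assumptions.
import base64
import binascii
import hashlib

def parse_directives(value: str):
    """Split 'max-age=N; includeSubDomains; pin-sha256="..."' into a
    {directive: value} map (names lower-cased) and the list of pins."""
    directives, pins = {}, []
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name:
            directives[name] = val
    return directives, pins

def is_sha256_pin(pin: str) -> bool:
    """A pin must be the base64 of a 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check_hsts(value: str, min_age: int = 15552000) -> list:
    """Problems with a Strict-Transport-Security value (min_age: assumed policy)."""
    d, _ = parse_directives(value)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not numeric")
    elif int(d["max-age"]) < min_age:
        problems.append("max-age below policy minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return problems

def check_hpkp(value: str) -> list:
    """Problems with a Public-Key-Pins value. RFC 7469 requires a backup pin
    (so at least two): with one pin, rotating the key locks clients out."""
    d, pins = parse_directives(value)
    problems = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not numeric")
    problems += ["malformed pin: " + p for p in pins if not is_sha256_pin(p)]
    if len(pins) < 2:
        problems.append("fewer than two pins: no backup pin, lockout risk")
    return problems

def spki_pin(pem_public_key: str) -> str:
    """pin-sha256 of a '-----BEGIN PUBLIC KEY-----' block: the base64 body is
    the DER SubjectPublicKeyInfo, which is exactly what HPKP hashes."""
    body = "".join(ln for ln in pem_public_key.splitlines() if "-----" not in ln)
    return base64.b64encode(hashlib.sha256(base64.b64decode(body)).digest()).decode()

# Header values from the nginx snippet in the thread.
HSTS = "max-age=63072000; includeSubDomains; preload"
HPKP = ('pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; '
        'max-age=5184000; includeSubDomains')
```

Major browsers have since dropped HPKP support, so the Public-Key-Pins check only matters for legacy clients that still honour the header; the HSTS check is still current.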
Re: [Nix-dev] how to successfully install owncloud/nextcloud
schneefux writes:

>> I am using 16.09 but have serious problems getting owncloud running,
>> first I find it irritating that only postgresql is supported but ok I
>> can accept that at least for now.
>
> here is how I use it with Let's encrypt, nginx and uwsgi:
> https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271
>
> I hope that helps.
>
> ~ schneefux

Hi, yes I like it. Yesterday I self-signed it manually for me on my pc, just to play with it; I use it internally only on my machine anyway (can't replace the stupid cable router from my provider, last time I tried I had 4 days no internet. And there port forwarding is a nightmare, dslite or something, and a shitty firmware).

But it's for somebody else where I need ssl. And it would be good if that part would work without doing stuff manually and it would be basically stateless (more or less).

Is that ssl stuff you do stateless? Or is that even possible with ssl? You don't use the usual lets-encrypt script, it's in nixos as a package too I believe, but you do that manually? Or do you not even request a cert?

Sorry, I am a bit of an ssl noob, got it 1 2x somehow running but it makes not much sense to me :) ssh is much easier to use than this, and I think it's primarily pitched to the needs of corporations, not so much for normal users that want a small server, where compression is the primary purpose instead of identity proof.

I mean why don't we do that then with ssh, why do we blindly trust that we connect to the right host, spoofing would be possible there too?

Well whatever, webserver configuration sucks, I should not wonder if nixos can't dumb that down so that you add some lines of code and then nixos-rebuild switch just does everything automatically, including the cert part. Or does your solution do that?

Sorry, maybe I got a bit OT, just no real fan of the current web architecture, would prefer protocols like nntp and imap with client-based keybindings / ui for web stuff over html/js/css stuff, but I guess for imap you have the same ssl problems :) Funny enough you can still send a mail over telnet from, as an example, a google server with a sender mail from somebody else, at least that worked last time I checked. But hell, I get even more OT now.

Thanks for your contributions/help, make nixos great (again) :)
Re: [Nix-dev] how to successfully install owncloud/nextcloud
On 18 October 2016 at 20:45, Stefan Huchler wrote:
> Funny that there are so many good solutions in user
> repositories but nothing gets merged into master.
>
> owncloud/nextcloud is not some random exotic software, it should have some
> priority for nixos, and it's not that kolab or other stuff is better
> integrated so that people could feel there is no need for that.

PR for Nextcloud + Lighttpd: https://github.com/NixOS/nixpkgs/pull/19703

Best regards,
Bjørn Forsman
Re: [Nix-dev] how to successfully install owncloud/nextcloud
schneefux writes:

> Hello Stefan,
>
> On 14.10.2016 17:14, Stefan Huchler wrote:
>> I am using 16.09 but have serious problems getting owncloud running,
>> first I find it irritating that only postgresql is supported but ok I
>> can accept that at least for now.
>
> here is how I use it with Let's encrypt, nginx and uwsgi - without the
> NixOS Owncloud module:
> https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271
>
> I hope that helps.
>
> ~ schneefux

Well, I went with the lighttpd solution for now, but nice to have another alternative.

Funny that there are so many good solutions in user repositories but nothing gets merged into master.

owncloud/nextcloud is not some random exotic software, it should have some priority for nixos, and it's not that kolab or other stuff is better integrated so that people could feel there is no need for that.
Re: [Nix-dev] how to successfully install owncloud/nextcloud
Hello Stefan,

On 14.10.2016 17:14, Stefan Huchler wrote:
> I am using 16.09 but have serious problems getting owncloud running,
> first I find it irritating that only postgresql is supported but ok I
> can accept that at least for now.

here is how I use it with Let's encrypt, nginx and uwsgi - without the NixOS Owncloud module:
https://gist.github.com/schneefux/22b75d2bd3e4e754ba1684f1d1e93271

I hope that helps.

~ schneefux
Re: [Nix-dev] how to successfully install owncloud/nextcloud
StartSSL/StartCom/WoSign has recently come under fire for some insecure practices in handling of certificates. [0] There is a risk those certs won't be trusted in major browsers in the near future. Also, their site is sort of a pain.

Let's Encrypt [1] is standing on much better security ground, and is generally well liked by browsers (Mozilla had a hand in its creation). They are also free. I'd recommend using them.

[0]: https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview
[1]: https://letsencrypt.org/

On Fri, Oct 14, 2016 at 11:21 AM Bjørn Forsman wrote:
> On 14 October 2016 at 20:06, Stefan Huchler wrote:
> > Hello Bjorn,
> >
> > thanks, that looks interesting, worked and as easy as I expect it from
> > nixos :)
> >
> > One more thing: how difficult would it be to add https?
>
> The most difficult part (IMHO) is getting the certificate :-)
>
> I use something like:
>
> services.lighttpd.extraConfig = ''
>   # Lighttpd SSL/HTTPS documentation:
>   # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
>
>   $HTTP["host"] == "myserver.example" {
>     $SERVER["socket"] == ":443" {
>       ssl.engine = "enable"
>       ssl.pemfile = "/etc/lighttpd/certs/myserver.example.pem"
>       ssl.ca-file = "/etc/lighttpd/certs/1_Intermediate.crt"
>     }
>
>     # Force https scheme for nextcloud
>     $HTTP["scheme"] == "http" {
>       $HTTP["url"] =~ "^/nextcloud" {
>         url.redirect = ("^/.*" => "https://myserver.example$0")
>       }
>     }
>   }
> '';
>
> You can get a free certificate from startssl.com (that's what I use).
>
> Best regards,
> Bjørn Forsman
Re: [Nix-dev] how to successfully install owncloud/nextcloud
On 14 October 2016 at 20:06, Stefan Huchler wrote:
> Hello Bjorn,
>
> thanks, that looks interesting, worked and as easy as I expect it from
> nixos :)
>
> One more thing: how difficult would it be to add https?

The most difficult part (IMHO) is getting the certificate :-)

I use something like:

```nix
services.lighttpd.extraConfig = ''
  # Lighttpd SSL/HTTPS documentation:
  # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

  $HTTP["host"] == "myserver.example" {
    $SERVER["socket"] == ":443" {
      ssl.engine = "enable"
      ssl.pemfile = "/etc/lighttpd/certs/myserver.example.pem"
      ssl.ca-file = "/etc/lighttpd/certs/1_Intermediate.crt"
    }

    # Force https scheme for nextcloud
    $HTTP["scheme"] == "http" {
      $HTTP["url"] =~ "^/nextcloud" {
        url.redirect = ("^/.*" => "https://myserver.example$0")
      }
    }
  }
'';
```

You can get a free certificate from startssl.com (that's what I use).

Best regards,
Bjørn Forsman
Re: [Nix-dev] how to successfully install owncloud/nextcloud
Hello Bjorn,

thanks, that looks interesting, worked and as easy as I expect it from nixos :)

One more thing: how difficult would it be to add https?

> As a workaround, if you can live with lighttpd + nextcloud + sqlite3,
> you can try this module:
>
> https://github.com/bjornfor/nixos-config/blob/master/modules/nextcloud.nix
>
> Use it like:
>
> services.lighttpd = {
>   enable = true;
>   nextcloud.enable = true;
> };
>
> It's on my "todo" to submit it to nixpkgs.
>
> Best regards,
> Bjørn Forsman
Re: [Nix-dev] how to successfully install owncloud/nextcloud
On 14 October 2016 at 17:14, Stefan Huchler wrote:
> I am using 16.09 but have serious problems getting owncloud running,
> first I find it irritating that only postgresql is supported but ok I
> can accept that at least for now.

As a workaround, if you can live with lighttpd + nextcloud + sqlite3, you can try this module:

https://github.com/bjornfor/nixos-config/blob/master/modules/nextcloud.nix

Use it like:

```nix
services.lighttpd = {
  enable = true;
  nextcloud.enable = true;
};
```

It's on my "todo" to submit it to nixpkgs.

Best regards,
Bjørn Forsman
[Nix-dev] how to successfully install owncloud/nextcloud
I am using 16.09 but have serious problems getting owncloud running; first I find it irritating that only postgresql is supported, but ok, I can accept that at least for now.

But I can't get it running; sadly there is no wiki entry for that either and no example code in any nix file. But the service extra package modules are there, so I guess that it worked for someone at one point?

```nix
services.postgresql = {
  enable = true;
  authentication = "local all all trust";
};

services.httpd = {
  enable = true;
  adminAddr = "ad...@example.org";
  extraSubservices = [
    {
      serviceType = "owncloud";
      package = pkgs.owncloud91;
      dbPassword = "test";
      adminPassword = "test";
    }
  ];
};
```

Maybe I did not use the package version first, so it installed an older version first? But I don't think that's the problem. I deleted /var/db/postgres and then started postgres again to maybe reset it, in the hope it would initialize successfully, but it did not. It seems like it does not automatically create the owncloud db, but even if I try to manually create that db it fails.

Here is the failure with a fresh, clean postgresql:

```
Oct 14 17:02:10 mars httpd-pre-start[28048]: chown: cannot access '/var/lib/owncloud/owncloud.log': No such file or directory
Oct 14 17:02:10 mars sudo[28296]: root : TTY=unknown ; PWD=/ ; USER=postgres ; COMMAND=/nix/store/q16vp0nys9cbbai7mks7zw7wmyzfbwx4-postgresql-9.5.4/bin/psql -h /tmp -U postgres -d owncloud -Atw -c INSERT INTO groups (gid) values('admin'); INSERT INTO users (uid,password) values('owncloud','a94a8fe5ccb19ba61c4c0873d391e987982fbbd3'); INSERT INTO group_user (gid,uid) values('admin','owncloud');
```