pyrox.dev
1# Nextcloud {#module-services-nextcloud}
2
3[Nextcloud](https://nextcloud.com/) is an open-source,
4self-hostable cloud platform. The server setup can be automated using
5[services.nextcloud](#opt-services.nextcloud.enable). A
6desktop client is packaged at `pkgs.nextcloud-client`.
7
8The current default by NixOS is `nextcloud26` which is also the latest
9major version available.
10
11## Basic usage {#module-services-nextcloud-basic-usage}
12
13Nextcloud is a PHP-based application which requires an HTTP server
14([`services.nextcloud`](#opt-services.nextcloud.enable)
15and optionally supports
16[`services.nginx`](#opt-services.nginx.enable)).
17
18For the database, you can set
19[`services.nextcloud.config.dbtype`](#opt-services.nextcloud.config.dbtype) to
20either `sqlite` (the default), `mysql`, or `pgsql`. The simplest is `sqlite`,
21which will be automatically created and managed by the application. For the
22last two, you can easily create a local database by setting
23[`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally)
24to `true`, Nextcloud will automatically be configured to connect to it through
25socket.
26
27A very basic configuration may look like this:
28```
29{ pkgs, ... }:
30{
31 services.nextcloud = {
32 enable = true;
33 hostName = "nextcloud.tld";
34 database.createLocally = true;
35 config = {
36 dbtype = "pgsql";
37 adminpassFile = "/path/to/admin-pass-file";
38 };
39 };
40
41 networking.firewall.allowedTCPPorts = [ 80 443 ];
42}
43```
44
45The `hostName` option is used internally to configure an HTTP
46server using [`PHP-FPM`](https://php-fpm.org/)
47and `nginx`. The `config` attribute set is
48used by the imperative installer and all values are written to an additional file
49to ensure that changes can be applied by changing the module's options.
50
51In case the application serves multiple domains (those are checked with
52[`$_SERVER['HTTP_HOST']`](http://php.net/manual/en/reserved.variables.server.php))
53it's needed to add them to
54[`services.nextcloud.config.extraTrustedDomains`](#opt-services.nextcloud.config.extraTrustedDomains).
55
56Auto updates for Nextcloud apps can be enabled using
57[`services.nextcloud.autoUpdateApps`](#opt-services.nextcloud.autoUpdateApps.enable).
58
59## Common problems {#module-services-nextcloud-pitfalls-during-upgrade}
60
61 - **General notes.**
62 Unfortunately Nextcloud appears to be very stateful when it comes to
63 managing its own configuration. The config file lives in the home directory
64 of the `nextcloud` user (by default
65 `/var/lib/nextcloud/config/config.php`) and is also used to
66 track several states of the application (e.g., whether installed or not).
67
68 All configuration parameters are also stored in
69 {file}`/var/lib/nextcloud/config/override.config.php` which is generated by
70 the module and linked from the store to ensure that all values from
71 {file}`config.php` can be modified by the module.
72 However {file}`config.php` manages the application's state and shouldn't be
73 touched manually because of that.
74
75 ::: {.warning}
76 Don't delete {file}`config.php`! This file
77 tracks the application's state and a deletion can cause unwanted
78 side-effects!
79 :::
80
81 ::: {.warning}
82 Don't rerun `nextcloud-occ maintenance:install`!
83 This command tries to install the application
84 and can cause unwanted side-effects!
85 :::
86 - **Multiple version upgrades.**
87 Nextcloud doesn't allow to move more than one major-version forward. E.g., if you're on
88 `v16`, you cannot upgrade to `v18`, you need to upgrade to
89 `v17` first. This is ensured automatically as long as the
90 [stateVersion](#opt-system.stateVersion) is declared properly. In that case
91 the oldest version available (one major behind the one from the previous NixOS
92 release) will be selected by default and the module will generate a warning that reminds
93 the user to upgrade to latest Nextcloud *after* that deploy.
94 - **`Error: Command "upgrade" is not defined.`**
95 This error usually occurs if the initial installation
96 ({command}`nextcloud-occ maintenance:install`) has failed. After that, the application
97 is not installed, but the upgrade is attempted to be executed. Further context can
98 be found in [NixOS/nixpkgs#111175](https://github.com/NixOS/nixpkgs/issues/111175).
99
100 First of all, it makes sense to find out what went wrong by looking at the logs
101 of the installation via {command}`journalctl -u nextcloud-setup` and try to fix
102 the underlying issue.
103
104 - If this occurs on an *existing* setup, this is most likely because
105 the maintenance mode is active. It can be deactivated by running
106 {command}`nextcloud-occ maintenance:mode --off`. It's advisable though to
107 check the logs first on why the maintenance mode was activated.
108 - ::: {.warning}
109 Only perform the following measures on
110 *freshly installed instances!*
111 :::
112
113 A re-run of the installer can be forced by *deleting*
114 {file}`/var/lib/nextcloud/config/config.php`. This is the only time
115 advisable because the fresh install doesn't have any state that can be lost.
116 In case that doesn't help, an entire re-creation can be forced via
117 {command}`rm -rf ~nextcloud/`.
118
119 - **Server-side encryption.**
120 Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html).
121 This is not an end-to-end encryption, but can be used to encrypt files that will be persisted
122 to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3
123 for PHP's openssl extension and **Nextcloud 25 or older** because this is implemented using the
124 legacy cipher RC4. For Nextcloud26 this isn't relevant anymore, because Nextcloud has an RC4 implementation
125 written in native PHP and thus doesn't need `ext-openssl` for that anymore.
126 If [](#opt-system.stateVersion) is *above* `22.05`,
127 this is disabled by default. To turn it on again and for further information please refer to
128 [](#opt-services.nextcloud.enableBrokenCiphersForSSE).
129
130## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd}
131
132By default, `nginx` is used as reverse-proxy for `nextcloud`.
133However, it's possible to use e.g. `httpd` by explicitly disabling
134`nginx` using [](#opt-services.nginx.enable) and fixing the
135settings `listen.owner` & `listen.group` in the
136[corresponding `phpfpm` pool](#opt-services.phpfpm.pools).
137
138An exemplary configuration may look like this:
139```
140{ config, lib, pkgs, ... }: {
141 services.nginx.enable = false;
142 services.nextcloud = {
143 enable = true;
144 hostName = "localhost";
145
146 /* further, required options */
147 };
148 services.phpfpm.pools.nextcloud.settings = {
149 "listen.owner" = config.services.httpd.user;
150 "listen.group" = config.services.httpd.group;
151 };
152 services.httpd = {
153 enable = true;
154 adminAddr = "webmaster@localhost";
155 extraModules = [ "proxy_fcgi" ];
156 virtualHosts."localhost" = {
157 documentRoot = config.services.nextcloud.package;
158 extraConfig = ''
159 <Directory "${config.services.nextcloud.package}">
160 <FilesMatch "\.php$">
161 <If "-f %{REQUEST_FILENAME}">
162 SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost/"
163 </If>
164 </FilesMatch>
165 <IfModule mod_rewrite.c>
166 RewriteEngine On
167 RewriteBase /
168 RewriteRule ^index\.php$ - [L]
169 RewriteCond %{REQUEST_FILENAME} !-f
170 RewriteCond %{REQUEST_FILENAME} !-d
171 RewriteRule . /index.php [L]
172 </IfModule>
173 DirectoryIndex index.php
174 Require all granted
175 Options +FollowSymLinks
176 </Directory>
177 '';
178 };
179 };
180}
181```
182
183## Installing Apps and PHP extensions {#installing-apps-php-extensions-nextcloud}
184
185Nextcloud apps are installed statefully through the web interface.
186Some apps may require extra PHP extensions to be installed.
187This can be configured with the [](#opt-services.nextcloud.phpExtraExtensions) setting.
188
189Alternatively, extra apps can also be declared with the [](#opt-services.nextcloud.extraApps) setting.
190When using this setting, apps can no longer be managed statefully because this can lead to Nextcloud updating apps
191that are managed by Nix. If you want automatic updates it is recommended that you use web interface to install apps.
192
193## Maintainer information {#module-services-nextcloud-maintainer-info}
194
195As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud
196since it cannot move more than one major version forward on a single upgrade. This chapter
197adds some notes how Nextcloud updates should be rolled out in the future.
198
199While minor and patch-level updates are no problem and can be done directly in the
200package-expression (and should be backported to supported stable branches after that),
201major-releases should be added in a new attribute (e.g. Nextcloud `v19.0.0`
202should be available in `nixpkgs` as `pkgs.nextcloud19`).
203To provide simple upgrade paths it's generally useful to backport those as well to stable
204branches. As long as the package-default isn't altered, this won't break existing setups.
205After that, the versioning-warning in the `nextcloud`-module should be
206updated to make sure that the
207[package](#opt-services.nextcloud.package)-option selects the latest version
208on fresh setups.
209
210If major-releases will be abandoned by upstream, we should check first if those are needed
211in NixOS for a safe upgrade-path before removing those. In that case we should keep those
212packages, but mark them as insecure in an expression like this (in
213`<nixpkgs/pkgs/servers/nextcloud/default.nix>`):
214```
215/* ... */
216{
217 nextcloud17 = generic {
218 version = "17.0.x";
219 sha256 = "0000000000000000000000000000000000000000000000000000";
220 eol = true;
221 };
222}
223```
224
225Ideally we should make sure that it's possible to jump two NixOS versions forward:
226i.e. the warnings and the logic in the module should guard a user to upgrade from a
227Nextcloud on e.g. 19.09 to a Nextcloud on 20.09.