<!DOCTYPE html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" /><meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." /><link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" /><a rel="me" href="https://fosstodon.org/@thegnuguy"></a><link type="text/css" href="css/footer.min.css" rel="stylesheet"></link><link type="text/css" href="css/header.min.css" rel="stylesheet"></link><link type="text/css" href="css/main.min.css" rel="stylesheet"></link><title>Nextcloud and Guix System Server — GNUcode.me</title></head><body><header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="about.html">About</a></li><li><a href="business-ideas.html">Business-ideas</a></li></ul></nav></header><h1>Nextcloud and Guix System Server</h1><main><section class="basic-section-padding"><article><h3>by Joshua Branson — February 22, 2023</h3><div><p>So I have wanted to run <a href="https://nextcloud.com/">nextcloud</a> for a while now. In my humble opinion, guix
system makes maintaining websites super easy, so I would prefer to run nextcloud
on guix system. Unfortunately, nextcloud will NOT be packaged in guix anytime
soon for two reasons:</p><ol><li>Guix does not currently have a php build system or any php packages, though
there is an 80% completed <a href="https://issues.guix.gnu.org/42338">work-in-progress issue.</a> So the php bits of nextcloud
cannot be packaged properly.</li><li>Nextcloud has a lot of javascript dependencies, and javascript is <a href="https://dustycloud.org/blog/javascript-packaging-dystopia/">notoriously
hard to package for guix.</a></li></ol><p>It seems like the easiest way to currently run nextcloud on guix system is by
using the <a href="https://github.com/nextcloud/all-in-one">all in one docker image.</a> Please consider this a guide to set up
running nextcloud on guix system via a linode, which currently costs me about $5
per month.</p><p>Note that while this is the easiest method to run nextcloud, apparently this
all in one docker image has some security issues:</p><blockquote><p>The AIO image mounts the Docker socket, which is a security risk since it allows
full access to other containers as well as running any new container. It’s a bad
idea and should be avoided.</p></blockquote><p>tl;dr Here are the 6 simple steps that you need to do:</p><ol><li><p>Set up a <a href="https://guix.gnu.org/en/cookbook/en/html_node/Running-Guix-on-a-Linode-Server.html#Running-Guix-on-a-Linode-Server">linode guix system server.</a> <code>info "Guix Cookbook" RET i linode RET</code>.</p></li><li><p>Buy a domain name. I use <a href="https://hover.com">hover.com</a>.</p></li><li><p>Point your domain name at your linode IP address.</p></li><li><p>Set up a basic nginx static website without encryption. This means that you
don’t want to define <code>(service certbot-service-type)</code>.</p><pre><code>sudo mkdir -p /srv/www/html/yourdomainname.com
# the command I did was this:
sudo mkdir -p /srv/www/html/the-nx.com
sudo chgrp -R users /srv
sudo chmod -R g+rwx /srv</code></pre><p>Inside your newly created directory (<em>/srv/www/html/yourdomainname.com</em>), put
a simple HTML file and call it “index.html”. You could use this:</p><pre><code>&lt;!doctype html&gt;
&lt;html class="no-js" lang=""&gt;
  &lt;head&gt;
    &lt;meta charset="utf-8"&gt;
    &lt;meta http-equiv="x-ua-compatible" content="ie=edge"&gt;
    &lt;title&gt;the nx&lt;/title&gt;
    &lt;meta name="description" content=""&gt;
    &lt;meta name="viewport" content="width=device-width, initial-scale=1"&gt;
    &lt;link rel="apple-touch-icon" href="/apple-touch-icon.png"&gt;
  &lt;/head&gt;
  &lt;body&gt;
    &lt;!--[if lt IE 8]&gt;
      &lt;p class="browserupgrade"&gt;
        You are using an &lt;strong&gt;outdated&lt;/strong&gt; browser. Please
        &lt;a href="http://browsehappy.com/"&gt;upgrade your browser&lt;/a&gt; to improve
        your experience.
      &lt;/p&gt;
    &lt;![endif]--&gt;
    &lt;p&gt;Hello!&lt;/p&gt;
  &lt;/body&gt;
&lt;/html&gt;</code></pre><p>Now set up a basic nginx configuration for a static website without
encryption. It will end up looking something like:</p><pre><code>(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (server-name '("the-nx.com"))
             (listen (list "80" "[::]:80"))
             (root "/srv/www/html/the-nx.com"))))))</code></pre><p>Now you need to reconfigure so that the <code>nginx</code> user is created:</p><p><code>sudo guix system reconfigure config.scm</code></p><p>Now, nginx is running, but you will probably need to give nginx access to
read the files in your /srv directory.</p><pre><code>sudo chown -R nginx /srv
# read and traverse only: nginx serves these files, it never needs to write them
sudo chmod -R u+rX /srv</code></pre><p>Open up a web browser and go to <a href="http://yourdomainname.com">http://yourdomainname.com</a> and check to see
that you see a basic website.</p></li><li><p>Now you need to turn your basic static website into a site that has https
support. Now you need to edit your nginx config and add in a certbot config:</p><p>Before your <code>(operating-system ...)</code> declaration, define this bit of code:</p><pre><code>(define %nginx-deploy-hook
  (program-file
   "nginx-deploy-hook"
   #~(let ((pid (call-with-input-file "/var/run/nginx/pid" read)))
       (kill pid SIGHUP))))</code></pre><p>Also make sure that you add in a <code>certbot</code> service and a modified <code>nginx</code>
service that look like this:</p><pre><code>(service certbot-service-type
         (certbot-configuration
          (email "mysubscriptions@member.fsf.org")
          (webroot "/srv/www/")
          (certificates
           (list
            (certificate-configuration
             (name "the-nx.com")
             (domains '("the-nx.com" "www.the-nx.com"))
             (deploy-hook %nginx-deploy-hook))))))
(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (server-name '("the-nx.com"))
             (listen (list "80"
                           "443 ssl http2"
                           "[::]:80"
                           "[::]:443 ssl http2")) ;; "[::]" is the IPv6 wildcard address, not "[::80]"
             (root "/srv/www/html/the-nx.com")
             (ssl-certificate "/etc/letsencrypt/live/the-nx.com/fullchain.pem")
             (ssl-certificate-key "/etc/letsencrypt/live/the-nx.com/privkey.pem")
             (locations
              (list
               (nginx-location-configuration ;; for certbot
                (uri "/.well-known")
                (body (list "root /srv/www;"))))))))))</code></pre><p>Now we will have to reconfigure again to set up certbot:</p><pre><code>sudo guix system reconfigure config.scm
# tell certbot to set up our certificates
sudo /var/lib/certbot/renew-certificates</code></pre><p>Now you should be able to go to <a href="https://yourdomainname.com">https://yourdomainname.com</a> and see your site
in glorious encrypted mode!</p></li><li><p>Modify your guix config based on my <a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/the-nx.com-current-config.scm">the-nx.com-current-config.scm</a>.
You will need to enable these services: <code>(dbus-service)</code>, <code>(service docker-service-type)</code>, <code>(elogind-service)</code>, <code>(service certbot-service-type)</code>,
and <code>(service nginx-service-type)</code>.</p></li></ol><p>I just ran this command, and my local nextcloud just started working.</p><pre><code>sudo docker run \
  --sig-proxy=false \
  --name nextcloud-aio-mastercontainer \
  --restart always \
  --publish 80:80 \
  --publish 8080:8080 \
  --publish 8443:8443 \
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  nextcloud/all-in-one:latest</code></pre><p>The following is the same quick guide as above, but has more details:</p><p>I decided to create a new linode image following the linode cookbook guide, and
I noticed a tiny error in the guide:</p><p><code>sudo apt-get install gpg</code> failed. It worked after I ran <code>sudo apt-get update</code>.</p><p>Also the basic config example needs to migrate to the new <code>&lt;swap-space&gt;</code> record.
It gave me this warning message:</p><p>/root/config.scm:11:0: warning: List elements of the field ’swap-devices’ should
now use the &lt;swap-space&gt; record, as the old method is deprecated. See “(guix)
operating-system Reference” for more details.</p><p>The cookbook guide also should probably mention that you may need to log in to
the server for the first time using linode’s weblish, and set up the root password
with <code>passwd</code>. Then set up your user password with <code>passwd &lt;username&gt;</code>.</p><p>Now that we have a basic site set up, let’s set up certbot and the nginx services:</p><pre><code>(service certbot-service-type
         (certbot-configuration
          (email "mysubscriptions@member.fsf.org")
          (webroot "/srv/www/")
          (certificates
           (list
            (certificate-configuration
             (name "the-nx.com")
             (domains '("the-nx.com" "www.the-nx.com"))
             (deploy-hook %nginx-deploy-hook))))))
(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (server-name '("the-nx.com"))
             (listen (list "80"
                           "443 ssl http2"
                           ;; IPv6 listeners left disabled here; "[::]" is the wildcard address
                           ;;"[::]:80"
                           ;;"[::]:443 ssl http2"
                           ))
             (root "/srv/www/html/the-nx.com")
             (ssl-certificate "/etc/letsencrypt/live/the-nx.com/fullchain.pem")
             (ssl-certificate-key "/etc/letsencrypt/live/the-nx.com/privkey.pem")
             (locations
              (list
               (nginx-location-configuration ;; for certbot
                (uri "/.well-known")
                (body (list "root /srv/www;"))))))))))</code></pre><p>Now let’s reconfigure and get a certbot certificate. <code>ssh</code> into the-nx.com and
run these commands:</p><pre><code>sudo guix system reconfigure the-nx.com-current-config.scm
# tell certbot to set up our certificates
sudo /var/lib/certbot/renew-certificates</code></pre><p>So now my server has a valid certificate. It is time to change the nginx
configuration to proxy incoming requests to the docker all in one image.</p><p>Ok, maybe I can use s-expressions to tell nginx to redirect all incoming traffic
to <code>the-nx.com</code> to the docker nextcloud image:</p><pre><code>(nginx-location-configuration
 (uri "/")
 (body
  (list
   ;; proxy_pass needs an upstream URL: the AIO apache container listens on the host
   ;; at APACHE_PORT (set to 9000 in the docker run command later in this post)
   "proxy_pass http://127.0.0.1:9000;\n"
   "proxy_set_header X-Real-IP $remote_addr;\n"
   "proxy_set_header Host $host;\n"
   "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n"
   "client_max_body_size 0;\n"
   "# Websocket\n"
   "proxy_http_version 1.1;\n"
   "proxy_set_header Upgrade $http_upgrade;\n")))</code></pre><p>I am going to deploy this image, and take a look at the generated nginx
configuration file. I ran this command on my T400 laptop:</p><p><code>guix deploy the-nx.com-current-config.scm</code></p><p>Well, that’s super annoying. I do not know which nginx.conf file is the right
one:</p><pre><code>find /gnu/store -name '*nginx.conf'
/gnu/store/7m1ygzqk6njn5mywqmhwbydbb2z4b9li-nginx.conf
/gnu/store/0gcfj61q4943h94jdqq7i9y0a0v9jr9q-nginx.conf
/gnu/store/4mzrp39w5i4v94kxf98gxc13ws79l88n-nginx.conf
/gnu/store/0nia2iqfw63ziasibbgq321wr9b3152n-nginx.conf
/gnu/store/pf8d0sj1yf9b2ndsbc61yj3h6rp4pck2-nginx.conf
/gnu/store/9nra62v41wsk08xf3msw5a1z35gji2gx-nginx-1.23.2/share/nginx/conf/nginx.conf
/gnu/store/4b1szfyn0snwzf3lm1snvaapk6diz3yq-nginx.conf
/gnu/store/fv5rg3nf5999vyg6qvp4sbgjysnkn1fc-nginx.conf
/gnu/store/vmjwj2zwblcz4wx2whsmxdfc7zxcgjh5-nginx.conf
/gnu/store/n3m2lihq9cjm6mxdln57q5nrbjgz53s6-nginx.conf
/gnu/store/jnl72hx0papzb42kbd1f19qx35w76lmg-nginx-1.23.2/share/nginx/conf/nginx.conf</code></pre><p>I guess I will reboot, run <code>guix system delete-generations</code> and <code>guix gc</code>, and
run the above command again:</p><pre><code>find /gnu/store -name '*nginx.conf'
/gnu/store/7m1ygzqk6njn5mywqmhwbydbb2z4b9li-nginx.conf
/gnu/store/jnl72hx0papzb42kbd1f19qx35w76lmg-nginx-1.23.2/share/nginx/conf/nginx.conf</code></pre><p>Well that looks promising. Let's check out my nginx.conf file.</p><pre><code>cat /gnu/store/i2mzdhg8wlbxv7iza8y4qk5v0vmvp27q-nginx.conf
user nginx nginx;
pid /var/run/nginx/pid;
error_log /var/log/nginx/error.log info;
events { }
http {
    client_body_temp_path /var/run/nginx/client_body_temp;
    proxy_temp_path /var/run/nginx/proxy_temp;
    fastcgi_temp_path /var/run/nginx/fastcgi_temp;
    uwsgi_temp_path /var/run/nginx/uwsgi_temp;
    scgi_temp_path /var/run/nginx/scgi_temp;
    access_log /var/log/nginx/access.log;
    include /gnu/store/jnl72hx0papzb42kbd1f19qx35w76lmg-nginx-1.23.2/share/nginx/conf/mime.types;
    server {
        listen 443 ssl http2;
        server_name the-nx.com ;
        ssl_certificate /etc/letsencrypt/live/the-nx.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/the-nx.com/privkey.pem;
        root /srv/www/html/the-nx.com;
        index index.html ;
        server_tokens off;
        location /.well-known {
            root /srv/www;
        }
        location / {
            proxy_pass;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            client_max_body_size 0;
            # Websocket
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
        }
    }
    server {
        listen 80;
        listen [::]:80;
        server_name the-nx.com www.the-nx.com ;
        root /srv/http;
        index index.html ;
        server_tokens off;
        location /.well-known {
            root /srv/www/;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
}</code></pre><p>The generated configuration seems pretty wonky, and I am surprised that nginx is
still running, but it is still running. And I suppose that it should work.</p><p>I was able to get nextcloud to start with this command:</p><pre><code>sudo docker run --sig-proxy=false --name nextcloud-aio-mastercontainer \
  --restart always \
  --publish 8080:8080 \
  -e APACHE_PORT=9000 \
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  nextcloud/all-in-one:latest</code></pre><p>So now I can log in at the-nx.com:8080 and configure various stuff. Also I really
need to set up a firewall. That’s probably a really good idea. Also what’s nice
about this docker image is that it will start itself if you update the guix
system server and reboot.</p><p>MORE BONUS CONTENT:</p><p>If you see this blog post, and you decide to set up your nextcloud on a guix
system server, and if your nginx config doesn’t seem to be proxying requests to
your docker container, then you may follow these steps to delete the docker
image and start over:</p><p>This <a href="https://help.nextcloud.com/t/aio-this-site-can-t-provide-a-secure-connection/128478/5">page</a> has some good commands for deleting the docker image and starting
over:</p><pre><code>sudo docker stop nextcloud-aio-mastercontainer &amp;&amp; \
sudo docker rm nextcloud-aio-mastercontainer &amp;&amp; \
sudo docker container prune -f &amp;&amp; \
sudo docker volume prune -f &amp;&amp; \
sudo docker pull nextcloud/all-in-one:latest</code></pre><p>Ok, so it looks like the nextcloud all in one documentation has a <a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">page</a> for
understanding the reverse proxy.</p><p>It would also be nice to get my nextcloud image to sync my contacts. I probably just need to add in another nginx
location line for that. That will be a project for another day.</p></div></article></section></main><footer><p>© 2020 Joshua Branson. The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is built with Haunt, a static site generator written in Guile Scheme. Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based off of the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer></body>
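<p>As an added example (not code from the post, from Guix or from Nextcloud AIO), a small Python audit of <code>docker inspect</code> output that flags the two exposures the post raises: the bind-mounted Docker socket quoted at the top, and host ports published on every interface, which is exactly what the firewall the author still has to set up would have to cover. The JSON sample is constructed to mirror the post's <code>docker run</code> flags.</p>

```python
"""Audit `docker inspect` output for the two exposures mentioned in this post:
the bind-mounted Docker socket and host ports published on every interface."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample in the shape `docker inspect <container>` prints; it mirrors the
# flags the post passes to `docker run`, except that 8443 is bound to loopback here to
# show the contrast (this is not output captured from the author's server).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/nextcloud-aio-mastercontainer",
    "HostConfig": {
        "Binds": ["nextcloud_aio_mastercontainer:/mnt/docker-aio-config",
                  "/var/run/docker.sock:/var/run/docker.sock:ro"],
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}],
                         "8080/tcp": [{"HostIp": "", "HostPort": "8080"}],
                         "8443/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8443"}]},
    },
}])

def socket_mounts(container):
    """Modes of every bind that hands the container the Docker socket. A ':ro' bind mount
    does not stop connect() on a Unix socket, so the daemon API is fully usable either way."""
    modes = []
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        src, _, rest = bind.partition(":")
        if src == DOCKER_SOCKET:
            modes.append(rest.partition(":")[2] or "rw")
    return modes

def wide_open_ports(container):
    """Host ports published on all interfaces (HostIp empty, 0.0.0.0 or ::); without a host
    firewall these are reachable from the internet, e.g. the AIO admin UI on 8080."""
    ports = []
    for binds in (container.get("HostConfig", {}).get("PortBindings") or {}).values():
        for b in binds:
            if (b.get("HostIp") or "0.0.0.0") in ("0.0.0.0", "::"):
                ports.append(int(b["HostPort"]))
    return sorted(ports)

def audit(inspect_json):
    """Map container name -> {'socket': [bind modes], 'open_ports': [host ports]}."""
    report = {}
    for c in json.loads(inspect_json):
        report[c["Name"].lstrip("/")] = {"socket": socket_mounts(c),
                                         "open_ports": wide_open_ports(c)}
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On the server itself, feed it <code>sudo docker inspect $(sudo docker ps -q)</code> instead of the constructed sample.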