jbranso
/
gnucode.me


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256
							<!DOCTYPE html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><meta name="keywords" content="GNU, Emacs, Libre Software, Hurd, Guile, Guix" /><meta name="description" content="GNUcode.me is a website focusing on libre software projects, especially the GNU project." /><link type="application/atom+xml" rel="alternate" title="GNUcode.me -- Feed" href="/feed.xml" /><a rel="me" href="https://fosstodon.org/@thegnuguy"></a><link type="text/css" href="css/footer.min.css" rel="stylesheet"></link><link type="text/css" href="css/header.min.css" rel="stylesheet"></link><link type="text/css" href="css/main.min.css" rel="stylesheet"></link><title>Nextcloud and Guix System Server — GNUcode.me</title></head><body><header><nav><ul><li><a href="index.html">GNUcode.me</a></li><li><a href="services.html">Services</a></li><li><a href="business-ideas.html">Business-ideas</a></li><li><a href="about.html">About</a></li></ul></nav></header><h1>Nextcloud and Guix System Server</h1><main><section class="basic-section-padding"><article><h3>by Joshua Branson — February 22, 2023</h3><div><p>So I have wanted to run <a href="https://nextcloud.com/">nextcloud</a> for a while now. In my humble opinion, guix
system makes maintaining websites super easy, so I would prefer to run nextcloud
on guix system. Unfortunately, nextcloud will NOT be packaged in guix anytime
soon for two reasons:</p><ol><li>Guix does not currently have a php build system or any php packages, though
there is a 80% completed <a href="https://issues.guix.gnu.org/42338">work-in-progress issue.</a> So the php bits of nextcloud
cannot be packaged properly.</li><li>Nextcloud has a lot of javascript dependencies, and javascript is <a href="https://dustycloud.org/blog/javascript-packaging-dystopia/">notoriously
hard to package for guix.</a></li></ol><p>It seems like the easiest way to currently run nextcloud on guix system is by
using the <a href="https://github.com/nextcloud/all-in-one">all in one docker image.</a> Please consider this a guide to set up
running nextcloud on guix system via a linode, which currently costs me about $5
per month.</p><p>Note, that while this is the easiest method to run nextcloud, apparently this
all in one docker image has some security issues:</p><blockquote><p>The AIO image mounts the Docker socket, which is a security risk since it allows
full access to other container as well as running any new container. It’s a bad
idea and should be avoided.</p></blockquote><p>tl;dr  Here are the 6 simple steps that you need to do:</p><ol><li><p>Set up a <a href="https://guix.gnu.org/en/cookbook/en/html_node/Running-Guix-on-a-Linode-Server.html#Running-Guix-on-a-Linode-Server">linode guix system server.</a>  <code>info &quot;Guix Cookbook&quot; RET i linode RET</code>.</p></li><li><p>Buy a domain name.  I use <a href="https://hover.com">hover.com</a>.</p></li><li><p>Point your domain name at your linode IP address.</p></li><li><p>Set up a basic nginx static website without encryption.  This means that you
don’t want to define <code>(service certbot-service-type)</code>.</p><pre><code>sudo mkdir -p /srv/www/html/yourdomainname.com
    
# the command I did was this:
sudo mkdir -p /srv/www/html/the-nx.com
    
sudo chgrp -R users /srv
sudo chmod -R g+rwx /srv</code></pre><p>Inside your newly created directory (<em>srv/www/html/yourdomainname.com</em>), put
a simple HTML file and call it “index.html”. You could use this:</p><pre><code>&lt;!doctype html&gt;
&lt;html class=&quot;no-js&quot; lang=&quot;&quot;&gt;
    &lt;head&gt;
        &lt;meta charset=&quot;utf-8&quot;&gt;
        &lt;meta http-equiv=&quot;x-ua-compatible&quot; content=&quot;ie=edge&quot;&gt;
        &lt;title&gt;the nx&lt;/title&gt;
        &lt;meta name=&quot;description&quot; content=&quot;&quot;&gt;
        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1&quot;&gt;
        &lt;link rel=&quot;apple-touch-icon&quot; href=&quot;/apple-touch-icon.png&quot;&gt;
    
    &lt;/head&gt;
    &lt;body&gt;
        &lt;!--[if lt IE 8]&gt;
            &lt;p class=&quot;browserupgrade&quot;&gt;
            You are using an &lt;strong&gt;outdated&lt;/strong&gt; browser. Please
            &lt;a href=&quot;http://browsehappy.com/&quot;&gt;upgrade your browser&lt;/a&gt; to improve
            your experience.
            &lt;/p&gt;
        &lt;![endif]--&gt;
    
        &lt;p&gt;Hello!&lt;/p&gt;
    &lt;/body&gt;
&lt;/html&gt;</code></pre><p>Now set up a basic nginx configuration for a static website without
encryption. It will end up looking something like:</p><pre><code>(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (server-name '(&quot;the-nx.com&quot;))
             (listen (list &quot;80&quot; &quot;[::]:80&quot;))
             (root &quot;/srv/www/html/the-nx.com&quot;))))))</code></pre><p>Now you need to reconfigure so that the <code>nginx</code> user is created:</p><p><code>sudo guix system reconfigure config.scm</code></p><p>Now, nginx is running, but you will probably need to give nginx access to
read the files in your /srv directory.</p><pre><code>sudo chown -R nginx /srv
sudo chmod -R u-rwx /srv</code></pre><p>Open up a web browser and go to <a href="http://yourdomainname.com">http://yourdomainname.com</a> and check to see
that you see a basic website.</p></li><li><p>Now you need to turn your basic static website, into a site that has https
support.  Now you need to edit your nginx config and add in a certbot config:</p><p>Before your <code>(operating-system ...)</code> declartion, define this bit of code:</p><pre><code>(define %nginx-deploy-hook
  (program-file
   &quot;nginx-deploy-hook&quot;
   #~(let ((pid (call-with-input-file &quot;/var/run/nginx/pid&quot; read)))
       (kill pid SIGHUP))))</code></pre><p>Also make sure that you add in a <code>certbot</code> service and a modified <code>nginx</code>
service that look like this:</p><pre><code>(service certbot-service-type
         (certbot-configuration
          (email &quot;mysubscriptions@member.fsf.org&quot;)
          (webroot &quot;/srv/www/&quot;)
          (certificates
           (list
            (certificate-configuration
             (name &quot;the-nx.com&quot;)
             (domains '(&quot;the-nx.com&quot; &quot;www.the-nx.com&quot;))
             (deploy-hook %nginx-deploy-hook))))))
    
(service nginx-service-type
         (nginx-configuration
          (server-blocks
           (list
            (nginx-server-configuration
             (server-name '(&quot;the-nx.com&quot;))
             (listen (list &quot;80&quot;
                           &quot;443 ssl http2&quot;
                           &quot;[::]:80&quot;
                           &quot;[::80]:443 ssl http2&quot;))
             (root &quot;/srv/www/html/the-nx.com&quot;)
             (ssl-certificate &quot;/etc/letsencrypt/live/the-nx.com/fullchain.pem&quot;)
             (ssl-certificate-key &quot;/etc/letsencrypt/live/the-nx.com/privkey.pem&quot;)
             (locations
              (list
               (nginx-location-configuration ;; for certbot
                (uri &quot;/.well-known&quot;)
                (body (list &quot;root /srv/www;&quot;))))))))))</code></pre><p>Now we will have to reconfigure again to set up certbot:</p><pre><code>sudo guix system reconfigure config.scm
    
# tell certbot to set up our certificates
sudo /var/lib/certbot/renew-certificates</code></pre><p>Now you should be able to go to <a href="https://yourdomainname.com">https://yourdomainname.com</a> and see your site
in glorious encrypted mode!</p></li><li><p>Modify your guix config based on my <a href="https://notabug.org/jbranso/linode-guix-system-configuration/src/master/the-nx.com-current-config.scm">the-nx.com-current-config.scm</a>.
You will need to enable these services <code>(dbus-service)</code>, <code>(service docker-service-type)</code>, <code>(elogind service)</code>, <code>(service certbot-service-type)</code>,
and <code>(service nginx-service-type)</code>.</p></li></ol><p>I just ran this command, and my local nextcloud just started working.</p><pre><code>sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest</code></pre><p>The following is the same quick guide as above, but has more details:</p><p>I decided to create a new linode image following the linode cookbook guide, and
I noticed a tiny error in the guide:</p><p><code>sudo apt-get install gpg</code> failed.  It worked after I ran <code>sudo apt-get update</code>.</p><p>Also the basic config example needs to migrate to the new &lt;swap-space&gt; record.
It gave me this warning message:</p><p>/root/config.scm:11:0: warning: List elements of the field ’swap-devices’ should
now use the &lt;swap-space&gt; record, as the old method is deprecated. See “(guix)
operating-system Reference” for more details.</p><p>The cookbook guide also should probably mention that you may need to login to
the server for the first time using linode’s weblish, and set up the root passwd
with <code>passwd</code>. Then set up your user password with <code>passwd &lt;username&gt;</code>.</p><p>Now that we have a basic site set up, let’s set up certbot and the nginx services:</p><pre><code>(service certbot-service-type
         (certbot-configuration
          (email &quot;mysubscriptions@member.fsf.org&quot;)
          (webroot &quot;/srv/www/&quot;)
          (certificates
           (list
            (certificate-configuration
             (name &quot;the-nx.com&quot;)
             (domains '(&quot;the-nx.com&quot; &quot;www.the-nx.com&quot;))
             (deploy-hook %nginx-deploy-hook))))))

(nginx-configuration
 (server-blocks
  (list
   (nginx-server-configuration
    (server-name '(&quot;the-nx.com&quot;))
    (listen (list &quot;80&quot;
                  &quot;443 ssl http2&quot;
                  ;;&quot;[::]:80&quot;
                  ;;&quot;[::80]:443 ssl http2&quot;
                  ))
    (root &quot;/srv/www/html/the-nx.com&quot;)
    (ssl-certificate &quot;/etc/letsencrypt/live/the-nx.com/fullchain.pem&quot;)
    (ssl-certificate-key &quot;/etc/letsencrypt/live/the-nx.com/privkey.pem&quot;)
    (locations
     (list
      (nginx-location-configuration ;; for certbot
       (uri &quot;/.well-known&quot;)
       (body (list &quot;root /srv/www;&quot;)))))))))</code></pre><p>Now let’s reconfigure and get a certbot certificate.  <code>ssh</code> into the-nx.com and
run these commands:</p><pre><code>sudo guix system reconfigure the-nx.com-current-config.scm

# tell certbot to set up our certificates
sudo /var/lib/certbot/renew-certificates</code></pre><p>So now my server has a valid certificate. It is time change the nginx
configuration to proxy incoming requests to the docker all in one image.</p><p>Ok, maybe I can use sexpressions to tell nginx to redirect all incoming traffic
to <code>the-nx.com</code> to the docker nextcloud image:</p><pre><code>(nginx-location-configuration
 (uri &quot;/&quot;)
 (body
  (list
   &quot;proxy_pass http://127.0.0.1:9000;\n&quot;
   &quot;proxy_set_header X-Real-IP $remote_addr;\n&quot;
   &quot;proxy_set_header Host $host;\n&quot;
   &quot;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n&quot;
   &quot;client_max_body_size 0;\n&quot;
   &quot;# Websocket\n&quot;
   &quot;proxy_http_version 1.1;\n&quot;
   &quot;proxy_set_header Upgrade $http_upgrade;\n&quot;)))</code></pre><p>I am going to deploy this image, and take a look at the generated nginx
configuration file.  I ran this command on my T400 laptop:</p><p><code>guix deploy the-nx.com-current-config.scm</code></p><p>Well, that’s super annoying. I do not know which nginx.conf file is the right
one:</p><pre><code>find /gnu/store -name '*nginx.conf'

/gnu/store/7m1ygzqk6njn5mywqmhwbydbb2z4b9li-nginx.conf
/gnu/store/0gcfj61q4943h94jdqq7i9y0a0v9jr9q-nginx.conf
/gnu/store/4mzrp39w5i4v94kxf98gxc13ws79l88n-nginx.conf
/gnu/store/0nia2iqfw63ziasibbgq321wr9b3152n-nginx.conf
/gnu/store/pf8d0sj1yf9b2ndsbc61yj3h6rp4pck2-nginx.conf
/gnu/store/9nra62v41wsk08xf3msw5a1z35gji2gx-nginx-1.23.2/share/nginx/conf/nginx.conf
/gnu/store/4b1szfyn0snwzf3lm1snvaapk6diz3yq-nginx.conf
/gnu/store/fv5rg3nf5999vyg6qvp4sbgjysnkn1fc-nginx.conf
/gnu/store/vmjwj2zwblcz4wx2whsmxdfc7zxcgjh5-nginx.conf
/gnu/store/n3m2lihq9cjm6mxdln57q5nrbjgz53s6-nginx.conf
/gnu/store/jnl72hx0papzb42kbd1f19qx35w76lmg-nginx-1.23.2/share/nginx/conf/nginx.conf</code></pre><p>I guess I will reboot, run <code>guix system delete-generations</code> and <code>guix gc</code>, and
run the above command again:</p><pre><code>find /gnu/store -name '*nginx.conf'

/gnu/store/7m1ygzqk6njn5mywqmhwbydbb2z4b9li-nginx.conf
/gnu/store/jnl72hx0papzb42kbd1f19qx35w76lmg-nginx-1.23.2/share/nginx/conf/nginx.conf</code></pre><p>Well that looks promising.  Let's check out my nginx.conf file.</p><pre><code>cat /gnu/store/i2mzdhg8wlbxv7iza8y4qk5v0vmvp27q-nginx.conf

user nginx nginx;
pid /var/run/nginx/pid;
error_log /var/log/nginx/error.log info;
events { }
http {
    client_body_temp_path /var/run/nginx/client_body_temp;
    proxy_temp_path /var/run/nginx/proxy_temp;
    fastcgi_temp_path /var/run/nginx/fastcgi_temp;
    uwsgi_temp_path /var/run/nginx/uwsgi_temp;
    scgi_temp_path /var/run/nginx/scgi_temp;
    access_log /var/log/nginx/access.log;
    include /gnu/store/jnl72hx0papzb42kbd1f19qx35w76lmg-nginx-1.23.2/share/nginx/conf/mime.types;

    server {
      listen 443 ssl http2;
      server_name the-nx.com ;
      ssl_certificate /etc/letsencrypt/live/the-nx.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/the-nx.com/privkey.pem;
      root /srv/www/html/the-nx.com;
      index index.html ;
      server_tokens off;

      location /.well-known {
        root /srv/www;
      }
      location / {
        proxy_pass http://127.0.0.1:9000;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        client_max_body_size 0;

        # Websocket

        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;

      }

    }
    server {
      listen 80;
      listen [::]:80;
      server_name the-nx.com www.the-nx.com ;
      root /srv/http;
      index index.html ;
      server_tokens off;

      location /.well-known {
        root /srv/www/;
      }
      location / {
        return 301 https://$host$request_uri;
      }

    }

}</code></pre><p>The generated configuration seems pretty wonky, and I am suprised that nginx is
still running, but it is still running.  And I suppose that it should work.</p><p>I was able to get nextcloud to start with this command:</p><pre><code>sudo docker run --sig-proxy=false --name nextcloud-aio-mastercontainer \
 --restart always \
 --publish 8080:8080 \
 -e APACHE_PORT=9000 \
 --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
 --volume /var/run/docker.sock:/var/run/docker.sock:ro  \
 nextcloud/all-in-one:latest</code></pre><p>So now I can login at the-nx.com:8080 and configure various stuff. Also I really
need to set up a firewall. That’s probably a really good idea.  Also what’s nice
about this docker image is that it will start itself if you update the guix
system server and reboot.</p><p>MORE BONUS CONTENT:</p><p>If you see this blog post, and you decide to set up your nextcloud on a guix
system server, and if your nginx config doesn’t seem to be proxying requests to
your docker container, then you may follow these steps to delete the docker
image and start over:</p><p>This <a href="https://help.nextcloud.com/t/aio-this-site-can-t-provide-a-secure-connection/128478/5">page</a> has some good commands for deleting the docker image and starting
over:</p><pre><code>sudo docker stop nextcloud-aio-mastercontainer &amp;&amp; \\
sudo docker rm nextcloud-aio-mastercontainer &amp;&amp; \\
sudo docker container prune -f &amp;&amp; \\
sudo docker volume prune -f &amp;&amp; \\
sudo docker pull nextcloud/all-in-one:latest</code></pre><p>Ok, so it looks like the nextcloud all in one documentation has a <a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">page</a> for
understanding the reverse proxy.</p><p>It would also be nice to get my nextcloud image to sync my contacts.  I probably just need to add in another nginx
location line for that.  That will be a project for another day.</p></div></article></section></main><footer><p>© 2020 Joshua Branson.  The text on this site is free culture under the Creative Commons Attribution Share-Alike 4.0 International license.</p><p>This website is build with Haunt, a static site generator written in Guile Scheme.  Source code is <a href="https://notabug.org/jbranso/gnucode.me">available.</a></p><p>The color theme of this website is based off of the famous <a href="#3f3f3f" target="_blank">zenburn</a> theme.</p></footer></body>