Providing file synchronization, a web interface to navigate through them, calendar, contacts, tasks, kanban and webmail, it presents itself as a complete GSuite self-hosted alternative.

Hosting Nextcloud has become easier over time, thanks to its docker-compose example setups and to the Snap for use mostly on Ubuntu systems. However, having a faster and more optimized setup can take some effort on these platforms. Thankfully, on NixOS it’s not hard at all, as I’ll show you.

{ self, config, lib, pkgs, ... }:

{
  services = {
    nginx.virtualHosts = {
      "cloud.example.com" = {
        forceSSL = true;
        enableACME = true;
      };

      "onlyoffice.example.com" = {
        forceSSL = true;
        enableACME = true;
      };
    };

    nextcloud = {
      enable = true;
      hostName = "cloud.example.com";

       # Need to manually increment with every major upgrade.
      package = pkgs.nextcloud27;

      # Let NixOS install and configure the database automatically.
      database.createLocally = true;

      # Let NixOS install and configure Redis caching automatically.
      configureRedis = true;

      # Increase the maximum file upload size to avoid problems uploading videos.
      maxUploadSize = "16G";
      https = true;
      enableBrokenCiphersForSSE = false;

      autoUpdateApps.enable = true;
      extraAppsEnable = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        # List of apps we want to install and are already packaged in
        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
        inherit calendar contacts mail notes onlyoffice tasks;

        # Custom app installation example.
        cookbook = pkgs.fetchNextcloudApp rec {
          url =
            "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
          sha256 = "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=";
        };
      };

      config = {
        overwriteProtocol = "https";
        defaultPhoneRegion = "PT";
        dbtype = "pgsql";
        adminuser = "admin";
        adminpassFile = "/path/to/nextcloud-admin-pass";
      };
    };

    onlyoffice = {
      enable = true;
      hostname = "onlyoffice.example.com";
    };
  };
}

You may want to proceed with caution while setting up the OnlyOffice server, which will allow for Google Docs-like functionality on our Nextcloud instance, by having it only accessible inside your VPN or by setting the services.onlyoffice.jwtSecretFile option if exposed to the public Internet.

With this snippet, a Nextcloud instance with a selection of pre-installed Apps, PostgreSQL as a database, Redis Caching and Let’s Encrypt certificates will be set up for you.

To connect to the OnlyOffice server, configure it appropriately in Administration settings > ONLYOFFICE > ONLYOFFICE Docs address.

Backups

In this configuration, we need to persist the /var/lib/nextcloud and /var/lib/postgresql directories.

For backing up, you could copy /var/lib/nextcloud to another computer and, for the database, dump it to a file and copy it to another computer as well, as described in the official Nextcloud documentation.

Conclusion

Once again, NixOS proves itself as an amazing self-hosting platform.

Nextcloud, in its default configuration, is sometimes known for running slow. Thanks to NixOS, we’ve optimized its performance and that’s quite impactful, as it’s my most used self-hosted application. Having all of these apps running on Nextcloud has enabled me to move on from GSuite to a mostly autonomous and self-hosted infrastructure.

In the future, I look forward to being able to use Collabora/Nextcloud Office instead of OnlyOffice, as it’s more aligned with Nextcloud’s philosophical goals and hasn’t done suspicious decisions in the past.

References

• https://nixos.wiki/wiki/Nextcloud
• https://nixos.wiki/wiki/Onlyoffice-Documentserver
• https://docs.nextcloud.com/server/latest/admin_manual/maintenance/backup.html
• https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html

{ config, lib, pkgs, ... }:

let
  domain = "example.com";

  # Auxiliary functions
  fetchPackage = { name, version, hash, isTheme }:
    pkgs.stdenv.mkDerivation rec {
      inherit name version hash;
      src = let type = if isTheme then "theme" else "plugin";
      in pkgs.fetchzip {
        inherit name version hash;
        url = "https://downloads.wordpress.org/${type}/${name}.${version}.zip";
      };
      installPhase = "mkdir -p $out; cp -R * $out/";
    };

  fetchPlugin = { name, version, hash }:
    (fetchPackage {
      name = name;
      version = version;
      hash = hash;
      isTheme = false;
    });

  fetchTheme = { name, version, hash }:
    (fetchPackage {
      name = name;
      version = version;
      hash = hash;
      isTheme = true;
    });

  # Plugins
  google-site-kit = (fetchPlugin {
    name = "google-site-kit";
    version = "1.103.0";
    hash = "sha256-8QZ4XTCKVdIVtbTV7Ka4HVMiUGkBYkxsw8ctWDV8gxs=";
  });

  # Themes
  astra = (fetchTheme {
    name = "astra";
    version = "4.1.5";
    hash = "sha256-X3Jv2kn0FCCOPgrID0ZU8CuSjm/Ia/d+om/ShP5IBgA=";
  });

in {
  services = {
    nginx.virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;
    };

    wordpress = {
      webserver = "nginx";
      sites."${domain}" = {
        plugins = { inherit google-site-kit; };
        themes = { inherit astra; };
        settings = { WP_DEFAULT_THEME = "astra"; };
      };
    };
  };

  # As this is a root on tmpfs system, we use the impermanence
  # NixOS module to persist WordPress state between reboots.
  # You can omit the next two lines if using a regular configuration.
  environment.persistence."/persist".directories =
    [ "/var/lib/mysql" "/var/lib/wordpress" ];
}

I configure WordPress to use Nginx as the web server instead of httpd as it’s what I already use as a reverse proxy for my other self-hosted applications.

After deploying this configuration, you’ll be met with the famous 5-minute WordPress installation at your domain, with a MySQL database and Let’s Encrypt automatically configured for you. For demonstration, the Astra theme and the Google Site Kit plugin will also be automatically installed.

You’re then presented with the usual WordPress dashboard, where you’re free to enable the plugins we just installed and also do other miscellaneous configuration. In theory, these steps can also be declarative using the services.wordpress.sites.<domain>.extraConfig, although I had trouble doing that and was met with database connection errors when rebuilding the configuration.

Beyond the ease of installation, there may be advantages to using WordPress on NixOS instead of a docker-compose setup, for example. WordPress is known to quickly become a remote shell for intruders if not properly looked after and regularly updated. On NixOS, the only themes and plugins the WordPress instance will have access to will be the ones we explicitly set in the NixOS module, preventing the installation of plugins with malware by some distracted administrator through the Web interface. Thanks to the Nix store’s properties of immutability and restricted permissions, it’ll also be harder for malicious plugins to modify themselves when compared to normal setups.

Conclusion

Once again, NixOS made setting up another self-hosted service very easy.

This post will help you set up a basic WordPress instance, you’re then free to install more plugins and to optimize the website further. There are some suggestions on the relevant NixOS Wiki page.

Although I felt I learned something with this experience, I still prefer using simple Static Site Generators like Hugo for my personal projects. Using Hugo along with ox-hugo allows me to have a website that’s quite “declarative”, configured with plain text files, where I can do easy version control and deploy anywhere, many times for free. It also produces very fast sites without much effort, many times being close to a perfect score on the Lighthouse speed test. I also can be more relieved about security and maintenance as it’s just my webserver serving static files, without any backend or database to be exploited.

Nonetheless, about one third of the Web are WordPress websites and it’s useful to know how to set them up and configure them on NixOS.

References

• https://nixos.wiki/wiki/Wordpress

However, because they’re inside this private network, I’m not able to get Let’s Encrypt certificates through the usual HTTP-01 challenge, exactly because the home server is not accessible from the public Internet.

Because of this, and to prevent my browsers from screaming that I’m acessing my services through an “Insecure Connection” (even though the encrypted connection provided by Tailscale is plenty secure), I decided to set up wildcard certificates, provided by Let’s Encrypt.

NixOS configuration

As usual, the NixOS configuration part of this setup is not too difficult:

{ self, config, lib, pkgs, ... }:

{
  security.acme = {
    acceptTerms = true;
    defaults.email = "john.doe@example.com";

    certs."example.com" = {
      domain = "example.com";
      extraDomainNames = [ "*.example.com" ];
      dnsProvider = "ovh";
      dnsPropagationCheck = true;
      credentialsFile = /path/to/secrets/file;
    };
  };

  users.users.nginx.extraGroups = [ "acme" ];
}

In this example, I set my provider to OVH. You may want to change this to your provider of choice.

Also worthy of note is that we need to add the nginx user to the acme group, so that nginx can read the certificate files created by the acme service. Adjust this according to your preference of reverse proxy software.

OVH API credentials

The DNS-01 challenge, as the name implies, requires setting up DNS records to prove ownership of resources. Because of that, we’ll need to set up an API key for the acme NixOS module, so that it can set up these records automatically.

To create these credentials:

1. Go to https://eu.api.ovh.com/createToken/
2. Fill the form with the required information as shown below:
   • Account ID or email address: usual OVH login
   • Password: usual OVH password
   • Script Name: for example, “NixOS wildcard certificate”
   • Script description: for example, “NixOS wildcard certificate”
   • Validity: Unlimited
   • Rights: use the + button to add the following lines
     • POST : /domain/zone/*
     • DELETE : /domain/zone/*

After creating them, we’ll need to place them in the /path/to/secrets/file.

Be careful not to share these publicly. I personally use agenix for managing secrets in my NixOS configuration.

As per the OVH lego provider documentation, this file will include something like this:

OVH_ENDPOINT=ovh-eu
OVH_APPLICATION_KEY=<application-key>
OVH_APPLICATION_SECRET=<application-secret>
OVH_CONSUMER_KEY=<consumer-key>

DNS zone configuration

Initially, I tried to set up DNS like this:

• Create a wildcard CNAME record so that *.example.com points to home-server.tailnet.example.com.

However, with this setup, the acme service failed to fetch the certificate.

I ended up setting DNS this way instead:

• Create a wildcard A record so that *.example.com points to 100.64.0.1, my home-server’s Tailscale IP.

Now everything worked perfectly, although I feel that the CNAME method was more elegant, as it didn’t depend on the IP Tailscale assigned to my machine but only on its hostname and headscale’s MagicDNS.

Using the certificate

Now, after running nixos-rebuild switch and making sure that no errors showed up while getting the certificate, all that’s left is to start using it.

A simple nginx configuration that uses this certificate would like the following:

{ config, lib, pkgs, ... }:

{
  services.nginx = {
    enable = true;

    virtualHosts = {
      "some-service.example.com" = {
        forceSSL = true;
        useACMEHost = "example.com";
        locations."/".proxyPass = "http://127.0.0.1:12345";
      };
    };
  };
}

Closing remarks

Once again, NixOS made this process really straightforward.

I have read that Caddy makes this workflow really easy as well, if I weren’t using NixOS I’d probably be using that instead.

This setup is now ready to provide self-hosted services only accessible inside the headscale mesh-VPN and without the headache of using self-signed certificates or skipping the “Insecure Connection” warnings all the time. It also didn’t require port-forwarding on my router and having my services available to the hostile and chaotic public Internet.

Another subtle consequence of using wildcard certificates is that there’s improved privacy in what concerns certificate transparency. When someone searches for your domain at a service such as crt.sh, all they’ll see is that a wildcard certificate was emitted for that domain. This way, you’ll avoid having a public list of all the private services you’ve set up at home.

References

• https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns
• https://discourse.nixos.org/t/setup-a-wildcard-certificate-with-acme-on-a-custom-domain-name-hosted-by-powerdns/15055
• https://go-acme.github.io/lego/dns/ovh/
• https://yunohost.org/en/providers/registrar/ovh/autodns