Nextcloud server on Guix

Hi! I can see the Nextcloud client is a Guix package, but the server isn't.

I assume I just install Docker and then set up the Nextcloud server on it? Or would it be better to use Nix, or some other installation method?

Not sure if https://www.gnucode.me/nextcloud-and-guix-system-server.html is still the state of things, but Nextcloud is, in the end, just PHP code running in a web server context and some cron jobs in the CLI context, so a quick hack or the Docker image could be a way to go if you can't or won't write a full Guix package.

I saw that page, although the sentence ‘The AIO image mounts the Docker socket, which is a security risk since it allows full access to other container as well as running any new container. It’s a bad idea and should be avoided.’ put me off.

Do you know if this is still the case? I thought the whole point of Docker was to isolate images to improve security and independently manage dependencies, but I guess it mounts the Docker socket to gain some functionality it wouldn’t have otherwise?

For some, the whole point of Docker is to have a stable userland so that “runs on my machine” problems are gone.

This is fine if it’s the only thing you run.

I think the PHP side has improved, so a proper Guix Nextcloud server package could be feasible.

Hm, okay, thank you.

You mean it's fine if it's the only Docker image I run? Because otherwise it would have elevated privileges over other Docker images on my machine or something?

Yes, this is my understanding of the matter.

I am not that optimistic. If there is a connection to the Docker daemon, it can launch other containers which can bind-mount arbitrary folders of the host machine with the permissions of the user the Docker daemon runs as. So it is not just other containers which are at risk, but also the host machine.

I assume the AIO Docker instance needs access to the Docker port to do auto-updates of new versions. There is also the App API, which I do not use: I only use it for syncing and for RSS feeds.

That is essentially how I do it on my NAS where I let it pull new images every few months. It runs unprivileged and has no access to the docker socket.

Good point!

So a properly packaged Nextcloud would be of high value.

Sorry, so how do you run it then? Do you use the AIO image with unelevated privileges, or something else? And do you only switch it on every few months, or have it on constantly?

I have it constantly running behind a firewall, using an unprivileged container with folders bind-mounted for storage. I use it as a Dropbox replacement to share my secrets for KeePassXC and general documents, like my org-mode todo files and my denote folder, among computers and mobile devices, and I use the RSS feed reader, but no other apps. I regularly pull new images and restart the container to keep up to date.

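The two setups discussed in this thread, a container handed the Docker socket (and with it the ability to start containers that bind-mount host folders) versus an unprivileged container that only bind-mounts its own storage folders, can be told apart from the output of `docker inspect`. The following audit script is an added example and is not from this thread or from the Nextcloud project; the two inspect records are constructed and trimmed to the fields the check reads, and the list of sensitive host paths and the `33:33` user id are assumptions chosen for the example.

```python
import json

# Paths at which the Docker daemon's control socket usually lives on the host.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

# Host directories a Nextcloud container has no business bind-mounting
# (hypothetical watch-list chosen for this example).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/var/lib/docker", "/proc", "/sys")


def exposes_docker_socket(source: str) -> bool:
    """True if a bind mount of host path `source` makes the daemon socket
    reachable inside the container, either directly or through a parent
    directory (bind-mounting "/" or "/var/run" exposes it as much as the file)."""
    src = source.rstrip("/")
    if src == "":
        return True
    return any(src == sock or sock.startswith(src + "/") for sock in DOCKER_SOCKETS)


def audit_container(inspect_json: str) -> list[str]:
    """Return findings for one `docker inspect <container>` record.

    `inspect_json` is the JSON array that `docker inspect` prints; only the
    Config.User, HostConfig.Privileged and Mounts fields are consulted.
    An empty list means none of the checked problems were found."""
    record = json.loads(inspect_json)[0]
    findings = []

    if record.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged: container gets all capabilities and host devices")

    if not record.get("Config", {}).get("User"):
        findings.append("runs as root: Config.User is empty")

    for mount in record.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes live under Docker's own storage, not an arbitrary host path
        src = mount.get("Source", "")
        dst = mount.get("Destination", "")
        if exposes_docker_socket(src):
            # A read-only bind mount does not help here: connecting to a unix
            # socket is not a filesystem write, so the daemon stays fully usable.
            findings.append(f"docker socket reachable via bind mount {src} -> {dst}: "
                            "equivalent to root on the host")
        elif any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
            findings.append(f"sensitive host path bind-mounted: {src} -> {dst}")
    return findings


# Constructed, trimmed inspect records for this example (not real `docker inspect` output).
SOCKET_EXAMPLE = json.dumps([{
    "Name": "/example-with-socket",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False},
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": False},
        {"Type": "volume", "Name": "example_config", "Destination": "/mnt/config", "RW": True},
    ],
}])

HARDENED_EXAMPLE = json.dumps([{
    "Name": "/example-unprivileged",
    "Config": {"User": "33:33"},  # assumed www-data uid:gid; a non-root user
    "HostConfig": {"Privileged": False},
    "Mounts": [
        {"Type": "bind", "Source": "/srv/nextcloud/data",
         "Destination": "/var/www/html/data", "RW": True},
        {"Type": "bind", "Source": "/srv/nextcloud/config",
         "Destination": "/var/www/html/config", "RW": True},
    ],
}])


if __name__ == "__main__":
    for name, rec in (("socket example", SOCKET_EXAMPLE), ("hardened example", HARDENED_EXAMPLE)):
        print(f"{name}: {audit_container(rec) or ['no findings']}")
```

To check a real container, feed the output of `docker inspect <container>` to `audit_container` as a string; the socket example above produces two findings (socket reachable, running as root), while the unprivileged setup with only its storage folders bind-mounted produces none.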

Okay, thanks!

Is this an issue with other Docker images too, or just the Nextcloud one?