2025-02-03 02:03:20 +04:00
|
|
|
{ config, lib, pkgs, ... }:
|
2024-12-30 04:22:50 +04:00
|
|
|
let
|
|
|
|
|
inherit (import ./common.nix config)
|
|
|
|
|
admin-pass-filepath
|
|
|
|
|
db-pass-filepath
|
|
|
|
|
domain
|
|
|
|
|
override-config-fp
|
|
|
|
|
secrets-filepath
|
|
|
|
|
sp
|
|
|
|
|
;
|
|
|
|
|
|
2025-01-17 15:04:08 +04:00
|
|
|
hostName = "${cfg.subdomain}.${sp.domain}";
|
2025-02-03 00:57:08 +04:00
|
|
|
auth-passthru = config.selfprivacy.passthru.auth;
|
2025-01-17 15:04:08 +04:00
|
|
|
cfg = sp.modules.nextcloud;
|
2025-02-03 01:35:21 +04:00
|
|
|
is-auth-enabled = cfg.enableSso && config.selfprivacy.sso.enable;
|
2025-01-17 15:04:08 +04:00
|
|
|
ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
|
2024-12-30 04:22:50 +04:00
|
|
|
|
|
|
|
|
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
2025-01-17 15:04:08 +04:00
|
|
|
|
2024-12-30 04:22:50 +04:00
|
|
|
nextcloud-setup-group =
|
|
|
|
|
config.systemd.services.nextcloud-setup.serviceConfig.Group;
|
|
|
|
|
|
|
|
|
|
admins-group = "sp.nextcloud.admins";
|
|
|
|
|
users-group = "sp.nextcloud.users";
|
|
|
|
|
wildcard-group = "sp.nextcloud.*";
|
|
|
|
|
|
|
|
|
|
oauth-client-id = "nextcloud";
|
|
|
|
|
kanidm-service-account-name = "sp.${oauth-client-id}.service-account";
|
|
|
|
|
kanidm-service-account-token-name = "${oauth-client-id}-service-account-token";
|
|
|
|
|
kanidm-service-account-token-fp =
|
|
|
|
|
"/run/keys/${oauth-client-id}/kanidm-service-account-token"; # FIXME sync with auth module
|
2025-01-15 15:15:46 +04:00
|
|
|
# TODO rewrite to tmpfiles.d, but make sure the group exists first!
|
|
|
|
|
kanidmExecStartPreScriptRoot = pkgs.writeShellScript
|
|
|
|
|
"${oauth-client-id}-kanidm-ExecStartPre-root-script.sh"
|
2024-12-30 04:22:50 +04:00
|
|
|
''
|
|
|
|
|
# set-group-ID bit allows for kanidm user to create files,
|
|
|
|
|
mkdir -p -v --mode=u+rwx,g+rs,g-w,o-rwx /run/keys/${oauth-client-id}
|
|
|
|
|
chown kanidm:${nextcloud-setup-group} /run/keys/${oauth-client-id}
|
|
|
|
|
'';
|
2025-01-15 15:15:46 +04:00
|
|
|
kanidm-oauth-client-secret-fp =
|
|
|
|
|
"/run/keys/${oauth-client-id}/kanidm-oauth-client-secret";
|
|
|
|
|
kanidmExecStartPreScript = pkgs.writeShellScript
|
|
|
|
|
"${oauth-client-id}-kanidm-ExecStartPre-script.sh" ''
|
|
|
|
|
[ -f "${kanidm-oauth-client-secret-fp}" ] || \
|
|
|
|
|
"${lib.getExe pkgs.openssl}" rand -base64 -out "${kanidm-oauth-client-secret-fp}" 32
|
|
|
|
|
'';
|
2024-12-30 04:22:50 +04:00
|
|
|
kanidmExecStartPostScript = pkgs.writeShellScript
|
|
|
|
|
"${oauth-client-id}-kanidm-ExecStartPost-script.sh"
|
|
|
|
|
''
|
|
|
|
|
export HOME=$RUNTIME_DIRECTORY/client_home
|
|
|
|
|
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
|
|
|
|
|
|
|
|
|
|
# get Kanidm service account for mailserver
|
|
|
|
|
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${kanidm-service-account-name}$")"
|
|
|
|
|
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
|
|
|
|
|
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
|
|
|
|
|
then
|
|
|
|
|
echo "kanidm service account \"${kanidm-service-account-name}\" is found"
|
|
|
|
|
else
|
|
|
|
|
echo "kanidm service account \"${kanidm-service-account-name}\" is not found"
|
|
|
|
|
echo "creating new kanidm service account \"${kanidm-service-account-name}\""
|
2025-01-15 15:15:46 +04:00
|
|
|
if $KANIDM service-account create --name idm_admin "${kanidm-service-account-name}" "${kanidm-service-account-name}" idm_admin
|
2024-12-30 04:22:50 +04:00
|
|
|
then
|
2025-01-15 15:15:46 +04:00
|
|
|
echo "kanidm service account \"${kanidm-service-account-name}\" created"
|
2024-12-30 04:22:50 +04:00
|
|
|
else
|
|
|
|
|
echo "error: cannot create kanidm service account \"${kanidm-service-account-name}\""
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# add Kanidm service account to `idm_mail_servers` group
|
2025-01-15 15:15:46 +04:00
|
|
|
$KANIDM group add-members idm_mail_servers "${kanidm-service-account-name}"
|
2024-12-30 04:22:50 +04:00
|
|
|
|
|
|
|
|
# create a new read-only token for kanidm
|
2025-01-15 15:15:46 +04:00
|
|
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidm-service-account-name}" "${kanidm-service-account-token-name}" --output json)"
|
2024-12-30 04:22:50 +04:00
|
|
|
then
|
|
|
|
|
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
|
|
|
|
|
then
|
|
|
|
|
echo "error: cannot get service-account API token from JSON"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! install --mode=640 \
|
|
|
|
|
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
|
|
|
|
|
${kanidm-service-account-token-fp}
|
|
|
|
|
then
|
|
|
|
|
echo "error: cannot write token to \"${kanidm-service-account-token-fp}\""
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
|
in
|
2023-11-15 22:26:04 +04:00
|
|
|
{
|
2023-11-16 04:00:11 +04:00
|
|
|
options.selfprivacy.modules.nextcloud = with lib; {
|
2024-12-18 15:40:15 +03:00
|
|
|
enable = (lib.mkOption {
|
2023-11-15 22:26:04 +04:00
|
|
|
default = false;
|
2024-12-18 15:40:15 +03:00
|
|
|
type = lib.types.bool;
|
|
|
|
|
description = "Enable Nextcloud";
|
|
|
|
|
}) // {
|
|
|
|
|
meta = {
|
|
|
|
|
type = "enable";
|
|
|
|
|
};
|
2023-11-15 22:26:04 +04:00
|
|
|
};
|
2024-12-18 15:40:15 +03:00
|
|
|
location = (lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
description = "Nextcloud location";
|
|
|
|
|
}) // {
|
|
|
|
|
meta = {
|
|
|
|
|
type = "location";
|
|
|
|
|
};
|
2023-11-15 22:26:04 +04:00
|
|
|
};
|
2024-12-18 15:40:15 +03:00
|
|
|
subdomain = (lib.mkOption {
|
2024-02-15 13:56:12 +04:00
|
|
|
default = "cloud";
|
|
|
|
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
2024-12-18 15:40:15 +03:00
|
|
|
description = "Subdomain";
|
|
|
|
|
}) // {
|
|
|
|
|
meta = {
|
|
|
|
|
widget = "subdomain";
|
|
|
|
|
type = "string";
|
|
|
|
|
regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
|
|
|
|
weight = 0;
|
|
|
|
|
};
|
2024-02-15 13:56:12 +04:00
|
|
|
};
|
2024-12-18 15:40:15 +03:00
|
|
|
enableImagemagick = (lib.mkOption {
|
2024-11-29 16:18:20 +04:00
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
2024-12-18 15:40:15 +03:00
|
|
|
description = "Enable ImageMagick";
|
|
|
|
|
}) // {
|
|
|
|
|
meta = {
|
|
|
|
|
type = "bool";
|
|
|
|
|
weight = 1;
|
|
|
|
|
};
|
2024-11-29 16:18:20 +04:00
|
|
|
};
|
2025-03-28 17:18:16 +03:00
|
|
|
enableSso = (lib.mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
description = "Enable Single Sign-On";
|
|
|
|
|
}) // {
|
|
|
|
|
meta = {
|
|
|
|
|
type = "bool";
|
|
|
|
|
weight = 2;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
debug = (lib.mkOption {
|
2024-12-30 04:22:50 +04:00
|
|
|
default = false;
|
|
|
|
|
type = lib.types.bool;
|
2025-03-28 17:18:16 +03:00
|
|
|
description = "Enable debug logging";
|
|
|
|
|
}) // {
|
|
|
|
|
meta = {
|
|
|
|
|
type = "bool";
|
|
|
|
|
weight = 3;
|
|
|
|
|
};
|
2024-12-30 04:22:50 +04:00
|
|
|
};
|
2023-11-15 22:26:04 +04:00
|
|
|
};
|
|
|
|
|
|
2025-01-24 16:27:48 +04:00
|
|
|
# config = lib.mkIf sp.modules.nextcloud.enable
|
|
|
|
|
config = lib.mkIf sp.modules.nextcloud.enable (lib.mkMerge [
|
|
|
|
|
{
|
2025-02-03 01:51:19 +04:00
|
|
|
assertions = [
|
|
|
|
|
{
|
|
|
|
|
assertion = cfg.enableSso -> sp.sso.enable;
|
|
|
|
|
message =
|
|
|
|
|
"SSO cannot be enabled for Nextcloud when SSO is disabled globally.";
|
|
|
|
|
}
|
|
|
|
|
];
|
2025-01-24 16:27:48 +04:00
|
|
|
fileSystems = lib.mkIf sp.useBinds {
|
|
|
|
|
"/var/lib/nextcloud" = {
|
|
|
|
|
device = "/volumes/${cfg.location}/nextcloud";
|
|
|
|
|
options = [
|
|
|
|
|
"bind"
|
|
|
|
|
"x-systemd.required-by=nextcloud-setup.service"
|
|
|
|
|
"x-systemd.required-by=nextcloud-secrets.service"
|
|
|
|
|
"x-systemd.before=nextcloud-setup.service"
|
|
|
|
|
"x-systemd.before=nextcloud-secrets.service"
|
|
|
|
|
];
|
|
|
|
|
};
|
2023-11-29 08:19:04 +04:00
|
|
|
};
|
2025-01-17 15:04:08 +04:00
|
|
|
|
2025-01-24 16:27:48 +04:00
|
|
|
# for ExecStartPost script to have access to /run/keys/*
|
|
|
|
|
users.groups.keys.members =
|
|
|
|
|
lib.mkIf is-auth-enabled [ nextcloud-setup-group ];
|
|
|
|
|
|
|
|
|
|
# not needed, due to turnOffCertCheck=1 in used_ldap
|
|
|
|
|
# users.groups.${config.security.acme.certs.${domain}.group}.members =
|
|
|
|
|
# [ config.services.phpfpm.pools.nextcloud.user ];
|
|
|
|
|
|
|
|
|
|
systemd = {
|
|
|
|
|
services = {
|
|
|
|
|
phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
|
|
|
|
|
nextcloud-setup = {
|
|
|
|
|
serviceConfig.Slice = "nextcloud.slice";
|
|
|
|
|
serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
|
|
|
|
|
};
|
|
|
|
|
kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
|
|
|
|
|
(lib.mkAfter [
|
|
|
|
|
("-+" + kanidmExecStartPreScriptRoot)
|
|
|
|
|
("-" + kanidmExecStartPreScript)
|
|
|
|
|
]);
|
|
|
|
|
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
|
|
|
|
|
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
|
|
|
|
|
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
|
|
|
|
|
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
|
|
|
|
|
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
|
|
|
|
|
nextcloud-secrets = {
|
|
|
|
|
before = [ "nextcloud-setup.service" ];
|
|
|
|
|
requiredBy = [ "nextcloud-setup.service" ];
|
|
|
|
|
serviceConfig.Type = "oneshot";
|
|
|
|
|
path = with pkgs; [ coreutils jq ];
|
|
|
|
|
script = ''
|
|
|
|
|
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
|
|
|
|
|
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
|
|
|
|
|
|
|
|
|
|
install -C -m 0440 -o nextcloud -g nextcloud -DT \
|
|
|
|
|
<(printf "%s\n" "$databasePassword") \
|
|
|
|
|
${db-pass-filepath}
|
|
|
|
|
|
|
|
|
|
install -C -m 0440 -o nextcloud -g nextcloud -DT \
|
|
|
|
|
<(printf "%s\n" "$adminPassword") \
|
|
|
|
|
${admin-pass-filepath}
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
slices.nextcloud = {
|
|
|
|
|
description = "Nextcloud service slice";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
services.nextcloud = {
|
|
|
|
|
enable = true;
|
2025-03-31 19:37:38 +03:00
|
|
|
package = pkgs.nextcloud30;
|
2025-01-24 16:27:48 +04:00
|
|
|
inherit hostName;
|
|
|
|
|
|
|
|
|
|
# Use HTTPS for links
|
|
|
|
|
https = true;
|
|
|
|
|
|
|
|
|
|
# auto-update Nextcloud Apps
|
|
|
|
|
autoUpdateApps.enable = true;
|
|
|
|
|
# set what time makes sense for you
|
|
|
|
|
autoUpdateApps.startAt = "05:00:00";
|
|
|
|
|
|
|
|
|
|
phpOptions.display_errors = "Off";
|
|
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
|
# further forces Nextcloud to use HTTPS
|
|
|
|
|
overwriteprotocol = "https";
|
|
|
|
|
} // lib.attrsets.optionalAttrs is-auth-enabled {
|
|
|
|
|
loglevel = 0;
|
|
|
|
|
# log_type = "file";
|
|
|
|
|
social_login_auto_redirect = false;
|
|
|
|
|
|
|
|
|
|
allow_local_remote_servers = true;
|
|
|
|
|
allow_user_to_change_display_name = false;
|
|
|
|
|
lost_password_link = "disabled";
|
|
|
|
|
allow_multiple_user_backends = false;
|
|
|
|
|
|
|
|
|
|
user_oidc = {
|
|
|
|
|
single_logout = true;
|
|
|
|
|
use_pkce = true;
|
|
|
|
|
auto_provision = true;
|
|
|
|
|
soft_auto_provision = true;
|
|
|
|
|
disable_account_creation = false;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = {
|
|
|
|
|
dbtype = "sqlite";
|
|
|
|
|
dbuser = "nextcloud";
|
|
|
|
|
dbname = "nextcloud";
|
|
|
|
|
dbpassFile = db-pass-filepath;
|
|
|
|
|
# TODO review whether admin user is needed at all - admin group works
|
|
|
|
|
adminpassFile = admin-pass-filepath;
|
|
|
|
|
adminuser = "admin";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
services.nginx.virtualHosts.${hostName} = {
|
|
|
|
|
useACMEHost = sp.domain;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
|
|
|
|
|
# # FIXME does not work
|
|
|
|
|
# rewrite ^/login$ /apps/user_oidc/login/1 last;
|
|
|
|
|
#'';
|
|
|
|
|
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
|
|
|
|
|
locations."~ \\.php(?:$|/)".extraConfig = ''
|
|
|
|
|
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
# the following part is active only when "auth" module is enabled
|
2025-02-03 02:03:20 +04:00
|
|
|
(lib.mkIf is-auth-enabled {
|
|
|
|
|
systemd.services.nextcloud-setup = {
|
|
|
|
|
path = [ pkgs.jq ];
|
|
|
|
|
script = ''
|
|
|
|
|
set -o errexit
|
|
|
|
|
set -o nounset
|
|
|
|
|
${lib.strings.optionalString cfg.debug "set -o xtrace"}
|
|
|
|
|
|
|
|
|
|
${occ} app:install user_ldap || :
|
|
|
|
|
${occ} app:enable user_ldap
|
|
|
|
|
|
|
|
|
|
# The following code tries to match an existing config or creates a new one.
|
|
|
|
|
# The criteria for matching is the ldapHost value.
|
|
|
|
|
|
|
|
|
|
# remove broken link after previous nextcloud (un)installation
|
|
|
|
|
[[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \
|
|
|
|
|
rm -v "${override-config-fp}"
|
|
|
|
|
|
|
|
|
|
ALL_CONFIG="$(${occ} ldap:show-config --output=json)"
|
|
|
|
|
|
|
|
|
|
MATCHING_CONFIG_IDs="$(jq '[to_entries[] | select(.value.ldapHost=="${ldap_scheme_and_host}") | .key]' <<<"$ALL_CONFIG")"
|
|
|
|
|
if [[ $(jq 'length' <<<"$MATCHING_CONFIG_IDs") > 0 ]]; then
|
|
|
|
|
CONFIG_ID="$(jq --raw-output '.[0]' <<<"$MATCHING_CONFIG_IDs")"
|
|
|
|
|
else
|
|
|
|
|
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "Using configId $CONFIG_ID"
|
|
|
|
|
|
|
|
|
|
# The following CLI commands follow
|
|
|
|
|
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
|
|
|
|
|
|
|
|
|
# StartTLS is not supported in Kanidm due to security risks, whereas
|
|
|
|
|
# user_ldap doesn't support SASL. Importing certificate doesn't
|
|
|
|
|
# help:
|
|
|
|
|
# ${occ} security:certificates:import "${config.security.acme.certs.${domain}.directory}/cert.pem"
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1'
|
|
|
|
|
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' '${ldap_scheme_and_host}'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${kanidm-service-account-token-fp})"
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' '${auth-passthru.ldap-base-dn}'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' '${auth-passthru.ldap-base-dn}'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' '${auth-passthru.ldap-base-dn}'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' 'mail'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
|
|
|
|
|
'(&(class=group)(${wildcard-group})'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
|
|
|
|
|
'(&(class=group)(${wildcard-group}))'
|
|
|
|
|
# ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
|
|
|
|
|
# 'groupOfUniqueNames'
|
|
|
|
|
# ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
|
|
|
|
|
# 'uniqueMember'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
|
|
|
|
|
'(&(class=person)(memberof=${users-group})(uid=%uid))'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
|
|
|
|
|
'uid'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
|
|
|
|
|
'displayname'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
|
|
|
|
|
'(&(class=person)(memberof=${users-group})(name=%s))'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
|
|
|
|
|
'1'
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
|
|
|
|
|
'person'
|
|
|
|
|
|
|
|
|
|
${occ} ldap:test-config -- "$CONFIG_ID"
|
|
|
|
|
|
|
|
|
|
# delete all configs except "$CONFIG_ID"
|
|
|
|
|
for configid in $(jq --raw-output "keys[] | select(. != \"$CONFIG_ID\")" <<<"$ALL_CONFIG"); do
|
|
|
|
|
echo "Deactivating $configid"
|
|
|
|
|
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' '0'
|
|
|
|
|
echo "Deactivated $configid"
|
|
|
|
|
echo "Deleting $configid"
|
|
|
|
|
${occ} ldap:delete-config "$configid"
|
|
|
|
|
echo "Deleted $configid"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' '1'
|
|
|
|
|
|
|
|
|
|
############################################################################
|
|
|
|
|
# OIDC app
|
|
|
|
|
############################################################################
|
|
|
|
|
${occ} app:install user_oidc || :
|
|
|
|
|
${occ} app:enable user_oidc
|
|
|
|
|
|
|
|
|
|
${occ} user_oidc:provider ${auth-passthru.oauth2-provider-name} \
|
|
|
|
|
--clientid="${oauth-client-id}" \
|
|
|
|
|
--clientsecret="$(<${kanidm-oauth-client-secret-fp})" \
|
|
|
|
|
--discoveryuri="${auth-passthru.oauth2-discovery-url "nextcloud"}" \
|
|
|
|
|
--unique-uid=0 \
|
|
|
|
|
--scope="email openid profile" \
|
|
|
|
|
--mapping-uid=preferred_username \
|
|
|
|
|
--no-interaction \
|
|
|
|
|
--mapping-groups=groups \
|
|
|
|
|
--group-provisioning=1 \
|
|
|
|
|
-vvv
|
|
|
|
|
'';
|
|
|
|
|
# TODO consider passing oauth consumer service to auth module instead
|
|
|
|
|
after = [ auth-passthru.oauth2-systemd-service ];
|
|
|
|
|
requires = [ auth-passthru.oauth2-systemd-service ];
|
|
|
|
|
};
|
|
|
|
|
services.kanidm.provision = {
|
|
|
|
|
groups = {
|
|
|
|
|
"${admins-group}".members = [ auth-passthru.admins-group ];
|
|
|
|
|
"${users-group}".members =
|
|
|
|
|
[ admins-group auth-passthru.full-users-group ];
|
2024-07-30 19:19:06 +03:00
|
|
|
};
|
2025-02-03 02:03:20 +04:00
|
|
|
systems.oauth2.${oauth-client-id} = {
|
|
|
|
|
displayName = "Nextcloud";
|
|
|
|
|
originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code";
|
|
|
|
|
originLanding = "https://${cfg.subdomain}.${domain}/";
|
|
|
|
|
basicSecretFile = kanidm-oauth-client-secret-fp;
|
|
|
|
|
# when true, name is passed to a service instead of name@domain
|
|
|
|
|
preferShortUsername = true;
|
|
|
|
|
allowInsecureClientDisablePkce = false;
|
|
|
|
|
scopeMaps.${users-group} = [ "email" "openid" "profile" ];
|
|
|
|
|
removeOrphanedClaimMaps = true;
|
|
|
|
|
claimMaps.groups = {
|
|
|
|
|
joinType = "array";
|
|
|
|
|
valuesByGroup.${admins-group} = [ "admin" ];
|
2025-01-24 16:27:48 +04:00
|
|
|
};
|
2023-11-15 22:26:04 +04:00
|
|
|
};
|
2025-02-03 02:03:20 +04:00
|
|
|
};
|
|
|
|
|
})
|
2025-01-24 16:27:48 +04:00
|
|
|
]);
|
2023-11-15 22:26:04 +04:00
|
|
|
}
|
