thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix gitea,nextcloud,roundcube: evaluate without auth module

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-24 16:27:48 +04:00
parent f795bc977f
commit 0c7a8d51b0
3 changed files with 490 additions and 454 deletions
Download Patch File Download Diff File Expand all files Collapse all files

308
sp-modules/nextcloud/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, options, pkgs, ... }:
let
inherit (import ./common.nix config)
admin-pass-filepath
@@ -11,7 +11,7 @@ let
hostName = "${cfg.subdomain}.${sp.domain}";
auth-passthru = config.passthru.selfprivacy.auth;
is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
is-auth-enabled = sp.modules.nextcloud.enableSso;
cfg = sp.modules.nextcloud;
ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
@@ -104,6 +104,15 @@ in
type = "enable";
};
};
enableSso = (lib.mkOption {
default = false;
type = lib.types.bool;
description = "Enable SSO for Nextcloud";
}) // {
meta = {
type = "enable";
};
};
location = (lib.mkOption {
type = lib.types.str;
description = "Nextcloud location";
@@ -140,36 +149,139 @@ in
};
};
config = lib.mkIf sp.modules.nextcloud.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${cfg.location}/nextcloud";
options = [
"bind"
"x-systemd.required-by=nextcloud-setup.service"
"x-systemd.required-by=nextcloud-secrets.service"
"x-systemd.before=nextcloud-setup.service"
"x-systemd.before=nextcloud-secrets.service"
];
# config = lib.mkIf sp.modules.nextcloud.enable
config = lib.mkIf sp.modules.nextcloud.enable (lib.mkMerge [
{
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${cfg.location}/nextcloud";
options = [
"bind"
"x-systemd.required-by=nextcloud-setup.service"
"x-systemd.required-by=nextcloud-secrets.service"
"x-systemd.before=nextcloud-setup.service"
"x-systemd.before=nextcloud-secrets.service"
];
};
};
};
# for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members =
lib.mkIf is-auth-enabled [ nextcloud-setup-group ];
# for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members =
lib.mkIf is-auth-enabled [ nextcloud-setup-group ];
# not needed, due to turnOffCertCheck=1 in used_ldap
# users.groups.${config.security.acme.certs.${domain}.group}.members =
# [ config.services.phpfpm.pools.nextcloud.user ];
# not needed, due to turnOffCertCheck=1 in used_ldap
# users.groups.${config.security.acme.certs.${domain}.group}.members =
# [ config.services.phpfpm.pools.nextcloud.user ];
systemd = {
services = {
phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
nextcloud-setup = {
serviceConfig.Slice = "nextcloud.slice";
serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
path = lib.mkIf is-auth-enabled [ pkgs.jq ];
script = lib.mkIf is-auth-enabled ''
systemd = {
services = {
phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
nextcloud-setup = {
serviceConfig.Slice = "nextcloud.slice";
serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
};
kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
(lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
]);
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
# Use HTTPS for links
https = true;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
phpOptions.display_errors = "Off";
settings = {
# further forces Nextcloud to use HTTPS
overwriteprotocol = "https";
} // lib.attrsets.optionalAttrs is-auth-enabled {
loglevel = 0;
# log_type = "file";
social_login_auto_redirect = false;
allow_local_remote_servers = true;
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
allow_multiple_user_backends = false;
user_oidc = {
single_logout = true;
use_pkce = true;
auto_provision = true;
soft_auto_provision = true;
disable_account_creation = false;
};
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
# TODO review whether admin user is needed at all - admin group works
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
};
services.nginx.virtualHosts.${hostName} = {
useACMEHost = sp.domain;
forceSSL = true;
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
# # FIXME does not work
# rewrite ^/login$ /apps/user_oidc/login/1 last;
#'';
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
locations."~ \\.php(?:$|/)".extraConfig = ''
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
'';
};
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
systemd.services.nextcloud-setup = {
path = [ pkgs.jq ];
script = ''
set -o errexit
set -o nounset
${lib.strings.optionalString cfg.debug "set -o xtrace"}
@@ -266,123 +378,29 @@ in
-vvv
'';
# TODO consider passing oauth consumer service to auth module instead
requires = lib.mkIf is-auth-enabled
[ auth-passthru.oauth2-systemd-service ];
requires = [ auth-passthru.oauth2-systemd-service ];
};
kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
(lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
]);
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
services.kanidm.provision = {
groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
};
systems.oauth2.${oauth-client-id} = {
displayName = "Nextcloud";
originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = true;
allowInsecureClientDisablePkce = false;
scopeMaps.${users-group} = [ "email" "openid" "profile" ];
removeOrphanedClaimMaps = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admin" ];
};
};
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
# Use HTTPS for links
https = true;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
phpOptions.display_errors = "Off";
settings = {
# further forces Nextcloud to use HTTPS
overwriteprotocol = "https";
} // lib.attrsets.optionalAttrs is-auth-enabled {
loglevel = 0;
# log_type = "file";
social_login_auto_redirect = false;
allow_local_remote_servers = true;
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
allow_multiple_user_backends = false;
user_oidc = {
single_logout = true;
use_pkce = true;
auto_provision = true;
soft_auto_provision = true;
disable_account_creation = false;
};
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
# TODO review whether admin user is needed at all - admin group works
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
};
services.nginx.virtualHosts.${hostName} = {
useACMEHost = sp.domain;
forceSSL = true;
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
# # FIXME does not work
# rewrite ^/login$ /apps/user_oidc/login/1 last;
#'';
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
locations."~ \\.php(?:$|/)".extraConfig = ''
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
'';
};
services.kanidm.provision = lib.mkIf is-auth-enabled {
groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
};
systems.oauth2.${oauth-client-id} = {
displayName = "Nextcloud";
originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = true;
allowInsecureClientDisablePkce = false;
scopeMaps.${users-group} = [ "email" "openid" "profile" ];
removeOrphanedClaimMaps = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admin" ];
};
};
};
};
}))
]);
}