fix gitea,nextcloud,roundcube: evaluate without auth module

2025-01-24 16:27:48 +04:00
parent f795bc977f
commit 0c7a8d51b0
3 changed files with 490 additions and 454 deletions
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
 let
  sp = config.selfprivacy;
  stateDir =
@@ -14,7 +14,7 @@ let
    "gitea-light"
    "gitea-dark"
  ];
-  is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
+  is-auth-enabled = sp.modules.auth.enable or false;
  oauth-client-id = "forgejo";
  auth-passthru = config.passthru.selfprivacy.auth;
  oauth2-provider-name = auth-passthru.oauth2-provider-name;
@@ -189,7 +189,8 @@ in
    };
  };
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      fileSystems = lib.mkIf sp.useBinds {
        "/var/lib/gitea" = {
          device = "/volumes/${cfg.location}/gitea";
@@ -258,7 +259,51 @@ in
            DISABLE_REGISTRATION = cfg.disableRegistration;
            REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
          };
-      } // lib.attrsets.optionalAttrs is-auth-enabled {
+        };
      };
      users.users.gitea = {
        home = "${stateDir}";
        useDefaultShell = true;
        group = "gitea";
        isSystemUser = true;
      };
      users.groups.gitea = { };
      services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
        useACMEHost = sp.domain;
        forceSSL = true;
        extraConfig = ''
          add_header Strict-Transport-Security $hsts_header;
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          add_header 'Referrer-Policy' 'origin-when-cross-origin';
          add_header X-Frame-Options DENY;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        '';
        locations = {
          "/" = {
            proxyPass = "http://127.0.0.1:3000";
          };
        };
      };
      systemd = {
        services.forgejo = {
          unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
          serviceConfig = {
            Slice = "gitea.slice";
          };
        };
        slices.gitea = {
          description = "Forgejo service slice";
        };
      };
    }
    # the following part is active only when "auth" module is enabled
    (lib.attrsets.optionalAttrs
      (options.selfprivacy.modules ? "auth")
      (lib.mkIf is-auth-enabled {
        services.forgejo.settings = {
          auth.DISABLE_LOGIN_FORM = true;
          service = {
            DISABLE_REGISTRATION = cfg.disableRegistration;
@@ -287,43 +332,7 @@ in
            NOTICE_ON_SUCCESS = true;
          };
        };
-    };
+        systemd.services.forgejo = {
    users.users.gitea = {
      home = "${stateDir}";
      useDefaultShell = true;
      group = "gitea";
      isSystemUser = true;
    };
    users.groups.gitea = { };
    services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
      useACMEHost = sp.domain;
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
      '' + lib.strings.optionalString is-auth-enabled ''
        rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
        # FIXME is it needed?
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      '';
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:3000";
        };
      };
    };
    systemd = {
      services.forgejo = {
        unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
        serviceConfig = {
          Slice = "gitea.slice";
        };
          preStart =
            let
              exe = lib.getExe config.services.forgejo.package;
@@ -357,7 +366,7 @@ in
                --auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
              '';
            in
-          lib.mkIf is-auth-enabled (lib.mkAfter ''
+            lib.mkAfter ''
              set -o xtrace
              # Check if LDAP is already configured
@@ -379,30 +388,30 @@ in
              else
                ${exe} admin auth add-oauth ${oauthConfigArgs}
              fi
-          ''
+            '';
          );
          # TODO consider passing oauth consumer service to auth module instead
-        requires = lib.mkIf is-auth-enabled
+          requires = [ auth-passthru.oauth2-systemd-service ];
          [ auth-passthru.oauth2-systemd-service ];
      };
      slices.gitea = {
        description = "Forgejo service slice";
      };
        };
        # for ExecStartPost script to have access to /run/keys/*
-    users.groups.keys.members =
+        users.groups.keys.members = [ config.services.forgejo.group ];
      lib.mkIf is-auth-enabled [ config.services.forgejo.group ];
-    systemd.services.kanidm.serviceConfig.ExecStartPre =
+        systemd.services.kanidm.serviceConfig.ExecStartPre = [
      lib.mkIf is-auth-enabled [
          ("-+" + kanidmExecStartPreScriptRoot)
          ("-" + kanidmExecStartPreScript)
        ];
        systemd.services.kanidm.serviceConfig.ExecStartPost =
-      lib.mkIf is-auth-enabled
+          lib.mkAfter [ ("-" + kanidmExecStartPostScript) ];
-        (lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
+
-    services.kanidm.provision = lib.mkIf is-auth-enabled {
+        services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
          extraConfig = lib.mkAfter ''
            rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
            # FIXME is it needed?
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
        services.kanidm.provision = {
          groups = {
            "${admins-group}".members = [ "sp.admins" ];
            "${users-group}".members = [ admins-group ];
@@ -434,5 +443,7 @@ in
            };
          };
        };
-  };
+      })
    )
  ]);
 }
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
 let
  inherit (import ./common.nix config)
    admin-pass-filepath
@@ -11,7 +11,7 @@ let
  hostName = "${cfg.subdomain}.${sp.domain}";
  auth-passthru = config.passthru.selfprivacy.auth;
-  is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
+  is-auth-enabled = sp.modules.nextcloud.enableSso;
  cfg = sp.modules.nextcloud;
  ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
@@ -104,6 +104,15 @@ in
        type = "enable";
      };
    };
    enableSso = (lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = "Enable SSO for Nextcloud";
    }) // {
      meta = {
        type = "enable";
      };
    };
    location = (lib.mkOption {
      type = lib.types.str;
      description = "Nextcloud location";
@@ -140,7 +149,9 @@ in
    };
  };
-  config = lib.mkIf sp.modules.nextcloud.enable {
+  # config = lib.mkIf sp.modules.nextcloud.enable
  config = lib.mkIf sp.modules.nextcloud.enable (lib.mkMerge [
    {
      fileSystems = lib.mkIf sp.useBinds {
        "/var/lib/nextcloud" = {
          device = "/volumes/${cfg.location}/nextcloud";
@@ -168,8 +179,109 @@ in
          nextcloud-setup = {
            serviceConfig.Slice = "nextcloud.slice";
            serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
-          path = lib.mkIf is-auth-enabled [ pkgs.jq ];
+          };
-          script = lib.mkIf is-auth-enabled ''
+          kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
            (lib.mkAfter [
              ("-+" + kanidmExecStartPreScriptRoot)
              ("-" + kanidmExecStartPreScript)
            ]);
          kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
            (lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
          nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
          nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
          nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
          nextcloud-secrets = {
            before = [ "nextcloud-setup.service" ];
            requiredBy = [ "nextcloud-setup.service" ];
            serviceConfig.Type = "oneshot";
            path = with pkgs; [ coreutils jq ];
            script = ''
              databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
              adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
              install -C -m 0440 -o nextcloud -g nextcloud -DT \
              <(printf "%s\n" "$databasePassword") \
              ${db-pass-filepath}
              install -C -m 0440 -o nextcloud -g nextcloud -DT \
              <(printf "%s\n" "$adminPassword") \
              ${admin-pass-filepath}
            '';
          };
        };
        slices.nextcloud = {
          description = "Nextcloud service slice";
        };
      };
      services.nextcloud = {
        enable = true;
        package = pkgs.nextcloud29;
        inherit hostName;
        # Use HTTPS for links
        https = true;
        # auto-update Nextcloud Apps
        autoUpdateApps.enable = true;
        # set what time makes sense for you
        autoUpdateApps.startAt = "05:00:00";
        phpOptions.display_errors = "Off";
        settings = {
          # further forces Nextcloud to use HTTPS
          overwriteprotocol = "https";
        } // lib.attrsets.optionalAttrs is-auth-enabled {
          loglevel = 0;
          # log_type = "file";
          social_login_auto_redirect = false;
          allow_local_remote_servers = true;
          allow_user_to_change_display_name = false;
          lost_password_link = "disabled";
          allow_multiple_user_backends = false;
          user_oidc = {
            single_logout = true;
            use_pkce = true;
            auto_provision = true;
            soft_auto_provision = true;
            disable_account_creation = false;
          };
        };
        config = {
          dbtype = "sqlite";
          dbuser = "nextcloud";
          dbname = "nextcloud";
          dbpassFile = db-pass-filepath;
          # TODO review whether admin user is needed at all - admin group works
          adminpassFile = admin-pass-filepath;
          adminuser = "admin";
        };
        secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
      };
      services.nginx.virtualHosts.${hostName} = {
        useACMEHost = sp.domain;
        forceSSL = true;
        #locations."/".extraConfig = lib.mkIf is-auth-enabled ''
        #  # FIXME does not work
        #  rewrite ^/login$ /apps/user_oidc/login/1 last;
        #'';
        # show an error instead of a blank page on Nextcloud PHP/FastCGI error
        locations."~ \\.php(?:$|/)".extraConfig = ''
          error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
        '';
      };
    }
    # the following part is active only when "auth" module is enabled
    (lib.attrsets.optionalAttrs
      (options.selfprivacy.modules ? "auth")
      (lib.mkIf is-auth-enabled {
        systemd.services.nextcloud-setup = {
          path = [ pkgs.jq ];
          script = ''
            set -o errexit
            set -o nounset
            ${lib.strings.optionalString cfg.debug "set -o xtrace"}
@@ -266,104 +378,9 @@ in
            -vvv
          '';
          # TODO consider passing oauth consumer service to auth module instead
-          requires = lib.mkIf is-auth-enabled
+          requires = [ auth-passthru.oauth2-systemd-service ];
            [ auth-passthru.oauth2-systemd-service ];
        };
-        kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
+        services.kanidm.provision = {
          (lib.mkAfter [
            ("-+" + kanidmExecStartPreScriptRoot)
            ("-" + kanidmExecStartPreScript)
          ]);
        kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
          (lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
        nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
        nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
        nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
        nextcloud-secrets = {
          before = [ "nextcloud-setup.service" ];
          requiredBy = [ "nextcloud-setup.service" ];
          serviceConfig.Type = "oneshot";
          path = with pkgs; [ coreutils jq ];
          script = ''
            databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
            adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
            install -C -m 0440 -o nextcloud -g nextcloud -DT \
            <(printf "%s\n" "$databasePassword") \
            ${db-pass-filepath}
            install -C -m 0440 -o nextcloud -g nextcloud -DT \
            <(printf "%s\n" "$adminPassword") \
            ${admin-pass-filepath}
          '';
        };
      };
      slices.nextcloud = {
        description = "Nextcloud service slice";
      };
    };
    services.nextcloud = {
      enable = true;
      package = pkgs.nextcloud29;
      inherit hostName;
      # Use HTTPS for links
      https = true;
      # auto-update Nextcloud Apps
      autoUpdateApps.enable = true;
      # set what time makes sense for you
      autoUpdateApps.startAt = "05:00:00";
      phpOptions.display_errors = "Off";
      settings = {
        # further forces Nextcloud to use HTTPS
        overwriteprotocol = "https";
      } // lib.attrsets.optionalAttrs is-auth-enabled {
        loglevel = 0;
        # log_type = "file";
        social_login_auto_redirect = false;
        allow_local_remote_servers = true;
        allow_user_to_change_display_name = false;
        lost_password_link = "disabled";
        allow_multiple_user_backends = false;
        user_oidc = {
          single_logout = true;
          use_pkce = true;
          auto_provision = true;
          soft_auto_provision = true;
          disable_account_creation = false;
        };
      };
      config = {
        dbtype = "sqlite";
        dbuser = "nextcloud";
        dbname = "nextcloud";
        dbpassFile = db-pass-filepath;
        # TODO review whether admin user is needed at all - admin group works
        adminpassFile = admin-pass-filepath;
        adminuser = "admin";
      };
      secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
    };
    services.nginx.virtualHosts.${hostName} = {
      useACMEHost = sp.domain;
      forceSSL = true;
      #locations."/".extraConfig = lib.mkIf is-auth-enabled ''
      #  # FIXME does not work
      #  rewrite ^/login$ /apps/user_oidc/login/1 last;
      #'';
      # show an error instead of a blank page on Nextcloud PHP/FastCGI error
      locations."~ \\.php(?:$|/)".extraConfig = ''
        error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
      '';
    };
    services.kanidm.provision = lib.mkIf is-auth-enabled {
          groups = {
            "${admins-group}".members = [ "sp.admins" ];
            "${users-group}".members = [ admins-group ];
@@ -384,5 +401,6 @@ in
            };
          };
        };
-  };
+      }))
  ]);
 }
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
 let
  domain = config.selfprivacy.domain;
  cfg = config.selfprivacy.modules.roundcube;
@@ -48,7 +48,8 @@ in
    };
  };
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      services.roundcube = {
        enable = true;
        # this is the url of the vhost, not necessarily the same as the fqdn of
@@ -60,7 +61,22 @@ in
          $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
          $config['smtp_user'] = "%u";
          $config['smtp_pass'] = "%p";
-      '' + lib.strings.optionalString is-auth-enabled ''
+        '';
      };
      services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
        forceSSL = true;
        useACMEHost = domain;
        enableACME = false;
      };
      systemd.slices.roundcube.description = "Roundcube service slice";
    }
    # the following part is active only when "auth" module is enabled
    (lib.attrsets.optionalAttrs
      (options.selfprivacy.modules ? "auth")
      (lib.mkIf is-auth-enabled {
        services.roundcube.extraConfig = lib.mkAfter ''
          $config['oauth_provider'] = 'generic';
          $config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
          $config['oauth_client_id'] = '${oauth-client-id}';
@@ -76,25 +92,14 @@ in
          $config['oauth_verify_peer'] = false; # FIXME
          # $config['oauth_pkce'] = 'S256'; # FIXME
        '';
-    };
+        systemd.services.kanidm = {
    services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      enableACME = false;
    };
    systemd.slices.roundcube.description = "Roundcube service slice";
    systemd.services.kanidm = lib.mkIf is-auth-enabled {
          serviceConfig.ExecStartPre = lib.mkAfter [
            ("-+" + kanidmExecStartPreScriptRoot)
            ("-" + kanidmExecStartPreScript)
          ];
          requires = [ auth-passthru.oauth2-systemd-service ];
        };
-
+        services.kanidm.provision = {
    services.kanidm.provision = lib.mkIf is-auth-enabled {
          groups = {
            "sp.roundcube.admins".members = [ "sp.admins" ];
            "sp.roundcube.users".members = [ "sp.roundcube.admins" ];
@@ -117,5 +122,7 @@ in
            removeOrphanedClaimMaps = true;
          };
        };
-  };
+      })
    )
  ]);
 }