thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix gitea,nextcloud,roundcube: evaluate without auth module

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-24 16:27:48 +04:00
parent f795bc977f
commit 0c7a8d51b0
3 changed files with 490 additions and 454 deletions
Download Patch File Download Diff File Expand all files Collapse all files

493
sp-modules/gitea/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, options, pkgs, ... }:
let let
sp = config.selfprivacy; sp = config.selfprivacy;
stateDir = stateDir =
@@ -14,7 +14,7 @@ let
"gitea-light" "gitea-light"
"gitea-dark" "gitea-dark"
]; ];
is-auth-enabled = config.selfprivacy.modules.auth.enable or false; is-auth-enabled = sp.modules.auth.enable or false;
oauth-client-id = "forgejo"; oauth-client-id = "forgejo";
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
oauth2-provider-name = auth-passthru.oauth2-provider-name; oauth2-provider-name = auth-passthru.oauth2-provider-name;
@@ -189,250 +189,261 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable (lib.mkMerge [
fileSystems = lib.mkIf sp.useBinds { {
"/var/lib/gitea" = { fileSystems = lib.mkIf sp.useBinds {
device = "/volumes/${cfg.location}/gitea"; "/var/lib/gitea" = {
options = [ "bind" ]; device = "/volumes/${cfg.location}/gitea";
}; options = [ "bind" ];
};
services.gitea.enable = false;
services.forgejo = {
enable = true;
package = pkgs.forgejo;
inherit stateDir;
user = "gitea";
group = "gitea";
database = {
type = "sqlite3";
host = "127.0.0.1";
name = "gitea";
user = "gitea";
path = "${stateDir}/data/gitea.db";
createDatabase = true;
};
# ssh = {
# enable = true;
# clonePort = 22;
# };
lfs = {
enable = cfg.enableLfs;
contentDir = "${stateDir}/lfs";
};
repositoryRoot = "${stateDir}/repositories";
# cookieSecure = true;
settings = {
DEFAULT = {
APP_NAME = "${cfg.appName}";
};
server = {
DOMAIN = "${cfg.subdomain}.${sp.domain}";
ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000;
};
mailer = {
ENABLED = false;
};
ui = {
DEFAULT_THEME = cfg.defaultTheme;
SHOW_USER_EMAIL = false;
};
picture = {
DISABLE_GRAVATAR = true;
};
admin = {
ENABLE_KANBAN_BOARD = true;
};
repository = {
FORCE_PRIVATE = cfg.forcePrivate;
};
session = {
COOKIE_SECURE = true;
};
log = {
ROOT_PATH = "${stateDir}/log";
LEVEL = if cfg.debug then "Warn" else "Trace";
};
service = {
DISABLE_REGISTRATION = cfg.disableRegistration;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
};
} // lib.attrsets.optionalAttrs is-auth-enabled {
auth.DISABLE_LOGIN_FORM = true;
service = {
DISABLE_REGISTRATION = cfg.disableRegistration;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_BASIC_AUTHENTICATION = false;
};
# disallow explore page and access to private repositories, but allow public
"service.explore".REQUIRE_SIGNIN_VIEW = true;
# TODO control via selfprivacy parameter
# "service.explore".DISABLE_USERS_PAGE = true;
oauth2_client = {
REDIRECT_URI = redirect-uri;
ACCOUNT_LINKING = "auto";
ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email openid profile";
};
# doesn't work if LDAP auth source is not active!
"cron.sync_external_users" = {
ENABLED = true;
RUN_AT_START = true;
NOTICE_ON_SUCCESS = true;
}; };
}; };
}; services.gitea.enable = false;
users.users.gitea = {
home = "${stateDir}";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'' + lib.strings.optionalString is-auth-enabled ''
rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
# FIXME is it needed?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
systemd = {
services.forgejo = { services.forgejo = {
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea"; enable = true;
serviceConfig = { package = pkgs.forgejo;
Slice = "gitea.slice"; inherit stateDir;
user = "gitea";
group = "gitea";
database = {
type = "sqlite3";
host = "127.0.0.1";
name = "gitea";
user = "gitea";
path = "${stateDir}/data/gitea.db";
createDatabase = true;
}; };
preStart = # ssh = {
let # enable = true;
exe = lib.getExe config.services.forgejo.package; # clonePort = 22;
# FIXME skip-tls-verify, bind-password # };
ldapConfigArgs = '' lfs = {
--name LDAP \ enable = cfg.enableLfs;
--active \ contentDir = "${stateDir}/lfs";
--security-protocol LDAPS \ };
--skip-tls-verify \ repositoryRoot = "${stateDir}/repositories";
--host '${auth-passthru.ldap-host}' \ # cookieSecure = true;
--port '${toString auth-passthru.ldap-port}' \ settings = {
--user-search-base '${auth-passthru.ldap-base-dn}' \ DEFAULT = {
--user-filter '(&(class=person)(memberof=${users-group})(name=%s))' \ APP_NAME = "${cfg.appName}";
--admin-filter '(&(class=person)(memberof=${admins-group}))' \ };
--username-attribute name \ server = {
--firstname-attribute name \ DOMAIN = "${cfg.subdomain}.${sp.domain}";
--surname-attribute displayname \ ROOT_URL = "https://${cfg.subdomain}.${sp.domain}/";
--email-attribute mail \ HTTP_ADDR = "0.0.0.0";
--public-ssh-key-attribute sshPublicKey \ HTTP_PORT = 3000;
--bind-dn 'dn=token' \ };
--bind-password "$(cat ${kanidm-service-account-token-fp})" \ mailer = {
--synchronize-users ENABLED = false;
};
ui = {
DEFAULT_THEME = cfg.defaultTheme;
SHOW_USER_EMAIL = false;
};
picture = {
DISABLE_GRAVATAR = true;
};
admin = {
ENABLE_KANBAN_BOARD = true;
};
repository = {
FORCE_PRIVATE = cfg.forcePrivate;
};
session = {
COOKIE_SECURE = true;
};
log = {
ROOT_PATH = "${stateDir}/log";
LEVEL = if cfg.debug then "Warn" else "Trace";
};
service = {
DISABLE_REGISTRATION = cfg.disableRegistration;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
};
};
};
users.users.gitea = {
home = "${stateDir}";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
systemd = {
services.forgejo = {
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
serviceConfig = {
Slice = "gitea.slice";
};
};
slices.gitea = {
description = "Forgejo service slice";
};
};
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
services.forgejo.settings = {
auth.DISABLE_LOGIN_FORM = true;
service = {
DISABLE_REGISTRATION = cfg.disableRegistration;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_BASIC_AUTHENTICATION = false;
};
# disallow explore page and access to private repositories, but allow public
"service.explore".REQUIRE_SIGNIN_VIEW = true;
# TODO control via selfprivacy parameter
# "service.explore".DISABLE_USERS_PAGE = true;
oauth2_client = {
REDIRECT_URI = redirect-uri;
ACCOUNT_LINKING = "auto";
ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email openid profile";
};
# doesn't work if LDAP auth source is not active!
"cron.sync_external_users" = {
ENABLED = true;
RUN_AT_START = true;
NOTICE_ON_SUCCESS = true;
};
};
systemd.services.forgejo = {
preStart =
let
exe = lib.getExe config.services.forgejo.package;
# FIXME skip-tls-verify, bind-password
ldapConfigArgs = ''
--name LDAP \
--active \
--security-protocol LDAPS \
--skip-tls-verify \
--host '${auth-passthru.ldap-host}' \
--port '${toString auth-passthru.ldap-port}' \
--user-search-base '${auth-passthru.ldap-base-dn}' \
--user-filter '(&(class=person)(memberof=${users-group})(name=%s))' \
--admin-filter '(&(class=person)(memberof=${admins-group}))' \
--username-attribute name \
--firstname-attribute name \
--surname-attribute displayname \
--email-attribute mail \
--public-ssh-key-attribute sshPublicKey \
--bind-dn 'dn=token' \
--bind-password "$(cat ${kanidm-service-account-token-fp})" \
--synchronize-users
'';
oauthConfigArgs = ''
--name "${oauth2-provider-name}" \
--provider openidConnect \
--key forgejo \
--secret "$(<${kanidm-oauth-client-secret-fp})" \
--group-claim-name groups \
--admin-group admins \
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
'';
in
lib.mkAfter ''
set -o xtrace
# Check if LDAP is already configured
ldap_line="$(${exe} admin auth list | grep LDAP | head -n 1)"
if [[ -n "$ldap_line" ]]; then
# update ldap config
id="$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-ldap --id "$id" ${ldapConfigArgs}
else
# initially configure ldap
${exe} admin auth add-ldap ${ldapConfigArgs}
fi
oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)"
if [[ -n "$oauth_line" ]]; then
id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs}
else
${exe} admin auth add-oauth ${oauthConfigArgs}
fi
''; '';
oauthConfigArgs = '' # TODO consider passing oauth consumer service to auth module instead
--name "${oauth2-provider-name}" \ requires = [ auth-passthru.oauth2-systemd-service ];
--provider openidConnect \
--key forgejo \
--secret "$(<${kanidm-oauth-client-secret-fp})" \
--group-claim-name groups \
--admin-group admins \
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
'';
in
lib.mkIf is-auth-enabled (lib.mkAfter ''
set -o xtrace
# Check if LDAP is already configured
ldap_line="$(${exe} admin auth list | grep LDAP | head -n 1)"
if [[ -n "$ldap_line" ]]; then
# update ldap config
id="$(echo "$ldap_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-ldap --id "$id" ${ldapConfigArgs}
else
# initially configure ldap
${exe} admin auth add-ldap ${ldapConfigArgs}
fi
oauth_line="$(${exe} admin auth list | grep "${oauth2-provider-name}" | head -n 1)"
if [[ -n "$oauth_line" ]]; then
id="$(echo "$oauth_line" | ${pkgs.gawk}/bin/awk '{print $1}')"
${exe} admin auth update-oauth --id "$id" ${oauthConfigArgs}
else
${exe} admin auth add-oauth ${oauthConfigArgs}
fi
''
);
# TODO consider passing oauth consumer service to auth module instead
requires = lib.mkIf is-auth-enabled
[ auth-passthru.oauth2-systemd-service ];
};
slices.gitea = {
description = "Forgejo service slice";
};
};
# for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members =
lib.mkIf is-auth-enabled [ config.services.forgejo.group ];
systemd.services.kanidm.serviceConfig.ExecStartPre =
lib.mkIf is-auth-enabled [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
systemd.services.kanidm.serviceConfig.ExecStartPost =
lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
services.kanidm.provision = lib.mkIf is-auth-enabled {
groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
originUrl = redirect-uri;
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = true;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"${users-group}" = [
"email"
"openid"
"profile"
];
}; };
removeOrphanedClaimMaps = true;
# NOTE https://github.com/oddlama/kanidm-provision/issues/15 # for ExecStartPost script to have access to /run/keys/*
# add more scopes when a user is a member of specific group users.groups.keys.members = [ config.services.forgejo.group ];
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
# supplementaryScopeMaps."${admins-group}" = systemd.services.kanidm.serviceConfig.ExecStartPre = [
# [ "read:admin" "write:admin" ]; ("-+" + kanidmExecStartPreScriptRoot)
claimMaps.groups = { ("-" + kanidmExecStartPreScript)
joinType = "array"; ];
valuesByGroup.${admins-group} = [ "admins" ]; systemd.services.kanidm.serviceConfig.ExecStartPost =
lib.mkAfter [ ("-" + kanidmExecStartPostScript) ];
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
extraConfig = lib.mkAfter ''
rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
# FIXME is it needed?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
}; };
};
}; services.kanidm.provision = {
}; groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
};
systems.oauth2.forgejo = {
displayName = "Forgejo";
originUrl = redirect-uri;
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = true;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"${users-group}" = [
"email"
"openid"
"profile"
];
};
removeOrphanedClaimMaps = true;
# NOTE https://github.com/oddlama/kanidm-provision/issues/15
# add more scopes when a user is a member of specific group
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
# supplementaryScopeMaps."${admins-group}" =
# [ "read:admin" "write:admin" ];
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admins" ];
};
};
};
})
)
]);
} }

308
sp-modules/nextcloud/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, options, pkgs, ... }:
let let
inherit (import ./common.nix config) inherit (import ./common.nix config)
admin-pass-filepath admin-pass-filepath
@@ -11,7 +11,7 @@ let
hostName = "${cfg.subdomain}.${sp.domain}"; hostName = "${cfg.subdomain}.${sp.domain}";
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
is-auth-enabled = config.selfprivacy.modules.auth.enable or false; is-auth-enabled = sp.modules.nextcloud.enableSso;
cfg = sp.modules.nextcloud; cfg = sp.modules.nextcloud;
ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}"; ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
@@ -104,6 +104,15 @@ in
type = "enable"; type = "enable";
}; };
}; };
enableSso = (lib.mkOption {
default = false;
type = lib.types.bool;
description = "Enable SSO for Nextcloud";
}) // {
meta = {
type = "enable";
};
};
location = (lib.mkOption { location = (lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "Nextcloud location"; description = "Nextcloud location";
@@ -140,36 +149,139 @@ in
}; };
}; };
config = lib.mkIf sp.modules.nextcloud.enable { # config = lib.mkIf sp.modules.nextcloud.enable
fileSystems = lib.mkIf sp.useBinds { config = lib.mkIf sp.modules.nextcloud.enable (lib.mkMerge [
"/var/lib/nextcloud" = { {
device = "/volumes/${cfg.location}/nextcloud"; fileSystems = lib.mkIf sp.useBinds {
options = [ "/var/lib/nextcloud" = {
"bind" device = "/volumes/${cfg.location}/nextcloud";
"x-systemd.required-by=nextcloud-setup.service" options = [
"x-systemd.required-by=nextcloud-secrets.service" "bind"
"x-systemd.before=nextcloud-setup.service" "x-systemd.required-by=nextcloud-setup.service"
"x-systemd.before=nextcloud-secrets.service" "x-systemd.required-by=nextcloud-secrets.service"
]; "x-systemd.before=nextcloud-setup.service"
"x-systemd.before=nextcloud-secrets.service"
];
};
}; };
};
# for ExecStartPost script to have access to /run/keys/* # for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members = users.groups.keys.members =
lib.mkIf is-auth-enabled [ nextcloud-setup-group ]; lib.mkIf is-auth-enabled [ nextcloud-setup-group ];
# not needed, due to turnOffCertCheck=1 in used_ldap # not needed, due to turnOffCertCheck=1 in used_ldap
# users.groups.${config.security.acme.certs.${domain}.group}.members = # users.groups.${config.security.acme.certs.${domain}.group}.members =
# [ config.services.phpfpm.pools.nextcloud.user ]; # [ config.services.phpfpm.pools.nextcloud.user ];
systemd = { systemd = {
services = { services = {
phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice"; phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
nextcloud-setup = { nextcloud-setup = {
serviceConfig.Slice = "nextcloud.slice"; serviceConfig.Slice = "nextcloud.slice";
serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group; serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
path = lib.mkIf is-auth-enabled [ pkgs.jq ]; };
script = lib.mkIf is-auth-enabled '' kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
(lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
]);
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
# Use HTTPS for links
https = true;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
phpOptions.display_errors = "Off";
settings = {
# further forces Nextcloud to use HTTPS
overwriteprotocol = "https";
} // lib.attrsets.optionalAttrs is-auth-enabled {
loglevel = 0;
# log_type = "file";
social_login_auto_redirect = false;
allow_local_remote_servers = true;
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
allow_multiple_user_backends = false;
user_oidc = {
single_logout = true;
use_pkce = true;
auto_provision = true;
soft_auto_provision = true;
disable_account_creation = false;
};
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
# TODO review whether admin user is needed at all - admin group works
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
};
services.nginx.virtualHosts.${hostName} = {
useACMEHost = sp.domain;
forceSSL = true;
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
# # FIXME does not work
# rewrite ^/login$ /apps/user_oidc/login/1 last;
#'';
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
locations."~ \\.php(?:$|/)".extraConfig = ''
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
'';
};
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
systemd.services.nextcloud-setup = {
path = [ pkgs.jq ];
script = ''
set -o errexit set -o errexit
set -o nounset set -o nounset
${lib.strings.optionalString cfg.debug "set -o xtrace"} ${lib.strings.optionalString cfg.debug "set -o xtrace"}
@@ -266,123 +378,29 @@ in
-vvv -vvv
''; '';
# TODO consider passing oauth consumer service to auth module instead # TODO consider passing oauth consumer service to auth module instead
requires = lib.mkIf is-auth-enabled requires = [ auth-passthru.oauth2-systemd-service ];
[ auth-passthru.oauth2-systemd-service ];
}; };
kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled services.kanidm.provision = {
(lib.mkAfter [ groups = {
("-+" + kanidmExecStartPreScriptRoot) "${admins-group}".members = [ "sp.admins" ];
("-" + kanidmExecStartPreScript) "${users-group}".members = [ admins-group ];
]); };
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled systems.oauth2.${oauth-client-id} = {
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]); displayName = "Nextcloud";
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice"; originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice"; originLanding = "https://${cfg.subdomain}.${domain}/";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice"; basicSecretFile = kanidm-oauth-client-secret-fp;
nextcloud-secrets = { # when true, name is passed to a service instead of name@domain
before = [ "nextcloud-setup.service" ]; preferShortUsername = true;
requiredBy = [ "nextcloud-setup.service" ]; allowInsecureClientDisablePkce = false;
serviceConfig.Type = "oneshot"; scopeMaps.${users-group} = [ "email" "openid" "profile" ];
path = with pkgs; [ coreutils jq ]; removeOrphanedClaimMaps = true;
script = '' claimMaps.groups = {
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath}) joinType = "array";
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath}) valuesByGroup.${admins-group} = [ "admin" ];
};
install -C -m 0440 -o nextcloud -g nextcloud -DT \ };
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
}; };
}; }))
slices.nextcloud = { ]);
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
# Use HTTPS for links
https = true;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
phpOptions.display_errors = "Off";
settings = {
# further forces Nextcloud to use HTTPS
overwriteprotocol = "https";
} // lib.attrsets.optionalAttrs is-auth-enabled {
loglevel = 0;
# log_type = "file";
social_login_auto_redirect = false;
allow_local_remote_servers = true;
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
allow_multiple_user_backends = false;
user_oidc = {
single_logout = true;
use_pkce = true;
auto_provision = true;
soft_auto_provision = true;
disable_account_creation = false;
};
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
# TODO review whether admin user is needed at all - admin group works
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
};
services.nginx.virtualHosts.${hostName} = {
useACMEHost = sp.domain;
forceSSL = true;
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
# # FIXME does not work
# rewrite ^/login$ /apps/user_oidc/login/1 last;
#'';
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
locations."~ \\.php(?:$|/)".extraConfig = ''
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
'';
};
services.kanidm.provision = lib.mkIf is-auth-enabled {
groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
};
systems.oauth2.${oauth-client-id} = {
displayName = "Nextcloud";
originUrl = "https://${cfg.subdomain}.${domain}/apps/user_oidc/code";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = true;
allowInsecureClientDisablePkce = false;
scopeMaps.${users-group} = [ "email" "openid" "profile" ];
removeOrphanedClaimMaps = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup.${admins-group} = [ "admin" ];
};
};
};
};
} }

143
sp-modules/roundcube/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, options, pkgs, ... }:
let let
domain = config.selfprivacy.domain; domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.roundcube; cfg = config.selfprivacy.modules.roundcube;
@@ -48,74 +48,81 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable (lib.mkMerge [
services.roundcube = { {
enable = true; services.roundcube = {
# this is the url of the vhost, not necessarily the same as the fqdn of enable = true;
# the mailserver # this is the url of the vhost, not necessarily the same as the fqdn of
hostName = "${cfg.subdomain}.${config.selfprivacy.domain}"; # the mailserver
extraConfig = '' hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
# starttls needed for authentication, so the fqdn required to match extraConfig = ''
# the certificate # starttls needed for authentication, so the fqdn required to match
$config['smtp_host'] = "tls://${config.mailserver.fqdn}"; # the certificate
$config['smtp_user'] = "%u"; $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_pass'] = "%p"; $config['smtp_user'] = "%u";
'' + lib.strings.optionalString is-auth-enabled '' $config['smtp_pass'] = "%p";
$config['oauth_provider'] = 'generic'; '';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_client_id'] = '${oauth-client-id}';
$config['oauth_client_secret'] = "$(<${kanidm-oauth-client-secret-fp})";
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
$config['oauth_scope'] = 'email profile openid'; # FIXME
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
$config['auto_create_user'] = true;
$config['oauth_verify_peer'] = false; # FIXME
# $config['oauth_pkce'] = 'S256'; # FIXME
'';
};
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
systemd.slices.roundcube.description = "Roundcube service slice";
systemd.services.kanidm = lib.mkIf is-auth-enabled {
serviceConfig.ExecStartPre = lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
requires = [ auth-passthru.oauth2-systemd-service ];
};
services.kanidm.provision = lib.mkIf is-auth-enabled {
groups = {
"sp.roundcube.admins".members = [ "sp.admins" ];
"sp.roundcube.users".members = [ "sp.roundcube.admins" ];
}; };
systems.oauth2.roundcube = {
displayName = "Roundcube"; services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth"; forceSSL = true;
originLanding = "https://${cfg.subdomain}.${domain}/"; useACMEHost = domain;
basicSecretFile = kanidm-oauth-client-secret-fp; enableACME = false;
# when true, name is passed to a service instead of name@domain };
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed? systemd.slices.roundcube.description = "Roundcube service slice";
scopeMaps = { }
"sp.roundcube.users" = [ # the following part is active only when "auth" module is enabled
"email" (lib.attrsets.optionalAttrs
"openid" (options.selfprivacy.modules ? "auth")
"profile" (lib.mkIf is-auth-enabled {
services.roundcube.extraConfig = lib.mkAfter ''
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_client_id'] = '${oauth-client-id}';
$config['oauth_client_secret'] = "$(<${kanidm-oauth-client-secret-fp})";
$config['oauth_auth_uri'] = 'https://${auth-fqdn}/ui/oauth2';
$config['oauth_token_uri'] = 'https://${auth-fqdn}/oauth2/token';
$config['oauth_identity_uri'] = 'https://${auth-fqdn}/oauth2/openid/${oauth-client-id}/userinfo';
$config['oauth_scope'] = 'email profile openid'; # FIXME
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
$config['auto_create_user'] = true;
$config['oauth_verify_peer'] = false; # FIXME
# $config['oauth_pkce'] = 'S256'; # FIXME
'';
systemd.services.kanidm = {
serviceConfig.ExecStartPre = lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
]; ];
requires = [ auth-passthru.oauth2-systemd-service ];
}; };
removeOrphanedClaimMaps = true; services.kanidm.provision = {
}; groups = {
}; "sp.roundcube.admins".members = [ "sp.admins" ];
}; "sp.roundcube.users".members = [ "sp.roundcube.admins" ];
};
systems.oauth2.roundcube = {
displayName = "Roundcube";
originUrl = "https://${cfg.subdomain}.${domain}/index.php/login/oauth";
originLanding = "https://${cfg.subdomain}.${domain}/";
basicSecretFile = kanidm-oauth-client-secret-fp;
# when true, name is passed to a service instead of name@domain
preferShortUsername = false;
allowInsecureClientDisablePkce = true; # FIXME is it needed?
scopeMaps = {
"sp.roundcube.users" = [
"email"
"openid"
"profile"
];
};
removeOrphanedClaimMaps = true;
};
};
})
)
]);
} }