thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix gitea,nextcloud,roundcube: evaluate without auth module

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-24 16:27:48 +04:00
parent f795bc977f
commit 0c7a8d51b0
3 changed files with 490 additions and 454 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
sp-modules/gitea/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, options, pkgs, ... }:
let
sp = config.selfprivacy;
stateDir =
@@ -14,7 +14,7 @@ let
"gitea-light"
"gitea-dark"
];
is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
is-auth-enabled = sp.modules.auth.enable or false;
oauth-client-id = "forgejo";
auth-passthru = config.passthru.selfprivacy.auth;
oauth2-provider-name = auth-passthru.oauth2-provider-name;
@@ -189,7 +189,8 @@ in
};
};
config = lib.mkIf cfg.enable {
config = lib.mkIf cfg.enable (lib.mkMerge [
{
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/gitea" = {
device = "/volumes/${cfg.location}/gitea";
@@ -258,7 +259,51 @@ in
DISABLE_REGISTRATION = cfg.disableRegistration;
REQUIRE_SIGNIN_VIEW = cfg.requireSigninView;
};
} // lib.attrsets.optionalAttrs is-auth-enabled {
};
};
users.users.gitea = {
home = "${stateDir}";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
systemd = {
services.forgejo = {
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
serviceConfig = {
Slice = "gitea.slice";
};
};
slices.gitea = {
description = "Forgejo service slice";
};
};
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
services.forgejo.settings = {
auth.DISABLE_LOGIN_FORM = true;
service = {
DISABLE_REGISTRATION = cfg.disableRegistration;
@@ -287,43 +332,7 @@ in
NOTICE_ON_SUCCESS = true;
};
};
};
users.users.gitea = {
home = "${stateDir}";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = { };
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'' + lib.strings.optionalString is-auth-enabled ''
rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
# FIXME is it needed?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
systemd = {
services.forgejo = {
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/gitea";
serviceConfig = {
Slice = "gitea.slice";
};
systemd.services.forgejo = {
preStart =
let
exe = lib.getExe config.services.forgejo.package;
@@ -357,7 +366,7 @@ in
--auto-discover-url '${auth-passthru.oauth2-discovery-url oauth-client-id}'
'';
in
lib.mkIf is-auth-enabled (lib.mkAfter ''
lib.mkAfter ''
set -o xtrace
# Check if LDAP is already configured
@@ -379,30 +388,30 @@ in
else
${exe} admin auth add-oauth ${oauthConfigArgs}
fi
''
);
'';
# TODO consider passing oauth consumer service to auth module instead
requires = lib.mkIf is-auth-enabled
[ auth-passthru.oauth2-systemd-service ];
};
slices.gitea = {
description = "Forgejo service slice";
};
requires = [ auth-passthru.oauth2-systemd-service ];
};
# for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members =
lib.mkIf is-auth-enabled [ config.services.forgejo.group ];
users.groups.keys.members = [ config.services.forgejo.group ];
systemd.services.kanidm.serviceConfig.ExecStartPre =
lib.mkIf is-auth-enabled [
systemd.services.kanidm.serviceConfig.ExecStartPre = [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
systemd.services.kanidm.serviceConfig.ExecStartPost =
lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
services.kanidm.provision = lib.mkIf is-auth-enabled {
lib.mkAfter [ ("-" + kanidmExecStartPostScript) ];
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
extraConfig = lib.mkAfter ''
rewrite ^/user/login$ /user/oauth2/${oauth2-provider-name} last;
# FIXME is it needed?
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
services.kanidm.provision = {
groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
@@ -434,5 +443,7 @@ in
};
};
};
};
})
)
]);
}

224
sp-modules/nextcloud/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, options, pkgs, ... }:
let
inherit (import ./common.nix config)
admin-pass-filepath
@@ -11,7 +11,7 @@ let
hostName = "${cfg.subdomain}.${sp.domain}";
auth-passthru = config.passthru.selfprivacy.auth;
is-auth-enabled = config.selfprivacy.modules.auth.enable or false;
is-auth-enabled = sp.modules.nextcloud.enableSso;
cfg = sp.modules.nextcloud;
ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
@@ -104,6 +104,15 @@ in
type = "enable";
};
};
enableSso = (lib.mkOption {
default = false;
type = lib.types.bool;
description = "Enable SSO for Nextcloud";
}) // {
meta = {
type = "enable";
};
};
location = (lib.mkOption {
type = lib.types.str;
description = "Nextcloud location";
@@ -140,7 +149,9 @@ in
};
};
config = lib.mkIf sp.modules.nextcloud.enable {
# config = lib.mkIf sp.modules.nextcloud.enable
config = lib.mkIf sp.modules.nextcloud.enable (lib.mkMerge [
{
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${cfg.location}/nextcloud";
@@ -168,8 +179,109 @@ in
nextcloud-setup = {
serviceConfig.Slice = "nextcloud.slice";
serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
path = lib.mkIf is-auth-enabled [ pkgs.jq ];
script = lib.mkIf is-auth-enabled ''
};
kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
(lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
]);
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
# Use HTTPS for links
https = true;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
phpOptions.display_errors = "Off";
settings = {
# further forces Nextcloud to use HTTPS
overwriteprotocol = "https";
} // lib.attrsets.optionalAttrs is-auth-enabled {
loglevel = 0;
# log_type = "file";
social_login_auto_redirect = false;
allow_local_remote_servers = true;
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
allow_multiple_user_backends = false;
user_oidc = {
single_logout = true;
use_pkce = true;
auto_provision = true;
soft_auto_provision = true;
disable_account_creation = false;
};
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
# TODO review whether admin user is needed at all - admin group works
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
};
services.nginx.virtualHosts.${hostName} = {
useACMEHost = sp.domain;
forceSSL = true;
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
# # FIXME does not work
# rewrite ^/login$ /apps/user_oidc/login/1 last;
#'';
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
locations."~ \\.php(?:$|/)".extraConfig = ''
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
'';
};
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
systemd.services.nextcloud-setup = {
path = [ pkgs.jq ];
script = ''
set -o errexit
set -o nounset
${lib.strings.optionalString cfg.debug "set -o xtrace"}
@@ -266,104 +378,9 @@ in
-vvv
'';
# TODO consider passing oauth consumer service to auth module instead
requires = lib.mkIf is-auth-enabled
[ auth-passthru.oauth2-systemd-service ];
requires = [ auth-passthru.oauth2-systemd-service ];
};
kanidm.serviceConfig.ExecStartPre = lib.mkIf is-auth-enabled
(lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
]);
kanidm.serviceConfig.ExecStartPost = lib.mkIf is-auth-enabled
(lib.mkAfter [ ("-" + kanidmExecStartPostScript) ]);
nextcloud-cron.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-db.serviceConfig.Slice = "nextcloud.slice";
nextcloud-update-plugins.serviceConfig.Slice = "nextcloud.slice";
nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$databasePassword") \
${db-pass-filepath}
install -C -m 0440 -o nextcloud -g nextcloud -DT \
<(printf "%s\n" "$adminPassword") \
${admin-pass-filepath}
'';
};
};
slices.nextcloud = {
description = "Nextcloud service slice";
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
inherit hostName;
# Use HTTPS for links
https = true;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
phpOptions.display_errors = "Off";
settings = {
# further forces Nextcloud to use HTTPS
overwriteprotocol = "https";
} // lib.attrsets.optionalAttrs is-auth-enabled {
loglevel = 0;
# log_type = "file";
social_login_auto_redirect = false;
allow_local_remote_servers = true;
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
allow_multiple_user_backends = false;
user_oidc = {
single_logout = true;
use_pkce = true;
auto_provision = true;
soft_auto_provision = true;
disable_account_creation = false;
};
};
config = {
dbtype = "sqlite";
dbuser = "nextcloud";
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
# TODO review whether admin user is needed at all - admin group works
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
secretFile = lib.mkIf is-auth-enabled nextcloud-secret-file;
};
services.nginx.virtualHosts.${hostName} = {
useACMEHost = sp.domain;
forceSSL = true;
#locations."/".extraConfig = lib.mkIf is-auth-enabled ''
# # FIXME does not work
# rewrite ^/login$ /apps/user_oidc/login/1 last;
#'';
# show an error instead of a blank page on Nextcloud PHP/FastCGI error
locations."~ \\.php(?:$|/)".extraConfig = ''
error_page 500 502 503 504 ${pkgs.nginx}/html/50x.html;
'';
};
services.kanidm.provision = lib.mkIf is-auth-enabled {
services.kanidm.provision = {
groups = {
"${admins-group}".members = [ "sp.admins" ];
"${users-group}".members = [ admins-group ];
@@ -384,5 +401,6 @@ in
};
};
};
};
}))
]);
}

41
sp-modules/roundcube/module.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, options, pkgs, ... }:
let
domain = config.selfprivacy.domain;
cfg = config.selfprivacy.modules.roundcube;
@@ -48,7 +48,8 @@ in
};
};
config = lib.mkIf cfg.enable {
config = lib.mkIf cfg.enable (lib.mkMerge [
{
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
@@ -60,7 +61,22 @@ in
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'' + lib.strings.optionalString is-auth-enabled ''
'';
};
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
systemd.slices.roundcube.description = "Roundcube service slice";
}
# the following part is active only when "auth" module is enabled
(lib.attrsets.optionalAttrs
(options.selfprivacy.modules ? "auth")
(lib.mkIf is-auth-enabled {
services.roundcube.extraConfig = lib.mkAfter ''
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = '${auth-passthru.oauth2-provider-name}';
$config['oauth_client_id'] = '${oauth-client-id}';
@@ -76,25 +92,14 @@ in
$config['oauth_verify_peer'] = false; # FIXME
# $config['oauth_pkce'] = 'S256'; # FIXME
'';
};
services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
forceSSL = true;
useACMEHost = domain;
enableACME = false;
};
systemd.slices.roundcube.description = "Roundcube service slice";
systemd.services.kanidm = lib.mkIf is-auth-enabled {
systemd.services.kanidm = {
serviceConfig.ExecStartPre = lib.mkAfter [
("-+" + kanidmExecStartPreScriptRoot)
("-" + kanidmExecStartPreScript)
];
requires = [ auth-passthru.oauth2-systemd-service ];
};
services.kanidm.provision = lib.mkIf is-auth-enabled {
services.kanidm.provision = {
groups = {
"sp.roundcube.admins".members = [ "sp.admins" ];
"sp.roundcube.users".members = [ "sp.roundcube.admins" ];
@@ -117,5 +122,7 @@ in
removeOrphanedClaimMaps = true;
};
};
};
})
)
]);
}