thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nextcloud: disableMaintenanceModeAtStart option

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-04-29 01:24:44 +04:00
parent 3a84cc7ed4
commit 8e924d3aaf
1 changed files with 107 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

194
sp-modules/nextcloud/module.nix
View File

@@ -93,6 +93,16 @@ in
weight = 4; weight = 4;
}; };
}; };
disableMaintenanceModeAtStart = (lib.mkOption {
type = types.bool;
default = false;
description = "Disable maintenance mode at Nextcloud service startup";
}) // {
meta = {
type = "bool";
weight = 5;
};
};
}; };
# config = lib.mkIf sp.modules.nextcloud.enable # config = lib.mkIf sp.modules.nextcloud.enable
@@ -222,109 +232,119 @@ in
# the following part is active only when "auth" module is enabled # the following part is active only when "auth" module is enabled
(lib.mkIf is-auth-enabled { (lib.mkIf is-auth-enabled {
systemd.services.nextcloud-setup = { systemd.services.nextcloud-setup = {
serviceConfig = {
Restart = "on-failure";
RestartSec = "60";
};
path = [ pkgs.jq ]; path = [ pkgs.jq ];
script = '' script = lib.mkMerge [
set -o errexit (lib.strings.optionalString cfg.disableMaintenanceModeAtStart (
set -o nounset lib.mkBefore "${occ} maintenance:mode --no-interaction --off"
${lib.strings.optionalString cfg.debug "set -o xtrace"} ))
''
set -o errexit
set -o nounset
${lib.strings.optionalString cfg.debug "set -o xtrace"}
${occ} app:install user_ldap || : ${occ} app:install user_ldap || :
${occ} app:enable user_ldap ${occ} app:enable user_ldap
# The following code tries to match an existing config or creates a new one. # The following code tries to match an existing config or creates a new one.
# The criteria for matching is the ldapHost value. # The criteria for matching is the ldapHost value.
# remove broken link after previous nextcloud (un)installation # remove broken link after previous nextcloud (un)installation
[[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \ [[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \
rm -v "${override-config-fp}" rm -v "${override-config-fp}"
ALL_CONFIG="$(${occ} ldap:show-config --output=json)" ALL_CONFIG="$(${occ} ldap:show-config --output=json)"
MATCHING_CONFIG_IDs="$(jq '[to_entries[] | select(.value.ldapHost=="${ldap_scheme_and_host}") | .key]' <<<"$ALL_CONFIG")" MATCHING_CONFIG_IDs="$(jq '[to_entries[] | select(.value.ldapHost=="${ldap_scheme_and_host}") | .key]' <<<"$ALL_CONFIG")"
if [[ $(jq 'length' <<<"$MATCHING_CONFIG_IDs") > 0 ]]; then if [[ $(jq 'length' <<<"$MATCHING_CONFIG_IDs") > 0 ]]; then
CONFIG_ID="$(jq --raw-output '.[0]' <<<"$MATCHING_CONFIG_IDs")" CONFIG_ID="$(jq --raw-output '.[0]' <<<"$MATCHING_CONFIG_IDs")"
else else
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)" CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
fi fi
echo "Using configId $CONFIG_ID" echo "Using configId $CONFIG_ID"
# The following CLI commands follow # The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way # https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
# StartTLS is not supported in Kanidm due to security risks, whereas # StartTLS is not supported in Kanidm due to security risks, whereas
# user_ldap doesn't support SASL. Importing certificate doesn't # user_ldap doesn't support SASL. Importing certificate doesn't
# help: # help:
# ${occ} security:certificates:import "${config.security.acme.certs.${domain}.directory}/cert.pem" # ${occ} security:certificates:import "${config.security.acme.certs.${domain}.directory}/cert.pem"
${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1' ${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1'
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' '${ldap_scheme_and_host}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' '${ldap_scheme_and_host}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token' ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${serviceAccountTokenFP})" ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${serviceAccountTokenFP})"
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' '${auth-passthru.ldap-base-dn}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' '${auth-passthru.ldap-base-dn}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' '${auth-passthru.ldap-base-dn}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' '${auth-passthru.ldap-base-dn}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' '${auth-passthru.ldap-base-dn}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' '${auth-passthru.ldap-base-dn}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' 'mail' ${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' 'mail'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
'(&(class=group)(${wildcardGroup})' '(&(class=group)(${wildcardGroup})'
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
'(&(class=group)(${wildcardGroup}))' '(&(class=group)(${wildcardGroup}))'
# ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \ # ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
# 'groupOfUniqueNames' # 'groupOfUniqueNames'
# ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \ # ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
# 'uniqueMember' # 'uniqueMember'
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
'(&(class=person)(memberof=${usersGroup})(uid=%uid))' '(&(class=person)(memberof=${usersGroup})(uid=%uid))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
'uid' 'uid'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
'displayname' 'displayname'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
'(&(class=person)(memberof=${usersGroup})(name=%s))' '(&(class=person)(memberof=${usersGroup})(name=%s))'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
'1' '1'
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
'person' 'person'
${occ} ldap:test-config -- "$CONFIG_ID" ${occ} ldap:test-config -- "$CONFIG_ID"
# delete all configs except "$CONFIG_ID" # delete all configs except "$CONFIG_ID"
for configid in $(jq --raw-output "keys[] | select(. != \"$CONFIG_ID\")" <<<"$ALL_CONFIG"); do for configid in $(jq --raw-output "keys[] | select(. != \"$CONFIG_ID\")" <<<"$ALL_CONFIG"); do
echo "Deactivating $configid" echo "Deactivating $configid"
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' '0' ${occ} ldap:set-config "$configid" 'ldapConfigurationActive' '0'
echo "Deactivated $configid" echo "Deactivated $configid"
echo "Deleting $configid" echo "Deleting $configid"
${occ} ldap:delete-config "$configid" ${occ} ldap:delete-config "$configid"
echo "Deleted $configid" echo "Deleted $configid"
done done
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' '1' ${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' '1'
############################################################################ ############################################################################
# OIDC app # OIDC app
############################################################################ ############################################################################
${occ} app:install user_oidc || : ${occ} app:install user_oidc || :
${occ} app:enable user_oidc ${occ} app:enable user_oidc
${occ} user_oidc:provider ${auth-passthru.oauth2-provider-name} \ ${occ} user_oidc:provider ${auth-passthru.oauth2-provider-name} \
--clientid="${oauthClientID}" \ --clientid="${oauthClientID}" \
--clientsecret="$(<${oauthClientSecretFP})" \ --clientsecret="$(<${oauthClientSecretFP})" \
--discoveryuri="${auth-passthru.oauth2-discovery-url "nextcloud"}" \ --discoveryuri="${auth-passthru.oauth2-discovery-url "nextcloud"}" \
--unique-uid=0 \ --unique-uid=0 \
--scope="email openid profile" \ --scope="email openid profile" \
--mapping-uid=preferred_username \ --mapping-uid=preferred_username \
--no-interaction \ --no-interaction \
--mapping-groups=groups \ --mapping-groups=groups \
--group-provisioning=1 \ --group-provisioning=1 \
-vvv -vvv
'' + lib.optionalString deleteNextcloudAdmin '' ''
if [[ ! -f /var/lib/nextcloud/.admin-user-deleted ]]; then (lib.optionalString deleteNextcloudAdmin ''
${occ} user:delete admin if [[ ! -f /var/lib/nextcloud/.admin-user-deleted ]]; then
touch /var/lib/nextcloud/.admin-user-deleted ${occ} user:delete admin
fi touch /var/lib/nextcloud/.admin-user-deleted
''; fi
'')
];
}; };
selfprivacy.auth.clients."${oauthClientID}" = { selfprivacy.auth.clients."${oauthClientID}" = {
inherit adminsGroup usersGroup; inherit adminsGroup usersGroup;