thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix nextcloud: get rid of extra user_ldap configs; other fixes

Browse Source
This commit is contained in:
Alexander Tomokhov
2025-01-17 15:04:08 +04:00
parent 56fe5690c1
commit f43ec2686d
3 changed files with 32 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sp-modules/nextcloud/cleanup-module.nix
View File

@@ -19,7 +19,7 @@ in
'' ''
rm -f -v ${db-pass-filepath} rm -f -v ${db-pass-filepath}
rm -f -v ${admin-pass-filepath} rm -f -v ${admin-pass-filepath}
[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ] && \ [[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \
rm -v "${override-config-fp}" rm -v "${override-config-fp}"
''; '';
}; };

2
sp-modules/nextcloud/config-paths-needed.json
View File

@@ -1,11 +1,13 @@
[ [
[ "passthru", "selfprivacy", "auth" ], [ "passthru", "selfprivacy", "auth" ],
[ "security", "acme", "certs" ],
[ "selfprivacy", "domain" ], [ "selfprivacy", "domain" ],
[ "selfprivacy", "modules", "auth", "enable" ], [ "selfprivacy", "modules", "auth", "enable" ],
[ "selfprivacy", "modules", "nextcloud" ], [ "selfprivacy", "modules", "nextcloud" ],
[ "selfprivacy", "useBinds" ], [ "selfprivacy", "useBinds" ],
[ "services", "nextcloud" ], [ "services", "nextcloud" ],
[ "services", "phpfpm", "pools", "nextcloud", "group" ], [ "services", "phpfpm", "pools", "nextcloud", "group" ],
[ "services", "phpfpm", "pools", "nextcloud", "user" ],
[ "systemd", "services", "nextcloud" ], [ "systemd", "services", "nextcloud" ],
[ "systemd", "services", "nextcloud-setup" ] [ "systemd", "services", "nextcloud-setup" ]
] ]

48
sp-modules/nextcloud/module.nix
View File

@@ -8,14 +8,15 @@ let
secrets-filepath secrets-filepath
sp sp
; ;
hostName = "${cfg.subdomain}.${sp.domain}"; hostName = "${cfg.subdomain}.${sp.domain}";
auth-passthru = config.passthru.selfprivacy.auth; auth-passthru = config.passthru.selfprivacy.auth;
is-auth-enabled = config.selfprivacy.modules.auth.enable; is-auth-enabled = config.selfprivacy.modules.auth.enable;
cfg = sp.modules.nextcloud;
ldap_scheme_and_host = "ldaps://${auth-passthru.ldap-host}";
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
cfg = sp.modules.nextcloud;
nextcloud-secret-file = "/var/lib/nextcloud/secrets.json"; nextcloud-secret-file = "/var/lib/nextcloud/secrets.json";
nextcloud-setup-group = nextcloud-setup-group =
config.systemd.services.nextcloud-setup.serviceConfig.Group; config.systemd.services.nextcloud-setup.serviceConfig.Group;
@@ -152,9 +153,15 @@ in
]; ];
}; };
}; };
# for ExecStartPost script to have access to /run/keys/* # for ExecStartPost script to have access to /run/keys/*
users.groups.keys.members = users.groups.keys.members =
lib.mkIf is-auth-enabled [ nextcloud-setup-group ]; lib.mkIf is-auth-enabled [ nextcloud-setup-group ];
# not needed, due to turnOffCertCheck=1 in used_ldap
# users.groups.${config.security.acme.certs.${domain}.group}.members =
# [ config.services.phpfpm.pools.nextcloud.user ];
systemd = { systemd = {
services = { services = {
phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice"; phpfpm-nextcloud.serviceConfig.Slice = lib.mkForce "nextcloud.slice";
@@ -163,6 +170,8 @@ in
serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group; serviceConfig.Group = config.services.phpfpm.pools.nextcloud.group;
path = lib.mkIf is-auth-enabled [ pkgs.jq ]; path = lib.mkIf is-auth-enabled [ pkgs.jq ];
script = lib.mkIf is-auth-enabled '' script = lib.mkIf is-auth-enabled ''
set -o errexit
set -o nounset
${lib.strings.optionalString cfg.debug "set -o xtrace"} ${lib.strings.optionalString cfg.debug "set -o xtrace"}
${occ} app:install user_ldap || : ${occ} app:install user_ldap || :
@@ -172,15 +181,14 @@ in
# The criteria for matching is the ldapHost value. # The criteria for matching is the ldapHost value.
# remove broken link after previous nextcloud (un)installation # remove broken link after previous nextcloud (un)installation
[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ] && \ [[ ! -f "${override-config-fp}" && -L "${override-config-fp}" ]] && \
rm -v "${override-config-fp}" rm -v "${override-config-fp}"
ALL_CONFIG="$(${occ} ldap:show-config --output=json --show-password)" ALL_CONFIG="$(${occ} ldap:show-config --output=json)"
# TODO investigate this! MATCHING_CONFIG_IDs="$(jq '[to_entries[] | select(.value.ldapHost=="${ldap_scheme_and_host}") | .key]' <<<"$ALL_CONFIG")"
MATCHING_CONFIG_IDs="$(echo "$ALL_CONFIG" | jq '[to_entries[] | select(.value.ldapHost=="${auth-passthru.ldap-host}") | .key]')" if [[ $(jq 'length' <<<"$MATCHING_CONFIG_IDs") > 0 ]]; then
if [[ $(echo "$MATCHING_CONFIG_IDs" | jq 'length') > 0 ]]; then CONFIG_ID="$(jq --raw-output '.[0]' <<<"$MATCHING_CONFIG_IDs")"
CONFIG_ID="$(echo "$MATCHING_CONFIG_IDs" | jq --raw-output '.[0]')"
else else
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)" CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
fi fi
@@ -190,10 +198,13 @@ in
# The following CLI commands follow # The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way # https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
# FIXME # StartTLS is not supported in Kanidm due to security risks, whereas
# user_ldap doesn't support SASL. Importing certificate doesn't
# help:
# ${occ} security:certificates:import "${config.security.acme.certs.${domain}.directory}/cert.pem"
${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1' ${occ} ldap:set-config "$CONFIG_ID" 'turnOffCertCheck' '1'
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' 'ldaps://${auth-passthru.ldap-host}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' '${ldap_scheme_and_host}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}' ${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' '${toString auth-passthru.ldap-port}'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token' ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' 'dn=token'
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${kanidm-service-account-token-fp})" ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' "$(<${kanidm-service-account-token-fp})"
@@ -224,18 +235,17 @@ in
${occ} ldap:test-config -- "$CONFIG_ID" ${occ} ldap:test-config -- "$CONFIG_ID"
# Only one active at the same time # delete all configs except "$CONFIG_ID"
for configid in $(jq --raw-output "keys[] | select(. != \"$CONFIG_ID\")" <<<"$ALL_CONFIG"); do
# TODO investigate this! It takes a minute to deactivate all.
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
echo "Deactivating $configid" echo "Deactivating $configid"
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \ ${occ} ldap:set-config "$configid" 'ldapConfigurationActive' '0'
'0'
echo "Deactivated $configid" echo "Deactivated $configid"
echo "Deleting $configid"
${occ} ldap:delete-config "$configid"
echo "Deleted $configid"
done done
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' \ ${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' '1'
'1'
############################################################################ ############################################################################
# OIDC app # OIDC app