frieder.hannenheim/fruitbasket
1
0
Fork 0
forked from wurzel/fruitbasket
Code Pull requests Activity

nextcloud: configure ldap automatically via nextcloud-occ cli

Browse source
This commit is contained in:
Lyn Fugmann 2023-08-23 20:56:24 +02:00
parent b4d8a71c65
commit 46040f8d31
Signed by untrusted user: fugi
GPG key ID: 4472A20091BFA792
1 changed files with 52 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
modules/nextcloud.nix
View file

@ -4,23 +4,22 @@ let
in in
{ {
sops.secrets = { sops.secrets = {
nextcloud_adminpass = { nextcloud_adminpass.owner = "nextcloud";
nextcloud_ldap_search = {
key = "portunus/search-password";
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud";
}; };
}; };
services = { services = {
postgresql = { postgresql = {
enable = true; enable = true;
ensureUsers = [ ensureUsers = [{
{ name = "nextcloud";
name = "nextcloud"; ensurePermissions = {
ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES";
"DATABASE nextcloud" = "ALL PRIVILEGES"; };
}; }];
}
];
ensureDatabases = [ "nextcloud" ]; ensureDatabases = [ "nextcloud" ];
}; };
@ -28,7 +27,7 @@ in
enable = true; enable = true;
package = pkgs.nextcloud26; # Use current latest nextcloud package package = pkgs.nextcloud26; # Use current latest nextcloud package
enableBrokenCiphersForSSE = false; # disable the openssl warning enableBrokenCiphersForSSE = false; # disable the openssl warning
hostName = "${domain}"; hostName = domain;
https = true; # Use https for all urls https = true; # Use https for all urls
phpExtraExtensions = all: [ phpExtraExtensions = all: [
all.ldap # Enable ldap php extension all.ldap # Enable ldap php extension
@ -44,14 +43,9 @@ in
}; };
# Enable ACME and force SSL # Enable ACME and force SSL
nginx = { nginx.virtualHosts.${domain} = {
recommendedProxySettings = true; enableACME = true;
virtualHosts = { forceSSL = true;
"${domain}" = {
enableACME = true;
forceSSL = true;
};
};
}; };
}; };
@ -60,4 +54,43 @@ in
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
}; };
# configure some settings automatically
systemd.services."phpfpm-nextcloud" =
let
occ = lib.getExe config.services.nextcloud.occ;
ldapConfig = rec {
ldapAgentName = "uid=search,ou=users,${ldapBase}";
ldapBase = config.services.portunus.ldap.suffix;
ldapBaseGroups = "ou=groups,${ldapBase}";
ldapBaseUsers = "ou=users,${ldapBase}";
ldapConfigurationActive = "1";
ldapEmailAttribute = "mail";
ldapGroupFilterObjectclass = "groupOfNames";
ldapGroupMemberAssocAttr = "member";
ldapHost = "localhost";
ldapPort = "389";
ldapUserDisplayName = "cn";
ldapUserFilterObjectclass = "inetOrgPerson";
# generated by nextcloud
ldapGroupFilter = "(&(|(objectclass=groupOfNames)))";
ldapUserFilter = "(|(objectclass=inetOrgPerson))";
ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))";
};
in
{
preStart = ''
# enable included LDAP app
${occ} app:enable user_ldap
# set up new LDAP config if it does not exist
if ! ${occ} ldap:show-config s01 > /dev/null; then
${occ} ldap:create-empty-config
fi
# update LDAP config
${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)}
${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path})
'';
};
} }