From 91e5639123caf3a231e70760421bcde8b14b131f Mon Sep 17 00:00:00 2001
From: Fugi
Date: Wed, 23 Aug 2023 22:12:06 +0200
Subject: [PATCH] nextcloud: refactor

- simplify database config
- run the whole preStart script as sudo, to reduce log clutter
---
 modules/nextcloud.nix | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 4a2d077..44e1016 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -12,17 +12,6 @@ in
   };
 
   services = {
-    postgresql = {
-      enable = true;
-      ensureUsers = [{
-        name = "nextcloud";
-        ensurePermissions = {
-          "DATABASE nextcloud" = "ALL PRIVILEGES";
-        };
-      }];
-      ensureDatabases = [ "nextcloud" ];
-    };
-
     nextcloud = {
       enable = true;
       package = pkgs.nextcloud26; # Use current latest nextcloud package
@@ -34,12 +23,10 @@ in
       ];
       config = {
         dbtype = "pgsql";
-        dbuser = "nextcloud";
-        dbhost = "/run/postgresql";
-        dbname = "nextcloud";
         adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
         adminuser = "root";
       };
+      database.createLocally = true;
     };
 
     # Enable ACME and force SSL
@@ -77,9 +64,7 @@ in
       ldapUserFilter = "(|(objectclass=inetOrgPerson))";
       ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))";
     };
-  in
-  {
-    preStart = ''
+    preStart = pkgs.writeScript "nextcloud-preStart" ''
       # enable included LDAP app
       ${occ} app:enable user_ldap
 
@@ -92,5 +77,9 @@ in
       ${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)}
       ${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path})
     '';
+  in
+  {
+    # run the whole preStart as nextcloud user, so that the log won't be cluttered by lots of sudo calls
+    serviceConfig.ExecStartPre = "/run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS ${preStart}";
   };
 }
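Review bot: `pkgs.writeScript "nextcloud-preStart"` stores the heredoc verbatim, and its first line is the `# enable included LDAP app` comment rather than an interpreter line, so the generated file has no shebang and running it directly from the `ExecStartPre` in the next hunk may fail with ENOEXEC depending on how the caller handles that. The old `preStart` was also executed through the NixOS job-script wrapper, which as far as I recall runs the shell with `-e`, so with a bare script a failing `app:enable` would no longer abort the setup. Prefer `preStart = pkgs.writeShellScript "nextcloud-preStart" ''`, which prepends the runtimeShell shebang, and open the body with `set -euo pipefail`. The `let` binding this preStart lives in starts before the hunk.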
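Review bot: The LDAP search password on the `ldapAgentPassword` line is read with an unquoted `$(cat …)` and handed to `occ ldap:set-config` as a command-line argument, so for the duration of that call it is visible in the host's process list, and the unquoted substitution is word-split, so a password containing spaces or glob characters breaks the call. At minimum quote it: `${occ} ldap:set-config s01 'ldapAgentPassword' "$(cat ${config.sops.secrets.nextcloud_ldap_search.path})"`. The new `serviceConfig.ExecStartPre` also means `cat` now runs as `nextcloud` via `sudo -u` rather than as the service's own user, so the sops secret file must be readable by that user — worth confirming the secret's `owner`/`mode` in its declaration, which is outside this hunk. The preStart string this line belongs to opens in the previous hunk.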