nixos-config/hosts/nuc/modules/seafile/default.nix

57 lines
1.9 KiB
Nix

{ config, pkgs, ... }:
let
domain = "seafile.${config.networking.domain}";
in
{
age.secrets."seafile/oidc-secret" = {
file = ../../../../secrets/nuc/seafile/oidc-secret.age;
mode = "0440";
group = "seafile";
};
services.seafile = {
enable = true;
adminEmail = "admin@rfive.de";
initialAdminPassword = "unused garbage";
ccnetSettings.General.SERVICE_URL = "https://${domain}";
ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
seafileSettings.fileserver.port = 8083;
seahubExtraConf = ''
ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = True
OAUTH_CLIENT_ID = "seafile"
with open('${config.age.secrets."seafile/oidc-secret".path}') as f:
OAUTH_CLIENT_SECRET = f.readline().rstrip()
OAUTH_REDIRECT_URL = 'https://seafile.rfive.de/oauth/callback/'
OAUTH_PROVIDER_DOMAIN = 'seafile.rfive.de'
OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/auth'
OAUTH_TOKEN_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/token'
OAUTH_USER_INFO_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/userinfo'
OAUTH_SCOPE = [ "openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
"id": (False, "not used"),
"name": (False, "full name"),
"email": (True, "email"),
}
'';
};
services.nginx.virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://unix:/run/seahub/gunicorn.sock";
};
locations."/seafhttp" = {
proxyPass = "http://127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}";
extraConfig = ''
rewrite ^/seafhttp(.*)$ $1 break;
'';
};
locations."/media" = {
root = pkgs.seahub;
};
locations."/accounts/login" = {
return = "301 /oauth/login";
};
};
}