From 46040f8d311e4388a36e65e756c4191e21b7c80a Mon Sep 17 00:00:00 2001 From: Fugi Date: Wed, 23 Aug 2023 20:56:24 +0200 Subject: [PATCH 1/4] nextcloud: configure ldap automatically via nextcloud-occ cli --- modules/nextcloud.nix | 71 +++++++++++++++++++++++++++++++------------ 1 file changed, 52 insertions(+), 19 deletions(-) diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 8cf37ee..4a2d077 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -4,23 +4,22 @@ let in { sops.secrets = { - nextcloud_adminpass = { + nextcloud_adminpass.owner = "nextcloud"; + nextcloud_ldap_search = { + key = "portunus/search-password"; owner = "nextcloud"; - group = "nextcloud"; }; }; services = { postgresql = { enable = true; - ensureUsers = [ - { - name = "nextcloud"; - ensurePermissions = { - "DATABASE nextcloud" = "ALL PRIVILEGES"; - }; - } - ]; + ensureUsers = [{ + name = "nextcloud"; + ensurePermissions = { + "DATABASE nextcloud" = "ALL PRIVILEGES"; + }; + }]; ensureDatabases = [ "nextcloud" ]; }; @@ -28,7 +27,7 @@ in enable = true; package = pkgs.nextcloud26; # Use current latest nextcloud package enableBrokenCiphersForSSE = false; # disable the openssl warning - hostName = "${domain}"; + hostName = domain; https = true; # Use https for all urls phpExtraExtensions = all: [ all.ldap # Enable ldap php extension @@ -44,14 +43,9 @@ in }; # Enable ACME and force SSL - nginx = { - recommendedProxySettings = true; - virtualHosts = { - "${domain}" = { - enableACME = true; - forceSSL = true; - }; - }; + nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; }; }; 
@@ -60,4 +54,43 @@ in requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; }; + + # configure some settings automatically + systemd.services."phpfpm-nextcloud" = + let + occ = lib.getExe config.services.nextcloud.occ; + ldapConfig = rec { + ldapAgentName = "uid=search,ou=users,${ldapBase}"; + ldapBase = config.services.portunus.ldap.suffix; + ldapBaseGroups = "ou=groups,${ldapBase}"; + ldapBaseUsers = "ou=users,${ldapBase}"; + ldapConfigurationActive = "1"; + ldapEmailAttribute = "mail"; + ldapGroupFilterObjectclass = "groupOfNames"; + ldapGroupMemberAssocAttr = "member"; + ldapHost = "localhost"; + ldapPort = "389"; + ldapUserDisplayName = "cn"; + ldapUserFilterObjectclass = "inetOrgPerson"; + # generated by nextcloud + ldapGroupFilter = "(&(|(objectclass=groupOfNames)))"; + ldapUserFilter = "(|(objectclass=inetOrgPerson))"; + ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))"; + }; + in + { + preStart = '' + # enable included LDAP app + ${occ} app:enable user_ldap + + # set up new LDAP config if it does not exist + if ! ${occ} ldap:show-config s01 > /dev/null; then + ${occ} ldap:create-empty-config + fi + + # update LDAP config + ${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)} + ${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path}) + ''; + }; } From 91e5639123caf3a231e70760421bcde8b14b131f Mon Sep 17 00:00:00 2001 From: Fugi Date: Wed, 23 Aug 2023 22:12:06 +0200 Subject: [PATCH 2/4] nextcloud: refactor - simplify database config - run the whole preStart script as sudo, to reduce log clutter --- modules/nextcloud.nix | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 4a2d077..44e1016 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix 
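Review bot: The search bind password on the last preStart line is passed through an unquoted command substitution, so a value containing whitespace or glob characters is word-split or expanded before `ldap:set-config` receives it, and because it is handed to `occ` as an argument it sits in the process command line (readable by other local users on most systems) for the lifetime of that call. Quote it at least: `${occ} ldap:set-config s01 'ldapAgentPassword' "$(cat ${config.sops.secrets.nextcloud_ldap_search.path})"`. The `mapAttrsToList` line has the same shape, single-quoting each value with no escaping, which is fine for the listed values but would break on a `'`; a comment saying so would stop a later `ldapConfig` entry from silently producing a malformed shell line. Since `ldapHost`/`ldapPort` select plain LDAP on loopback and no TLS option is set, note that in the attrset, e.g. `# plain LDAP on loopback only; the bind password is not protected in transit`. The same password line survives unchanged in the PATCH 2/4 refactor hunk, so the fix belongs in both.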
@@ -12,17 +12,6 @@ in }; services = { - postgresql = { - enable = true; - ensureUsers = [{ - name = "nextcloud"; - ensurePermissions = { - "DATABASE nextcloud" = "ALL PRIVILEGES"; - }; - }]; - ensureDatabases = [ "nextcloud" ]; - }; - nextcloud = { enable = true; package = pkgs.nextcloud26; # Use current latest nextcloud package @@ -34,12 +23,10 @@ in ]; config = { dbtype = "pgsql"; - dbuser = "nextcloud"; - dbhost = "/run/postgresql"; - dbname = "nextcloud"; adminpassFile = config.sops.secrets.nextcloud_adminpass.path; adminuser = "root"; }; + database.createLocally = true; }; # Enable ACME and force SSL @@ -77,9 +64,7 @@ in ldapUserFilter = "(|(objectclass=inetOrgPerson))"; ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))"; }; - in - { - preStart = '' + preStart = pkgs.writeScript "nextcloud-preStart" '' # enable included LDAP app ${occ} app:enable user_ldap @@ -92,5 +77,9 @@ in ${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)} ${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path}) ''; + in + { + # run the whole preStart as nextcloud user, so that the log won't be cluttered by lots of sudo calls + serviceConfig.ExecStartPre = "/run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS ${preStart}"; }; } From 2ea2341e1b3a73a4c6b383a5affd69e553429c0a Mon Sep 17 00:00:00 2001 From: Fugi Date: Wed, 23 Aug 2023 22:52:53 +0200 Subject: [PATCH 3/4] nextcloud: change ldap user filter to posixAccount --- modules/nextcloud.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 44e1016..8122694 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix 
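Review bot: `pkgs.writeScript "nextcloud-preStart"` produces a file with no shebang and no `set -e`, so once it is executed standalone through `sudo` in the last hunk a failing `app:enable` or `ldap:set-config` no longer aborts the unit, and the file only runs at all if the caller falls back to `/bin/sh` on ENOEXEC; the previous `preStart` form presumably got its shell and error-exit behaviour from the NixOS service wrapper, which this change drops. Use `preStart = pkgs.writeShellScript "nextcloud-preStart" ''` and make `set -eu` the first line of the script body. The `ExecStartPre` string also preserves `OC_PASS` across `sudo`; a one-line comment on why that variable is needed here would help, since nothing in the script reads it. The enclosing `systemd.services."phpfpm-nextcloud" = let … in { … }` definition starts outside this hunk.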
@@ -58,11 +58,11 @@ in ldapHost = "localhost"; ldapPort = "389"; ldapUserDisplayName = "cn"; - ldapUserFilterObjectclass = "inetOrgPerson"; + ldapUserFilterObjectclass = "posixAccount"; # generated by nextcloud ldapGroupFilter = "(&(|(objectclass=groupOfNames)))"; - ldapUserFilter = "(|(objectclass=inetOrgPerson))"; - ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))"; + ldapUserFilter = "(|(objectclass=posixAccount))"; + ldapLoginFilter = "(&(|(objectclass=posixAccount))(uid=%uid))"; }; preStart = pkgs.writeScript "nextcloud-preStart" '' # enable included LDAP app From 39b54503d4ef58e3647deaea3606362b92f9de45 Mon Sep 17 00:00:00 2001 From: Fugi Date: Wed, 30 Aug 2023 14:01:49 +0200 Subject: [PATCH 4/4] nextcloud: pin to version 25 for migration --- modules/nextcloud.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 8122694..b1dd2b4 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -14,7 +14,7 @@ in services = { nextcloud = { enable = true; - package = pkgs.nextcloud26; # Use current latest nextcloud package + package = pkgs.nextcloud25; enableBrokenCiphersForSSE = false; # disable the openssl warning hostName = domain; https = true; # Use https for all urls @@ -26,6 +26,7 @@ in adminpassFile = config.sops.secrets.nextcloud_adminpass.path; adminuser = "root"; }; + # postgres database is configured automatically database.createLocally = true; };
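Review bot: The `# generated by nextcloud` comment above `ldapGroupFilter` is now misleading, because the three filter strings below it are hand-edited here to track `ldapUserFilterObjectclass`; replace it with `# mirrors the objectclass settings above (originally generated by nextcloud); keep in sync`. With the user filter now `(|(objectclass=posixAccount))` and no group restriction, every `posixAccount` entry under `ou=users` becomes a Nextcloud login candidate, which presumably includes the `uid=search` bind account named in `ldapAgentName` if Portunus gives it that objectclass — worth confirming, or narrowing the filter by group membership so service accounts cannot sign in.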