wurzel/fruitbasket
9
1
Fork 0
Code Issues 5 Pull requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/nextcloud'

Browse source
This commit is contained in:
quitte 2023-08-31 21:27:58 +02:00
parent c65ab4ac25 39b54503d4
commit 202381d181
1 changed files with 51 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

75
modules/nextcloud.nix
View file

@ -4,60 +4,83 @@ let
in in
{ {
sops.secrets = { sops.secrets = {
nextcloud_adminpass = { nextcloud_adminpass.owner = "nextcloud";
nextcloud_ldap_search = {
key = "portunus/search-password";
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud";
}; };
}; };
services = { services = {
postgresql = {
enable = true;
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "nextcloud" ];
};
nextcloud = { nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud26; # Use current latest nextcloud package package = pkgs.nextcloud25;
enableBrokenCiphersForSSE = false; # disable the openssl warning enableBrokenCiphersForSSE = false; # disable the openssl warning
hostName = "${domain}"; hostName = domain;
https = true; # Use https for all urls https = true; # Use https for all urls
phpExtraExtensions = all: [ phpExtraExtensions = all: [
all.ldap # Enable ldap php extension all.ldap # Enable ldap php extension
]; ];
config = { config = {
dbtype = "pgsql"; dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminpassFile = config.sops.secrets.nextcloud_adminpass.path; adminpassFile = config.sops.secrets.nextcloud_adminpass.path;
adminuser = "root"; adminuser = "root";
}; };
# postgres database is configured automatically
database.createLocally = true;
}; };
# Enable ACME and force SSL # Enable ACME and force SSL
nginx = { nginx.virtualHosts.${domain} = {
recommendedProxySettings = true;
virtualHosts = {
"${domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
}; };
};
};
# ensure that postgres is running *before* running the setup # ensure that postgres is running *before* running the setup
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
}; };
# configure some settings automatically
systemd.services."phpfpm-nextcloud" =
let
occ = lib.getExe config.services.nextcloud.occ;
ldapConfig = rec {
ldapAgentName = "uid=search,ou=users,${ldapBase}";
ldapBase = config.services.portunus.ldap.suffix;
ldapBaseGroups = "ou=groups,${ldapBase}";
ldapBaseUsers = "ou=users,${ldapBase}";
ldapConfigurationActive = "1";
ldapEmailAttribute = "mail";
ldapGroupFilterObjectclass = "groupOfNames";
ldapGroupMemberAssocAttr = "member";
ldapHost = "localhost";
ldapPort = "389";
ldapUserDisplayName = "cn";
ldapUserFilterObjectclass = "posixAccount";
# generated by nextcloud
ldapGroupFilter = "(&(|(objectclass=groupOfNames)))";
ldapUserFilter = "(|(objectclass=posixAccount))";
ldapLoginFilter = "(&(|(objectclass=posixAccount))(uid=%uid))";
};
preStart = pkgs.writeScript "nextcloud-preStart" ''
# enable included LDAP app
${occ} app:enable user_ldap
# set up new LDAP config if it does not exist
if ! ${occ} ldap:show-config s01 > /dev/null; then
${occ} ldap:create-empty-config
fi
# update LDAP config
${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)}
${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path})
'';
in
{
# run the whole preStart as nextcloud user, so that the log won't be cluttered by lots of sudo calls
serviceConfig.ExecStartPre = "/run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS ${preStart}";
};
} }