nextcloud: configure ldap automatically via nextcloud-occ cli

2023-08-23 20:56:24 +02:00 · 2023-08-23 20:56:24 +02:00 · 46040f8d31
parent b4d8a71c65
commit 46040f8d31
1 changed files with 52 additions and 19 deletions
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -4,23 +4,22 @@ let
 in
 {
  sops.secrets = {
-    nextcloud_adminpass = {
+    nextcloud_adminpass.owner = "nextcloud";
+    nextcloud_ldap_search = {
+      key = "portunus/search-password";
      owner = "nextcloud";
-      group = "nextcloud";
    };
  };

  services = {
    postgresql = {
      enable = true;
-      ensureUsers = [
-        {
-          name = "nextcloud";
-          ensurePermissions = {
-            "DATABASE nextcloud" = "ALL PRIVILEGES";
-          };
-        }
-      ];
+      ensureUsers = [{
+        name = "nextcloud";
+        ensurePermissions = {
+          "DATABASE nextcloud" = "ALL PRIVILEGES";
+        };
+      }];
      ensureDatabases = [ "nextcloud" ];
    };

@ -28,7 +27,7 @@ in
      enable = true;
      package = pkgs.nextcloud26; # Use current latest nextcloud package
      enableBrokenCiphersForSSE = false; # disable the openssl warning
-      hostName = "${domain}";
+      hostName = domain;
      https = true; # Use https for all urls
      phpExtraExtensions = all: [
        all.ldap # Enable ldap php extension
@ -44,14 +43,9 @@ in
    };

    # Enable ACME and force SSL
-    nginx = {
-      recommendedProxySettings = true;
-      virtualHosts = {
-        "${domain}" = {
-          enableACME = true;
-          forceSSL = true;
-        };
-      };
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
    };
  };

@ -60,4 +54,43 @@ in
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };
+
+  # configure some settings automatically
+  systemd.services."phpfpm-nextcloud" =
+    let
+      occ = lib.getExe config.services.nextcloud.occ;
+      ldapConfig = rec {
+        ldapAgentName = "uid=search,ou=users,${ldapBase}";
+        ldapBase = config.services.portunus.ldap.suffix;
+        ldapBaseGroups = "ou=groups,${ldapBase}";
+        ldapBaseUsers = "ou=users,${ldapBase}";
+        ldapConfigurationActive = "1";
+        ldapEmailAttribute = "mail";
+        ldapGroupFilterObjectclass = "groupOfNames";
+        ldapGroupMemberAssocAttr = "member";
+        ldapHost = "localhost";
+        ldapPort = "389";
+        ldapUserDisplayName = "cn";
+        ldapUserFilterObjectclass = "inetOrgPerson";
+        # generated by nextcloud
+        ldapGroupFilter = "(&(|(objectclass=groupOfNames)))";
+        ldapUserFilter = "(|(objectclass=inetOrgPerson))";
+        ldapLoginFilter = "(&(|(objectclass=inetOrgPerson))(uid=%uid))";
+      };
+    in
+    {
+      preStart = ''
+        # enable included LDAP app
+        ${occ} app:enable user_ldap
+
+        # set up new LDAP config if it does not exist
+        if ! ${occ} ldap:show-config s01 > /dev/null; then
+          ${occ} ldap:create-empty-config
+        fi
+
+        # update LDAP config
+        ${lib.concatLines (lib.mapAttrsToList (name: value: "${occ} ldap:set-config s01 '${name}' '${value}'") ldapConfig)}
+        ${occ} ldap:set-config s01 'ldapAgentPassword' $(cat ${config.sops.secrets.nextcloud_ldap_search.path})
+      '';
+    };
 }