ibizaman
Pierre Penninckx
parent
db6d8f7f38
commit
4a7e42abaa
3 changed files with 145 additions and 6 deletions
|
|
@ -2,13 +2,12 @@
|
|||
|
||||
| Service | Backup | Reverse Proxy | SSO | LDAP | Monitoring | Profiling |
|
||||
|-----------------------|--------|---------------|-----|-------|------------|-----------|
|
||||
| [Nextcloud Server][1] | P (1) | Y | N | P (2) | Y | P (3) |
|
||||
| [Nextcloud Server][1] | P (1) | Y | N | Y | Y | P (2) |
|
||||
|
||||
Legend: **N**: no but WIP; **P**: partial; **Y**: yes
|
||||
|
||||
1. Does not backup the database yet.
|
||||
2. Works but requires manually setting up the integration.
|
||||
3. Works but the traces are not exported to Grafana yet.
|
||||
2. Works but the traces are not exported to Grafana yet.
|
||||
|
||||
[1]: services-nextcloud.html
|
||||
|
||||
|
|
|
|||
|
|
@ -8,6 +8,8 @@ let
|
|||
# Make sure to bump both nextcloudPkg and nextcloudApps at the same time.
|
||||
nextcloudPkg = pkgs.nextcloud27;
|
||||
nextcloudApps = pkgs.nextcloud27Packages.apps;
|
||||
|
||||
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
||||
in
|
||||
{
|
||||
options.shb.nextcloud = {
|
||||
|
|
@ -186,6 +188,61 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
ldap = lib.mkOption {
|
||||
description = ''
|
||||
LDAP Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
|
||||
|
||||
Enabling this app will create a new LDAP configuration or update one that exists with
|
||||
the given host.
|
||||
'';
|
||||
default = {};
|
||||
type = lib.types.nullOr (lib.types.submodule {
|
||||
options = {
|
||||
enable = lib.mkEnableOption "LDAP app.";
|
||||
|
||||
host = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
description = ''
|
||||
Host serving the LDAP server.
|
||||
'';
|
||||
default = "127.0.0.1";
|
||||
};
|
||||
|
||||
port = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.port;
|
||||
description = ''
|
||||
Port of the service serving the LDAP server.
|
||||
'';
|
||||
default = 389;
|
||||
};
|
||||
|
||||
dcdomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "dc domain for ldap.";
|
||||
example = "dc=mydomain,dc=com";
|
||||
};
|
||||
|
||||
adminName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Admin user of the LDAP server.";
|
||||
default = "admin";
|
||||
};
|
||||
|
||||
adminPasswordFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the admin password of the LDAP server.";
|
||||
default = "";
|
||||
};
|
||||
|
||||
userGroup = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Group users must belong to to be able to login to Nextcloud.";
|
||||
default = "nextcloud_user";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
@ -453,8 +510,86 @@ in
|
|||
let
|
||||
debug = if cfg.debug or cfg.apps.previewgenerator.debug then "-vvv" else "";
|
||||
in
|
||||
"${config.services.nextcloud.occ}/bin/nextcloud-occ ${debug} preview:pre-generate";
|
||||
"${occ} ${debug} preview:pre-generate";
|
||||
};
|
||||
})
|
||||
|
||||
(lib.mkIf cfg.apps.ldap.enable {
|
||||
systemd.services.nextcloud-setup.path = [ pkgs.jq ];
|
||||
systemd.services.nextcloud-setup.script = ''
|
||||
${occ} app:install user_ldap || :
|
||||
${occ} app:enable user_ldap
|
||||
|
||||
# The following code tries to match an existing config or creates a new one.
|
||||
# The criteria for matching is the ldapHost value.
|
||||
|
||||
ALL_CONFIG="$(${occ} ldap:show-config --output=json --show-password)"
|
||||
|
||||
MATCHING_CONFIG_IDs="$(echo "$ALL_CONFIG" | jq '[to_entries[] | select(.value.ldapHost=="127.0.0.1") | .key]')"
|
||||
if [[ $(echo "$MATCHING_CONFIG_IDs" | jq 'length') > 0 ]]; then
|
||||
CONFIG_ID="$(echo "$MATCHING_CONFIG_IDs" | jq --raw-output '.[0]')"
|
||||
else
|
||||
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
|
||||
fi
|
||||
|
||||
echo "Using configId $CONFIG_ID"
|
||||
|
||||
CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")"
|
||||
|
||||
|
||||
# The following CLI commands follow
|
||||
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
||||
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' \
|
||||
'${cfg.apps.ldap.host}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' \
|
||||
'${toString cfg.apps.ldap.port}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' \
|
||||
'uid=${cfg.apps.ldap.adminName},ou=people,${cfg.apps.ldap.dcdomain}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' \
|
||||
"$(cat ${cfg.apps.ldap.adminPasswordFile})"
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' \
|
||||
'${cfg.apps.ldap.dcdomain}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' \
|
||||
'${cfg.apps.ldap.dcdomain}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' \
|
||||
'${cfg.apps.ldap.dcdomain}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' \
|
||||
'mail'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
|
||||
'(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg.apps.ldap.userGroup})))'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
|
||||
'${cfg.apps.ldap.userGroup}'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
|
||||
'groupOfUniqueNames'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
|
||||
'uniqueMember'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
|
||||
'(&(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
|
||||
'mail;objectclass'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
|
||||
'displayname'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
|
||||
'(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
|
||||
'1'
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
|
||||
'person'
|
||||
|
||||
${occ} ldap:test-config -- "$CONFIG_ID"
|
||||
|
||||
# Only one active at the same time
|
||||
|
||||
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
|
||||
echo "Deactivating $configid"
|
||||
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \
|
||||
'0'
|
||||
done
|
||||
|
||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' \
|
||||
'1'
|
||||
'';
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,12 +6,17 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo
|
|||
|
||||
## Features {#services-nextcloud-server-features}
|
||||
|
||||
- Declarative Apps Configuration - no need to configure through the UI.
|
||||
- Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need
|
||||
to configure those with the UI.
|
||||
- LDAP app: enables app and sets up integration with an existing LDAP server. The defaults are
|
||||
suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building
|
||||
block](./block-ldap.html).
|
||||
- [Preview Generator](https://apps.nextcloud.com/apps/previewgenerator) app: enables app and sets
|
||||
up required cron job.
|
||||
- [Only Office](https://apps.nextcloud.com/apps/onlyoffice) app: enables app and sets up Only
|
||||
Office service.
|
||||
- Any other app through the `shb.nextcloud.extraApps` option.
|
||||
- Any other app through the
|
||||
[shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option.
|
||||
- [Demo](./demo-nextcloud-server.html)
|
||||
- Demo deploying a Nextcloud server with [Colmena](https://colmena.cli.rs/) and with proper
|
||||
secrets management with [sops-nix](https://github.com/Mic92/sops-nix).
|
||||
|
|
|
|||
Loading…
Reference in a new issue