From 4a7e42abaa33d951aae28e443687e397a3b6474b Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 6 Jan 2024 00:03:56 -0800 Subject: [PATCH] add declarative configuration of LDAP in Nextcloud refs #17 --- docs/services.md | 5 +- modules/services/nextcloud-server.nix | 137 +++++++++++++++++- .../services/nextcloud-server/docs/default.md | 9 +- 3 files changed, 145 insertions(+), 6 deletions(-) diff --git a/docs/services.md b/docs/services.md index eb82b7f..dc4b0a7 100644 --- a/docs/services.md +++ b/docs/services.md @@ -2,13 +2,12 @@ | Service | Backup | Reverse Proxy | SSO | LDAP | Monitoring | Profiling | |-----------------------|--------|---------------|-----|-------|------------|-----------| -| [Nextcloud Server][1] | P (1) | Y | N | P (2) | Y | P (3) | +| [Nextcloud Server][1] | P (1) | Y | N | Y | Y | P (2) | Legend: **N**: no but WIP; **P**: partial; **Y**: yes 1. Does not backup the database yet. -2. Works but requires manually setting up the integration. -3. Works but the traces are not exported to Grafana yet. +2. Works but the traces are not exported to Grafana yet. [1]: services-nextcloud.html diff --git a/modules/services/nextcloud-server.nix b/modules/services/nextcloud-server.nix index 3dc78d5..149b698 100644 --- a/modules/services/nextcloud-server.nix +++ b/modules/services/nextcloud-server.nix @@ -8,6 +8,8 @@ let # Make sure to bump both nextcloudPkg and nextcloudApps at the same time. nextcloudPkg = pkgs.nextcloud27; nextcloudApps = pkgs.nextcloud27Packages.apps; + + occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; in { options.shb.nextcloud = { @@ -186,6 +188,61 @@ in }; }; }; + + ldap = lib.mkOption { + description = '' + LDAP Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html) + + Enabling this app will create a new LDAP configuration or update one that exists with + the given host. + ''; + default = {}; + type = lib.types.nullOr (lib.types.submodule { + options = { + enable = lib.mkEnableOption "LDAP app."; + + host = lib.mkOption { + type = lib.types.nullOr lib.types.str; + description = '' + Host serving the LDAP server. + ''; + default = "127.0.0.1"; + }; + + port = lib.mkOption { + type = lib.types.nullOr lib.types.port; + description = '' + Port of the service serving the LDAP server. + ''; + default = 389; + }; + + dcdomain = lib.mkOption { + type = lib.types.str; + description = "dc domain for ldap."; + example = "dc=mydomain,dc=com"; + }; + + adminName = lib.mkOption { + type = lib.types.str; + description = "Admin user of the LDAP server."; + default = "admin"; + }; + + adminPasswordFile = lib.mkOption { + type = lib.types.path; + description = "File containing the admin password of the LDAP server."; + default = ""; + }; + + userGroup = lib.mkOption { + type = lib.types.str; + description = "Group users must belong to to be able to login to Nextcloud."; + default = "nextcloud_user"; + }; + }; + }); + }; }; }; }; @@ -453,8 +510,86 @@ in let debug = if cfg.debug or cfg.apps.previewgenerator.debug then "-vvv" else ""; in - "${config.services.nextcloud.occ}/bin/nextcloud-occ ${debug} preview:pre-generate"; + "${occ} ${debug} preview:pre-generate"; }; }) + + (lib.mkIf cfg.apps.ldap.enable { + systemd.services.nextcloud-setup.path = [ pkgs.jq ]; + systemd.services.nextcloud-setup.script = '' + ${occ} app:install user_ldap || : + ${occ} app:enable user_ldap + + # The following code tries to match an existing config or creates a new one. + # The criteria for matching is the ldapHost value. + + ALL_CONFIG="$(${occ} ldap:show-config --output=json --show-password)" + + MATCHING_CONFIG_IDs="$(echo "$ALL_CONFIG" | jq '[to_entries[] | select(.value.ldapHost=="127.0.0.1") | .key]')" + if [[ $(echo "$MATCHING_CONFIG_IDs" | jq 'length') > 0 ]]; then + CONFIG_ID="$(echo "$MATCHING_CONFIG_IDs" | jq --raw-output '.[0]')" + else + CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)" + fi + + echo "Using configId $CONFIG_ID" + + CONFIG="$(echo "$ALL_CONFIG" | jq ".$CONFIG_ID")" + + + # The following CLI commands follow + # https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way + + ${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' \ + '${cfg.apps.ldap.host}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' \ + '${toString cfg.apps.ldap.port}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' \ + 'uid=${cfg.apps.ldap.adminName},ou=people,${cfg.apps.ldap.dcdomain}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' \ + "$(cat ${cfg.apps.ldap.adminPasswordFile})" + ${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' \ + '${cfg.apps.ldap.dcdomain}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' \ + '${cfg.apps.ldap.dcdomain}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' \ + '${cfg.apps.ldap.dcdomain}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' \ + 'mail' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \ + '(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg.apps.ldap.userGroup})))' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \ + '${cfg.apps.ldap.userGroup}' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \ + 'groupOfUniqueNames' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \ + 'uniqueMember' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \ + '(&(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \ + 'mail;objectclass' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \ + 'displayname' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \ + '(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \ + '1' + ${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \ + 'person' + + ${occ} ldap:test-config -- "$CONFIG_ID" + + # Only one active at the same time + + for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do + echo "Deactivating $configid" + ${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \ + '0' + done + + ${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' \ + '1' + ''; + }) ]; } diff --git a/modules/services/nextcloud-server/docs/default.md b/modules/services/nextcloud-server/docs/default.md index b3674c1..451f5c8 100644 --- a/modules/services/nextcloud-server/docs/default.md +++ b/modules/services/nextcloud-server/docs/default.md @@ -6,12 +6,17 @@ This NixOS module is a service that sets up a [Nextcloud Server](https://nextclo ## Features {#services-nextcloud-server-features} -- Declarative Apps Configuration - no need to configure through the UI. +- Declarative [Apps](#services-nextcloud-server-options-shb.nextcloud.apps) Configuration - no need + to configure those with the UI. + - LDAP app: enables app and sets up integration with an existing LDAP server. The defaults are + suited to work with [LLDAP](https://github.com/lldap/lldap) which is provided as a [building + block](./block-ldap.html). - [Preview Generator](https://apps.nextcloud.com/apps/previewgenerator) app: enables app and sets up required cron job. - [Only Office](https://apps.nextcloud.com/apps/onlyoffice) app: enables app and sets up Only Office service. - - Any other app through the `shb.nextcloud.extraApps` option. + - Any other app through the + [shb.nextcloud.extraApps](#services-nextcloud-server-options-shb.nextcloud.extraApps) option. - [Demo](./demo-nextcloud-server.html) - Demo deploying a Nextcloud server with [Colmena](https://colmena.cli.rs/) and with proper secrets management with [sops-nix](https://github.com/Mic92/sops-nix).