use hardcoded configID for nextcloud LDAP configuration
This makes more sense and is less brittle.
This commit is contained in:
parent
a4c4ee1670
commit
f9cb785cf8
2 changed files with 48 additions and 45 deletions
|
@ -38,6 +38,7 @@
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
- Made Nextcloud LDAP setup use a hardcoded configID. This makes the detection of an existing config much more robust.
|
||||||
|
|
||||||
# 0.1.0
|
# 0.1.0
|
||||||
|
|
||||||
|
|
|
@ -384,6 +384,15 @@ in
|
||||||
description = "Group users must belong to to be able to login to Nextcloud.";
|
description = "Group users must belong to to be able to login to Nextcloud.";
|
||||||
default = "nextcloud_user";
|
default = "nextcloud_user";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
configID = lib.mkOption {
|
||||||
|
type = lib.types.int;
|
||||||
|
description = ''
|
||||||
|
Multiple LDAP configs can co-exist with only one active at a time.This option
|
||||||
|
sets the config ID used by Self Host Blocks.
|
||||||
|
'';
|
||||||
|
default = 50;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
@ -794,75 +803,68 @@ in
|
||||||
|
|
||||||
(lib.mkIf cfg.apps.ldap.enable {
|
(lib.mkIf cfg.apps.ldap.enable {
|
||||||
systemd.services.nextcloud-setup.path = [ pkgs.jq ];
|
systemd.services.nextcloud-setup.path = [ pkgs.jq ];
|
||||||
systemd.services.nextcloud-setup.script = ''
|
systemd.services.nextcloud-setup.script =
|
||||||
|
let
|
||||||
|
cfg' = cfg.apps.ldap;
|
||||||
|
cID = "s" + toString cfg'.configID;
|
||||||
|
in ''
|
||||||
${occ} app:install user_ldap || :
|
${occ} app:install user_ldap || :
|
||||||
${occ} app:enable user_ldap
|
${occ} app:enable user_ldap
|
||||||
|
|
||||||
# The following code tries to match an existing config or creates a new one.
|
${occ} config:app:set user_ldap ${cID}ldap_configuration_active --value=0
|
||||||
# The criteria for matching is the ldapHost value.
|
|
||||||
|
|
||||||
ALL_CONFIG="$(${occ} ldap:show-config --output=json --show-password)"
|
|
||||||
|
|
||||||
MATCHING_CONFIG_IDs="$(echo "$ALL_CONFIG" | jq '[to_entries[] | select(.value.ldapHost=="127.0.0.1") | .key]')"
|
|
||||||
if [[ $(echo "$MATCHING_CONFIG_IDs" | jq 'length') > 0 ]]; then
|
|
||||||
CONFIG_ID="$(echo "$MATCHING_CONFIG_IDs" | jq --raw-output '.[0]')"
|
|
||||||
else
|
|
||||||
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Using configId $CONFIG_ID"
|
|
||||||
|
|
||||||
# The following CLI commands follow
|
# The following CLI commands follow
|
||||||
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
||||||
|
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' \
|
${occ} ldap:set-config "${cID}" 'ldapHost' \
|
||||||
'${cfg.apps.ldap.host}'
|
'${cfg'.host}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' \
|
${occ} ldap:set-config "${cID}" 'ldapPort' \
|
||||||
'${toString cfg.apps.ldap.port}'
|
'${toString cfg'.port}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' \
|
${occ} ldap:set-config "${cID}" 'ldapAgentName' \
|
||||||
'uid=${cfg.apps.ldap.adminName},ou=people,${cfg.apps.ldap.dcdomain}'
|
'uid=${cfg'.adminName},ou=people,${cfg'.dcdomain}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' \
|
${occ} ldap:set-config "${cID}" 'ldapAgentPassword' \
|
||||||
"$(cat ${cfg.apps.ldap.adminPasswordFile})"
|
"$(cat ${cfg'.adminPasswordFile})"
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' \
|
${occ} ldap:set-config "${cID}" 'ldapBase' \
|
||||||
'${cfg.apps.ldap.dcdomain}'
|
'${cfg'.dcdomain}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' \
|
${occ} ldap:set-config "${cID}" 'ldapBaseGroups' \
|
||||||
'${cfg.apps.ldap.dcdomain}'
|
'${cfg'.dcdomain}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' \
|
${occ} ldap:set-config "${cID}" 'ldapBaseUsers' \
|
||||||
'${cfg.apps.ldap.dcdomain}'
|
'${cfg'.dcdomain}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' \
|
${occ} ldap:set-config "${cID}" 'ldapEmailAttribute' \
|
||||||
'mail'
|
'mail'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
|
${occ} ldap:set-config "${cID}" 'ldapGroupFilter' \
|
||||||
'(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg.apps.ldap.userGroup})))'
|
'(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg'.userGroup})))'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
|
${occ} ldap:set-config "${cID}" 'ldapGroupFilterGroups' \
|
||||||
'${cfg.apps.ldap.userGroup}'
|
'${cfg'.userGroup}'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
|
${occ} ldap:set-config "${cID}" 'ldapGroupFilterObjectclass' \
|
||||||
'groupOfUniqueNames'
|
'groupOfUniqueNames'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
|
${occ} ldap:set-config "${cID}" 'ldapGroupMemberAssocAttr' \
|
||||||
'uniqueMember'
|
'uniqueMember'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
|
${occ} ldap:set-config "${cID}" 'ldapLoginFilter' \
|
||||||
'(&(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))'
|
'(&(&(objectclass=person)(memberOf=cn=${cfg'.userGroup},ou=groups,${cfg'.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
|
${occ} ldap:set-config "${cID}" 'ldapLoginFilterAttributes' \
|
||||||
'mail;objectclass'
|
'mail;objectclass'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
|
${occ} ldap:set-config "${cID}" 'ldapUserDisplayName' \
|
||||||
'displayname'
|
'displayname'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
|
${occ} ldap:set-config "${cID}" 'ldapUserFilter' \
|
||||||
'(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))'
|
'(&(objectclass=person)(memberOf=cn=${cfg'.userGroup},ou=groups,${cfg'.dcdomain}))'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
|
${occ} ldap:set-config "${cID}" 'ldapUserFilterMode' \
|
||||||
'1'
|
'1'
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
|
${occ} ldap:set-config "${cID}" 'ldapUserFilterObjectclass' \
|
||||||
'person'
|
'person'
|
||||||
|
|
||||||
${occ} ldap:test-config -- "$CONFIG_ID"
|
${occ} ldap:test-config -- "${cID}"
|
||||||
|
|
||||||
# Only one active at the same time
|
# Only one active at the same time
|
||||||
|
|
||||||
|
ALL_CONFIG="$(${occ} ldap:show-config --output=json)"
|
||||||
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
|
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
|
||||||
echo "Deactivating $configid"
|
echo "Deactivating $configid"
|
||||||
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \
|
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \
|
||||||
'0'
|
'0'
|
||||||
done
|
done
|
||||||
|
|
||||||
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' \
|
${occ} ldap:set-config "${cID}" 'ldapConfigurationActive' \
|
||||||
'1'
|
'1'
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
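Review bot: The added `${occ} config:app:set user_ldap ${cID}ldap_configuration_active --value=0` line at the top of the script (where the old "match an existing config" comment used to be) has no explanation, and next to the `ldap:set-config` calls and the deactivation loop below it reads like a duplicate rather than the step that makes the fixed prefix usable at all; a comment such as `# Write one key under the ${cID} prefix first so occ treats it as an existing configuration; presumably ldap:set-config rejects an unknown configID otherwise — confirm against the occ source` would make the ordering dependency explicit. The new `configID` option in the earlier hunk is typed `lib.types.int`, so a negative value silently yields a prefix like `s-1`; `type = lib.types.ints.unsigned;` would reject that at evaluation time, and the option description is missing a space in `time.This option`. The `ldapAgentPassword` value is still handed to occ as a command-line argument via `"$(cat ${cfg'.adminPasswordFile})"` (unchanged by this commit), so it is readable from the process list while that command runs; worth a follow-up note on the line rather than part of this change.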