1
0
Fork 0
selfhostblocks/modules/services/nextcloud-server.nix

1031 lines
38 KiB
Nix

{ config, pkgs, lib, ... }:
let
cfg = config.shb.nextcloud;
fqdn = "${cfg.subdomain}.${cfg.domain}";
fqdnWithPort = if isNull cfg.port then fqdn else "${fqdn}:${toString cfg.port}";
protocol = if !(isNull cfg.ssl) then "https" else "http";
ssoFqdnWithPort = if isNull cfg.apps.sso.port then cfg.apps.sso.endpoint else "${cfg.apps.sso.endpoint}:${toString cfg.apps.sso.port}";
contracts = pkgs.callPackage ../contracts {};
# Make sure to bump both nextcloudPkg and nextcloudApps at the same time.
nextcloudPkg = version: builtins.getAttr ("nextcloud" + builtins.toString version) pkgs;
nextcloudApps = version: (builtins.getAttr ("nextcloud" + builtins.toString version + "Packages") pkgs).apps;
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
in
{
options.shb.nextcloud = {
enable = lib.mkEnableOption "selfhostblocks.nextcloud-server";
subdomain = lib.mkOption {
type = lib.types.str;
description = ''
Subdomain under which Nextcloud will be served.
```
<subdomain>.<domain>[:<port>]
```
'';
example = "nextcloud";
};
domain = lib.mkOption {
description = ''
Domain under which Nextcloud is served.
```
<subdomain>.<domain>[:<port>]
```
'';
type = lib.types.str;
example = "domain.com";
};
port = lib.mkOption {
description = ''
Port under which Nextcloud will be served. If null is given, then the port is omitted.
```
<subdomain>.<domain>[:<port>]
```
'';
type = lib.types.nullOr lib.types.port;
default = null;
};
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
default = null;
};
externalFqdn = lib.mkOption {
description = "External fqdn used to access Nextcloud. Defaults to <subdomain>.<domain>. This should only be set if you include the port when accessing Nextcloud.";
type = lib.types.nullOr lib.types.str;
example = "nextcloud.domain.com:8080";
default = null;
};
version = lib.mkOption {
description = "Nextcloud version to choose from.";
type = lib.types.enum [ 28 29 ];
default = 28;
};
dataDir = lib.mkOption {
description = "Folder where Nextcloud will store all its data.";
type = lib.types.str;
default = "/var/lib/nextcloud";
};
mountPointServices = lib.mkOption {
description = "If given, all the systemd services and timers will depend on the specified mount point systemd services.";
type = lib.types.listOf lib.types.str;
default = [];
example = lib.literalExpression ''["var.mount"]'';
};
adminUser = lib.mkOption {
type = lib.types.str;
description = "Username of the initial admin user.";
default = "root";
};
adminPassFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "File containing the Nextcloud admin password. Required.";
default = null;
};
maxUploadSize = lib.mkOption {
default = "4G";
type = lib.types.str;
description = ''
The upload limit for files. This changes the relevant options
in php.ini and nginx if enabled.
'';
};
defaultPhoneRegion = lib.mkOption {
type = lib.types.str;
description = ''
Two letters region defining default region.
'';
example = "US";
};
postgresSettings = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
default = null;
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
example = lib.literalExpression ''
{
# From https://pgtune.leopard.in.ua/ with:
# DB Version: 14
# OS Type: linux
# DB Type: dw
# Total Memory (RAM): 7 GB
# CPUs num: 4
# Connections num: 100
# Data Storage: ssd
max_connections = "100";
shared_buffers = "1792MB";
effective_cache_size = "5376MB";
maintenance_work_mem = "896MB";
checkpoint_completion_target = "0.9";
wal_buffers = "16MB";
default_statistics_target = "500";
random_page_cost = "1.1";
effective_io_concurrency = "200";
work_mem = "4587kB";
huge_pages = "off";
min_wal_size = "4GB";
max_wal_size = "16GB";
max_worker_processes = "4";
max_parallel_workers_per_gather = "2";
max_parallel_workers = "4";
max_parallel_maintenance_workers = "2";
}
'';
};
phpFpmPoolSettings = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
description = "Settings for PHPFPM.";
default = null;
example = lib.literalExpression ''
{
"pm" = "dynamic";
"pm.max_children" = 50;
"pm.start_servers" = 25;
"pm.min_spare_servers" = 10;
"pm.max_spare_servers" = 20;
"pm.max_spawn_rate" = 50;
"pm.max_requests" = 50;
"pm.process_idle_timeout" = "20s";
}
'';
};
apps = lib.mkOption {
description = ''
Applications to enable in Nextcloud. Enabling an application here will also configure
various services needed for this application.
Enabled apps will automatically be installed, enabled and configured, so no need to do that
through the UI. You can still make changes but they will be overridden on next deploy. You
can still install and configure other apps through the UI.
'';
default = {};
type = lib.types.submodule {
options = {
onlyoffice = lib.mkOption {
description = ''
Only Office App. [Nextcloud App Store](https://apps.nextcloud.com/apps/onlyoffice)
Enabling this app will also start an OnlyOffice instance accessible at the given
subdomain from the given network range.
'';
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Nextcloud OnlyOffice App";
subdomain = lib.mkOption {
type = lib.types.str;
description = "Subdomain under which Only Office will be served.";
default = "oo";
};
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
default = null;
};
localNetworkIPRange = lib.mkOption {
type = lib.types.str;
description = "Local network range, to restrict access to Open Office to only those IPs.";
default = "192.168.1.1/24";
};
jwtSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''
File containing the JWT secret. This option is required.
Must be readable by the nextcloud system user.
'';
default = null;
};
};
};
};
previewgenerator = lib.mkOption {
description = ''
Preview Generator App. [Nextcloud App Store](https://apps.nextcloud.com/apps/previewgenerator)
Enabling this app will create a cron job running every minute to generate thumbnails
for new and updated files.
To generate thumbnails for already existing files, run:
```
nextcloud-occ -vvv preview:generate-all
```
'';
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Nextcloud Preview Generator App";
recommendedSettings = lib.mkOption {
type = lib.types.bool;
description = ''
Better defaults than the defaults. Taken from [this article](http://web.archive.org/web/20200513043150/https://ownyourbits.com/2019/06/29/understanding-and-improving-nextcloud-previews/).
Sets the following options:
```
nextcloud-occ config:app:set previewgenerator squareSizes --value="32 256"
nextcloud-occ config:app:set previewgenerator widthSizes --value="256 384"
nextcloud-occ config:app:set previewgenerator heightSizes --value="256"
nextcloud-occ config:system:set preview_max_x --value 2048
nextcloud-occ config:system:set preview_max_y --value 2048
nextcloud-occ config:system:set jpeg_quality --value 60
nextcloud-occ config:app:set preview jpeg_quality --value="60"
```
'';
default = true;
example = false;
};
debug = lib.mkOption {
type = lib.types.bool;
description = "Enable more verbose logging.";
default = false;
example = true;
};
};
};
};
externalStorage = lib.mkOption {
# TODO: would be nice to have quota include external storage but it's not supported for root:
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_configuration.html#setting-storage-quotas
description = ''
External Storage App. [Manual](https://docs.nextcloud.com/server/28/go.php?to=admin-external-storage)
Set `userLocalMount` to automatically add a local directory as an external storage.
Use this option if you want to store user data in another folder or another hard drive
altogether.
In the `directory` option, you can use either `$user` and/or `$home` which will be
replaced by the user's name and home directory.
Recommended use of this option is to have the Nextcloud's `dataDir` on a SSD and the
`userLocalRooDirectory` on a HDD. Indeed, a SSD is much quicker than a spinning hard
drive, which is well suited for randomly accessing small files like thumbnails. On the
other side, a spinning hard drive can store more data which is well suited for storing
user data.
'';
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Nextcloud External Storage App";
userLocalMount = lib.mkOption {
default = null;
description = "If set, adds a local mount as external storage.";
type = lib.types.nullOr (lib.types.submodule {
options = {
directory = lib.mkOption {
type = lib.types.str;
description = ''
Local directory on the filesystem to mount. Use `$user` and/or `$home`
which will be replaced by the user's name and home directory.
'';
example = "/srv/nextcloud/$user";
};
mountName = lib.mkOption {
type = lib.types.str;
description = ''
Path of the mount in Nextcloud. Use `/` to mount as the root.
'';
default = "";
example = [ "home" "/" ];
};
};
});
};
};
};
};
ldap = lib.mkOption {
description = ''
LDAP Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
Enabling this app will create a new LDAP configuration or update one that exists with
the given host.
'';
default = {};
type = lib.types.nullOr (lib.types.submodule {
options = {
enable = lib.mkEnableOption "LDAP app.";
host = lib.mkOption {
type = lib.types.str;
description = ''
Host serving the LDAP server.
'';
default = "127.0.0.1";
};
port = lib.mkOption {
type = lib.types.port;
description = ''
Port of the service serving the LDAP server.
'';
default = 389;
};
dcdomain = lib.mkOption {
type = lib.types.str;
description = "dc domain for ldap.";
example = "dc=mydomain,dc=com";
};
adminName = lib.mkOption {
type = lib.types.str;
description = "Admin user of the LDAP server.";
default = "admin";
};
adminPasswordFile = lib.mkOption {
type = lib.types.path;
description = ''
File containing the admin password of the LDAP server.
Must be readable by the nextcloud system user.
'';
default = "";
};
userGroup = lib.mkOption {
type = lib.types.str;
description = "Group users must belong to to be able to login to Nextcloud.";
default = "nextcloud_user";
};
configID = lib.mkOption {
type = lib.types.int;
description = ''
Multiple LDAP configs can co-exist with only one active at a time.This option
sets the config ID used by Self Host Blocks.
'';
default = 50;
};
};
});
};
sso = lib.mkOption {
description = ''
SSO Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/oidc_auth.html)
Enabling this app will create a new LDAP configuration or update one that exists with
the given host.
'';
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "SSO app.";
endpoint = lib.mkOption {
type = lib.types.str;
description = "OIDC endpoint for SSO.";
example = "https://authelia.example.com";
};
port = lib.mkOption {
description = "If given, adds a port to the endpoint.";
type = lib.types.nullOr lib.types.port;
default = null;
};
provider = lib.mkOption {
type = lib.types.enum [ "Authelia" ];
description = "OIDC provider name, used for display.";
default = "Authelia";
};
clientID = lib.mkOption {
type = lib.types.str;
description = "Client ID for the OIDC endpoint.";
default = "nextcloud";
};
authorization_policy = lib.mkOption {
type = lib.types.enum [ "one_factor" "two_factor" ];
description = "Require one factor (password) or two factor (device) authentication.";
default = "one_factor";
};
secretFile = lib.mkOption {
type = lib.types.path;
description = ''
File containing the secret for the OIDC endpoint.
Must be readable by the nextcloud system user.
'';
default = "";
};
secretFileForAuthelia = lib.mkOption {
type = lib.types.path;
description = ''
File containing the secret for the OIDC endpoint, must be readable by the Authelia user.
Must be readable by the authelia system user.
'';
default = "";
};
fallbackDefaultAuth = lib.mkOption {
type = lib.types.bool;
description = ''
Fallback to normal Nextcloud auth if something goes wrong with the SSO app.
Usually, you want to enable this to transfer existing users to LDAP and then you
can disabled it.
'';
default = false;
};
};
};
};
};
};
};
extraApps = lib.mkOption {
type = lib.types.raw;
description = ''
Extra apps to install. Should be a function returning an attrSet of appid to packages
generated by fetchNextcloudApp. The appid must be identical to the id value in the apps
appinfo/info.xml. You can still install apps through the appstore.
'';
default = null;
example = lib.literalExpression ''
apps: {
inherit (apps) mail calendar contact;
phonetrack = pkgs.fetchNextcloudApp {
name = "phonetrack";
sha256 = "0qf366vbahyl27p9mshfma1as4nvql6w75zy2zk5xwwbp343vsbc";
url = "https://gitlab.com/eneiluj/phonetrack-oc/-/wikis/uploads/931aaaf8dca24bf31a7e169a83c17235/phonetrack-0.6.9.tar.gz";
version = "0.6.9";
};
}
'';
};
backup = lib.mkOption {
type = contracts.backup;
description = ''
Backup configuration. This is an output option.
Use it to initialize a block implementing the "backup" contract.
For example, with the restic block:
```
shb.restic.instances."nextcloud" = {
enable = true;
# Options specific to Restic.
} // config.shb.nextcloud.backup;
```
'';
readOnly = true;
default = {
user = "nextcloud";
sourceDirectories = [
cfg.dataDir
];
excludePatterns = [".rnd"];
};
};
debug = lib.mkOption {
type = lib.types.bool;
description = "Enable more verbose logging.";
default = false;
example = true;
};
tracing = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Enable xdebug tracing.
To trigger writing a trace to `/var/log/xdebug`, add a the following header:
```
XDEBUG_TRACE <shb.nextcloud.tracing value>
```
The response will contain the following header:
```
x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484
```
'';
default = null;
example = "debug_me";
};
autoDisableMaintenanceModeOnStart = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Upon starting the service, disable maintenance mode if set.
This is useful if a deploy failed and you try to redeploy.
'';
};
alwaysApplyExpensiveMigrations = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Run `occ maintenance:repair --include-expensive` on service start.
Larger instances should disable this and run the command at a convenient time
but Self Host Blocks assumes that it will not be the case for most users.
'';
};
};
config = lib.mkMerge [
(lib.mkIf cfg.enable {
assertions = [
{
assertion = !(isNull cfg.adminPassFile);
message = "Must set shb.nextcloud.adminPassFile.";
}
];
users.users = {
nextcloud = {
name = "nextcloud";
group = "nextcloud";
isSystemUser = true;
};
};
# LDAP is manually configured through
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md, see also
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
#
# Verify setup with:
# - On admin page
# - https://scan.nextcloud.com/
# - https://www.ssllabs.com/ssltest/
# As of writing this, we got no warning on admin page and A+ on both tests.
#
# Content-Security-Policy is hard. I spent so much trying to fix lingering issues with .js files
# not loading to realize those scripts are inserted by extensions. Doh.
services.nextcloud = {
enable = true;
package = nextcloudPkg cfg.version;
datadir = cfg.dataDir;
hostName = fqdn;
nginx.hstsMaxAge = 31536000; # Needs > 1 year for https://hstspreload.org to be happy
inherit (cfg) maxUploadSize;
config = {
dbtype = "pgsql";
adminuser = cfg.adminUser;
adminpassFile = toString cfg.adminPassFile;
};
database.createLocally = true;
# Enable caching using redis https://nixos.wiki/wiki/Nextcloud#Caching.
configureRedis = true;
caching.apcu = false;
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/caching_configuration.html
caching.redis = true;
# Adds appropriate nginx rewrite rules.
webfinger = true;
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
https = !(isNull cfg.ssl);
extraApps = if isNull cfg.extraApps then {} else cfg.extraApps (nextcloudApps cfg.version);
extraAppsEnable = true;
appstoreEnable = true;
settings = let
protocol = if !(isNull cfg.ssl) then "https" else "http";
in {
"default_phone_region" = cfg.defaultPhoneRegion;
"overwrite.cli.url" = "${protocol}://${fqdn}";
"overwritehost" = fqdnWithPort;
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
# TODO: could instead set extraTrustedDomains
"trusted_domains" = [ fqdn ];
"trusted_proxies" = [ "127.0.0.1" ];
# TODO: could instead set overwriteProtocol
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
"debug" = cfg.debug;
"filelocking.debug" = cfg.debug;
# Use persistent SQL connections.
"dbpersistent" = "true";
# https://help.nextcloud.com/t/very-slow-sync-for-small-files/11064/13
"chunkSize" = "5120MB";
};
phpOptions = {
# The OPcache interned strings buffer is nearly full with 8, bump to 16.
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
short_open_tag = "Off";
# https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/big_file_upload_configuration.html#configuring-php
# > Output Buffering must be turned off [...] or PHP will return memory-related errors.
output_buffering = "Off";
# Needed to avoid corruption per https://docs.nextcloud.com/server/21/admin_manual/configuration_server/caching_configuration.html#id2
"redis.session.locking_enabled" = "1";
"redis.session.lock_retries" = "-1";
"redis.session.lock_wait_time" = "10000";
} // lib.optionalAttrs (! (isNull cfg.tracing)) {
# "xdebug.remote_enable" = "on";
# "xdebug.remote_host" = "127.0.0.1";
# "xdebug.remote_port" = "9000";
# "xdebug.remote_handler" = "dbgp";
"xdebug.trigger_value" = cfg.tracing;
"xdebug.mode" = "profile,trace";
"xdebug.output_dir" = "/var/log/xdebug";
"xdebug.start_with_request" = "trigger";
};
poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
phpExtraExtensions = all: [ all.xdebug ];
};
services.nginx.virtualHosts.${fqdn} = {
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
forceSSL = !(isNull cfg.ssl);
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
# From [1] this should fix downloading of big files. [2] seems to indicate that buffering
# happens at multiple places anyway, so disabling one place should be okay.
# [1]: https://help.nextcloud.com/t/download-aborts-after-time-or-large-file/25044/6
# [2]: https://stackoverflow.com/a/50891625/1013628
extraConfig = ''
proxy_buffering off;
'';
};
environment.systemPackages = [
# Needed for a few apps. Would be nice to avoid having to put that in the environment and instead override https://github.com/NixOS/nixpkgs/blob/261abe8a44a7e8392598d038d2e01f7b33cf26d0/nixos/modules/services/web-apps/nextcloud.nix#L1035
pkgs.ffmpeg-headless
# Needed for the recognize app.
pkgs.nodejs
];
services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
systemd.services.phpfpm-nextcloud.preStart = ''
mkdir -p /var/log/xdebug; chown -R nextcloud: /var/log/xdebug
'';
systemd.services.phpfpm-nextcloud.requires = cfg.mountPointServices;
systemd.services.phpfpm-nextcloud.after = cfg.mountPointServices;
systemd.services.nextcloud-cron.path = [
pkgs.perl
];
systemd.timers.nextcloud-cron.requires = cfg.mountPointServices;
systemd.timers.nextcloud-cron.after = cfg.mountPointServices;
systemd.services.nextcloud-setup.requires = cfg.mountPointServices;
systemd.services.nextcloud-setup.after = cfg.mountPointServices;
})
(lib.mkIf (cfg.enable && cfg.apps.onlyoffice.enable) {
assertions = [
{
assertion = !(isNull cfg.apps.onlyoffice.jwtSecretFile);
message = "Must set shb.nextcloud.apps.onlyoffice.jwtSecretFile.";
}
];
services.nextcloud.extraApps = {
inherit ((nextcloudApps cfg.version)) onlyoffice;
};
services.onlyoffice = {
enable = true;
hostname = "${cfg.apps.onlyoffice.subdomain}.${cfg.domain}";
port = 13444;
postgresHost = "/run/postgresql";
jwtSecretFile = cfg.apps.onlyoffice.jwtSecretFile;
};
services.nginx.virtualHosts."${cfg.apps.onlyoffice.subdomain}.${cfg.domain}" = {
forceSSL = !(isNull cfg.ssl);
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
locations."/" = {
extraConfig = ''
allow ${cfg.apps.onlyoffice.localNetworkIPRange};
'';
};
};
})
(lib.mkIf (cfg.enable && cfg.apps.previewgenerator.enable) {
services.nextcloud.extraApps = {
inherit ((nextcloudApps cfg.version)) previewgenerator;
};
# Values taken from
# http://web.archive.org/web/20200513043150/https://ownyourbits.com/2019/06/29/understanding-and-improving-nextcloud-previews/
systemd.services.nextcloud-setup.script = lib.mkIf cfg.apps.previewgenerator.recommendedSettings ''
${occ} config:app:set previewgenerator squareSizes --value="32 256"
${occ} config:app:set previewgenerator widthSizes --value="256 384"
${occ} config:app:set previewgenerator heightSizes --value="256"
${occ} config:system:set preview_max_x --value 2048
${occ} config:system:set preview_max_y --value 2048
${occ} config:system:set jpeg_quality --value 60
${occ} config:app:set preview jpeg_quality --value="60"
'';
# Configured as defined in https://github.com/nextcloud/previewgenerator
systemd.timers.nextcloud-cron-previewgenerator = {
wantedBy = [ "timers.target" ];
requires = cfg.mountPointServices;
after = [ "nextcloud-setup.service" ] ++ cfg.mountPointServices;
timerConfig.OnBootSec = "10m";
timerConfig.OnUnitActiveSec = "10m";
timerConfig.Unit = "nextcloud-cron-previewgenerator.service";
};
systemd.services.nextcloud-cron-previewgenerator = {
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.datadir}/config";
serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
serviceConfig.ExecStart =
let
debug = if cfg.debug or cfg.apps.previewgenerator.debug then "-vvv" else "";
in
"${occ} ${debug} preview:pre-generate";
};
})
(lib.mkIf (cfg.enable && cfg.apps.externalStorage.enable) {
systemd.services.nextcloud-setup.script = ''
${occ} app:install files_external || :
${occ} app:enable files_external
'' + lib.optionalString (cfg.apps.externalStorage.userLocalMount != "") (
let
cfg' = cfg.apps.externalStorage.userLocalMount;
escape = x: builtins.replaceStrings ["/"] [''\\\/''] x;
in
''
${occ} files_external:list \
| grep '${escape cfg'.mountName}' \
| grep '${escape cfg'.directory}' \
|| ${occ} files_external:create \
'${cfg'.mountName}' \
local \
null::null \
--config datadir='${cfg'.directory}'
'');
})
(lib.mkIf (cfg.enable && cfg.apps.ldap.enable) {
systemd.services.nextcloud-setup.path = [ pkgs.jq ];
systemd.services.nextcloud-setup.script =
let
cfg' = cfg.apps.ldap;
cID = "s" + toString cfg'.configID;
in ''
${occ} app:install user_ldap || :
${occ} app:enable user_ldap
${occ} config:app:set user_ldap ${cID}ldap_configuration_active --value=0
# The following CLI commands follow
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
${occ} ldap:set-config "${cID}" 'ldapHost' \
'${cfg'.host}'
${occ} ldap:set-config "${cID}" 'ldapPort' \
'${toString cfg'.port}'
${occ} ldap:set-config "${cID}" 'ldapAgentName' \
'uid=${cfg'.adminName},ou=people,${cfg'.dcdomain}'
${occ} ldap:set-config "${cID}" 'ldapAgentPassword' \
"$(cat ${cfg'.adminPasswordFile})"
${occ} ldap:set-config "${cID}" 'ldapBase' \
'${cfg'.dcdomain}'
${occ} ldap:set-config "${cID}" 'ldapBaseGroups' \
'${cfg'.dcdomain}'
${occ} ldap:set-config "${cID}" 'ldapBaseUsers' \
'${cfg'.dcdomain}'
${occ} ldap:set-config "${cID}" 'ldapEmailAttribute' \
'mail'
${occ} ldap:set-config "${cID}" 'ldapGroupFilter' \
'(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg'.userGroup})))'
${occ} ldap:set-config "${cID}" 'ldapGroupFilterGroups' \
'${cfg'.userGroup}'
${occ} ldap:set-config "${cID}" 'ldapGroupFilterObjectclass' \
'groupOfUniqueNames'
${occ} ldap:set-config "${cID}" 'ldapGroupMemberAssocAttr' \
'uniqueMember'
${occ} ldap:set-config "${cID}" 'ldapLoginFilter' \
'(&(&(objectclass=person)(memberOf=cn=${cfg'.userGroup},ou=groups,${cfg'.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))'
${occ} ldap:set-config "${cID}" 'ldapLoginFilterAttributes' \
'mail;objectclass'
${occ} ldap:set-config "${cID}" 'ldapUserDisplayName' \
'displayname'
${occ} ldap:set-config "${cID}" 'ldapUserFilter' \
'(&(objectclass=person)(memberOf=cn=${cfg'.userGroup},ou=groups,${cfg'.dcdomain}))'
${occ} ldap:set-config "${cID}" 'ldapUserFilterMode' \
'1'
${occ} ldap:set-config "${cID}" 'ldapUserFilterObjectclass' \
'person'
# Makes the user_id used when creating a user through LDAP which means the ID used in
# Nextcloud is compatible with the one returned by a (possibly added in the future) SSO
# provider.
${occ} ldap:set-config "${cID}" 'ldapExpertUsernameAttr' \
'user_id'
${occ} ldap:test-config -- "${cID}"
# Only one active at the same time
ALL_CONFIG="$(${occ} ldap:show-config --output=json)"
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
echo "Deactivating $configid"
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \
'0'
done
${occ} ldap:set-config "${cID}" 'ldapConfigurationActive' \
'1'
'';
})
(let
scopes = [
"openid"
"profile"
"email"
"groups"
];
in lib.mkIf (cfg.enable && cfg.apps.sso.enable) {
assertions = [
{
assertion = cfg.apps.sso.enable -> cfg.apps.ldap.enable;
message = "SSO app requires LDAP app to work correctly.";
}
];
systemd.services.nextcloud-setup.script =
''
${occ} app:install oidc_login || :
${occ} app:enable oidc_login
'';
systemd.services.nextcloud-setup.preStart =
''
mkdir -p ${cfg.dataDir}/config
cat <<EOF > "${cfg.dataDir}/config/secretFile"
{
"oidc_login_client_secret": "$(cat ${cfg.apps.sso.secretFile})"
}
EOF
'';
services.nextcloud = {
secretFile = "${cfg.dataDir}/config/secretFile";
# See all options at https://github.com/pulsejet/nextcloud-oidc-login
settings = {
allow_user_to_change_display_name = false;
lost_password_link = "disabled";
oidc_login_provider_url = ssoFqdnWithPort;
oidc_login_client_id = cfg.apps.sso.clientID;
# Automatically redirect the login page to the provider.
oidc_login_auto_redirect = !cfg.apps.sso.fallbackDefaultAuth;
# Authelia at least does not support this.
oidc_login_end_session_redirect = false;
# Redirect to this page after logging out the user
oidc_login_logout_url = ssoFqdnWithPort;
oidc_login_button_text = "Log in with ${cfg.apps.sso.provider}";
oidc_login_hide_password_form = false;
oidc_login_use_id_token = true;
oidc_login_attributes = {
id = "preferred_username";
name = "name";
mail = "email";
groups = "groups";
};
oidc_login_default_group = "oidc";
oidc_login_use_external_storage = false;
oidc_login_scope = lib.concatStringsSep " " scopes;
oidc_login_proxy_ldap = false;
# Enable creation of users new to Nextcloud from OIDC login. A user may be known to the
# IdP but not (yet) known to Nextcloud. This setting controls what to do in this case.
# * 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
# then they will be returned to the login screen and not allowed entry;
# * 'false': if the user authenticates but is not yet known to Nextcloud, then the user
# will be automatically created; note that with this setting, you will be allowing (or
# relying on) a third-party (the IdP) to create new users
oidc_login_disable_registration = false;
oidc_login_redir_fallback = cfg.apps.sso.fallbackDefaultAuth;
# oidc_login_alt_login_page = "assets/login.php";
oidc_login_tls_verify = true;
# If you get your groups from the oidc_login_attributes, you might want to create them if
# they are not already existing, Default is `false`. This creates groups for all groups
# the user is associated with in LDAP. It's too much.
oidc_create_groups = false;
# Enable use of WebDAV via OIDC bearer token.
oidc_login_webdav_enabled = true;
oidc_login_password_authentication = false;
oidc_login_public_key_caching_time = 86400;
oidc_login_min_time_between_jwks_requests = 10;
oidc_login_well_known_caching_time = 86400;
# If true, nextcloud will download user avatars on login. This may lead to security issues
# as the server does not control which URLs will be requested. Use with care.
oidc_login_update_avatar = false;
};
};
shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
{
client_id = cfg.apps.sso.clientID;
client_name = "Nextcloud";
client_secret.source = cfg.apps.sso.secretFileForAuthelia;
public = false;
authorization_policy = cfg.apps.sso.authorization_policy;
redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];
inherit scopes;
userinfo_signing_algorithm = "none";
}
];
})
(lib.mkIf (cfg.enable && cfg.autoDisableMaintenanceModeOnStart) {
systemd.services.nextcloud-setup.preStart =
lib.mkBefore ''
if [[ -e /var/lib/nextcloud/config/config.php ]]; then
${occ} maintenance:mode --no-interaction --quiet --off
fi
'';
})
(lib.mkIf (cfg.enable && cfg.alwaysApplyExpensiveMigrations) {
systemd.services.nextcloud-setup.script =
''
if [[ -e /var/lib/nextcloud/config/config.php ]]; then
${occ} maintenance:repair --include-expensive
fi
'';
})
];
}