56dece4190
I don't remember why I hardcoded this, but the default works fine.
832 lines
30 KiB
Nix
832 lines
30 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
let
|
|
cfg = config.shb.nextcloud;
|
|
|
|
fqdn = "${cfg.subdomain}.${cfg.domain}";
|
|
fqdnWithPort = if isNull cfg.port then fqdn else "${fqdn}:${toString cfg.port}";
|
|
protocol = if !(isNull cfg.ssl) then "https" else "http";
|
|
|
|
ssoFqdnWithPort = if isNull cfg.apps.sso.port then cfg.apps.sso.endpoint else "${cfg.apps.sso.endpoint}:${toString cfg.apps.sso.port}";
|
|
|
|
contracts = pkgs.callPackage ../contracts {};
|
|
|
|
# Make sure to bump both nextcloudPkg and nextcloudApps at the same time.
|
|
nextcloudPkg = pkgs.nextcloud27;
|
|
nextcloudApps = pkgs.nextcloud27Packages.apps;
|
|
|
|
occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
|
in
|
|
{
|
|
options.shb.nextcloud = {
|
|
enable = lib.mkEnableOption "selfhostblocks.nextcloud-server";
|
|
|
|
subdomain = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = ''
|
|
Subdomain under which Nextcloud will be served.
|
|
|
|
```
|
|
<subdomain>.<domain>[:<port>]
|
|
```
|
|
'';
|
|
example = "nextcloud";
|
|
};
|
|
|
|
domain = lib.mkOption {
|
|
description = ''
|
|
Domain under which Nextcloud is served.
|
|
|
|
```
|
|
<subdomain>.<domain>[:<port>]
|
|
```
|
|
'';
|
|
type = lib.types.str;
|
|
example = "domain.com";
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
description = ''
|
|
Port under which Nextcloud will be served. If null is given, then the port is omitted.
|
|
|
|
```
|
|
<subdomain>.<domain>[:<port>]
|
|
```
|
|
'';
|
|
type = lib.types.nullOr lib.types.port;
|
|
default = null;
|
|
};
|
|
|
|
ssl = lib.mkOption {
|
|
description = "Path to SSL files";
|
|
type = lib.types.nullOr contracts.ssl.certs;
|
|
default = null;
|
|
};
|
|
|
|
externalFqdn = lib.mkOption {
|
|
description = "External fqdn used to access Nextcloud. Defaults to <subdomain>.<domain>. This should only be set if you include the port when accessing Nextcloud.";
|
|
type = lib.types.nullOr lib.types.str;
|
|
example = "nextcloud.domain.com:8080";
|
|
default = null;
|
|
};
|
|
|
|
dataDir = lib.mkOption {
|
|
description = "Folder where Nextcloud will store all its data.";
|
|
type = lib.types.str;
|
|
default = "/var/lib/nextcloud";
|
|
};
|
|
|
|
adminUser = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Username of the initial admin user.";
|
|
default = "root";
|
|
};
|
|
|
|
adminPassFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
description = "File containing the Nextcloud admin password. Required.";
|
|
default = null;
|
|
};
|
|
|
|
maxUploadSize = lib.mkOption {
|
|
default = "4G";
|
|
type = lib.types.str;
|
|
description = ''
|
|
The upload limit for files. This changes the relevant options
|
|
in php.ini and nginx if enabled.
|
|
'';
|
|
};
|
|
|
|
postgresSettings = lib.mkOption {
|
|
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
|
|
default = null;
|
|
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
|
|
example = lib.literalExpression ''
|
|
{
|
|
# From https://pgtune.leopard.in.ua/ with:
|
|
|
|
# DB Version: 14
|
|
# OS Type: linux
|
|
# DB Type: dw
|
|
# Total Memory (RAM): 7 GB
|
|
# CPUs num: 4
|
|
# Connections num: 100
|
|
# Data Storage: ssd
|
|
|
|
max_connections = "100";
|
|
shared_buffers = "1792MB";
|
|
effective_cache_size = "5376MB";
|
|
maintenance_work_mem = "896MB";
|
|
checkpoint_completion_target = "0.9";
|
|
wal_buffers = "16MB";
|
|
default_statistics_target = "500";
|
|
random_page_cost = "1.1";
|
|
effective_io_concurrency = "200";
|
|
work_mem = "4587kB";
|
|
huge_pages = "off";
|
|
min_wal_size = "4GB";
|
|
max_wal_size = "16GB";
|
|
max_worker_processes = "4";
|
|
max_parallel_workers_per_gather = "2";
|
|
max_parallel_workers = "4";
|
|
max_parallel_maintenance_workers = "2";
|
|
}
|
|
'';
|
|
};
|
|
|
|
phpFpmPoolSettings = lib.mkOption {
|
|
type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
|
|
description = "Settings for PHPFPM.";
|
|
default = null;
|
|
example = lib.literalExpression ''
|
|
{
|
|
"pm" = "dynamic";
|
|
"pm.max_children" = 50;
|
|
"pm.start_servers" = 25;
|
|
"pm.min_spare_servers" = 10;
|
|
"pm.max_spare_servers" = 20;
|
|
"pm.max_spawn_rate" = 50;
|
|
"pm.max_requests" = 50;
|
|
"pm.process_idle_timeout" = "20s";
|
|
}
|
|
'';
|
|
};
|
|
|
|
apps = lib.mkOption {
|
|
description = ''
|
|
Applications to enable in Nextcloud. Enabling an application here will also configure
|
|
various services needed for this application.
|
|
|
|
Enabled apps will automatically be installed, enabled and configured, so no need to do that
|
|
through the UI. You can still make changes but they will be overridden on next deploy. You
|
|
can still install and configure other apps through the UI.
|
|
'';
|
|
default = {};
|
|
type = lib.types.submodule {
|
|
options = {
|
|
onlyoffice = lib.mkOption {
|
|
description = ''
|
|
Only Office App. [Nextcloud App Store](https://apps.nextcloud.com/apps/onlyoffice)
|
|
|
|
Enabling this app will also start an OnlyOffice instance accessible at the given
|
|
subdomain from the given network range.
|
|
'';
|
|
default = {};
|
|
type = lib.types.submodule {
|
|
options = {
|
|
enable = lib.mkEnableOption "Nextcloud OnlyOffice App";
|
|
|
|
subdomain = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Subdomain under which Only Office will be served.";
|
|
default = "oo";
|
|
};
|
|
|
|
ssl = lib.mkOption {
|
|
description = "Path to SSL files";
|
|
type = lib.types.nullOr contracts.ssl.certs;
|
|
default = null;
|
|
};
|
|
|
|
localNetworkIPRange = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Local network range, to restrict access to Open Office to only those IPs.";
|
|
default = "192.168.1.1/24";
|
|
};
|
|
|
|
jwtSecretFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
description = ''
|
|
File containing the JWT secret. This option is required.
|
|
|
|
Must be readable by the nextcloud system user.
|
|
'';
|
|
default = null;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
previewgenerator = lib.mkOption {
|
|
description = ''
|
|
Preview Generator App. [Nextcloud App Store](https://apps.nextcloud.com/apps/previewgenerator)
|
|
|
|
Enabling this app will create a cron job running every minute to generate thumbnails
|
|
for new and updated files.
|
|
|
|
To generate thumbnails for already existing files, run:
|
|
|
|
```
|
|
nextcloud-occ -vvv preview:generate-all
|
|
```
|
|
'';
|
|
default = {};
|
|
type = lib.types.submodule {
|
|
options = {
|
|
enable = lib.mkEnableOption "Nextcloud Preview Generator App";
|
|
|
|
debug = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Enable more verbose logging.";
|
|
default = false;
|
|
example = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
ldap = lib.mkOption {
|
|
description = ''
|
|
LDAP Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
|
|
|
|
Enabling this app will create a new LDAP configuration or update one that exists with
|
|
the given host.
|
|
'';
|
|
default = {};
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
enable = lib.mkEnableOption "LDAP app.";
|
|
|
|
host = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = ''
|
|
Host serving the LDAP server.
|
|
'';
|
|
default = "127.0.0.1";
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
type = lib.types.port;
|
|
description = ''
|
|
Port of the service serving the LDAP server.
|
|
'';
|
|
default = 389;
|
|
};
|
|
|
|
dcdomain = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "dc domain for ldap.";
|
|
example = "dc=mydomain,dc=com";
|
|
};
|
|
|
|
adminName = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Admin user of the LDAP server.";
|
|
default = "admin";
|
|
};
|
|
|
|
adminPasswordFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = ''
|
|
File containing the admin password of the LDAP server.
|
|
|
|
Must be readable by the nextcloud system user.
|
|
'';
|
|
default = "";
|
|
};
|
|
|
|
userGroup = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Group users must belong to to be able to login to Nextcloud.";
|
|
default = "nextcloud_user";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
sso = lib.mkOption {
|
|
description = ''
|
|
SSO Integration App. [Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/oidc_auth.html)
|
|
|
|
Enabling this app will create a new LDAP configuration or update one that exists with
|
|
the given host.
|
|
'';
|
|
default = {};
|
|
type = lib.types.submodule {
|
|
options = {
|
|
enable = lib.mkEnableOption "SSO app.";
|
|
|
|
endpoint = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "OIDC endpoint for SSO.";
|
|
example = "https://authelia.example.com";
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
description = "If given, adds a port to the endpoint.";
|
|
type = lib.types.nullOr lib.types.port;
|
|
default = null;
|
|
};
|
|
|
|
provider = lib.mkOption {
|
|
type = lib.types.enum [ "Authelia" ];
|
|
description = "OIDC provider name, used for display.";
|
|
default = "Authelia";
|
|
};
|
|
|
|
clientID = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Client ID for the OIDC endpoint.";
|
|
default = "nextcloud";
|
|
};
|
|
|
|
authorization_policy = lib.mkOption {
|
|
type = lib.types.enum [ "one_factor" "two_factor" ];
|
|
description = "Require one factor (password) or two factor (device) authentication.";
|
|
default = "one_factor";
|
|
};
|
|
|
|
secretFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = ''
|
|
File containing the secret for the OIDC endpoint.
|
|
|
|
Must be readable by the nextcloud system user.
|
|
'';
|
|
default = "";
|
|
};
|
|
|
|
secretFileForAuthelia = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = ''
|
|
File containing the secret for the OIDC endpoint, must be readable by the Authelia user.
|
|
|
|
Must be readable by the authelia system user.
|
|
'';
|
|
default = "";
|
|
};
|
|
|
|
fallbackDefaultAuth = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = ''
|
|
Fallback to normal Nextcloud auth if something goes wrong with the SSO app.
|
|
Usually, you want to enable this to transfer existing users to LDAP and then you
|
|
can disabled it.
|
|
'';
|
|
default = false;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
extraApps = lib.mkOption {
|
|
type = lib.types.raw;
|
|
description = ''
|
|
Extra apps to install. Should be a function returning an attrSet of appid to packages
|
|
generated by fetchNextcloudApp. The appid must be identical to the “id” value in the apps
|
|
appinfo/info.xml. You can still install apps through the appstore.
|
|
'';
|
|
default = null;
|
|
example = lib.literalExpression ''
|
|
apps: {
|
|
inherit (apps) mail calendar contact;
|
|
phonetrack = pkgs.fetchNextcloudApp {
|
|
name = "phonetrack";
|
|
sha256 = "0qf366vbahyl27p9mshfma1as4nvql6w75zy2zk5xwwbp343vsbc";
|
|
url = "https://gitlab.com/eneiluj/phonetrack-oc/-/wikis/uploads/931aaaf8dca24bf31a7e169a83c17235/phonetrack-0.6.9.tar.gz";
|
|
version = "0.6.9";
|
|
};
|
|
}
|
|
'';
|
|
};
|
|
|
|
debug = lib.mkOption {
|
|
type = lib.types.bool;
|
|
description = "Enable more verbose logging.";
|
|
default = false;
|
|
example = true;
|
|
};
|
|
|
|
tracing = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
description = ''
|
|
Enable xdebug tracing.
|
|
|
|
To trigger writing a trace to `/var/log/xdebug`, add a the following header:
|
|
|
|
```
|
|
XDEBUG_TRACE <shb.nextcloud.tracing value>
|
|
```
|
|
|
|
The response will contain the following header:
|
|
|
|
```
|
|
x-xdebug-profile-filename /var/log/xdebug/cachegrind.out.63484
|
|
```
|
|
'';
|
|
default = null;
|
|
example = "debug_me";
|
|
};
|
|
};
|
|
|
|
config = lib.mkMerge [
|
|
(lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion = !(isNull cfg.adminPassFile);
|
|
message = "Must set shb.nextcloud.adminPassFile.";
|
|
}
|
|
];
|
|
|
|
users.users = {
|
|
nextcloud = {
|
|
name = "nextcloud";
|
|
group = "nextcloud";
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
|
|
users.groups = {
|
|
nextcloud = {
|
|
members = [ "backup" ];
|
|
};
|
|
};
|
|
|
|
# LDAP is manually configured through
|
|
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md, see also
|
|
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
|
|
#
|
|
# Verify setup with:
|
|
# - On admin page
|
|
# - https://scan.nextcloud.com/
|
|
# - https://www.ssllabs.com/ssltest/
|
|
# As of writing this, we got no warning on admin page and A+ on both tests.
|
|
#
|
|
# Content-Security-Policy is hard. I spent so much trying to fix lingering issues with .js files
|
|
# not loading to realize those scripts are inserted by extensions. Doh.
|
|
services.nextcloud = {
|
|
enable = true;
|
|
package = nextcloudPkg;
|
|
|
|
datadir = cfg.dataDir;
|
|
|
|
hostName = fqdn;
|
|
nginx.hstsMaxAge = 31536000; # Needs > 1 year for https://hstspreload.org to be happy
|
|
|
|
inherit (cfg) maxUploadSize;
|
|
|
|
config = {
|
|
dbtype = "pgsql";
|
|
adminuser = cfg.adminUser;
|
|
adminpassFile = toString cfg.adminPassFile;
|
|
# Not using dbpassFile as we're using socket authentication.
|
|
defaultPhoneRegion = "US";
|
|
trustedProxies = [ "127.0.0.1" ];
|
|
};
|
|
database.createLocally = true;
|
|
|
|
# Enable caching using redis https://nixos.wiki/wiki/Nextcloud#Caching.
|
|
configureRedis = true;
|
|
caching.apcu = false;
|
|
# https://docs.nextcloud.com/server/26/admin_manual/configuration_server/caching_configuration.html
|
|
caching.redis = true;
|
|
|
|
# Adds appropriate nginx rewrite rules.
|
|
webfinger = true;
|
|
|
|
# Very important for a bunch of scripts to load correctly. Otherwise you get Content-Security-Policy errors. See https://docs.nextcloud.com/server/13/admin_manual/configuration_server/harden_server.html#enable-http-strict-transport-security
|
|
https = !(isNull cfg.ssl);
|
|
|
|
extraApps = if isNull cfg.extraApps then {} else cfg.extraApps nextcloudApps;
|
|
extraAppsEnable = true;
|
|
appstoreEnable = true;
|
|
|
|
extraOptions = let
|
|
protocol = if !(isNull cfg.ssl) then "https" else "http";
|
|
in {
|
|
"overwrite.cli.url" = "${protocol}://${fqdn}";
|
|
"overwritehost" = fqdnWithPort;
|
|
# 'trusted_domains' needed otherwise we get this issue https://help.nextcloud.com/t/the-polling-url-does-not-start-with-https-despite-the-login-url-started-with-https/137576/2
|
|
# TODO: could instead set extraTrustedDomains
|
|
"trusted_domains" = [ fqdn ];
|
|
# TODO: could instead set overwriteProtocol
|
|
"overwriteprotocol" = protocol; # Needed if behind a reverse_proxy
|
|
"overwritecondaddr" = ""; # We need to set it to empty otherwise overwriteprotocol does not work.
|
|
"debug" = cfg.debug;
|
|
"filelocking.debug" = cfg.debug;
|
|
|
|
# Use persistent SQL connections.
|
|
"dbpersistent" = "true";
|
|
};
|
|
|
|
phpOptions = {
|
|
# The OPcache interned strings buffer is nearly full with 8, bump to 16.
|
|
catch_workers_output = "yes";
|
|
display_errors = "stderr";
|
|
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
|
|
expose_php = "Off";
|
|
"opcache.enable_cli" = "1";
|
|
"opcache.fast_shutdown" = "1";
|
|
"opcache.interned_strings_buffer" = "16";
|
|
"opcache.max_accelerated_files" = "10000";
|
|
"opcache.memory_consumption" = "128";
|
|
"opcache.revalidate_freq" = "1";
|
|
short_open_tag = "Off";
|
|
|
|
output_buffering = "Off";
|
|
|
|
# Needed to avoid corruption per https://docs.nextcloud.com/server/21/admin_manual/configuration_server/caching_configuration.html#id2
|
|
"redis.session.locking_enabled" = "1";
|
|
"redis.session.lock_retries" = "-1";
|
|
"redis.session.lock_wait_time" = "10000";
|
|
} // lib.optionalAttrs (! (isNull cfg.tracing)) {
|
|
# "xdebug.remote_enable" = "on";
|
|
# "xdebug.remote_host" = "127.0.0.1";
|
|
# "xdebug.remote_port" = "9000";
|
|
# "xdebug.remote_handler" = "dbgp";
|
|
"xdebug.trigger_value" = cfg.tracing;
|
|
|
|
"xdebug.mode" = "profile,trace";
|
|
"xdebug.output_dir" = "/var/log/xdebug";
|
|
"xdebug.start_with_request" = "trigger";
|
|
};
|
|
|
|
poolSettings = lib.mkIf (! (isNull cfg.phpFpmPoolSettings)) cfg.phpFpmPoolSettings;
|
|
|
|
phpExtraExtensions = all: [ all.xdebug ];
|
|
};
|
|
|
|
services.nginx.virtualHosts.${fqdn} = {
|
|
# listen = [ { addr = "0.0.0.0"; port = 443; } ];
|
|
forceSSL = !(isNull cfg.ssl);
|
|
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
|
|
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
|
|
|
|
# From [1] this should fix downloading of big files. [2] seems to indicate that buffering
|
|
# happens at multiple places anyway, so disabling one place should be okay.
|
|
# [1]: https://help.nextcloud.com/t/download-aborts-after-time-or-large-file/25044/6
|
|
# [2]: https://stackoverflow.com/a/50891625/1013628
|
|
extraConfig = ''
|
|
proxy_buffering off;
|
|
'';
|
|
};
|
|
|
|
environment.systemPackages = [
|
|
# Needed for a few apps. Would be nice to avoid having to put that in the environment and instead override https://github.com/NixOS/nixpkgs/blob/261abe8a44a7e8392598d038d2e01f7b33cf26d0/nixos/modules/services/web-apps/nextcloud.nix#L1035
|
|
pkgs.ffmpeg
|
|
|
|
# Needed for the recognize app.
|
|
pkgs.nodejs
|
|
];
|
|
|
|
services.postgresql.settings = lib.mkIf (! (isNull cfg.postgresSettings)) cfg.postgresSettings;
|
|
|
|
systemd.services.phpfpm-nextcloud.serviceConfig = {
|
|
# Setup permissions needed for backups, as the backup user is member of the jellyfin group.
|
|
UMask = lib.mkForce "0027";
|
|
};
|
|
systemd.services.phpfpm-nextcloud.preStart = ''
|
|
mkdir -p /var/log/xdebug; chown -R nextcloud: /var/log/xdebug
|
|
'';
|
|
|
|
systemd.services.nextcloud-cron.path = [
|
|
pkgs.perl
|
|
];
|
|
|
|
# Sets up backup for Nextcloud.
|
|
shb.backup.instances.nextcloud = {
|
|
sourceDirectories = [
|
|
cfg.dataDir
|
|
];
|
|
excludePatterns = [".rnd"];
|
|
};
|
|
})
|
|
|
|
(lib.mkIf cfg.apps.onlyoffice.enable {
|
|
assertions = [
|
|
{
|
|
assertion = !(isNull cfg.apps.onlyoffice.jwtSecretFile);
|
|
message = "Must set shb.nextcloud.apps.onlyoffice.jwtSecretFile.";
|
|
}
|
|
];
|
|
|
|
services.nextcloud.extraApps = {
|
|
inherit (nextcloudApps) onlyoffice;
|
|
};
|
|
|
|
services.onlyoffice = {
|
|
enable = true;
|
|
hostname = "${cfg.apps.onlyoffice.subdomain}.${cfg.domain}";
|
|
port = 13444;
|
|
|
|
postgresHost = "/run/postgresql";
|
|
|
|
jwtSecretFile = cfg.apps.onlyoffice.jwtSecretFile;
|
|
};
|
|
|
|
services.nginx.virtualHosts."${cfg.apps.onlyoffice.subdomain}.${cfg.domain}" = {
|
|
forceSSL = !(isNull cfg.ssl);
|
|
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
|
|
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
|
|
|
|
locations."/" = {
|
|
extraConfig = ''
|
|
allow ${cfg.apps.onlyoffice.localNetworkIPRange};
|
|
'';
|
|
};
|
|
};
|
|
})
|
|
|
|
(lib.mkIf cfg.apps.previewgenerator.enable {
|
|
services.nextcloud.extraApps = {
|
|
inherit (nextcloudApps) previewgenerator;
|
|
};
|
|
|
|
# Configured as defined in https://github.com/nextcloud/previewgenerator
|
|
systemd.timers.nextcloud-cron-previewgenerator = {
|
|
wantedBy = [ "timers.target" ];
|
|
after = [ "nextcloud-setup.service" ];
|
|
timerConfig.OnBootSec = "10m";
|
|
timerConfig.OnUnitActiveSec = "10m";
|
|
timerConfig.Unit = "nextcloud-cron-previewgenerator.service";
|
|
};
|
|
|
|
systemd.services.nextcloud-cron-previewgenerator = {
|
|
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.datadir}/config";
|
|
serviceConfig.Type = "oneshot";
|
|
serviceConfig.User = "nextcloud";
|
|
serviceConfig.ExecStart =
|
|
let
|
|
debug = if cfg.debug or cfg.apps.previewgenerator.debug then "-vvv" else "";
|
|
in
|
|
"${occ} ${debug} preview:pre-generate";
|
|
};
|
|
})
|
|
|
|
(lib.mkIf cfg.apps.ldap.enable {
|
|
systemd.services.nextcloud-setup.path = [ pkgs.jq ];
|
|
systemd.services.nextcloud-setup.script = ''
|
|
${occ} app:install user_ldap || :
|
|
${occ} app:enable user_ldap
|
|
|
|
# The following code tries to match an existing config or creates a new one.
|
|
# The criteria for matching is the ldapHost value.
|
|
|
|
ALL_CONFIG="$(${occ} ldap:show-config --output=json --show-password)"
|
|
|
|
MATCHING_CONFIG_IDs="$(echo "$ALL_CONFIG" | jq '[to_entries[] | select(.value.ldapHost=="127.0.0.1") | .key]')"
|
|
if [[ $(echo "$MATCHING_CONFIG_IDs" | jq 'length') > 0 ]]; then
|
|
CONFIG_ID="$(echo "$MATCHING_CONFIG_IDs" | jq --raw-output '.[0]')"
|
|
else
|
|
CONFIG_ID="$(${occ} ldap:create-empty-config --only-print-prefix)"
|
|
fi
|
|
|
|
echo "Using configId $CONFIG_ID"
|
|
|
|
# The following CLI commands follow
|
|
# https://github.com/lldap/lldap/blob/main/example_configs/nextcloud.md#nextcloud-config--the-cli-way
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapHost' \
|
|
'${cfg.apps.ldap.host}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapPort' \
|
|
'${toString cfg.apps.ldap.port}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentName' \
|
|
'uid=${cfg.apps.ldap.adminName},ou=people,${cfg.apps.ldap.dcdomain}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapAgentPassword' \
|
|
"$(cat ${cfg.apps.ldap.adminPasswordFile})"
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapBase' \
|
|
'${cfg.apps.ldap.dcdomain}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseGroups' \
|
|
'${cfg.apps.ldap.dcdomain}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapBaseUsers' \
|
|
'${cfg.apps.ldap.dcdomain}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapEmailAttribute' \
|
|
'mail'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilter' \
|
|
'(&(|(objectclass=groupOfUniqueNames))(|(cn=${cfg.apps.ldap.userGroup})))'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterGroups' \
|
|
'${cfg.apps.ldap.userGroup}'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupFilterObjectclass' \
|
|
'groupOfUniqueNames'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapGroupMemberAssocAttr' \
|
|
'uniqueMember'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilter' \
|
|
'(&(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))(|(uid=%uid)(|(mail=%uid)(objectclass=%uid))))'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapLoginFilterAttributes' \
|
|
'mail;objectclass'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserDisplayName' \
|
|
'displayname'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilter' \
|
|
'(&(objectclass=person)(memberOf=cn=${cfg.apps.ldap.userGroup},ou=groups,${cfg.apps.ldap.dcdomain}))'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterMode' \
|
|
'1'
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapUserFilterObjectclass' \
|
|
'person'
|
|
|
|
${occ} ldap:test-config -- "$CONFIG_ID"
|
|
|
|
# Only one active at the same time
|
|
|
|
for configid in $(echo "$ALL_CONFIG" | jq --raw-output "keys[]"); do
|
|
echo "Deactivating $configid"
|
|
${occ} ldap:set-config "$configid" 'ldapConfigurationActive' \
|
|
'0'
|
|
done
|
|
|
|
${occ} ldap:set-config "$CONFIG_ID" 'ldapConfigurationActive' \
|
|
'1'
|
|
'';
|
|
})
|
|
|
|
(lib.mkIf cfg.apps.sso.enable {
|
|
assertions = [
|
|
{
|
|
assertion = cfg.apps.sso.enable -> cfg.apps.ldap.enable;
|
|
message = "SSO app requires LDAP app to work correctly.";
|
|
}
|
|
];
|
|
|
|
systemd.services.nextcloud-setup.script =
|
|
''
|
|
${occ} app:install oidc_login || :
|
|
${occ} app:enable oidc_login
|
|
'';
|
|
|
|
systemd.services.nextcloud-setup.preStart =
|
|
''
|
|
mkdir -p ${cfg.dataDir}/config
|
|
cat <<EOF > "${cfg.dataDir}/config/secretFile"
|
|
{
|
|
"oidc_login_client_secret": "$(cat ${cfg.apps.sso.secretFile})"
|
|
}
|
|
EOF
|
|
'';
|
|
|
|
services.nextcloud = {
|
|
secretFile = "${cfg.dataDir}/config/secretFile";
|
|
|
|
# See all options at https://github.com/pulsejet/nextcloud-oidc-login
|
|
extraOptions = {
|
|
allow_user_to_change_display_name = false;
|
|
lost_password_link = "disabled";
|
|
oidc_login_provider_url = ssoFqdnWithPort;
|
|
oidc_login_client_id = cfg.apps.sso.clientID;
|
|
|
|
# Automatically redirect the login page to the provider.
|
|
oidc_login_auto_redirect = !cfg.apps.sso.fallbackDefaultAuth;
|
|
# Authelia at least does not support this.
|
|
oidc_login_end_session_redirect = false;
|
|
# Redirect to this page after logging out the user
|
|
oidc_login_logout_url = ssoFqdnWithPort;
|
|
oidc_login_button_text = "Log in with ${cfg.apps.sso.provider}";
|
|
oidc_login_hide_password_form = false;
|
|
oidc_login_use_id_token = true;
|
|
oidc_login_attributes = {
|
|
id = "preferred_username";
|
|
name = "name";
|
|
mail = "email";
|
|
groups = "groups";
|
|
};
|
|
oidc_login_default_group = "oidc";
|
|
oidc_login_use_external_storage = false;
|
|
oidc_login_scope = "openid profile email groups";
|
|
oidc_login_proxy_ldap = false;
|
|
# Enable creation of users new to Nextcloud from OIDC login. A user may be known to the
|
|
# IdP but not (yet) known to Nextcloud. This setting controls what to do in this case.
|
|
# * 'true' (default): if the user authenticates to the IdP but is not known to Nextcloud,
|
|
# then they will be returned to the login screen and not allowed entry;
|
|
# * 'false': if the user authenticates but is not yet known to Nextcloud, then the user
|
|
# will be automatically created; note that with this setting, you will be allowing (or
|
|
# relying on) a third-party (the IdP) to create new users
|
|
oidc_login_disable_registration = false;
|
|
oidc_login_redir_fallback = cfg.apps.sso.fallbackDefaultAuth;
|
|
# oidc_login_alt_login_page = "assets/login.php";
|
|
oidc_login_tls_verify = true;
|
|
# If you get your groups from the oidc_login_attributes, you might want to create them if
|
|
# they are not already existing, Default is `false`.
|
|
oidc_create_groups = true;
|
|
# Enable use of WebDAV via OIDC bearer token.
|
|
oidc_login_webdav_enabled = true;
|
|
oidc_login_password_authentication = false;
|
|
oidc_login_public_key_caching_time = 86400;
|
|
oidc_login_min_time_between_jwks_requests = 10;
|
|
oidc_login_well_known_caching_time = 86400;
|
|
# If true, nextcloud will download user avatars on login. This may lead to security issues
|
|
# as the server does not control which URLs will be requested. Use with care.
|
|
oidc_login_update_avatar = false;
|
|
};
|
|
};
|
|
|
|
shb.authelia.oidcClients = lib.mkIf (cfg.apps.sso.provider == "Authelia") [
|
|
{
|
|
id = cfg.apps.sso.clientID;
|
|
description = "Nextcloud";
|
|
secretFile = cfg.apps.sso.secretFileForAuthelia;
|
|
public = "false";
|
|
authorization_policy = cfg.apps.sso.authorization_policy;
|
|
redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];
|
|
scopes = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
"groups"
|
|
];
|
|
userinfo_signing_algorithm = "none";
|
|
}
|
|
];
|
|
})
|
|
];
|
|
}
|