use more contracts in nextcloud and update docs
ibizaman committed Nov 13, 2024
1 parent 17c8b0a commit 45017ee
Showing 6 changed files with 349 additions and 230 deletions.
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -142,7 +142,13 @@ any reverse proxy you want or any database you want,
without requiring work from maintainers of the services you want to self host.
(See [manual][contracts] for a complete explanation)

Two videos exist of me presenting the topic,
the first at [NixCon North America in spring of 2024][NixConNA2024]
and the second at [NixCon in Berlin in fall of 2024][NixConBerlin2024].

[contracts]: https://shb.skarabox.com/contracts.html
[NixConNA2024]: https://www.youtube.com/watch?v=lw7PgphB9qM
[NixConBerlin2024]: https://www.youtube.com/watch?v=CP0hR6w1csc

### More Benefits of SHB

9 changes: 9 additions & 0 deletions docs/contracts.md
Expand Up @@ -11,6 +11,15 @@ In practice, a contract is a set of options that any user of a contract expects
values of these options dictate the behavior of the implementation. This is enforced with NixOS VM
tests.

## Videos {#contracts-videos}

Two videos exist of me presenting the topic,
the first at [NixCon North America in spring of 2024][NixConNA2024]
and the second at [NixCon in Berlin in fall of 2024][NixConBerlin2024].

[NixConNA2024]: https://www.youtube.com/watch?v=lw7PgphB9qM
[NixConBerlin2024]: https://www.youtube.com/watch?v=CP0hR6w1csc

## Provided contracts {#contracts-provided}

Self Host Blocks is a proving ground of contracts. This repository adds a layer on top of services
20 changes: 10 additions & 10 deletions docs/usage.md
Expand Up @@ -279,15 +279,15 @@ One way to setup secrets management using `sops-nix`:
selfhostblocks.inputs.sops-nix.nixosModules.default
];
```
6. Reference the secrets in nix:
6. Set default sops file:
```bash
sops.defaultSopsFile = ./secrets.yaml;
```
Setting the default this way makes all sops instances use that same file.
7. Reference the secrets in nix:
```nix
shb.nextcloud.adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
shb.nextcloud.adminPass.result.path = config.sops.secrets."nextcloud/adminpass".path;
sops.secrets."nextcloud/adminpass" = config.shb.nextcloud.adminPass.request;
```
The above snippet uses the [secrets contract](./contracts-secret.html) to ease configuration.
82 changes: 38 additions & 44 deletions modules/services/nextcloud-server.nix
Expand Up @@ -95,10 +95,11 @@ in
default = "root";
};

adminPassFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "File containing the Nextcloud admin password. Required.";
default = null;
adminPass = contracts.secret.mkOption {
description = "Nextcloud admin password.";
mode = "0400";
owner = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};

maxUploadSize = lib.mkOption {
Expand All @@ -121,7 +122,11 @@ in
postgresSettings = lib.mkOption {
type = lib.types.nullOr (lib.types.attrsOf lib.types.str);
default = null;
description = "Settings for the PostgreSQL database. Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.";
description = ''
Settings for the PostgreSQL database.
Go to https://pgtune.leopard.in.ua/ and copy the generated configuration here.
'';
example = lib.literalExpression ''
{
# From https://pgtune.leopard.in.ua/ with:
Expand Down Expand Up @@ -369,14 +374,11 @@ in
default = "admin";
};

adminPasswordFile = lib.mkOption {
type = lib.types.path;
description = ''
File containing the admin password of the LDAP server.
Must be readable by the nextcloud system user.
'';
default = "";
adminPassword = contracts.secret.mkOption {
description = "LDAP server admin password.";
mode = "0400";
owner = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};

userGroup = lib.mkOption {
Expand Down Expand Up @@ -439,24 +441,17 @@ in
default = "one_factor";
};

secretFile = lib.mkOption {
type = lib.types.path;
description = ''
File containing the secret for the OIDC endpoint.
Must be readable by the nextcloud system user.
'';
default = "";
secret = contracts.secret.mkOption {
description = "OIDC shared secret.";
mode = "0400";
owner = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};

secretFileForAuthelia = lib.mkOption {
type = lib.types.path;
description = ''
File containing the secret for the OIDC endpoint, must be readable by the Authelia user.
Must be readable by the authelia system user.
'';
default = "";
secretForAuthelia = contracts.secret.mkOption {
description = "OIDC shared secret. Content must be the same as `secretFile` option.";
mode = "0400";
owner = "authelia";
};

fallbackDefaultAuth = lib.mkOption {
Expand All @@ -478,9 +473,15 @@ in
extraApps = lib.mkOption {
type = lib.types.raw;
description = ''
Extra apps to install. Should be a function returning an attrSet of appid to packages
generated by fetchNextcloudApp. The appid must be identical to the “id” value in the apps
appinfo/info.xml. You can still install apps through the appstore.
Extra apps to install.
Should be a function returning an `attrSet` of `appid` as keys to `packages` as values,
like generated by `fetchNextcloudApp`.
The appid must be identical to the `id` value in the apps'
`appinfo/info.xml`.
Search in [nixpkgs](https://github.com/NixOS/nixpkgs/tree/master/pkgs/servers/nextcloud/packages) for the `NN.json` files for existing apps.
You can still install apps through the appstore.
'';
default = null;
example = lib.literalExpression ''
Expand Down Expand Up @@ -576,13 +577,6 @@ in

config = lib.mkMerge [
(lib.mkIf cfg.enable {
assertions = [
{
assertion = !(isNull cfg.adminPassFile);
message = "Must set shb.nextcloud.adminPassFile.";
}
];

users.users = {
nextcloud = {
name = "nextcloud";
Expand Down Expand Up @@ -617,7 +611,7 @@ in
config = {
dbtype = "pgsql";
adminuser = cfg.adminUser;
adminpassFile = toString cfg.adminPassFile;
adminpassFile = cfg.adminPass.result.path;
};
database.createLocally = true;

Expand Down Expand Up @@ -819,7 +813,7 @@ in
systemd.services.nextcloud-setup.script = ''
${occ} app:install files_external || :
${occ} app:enable files_external
'' + lib.optionalString (cfg.apps.externalStorage.userLocalMount != "") (
'' + lib.optionalString (cfg.apps.externalStorage.userLocalMount != null) (
let
cfg' = cfg.apps.externalStorage.userLocalMount;

Expand Down Expand Up @@ -859,7 +853,7 @@ in
${occ} ldap:set-config "${cID}" 'ldapAgentName' \
'uid=${cfg'.adminName},ou=people,${cfg'.dcdomain}'
${occ} ldap:set-config "${cID}" 'ldapAgentPassword' \
"$(cat ${cfg'.adminPasswordFile})"
"$(cat ${cfg'.adminPassword.result.path})"
${occ} ldap:set-config "${cID}" 'ldapBase' \
'${cfg'.dcdomain}'
${occ} ldap:set-config "${cID}" 'ldapBaseGroups' \
Expand Down Expand Up @@ -936,7 +930,7 @@ in
mkdir -p ${cfg.dataDir}/config
cat <<EOF > "${cfg.dataDir}/config/secretFile"
{
"oidc_login_client_secret": "$(cat ${cfg.apps.sso.secretFile})"
"oidc_login_client_secret": "$(cat ${cfg.apps.sso.secret.result.path})"
}
EOF
'';
Expand Down Expand Up @@ -1001,7 +995,7 @@ in
{
client_id = cfg.apps.sso.clientID;
client_name = "Nextcloud";
client_secret.source = cfg.apps.sso.secretFileForAuthelia;
client_secret.source = cfg.apps.sso.secretForAuthelia.result.path;
public = false;
authorization_policy = cfg.apps.sso.authorization_policy;
redirect_uris = [ "${protocol}://${fqdnWithPort}/apps/oidc_login/oidc" ];
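Review bot: The description of the new `secretForAuthelia` option still points readers at a `secretFile` option that this same commit renames to `secret`, so the cross-reference is stale the moment it lands; change it to `description = "OIDC shared secret. Content must be the same as the `secret` option.";`. In the same hunk, `secretForAuthelia` is the only one of the four new `contracts.secret.mkOption` declarations without a `restartUnits` entry, which looks intentional (the Authelia unit name is not visible here) but is worth a one-line comment stating who is responsible for restarting Authelia when the secret rotates, since the Nextcloud side of the same shared secret does restart `phpfpm-nextcloud.service`. The removed assertion on `adminPassFile` being set is not replaced by anything visible in this diff; if the contract's `request`/`result` plumbing does not already fail evaluation when no provider fills `adminPass.result.path`, the module now silently accepts a missing admin password where it used to error, so confirm that the contract enforces it or keep an equivalent assertion on `cfg.adminPass.result.path`. The `config` attribute set these hunks belong to starts and ends outside the visible hunks.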
