Commit 427bf67b authored by Payas Relekar's avatar Payas Relekar

nixos/ocis: init at 5.0.0

parent 9f3798cd
+2 −0
@@ -72,6 +72,8 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- [ownCloud Infinite Scale Stack](https://owncloud.com/infinite-scale-4-0/), a modern and scalable rewrite of ownCloud.

- [Handheld Daemon](https://github.com/hhd-dev/hhd), support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as [services.handheld-daemon](#opt-services.handheld-daemon.enable).

- [Guix](https://guix.gnu.org), a functional package manager inspired by Nix. Available as [services.guix](#opt-services.guix.enable).
+1 −0
@@ -1362,6 +1362,7 @@
  ./services/web-apps/nexus.nix
  ./services/web-apps/nifi.nix
  ./services/web-apps/node-red.nix
  ./services/web-apps/ocis.nix
  ./services/web-apps/onlyoffice.nix
  ./services/web-apps/openvscode-server.nix
  ./services/web-apps/mobilizon.nix
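--- /dev/null
+++ b/nixos/modules/services/web-apps/ocis.md
@@ -0,0 +1,113 @@
+# ownCloud Infinite Scale {#module-services-ocis}
+
+[ownCloud Infinite Scale](https://owncloud.dev/ocis/) (oCIS) is an open-source,
+modern file-sync and sharing platform. It is a ground-up rewrite of the well-known PHP based ownCloud server.
+
+The server setup can be automated using
+[services.ocis](#opt-services.ocis.enable). The desktop client is packaged at
+`pkgs.owncloud-client`.
+
+## Basic usage {#module-services-ocis-basic-usage}
+
+oCIS is a golang application and does not require an HTTP server (such as nginx)
+in front of it, though you may optionally use one if you will.
+
+oCIS is configured using a combination of yaml and environment variables. It is
+recommended to familiarize yourself with upstream's available configuration
+options and deployment instructions:
+
+* [Getting Started](https://owncloud.dev/ocis/getting-started/)
+* [Configuration](https://owncloud.dev/ocis/config/)
+* [Basic Setup](https://owncloud.dev/ocis/deployment/basic-remote-setup/)
+
+A very basic configuration may look like this:
+```
+{ pkgs, ... }:
+{
+  services.ocis = {
+    enable = true;
+    configDir = "/etc/ocis/config";
+  };
+}
+```
+
+This will start the oCIS server and make it available at `https://localhost:9200`
+
+However to make this configuration work you will need generate a configuration.
+You can do this with:
+
+```console
+$ nix-shell -p ocis-bin
+$ mkdir scratch/
+$ cd scratch/
+$ ocis init --config-path . --admin-password "changeme"
+```
+
+You may need to pass `--insecure true` or provide the `OCIS_INSECURE = true;` to
+[`services.ocis.environment`][mod-envFile], if TLS certificates are generated
+and managed externally (e.g. if you are using oCIS behind reverse proxy).
+
+If you want to manage the config file in your nix configuration, then it is
+encouraged to use a secrets manager like sops-nix or agenix.
+
+Be careful not to write files containing secrets to the globally readable nix
+store.
+
+Please note that current NixOS module for oCIS is configured to run in `fullstack`
+mode, which starts all the services for owncloud on single instance. This will
+start multiple ocis services and listen on multiple other ports.
+
+Current known services and their ports are as below:
+
+| Service            | Group   |  Port |
+|--------------------|---------|-------|
+| gateway            | api     |  9142 |
+| sharing            | api     |  9150 |
+| app-registry       | api     |  9242 |
+| ocdav              | web     | 45023 |
+| auth-machine       | api     |  9166 |
+| storage-system     | api     |  9215 |
+| webdav             | web     |  9115 |
+| webfinger          | web     | 46871 |
+| storage-system     | web     |  9216 |
+| web                | web     |  9100 |
+| eventhistory       | api     | 33177 |
+| ocs                | web     |  9110 |
+| storage-publiclink | api     |  9178 |
+| settings           | web     |  9190 |
+| ocm                | api     |  9282 |
+| settings           | api     |  9191 |
+| ocm                | web     |  9280 |
+| app-provider       | api     |  9164 |
+| storage-users      | api     |  9157 |
+| auth-service       | api     |  9199 |
+| thumbnails         | web     |  9186 |
+| thumbnails         | api     |  9185 |
+| storage-shares     | api     |  9154 |
+| sse                | sse     | 46833 |
+| userlog            | userlog | 45363 |
+| search             | api     |  9220 |
+| proxy              | web     |  9200 |
+| idp                | web     |  9130 |
+| frontend           | web     |  9140 |
+| groups             | api     |  9160 |
+| graph              | graph   |  9120 |
+| users              | api     |  9144 |
+| auth-basic         | api     |  9146 |
+
+## Configuration via environment variables
+
+You can also eschew the config file entirely and pass everything to oCIS via
+environment variables. For this make use of
+[`services.ocis.environment`][mod-env] for non-sensitive
+values, and
+[`services.ocis.environmentFile`][mod-envFile] for
+sensitive values.
+
+Configuration in (`services.ocis.environment`)[mod-env] overrides those from
+[`services.ocis.environmentFile`][mod-envFile] and will have highest
+precedence
+
+
+[mod-env]: #opt-services.ocis.environment
+[mod-envFile]: #opt-services.ocis.environmentFile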
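--- /dev/null
+++ b/nixos/modules/services/web-apps/ocis.nix
@@ -0,0 +1,201 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) types;
+  cfg = config.services.ocis;
+  defaultUser = "ocis";
+  defaultGroup = defaultUser;
+in
+{
+  options = {
+    services.ocis = {
+      enable = lib.mkEnableOption "ownCloud Infinite Scale";
+
+      package = lib.mkPackageOption pkgs "ocis-bin" { };
+
+      configDir = lib.mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/var/lib/ocis/config";
+        description = lib.mdDoc ''
+          Path to directory containing oCIS config file.
+
+          Example config can be generated by `ocis init --config-path fileName --admin-password "adminPass"`.
+          Add `--insecure true` if SSL certificates are generated and managed externally (e.g. using oCIS behind reverse proxy).
+
+          Note: This directory must contain at least a `ocis.yaml`. Ensure
+          [user](#opt-services.ocis.user) has read/write access to it. In some
+          circumstances you may need to add additional oCIS configuration files (e.g.,
+          `proxy.yaml`) to this directory.
+        '';
+      };
+
+      environmentFile = lib.mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/run/keys/ocis.env";
+        description = lib.mdDoc ''
+          An environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Configuration provided in this file will override those from [configDir](#opt-services.ocis.configDir)/ocis.yaml.
+        '';
+      };
+
+      user = lib.mkOption {
+        type = types.str;
+        default = defaultUser;
+        example = "yourUser";
+        description = lib.mdDoc ''
+          The user to run oCIS as.
+          By default, a user named `${defaultUser}` will be created whose home
+          directory is [stateDir](#opt-services.ocis.stateDir).
+        '';
+      };
+
+      group = lib.mkOption {
+        type = types.str;
+        default = defaultGroup;
+        example = "yourGroup";
+        description = lib.mdDoc ''
+          The group to run oCIS under.
+          By default, a group named `${defaultGroup}` will be created.
+        '';
+      };
+
+      address = lib.mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = "Web interface address.";
+      };
+
+      port = lib.mkOption {
+        type = types.port;
+        default = 9200;
+        description = "Web interface port.";
+      };
+
+      url = lib.mkOption {
+        type = types.str;
+        default = "https://localhost:9200";
+        example = "https://some-hostname-or-ip:9200";
+        description = "Web interface address.";
+      };
+
+      stateDir = lib.mkOption {
+        default = "/var/lib/ocis";
+        type = types.str;
+        description = "ownCloud data directory.";
+      };
+
+      environment = lib.mkOption {
+        type = types.attrsOf types.str;
+        default = { };
+        description = lib.mdDoc ''
+          Extra config options.
+
+          See [the documentation](https://doc.owncloud.com/ocis/next/deployment/services/services.html) for available options.
+          See [notes for environment variables](https://doc.owncloud.com/ocis/next/deployment/services/env-var-note.html) for more information.
+
+          Note that all the attributes here will be copied to /nix/store/ and will be world readable. Options like *_PASSWORD or *_SECRET should be part of     [environmentFile](#opt-services.ocis.environmentFile) instead, and are only provided here for illustrative purpose.
+
+          Configuration here will override those from [environmentFile](#opt-services.ocis.environmentFile) and will have highest precedence, at the cost of security. Do NOT put security sensitive stuff here.
+        '';
+        example = {
+          OCIS_INSECURE = "false";
+          OCIS_LOG_LEVEL = "error";
+          OCIS_JWT_SECRET = "super_secret";
+          OCIS_TRANSFER_SECRET = "foo";
+          OCIS_MACHINE_AUTH_API_KEY = "foo";
+          OCIS_SYSTEM_USER_ID = "123";
+          OCIS_MOUNT_ID = "123";
+          OCIS_STORAGE_USERS_MOUNT_ID = "123";
+          GATEWAY_STORAGE_USERS_MOUNT_ID = "123";
+          CS3_ALLOW_INSECURE = "true";
+          OCIS_INSECURE_BACKENDS = "true";
+          TLS_INSECURE = "true";
+          TLS_SKIP_VERIFY_CLIENT_CERT = "true";
+          WEBDAV_ALLOW_INSECURE = "true";
+          IDP_TLS = "false";
+          GRAPH_APPLICATION_ID = "1234";
+          IDM_IDPSVC_PASSWORD = "password";
+          IDM_REVASVC_PASSWORD = "password";
+          IDM_SVC_PASSWORD = "password";
+          IDP_ISS = "https://localhost:9200";
+          OCIS_LDAP_BIND_PASSWORD = "password";
+          OCIS_SERVICE_ACCOUNT_ID = "foo";
+          OCIS_SERVICE_ACCOUNT_SECRET = "foo";
+          OCIS_SYSTEM_USER_API_KEY = "foo";
+          STORAGE_USERS_MOUNT_ID = "123";
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.${defaultUser} = lib.mkIf (cfg.user == defaultUser) {
+      group = cfg.group;
+      home = cfg.stateDir;
+      isSystemUser = true;
+      createHome = true;
+      description = "ownCloud Infinite Scale daemon user";
+    };
+
+    users.groups = lib.mkIf (cfg.group == defaultGroup) { ${defaultGroup} = { }; };
+
+    systemd = {
+      services.ocis = {
+        description = "ownCloud Infinite Scale Stack";
+        wantedBy = [ "multi-user.target" ];
+        environment = {
+          PROXY_HTTP_ADDR = "${cfg.address}:${toString cfg.port}";
+          OCIS_URL = cfg.url;
+          OCIS_CONFIG_DIR = if (cfg.configDir == null) then "${cfg.stateDir}/config" else cfg.configDir;
+          OCIS_BASE_DATA_PATH = cfg.stateDir;
+        } // cfg.environment;
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${lib.getExe cfg.package} server";
+          WorkingDirectory = cfg.stateDir;
+          User = cfg.user;
+          Group = cfg.group;
+          Restart = "always";
+          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+          ReadWritePaths = [ cfg.stateDir ];
+          ReadOnlyPaths = [ cfg.configDir ];
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          ProtectControlGroups = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectKernelLogs = true;
+          RestrictAddressFamilies = [
+            "AF_UNIX"
+            "AF_INET"
+            "AF_INET6"
+            "AF_NETLINK"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          LockPersonality = true;
+          SystemCallArchitectures = "native";
+        };
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [
+    bhankas
+    danth
+    ramblurr
+  ];
+}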
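Review bot: `ReadOnlyPaths = [ cfg.configDir ];` in serviceConfig is built unconditionally, so with the option's `null` default the list holds a null entry and is likely to fail the serviceConfig type check, even though `OCIS_CONFIG_DIR` a few lines earlier deliberately falls back to `${cfg.stateDir}/config` in that case; guard it the same way `EnvironmentFile` is guarded on the preceding line: `ReadOnlyPaths = lib.optional (cfg.configDir != null) cfg.configDir;`. Note that with the fallback the config directory sits inside `ReadWritePaths`, so the `ocis.yaml` that `ocis init` fills with JWT, transfer and machine-auth secrets is writable by the service user; the `configDir` description should say that pointing it at a directory outside `stateDir` is what makes the config read-only. The `url` option repeats the `address` description ("Web interface address.") although it is the externally visible URL and does not track `address`/`port`; a description such as "Public URL under which oCIS is reachable; must match the host and port clients use." would avoid the confusion. Since every listed port is above 1024, the hardening block could additionally drop `CapabilityBoundingSet = "";` and `SystemCallFilter = [ "@system-service" ];` in, assuming the Go runtime tolerates the filter.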
+1 −0
@@ -648,6 +648,7 @@ in {
  nvmetcfg = handleTest ./nvmetcfg.nix {};
  nzbget = handleTest ./nzbget.nix {};
  nzbhydra2 = handleTest ./nzbhydra2.nix {};
  ocis = handleTest ./ocis.nix {};
  oh-my-zsh = handleTest ./oh-my-zsh.nix {};
  ollama = handleTest ./ollama.nix {};
  ombi = handleTest ./ombi.nix {};