Unverified Commit cfcd8678 authored by kraftnix's avatar kraftnix Committed by provokateurin

nixos/nextcloud: add secrets option

Uses the existing `nix_read_secret` helper and systemd `LoadCredential` to read the
contents of a file into an entry in `config.php`
parent 74a942bf
+23 −1
@@ -120,7 +120,8 @@ let
    ++ (lib.optional (
      cfg.config.objectstore.s3.sseCKeyFile != null
    ) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}")
    ++ (lib.optional (cfg.secretFile != null) "secret_file:${cfg.secretFile}");
    ++ (lib.optional (cfg.secretFile != null) "secret_file:${cfg.secretFile}")
    ++ (lib.mapAttrsToList (credential: file: "${credential}:${file}") cfg.secrets);

  requiresRuntimeSystemdCredentials = (lib.length runtimeSystemdCredentials) != 0;

@@ -296,6 +297,9 @@ let
        ) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
        ${lib.optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_secret('dbpass'),"}
        'dbtype' => '${c.dbtype}',
        ${lib.concatStringsSep "\n" (
          lib.mapAttrsToList (name: credential: "'${name}' => nix_read_secret('${name}'),") cfg.secrets
        )}
        ${objectstoreConfig}
      ];

@@ -390,6 +394,24 @@ in
      '';
      example = "/mnt/nextcloud-file";
    };
    secrets = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.pathWith {
          inStore = false;
          absolute = true;
        }
      );
      default = { };
      description = ''
        Secret files to read into entries in `config.php`.
        This uses `nix_read_secret` and LoadCredential to read the contents of the file into the entry in `config.php`.
      '';
      example = lib.literalExpression ''
        {
          oidc_login_client_secret = "/run/secrets/nextcloud_oidc_secret";
        }
      '';
    };
    extraApps = lib.mkOption {
      type = lib.types.attrsOf lib.types.package;
      default = { };
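Review bot: The keys of `secrets` are interpolated unescaped into both the PHP array literal (`'${name}' => nix_read_secret('${name}')`) and the `LoadCredential=` entry (`"${credential}:${file}"`), so a key containing `'`, `:`, whitespace or `/` yields a broken config.php or an invalid credential ID, and a key such as `dbpass` or `secret_file` silently duplicates a credential ID the module already emits, while a key like `dbpassword` or `dbtype` would shadow the fixed entries in the same PHP array (later key wins). Add an assertion in the module's `assertions` list, outside this hunk, e.g. `assertion = lib.all (n: builtins.match "[A-Za-z0-9_]+" n != null) (lib.attrNames cfg.secrets);` with a message naming the option, and consider also rejecting names that already appear in `runtimeSystemdCredentials`. The description should additionally say that the file is read by systemd when the unit starts (so it must exist then and be readable by the service manager rather than by the nextcloud user) and that its contents become the config value verbatim; whether a trailing newline is stripped depends on `nix_read_secret`, which is not visible here, so confirm that before documenting it.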
+6 −0
@@ -63,8 +63,11 @@ runTest (
            };
            phpExtraExtensions = all: [ all.bz2 ];
            nginx.enableFastcgiRequestBuffering = true;
            secrets.mysecret = "/etc/nextcloud/mysecretfile";
          };

          environment.etc."nextcloud/mysecretfile".text = "foobar";

          specialisation.withoutMagick.configuration = {
            services.nextcloud.enableImagemagick = false;
          };
@@ -116,6 +119,9 @@ runTest (
            client_hash = client.succeed("nix-hash testfile.bin").strip()
            nextcloud_hash = nextcloud.succeed("nix-hash /var/lib/nextcloud-data/data/root/files/testfile.bin").strip()
            t.assertEqual(client_hash, nextcloud_hash)

        with subtest("secrets"):
            assert "foobar" == nextcloud.succeed("nextcloud-occ config:system:get mysecret").strip()
      '';
  }
)
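Review bot: The new subtest only shows that occ can read `mysecret` back; it does not show that the value arrived via LoadCredential rather than being baked into the generated PHP config, which is the property this option exists for. Add a check that the module's generated config contains the `nix_read_secret('mysecret')` call and not the literal `foobar`, e.g. `nextcloud.fail("grep -q foobar " + generated_config_path)` — the location of that generated file is not visible in this hunk, so take it from the module. The `environment.etc` fixture is also worth a one-line comment such as `# test fixture only: environment.etc puts the content in the world-readable Nix store`, since the option's `inStore = false` check is satisfied by the `/etc` symlink path while, as environment.etc normally works, the secret text itself still lives in the store.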