pyrox.dev / nixpkgs
lol
fork atom

nixos/nextcloud: use LoadCredential to read services.nextcloud.secretFile

This patch adds support for using systemd's LoadCredential
feature to read in a json file at a path defined in the
services.nextcloud.secretFile option.

This is a follow up to 2ce1e841032eac4913f2cd3dce416da3d5c799ef.

networkException 23468ad1 866d0db0

options
unified split
Changed files
+23 -15
nixos
modules
services
web-apps
nextcloud.nix
tests
nextcloud
with-declarative-redis-and-secrets.nix
+17 -8
nixos/modules/services/web-apps/nextcloud.nix 
···

       
116

       
116

       
 

       
    ++ (lib.optional (cfg.config.objectstore.s3.enable) "s3_secret:${cfg.config.objectstore.s3.secretFile}")


     

       
117

       
117

       
 

       
    ++ (lib.optional (


     

       
118

       
118

       
 

       
      cfg.config.objectstore.s3.sseCKeyFile != null


     

       
119

       

       
-

       
    ) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}");


     

       

       
119

       
+

       
    ) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}")


     

       

       
120

       
+

       
    ++ (lib.optional (cfg.secretFile != null) "secret_file:${cfg.secretFile}");


     

       
120

       
121

       
 

       



     

       
121

       
122

       
 

       
  requiresRuntimeSystemdCredentials = (lib.length runtimeSystemdCredentials) != 0;


     

       
122

       
123

       
 

       



     
···

       
195

       
196

       
 

       
  overrideConfig =


     

       
196

       
197

       
 

       
    let


     

       
197

       
198

       
 

       
      c = cfg.config;


     

       
198

       

       
-

       
      requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable;


     

       
199

       
199

       
 

       
      objectstoreConfig =


     

       
200

       
200

       
 

       
        let


     

       
201

       
201

       
 

       
          s3 = c.objectstore.s3;


     
···

       
232

       
232

       
 

       
    in


     

       
233

       
233

       
 

       
    pkgs.writeText "nextcloud-config.php" ''


     

       
234

       
234

       
 

       
      <?php


     

       
235

       

       
-

       
      ${optionalString requiresReadSecretFunction ''


     

       

       
235

       
+

       
      ${optionalString requiresRuntimeSystemdCredentials ''


     

       
236

       
236

       
 

       
        function nix_read_secret($credential_name) {


     

       
237

       
237

       
 

       
          $credentials_directory = getenv("CREDENTIALS_DIRECTORY");


     

       
238

       
238

       
 

       
          if (!$credentials_directory) {


     
···

       
253

       
253

       
 

       
          }


     

       
254

       
254

       
 

       



     

       
255

       
255

       
 

       
          return trim(file_get_contents($credential_path));


     

       
256

       

       
-

       
        }''}


     

       

       
256

       
+

       
        }


     

       

       
257

       
+

       



     

       

       
258

       
+

       
        function nix_read_secret_and_decode_json_file($credential_name) {


     

       

       
259

       
+

       
          $decoded = json_decode(nix_read_secret($credential_name), true);


     

       

       
260

       
+

       



     

       

       
261

       
+

       
          if (json_last_error() !== JSON_ERROR_NONE) {


     

       

       
262

       
+

       
            error_log(sprintf("Cannot decode %s, because: %s", $file, json_last_error_msg()));


     

       

       
263

       
+

       
            exit(1);


     

       

       
264

       
+

       
          }


     

       

       
265

       
+

       



     

       

       
266

       
+

       
          return $decoded;


     

       

       
267

       
+

       
        }


     

       

       
268

       
+

       
      ''}


     

       
257

       
269

       
 

       
      function nix_decode_json_file($file, $error) {


     

       
258

       
270

       
 

       
        if (!file_exists($file)) {


     

       
259

       
271

       
 

       
          throw new \RuntimeException(sprintf($error, $file));


     
···

       
287

       
299

       
 

       
      ));


     

       
288

       
300

       
 

       



     

       
289

       
301

       
 

       
      ${optionalString (cfg.secretFile != null) ''


     

       
290

       

       
-

       
        $CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(


     

       
291

       

       
-

       
          "${cfg.secretFile}",


     

       
292

       

       
-

       
          "Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!"


     

       
293

       

       
-

       
        ));


     

       

       
302

       
+

       
        $CONFIG = array_replace_recursive($CONFIG, nix_read_secret_and_decode_json_file('secret_file'));


     

       
294

       
303

       
 

       
      ''}


     

       
295

       
304

       
 

       
    '';


     

       
296

       
305

       
 

       
in
+6 -7
nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix 
···

       
84

       
84

       
 

       
          # This file is meant to contain secret options which should


     

       
85

       
85

       
 

       
          # not go into the nix store. Here it is just used to set the


     

       
86

       
86

       
 

       
          # redis password.


     

       
87

       

       
-

       
          environment.etc."nextcloud-secrets.json".text = ''


     

       
88

       

       
-

       
            {


     

       
89

       

       
-

       
              "redis": {


     

       
90

       

       
-

       
                "password": "secret"


     

       
91

       

       
-

       
              }


     

       
92

       

       
-

       
            }


     

       
93

       

       
-

       
          '';


     

       

       
87

       
+

       
          environment.etc."nextcloud-secrets.json" = {


     

       

       
88

       
+

       
            mode = "0600";


     

       

       
89

       
+

       
            text = builtins.toJSON {


     

       

       
90

       
+

       
              redis.password = "secret";


     

       

       
91

       
+

       
            };


     

       

       
92

       
+

       
          };


     

       
94

       
93

       
 

       
        };


     

       
95

       
94

       
 

       
    };


     

       
96

       
95