nextcloud: fix secrets extraction

This commit is contained in:
Alexander Tomokhov 2023-11-29 08:19:04 +04:00
parent 364a5c8076
commit 1a5a4be306
2 changed files with 61 additions and 58 deletions

View file

@ -12,8 +12,8 @@ in
"${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
)
''
rm -f ${db-pass-filepath}
rm -f ${admin-pass-filepath}
rm -f -v ${db-pass-filepath}
rm -f -v ${admin-pass-filepath}
'';
};
}

View file

@ -16,70 +16,73 @@
inherit (import ./common.nix config)
sp secrets-filepath db-pass-filepath admin-pass-filepath hostName;
in
lib.mkIf sp.modules.nextcloud.enable
{
system.activationScripts.nextcloudSecrets = ''
lib.mkIf sp.modules.nextcloud.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
options = [ "bind" ];
};
};
systemd.services.nextcloud-secrets = {
before = [ "nextcloud-setup.service" ];
requiredBy = [ "nextcloud-setup.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
install -m 0440 -o nextcloud -g nextcloud -DT \
<(${pkgs.jq}/bin/jq < \
${secrets-filepath} -r '.modules.nextcloud.databasePassword') \
<(jq < ${secrets-filepath} -r '.modules.nextcloud.databasePassword') \
${db-pass-filepath}
install -m 0440 -o nextcloud -g nextcloud -DT \
<(${pkgs.jq}/bin/jq < \
${secrets-filepath} -r '.modules.nextcloud.adminPassword') \
<(jq < ${secrets-filepath} -r '.modules.nextcloud.adminPassword') \
${admin-pass-filepath}
'';
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/nextcloud" = {
device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
options = [ "bind" ];
};
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud25;
inherit hostName;
# Use HTTPS for links
https = false;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
config = {
# further forces Nextcloud to use HTTPS
overwriteProtocol = "https";
dbtype = "sqlite";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud25;
inherit hostName;
# Use HTTPS for links
https = false;
# auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
config = {
# further forces Nextcloud to use HTTPS
overwriteProtocol = "https";
dbtype = "sqlite";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
dbname = "nextcloud";
dbpassFile = db-pass-filepath;
adminpassFile = admin-pass-filepath;
adminuser = "admin";
};
};
services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:80/";
};
};
services.nginx.virtualHosts.${hostName} = {
sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
expires 10m;
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:80/";
};
};
};
};
}