nextcloud: fix secrets extraction

sp-modules/nextcloud/cleanup-module.nix

@@ -12,8 +12,8 @@ in
           "${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
         )
         ''
-          rm -f ${db-pass-filepath}
-          rm -f ${admin-pass-filepath}
+          rm -f -v ${db-pass-filepath}
+          rm -f -v ${admin-pass-filepath}
         '';
   };
 }

sp-modules/nextcloud/module.nix

@@ -16,25 +16,28 @@
       inherit (import ./common.nix config)
         sp secrets-filepath db-pass-filepath admin-pass-filepath hostName;
     in
-    lib.mkIf sp.modules.nextcloud.enable
-      {
-        system.activationScripts.nextcloudSecrets = ''
-          install -m 0440 -o nextcloud -g nextcloud -DT \
-          <(${pkgs.jq}/bin/jq < \
-            ${secrets-filepath} -r '.modules.nextcloud.databasePassword') \
-          ${db-pass-filepath}
-
-          install -m 0440 -o nextcloud -g nextcloud -DT \
-          <(${pkgs.jq}/bin/jq < \
-            ${secrets-filepath} -r '.modules.nextcloud.adminPassword') \
-          ${admin-pass-filepath}
-        '';
+    lib.mkIf sp.modules.nextcloud.enable {
       fileSystems = lib.mkIf sp.useBinds {
         "/var/lib/nextcloud" = {
           device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
           options = [ "bind" ];
         };
       };
+      systemd.services.nextcloud-secrets = {
+        before = [ "nextcloud-setup.service" ];
+        requiredBy = [ "nextcloud-setup.service" ];
+        serviceConfig.Type = "oneshot";
+        path = with pkgs; [ coreutils jq ];
+        script = ''
+          install -m 0440 -o nextcloud -g nextcloud -DT \
+          <(jq < ${secrets-filepath} -r '.modules.nextcloud.databasePassword') \
+          ${db-pass-filepath}
+
+          install -m 0440 -o nextcloud -g nextcloud -DT \
+          <(jq < ${secrets-filepath} -r '.modules.nextcloud.adminPassword') \
+          ${admin-pass-filepath}
+        '';
+      };
       services.nextcloud = {
         enable = true;
         package = pkgs.nextcloud25;