nextcloud and sops-nix

2024-02-22 17:16:38 +00:00 · 2024-02-22 17:16:38 +00:00 · c32ab6ba1f
commit c32ab6ba1f
parent a49f3d34ab
10 changed files with 175 additions and 119 deletions
--- a/nixos/services/grafana.nix
+++ b/nixos/services/grafana.nix
@ -1,9 +1,8 @@
 {config, ...}: let
  cfg = config.services.grafana;
-  secrets = config.age.secrets;
+  secrets = config.sops.secrets;
 in {
-  age.secrets.grafana_oidc_client_secret = {
-    file = ../../secrets/grafana/oidc/client_secret.age;
+  sops.secrets."grafana/oidc_client_secret" = {
    owner = "grafana";
  };
  services.grafana = {
@ -16,7 +15,7 @@ in {
        enabled = true;
        name = "authentik";
        client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
-        client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}";
+        client_secret = "$__file{${secrets."grafana/oidc_client_secret".path}}";
        scopes = toString ["openid" "profile" "email"];
        auth_url = "https://auth.tristans.cloud/application/o/authorize/";
        token_url = "https://auth.tristans.cloud/application/o/token/";
--- a/nixos/services/nextcloud.nix
+++ b/nixos/services/nextcloud.nix
@ -0,0 +1,69 @@
+{config, pkgs, ...}:
+let
+  nextcloud = config.services.nextcloud;
+  secrets = config.sops.secrets;
+  sops = config.sops;
+in {
+  sops.secrets = {
+    "nextcloud/admin_password" = {
+      owner = "nextcloud";
+    };
+    "nextcloud/oidc_client_secret" = {};
+  };
+  sops.templates = {
+    "nextcloud/secrets.json" = {
+      owner = "nextcloud";
+      content = builtins.toJSON {
+        oidc_login_client_secret = sops.placeholder."nextcloud/oidc_client_secret";
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [ ffmpeg ];
+
+  services.nextcloud = {
+    enable = true;
+    https = true;
+    configureRedis = true;
+    config = {
+      adminpassFile = secrets."nextcloud/admin_password".path;
+    };
+    secretFile = sops.templates."nextcloud/secrets.json".path;
+    settings = {
+      trusted_proxies = ["192.168.1.2"];
+      maintenance_window_start = 2;
+      default_phone_region = "GB";
+      # https://github.com/pulsejet/nextcloud-oidc-login
+      oidc_login_provider_url = "https://auth.tristans.cloud/application/o/nextcloud/";
+      oidc_login_client_id = "Fo0OMWCHBlJNw5DsEI0IzeCk0HpU1TIZpy3D5Tix";
+      oidc_login_button_text = "Log in with Authentik";
+      oidc_login_use_id_token = true;
+      oidc_login_attributes = {
+        id = "preferred_username";
+        name = "name";
+        mail = "email";
+        groups = "groups";
+        is_admin = "NextcloudAdmin";
+        login_filter = "groups";
+      };
+      oidc_login_filter_allowed_values = {
+        "0" = "Nextcloud users";
+      };
+      oidc_login_use_external_storage = false;
+      oidc_login_scope = "email openid profile NextcloudAdmin";
+      oidc_login_proxy_ldap = false;
+      oidc_login_disable_registration = false;
+      oidc_login_redir_fallback = false;
+      oidc_login_tls_verify = true;
+      oidc_create_groups = true;
+      oidc_login_webdav_enabled = true;
+      oidc_login_public_key_caching_time = 604800;
+      oidc_login_min_time_between_jwks_requests = 10;
+      oidc_login_well_known_caching_time = 86400;
+    };
+  };
+  services.nginx.virtualHosts.${nextcloud.hostName} = {
+    forceSSL = true;
+    enableACME = true;
+  };
+}