nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix

{
  config,
  options,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.nextcloud.notify_push;
  cfgN = config.services.nextcloud;
in
{
  options.services.nextcloud.notify_push =
    {
      enable = lib.mkEnableOption "Notify push";

      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.nextcloud-notify_push;
        defaultText = lib.literalMD "pkgs.nextcloud-notify_push";
        description = "Which package to use for notify_push";
      };

      socketPath = lib.mkOption {
        type = lib.types.str;
        default = "/run/nextcloud-notify_push/sock";
        description = "Socket path to use for notify_push";
      };

      logLevel = lib.mkOption {
        type = lib.types.enum [
          "error"
          "warn"
          "info"
          "debug"
          "trace"
        ];
        default = "error";
        description = "Log level";
      };

      nextcloudUrl = lib.mkOption {
        type = lib.types.str;
        default = "http${lib.optionalString cfgN.https "s"}://${cfgN.hostName}";
        defaultText = lib.literalExpression ''"http''${lib.optionalString config.services.nextcloud.https "s"}://''${config.services.nextcloud.hostName}"'';
        description = "Configure the nextcloud URL notify_push tries to connect to.";
      };

      bendDomainToLocalhost = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Whether to add an entry to `/etc/hosts` for the configured nextcloud domain to point to `localhost` and add `localhost `to nextcloud's `trusted_proxies` config option.

          This is useful when nextcloud's domain is not a static IP address and when the reverse proxy cannot be bypassed because the backend connection is done via unix socket.
        '';
      };
    }
    // (lib.genAttrs
      [
        "dbtype"
        "dbname"
        "dbuser"
        "dbpassFile"
        "dbhost"
        "dbport"
        "dbtableprefix"
      ]
      (
        opt:
        options.services.nextcloud.config.${opt}
        // {
          default = config.services.nextcloud.config.${opt};
          defaultText = lib.literalExpression "config.services.nextcloud.config.${opt}";
        }
      )
    );

  config = lib.mkIf cfg.enable {
    systemd.services = {
      nextcloud-notify_push = {
        description = "Push daemon for Nextcloud clients";
        documentation = [ "https://github.com/nextcloud/notify_push" ];
        after = [
          "nextcloud-setup.service"
          "phpfpm-nextcloud.service"
          "redis-nextcloud.service"
        ];
        requires = [
          "nextcloud-setup.service"
        ];
        wantedBy = [ "multi-user.target" ];
        environment = {
          NEXTCLOUD_URL = cfg.nextcloudUrl;
          SOCKET_PATH = cfg.socketPath;
          DATABASE_PREFIX = cfg.dbtableprefix;
          LOG = cfg.logLevel;
        };
        script =
          let
            dbType = if cfg.dbtype == "pgsql" then "postgresql" else cfg.dbtype;
            dbUser = lib.optionalString (cfg.dbuser != null) cfg.dbuser;
            dbPass = lib.optionalString (cfg.dbpassFile != null) ":$DATABASE_PASSWORD";
            dbHostHasPrefix = prefix: lib.hasPrefix prefix (toString cfg.dbhost);
            isPostgresql = dbType == "postgresql";
            isMysql = dbType == "mysql";
            isSocket = (isPostgresql && dbHostHasPrefix "/") || (isMysql && dbHostHasPrefix "localhost:/");
            dbHost = lib.optionalString (cfg.dbhost != null) (
              if isSocket then lib.optionalString isMysql "@localhost" else "@${cfg.dbhost}"
            );
            dbOpts = lib.optionalString (cfg.dbhost != null && isSocket) (
              if isPostgresql then
                "?host=${cfg.dbhost}"
              else if isMysql then
                "?socket=${lib.removePrefix "localhost:" cfg.dbhost}"
              else
                throw "unsupported dbtype"
            );
            dbName = lib.optionalString (cfg.dbname != null) "/${cfg.dbname}";
            dbUrl = "${dbType}://${dbUser}${dbPass}${dbHost}${dbName}${dbOpts}";
          in
          lib.optionalString (cfg.dbpassFile != null) ''
            export DATABASE_PASSWORD="$(<"$CREDENTIALS_DIRECTORY/dbpass")"
          ''
          + ''
            export DATABASE_URL="${dbUrl}"
            exec ${cfg.package}/bin/notify_push '${cfgN.datadir}/config/config.php'
          '';
        serviceConfig = {
          User = "nextcloud";
          Group = "nextcloud";
          RuntimeDirectory = [ "nextcloud-notify_push" ];
          Restart = "on-failure";
          RestartSec = "5s";
          Type = "notify";
          LoadCredential = lib.optional (cfg.dbpassFile != null) "dbpass:${cfg.dbpassFile}";
        };
      };

      nextcloud-notify_push_setup = {
        wantedBy = [ "multi-user.target" ];
        requiredBy = [ "nextcloud-notify_push.service" ];
        after = [ "nextcloud-notify_push.service" ];
        serviceConfig = {
          Type = "oneshot";
          User = "nextcloud";
          Group = "nextcloud";
          ExecStart = "${lib.getExe cfgN.occ} notify_push:setup ${cfg.nextcloudUrl}/push";
          LoadCredential = config.systemd.services.nextcloud-cron.serviceConfig.LoadCredential;
          RestartMode = "direct";
          Restart = "on-failure";
        };
      };
    };

    networking.hosts = lib.mkIf cfg.bendDomainToLocalhost {
      "127.0.0.1" = [ cfgN.hostName ];
      "::1" = [ cfgN.hostName ];
    };

    services = lib.mkMerge [
      {
        nginx.virtualHosts.${cfgN.hostName}.locations."^~ /push/" = {
          proxyPass = "http://unix:${cfg.socketPath}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
          extraConfig = # nginx
            ''
              # disable in case it was configured on a higher level
              keepalive_timeout 0;
              proxy_buffering off;
            '';
        };
      }

      (lib.mkIf cfg.bendDomainToLocalhost {
        nextcloud.settings.trusted_proxies = [
          "127.0.0.1"
          "::1"
        ];
      })
    ];
  };
}
nixos/nextcloud-notify_push: add database options 2023-01-02 18:30:38 +01:00			`{`
			`config,`
			`options,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00
			`let`
			`cfg = config.services.nextcloud.notify_push;`
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00			`cfgN = config.services.nextcloud;`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`in`
			`{`
			`options.services.nextcloud.notify_push =`
			`{`
			`enable = lib.mkEnableOption "Notify push";`
nixos/nextcloud-notify_push: add database options 2023-01-02 18:30:38 +01:00
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`package = lib.mkOption {`
			`type = lib.types.package;`
			`default = pkgs.nextcloud-notify_push;`
			`defaultText = lib.literalMD "pkgs.nextcloud-notify_push";`
			`description = "Which package to use for notify_push";`
			`};`
nixos/nextcloud-notify_push: add database options 2023-01-02 18:30:38 +01:00
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`socketPath = lib.mkOption {`
			`type = lib.types.str;`
			`default = "/run/nextcloud-notify_push/sock";`
			`description = "Socket path to use for notify_push";`
			`};`
nixos/nextcloud-notify_push: add database options 2023-01-02 18:30:38 +01:00
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`logLevel = lib.mkOption {`
			`type = lib.types.enum [`
			`"error"`
			`"warn"`
			`"info"`
			`"debug"`
			`"trace"`
			`];`
			`default = "error";`
			`description = "Log level";`
			`};`
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00
nixos/nextcloud-notify_push: add nextcloudUrl option to have better control over the URL for when bendDomainToLocalhost is not good enough 2024-12-15 21:18:57 +01:00			`nextcloudUrl = lib.mkOption {`
			`type = lib.types.str;`
			`default = "http${lib.optionalString cfgN.https "s"}://${cfgN.hostName}";`
			`defaultText = lib.literalExpression ''"http''${lib.optionalString config.services.nextcloud.https "s"}://''${config.services.nextcloud.hostName}"'';`
			`description = "Configure the nextcloud URL notify_push tries to connect to.";`
			`};`

nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00			`bendDomainToLocalhost = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`description = ''`
nixos: fix typos 2023-05-19 22:11:38 -04:00			Whether to add an entry to `/etc/hosts` for the configured nextcloud domain to point to `localhost` and add `localhost `to nextcloud's `trusted_proxies` config option.
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00
			`This is useful when nextcloud's domain is not a static IP address and when the reverse proxy cannot be bypassed because the backend connection is done via unix socket.`
			`'';`
			`};`
nixos/nextcloud-notify_push: add database options 2023-01-02 18:30:38 +01:00			`}`
nixos/nextcloud-notify_push: use lib.genAttrs 2023-02-21 13:26:33 +01:00			`// (lib.genAttrs`
			`[`
			`"dbtype"`
			`"dbname"`
			`"dbuser"`
			`"dbpassFile"`
			`"dbhost"`
			`"dbport"`
			`"dbtableprefix"`
			`]`
			`(`
			`opt:`
			`options.services.nextcloud.config.${opt}`
			`// {`
			`default = config.services.nextcloud.config.${opt};`
nixos/nextcloud-notify_push: fix defaultText rendering 2024-10-30 23:48:18 +01:00			`defaultText = lib.literalExpression "config.services.nextcloud.config.${opt}";`
nixos/nextcloud-notify_push: use lib.genAttrs 2023-02-21 13:26:33 +01:00			`}`
nixos/nextcloud-notify_push: add database options 2023-01-02 18:30:38 +01:00			`)`
			`);`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00
			`config = lib.mkIf cfg.enable {`
nixos/nextcloud: use LoadCredential to read secrets This patch adds support for using systemd's LoadCredential feature to read various secret files used by nextcloud service units. Previously credentials had to be readable by the nextcloud user, this is now no longer required. The nextcloud-occ wrapper script has been adjusted to use systemd-run for loading credentials when being called from outside a service. In detail this change touches various details of the module: - The nix_read_secret() php function now takes the name of a file relative to the path specified in the CREDENTIALS_DIRECTORY environment variable. - The nix_read_secret() now exits with error code 1 instead of throwing a RuntimeException as this will properly error out the nextcloud-occ script - Only the nextcloud-setup service unit has the adminpass credential added in addition to the other credentials - Uses of ExecCondition= in nextcloud-cron and nextcloud-update-db have been replaced by a shell conditional as ExecCondition currently doesn't support credentials - The phpfpm-nextcloud service now runs a preStart script to make the credentials it gets readable by the nextcloud user as the unit runs as root but the php process itself as nextcloud. - To invoke occ notify_push:setup when using nextcloud notify_push a new service has been added that replaces the preStart script in nextcloud-notify_push.service. This has been done as the main executable only needs the database password credential. Co-authored-by: lassulus <lassulus@lassul.us> 2024-12-22 19:18:15 +01:00			`systemd.services = {`
			`nextcloud-notify_push = {`
			`description = "Push daemon for Nextcloud clients";`
			`documentation = [ "https://github.com/nextcloud/notify_push" ];`
			`after = [`
nixos/nextcloud-notify_push: add nextcloud-setup without it notify might start to early and then fail 5 times before nextcloud is even ready. 2025-03-23 00:22:45 +01:00			`"nextcloud-setup.service"`
nixos/nextcloud: use LoadCredential to read secrets This patch adds support for using systemd's LoadCredential feature to read various secret files used by nextcloud service units. Previously credentials had to be readable by the nextcloud user, this is now no longer required. The nextcloud-occ wrapper script has been adjusted to use systemd-run for loading credentials when being called from outside a service. In detail this change touches various details of the module: - The nix_read_secret() php function now takes the name of a file relative to the path specified in the CREDENTIALS_DIRECTORY environment variable. - The nix_read_secret() now exits with error code 1 instead of throwing a RuntimeException as this will properly error out the nextcloud-occ script - Only the nextcloud-setup service unit has the adminpass credential added in addition to the other credentials - Uses of ExecCondition= in nextcloud-cron and nextcloud-update-db have been replaced by a shell conditional as ExecCondition currently doesn't support credentials - The phpfpm-nextcloud service now runs a preStart script to make the credentials it gets readable by the nextcloud user as the unit runs as root but the php process itself as nextcloud. - To invoke occ notify_push:setup when using nextcloud notify_push a new service has been added that replaces the preStart script in nextcloud-notify_push.service. This has been done as the main executable only needs the database password credential. Co-authored-by: lassulus <lassulus@lassul.us> 2024-12-22 19:18:15 +01:00			`"phpfpm-nextcloud.service"`
			`"redis-nextcloud.service"`
			`];`
nixos/nextcloud-notify_push: add nextcloud-setup without it notify might start to early and then fail 5 times before nextcloud is even ready. 2025-03-23 00:22:45 +01:00			`requires = [`
			`"nextcloud-setup.service"`
			`];`
nixos/nextcloud: use LoadCredential to read secrets This patch adds support for using systemd's LoadCredential feature to read various secret files used by nextcloud service units. Previously credentials had to be readable by the nextcloud user, this is now no longer required. The nextcloud-occ wrapper script has been adjusted to use systemd-run for loading credentials when being called from outside a service. In detail this change touches various details of the module: - The nix_read_secret() php function now takes the name of a file relative to the path specified in the CREDENTIALS_DIRECTORY environment variable. - The nix_read_secret() now exits with error code 1 instead of throwing a RuntimeException as this will properly error out the nextcloud-occ script - Only the nextcloud-setup service unit has the adminpass credential added in addition to the other credentials - Uses of ExecCondition= in nextcloud-cron and nextcloud-update-db have been replaced by a shell conditional as ExecCondition currently doesn't support credentials - The phpfpm-nextcloud service now runs a preStart script to make the credentials it gets readable by the nextcloud user as the unit runs as root but the php process itself as nextcloud. - To invoke occ notify_push:setup when using nextcloud notify_push a new service has been added that replaces the preStart script in nextcloud-notify_push.service. This has been done as the main executable only needs the database password credential. Co-authored-by: lassulus <lassulus@lassul.us> 2024-12-22 19:18:15 +01:00			`wantedBy = [ "multi-user.target" ];`
			`environment = {`
			`NEXTCLOUD_URL = cfg.nextcloudUrl;`
			`SOCKET_PATH = cfg.socketPath;`
			`DATABASE_PREFIX = cfg.dbtableprefix;`
			`LOG = cfg.logLevel;`
			`};`
			`script =`
			`let`
			`dbType = if cfg.dbtype == "pgsql" then "postgresql" else cfg.dbtype;`
			`dbUser = lib.optionalString (cfg.dbuser != null) cfg.dbuser;`
			`dbPass = lib.optionalString (cfg.dbpassFile != null) ":$DATABASE_PASSWORD";`
			`dbHostHasPrefix = prefix: lib.hasPrefix prefix (toString cfg.dbhost);`
			`isPostgresql = dbType == "postgresql";`
			`isMysql = dbType == "mysql";`
			`isSocket = (isPostgresql && dbHostHasPrefix "/") \|\| (isMysql && dbHostHasPrefix "localhost:/");`
			`dbHost = lib.optionalString (cfg.dbhost != null) (`
			`if isSocket then lib.optionalString isMysql "@localhost" else "@${cfg.dbhost}"`
			`);`
			`dbOpts = lib.optionalString (cfg.dbhost != null && isSocket) (`
			`if isPostgresql then`
			`"?host=${cfg.dbhost}"`
			`else if isMysql then`
			`"?socket=${lib.removePrefix "localhost:" cfg.dbhost}"`
			`else`
			`throw "unsupported dbtype"`
			`);`
			`dbName = lib.optionalString (cfg.dbname != null) "/${cfg.dbname}";`
			`dbUrl = "${dbType}://${dbUser}${dbPass}${dbHost}${dbName}${dbOpts}";`
			`in`
			`lib.optionalString (cfg.dbpassFile != null) ''`
			`export DATABASE_PASSWORD="$(<"$CREDENTIALS_DIRECTORY/dbpass")"`
			`''`
			`+ ''`
			`export DATABASE_URL="${dbUrl}"`
			`exec ${cfg.package}/bin/notify_push '${cfgN.datadir}/config/config.php'`
			`'';`
			`serviceConfig = {`
			`User = "nextcloud";`
			`Group = "nextcloud";`
			`RuntimeDirectory = [ "nextcloud-notify_push" ];`
			`Restart = "on-failure";`
			`RestartSec = "5s";`
			`Type = "notify";`
			`LoadCredential = lib.optional (cfg.dbpassFile != null) "dbpass:${cfg.dbpassFile}";`
			`};`
nixos/nextcloud-notify_push: add nextcloudUrl option to have better control over the URL for when bendDomainToLocalhost is not good enough 2024-12-15 21:18:57 +01:00			`};`
nixos/nextcloud: use LoadCredential to read secrets This patch adds support for using systemd's LoadCredential feature to read various secret files used by nextcloud service units. Previously credentials had to be readable by the nextcloud user, this is now no longer required. The nextcloud-occ wrapper script has been adjusted to use systemd-run for loading credentials when being called from outside a service. In detail this change touches various details of the module: - The nix_read_secret() php function now takes the name of a file relative to the path specified in the CREDENTIALS_DIRECTORY environment variable. - The nix_read_secret() now exits with error code 1 instead of throwing a RuntimeException as this will properly error out the nextcloud-occ script - Only the nextcloud-setup service unit has the adminpass credential added in addition to the other credentials - Uses of ExecCondition= in nextcloud-cron and nextcloud-update-db have been replaced by a shell conditional as ExecCondition currently doesn't support credentials - The phpfpm-nextcloud service now runs a preStart script to make the credentials it gets readable by the nextcloud user as the unit runs as root but the php process itself as nextcloud. - To invoke occ notify_push:setup when using nextcloud notify_push a new service has been added that replaces the preStart script in nextcloud-notify_push.service. This has been done as the main executable only needs the database password credential. Co-authored-by: lassulus <lassulus@lassul.us> 2024-12-22 19:18:15 +01:00
			`nextcloud-notify_push_setup = {`
			`wantedBy = [ "multi-user.target" ];`
			`requiredBy = [ "nextcloud-notify_push.service" ];`
			`after = [ "nextcloud-notify_push.service" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`User = "nextcloud";`
			`Group = "nextcloud";`
			`ExecStart = "${lib.getExe cfgN.occ} notify_push:setup ${cfg.nextcloudUrl}/push";`
			`LoadCredential = config.systemd.services.nextcloud-cron.serviceConfig.LoadCredential;`
nixos/nextcloud-notify_push: use RestartMode=direct `nextcloud-notify_push.service` requires `nextcloud-notify_push-setup.service`. If the latter fails (e.g. because of Nextcloud not being there yet), the push service would also fail with result 'dependency'. RestartMode=direct doesn't put a unit into failed state IF it's about to be restarted again. That way, `nextcloud-notify_push` will await several restart attempts. Only if the unit fails due to a rate-limit (i.e. too many restarts), the push service will also fail. If the startup is still too slow, it may make sense for administrators to configure higher intervals between the start attempts with RestartSec. 2025-03-05 17:08:52 +01:00			`RestartMode = "direct";`
			`Restart = "on-failure";`
nixos/nextcloud: use LoadCredential to read secrets This patch adds support for using systemd's LoadCredential feature to read various secret files used by nextcloud service units. Previously credentials had to be readable by the nextcloud user, this is now no longer required. The nextcloud-occ wrapper script has been adjusted to use systemd-run for loading credentials when being called from outside a service. In detail this change touches various details of the module: - The nix_read_secret() php function now takes the name of a file relative to the path specified in the CREDENTIALS_DIRECTORY environment variable. - The nix_read_secret() now exits with error code 1 instead of throwing a RuntimeException as this will properly error out the nextcloud-occ script - Only the nextcloud-setup service unit has the adminpass credential added in addition to the other credentials - Uses of ExecCondition= in nextcloud-cron and nextcloud-update-db have been replaced by a shell conditional as ExecCondition currently doesn't support credentials - The phpfpm-nextcloud service now runs a preStart script to make the credentials it gets readable by the nextcloud user as the unit runs as root but the php process itself as nextcloud. - To invoke occ notify_push:setup when using nextcloud notify_push a new service has been added that replaces the preStart script in nextcloud-notify_push.service. This has been done as the main executable only needs the database password credential. Co-authored-by: lassulus <lassulus@lassul.us> 2024-12-22 19:18:15 +01:00			`};`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`};`
nixos/nextcloud-notify_push: add nextcloudUrl option to have better control over the URL for when bendDomainToLocalhost is not good enough 2024-12-15 21:18:57 +01:00			`};`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00			`networking.hosts = lib.mkIf cfg.bendDomainToLocalhost {`
			`"127.0.0.1" = [ cfgN.hostName ];`
			`"::1" = [ cfgN.hostName ];`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`};`
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00
			`services = lib.mkMerge [`
			`{`
			`nginx.virtualHosts.${cfgN.hostName}.locations."^~ /push/" = {`
			`proxyPass = "http://unix:${cfg.socketPath}";`
			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
nixos/nextcloud-notify_push: turn off keepalive_timeout, proxy_buffering Just a safe guard in case it was configured in a higher level as otherwise notify_push would break. 2024-12-13 15:19:15 +01:00			`extraConfig = # nginx`
			`''`
			`# disable in case it was configured on a higher level`
			`keepalive_timeout 0;`
			`proxy_buffering off;`
			`'';`
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00			`};`
			`}`

			`(lib.mkIf cfg.bendDomainToLocalhost {`
nixos/nextcloud: Rename extraOptions to settings 2024-01-26 11:59:56 +01:00			`nextcloud.settings.trusted_proxies = [`
			`"127.0.0.1"`
			`"::1"`
			`];`
nixos/nextcloud-notify_push: add bendDomainToLocalhost 2023-02-19 04:02:54 +01:00			`})`
			`];`
nixos/nextcloud-notify_push: init 2022-12-13 21:08:00 +01:00			`};`
			`}`