nixos/nextcloud: use LoadCredential to read services.nextcloud.secretFile

This patch adds support for using systemd's LoadCredential feature to read in a json file at a path defined in the services.nextcloud.secretFile option. This is a follow up to 2ce1e84103.
2025-06-10 19:55:41 +03:00 · 2025-05-10 20:36:01 +02:00 · 2025-05-10 20:36:01 +02:00 · 23468ad19f
commit 23468ad19f
parent 866d0db009
2 changed files with 23 additions and 15 deletions
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -116,7 +116,8 @@ let
    ++ (lib.optional (cfg.config.objectstore.s3.enable) "s3_secret:${cfg.config.objectstore.s3.secretFile}")
    ++ (lib.optional (
      cfg.config.objectstore.s3.sseCKeyFile != null
-    ) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}");
+    ) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}")
+    ++ (lib.optional (cfg.secretFile != null) "secret_file:${cfg.secretFile}");

  requiresRuntimeSystemdCredentials = (lib.length runtimeSystemdCredentials) != 0;

@ -195,7 +196,6 @@ let
  overrideConfig =
    let
      c = cfg.config;
-      requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable;
      objectstoreConfig =
        let
          s3 = c.objectstore.s3;
@ -232,7 +232,7 @@ let
    in
    pkgs.writeText "nextcloud-config.php" ''
      <?php
-      ${optionalString requiresReadSecretFunction ''
+      ${optionalString requiresRuntimeSystemdCredentials ''
        function nix_read_secret($credential_name) {
          $credentials_directory = getenv("CREDENTIALS_DIRECTORY");
          if (!$credentials_directory) {
@ -253,7 +253,19 @@ let
          }

          return trim(file_get_contents($credential_path));
-        }''}
+        }
+
+        function nix_read_secret_and_decode_json_file($credential_name) {
+          $decoded = json_decode(nix_read_secret($credential_name), true);
+
+          if (json_last_error() !== JSON_ERROR_NONE) {
+            error_log(sprintf("Cannot decode %s, because: %s", $file, json_last_error_msg()));
+            exit(1);
+          }
+
+          return $decoded;
+        }
+      ''}
      function nix_decode_json_file($file, $error) {
        if (!file_exists($file)) {
          throw new \RuntimeException(sprintf($error, $file));
@ -287,10 +299,7 @@ let
      ));

      ${optionalString (cfg.secretFile != null) ''
-        $CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file(
-          "${cfg.secretFile}",
-          "Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!"
-        ));
+        $CONFIG = array_replace_recursive($CONFIG, nix_read_secret_and_decode_json_file('secret_file'));
      ''}
    '';
 in
--- a/nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix
+++ b/nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix
@ -84,13 +84,12 @@ runTest (
          # This file is meant to contain secret options which should
          # not go into the nix store. Here it is just used to set the
          # redis password.
-          environment.etc."nextcloud-secrets.json".text = ''
-            {
-              "redis": {
-                "password": "secret"
-              }
-            }
-          '';
+          environment.etc."nextcloud-secrets.json" = {
+            mode = "0600";
+            text = builtins.toJSON {
+              redis.password = "secret";
+            };
+          };
        };
    };