movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-12 12:45:27 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/nextcloud: use LoadCredential to read services.nextcloud.secretFile

Browse source 
This patch adds support for using systemd's LoadCredential
feature to read in a json file at a path defined in the
services.nextcloud.secretFile option.

This is a follow up to 2ce1e84103.
This commit is contained in:
networkException 2025-05-10 20:36:01 +02:00
parent 866d0db009
commit 23468ad19f
No known key found for this signature in database
GPG key ID: E3877443AE684391
2 changed files with 23 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

25
nixos/modules/services/web-apps/nextcloud.nix
View file

@ -116,7 +116,8 @@ let
++ (lib.optional (cfg.config.objectstore.s3.enable) "s3_secret:${cfg.config.objectstore.s3.secretFile}") ++ (lib.optional (cfg.config.objectstore.s3.enable) "s3_secret:${cfg.config.objectstore.s3.secretFile}")
++ (lib.optional ( ++ (lib.optional (
cfg.config.objectstore.s3.sseCKeyFile != null cfg.config.objectstore.s3.sseCKeyFile != null
) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}"); ) "s3_sse_c_key:${cfg.config.objectstore.s3.sseCKeyFile}")
++ (lib.optional (cfg.secretFile != null) "secret_file:${cfg.secretFile}");
requiresRuntimeSystemdCredentials = (lib.length runtimeSystemdCredentials) != 0; requiresRuntimeSystemdCredentials = (lib.length runtimeSystemdCredentials) != 0;
@ -195,7 +196,6 @@ let
overrideConfig = overrideConfig =
let let
c = cfg.config; c = cfg.config;
requiresReadSecretFunction = c.dbpassFile != null || c.objectstore.s3.enable;
objectstoreConfig = objectstoreConfig =
let let
s3 = c.objectstore.s3; s3 = c.objectstore.s3;
@ -232,7 +232,7 @@ let
in in
pkgs.writeText "nextcloud-config.php" '' pkgs.writeText "nextcloud-config.php" ''
<?php <?php
${optionalString requiresReadSecretFunction '' ${optionalString requiresRuntimeSystemdCredentials ''
function nix_read_secret($credential_name) { function nix_read_secret($credential_name) {
$credentials_directory = getenv("CREDENTIALS_DIRECTORY"); $credentials_directory = getenv("CREDENTIALS_DIRECTORY");
if (!$credentials_directory) { if (!$credentials_directory) {
@ -253,7 +253,19 @@ let
} }
return trim(file_get_contents($credential_path)); return trim(file_get_contents($credential_path));
}''} }
function nix_read_secret_and_decode_json_file($credential_name) {
$decoded = json_decode(nix_read_secret($credential_name), true);
if (json_last_error() !== JSON_ERROR_NONE) {
error_log(sprintf("Cannot decode %s, because: %s", $file, json_last_error_msg()));
exit(1);
}
return $decoded;
}
''}
function nix_decode_json_file($file, $error) { function nix_decode_json_file($file, $error) {
if (!file_exists($file)) { if (!file_exists($file)) {
throw new \RuntimeException(sprintf($error, $file)); throw new \RuntimeException(sprintf($error, $file));
@ -287,10 +299,7 @@ let
)); ));
${optionalString (cfg.secretFile != null) '' ${optionalString (cfg.secretFile != null) ''
$CONFIG = array_replace_recursive($CONFIG, nix_decode_json_file( $CONFIG = array_replace_recursive($CONFIG, nix_read_secret_and_decode_json_file('secret_file'));
"${cfg.secretFile}",
"Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!"
));
''} ''}
''; '';
in in

13
nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix
View file

@ -84,13 +84,12 @@ runTest (
# This file is meant to contain secret options which should # This file is meant to contain secret options which should
# not go into the nix store. Here it is just used to set the # not go into the nix store. Here it is just used to set the
# redis password. # redis password.
environment.etc."nextcloud-secrets.json".text = '' environment.etc."nextcloud-secrets.json" = {
{ mode = "0600";
"redis": { text = builtins.toJSON {
"password": "secret" redis.password = "secret";
} };
} };
'';
}; };
}; };