Merge: nixos/nextcloud: use LoadCredential to read secrets (#367433)

2025-07-13 21:50:33 +03:00 · 2025-03-07 10:58:29 +01:00 · 2025-03-07 10:58:29 +01:00 · 6c4f93e113
commit 6c4f93e113
parent 092bfe6a8a 432d274c81
8 changed files with 240 additions and 131 deletions
--- a/nixos/modules/services/web-apps/nextcloud-notify_push.nix
+++ b/nixos/modules/services/web-apps/nextcloud-notify_push.nix
@ -78,60 +78,75 @@ in
    );

  config = lib.mkIf cfg.enable {
-    systemd.services.nextcloud-notify_push = {
-      description = "Push daemon for Nextcloud clients";
-      documentation = [ "https://github.com/nextcloud/notify_push" ];
-      after = [
-        "phpfpm-nextcloud.service"
-        "redis-nextcloud.service"
-      ];
-      wantedBy = [ "multi-user.target" ];
-      environment = {
-        NEXTCLOUD_URL = cfg.nextcloudUrl;
-        SOCKET_PATH = cfg.socketPath;
-        DATABASE_PREFIX = cfg.dbtableprefix;
-        LOG = cfg.logLevel;
+    systemd.services = {
+      nextcloud-notify_push = {
+        description = "Push daemon for Nextcloud clients";
+        documentation = [ "https://github.com/nextcloud/notify_push" ];
+        after = [
+          "phpfpm-nextcloud.service"
+          "redis-nextcloud.service"
+        ];
+        wantedBy = [ "multi-user.target" ];
+        environment = {
+          NEXTCLOUD_URL = cfg.nextcloudUrl;
+          SOCKET_PATH = cfg.socketPath;
+          DATABASE_PREFIX = cfg.dbtableprefix;
+          LOG = cfg.logLevel;
+        };
+        script =
+          let
+            dbType = if cfg.dbtype == "pgsql" then "postgresql" else cfg.dbtype;
+            dbUser = lib.optionalString (cfg.dbuser != null) cfg.dbuser;
+            dbPass = lib.optionalString (cfg.dbpassFile != null) ":$DATABASE_PASSWORD";
+            dbHostHasPrefix = prefix: lib.hasPrefix prefix (toString cfg.dbhost);
+            isPostgresql = dbType == "postgresql";
+            isMysql = dbType == "mysql";
+            isSocket = (isPostgresql && dbHostHasPrefix "/") || (isMysql && dbHostHasPrefix "localhost:/");
+            dbHost = lib.optionalString (cfg.dbhost != null) (
+              if isSocket then lib.optionalString isMysql "@localhost" else "@${cfg.dbhost}"
+            );
+            dbOpts = lib.optionalString (cfg.dbhost != null && isSocket) (
+              if isPostgresql then
+                "?host=${cfg.dbhost}"
+              else if isMysql then
+                "?socket=${lib.removePrefix "localhost:" cfg.dbhost}"
+              else
+                throw "unsupported dbtype"
+            );
+            dbName = lib.optionalString (cfg.dbname != null) "/${cfg.dbname}";
+            dbUrl = "${dbType}://${dbUser}${dbPass}${dbHost}${dbName}${dbOpts}";
+          in
+          lib.optionalString (cfg.dbpassFile != null) ''
+            export DATABASE_PASSWORD="$(<"$CREDENTIALS_DIRECTORY/dbpass")"
+          ''
+          + ''
+            export DATABASE_URL="${dbUrl}"
+            exec ${cfg.package}/bin/notify_push '${cfgN.datadir}/config/config.php'
+          '';
+        serviceConfig = {
+          User = "nextcloud";
+          Group = "nextcloud";
+          RuntimeDirectory = [ "nextcloud-notify_push" ];
+          Restart = "on-failure";
+          RestartSec = "5s";
+          Type = "notify";
+          LoadCredential = lib.optional (cfg.dbpassFile != null) "dbpass:${cfg.dbpassFile}";
+        };
      };
-      postStart = ''
-        ${cfgN.occ}/bin/nextcloud-occ notify_push:setup ${cfg.nextcloudUrl}/push
-      '';
-      script =
-        let
-          dbType = if cfg.dbtype == "pgsql" then "postgresql" else cfg.dbtype;
-          dbUser = lib.optionalString (cfg.dbuser != null) cfg.dbuser;
-          dbPass = lib.optionalString (cfg.dbpassFile != null) ":$DATABASE_PASSWORD";
-          dbHostHasPrefix = prefix: lib.hasPrefix prefix (toString cfg.dbhost);
-          isPostgresql = dbType == "postgresql";
-          isMysql = dbType == "mysql";
-          isSocket = (isPostgresql && dbHostHasPrefix "/") || (isMysql && dbHostHasPrefix "localhost:/");
-          dbHost = lib.optionalString (cfg.dbhost != null) (
-            if isSocket then lib.optionalString isMysql "@localhost" else "@${cfg.dbhost}"
-          );
-          dbOpts = lib.optionalString (cfg.dbhost != null && isSocket) (
-            if isPostgresql then
-              "?host=${cfg.dbhost}"
-            else if isMysql then
-              "?socket=${lib.removePrefix "localhost:" cfg.dbhost}"
-            else
-              throw "unsupported dbtype"
-          );
-          dbName = lib.optionalString (cfg.dbname != null) "/${cfg.dbname}";
-          dbUrl = "${dbType}://${dbUser}${dbPass}${dbHost}${dbName}${dbOpts}";
-        in
-        lib.optionalString (dbPass != "") ''
-          export DATABASE_PASSWORD="$(<"${cfg.dbpassFile}")"
-        ''
-        + ''
-          export DATABASE_URL="${dbUrl}"
-          exec ${cfg.package}/bin/notify_push '${cfgN.datadir}/config/config.php'
-        '';
-      serviceConfig = {
-        User = "nextcloud";
-        Group = "nextcloud";
-        RuntimeDirectory = [ "nextcloud-notify_push" ];
-        Restart = "on-failure";
-        RestartSec = "5s";
-        Type = "notify";
+
+      nextcloud-notify_push_setup = {
+        wantedBy = [ "multi-user.target" ];
+        requiredBy = [ "nextcloud-notify_push.service" ];
+        after = [ "nextcloud-notify_push.service" ];
+        serviceConfig = {
+          Type = "oneshot";
+          User = "nextcloud";
+          Group = "nextcloud";
+          ExecStart = "${lib.getExe cfgN.occ} notify_push:setup ${cfg.nextcloudUrl}/push";
+          LoadCredential = config.systemd.services.nextcloud-cron.serviceConfig.LoadCredential;
+          RestartMode = "direct";
+          Restart = "on-failure";
+        };
      };
    };