nextcloud: add option for secret configs via a json file

2021-03-25 20:57:02 +01:00 · 2021-03-25 20:57:02 +01:00 · 7a41044210
commit 7a41044210
parent b458d59693
2 changed files with 39 additions and 11 deletions
--- a/hosts/hainich/services/nextcloud.nix
+++ b/hosts/hainich/services/nextcloud.nix
@ -62,15 +62,17 @@
          "pm.start_servers" = "2";
        };

-        extraOptions = ''
-          'redis' => array(
-            'host' => '/run/redis/redis.sock',
-            'port' => 0,
-            'dbindex' => 0,
-            'password' => 'secret',
-            'timeout' => 1.5,
-          ),
-        '';
+        extraOptions = {
+          redis = {
+            host = "/run/redis/redis.sock";
+            port = 0;
+            dbindex = 0;
+            password = "secret";
+            timeout = 1.5;
+          };
+        };
+
+        secretFile = "/secret/secrets.json";

      };

--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -341,12 +341,21 @@ in {
    };

    extraOptions = mkOption {
-      type = types.str;
+      type = types.attrs;
      default = "";
      description = ''
        Extra options which should be appended to nextcloud's config.php file
      '';
    };
+
+    secretFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same
+        form as the `extraOptions` option).
+      '';
+    };
  };

  config = mkIf cfg.enable (mkMerge [
@ -445,6 +454,19 @@ in {
                return trim(file_get_contents($file));
              }
            ''}
+            ${optionalString (cfg.secretFile != null) ''
+              function nix_read_secrets() {
+                $file = "${cfg.secretFile}";
+                if (!file_exists($file)) {
+                  throw new \RuntimeException(sprintf(
+                    "Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!",
+                    $file
+                  ));
+                }
+
+                return json_decode(file_get_contents($file));
+              }
+            ''}
            $CONFIG = [
              'apps_paths' => [
                [ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
@ -467,8 +489,12 @@ in {
              'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
              'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
              ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
-              ${optionalString (cfg.extraOptions != "") cfg.extraOptions}
            ];
+
+            $EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true);
+
+            array_push($CONFIG, $EXTRACONFIG);
+            ${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"}
          '';
          occInstallCmd = let
            dbpass = if c.dbpassFile != null