From 7a41044210addce700d8bbd18fb6657ce3218f31 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Thu, 25 Mar 2021 20:57:02 +0100
Subject: [PATCH] nextcloud: add option for secret configs via a json file
---
 hosts/hainich/services/nextcloud.nix | 20 ++++++++++---------
 modules/nextcloud.nix | 30 ++++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/hosts/hainich/services/nextcloud.nix b/hosts/hainich/services/nextcloud.nix
index c467ee3..c9c23c8 100644
--- a/hosts/hainich/services/nextcloud.nix
+++ b/hosts/hainich/services/nextcloud.nix
@@ -62,15 +62,17 @@ "pm.start_servers" = "2";
 };
- extraOptions = ''
- 'redis' => array(
- 'host' => '/run/redis/redis.sock',
- 'port' => 0,
- 'dbindex' => 0,
- 'password' => 'secret',
- 'timeout' => 1.5,
- ),
- '';
+ extraOptions = {
+ redis = {
+ host = "/run/redis/redis.sock";
+ port = 0;
+ dbindex = 0;
+ password = "secret";
+ timeout = 1.5;
+ };
+ };
+
+ secretFile = "/secret/secrets.json";
 };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 53a8f67..df5dc66 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -341,12 +341,21 @@ in {
 };
 extraOptions = mkOption {
- type = types.str;
+ type = types.attrs;
 default = "";
 description = ''
 Extra options which should be appended to nextcloud's config.php file
 '';
 };
+
+ secretFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same
+ form as the `extraOptions` option).
+ '';
+ };
 };
 config = mkIf cfg.enable (mkMerge [
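Review bot: `password = "secret";` in the new extraOptions block is serialised by the module with `builtins.toJSON` into the generated config.php, which — if that file is produced into the Nix store as strings built this way usually are — is readable by every local user, while the `secretFile = "/secret/secrets.json";` added two lines below is precisely the mechanism this commit introduces for such values. If that string is a real credential rather than a placeholder, drop `password` from extraOptions and supply it from the secrets file as `{"redis": {"password": "…"}}` instead; with the merge code as written a key given in both places is not overridden, so it should live in one place only. The enclosing attribute set starts before the hunk.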
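Review bot: `default = "";` is left over from the string form and no longer fits the new `type = types.attrs;` — when nothing sets extraOptions the default is, as far as I can tell, rejected by the option type check, and if it were accepted the generator would push the JSON string `""` into $CONFIG. Change it to `default = {};`. The extraOptions description still describes text appended to config.php; `Attribute set of extra options merged into nextcloud's config.php (serialised as JSON).` would match the new type. For secretFile I would state what the type cannot: the file is read by PHP when Nextcloud starts and is not copied into the Nix store, so it must be readable by the nextcloud service user and should be readable by nobody else.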
@@ -445,6 +454,19 @@ in {
 return trim(file_get_contents($file));
 }
 ''}
+ ${optionalString (cfg.secretFile != null) ''
+ function nix_read_secrets() {
+ $file = "${cfg.secretFile}";
+ if (!file_exists($file)) {
+ throw new \RuntimeException(sprintf(
+ "Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!",
+ $file
+ ));
+ }
+
+ return json_decode(file_get_contents($file));
+ }
+ ''}
 $CONFIG = [
 'apps_paths' => [
 [ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
@@ -467,8 +489,12 @@ in {
 'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
 'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
 ${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
- ${optionalString (cfg.extraOptions != "") cfg.extraOptions}
 ];
+
+ $EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true);
+
+ array_push($CONFIG, $EXTRACONFIG);
+ ${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"}
 '';
 occInstallCmd = let
 dbpass = if c.dbpassFile != null
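Review bot: `return json_decode(file_get_contents($file));` in the new nix_read_secrets() decodes without the `true` flag, so it yields a stdClass object rather than the associative array the `$EXTRACONFIG` call later in this file uses, and a malformed or non-object secrets file yields `null` without any error — either way the value is handed on silently, so a typo in the secrets file means the secret options quietly go missing instead of failing startup the way the existing file_exists check does. Decode with `true` and reject anything that is not an array, reporting `json_last_error_msg()`. The Nix string this PHP lives in begins before the hunk.
```nix
+ function nix_read_secrets() {
+ $file = "${cfg.secretFile}";
  # … unchanged: file_exists check and its RuntimeException …
+ $secrets = json_decode(file_get_contents($file), true);
+ if (!is_array($secrets)) {
+ throw new \RuntimeException(sprintf(
+ "Cannot start Nextcloud, secrets file %s set by NixOS is not a JSON object: %s",
+ $file, json_last_error_msg()
+ ));
+ }
+ return $secrets;
+ }
```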
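Review bot: `array_push($CONFIG, $EXTRACONFIG);` appends the decoded attrset as a single element at `$CONFIG[0]` rather than merging its keys, so nothing from extraOptions — and, on the next line, nothing from `nix_read_secrets()` — ever becomes a Nextcloud setting, whereas the removed string form was spliced into the array literal and did take effect. Replace both with `$CONFIG = array_merge($CONFIG, $EXTRACONFIG);` and `$CONFIG = array_merge($CONFIG, nix_read_secrets());`, keeping the secrets merge last so a secret value wins over extraOptions. The JSON is also embedded in a PHP single-quoted string, so a `'` or `\` in any option value breaks the generated config.php; escape it (e.g. `lib.escape [ "'" "\\" ]`) or write it to a file and json_decode that, the same way the secrets are read. The surrounding Nix string and the `$CONFIG` literal begin before the hunk.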