| blob | 0266eb6ad29c52c5139f1a32f72b0d74bcf3fae0 |
1 {
2 config,
3 lib,
4 pkgs,
5 ...
6 }:
8 let
9 inherit (lib) types;
10 cfg = config.services.ocis;
11 defaultUser = "ocis";
12 defaultGroup = defaultUser;
13 in
14 {
15 options = {
16 services.ocis = {
17 enable = lib.mkEnableOption "ownCloud Infinite Scale";
19 package = lib.mkPackageOption pkgs "ocis-bin" { };
21 configDir = lib.mkOption {
22 type = types.nullOr types.path;
23 default = null;
24 example = "/var/lib/ocis/config";
25 description = ''
26 Path to directory containing oCIS config file.
28 Example config can be generated by `ocis init --config-path fileName --admin-password "adminPass"`.
29 Add `--insecure true` if SSL certificates are generated and managed externally (e.g. using oCIS behind reverse proxy).
31 Note: This directory must contain at least a `ocis.yaml`. Ensure
32 [user](#opt-services.ocis.user) has read/write access to it. In some
33 circumstances you may need to add additional oCIS configuration files (e.g.,
34 `proxy.yaml`) to this directory.
35 '';
36 };
38 environmentFile = lib.mkOption {
39 type = types.nullOr types.path;
40 default = null;
41 example = "/run/keys/ocis.env";
42 description = ''
43 An environment file as defined in {manpage}`systemd.exec(5)`.
45 Configuration provided in this file will override those from [configDir](#opt-services.ocis.configDir)/ocis.yaml.
46 '';
47 };
49 user = lib.mkOption {
50 type = types.str;
51 default = defaultUser;
52 example = "yourUser";
53 description = ''
54 The user to run oCIS as.
55 By default, a user named `${defaultUser}` will be created whose home
56 directory is [stateDir](#opt-services.ocis.stateDir).
57 '';
58 };
60 group = lib.mkOption {
61 type = types.str;
62 default = defaultGroup;
63 example = "yourGroup";
64 description = ''
65 The group to run oCIS under.
66 By default, a group named `${defaultGroup}` will be created.
67 '';
68 };
70 address = lib.mkOption {
71 type = types.str;
72 default = "127.0.0.1";
73 description = "Web interface address.";
74 };
76 port = lib.mkOption {
77 type = types.port;
78 default = 9200;
79 description = "Web interface port.";
80 };
82 url = lib.mkOption {
83 type = types.str;
84 default = "https://localhost:9200";
85 example = "https://some-hostname-or-ip:9200";
86 description = "Web interface address.";
87 };
89 stateDir = lib.mkOption {
90 default = "/var/lib/ocis";
91 type = types.str;
92 description = "ownCloud data directory.";
93 };
95 environment = lib.mkOption {
96 type = types.attrsOf types.str;
97 default = { };
98 description = ''
99 Extra config options.
101 See [the documentation](https://doc.owncloud.com/ocis/next/deployment/services/services.html) for available options.
102 See [notes for environment variables](https://doc.owncloud.com/ocis/next/deployment/services/env-var-note.html) for more information.
104 Note that all the attributes here will be copied to /nix/store/ and will be world readable. Options like *_PASSWORD or *_SECRET should be part of [environmentFile](#opt-services.ocis.environmentFile) instead, and are only provided here for illustrative purpose.
106 Configuration here will override those from [environmentFile](#opt-services.ocis.environmentFile) and will have highest precedence, at the cost of security. Do NOT put security sensitive stuff here.
107 '';
108 example = {
109 OCIS_INSECURE = "false";
110 OCIS_LOG_LEVEL = "error";
111 OCIS_JWT_SECRET = "super_secret";
112 OCIS_TRANSFER_SECRET = "foo";
113 OCIS_MACHINE_AUTH_API_KEY = "foo";
114 OCIS_SYSTEM_USER_ID = "123";
115 OCIS_MOUNT_ID = "123";
116 OCIS_STORAGE_USERS_MOUNT_ID = "123";
117 GATEWAY_STORAGE_USERS_MOUNT_ID = "123";
118 CS3_ALLOW_INSECURE = "true";
119 OCIS_INSECURE_BACKENDS = "true";
120 TLS_INSECURE = "true";
121 TLS_SKIP_VERIFY_CLIENT_CERT = "true";
122 WEBDAV_ALLOW_INSECURE = "true";
123 IDP_TLS = "false";
124 GRAPH_APPLICATION_ID = "1234";
125 IDM_IDPSVC_PASSWORD = "password";
126 IDM_REVASVC_PASSWORD = "password";
127 IDM_SVC_PASSWORD = "password";
128 IDP_ISS = "https://localhost:9200";
129 OCIS_LDAP_BIND_PASSWORD = "password";
130 OCIS_SERVICE_ACCOUNT_ID = "foo";
131 OCIS_SERVICE_ACCOUNT_SECRET = "foo";
132 OCIS_SYSTEM_USER_API_KEY = "foo";
133 STORAGE_USERS_MOUNT_ID = "123";
134 };
135 };
136 };
137 };
139 config = lib.mkIf cfg.enable {
140 users.users.${defaultUser} = lib.mkIf (cfg.user == defaultUser) {
141 group = cfg.group;
142 home = cfg.stateDir;
143 isSystemUser = true;
144 createHome = true;
145 description = "ownCloud Infinite Scale daemon user";
146 };
148 users.groups = lib.mkIf (cfg.group == defaultGroup) { ${defaultGroup} = { }; };
150 systemd = {
151 services.ocis = {
152 description = "ownCloud Infinite Scale Stack";
153 wantedBy = [ "multi-user.target" ];
154 environment = {
155 PROXY_HTTP_ADDR = "${cfg.address}:${toString cfg.port}";
156 OCIS_URL = cfg.url;
157 OCIS_CONFIG_DIR = if (cfg.configDir == null) then "${cfg.stateDir}/config" else cfg.configDir;
158 OCIS_BASE_DATA_PATH = cfg.stateDir;
159 } // cfg.environment;
160 serviceConfig = {
161 Type = "simple";
162 ExecStart = "${lib.getExe cfg.package} server";
163 WorkingDirectory = cfg.stateDir;
164 User = cfg.user;
165 Group = cfg.group;
166 Restart = "always";
167 EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
168 ReadWritePaths = [ cfg.stateDir ];
169 ReadOnlyPaths = [ cfg.configDir ];
170 MemoryDenyWriteExecute = true;
171 NoNewPrivileges = true;
172 PrivateTmp = true;
173 PrivateDevices = true;
174 ProtectSystem = "strict";
175 ProtectHome = true;
176 ProtectControlGroups = true;
177 ProtectKernelModules = true;
178 ProtectKernelTunables = true;
179 ProtectKernelLogs = true;
180 RestrictAddressFamilies = [
181 "AF_UNIX"
182 "AF_INET"
183 "AF_INET6"
184 "AF_NETLINK"
185 ];
186 RestrictNamespaces = true;
187 RestrictRealtime = true;
188 RestrictSUIDSGID = true;
189 LockPersonality = true;
190 SystemCallArchitectures = "native";
191 };
192 };
193 };
194 };
196 meta.maintainers = with lib.maintainers; [
197 bhankas
198 danth
199 ramblurr
200 ];
201 }