diff --git a/hosts/voyager/services/nextcloud.nix b/hosts/voyager/services/nextcloud.nix index 5f56e6d..4e2ad49 100644 --- a/hosts/voyager/services/nextcloud.nix +++ b/hosts/voyager/services/nextcloud.nix @@ -21,11 +21,34 @@ in { }; settings = { - trusted_proxies = [ "192.168.10.175" ]; # defiant default_phone_region = "NO"; log_type = "file"; + overwriteprotocol = "https"; + trusted_proxies = [ "192.168.10.175" ]; # defiant + + # Docs: https://github.com/pulsejet/nextcloud-oidc-login + oidc_login_auto_redirect = true; + oidc_login_button_text = "Log in with KeyCloak"; + oidc_login_client_id = "nextcloud"; + oidc_login_client_secret = "dont_put_secrets_here_use_secretFile"; + oidc_login_code_challenge_method = "S256"; + oidc_login_end_session_redirect' = true; + oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc"; + oidc_login_provider_url = "https://iam.feal.no/realms/feal.no"; + oidc_login_redir_fallback = true; + + oidc_login_attributes = { + id = "preferred_username"; + mail = "email"; + name = "name"; + login_filter = "nextcloud-roles"; + }; + oidc_login_filter_allowed_values = [ "nextcloud-user" ]; + oidc_login_disable_registration = false; }; + secretFile = config.sops.secrets."nextcloud/secretsjson".path; + phpOptions = { "opcache.interned_strings_buffer" = "16"; "upload_max_filesize" = lib.mkForce "8G"; @@ -49,6 +72,12 @@ in { group = "nextcloud"; restartUnits = [ "phpfpm-nextcloud.service" ]; }; + sops.secrets."nextcloud/secretsjson" = { + mode = "0440"; + owner = "nextcloud"; + group = "nextcloud"; + restartUnits = [ "phpfpm-nextcloud.service" ]; + }; services.postgresql = { ensureDatabases = [ "nextcloud" ]; @@ -79,7 +108,7 @@ in { ProtectKernelTunables = true; ProtectProc = "invisible"; ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ]; - ReadPaths = [ "/run/secrets" "/nix/store" ]; + ReadOnlyPaths = [ "/run/secrets" "/nix/store" ]; RemoveIPC = true; RestrictSUIDSGID = true; UMask = "0007"; diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml index 93f49d3..d356d35 100644 --- a/secrets/voyager/voyager.yaml +++ b/secrets/voyager/voyager.yaml @@ -12,6 +12,7 @@ transmission: vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str] nextcloud: adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str] + secretsjson: ENC[AES256_GCM,data:xvUdDoTaTum/gkDBujSfHeunAmwmYhZMY7zY72Ct9wly9gpcbNrJNiwuWSgBP3uYtwArce+n6co33OYZvV8rs/Q=,iv:6nLq9ZxgBHKbjD8I1PbjWf/9XthTSrm3lOwx/YX+Tc4=,tag:UN+c2fjUHK1lpyRsTBpOUw==,type:str] borg: transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str] postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str] @@ -50,8 +51,8 @@ sops: NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB 4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-29T10:10:29Z" - mac: ENC[AES256_GCM,data:hfiomMGmIvm2HFxrvRXB4lIjOpaMlP//35PT2AG9PKqR4MIuBR9jZDHoGUnddjfESNH7++YUvND7Qafxax8AMiCYEhUUfgn2rkO/ycVvI8y9cIQQv8OMzmPZF82Uu9loWoq4dnR/kHkQKWv7XhoGzqI4Z/ObfxESwPqSr6mAlsI=,iv:VnY/WLmVwrSt0jHs0uDzr8iP4BYOSlwLGn0g4QYnxIo=,tag:r+8hvmFS7aIdEvepKQV33Q==,type:str] + lastmodified: "2024-06-12T18:57:43Z" + mac: ENC[AES256_GCM,data:46xA8exSUbaEJBufvzt5TbUXQa4956sGQUh9hS8a1nhXasDkdwTtGgSfZq/ENcL/VoEz0ORVJ43OwVE+TV1j9aOzwck96c/KDKTp4iEVbRfcsK/PMccf2FJke3TUmSV6f1hFBpGHpdujghHQTiGct+XQNuuI3RPXYLEYPJrqyeY=,iv:fzQL+ymHTP6XET9YlaCaW1ZGUJaZzCM0neGzMveoSt4=,tag:rsDV5tkU5pTlq4YTel6V1g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1