nixpkgs/nixos/modules/services/web-apps/ocis.nix

{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) types;
  cfg = config.services.ocis;
  defaultUser = "ocis";
  defaultGroup = defaultUser;
in
{
  options = {
    services.ocis = {
      enable = lib.mkEnableOption "ownCloud Infinite Scale";

      package = lib.mkPackageOption pkgs "ocis-bin" { };

      configDir = lib.mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/var/lib/ocis/config";
        description = ''
          Path to directory containing oCIS config file.

          Example config can be generated by `ocis init --config-path fileName --admin-password "adminPass"`.
          Add `--insecure true` if SSL certificates are generated and managed externally (e.g. using oCIS behind reverse proxy).

          Note: This directory must contain at least a `ocis.yaml`. Ensure
          [user](#opt-services.ocis.user) has read/write access to it. In some
          circumstances you may need to add additional oCIS configuration files (e.g.,
          `proxy.yaml`) to this directory.
        '';
      };

      environmentFile = lib.mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/ocis.env";
        description = ''
          An environment file as defined in {manpage}`systemd.exec(5)`.

          Configuration provided in this file will override those from [configDir](#opt-services.ocis.configDir)/ocis.yaml.
        '';
      };

      user = lib.mkOption {
        type = types.str;
        default = defaultUser;
        example = "yourUser";
        description = ''
          The user to run oCIS as.
          By default, a user named `${defaultUser}` will be created whose home
          directory is [stateDir](#opt-services.ocis.stateDir).
        '';
      };

      group = lib.mkOption {
        type = types.str;
        default = defaultGroup;
        example = "yourGroup";
        description = ''
          The group to run oCIS under.
          By default, a group named `${defaultGroup}` will be created.
        '';
      };

      address = lib.mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = "Web interface address.";
      };

      port = lib.mkOption {
        type = types.port;
        default = 9200;
        description = "Web interface port.";
      };

      url = lib.mkOption {
        type = types.str;
        default = "https://localhost:9200";
        example = "https://some-hostname-or-ip:9200";
        description = "Web interface address.";
      };

      stateDir = lib.mkOption {
        default = "/var/lib/ocis";
        type = types.str;
        description = "ownCloud data directory.";
      };

      environment = lib.mkOption {
        type = types.attrsOf types.str;
        default = { };
        description = ''
          Extra config options.

          See [the documentation](https://doc.owncloud.com/ocis/next/deployment/services/services.html) for available options.
          See [notes for environment variables](https://doc.owncloud.com/ocis/next/deployment/services/env-var-note.html) for more information.

          Note that all the attributes here will be copied to /nix/store/ and will be world readable. Options like *_PASSWORD or *_SECRET should be part of     [environmentFile](#opt-services.ocis.environmentFile) instead, and are only provided here for illustrative purpose.

          Configuration here will override those from [environmentFile](#opt-services.ocis.environmentFile) and will have highest precedence, at the cost of security. Do NOT put security sensitive stuff here.
        '';
        example = {
          OCIS_INSECURE = "false";
          OCIS_LOG_LEVEL = "error";
          OCIS_JWT_SECRET = "super_secret";
          OCIS_TRANSFER_SECRET = "foo";
          OCIS_MACHINE_AUTH_API_KEY = "foo";
          OCIS_SYSTEM_USER_ID = "123";
          OCIS_MOUNT_ID = "123";
          OCIS_STORAGE_USERS_MOUNT_ID = "123";
          GATEWAY_STORAGE_USERS_MOUNT_ID = "123";
          CS3_ALLOW_INSECURE = "true";
          OCIS_INSECURE_BACKENDS = "true";
          TLS_INSECURE = "true";
          TLS_SKIP_VERIFY_CLIENT_CERT = "true";
          WEBDAV_ALLOW_INSECURE = "true";
          IDP_TLS = "false";
          GRAPH_APPLICATION_ID = "1234";
          IDM_IDPSVC_PASSWORD = "password";
          IDM_REVASVC_PASSWORD = "password";
          IDM_SVC_PASSWORD = "password";
          IDP_ISS = "https://localhost:9200";
          OCIS_LDAP_BIND_PASSWORD = "password";
          OCIS_SERVICE_ACCOUNT_ID = "foo";
          OCIS_SERVICE_ACCOUNT_SECRET = "foo";
          OCIS_SYSTEM_USER_API_KEY = "foo";
          STORAGE_USERS_MOUNT_ID = "123";
        };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.${defaultUser} = lib.mkIf (cfg.user == defaultUser) {
      group = cfg.group;
      home = cfg.stateDir;
      isSystemUser = true;
      createHome = true;
      description = "ownCloud Infinite Scale daemon user";
    };

    users.groups = lib.mkIf (cfg.group == defaultGroup) { ${defaultGroup} = { }; };

    systemd = {
      services.ocis = {
        description = "ownCloud Infinite Scale Stack";
        wantedBy = [ "multi-user.target" ];
        environment = {
          PROXY_HTTP_ADDR = "${cfg.address}:${toString cfg.port}";
          OCIS_URL = cfg.url;
          OCIS_CONFIG_DIR = if (cfg.configDir == null) then "${cfg.stateDir}/config" else cfg.configDir;
          OCIS_BASE_DATA_PATH = cfg.stateDir;
        } // cfg.environment;
        serviceConfig = {
          Type = "simple";
          ExecStart = "${lib.getExe cfg.package} server";
          WorkingDirectory = cfg.stateDir;
          User = cfg.user;
          Group = cfg.group;
          Restart = "always";
          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
          ReadWritePaths = [ cfg.stateDir ];
          ReadOnlyPaths = [ cfg.configDir ];
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectSystem = "strict";
          ProtectHome = true;
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectKernelLogs = true;
          RestrictAddressFamilies = [
            "AF_UNIX"
            "AF_INET"
            "AF_INET6"
            "AF_NETLINK"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          LockPersonality = true;
          SystemCallArchitectures = "native";
        };
      };
    };
  };

  meta.maintainers = with lib.maintainers; [
    bhankas
    danth
    ramblurr
  ];
}
nixos/ocis: init at 5.0.0 Co-authored-by: Casey Link <unnamedrambler@gmail.com> 2024-03-18 12:29:16 +00:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`

			`let`
			`inherit (lib) types;`
			`cfg = config.services.ocis;`
			`defaultUser = "ocis";`
			`defaultGroup = defaultUser;`
			`in`
			`{`
			`options = {`
			`services.ocis = {`
			`enable = lib.mkEnableOption "ownCloud Infinite Scale";`

			`package = lib.mkPackageOption pkgs "ocis-bin" { };`

			`configDir = lib.mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`example = "/var/lib/ocis/config";`
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned. 2024-04-13 12:54:15 +00:00			`description = ''`
nixos/ocis: init at 5.0.0 Co-authored-by: Casey Link <unnamedrambler@gmail.com> 2024-03-18 12:29:16 +00:00			`Path to directory containing oCIS config file.`

			Example config can be generated by `ocis init --config-path fileName --admin-password "adminPass"`.
			Add `--insecure true` if SSL certificates are generated and managed externally (e.g. using oCIS behind reverse proxy).

			Note: This directory must contain at least a `ocis.yaml`. Ensure
			`[user](#opt-services.ocis.user) has read/write access to it. In some`
			`circumstances you may need to add additional oCIS configuration files (e.g.,`
			`proxy.yaml`) to this directory.
			`'';`
			`};`

			`environmentFile = lib.mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`example = "/run/keys/ocis.env";`
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned. 2024-04-13 12:54:15 +00:00			`description = ''`
nixos/ocis: init at 5.0.0 Co-authored-by: Casey Link <unnamedrambler@gmail.com> 2024-03-18 12:29:16 +00:00			An environment file as defined in {manpage}`systemd.exec(5)`.

			`Configuration provided in this file will override those from [configDir](#opt-services.ocis.configDir)/ocis.yaml.`
			`'';`
			`};`

			`user = lib.mkOption {`
			`type = types.str;`
			`default = defaultUser;`
			`example = "yourUser";`
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned. 2024-04-13 12:54:15 +00:00			`description = ''`
nixos/ocis: init at 5.0.0 Co-authored-by: Casey Link <unnamedrambler@gmail.com> 2024-03-18 12:29:16 +00:00			`The user to run oCIS as.`
			By default, a user named `${defaultUser}` will be created whose home
			`directory is [stateDir](#opt-services.ocis.stateDir).`
			`'';`
			`};`

			`group = lib.mkOption {`
			`type = types.str;`
			`default = defaultGroup;`
			`example = "yourGroup";`
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned. 2024-04-13 12:54:15 +00:00			`description = ''`
nixos/ocis: init at 5.0.0 Co-authored-by: Casey Link <unnamedrambler@gmail.com> 2024-03-18 12:29:16 +00:00			`The group to run oCIS under.`
			By default, a group named `${defaultGroup}` will be created.
			`'';`
			`};`

			`address = lib.mkOption {`
			`type = types.str;`
			`default = "127.0.0.1";`
			`description = "Web interface address.";`
			`};`

			`port = lib.mkOption {`
			`type = types.port;`
			`default = 9200;`
			`description = "Web interface port.";`
			`};`

			`url = lib.mkOption {`
			`type = types.str;`
			`default = "https://localhost:9200";`
			`example = "https://some-hostname-or-ip:9200";`
			`description = "Web interface address.";`
			`};`

			`stateDir = lib.mkOption {`
			`default = "/var/lib/ocis";`
			`type = types.str;`
			`description = "ownCloud data directory.";`
			`};`

			`environment = lib.mkOption {`
			`type = types.attrsOf types.str;`
			`default = { };`
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned. 2024-04-13 12:54:15 +00:00			`description = ''`
nixos/ocis: init at 5.0.0 Co-authored-by: Casey Link <unnamedrambler@gmail.com> 2024-03-18 12:29:16 +00:00			`Extra config options.`

			`See [the documentation](https://doc.owncloud.com/ocis/next/deployment/services/services.html) for available options.`
			`See [notes for environment variables](https://doc.owncloud.com/ocis/next/deployment/services/env-var-note.html) for more information.`

			`Note that all the attributes here will be copied to /nix/store/ and will be world readable. Options like _PASSWORD or _SECRET should be part of [environmentFile](#opt-services.ocis.environmentFile) instead, and are only provided here for illustrative purpose.`

			`Configuration here will override those from [environmentFile](#opt-services.ocis.environmentFile) and will have highest precedence, at the cost of security. Do NOT put security sensitive stuff here.`
			`'';`
			`example = {`
			`OCIS_INSECURE = "false";`
			`OCIS_LOG_LEVEL = "error";`
			`OCIS_JWT_SECRET = "super_secret";`
			`OCIS_TRANSFER_SECRET = "foo";`
			`OCIS_MACHINE_AUTH_API_KEY = "foo";`
			`OCIS_SYSTEM_USER_ID = "123";`
			`OCIS_MOUNT_ID = "123";`
			`OCIS_STORAGE_USERS_MOUNT_ID = "123";`
			`GATEWAY_STORAGE_USERS_MOUNT_ID = "123";`
			`CS3_ALLOW_INSECURE = "true";`
			`OCIS_INSECURE_BACKENDS = "true";`
			`TLS_INSECURE = "true";`
			`TLS_SKIP_VERIFY_CLIENT_CERT = "true";`
			`WEBDAV_ALLOW_INSECURE = "true";`
			`IDP_TLS = "false";`
			`GRAPH_APPLICATION_ID = "1234";`
			`IDM_IDPSVC_PASSWORD = "password";`
			`IDM_REVASVC_PASSWORD = "password";`
			`IDM_SVC_PASSWORD = "password";`
			`IDP_ISS = "https://localhost:9200";`
			`OCIS_LDAP_BIND_PASSWORD = "password";`
			`OCIS_SERVICE_ACCOUNT_ID = "foo";`
			`OCIS_SERVICE_ACCOUNT_SECRET = "foo";`
			`OCIS_SYSTEM_USER_API_KEY = "foo";`
			`STORAGE_USERS_MOUNT_ID = "123";`
			`};`
			`};`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`users.users.${defaultUser} = lib.mkIf (cfg.user == defaultUser) {`
			`group = cfg.group;`
			`home = cfg.stateDir;`
			`isSystemUser = true;`
			`createHome = true;`
			`description = "ownCloud Infinite Scale daemon user";`
			`};`

			`users.groups = lib.mkIf (cfg.group == defaultGroup) { ${defaultGroup} = { }; };`

			`systemd = {`
			`services.ocis = {`
			`description = "ownCloud Infinite Scale Stack";`
			`wantedBy = [ "multi-user.target" ];`
			`environment = {`
			`PROXY_HTTP_ADDR = "${cfg.address}:${toString cfg.port}";`
			`OCIS_URL = cfg.url;`
			`OCIS_CONFIG_DIR = if (cfg.configDir == null) then "${cfg.stateDir}/config" else cfg.configDir;`
			`OCIS_BASE_DATA_PATH = cfg.stateDir;`
			`} // cfg.environment;`
			`serviceConfig = {`
			`Type = "simple";`
			`ExecStart = "${lib.getExe cfg.package} server";`
			`WorkingDirectory = cfg.stateDir;`
			`User = cfg.user;`
			`Group = cfg.group;`
			`Restart = "always";`
			`EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;`
			`ReadWritePaths = [ cfg.stateDir ];`
			`ReadOnlyPaths = [ cfg.configDir ];`
			`MemoryDenyWriteExecute = true;`
			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`ProtectControlGroups = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelLogs = true;`
			`RestrictAddressFamilies = [`
			`"AF_UNIX"`
			`"AF_INET"`
			`"AF_INET6"`
			`"AF_NETLINK"`
			`];`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`LockPersonality = true;`
			`SystemCallArchitectures = "native";`
			`};`
			`};`
			`};`
			`};`

			`meta.maintainers = with lib.maintainers; [`
			`bhankas`
			`danth`
			`ramblurr`
			`];`
			`}`