From 5f4d5fcfa4e633682c8e1c06cd4872316fdaac51 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 6 Jul 2022 00:08:29 +0200
Subject: [PATCH] services/nextcloud: apply suggestions
---
 nixos/modules/services/web-apps/nextcloud.nix | 4 +-
 nixos/tests/nextcloud/default.nix | 6 +-
 ...=> with-declarative-redis-and-secrets.nix} | 14 ++-
 nixos/tests/nextcloud/with-secrets.nix | 113 ------------------
 4 files changed, 16 insertions(+), 121 deletions(-)
 rename nixos/tests/nextcloud/{with-declarative-redis.nix => with-declarative-redis-and-secrets.nix} (87%)
 delete mode 100644 nixos/tests/nextcloud/with-secrets.nix
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index f931dba5897c..b2dd3514890c 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -555,7 +555,7 @@ in {
 description = ''
 Extra options which should be appended to nextcloud's config.php file.
 '';
- example = literalExample '' {
+ example = literalExpression '' {
 redis = {
 host = "/run/redis/redis.sock";
 port = 0;
@@ -575,7 +575,7 @@ in {
 {"redis":{"password":"secret"}}.
 '';
 };
-
+
 nginx = {
 recommendedHttpHeaders = mkOption {
 type = types.bool;
diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix
index 3df773fc0f82..9e378fe6a52d 100644
--- a/nixos/tests/nextcloud/default.nix
+++ b/nixos/tests/nextcloud/default.nix
@@ -16,11 +16,7 @@ foldl
 inherit system pkgs;
 nextcloudVersion = ver;
 };
- "with-declarative-redis${toString ver}" = import ./with-declarative-redis.nix {
- inherit system pkgs;
- nextcloudVersion = ver;
- };
- "with-secrets${toString ver}" = import ./with-secrets.nix {
+ "with-declarative-redis-and-secrets${toString ver}" = import ./with-declarative-redis-and-secrets.nix {
 inherit system pkgs;
 nextcloudVersion = ver;
 };
diff --git a/nixos/tests/nextcloud/with-declarative-redis.nix b/nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix similarity index 87% rename from nixos/tests/nextcloud/with-declarative-redis.nix rename to nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix index 5e27adee085f..fda05bacb4fe 100644 --- a/nixos/tests/nextcloud/with-declarative-redis.nix +++ b/nixos/tests/nextcloud/with-declarative-redis-and-secrets.nix @@ -32,13 +32,14 @@ in { ${adminpass} ''); }; + secretFile = "/etc/nextcloud-secrets.json"; extraOptions.redis = { host = "/run/redis/redis.sock"; port = 0; dbindex = 0; - password = "secret"; timeout = 1.5; + # password handled via secretfile below }; extraOptions.memcache = { local = "\OC\Memcache\Redis"; @@ -66,6 +67,17 @@ in { } ]; }; + + # This file is meant to contain secret options which should + # not go into the nix store. Here it is just used to set the + # databyse type to postgres. + environment.etc."nextcloud-secrets.json".text = '' + { + "redis": { + "password": "secret" + } + } + ''; }; }; diff --git a/nixos/tests/nextcloud/with-secrets.nix b/nixos/tests/nextcloud/with-secrets.nix deleted file mode 100644 index 3697b4b29c3c..000000000000 --- a/nixos/tests/nextcloud/with-secrets.nix +++ /dev/null 
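Review bot: The comment added above `environment.etc."nextcloud-secrets.json".text` in the second hunk of with-declarative-redis-and-secrets.nix was carried over from the deleted with-secrets.nix and no longer matches the file: the JSON sets only `redis.password`, not a database type, and "databyse" is a typo. It also reads as if the secret stays out of the nix store, but `environment.etc.<name>.text` is itself written to the world-readable store, so this test only exercises the merge path and should say so. I would reword it to `# Stand-in for a secret file; in this test the content still lands in the nix store.` followed by `# Real deployments should provision it out of band, readable only by the nextcloud user.` Nothing in the visible lines asserts that the password from `secretFile` actually reaches the redis connection; whether `services.redis` requires a password here is outside the hunk, so a positive check in the test script would be worth adding if it does not exist already.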
@@ -1,113 +0,0 @@
-import ../make-test-python.nix ({ pkgs, ...}: let
- adminpass = "hunter2";
- adminuser = "custom-admin-username";
-in {
- name = "nextcloud-with-secrets-file";
- meta = with pkgs.lib.maintainers; {
- maintainers = [ eqyiel ];
- };
-
- nodes = {
- # The only thing the client needs to do is download a file.
- client = { ... }: {};
-
- nextcloud = { config, pkgs, ... }: {
- networking.firewall.allowedTCPPorts = [ 80 ];
-
- services.nextcloud = {
- enable = true;
- hostName = "nextcloud";
- caching = {
- apcu = false;
- memcached = false;
- };
- config = {
- dbtype = "pgsql";
- dbname = "nextcloud";
- dbuser = "nextcloud";
- dbhost = "/run/postgresql";
- inherit adminuser;
- adminpassFile = toString (pkgs.writeText "admin-pass-file" ''
- ${adminpass}
- '');
- };
- secretFile = "/etc/nextcloud-secrets.json";
- };
-
- systemd.services.nextcloud-setup= {
- requires = ["postgresql.service"];
- after = [
- "postgresql.service"
- ];
- };
-
- services.redis = {
- enable = true;
- };
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "nextcloud" ];
- ensureUsers = [
- { name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }
- ];
- };
-
- # This file is meant to contain secret options which should
- # not go into the nix store. Here it is just used to set the
- # databyse type to postgres.
- environment.etc."nextcloud-secrets.json".text = ''
- {
- "redis": {
- "host": "/run/redis/redis.sock",
- "port": 0,
- "dbindex": 0,
- "password": "secret",
- "timeout": 1.5
- },
- "memcache": {
- "local": "\\OC\\Memcache\\Redis",
- "locking": "\\OC\\Memcache\\Redis"
- }
- }
- '';
- };
- };
-
- testScript = let
- withRcloneEnv = pkgs.writeScript "with-rclone-env" ''
- #!${pkgs.runtimeShell}
- export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
- export RCLONE_CONFIG_NEXTCLOUD_URL="http://nextcloud/remote.php/webdav/"
- export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
- export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"
- export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"
- "''${@}"
- '';
- copySharedFile = pkgs.writeScript "copy-shared-file" ''
- #!${pkgs.runtimeShell}
- echo 'hi' | ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file
- '';
-
- diffSharedFile = pkgs.writeScript "diff-shared-file" ''
- #!${pkgs.runtimeShell}
- diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file)
- '';
- in ''
- start_all()
- nextcloud.wait_for_unit("multi-user.target")
- nextcloud.succeed("curl -sSf http://nextcloud/login")
- nextcloud.succeed(
- "${withRcloneEnv} ${copySharedFile}"
- )
- client.wait_for_unit("multi-user.target")
- client.succeed(
- "${withRcloneEnv} ${diffSharedFile}"
- )
-
- # redis cache should not be empty
- nextcloud.fail("redis-cli KEYS * | grep -q 'empty array'")
- '';
-})