voyager/nexctcloud: authenticate with keycloak

2024-06-13 08:34:13 +02:00
parent 6653de02e5
commit 70959b5092
2 changed files with 34 additions and 4 deletions
--- a/hosts/voyager/services/nextcloud.nix
+++ b/hosts/voyager/services/nextcloud.nix
@@ -21,11 +21,34 @@ in {
    };

    settings = {
-      trusted_proxies = [ "192.168.10.175" ]; # defiant
      default_phone_region = "NO";
      log_type = "file";
+      overwriteprotocol = "https";
+      trusted_proxies = [ "192.168.10.175" ]; # defiant
+
+      # Docs: https://github.com/pulsejet/nextcloud-oidc-login
+      oidc_login_auto_redirect = true;
+      oidc_login_button_text = "Log in with KeyCloak";
+      oidc_login_client_id = "nextcloud";
+      oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
+      oidc_login_code_challenge_method = "S256";
+      oidc_login_end_session_redirect' = true;
+      oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
+      oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
+      oidc_login_redir_fallback = true;
+
+      oidc_login_attributes = {
+        id = "preferred_username";
+        mail = "email";
+        name = "name";
+        login_filter = "nextcloud-roles";
+      };
+      oidc_login_filter_allowed_values = [ "nextcloud-user" ];
+      oidc_login_disable_registration = false;
    };

+    secretFile = config.sops.secrets."nextcloud/secretsjson".path;
+
    phpOptions = {
      "opcache.interned_strings_buffer" = "16";
      "upload_max_filesize" = lib.mkForce "8G";
@@ -49,6 +72,12 @@ in {
    group = "nextcloud";
    restartUnits = [ "phpfpm-nextcloud.service" ];
  };
+  sops.secrets."nextcloud/secretsjson" = {
+    mode = "0440";
+    owner = "nextcloud";
+    group = "nextcloud";
+    restartUnits = [ "phpfpm-nextcloud.service" ];
+  };

  services.postgresql = {
    ensureDatabases = [ "nextcloud" ];
@@ -79,7 +108,7 @@ in {
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
-      ReadPaths = [ "/run/secrets" "/nix/store" ];
+      ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      UMask = "0007";