nextcloud improve user/group handling
- remove options cfg.user, cfg.groups - add option `serverUser` which is required when not using nginx - add `serverUser` to nextcloud group - set user/group to "nextcloud" for nextcloud services - make setup-service non-root
This commit is contained in:
parent
07076e9fe0
commit
6ee3004132
@ -7,6 +7,7 @@ let
|
|||||||
fpm = config.services.phpfpm.pools.nextcloud;
|
fpm = config.services.phpfpm.pools.nextcloud;
|
||||||
|
|
||||||
group = if cfg.nginx.enable then config.services.nginx.group else cfg.group;
|
group = if cfg.nginx.enable then config.services.nginx.group else cfg.group;
|
||||||
|
serverUser = if cfg.nginx.enable then config.services.nginx.user else cfg.serverUser;
|
||||||
|
|
||||||
phpPackage =
|
phpPackage =
|
||||||
let
|
let
|
||||||
@ -35,8 +36,8 @@ let
|
|||||||
#! ${pkgs.runtimeShell}
|
#! ${pkgs.runtimeShell}
|
||||||
cd ${cfg.package}
|
cd ${cfg.package}
|
||||||
sudo=exec
|
sudo=exec
|
||||||
if [[ "$USER" != ${cfg.user} ]]; then
|
if [[ "$USER" != nextcloud ]]; then
|
||||||
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
|
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
|
||||||
fi
|
fi
|
||||||
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
|
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
|
||||||
$sudo \
|
$sudo \
|
||||||
@ -73,18 +74,9 @@ in {
|
|||||||
description = "Which package to use for the Nextcloud instance.";
|
description = "Which package to use for the Nextcloud instance.";
|
||||||
relatedPackages = [ "nextcloud17" "nextcloud18" "nextcloud19" ];
|
relatedPackages = [ "nextcloud17" "nextcloud18" "nextcloud19" ];
|
||||||
};
|
};
|
||||||
user = mkOption {
|
serverUser = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "nextcloud";
|
description = "Must be set to the user of the webserver if nginx is not used.";
|
||||||
description = "User of the nextcloud service";
|
|
||||||
};
|
|
||||||
group = mkOption {
|
|
||||||
type = with types; nullOr str;
|
|
||||||
description = ''
|
|
||||||
Set group for nextcloud related services.
|
|
||||||
This option cannot be used if <xref linkend="opt-services.nextcloud.nginx.enable"/> is set.
|
|
||||||
In this case <xref linkend="opt-services.nginx.group"/> is used instead.";
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
maxUploadSize = mkOption {
|
maxUploadSize = mkOption {
|
||||||
@ -182,7 +174,7 @@ in {
|
|||||||
};
|
};
|
||||||
dbuser = mkOption {
|
dbuser = mkOption {
|
||||||
type = types.nullOr types.str;
|
type = types.nullOr types.str;
|
||||||
default = cfg.user;
|
default = "nextcloud";
|
||||||
description = "Database user.";
|
description = "Database user.";
|
||||||
};
|
};
|
||||||
dbpass = mkOption {
|
dbpass = mkOption {
|
||||||
@ -337,8 +329,11 @@ in {
|
|||||||
&& !(acfg.adminpass != null && acfg.adminpassFile != null));
|
&& !(acfg.adminpass != null && acfg.adminpassFile != null));
|
||||||
message = "Please specify exactly one of adminpass or adminpassFile";
|
message = "Please specify exactly one of adminpass or adminpassFile";
|
||||||
}
|
}
|
||||||
{ assertion = cfg.nginx.enable -> (group == config.services.nginx.group);
|
{ assertion = cfg.nginx.enable -> (cfg.serverUser == null);
|
||||||
message = "Nextcloud group cannot be set if nginx is used";
|
message = "serverUser cannot be set if nginx is used";
|
||||||
|
}
|
||||||
|
{ assertion = ! cfg.nginx.enable -> ( hasAttr cfg.serverUser config.users.users);
|
||||||
|
message = "configured serverUser '${cfg.serverUser}' doesn't exist";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
@ -486,7 +481,7 @@ in {
|
|||||||
script = ''
|
script = ''
|
||||||
chmod og+x ${cfg.home}
|
chmod og+x ${cfg.home}
|
||||||
ln -sf ${cfg.package}/apps ${cfg.home}/
|
ln -sf ${cfg.package}/apps ${cfg.home}/
|
||||||
install -o ${cfg.user} -g ${group} -d ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
|
install -o nextcloud -g nextcloud -d ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
|
||||||
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
|
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
|
||||||
|
|
||||||
# Do not install if already installed
|
# Do not install if already installed
|
||||||
@ -500,25 +495,26 @@ in {
|
|||||||
${occSetTrustedDomainsCmd}
|
${occSetTrustedDomainsCmd}
|
||||||
'';
|
'';
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
|
serviceConfig.User = "nextcloud";
|
||||||
};
|
};
|
||||||
nextcloud-cron = {
|
nextcloud-cron = {
|
||||||
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
|
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
serviceConfig.User = cfg.user;
|
serviceConfig.User = "nextcloud";
|
||||||
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
|
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
|
||||||
};
|
};
|
||||||
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
|
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all";
|
serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all";
|
||||||
serviceConfig.User = cfg.user;
|
serviceConfig.User = "nextcloud";
|
||||||
startAt = cfg.autoUpdateApps.startAt;
|
startAt = cfg.autoUpdateApps.startAt;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.phpfpm = {
|
services.phpfpm = {
|
||||||
pools.nextcloud = {
|
pools.nextcloud = {
|
||||||
user = cfg.user;
|
user = "nextcloud";
|
||||||
inherit group;
|
group = "nextcloud";
|
||||||
phpOptions = phpOptionsStr;
|
phpOptions = phpOptionsStr;
|
||||||
phpPackage = phpPackage;
|
phpPackage = phpPackage;
|
||||||
phpEnv = {
|
phpEnv = {
|
||||||
@ -526,18 +522,19 @@ in {
|
|||||||
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
|
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
|
||||||
};
|
};
|
||||||
settings = mapAttrs (name: mkDefault) {
|
settings = mapAttrs (name: mkDefault) {
|
||||||
"listen.owner" = cfg.user;
|
"listen.owner" = serverUser;
|
||||||
"listen.group" = group;
|
"listen.group" = config.users.users.${serverUser}.group;
|
||||||
} // cfg.poolSettings;
|
} // cfg.poolSettings;
|
||||||
extraConfig = cfg.poolConfig;
|
extraConfig = cfg.poolConfig;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.extraUsers.${cfg.user} = {
|
users.users.nextcloud = {
|
||||||
home = "${cfg.home}";
|
home = "${cfg.home}";
|
||||||
inherit group;
|
group = "nextcloud";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
};
|
};
|
||||||
|
users.groups.nextcloud.members = [ "nextcloud" "${serverUser}" ];
|
||||||
|
|
||||||
environment.systemPackages = [ occ ];
|
environment.systemPackages = [ occ ];
|
||||||
}
|
}
|
||||||
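Review bot: The new assertion `cfg.nginx.enable -> (cfg.serverUser == null)` cannot be satisfied as the option is declared: `serverUser` is `types.str` with no default, so when nginx is enabled and the option is left unset (the case the assertion is meant to allow) forcing `cfg.serverUser` raises "option used but not defined", and when it is set the comparison with null is simply false. If `nginx.enable` defaults to true (not visible here) that breaks evaluation of the default configuration; the `hasAttr cfg.serverUser config.users.users` check in the second assertion forces the value the same way. Declaring the option as `nullOr str` with `default = null`, guarding the existence check with `cfg.serverUser != null`, and using `toString` in the message (so a null value does not fail inside the interpolation) keeps both assertions evaluable on either path; the rest of the module already routes through the `serverUser` let-binding, which picks `config.services.nginx.user` when nginx is enabled. Both the `options` set and the `assertions` list start and end outside these hunks.
```nix
    serverUser = mkOption {
      type = with types; nullOr str;
      default = null;
      description = "Must be set to the user of the webserver if nginx is not used.";
    };
# … unchanged: remaining options, config, services …
    { assertion = cfg.nginx.enable -> (cfg.serverUser == null);
      message = "serverUser cannot be set if nginx is used";
    }
    { assertion = !cfg.nginx.enable -> (cfg.serverUser != null && hasAttr cfg.serverUser config.users.users);
      message = "configured serverUser '${toString cfg.serverUser}' is not set or doesn't exist";
    }
```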
|