Seafile: read secret using python

secrets/default.nix

@@ -8,6 +8,7 @@
 
   serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
   abstrServiceUser = x: config.services.${x}.user;
+  abstrServiceGroup = x: config.services.${x}.group;
 in {
   age.secrets = {
     password.file = ./password.age;
@@ -41,5 +42,10 @@ in {
       file = ./immich-oidc.age;
       owner = abstrServiceUser "immich";
     };
+    seafile-oidc = mkIf server {
+      file = ./seafile-oidc.age;
+      owner = abstrServiceUser "seafile";
+      mode = "400";
+    };
   };
 }

secrets/seafile-oidc.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA N2jnATED5CQTDflLzW2wnIarM0nc8hTJAQ9G9Q5M+2U
+jV9R8GqaqQe4TeXa6mqhZGLWAVPoGpTHuh42tCnTwds
+-> ssh-ed25519 MfR7VA VAlild/90Vofo0zXd42NapS1sHluYLPGP5lMC+JSIFo
+VdPZvpRpC0JA8ba+HI5F3lOuR8qZAlFZt8AQEytqOEs
+-> ssh-ed25519 +cvRTg hW1dt51t+g4MOCPxwP2o7RuIpi16q0b7c5CA4EAxs3o
+UwDgBrgetix+6FuAowZaG6Aq+J1CDZdsjIn9v38g9I8
+-> ssh-ed25519 WCPLrA QksEezxLik0zl+3YiDtM95LQqNeZKAHaqdlmKTOj0XY
+Thj7Gbkw5uti1pzMd0jZ2d4EzIY4QA7MJbC/gPdvIbo
+-> ssh-ed25519 7/ziYw kffVPB2i78R1mlidzoBV15sDVeEWWt40bhrIgtm/Zws
+fFukgot++DcOQd8qrkzD6xh6zFhVnZNmqNF4i33vLLw
+-> ssh-ed25519 VQy60Q 84xB7sxEOT3B8CUb7GZCsbJd69gy0yaBYjgrPN8xox0
+qE+5vjNdy67rZPc8QynIvLZzTqyoofMSMnFC3z7hoXQ
+--- 7mWx4K+zrpZqGRcoLBWXF+Sod/EmnodV74lvYrc4+d4
+:ÑÔ('0v2ös‘¾£
_[Xöà½r±î77w´VƽÆôjb݉¤°‘H's+oCd¦X²¯ËªŠGW’™S~4·¨HA\ÓJ•‡MÂÍñx¸­.¢¼ÛÏÈ45ÿ1Öê

secrets/secrets.nix

@@ -22,4 +22,5 @@ in {
   "zitadel-key.age".publicKeys = keys;
   "forgejo-mailpass.age".publicKeys = keys;
   "immich-oidc.age".publicKeys = keys;
+  "seafile-oidc.age".publicKeys = keys;
 }

system/server/seafile.nix

@@ -2,68 +2,19 @@
   config,
   inputs,
   pkgs,
+  lib,
   ...
 }: let
+  inherit (lib) mkIf mkForce;
+  cfg = config.niksos.server;
+
   url = "files.jsw.tf";
   httpsUrl = "https://" + url;
   authUrl = config.services.zitadel.settings.ExternalDomain;
   httpsAuthUrl = "https://" + authUrl;
-  oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
-  config-dir = "/run/immich-conf";
 in {
-  services.seafile = {
-    enable = config.niksos.server;
-    seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
-
-    adminEmail = "jsw@jsw.tf";
-    initialAdminPassword = "ChangeMeTheFuckNow!";
-
-    gc.enable = true;
-
-    ccnetSettings.General.SERVICE_URL = httpsUrl;
-    seahubExtraConf = ''
-      ALLOWED_HOSTS = ['.${url}']
-      CSRF_COOKIE_SECURE = True
-      CSRF_COOKIE_SAMESITE = 'Strict'
-      CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
-
-      SITE_NAME = "JSW Cloud"
-      SITE_TITLE = "JSW Cloud"
-
-      ENABLE_OAUTH = True
-      OAUTH_CREATE_UNKNOWN_USER = True
-      OAUTH_ACTIVATE_USER_AFTER_CREATION = True
-      OAUTH_ENABLE_INSECURE_TRANSPORT = False
-      OAUTH_CLIENT_ID = "329743411726844274"
-      OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
-      OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
-      OAUTH_PROVIDER_DOMAIN = '${authUrl}'
-      OAUTH_PROVIDER = 'JSW Auth'
-      OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
-      OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
-      OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
-      OAUTH_SCOPE = ["user",]
-      OAUTH_ATTRIBUTE_MAP = {
-          "id": (True, "email"),
-          "name": (False, "name"),
-          "email": (False, "contact_email"),
-          "uid": (True, "uid"),
-      }
-    '';
-    seafileSettings = {
-      quota.default = 30;
-      history.keep_days = 40;
-      library_trash.expire_days = 14;
-      fileserver = {
-        host = "unix:/run/seafile/server.sock";
-        web_token_expire_time = 14400; # 4 hours
-        max_download_dir_size = 100000; # 100gb max download size.
-      };
-    };
-  };
-
-  services.caddy.virtualHosts.${url} = {
-    extraConfig = ''
+  config = mkIf cfg {
+    services.caddy.virtualHosts.${url}.extraConfig = ''
            handle_path /seafhttp/* {
       reverse_proxy * unix//run/seafile/server.sock
            }
@@ -71,5 +22,96 @@ in {
       reverse_proxy * unix//run/seahub/gunicorn.sock
            }
     '';
+
+    services.seafile = {
+      enable = config.niksos.server;
+      seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
+
+      adminEmail = "jsw@jsw.tf";
+      initialAdminPassword = "ChangeMeTheFuckNow!";
+
+      gc.enable = true;
+
+      ccnetSettings.General.SERVICE_URL = httpsUrl;
+      seahubExtraConf = ''
+        ALLOWED_HOSTS = ['.${url}']
+        CSRF_COOKIE_SECURE = True
+        CSRF_COOKIE_SAMESITE = 'Strict'
+        CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
+
+        SITE_NAME = "JSW Cloud"
+        SITE_TITLE = "JSW Cloud"
+
+        ENABLE_OAUTH = True
+        OAUTH_CREATE_UNKNOWN_USER = True
+        OAUTH_ACTIVATE_USER_AFTER_CREATION = True
+        OAUTH_ENABLE_INSECURE_TRANSPORT = False
+        OAUTH_CLIENT_ID = "329743411726844274"
+
+        with open("${config.age.secrets.seafile-oidc.path}") as f:
+          OAUTH_CLIENT_SECRET = f.read()
+
+        OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
+        OAUTH_PROVIDER = '${authUrl}'
+        OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
+        OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
+        OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
+        OAUTH_SCOPE = ["openid", "profile", "email"]
+        OAUTH_ATTRIBUTE_MAP = {
+            "sub": (True, "uid"),
+            "name": (True, "name"),
+            "email": (True, "contact_email")
+        }
+      '';
+      seafileSettings = {
+        quota.default = 30;
+        history.keep_days = 40;
+        library_trash.expire_days = 14;
+        fileserver = {
+          host = "unix:/run/seafile/server.sock";
+          web_token_expire_time = 14400; # 4 hours
+          max_download_dir_size = 100000; # 100gb max download size.
+        };
+      };
+    };
+
+    # environment.etc."seafile/seahub_settings.py" = {
+    #   text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
+    #   source = config.age.secrets.seafile-seahubconf.path;
+    #   user = "seafile";
+    #   group = "seafile";
+    # };
+
+    #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
+    ## * If seafile still uses seafile_settings.py to store openid settings.systemd
+    ## * If the service scripts / settings have changed.systemd
+    ## * Better even, rewrite this entire part.
+    systemd.services = let
+      config-dir = "/run/seafile";
+      replaceSecretBin = lib.getExe pkgs.replace-secret;
+      seafRoot = "/var/lib/seafile";
+      ccnetDir = "${seafRoot}/ccnet";
+      sfCfg = config.services.seafile;
+    in {
+      seaf-server = {
+        # preStart = ''
+        #   umask 077
+        #   cp -f '/etc/seafile' '${config-dir}'
+        #   chmod u+w -R '${config-dir}'
+        #   ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py'
+        # '';
+        # serviceConfig.ExecStart = mkForce ''
+        #   ${lib.getExe sfCfg.seahubPackage.seafile-server} \
+        #   --foreground \
+        #   -F '${config-dir} \
+        #   -c ${ccnetDir} \
+        #   -d ${sfCfg.dataDir} \
+        #   -l /var/log/seafile/server.log \
+        #   -P /run/seafile/server.pid \
+        #   -p /run/seafile
+        # '';
+      };
+      # seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir;
+    };
   };
 }