diff --git a/secrets/default.nix b/secrets/default.nix index 141308e..319a835 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -8,6 +8,7 @@ serviceUser = x: config.systemd.services.${x}.serviceConfig.User; abstrServiceUser = x: config.services.${x}.user; + abstrServiceGroup = x: config.services.${x}.group; in { age.secrets = { password.file = ./password.age; @@ -41,5 +42,10 @@ in { file = ./immich-oidc.age; owner = abstrServiceUser "immich"; }; + seafile-oidc = mkIf server { + file = ./seafile-oidc.age; + owner = abstrServiceUser "seafile"; + mode = "400"; + }; }; } diff --git a/secrets/seafile-oidc.age b/secrets/seafile-oidc.age new file mode 100644 index 0000000..70db7a2 --- /dev/null +++ b/secrets/seafile-oidc.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA N2jnATED5CQTDflLzW2wnIarM0nc8hTJAQ9G9Q5M+2U +jV9R8GqaqQe4TeXa6mqhZGLWAVPoGpTHuh42tCnTwds +-> ssh-ed25519 MfR7VA VAlild/90Vofo0zXd42NapS1sHluYLPGP5lMC+JSIFo +VdPZvpRpC0JA8ba+HI5F3lOuR8qZAlFZt8AQEytqOEs +-> ssh-ed25519 +cvRTg hW1dt51t+g4MOCPxwP2o7RuIpi16q0b7c5CA4EAxs3o +UwDgBrgetix+6FuAowZaG6Aq+J1CDZdsjIn9v38g9I8 +-> ssh-ed25519 WCPLrA QksEezxLik0zl+3YiDtM95LQqNeZKAHaqdlmKTOj0XY +Thj7Gbkw5uti1pzMd0jZ2d4EzIY4QA7MJbC/gPdvIbo +-> ssh-ed25519 7/ziYw kffVPB2i78R1mlidzoBV15sDVeEWWt40bhrIgtm/Zws +fFukgot++DcOQd8qrkzD6xh6zFhVnZNmqNF4i33vLLw +-> ssh-ed25519 VQy60Q 84xB7sxEOT3B8CUb7GZCsbJd69gy0yaBYjgrPN8xox0 +qE+5vjNdy67rZPc8QynIvLZzTqyoofMSMnFC3z7hoXQ +--- 7mWx4K+zrpZqGRcoLBWXF+Sod/EmnodV74lvYrc4+d4 +:ÑÔ('0v2ös‘¾£ _[Xöà ½r±î77w´VƽÆôjb݉¤°‘H's+oCd¦X²¯ËªŠGW’™S~4·¨HA\ÓJ•‡MÂÍñx¸­.¢¼ÛÏÈ45ÿ1Öê \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index df90563..d60c431 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,4 +22,5 @@ in { "zitadel-key.age".publicKeys = keys; "forgejo-mailpass.age".publicKeys = keys; "immich-oidc.age".publicKeys = keys; + "seafile-oidc.age".publicKeys = keys; } 
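Review bot: `owner = abstrServiceUser "seafile"` in the new `seafile-oidc` entry resolves to `config.services.seafile.user`, and nothing on this page shows the seafile module declaring a `user` option — the commented block at the bottom of seafile.nix hardcodes `user = "seafile"` instead — so if the option does not exist this fails at evaluation rather than falling back; `owner = "seafile";` is the safe literal. The `abstrServiceGroup` helper added in the first hunk is not used by this entry, so the secret keeps the default group, and with `mode = "400"` any seahub process running under a different account than the owner cannot perform the `open()` that the new `seahubExtraConf` does. `mode = "400"` also differs from the sibling `immich-oidc` entry, which relies on the default; pick one convention.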
diff --git a/system/server/seafile.nix b/system/server/seafile.nix
index 914d683..50234c2 100644
--- a/system/server/seafile.nix
+++ b/system/server/seafile.nix
@@ -2,68 +2,19 @@ config, inputs, pkgs, + lib, ... }: let + inherit (lib) mkIf mkForce; + cfg = config.niksos.server; + url = "files.jsw.tf"; httpsUrl = "https://" + url; authUrl = config.services.zitadel.settings.ExternalDomain; httpsAuthUrl = "https://" + authUrl; - oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*"; - config-dir = "/run/immich-conf"; in { - services.seafile = { - enable = config.niksos.server; - seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub; - - adminEmail = "jsw@jsw.tf"; - initialAdminPassword = "ChangeMeTheFuckNow!"; - - gc.enable = true; - - ccnetSettings.General.SERVICE_URL = httpsUrl; - seahubExtraConf = '' - ALLOWED_HOSTS = ['.${url}'] - CSRF_COOKIE_SECURE = True - CSRF_COOKIE_SAMESITE = 'Strict' - CSRF_TRUSTED_ORIGINS = ['${httpsUrl}'] - - SITE_NAME = "JSW Cloud" - SITE_TITLE = "JSW Cloud" - - ENABLE_OAUTH = True - OAUTH_CREATE_UNKNOWN_USER = True - OAUTH_ACTIVATE_USER_AFTER_CREATION = True - OAUTH_ENABLE_INSECURE_TRANSPORT = False - OAUTH_CLIENT_ID = "329743411726844274" - OAUTH_CLIENT_SECRET = "${oidcSubstitute}" - OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/' - OAUTH_PROVIDER_DOMAIN = '${authUrl}' - OAUTH_PROVIDER = 'JSW Auth' - OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize' - OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token' - OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo' - OAUTH_SCOPE = ["user",] - OAUTH_ATTRIBUTE_MAP = { - "id": (True, "email"), - "name": (False, "name"), - "email": (False, "contact_email"), - "uid": (True, "uid"), - } - ''; - seafileSettings = { - quota.default = 30; - history.keep_days = 40; - library_trash.expire_days = 14; - fileserver = { - host = "unix:/run/seafile/server.sock"; - web_token_expire_time = 14400; # 4 hours - max_download_dir_size = 100000; # 100gb max download size. 
- }; - }; - }; - - services.caddy.virtualHosts.${url} = { - extraConfig = '' + config = mkIf cfg { + services.caddy.virtualHosts.${url}.extraConfig = '' handle_path /seafhttp/* { reverse_proxy * unix//run/seafile/server.sock } 
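Review bot: `inherit (lib) mkIf mkForce;` brings in `mkForce`, but on the new side it is referenced only inside the commented-out `environment.etc` and `ExecStart` blocks of the second hunk, so it is a dead binding, as are `replaceSecretBin`, `ccnetDir` and `sfCfg` in that hunk's `let`. Either drop the commented code together with those bindings, or mark it with `# TODO(review): leftover from the replace-secret approach; remove once the open() path is confirmed working` so a reader knows it is not load-bearing. The `config = mkIf cfg { … }` set opened at the end of this hunk closes in the next one; inside it `services.seafile.enable = config.niksos.server` is redundant and could be `enable = true;`.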
@@ -71,5 +22,96 @@ in { reverse_proxy * unix//run/seahub/gunicorn.sock } ''; + + services.seafile = { + enable = config.niksos.server; + seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub; + + adminEmail = "jsw@jsw.tf"; + initialAdminPassword = "ChangeMeTheFuckNow!"; + + gc.enable = true; + + ccnetSettings.General.SERVICE_URL = httpsUrl; + seahubExtraConf = '' + ALLOWED_HOSTS = ['.${url}'] + CSRF_COOKIE_SECURE = True + CSRF_COOKIE_SAMESITE = 'Strict' + CSRF_TRUSTED_ORIGINS = ['${httpsUrl}'] + + SITE_NAME = "JSW Cloud" + SITE_TITLE = "JSW Cloud" + + ENABLE_OAUTH = True + OAUTH_CREATE_UNKNOWN_USER = True + OAUTH_ACTIVATE_USER_AFTER_CREATION = True + OAUTH_ENABLE_INSECURE_TRANSPORT = False + OAUTH_CLIENT_ID = "329743411726844274" + + with open("${config.age.secrets.seafile-oidc.path}") as f: + OAUTH_CLIENT_SECRET = f.read() + + OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/' + OAUTH_PROVIDER = '${authUrl}' + OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize' + OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token' + OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo' + OAUTH_SCOPE = ["openid", "profile", "email"] + OAUTH_ATTRIBUTE_MAP = { + "sub": (True, "uid"), + "name": (True, "name"), + "email": (True, "contact_email") + } + ''; + seafileSettings = { + quota.default = 30; + history.keep_days = 40; + library_trash.expire_days = 14; + fileserver = { + host = "unix:/run/seafile/server.sock"; + web_token_expire_time = 14400; # 4 hours + max_download_dir_size = 100000; # 100gb max download size. + }; + }; + }; + + # environment.etc."seafile/seahub_settings.py" = { + # text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break. 
+ # source = config.age.secrets.seafile-seahubconf.path; + # user = "seafile"; + # group = "seafile"; + # }; + + #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things: + ## * If seafile still uses seafile_settings.py to store openid settings.systemd + ## * If the service scripts / settings have changed.systemd + ## * Better even, rewrite this entire part. + systemd.services = let + config-dir = "/run/seafile"; + replaceSecretBin = lib.getExe pkgs.replace-secret; + seafRoot = "/var/lib/seafile"; + ccnetDir = "${seafRoot}/ccnet"; + sfCfg = config.services.seafile; + in { + seaf-server = { + # preStart = '' + # umask 077 + # cp -f '/etc/seafile' '${config-dir}' + # chmod u+w -R '${config-dir}' + # ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py' + # ''; + # serviceConfig.ExecStart = mkForce '' + # ${lib.getExe sfCfg.seahubPackage.seafile-server} \ + # --foreground \ + # -F '${config-dir} \ + # -c ${ccnetDir} \ + # -d ${sfCfg.dataDir} \ + # -l /var/log/seafile/server.log \ + # -P /run/seafile/server.pid \ + # -p /run/seafile + # ''; + }; + # seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir; + }; }; }
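Review bot: `OAUTH_CLIENT_SECRET = f.read()` in the new `seahubExtraConf` keeps whatever trailing newline the decrypted `seafile-oidc.age` ends with, so the secret presented to the token endpoint would be wrong if the file was written with a line ending; `OAUTH_CLIENT_SECRET = f.read().strip()` is the safer form. Reading the secret when seahub imports its settings is the right direction — it keeps the value out of the world-readable Nix store — but it requires the file at `config.age.secrets.seafile-oidc.path` to be readable by the account seahub runs as, which the `mode = "400"` / `owner = abstrServiceUser "seafile"` entry in secrets/default.nix only guarantees if seahub and seaf-server share that user; worth confirming against the module. `initialAdminPassword` remains a plain string literal and therefore lands in the store in clear text; if that is acceptable because it is only the bootstrap password, a comment saying so would stop the next reader from flagging it. The enclosing `config = mkIf cfg { … }` set is opened in the previous hunk.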