2025-07-24 21:45:32 +00:00
4 changed files with 110 additions and 54 deletions
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -41,5 +41,9 @@ in {
      file = ./immich-oidc.age;
      owner = abstrServiceUser "immich";
    };
+    seafile-oidc = mkIf server {
+      file = ./seafile-oidc.age;
+      owner = abstrServiceUser "seafile";
+    };
  };
 }
--- a/secrets/seafile-oidc.age
+++ b/secrets/seafile-oidc.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA bJyIAsI/6hAeQQ9gFYIEY3bYkSZ/1aC+8w3rBYWVHCU
+H38Px7xdB/MFhXdBZxu016/7tuzuk7+mRTv1wyQT+d4
+-> ssh-ed25519 MfR7VA +iGb3WpMd0LbGj8wLBWJOHtiDAcuhxNaKboABUJjqlk
+y6Q1+lV4Zg3Bzz4VvTW+/4SxAy5A5tzOL7O/ra9V0ns
+-> ssh-ed25519 +cvRTg sFXk188eoPOlJdh2LicBCwTvgRerU+Ou5JNvAawfPmU
+elcMDCCJWkPWpmGMHTNgOMoZIAGqZmw3V4J2Q1opyU0
+-> ssh-ed25519 WCPLrA mQMjG0AtKkKIQlSV5FDMhKiLovREAvFmEAye3pfAbSg
+GK8mibNENVSXiQjmKqVuuyAe7b3VpPQ5tqbj/70vwOk
+-> ssh-ed25519 7/ziYw U61nqCBxz9bH4aljZqD2zPd7kJxBQlK8O8eH0QD+8Cc
+CCrpXNbLeNkRSeMmMjlEQK4ffyWm/bTozNZ5yfnXssw
+-> ssh-ed25519 VQy60Q CiiIktgZ0Q5KPSGu/jwPHwNAVaD7dA7T/FKw8H0K3ws
+ZeTiGA0sSeGS1IJrQMBIh28vUnHupYUrnZBsz+9I4yM
+--- qMzO4grI7h5bkEI4d/ruuyMS7RVvZtFsfJT07M8W9W0
+è€Í>q@|6bŸ1<yQ6<51>çÙM‘¼E; (o2WÃ“³
+×|èª¬¸æj<C3A6>UEÖ<45>›è§ÿÝ)ý7JX|;â?.dˆ#i’Ì	ekw¯q¿Q¹Kú§¦¶©¼ì
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -22,4 +22,5 @@ in {
  "zitadel-key.age".publicKeys = keys;
  "forgejo-mailpass.age".publicKeys = keys;
  "immich-oidc.age".publicKeys = keys;
+  "seafile-oidc.age".publicKeys = keys;
 }
--- a/system/server/seafile.nix
+++ b/system/server/seafile.nix
@ -2,15 +2,28 @@
  config,
  inputs,
  pkgs,
+  lib,
  ...
 }: let
+  inherit (lib) mkIf mkForce;
+  cfg = config.niksos.server;
+
  url = "files.jsw.tf";
  httpsUrl = "https://" + url;
  authUrl = config.services.zitadel.settings.ExternalDomain;
  httpsAuthUrl = "https://" + authUrl;
  oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
-  config-dir = "/run/immich-conf";
 in {
+  config = mkIf cfg {
+    services.caddy.virtualHosts.${url}.extraConfig = ''
+           handle_path /seafhttp/* {
+      reverse_proxy * unix//run/seafile/server.sock
+           }
+           handle_path /* {
+      reverse_proxy * unix//run/seahub/gunicorn.sock
+           }
+    '';
+
    services.seafile = {
      enable = config.niksos.server;
      seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
@ -62,14 +75,36 @@ in {
      };
    };

-  services.caddy.virtualHosts.${url} = {
-    extraConfig = ''
-           handle_path /seafhttp/* {
-      reverse_proxy * unix//run/seafile/server.sock
-           }
-           handle_path /* {
-      reverse_proxy * unix//run/seahub/gunicorn.sock
-           }
+    #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
+    ## * If seafile still uses seafile_settings.py to store openid settings.systemd
+    ## * If the service scripts / settings have changed.systemd
+    ## * Better even, rewrite this entire part.
+    systemd.services = let
+      config-dir = "/run/seafile";
+      replaceSecretBin = lib.getExe pkgs.replace-secret;
+      seafRoot = "/var/lib/seafile";
+      ccnetDir = "${seafRoot}/ccnet";
+      sfCfg = config.services.seafile;
+    in {
+      seaf-server = {
+        preStart = ''
+          umask 077
+          cp -f '/etc/seafile' '${config-dir}'
+          chmod u+w -R '${config-dir}'
+          ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py'
+        '';
+        serviceConfig.ExecStart = mkForce ''
+          ${lib.getExe sfCfg.seahubPackage.seafile-server} \
+          --foreground \
+          -F '${config-dir} \
+          -c ${ccnetDir} \
+          -d ${sfCfg.dataDir} \
+          -l /var/log/seafile/server.log \
+          -P /run/seafile/server.pid \
+          -p /run/seafile
        '';
      };
+      seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir;
+    };
+  };
 }