NiksOS/system/server/seafile.nix

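{
  config,
  inputs,
  pkgs,
  lib,
  ...
}: let
  inherit (lib) mkIf mkForce;
  cfg = config.niksos.server;
  # Public hostname of the Seafile instance. seahub's ALLOWED_HOSTS,
  # CSRF_TRUSTED_ORIGINS and the OAuth redirect URL are all derived from it,
  # so changing it here keeps the web origin and the IdP registration in sync.
  url = "files.jsw.tf";
  httpsUrl = "https://" + url;
  # The OIDC provider is the Zitadel instance configured elsewhere in this tree.
  authUrl = config.services.zitadel.settings.ExternalDomain;
  httpsAuthUrl = "https://" + authUrl;
in {
  config = mkIf cfg {
    # Caddy terminates TLS and forwards to the two Seafile unix sockets:
    # /seafhttp/* is the file server, everything else is seahub (the web UI).
    services.caddy.virtualHosts.${url}.extraConfig = ''
      handle_path /seafhttp/* {
        reverse_proxy * unix//run/seafile/server.sock
      }
      handle_path /* {
        reverse_proxy * unix//run/seahub/gunicorn.sock
      }
    '';

    services.seafile = {
      # Same value as the mkIf guard above; use the shared binding for consistency.
      enable = cfg;
      seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
      adminEmail = "jsw@jsw.tf";
      # This literal is written into the world-readable Nix store. It only
      # bootstraps the very first login and has to be changed in the web UI
      # right after the initial deploy (the value itself says so).
      initialAdminPassword = "ChangeMeTheFuckNow!";
      gc.enable = true;
      ccnetSettings.General.SERVICE_URL = httpsUrl;
      # Appended to seahub_settings.py, so the body below is Python, not Nix.
      seahubExtraConf = ''
        ALLOWED_HOSTS = ['.${url}']
        CSRF_COOKIE_SECURE = True
        CSRF_COOKIE_SAMESITE = 'Strict'
        CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
        SITE_NAME = "JSW Cloud"
        SITE_TITLE = "JSW Cloud"
        ENABLE_OAUTH = True
        # Every identity the IdP authenticates gets a seahub account and is
        # activated immediately, so who may log in is decided entirely in Zitadel.
        OAUTH_CREATE_UNKNOWN_USER = True
        OAUTH_ACTIVATE_USER_AFTER_CREATION = True
        OAUTH_ENABLE_INSECURE_TRANSPORT = False
        OAUTH_CLIENT_ID = "329743411726844274"
        # The client secret is read at service start from the agenix-managed
        # file instead of being interpolated into the Nix store. The trailing
        # newline most secret files end with is stripped; without that the
        # secret sent to the token endpoint would not match. The seahub service
        # user needs read access to this path (agenix owner/group) -- TODO confirm.
        with open("${config.age.secrets.seafile-oidc.path}") as f:
            OAUTH_CLIENT_SECRET = f.read().strip()
        OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
        OAUTH_PROVIDER = '${authUrl}'
        OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
        OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
        OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
        OAUTH_SCOPE = ["openid", "profile", "email"]
        # userinfo claim -> (required, seahub attribute); presumably the
        # bool marks the claim as mandatory -- verify against seahub docs.
        OAUTH_ATTRIBUTE_MAP = {
            "sub": (True, "uid"),
            "name": (True, "name"),
            "email": (True, "contact_email")
        }
      '';
      seafileSettings = {
        quota.default = 30;
        history.keep_days = 40;
        library_trash.expire_days = 14;
        fileserver = {
          host = "unix:/run/seafile/server.sock";
          web_token_expire_time = 14400; # 4 hours
          max_download_dir_size = 100000; # 100gb max download size.
        };
      };
    };

    # environment.etc."seafile/seahub_settings.py" = {
    #   text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
    #   source = config.age.secrets.seafile-seahubconf.path;
    #   user = "seafile";
    #   group = "seafile";
    # };

    # NOTE: Overriding parts of the service so that it uses a different root.
    # When upgrading, please check the following:
    #  * whether seafile still uses seafile_settings.py to store the openid settings;
    #  * whether the service scripts / settings have changed;
    #  * better still, rewrite this entire part.
    # Everything inside is currently commented out, so the let-bindings are
    # unused and `seaf-server` is an empty attribute set (a no-op override).
    systemd.services = let
      config-dir = "/run/seafile";
      replaceSecretBin = lib.getExe pkgs.replace-secret;
      seafRoot = "/var/lib/seafile";
      ccnetDir = "${seafRoot}/ccnet";
      sfCfg = config.services.seafile;
    in {
      seaf-server = {
        # `oidcSubstitute` is not bound anywhere in this file as shown; it needs
        # a definition before this preStart can be re-enabled.
        # preStart = ''
        #   umask 077
        #   cp -f '/etc/seafile' '${config-dir}'
        #   chmod u+w -R '${config-dir}'
        #   ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py'
        # '';
        # serviceConfig.ExecStart = mkForce ''
        #   ${lib.getExe sfCfg.seahubPackage.seafile-server} \
        #     --foreground \
        #     -F '${config-dir}' \
        #     -c ${ccnetDir} \
        #     -d ${sfCfg.dataDir} \
        #     -l /var/log/seafile/server.log \
        #     -P /run/seafile/server.pid \
        #     -p /run/seafile
        # '';
      };
      # seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir;
    };
  };
}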