117 lines
4 KiB
Nix
117 lines
4 KiB
Nix
{
|
|
config,
|
|
inputs,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
inherit (lib) mkIf mkForce;
|
|
cfg = config.niksos.server;
|
|
|
|
url = "files.jsw.tf";
|
|
httpsUrl = "https://" + url;
|
|
authUrl = config.services.zitadel.settings.ExternalDomain;
|
|
httpsAuthUrl = "https://" + authUrl;
|
|
in {
|
|
config = mkIf cfg {
|
|
services.caddy.virtualHosts.${url}.extraConfig = ''
|
|
handle_path /seafhttp/* {
|
|
reverse_proxy * unix//run/seafile/server.sock
|
|
}
|
|
handle_path /* {
|
|
reverse_proxy * unix//run/seahub/gunicorn.sock
|
|
}
|
|
'';
|
|
|
|
services.seafile = {
|
|
enable = config.niksos.server;
|
|
seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
|
|
|
|
adminEmail = "jsw@jsw.tf";
|
|
initialAdminPassword = "ChangeMeTheFuckNow!";
|
|
|
|
gc.enable = true;
|
|
|
|
ccnetSettings.General.SERVICE_URL = httpsUrl;
|
|
seahubExtraConf = ''
|
|
ALLOWED_HOSTS = ['.${url}']
|
|
CSRF_COOKIE_SECURE = True
|
|
CSRF_COOKIE_SAMESITE = 'Strict'
|
|
CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
|
|
|
|
SITE_NAME = "JSW Cloud"
|
|
SITE_TITLE = "JSW Cloud"
|
|
|
|
ENABLE_OAUTH = True
|
|
OAUTH_CREATE_UNKNOWN_USER = True
|
|
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
|
|
OAUTH_ENABLE_INSECURE_TRANSPORT = False
|
|
OAUTH_CLIENT_ID = "329743411726844274"
|
|
|
|
with open("${config.age.secrets.seafile-oidc.path}") as f:
|
|
OAUTH_CLIENT_SECRET = f.read()
|
|
|
|
OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
|
|
OAUTH_PROVIDER = '${authUrl}'
|
|
OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize/'
|
|
OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token/'
|
|
OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo/'
|
|
OAUTH_SCOPE = ["openid", "profile", "email"]
|
|
OAUTH_ATTRIBUTE_MAP = {
|
|
"sub": (True, "uid"),
|
|
"name": (True, "name"),
|
|
"email": (True, "contact_email")
|
|
}
|
|
'';
|
|
seafileSettings = {
|
|
quota.default = 30;
|
|
history.keep_days = 40;
|
|
library_trash.expire_days = 14;
|
|
fileserver = {
|
|
host = "unix:/run/seafile/server.sock";
|
|
web_token_expire_time = 14400; # 4 hours
|
|
max_download_dir_size = 100000; # 100gb max download size.
|
|
};
|
|
};
|
|
};
|
|
|
|
# environment.etc."seafile/seahub_settings.py" = {
|
|
# text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
|
|
# source = config.age.secrets.seafile-seahubconf.path;
|
|
# user = "seafile";
|
|
# group = "seafile";
|
|
# };
|
|
|
|
#NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
|
|
## * If seafile still uses seafile_settings.py to store openid settings.systemd
|
|
## * If the service scripts / settings have changed.systemd
|
|
## * Better even, rewrite this entire part.
|
|
systemd.services = let
|
|
config-dir = "/run/seafile";
|
|
replaceSecretBin = lib.getExe pkgs.replace-secret;
|
|
seafRoot = "/var/lib/seafile";
|
|
ccnetDir = "${seafRoot}/ccnet";
|
|
sfCfg = config.services.seafile;
|
|
in {
|
|
seaf-server = {
|
|
# preStart = ''
|
|
# umask 077
|
|
# cp -f '/etc/seafile' '${config-dir}'
|
|
# chmod u+w -R '${config-dir}'
|
|
# ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py'
|
|
# '';
|
|
# serviceConfig.ExecStart = mkForce ''
|
|
# ${lib.getExe sfCfg.seahubPackage.seafile-server} \
|
|
# --foreground \
|
|
# -F '${config-dir} \
|
|
# -c ${ccnetDir} \
|
|
# -d ${sfCfg.dataDir} \
|
|
# -l /var/log/seafile/server.log \
|
|
# -P /run/seafile/server.pid \
|
|
# -p /run/seafile
|
|
# '';
|
|
};
|
|
# seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir;
|
|
};
|
|
};
|
|
}
|