feat: add nextcloud to kanidm

modules/nixos/server/forgejo.nix

@@ -19,7 +19,7 @@ in
       kanidm-forgejo-client = {
         owner = "forgejo";
         group = "forgejo";
-        mode = "440";
+        mode = "0440";
       };
     };
 

modules/nixos/server/kanidm.nix

@@ -16,14 +16,15 @@ in
     users.groups.kanidm = { };
 
     sops.secrets = {
-      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
-      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
+      "kanidm-nextcloud" = { owner = "kanidm"; group = "kanidm"; mode = "0440"; };
     };
 
     services.kanidm = {
@@ -56,6 +57,8 @@ in
           "grafana.editors" = { };
           "grafana.admins" = { };
           "grafana.server-admins" = { };
+          "nextcloud.access" = { };
+          "nextcloud.admins" = { };
         };
         persons = {
           swarsel = {
@@ -67,6 +70,7 @@ in
               "paperless.access"
               "grafana.access"
               "forgejo.access"
+              "nextcloud.access"
             ];
             displayName = "Swarsel";
           };
@@ -142,6 +146,25 @@ in
                 };
               };
             };
+            nextcloud = {
+              displayName = "Nextcloud";
+              originUrl = " https://stash.swarsel.win/apps/sociallogin/custom_oidc/kanidm";
+              originLanding = "https://stash.swarsel.win/";
+              basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
+              allowInsecureClientDisablePkce = true;
+              scopeMaps."nextcloud.access" = [
+                "openid"
+                "email"
+                "profile"
+              ];
+              preferShortUsername = true;
+              claimMaps.groups = {
+                joinType = "array";
+                valuesByGroup = {
+                  "nextcloud.admins" = [ "admin" ];
+                };
+              };
+            };
           };
         };
       };
@@ -151,7 +174,7 @@ in
 
     services.nginx = {
       virtualHosts = {
-        "sso.swarsel.win" = {
+        "${kanidmDomain}" = {
           enableACME = true;
           forceSSL = true;
           acmeRoot = null;

modules/nixos/server/monitoring.nix

@@ -16,7 +16,7 @@ in
       kanidm-grafana-client = {
         owner = "grafana";
         group = "grafana";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -168,7 +168,7 @@ in
 
       nginx = {
         virtualHosts = {
-          "status.swarsel.win" = {
+          "${grafanaDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;

modules/nixos/server/navidrome.nix

@@ -30,8 +30,7 @@ in
 
 
     hardware = {
-      # opengl.enable = true;
-      enableAllFirmware = true;
+      enableAllFirmware = lib.mkForce true;
     };
 
     networking.firewall.allowedTCPPorts = [ 4040 ];

modules/nixos/server/nextcloud.nix

@@ -1,27 +1,38 @@
 { pkgs, lib, config, ... }:
+let
+  nextcloudDomain = "stash.swarsel.win";
+in
 {
   options.swarselsystems.modules.server.nextcloud = lib.mkEnableOption "enable nextcloud on server";
   config = lib.mkIf config.swarselsystems.modules.server.nextcloud {
 
-    sops.secrets.nextcloudadminpass = {
-      owner = "nextcloud";
-      group = "nextcloud";
-      mode = "0440";
+    sops.secrets = {
+      nextcloudadminpass = {
+        owner = "nextcloud";
+        group = "nextcloud";
+        mode = "0440";
+      };
+      kanidm-nextcloud-client = {
+        owner = "nextcloud";
+        group = "nextcloud";
+        mode = "0440";
+      };
     };
 
     services = {
       nextcloud = {
         enable = true;
         package = pkgs.nextcloud31;
-        hostName = "stash.swarsel.win";
+        hostName = nextcloudDomain;
         home = "/Vault/apps/nextcloud";
         datadir = "/Vault/data/nextcloud";
         https = true;
         configureRedis = true;
         maxUploadSize = "4G";
         extraApps = {
-          inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks;
+          inherit (pkgs.nextcloud30Packages.apps) mail calendar contacts cospend phonetrack polls tasks sociallogin;
         };
+        extraAppsEnable = true;
         config = {
           adminuser = "admin";
           adminpassFile = config.sops.secrets.nextcloudadminpass.path;
@@ -31,7 +42,7 @@
 
       nginx = {
         virtualHosts = {
-          "stash.swarsel.win" = {
+          "${nextcloudDomain}" = {
             enableACME = true;
             forceSSL = true;
             acmeRoot = null;

modules/nixos/server/paperless.nix

@@ -12,7 +12,7 @@
       kanidm-paperless-client = {
         owner = "paperless";
         group = "paperless";
-        mode = "440";
+        mode = "0440";
       };
     };
 
@@ -35,7 +35,7 @@
           };
           PAPERLESS_TIKA_ENABLED = "true";
           PAPERLESS_TIKA_ENDPOINT = "http://localhost:9998";
-          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3001";
+          PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:3002";
           PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
           PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
             openid_connect = {
@@ -45,7 +45,7 @@
                   provider_id = "kanidm";
                   name = "Kanidm";
                   client_id = "paperless";
-                  # secret will be added dynamically
+                  # secret will be added by paperless-web.service (see below)
                   #secret = "";
                   settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
                 }
@@ -65,7 +65,7 @@
 
       gotenberg = {
         enable = true;
-        port = 3001;
+        port = 3002;
         bindIP = "127.0.0.1";
       };
     };
@@ -91,6 +91,10 @@
               proxyPass = "http://localhost:28981";
               extraConfig = ''
                 client_max_body_size    0;
+                proxy_connect_timeout   300;
+                proxy_send_timeout      300;
+                proxy_read_timeout      300;
+                send_timeout            300;
               '';
             };
           };