nixos/opencloud: init module

Co-authored-by: Christoph Heiss <[email protected]>

Author: K900

nixos/doc/manual/redirects.json

@@ -50,6 +50,12 @@
   "module-services-crab-hole-upstream-options": [
     "index.html#module-services-crab-hole-upstream-options"
   ],
+  "module-services-opencloud": [
+    "index.html#module-services-opencloud"
+  ],
+  "module-services-opencloud-basic-usage": [
+    "index.html#module-services-opencloud-basic-usage"
+  ],
   "module-services-strfry": [
     "index.html#module-services-strfry"
   ],

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -200,6 +200,8 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - [`g3proxy`](https://github.com/bytedance/g3), an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as [services.g3proxy](#opt-services.g3proxy.enable).
 
+- [OpenCloud](https://opencloud.eu/), an open-source, modern file-sync and sharing platform. It is a fork of oCIS, a ground-up rewrite of the well-known PHP-based NextCloud server. Available as [services.opencloud](#opt-services.opencloud.enable).
+
 - [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable).
 
 - [whoami](https://github.com/traefik/whoami), a tiny Go server that prints OS information and HTTP request to output. Available as [services.whoami](#opt-services.whoami.enable).

nixos/modules/module-list.nix

@@ -1610,6 +1610,7 @@
   ./services/web-apps/oncall.nix
   ./services/web-apps/onlyoffice.nix
   ./services/web-apps/open-web-calendar.nix
+  ./services/web-apps/opencloud.nix
   ./services/web-apps/openvscode-server.nix
   ./services/web-apps/openwebrx.nix
   ./services/web-apps/outline.nix

nixos/modules/services/web-apps/opencloud.md

@@ -0,0 +1,64 @@
+# OpenCloud {#module-services-opencloud}
+
+[OpenCloud](https://opencloud.eu/en) is an open-source, modern file-sync and
+sharing platform. It is a fork of oCIS, a ground-up rewrite of the well-known
+PHP-based NextCloud server.
+
+The service can be configured using a combination of [](#opt-services.opencloud.settings),
+[](#opt-services.opencloud.environment) and [](#opt-services.opencloud.environmentFile).
+
+## Basic usage {#module-services-opencloud-basic-usage}
+
+OpenCloud is configured using a combination of YAML and environment
+variables. The full documentation can be found at
+[OpenCloud Admin Docs](https://docs.opencloud.eu/docs/admin/intro).
+
+The general flow of configuring OpenCloud is:
+- configure services with `services.opencloud.settings.<service>` when possible
+- configure global settings that affect multiple services via `services.opencloud.environment`
+- allow NixOS to provision a default `opencloud.yaml` for you, containing default credentials
+  for communication between the microservices
+- provide additional secrets via `environmentFile`, provisioned out of band
+
+Please note that current NixOS module for OpenCloud is configured to run in
+`fullstack` mode, which starts all the services for OpenCloud in a single
+instance, in so called supervised mode. This will start multiple OpenCloud
+services and listen on multiple other ports.
+
+Current known services and their ports are as below:
+
+| Service            | Group   |  Port |
+|--------------------|---------|-------|
+| gateway            | api     |  9142 |
+| sharing            | api     |  9150 |
+| app-registry       | api     |  9242 |
+| ocdav              | web     | 45023 |
+| auth-machine       | api     |  9166 |
+| storage-system     | api     |  9215 |
+| webdav             | web     |  9115 |
+| webfinger          | web     | 46871 |
+| storage-system     | web     |  9216 |
+| web                | web     |  9100 |
+| eventhistory       | api     | 33177 |
+| ocs                | web     |  9110 |
+| storage-publiclink | api     |  9178 |
+| settings           | web     |  9190 |
+| ocm                | api     |  9282 |
+| settings           | api     |  9191 |
+| ocm                | web     |  9280 |
+| app-provider       | api     |  9164 |
+| storage-users      | api     |  9157 |
+| auth-service       | api     |  9199 |
+| thumbnails         | web     |  9186 |
+| thumbnails         | api     |  9185 |
+| storage-shares     | api     |  9154 |
+| sse                | sse     | 46833 |
+| userlog            | userlog | 45363 |
+| search             | api     |  9220 |
+| proxy              | web     |  9200 |
+| idp                | web     |  9130 |
+| frontend           | web     |  9140 |
+| groups             | api     |  9160 |
+| graph              | graph   |  9120 |
+| users              | api     |  9144 |
+| auth-basic         | api     |  9146 |

nixos/modules/services/web-apps/opencloud.nix

@@ -0,0 +1,242 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) types;
+  cfg = config.services.opencloud;
+
+  defaultUser = "opencloud";
+  defaultGroup = defaultUser;
+
+  settingsFormat = pkgs.formats.yaml { };
+in
+{
+  options = {
+    services.opencloud = {
+      enable = lib.mkEnableOption "OpenCloud";
+
+      package = lib.mkPackageOption pkgs "opencloud" { };
+      webPackage = lib.mkPackageOption pkgs [ "opencloud" "web" ] { };
+      idpWebPackage = lib.mkPackageOption pkgs [ "opencloud" "idp-web" ] { };
+
+      user = lib.mkOption {
+        type = types.str;
+        default = defaultUser;
+        example = "mycloud";
+        description = ''
+          The user to run OpenCloud as.
+          By default, a user named `${defaultUser}` will be created whose home
+          directory is [](#opt-services.opencloud.stateDir).
+        '';
+      };
+
+      group = lib.mkOption {
+        type = types.str;
+        default = defaultGroup;
+        example = "mycloud";
+        description = ''
+          The group to run OpenCloud under.
+          By default, a group named `${defaultGroup}` will be created.
+        '';
+      };
+
+      address = lib.mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = "Web server bind address.";
+      };
+
+      port = lib.mkOption {
+        type = types.port;
+        default = 9200;
+        description = "Web server port.";
+      };
+
+      url = lib.mkOption {
+        type = types.str;
+        default = "https://localhost:9200";
+        example = "https://cloud.example.com";
+        description = "Web interface root public URL, including scheme and port (if non-default).";
+      };
+
+      stateDir = lib.mkOption {
+        default = "/var/lib/opencloud";
+        type = types.str;
+        description = "OpenCloud data directory.";
+      };
+
+      settings = lib.mkOption {
+        type = lib.types.attrsOf settingsFormat.type;
+        default = { };
+        description = ''
+          Additional YAML configuration for OpenCloud services.
+
+          Every item in this attrset will be mapped to a .yaml file in /etc/opencloud.
+
+          The possible config options are currently not well documented, see source code:
+          https://github.com/opencloud-eu/opencloud/blob/main/pkg/config/config.go
+        '';
+      };
+
+      environmentFile = lib.mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/run/keys/opencloud.env";
+        description = ''
+          An environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Use this to inject secrets, e.g. database or auth credentials out of band.
+
+          Configuration provided here will override `settings` and `environment`.
+        '';
+      };
+
+      environment = lib.mkOption {
+        type = types.attrsOf types.str;
+        default = {
+          OC_INSECURE = "true";
+        };
+        description = ''
+          Extra environment variables to set for the service.
+
+          Use this to set configuration that may affect multiple microservices.
+
+          Configuration provided here will override `settings`.
+        '';
+        example = {
+          OC_INSECURE = "false";
+          OC_LOG_LEVEL = "error";
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.${defaultUser} = lib.mkIf (cfg.user == defaultUser) {
+      group = cfg.group;
+      home = cfg.stateDir;
+      isSystemUser = true;
+      createHome = true;
+      description = "OpenCloud daemon user";
+    };
+
+    users.groups = lib.mkIf (cfg.group == defaultGroup) { ${defaultGroup} = { }; };
+
+    systemd = {
+      services =
+        let
+          environment = {
+            PROXY_HTTP_ADDR = "${cfg.address}:${toString cfg.port}";
+            OC_URL = cfg.url;
+            OC_BASE_DATA_PATH = cfg.stateDir;
+            WEB_ASSET_CORE_PATH = "${cfg.webPackage}";
+            IDP_ASSET_PATH = "${cfg.idpWebPackage}/assets";
+            OC_CONFIG_DIR = "/etc/opencloud";
+          } // cfg.environment;
+          commonServiceConfig = {
+            EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+            MemoryDenyWriteExecute = true;
+            NoNewPrivileges = true;
+            PrivateTmp = true;
+            PrivateDevices = true;
+            ProtectSystem = "strict";
+            ProtectHome = true;
+            ProtectControlGroups = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectKernelLogs = true;
+            RestrictAddressFamilies = [
+              "AF_UNIX"
+              "AF_INET"
+              "AF_INET6"
+            ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            LockPersonality = true;
+            SystemCallArchitectures = "native";
+          };
+        in
+        {
+          opencloud-init-config = lib.mkIf (cfg.settings.opencloud or { } == { }) {
+            description = "Provision initial OpenCloud config";
+            before = [ "opencloud.service" ];
+            wantedBy = [ "multi-user.target" ];
+
+            inherit environment;
+
+            serviceConfig = {
+              Type = "oneshot";
+              ReadWritePaths = [ "/etc/opencloud" ];
+            } // commonServiceConfig;
+
+            path = [ cfg.package ];
+            script = ''
+              set -x
+              config="''${OC_CONFIG_DIR}/opencloud.yaml"
+              if [ ! -e "$config" ]; then
+                echo "Provisioning initial OpenCloud config..."
+                opencloud init --insecure "''${OC_INSECURE:false}" --config-path "''${OC_CONFIG_DIR}"
+                chown ${cfg.user}:${cfg.group} "$config"
+              fi
+            '';
+          };
+
+          opencloud = {
+            description = "OpenCloud - a secure and private way to store, access, and share your files";
+            after = [ "network.target" ];
+            wantedBy = [ "multi-user.target" ];
+
+            inherit environment;
+
+            serviceConfig = {
+              Type = "simple";
+              ExecStart = "${lib.getExe cfg.package} server";
+              WorkingDirectory = cfg.stateDir;
+              User = cfg.user;
+              Group = cfg.group;
+              Restart = "always";
+              ReadWritePaths = [ cfg.stateDir ];
+            } // commonServiceConfig;
+
+            restartTriggers = lib.mapAttrsToList (
+              name: _: config.environment.etc."opencloud/${name}.yaml".source
+            ) cfg.settings;
+          };
+        };
+    };
+
+    systemd.tmpfiles.settings."10-opencloud" = {
+      ${cfg.stateDir}.d = {
+        inherit (cfg) user group;
+        mode = "0750";
+      };
+      "${cfg.stateDir}/idm".d = {
+        inherit (cfg) user group;
+        mode = "0750";
+      };
+    };
+
+    environment.etc =
+      (lib.mapAttrs' (name: value: {
+        name = "opencloud/${name}.yaml";
+        value.source = settingsFormat.generate "${name}.yaml" value;
+      }) cfg.settings)
+      // {
+        # ensure /etc/opencloud gets created, so we can provision the config
+        "opencloud/.keep".text = "";
+      };
+  };
+
+  meta = {
+    doc = ./opencloud.md;
+    maintainers = with lib.maintainers; [
+      christoph-heiss
+      k900
+    ];
+  };
+}

nixos/tests/all-tests.nix

@@ -975,6 +975,7 @@ in
   ombi = handleTest ./ombi.nix { };
   openarena = handleTest ./openarena.nix { };
   openbao = runTest ./openbao.nix;
+  opencloud = runTest ./opencloud.nix;
   openldap = handleTest ./openldap.nix { };
   opensearch = discoverTests (import ./opensearch.nix);
   openresty-lua = handleTest ./openresty-lua.nix { };