authorPol Dellaiera <pol.dellaiera@protonmail.com>2024-04-02 23:23:36 +0200
committerGitHub <noreply@github.com>2024-04-02 23:23:36 +0200
commitf4255ff98d13ac860580233f0c3be84ef260bdf0 (patch)
treea8c8844d3ec0ae402187f5410744c60715e95a5b /nixos/modules/services/web-apps
parentfa1007869d135b12be0c4264c3f1a8f137d82559 (diff)
parent427bf67bed80ee00e76fe777055cf4e67396ae79 (diff)
Merge pull request #296679 from bhankas/ocis
ocis-bin: init at 5.0.0
Diffstat (limited to 'nixos/modules/services/web-apps')
-rw-r--r--nixos/modules/services/web-apps/ocis.md113
-rw-r--r--nixos/modules/services/web-apps/ocis.nix201
2 files changed, 314 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/ocis.md b/nixos/modules/services/web-apps/ocis.md
new file mode 100644
index 000000000000..9156e927ed2d
--- /dev/null
+++ b/nixos/modules/services/web-apps/ocis.md
@@ -0,0 +1,113 @@
+# ownCloud Infinite Scale {#module-services-ocis}
+
+[ownCloud Infinite Scale](https://owncloud.dev/ocis/) (oCIS) is an open-source,
+modern file-sync and sharing platform. It is a ground-up rewrite of the well-known PHP based ownCloud server.
+
+The server setup can be automated using
+[services.ocis](#opt-services.ocis.enable). The desktop client is packaged at
+`pkgs.owncloud-client`.
+
+## Basic usage {#module-services-ocis-basic-usage}
+
+oCIS is a golang application and does not require an HTTP server (such as nginx)
+in front of it, though you may optionally use one if you will.
+
+oCIS is configured using a combination of yaml and environment variables. It is
+recommended to familiarize yourself with upstream's available configuration
+options and deployment instructions:
+
+* [Getting Started](https://owncloud.dev/ocis/getting-started/)
+* [Configuration](https://owncloud.dev/ocis/config/)
+* [Basic Setup](https://owncloud.dev/ocis/deployment/basic-remote-setup/)
+
+A very basic configuration may look like this:
+```
+{ pkgs, ... }:
+{
+ services.ocis = {
+ enable = true;
+ configDir = "/etc/ocis/config";
+ };
+}
+```
+
+This will start the oCIS server and make it available at `https://localhost:9200`
+
+However to make this configuration work you will need generate a configuration.
+You can do this with:
+
+```console
+$ nix-shell -p ocis-bin
+$ mkdir scratch/
+$ cd scratch/
+$ ocis init --config-path . --admin-password "changeme"
+```
+
+You may need to pass `--insecure true` or provide the `OCIS_INSECURE = true;` to
+[`services.ocis.environment`][mod-envFile], if TLS certificates are generated
+and managed externally (e.g. if you are using oCIS behind reverse proxy).
+
+If you want to manage the config file in your nix configuration, then it is
+encouraged to use a secrets manager like sops-nix or agenix.
+
+Be careful not to write files containing secrets to the globally readable nix
+store.
+
+Please note that current NixOS module for oCIS is configured to run in `fullstack`
+mode, which starts all the services for owncloud on single instance. This will
+start multiple ocis services and listen on multiple other ports.
+
+Current known services and their ports are as below:
+
+| Service | Group | Port |
+|--------------------|---------|-------|
+| gateway | api | 9142 |
+| sharing | api | 9150 |
+| app-registry | api | 9242 |
+| ocdav | web | 45023 |
+| auth-machine | api | 9166 |
+| storage-system | api | 9215 |
+| webdav | web | 9115 |
+| webfinger | web | 46871 |
+| storage-system | web | 9216 |
+| web | web | 9100 |
+| eventhistory | api | 33177 |
+| ocs | web | 9110 |
+| storage-publiclink | api | 9178 |
+| settings | web | 9190 |
+| ocm | api | 9282 |
+| settings | api | 9191 |
+| ocm | web | 9280 |
+| app-provider | api | 9164 |
+| storage-users | api | 9157 |
+| auth-service | api | 9199 |
+| thumbnails | web | 9186 |
+| thumbnails | api | 9185 |
+| storage-shares | api | 9154 |
+| sse | sse | 46833 |
+| userlog | userlog | 45363 |
+| search | api | 9220 |
+| proxy | web | 9200 |
+| idp | web | 9130 |
+| frontend | web | 9140 |
+| groups | api | 9160 |
+| graph | graph | 9120 |
+| users | api | 9144 |
+| auth-basic | api | 9146 |
+
+## Configuration via environment variables
+
+You can also eschew the config file entirely and pass everything to oCIS via
+environment variables. For this make use of
+[`services.ocis.environment`][mod-env] for non-sensitive
+values, and
+[`services.ocis.environmentFile`][mod-envFile] for
+sensitive values.
+
+Configuration in (`services.ocis.environment`)[mod-env] overrides those from
+[`services.ocis.environmentFile`][mod-envFile] and will have highest
+precedence
+
+
+[mod-env]: #opt-services.ocis.environment
+[mod-envFile]: #opt-services.ocis.environmentFile
diff --git a/nixos/modules/services/web-apps/ocis.nix b/nixos/modules/services/web-apps/ocis.nix
new file mode 100644
index 000000000000..b3ffec9ad9c1
--- /dev/null
+++ b/nixos/modules/services/web-apps/ocis.nix
@@ -0,0 +1,201 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = config.services.ocis;
+ defaultUser = "ocis";
+ defaultGroup = defaultUser;
+in
+{
+ options = {
+ services.ocis = {
+ enable = lib.mkEnableOption "ownCloud Infinite Scale";
+
+ package = lib.mkPackageOption pkgs "ocis-bin" { };
+
+ configDir = lib.mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/var/lib/ocis/config";
+ description = lib.mdDoc ''
+ Path to directory containing oCIS config file.
+
+ Example config can be generated by `ocis init --config-path fileName --admin-password "adminPass"`.
+ Add `--insecure true` if SSL certificates are generated and managed externally (e.g. using oCIS behind reverse proxy).
+
+ Note: This directory must contain at least a `ocis.yaml`. Ensure
+ [user](#opt-services.ocis.user) has read/write access to it. In some
+ circumstances you may need to add additional oCIS configuration files (e.g.,
+ `proxy.yaml`) to this directory.
+ '';
+ };
+
+ environmentFile = lib.mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/keys/ocis.env";
+ description = lib.mdDoc ''
+ An environment file as defined in {manpage}`systemd.exec(5)`.
+
+ Configuration provided in this file will override those from [configDir](#opt-services.ocis.configDir)/ocis.yaml.
+ '';
+ };
+
+ user = lib.mkOption {
+ type = types.str;
+ default = defaultUser;
+ example = "yourUser";
+ description = lib.mdDoc ''
+ The user to run oCIS as.
+ By default, a user named `${defaultUser}` will be created whose home
+ directory is [stateDir](#opt-services.ocis.stateDir).
+ '';
+ };
+
+ group = lib.mkOption {
+ type = types.str;
+ default = defaultGroup;
+ example = "yourGroup";
+ description = lib.mdDoc ''
+ The group to run oCIS under.
+ By default, a group named `${defaultGroup}` will be created.
+ '';
+ };
+
+ address = lib.mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = "Web interface address.";
+ };
+
+ port = lib.mkOption {
+ type = types.port;
+ default = 9200;
+ description = "Web interface port.";
+ };
+
+ url = lib.mkOption {
+ type = types.str;
+ default = "https://localhost:9200";
+ example = "https://some-hostname-or-ip:9200";
+ description = "Web interface address.";
+ };
+
+ stateDir = lib.mkOption {
+ default = "/var/lib/ocis";
+ type = types.str;
+ description = "ownCloud data directory.";
+ };
+
+ environment = lib.mkOption {
+ type = types.attrsOf types.str;
+ default = { };
+ description = lib.mdDoc ''
+ Extra config options.
+
+ See [the documentation](https://doc.owncloud.com/ocis/next/deployment/services/services.html) for available options.
+ See [notes for environment variables](https://doc.owncloud.com/ocis/next/deployment/services/env-var-note.html) for more information.
+
+ Note that all the attributes here will be copied to /nix/store/ and will be world readable. Options like *_PASSWORD or *_SECRET should be part of [environmentFile](#opt-services.ocis.environmentFile) instead, and are only provided here for illustrative purpose.
+
+ Configuration here will override those from [environmentFile](#opt-services.ocis.environmentFile) and will have highest precedence, at the cost of security. Do NOT put security sensitive stuff here.
+ '';
+ example = {
+ OCIS_INSECURE = "false";
+ OCIS_LOG_LEVEL = "error";
+ OCIS_JWT_SECRET = "super_secret";
+ OCIS_TRANSFER_SECRET = "foo";
+ OCIS_MACHINE_AUTH_API_KEY = "foo";
+ OCIS_SYSTEM_USER_ID = "123";
+ OCIS_MOUNT_ID = "123";
+ OCIS_STORAGE_USERS_MOUNT_ID = "123";
+ GATEWAY_STORAGE_USERS_MOUNT_ID = "123";
+ CS3_ALLOW_INSECURE = "true";
+ OCIS_INSECURE_BACKENDS = "true";
+ TLS_INSECURE = "true";
+ TLS_SKIP_VERIFY_CLIENT_CERT = "true";
+ WEBDAV_ALLOW_INSECURE = "true";
+ IDP_TLS = "false";
+ GRAPH_APPLICATION_ID = "1234";
+ IDM_IDPSVC_PASSWORD = "password";
+ IDM_REVASVC_PASSWORD = "password";
+ IDM_SVC_PASSWORD = "password";
+ IDP_ISS = "https://localhost:9200";
+ OCIS_LDAP_BIND_PASSWORD = "password";
+ OCIS_SERVICE_ACCOUNT_ID = "foo";
+ OCIS_SERVICE_ACCOUNT_SECRET = "foo";
+ OCIS_SYSTEM_USER_API_KEY = "foo";
+ STORAGE_USERS_MOUNT_ID = "123";
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.${defaultUser} = lib.mkIf (cfg.user == defaultUser) {
+ group = cfg.group;
+ home = cfg.stateDir;
+ isSystemUser = true;
+ createHome = true;
+ description = "ownCloud Infinite Scale daemon user";
+ };
+
+ users.groups = lib.mkIf (cfg.group == defaultGroup) { ${defaultGroup} = { }; };
+
+ systemd = {
+ services.ocis = {
+ description = "ownCloud Infinite Scale Stack";
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ PROXY_HTTP_ADDR = "${cfg.address}:${toString cfg.port}";
+ OCIS_URL = cfg.url;
+ OCIS_CONFIG_DIR = if (cfg.configDir == null) then "${cfg.stateDir}/config" else cfg.configDir;
+ OCIS_BASE_DATA_PATH = cfg.stateDir;
+ } // cfg.environment;
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${lib.getExe cfg.package} server";
+ WorkingDirectory = cfg.stateDir;
+ User = cfg.user;
+ Group = cfg.group;
+ Restart = "always";
+ EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+ ReadWritePaths = [ cfg.stateDir ];
+ ReadOnlyPaths = [ cfg.configDir ];
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectKernelLogs = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ LockPersonality = true;
+ SystemCallArchitectures = "native";
+ };
+ };
+ };
+ };
+
+ meta.maintainers = with lib.maintainers; [
+ bhankas
+ danth
+ ramblurr
+ ];
+}
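Review bot: `ReadOnlyPaths = [ cfg.configDir ];` is built unconditionally even though `configDir` defaults to `null`, so with the default configuration the list contains `null`; depending on how the systemd option serializer treats it this is either an evaluation error or an empty `ReadOnlyPaths=` assignment, neither of which is intended. Guard it the same way `EnvironmentFile` already is: `ReadOnlyPaths = lib.optional (cfg.configDir != null) cfg.configDir;` (when `configDir` is null the fallback `${cfg.stateDir}/config` is already covered by `ReadWritePaths`). Separately, the hardening block drops no capabilities and applies no syscall filter; since the unit runs as an unprivileged user and the default port is unprivileged, `CapabilityBoundingSet = "";` and `SystemCallFilter = [ "@system-service" ];` would likely be safe additions, though that should be confirmed against the fullstack mode described in the accompanying ocis.md.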