Cloonar/nixos
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

feat: remove ocis

Browse source
This commit is contained in:
Dominik Polakovics Polakovics 2026-04-16 16:04:40 +02:00
parent 541d2fc43d
commit 6cc1748c51
3 changed files with 0 additions and 180 deletions
Download patch file Download diff file Expand all files Collapse all files

6
hosts/web-arm/configuration.nix
View file

@ -11,7 +11,6 @@
./modules/bitwarden
./modules/authelia.nix
./modules/collabora.nix
./modules/ocis.nix
./modules/nextcloud
./modules/rustdesk.nix
./modules/postgresql.nix
@ -55,11 +54,6 @@
"openssl-1.1.1w"
];
# oCIS (ownCloud Infinite Scale) has an unfree license
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"ocis_5-bin"
];
environment.systemPackages = with pkgs; [
vim
davfs2

81
hosts/web-arm/modules/authelia.nix
View file

@ -169,14 +169,6 @@ in {
oidc = {
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
lifespans = {
custom = {
ocis = {
access_token = "2 days";
refresh_token = "3 days";
};
};
};
cors = {
endpoints = [
"authorization"
@ -297,79 +289,6 @@ in {
];
userinfo_signing_algorithm = "none";
}
# oCIS (ownCloud Infinite Scale) - web client (public, PKCE)
{
id = "ocis";
description = "ownCloud Infinite Scale";
lifespan = "ocis";
public = true;
authorization_policy = "internal";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [
"https://files.cloonar.com/"
"https://files.cloonar.com/oidc-callback.html"
"https://files.cloonar.com/oidc-silent-redirect.html"
"https://files.cloonar.com/apps/openidconnect/redirect"
];
scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
response_types = [ "code" ];
grant_types = [ "authorization_code" "refresh_token" ];
access_token_signed_response_alg = "none";
userinfo_signing_algorithm = "none";
token_endpoint_auth_method = "none";
}
# oCIS Desktop - static credentials hardcoded in the oCIS desktop app
{
id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69";
description = "ownCloud Infinite Scale (Desktop)";
secret = "$pbkdf2-sha512$310000$NR4tztBecptj1ZiITK/Ktw$GkFNBfq1B3T1lDTKMci1aO8iulQFNlEtfydLwTrNTKIfrQFjM7EiOBaHGOBC7ohPaNfYCRAYYzcP2fDQf5XRGQ";
public = false;
authorization_policy = "internal";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "http://127.0.0.1" "http://localhost" ];
scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
response_types = [ "code" ];
grant_types = [ "authorization_code" "refresh_token" ];
access_token_signed_response_alg = "none";
userinfo_signing_algorithm = "none";
token_endpoint_auth_method = "client_secret_basic";
}
# oCIS Android - static credentials hardcoded in the oCIS Android app
{
id = "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD";
description = "ownCloud Infinite Scale (Android)";
secret = "$pbkdf2-sha512$310000$NjEumkph77Gql.CH0Oq3zg$I9ubOZ3VRCXPbHpW1U4bQmvLgP5DdiFeGgple2nIjtUJsFgkdiV/hcCt1h6adr1uvJSJAtHDRnMhYf3Zp2BpcQ";
public = false;
authorization_policy = "internal";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "oc://android.owncloud.com" ];
scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
response_types = [ "code" ];
grant_types = [ "authorization_code" "refresh_token" ];
access_token_signed_response_alg = "none";
userinfo_signing_algorithm = "none";
token_endpoint_auth_method = "client_secret_basic";
}
# oCIS iOS - static credentials hardcoded in the oCIS iOS app
{
id = "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1";
description = "ownCloud Infinite Scale (iOS)";
secret = "$pbkdf2-sha512$310000$.nIk0IUua7n8VAUoR85yyA$6UhT/gi7spH/0PRqTa6clz7QMRSmP/FZ0BDIumJupM4V2Ai6MgGKdzlEaNTc2IDqpGL3NxF626g4zAHFRgD7Zg";
public = false;
authorization_policy = "internal";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "oc://ios.owncloud.com" "oc.ios://ios.owncloud.com" ];
scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
response_types = [ "code" ];
grant_types = [ "authorization_code" "refresh_token" ];
access_token_signed_response_alg = "none";
userinfo_signing_algorithm = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
};
};

93
hosts/web-arm/modules/ocis.nix
View file

@ -1,93 +0,0 @@
{ config, lib, pkgs, ... }:
{
sops.secrets.ocis-admin-password = {
owner = "ocis";
};
# Upstream services.ocis module adds ReadOnlyPaths = [ configDir ] to the
# systemd unit, which makes systemd fail the namespace setup if the path
# does not exist, and it never runs `ocis init` to populate ocis.yaml with
# the service's internal secrets. Run init in a separate oneshot so the
# sandbox restrictions of ocis.service don't block writes to configDir.
systemd.services.ocis-init = {
description = "Initialize oCIS config (one-shot)";
before = [ "ocis.service" ];
requiredBy = [ "ocis.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "ocis";
Group = "ocis";
StateDirectory = "ocis";
LoadCredential = "admin-password:${config.sops.secrets.ocis-admin-password.path}";
};
script = ''
install -d -m 0700 /var/lib/ocis/config
if [ ! -f /var/lib/ocis/config/ocis.yaml ]; then
${lib.getExe pkgs.ocis_5-bin} init \
--config-path /var/lib/ocis/config \
--admin-password "$(cat "$CREDENTIALS_DIRECTORY/admin-password")" \
--insecure true
fi
'';
};
services.ocis = {
enable = true;
url = "https://files.cloonar.com";
address = "127.0.0.1";
port = 9200;
stateDir = "/var/lib/ocis";
configDir = "/var/lib/ocis/config";
environment = {
# Proxy - SSL terminated at nginx
PROXY_TLS = "false";
OCIS_INSECURE = "false";
# OIDC - Authelia
PROXY_OIDC_ISSUER = "https://auth.cloonar.com";
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
PROXY_OIDC_SKIP_USER_INFO = "false";
WEB_OIDC_CLIENT_ID = "ocis";
# Auto-provision user accounts from OIDC claims
PROXY_AUTOPROVISION_ACCOUNTS = "true";
PROXY_AUTOPROVISION_CLAIM_USERNAME = "preferred_username";
PROXY_AUTOPROVISION_CLAIM_EMAIL = "email";
PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME = "name";
PROXY_AUTOPROVISION_CLAIM_GROUPS = "groups";
# Disable demo users
IDM_CREATE_DEMO_USERS = "false";
# Move internal services off their defaults where Prometheus exporters
# already bind on this host:
# - node-exporter owns 9100 (oCIS web default)
# - blackbox-exporter owns 9115 (oCIS webdav default)
WEB_HTTP_ADDR = "127.0.0.1:19100";
WEBDAV_HTTP_ADDR = "127.0.0.1:19115";
};
};
# Nginx reverse proxy
services.nginx.virtualHosts."files.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://127.0.0.1:9200";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 10G;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
};
};
}