diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix index 6d5849a..17927db 100644 --- a/hosts/web-arm/configuration.nix +++ b/hosts/web-arm/configuration.nix @@ -11,7 +11,6 @@ ./modules/bitwarden ./modules/authelia.nix ./modules/collabora.nix - ./modules/ocis.nix ./modules/nextcloud ./modules/rustdesk.nix ./modules/postgresql.nix @@ -55,11 +54,6 @@ "openssl-1.1.1w" ]; - # oCIS (ownCloud Infinite Scale) has an unfree license - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "ocis_5-bin" - ]; - environment.systemPackages = with pkgs; [ vim davfs2 diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix index ca73718..f16d583 100644 --- a/hosts/web-arm/modules/authelia.nix +++ b/hosts/web-arm/modules/authelia.nix @@ -169,14 +169,6 @@ in { oidc = { ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. ## See: https://www.authelia.com/c/oidc - lifespans = { - custom = { - ocis = { - access_token = "2 days"; - refresh_token = "3 days"; - }; - }; - }; cors = { endpoints = [ "authorization" 
@@ -297,79 +289,6 @@ in {
 ];
 userinfo_signing_algorithm = "none";
 }
- # oCIS (ownCloud Infinite Scale) - web client (public, PKCE)
- {
- id = "ocis";
- description = "ownCloud Infinite Scale";
- lifespan = "ocis";
- public = true;
- authorization_policy = "internal";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [
- "https://files.cloonar.com/"
- "https://files.cloonar.com/oidc-callback.html"
- "https://files.cloonar.com/oidc-silent-redirect.html"
- "https://files.cloonar.com/apps/openidconnect/redirect"
- ];
- scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
- response_types = [ "code" ];
- grant_types = [ "authorization_code" "refresh_token" ];
- access_token_signed_response_alg = "none";
- userinfo_signing_algorithm = "none";
- token_endpoint_auth_method = "none";
- }
- # oCIS Desktop - static credentials hardcoded in the oCIS desktop app
- {
- id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69";
- description = "ownCloud Infinite Scale (Desktop)";
- secret = "$pbkdf2-sha512$310000$NR4tztBecptj1ZiITK/Ktw$GkFNBfq1B3T1lDTKMci1aO8iulQFNlEtfydLwTrNTKIfrQFjM7EiOBaHGOBC7ohPaNfYCRAYYzcP2fDQf5XRGQ";
- public = false;
- authorization_policy = "internal";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [ "http://127.0.0.1" "http://localhost" ];
- scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
- response_types = [ "code" ];
- grant_types = [ "authorization_code" "refresh_token" ];
- access_token_signed_response_alg = "none";
- userinfo_signing_algorithm = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
- # oCIS Android - static credentials hardcoded in the oCIS Android app
- {
- id = "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD";
- description = "ownCloud Infinite Scale (Android)";
- secret = "$pbkdf2-sha512$310000$NjEumkph77Gql.CH0Oq3zg$I9ubOZ3VRCXPbHpW1U4bQmvLgP5DdiFeGgple2nIjtUJsFgkdiV/hcCt1h6adr1uvJSJAtHDRnMhYf3Zp2BpcQ";
- public = false;
- authorization_policy = "internal";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [ "oc://android.owncloud.com" ];
- scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
- response_types = [ "code" ];
- grant_types = [ "authorization_code" "refresh_token" ];
- access_token_signed_response_alg = "none";
- userinfo_signing_algorithm = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
- # oCIS iOS - static credentials hardcoded in the oCIS iOS app
- {
- id = "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1";
- description = "ownCloud Infinite Scale (iOS)";
- secret = "$pbkdf2-sha512$310000$.nIk0IUua7n8VAUoR85yyA$6UhT/gi7spH/0PRqTa6clz7QMRSmP/FZ0BDIumJupM4V2Ai6MgGKdzlEaNTc2IDqpGL3NxF626g4zAHFRgD7Zg";
- public = false;
- authorization_policy = "internal";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [ "oc://ios.owncloud.com" "oc.ios://ios.owncloud.com" ];
- scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
- response_types = [ "code" ];
- grant_types = [ "authorization_code" "refresh_token" ];
- access_token_signed_response_alg = "none";
- userinfo_signing_algorithm = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
 ];
 };
 };
diff --git a/hosts/web-arm/modules/ocis.nix b/hosts/web-arm/modules/ocis.nix
deleted file mode 100644
index 90c0253..0000000
--- a/hosts/web-arm/modules/ocis.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- sops.secrets.ocis-admin-password = {
- owner = "ocis";
- };
-
- # Upstream services.ocis module adds ReadOnlyPaths = [ configDir ] to the
- # systemd unit, which makes systemd fail the namespace setup if the path
- # does not exist, and it never runs `ocis init` to populate ocis.yaml with
- # the service's internal secrets. Run init in a separate oneshot so the
- # sandbox restrictions of ocis.service don't block writes to configDir.
- systemd.services.ocis-init = {
- description = "Initialize oCIS config (one-shot)";
- before = [ "ocis.service" ];
- requiredBy = [ "ocis.service" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- User = "ocis";
- Group = "ocis";
- StateDirectory = "ocis";
- LoadCredential = "admin-password:${config.sops.secrets.ocis-admin-password.path}";
- };
-
- script = ''
- install -d -m 0700 /var/lib/ocis/config
- if [ ! -f /var/lib/ocis/config/ocis.yaml ]; then
- ${lib.getExe pkgs.ocis_5-bin} init \
- --config-path /var/lib/ocis/config \
- --admin-password "$(cat "$CREDENTIALS_DIRECTORY/admin-password")" \
- --insecure true
- fi
- '';
- };
-
- services.ocis = {
- enable = true;
- url = "https://files.cloonar.com";
- address = "127.0.0.1";
- port = 9200;
- stateDir = "/var/lib/ocis";
- configDir = "/var/lib/ocis/config";
- environment = {
- # Proxy - SSL terminated at nginx
- PROXY_TLS = "false";
- OCIS_INSECURE = "false";
-
- # OIDC - Authelia
- PROXY_OIDC_ISSUER = "https://auth.cloonar.com";
- PROXY_OIDC_REWRITE_WELLKNOWN = "true";
- PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
- PROXY_OIDC_SKIP_USER_INFO = "false";
- WEB_OIDC_CLIENT_ID = "ocis";
-
- # Auto-provision user accounts from OIDC claims
- PROXY_AUTOPROVISION_ACCOUNTS = "true";
- PROXY_AUTOPROVISION_CLAIM_USERNAME = "preferred_username";
- PROXY_AUTOPROVISION_CLAIM_EMAIL = "email";
- PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME = "name";
- PROXY_AUTOPROVISION_CLAIM_GROUPS = "groups";
-
- # Disable demo users
- IDM_CREATE_DEMO_USERS = "false";
-
- # Move internal services off their defaults where Prometheus exporters
- # already bind on this host:
- # - node-exporter owns 9100 (oCIS web default)
- # - blackbox-exporter owns 9115 (oCIS webdav default)
- WEB_HTTP_ADDR = "127.0.0.1:19100";
- WEBDAV_HTTP_ADDR = "127.0.0.1:19115";
- };
- };
-
- # Nginx reverse proxy
- services.nginx.virtualHosts."files.cloonar.com" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
-
- locations."/" = {
- proxyPass = "http://127.0.0.1:9200";
- proxyWebsockets = true;
- extraConfig = ''
- client_max_body_size 10G;
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- '';
- };
- };
-}