feat: initial ocis integration

hosts/web-arm/configuration.nix

@@ -11,6 +11,7 @@
     ./modules/bitwarden
     ./modules/authelia.nix
     ./modules/collabora.nix
+    ./modules/ocis.nix
     ./modules/nextcloud
     ./modules/rustdesk.nix
     ./modules/postgresql.nix
@@ -54,6 +55,11 @@
     "openssl-1.1.1w"
   ];
 
+  # oCIS (ownCloud Infinite Scale) has an unfree license
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "ocis_5-bin"
+  ];
+
   environment.systemPackages = with pkgs; [
     vim
     davfs2

hosts/web-arm/modules/authelia.nix

@@ -58,8 +58,7 @@ in {
     };
     settings = {
       theme = "dark";
-      default_redirection_url = "https://cloonar.com";
-  
+
       # log = {
       #   level = "debug";
       #   format = "text";
@@ -117,27 +116,24 @@ in {
       };
   
       session = {
-        name = "authelia_session";
-        expiration = "12h";
-        inactivity = "45m";
-        remember_me_duration = "1M";
-        domain = "cloonar.com";
         redis = {
           host = "/run/redis-authelia/redis.sock";
         };
-        # todo: enable with 4.38
-        # cookies = [
-        #   {
-        #     domain = "cloonar.com";
-        #   }
-        #   {
-        #     domain = "cloonar.dev";
-        #   }
-        #   {
-        #     domain = "gbv-aktuell.at";
-        #     same_site = "strict";
-        #   }
-        # ];
+        # Authelia 4.38+ replaced top-level session.domain with per-cookie
+        # entries. Each entry needs an authelia_url, so only cloonar.com is
+        # configured here — adding cloonar.dev / gbv-aktuell.at would require
+        # separate Authelia endpoints on those domains.
+        cookies = [
+          {
+            name = "authelia_session";
+            domain = "cloonar.com";
+            authelia_url = "https://auth.cloonar.com";
+            default_redirection_url = "https://cloonar.com";
+            expiration = "12h";
+            inactivity = "45m";
+            remember_me = "1M";
+          }
+        ];
       };
   
       regulation = {
@@ -368,6 +364,7 @@ in {
               pkce_challenge_method = "S256";
               redirect_uris = [ "oc://ios.owncloud.com" "oc.ios://ios.owncloud.com" ];
               scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+              response_types = [ "code" ];
               grant_types = [ "authorization_code" "refresh_token" ];
               access_token_signed_response_alg = "none";
               userinfo_signing_algorithm = "none";

hosts/web-arm/modules/ocis.nix

@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+{
+  sops.secrets.ocis-admin-password = {
+    owner = "ocis";
+  };
+
+  # Upstream services.ocis module adds ReadOnlyPaths = [ configDir ] to the
+  # systemd unit, which makes systemd fail the namespace setup if the path
+  # does not exist, and it never runs `ocis init` to populate ocis.yaml with
+  # the service's internal secrets. Run init in a separate oneshot so the
+  # sandbox restrictions of ocis.service don't block writes to configDir.
+  systemd.services.ocis-init = {
+    description = "Initialize oCIS config (one-shot)";
+    before = [ "ocis.service" ];
+    requiredBy = [ "ocis.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      User = "ocis";
+      Group = "ocis";
+      StateDirectory = "ocis";
+      LoadCredential = "admin-password:${config.sops.secrets.ocis-admin-password.path}";
+    };
+
+    script = ''
+      install -d -m 0700 /var/lib/ocis/config
+      if [ ! -f /var/lib/ocis/config/ocis.yaml ]; then
+        ${lib.getExe pkgs.ocis_5-bin} init \
+          --config-path /var/lib/ocis/config \
+          --admin-password "$(cat "$CREDENTIALS_DIRECTORY/admin-password")" \
+          --insecure true
+      fi
+    '';
+  };
+
+  services.ocis = {
+    enable = true;
+    url = "https://files.cloonar.com";
+    address = "127.0.0.1";
+    port = 9200;
+    stateDir = "/var/lib/ocis";
+    configDir = "/var/lib/ocis/config";
+    environment = {
+      # Proxy - SSL terminated at nginx
+      PROXY_TLS = "false";
+      OCIS_INSECURE = "false";
+
+      # OIDC - Authelia
+      PROXY_OIDC_ISSUER = "https://auth.cloonar.com";
+      PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none";
+      PROXY_OIDC_SKIP_USER_INFO = "false";
+      WEB_OIDC_CLIENT_ID = "ocis";
+
+      # Auto-provision user accounts from OIDC claims
+      PROXY_AUTOPROVISION_ACCOUNTS = "true";
+      PROXY_AUTOPROVISION_CLAIM_USERNAME = "preferred_username";
+      PROXY_AUTOPROVISION_CLAIM_EMAIL = "email";
+      PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME = "name";
+      PROXY_AUTOPROVISION_CLAIM_GROUPS = "groups";
+
+      # Disable demo users
+      IDM_CREATE_DEMO_USERS = "false";
+
+      # Move internal services off their defaults where Prometheus exporters
+      # already bind on this host:
+      #   - node-exporter owns 9100 (oCIS web default)
+      #   - blackbox-exporter owns 9115 (oCIS webdav default)
+      WEB_HTTP_ADDR = "127.0.0.1:19100";
+      WEBDAV_HTTP_ADDR = "127.0.0.1:19115";
+    };
+  };
+
+  # Nginx reverse proxy
+  services.nginx.virtualHosts."files.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:9200";
+      proxyWebsockets = true;
+      extraConfig = ''
+        client_max_body_size 10G;
+        proxy_read_timeout 600s;
+        proxy_send_timeout 600s;
+      '';
+    };
+  };
+}