From 1a5a4be3067315fb06b1dd4d2c99c1bbe930feff Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Wed, 29 Nov 2023 08:19:04 +0400
Subject: [PATCH] nextcloud: fix secrets extraction

---
 sp-modules/nextcloud/cleanup-module.nix | 4 +-
 sp-modules/nextcloud/module.nix | 115 ++++++++++++------------
 2 files changed, 61 insertions(+), 58 deletions(-)

diff --git a/sp-modules/nextcloud/cleanup-module.nix b/sp-modules/nextcloud/cleanup-module.nix
index d3f916f..24d8fd5 100644
--- a/sp-modules/nextcloud/cleanup-module.nix
+++ b/sp-modules/nextcloud/cleanup-module.nix
@@ -12,8 +12,8 @@ in
 "${db-pass-filepath} and ${admin-pass-filepath} will be removed!"
 )
 ''
- rm -f ${db-pass-filepath}
- rm -f ${admin-pass-filepath}
+ rm -f -v ${db-pass-filepath}
+ rm -f -v ${admin-pass-filepath}
 '';
 };
 }
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index d9c7f85..82934d6 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -16,70 +16,73 @@ inherit (import ./common.nix config) sp secrets-filepath db-pass-filepath admin-pass-filepath hostName;
 in
- lib.mkIf sp.modules.nextcloud.enable
- {
- system.activationScripts.nextcloudSecrets = ''
+ lib.mkIf sp.modules.nextcloud.enable {
+ fileSystems = lib.mkIf sp.useBinds {
+ "/var/lib/nextcloud" = {
+ device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
+ options = [ "bind" ];
+ };
+ };
+ systemd.services.nextcloud-secrets = {
+ before = [ "nextcloud-setup.service" ];
+ requiredBy = [ "nextcloud-setup.service" ];
+ serviceConfig.Type = "oneshot";
+ path = with pkgs; [ coreutils jq ];
+ script = ''
 install -m 0440 -o nextcloud -g nextcloud -DT \
- <(${pkgs.jq}/bin/jq < \
- ${secrets-filepath} -r '.modules.nextcloud.databasePassword') \
+ <(jq < ${secrets-filepath} -r '.modules.nextcloud.databasePassword') \
 ${db-pass-filepath}
 install -m 0440 -o nextcloud -g nextcloud -DT \
- <(${pkgs.jq}/bin/jq < \
- ${secrets-filepath} -r '.modules.nextcloud.adminPassword') \
+ <(jq < ${secrets-filepath} -r '.modules.nextcloud.adminPassword') \
 ${admin-pass-filepath}
 '';
- fileSystems = lib.mkIf sp.useBinds {
- "/var/lib/nextcloud" = {
- device = "/volumes/${sp.modules.nextcloud.location}/nextcloud";
- options = [ "bind" ];
- };
+ };
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud25;
+ inherit hostName;
+
+ # Use HTTPS for links
+ https = false;
+
+ # auto-update Nextcloud Apps
+ autoUpdateApps.enable = true;
+ # set what time makes sense for you
+ autoUpdateApps.startAt = "05:00:00";
+
+ config = {
+ # further forces Nextcloud to use HTTPS
+ overwriteProtocol = "https";
+
+ dbtype = "sqlite";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = db-pass-filepath;
+ adminpassFile = admin-pass-filepath;
+ adminuser = "admin";
 };
- services.nextcloud = {
- enable = true;
- package = pkgs.nextcloud25;
- inherit hostName;
-
- # Use HTTPS for links
- https = false;
-
- # auto-update Nextcloud Apps
- autoUpdateApps.enable = true;
- # set what time makes sense for you
- autoUpdateApps.startAt = "05:00:00";
-
- config = {
- # further forces Nextcloud to use HTTPS
- overwriteProtocol = "https";
-
- dbtype = "sqlite";
- dbuser = "nextcloud";
- dbhost = "/run/postgresql"; # nextcloud adds .s.PGSQL.5432 by itself
- dbname = "nextcloud";
- dbpassFile = db-pass-filepath;
- adminpassFile = admin-pass-filepath;
- adminuser = "admin";
- };
- };
- services.nginx.virtualHosts.${hostName} = {
- sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
- forceSSL = true;
- extraConfig = ''
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- expires 10m;
- '';
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:80/";
- };
+ };
+ services.nginx.virtualHosts.${hostName} = {
+ sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
+ forceSSL = true;
+ extraConfig = ''
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ expires 10m;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:80/";
 };
 };
 };
+ };
 }
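Review bot: The new `script` in `systemd.services.nextcloud-secrets` still cannot tell whether a secret was actually extracted: `jq` runs inside the `<(…)` process substitution, so its exit status is invisible to the shell, and for a missing key `jq -r` emits the literal string `null`, which `install` then writes to `${db-pass-filepath}` / `${admin-pass-filepath}` as the credential with mode 0440. The activation-script version had the same weakness, so this is not a regression, but moving the work into a unit that `nextcloud-setup.service` requires is the moment to make it fail loudly instead of provisioning a bogus password and letting setup proceed. Assigning each value first with `jq -e -r` (non-zero exit on `null`/`false`) and only then calling `install` achieves that, assuming the unit's script runs with `-e` as NixOS service scripts do by default — worth confirming on the generated unit. The surrounding `let … in` begins before the hunk; the `lib.mkIf` attribute set itself is fully visible.

```nix
    script = ''
      db_pass=$(jq -e -r '.modules.nextcloud.databasePassword' < ${secrets-filepath})
      admin_pass=$(jq -e -r '.modules.nextcloud.adminPassword' < ${secrets-filepath})
      install -m 0440 -o nextcloud -g nextcloud -DT <(printf '%s\n' "$db_pass") ${db-pass-filepath}
      install -m 0440 -o nextcloud -g nextcloud -DT <(printf '%s\n' "$admin_pass") ${admin-pass-filepath}
    '';
```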