Nixops deploy secrets to Nextcloud

the nix module nextcloud has the options


Which seem perfect to use with nixops’ deployment.keys. option

deployment.keys.nextcloud-db-pass.text = builtins.readFile ./nextcloud-db-pass.key;
deployment.keys.nextcloud-db-pass.user = "nextcloud"; = "nextcloud";
deployment.keys.nextcloud-admin-pass.text = builtins.readFile ./nextcloud-admin-pass.key;
deployment.keys.nextcloud-admin-pass.user = "nextcloud"; = "nextcloud";
services.nextcloud.config.dbpassFile = "/run/keys/nextcloud-db-pass";
services.nextcloud.config.adminpassFile = "/run/keys/nextcloud-admin-pass";

But this results in nextcloud complaining about these files not existing?

"Cannot start Nextcloud, dbpass file nextcloud-db-pass set by NixOS doesn't exist!",

So I added this:

"nextcloud-setup" = {
        requires = [
        after = [

But Nextcloud still complains that these files do not exist. Is this just a permission error or am I missing something else?

I think I had the same issue (though I’m using sops-nix instead of deployment.keys).

The issue for me was that the nextcloud user didn’t have permission to the parent directory of the keys. I had to add:

  users.users.nextcloud.extraGroups = [ ];

for nextcloud to be able to see the keys.

Looks like nixops uses the keys user for /run/keys, so I bet the above snippet will work for you as well.

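The parent-directory permission problem described in this answer can be confirmed on the host before changing group membership. The shell functions below are an added example, not part of the original posts: they report the highest path component that denies a given uid and group set, and the function names `has_perm` and `first_blocked` are hypothetical.

```shell
# Added example (not from the thread). Classic Unix mode bits only: ACLs and
# MAC policies are ignored. Needs a stat that supports -c (GNU or busybox).
# Run as root so stat itself can reach every component.

# has_perm FILE UID "GID ..." BIT -> 0 if that identity holds BIT (4=read, 1=search)
has_perm() {
    hp_info=$(stat -L -c '%a %u %g' "$1" 2>/dev/null) || return 2
    if [ "$2" -eq 0 ]; then return 0; fi        # root is not limited by mode bits
    set -- "$2" "$3" "$4" $hp_info              # uid gids bit mode owner group
    hp_mode=$((0$4))                            # %a is octal, e.g. 750
    hp_bits=$(( hp_mode & 7 ))                  # default: "other" class
    if [ "$1" -eq "$5" ]; then
        hp_bits=$(( (hp_mode >> 6) & 7 ))       # owner class wins outright
    else
        for hp_g in $2; do
            if [ "$hp_g" -eq "$6" ]; then hp_bits=$(( (hp_mode >> 3) & 7 )); fi
        done
    fi
    [ $(( hp_bits & $3 )) -ne 0 ]
}

# first_blocked ABS_PATH UID "GID ..." [TOP]
# Prints the highest component that denies access and returns 1; prints
# nothing and returns 0 when the file is reachable and readable.
# TOP (default /) is the ancestor at which the upward walk stops.
first_blocked() {
    fb_target=$1; fb_uid=$2; fb_gids=$3; fb_top=${4:-/}; fb_hit=""
    case $fb_target in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    fb_dir=$(dirname "$fb_target")
    while :; do
        # Every ancestor directory needs search (x) permission.
        has_perm "$fb_dir" "$fb_uid" "$fb_gids" 1 || fb_hit=$fb_dir
        if [ "$fb_dir" = "$fb_top" ] || [ "$fb_dir" = / ]; then break; fi
        fb_dir=$(dirname "$fb_dir")
    done
    if [ -z "$fb_hit" ]; then
        has_perm "$fb_target" "$fb_uid" "$fb_gids" 4 || fb_hit=$fb_target
    fi
    if [ -n "$fb_hit" ]; then echo "$fb_hit"; return 1; fi
    return 0
}

# Typical use on the deployed host (user name and path taken from the thread):
#   first_blocked /run/keys/nextcloud-db-pass "$(id -u nextcloud)" "$(id -G nextcloud)"
```

If the function prints the key directory rather than the key file, the file's own owner and mode are not the problem; the service user cannot search the directory that holds it.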

ah yes that worked flawlessly, thank you so much!


Actually I consider this a bug. Back when I worked on this, I apparently ignored that case which was definitely a mistake. Will provide an improvement.


Error message updated in