Nixops deploy secrets to Nextcloud

ZerataX · December 8, 2020, 9:52pm

the nix module nextcloud has the options

services.nextcloud.config.dbpassFile
services.nextcloud.config.adminpassFile

Which seem perfect to use with nixops’ deployment.keys. option

deployment.keys.nextcloud-db-pass.text = builtins.readFile ./nextcloud-db-pass.key;
deployment.keys.nextcloud-db-pass.user = "nextcloud";
deployment.keys.nextcloud-db-pass.group = "nextcloud";
deployment.keys.nextcloud-admin-pass.text = builtins.readFile ./nextcloud-admin-pass.key;
deployment.keys.nextcloud-admin-pass.user = "nextcloud";
deployment.keys.nextcloud-admin-pass.group = "nextcloud";
services.nextcloud.config.dbpassFile = "/run/keys/nextcloud-db-pass";
services.nextcloud.config.adminpassFile = "/run/keys/nextcloud-admin-pass";

But this results in nextcloud complaining about these files not existing?

"Cannot start Nextcloud, dbpass file nextcloud-db-pass set by NixOS doesn't exist!",

So I added this:

systemd.services."nextcloud-setup" = {
        requires = [
            "nextcloud-db-pass-key.service"
            "nextcloud-admin-pass-key.service"
        ];
        after = [
            "nextcloud-db-pass-key.service"
            "nextcloud-admin-pass-key.service"
        ];
    };

But Nextcloud still complains that these files do not exists. Is this just a permission error or am I missing something else?

mattchrist · December 9, 2020, 1:40pm

I think I had the same issue (though I’m using sops-nix instead of deployment.keys).

The issue for me was that the nextcloud user didn’t have permission to the parent directory of the keys. I had to add:

  users.users.nextcloud.extraGroups = [ config.users.groups.keys.name ];

for nextcloud to be able to see the keys.

Looks like nixops uses the keys user for /run/keys, so I bet the above snippet will work for you as well.

ZerataX · December 9, 2020, 2:27pm

ah yes that worked flawlessly, thank you so much!

Ma27 · December 9, 2020, 5:02pm

Actually I consider this a bug. Back when I worked on this, I apparently ignored that case which was definitely a mistake. Will provide an improvement.

Ma27 · December 9, 2020, 6:58pm

Error message updated in nixos/nextcloud: improve error message for invalid `dbpassFile` by Ma27 · Pull Request #106473 · NixOS/nixpkgs · GitHub.