nixos/nextcloud: use LoadCredential to read secrets

[networkException]

This pull request adds support for using systemd's LoadCredential= feature to read various secret files used by nextcloud service units.

Previously credentials had to be readable by the nextcloud user, this is now no longer required.

The nextcloud-occ wrapper script has been adjusted to use systemd-run for loading credentials when being called from outside a service.

See the individual commits for more details.

Depends on #365442
Continuation of #152141

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[networkException]

This should be generally well tested already so reviews are encouraged, undrafting when

• I've run the tests against master in addition to nixos-unstable
• I've tested this on my deployment
• nixos/tests/nextcloud: fix notify_push test; nixos/nextcloud-notify_push: add nextcloudUrl option #365442 is merged

[Ma27]

Thanks!
Will try to review in the upcoming days.

[Ma27]

Can you explain why you added a fixme for that?

[networkException]

Maybe a note is better, I added this after removing the explicit (somewhat duplicate) variable from the nextcloud-update-db service

[Ma27]

I think the comment is good for clarification, but I don't really see this as something super-actionable, so I think I'd prefer NOTE: here.

[networkException]

Changed in https://github.com/NixOS/nixpkgs/compare/db42190f5e64dd4c8ce24b138d1195b3e307b1e3..e08ac4cf2a450205b8c7484139cb2d6989d16936

[networkException]

Rebased onto master and checked that the test still pass

[Ma27]

So the code mostly looks reasonable to me and the tests are passing.
I guess I'll pick it to my personal nixpkgs branch, deploy my private instance and see how it turns out.

[Ma27]

Works as expected, thanks 👍

No approval yet though because

• I think a brief entry in the release notes makes sense (I'm probably not the only one with a heavily configured Nextcloud and I had to adjust some parts of my config. Doesn't need much detail in this case, but I'd like to see it mentioned nonetheless)
• The notify_push thing I don't know much abotu is still unresolved (https://github.com/NixOS/nixpkgs/pull/367433/files#r1895052681): cc @SuperSandro2000 @dasJ @helsinki-Jo

Also cc @britter @dotlambda you may also be interested in taking a look.

[networkException]

Rebased onto master again, tests still pass

[networkException]

I had to adjust some parts of my config

What did you need to change?

[Ma27]

What did you need to change?

adminpassFile was set to a /run/credentials/... path already and this broke nextcloud-setup in the credentials setup phase.

Also, I had another service for generating previews for new images as a systemd timer and inherited ExecCOndition from nextcloud-setup which broke evaluation.

[Ma27]

I deploy my Nextcloud with these patches on top for ~2 months now. I'm getting 'eepy now, so I'll merge tomorrow afternoon.

If people still have reservations about this, please speak up.

[SuperSandro2000]

I just cherry-picked that into my local nixos-unstable fork and shellcheck fails. I will do a follow up PR that fixes that.

[SuperSandro2000]

#387913

[Ma27]

I just cherry-picked that into my local nixos-unstable fork and shellcheck fails. I will do a follow up PR that fixes that.

Where is the shellcheck even running? Tests were all building fwiw.

[SuperSandro2000]

I have systemd.enableStrictShellChecks
https://search.nixos.org/options?channel=unstable&show=systemd.enableStrictShellChecks&from=0&size=50&sort=relevance&type=packages&query=shellcheck enabled globally, so it didn't trigger when you build it.

[Ma27]

Oof... that sounds like an invitation for random build failures whenever one updates their systems.
To be clear: I've seen the missing quotes, but I decided to not start another feedback cycle for that given that (1) it is guaranteed that CREDENTIALS_DIRECTORY exists and (2) the quotes do not improve the error reporting if it it doesn't.

I mean, I'll merge since it doesn't hurt and will fix people's setup with this option, but... I'm not sure if this option is a good idea in the first place.

[SuperSandro2000]

I have it on since a while and after the initial fixes I barely get any regressions. Maybe every 2 to 4 weeks. It is surprising. 😂

[eyJhb]

This PR breaks the following use-case here, where I utilize nextcloud-setup to reset the admin users password. I can't even do it by hand anymore, as the OC_PASS is no longer being preserved.

Are there any good ways to mitigate this?

EDIT: I've made a issue here #412675