feat(home-server): switch from Nextcloud to OpenCloud

hosts/home-server/default.nix

@@ -43,7 +43,7 @@ in
     ../../services/matrix
     ../../services/miniflux.nix
     ../../services/paperless.nix
-    ../../services/nextcloud.nix
+    ../../services/opencloud.nix
     ../../services/collabora-office.nix
     ../../services/calibre-web.nix
   ];

services/authelia.nix

@@ -162,6 +162,17 @@ in
         username = smtpAccount.user;
         sender = smtpAccount.from;
       };
+      identity_providers.oidc.cors = {
+        endpoints = [
+          "authorization"
+          "token"
+          "revocation"
+          "introspection"
+          "userinfo"
+        ];
+        allowed_origins_from_client_redirect_uris = true;
+      };
+      # To generate new secret digests: `authelia crypto hash generate argon2`
       identity_providers.oidc.clients = [
         {
           id = "miniflux";
@@ -186,6 +197,69 @@ in
             "profile"
           ];
         }
+        {
+          id = "opencloud";
+          description = "OpenCloud";
+          public = true;
+          redirect_uris = [
+            "https://cloud.felschr.com/"
+            "https://cloud.felschr.com/oidc-callback.html"
+            "https://cloud.felschr.com/oidc-silent-redirect.html"
+          ];
+          scopes = [
+            "openid"
+            "email"
+            "profile"
+            "groups"
+            "offline_access"
+          ];
+          grant_types = [
+            "refresh_token"
+            "authorization_code"
+          ];
+          userinfo_signing_algorithm = "none";
+        }
+        {
+          id = "OpenCloudAndroid";
+          description = "OpenCloud Android";
+          public = true;
+          redirect_uris = [ "oc://android.opencloud.eu" ];
+          scopes = [
+            "openid"
+            "email"
+            "profile"
+            "groups"
+            "offline_access"
+          ];
+          grant_types = [
+            "refresh_token"
+            "authorization_code"
+          ];
+          response_modes = [ "form_post" ];
+          userinfo_signed_response_alg = "none";
+        }
+        {
+          id = "OpenCloudDesktop";
+          description = "OpenCloud Desktop";
+          public = true;
+          redirect_uris = [
+            "http://127.0.0.1"
+            "http://localhost"
+          ];
+          scopes = [
+            "openid"
+            "email"
+            "profile"
+            "groups"
+            "offline_access"
+          ];
+          grant_types = [
+            "refresh_token"
+            "authorization_code"
+          ];
+          response_modes = [ "form_post" ];
+          userinfo_signed_response_alg = "none";
+        }
         {
           id = "jellyfin";
           description = "Jellyfin";

services/opencloud.nix

@@ -0,0 +1,72 @@
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  host = "cloud.felschr.com";
+
+  cfg = config.services.opencloud;
+in
+{
+  imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/opencloud.nix"
+  ];
+
+  # required when using unstable NixOS module
+  documentation.nixos.enable = false;
+
+  services.opencloud = {
+    enable = true;
+    package = pkgs.unstable.opencloud;
+    webPackage = pkgs.unstable.opencloud.web;
+    idpWebPackage = pkgs.unstable.opencloud.idp-web;
+    url = "https://${host}";
+    settings = {
+      api = {
+        graph_assign_default_user_role = true;
+        graph_username_match = "none";
+      };
+      proxy = {
+        auto_provision_accounts = true;
+        oidc.rewrite_well_known = true;
+        oidc.access_token_verify_method = "none";
+        role_assignment = {
+          # driver = "oidc"; # HINT currently broken for Android & Desktop app
+          driver = "default";
+          oidc_role_mapper.role_claim = "groups";
+        };
+        csp_config_file_location = "/etc/opencloud/csp.yaml";
+      };
+      csp = {
+        directives = {
+          connect-src = [
+            "https://cloud.felschr.com/"
+            "https://auth.felschr.com/"
+          ];
+          frame-src = [
+            "https://cloud.felschr.com/"
+            "https://auth.felschr.com/"
+          ];
+        };
+      };
+      web.web.config.oidc.client_id = "opencloud";
+      web.web.config.oidc.scope = "openid profile email groups";
+    };
+    environment = {
+      OC_INSECURE = "false";
+      PROXY_TLS = "false";
+      PROXY_INSECURE_BACKENDS = "true";
+      OC_EXCLUDE_RUN_SERVICES = "idp";
+      OC_OIDC_ISSUER = "https://auth.felschr.com";
+    };
+  };
+
+  services.nginx.virtualHosts.${host} = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
+  };
+}