From a10111a7910c7b9e26ed98199789c00ec7292606 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Fri, 14 Mar 2025 16:41:44 +0100
Subject: [PATCH] nextcloud: moved admin into own ldap group
---
 machines/gerd/services/lldap/default.nix | 2 +-
 machines/gerd/services/lldap/module/default.nix | 1 +
 machines/gerd/services/lldap/provision.nix | 1 +
 machines/gerd/services/nextcloud.nix | 4 ++--
 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/machines/gerd/services/lldap/default.nix b/machines/gerd/services/lldap/default.nix
index 9115f69..7a599b9 100644
--- a/machines/gerd/services/lldap/default.nix
+++ b/machines/gerd/services/lldap/default.nix
@@ -275,7 +275,7 @@ in {
 user_id = name;
 display_name = name; # required for nextcloud
 membermail = mkProvisionEmail name;
- groups = [ lconfig.groups.admin lconfig.groups.member ];
+ groups = with lconfig.groups; [ admin nextcloud_admin member ];
 membermaildiskquota = 100*1024*1024; # mb
 nextcloudquota = 100*1024*1024; # mb
 });
diff --git a/machines/gerd/services/lldap/module/default.nix b/machines/gerd/services/lldap/module/default.nix
index 04032c4..34206d7 100644
--- a/machines/gerd/services/lldap/module/default.nix
+++ b/machines/gerd/services/lldap/module/default.nix
@@ -162,5 +162,6 @@ in {
 ${pythonEnv}/bin/python -m bootstrap.main ${configFile}
 '';
 };
+ systemd.services.lldap.restartTriggers = [ configFile ];
 };
 }
diff --git a/machines/gerd/services/lldap/provision.nix b/machines/gerd/services/lldap/provision.nix
index e5a3af9..fc48c32 100644
--- a/machines/gerd/services/lldap/provision.nix
+++ b/machines/gerd/services/lldap/provision.nix
@@ -36,6 +36,7 @@
 "base_member" = {};
 "system_service" = {};
 "system_mail" = {};
+ "nextcloud_admin" = {};
 };
 # attributes
diff --git a/machines/gerd/services/nextcloud.nix b/machines/gerd/services/nextcloud.nix
index a3387aa..81bf6b2 100644
--- a/machines/gerd/services/nextcloud.nix
+++ b/machines/gerd/services/nextcloud.nix
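Review bot: In machines/gerd/services/lldap/default.nix the new `groups = with lconfig.groups; [ admin nextcloud_admin member ];` resolves the three names through `with`, and in Nix a lexically bound name (a `let` binding or a function argument such as the `name` used two lines above) takes precedence over a `with` attribute. If `admin` or `member` is ever bound in the enclosing scope, which starts outside this hunk, the list would silently pick up that value instead of the group. Since this list decides which account receives admin rights, I would keep the explicit form: `groups = [ lconfig.groups.admin lconfig.groups.nextcloud_admin lconfig.groups.member ];`.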
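Review bot: In machines/gerd/services/lldap/module/default.nix the added `systemd.services.lldap.restartTriggers = [ configFile ];` has no comment and is not mentioned in the commit subject, so the reason for restarting the directory server on every provisioning change is not recorded. The unit that runs `bootstrap.main` starts outside the hunk; if it is a separate unit rather than a hook of `lldap.service`, the trigger presumably belongs on that unit instead, and restarting lldap itself briefly interrupts authentication for every service bound to it. Once that is confirmed I would add a comment such as `# restart lldap so the bootstrap step re-runs when the provisioning config changes`.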
@@ -49,7 +49,7 @@ let ldapGroupFilter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib: llib.mkAnd [ (llib.mkOC lconfig.oc.groupOfUniqueNames) - (llib.mkOr [ "cn=${lconfig.groups.admin}" "cn=${lconfig.groups.member}"]) + (llib.mkOr [ "cn=${lconfig.groups.nextcloud_admin}" "cn=${lconfig.groups.member}"]) ] ); ldapGroupFilterGroups = "admin;user"; @@ -86,7 +86,7 @@ let done # promote ldap admin group to admins - ${occ} ldap:promote-group ${config.mine.shared.settings.ldap.groups.admin} --yes -n + ${occ} ldap:promote-group ${config.mine.shared.settings.ldap.groups.nextcloud_admin} --yes -n ''; # script for resetting nextcloud admin password on each startup
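Review bot: In the second hunk of machines/gerd/services/nextcloud.nix the comment `# promote ldap admin group to admins` is now stale, because the promoted group is `nextcloud_admin` and no longer the LDAP-wide `admin` group; something like `# promote the dedicated nextcloud_admin ldap group to nextcloud admins` would match the code. The script only promotes the new group and nothing visible here removes the mapping of the old one, so on an already-deployed instance it is worth checking after the first run that accounts which were Nextcloud admins only through the old `admin` group no longer are. The script body starts and ends outside the hunk.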