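{
  # Build, sign, publish and test tooling for the Nextcloud "scimserviceprovider" app.
  description = "Nextcloud SCIM service provider app: build, sign, publish and compliance test";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
    scim2-cli.url = "github:hrenard/scim2-cli";
  };

  outputs =
    { nixpkgs, flake-utils, scim2-cli, ... }:
    flake-utils.lib.eachDefaultSystem (
      system:
      let
        pkgs = nixpkgs.legacyPackages.${system};

        # Minimal Nextcloud config.php for the `occ` wrapper below (app signing
        # needs a working occ but no database). apps_paths points at the store
        # copy of Nextcloud (read-only) and at a throw-away data dir (writable).
        # NOTE(review): the opening `<?php $CONFIG = [ 'debug' =>` was missing
        # from the listing (stripped as a tag) and is reconstructed here from the
        # trailing `];` and the leading `true,` value — confirm the key name.
        config = pkgs.writeText "config.php" ''
          <?php
          $CONFIG = [
            'debug' => true,
            'logfile' => getenv('NEXTCLOUD_DATA_DIR').'/nextcloud.log',
            'apps_paths' => [
              [
                'path' => '${pkgs.nextcloud28}/apps',
                'url' => '/apps',
                'writable' => false,
              ],
              [
                'path' => getenv('NEXTCLOUD_DATA_DIR').'/apps',
                'url' => '/apps',
                'writable' => true,
              ],
            ],
          ];
        '';

        # `occ` running against a fresh temporary data dir; used by `make` for
        # integrity:sign-app. The temp dir is removed on exit (the previous
        # `exec php` left one behind per invocation because no trap could run).
        occ = pkgs.writeShellApplication {
          name = "occ";
          runtimeInputs = with pkgs; [ nextcloud28 php ];
          text = ''
            NEXTCLOUD_DATA_DIR="$(mktemp -d)"
            export NEXTCLOUD_DATA_DIR
            export NEXTCLOUD_CONFIG_DIR="$NEXTCLOUD_DATA_DIR/config"
            trap 'rm -rf "$NEXTCLOUD_DATA_DIR"' EXIT
            mkdir "$NEXTCLOUD_CONFIG_DIR" "$NEXTCLOUD_DATA_DIR/apps"
            cp ${config} "$NEXTCLOUD_CONFIG_DIR/config.php"
            # errexit propagates php's exit status; the EXIT trap still runs.
            php ${pkgs.nextcloud28}/occ "$@"
          '';
        };

        src = ./.;

        # Single source of truth for the version: appinfo/info.xml. Archive
        # name and store release are derived from it.
        version = builtins.readFile (
          pkgs.runCommand "version" { } ''
            ${pkgs.coreutils}/bin/cat ${src}/appinfo/info.xml \
              | ${pkgs.xq-xml}/bin/xq -x "info/version" \
              | ${pkgs.coreutils}/bin/tr -d '\n' > $out
          ''
        );

        # Composer dependencies as a fixed-output derivation: the build has
        # network access, so the result is pinned by outputHash. Update the hash
        # (temporarily set it to pkgs.lib.fakeHash) whenever composer.lock changes.
        vendor = pkgs.stdenv.mkDerivation {
          pname = "scimserviceprovider-vendor";
          inherit src version;
          doCheck = false;
          dontFixup = true;
          nativeBuildInputs = with pkgs; [ cacert php php.packages.composer rsync ];
          buildPhase = ''
            runHook preBuild
            export COMPOSER_MIRROR_PATH_REPOS=1
            export COMPOSER_CACHE_DIR=/dev/null
            export COMPOSER_HTACCESS_PROTECT=0
            composer install --no-interaction --no-dev
            runHook postBuild
          '';
          installPhase = ''
            runHook preInstall
            mkdir $out
            rsync -av --progress vendor/ $out --exclude .git
            runHook postInstall
          '';
          outputHashAlgo = "sha256";
          outputHashMode = "recursive";
          outputHash = "sha256-fPSCufyPWf1G1XH3NsbuWSbKBBw/AM6j6Vd9lX+6qIQ=";
          #outputHash = pkgs.lib.fakeHash;
        };

        # The unsigned app tree: appinfo, lib, LICENSE and a symlink to vendor.
        scimserviceprovider = pkgs.stdenv.mkDerivation {
          pname = "scimserviceprovider";
          inherit src version;
          installPhase = ''
            runHook preInstall
            mkdir $out
            cp -r appinfo $out/
            cp -r lib $out/
            cp LICENSE $out/
            ln -sv ${vendor} $out/vendor
            runHook postInstall
          '';
        };

        scimserviceproviderArchive = "${scimserviceprovider.pname}-v${scimserviceprovider.version}.tar.gz";
        scimserviceproviderArchiveSignature = "${scimserviceprovider.pname}-v${scimserviceprovider.version}.tar.gz.sign";

        # Produces build/<archive> (app tree with Nextcloud integrity signature)
        # and build/<archive>.sign (detached SHA-512 signature over the tarball).
        # Locally the signing key/cert come from ~/.nextcloud/certificates; with
        # CI=true they are decoded from the base64 env vars
        # SCIMSERVICEPROVIDER_CRT / SCIMSERVICEPROVIDER_KEY.
        make = pkgs.writeShellApplication {
          name = "make";
          runtimeInputs = with pkgs; [ coreutils gnutar openssl occ ];
          text = ''
            SCIMSERVICEPROVIDER_CRT_PATH="$HOME/.nextcloud/certificates/scimserviceprovider.crt"
            SCIMSERVICEPROVIDER_KEY_PATH="$HOME/.nextcloud/certificates/scimserviceprovider.key"
            CI=''${CI:-false}
            if [ "$CI" = true ]; then
              echo "Loading CI secrets"
              SCIMSERVICEPROVIDER_CRT_PATH="$PWD/scimserviceprovider.crt"
              SCIMSERVICEPROVIDER_KEY_PATH="$PWD/scimserviceprovider.key"
              # The private key is materialised on disk: create it owner-only
              # (umask scoped to a subshell so the build tree keeps normal modes)
              # and delete both files when this script exits, success or failure.
              trap 'rm -f "$SCIMSERVICEPROVIDER_KEY_PATH" "$SCIMSERVICEPROVIDER_CRT_PATH"' EXIT
              (
                umask 077
                echo -n "$SCIMSERVICEPROVIDER_CRT" | base64 -d > "$SCIMSERVICEPROVIDER_CRT_PATH"
                echo -n "$SCIMSERVICEPROVIDER_KEY" | base64 -d > "$SCIMSERVICEPROVIDER_KEY_PATH"
              )
            fi
            rm -rf build
            mkdir -p build/scimserviceprovider
            cd build
            # -L dereferences the vendor symlink so the archive is self-contained.
            cp -Lr --no-preserve=all ${scimserviceprovider}/* scimserviceprovider/
            # Writes appinfo/signature.json, verified by Nextcloud's integrity check.
            occ integrity:sign-app \
              --privateKey="$SCIMSERVICEPROVIDER_KEY_PATH" \
              --certificate="$SCIMSERVICEPROVIDER_CRT_PATH" \
              --path="$PWD/scimserviceprovider"
            tar czf ${scimserviceproviderArchive} scimserviceprovider
            # Detached signature over the tarball, uploaded alongside the
            # download URL by `publish`.
            openssl dgst -sha512 -sign "$SCIMSERVICEPROVIDER_KEY_PATH" "$PWD/${scimserviceproviderArchive}" \
              | openssl base64 -A > "$PWD/${scimserviceproviderArchiveSignature}"
          '';
        };

        # Registers the release with the Nextcloud app store: download URL on the
        # forge plus the detached signature from artifact/. Needs NC_STORE_TOKEN.
        publish = pkgs.writeShellApplication {
          name = "publish";
          runtimeInputs = with pkgs; [ coreutils curl ];
          text = ''
            signature_file="artifact/${scimserviceproviderArchiveSignature}"
            # A failing `cat` inside "$(...)" used as an argument does not trip
            # errexit, so the presence of the signature is checked explicitly.
            if [ ! -f "$signature_file" ]; then
              echo "publish: missing $signature_file" >&2
              exit 1
            fi
            signature="$(cat "$signature_file")"
            # NOTE(review): the download path uses the bare version while the
            # archive name carries a `v` prefix and `release` tags with
            # $GITHUB_REF_NAME — confirm the forge tag really has no `v`.
            # NOTE(review): the token is passed in argv and is visible to other
            # processes on a shared runner for the duration of the request.
            printf '{"download":"https://forge.libre.sh/libre.sh/scimserviceprovider/releases/download/${scimserviceprovider.version}/${scimserviceproviderArchive}","signature":"%s"}' "$signature" \
              | curl --fail-with-body -sS -X POST https://apps.nextcloud.com/api/v1/apps/releases \
                  -H "Authorization: Token $NC_STORE_TOKEN" \
                  -H "Content-Type: application/json" \
                  -d @-
          '';
        };

        # Creates the forge release for $GITHUB_REF_NAME and attaches every
        # file under artifact/. Needs GITHUB_TOKEN, GITHUB_SERVER_URL,
        # GITHUB_REPOSITORY and GITHUB_REF_NAME.
        release = pkgs.writeShellApplication {
          # Was "publish", which produced a second binary named `publish` and
          # collided with the `publish` app above.
          name = "release";
          runtimeInputs = with pkgs; [ coreutils findutils tea git-cliff ];
          text = ''
            # tea persists the login (token included) under XDG_CONFIG_HOME;
            # keep it inside the workspace instead of the runner's home.
            export XDG_CONFIG_HOME=$PWD/.config
            export GITEA_SERVER_TOKEN="$GITHUB_TOKEN"
            tea login add --url "$GITHUB_SERVER_URL"
            # Build the --asset list NUL-delimited instead of word-splitting an
            # unquoted $(find ...), so no shellcheck exemption is needed.
            assets=()
            while IFS= read -r -d "" asset; do
              assets+=(--asset "$asset")
            done < <(find artifact/ -type f -print0)
            tea release create "''${assets[@]}" \
              --note "$(git-cliff -s all --tag "$GITHUB_REF_NAME")" \
              --repo "$GITHUB_REPOSITORY" \
              --tag "$GITHUB_REF_NAME" \
              --title "$GITHUB_REF_NAME"
          '';
        };
      in
      {
        packages.default = scimserviceprovider;
        packages.scimserviceprovider = scimserviceprovider;
        packages.vendor = vendor;
        packages.occ = occ;
        packages.make = make;
        packages.publish = publish;
        packages.release = release;

        # Boots a NixOS VM with Nextcloud and the app installed and runs the
        # scim2-cli conformance test against the app's SCIM endpoint.
        checks.compliance = pkgs.testers.runNixOSTest {
          name = "compliance";
          nodes.machine = { config, pkgs, ... }: {
            environment.systemPackages = [
              scim2-cli.packages.${system}.default
              config.services.nextcloud.occ
            ];
            services.nextcloud = {
              enable = true;
              hostName = "localhost";
              extraApps = { inherit scimserviceprovider; };
              # Throw-away credential for the ephemeral test VM only: it lands in
              # the world-readable store, so never reuse this pattern for a real host.
              config.adminpassFile = "${pkgs.writeText "ncpass" "P@ssw0rd"}";
            };
            nix.settings.experimental-features = [ "nix-command" "flakes" ];
            system.stateVersion = "24.11";
          };
          testScript = ''
            machine.wait_for_unit("nginx.service")
            machine.wait_for_unit("phpfpm-nextcloud.service")
            # Basic credentials are base64("root:P@ssw0rd"), matching adminpassFile above.
            status, result = machine.execute(
                "scim2 --url http://localhost/index.php/apps/scimserviceprovider "
                "--header 'Authorization: Basic cm9vdDpQQHNzdzByZA==' test -v"
            )
            # Fail on a non-zero exit as well as on ERROR lines in the output.
            if status != 0 or "ERROR" in result:
                raise Exception(result)
          '';
        };

        devShells.default = pkgs.mkShell { buildInputs = [ occ make ]; };
      }
    );
}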