From 9a0dee2e9c26c8288da18b0e975299fd6f314515 Mon Sep 17 00:00:00 2001
From: provokateurin
Date: Wed, 3 Sep 2025 08:53:32 +0200
Subject: [PATCH] nixos/nextcloud: Pass OC_PASS and NC_PASS environment variables to nextcloud-occ

(cherry picked from commit ba24e7fa23b0e084f1f0648a3a18d1b8e8bafe11)
---
 nixos/modules/services/web-apps/nextcloud.md | 4 ++--
 nixos/modules/services/web-apps/nextcloud.nix | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/web-apps/nextcloud.md b/nixos/modules/services/web-apps/nextcloud.md
index 05300487cc9a..324fcc98f7e4 100644
--- a/nixos/modules/services/web-apps/nextcloud.md
+++ b/nixos/modules/services/web-apps/nextcloud.md
@@ -65,8 +65,8 @@ The management command [`occ`](https://docs.nextcloud.com/server/stable/admin_ma invoked by using the `nextcloud-occ` wrapper that's globally available on a system with Nextcloud enabled. It requires elevated permissions to become the `nextcloud` user. Given the way the privilege -escalation is implemented, parameters passed via the environment to Nextcloud (e.g. `OC_PASS`) are -currently ignored. +escalation is implemented, parameters passed via the environment to Nextcloud are +currently ignored, except for `OC_PASS` and `NC_PASS`. Custom service units that need to run `nextcloud-occ` either need elevated privileges or the systemd configuration from `nextcloud-setup.service` (recommended):
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 672ed62a50c4..8c3212b7b2f1 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -165,17 +165,23 @@ let
 --wait \
 --collect \
 --service-type=exec \
+ --setenv OC_PASS \
+ --setenv NC_PASS \
 --quiet \
 ${command}
 elif [[ "$USER" != nextcloud ]]; then
 if [[ -x /run/wrappers/bin/sudo ]]; then
 exec /run/wrappers/bin/sudo \
 --preserve-env=CREDENTIALS_DIRECTORY \
+ --preserve-env=OC_PASS \
+ --preserve-env=NC_PASS \
 --user=nextcloud \
 ${command}
 else
 exec ${lib.getExe' pkgs.util-linux "runuser"} \
 --whitelist-environment=CREDENTIALS_DIRECTORY \
+ --whitelist-environment=OC_PASS \
+ --whitelist-environment=NC_PASS \
 --user=nextcloud \
 ${command}
 fi
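Review bot: The two `--setenv` lines in the systemd-run branch place the password in the transient unit's environment, which systemd documents as readable by unprivileged clients over D-Bus, so `OC_PASS`/`NC_PASS` are likely visible to other local users while the unit exists; the sudo and runuser branches hand the value only to the child process. A comment above the systemd-run call such as `# values passed via --setenv become properties of the transient unit; treat them as visible to local users` would record this, and the same caveat belongs in nextcloud.md next to the new exception. The value-less `--setenv NAME` form also appears to export an empty variable when the caller has not set it, whereas the other two branches leave it unset, so consider adding the flags only when the variable is present. The surrounding script begins and ends outside this hunk, so the condition that selects the systemd-run branch is not visible here.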