My nix-darwin and NixOS config

fix: grant nextcloud user polkit permission to start transient units

nextcloud-occ uses systemd-run internally to isolate PHP execution as the
nextcloud user. On a headless server with no interactive session, polkit
denies this by default, causing nextcloud-files-scan to fail daily since
at least 2025-03-13. Add a targeted polkit rule allowing the nextcloud
user to manage transient units only.

modules/server/nextcloud.nix
··· 219 219 "request_terminate_timeout" = "3600"; 220 220 }; 221 221 222 + # nextcloud-occ internally calls systemd-run to execute as the nextcloud user, 223 + # which requires polkit permission to start transient units. On a headless 224 + # server with no interactive session polkit denies this by default — this rule 225 + # grants the nextcloud system user the minimum necessary permission. 226 + security.polkit.enable = true; 227 + security.polkit.extraConfig = '' 228 + polkit.addRule(function(action, subject) { 229 + if ( 230 + (action.id === "org.freedesktop.systemd1.manage-units" || 231 + action.id === "org.freedesktop.systemd1.manage-unit-files") && 232 + subject.user === "nextcloud" 233 + ) { 234 + return polkit.Result.YES; 235 + } 236 + }); 237 + ''; 238 + 222 239 # Periodically scan the data directory so files added directly to /srv 223 240 # or written by co-located services (Immich, Jellyfin) are picked up by Nextcloud. 224 241 systemd.services.nextcloud-files-scan = {
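Review bot: the rule in this hunk is broader than the commit message's "manage transient units only": it returns polkit.Result.YES for the nextcloud user on every "org.freedesktop.systemd1.manage-units" and "org.freedesktop.systemd1.manage-unit-files" request, so the user can start, stop and restart any unit and enable, disable or edit unit files, not just create transient units. systemd-run creates transient units through the manage-units action, so the "manage-unit-files" branch of the condition (line 231) can be dropped without affecting nextcloud-occ. Either tighten the rule accordingly or reword the in-code comment at lines 222-225 and the commit message so they do not claim "minimum necessary" and "transient units only" for a grant that covers all unit management by that user; a brief note in the comment that polkit cannot distinguish transient from persistent units by action id alone would also help the next reader.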