diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 0a6647e0cab7..6f92c0ca5e58 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -9,6 +9,11 @@ with lib;
 
 let
 cfg = config.services.nextcloud;
+
+ overridePackage = cfg.package.override {
+ inherit (config.security.pki) caBundle;
+ };
+
 fpm = config.services.phpfpm.pools.nextcloud;
 
 jsonFormat = pkgs.formats.json { };
@@ -51,13 +56,13 @@ let
 };
 
 webroot =
- pkgs.runCommand "${cfg.package.name or "nextcloud"}-with-apps"
+ pkgs.runCommand "${overridePackage.name or "nextcloud"}-with-apps"
 {
 preferLocalBuild = true;
 }
 ''
 mkdir $out
- ln -sfv "${cfg.package}"/* "$out"
+ ln -sfv "${overridePackage}"/* "$out"
 ${concatStrings (
 mapAttrsToList (
 name: store:
@@ -185,8 +190,8 @@ let
 mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql";
 pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql";
 
- nextcloudGreaterOrEqualThan = versionAtLeast cfg.package.version;
- nextcloudOlderThan = versionOlder cfg.package.version;
+ nextcloudGreaterOrEqualThan = versionAtLeast overridePackage.version;
+ nextcloudOlderThan = versionOlder overridePackage.version;
 
 # https://github.com/nextcloud/documentation/pull/11179
 ocmProviderIsNotAStaticDirAnymore =
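Review bot: `overridePackage = cfg.package.override { inherit (config.security.pki) caBundle; }` is evaluated unconditionally, so any `services.nextcloud.package` whose derivation does not take a `caBundle` argument (a custom package, or one built before this change) now makes the whole module fail with an unexpected-argument error rather than simply running without the system bundle. That new contract on the option is not written down anywhere near it; a comment above the binding such as `# Rebuild the package against the system CA bundle (security.pki.caBundle) so Nextcloud's HTTP client trusts the same CAs as the host; the package must accept a caBundle argument.` plus a matching sentence in the `services.nextcloud.package` description would make the failure mode explicit. It is also worth stating there that every change to `security.pki.certificates` now rebuilds the Nextcloud package, which appears intended but is easy to miss. The substitutions in the webroot and version-helper hunks follow from this binding; any `cfg.package` use left elsewhere in the module (outside these hunks) would still refer to the non-overridden derivation and should be checked.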
@@ -1028,12 +1033,12 @@ in
 If you have an existing installation with a custom table prefix, make sure it is set correctly in `config.php` and remove the option from your NixOS config.
 '')
- ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05"))
- ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"))
- ++ (optional (versionOlder cfg.package.version "28") (upgradeWarning 27 "24.05"))
- ++ (optional (versionOlder cfg.package.version "29") (upgradeWarning 28 "24.11"))
- ++ (optional (versionOlder cfg.package.version "30") (upgradeWarning 29 "24.11"))
- ++ (optional (versionOlder cfg.package.version "31") (upgradeWarning 30 "25.05"));
+ ++ (optional (versionOlder overridePackage.version "26") (upgradeWarning 25 "23.05"))
+ ++ (optional (versionOlder overridePackage.version "27") (upgradeWarning 26 "23.11"))
+ ++ (optional (versionOlder overridePackage.version "28") (upgradeWarning 27 "24.05"))
+ ++ (optional (versionOlder overridePackage.version "29") (upgradeWarning 28 "24.11"))
+ ++ (optional (versionOlder overridePackage.version "30") (upgradeWarning 29 "24.11"))
+ ++ (optional (versionOlder overridePackage.version "31") (upgradeWarning 30 "25.05"));
 
 services.nextcloud.package =
 with pkgs;
@@ -1386,6 +1391,8 @@ in
 datadirectory = lib.mkDefault "${datadir}/data";
 trusted_domains = [ cfg.hostName ];
 "upgrade.disable-web" = true;
+ # NixOS already provides its own integrity check and the nix store is read-only, therefore Nextcloud does not need to do its own integrity checks.
+ "integrity.check.disabled" = true;
 })
 (lib.mkIf cfg.configureRedis {
 "memcache.distributed" = ''\OC\Memcache\Redis'';
diff --git a/nixos/tests/nextcloud/with-objectstore.nix b/nixos/tests/nextcloud/with-objectstore.nix
index 802c070b879d..53800b8238bc 100644
--- a/nixos/tests/nextcloud/with-objectstore.nix
+++ b/nixos/tests/nextcloud/with-objectstore.nix
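Review bot: `"integrity.check.disabled" = true;` in the config.php hunk is a plain value rather than `lib.mkDefault true`, so an administrator who wants Nextcloud's own signature check back has to `mkForce` it, and the comment's justification only covers the Nix store. As far as I can tell, apps installed through the in-app store (when `appstoreEnable` is used) live in a writable directory under the Nextcloud home, not in the store, so the read-only argument does not apply to them and this setting silences the checker for that code too. The concrete reason the check would now fail is presumably the replaced `resources/config/ca-bundle.crt` in the package, which is covered by upstream's core signature; that is worth saying outright. Suggest `"integrity.check.disabled" = lib.mkDefault true;` and extending the comment along the lines of `# The core tree is immutable in the Nix store and the CA bundle patched into it would fail upstream's signature; note this also disables the check for apps installed into the writable app directory.`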
@@ -26,11 +26,13 @@ runTest (
 
 nodes = {
 nextcloud =
- { config, pkgs, ... }:
 {
- networking.firewall.allowedTCPPorts = [ 9000 ];
- environment.systemPackages = [ pkgs.minio-client ];
-
+ config,
+ pkgs,
+ nodes,
+ ...
+ }:
+ {
 services.nextcloud.config.dbtype = "sqlite";
 
 services.nextcloud.config.objectstore.s3 = {
@@ -39,13 +41,66 @@ runTest (
 autocreate = true;
 key = accessKey;
 secretFile = "${pkgs.writeText "secretKey" secretKey}";
- hostname = "nextcloud";
- useSsl = false;
- port = 9000;
+ hostname = "acme.test";
+ useSsl = true;
+ port = 443;
 usePathStyle = true;
 region = "us-east-1";
 };
 
+ security.pki.certificates = [
+ (builtins.readFile ../common/acme/server/ca.cert.pem)
+ ];
+
+ environment.systemPackages = [ pkgs.minio-client ];
+
+ # The dummy certs are for acme.test, so we pretend that's the FQDN
+ # of the minio VM.
+ networking.extraHosts = ''
+ ${nodes.minio.networking.primaryIPAddress} acme.test
+ '';
+ };
+
+ client =
+ { nodes, ... }:
+ {
+ security.pki.certificates = [
+ (builtins.readFile ../common/acme/server/ca.cert.pem)
+ ];
+ networking.extraHosts = ''
+ ${nodes.minio.networking.primaryIPAddress} acme.test
+ '';
+ };
+
+ minio =
+ { ... }:
+ {
+ security.pki.certificates = [
+ (builtins.readFile ../common/acme/server/ca.cert.pem)
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+
+ virtualHosts."acme.test" = {
+ onlySSL = true;
+ sslCertificate = ../common/acme/server/acme.test.cert.pem;
+ sslCertificateKey = ../common/acme/server/acme.test.key.pem;
+ locations."/".proxyPass = "http://127.0.0.1:9000";
+ };
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 acme.test
+ '';
+
+ networking.firewall.allowedTCPPorts = [
+ 9000
+ 80
+ 443
+ ];
+
 services.minio = {
 enable = true;
 listenAddress = "0.0.0.0:9000";
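Review bot: `networking.firewall.allowedTCPPorts = [ 9000 80 443 ];` on the new minio node still exposes the plaintext MinIO listener on 9000 and an unused port 80 (`onlySSL = true` means nginx serves nothing there), although every consumer in the rewritten test now goes through `https://acme.test`; leaving 9000 reachable keeps a plaintext path open that nothing in the test needs and that the test would not notice being used. Suggest `networking.firewall.allowedTCPPorts = [ 443 ];` and, since nginx proxies to `http://127.0.0.1:9000`, `listenAddress = "127.0.0.1:9000";` on the context line at the end of the hunk, so MinIO is only reachable through the TLS front end. The `minio.wait_for_open_port(9000)` added to the init helper in the next hunk presumably probes from inside the minio VM and should be unaffected by either change.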
@@ -56,18 +111,22 @@ runTest (
 };
 
 test-helpers.init = ''
- nextcloud.wait_for_open_port(9000)
+ minio.start()
+ minio.wait_for_open_port(9000)
+ minio.wait_for_unit("nginx.service")
+ minio.wait_for_open_port(443)
 '';
 
 test-helpers.extraTests =
 { nodes, ... }:
 ''
+
 with subtest("File is not on the filesystem"):
 nextcloud.succeed("test ! -e ${nodes.nextcloud.services.nextcloud.home}/data/root/files/test-shared-file")
 
 with subtest("Check if file is in S3"):
 nextcloud.succeed(
- "mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4"
+ "mc config host add minio https://acme.test ${accessKey} ${secretKey} --api s3v4"
 )
 
 files = nextcloud.succeed('mc ls minio/nextcloud|sort').strip().split('\n')
@@ -100,8 +159,8 @@ runTest (
 with subtest("Test download from S3"):
 client.succeed(
 "env AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey} "
- + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url http://nextcloud:9000 "
- + "--region us-east-1"
+ + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url https://acme.test "
+ + "--region us-east-1 --ca-bundle /etc/ssl/certs/ca-bundle.crt"
 )
 client.succeed("test hi = $(cat test)")
 
diff --git a/pkgs/servers/nextcloud/default.nix b/pkgs/servers/nextcloud/default.nix
index 31c253cbb62e..b9e36faa4446 100644
--- a/pkgs/servers/nextcloud/default.nix
+++ b/pkgs/servers/nextcloud/default.nix
@@ -3,6 +3,8 @@
 stdenvNoCC,
 fetchurl,
 nixosTests,
+ cacert,
+ caBundle ? "${cacert}/etc/ssl/certs/ca-bundle.crt",
 nextcloud30Packages,
 nextcloud31Packages,
 }:
@@ -32,6 +34,10 @@ let
 inherit packages;
 };
 
+ postPatch = ''
+ cp ${caBundle} resources/config/ca-bundle.crt
+ '';
+
 installPhase = ''
 runHook preInstall
 mkdir -p $out/
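Review bot: `cp ${caBundle} resources/config/ca-bundle.crt` in the new `postPatch` silently replaces a file that Nextcloud ships under its core signature, so the packaged tree will no longer match upstream's signature.json; the NixOS module's `integrity.check.disabled` presumably exists for that reason, but nothing in the package records the coupling. Suggest a comment above `postPatch`: `# Replace the vendored Mozilla bundle with caBundle (defaults to cacert; the NixOS module overrides it with the system bundle) so Nextcloud's HTTP client trusts the same CAs as the host. This file is covered by Nextcloud's core integrity signature, which the NixOS module therefore disables.` Since `caBundle` defaults to the string `"${cacert}/etc/ssl/certs/ca-bundle.crt"` in the hunk above, an override that passes a derivation rather than a file path would make this `cp` fail on a directory, which is worth naming in a comment on that argument as well.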