Merge: Use cacert in Nextcloud (#406252)

nixos/modules/services/web-apps/nextcloud.nix

@@ -9,6 +9,11 @@ with lib;
 
 let
   cfg = config.services.nextcloud;
+
+  overridePackage = cfg.package.override {
+    inherit (config.security.pki) caBundle;
+  };
+
   fpm = config.services.phpfpm.pools.nextcloud;
 
   jsonFormat = pkgs.formats.json { };
@@ -51,13 +56,13 @@ let
   };
 
   webroot =
-    pkgs.runCommand "${cfg.package.name or "nextcloud"}-with-apps"
+    pkgs.runCommand "${overridePackage.name or "nextcloud"}-with-apps"
       {
         preferLocalBuild = true;
       }
       ''
         mkdir $out
-        ln -sfv "${cfg.package}"/* "$out"
+        ln -sfv "${overridePackage}"/* "$out"
         ${concatStrings (
           mapAttrsToList (
             name: store:
@@ -185,8 +190,8 @@ let
   mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql";
   pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql";
 
-  nextcloudGreaterOrEqualThan = versionAtLeast cfg.package.version;
+  nextcloudGreaterOrEqualThan = versionAtLeast overridePackage.version;
-  nextcloudOlderThan = versionOlder cfg.package.version;
+  nextcloudOlderThan = versionOlder overridePackage.version;
 
   # https://github.com/nextcloud/documentation/pull/11179
   ocmProviderIsNotAStaticDirAnymore =
@@ -1028,12 +1033,12 @@ in
           If you have an existing installation with a custom table prefix, make sure it is
           set correctly in `config.php` and remove the option from your NixOS config.
         '')
-        ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05"))
+        ++ (optional (versionOlder overridePackage.version "26") (upgradeWarning 25 "23.05"))
-        ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"))
+        ++ (optional (versionOlder overridePackage.version "27") (upgradeWarning 26 "23.11"))
-        ++ (optional (versionOlder cfg.package.version "28") (upgradeWarning 27 "24.05"))
+        ++ (optional (versionOlder overridePackage.version "28") (upgradeWarning 27 "24.05"))
-        ++ (optional (versionOlder cfg.package.version "29") (upgradeWarning 28 "24.11"))
+        ++ (optional (versionOlder overridePackage.version "29") (upgradeWarning 28 "24.11"))
-        ++ (optional (versionOlder cfg.package.version "30") (upgradeWarning 29 "24.11"))
+        ++ (optional (versionOlder overridePackage.version "30") (upgradeWarning 29 "24.11"))
-        ++ (optional (versionOlder cfg.package.version "31") (upgradeWarning 30 "25.05"));
+        ++ (optional (versionOlder overridePackage.version "31") (upgradeWarning 30 "25.05"));
 
       services.nextcloud.package =
         with pkgs;
@@ -1386,6 +1391,8 @@ in
             datadirectory = lib.mkDefault "${datadir}/data";
             trusted_domains = [ cfg.hostName ];
             "upgrade.disable-web" = true;
+            # NixOS already provides its own integrity check and the nix store is read-only, therefore Nextcloud does not need to do its own integrity checks.
+            "integrity.check.disabled" = true;
           })
           (lib.mkIf cfg.configureRedis {
             "memcache.distributed" = ''\OC\Memcache\Redis'';

nixos/tests/nextcloud/with-objectstore.nix

@@ -26,11 +26,13 @@ runTest (
 
     nodes = {
       nextcloud =
-        { config, pkgs, ... }:
         {
-          networking.firewall.allowedTCPPorts = [ 9000 ];
+          config,
-          environment.systemPackages = [ pkgs.minio-client ];
+          pkgs,
-
+          nodes,
+          ...
+        }:
+        {
           services.nextcloud.config.dbtype = "sqlite";
 
           services.nextcloud.config.objectstore.s3 = {
@@ -39,13 +41,66 @@ runTest (
             autocreate = true;
             key = accessKey;
             secretFile = "${pkgs.writeText "secretKey" secretKey}";
-            hostname = "nextcloud";
+            hostname = "acme.test";
-            useSsl = false;
+            useSsl = true;
-            port = 9000;
+            port = 443;
             usePathStyle = true;
             region = "us-east-1";
           };
 
+          security.pki.certificates = [
+            (builtins.readFile ../common/acme/server/ca.cert.pem)
+          ];
+
+          environment.systemPackages = [ pkgs.minio-client ];
+
+          # The dummy certs are for acme.test, so we pretend that's the FQDN
+          # of the minio VM.
+          networking.extraHosts = ''
+            ${nodes.minio.networking.primaryIPAddress} acme.test
+          '';
+        };
+
+      client =
+        { nodes, ... }:
+        {
+          security.pki.certificates = [
+            (builtins.readFile ../common/acme/server/ca.cert.pem)
+          ];
+          networking.extraHosts = ''
+            ${nodes.minio.networking.primaryIPAddress} acme.test
+          '';
+        };
+
+      minio =
+        { ... }:
+        {
+          security.pki.certificates = [
+            (builtins.readFile ../common/acme/server/ca.cert.pem)
+          ];
+
+          services.nginx = {
+            enable = true;
+            recommendedProxySettings = true;
+
+            virtualHosts."acme.test" = {
+              onlySSL = true;
+              sslCertificate = ../common/acme/server/acme.test.cert.pem;
+              sslCertificateKey = ../common/acme/server/acme.test.key.pem;
+              locations."/".proxyPass = "http://127.0.0.1:9000";
+            };
+          };
+
+          networking.extraHosts = ''
+            127.0.0.1 acme.test
+          '';
+
+          networking.firewall.allowedTCPPorts = [
+            9000
+            80
+            443
+          ];
+
           services.minio = {
             enable = true;
             listenAddress = "0.0.0.0:9000";
@@ -56,18 +111,22 @@ runTest (
     };
 
     test-helpers.init = ''
-      nextcloud.wait_for_open_port(9000)
+      minio.start()
+      minio.wait_for_open_port(9000)
+      minio.wait_for_unit("nginx.service")
+      minio.wait_for_open_port(443)
     '';
 
     test-helpers.extraTests =
       { nodes, ... }:
       ''
+
         with subtest("File is not on the filesystem"):
             nextcloud.succeed("test ! -e ${nodes.nextcloud.services.nextcloud.home}/data/root/files/test-shared-file")
 
         with subtest("Check if file is in S3"):
             nextcloud.succeed(
-                "mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4"
+                "mc config host add minio https://acme.test ${accessKey} ${secretKey} --api s3v4"
             )
             files = nextcloud.succeed('mc ls minio/nextcloud|sort').strip().split('\n')
 
@@ -100,8 +159,8 @@ runTest (
         with subtest("Test download from S3"):
             client.succeed(
                 "env AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey} "
-                + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url http://nextcloud:9000 "
+                + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url https://acme.test "
-                + "--region us-east-1"
+                + "--region us-east-1 --ca-bundle /etc/ssl/certs/ca-bundle.crt"
             )
 
             client.succeed("test hi = $(cat test)")

pkgs/servers/nextcloud/default.nix

@@ -3,6 +3,8 @@
   stdenvNoCC,
   fetchurl,
   nixosTests,
+  cacert,
+  caBundle ? "${cacert}/etc/ssl/certs/ca-bundle.crt",
   nextcloud30Packages,
   nextcloud31Packages,
 }:
@@ -32,6 +34,10 @@ let
         inherit packages;
       };
 
+      postPatch = ''
+        cp ${caBundle} resources/config/ca-bundle.crt
+      '';
+
       installPhase = ''
         runHook preInstall
         mkdir -p $out/