movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

Merge pull request #259967 from Ma27/nextcloud-cleanups

Browse source 
nextcloud: 27.1.0 -> 27.1.2, update nginx, drop nextcloud25
This commit is contained in:
Maximilian Bosch 2023-10-13 16:40:40 +02:00 committed by GitHub
commit 35f6dbe7fc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 87 additions and 700 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2211.section.md
View file

@ -130,7 +130,7 @@ In addition to numerous new and upgraded packages, this release includes the fol
don't lose access to their files.
In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting
[](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.
`services.nextcloud.enableBrokenCiphersForSSE` to `false`.
- The `coq` package and versioned variants starting at `coq_8_14` no
longer include CoqIDE, which is now available through

8
nixos/modules/services/web-apps/nextcloud.md
View file

@ -119,13 +119,7 @@ Auto updates for Nextcloud apps can be enabled using
- **Server-side encryption.**
Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html).
This is not an end-to-end encryption, but can be used to encrypt files that will be persisted
to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3
for PHP's openssl extension and **Nextcloud 25 or older** because this is implemented using the
legacy cipher RC4. For Nextcloud26 this isn't relevant anymore, because Nextcloud has an RC4 implementation
written in native PHP and thus doesn't need `ext-openssl` for that anymore.
If [](#opt-system.stateVersion) is *above* `22.05`,
this is disabled by default. To turn it on again and for further information please refer to
[](#opt-services.nextcloud.enableBrokenCiphersForSSE).
to external storage such as S3.
## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd}

122
nixos/modules/services/web-apps/nextcloud.nix
View file

@ -27,13 +27,7 @@ let
phpPackage = cfg.phpPackage.buildEnv {
extensions = { enabled, all }:
(with all;
# disable default openssl extension
(lib.filter (e: e.pname != "php-openssl") enabled)
# use OpenSSL 1.1 for RC4 Nextcloud encryption if user
# has acknowledged the brokenness of the ciphers (RC4).
# TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.
++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ])
(with all; enabled
++ optional cfg.enableImagemagick imagick
# Optionally enabled depending on caching settings
++ optional cfg.caching.apcu apcu
@ -66,6 +60,9 @@ let
mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql";
pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql";
# https://github.com/nextcloud/documentation/pull/11179
ocmProviderIsNotAStaticDirAnymore = versionAtLeast cfg.package.version "27.1.2";
in {
imports = [
@ -87,6 +84,10 @@ in {
Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
(which can be opened e.g. by running `nixos-help`).
'')
(mkRemovedOptionModule [ "services" "nextcloud" "enableBrokenCiphersForSSE" ] ''
This option has no effect since there's no supported Nextcloud version packaged here
using OpenSSL for RC4 SSE.
'')
(mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] ''
Use services.nextcloud.enableImagemagick instead.
'')
@ -95,39 +96,6 @@ in {
options.services.nextcloud = {
enable = mkEnableOption (lib.mdDoc "nextcloud");
enableBrokenCiphersForSSE = mkOption {
type = types.bool;
default = versionOlder stateVersion "22.11";
defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";
description = lib.mdDoc ''
This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1
rather than latest OpenSSL ( 3), this is not recommended unless you need
it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is
considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465).
This cipher has been disabled in OpenSSL 3 and requires
a specific legacy profile to re-enable it.
If you deploy Nextcloud using OpenSSL  3 for PHP and have
server-side encryption configured, you will not be able to access
your files anymore. Enabling this option can restore access to your files.
Upon testing we didn't encounter any data corruption when turning
this on and off again, but this cannot be guaranteed for
each Nextcloud installation.
It is `true` by default for systems with a [](#opt-system.stateVersion) below
`22.11` to make sure that existing installations won't break on update. On newer
NixOS systems you have to explicitly enable it on your own.
Please note that this only provides additional value when using
external storage such as S3 since it's not an end-to-end encryption.
If this is not the case,
it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`.
In the future, Nextcloud may move to AES-256-GCM, by then,
this option will be removed.
'';
};
hostName = mkOption {
type = types.str;
description = lib.mdDoc "FQDN for the nextcloud instance.";
@ -225,7 +193,7 @@ in {
package = mkOption {
type = types.package;
description = lib.mdDoc "Which package to use for the Nextcloud instance.";
relatedPackages = [ "nextcloud25" "nextcloud26" "nextcloud27" ];
relatedPackages = [ "nextcloud26" "nextcloud27" ];
};
phpPackage = mkOption {
type = types.package;
@ -740,28 +708,7 @@ in {
'')
++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11"))
++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05"))
++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"))
++ (optional cfg.enableBrokenCiphersForSSE ''
You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud.
This is only necessary if you're using Nextcloud's server-side encryption.
Please keep in mind that it's using the broken RC4 cipher.
If you don't use that feature, you can switch to OpenSSL 3 and get
rid of this warning by declaring
services.nextcloud.enableBrokenCiphersForSSE = false;
If you need to use server-side encryption you can ignore this warning.
Otherwise you'd have to disable server-side encryption first in order
to be able to safely disable this option and get rid of this warning.
See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.
For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470
'')
++ (optional (cfg.enableBrokenCiphersForSSE && versionAtLeast cfg.package.version "26") ''
Nextcloud26 supports RC4 without requiring legacy OpenSSL, so
`services.nextcloud.enableBrokenCiphersForSSE` can be set to `false`.
'');
++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"));
services.nextcloud.package = with pkgs;
mkDefault (
@ -1136,10 +1083,6 @@ in {
}
'';
};
"/" = {
priority = 900;
extraConfig = "rewrite ^ /index.php;";
};
"~ ^/store-apps" = {
priority = 201;
extraConfig = "root ${cfg.home};";
@ -1164,15 +1107,23 @@ in {
try_files $uri $uri/ =404;
'';
};
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
return 404;
'';
"~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = ''
return 404;
'';
"~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = {
priority = 450;
extraConfig = ''
return 404;
'';
};
"~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
priority = 450;
extraConfig = ''
return 404;
'';
};
"~ \\.php(?:$|/)" = {
priority = 500;
extraConfig = ''
# legacy support (i.e. static files and directories in cfg.package)
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[s${optionalString (!ocmProviderIsNotAStaticDirAnymore) "m"}]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
set $path_info $fastcgi_path_info;
@ -1188,19 +1139,30 @@ in {
fastcgi_read_timeout ${builtins.toString cfg.fastcgiTimeout}s;
'';
};
"~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = ''
"~ \\.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|tflite|map|html|ttf|bcmap|mp4|webm)$".extraConfig = ''
try_files $uri /index.php$request_uri;
expires 6M;
access_log off;
location ~ \.wasm$ {
default_type application/wasm;
}
'';
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
"~ ^\\/(?:updater|ocs-provider${optionalString (!ocmProviderIsNotAStaticDirAnymore) "|ocm-provider"})(?:$|\\/)".extraConfig = ''
try_files $uri/ =404;
index index.php;
'';
"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
try_files $uri /index.php$request_uri;
access_log off;
'';
"/remote" = {
priority = 1500;
extraConfig = ''
return 301 /remote.php$request_uri;
'';
};
"/" = {
priority = 1600;
extraConfig = ''
try_files $uri $uri/ /index.php$request_uri;
'';
};
};
extraConfig = ''
index index.php index.html /index.php$request_uri;

6
nixos/tests/nextcloud/default.nix
View file

@ -8,10 +8,6 @@ with pkgs.lib;
foldl
(matrix: ver: matrix // {
"basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; };
"openssl-sse${toString ver}" = import ./openssl-sse.nix {
inherit system pkgs;
nextcloudVersion = ver;
};
"with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix {
inherit system pkgs;
nextcloudVersion = ver;
@ -26,4 +22,4 @@ foldl
};
})
{ }
[ 25 26 27 ]
[ 26 27 ]

109
nixos/tests/nextcloud/openssl-sse.nix
View file

@ -1,109 +0,0 @@
args@{ pkgs, nextcloudVersion ? 25, ... }:
(import ../make-test-python.nix ({ pkgs, ...}: let
adminuser = "root";
adminpass = "notproduction";
nextcloudBase = {
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default
services.nextcloud = {
enable = true;
config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}";
database.createLocally = true;
package = pkgs.${"nextcloud" + (toString nextcloudVersion)};
};
};
in {
name = "nextcloud-openssl";
meta = with pkgs.lib.maintainers; {
maintainers = [ ma27 ];
};
nodes.nextcloudwithopenssl1 = {
imports = [ nextcloudBase ];
services.nextcloud.hostName = "nextcloudwithopenssl1";
};
nodes.nextcloudwithopenssl3 = {
imports = [ nextcloudBase ];
services.nextcloud = {
hostName = "nextcloudwithopenssl3";
enableBrokenCiphersForSSE = false;
};
};
testScript = { nodes, ... }: let
withRcloneEnv = host: pkgs.writeScript "with-rclone-env" ''
#!${pkgs.runtimeShell}
export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/dav/files/${adminuser}"
export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"
export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"
"''${@}"
'';
withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1";
withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3";
copySharedFile1 = pkgs.writeScript "copy-shared-file" ''
#!${pkgs.runtimeShell}
echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file
'';
copySharedFile3 = pkgs.writeScript "copy-shared-file" ''
#!${pkgs.runtimeShell}
echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2
'';
openssl1-node = nodes.nextcloudwithopenssl1.system.build.toplevel;
openssl3-node = nodes.nextcloudwithopenssl3.system.build.toplevel;
in ''
nextcloudwithopenssl1.start()
nextcloudwithopenssl1.wait_for_unit("multi-user.target")
nextcloudwithopenssl1.succeed("nextcloud-occ status")
nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")
nextcloud_version = ${toString nextcloudVersion}
with subtest("With OpenSSL 1 SSE can be enabled and used"):
nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
with subtest("Upload file and ensure it's encrypted"):
nextcloudwithopenssl1.succeed("${copySharedFile1}")
nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
with subtest("Switch to OpenSSL 3"):
nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
nextcloudwithopenssl1.wait_for_open_port(80)
nextcloudwithopenssl1.succeed("nextcloud-occ status")
with subtest("Existing encrypted files cannot be read, but new files can be added"):
# This will succeed starting NC26 because of their custom implementation of openssl_seal
read_existing_file_test = nextcloudwithopenssl1.fail if nextcloud_version < 26 else nextcloudwithopenssl1.succeed
read_existing_file_test("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2")
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")
nextcloudwithopenssl1.succeed("${copySharedFile3}")
nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):
nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test")
nextcloudwithopenssl1.wait_for_open_port(80)
nextcloudwithopenssl1.succeed("nextcloud-occ status")
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
with subtest("Ensure that everything can be decrypted"):
nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):
nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
nextcloudwithopenssl1.wait_for_open_port(80)
nextcloudwithopenssl1.succeed("nextcloud-occ status")
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
nextcloudwithopenssl1.shutdown()
'';
})) args