Nextcloud manages the CA bundle on its own by default, but we patch this
out and replace it with the system-wide bundle.
Since this was originally designed for the objectstore feature, this
test ensures that an S3 behind a reverse proxy with TLS and its own CA
works fine.
This patch adds support for using systemd's LoadCredential
feature to read in a json file at a path defined in the
services.nextcloud.secretFile option.
This is a follow up to 2ce1e84103.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
Currently failing with
error: cannot coerce a set to a string: { __functionArgs = «thunk»; __functor = «thunk»; }
This comes from the `extraTests` option I added to the test modules to
compose certain tests a little nicer. It's of type
either (functionTo ...) str
and it seems like the `functionTo` part now returns a functor (i.e. an
attr-set that can be invoked as function). This is caught by
`lib.isFunction`, but `builtins.isFunction` returns `false`.
Hence, switching to the former fixes this.
* Create a dedicated team. Before, information was inconsistent between
e.g. tests and package, module had none at all.
* Add maintainership from us to all trivially packaged apps. This is
only to make sure that we take care of them building and installing
and that's about it.
This patch changes the implementation of the subtests to
check for redis' cache being non empty to only run redis-cli
and jq in a shell and assert the returned length in python.
This fixes jq "len" simply not compiling and makes sure
regressions get noticed.
This patch adds a subtest and corresponding configuration to
with-declarative-redis-and-secrets to test for nextcloud notify_push
to be working, just as in with-postgresql-and-redis.
As notify_push needs to connect to the database, including it
in this test checks that it can read the dbpassFile properly.
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
Just noticed that I apparently disabled this test while restructuring
the Nextcloud tests[1] effectively disabling the test.
This patch re-adds it and adjusts the code accordingly.
I also noticed that the old check whether the cache is actually used
(`test "[]" = "$(redis-cli --json KEYS "*")"`) was broken because the
`nextcloud.fail()` hid the fact that the `redis-cli` invocation was
failing due to a missing password. Fixed the subtest accordingly.
[1] 0b31ada92b
Closes#320381
Installation with a custom dbtableprefix is not allowed anymore for a
while[1] and we shouldn't advertise it as such.
The option is deprecated for now since I'm not sure if there are some
weird corner-cases where removing the option directly would break
existing installations from before <20 with a custom dbtableprefix. The
migration-path for such a case is as follows:
* Check if /var/lib/nextcloud/config/config.php has the correct
dbtableprefix set and if not, take care of it.
* Remove `dbtableprefix` from the NixOS configuration. It's effectively
state anyways.
After a bit of time to switch (perhaps after the next release
branchoff), the option can be removed.
[1] https://github.com/nextcloud/server/issues/24836
The tests had very much duplication and some if it was even wrong! For
instance, `withRcloneEnv` in the MySQL test didn't have the `"$@"` at
the bottom to execute commands passed to it. Because of that, the MySQL
testcase never checked whether files can be uploaded.
Since tests are just another module-system I decided to abstract away
common things by using it:
* Define a base module with
* an empty `client` node and a `nextcloud` node with defaults
shared among all tests.
* rclone scripts that are used by all tests.
* a `testScript` checking upload/download. Additional checks can be
added via `test-helpers.extraTests`.
* Make common information such as admin user & password shared via
options.
Also, changed the following things:
* The `name` of the final derivation also includes the Nextcloud major
it was tested against.
* Improved the objecstore test by making sure the file was actually
uploaded into the bucket.
* Make sure `withRcloneEnv` actually invokes the command it gets as
`argv`. Until no, nothing was uploaded. This mistake was copied from
the MySQL test that appears to have the same issue (will be addressed
in the next commit).
* Test upload/download through with rclone once to see if Nextcloud
interaction with S3 works fine.
* Make sure we actually have something in the bucket (until now with an
`ls` and no real check, will do some larger cleanups and make this
better in the next commit).
* Use actual AWS-style access keys.
PR #277382 didn't fix just an issue with .mjs files for the `forms` app,
but an underlying, more problematic issue: for `/nix-apps` &
`/store-apps`, the fcgi config for PHP and the block for assets were
never reached.
That meant that e.g. `/nix-apps/notes/lib/AppInfo/Application.php`
returned the PHP source code as text/plain. Considering that there was
never a fundamental change to how this config's structure, I'm pretty
sure that the issue was pretty much there since the module exists.
After consulting the NixOS security team we agreed that this is most
likely harmless because you'd have to use private apps with secrets in
the raw PHP code of said app. However, this is still problematic because
one important assumption - that PHP code is never sent to the browser -
is broken which is why we decided on not mentioning this impact in the
previous PR from December 2023.
To make sure that we don't regress our nginx config, I decided to add
the reproducer which fails on 8bbbb228b4
as testcase to our integration tests.
Starting with Rclone v1.63, which is used in the Nextcloud tests for
synchronization, the client relies on the correct WebDAV endpoint url,
see https://github.com/rclone/rclone/issues/7103
* Ensure that the redis cache is actually used in the "trivial" case
(`with-postgresql-and-redis`)
* Test against all Nextcloud versions we've packaged
* Actually set a secret to make sure that the provided secret is
properly read by Nextcloud.
* Add myself as maintainer to the secret-test to make sure that I don't
miss any more changes like this that could break the functionality of
that feature.
It's supposed to be `memcache.distributed`, not an associative PHP array
named `memcache` with a key `distributed`.
This was probably never caught because the initial `grep -q` check in
the test was invalid: `redis-cli` prints nothing if no keys can be found
when not writing to a tty apparently.
