Follow-up on #169733
For `data`, Nextcloud checks on its own if everything is readable.
However, for `config` it's crucial that the ownership is actually
correct: otherwise, systemd-tmpfiles will refuse any operations inside
because of unsafe path transitions.
This can result in a subtly broken setup by the `override.config.php`
not being updated, but also not part of the system closure anymore
(another override.config.php is referenced now) which means it'll be
GCed eventually even though Nextcloud relies on it.
If this precondition is not met, the following error will be printed:
nextcloud-setup-start[972]: /var/lib/nextcloud/config is not owned by user 'nextcloud'!
nextcloud-setup-start[972]: Please check the logs via 'journalctl -u systemd-tmpfiles-setup'
nextcloud-setup-start[972]: and make sure there are no unsafe path transitions.
nextcloud-setup-start[972]: (https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)
There was a systemd-tmpfiles warning about not being able to remove the
'plugins' directory. Squash this warning through removal of unnecessary
systemd-tmpfiles options, and write a test for it.
Add the {option}`services.mattermost.pluginsBundle` option to allow
overriding the plugin directory and also using it for tests. Update
wording in option documentation so it is more clear.
Use formats.json instead of builtins.toJSON so module merging works.
Make the tests go faster by pipelining shutdowns of nodes.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
Previously, `http://` scheme was hard coded into the caddy config if
`webserver = "caddy"` was chosen. This is fine for local testing, but is
problematic if you want your nixos host to be public facing.
In the public facing case, you generally want to be using TLS. But since
the wordpress module generates the caddyfile rule, the user's nixos
config cannot easily change it to also allow https.
An alternative would be to reverse proxy an https rule to the generated
http rule, but that's somewhat questionable as there's not an internal
http endpoint to proxy to. It might be possible but I couldn't figure
it out.
So simplify by omitting the scheme. This causes caddy to use https by
default and 301 redirect any http requests to the https endpoint. Caddy
will just do the right thing if it's being hosted on a local/internal
hostname (self sign certificates).
This should be backwards compatible with previous default if users are
using reasonable browsers/tools.
Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
