author | Maximilian Bosch <maximilian@mbosch.me> | 2023-10-13 16:40:40 +0200 |
committer | GitHub <noreply@github.com> | 2023-10-13 16:40:40 +0200 |
commit | 35f6dbe7fc8c1f8f0535006c63dd62014f99ee97 (patch) | |
tree | 85ce58169a0b5b08a48a9bdb016afb88f3ed6412 /nixos | |
parent | 5bdf6eccd7509040429383523a0cc9abdaf49508 (diff) | |
parent | 391a1245b6d9b04abb8c42d9145593a15e4e2d56 (diff) | |
Merge pull request #259967 from Ma27/nextcloud-cleanups
nextcloud: 27.1.0 -> 27.1.2, update nginx, drop nextcloud25
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2211.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.md | 8 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/nextcloud.nix | 122 | ||||
-rw-r--r-- | nixos/tests/nextcloud/default.nix | 6 | ||||
-rw-r--r-- | nixos/tests/nextcloud/openssl-sse.nix | 109 |
5 files changed, 45 insertions, 202 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 97a305573501..37079c20967b 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -130,7 +130,7 @@ In addition to numerous new and upgraded packages, this release includes the fol don't lose access to their files. In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting - [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. + `services.nextcloud.enableBrokenCiphersForSSE` to `false`. - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through diff --git a/nixos/modules/services/web-apps/nextcloud.md b/nixos/modules/services/web-apps/nextcloud.md index cbd7b5b3d066..a25bed30e47f 100644 --- a/nixos/modules/services/web-apps/nextcloud.md +++ b/nixos/modules/services/web-apps/nextcloud.md 
@@ -119,13 +119,7 @@ Auto updates for Nextcloud apps can be enabled using - **Server-side encryption.** Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html). This is not an end-to-end encryption, but can be used to encrypt files that will be persisted - to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 - for PHP's openssl extension and **Nextcloud 25 or older** because this is implemented using the - legacy cipher RC4. For Nextcloud26 this isn't relevant anymore, because Nextcloud has an RC4 implementation - written in native PHP and thus doesn't need `ext-openssl` for that anymore. - If [](#opt-system.stateVersion) is *above* `22.05`, - this is disabled by default. To turn it on again and for further information please refer to - [](#opt-services.nextcloud.enableBrokenCiphersForSSE). + to external storage such as S3. ## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd} diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index e0a7e7d4859c..f9713cac47e9 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix 
@@ -27,13 +27,7 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: - (with all; - # disable default openssl extension - (lib.filter (e: e.pname != "php-openssl") enabled) - # use OpenSSL 1.1 for RC4 Nextcloud encryption if user - # has acknowledged the brokenness of the ciphers (RC4). - # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. - ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) + (with all; enabled ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -66,6 +60,9 @@ let mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql"; pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql"; + # https://github.com/nextcloud/documentation/pull/11179 + ocmProviderIsNotAStaticDirAnymore = versionAtLeast cfg.package.version "27.1.2"; + in { imports = [ @@ -87,6 +84,10 @@ in { Further details about this can be found in the `Nextcloud`-section of the NixOS-manual (which can be opened e.g. by running `nixos-help`). '') + (mkRemovedOptionModule [ "services" "nextcloud" "enableBrokenCiphersForSSE" ] '' + This option has no effect since there's no supported Nextcloud version packaged here + using OpenSSL for RC4 SSE. + '') (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' Use services.nextcloud.enableImagemagick instead. '') 
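Review bot: `ocmProviderIsNotAStaticDirAnymore` in the `@@ -66` hunk is a negated name, and both use sites in the later `@@ -1164` and `@@ -1188` hunks negate it again as `!ocmProviderIsNotAStaticDirAnymore`, which is the double negative a reader has to untangle on every `optionalString`. A positive predicate reads directly: `ocmProviderIsStaticDir = versionOlder cfg.package.version "27.1.2";` with `optionalString ocmProviderIsStaticDir "m"` and `optionalString ocmProviderIsStaticDir "|ocm-provider"`. The bare documentation PR URL is also the only explanation in-tree; a one-line summary such as `# from 27.1.2 on, ocm-provider is no longer a static directory and is routed through index.php like the other endpoints` would save the next maintainer a lookup. The surrounding `let` binding group starts before this hunk.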
@@ -95,39 +96,6 @@ in { options.services.nextcloud = { enable = mkEnableOption (lib.mdDoc "nextcloud"); - enableBrokenCiphersForSSE = mkOption { - type = types.bool; - default = versionOlder stateVersion "22.11"; - defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; - description = lib.mdDoc '' - This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 - rather than latest OpenSSL (≥ 3), this is not recommended unless you need - it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is - considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). - - This cipher has been disabled in OpenSSL ≥ 3 and requires - a specific legacy profile to re-enable it. - - If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have - server-side encryption configured, you will not be able to access - your files anymore. Enabling this option can restore access to your files. - Upon testing we didn't encounter any data corruption when turning - this on and off again, but this cannot be guaranteed for - each Nextcloud installation. - - It is `true` by default for systems with a [](#opt-system.stateVersion) below - `22.11` to make sure that existing installations won't break on update. On newer - NixOS systems you have to explicitly enable it on your own. - - Please note that this only provides additional value when using - external storage such as S3 since it's not an end-to-end encryption. - If this is not the case, - it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. - - In the future, Nextcloud may move to AES-256-GCM, by then, - this option will be removed. - ''; - }; hostName = mkOption { type = types.str; description = lib.mdDoc "FQDN for the nextcloud instance."; 
@@ -225,7 +193,7 @@ in { package = mkOption { type = types.package; description = lib.mdDoc "Which package to use for the Nextcloud instance."; - relatedPackages = [ "nextcloud25" "nextcloud26" "nextcloud27" ]; + relatedPackages = [ "nextcloud26" "nextcloud27" ]; }; phpPackage = mkOption { type = types.package; @@ -740,28 +708,7 @@ in { '') ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05")) - ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")) - ++ (optional cfg.enableBrokenCiphersForSSE '' - You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. - This is only necessary if you're using Nextcloud's server-side encryption. - Please keep in mind that it's using the broken RC4 cipher. - - If you don't use that feature, you can switch to OpenSSL 3 and get - rid of this warning by declaring - - services.nextcloud.enableBrokenCiphersForSSE = false; - - If you need to use server-side encryption you can ignore this warning. - Otherwise you'd have to disable server-side encryption first in order - to be able to safely disable this option and get rid of this warning. - See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this. - - For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 - '') - ++ (optional (cfg.enableBrokenCiphersForSSE && versionAtLeast cfg.package.version "26") '' - Nextcloud26 supports RC4 without requiring legacy OpenSSL, so - `services.nextcloud.enableBrokenCiphersForSSE` can be set to `false`. - ''); + ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")); services.nextcloud.package = with pkgs; mkDefault ( 
@@ -1136,10 +1083,6 @@ in { } ''; }; - "/" = { - priority = 900; - extraConfig = "rewrite ^ /index.php;"; - }; "~ ^/store-apps" = { priority = 201; extraConfig = "root ${cfg.home};"; @@ -1164,15 +1107,23 @@ in { try_files $uri $uri/ =404; ''; }; - "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = '' - return 404; - ''; - "~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = '' - return 404; - ''; - "~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = { + "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = { + priority = 450; + extraConfig = '' + return 404; + ''; + }; + "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = { + priority = 450; + extraConfig = '' + return 404; + ''; + }; + "~ \\.php(?:$|/)" = { priority = 500; extraConfig = '' + # legacy support (i.e. static files and directories in cfg.package) + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[s${optionalString (!ocmProviderIsNotAStaticDirAnymore) "m"}]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; include ${config.services.nginx.package}/conf/fastcgi.conf; fastcgi_split_path_info ^(.+?\.php)(\\/.*)$; set $path_info $fastcgi_path_info; 
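Review bot: The `~ \\.php(?:$|/)` location at the end of the second hunk now matches every `.php` URI, so the negative-lookahead `rewrite ... /index.php$request_uri;` beneath it is what keeps scripts outside the allowlist from being handed to fastcgi directly, where the removed regex did that at location level, and the two 404 blocks above it only shield `config`, `data`, `lib` and friends because their `priority = 450` sorts them ahead of 500. The new dotfile block `~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)` also drops the old `(?!well-known)` exception, so `/.well-known/` now relies on a `^~ /.well-known` location outside this hunk taking precedence (nginx prefers a `^~` prefix match over regex locations, so that holds if such a block exists). The existing comment `# legacy support (i.e. static files and directories in cfg.package)` undersells this; I would write `# Only allowlisted scripts are executed directly; every other .php URI is rewritten to index.php. The 404 locations above must keep a lower priority than this one.` The enclosing `locations` attrset starts before the first hunk and ends after the second.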
@@ -1188,19 +1139,30 @@ in { fastcgi_read_timeout ${builtins.toString cfg.fastcgiTimeout}s; ''; }; - "~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = '' + "~ \\.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|tflite|map|html|ttf|bcmap|mp4|webm)$".extraConfig = '' try_files $uri /index.php$request_uri; expires 6M; access_log off; + location ~ \.wasm$ { + default_type application/wasm; + } ''; - "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' + "~ ^\\/(?:updater|ocs-provider${optionalString (!ocmProviderIsNotAStaticDirAnymore) "|ocm-provider"})(?:$|\\/)".extraConfig = '' try_files $uri/ =404; index index.php; ''; - "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' - try_files $uri /index.php$request_uri; - access_log off; - ''; + "/remote" = { + priority = 1500; + extraConfig = '' + return 301 /remote.php$request_uri; + ''; + }; + "/" = { + priority = 1600; + extraConfig = '' + try_files $uri $uri/ /index.php$request_uri; + ''; + }; }; extraConfig = '' index index.php index.html /index.php$request_uri; diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index b9f35b398cfe..19d04b28b4f9 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix @@ -8,10 +8,6 @@ with pkgs.lib; foldl (matrix: ver: matrix // { "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; - "openssl-sse${toString ver}" = import ./openssl-sse.nix { - inherit system pkgs; - nextcloudVersion = ver; - }; "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { inherit system pkgs; nextcloudVersion = ver; @@ -26,4 +22,4 @@ foldl }; }) { } - [ 25 26 27 ] + [ 26 27 ] diff --git a/nixos/tests/nextcloud/openssl-sse.nix b/nixos/tests/nextcloud/openssl-sse.nix deleted file mode 100644 index d6ea39c6155a..000000000000 --- a/nixos/tests/nextcloud/openssl-sse.nix +++ /dev/null 
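Review bot: The `tests/nextcloud/default.nix` hunks drop `openssl-sse.nix` and the 25 entry, but nothing in the matrix exercises the reworked nginx routing that lands in the same commit (the `.php` rewrite, the `priority = 450` 404 blocks, the new `/remote` redirect and the `/` fallback). Since `basic.nix` is still instantiated for 26 and 27, a handful of assertions there would pin the access-control behaviour, e.g. `curl -sS -o /dev/null -w '%{http_code}' http://<host>/config/` and `.../data/` returning `404`, `/remote` answering `301` to `/remote.php`, and `/.well-known/` still being reachable rather than caught by the dotfile block. The `ocmProviderIsNotAStaticDirAnymore` branch is also untested for 27.1.2, where `/ocm-provider/...` must now be served through index.php instead of `try_files $uri/ =404`. The `foldl` expression these hunks edit starts and ends outside the visible lines.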
@@ -1,109 +0,0 @@ -args@{ pkgs, nextcloudVersion ? 25, ... }: - -(import ../make-test-python.nix ({ pkgs, ...}: let - adminuser = "root"; - adminpass = "notproduction"; - nextcloudBase = { - networking.firewall.allowedTCPPorts = [ 80 ]; - system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default - services.nextcloud = { - enable = true; - config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; - database.createLocally = true; - package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; - }; - }; -in { - name = "nextcloud-openssl"; - meta = with pkgs.lib.maintainers; { - maintainers = [ ma27 ]; - }; - nodes.nextcloudwithopenssl1 = { - imports = [ nextcloudBase ]; - services.nextcloud.hostName = "nextcloudwithopenssl1"; - }; - nodes.nextcloudwithopenssl3 = { - imports = [ nextcloudBase ]; - services.nextcloud = { - hostName = "nextcloudwithopenssl3"; - enableBrokenCiphersForSSE = false; - }; - }; - testScript = { nodes, ... }: let - withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' - #!${pkgs.runtimeShell} - export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav - export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/dav/files/${adminuser}" - export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" - export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" - export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" - "''${@}" - ''; - withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; - withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; - copySharedFile1 = pkgs.writeScript "copy-shared-file" '' - #!${pkgs.runtimeShell} - echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file - ''; - copySharedFile3 = pkgs.writeScript "copy-shared-file" '' - #!${pkgs.runtimeShell} - echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 - ''; - openssl1-node = nodes.nextcloudwithopenssl1.system.build.toplevel; - openssl3-node = 
nodes.nextcloudwithopenssl3.system.build.toplevel; - in '' - nextcloudwithopenssl1.start() - nextcloudwithopenssl1.wait_for_unit("multi-user.target") - nextcloudwithopenssl1.succeed("nextcloud-occ status") - nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") - nextcloud_version = ${toString nextcloudVersion} - - with subtest("With OpenSSL 1 SSE can be enabled and used"): - nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") - nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") - - with subtest("Upload file and ensure it's encrypted"): - nextcloudwithopenssl1.succeed("${copySharedFile1}") - nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") - nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") - - with subtest("Switch to OpenSSL 3"): - nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") - nextcloudwithopenssl1.wait_for_open_port(80) - nextcloudwithopenssl1.succeed("nextcloud-occ status") - - with subtest("Existing encrypted files cannot be read, but new files can be added"): - # This will succeed starting NC26 because of their custom implementation of openssl_seal - read_existing_file_test = nextcloudwithopenssl1.fail if nextcloud_version < 26 else nextcloudwithopenssl1.succeed - read_existing_file_test("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") - nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") - nextcloudwithopenssl1.succeed("${copySharedFile3}") - nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") - nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") - - with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): - 
nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") - nextcloudwithopenssl1.wait_for_open_port(80) - nextcloudwithopenssl1.succeed("nextcloud-occ status") - nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") - nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") - nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") - nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") - nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") - - with subtest("Ensure that everything can be decrypted"): - nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") - nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") - nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") - nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") - - with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): - nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") - nextcloudwithopenssl1.wait_for_open_port(80) - nextcloudwithopenssl1.succeed("nextcloud-occ status") - nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") - nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") - - nextcloudwithopenssl1.shutdown() - ''; -})) args |