From efc5c80e18def8a81f06e1da8bd584f3fa8a5ab8 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 7 Oct 2023 16:16:42 +0200 Subject: nextcloud25: remove EOL of Nextcloud v25 is scheduled by the end of this month. --- nixos/modules/services/web-apps/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/web-apps') diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index e0a7e7d4859c..5f09179faed8 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -225,7 +225,7 @@ in { package = mkOption { type = types.package; description = lib.mdDoc "Which package to use for the Nextcloud instance."; - relatedPackages = [ "nextcloud25" "nextcloud26" "nextcloud27" ]; + relatedPackages = [ "nextcloud26" "nextcloud27" ]; }; phpPackage = mkOption { type = types.package; -- cgit 1.4.1 From 8702ae01109216bddb9b05e3dae2fe6fb15ce117 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Mon, 9 Oct 2023 10:47:17 +0200 Subject: nixos/nextcloud: drop enableBrokenCiphersForSSE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🎉 --- nixos/doc/manual/release-notes/rl-2211.section.md | 2 +- nixos/modules/services/web-apps/nextcloud.md | 8 +-- nixos/modules/services/web-apps/nextcloud.nix | 68 ++--------------------- 3 files changed, 8 insertions(+), 70 deletions(-) (limited to 'nixos/modules/services/web-apps') diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 97a305573501..37079c20967b 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -130,7 +130,7 @@ In addition to numerous new and upgraded packages, this release includes the fol don't lose access to their files. In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting - [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. + `services.nextcloud.enableBrokenCiphersForSSE` to `false`. - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through diff --git a/nixos/modules/services/web-apps/nextcloud.md b/nixos/modules/services/web-apps/nextcloud.md index cbd7b5b3d066..a25bed30e47f 100644 --- a/nixos/modules/services/web-apps/nextcloud.md +++ b/nixos/modules/services/web-apps/nextcloud.md @@ -119,13 +119,7 @@ Auto updates for Nextcloud apps can be enabled using - **Server-side encryption.** Nextcloud supports [server-side encryption (SSE)](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html). This is not an end-to-end encryption, but can be used to encrypt files that will be persisted - to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 - for PHP's openssl extension and **Nextcloud 25 or older** because this is implemented using the - legacy cipher RC4. For Nextcloud26 this isn't relevant anymore, because Nextcloud has an RC4 implementation - written in native PHP and thus doesn't need `ext-openssl` for that anymore. - If [](#opt-system.stateVersion) is *above* `22.05`, - this is disabled by default. To turn it on again and for further information please refer to - [](#opt-services.nextcloud.enableBrokenCiphersForSSE). + to external storage such as S3. ## Using an alternative webserver as reverse-proxy (e.g. `httpd`) {#module-services-nextcloud-httpd} diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 5f09179faed8..241b2b9b8216 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -27,13 +27,7 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: - (with all; - # disable default openssl extension - (lib.filter (e: e.pname != "php-openssl") enabled) - # use OpenSSL 1.1 for RC4 Nextcloud encryption if user - # has acknowledged the brokenness of the ciphers (RC4). - # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. - ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) + (with all; enabled ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu @@ -87,6 +81,10 @@ in { Further details about this can be found in the `Nextcloud`-section of the NixOS-manual (which can be opened e.g. by running `nixos-help`). '') + (mkRemovedOptionModule [ "services" "nextcloud" "enableBrokenCiphersForSSE" ] '' + This option has no effect since there's no supported Nextcloud version packaged here + using OpenSSL for RC4 SSE. + '') (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] '' Use services.nextcloud.enableImagemagick instead. '') @@ -95,39 +93,6 @@ in { options.services.nextcloud = { enable = mkEnableOption (lib.mdDoc "nextcloud"); - enableBrokenCiphersForSSE = mkOption { - type = types.bool; - default = versionOlder stateVersion "22.11"; - defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; - description = lib.mdDoc '' - This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 - rather than latest OpenSSL (≥ 3), this is not recommended unless you need - it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is - considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). - - This cipher has been disabled in OpenSSL ≥ 3 and requires - a specific legacy profile to re-enable it. - - If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have - server-side encryption configured, you will not be able to access - your files anymore. Enabling this option can restore access to your files. - Upon testing we didn't encounter any data corruption when turning - this on and off again, but this cannot be guaranteed for - each Nextcloud installation. - - It is `true` by default for systems with a [](#opt-system.stateVersion) below - `22.11` to make sure that existing installations won't break on update. On newer - NixOS systems you have to explicitly enable it on your own. - - Please note that this only provides additional value when using - external storage such as S3 since it's not an end-to-end encryption. - If this is not the case, - it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. - - In the future, Nextcloud may move to AES-256-GCM, by then, - this option will be removed. - ''; - }; hostName = mkOption { type = types.str; description = lib.mdDoc "FQDN for the nextcloud instance."; @@ -740,28 +705,7 @@ in { '') ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05")) - ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")) - ++ (optional cfg.enableBrokenCiphersForSSE '' - You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. - This is only necessary if you're using Nextcloud's server-side encryption. - Please keep in mind that it's using the broken RC4 cipher. - - If you don't use that feature, you can switch to OpenSSL 3 and get - rid of this warning by declaring - - services.nextcloud.enableBrokenCiphersForSSE = false; - - If you need to use server-side encryption you can ignore this warning. - Otherwise you'd have to disable server-side encryption first in order - to be able to safely disable this option and get rid of this warning. - See on how to achieve this. - - For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 - '') - ++ (optional (cfg.enableBrokenCiphersForSSE && versionAtLeast cfg.package.version "26") '' - Nextcloud26 supports RC4 without requiring legacy OpenSSL, so - `services.nextcloud.enableBrokenCiphersForSSE` can be set to `false`. - ''); + ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11")); services.nextcloud.package = with pkgs; mkDefault ( -- cgit 1.4.1 From ad57ad1ff5de0ce095d9627ce5ce70c318dd3881 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Mon, 9 Oct 2023 11:27:40 +0200 Subject: nixos/nextcloud: update / clean up the nginx configuration First of all, a few cleanups were made to make it more readable: * Reordered the sections by their priority so what you're reading in Nix is also what you get in the final nginx.conf. * Unified media/asset locations Most notably, this fixes the Your web server is not properly set up to resolve "/ocm-provider/". warning since 27.1.2 where `ocm-provider` was moved from a static directory in the source tarball to a dynamic HTTP route[1]. Additionally, the following things were fixed: * The 404 checks for build/tests/etc. are now guaranteed to be before the `.php` location match and it's not implicitly relied upon Nix's internal attribute sorting anymore. * `.wasm` files are supported properly and a correct `Content-Type` is set. * For "legacy" routes (e.g. `ocs-provider`/`cron`/etc) a `rewrite` rule inside the location for fastcgi is used as recommended by upstream[2]. This also makes it easier to understand the purpose of the location itself (i.e. use fastcgi for PHP code). [1] https://github.com/nextcloud/documentation/pull/11179 [2] https://docs.nextcloud.com/server/27/admin_manual/installation/nginx.html --- nixos/modules/services/web-apps/nextcloud.nix | 52 ++++++++++++++++++--------- 1 file changed, 35 insertions(+), 17 deletions(-) (limited to 'nixos/modules/services/web-apps') diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 241b2b9b8216..f9713cac47e9 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -60,6 +60,9 @@ let mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql"; pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql"; + # https://github.com/nextcloud/documentation/pull/11179 + ocmProviderIsNotAStaticDirAnymore = versionAtLeast cfg.package.version "27.1.2"; + in { imports = [ @@ -1080,10 +1083,6 @@ in { } ''; }; - "/" = { - priority = 900; - extraConfig = "rewrite ^ /index.php;"; - }; "~ ^/store-apps" = { priority = 201; extraConfig = "root ${cfg.home};"; @@ -1108,15 +1107,23 @@ in { try_files $uri $uri/ =404; ''; }; - "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = '' - return 404; - ''; - "~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = '' - return 404; - ''; - "~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = { + "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)" = { + priority = 450; + extraConfig = '' + return 404; + ''; + }; + "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = { + priority = 450; + extraConfig = '' + return 404; + ''; + }; + "~ \\.php(?:$|/)" = { priority = 500; extraConfig = '' + # legacy support (i.e. static files and directories in cfg.package) + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[s${optionalString (!ocmProviderIsNotAStaticDirAnymore) "m"}]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; include ${config.services.nginx.package}/conf/fastcgi.conf; fastcgi_split_path_info ^(.+?\.php)(\\/.*)$; set $path_info $fastcgi_path_info; @@ -1132,19 +1139,30 @@ in { fastcgi_read_timeout ${builtins.toString cfg.fastcgiTimeout}s; ''; }; - "~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = '' + "~ \\.(?:css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|tflite|map|html|ttf|bcmap|mp4|webm)$".extraConfig = '' try_files $uri /index.php$request_uri; expires 6M; access_log off; + location ~ \.wasm$ { + default_type application/wasm; + } ''; - "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' + "~ ^\\/(?:updater|ocs-provider${optionalString (!ocmProviderIsNotAStaticDirAnymore) "|ocm-provider"})(?:$|\\/)".extraConfig = '' try_files $uri/ =404; index index.php; ''; - "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' - try_files $uri /index.php$request_uri; - access_log off; - ''; + "/remote" = { + priority = 1500; + extraConfig = '' + return 301 /remote.php$request_uri; + ''; + }; + "/" = { + priority = 1600; + extraConfig = '' + try_files $uri $uri/ /index.php$request_uri; + ''; + }; }; extraConfig = '' index index.php index.html /index.php$request_uri; -- cgit 1.4.1