nixos/nextcloud: support SSE-C for S3 primary storage

Add configuration option to enable [server-side encryption with
customer-provided keys][1] (SSE-C) when using S3 as primary storage in
Nextcloud.

[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
Nicola Squartini 2023-02-22 18:57:07 +01:00
parent 3a558d658f
commit a2eeaddea2
No known key found for this signature in database
GPG key ID: C847B6AEB0544167
2 changed files with 24 additions and 0 deletions
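The commit message above says the new option points at a file holding a base64-encoded 32-byte key that must be readable by the `nextcloud` user. The following script, an added example that is not part of this nixpkgs commit, shows how an operator would create such a file with safe permissions and how to check an existing one before pointing `sseCKeyFile` at it. It assumes `openssl` and `base64` are on `PATH`, that `stat` is the GNU or BSD variant, and that the service user is `nextcloud` (the `chown` is skipped when no such user exists, e.g. on a CI runner); the target path used in the usage comment is the one from the option's `example`.

```bash
#!/usr/bin/env bash
# Added example, not part of the nixpkgs commit above: create and sanity-check
# the file that the new sseCKeyFile option points at. Assumptions: openssl and
# base64 are on PATH; stat is GNU or BSD; the service user is "nextcloud"
# (chown is skipped when that user does not exist, e.g. on a CI runner).
set -eu

# Write a fresh 32-byte (256-bit) key, base64-encoded, exactly as the option
# description recommends (openssl rand 32 | base64). The umask makes the file
# owner-only from the first byte, so the key is never briefly world-readable.
gen_sse_c_key() {
  local out="$1"
  mkdir -p "$(dirname "$out")"
  (umask 077; openssl rand 32 | base64 > "$out")
  if id nextcloud >/dev/null 2>&1; then
    chown nextcloud "$out"
  fi
  chmod 0400 "$out"
}

# Check that a key file is usable as an SSE-C key: it must exist, must not
# live in the world-readable Nix store, must not be group/world readable,
# and must decode to exactly 32 bytes. Returns 0 on success; on failure it
# prints the failing check and returns 1.
check_sse_c_key() {
  local f="$1" mode n
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  case "$f" in
    /nix/store/*) echo "key is in the Nix store (world-readable): $f"; return 1 ;;
  esac
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    400|600) ;;
    *) echo "permissions too open ($mode): $f"; return 1 ;;
  esac
  n=$(base64 -d "$f" 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = "32" ] || { echo "key decodes to $n bytes, expected 32: $f"; return 1; }
  return 0
}

# Usage (path taken from the option's example value):
#   gen_sse_c_key   /var/nextcloud-objectstore-s3-sse-c-key
#   check_sse_c_key /var/nextcloud-objectstore-s3-sse-c-key
```

The Nix store check matters because anything under `/nix/store` is readable by every local user; the length check matters because SSE-C requires a 256-bit key, and a file that decodes to any other length will be rejected by S3 rather than by NixOS at build time.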


@ -184,6 +184,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `mastodon` now supports connection to a remote `PostgreSQL` database.
- `nextcloud` has an option to enable SSE-C in S3.
- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.
Before upgrading, read the release notes for PeerTube:
- [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)
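Review bot: the added `nextcloud` release-note line should name the option and expand the acronym, since "an option to enable SSE-C in S3" tells the reader neither what to set nor what SSE-C is; the `mastodon` and `services.peertube` entries around it both name the affected setting. Suggested wording: "- `nextcloud` now supports server-side encryption with customer-provided keys (SSE-C) for S3 primary storage via the new `sseCKeyFile` option of the S3 objectstore settings."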


@ -514,6 +514,27 @@ in {
`http://hostname.domain/bucket` instead.
'';
};
sseCKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/nextcloud-objectstore-s3-sse-c-key";
description = lib.mdDoc ''
If provided this is the full path to a file that contains the key
to enable [server-side encryption with customer-provided keys][1]
(SSE-C).
The file must contain a random 32-byte key encoded as a base64
string, e.g. generated with the command
```
openssl rand 32 | base64
```
Must be readable by user `nextcloud`.
[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
'';
};
};
};
};
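Review bot: `type = types.nullOr types.path;` for `sseCKeyFile` accepts a Nix path literal such as `./sse-c-key`, which silently copies the key into the world-readable Nix store; the value is only ever interpolated into config.php as a string, so `types.nullOr types.str` would avoid that, and the description should state explicitly that the file must not live in the Nix store. Two smaller points on the description: `openssl rand 32 | base64` emits a trailing newline, so it should say whether that newline is tolerated by the reader of the file or must be stripped; and "Must be readable by user `nextcloud`" would be more useful as "must be readable by user `nextcloud` and by nobody else", since a key readable by other local users defeats the purpose of SSE-C.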
@ -773,6 +794,7 @@ in {
'use_ssl' => ${boolToString s3.useSsl},
${optionalString (s3.region != null) "'region' => '${s3.region}',"}
'use_path_style' => ${boolToString s3.usePathStyle},
${optionalString (s3.sseCKeyFile != null) "'sse_c_key' => nix_read_secret('${s3.sseCKeyFile}'),"}
],
]
'';
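Review bot: `'sse_c_key' => nix_read_secret('${s3.sseCKeyFile}')` splices the path into a single-quoted PHP string literal unescaped, so a path containing `'` or `\` yields a broken config.php that takes Nextcloud down at the next request. Escaping those two characters before interpolation, e.g. `nix_read_secret('${lib.escape [ "'" "\\" ] s3.sseCKeyFile}')`, keeps the literal well-formed for any path the option type admits.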