nixos/nextcloud: support SSE-C for S3 primary storage

Add configuration option to enable [server-side encryption with customer-provided keys][1] (SSE-C) when using S3 as primary storage in Nextcloud. [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
2023-02-22 18:57:07 +01:00 · 2023-02-22 18:57:07 +01:00 · a2eeaddea2
commit a2eeaddea2
parent 3a558d658f
2 changed files with 24 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -184,6 +184,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - `mastodon` now supports connection to a remote `PostgreSQL` database.

+- `nextcloud` has an option to enable SSE-C in S3.
+
 - `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.
  Before upgrading, read the release notes for PeerTube:
    - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -514,6 +514,27 @@ in {
              `http://hostname.domain/bucket` instead.
            '';
          };
+          sseCKeyFile = mkOption {
+            type = types.nullOr types.path;
+            default = null;
+            example = "/var/nextcloud-objectstore-s3-sse-c-key";
+            description = lib.mdDoc ''
+              If provided this is the full path to a file that contains the key
+              to enable [server-side encryption with customer-provided keys][1]
+              (SSE-C).
+
+              The file must contain a random 32-byte key encoded as a base64
+              string, e.g. generated with the command
+
+              ```
+              openssl rand 32 | base64
+              ```
+
+              Must be readable by user `nextcloud`.
+
+              [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
+            '';
+          };
        };
      };
    };
@ -773,6 +794,7 @@ in {
                'use_ssl' => ${boolToString s3.useSsl},
                ${optionalString (s3.region != null) "'region' => '${s3.region}',"}
                'use_path_style' => ${boolToString s3.usePathStyle},
+                ${optionalString (s3.sseCKeyFile != null) "'sse_c_key' => nix_read_secret('${s3.sseCKeyFile}'),"}
              ],
            ]
          '';