Commit graph

65 commits

Author SHA1 Message Date
Maximilian Bosch
fddeb7cb73
Revert "nextcloud: use mkDefault for whole nginx config"
This breaks the Nextcloud vhost declaration when adding e.g. another
vhost as the `services.nginx.virtualHosts` option has `{ nextcloud =
...; }` as *default* value which will be replaced by another
`virtualHosts`-declaration with a higher (e.g. the default) priority.

The following cases are now supported & covered by the module:

* `nginx` is enabled with `nextcloud` enabled and other vhosts can be
  added / other options can be declared without having to care
  about the declaration's priority.

* Settings in the `nextcloud`-vhost in `nginx` have to be altered using
  `mkForce` as this is the only way how we officially support `nginx`
  for `nextcloud` and customizations have to be done explicitly using
  `mkForce`.

* `nginx` will be completely omitted if a user enables nextcloud
  and disables nginx using `services.nginx.enable = false;`. (because
  nginx will be enabled by this module using `mkDefault`).

This reverts commit 128dbb31cc.
Closes #95259
2020-08-12 18:28:45 +02:00
DavHau
128dbb31cc nextcloud: use mkDefault for whole nginx config 2020-08-05 11:50:26 +07:00
DavHau
ca916e8cb3 nextcloud: deprecate nginx, use chgrp, mkDefault for nginx, fix tests 2020-08-03 14:21:45 +07:00
DavHau
b90a70d53f
nextcloud: shorten nginx group reference
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
2020-07-27 20:20:13 +07:00
DavHau
5823ed7841 nextcloud: fix group permissions on startup 2020-07-27 12:41:42 +07:00
DavHau
fd9eb16b24 nextcloud: restrict web server support to nginx only 2020-07-27 12:06:04 +07:00
DavHau
6ee3004132 nextcloud improve user/group handling
- remove optons cfg.user, cfg.groups
- add option `serverUser` which is required when not using nginx
- add `serverUser` to nextcloud group
- set user/group to "nextcloud" for nextcloud services
- make setup-service non-root
2020-07-26 15:54:23 +07:00
DavHau
07076e9fe0 nextcloud: configurable user and group, enabled nginx, improve setup 2020-07-21 08:23:45 +00:00
Maximilian Bosch
c9462630bd
Merge pull request #91149 from nlewo/nextcloud-expose-occ
nixos/nextcloud: add occ internal option
2020-06-20 19:28:25 +02:00
Maximilian Bosch
f326e5a35e
nixos/nextcloud: update upgrade-path for nextcloud19
Enhance the heuristics to make sure that a user doesn't accidentally
upgrade across two major versions of Nextcloud (e.g. from v17 to v19).

The original idea/discussion has been documented in the nixpkgs manual[1].

This includes the following changes:

* `nextcloud19` will be selected automatically when having a stateVersion
  greater or equal than 20.09. For existing setups, the package has to
  be selected manually to avoid accidental upgrades.

* When using `nextcloud18` or older, a warning will be thrown which recommends
  upgrading to `nextcloud19`.

* Added a brief paragraph about `nextcloud19` in the NixOS 19.09 release
  notes.

* Restart `phpfpm` if the Nextcloud-package (`cfg.package`) changes[2].

[1] https://nixos.org/nixos/manual/index.html#module-services-nextcloud-maintainer-info
[2] https://github.com/NixOS/nixpkgs/pull/89427#issuecomment-638885727
2020-06-20 11:30:11 +02:00
Antoine Eiche
7d994ad445 nixos/nextcloud: add occ internal option
This option exposes the prefconfigured nextcloud-occ
program. nextcloud-occ can then be used in other systemd services or
added in environment.systemPackages.

The nextcloud test shows how it can be add in
environment.systemPackages.
2020-06-20 09:59:27 +02:00
Maximilian Bosch
a2a5aa2634
nextcloud19: init at 19.0.0
https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/
2020-06-19 22:16:52 +02:00
Antoine Eiche
cb682317b0 nixos/nextcloud: preserve OC_PASS env variable in the occ wrapper
The OC_PASS environment variable can be used to create a user with
`occ user:add --password-from-env`. It is currently not possible to
use the `nextcloud-occ` to "non-interactively" create a user since
this variable is ignored by sudo.
2020-06-07 20:47:11 +02:00
talyz
2ba7926959
php.buildEnv: Provide a list of currently enabled extensions
Rework withExtensions / buildEnv to handle currently enabled
extensions better and make them compatible with override. They now
accept a function with the named arguments enabled and all, where
enabled is a list of currently enabled extensions and all is the set
of all extensions. This gives us several nice properties:

 - You always get the right version of the list of currently enabled
   extensions

 - Invocations chain

 - It works well with overridden PHP packages - you always get the
   correct versions of extensions

As a contrived example of what's possible, you can add ImageMagick,
then override the version and disable fpm, then disable cgi, and
lastly remove the zip extension like this:

{ pkgs ? (import <nixpkgs>) {} }:
with pkgs;

let
  phpWithImagick = php74.withExtensions ({ all, enabled }: enabled ++ [ all.imagick ]);

  phpWithImagickWithoutFpm743 = phpWithImagick.override {
    version = "7.4.3";
    sha256 = "wVF7pJV4+y3MZMc6Ptx21PxQfEp6xjmYFYTMfTtMbRQ=";
    fpmSupport = false;
  };

  phpWithImagickWithoutFpmZip743 = phpWithImagickWithoutFpm743.withExtensions (
    { enabled, all }:
      lib.filter (e: e != all.zip) enabled);

  phpWithImagickWithoutFpmZipCgi743 = phpWithImagickWithoutFpmZip743.override {
    cgiSupport = false;
  };
in
  phpWithImagickWithoutFpmZipCgi743
2020-04-26 16:43:05 +02:00
worldofpeace
15d5a2adc1
Merge pull request #84849 from samueldr/fix/nextcloud-upgrade-wording
nextcloud: Review installation upgrade warning wording
2020-04-10 22:55:20 -04:00
Samuel Dionne-Riel
a1efbdb600 nextcloud: Review installation upgrade warning wording
The new wording does not assume the user is upgrading.

This is because a user could be setting up a new installation on 20.03
on a server that has a 19.09 or before stateVersion!!

The new wording ensures that confusion is reduced by stating that they
do not have to care about the assumed 16→17 transition.

Then, the wording explains that they should, and how to upgrade to
version 18.

It also reviews the confusing wording about "multiple" upgrades.

* * *

The only thing we cannot really do is stop a fresh install of 17 if
there was no previous install, as it cannot be detected. That makes a
useless upgrade forced for new users with old state versions.

It is also important to state that they must set their package to
Nextcloud 18, as future upgrades to Nextcloud will not allow an uprade
from 17!

I assume future warning messages will exist specifically stating what to
do to go from 18 to 19, then 19 to 20, etc...
2020-04-09 16:52:25 -04:00
Jörg Thalheim
cf3328e7e3
treewide: use runtimeShell in nixos/
This is needed for cross-compilation.
2020-04-07 07:26:47 +01:00
Elis Hirwing
3b6539896b
Merge pull request #83896 from etu/slim-down-default-php-v3
PHP: Make the default package more sane [v3]
2020-04-05 20:00:03 +02:00
talyz
5ace72cd6c
nixos/nextcloud: Use php.enabledExtensions 2020-04-05 16:46:44 +02:00
talyz
4ff523f691
php: Simplify php-packages import, rename exts -> extensions 2020-04-05 16:45:41 +02:00
Elis Hirwing
a2099156ec
php: split php.packages to php.packages and php.extensions
So now we have only packages for human interaction in php.packages and
only extensions in php.extensions. With this php.packages.exts have
been merged into the same attribute set as all the other extensions to
make it flat and nice.

The nextcloud module have been updated to reflect this change as well
as the documentation.
2020-04-05 16:45:17 +02:00
Elis Hirwing
fc1034a1fa
nixos/nextcloud: upgrade to php74 2020-04-05 16:44:48 +02:00
talyz
ed20aae86c
nixos/nextcloud: Get nextcloud working 2020-04-05 16:44:42 +02:00
Antoine Eiche
24ee2e8dc0 nixos/nextcloud: add bcmap, mp4 and webm in nginx configuration
This is used by the `firstrunwizard` and has been added in the nginx
configuration documentation of the latest
manual (cda627b7c8/admin_manual/installation/nginx.rst).
2020-03-29 09:34:52 +02:00
Maximilian Bosch
702f645aa8
nixos/nextcloud: implement a safe upgrade-path between 19.09 and 20.03
It's impossible to move two major-versions forward when upgrading
Nextcloud. This is an issue when comming from 19.09 (using Nextcloud 16)
and trying to upgrade to 20.03 (using Nextcloud 18 by default).

This patch implements the measurements discussed in #82056 and #82353 to
improve the update process and to circumvent similar issues in the
future:

* `pkgs.nextcloud` has been removed in favor of versioned attributes
  (currently `pkgs.nextcloud17` and `pkgs.nextcloud18`). With that
  approach we can safely backport major-releases in the future to
  simplify those upgrade-paths and we can select one of the
  major-releases as default depending on the configuration (helpful to
  decide whether e.g. `pkgs.nextcloud17` or `pkgs.nextcloud18` should be
  used on 20.03 and `master` atm).

* If `system.stateVersion` is older than `20.03`, `nextcloud17` will be
  used (which is one major-release behind v16 from 19.09). When using a
  package older than the latest major-release available (currently v18),
  the evaluation will cause a warning which describes the issue and
  suggests next steps.

  To make those package-selections easier, a new option to define the
  package to be used for the service (namely
  `services.nextcloud.package`) was introduced.

* If `pkgs.nextcloud` exists (e.g. due to an overlay which was used to
  provide more recent Nextcloud versions on older NixOS-releases), an
  evaluation error will be thrown by default: this is to make sure that
  `services.nextcloud.package` doesn't use an older version by accident
  after checking the state-version. If `pkgs.nextcloud` is added
  manually, it needs to be declared explicitly in
  `services.nextcloud.package`.

* The `nixos/nextcloud`-documentation contains a
  "Maintainer information"-chapter  which describes how to roll out new
  Nextcloud releases and how to deal with old (and probably unsafe)
  versions.

Closes #82056
2020-03-25 22:07:29 +01:00
Aaron Andersen
4d67db3101
Merge pull request #80849 from BBBSnowball/pull-load-imagick-once
nixos/nextcloud: avoid loading imagick extension more than once
2020-02-26 17:17:55 -05:00
Pascal Bach
119a7aae50 nixos/nextcloud: prevent warning about missing X-Frame-Option 2020-02-24 22:07:24 +01:00
Benjamin Koch
db32158bbd nixos/nextcloud: avoid loading imagick extension more than once
This avoids the following error message:
  Module 'imagick' already loaded at Unknown#0
2020-02-23 00:40:49 +00:00
Lennart
4e6e94417c nixos/nextcloud: added trusted_proxies setting (#77480) 2020-01-11 15:43:43 +01:00
Daniel Frank
6d671372b5
nextcloud module: https is important not only for proxies 2019-12-31 13:01:46 +01:00
Janne Heß
d21f5cf36f nixos/nextcloud: Do not run sudo if not needed
Only use sudo if we are currently not running as the nextcloud user.
This is problematic when occ is called from a systemd service with
NoNewPrivileges=true
2019-12-07 21:10:34 +01:00
Jean-Philippe Braun
4ea4408b9c nixos/nextcloud: add occ in path of nextcloud-setup
This makes possible to use nextcloud-occ for setting extra
configuration options.

Example:

  systemd.services.nextcloud-setup = {
    script = mkAfter ''
      nextcloud-occ config:system:set redis 'host' --value '/var/run/redis/redis.sock' --type string
      nextcloud-occ config:system:set redis 'port' --value 0 --type integer
    '';
  };
2019-11-19 23:59:26 +01:00
Aaron Andersen
33474166e3
Merge pull request #69436 from tshaynik/fix/nextcloud-nginx-sts
nixos/nextcloud: add Strict-Transport-Security
2019-10-26 12:34:36 -04:00
Will Dietz
f6c45bff6d
nixos/nextcloud: update config for "urgent security issue"
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
2019-10-25 06:50:29 -05:00
Daniel KT
4590a2380e nixos/nextcloud: add Strict-Transport-Security
This commit adds a Strict-Transport-Security header to
the nginx config file generated by the nextcloud module.

The Strict-Transport-Security header is recommended in
official guide for hardening Nextcloud installations:
https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html

Further, if it is not set, we see a warning in the security scan results
in the Nextcloud admin panel:

```
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips

```
2019-09-25 16:56:53 -04:00
Averell Dalton
56e5dddf7c nextcloud: fix deprecation warning 2019-09-12 14:19:42 +02:00
Frederik Rietdijk
5061fe0c2c Merge staging-next into staging 2019-08-28 08:26:42 +02:00
volth
35d68ef143 treewide: remove redundant quotes 2019-08-26 21:40:19 +00:00
Aaron Andersen
400c6aac71 nixos/phpfpm: deprecate extraConfig options in favor of settings options 2019-08-23 07:56:27 -04:00
Aaron Andersen
62b774a700 nixos/phpfpm: add socket option to replace the listen option 2019-08-23 07:56:21 -04:00
Maximilian Bosch
c5e515f5c7
nixos/nextcloud: fix inclusion of trusted_domains in override config
Regression I caused with 3944aa051c, sorry
for this! The Nextcloud installer broke back then because
`trusted_domains` was an empty value by default (a.k.a an empty array)
which seemed to break the config merger of Nextcloud as Nextcloud
doesn't do recursive merging and now no domain was trusted because of
that, hence Nextcloud was unreachable for the `curl` call.
2019-07-23 13:29:43 +02:00
Maximilian Bosch
3944aa051c
nixos/nextcloud: write config to additional config file
One of the main problems of the Nextcloud module is that it's currently
not possible to alter e.g. database configuration after the initial
setup as it's written by their imperative installer to a file.

After some research[1] it turned out that it's possible to override all values
with an additional config file. The documentation has been
slightly updated to remain up-to-date, but the warnings should
remain there as the imperative configuration is still used and may cause
unwanted side-effects.

Also simplified the postgresql test which uses `ensure{Databases,Users}` to
configure the database.

Fixes #49783

[1] https://github.com/NixOS/nixpkgs/issues/49783#issuecomment-483063922
2019-07-22 18:29:52 +02:00
Aaron Andersen
278d867a9b Revert "Merge pull request #63156 from Izorkin/phpfpm-rootless"
This reverts commit b5478fd1a2, reversing
changes made to dbb00bfcbf.
2019-06-28 21:47:43 -04:00
Elis Hirwing
b5478fd1a2
Merge pull request #63156 from Izorkin/phpfpm-rootless
phpfpm: do not run anything as root
2019-06-27 19:13:53 +02:00
volth
f3282c8d1e treewide: remove unused variables (#63177)
* treewide: remove unused variables

* making ofborg happy
2019-06-16 19:59:05 +00:00
Izorkin
5b1a4730bc nixos/nextcloud: fix work with phpfpm-rootless mode 2019-06-16 12:33:51 +03:00
Malte Brandy
ab5926ba67 nixos/nextcloud: Improve autoUpdateApps description string 2019-05-22 19:07:42 +02:00
Malte Brandy
49f05a1760
nixos/nextcloud: Add options services.nextcloud.autoUpdateApps
nixos/nextcloud: Add documentation for nextcloud app installation and updates

nixos/nextcloud: Enable autoUpdateApps in nextcloud test

nixos/nextcloud: Fix typo in nixos/modules/services/web-apps/nextcloud.xml

Co-Authored-By: Florian Klink <flokli@flokli.de>

nixos/nextcloud: Escape html in option description

nixos/nextcloud: Fix autoUpdateApps URL in documentation.

Co-Authored-By: Florian Klink <flokli@flokli.de>
2019-05-21 13:24:23 +02:00
Will Dietz
27d78f4c6c nextcloud: use same php package throughout!
`phpPackage` is 7.3 by default, but `pkgs.php` is 7.2,
so this saves the need for an extra copy of php
for the purpose of running nextcloud's cron;
more importantly this fixes problems with extensions
not loading since they are built against a different php.
2019-04-06 10:34:14 -05:00
aszlig
ef553788d0
postgresql: Move socket dir to /run/postgresql
The default, which is /tmp, has a few issues associated with it:

One being that it makes it easy for users on the system to spoof a
PostgreSQL server if it's not running, causing applications to connect
to their provided sockets instead of just failing to connect.

Another one is that it makes sandboxing of PostgreSQL and other services
unnecessarily difficult. This is already the case if only PrivateTmp is
used in a systemd service, so in order for such a service to be able to
connect to PostgreSQL, a bind mount needs to be done from /tmp to some
other path, so the service can access it. This pretty much defeats the
whole purpose of PrivateTmp.

We regularily run into issues with this in the past already (one example
would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new
systemd-confinement mode upcoming in
https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more
tedious to sandbox services.

I've tested this change against all the postgresql NixOS VM tests and
they still succeed and I also grepped through the source tree to replace
other occasions where we might have /tmp hardcoded. Luckily there were
very few occasions.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @ocharles, @thoughtpolice, @danbst
2019-03-15 04:52:35 +01:00