From 07076e9fe015489fcd1c67f37c0d750442c6f975 Mon Sep 17 00:00:00 2001 From: DavHau Date: Tue, 21 Jul 2020 07:05:07 +0000 Subject: [PATCH 1/7] nextcloud: configurable user and group, enabled nginx, improve setup --- nixos/modules/services/web-apps/nextcloud.nix | 46 +++++++++++++------ 1 file changed, 31 insertions(+), 15 deletions(-) diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 328561dc800..4c5e51a8285 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -6,6 +6,8 @@ let cfg = config.services.nextcloud; fpm = config.services.phpfpm.pools.nextcloud; + group = if cfg.nginx.enable then config.services.nginx.group else cfg.group; + phpPackage = let base = pkgs.php74; @@ -33,8 +35,8 @@ let #! ${pkgs.runtimeShell} cd ${cfg.package} sudo=exec - if [[ "$USER" != nextcloud ]]; then - sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS' + if [[ "$USER" != ${cfg.user} ]]; then + sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS' fi export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" $sudo \ @@ -71,6 +73,19 @@ in { description = "Which package to use for the Nextcloud instance."; relatedPackages = [ "nextcloud17" "nextcloud18" "nextcloud19" ]; }; + user = mkOption { + type = types.str; + default = "nextcloud"; + description = "User of the nextcloud service"; + }; + group = mkOption { + type = with types; nullOr str; + description = '' + Set group for nextcloud related services. + This option cannot be used if is set. + In this case is used instead."; + ''; + }; maxUploadSize = mkOption { default = "512M"; 
@@ -93,7 +108,7 @@ in { nginx.enable = mkOption { type = types.bool; - default = false; + default = true; description = '' Whether to enable nginx virtual host management. Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. @@ -167,7 +182,7 @@ in { }; dbuser = mkOption { type = types.nullOr types.str; - default = "nextcloud"; + default = cfg.user; description = "Database user."; }; dbpass = mkOption { @@ -322,6 +337,9 @@ in { && !(acfg.adminpass != null && acfg.adminpassFile != null)); message = "Please specify exactly one of adminpass or adminpassFile"; } + { assertion = cfg.nginx.enable -> (group == config.services.nginx.group); + message = "Nextcloud group cannot be set if nginx is used"; + } ]; warnings = [] @@ -468,11 +486,9 @@ in { script = '' chmod og+x ${cfg.home} ln -sf ${cfg.package}/apps ${cfg.home}/ - mkdir -p ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps + install -o ${cfg.user} -g ${group} -d ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php - chown -R nextcloud:nginx ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps - # Do not install if already installed if [[ ! -e ${cfg.home}/config/config.php ]]; then ${occInstallCmd} 
@@ -488,21 +504,21 @@ in { nextcloud-cron = { environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; serviceConfig.Type = "oneshot"; - serviceConfig.User = "nextcloud"; + serviceConfig.User = cfg.user; serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php"; }; nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; - serviceConfig.User = "nextcloud"; + serviceConfig.User = cfg.user; startAt = cfg.autoUpdateApps.startAt; }; }; services.phpfpm = { pools.nextcloud = { - user = "nextcloud"; - group = "nginx"; + user = cfg.user; + inherit group; phpOptions = phpOptionsStr; phpPackage = phpPackage; phpEnv = { @@ -510,16 +526,16 @@ in { PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; }; settings = mapAttrs (name: mkDefault) { - "listen.owner" = "nginx"; - "listen.group" = "nginx"; + "listen.owner" = cfg.user; + "listen.group" = group; } // cfg.poolSettings; extraConfig = cfg.poolConfig; }; }; - users.extraUsers.nextcloud = { + users.extraUsers.${cfg.user} = { home = "${cfg.home}"; - group = "nginx"; + inherit group; createHome = true; }; From 6ee30041327343137bab79cf924eac1a17ad0d5c Mon Sep 17 00:00:00 2001 From: DavHau Date: Sun, 26 Jul 2020 15:54:23 +0700 Subject: [PATCH 2/7] nextcloud improve user/group handling - remove optons cfg.user, cfg.groups - add option `serverUser` which is required when not using nginx - add `serverUser` to nextcloud group - set user/group to "nextcloud" for nextcloud services - make setup-service non-root --- nixos/modules/services/web-apps/nextcloud.nix | 47 +++++++++---------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 4c5e51a8285..0a184b45827 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix 
+++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -7,6 +7,7 @@ let fpm = config.services.phpfpm.pools.nextcloud; group = if cfg.nginx.enable then config.services.nginx.group else cfg.group; + serverUser = if cfg.nginx.enable then config.services.nginx.user else cfg.serverUser; phpPackage = let @@ -35,8 +36,8 @@ let #! ${pkgs.runtimeShell} cd ${cfg.package} sudo=exec - if [[ "$USER" != ${cfg.user} ]]; then - sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS' + if [[ "$USER" != nextcloud ]]; then + sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS' fi export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" $sudo \ @@ -73,18 +74,9 @@ in { description = "Which package to use for the Nextcloud instance."; relatedPackages = [ "nextcloud17" "nextcloud18" "nextcloud19" ]; }; - user = mkOption { + serverUser = mkOption { type = types.str; - default = "nextcloud"; - description = "User of the nextcloud service"; - }; - group = mkOption { - type = with types; nullOr str; - description = '' - Set group for nextcloud related services. - This option cannot be used if is set. - In this case is used instead."; - ''; + description = "Must be set to the user of the webserver if nginx is not used."; }; maxUploadSize = mkOption { @@ -182,7 +174,7 @@ in { }; dbuser = mkOption { type = types.nullOr types.str; - default = cfg.user; + default = "nextcloud"; description = "Database user."; }; dbpass = mkOption { 
@@ -337,8 +329,11 @@ in { && !(acfg.adminpass != null && acfg.adminpassFile != null)); message = "Please specify exactly one of adminpass or adminpassFile"; } - { assertion = cfg.nginx.enable -> (group == config.services.nginx.group); - message = "Nextcloud group cannot be set if nginx is used"; + { assertion = cfg.nginx.enable -> (cfg.serverUser == null); + message = "serverUser cannot be set if nginx is used"; + } + { assertion = ! cfg.nginx.enable -> ( hasAttr cfg.serverUser config.users.users); + message = "configured serverUser '${cfg.serverUser}' doesn't exist"; } ]; @@ -486,7 +481,7 @@ in { script = '' chmod og+x ${cfg.home} ln -sf ${cfg.package}/apps ${cfg.home}/ - install -o ${cfg.user} -g ${group} -d ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps + install -o nextcloud -g nextcloud -d ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php # Do not install if already installed @@ -500,25 +495,26 @@ in { ${occSetTrustedDomainsCmd} ''; serviceConfig.Type = "oneshot"; + serviceConfig.User = "nextcloud"; }; nextcloud-cron = { environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; serviceConfig.Type = "oneshot"; - serviceConfig.User = cfg.user; + serviceConfig.User = "nextcloud"; serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php"; }; nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable { serviceConfig.Type = "oneshot"; serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all"; - serviceConfig.User = cfg.user; + serviceConfig.User = "nextcloud"; startAt = cfg.autoUpdateApps.startAt; }; }; services.phpfpm = { pools.nextcloud = { - user = cfg.user; - inherit group; + user = "nextcloud"; + group = "nextcloud"; phpOptions = phpOptionsStr; phpPackage = phpPackage; phpEnv = { 
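Review bot: The new assertion `cfg.nginx.enable -> (cfg.serverUser == null)` cannot pass in the default configuration: `serverUser` is declared in an earlier hunk as `types.str` with no default, so reading it when nothing sets it throws "option used but not defined" during evaluation instead of yielding `null`, and since `nginx.enable` defaults to true every user who leaves the defaults alone hits that error. Either declare the option as `type = types.nullOr types.str; default = null;` (and then guard the second assertion with `cfg.serverUser != null &&` before the `hasAttr`), or drop the first assertion and only touch `cfg.serverUser` on the `!cfg.nginx.enable` side. The `assertions` list these entries belong to begins outside the hunk.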
@@ -526,18 +522,19 @@ in { PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; }; settings = mapAttrs (name: mkDefault) { - "listen.owner" = cfg.user; - "listen.group" = group; + "listen.owner" = serverUser; + "listen.group" = config.users.users.${serverUser}.group; } // cfg.poolSettings; extraConfig = cfg.poolConfig; }; }; - users.extraUsers.${cfg.user} = { + users.users.nextcloud = { home = "${cfg.home}"; - inherit group; + group = "nextcloud"; createHome = true; }; + users.groups.nextcloud.members = [ "nextcloud" "${serverUser}" ]; environment.systemPackages = [ occ ]; } From fd9eb16b249aad1d5e231b8329035abfab5fc0eb Mon Sep 17 00:00:00 2001 From: DavHau Date: Mon, 27 Jul 2020 12:06:04 +0700 Subject: [PATCH 3/7] nextcloud: restrict web server support to nginx only --- nixos/modules/services/web-apps/nextcloud.nix | 229 ++++++++---------- 1 file changed, 100 insertions(+), 129 deletions(-) diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 0a184b45827..61722e6627d 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -6,9 +6,6 @@ let cfg = config.services.nextcloud; fpm = config.services.phpfpm.pools.nextcloud; - group = if cfg.nginx.enable then config.services.nginx.group else cfg.group; - serverUser = if cfg.nginx.enable then config.services.nginx.user else cfg.serverUser; - phpPackage = let base = pkgs.php74; @@ -74,10 +71,6 @@ in { description = "Which package to use for the Nextcloud instance."; relatedPackages = [ "nextcloud17" "nextcloud18" "nextcloud19" ]; }; - serverUser = mkOption { - type = types.str; - description = "Must be set to the user of the webserver if nginx is not used."; - }; maxUploadSize = mkOption { default = "512M"; 
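Review bot: `users.groups.nextcloud.members = [ "nextcloud" "${serverUser}" ]` gives the web-server user group access to every directory the setup script creates with `-g nextcloud`, which includes `config/` (config.php holds the database password and the instance secret) and `data/`, although nginx only ever serves `store-apps/` out of `cfg.home` and the vhost elsewhere in the file denies `config` and `data` outright. Whether that group access ends up as readable secrets depends on the file modes Nextcloud itself writes, which this hunk does not control, so the intent should at least be recorded on the line: `# nginx joins group nextcloud solely to read ${cfg.home}/store-apps; config/ and data/ are never served by it`. Creating `config` and `data` with mode 0700 in the setup script (outside this hunk) would make membership grant nothing there by construction. The `"${serverUser}"` quoting is also redundant, `serverUser` is already a string.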
@@ -98,16 +91,6 @@ in { ''; }; - nginx.enable = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable nginx virtual host management. - Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. - See for further information. - ''; - }; - webfinger = mkOption { type = types.bool; default = false; @@ -329,12 +312,6 @@ in { && !(acfg.adminpass != null && acfg.adminpassFile != null)); message = "Please specify exactly one of adminpass or adminpassFile"; } - { assertion = cfg.nginx.enable -> (cfg.serverUser == null); - message = "serverUser cannot be set if nginx is used"; - } - { assertion = ! cfg.nginx.enable -> ( hasAttr cfg.serverUser config.users.users); - message = "configured serverUser '${cfg.serverUser}' doesn't exist"; - } ]; warnings = [] @@ -522,8 +499,8 @@ in { PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; }; settings = mapAttrs (name: mkDefault) { - "listen.owner" = serverUser; - "listen.group" = config.users.users.${serverUser}.group; + "listen.owner" = config.services.nginx.user; + "listen.group" = config.users.users.${config.services.nginx.user}.group; } // cfg.poolSettings; extraConfig = cfg.poolConfig; }; 
@@ -534,117 +511,111 @@ in { group = "nextcloud"; createHome = true; }; - users.groups.nextcloud.members = [ "nextcloud" "${serverUser}" ]; + users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ]; environment.systemPackages = [ occ ]; - } - - (mkIf cfg.nginx.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.hostName} = { - root = cfg.package; - locations = { - "= /robots.txt" = { - priority = 100; - extraConfig = '' - allow all; - log_not_found off; - access_log off; - ''; - }; - "/" = { - priority = 200; - extraConfig = "rewrite ^ /index.php;"; - }; - "~ ^/store-apps" = { - priority = 201; - extraConfig = "root ${cfg.home};"; - }; - "= /.well-known/carddav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "= /.well-known/caldav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = { - priority = 300; - extraConfig = "deny all;"; - }; - "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = { - priority = 300; - extraConfig = "deny all;"; - }; - "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = { - priority = 500; - extraConfig = '' - include ${config.services.nginx.package}/conf/fastcgi.conf; - fastcgi_split_path_info ^(.+\.php)(\\/.*)$; - try_files $fastcgi_script_name =404; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_pass unix:${fpm.socket}; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - fastcgi_read_timeout 120s; - ''; - }; - "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' - try_files $uri/ =404; - index index.php; - ''; - "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = '' - try_files 
$uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options sameorigin; - add_header Referrer-Policy no-referrer; - access_log off; - ''; - "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' - try_files $uri /index.php$request_uri; - access_log off; - ''; - }; + + services.nginx.enable = true; + services.nginx.virtualHosts.${cfg.hostName} = { + root = cfg.package; + locations = { + "= /robots.txt" = { + priority = 100; extraConfig = '' - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options sameorigin; - add_header Referrer-Policy no-referrer; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - client_max_body_size ${cfg.maxUploadSize}; - fastcgi_buffers 64 4K; - fastcgi_hide_header X-Powered-By; - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - ${optionalString cfg.webfinger '' - rewrite 
^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - ''} + allow all; + log_not_found off; + access_log off; ''; }; + "/" = { + priority = 200; + extraConfig = "rewrite ^ /index.php;"; + }; + "~ ^/store-apps" = { + priority = 201; + extraConfig = "root ${cfg.home};"; + }; + "= /.well-known/carddav" = { + priority = 210; + extraConfig = "return 301 $scheme://$host/remote.php/dav;"; + }; + "= /.well-known/caldav" = { + priority = 210; + extraConfig = "return 301 $scheme://$host/remote.php/dav;"; + }; + "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = { + priority = 300; + extraConfig = "deny all;"; + }; + "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = { + priority = 300; + extraConfig = "deny all;"; + }; + "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = { + priority = 500; + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi.conf; + fastcgi_split_path_info ^(.+\.php)(\\/.*)$; + try_files $fastcgi_script_name =404; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass unix:${fpm.socket}; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_read_timeout 120s; + ''; + }; + "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' + try_files $uri/ =404; + index index.php; + ''; + "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = '' + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header 
X-Frame-Options sameorigin; + add_header Referrer-Policy no-referrer; + access_log off; + ''; + "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' + try_files $uri /index.php$request_uri; + access_log off; + ''; }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options sameorigin; + add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + client_max_body_size ${cfg.maxUploadSize}; + fastcgi_buffers 64 4K; + fastcgi_hide_header X-Powered-By; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + ${optionalString cfg.webfinger '' + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''} + ''; }; - }) + } ]); meta.doc = ./nextcloud.xml; From 5823ed784112361aed298cf865f29b51cd4a3f0a Mon Sep 17 00:00:00 2001 
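Review bot: The `"~ ^/store-apps"` location at priority 201 is a regex location emitted ahead of the PHP handler at priority 500, and nginx stops at the first matching `~` location, so if the locations really are written out in priority order a request like `/store-apps/<app>/appinfo/x.php` is served verbatim from `${cfg.home}` as a static file rather than denied or executed. This is moved code rather than something this commit introduces, but since the hunk rewrites the whole block it is the place to add a guard before it, e.g. `"~ ^/store-apps/.*\\.php(?:$|/)" = { priority = 200; extraConfig = "deny all;"; };`, which keeps the static assets that location exists for while refusing PHP sources, assuming no store app relies on being fetched directly. Worth confirming with one request against a running instance before merging.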
From: DavHau
Date: Mon, 27 Jul 2020 12:41:42 +0700
Subject: [PATCH 4/7] nextcloud: fix group permissions on startup

---
 nixos/modules/services/web-apps/nextcloud.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 61722e6627d..14858e2456e 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -458,7 +458,17 @@ in {
         script = ''
           chmod og+x ${cfg.home}
           ln -sf ${cfg.package}/apps ${cfg.home}/
-          install -o nextcloud -g nextcloud -d ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
+
+          # create nextcloud directories.
+          # if the directories exist already with wrong permissions, we fix that
+          for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
+            if [ ! -e $dir ]; then
+              install -o nextcloud -g nextcloud -d $dir
+            elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
+              chown -R nextcloud:nextcloud $dir
+            fi
+          done
+
           ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php

           # Do not install if already installed

From b90a70d53f5cf9812c95f38e096fd99081aea93f Mon Sep 17 00:00:00 2001
From: DavHau
Date: Mon, 27 Jul 2020 20:20:13 +0700
Subject: [PATCH 5/7] nextcloud: shorten nginx group reference

Co-authored-by: Aaron Andersen
---
 nixos/modules/services/web-apps/nextcloud.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 14858e2456e..44be27e9bd7 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -510,7 +510,7 @@ in {
       };
       settings = mapAttrs (name: mkDefault) {
         "listen.owner" = config.services.nginx.user;
-        "listen.group" = config.users.users.${config.services.nginx.user}.group;
+        "listen.group" = config.services.nginx.group;
       } // cfg.poolSettings;
       extraConfig = cfg.poolConfig;
     };
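Review bot: `install -o nextcloud -g nextcloud -d $dir` still creates the directories with install's default mode (0755), so `config/`, `data/` and `store-apps/` are listable by every local user at creation, and the repair branch only ever corrects the group, never the mode. Passing a mode keeps the least-privilege intent of the user/group rework: `install -o nextcloud -g nextcloud -m 0750 -d "$dir"` (nginx, now a member of group `nextcloud`, keeps read access to `store-apps`; `config` and `data` could go as far as 0700 since the vhost never serves them). The unquoted `$dir` and `$(stat -c "%G" $dir)` also break for a `cfg.home` containing whitespace; `"$dir"` and `"$(stat -c %G "$dir")"` cost nothing. The `script` string this loop lives in starts and ends outside the hunk.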
From ca916e8cb3220ba43a43d10f72ccb4b88077a461 Mon Sep 17 00:00:00 2001
From: DavHau
Date: Mon, 3 Aug 2020 14:04:46 +0700
Subject: [PATCH 6/7] nextcloud: deprecate nginx, use chgrp, mkDefault for nginx, fix tests

---
 nixos/modules/services/web-apps/nextcloud.nix | 12 +++++++++---
 nixos/tests/nextcloud/basic.nix | 1 -
 nixos/tests/nextcloud/with-mysql-and-memcached.nix | 1 -
 nixos/tests/nextcloud/with-postgresql-and-redis.nix | 1 -
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 44be27e9bd7..d9660852528 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -45,6 +45,12 @@ let
   inherit (config.system) stateVersion;

 in {
+
+  imports = [
+    ( mkRemovedOptionModule [ "services" "nextcloud" "nginx" "enable" ]
+      "The nextcloud module dropped support for other webservers than nginx.")
+  ];
+
   options.services.nextcloud = {
     enable = mkEnableOption "nextcloud";
     hostName = mkOption {
@@ -465,7 +471,7 @@ in {
             if [ ! -e $dir ]; then
               install -o nextcloud -g nextcloud -d $dir
             elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
-              chown -R nextcloud:nextcloud $dir
+              chgrp -R nextcloud $dir
             fi
           done

@@ -524,8 +530,8 @@ in {
       users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];

       environment.systemPackages = [ occ ];
-
-      services.nginx.enable = true;
+
+      services.nginx.enable = mkDefault true;
       services.nginx.virtualHosts.${cfg.hostName} = {
         root = cfg.package;
         locations = {
diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix
index a8fa0cae6f0..72fb020dca7 100644
--- a/nixos/tests/nextcloud/basic.nix
+++ b/nixos/tests/nextcloud/basic.nix
@@ -33,7 +33,6 @@ in {
     services.nextcloud = {
       enable = true;
-      nginx.enable = true;
       hostName = "nextcloud";
       config = {
         # Don't inherit adminuser since "root" is supposed to be the default
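Review bot: `services.nginx.enable = mkDefault true` now lets a configuration set `services.nginx.enable = false`, yet the module (outside this hunk) still makes `config.services.nginx.user` the owner of the php-fpm socket and, in this hunk's context line, a member of group `nextcloud`, so an instance without nginx evaluates cleanly and simply never answers a request, while the removed-option message in the first hunk tells users no other web server is wired up. If the lowered priority is meant as an escape hatch for people who run their own nginx setup, say so on the line, `# mkDefault so a deployment can take over nginx itself; no other web server is supported`; otherwise an assertion `{ assertion = config.services.nginx.enable; message = "services.nextcloud needs services.nginx"; }` makes the contract explicit.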
diff --git a/nixos/tests/nextcloud/with-mysql-and-memcached.nix b/nixos/tests/nextcloud/with-mysql-and-memcached.nix
index 8db630be893..bec3815a3e1 100644
--- a/nixos/tests/nextcloud/with-mysql-and-memcached.nix
+++ b/nixos/tests/nextcloud/with-mysql-and-memcached.nix
@@ -17,7 +17,6 @@ in {
     services.nextcloud = {
       enable = true;
       hostName = "nextcloud";
-      nginx.enable = true;
       https = true;
       caching = {
         apcu = true;
diff --git a/nixos/tests/nextcloud/with-postgresql-and-redis.nix b/nixos/tests/nextcloud/with-postgresql-and-redis.nix
index 95219cac9be..40a208115c3 100644
--- a/nixos/tests/nextcloud/with-postgresql-and-redis.nix
+++ b/nixos/tests/nextcloud/with-postgresql-and-redis.nix
@@ -17,7 +17,6 @@ in {
     services.nextcloud = {
       enable = true;
       hostName = "nextcloud";
-      nginx.enable = true;
       caching = {
         apcu = false;
         redis = true;

From 128dbb31cca3ba479396c6b65946e2e6503c0f8d Mon Sep 17 00:00:00 2001
From: DavHau
Date: Wed, 5 Aug 2020 11:50:26 +0700
Subject: [PATCH 7/7] nextcloud: use mkDefault for whole nginx config

---
 nixos/modules/services/web-apps/nextcloud.nix | 176 +++++++++---------
 1 file changed, 89 insertions(+), 87 deletions(-)

diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index d9660852528..0579e58d1d6 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -531,65 +531,81 @@ in { environment.systemPackages = [ occ ]; - services.nginx.enable = mkDefault true; - services.nginx.virtualHosts.${cfg.hostName} = { - root = cfg.package; - locations = { - "= /robots.txt" = { - priority = 100; - extraConfig = '' - allow all; - log_not_found off; + services.nginx = mkDefault { + enable = true; + virtualHosts.${cfg.hostName} = { + root = cfg.package; + locations = { + "= /robots.txt" = { + priority = 100; + extraConfig = '' + allow all; + log_not_found off; + access_log off; + ''; + }; + "/" = { + priority = 200; + extraConfig = "rewrite ^ /index.php;"; + }; + "~ ^/store-apps" = { + priority = 201; + extraConfig = "root ${cfg.home};"; + }; + "= /.well-known/carddav" = { + priority = 210; + extraConfig = "return 301 $scheme://$host/remote.php/dav;"; + }; + "= /.well-known/caldav" = { + priority = 210; + extraConfig = "return 301 $scheme://$host/remote.php/dav;"; + }; + "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = { + priority = 300; + extraConfig = "deny all;"; + }; + "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = { + priority = 300; + extraConfig = "deny all;"; + }; + "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = { + priority = 500; + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi.conf; + fastcgi_split_path_info ^(.+\.php)(\\/.*)$; + try_files $fastcgi_script_name =404; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass unix:${fpm.socket}; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_read_timeout 120s; + ''; + }; + "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' + try_files $uri/ =404; + index index.php; + ''; + "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = '' + try_files 
$uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options sameorigin; + add_header Referrer-Policy no-referrer; + access_log off; + ''; + "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' + try_files $uri /index.php$request_uri; access_log off; ''; }; - "/" = { - priority = 200; - extraConfig = "rewrite ^ /index.php;"; - }; - "~ ^/store-apps" = { - priority = 201; - extraConfig = "root ${cfg.home};"; - }; - "= /.well-known/carddav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "= /.well-known/caldav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = { - priority = 300; - extraConfig = "deny all;"; - }; - "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = { - priority = 300; - extraConfig = "deny all;"; - }; - "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = { - priority = 500; - extraConfig = '' - include ${config.services.nginx.package}/conf/fastcgi.conf; - fastcgi_split_path_info ^(.+\.php)(\\/.*)$; - try_files $fastcgi_script_name =404; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS ${if cfg.https then "on" else "off"}; - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_pass unix:${fpm.socket}; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - fastcgi_read_timeout 120s; - ''; - }; - "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = '' - try_files $uri/ =404; - index index.php; - ''; - "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = 
'' - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; + extraConfig = '' add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; 
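Review bot: Wrapping the whole `services.nginx` attribute set in `mkDefault` pushes priority 1000 down to every leaf, so a user definition at normal priority on the same leaf replaces the module's value instead of merging with it: setting `services.nginx.virtualHosts.${hostName}.extraConfig` for something unrelated (a rate limit, a custom `error_page`) silently drops the `Strict-Transport-Security`, `X-Content-Type-Options` and `X-Frame-Options` headers, `client_max_body_size` and `fastcgi_hide_header X-Powered-By`, where `types.lines` would otherwise have concatenated both. The same holds for the `deny all` regex locations and for `enable`, which a stray `services.nginx.enable = false` turns off while php-fpm keeps waiting on a socket owned by the nginx user. Keep the lowered priority on the switch only, `services.nginx.enable = mkDefault true;`, and define `services.nginx.virtualHosts.${cfg.hostName} = { ... }` at normal priority as the previous commit did, so user additions merge and whoever really wants to replace a location reaches for `mkForce` deliberately. The hunk ends inside the vhost's `extraConfig` string, which continues in the next hunk.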
@@ -597,39 +613,25 @@ in { add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options sameorigin; add_header Referrer-Policy no-referrer; - access_log off; - ''; - "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = '' - try_files $uri /index.php$request_uri; - access_log off; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + client_max_body_size ${cfg.maxUploadSize}; + fastcgi_buffers 64 4K; + fastcgi_hide_header X-Powered-By; + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + ${optionalString cfg.webfinger '' + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''} ''; }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options sameorigin; - add_header Referrer-Policy no-referrer; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - client_max_body_size ${cfg.maxUploadSize}; - fastcgi_buffers 64 4K; - fastcgi_hide_header 
X-Powered-By; - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - ${optionalString cfg.webfinger '' - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - ''} - ''; }; } ]);
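Review bot: The server-level `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;` in this block is not inherited by the `~ \\.(?:css|js|woff2?|svg|gif)$` location in the previous hunk, because nginx only inherits `add_header` from an outer level when the current level declares none, and that location declares its own set without HSTS; CSS, JS and font responses therefore leave without the header. Mirroring the line into that location closes the gap, and the reason the other seven headers are already duplicated there deserves a one-line comment at the top of the asset location: `# add_header is not inherited once a location sets its own, so the security headers are repeated here`. This hunk only re-indents moved configuration, so the gap is pre-existing rather than introduced by the commit, but the mkDefault rewrite is the moment the block is being touched anyway.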