public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #93584 from DavHau/nextcloud-improvements

Browse Source 
nextcloud: restrict web server support to nginx; stop sharing nginx user/group; improve setup service
This commit is contained in:
Maximilian Bosch 2020-08-06 19:00:21 +02:00 committed by GitHub
commit 50d8cdb3ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 112 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

222
nixos/modules/services/web-apps/nextcloud.nix
View File

@ -45,6 +45,12 @@ let
inherit (config.system) stateVersion; inherit (config.system) stateVersion;
in { in {
imports = [
( mkRemovedOptionModule [ "services" "nextcloud" "nginx" "enable" ]
"The nextcloud module dropped support for other webservers than nginx.")
];
options.services.nextcloud = { options.services.nextcloud = {
enable = mkEnableOption "nextcloud"; enable = mkEnableOption "nextcloud";
hostName = mkOption { hostName = mkOption {
@ -91,16 +97,6 @@ in {
''; '';
}; };
nginx.enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable nginx virtual host management.
Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
'';
};
webfinger = mkOption { webfinger = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -468,10 +464,18 @@ in {
script = '' script = ''
chmod og+x ${cfg.home} chmod og+x ${cfg.home}
ln -sf ${cfg.package}/apps ${cfg.home}/ ln -sf ${cfg.package}/apps ${cfg.home}/
mkdir -p ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
chown -R nextcloud:nginx ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps # create nextcloud directories.
# if the directories exist already with wrong permissions, we fix that
for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
if [ ! -e $dir ]; then
install -o nextcloud -g nextcloud -d $dir
elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
chgrp -R nextcloud $dir
fi
done
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
# Do not install if already installed # Do not install if already installed
if [[ ! -e ${cfg.home}/config/config.php ]]; then if [[ ! -e ${cfg.home}/config/config.php ]]; then
@ -484,6 +488,7 @@ in {
${occSetTrustedDomainsCmd} ${occSetTrustedDomainsCmd}
''; '';
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.User = "nextcloud";
}; };
nextcloud-cron = { nextcloud-cron = {
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config"; environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
@ -502,7 +507,7 @@ in {
services.phpfpm = { services.phpfpm = {
pools.nextcloud = { pools.nextcloud = {
user = "nextcloud"; user = "nextcloud";
group = "nginx"; group = "nextcloud";
phpOptions = phpOptionsStr; phpOptions = phpOptionsStr;
phpPackage = phpPackage; phpPackage = phpPackage;
phpEnv = { phpEnv = {
@ -510,99 +515,82 @@ in {
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
}; };
settings = mapAttrs (name: mkDefault) { settings = mapAttrs (name: mkDefault) {
"listen.owner" = "nginx"; "listen.owner" = config.services.nginx.user;
"listen.group" = "nginx"; "listen.group" = config.services.nginx.group;
} // cfg.poolSettings; } // cfg.poolSettings;
extraConfig = cfg.poolConfig; extraConfig = cfg.poolConfig;
}; };
}; };
users.extraUsers.nextcloud = { users.users.nextcloud = {
home = "${cfg.home}"; home = "${cfg.home}";
group = "nginx"; group = "nextcloud";
createHome = true; createHome = true;
}; };
users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
environment.systemPackages = [ occ ]; environment.systemPackages = [ occ ];
}
(mkIf cfg.nginx.enable { services.nginx = mkDefault {
services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts.${cfg.hostName} = {
${cfg.hostName} = { root = cfg.package;
root = cfg.package; locations = {
locations = { "= /robots.txt" = {
"= /robots.txt" = { priority = 100;
priority = 100; extraConfig = ''
extraConfig = '' allow all;
allow all; log_not_found off;
log_not_found off;
access_log off;
'';
};
"/" = {
priority = 200;
extraConfig = "rewrite ^ /index.php;";
};
"~ ^/store-apps" = {
priority = 201;
extraConfig = "root ${cfg.home};";
};
"= /.well-known/carddav" = {
priority = 210;
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
};
"= /.well-known/caldav" = {
priority = 210;
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
};
"~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = {
priority = 300;
extraConfig = "deny all;";
};
"~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
priority = 300;
extraConfig = "deny all;";
};
"~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = {
priority = 500;
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:${fpm.socket};
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 120s;
'';
};
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
try_files $uri/ =404;
index index.php;
'';
"~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
access_log off;
'';
"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
try_files $uri /index.php$request_uri;
access_log off; access_log off;
''; '';
}; };
extraConfig = '' "/" = {
priority = 200;
extraConfig = "rewrite ^ /index.php;";
};
"~ ^/store-apps" = {
priority = 201;
extraConfig = "root ${cfg.home};";
};
"= /.well-known/carddav" = {
priority = 210;
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
};
"= /.well-known/caldav" = {
priority = 210;
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
};
"~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = {
priority = 300;
extraConfig = "deny all;";
};
"~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
priority = 300;
extraConfig = "deny all;";
};
"~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = {
priority = 500;
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:${fpm.socket};
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_read_timeout 120s;
'';
};
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
try_files $uri/ =404;
index index.php;
'';
"~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag none;
@ -610,28 +598,42 @@ in {
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin; add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer; add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; access_log off;
error_page 403 /core/templates/403.php; '';
error_page 404 /core/templates/404.php; "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
client_max_body_size ${cfg.maxUploadSize}; try_files $uri /index.php$request_uri;
fastcgi_buffers 64 4K; access_log off;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
${optionalString cfg.webfinger ''
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''}
''; '';
}; };
extraConfig = ''
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
${optionalString cfg.webfinger ''
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''}
'';
}; };
}; };
}) }
]); ]);
meta.doc = ./nextcloud.xml; meta.doc = ./nextcloud.xml;

1
nixos/tests/nextcloud/basic.nix
View File

@ -33,7 +33,6 @@ in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
nginx.enable = true;
hostName = "nextcloud"; hostName = "nextcloud";
config = { config = {
# Don't inherit adminuser since "root" is supposed to be the default # Don't inherit adminuser since "root" is supposed to be the default

1
nixos/tests/nextcloud/with-mysql-and-memcached.nix
View File

@ -17,7 +17,6 @@ in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
hostName = "nextcloud"; hostName = "nextcloud";
nginx.enable = true;
https = true; https = true;
caching = { caching = {
apcu = true; apcu = true;

1
nixos/tests/nextcloud/with-postgresql-and-redis.nix
View File

@ -17,7 +17,6 @@ in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
hostName = "nextcloud"; hostName = "nextcloud";
nginx.enable = true;
caching = { caching = {
apcu = false; apcu = false;
redis = true; redis = true;