Merge pull request #93584 from DavHau/nextcloud-improvements

nextcloud: restrict web server support to nginx; stop sharing nginx user/group; improve setup service
2020-08-06 19:00:21 +02:00 · 2020-08-06 19:00:21 +02:00 · 50d8cdb3ca
commit 50d8cdb3ca
parent cecc4ce361 128dbb31cc
4 changed files with 112 additions and 113 deletions
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -45,6 +45,12 @@ let
  inherit (config.system) stateVersion;

 in {
+
+  imports = [
+    ( mkRemovedOptionModule [ "services" "nextcloud" "nginx" "enable" ]
+      "The nextcloud module dropped support for other webservers than nginx.")
+  ];
+
  options.services.nextcloud = {
    enable = mkEnableOption "nextcloud";
    hostName = mkOption {
@ -91,16 +97,6 @@ in {
      '';
    };

-    nginx.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable nginx virtual host management.
-        Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
-        See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
-      '';
-    };
-
    webfinger = mkOption {
      type = types.bool;
      default = false;
@ -468,10 +464,18 @@ in {
          script = ''
            chmod og+x ${cfg.home}
            ln -sf ${cfg.package}/apps ${cfg.home}/
-            mkdir -p ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
-            ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php

-            chown -R nextcloud:nginx ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps
+            # create nextcloud directories.
+            # if the directories exist already with wrong permissions, we fix that
+            for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
+              if [ ! -e $dir ]; then
+                install -o nextcloud -g nextcloud -d $dir
+              elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
+                chgrp -R nextcloud $dir
+              fi
+            done
+
+            ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php

            # Do not install if already installed
            if [[ ! -e ${cfg.home}/config/config.php ]]; then
@ -484,6 +488,7 @@ in {
            ${occSetTrustedDomainsCmd}
          '';
          serviceConfig.Type = "oneshot";
+          serviceConfig.User = "nextcloud";
        };
        nextcloud-cron = {
          environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
@ -502,7 +507,7 @@ in {
      services.phpfpm = {
        pools.nextcloud = {
          user = "nextcloud";
-          group = "nginx";
+          group = "nextcloud";
          phpOptions = phpOptionsStr;
          phpPackage = phpPackage;
          phpEnv = {
@ -510,27 +515,25 @@ in {
            PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
          };
          settings = mapAttrs (name: mkDefault) {
-            "listen.owner" = "nginx";
-            "listen.group" = "nginx";
+            "listen.owner" = config.services.nginx.user;
+            "listen.group" = config.services.nginx.group;
          } // cfg.poolSettings;
          extraConfig = cfg.poolConfig;
        };
      };

-      users.extraUsers.nextcloud = {
+      users.users.nextcloud = {
        home = "${cfg.home}";
-        group = "nginx";
+        group = "nextcloud";
        createHome = true;
      };
+      users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];

      environment.systemPackages = [ occ ];
-    }

-    (mkIf cfg.nginx.enable {
-      services.nginx = {
+      services.nginx = mkDefault {
        enable = true;
-        virtualHosts = {
-          ${cfg.hostName} = {
+        virtualHosts.${cfg.hostName} = {
          root = cfg.package;
          locations = {
            "= /robots.txt" = {
@ -630,8 +633,7 @@ in {
          '';
        };
      };
-      };
-    })
+    }
  ]);

  meta.doc = ./nextcloud.xml;
--- a/nixos/tests/nextcloud/basic.nix
+++ b/nixos/tests/nextcloud/basic.nix
@ -33,7 +33,6 @@ in {

      services.nextcloud = {
        enable = true;
-        nginx.enable = true;
        hostName = "nextcloud";
        config = {
          # Don't inherit adminuser since "root" is supposed to be the default
--- a/nixos/tests/nextcloud/with-mysql-and-memcached.nix
+++ b/nixos/tests/nextcloud/with-mysql-and-memcached.nix
@ -17,7 +17,6 @@ in {
      services.nextcloud = {
        enable = true;
        hostName = "nextcloud";
-        nginx.enable = true;
        https = true;
        caching = {
          apcu = true;
--- a/nixos/tests/nextcloud/with-postgresql-and-redis.nix
+++ b/nixos/tests/nextcloud/with-postgresql-and-redis.nix
@ -17,7 +17,6 @@ in {
      services.nextcloud = {
        enable = true;
        hostName = "nextcloud";
-        nginx.enable = true;
        caching = {
          apcu = false;
          redis = true;