+17

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

··· 631 631 </listitem> 632 632 <listitem> 633 633 <para> 634 634 + The <literal>openssl</literal>-extension for the PHP 635 635 + interpreter used by Nextcloud is built against OpenSSL 1.1 if 636 636 + <xref linkend="opt-system.stateVersion" /> is below 637 637 + <literal>22.11</literal>. This is to make sure that people 638 638 + using 639 639 + <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side 640 640 + encryption</link> don’t loose access to their files. 641 641 + </para> 642 642 + <para> 643 643 + In any other case it’s safe to use OpenSSL 3 for PHP’s openssl 644 644 + extension. This can be done by setting 645 645 + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" /> 646 646 + to <literal>false</literal>. 647 647 + </para> 648 648 + </listitem> 649 649 + <listitem> 650 650 + <para> 634 651 The <literal>coq</literal> package and versioned variants 635 652 starting at <literal>coq_8_14</literal> no longer include 636 653 CoqIDE, which is now available through

+7

nixos/doc/manual/release-notes/rl-2211.section.md

··· 204 204 205 205 - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. 206 206 207 207 + - The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if 208 208 + [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) 209 209 + don't loose access to their files. 210 210 + 211 211 + In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting 212 212 + [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. 213 213 + 207 214 - The `coq` package and versioned variants starting at `coq_8_14` no 208 215 longer include CoqIDE, which is now available through 209 216 `coqPackages.coqide`. It is still possible to get CoqIDE as part of

+57 -1

nixos/modules/services/web-apps/nextcloud.nix

··· 13 13 phpPackage = cfg.phpPackage.buildEnv { 14 14 extensions = { enabled, all }: 15 15 (with all; 16 16 - enabled 16 16 + # disable default openssl extension 17 17 + (lib.filter (e: e.pname != "php-openssl") enabled) 18 18 + # use OpenSSL 1.1 for RC4 Nextcloud encryption if user 19 19 + # has acknowledged the brokeness of the ciphers (RC4). 20 20 + # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. 21 21 + ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) 17 22 ++ optional cfg.enableImagemagick imagick 18 23 # Optionally enabled depending on caching settings 19 24 ++ optional cfg.caching.apcu apcu ··· 80 85 81 86 options.services.nextcloud = { 82 87 enable = mkEnableOption (lib.mdDoc "nextcloud"); 88 88 + 89 89 + enableBrokenCiphersForSSE = mkOption { 90 90 + type = types.bool; 91 91 + default = versionOlder stateVersion "22.11"; 92 92 + defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; 93 93 + description = lib.mdDoc '' 94 94 + This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 95 95 + rather than latest OpenSSL (≥ 3), this is not recommended unless you need 96 96 + it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is 97 97 + considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). 98 98 + 99 99 + This cipher has been disabled in OpenSSL ≥ 3 and requires 100 100 + a specific legacy profile to re-enable it. 101 101 + 102 102 + If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have 103 103 + server-side encryption configured, you will not be able to access 104 104 + your files anymore. Enabling this option can restore access to your files. 105 105 + Upon testing we didn't encounter any data corruption when turning 106 106 + this on and off again, but this cannot be guaranteed for 107 107 + each Nextcloud installation. 108 108 + 109 109 + It is `true` by default for systems with a [](#opt-system.stateVersion) below 110 110 + `22.11` to make sure that existing installations won't break on update. On newer 111 111 + NixOS systems you have to explicitly enable it on your own. 112 112 + 113 113 + Please note that this only provides additional value when using 114 114 + external storage such as S3 since it's not an end-to-end encryption. 115 115 + If this is not the case, 116 116 + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. 117 117 + 118 118 + In the future, Nextcloud may move to AES-256-GCM, by then, 119 119 + this option will be removed. 120 120 + ''; 121 121 + }; 83 122 hostName = mkOption { 84 123 type = types.str; 85 124 description = lib.mdDoc "FQDN for the nextcloud instance."; ··· 649 688 ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) 650 689 ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) 651 690 ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) 691 691 + ++ (optional cfg.enableBrokenCiphersForSSE '' 692 692 + You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. 693 693 + This is only necessary if you're using Nextcloud's server-side encryption. 694 694 + Please keep in mind that it's using the broken RC4 cipher. 695 695 + 696 696 + If you don't use that feature, you can switch to OpenSSL 3 and get 697 697 + rid of this warning by declaring 698 698 + 699 699 + services.nextcloud.enableBrokenCiphersForSSE = false; 700 700 + 701 701 + If you need to use server-side encryption you can ignore this waring. 702 702 + Otherwise you'd have to disable server-side encryption first in order 703 703 + to be able to safely disable this option and get rid of this warning. 704 704 + See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this. 705 705 + 706 706 + For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 707 707 + '') 652 708 ++ (optional isUnsupportedMariadb '' 653 709 You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! 654 710 Please note that this isn't supported officially by Nextcloud. You can either

+14

nixos/modules/services/web-apps/nextcloud.xml

··· 170 170 </listitem> 171 171 </itemizedlist> 172 172 </listitem> 173 173 + <listitem> 174 174 + <formalpara> 175 175 + <title>Server-side encryption</title> 176 176 + <para> 177 177 + Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>. 178 178 + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted 179 179 + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 180 180 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. 181 181 + If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>, 182 182 + this is disabled by default. To turn it on again and for further information please refer to 183 183 + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />. 184 184 + </para> 185 185 + </formalpara> 186 186 + </listitem> 173 187 </itemizedlist> 174 188 </section> 175 189

+7

nixos/tests/nextcloud/basic.nix

··· 37 37 "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" 38 38 ]; 39 39 40 40 + system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3 41 41 + 40 42 services.nextcloud = { 41 43 enable = true; 42 44 datadir = "/var/lib/nextcloud-data"; ··· 99 101 # This is just to ensure the nextcloud-occ program is working 100 102 nextcloud.succeed("nextcloud-occ status") 101 103 nextcloud.succeed("curl -sSf http://nextcloud/login") 104 104 + # Ensure that no OpenSSL 1.1 is used. 105 105 + nextcloud.succeed( 106 106 + "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1" 107 107 + ) 102 108 nextcloud.succeed( 103 109 "${withRcloneEnv} ${copySharedFile}" 104 110 ) ··· 108 114 "${withRcloneEnv} ${diffSharedFile}" 109 115 ) 110 116 assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") 117 117 + nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file") 111 118 ''; 112 119 })) args

+4

nixos/tests/nextcloud/default.nix

··· 8 8 foldl 9 9 (matrix: ver: matrix // { 10 10 "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; 11 11 + "openssl-sse${toString ver}" = import ./openssl-sse.nix { 12 12 + inherit system pkgs; 13 13 + nextcloudVersion = ver; 14 14 + }; 11 15 "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { 12 16 inherit system pkgs; 13 17 nextcloudVersion = ver;

+105

nixos/tests/nextcloud/openssl-sse.nix

··· 1 1 + args@{ pkgs, nextcloudVersion ? 25, ... }: 2 2 + 3 3 + (import ../make-test-python.nix ({ pkgs, ...}: let 4 4 + adminuser = "root"; 5 5 + adminpass = "notproduction"; 6 6 + nextcloudBase = { 7 7 + networking.firewall.allowedTCPPorts = [ 80 ]; 8 8 + system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default 9 9 + services.nextcloud = { 10 10 + enable = true; 11 11 + config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; 12 12 + package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; 13 13 + }; 14 14 + }; 15 15 + in { 16 16 + name = "nextcloud-openssl"; 17 17 + meta = with pkgs.lib.maintainers; { 18 18 + maintainers = [ ma27 ]; 19 19 + }; 20 20 + nodes.nextcloudwithopenssl1 = { 21 21 + imports = [ nextcloudBase ]; 22 22 + services.nextcloud.hostName = "nextcloudwithopenssl1"; 23 23 + }; 24 24 + nodes.nextcloudwithopenssl3 = { 25 25 + imports = [ nextcloudBase ]; 26 26 + services.nextcloud = { 27 27 + hostName = "nextcloudwithopenssl3"; 28 28 + enableBrokenCiphersForSSE = false; 29 29 + }; 30 30 + }; 31 31 + testScript = { nodes, ... }: let 32 32 + withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' 33 33 + #!${pkgs.runtimeShell} 34 34 + export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav 35 35 + export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/" 36 36 + export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" 37 37 + export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" 38 38 + export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" 39 39 + "''${@}" 40 40 + ''; 41 41 + withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; 42 42 + withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; 43 43 + copySharedFile1 = pkgs.writeScript "copy-shared-file" '' 44 44 + #!${pkgs.runtimeShell} 45 45 + echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file 46 46 + ''; 47 47 + copySharedFile3 = pkgs.writeScript "copy-shared-file" '' 48 48 + #!${pkgs.runtimeShell} 49 49 + echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 50 50 + ''; 51 51 + openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel; 52 52 + openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel; 53 53 + in '' 54 54 + nextcloudwithopenssl1.start() 55 55 + nextcloudwithopenssl1.wait_for_unit("multi-user.target") 56 56 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 57 57 + nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") 58 58 + 59 59 + with subtest("With OpenSSL 1 SSE can be enabled and used"): 60 60 + nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") 61 61 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") 62 62 + 63 63 + with subtest("Upload file and ensure it's encrypted"): 64 64 + nextcloudwithopenssl1.succeed("${copySharedFile1}") 65 65 + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 66 66 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 67 67 + 68 68 + with subtest("Switch to OpenSSL 3"): 69 69 + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") 70 70 + nextcloudwithopenssl1.wait_for_open_port(80) 71 71 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 72 72 + 73 73 + with subtest("Existing encrypted files cannot be read, but new files can be added"): 74 74 + nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") 75 75 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") 76 76 + nextcloudwithopenssl1.succeed("${copySharedFile3}") 77 77 + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") 78 78 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 79 79 + 80 80 + with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): 81 81 + nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") 82 82 + nextcloudwithopenssl1.wait_for_open_port(80) 83 83 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 84 84 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") 85 85 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 86 86 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 87 87 + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 88 88 + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") 89 89 + 90 90 + with subtest("Ensure that everything can be decrypted"): 91 91 + nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") 92 92 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 93 93 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 94 94 + nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 95 95 + 96 96 + with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): 97 97 + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") 98 98 + nextcloudwithopenssl1.wait_for_open_port(80) 99 99 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 100 100 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 101 101 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 102 102 + 103 103 + nextcloudwithopenssl1.shutdown() 104 104 + ''; 105 105 + })) args

+1 -1

pkgs/development/interpreters/php/generic.nix

··· 91 91 [ ] 92 92 allExtensionFunctions; 93 93 94 94 - getExtName = ext: lib.removePrefix "php-" (builtins.parseDrvName ext.name).name; 94 94 + getExtName = ext: ext.extensionName; 95 95 96 96 # Recursively get a list of all internal dependencies 97 97 # for a list of extensions.

+15 -4

pkgs/top-level/php-packages.nix

··· 73 73 # will mark the extension as a zend extension or not. 74 74 mkExtension = lib.makeOverridable 75 75 ({ name 76 76 - , configureFlags ? [ "--enable-${name}" ] 76 76 + , configureFlags ? [ "--enable-${extName}" ] 77 77 , internalDeps ? [ ] 78 78 , postPhpize ? "" 79 79 , buildInputs ? [ ] 80 80 , zendExtension ? false 81 81 , doCheck ? true 82 82 + , extName ? name 82 83 , ... 83 84 }@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // { 84 85 pname = "php-${name}"; 85 85 - extensionName = name; 86 86 + extensionName = extName; 86 87 87 88 outputs = [ "out" "dev" ]; 88 89 ··· 105 106 106 107 cdToExtensionRootPhase = '' 107 108 # Go to extension source root. 108 108 - cd "ext/${name}" 109 109 + cd "ext/${extName}" 109 110 ''; 110 111 111 112 preConfigure = '' ··· 141 142 runHook preInstall 142 143 143 144 mkdir -p $out/lib/php/extensions 144 144 - cp modules/${name}.so $out/lib/php/extensions/${name}.so 145 145 + cp modules/${extName}.so $out/lib/php/extensions/${extName}.so 145 146 mkdir -p $dev/include 146 147 ${rsync}/bin/rsync -r --filter="+ */" \ 147 148 --filter="+ *.h" \ ··· 413 414 { 414 415 name = "openssl"; 415 416 buildInputs = if (lib.versionAtLeast php.version "8.1") then [ openssl ] else [ openssl_1_1 ]; 417 417 + configureFlags = [ "--with-openssl" ]; 418 418 + doCheck = false; 419 419 + } 420 420 + # This provides a legacy OpenSSL PHP extension 421 421 + # For situations where OpenSSL 3 do not support a set of features 422 422 + # without a specific openssl.cnf file 423 423 + { 424 424 + name = "openssl-legacy"; 425 425 + extName = "openssl"; 426 426 + buildInputs = [ openssl_1_1 ]; 416 427 configureFlags = [ "--with-openssl" ]; 417 428 doCheck = false; 418 429 }