+17

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

··· 631 </listitem> 632 <listitem> 633 <para> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 634 The <literal>coq</literal> package and versioned variants 635 starting at <literal>coq_8_14</literal> no longer include 636 CoqIDE, which is now available through

··· 631 </listitem> 632 <listitem> 633 <para> 634 + The <literal>openssl</literal>-extension for the PHP 635 + interpreter used by Nextcloud is built against OpenSSL 1.1 if 636 + <xref linkend="opt-system.stateVersion" /> is below 637 + <literal>22.11</literal>. This is to make sure that people 638 + using 639 + <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side 640 + encryption</link> don’t loose access to their files. 641 + </para> 642 + <para> 643 + In any other case it’s safe to use OpenSSL 3 for PHP’s openssl 644 + extension. This can be done by setting 645 + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" /> 646 + to <literal>false</literal>. 647 + </para> 648 + </listitem> 649 + <listitem> 650 + <para> 651 The <literal>coq</literal> package and versioned variants 652 starting at <literal>coq_8_14</literal> no longer include 653 CoqIDE, which is now available through

+7

nixos/doc/manual/release-notes/rl-2211.section.md

··· 204 205 - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. 206 0 0 0 0 0 0 0 207 - The `coq` package and versioned variants starting at `coq_8_14` no 208 longer include CoqIDE, which is now available through 209 `coqPackages.coqide`. It is still possible to get CoqIDE as part of

··· 204 205 - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. 206 207 + - The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if 208 + [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) 209 + don't loose access to their files. 210 + 211 + In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting 212 + [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. 213 + 214 - The `coq` package and versioned variants starting at `coq_8_14` no 215 longer include CoqIDE, which is now available through 216 `coqPackages.coqide`. It is still possible to get CoqIDE as part of

+57 -1

nixos/modules/services/web-apps/nextcloud.nix

··· 13 phpPackage = cfg.phpPackage.buildEnv { 14 extensions = { enabled, all }: 15 (with all; 16 - enabled 0 0 0 0 0 17 ++ optional cfg.enableImagemagick imagick 18 # Optionally enabled depending on caching settings 19 ++ optional cfg.caching.apcu apcu ··· 80 81 options.services.nextcloud = { 82 enable = mkEnableOption (lib.mdDoc "nextcloud"); 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 83 hostName = mkOption { 84 type = types.str; 85 description = lib.mdDoc "FQDN for the nextcloud instance."; ··· 649 ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) 650 ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) 651 ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 652 ++ (optional isUnsupportedMariadb '' 653 You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! 654 Please note that this isn't supported officially by Nextcloud. You can either

··· 13 phpPackage = cfg.phpPackage.buildEnv { 14 extensions = { enabled, all }: 15 (with all; 16 + # disable default openssl extension 17 + (lib.filter (e: e.pname != "php-openssl") enabled) 18 + # use OpenSSL 1.1 for RC4 Nextcloud encryption if user 19 + # has acknowledged the brokeness of the ciphers (RC4). 20 + # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. 21 + ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) 22 ++ optional cfg.enableImagemagick imagick 23 # Optionally enabled depending on caching settings 24 ++ optional cfg.caching.apcu apcu ··· 85 86 options.services.nextcloud = { 87 enable = mkEnableOption (lib.mdDoc "nextcloud"); 88 + 89 + enableBrokenCiphersForSSE = mkOption { 90 + type = types.bool; 91 + default = versionOlder stateVersion "22.11"; 92 + defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; 93 + description = lib.mdDoc '' 94 + This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 95 + rather than latest OpenSSL (≥ 3), this is not recommended unless you need 96 + it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is 97 + considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). 98 + 99 + This cipher has been disabled in OpenSSL ≥ 3 and requires 100 + a specific legacy profile to re-enable it. 101 + 102 + If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have 103 + server-side encryption configured, you will not be able to access 104 + your files anymore. Enabling this option can restore access to your files. 105 + Upon testing we didn't encounter any data corruption when turning 106 + this on and off again, but this cannot be guaranteed for 107 + each Nextcloud installation. 108 + 109 + It is `true` by default for systems with a [](#opt-system.stateVersion) below 110 + `22.11` to make sure that existing installations won't break on update. On newer 111 + NixOS systems you have to explicitly enable it on your own. 112 + 113 + Please note that this only provides additional value when using 114 + external storage such as S3 since it's not an end-to-end encryption. 115 + If this is not the case, 116 + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. 117 + 118 + In the future, Nextcloud may move to AES-256-GCM, by then, 119 + this option will be removed. 120 + ''; 121 + }; 122 hostName = mkOption { 123 type = types.str; 124 description = lib.mdDoc "FQDN for the nextcloud instance."; ··· 688 ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) 689 ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) 690 ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) 691 + ++ (optional cfg.enableBrokenCiphersForSSE '' 692 + You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. 693 + This is only necessary if you're using Nextcloud's server-side encryption. 694 + Please keep in mind that it's using the broken RC4 cipher. 695 + 696 + If you don't use that feature, you can switch to OpenSSL 3 and get 697 + rid of this warning by declaring 698 + 699 + services.nextcloud.enableBrokenCiphersForSSE = false; 700 + 701 + If you need to use server-side encryption you can ignore this waring. 702 + Otherwise you'd have to disable server-side encryption first in order 703 + to be able to safely disable this option and get rid of this warning. 704 + See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this. 705 + 706 + For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 707 + '') 708 ++ (optional isUnsupportedMariadb '' 709 You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! 710 Please note that this isn't supported officially by Nextcloud. You can either

+14

nixos/modules/services/web-apps/nextcloud.xml

··· 170 </listitem> 171 </itemizedlist> 172 </listitem> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 173 </itemizedlist> 174 </section> 175

··· 170 </listitem> 171 </itemizedlist> 172 </listitem> 173 + <listitem> 174 + <formalpara> 175 + <title>Server-side encryption</title> 176 + <para> 177 + Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>. 178 + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted 179 + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 180 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. 181 + If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>, 182 + this is disabled by default. To turn it on again and for further information please refer to 183 + <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />. 184 + </para> 185 + </formalpara> 186 + </listitem> 187 </itemizedlist> 188 </section> 189

+7

nixos/tests/nextcloud/basic.nix

··· 37 "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" 38 ]; 39 0 0 40 services.nextcloud = { 41 enable = true; 42 datadir = "/var/lib/nextcloud-data"; ··· 99 # This is just to ensure the nextcloud-occ program is working 100 nextcloud.succeed("nextcloud-occ status") 101 nextcloud.succeed("curl -sSf http://nextcloud/login") 0 0 0 0 102 nextcloud.succeed( 103 "${withRcloneEnv} ${copySharedFile}" 104 ) ··· 108 "${withRcloneEnv} ${diffSharedFile}" 109 ) 110 assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") 0 111 ''; 112 })) args

··· 37 "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" 38 ]; 39 40 + system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3 41 + 42 services.nextcloud = { 43 enable = true; 44 datadir = "/var/lib/nextcloud-data"; ··· 101 # This is just to ensure the nextcloud-occ program is working 102 nextcloud.succeed("nextcloud-occ status") 103 nextcloud.succeed("curl -sSf http://nextcloud/login") 104 + # Ensure that no OpenSSL 1.1 is used. 105 + nextcloud.succeed( 106 + "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1" 107 + ) 108 nextcloud.succeed( 109 "${withRcloneEnv} ${copySharedFile}" 110 ) ··· 114 "${withRcloneEnv} ${diffSharedFile}" 115 ) 116 assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") 117 + nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file") 118 ''; 119 })) args

+4

nixos/tests/nextcloud/default.nix

··· 8 foldl 9 (matrix: ver: matrix // { 10 "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; 0 0 0 0 11 "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { 12 inherit system pkgs; 13 nextcloudVersion = ver;

··· 8 foldl 9 (matrix: ver: matrix // { 10 "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; 11 + "openssl-sse${toString ver}" = import ./openssl-sse.nix { 12 + inherit system pkgs; 13 + nextcloudVersion = ver; 14 + }; 15 "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { 16 inherit system pkgs; 17 nextcloudVersion = ver;

+105

nixos/tests/nextcloud/openssl-sse.nix

··· 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

··· 1 + args@{ pkgs, nextcloudVersion ? 25, ... }: 2 + 3 + (import ../make-test-python.nix ({ pkgs, ...}: let 4 + adminuser = "root"; 5 + adminpass = "notproduction"; 6 + nextcloudBase = { 7 + networking.firewall.allowedTCPPorts = [ 80 ]; 8 + system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default 9 + services.nextcloud = { 10 + enable = true; 11 + config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; 12 + package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; 13 + }; 14 + }; 15 + in { 16 + name = "nextcloud-openssl"; 17 + meta = with pkgs.lib.maintainers; { 18 + maintainers = [ ma27 ]; 19 + }; 20 + nodes.nextcloudwithopenssl1 = { 21 + imports = [ nextcloudBase ]; 22 + services.nextcloud.hostName = "nextcloudwithopenssl1"; 23 + }; 24 + nodes.nextcloudwithopenssl3 = { 25 + imports = [ nextcloudBase ]; 26 + services.nextcloud = { 27 + hostName = "nextcloudwithopenssl3"; 28 + enableBrokenCiphersForSSE = false; 29 + }; 30 + }; 31 + testScript = { nodes, ... }: let 32 + withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' 33 + #!${pkgs.runtimeShell} 34 + export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav 35 + export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/" 36 + export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" 37 + export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" 38 + export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" 39 + "''${@}" 40 + ''; 41 + withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; 42 + withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; 43 + copySharedFile1 = pkgs.writeScript "copy-shared-file" '' 44 + #!${pkgs.runtimeShell} 45 + echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file 46 + ''; 47 + copySharedFile3 = pkgs.writeScript "copy-shared-file" '' 48 + #!${pkgs.runtimeShell} 49 + echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 50 + ''; 51 + openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel; 52 + openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel; 53 + in '' 54 + nextcloudwithopenssl1.start() 55 + nextcloudwithopenssl1.wait_for_unit("multi-user.target") 56 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 57 + nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") 58 + 59 + with subtest("With OpenSSL 1 SSE can be enabled and used"): 60 + nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") 61 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") 62 + 63 + with subtest("Upload file and ensure it's encrypted"): 64 + nextcloudwithopenssl1.succeed("${copySharedFile1}") 65 + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 66 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 67 + 68 + with subtest("Switch to OpenSSL 3"): 69 + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") 70 + nextcloudwithopenssl1.wait_for_open_port(80) 71 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 72 + 73 + with subtest("Existing encrypted files cannot be read, but new files can be added"): 74 + nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") 75 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") 76 + nextcloudwithopenssl1.succeed("${copySharedFile3}") 77 + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") 78 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 79 + 80 + with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): 81 + nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") 82 + nextcloudwithopenssl1.wait_for_open_port(80) 83 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 84 + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") 85 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 86 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 87 + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 88 + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") 89 + 90 + with subtest("Ensure that everything can be decrypted"): 91 + nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") 92 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 93 + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 94 + nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") 95 + 96 + with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): 97 + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") 98 + nextcloudwithopenssl1.wait_for_open_port(80) 99 + nextcloudwithopenssl1.succeed("nextcloud-occ status") 100 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") 101 + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") 102 + 103 + nextcloudwithopenssl1.shutdown() 104 + ''; 105 + })) args

+1 -1

pkgs/development/interpreters/php/generic.nix

··· 91 [ ] 92 allExtensionFunctions; 93 94 - getExtName = ext: lib.removePrefix "php-" (builtins.parseDrvName ext.name).name; 95 96 # Recursively get a list of all internal dependencies 97 # for a list of extensions.

··· 91 [ ] 92 allExtensionFunctions; 93 94 + getExtName = ext: ext.extensionName; 95 96 # Recursively get a list of all internal dependencies 97 # for a list of extensions.

+15 -4

pkgs/top-level/php-packages.nix

··· 73 # will mark the extension as a zend extension or not. 74 mkExtension = lib.makeOverridable 75 ({ name 76 - , configureFlags ? [ "--enable-${name}" ] 77 , internalDeps ? [ ] 78 , postPhpize ? "" 79 , buildInputs ? [ ] 80 , zendExtension ? false 81 , doCheck ? true 0 82 , ... 83 }@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // { 84 pname = "php-${name}"; 85 - extensionName = name; 86 87 outputs = [ "out" "dev" ]; 88 ··· 105 106 cdToExtensionRootPhase = '' 107 # Go to extension source root. 108 - cd "ext/${name}" 109 ''; 110 111 preConfigure = '' ··· 141 runHook preInstall 142 143 mkdir -p $out/lib/php/extensions 144 - cp modules/${name}.so $out/lib/php/extensions/${name}.so 145 mkdir -p $dev/include 146 ${rsync}/bin/rsync -r --filter="+ */" \ 147 --filter="+ *.h" \ ··· 413 { 414 name = "openssl"; 415 buildInputs = if (lib.versionAtLeast php.version "8.1") then [ openssl ] else [ openssl_1_1 ]; 0 0 0 0 0 0 0 0 0 0 416 configureFlags = [ "--with-openssl" ]; 417 doCheck = false; 418 }

··· 73 # will mark the extension as a zend extension or not. 74 mkExtension = lib.makeOverridable 75 ({ name 76 + , configureFlags ? [ "--enable-${extName}" ] 77 , internalDeps ? [ ] 78 , postPhpize ? "" 79 , buildInputs ? [ ] 80 , zendExtension ? false 81 , doCheck ? true 82 + , extName ? name 83 , ... 84 }@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // { 85 pname = "php-${name}"; 86 + extensionName = extName; 87 88 outputs = [ "out" "dev" ]; 89 ··· 106 107 cdToExtensionRootPhase = '' 108 # Go to extension source root. 109 + cd "ext/${extName}" 110 ''; 111 112 preConfigure = '' ··· 142 runHook preInstall 143 144 mkdir -p $out/lib/php/extensions 145 + cp modules/${extName}.so $out/lib/php/extensions/${extName}.so 146 mkdir -p $dev/include 147 ${rsync}/bin/rsync -r --filter="+ */" \ 148 --filter="+ *.h" \ ··· 414 { 415 name = "openssl"; 416 buildInputs = if (lib.versionAtLeast php.version "8.1") then [ openssl ] else [ openssl_1_1 ]; 417 + configureFlags = [ "--with-openssl" ]; 418 + doCheck = false; 419 + } 420 + # This provides a legacy OpenSSL PHP extension 421 + # For situations where OpenSSL 3 do not support a set of features 422 + # without a specific openssl.cnf file 423 + { 424 + name = "openssl-legacy"; 425 + extName = "openssl"; 426 + buildInputs = [ openssl_1_1 ]; 427 configureFlags = [ "--with-openssl" ]; 428 doCheck = false; 429 }