
Merge: Use cacert in Nextcloud (#406252)

authored by

Maximilian Bosch and committed by
GitHub
26126c75 59176734

+93 -21
+17 -10
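--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -9,6 +9,11 @@
 
 let
   cfg = config.services.nextcloud;
+
+  overridePackage = cfg.package.override {
+    inherit (config.security.pki) caBundle;
+  };
+
   fpm = config.services.phpfpm.pools.nextcloud;
 
   jsonFormat = pkgs.formats.json { };
@@ -51,13 +56,13 @@
   };
 
   webroot =
-    pkgs.runCommand "${cfg.package.name or "nextcloud"}-with-apps"
+    pkgs.runCommand "${overridePackage.name or "nextcloud"}-with-apps"
       {
         preferLocalBuild = true;
       }
       ''
         mkdir $out
-        ln -sfv "${cfg.package}"/* "$out"
+        ln -sfv "${overridePackage}"/* "$out"
         ${concatStrings (
           mapAttrsToList (
             name: store:
@@ -185,8 +190,8 @@
   mysqlLocal = cfg.database.createLocally && cfg.config.dbtype == "mysql";
   pgsqlLocal = cfg.database.createLocally && cfg.config.dbtype == "pgsql";
 
-  nextcloudGreaterOrEqualThan = versionAtLeast cfg.package.version;
-  nextcloudOlderThan = versionOlder cfg.package.version;
+  nextcloudGreaterOrEqualThan = versionAtLeast overridePackage.version;
+  nextcloudOlderThan = versionOlder overridePackage.version;
 
   # https://github.com/nextcloud/documentation/pull/11179
   ocmProviderIsNotAStaticDirAnymore =
@@ -1028,12 +1033,12 @@
         If you have an existing installation with a custom table prefix, make sure it is
         set correctly in `config.php` and remove the option from your NixOS config.
       '')
-      ++ (optional (versionOlder cfg.package.version "26") (upgradeWarning 25 "23.05"))
-      ++ (optional (versionOlder cfg.package.version "27") (upgradeWarning 26 "23.11"))
-      ++ (optional (versionOlder cfg.package.version "28") (upgradeWarning 27 "24.05"))
-      ++ (optional (versionOlder cfg.package.version "29") (upgradeWarning 28 "24.11"))
-      ++ (optional (versionOlder cfg.package.version "30") (upgradeWarning 29 "24.11"))
-      ++ (optional (versionOlder cfg.package.version "31") (upgradeWarning 30 "25.05"));
+      ++ (optional (versionOlder overridePackage.version "26") (upgradeWarning 25 "23.05"))
+      ++ (optional (versionOlder overridePackage.version "27") (upgradeWarning 26 "23.11"))
+      ++ (optional (versionOlder overridePackage.version "28") (upgradeWarning 27 "24.05"))
+      ++ (optional (versionOlder overridePackage.version "29") (upgradeWarning 28 "24.11"))
+      ++ (optional (versionOlder overridePackage.version "30") (upgradeWarning 29 "24.11"))
+      ++ (optional (versionOlder overridePackage.version "31") (upgradeWarning 30 "25.05"));
 
     services.nextcloud.package =
       with pkgs;
@@ -1386,6 +1391,8 @@
             datadirectory = lib.mkDefault "${datadir}/data";
             trusted_domains = [ cfg.hostName ];
             "upgrade.disable-web" = true;
+            # NixOS already provides its own integrity check and the nix store is read-only, therefore Nextcloud does not need to do its own integrity checks.
+            "integrity.check.disabled" = true;
           })
           (lib.mkIf cfg.configureRedis {
             "memcache.distributed" = ''\OC\Memcache\Redis'';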
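Review bot: The `"integrity.check.disabled" = true` added at new line 1395 turns off Nextcloud's code-signature check for everything, but the comment above it only argues from the read-only store; it neither names the likely trigger (presumably the bundle copied into resources/config/ca-bundle.crt no longer matches the core signature manifest, so the check would fail on every boot) nor points out that the same switch also covers apps that live in a writable app directory, which the Nix store does not protect if such installs are enabled. I'd extend the comment to say both, e.g. `# The CA bundle patched into resources/config/ca-bundle.crt no longer matches Nextcloud's core signature, so the built-in check would always fail; the store path is immutable anyway, but note this also disables signature checks for apps in any writable app directory.` A second, smaller point: `cfg.package.override { inherit (config.security.pki) caBundle; }` at new lines 13-15 assumes `services.nextcloud.package` is a derivation accepting a `caBundle` argument, so a user-supplied package built without it now fails at evaluation; the option description should state that requirement. The `config` attribute set these lines belong to starts and ends outside the hunk.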
+70 -11
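--- a/nixos/tests/nextcloud/with-objectstore.nix
+++ b/nixos/tests/nextcloud/with-objectstore.nix
@@ -26,11 +26,13 @@
 
   nodes = {
     nextcloud =
-      { config, pkgs, ... }:
       {
-        networking.firewall.allowedTCPPorts = [ 9000 ];
-        environment.systemPackages = [ pkgs.minio-client ];
-
+        config,
+        pkgs,
+        nodes,
+        ...
+      }:
+      {
         services.nextcloud.config.dbtype = "sqlite";
 
         services.nextcloud.config.objectstore.s3 = {
@@ -39,13 +41,66 @@
           autocreate = true;
           key = accessKey;
           secretFile = "${pkgs.writeText "secretKey" secretKey}";
-          hostname = "nextcloud";
-          useSsl = false;
-          port = 9000;
+          hostname = "acme.test";
+          useSsl = true;
+          port = 443;
           usePathStyle = true;
           region = "us-east-1";
         };
 
+        security.pki.certificates = [
+          (builtins.readFile ../common/acme/server/ca.cert.pem)
+        ];
+
+        environment.systemPackages = [ pkgs.minio-client ];
+
+        # The dummy certs are for acme.test, so we pretend that's the FQDN
+        # of the minio VM.
+        networking.extraHosts = ''
+          ${nodes.minio.networking.primaryIPAddress} acme.test
+        '';
+      };
+
+    client =
+      { nodes, ... }:
+      {
+        security.pki.certificates = [
+          (builtins.readFile ../common/acme/server/ca.cert.pem)
+        ];
+        networking.extraHosts = ''
+          ${nodes.minio.networking.primaryIPAddress} acme.test
+        '';
+      };
+
+    minio =
+      { ... }:
+      {
+        security.pki.certificates = [
+          (builtins.readFile ../common/acme/server/ca.cert.pem)
+        ];
+
+        services.nginx = {
+          enable = true;
+          recommendedProxySettings = true;
+
+          virtualHosts."acme.test" = {
+            onlySSL = true;
+            sslCertificate = ../common/acme/server/acme.test.cert.pem;
+            sslCertificateKey = ../common/acme/server/acme.test.key.pem;
+            locations."/".proxyPass = "http://127.0.0.1:9000";
+          };
+        };
+
+        networking.extraHosts = ''
+          127.0.0.1 acme.test
+        '';
+
+        networking.firewall.allowedTCPPorts = [
+          9000
+          80
+          443
+        ];
+
         services.minio = {
           enable = true;
           listenAddress = "0.0.0.0:9000";
@@ -56,18 +111,22 @@
   };
 
   test-helpers.init = ''
-    nextcloud.wait_for_open_port(9000)
+    minio.start()
+    minio.wait_for_open_port(9000)
+    minio.wait_for_unit("nginx.service")
+    minio.wait_for_open_port(443)
   '';
 
   test-helpers.extraTests =
     { nodes, ... }:
     ''
+
       with subtest("File is not on the filesystem"):
           nextcloud.succeed("test ! -e ${nodes.nextcloud.services.nextcloud.home}/data/root/files/test-shared-file")
 
       with subtest("Check if file is in S3"):
           nextcloud.succeed(
-              "mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4"
+              "mc config host add minio https://acme.test ${accessKey} ${secretKey} --api s3v4"
           )
           files = nextcloud.succeed('mc ls minio/nextcloud|sort').strip().split('\n')
 
@@ -100,8 +159,8 @@
       with subtest("Test download from S3"):
           client.succeed(
               "env AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey} "
-              + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url http://nextcloud:9000 "
-              + "--region us-east-1"
+              + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url https://acme.test "
+              + "--region us-east-1 --ca-bundle /etc/ssl/certs/ca-bundle.crt"
           )
 
       client.succeed("test hi = $(cat test)")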
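Review bot: The new minio node still exposes the plaintext port: `networking.firewall.allowedTCPPorts` at new lines 98-102 lists `9000` and `80` next to `443`, and minio keeps `listenAddress = "0.0.0.0:9000"` (context line 106), although after this change both Nextcloud and the client are meant to reach the store only through nginx on 443 (`onlySSL = true`, so 80 serves nothing). Leaving 9000 reachable from the other VMs means a client that quietly fell back to `http://acme.test:9000` would still pass, so the test would not actually prove that the CA bundle wired through `security.pki` is what makes the S3 connection work. I'd tighten it to `networking.firewall.allowedTCPPorts = [ 443 ];` and `listenAddress = "127.0.0.1:9000";`; the `minio.wait_for_open_port(9000)` in `test-helpers.init` runs on the minio VM itself and keeps working against loopback, as far as I can tell. The minio node definition continues past the hunk.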
+6
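--- a/pkgs/servers/nextcloud/default.nix
+++ b/pkgs/servers/nextcloud/default.nix
@@ -3,6 +3,8 @@
   stdenvNoCC,
   fetchurl,
   nixosTests,
+  cacert,
+  caBundle ? "${cacert}/etc/ssl/certs/ca-bundle.crt",
   nextcloud30Packages,
   nextcloud31Packages,
 }:
@@ -31,6 +33,10 @@
       ) nixosTests.nextcloud;
       inherit packages;
     };
+
+    postPatch = ''
+      cp ${caBundle} resources/config/ca-bundle.crt
+    '';
 
     installPhase = ''
       runHook preInstall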
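Review bot: The `postPatch` at new lines 37-39 replaces the CA bundle Nextcloud ships with, but nothing in the derivation says why; a reader cannot tell that Nextcloud apparently validates outbound TLS against its own `resources/config/ca-bundle.crt` rather than the system trust store, which is the only reason `security.pki` settings need to be pushed into the package at all. I'd add above the `cp`: `# Nextcloud checks outbound TLS against this vendored bundle instead of the system store, so replace it with the configured one (defaults to cacert).` Since `caBundle` is a free-form override argument that is interpolated unquoted into the shell, I'd also write `cp "${caBundle}" resources/config/ca-bundle.crt` — the default is a store path, but an override can pass any string. The derivation attribute set starts and ends outside the hunk.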