nixos/nextcloud: fixup openssl compat change (35b146ca) · Commits · nix / nixpkgs

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

+1 −2

Original line number	Diff line number	Diff line
		@@ -610,8 +610,7 @@
		<listitem>
		<para>
		The <literal>openssl</literal>-extension for the PHP
		interpreter used by <literal>services.nextcloud</literal> is
		built against OpenSSL 1.1 if
		interpreter used by Nextcloud is built against OpenSSL 1.1 if
		<xref linkend="opt-system.stateVersion" /> is below
		<literal>22.11</literal>. This is to make sure that people
		using

nixos/doc/manual/release-notes/rl-2211.section.md

+1 −1

Original line number	Diff line number	Diff line
		@@ -196,7 +196,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).

		- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.

		- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if
		- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
		[](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
		don't loose access to their files.

nixos/modules/services/web-apps/nextcloud.nix

+18 −13

Original line number	Diff line number	Diff line
		@@ -14,7 +14,7 @@ let
		extensions = { enabled, all }:
		(with all;
		# disable default openssl extension
		(lib.filter (e: e.pname != "openssl") enabled)
		(lib.filter (e: e.pname != "php-openssl") enabled)
		# use OpenSSL 1.1 for RC4 Nextcloud encryption if user
		# has acknowledged the brokeness of the ciphers (RC4).
		# TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.
		@@ -91,26 +91,29 @@ in {
		default = versionOlder stateVersion "22.11";
		defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";
		description = lib.mdDoc ''
		This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather
		than latest OpenSSL (≥ 3), this is not recommended except if you need
		it.

		Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher
		since ~2004.
		This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1
		rather than latest OpenSSL (≥ 3), this is not recommended unless you need
		it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is
		considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465).

		This cipher has been disabled in OpenSSL ≥ 3 and requires
		a specific legacy profile to re-enable it.

		If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have
		If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have
		server-side encryption configured, you will not be able to access
		your files anymore. Enabling this option can restore access to your files.
		Upon testing we didn't encounter any data corruption when turning
		this on and off again, but this cannot be guaranteed for
		each Nextcloud installation.

		Unless you are using external storage,
		it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear
		it provides any amount of security beyond encryption for external storage.
		It is `true` by default for systems with a [](#opt-system.stateVersion) below
		`22.11` to make sure that existing installations won't break on update. On newer
		NixOS systems you have to explicitly enable it on your own.

		Please note that this only provides additional value when using
		external storage such as S3 since it's not an end-to-end encryption.
		If this is not the case,
		it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`.

		In the future, Nextcloud may move to AES-256-GCM, by then,
		this option will be removed.
		@@ -690,12 +693,14 @@ in {
		This is only necessary if you're using Nextcloud's server-side encryption.
		Please keep in mind that it's using the broken RC4 cipher.

		If you don't use that feature, you can switch to OpenSSL 3 by declaring
		If you don't use that feature, you can switch to OpenSSL 3 and get
		rid of this warning by declaring

		services.nextcloud.enableBrokenCiphersForSSE = false;

		If you need to use server-side encryption you can ignore this waring.
		Otherwise you'd have to disable server-side encryption first in order
		to be able to safely disable this option and get rid of that warning.
		to be able to safely disable this option and get rid of this warning.
		See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.

		For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470

nixos/modules/services/web-apps/nextcloud.xml

+14 −0

Original line number	Diff line number	Diff line
		@@ -170,6 +170,20 @@
		</listitem>
		</itemizedlist>
		</listitem>
		<listitem>
		<formalpara>
		<title>Server-side encryption</title>
		<para>
		Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>.
		This is not an end-to-end encryption, but can be used to encrypt files that will be persisted
		to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3
		for PHP's openssl extension because this is implemented using the legacy cipher RC4.
		If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>,
		this is disabled by default. To turn it on again and for further information please refer to
		<xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />.
		</para>
		</formalpara>
		</listitem>
		</itemizedlist>
		</section>

nixos/tests/nextcloud/basic.nix

+6 −2

Original line number	Diff line number	Diff line
		@@ -37,13 +37,12 @@ in {
		"d /var/lib/nextcloud-data 0750 nextcloud nginx - -"
		];

		system.stateVersion = "22.11";
		system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3

		services.nextcloud = {
		enable = true;
		datadir = "/var/lib/nextcloud-data";
		hostName = "nextcloud";
		enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false;
		config = {
		# Don't inherit adminuser since "root" is supposed to be the default
		adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home!
		@@ -102,6 +101,10 @@ in {
		# This is just to ensure the nextcloud-occ program is working
		nextcloud.succeed("nextcloud-occ status")
		nextcloud.succeed("curl -sSf http://nextcloud/login")
		# Ensure that no OpenSSL 1.1 is used.
		nextcloud.succeed(
		"${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i \| grep 'OpenSSL Library Version' \| awk -F'=>' '{ print $2 }' \| awk '{ print $2 }' \| grep -v 1.1"
		)
		nextcloud.succeed(
		"${withRcloneEnv} ${copySharedFile}"
		)
		@@ -111,5 +114,6 @@ in {
		"${withRcloneEnv} ${diffSharedFile}"
		)
		assert "hi" in client.succeed("cat /mnt/dav/test-shared-file")
		nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file")
		'';
		})) args