Unverified Commit 39dcdc5c authored by Maximilian Bosch

nixos/nextcloud: check if ownership of config is correct

Follow-up on #169733

For `data`, Nextcloud checks on its own if everything is readable.
However, for `config` it's crucial that the ownership is actually
correct: otherwise, systemd-tmpfiles will refuse any operations inside
because of unsafe path transitions.

This can result in a subtly broken setup: the `override.config.php` is
not being updated, but is also no longer part of the system closure
(another override.config.php is referenced now), which means it'll be
GCed eventually even though Nextcloud relies on it.

If this precondition is not met, the following error will be printed:

    nextcloud-setup-start[972]: /var/lib/nextcloud/config is not owned by user 'nextcloud'!
    nextcloud-setup-start[972]: Please check the logs via 'journalctl -u systemd-tmpfiles-setup'
    nextcloud-setup-start[972]: and make sure there are no unsafe path transitions.
    nextcloud-setup-start[972]: (https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)
parent 1f0082fe
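The commit message describes the failure mode only in words: systemd-tmpfiles walks the target path component by component and refuses to act once it hits a step from a directory owned by a non-root user into a path owned by a different user. The following is an added illustration (not code from nixpkgs or systemd) that applies that rule to a constructed ownership map for `/var/lib/nextcloud/config/override.config.php` and reports each offending step. The uid `998` for the `nextcloud` user, the two ownership maps, and the rule as written here (root-to-anyone and same-owner steps are safe, anything else is not) are assumptions for the example; the lookup can be swapped for `os.stat` to inspect a real host.

```python
"""Detect ownership steps that systemd-tmpfiles treats as unsafe path transitions.

Added example, not part of the nixpkgs commit. The rule below is the author's
understanding of systemd's check: a step from a component owned by a non-root
user into a component owned by a *different* user is unsafe; steps out of a
root-owned directory, and steps that keep the same owner, are fine.
"""
import os
from typing import Callable, Dict, List, Tuple

UidLookup = Callable[[str], int]
Transition = Tuple[str, int, str, int]  # (parent, parent_uid, child, child_uid)

# Constructed sample data: uid 998 stands in for the 'nextcloud' user (assumed).
NEXTCLOUD_UID = 998

# A tree where an admin chown'd config/ back to root by hand (the case the commit guards).
BROKEN_TREE: Dict[str, int] = {
    "/": 0,
    "/var": 0,
    "/var/lib": 0,
    "/var/lib/nextcloud": NEXTCLOUD_UID,
    "/var/lib/nextcloud/config": 0,
    "/var/lib/nextcloud/config/override.config.php": 0,
}

# The same tree with the ownership the module expects.
HEALTHY_TREE: Dict[str, int] = {
    **BROKEN_TREE,
    "/var/lib/nextcloud/config": NEXTCLOUD_UID,
    "/var/lib/nextcloud/config/override.config.php": NEXTCLOUD_UID,
}


def components(path: str) -> List[str]:
    """Expand '/a/b/c' into ['/', '/a', '/a/b', '/a/b/c']."""
    parts = [p for p in os.path.normpath(path).split(os.sep) if p]
    out = ["/"]
    cur = ""
    for part in parts:
        cur = f"{cur}/{part}"
        out.append(cur)
    return out


def real_uid(path: str) -> int:
    """Default lookup for a live filesystem."""
    return os.stat(path).st_uid


def unsafe_transitions(path: str, uid_of: UidLookup = real_uid) -> List[Transition]:
    """Return every parent->child step on `path` that violates the rule above."""
    comps = components(path)
    bad: List[Transition] = []
    for parent, child in zip(comps, comps[1:]):
        parent_uid, child_uid = uid_of(parent), uid_of(child)
        if parent_uid != 0 and parent_uid != child_uid:
            bad.append((parent, parent_uid, child, child_uid))
    return bad


def config_owned_by(datadir: str, uid: int, uid_of: UidLookup = real_uid) -> bool:
    """Mirror of the `[[ -O "${datadir}/config" ]]` check, against an explicit uid."""
    return uid_of(f"{datadir}/config") == uid


def check_tree(tree: Dict[str, int], target: str) -> List[Transition]:
    """Run the walk against a constructed ownership map instead of the real disk."""
    return unsafe_transitions(target, tree.__getitem__)


if __name__ == "__main__":
    target = "/var/lib/nextcloud/config/override.config.php"
    for label, tree in (("broken", BROKEN_TREE), ("healthy", HEALTHY_TREE)):
        steps = check_tree(tree, target)
        owned = config_owned_by("/var/lib/nextcloud", NEXTCLOUD_UID, tree.__getitem__)
        print(f"{label}: config owned by nextcloud={owned}, unsafe steps={steps}")
```

Running it on the broken map names the single step `/var/lib/nextcloud` (998) into `/var/lib/nextcloud/config` (0), which is the transition the commit message says makes tmpfiles skip the `override.config.php` symlink; on the healthy map the list is empty. Note that the walk also catches a wrong owner on a parent component, which a test of `config` alone does not.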
+9 −0
@@ -1173,6 +1173,15 @@ in
                exit 1
              fi

              # Check if systemd-tmpfiles setup worked correctly
              if [[ ! -O "${datadir}/config" ]]; then
                echo "${datadir}/config is not owned by user 'nextcloud'!"
                echo "Please check the logs via 'journalctl -u systemd-tmpfiles-setup'"
                echo "and make sure there are no unsafe path transitions."
                echo "(https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)"
                exit 1
              fi

              ${concatMapStrings
                (name: ''
                  if [ -d "${cfg.home}"/${name} ]; then
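Review bot: `[[ ! -O "${datadir}/config" ]]` compares the directory's owner with the effective UID of the shell running this script, not with the user 'nextcloud' that the echo on the next line hard-codes, so the message is only accurate while the setup unit runs as that user; printing `$(id -un)` or `$(stat -c %U "${datadir}/config")` would keep the diagnostic truthful if the unit's user ever changes. Also, the tmpfiles refusal the message points to is triggered by a step between two path components, so an unexpected owner on `${datadir}` itself (with `config` still owned correctly) produces the same symptom while this check, which looks only at `${datadir}/config`, passes; unless the preceding check already covers `${datadir}`, consider testing it as well. Finally, `-O` follows symlinks, so a `config` that is itself a symlink is judged by its target rather than the link.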