pyrox.dev / nixpkgs
lol
fork atom

nixos/nextcloud: fixup openssl compat change

Upon testing the change itself I realized that it doesn't build properly
because

* the `pname` of a php extension is `php-<name>`, not `<name>`.
* calling the extension `openssl-legacy` resulted in PHP trying to compile
`ext/openssl-legacy` which broke since it doesn't exist:

source root is php-8.1.12
setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c
patching sources
cdToExtensionRootPhase
/nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory

I didn't encounter that one before because I was mostly interested in
having a sane behavior for everyone not using this "feature" and the
documentation around this. My findings about the behavior with turning
openssl1.1 on/off are still valid because I tested this on `master` with
manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`.

To work around the issue I had to slightly modify the extension
build-system for PHP:

* The attribute `extensionName` is now relevant to determine the output
paths (e.g. `lib/openssl.so`). This is not a behavioral change for
existing extensions because then `extensionName==name`.

However when specifying `extName` in `php-packages.nix` this value is
overridden and it is made sure that the extension called `extName` NOT
`name` (i.e. `openssl` vs `openssl-legacy`) is built and installed.

The `name` still has to be kept to keep the legacy openssl available
as `php.extensions.openssl-legacy`.

Additionally I implemented a small VM test to check the behavior with
server-side encryption:

* For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix`
it's checked that OpenSSL 3 is used). With that the "default"
behavior of the module is checked.

* It is ensured that the PHP interpreter for Nextcloud's php-fpm
actually loads the correct openssl extension.

* It is tested that (encrypted) files remain usable when (temporarily)
installing OpenSSL3 (of course then they're not decryptable, but on a
rollback that should still be possible).

Finally, a few more documentation changes:

* I also mentioned the issue in `nextcloud.xml` to make sure the issue
is at least mentioned in the manual section about Nextcloud. Not too
much detail here, but the relevant option `enableBrokenCiphersForSSE`
is referenced.

* I fixed a few minor wording issues to also give the full context
(we're talking about Nextcloud; we're talking about the PHP extension
**only**; please check if you really need this even though it's
enabled by default).

This is because I felt that sometimes it might be hard to understand
what's going on when e.g. an eval-warning appears without telling where
exactly it comes from.

Maximilian Bosch 35b146ca 61128cba

options
unified split
Changed files
+153 -25
nixos
doc
manual
from_md
release-notes
rl-2211.section.xml
release-notes
rl-2211.section.md
modules
services
web-apps
nextcloud.nix
nextcloud.xml
tests
nextcloud
basic.nix
default.nix
openssl-sse.nix
pkgs
development
interpreters
php
generic.nix
top-level
php-packages.nix
+1 -2
nixos/doc/manual/from_md/release-notes/rl-2211.section.xml 
···

       
610

       
610

       
 

       
      <listitem>


     

       
611

       
611

       
 

       
        <para>


     

       
612

       
612

       
 

       
          The <literal>openssl</literal>-extension for the PHP


     

       
613

       

       
-

       
          interpreter used by <literal>services.nextcloud</literal> is


     

       
614

       

       
-

       
          built against OpenSSL 1.1 if


     

       

       
613

       
+

       
          interpreter used by Nextcloud is built against OpenSSL 1.1 if


     

       
615

       
614

       
 

       
          <xref linkend="opt-system.stateVersion" /> is below


     

       
616

       
615

       
 

       
          <literal>22.11</literal>. This is to make sure that people


     

       
617

       
616

       
 

       
          using
+1 -1
nixos/doc/manual/release-notes/rl-2211.section.md 
···

       
196

       
196

       
 

       



     

       
197

       
197

       
 

       
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.


     

       
198

       
198

       
 

       



     

       
199

       

       
-

       
- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if


     

       

       
199

       
+

       
- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if


     

       
200

       
200

       
 

       
  [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)


     

       
201

       
201

       
 

       
  don't loose access to their files.


     

       
202

       
202
+18 -13
nixos/modules/services/web-apps/nextcloud.nix 
···

       
14

       
14

       
 

       
    extensions = { enabled, all }:


     

       
15

       
15

       
 

       
      (with all;


     

       
16

       
16

       
 

       
        # disable default openssl extension


     

       
17

       

       
-

       
        (lib.filter (e: e.pname != "openssl") enabled)


     

       

       
17

       
+

       
        (lib.filter (e: e.pname != "php-openssl") enabled)


     

       
18

       
18

       
 

       
        # use OpenSSL 1.1 for RC4 Nextcloud encryption if user


     

       
19

       
19

       
 

       
        # has acknowledged the brokeness of the ciphers (RC4).


     

       
20

       
20

       
 

       
        # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.


     
···

       
91

       
91

       
 

       
      default = versionOlder stateVersion "22.11";


     

       
92

       
92

       
 

       
      defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";


     

       
93

       
93

       
 

       
      description = lib.mdDoc ''


     

       
94

       

       
-

       
        This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather


     

       
95

       

       
-

       
        than latest OpenSSL (≥ 3), this is not recommended except if you need


     

       
96

       

       
-

       
        it.


     

       
97

       

       
-

       



     

       
98

       

       
-

       
        Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher


     

       
99

       

       
-

       
        since ~2004.


     

       

       
94

       
+

       
        This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1


     

       

       
95

       
+

       
        rather than latest OpenSSL (≥ 3), this is not recommended unless you need


     

       

       
96

       
+

       
        it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is


     

       

       
97

       
+

       
        considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465).


     

       
100

       
98

       
 

       



     

       
101

       
99

       
 

       
        This cipher has been disabled in OpenSSL ≥ 3 and requires


     

       
102

       
100

       
 

       
        a specific legacy profile to re-enable it.


     

       
103

       
101

       
 

       



     

       
104

       

       
-

       
        If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have


     

       

       
102

       
+

       
        If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have


     

       
105

       
103

       
 

       
        server-side encryption configured, you will not be able to access


     

       
106

       
104

       
 

       
        your files anymore. Enabling this option can restore access to your files.


     

       
107

       
105

       
 

       
        Upon testing we didn't encounter any data corruption when turning


     

       
108

       
106

       
 

       
        this on and off again, but this cannot be guaranteed for


     

       
109

       
107

       
 

       
        each Nextcloud installation.


     

       
110

       
108

       
 

       



     

       
111

       

       
-

       
        Unless you are using external storage,


     

       
112

       

       
-

       
        it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear


     

       
113

       

       
-

       
        it provides any amount of security beyond encryption for external storage.


     

       

       
109

       
+

       
        It is `true` by default for systems with a [](#opt-system.stateVersion) below


     

       

       
110

       
+

       
        `22.11` to make sure that existing installations won't break on update. On newer


     

       

       
111

       
+

       
        NixOS systems you have to explicitly enable it on your own.


     

       

       
112

       
+

       



     

       

       
113

       
+

       
        Please note that this only provides additional value when using


     

       

       
114

       
+

       
        external storage such as S3 since it's not an end-to-end encryption.


     

       

       
115

       
+

       
        If this is not the case,


     

       

       
116

       
+

       
        it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`.


     

       
114

       
117

       
 

       



     

       
115

       
118

       
 

       
        In the future, Nextcloud may move to AES-256-GCM, by then,


     

       
116

       
119

       
 

       
        this option will be removed.


     
···

       
690

       
693

       
 

       
          This is only necessary if you're using Nextcloud's server-side encryption.


     

       
691

       
694

       
 

       
          Please keep in mind that it's using the broken RC4 cipher.


     

       
692

       
695

       
 

       



     

       
693

       

       
-

       
          If you don't use that feature, you can switch to OpenSSL 3 by declaring


     

       

       
696

       
+

       
          If you don't use that feature, you can switch to OpenSSL 3 and get


     

       

       
697

       
+

       
          rid of this warning by declaring


     

       
694

       
698

       
 

       



     

       
695

       
699

       
 

       
            services.nextcloud.enableBrokenCiphersForSSE = false;


     

       
696

       
700

       
 

       



     

       

       
701

       
+

       
          If you need to use server-side encryption you can ignore this waring.


     

       
697

       
702

       
 

       
          Otherwise you'd have to disable server-side encryption first in order


     

       
698

       

       
-

       
          to be able to safely disable this option and get rid of that warning.


     

       

       
703

       
+

       
          to be able to safely disable this option and get rid of this warning.


     

       
699

       
704

       
 

       
          See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.


     

       
700

       
705

       
 

       



     

       
701

       
706

       
 

       
          For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470
+14
nixos/modules/services/web-apps/nextcloud.xml 
···

       
170

       
170

       
 

       
     </listitem>


     

       
171

       
171

       
 

       
    </itemizedlist>


     

       
172

       
172

       
 

       
   </listitem>


     

       

       
173

       
+

       
   <listitem>


     

       

       
174

       
+

       
    <formalpara>


     

       

       
175

       
+

       
     <title>Server-side encryption</title>


     

       

       
176

       
+

       
     <para>


     

       

       
177

       
+

       
      Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>.


     

       

       
178

       
+

       
      This is not an end-to-end encryption, but can be used to encrypt files that will be persisted


     

       

       
179

       
+

       
      to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3


     

       

       
180

       
+

       
      for PHP's openssl extension because this is implemented using the legacy cipher RC4.


     

       

       
181

       
+

       
      If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>,


     

       

       
182

       
+

       
      this is disabled by default. To turn it on again and for further information please refer to


     

       

       
183

       
+

       
      <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />.


     

       

       
184

       
+

       
     </para>


     

       

       
185

       
+

       
    </formalpara>


     

       

       
186

       
+

       
   </listitem>


     

       
173

       
187

       
 

       
  </itemizedlist>


     

       
174

       
188

       
 

       
 </section>


     

       
175

       
189
+6 -2
nixos/tests/nextcloud/basic.nix 
···

       
37

       
37

       
 

       
        "d /var/lib/nextcloud-data 0750 nextcloud nginx - -"


     

       
38

       
38

       
 

       
      ];


     

       
39

       
39

       
 

       



     

       
40

       

       
-

       
      system.stateVersion = "22.11";


     

       

       
40

       
+

       
      system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3


     

       
41

       
41

       
 

       



     

       
42

       
42

       
 

       
      services.nextcloud = {


     

       
43

       
43

       
 

       
        enable = true;


     

       
44

       
44

       
 

       
        datadir = "/var/lib/nextcloud-data";


     

       
45

       
45

       
 

       
        hostName = "nextcloud";


     

       
46

       

       
-

       
        enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false;


     

       
47

       
46

       
 

       
        config = {


     

       
48

       
47

       
 

       
          # Don't inherit adminuser since "root" is supposed to be the default


     

       
49

       
48

       
 

       
          adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home!


     
···

       
102

       
101

       
 

       
    # This is just to ensure the nextcloud-occ program is working


     

       
103

       
102

       
 

       
    nextcloud.succeed("nextcloud-occ status")


     

       
104

       
103

       
 

       
    nextcloud.succeed("curl -sSf http://nextcloud/login")


     

       

       
104

       
+

       
    # Ensure that no OpenSSL 1.1 is used.


     

       

       
105

       
+

       
    nextcloud.succeed(


     

       

       
106

       
+

       
        "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1"


     

       

       
107

       
+

       
    )


     

       
105

       
108

       
 

       
    nextcloud.succeed(


     

       
106

       
109

       
 

       
        "${withRcloneEnv} ${copySharedFile}"


     

       
107

       
110

       
 

       
    )


     
···

       
111

       
114

       
 

       
        "${withRcloneEnv} ${diffSharedFile}"


     

       
112

       
115

       
 

       
    )


     

       
113

       
116

       
 

       
    assert "hi" in client.succeed("cat /mnt/dav/test-shared-file")


     

       

       
117

       
+

       
    nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file")


     

       
114

       
118

       
 

       
  '';


     

       
115

       
119

       
 

       
})) args
+1 -2
nixos/tests/nextcloud/default.nix 
···

       
8

       
8

       
 

       
foldl


     

       
9

       
9

       
 

       
  (matrix: ver: matrix // {


     

       
10

       
10

       
 

       
    "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; };


     

       
11

       

       
-

       
    "with-legacy-openssl${toString ver}" = import ./basic.nix {


     

       

       
11

       
+

       
    "openssl-sse${toString ver}" = import ./openssl-sse.nix {


     

       
12

       
12

       
 

       
      inherit system pkgs;


     

       
13

       
13

       
 

       
      nextcloudVersion = ver;


     

       
14

       

       
-

       
      enableBrokenCiphersForSSE = true;


     

       
15

       
14

       
 

       
    };


     

       
16

       
15

       
 

       
    "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix {


     

       
17

       
16

       
 

       
      inherit system pkgs;
+105
nixos/tests/nextcloud/openssl-sse.nix 
···

       

       
1

       
+

       
args@{ pkgs, nextcloudVersion ? 25, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
(import ../make-test-python.nix ({ pkgs, ...}: let


     

       

       
4

       
+

       
  adminuser = "root";


     

       

       
5

       
+

       
  adminpass = "notproduction";


     

       

       
6

       
+

       
  nextcloudBase = {


     

       

       
7

       
+

       
    networking.firewall.allowedTCPPorts = [ 80 ];


     

       

       
8

       
+

       
    system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default


     

       

       
9

       
+

       
    services.nextcloud = {


     

       

       
10

       
+

       
      enable = true;


     

       

       
11

       
+

       
      config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}";


     

       

       
12

       
+

       
      package = pkgs.${"nextcloud" + (toString nextcloudVersion)};


     

       

       
13

       
+

       
    };


     

       

       
14

       
+

       
  };


     

       

       
15

       
+

       
in {


     

       

       
16

       
+

       
  name = "nextcloud-openssl";


     

       

       
17

       
+

       
  meta = with pkgs.lib.maintainers; {


     

       

       
18

       
+

       
    maintainers = [ ma27 ];


     

       

       
19

       
+

       
  };


     

       

       
20

       
+

       
  nodes.nextcloudwithopenssl1 = {


     

       

       
21

       
+

       
    imports = [ nextcloudBase ];


     

       

       
22

       
+

       
    services.nextcloud.hostName = "nextcloudwithopenssl1";


     

       

       
23

       
+

       
  };


     

       

       
24

       
+

       
  nodes.nextcloudwithopenssl3 = {


     

       

       
25

       
+

       
    imports = [ nextcloudBase ];


     

       

       
26

       
+

       
    services.nextcloud = {


     

       

       
27

       
+

       
      hostName = "nextcloudwithopenssl3";


     

       

       
28

       
+

       
      enableBrokenCiphersForSSE = false;


     

       

       
29

       
+

       
    };


     

       

       
30

       
+

       
  };


     

       

       
31

       
+

       
  testScript = { nodes, ... }: let


     

       

       
32

       
+

       
    withRcloneEnv = host: pkgs.writeScript "with-rclone-env" ''


     

       

       
33

       
+

       
      #!${pkgs.runtimeShell}


     

       

       
34

       
+

       
      export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav


     

       

       
35

       
+

       
      export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/"


     

       

       
36

       
+

       
      export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"


     

       

       
37

       
+

       
      export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"


     

       

       
38

       
+

       
      export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"


     

       

       
39

       
+

       
      "''${@}"


     

       

       
40

       
+

       
    '';


     

       

       
41

       
+

       
    withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1";


     

       

       
42

       
+

       
    withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3";


     

       

       
43

       
+

       
    copySharedFile1 = pkgs.writeScript "copy-shared-file" ''


     

       

       
44

       
+

       
      #!${pkgs.runtimeShell}


     

       

       
45

       
+

       
      echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file


     

       

       
46

       
+

       
    '';


     

       

       
47

       
+

       
    copySharedFile3 = pkgs.writeScript "copy-shared-file" ''


     

       

       
48

       
+

       
      #!${pkgs.runtimeShell}


     

       

       
49

       
+

       
      echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2


     

       

       
50

       
+

       
    '';


     

       

       
51

       
+

       
    openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel;


     

       

       
52

       
+

       
    openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel;


     

       

       
53

       
+

       
  in ''


     

       

       
54

       
+

       
    nextcloudwithopenssl1.start()


     

       

       
55

       
+

       
    nextcloudwithopenssl1.wait_for_unit("multi-user.target")


     

       

       
56

       
+

       
    nextcloudwithopenssl1.succeed("nextcloud-occ status")


     

       

       
57

       
+

       
    nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")


     

       

       
58

       
+

       



     

       

       
59

       
+

       
    with subtest("With OpenSSL 1 SSE can be enabled and used"):


     

       

       
60

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")


     

       

       
61

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")


     

       

       
62

       
+

       



     

       

       
63

       
+

       
    with subtest("Upload file and ensure it's encrypted"):


     

       

       
64

       
+

       
        nextcloudwithopenssl1.succeed("${copySharedFile1}")


     

       

       
65

       
+

       
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")


     

       

       
66

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")


     

       

       
67

       
+

       



     

       

       
68

       
+

       
    with subtest("Switch to OpenSSL 3"):


     

       

       
69

       
+

       
        nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")


     

       

       
70

       
+

       
        nextcloudwithopenssl1.wait_for_open_port(80)


     

       

       
71

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ status")


     

       

       
72

       
+

       



     

       

       
73

       
+

       
    with subtest("Existing encrypted files cannot be read, but new files can be added"):


     

       

       
74

       
+

       
        nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2")


     

       

       
75

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")


     

       

       
76

       
+

       
        nextcloudwithopenssl1.succeed("${copySharedFile3}")


     

       

       
77

       
+

       
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")


     

       

       
78

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")


     

       

       
79

       
+

       



     

       

       
80

       
+

       
    with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):


     

       

       
81

       
+

       
        nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test")


     

       

       
82

       
+

       
        nextcloudwithopenssl1.wait_for_open_port(80)


     

       

       
83

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ status")


     

       

       
84

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")


     

       

       
85

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")


     

       

       
86

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")


     

       

       
87

       
+

       
        nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")


     

       

       
88

       
+

       
        nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")


     

       

       
89

       
+

       



     

       

       
90

       
+

       
    with subtest("Ensure that everything can be decrypted"):


     

       

       
91

       
+

       
        nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")


     

       

       
92

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")


     

       

       
93

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")


     

       

       
94

       
+

       
        nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")


     

       

       
95

       
+

       



     

       

       
96

       
+

       
    with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):


     

       

       
97

       
+

       
        nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")


     

       

       
98

       
+

       
        nextcloudwithopenssl1.wait_for_open_port(80)


     

       

       
99

       
+

       
        nextcloudwithopenssl1.succeed("nextcloud-occ status")


     

       

       
100

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")


     

       

       
101

       
+

       
        nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")


     

       

       
102

       
+

       



     

       

       
103

       
+

       
    nextcloudwithopenssl1.shutdown()


     

       

       
104

       
+

       
  '';


     

       

       
105

       
+

       
})) args
+1 -1
pkgs/development/interpreters/php/generic.nix 
···

       
91

       
91

       
 

       
              [ ]


     

       
92

       
92

       
 

       
              allExtensionFunctions;


     

       
93

       
93

       
 

       



     

       
94

       

       
-

       
          getExtName = ext: lib.removePrefix "php-" (builtins.parseDrvName ext.name).name;


     

       

       
94

       
+

       
          getExtName = ext: ext.extensionName;


     

       
95

       
95

       
 

       



     

       
96

       
96

       
 

       
          # Recursively get a list of all internal dependencies


     

       
97

       
97

       
 

       
          # for a list of extensions.
+6 -4
pkgs/top-level/php-packages.nix 
···

       
71

       
71

       
 

       
  # will mark the extension as a zend extension or not.


     

       
72

       
72

       
 

       
  mkExtension = lib.makeOverridable


     

       
73

       
73

       
 

       
    ({ name


     

       
74

       

       
-

       
    , configureFlags ? [ "--enable-${name}" ]


     

       

       
74

       
+

       
    , configureFlags ? [ "--enable-${extName}" ]


     

       
75

       
75

       
 

       
    , internalDeps ? [ ]


     

       
76

       
76

       
 

       
    , postPhpize ? ""


     

       
77

       
77

       
 

       
    , buildInputs ? [ ]


     

       
78

       
78

       
 

       
    , zendExtension ? false


     

       
79

       
79

       
 

       
    , doCheck ? true


     

       

       
80

       
+

       
    , extName ? name


     

       
80

       
81

       
 

       
    , ...


     

       
81

       
82

       
 

       
    }@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // {


     

       
82

       
83

       
 

       
      pname = "php-${name}";


     

       
83

       

       
-

       
      extensionName = name;


     

       

       
84

       
+

       
      extensionName = extName;


     

       
84

       
85

       
 

       



     

       
85

       
86

       
 

       
      outputs = [ "out" "dev" ];


     

       
86

       
87

       
 

       



     
···

       
103

       
104

       
 

       



     

       
104

       
105

       
 

       
      cdToExtensionRootPhase = ''


     

       
105

       
106

       
 

       
        # Go to extension source root.


     

       
106

       

       
-

       
        cd "ext/${name}"


     

       

       
107

       
+

       
        cd "ext/${extName}"


     

       
107

       
108

       
 

       
      '';


     

       
108

       
109

       
 

       



     

       
109

       
110

       
 

       
      preConfigure = ''


     
···

       
139

       
140

       
 

       
        runHook preInstall


     

       
140

       
141

       
 

       



     

       
141

       
142

       
 

       
        mkdir -p $out/lib/php/extensions


     

       
142

       

       
-

       
        cp modules/${name}.so $out/lib/php/extensions/${name}.so


     

       

       
143

       
+

       
        cp modules/${extName}.so $out/lib/php/extensions/${extName}.so


     

       
143

       
144

       
 

       
        mkdir -p $dev/include


     

       
144

       
145

       
 

       
        ${rsync}/bin/rsync -r --filter="+ */" \


     

       
145

       
146

       
 

       
                              --filter="+ *.h" \


     
···

       
419

       
420

       
 

       
        # without a specific openssl.cnf file


     

       
420

       
421

       
 

       
        {


     

       
421

       
422

       
 

       
          name = "openssl-legacy";


     

       

       
423

       
+

       
          extName = "openssl";


     

       
422

       
424

       
 

       
          buildInputs = [ openssl_1_1 ];


     

       
423

       
425

       
 

       
          configureFlags = [ "--with-openssl" ];


     

       
424

       
426

       
 

       
          doCheck = false;