pyrox.dev / nixpkgs
lol
fork atom

nixos/nextcloud: minor docs cleanup for openssl change

* s/NextCloud/Nextcloud/g
* `enableBrokenCiphersForSSE` should be enabled by default for any NixOS
installation from before 22.11 to make sure existing installations
don't run into the issue. Not the other way round.
* Update release notes to reflect on that.
* Improve wording of the warning a bit: explain which option to change
to get rid of it.
* Ensure that basic tests w/o `enableBrokenCiphersForSSE` run with
OpenSSL 3.

Maximilian Bosch 61128cba 394d4de8

options
unified split
Changed files
+43 -29
nixos
doc
manual
from_md
release-notes
rl-2211.section.xml
release-notes
rl-2211.section.md
modules
services
web-apps
nextcloud.nix
tests
nextcloud
basic.nix
+14 -12
nixos/doc/manual/from_md/release-notes/rl-2211.section.xml 
···

       
609

       
609

       
 

       
      </listitem>


     

       
610

       
610

       
 

       
      <listitem>


     

       
611

       
611

       
 

       
        <para>


     

       
612

       

       
-

       
          The NextCloud NixOS module uses OpenSSL 3.x for its PHP’s


     

       
613

       

       
-

       
          openssl extension, this breaks RC4-based server-side


     

       
614

       

       
-

       
          encryption in NextCloud, making all your files unreadable upon


     

       
615

       

       
-

       
          upgrade. Upon testing, we could not trigger any cases of


     

       
616

       

       
-

       
          <emphasis role="strong">data loss</emphasis>, but we


     

       
617

       

       
-

       
          <emphasis role="strong">cannot guarantee</emphasis> that for


     

       
618

       

       
-

       
          every accidental OpenSSL upgrade. To restore functionality,


     

       
619

       

       
-

       
          <link linkend="opt-services.nextcloud.enableBrokenCiphersForSSE"><literal>services.nextcloud.enableBrokenCiphersForSSE</literal></link>


     

       
620

       

       
-

       
          has to be set to <literal>true</literal>. NextCloud is


     

       
621

       

       
-

       
          planning to implement AES-256-GCM server-side encryption in


     

       
622

       

       
-

       
          the future through


     

       
623

       

       
-

       
          <link xlink:href="https://github.com/nextcloud/server/pull/25551">https://github.com/nextcloud/server/pull/25551</link>.


     

       

       
612

       
+

       
          The <literal>openssl</literal>-extension for the PHP


     

       

       
613

       
+

       
          interpreter used by <literal>services.nextcloud</literal> is


     

       

       
614

       
+

       
          built against OpenSSL 1.1 if


     

       

       
615

       
+

       
          <xref linkend="opt-system.stateVersion" /> is below


     

       

       
616

       
+

       
          <literal>22.11</literal>. This is to make sure that people


     

       

       
617

       
+

       
          using


     

       

       
618

       
+

       
          <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side


     

       

       
619

       
+

       
          encryption</link> don’t loose access to their files.


     

       

       
620

       
+

       
        </para>


     

       

       
621

       
+

       
        <para>


     

       

       
622

       
+

       
          In any other case it’s safe to use OpenSSL 3 for PHP’s openssl


     

       

       
623

       
+

       
          extension. This can be done by setting


     

       

       
624

       
+

       
          <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />


     

       

       
625

       
+

       
          to <literal>false</literal>.


     

       
624

       
626

       
 

       
        </para>


     

       
625

       
627

       
 

       
      </listitem>


     

       
626

       
628

       
 

       
      <listitem>
+6 -1
nixos/doc/manual/release-notes/rl-2211.section.md 
···

       
196

       
196

       
 

       



     

       
197

       
197

       
 

       
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.


     

       
198

       
198

       
 

       



     

       
199

       

       
-

       
- The NextCloud NixOS module uses OpenSSL 3.x for its PHP's openssl extension, this breaks RC4-based server-side encryption in NextCloud, making all your files unreadable upon upgrade. Upon testing, we could not trigger any cases of **data loss**, but we **cannot guarantee** that for every accidental OpenSSL upgrade. To restore functionality, [`services.nextcloud.enableBrokenCiphersForSSE`](#opt-services.nextcloud.enableBrokenCiphersForSSE) has to be set to `true`. NextCloud is planning to implement AES-256-GCM server-side encryption in the future through <https://github.com/nextcloud/server/pull/25551>.


     

       

       
199

       
+

       
- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if


     

       

       
200

       
+

       
  [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)


     

       

       
201

       
+

       
  don't loose access to their files.


     

       

       
202

       
+

       



     

       

       
203

       
+

       
  In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting


     

       

       
204

       
+

       
  [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.


     

       
200

       
205

       
 

       



     

       
201

       
206

       
 

       
- The `coq` package and versioned variants starting at `coq_8_14` no


     

       
202

       
207

       
 

       
  longer include CoqIDE, which is now available through
+21 -16
nixos/modules/services/web-apps/nextcloud.nix 
···

       
15

       
15

       
 

       
      (with all;


     

       
16

       
16

       
 

       
        # disable default openssl extension


     

       
17

       
17

       
 

       
        (lib.filter (e: e.pname != "openssl") enabled)


     

       
18

       

       
-

       
        # use OpenSSL 1.1 for RC4 NextCloud encryption if user


     

       

       
18

       
+

       
        # use OpenSSL 1.1 for RC4 Nextcloud encryption if user


     

       
19

       
19

       
 

       
        # has acknowledged the brokeness of the ciphers (RC4).


     

       
20

       
20

       
 

       
        # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.


     

       
21

       
21

       
 

       
        ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ])


     
···

       
88

       
88

       
 

       



     

       
89

       
89

       
 

       
    enableBrokenCiphersForSSE = mkOption {


     

       
90

       
90

       
 

       
      type = types.bool;


     

       
91

       

       
-

       
      # Workaround can be removed at backport-time for 22.11.


     

       
92

       

       
-

       
      default = !(versionOlder stateVersion "22.11");


     

       

       
91

       
+

       
      default = versionOlder stateVersion "22.11";


     

       

       
92

       
+

       
      defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";


     

       
93

       
93

       
 

       
      description = lib.mdDoc ''


     

       
94

       

       
-

       
        This option uses OpenSSL PHP extension linked against OpenSSL 1.x rather


     

       

       
94

       
+

       
        This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather


     

       
95

       
95

       
 

       
        than latest OpenSSL (≥ 3), this is not recommended except if you need


     

       
96

       
96

       
 

       
        it.


     

       
97

       
97

       
 

       



     

       
98

       

       
-

       
        Server-side encryption in NextCloud uses RC4 ciphers, a broken cipher


     

       

       
98

       
+

       
        Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher


     

       
99

       
99

       
 

       
        since ~2004.


     

       
100

       
100

       
 

       



     

       
101

       
101

       
 

       
        This cipher has been disabled in OpenSSL ≥ 3 and requires


     

       
102

       
102

       
 

       
        a specific legacy profile to re-enable it.


     

       
103

       
103

       
 

       



     

       
104

       

       
-

       
        If you upgrade to a NextCloud using OpenSSL ≥ 3 and have


     

       

       
104

       
+

       
        If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have


     

       
105

       
105

       
 

       
        server-side encryption configured, you will not be able to access


     

       
106

       

       
-

       
        your files anymore, enabling this option can restore access to your files.


     

       

       
106

       
+

       
        your files anymore. Enabling this option can restore access to your files.


     

       

       
107

       
+

       
        Upon testing we didn't encounter any data corruption when turning


     

       

       
108

       
+

       
        this on and off again, but this cannot be guaranteed for


     

       

       
109

       
+

       
        each Nextcloud installation.


     

       
107

       
110

       
 

       



     

       
108

       
111

       
 

       
        Unless you are using external storage,


     

       
109

       
112

       
 

       
        it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear


     

       
110

       
113

       
 

       
        it provides any amount of security beyond encryption for external storage.


     

       
111

       

       
-

       
        If you know more about this feature and is keen on it,


     

       
112

       

       
-

       
        please chime in <https://github.com/NixOS/nixpkgs/pull/198470> or open


     

       
113

       

       
-

       
        an issue in nixpkgs.


     

       
114

       
114

       
 

       



     

       
115

       

       
-

       
        In the future, NextCloud may move to AES-256-GCM, by then,


     

       
116

       

       
-

       
        this option will be deprecated.


     

       

       
115

       
+

       
        In the future, Nextcloud may move to AES-256-GCM, by then,


     

       

       
116

       
+

       
        this option will be removed.


     

       
117

       
117

       
 

       
      '';


     

       
118

       
118

       
 

       
    };


     

       
119

       
119

       
 

       
    hostName = mkOption {


     
···

       
686

       
686

       
 

       
        ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05"))


     

       
687

       
687

       
 

       
        ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11"))


     

       
688

       
688

       
 

       
        ++ (optional cfg.enableBrokenCiphersForSSE ''


     

       
689

       

       
-

       
          You're using PHP's openssl extension built against OpenSSL 1.1.


     

       
690

       

       
-

       
          This is only necessary if you're using NextCloud's server-side encryption.


     

       

       
689

       
+

       
          You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud.


     

       

       
690

       
+

       
          This is only necessary if you're using Nextcloud's server-side encryption.


     

       
691

       
691

       
 

       
          Please keep in mind that it's using the broken RC4 cipher.


     

       
692

       
692

       
 

       



     

       
693

       

       
-

       
          In order to disable this option and remove this warning,


     

       
694

       

       
-

       
          server-side encryption has to be disabled, see <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.


     

       

       
693

       
+

       
          If you don't use that feature, you can switch to OpenSSL 3 by declaring


     

       

       
694

       
+

       



     

       

       
695

       
+

       
            services.nextcloud.enableBrokenCiphersForSSE = false;


     

       

       
696

       
+

       



     

       

       
697

       
+

       
          Otherwise you'd have to disable server-side encryption first in order


     

       

       
698

       
+

       
          to be able to safely disable this option and get rid of that warning.


     

       

       
699

       
+

       
          See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.


     

       
695

       
700

       
 

       



     

       
696

       
701

       
 

       
          For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470


     

       
697

       
702

       
 

       
        '')
+2
nixos/tests/nextcloud/basic.nix 
···

       
37

       
37

       
 

       
        "d /var/lib/nextcloud-data 0750 nextcloud nginx - -"


     

       
38

       
38

       
 

       
      ];


     

       
39

       
39

       
 

       



     

       

       
40

       
+

       
      system.stateVersion = "22.11";


     

       

       
41

       
+

       



     

       
40

       
42

       
 

       
      services.nextcloud = {


     

       
41

       
43

       
 

       
        enable = true;


     

       
42

       
44

       
 

       
        datadir = "/var/lib/nextcloud-data";