nextcloud doesn't create the needed groups #48881

Closed
teto opened this issue Oct 23, 2018 · 17 comments · Fixed by #93584
Labels
0.kind: bug Something is broken
Comments

@teto
Member

teto commented Oct 23, 2018

Issue description

I tried the new nextcloud service on nixos-unstable, but it seems like it lacks an assert or forgets to create the group for nginx, since this simple config

{ config, lib, pkgs,  ... }:
let
  secrets = import ../secrets.nix;
in
{
  services.nextcloud = {
    enable = true;
    # TODO update later
    hostName = "toto.com";
    # nginx.enable = true;
    config = {
      adminpass = secrets.nextcloud.password;
    };
    maxUploadSize = "512M";
  };
}

generates a deployment failure (deployed via nixops):

mptcp-server> Oct 23 22:10:40 mptcp systemd[1]: Starting PHP FastCGI Process Manager service for pool nextcloud...
mptcp-server> Oct 23 22:10:40 mptcp php-fpm[8850]: [ERROR] [pool nextcloud] cannot get gid for group 'nginx'
mptcp-server> Oct 23 22:10:40 mptcp php-fpm[8850]: [ERROR] [pool nextcloud] cannot get gid for group 'nginx'
mptcp-server> Oct 23 22:10:40 mptcp php-fpm[8850]: [ERROR] FPM initialization failed
mptcp-server> Oct 23 22:10:40 mptcp php-fpm[8850]: [ERROR] FPM initialization failed

Technical details

 - system: `"x86_64-linux"`
 - host os: `Linux 4.14.73, NixOS, 19.03.git.50dfcd2 (Koi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.1.3`
 - channels(teto): `""`
 - channels(root): `"nixos-unstable-18.03pre130932.cc4677c36ee"`
 - nixpkgs: `/home/teto/nixpkgs`

@eqyiel
Contributor

eqyiel commented Oct 23, 2018

This could be fixed by making these configurable:

listen.owner = nginx
listen.group = nginx
user = nextcloud
group = nginx

@flokli
Contributor

flokli commented Nov 3, 2018

Right, this should be configurable and default to nginx if enabled, complaining if nginx is disabled and it's still set to nginx.

Could one of you prepare a PR for that, possibly also editing tests, adding a variant with another webserver?

@teto
Member Author

teto commented Nov 3, 2018

@flokli couldn't it default to another group than nginx and use nginx only if activated?
I was just trying out the module with the hope it would be straightforward to set up, so I don't think I will contribute in the short future.

@flokli
Contributor

flokli commented Nov 3, 2018

@teto it might work, but this would mean when enabling nginx, seafile's php would suddenly be executed as another user, yielding weird results due to wrong ownership of files in users data directories - I'd like to avoid that…

Examples, like the VM tests, currently also enable nginx - We could also think about enabling nginx automatically when enabling nextcloud, or make that configurable (and default to true).

Do you use apache as webserver, or why don't you use nginx?

@teto
Member Author

teto commented Nov 7, 2018

I've enabled nginx and deployed nextcloud on one of my machines. A quick run in journalctl shows no error (and nextcloud), yet I can't access the webUI. Is there anything required to enable the webUI?

           └─phpfpm.slice
             └─phpfpm-nextcloud.service
               ├─683 php-fpm: master process (/nix/store/1645dgx0032hqsf0m923miz55nsd86fv-phpfpm-nextcloud.conf)
               ├─690 php-fpm: pool nextcloud
               └─691 php-fpm: pool nextcloud

I've used a fake domainName "toto.com" since my server has no domain. Could that be it? Should I address it by its IP instead?

@flokli
Contributor

flokli commented Nov 7, 2018

@teto if nextcloud is enabled, the nextcloud module creates a services.nginx.virtualHosts with name ${cfg.hostName} pointing to the nextcloud installation.

@teto
Member Author

teto commented Nov 9, 2018

That might be a bit out of scope but I tried installing nextcloud on several machines and while it seems to work locally (as in wget http://localhost), it doesn't answer to remote connections. I ran wireshark and the server returns no answer. journalctl -b0 shows my connection attempts are blocked:

Nov 09 14:08:27 gitolite kernel: refused connection: IN=ens3 OUT= MAC=00:16:3e:df:e6:ca:d0:72:dc:39:7b:7f:08:00 SRC=IP_SRC DST=IP_DEST LEN=72 TOS=0x00 PREC=0x00 TTL=57 ID=27873 DF PROTO=TCP SPT=40968 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 09 14:08:28 gitolite kernel: refused connection: IN=ens3 OUT= MAC=00:16:3e:df:e6:ca:d0:72:dc:39:7b:7f:08:00 SRC=IP_SRC DST=IP_DEST LEN=72 TOS=0x00 PREC=0x00 TTL=57 ID=6728 DF PROTO=TCP SPT=40970 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 09 14:08:28 gitolite kernel: refused connection: IN=ens3 OUT= MAC=00:16:3e:df:e6:ca:d0:72:dc:39:7b:7f:08:00 SRC=IP_SRC DST=IP_DEST LEN=72 TOS=0x00 PREC=0x00 TTL=57 ID=27874 DF PROTO=TCP SPT=40968 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

I looked for an nginx.firewall = enable option but that doesn't seem to be the case. There is a firewallfilter, but I would rather enable it via a boolean than by using scary iptables parameters.

@flokli
Contributor

flokli commented Nov 11, 2018

@teto about that issue, you need to open port 80/443 in the firewall, see https://nixos.org/nixos/manual/index.html#sec-firewall :

networking.firewall.allowedTCPPorts = [ 80 443 ];

@teto
Member Author

teto commented Nov 12, 2018

@flokli That solved it, thanks. I've added a setting for it. Feel free to close it, but I like the added coupling between the module and the firewall ports opening: #50256.
Btw I am so glad I switched to nixos. The ease of installation of programs as complex as nextcloud is spectacular (and I expect the maintenance to be a lot easier as well). This is the kind of self-hosted program I've always wanted to do but didn't want to commit the required time to because of software complexity back on ubuntu.

@flokli
Contributor

flokli commented Nov 30, 2018

@teto what's your opinion on the missing nginx group issue in case nginx is not enabled?

While looking at roundcube, we just went with enabling nginx as soon as the roundcube module is enabled, i think this can (and should) be done here too.

@teto
Member Author

teto commented Dec 3, 2018

@flokli no strong opinion there. Having it work by default is an improvement, but what if you disable nginx (a corner case, I admit)? You will end up with the same error.

@flokli
Contributor

flokli commented Jan 3, 2019

@teto you won't easily be able to disable nginx, as it'll be enabled by the nextcloud module automatically.

@fpletz fpletz added this to the 19.03 milestone Feb 12, 2019
@fpletz fpletz added the 0.kind: bug Something is broken label Feb 12, 2019
@teto teto modified the milestones: 19.03, 19.09 May 14, 2019
@flokli
Contributor

flokli commented Aug 17, 2019

cc @adisbladis

@flokli
Contributor

flokli commented Apr 4, 2020

@Ma27 @aanderse what do you think about this one?

@Ma27
Member

Ma27 commented Apr 4, 2020

you won't easily be able to disable nginx, as it'll be enabled by the nextcloud module automatically.

That's not right AFAICS. You can declare services.nextcloud.nginx.enable = false.

So, as far as I understand, this issue is about the case where nextcloud is enabled, but nginx is disabled (and therefore phpfpm tries to use the non-existing nginx group), right?

In that case we could make nextcloud's group configurable (and set nginx as default) and throw an eval-error if services.nginx is disabled and no alternative value is declared, right? But @aanderse is IMHO more experienced with phpfpm and probably has a better idea :)
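An added sketch of the configurable-group-plus-eval-time-assertion approach described in this comment and in flokli's Nov 3 comment; it is illustration, not the nixpkgs module's own code. The option name services.nextcloud.group and the php-fpm pool attribute names used here are assumptions.

```nix
# Illustrative NixOS module fragment (not nixpkgs code).
# services.nextcloud.group is an assumed option name.
{ config, lib, ... }:
let
  cfg = config.services.nextcloud;
in
{
  options.services.nextcloud.group = lib.mkOption {
    type = lib.types.str;
    default = "nginx";
    description = ''
      Group the nextcloud php-fpm pool runs as and that owns its listen
      socket. Defaults to nginx; change it when nginx is not the web server.
    '';
  };

  config = lib.mkIf cfg.enable {
    # Fail at `nixos-rebuild` evaluation instead of at service start, where the
    # only symptom is "cannot get gid for group 'nginx'" in the journal.
    assertions = [
      {
        assertion = cfg.group != "nginx" || config.services.nginx.enable;
        message = ''
          services.nextcloud.group is "nginx" but services.nginx is not
          enabled, so the group would not exist and php-fpm would fail to
          start. Enable nginx or set services.nextcloud.group to a group
          that exists on the system.
        '';
      }
    ];

    # Pool definition; attribute names assumed to match the phpfpm module.
    services.phpfpm.pools.nextcloud = {
      user = "nextcloud";
      group = cfg.group;
      settings = {
        "listen.owner" = cfg.group;
        "listen.group" = cfg.group;
      };
    };
  };
}
```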

@aanderse
Member

aanderse commented Apr 4, 2020

We still don't have a good answer to running php web applications in a more generalized fashion (i.e. web-server agnostic, or at least supporting multiple web servers), so I would suggest at this point that if we can't fully support it, we don't support it at all. If someone wants to write a httpd (or whatever) endpoint for nextcloud then we can add and support that, but as it stands there isn't much of a point to do this... is there?

@flokli
Contributor

flokli commented Jun 6, 2020

The universal web service idea is tracked in #22067, I think we should move the discussion around that into this.

As nextcloud currently doesn't really work without nginx, we should probably just flip the default of services.nextcloud.nginx.enable to true, and update the option description to say it's currently not really possible to do it differently, so people will know they might run into problems when still disabling it. WDYT?
