Nextcloud: add openFirewall setting

[teto]

Motivation for this change

adding openFirewall setting as is done for sshd so that the firewall ports get coupled with nextcloud (they get removed along with nextcloud => more secure).
#48881

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Fits CONTRIBUTING.md.

---

[GrahamcOfBorg]

Success on aarch64-linux (full log)

Attempted: nextcloud

Partial log (click to expand)

these paths will be fetched (39.44 MiB download, 164.62 MiB unpacked):
  /nix/store/a5n80ax9jwrzqm7snlmrdiib6h6z2wwg-nextcloud-14.0.3
copying path '/nix/store/a5n80ax9jwrzqm7snlmrdiib6h6z2wwg-nextcloud-14.0.3' from 'https://cache.nixos.org'...
/nix/store/a5n80ax9jwrzqm7snlmrdiib6h6z2wwg-nextcloud-14.0.3

[GrahamcOfBorg]

Success on x86_64-linux (full log)

Attempted: nextcloud

Partial log (click to expand)

these paths will be fetched (39.44 MiB download, 164.62 MiB unpacked):
  /nix/store/q437s4v9456ppvfyq8wndp5c6rdq563g-nextcloud-14.0.3
copying path '/nix/store/q437s4v9456ppvfyq8wndp5c6rdq563g-nextcloud-14.0.3' from 'https://cache.nixos.org'...
/nix/store/q437s4v9456ppvfyq8wndp5c6rdq563g-nextcloud-14.0.3

[Ekleog]

There appear to be two schools regarding addition of settings like openFirewall.

Basically, the drawback such options have is that they slow down all evaluations, even if the module is never used. Ideally this wouldn't be the case and such options could be accepted without thinking twice about it, but… It may be a better idea to just document the required allowedTCPPorts in services.nextcloud.enable.

[Ekleog]

I'm pretty sure we don't want openFirewall to default to true: sshd is the exception to the rule, and while it could make sense to provide the openFirewall option, having it defaulting to opening the firewall would be unexpected and potentially a source of security issues (because people wouldn't expect their nextcloud to be opened to the whole internet).

[teto]

Oh my bad I definitely wanted to set it to false but forgot.

[Ekleog]

I think this may be better placed in services.nginx, as it would open the firewall for all of nginx, and not only for opensmtpd.

[teto]

IMO it would make sense th have the setting for both modules (with nextcloud passing it to nginx if nginx is enabled). Now if that slows evaluation, that looks bad xD

[teto]

Basically, the drawback such options have is that they slow down all evaluations, even if the module is never used

Is there any documentation so that I can better understand the problem ? I had hoped that lazy evaluation would get rid of these. Is there any hope for the situation to change, for instance with a new nix module format like the one presented at nixcon ? Hypothetically, assuming this is not a problem, coupling the firewall configuration with the module enabling seems fitting to the nix philosophy (since the firewall can be seen as a dependency).

[Ekleog]

There are ways towards not evaluating all modules all the time that are in discussion, eg. NixOS/rfcs#22 … hopefully, some day :)

[fpletz]

Sorry, but I don't think this approach is useful. Enabling the nextcloud module does not produce a listening TCP socket by default at all. Even if php-fpm would be configure to open a TCP socket, you would talk FastCGI to it so the HTTP ports don't make any sense in this module. You would put an HTTP server like nginx in front of it which would serve the HTTP ports 80 and 443 and that service should rather have the option to open the firewall than the nextcloud module.