nextcloud: restrict web server support to nginx; stop sharing nginx user/group; improve setup service

[DavHau]

Things done

(This description is heavily outdated. Plans changed a lot due to the discussions. See below)

• user and group used by all nextcloud related services are now unified and configurable. If nginx is enabled, the group will be forced to nginx and an error is raised if group is set manually.
• nginx is enabled by default now. (In favor of having a working default configuration)
• phpfpm also uses configured nextcloud user + group
• In the setup service instead of mkdir + chown now install is used to setup the directories.
  This has the disadvantage that the group of nextcloud cannot be changed anymore on an existing installation without having to fix the ownership of files manually. But it think chowning all files on every single startup is bad since it's a very intense operation and can take very long depending on the amount of files stored. Also the chown operation itself might not be allowed depending on the filesystem. I for example use a sshfs mount for my nextcloud files where this fails

fixes #69261
fixes #48881

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[aanderse]

Here are some initial thoughts I had which might be a starting point for further discussion.

[aanderse]

Another possibility here would be to keep running nextcloud services (including php-fpm) as a non web server user (like the current nextcloud user) and instead add the nextcloud group to your web servers extraGroups option, like so:

mkIf cfg.nginx.enable {
  users.users.nginx.extraGroups = [ cfg.group ]; # in other words "nextcloud"
}

The reason for this is that the nginx user (and group) likely has access to very sensitive files, such as certificates. If nginx can read nextcloud files (which you want) that is much less of a risk than having nextcloud able to read nginx files - a serious security concern. This obviously requires that your nextcloud files are g+r.

[DavHau]

Sounds like a good idea. The files created by nextcloud seem to be g+r, so this shouldn't be an issue.

[DavHau]

I wonder how to best change the user/group of nextcloud without breaking existing installations. It would require a one time service run as root which changes the ownership. And I would need to have some state file to save that this setup has been completed.
Alternatively I could leave the default user.group to be nginx if system.stateVersion <= 20.03, but i don't really like that approach.

[DavHau]

Forget about it. Since it looks like the user will still be nextcloud, only the group needs to be changed from nginx to nextcloud which is easy to do in the current setup. Also no state needs to be stored.

[Ma27]

Did anyone of you test what happens when deploying this configuration to an existing Nextcloud instance? Also, what's supposed to happen if cfg.user changes (or someone switches e.g. from nginx to httpd?).

[DavHau]

please check 6ee3004.

• removed optons cfg.user, cfg.groups
• add option serverUser which is required when not using nginx
• add serverUser to nextcloud group
• set user/group to "nextcloud" for nextcloud services
• make setup-service non-root

Did not yet implement a solution for fixing group ownership of files for existing installations. Your suggestions are welcome.

[aanderse]

@DavHau for context how are you trying to run nextcloud? caddy?

[DavHau]

Sorry my description of what I changed was not very precise.

All nextcloud services now use the user and group "nextcloud" (hard-coded). The web server user must therefore be part of the the nextcloud group.

The webserver user can be configured via cfg.serverUser.
This user will be automatically added to the nextcloud group and it will be used for listen.owner of phpfpm. Also its group will automatically be used for listen.group

cfg.serverUserdefaults to the nginx user if nginx is enabled. Otherwise it must be specified manually.

An example configuration using nginx would be:
(if nothing specified nginx will be enabled and its user added to the nextcloud group)

{ pkgs, ... }:
{
  networking.firewall.allowedTCPPorts = [80];
  services.nextcloud = {
    enable = true;
    hostName = "10.233.1.2";
    config.adminpass = "test";
    package = pkgs.nextcloud19;
  };
}

A configuration for an alternative webserver could look like this:

{ pkgs, ... }:
{
  networking.firewall.allowedTCPPorts = [80];
  services.nextcloud = {
    enable = true;
    hostName = "10.233.1.2";
    config.adminpass = "test";
    package = pkgs.nextcloud19;
    
    # disable nginx and set serverUser
    nginx.enable = false;
    serverUser = "caddy";

    # caddy config
    ...
  };
}

[aanderse]

@DavHau by having a configurable web server user in this module it seems we're just circling back around to #93070.

@Ma27 I suggest we remove the nginx.enable option entirely and just take it as a given: this module is for nginx only.

[DavHau]

• removed option nextcloud.nginx.enable. Nginx is now the only supported web server.
• modified nextcloud-setup service to fix group ownership of nextcloud files if they don't match.
  All installations prior to this PR will be fixed by this. (changed from nginx -> nextcloud).

[aanderse]

Looking good 👍

[Ma27]

The implementation seems fine: nginx is in most of the services in our tree that serve HTTP the default choice and now it's possible here to opt-out by disabling it.
Also did a brief test of the altered functionality and it appears fine to me.

However there are a few things I'd like to get resolved before merging this:

• We should mention this in our release-notes. When having a big library in your nextcloud, the chown will take some time, so admins should be aware of this before deploying the new config.

• Removed options must be documented with mkRemovedOptionModule.

• The nextcloud-specific tests don't evaluate because of the removed nginx.enable option.

[DavHau]

Things done:

• deprecated services.nextcloud.nginx.enable option via mkRemovedOptionModule
• replaced chown with chgrp
• fixed tests by removing use of option services.nextcloud.nginx.enable
• use mkDefault for services.nginx.enable

We should mention this in our release-notes. When having a big library in your nextcloud, the chown will take some time, so admins should be aware of this before deploying the new config.

I don't think this will be necessary. Up until this point the setup service always did a chown an all nextcloud files on each startup. Therefore the new implementation doesn't bring any performance drawbacks compared to the old one.

[aanderse]

In general, LGTM 👍 I have not tested and don't use this module, though, so need someone like @Ma27 to approve as well.

[Ma27]

LGTM 👍

• Did anyone test this with live data yet? I just checked whether the "migration" to the new config works fine in a temporary VM network.
• We should mention this in the release notes. The rollout of the new config can take quite long due to the recursive chgrp.

[ajs124]

This broke then manual: log. Plz fix, kthxbye. Or wait for a 10-12h, then I'll probably get around to it myself.

[aszlig]

@ajs124: Fixed in 1365b9a.

[DavHau]

Thanks @ajs124 .
@Ma27 I thought we still wanted to improve the phrase The nextcloud module dropped support for other webservers than nginx..
But now the PR has already been merged. Should I make another commit ontop of this PR and repopen it?

[Ma27]

@aszlig @ajs124 sorry for that!
@DavHau yeah feel free to do that :) Otherwise I'll take care of this next week.

[Ma27]

Just for the record, this PR caused another regression in #95259 which got fixed in fddeb7c.

I'm fully aware that I merged this too early which is why I want to openly apologize to everyone who went into trouble because of the (now fixed) regressions I caused with the merge!

[GaetanLepage]

Hello,

I have read the manual on how to use a different webserver for nextcloud.
However, I don't really get why, to prevent nginx being configured for nextcloud, it is now necessary to completely disable nginx.
What if, I want to have the nginx service enabled for something else while still wanting to use, let's say httpd, as the web server for nextcloud ?

Thank you in advance for the clarification :)