nixos/nextcloud: minor docs cleanup for openssl change

* s/NextCloud/Nextcloud/g * `enableBrokenCiphersForSSE` should be enabled by default for any NixOS installation from before 22.11 to make sure existing installations don't run into the issue. Not the other way round. * Update release notes to reflect on that. * Improve wording of the warning a bit: explain which option to change to get rid of it. * Ensure that basic tests w/o `enableBrokenCiphersForSSE` run with OpenSSL 3.
2022-11-08 22:52:27 +01:00 · 2022-11-08 22:52:27 +01:00 · 61128cba67
parent 394d4de877
commit 61128cba67
4 changed files with 43 additions and 29 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -609,18 +609,20 @@
      </listitem>
      <listitem>
        <para>
-          The NextCloud NixOS module uses OpenSSL 3.x for its PHP’s
-          openssl extension, this breaks RC4-based server-side
-          encryption in NextCloud, making all your files unreadable upon
-          upgrade. Upon testing, we could not trigger any cases of
-          <emphasis role="strong">data loss</emphasis>, but we
-          <emphasis role="strong">cannot guarantee</emphasis> that for
-          every accidental OpenSSL upgrade. To restore functionality,
-          <link linkend="opt-services.nextcloud.enableBrokenCiphersForSSE"><literal>services.nextcloud.enableBrokenCiphersForSSE</literal></link>
-          has to be set to <literal>true</literal>. NextCloud is
-          planning to implement AES-256-GCM server-side encryption in
-          the future through
-          <link xlink:href="https://github.com/nextcloud/server/pull/25551">https://github.com/nextcloud/server/pull/25551</link>.
+          The <literal>openssl</literal>-extension for the PHP
+          interpreter used by <literal>services.nextcloud</literal> is
+          built against OpenSSL 1.1 if
+          <xref linkend="opt-system.stateVersion" /> is below
+          <literal>22.11</literal>. This is to make sure that people
+          using
+          <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side
+          encryption</link> don’t loose access to their files.
+        </para>
+        <para>
+          In any other case it’s safe to use OpenSSL 3 for PHP’s openssl
+          extension. This can be done by setting
+          <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />
+          to <literal>false</literal>.
        </para>
      </listitem>
      <listitem>
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -196,7 +196,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).

 - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.

- The NextCloud NixOS module uses OpenSSL 3.x for its PHP's openssl extension, this breaks RC4-based server-side encryption in NextCloud, making all your files unreadable upon upgrade. Upon testing, we could not trigger any cases of **data loss**, but we **cannot guarantee** that for every accidental OpenSSL upgrade. To restore functionality, [`services.nextcloud.enableBrokenCiphersForSSE`](#opt-services.nextcloud.enableBrokenCiphersForSSE) has to be set to `true`. NextCloud is planning to implement AES-256-GCM server-side encryption in the future through <https://github.com/nextcloud/server/pull/25551>.
+- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if
+  [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
+  don't loose access to their files.
+
+  In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting
+  [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.

 - The `coq` package and versioned variants starting at `coq_8_14` no
  longer include CoqIDE, which is now available through
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -15,7 +15,7 @@ let
      (with all;
        # disable default openssl extension
        (lib.filter (e: e.pname != "openssl") enabled)
-        # use OpenSSL 1.1 for RC4 NextCloud encryption if user
+        # use OpenSSL 1.1 for RC4 Nextcloud encryption if user
        # has acknowledged the brokeness of the ciphers (RC4).
        # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.
        ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ])
@ -88,32 +88,32 @@ in {

    enableBrokenCiphersForSSE = mkOption {
      type = types.bool;
-      # Workaround can be removed at backport-time for 22.11.
-      default = !(versionOlder stateVersion "22.11");
+      default = versionOlder stateVersion "22.11";
+      defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";
      description = lib.mdDoc ''
-        This option uses OpenSSL PHP extension linked against OpenSSL 1.x rather
+        This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather
        than latest OpenSSL (≥ 3), this is not recommended except if you need
        it.

-        Server-side encryption in NextCloud uses RC4 ciphers, a broken cipher
+        Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher
        since ~2004.

        This cipher has been disabled in OpenSSL ≥ 3 and requires
        a specific legacy profile to re-enable it.

-        If you upgrade to a NextCloud using OpenSSL ≥ 3 and have
+        If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have
        server-side encryption configured, you will not be able to access
-        your files anymore, enabling this option can restore access to your files.
+        your files anymore. Enabling this option can restore access to your files.
+        Upon testing we didn't encounter any data corruption when turning
+        this on and off again, but this cannot be guaranteed for
+        each Nextcloud installation.

        Unless you are using external storage,
        it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear
        it provides any amount of security beyond encryption for external storage.
-        If you know more about this feature and is keen on it,
-        please chime in <https://github.com/NixOS/nixpkgs/pull/198470> or open
-        an issue in nixpkgs.

-        In the future, NextCloud may move to AES-256-GCM, by then,
-        this option will be deprecated.
+        In the future, Nextcloud may move to AES-256-GCM, by then,
+        this option will be removed.
      '';
    };
    hostName = mkOption {
@ -686,12 +686,17 @@ in {
        ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05"))
        ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11"))
        ++ (optional cfg.enableBrokenCiphersForSSE ''
-          You're using PHP's openssl extension built against OpenSSL 1.1.
-          This is only necessary if you're using NextCloud's server-side encryption.
+          You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud.
+          This is only necessary if you're using Nextcloud's server-side encryption.
          Please keep in mind that it's using the broken RC4 cipher.

-          In order to disable this option and remove this warning,
-          server-side encryption has to be disabled, see <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.
+          If you don't use that feature, you can switch to OpenSSL 3 by declaring
+
+            services.nextcloud.enableBrokenCiphersForSSE = false;
+
+          Otherwise you'd have to disable server-side encryption first in order
+          to be able to safely disable this option and get rid of that warning.
+          See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.

          For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470
        '')
--- a/nixos/tests/nextcloud/basic.nix
+++ b/nixos/tests/nextcloud/basic.nix
@ -37,6 +37,8 @@ in {
        "d /var/lib/nextcloud-data 0750 nextcloud nginx - -"
      ];

+      system.stateVersion = "22.11";
+
      services.nextcloud = {
        enable = true;
        datadir = "/var/lib/nextcloud-data";