nextcloud26: init at 26.0.0beta1
Because nextcloud ships their prerelease versions on a different url, we are not parsing the version string to detect which path to use. We also enabled and validated this change via nixos module testing.
This commit is contained in:
Colin Arnott
parent
6173948c03
commit
aefbc9623b
|
|
@ -26,4 +26,4 @@ foldl
|
|||
};
|
||||
})
|
||||
{ }
|
||||
[ 24 25 ]
|
||||
[ 24 25 26 ]
|
||||
|
|
|
|||
|
|
@ -2,17 +2,18 @@
|
|||
|
||||
let
|
||||
generic = {
|
||||
version, sha256,
|
||||
version, hash,
|
||||
eol ? false, extraVulnerabilities ? []
|
||||
}: let
|
||||
major = lib.versions.major version;
|
||||
prerelease = builtins.length (lib.versions.splitVersion version) > 3;
|
||||
in stdenv.mkDerivation rec {
|
||||
pname = "nextcloud";
|
||||
inherit version;
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://download.nextcloud.com/server/releases/${pname}-${version}.tar.bz2";
|
||||
inherit sha256;
|
||||
url = "https://download.nextcloud.com/server/${if prerelease then "prereleases" else "release"}/${pname}-${version}.tar.bz2";
|
||||
inherit hash;
|
||||
};
|
||||
|
||||
patches = [ (./patches + "/v${major}/0001-Setup-remove-custom-dbuser-creation-behavior.patch") ];
|
||||
|
|
@ -51,14 +52,19 @@ in {
|
|||
|
||||
nextcloud24 = generic {
|
||||
version = "24.0.9";
|
||||
sha256 = "580a3384c9c09aefb8e9b41553d21a6e20001799549dbd25b31dea211d97dd1e";
|
||||
hash = "sha256-WAozhMnAmu+46bQVU9IabiAAF5lUnb0lsx3qIR2X3R4=";
|
||||
};
|
||||
|
||||
nextcloud25 = generic {
|
||||
version = "25.0.3";
|
||||
sha256 = "4b2b1423736ef92469096fe24f61c24cad87a34e07c1c7a81b385d3ea25c00ec";
|
||||
hash = "sha256-SysUI3Nu+SRpCW/iT2HCTK2Ho04HwceoGzhdPqJcAOw=";
|
||||
};
|
||||
|
||||
# tip: get the sha with:
|
||||
# curl 'https://download.nextcloud.com/server/releases/nextcloud-${version}.tar.bz2.sha256'
|
||||
nextcloud26 = generic {
|
||||
version = "26.0.0beta1";
|
||||
hash = "sha256-EfSfn0KjQzciHa3VcrDhGC/aZUw/KDjihXs+qVIcYX0=";
|
||||
};
|
||||
|
||||
# tip: get hash with:
|
||||
# nix hash to-sri --type sha256 $(curl https://download.nextcloud.com/server/releases/nextcloud-${version}.tar.bz2.sha256 | cut -d' ' -f1)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,149 @@
|
|||
From fc3e14155b3c4300b691ab46579830e725457a54 Mon Sep 17 00:00:00 2001
|
||||
From: Maximilian Bosch <maximilian@mbosch.me>
|
||||
Date: Sat, 10 Sep 2022 15:18:05 +0200
|
||||
Subject: [PATCH] Setup: remove custom dbuser creation behavior
|
||||
|
||||
Both PostgreSQL and MySQL can be authenticated against from Nextcloud by
|
||||
supplying a database password. Now, during setup the following things
|
||||
happen:
|
||||
|
||||
* When using postgres and the db user has elevated permissions, a new
|
||||
unprivileged db user is created and the settings `dbuser`/`dbpass` are
|
||||
altered in `config.php`.
|
||||
|
||||
* When using MySQL, the password is **always** regenerated since
|
||||
24.0.5/23.0.9[1].
|
||||
|
||||
I consider both cases problematic: the reason why people do configuration
|
||||
management is to have it as single source of truth! So, IMHO any
|
||||
application that silently alters config and thus causes deployed
|
||||
nodes to diverge from the configuration is harmful for that.
|
||||
|
||||
I guess it was sheer luck that it worked for so long in NixOS because
|
||||
nobody has apparently used password authentication with a privileged
|
||||
user to operate Nextcloud (which is a good thing in fact).
|
||||
|
||||
[1] https://github.com/nextcloud/server/pull/33513
|
||||
---
|
||||
lib/private/Setup/MySQL.php | 53 --------------------------------
|
||||
lib/private/Setup/PostgreSQL.php | 37 ----------------------
|
||||
2 files changed, 90 deletions(-)
|
||||
|
||||
diff --git a/lib/private/Setup/MySQL.php b/lib/private/Setup/MySQL.php
|
||||
index e3004c269bc..bc958e84e44 100644
|
||||
--- a/lib/private/Setup/MySQL.php
|
||||
+++ b/lib/private/Setup/MySQL.php
|
||||
@@ -141,62 +141,6 @@
|
||||
$rootUser = $this->dbUser;
|
||||
$rootPassword = $this->dbPassword;
|
||||
|
||||
- //create a random password so we don't need to store the admin password in the config file
|
||||
- $saveSymbols = str_replace(['\"', '\\', '\'', '`'], '', ISecureRandom::CHAR_SYMBOLS);
|
||||
- $password = $this->random->generate(22, ISecureRandom::CHAR_ALPHANUMERIC . $saveSymbols)
|
||||
- . $this->random->generate(2, ISecureRandom::CHAR_UPPER)
|
||||
- . $this->random->generate(2, ISecureRandom::CHAR_LOWER)
|
||||
- . $this->random->generate(2, ISecureRandom::CHAR_DIGITS)
|
||||
- . $this->random->generate(2, $saveSymbols)
|
||||
- ;
|
||||
- $this->dbPassword = str_shuffle($password);
|
||||
-
|
||||
- try {
|
||||
- //user already specified in config
|
||||
- $oldUser = $this->config->getValue('dbuser', false);
|
||||
-
|
||||
- //we don't have a dbuser specified in config
|
||||
- if ($this->dbUser !== $oldUser) {
|
||||
- //add prefix to the admin username to prevent collisions
|
||||
- $adminUser = substr('oc_' . $username, 0, 16);
|
||||
-
|
||||
- $i = 1;
|
||||
- while (true) {
|
||||
- //this should be enough to check for admin rights in mysql
|
||||
- $query = 'SELECT user FROM mysql.user WHERE user=?';
|
||||
- $result = $connection->executeQuery($query, [$adminUser]);
|
||||
-
|
||||
- //current dbuser has admin rights
|
||||
- $data = $result->fetchAll();
|
||||
- $result->closeCursor();
|
||||
- //new dbuser does not exist
|
||||
- if (count($data) === 0) {
|
||||
- //use the admin login data for the new database user
|
||||
- $this->dbUser = $adminUser;
|
||||
- $this->createDBUser($connection);
|
||||
-
|
||||
- break;
|
||||
- } else {
|
||||
- //repeat with different username
|
||||
- $length = strlen((string)$i);
|
||||
- $adminUser = substr('oc_' . $username, 0, 16 - $length) . $i;
|
||||
- $i++;
|
||||
- }
|
||||
- }
|
||||
- } else {
|
||||
- // Reuse existing password if a database config is already present
|
||||
- $this->dbPassword = $rootPassword;
|
||||
- }
|
||||
- } catch (\Exception $ex) {
|
||||
- $this->logger->info('Can not create a new MySQL user, will continue with the provided user.', [
|
||||
- 'exception' => $ex,
|
||||
- 'app' => 'mysql.setup',
|
||||
- ]);
|
||||
- // Restore the original credentials
|
||||
- $this->dbUser = $rootUser;
|
||||
- $this->dbPassword = $rootPassword;
|
||||
- }
|
||||
-
|
||||
$this->config->setValues([
|
||||
'dbuser' => $this->dbUser,
|
||||
'dbpassword' => $this->dbPassword,
|
||||
diff --git a/lib/private/Setup/PostgreSQL.php b/lib/private/Setup/PostgreSQL.php
|
||||
index af816c7ad04..e49e5508e15 100644
|
||||
--- a/lib/private/Setup/PostgreSQL.php
|
||||
+++ b/lib/private/Setup/PostgreSQL.php
|
||||
@@ -45,43 +45,6 @@ class PostgreSQL extends AbstractDatabase {
|
||||
$connection = $this->connect([
|
||||
'dbname' => 'postgres'
|
||||
]);
|
||||
- //check for roles creation rights in postgresql
|
||||
- $builder = $connection->getQueryBuilder();
|
||||
- $builder->automaticTablePrefix(false);
|
||||
- $query = $builder
|
||||
- ->select('rolname')
|
||||
- ->from('pg_roles')
|
||||
- ->where($builder->expr()->eq('rolcreaterole', new Literal('TRUE')))
|
||||
- ->andWhere($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));
|
||||
-
|
||||
- try {
|
||||
- $result = $query->execute();
|
||||
- $canCreateRoles = $result->rowCount() > 0;
|
||||
- } catch (DatabaseException $e) {
|
||||
- $canCreateRoles = false;
|
||||
- }
|
||||
-
|
||||
- if ($canCreateRoles) {
|
||||
- $connectionMainDatabase = $this->connect();
|
||||
- //use the admin login data for the new database user
|
||||
-
|
||||
- //add prefix to the postgresql user name to prevent collisions
|
||||
- $this->dbUser = 'oc_' . strtolower($username);
|
||||
- //create a new password so we don't need to store the admin config in the config file
|
||||
- $this->dbPassword = \OC::$server->getSecureRandom()->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);
|
||||
-
|
||||
- $this->createDBUser($connection);
|
||||
-
|
||||
- // Go to the main database and grant create on the public schema
|
||||
- // The code below is implemented to make installing possible with PostgreSQL version 15:
|
||||
- // https://www.postgresql.org/docs/release/15.0/
|
||||
- // From the release notes: For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases
|
||||
- // Therefore we assume that the database is only used by one user/service which is Nextcloud
|
||||
- // Additional services should get installed in a separate database in order to stay secure
|
||||
- // Also see https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
|
||||
- $connectionMainDatabase->executeQuery('GRANT CREATE ON SCHEMA public TO ' . addslashes($this->dbUser));
|
||||
- $connectionMainDatabase->close();
|
||||
- }
|
||||
|
||||
$this->config->setValues([
|
||||
'dbuser' => $this->dbUser,
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -9960,7 +9960,7 @@ with pkgs;
|
|||
grocy = callPackage ../servers/grocy { };
|
||||
|
||||
inherit (callPackage ../servers/nextcloud {})
|
||||
nextcloud23 nextcloud24 nextcloud25;
|
||||
nextcloud23 nextcloud24 nextcloud25 nextcloud26;
|
||||
|
||||
nextcloud23Packages = ( callPackage ../servers/nextcloud/packages {
|
||||
apps = lib.importJSON ../servers/nextcloud/packages/23.json;
|
||||
|
|
|
|||
Loading…
Reference in a new issue