mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 23:13:19 +00:00
nixos/nextcloud: fixup openssl compat change
Upon testing the change itself I realized that it doesn't build properly because

* the `pname` of a php extension is `php-<name>`, not `<name>`.
* calling the extension `openssl-legacy` resulted in PHP trying to compile `ext/openssl-legacy` which broke since it doesn't exist:

      source root is php-8.1.12
      setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c
      patching sources
      cdToExtensionRootPhase
      /nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory

I didn't encounter that one before because I was mostly interested in having a sane behavior for everyone not using this "feature" and the documentation around this. My findings about the behavior with turning openssl1.1 on/off are still valid because I tested this on `master` with manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`.

To work around the issue I had to slightly modify the extension build-system for PHP:

* The attribute `extensionName` is now relevant to determine the output paths (e.g. `lib/openssl.so`). This is not a behavioral change for existing extensions because then `extensionName==name`.

  However when specifying `extName` in `php-packages.nix` this value is overridden and it is made sure that the extension called `extName` NOT `name` (i.e. `openssl` vs `openssl-legacy`) is built and installed.

  The `name` still has to be kept to keep the legacy openssl available as `php.extensions.openssl-legacy`.

Additionally I implemented a small VM test to check the behavior with server-side encryption:

* For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix` it's checked that OpenSSL 3 is used). With that the "default" behavior of the module is checked.
* It is ensured that the PHP interpreter for Nextcloud's php-fpm actually loads the correct openssl extension.
* It is tested that (encrypted) files remain usable when (temporarily) installing OpenSSL3 (of course then they're not decryptable, but on a rollback that should still be possible).

Finally, a few more documentation changes:

* I also mentioned the issue in `nextcloud.xml` to make sure the issue is at least mentioned in the manual section about Nextcloud. Not too much detail here, but the relevant option `enableBrokenCiphersForSSE` is referenced.
* I fixed a few minor wording issues to also give the full context (we're talking about Nextcloud; we're talking about the PHP extension **only**; please check if you really need this even though it's enabled by default).

  This is because I felt that sometimes it might be hard to understand what's going on when e.g. an eval-warning appears without telling where exactly it comes from.
parent 61128cba67
commit 35b146ca31
@ -610,8 +610,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The <literal>openssl</literal>-extension for the PHP
|
The <literal>openssl</literal>-extension for the PHP
|
||||||
interpreter used by <literal>services.nextcloud</literal> is
|
interpreter used by Nextcloud is built against OpenSSL 1.1 if
|
||||||
built against OpenSSL 1.1 if
|
|
||||||
<xref linkend="opt-system.stateVersion" /> is below
|
<xref linkend="opt-system.stateVersion" /> is below
|
||||||
<literal>22.11</literal>. This is to make sure that people
|
<literal>22.11</literal>. This is to make sure that people
|
||||||
using
|
using
|
||||||
|
@ -196,7 +196,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
|||||||
|
|
||||||
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.
|
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.
|
||||||
|
|
||||||
- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if
|
- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
|
||||||
[](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
|
[](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
|
||||||
don't loose access to their files.
|
don't loose access to their files.
|
||||||
|
|
||||||
|
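Review bot: The release-note sentence reworded here still ends with "don't loose access to their files" on its last line; "loose" should be "lose". Since the entry is being edited in this commit anyway, fix the spelling in the same change so the rendered release notes do not carry the typo.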
@ -14,7 +14,7 @@ let
|
|||||||
extensions = { enabled, all }:
|
extensions = { enabled, all }:
|
||||||
(with all;
|
(with all;
|
||||||
# disable default openssl extension
|
# disable default openssl extension
|
||||||
(lib.filter (e: e.pname != "openssl") enabled)
|
(lib.filter (e: e.pname != "php-openssl") enabled)
|
||||||
# use OpenSSL 1.1 for RC4 Nextcloud encryption if user
|
# use OpenSSL 1.1 for RC4 Nextcloud encryption if user
|
||||||
# has acknowledged the brokeness of the ciphers (RC4).
|
# has acknowledged the brokeness of the ciphers (RC4).
|
||||||
# TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.
|
# TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed.
|
||||||
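Review bot: The filter `e.pname != "php-openssl"` silently depends on the `php-` prefix that mkExtension prepends to `name`, and the old comparison against `"openssl"` matched nothing for exactly that reason without any evaluation error. Add a short comment next to the filter pointing at `pname = "php-${name}"` in the extension builder, so a later change to the naming scheme does not turn this back into a no-op that leaves the OpenSSL 3 build of the extension enabled next to the legacy one.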
@ -91,26 +91,29 @@ in {
|
|||||||
default = versionOlder stateVersion "22.11";
|
default = versionOlder stateVersion "22.11";
|
||||||
defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";
|
defaultText = literalExpression "versionOlder system.stateVersion \"22.11\"";
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather
|
This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1
|
||||||
than latest OpenSSL (≥ 3), this is not recommended except if you need
|
rather than latest OpenSSL (≥ 3), this is not recommended unless you need
|
||||||
it.
|
it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is
|
||||||
|
considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465).
|
||||||
Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher
|
|
||||||
since ~2004.
|
|
||||||
|
|
||||||
This cipher has been disabled in OpenSSL ≥ 3 and requires
|
This cipher has been disabled in OpenSSL ≥ 3 and requires
|
||||||
a specific legacy profile to re-enable it.
|
a specific legacy profile to re-enable it.
|
||||||
|
|
||||||
If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have
|
If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have
|
||||||
server-side encryption configured, you will not be able to access
|
server-side encryption configured, you will not be able to access
|
||||||
your files anymore. Enabling this option can restore access to your files.
|
your files anymore. Enabling this option can restore access to your files.
|
||||||
Upon testing we didn't encounter any data corruption when turning
|
Upon testing we didn't encounter any data corruption when turning
|
||||||
this on and off again, but this cannot be guaranteed for
|
this on and off again, but this cannot be guaranteed for
|
||||||
each Nextcloud installation.
|
each Nextcloud installation.
|
||||||
|
|
||||||
Unless you are using external storage,
|
It is `true` by default for systems with a [](#opt-system.stateVersion) below
|
||||||
it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear
|
`22.11` to make sure that existing installations won't break on update. On newer
|
||||||
it provides any amount of security beyond encryption for external storage.
|
NixOS systems you have to explicitly enable it on your own.
|
||||||
|
|
||||||
|
Please note that this only provides additional value when using
|
||||||
|
external storage such as S3 since it's not an end-to-end encryption.
|
||||||
|
If this is not the case,
|
||||||
|
it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`.
|
||||||
|
|
||||||
In the future, Nextcloud may move to AES-256-GCM, by then,
|
In the future, Nextcloud may move to AES-256-GCM, by then,
|
||||||
this option will be removed.
|
this option will be removed.
|
||||||
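Review bot: The first paragraph of the new description has two wording problems that end up in the rendered options manual: "rather than latest OpenSSL (≥ 3), this is not recommended unless you need it" joins two sentences with a comma, and "which is considered broken for several years now" should read "which has been considered broken for several years". Split the sentence after "(≥ 3)" and fix the tense. It would also help to say that the linked RFC 7465 prohibits RC4 in TLS, so readers understand it is cited as evidence of the cipher's status and not as a statement about Nextcloud's file format.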
@ -690,12 +693,14 @@ in {
|
|||||||
This is only necessary if you're using Nextcloud's server-side encryption.
|
This is only necessary if you're using Nextcloud's server-side encryption.
|
||||||
Please keep in mind that it's using the broken RC4 cipher.
|
Please keep in mind that it's using the broken RC4 cipher.
|
||||||
|
|
||||||
If you don't use that feature, you can switch to OpenSSL 3 by declaring
|
If you don't use that feature, you can switch to OpenSSL 3 and get
|
||||||
|
rid of this warning by declaring
|
||||||
|
|
||||||
services.nextcloud.enableBrokenCiphersForSSE = false;
|
services.nextcloud.enableBrokenCiphersForSSE = false;
|
||||||
|
|
||||||
|
If you need to use server-side encryption you can ignore this waring.
|
||||||
Otherwise you'd have to disable server-side encryption first in order
|
Otherwise you'd have to disable server-side encryption first in order
|
||||||
to be able to safely disable this option and get rid of that warning.
|
to be able to safely disable this option and get rid of this warning.
|
||||||
See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.
|
See <https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption> on how to achieve this.
|
||||||
|
|
||||||
For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470
|
For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470
|
||||||
|
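Review bot: The added line "If you need to use server-side encryption you can ignore this waring." has a typo, "waring" should be "warning". This string is printed as an evaluation warning to every user with the option enabled, so it is worth fixing before merge.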
@ -170,6 +170,20 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<formalpara>
|
||||||
|
<title>Server-side encryption</title>
|
||||||
|
<para>
|
||||||
|
Nextcloud supports <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side encryption (SSE)</link>.
|
||||||
|
This is not an end-to-end encryption, but can be used to encrypt files that will be persisted
|
||||||
|
to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3
|
||||||
|
for PHP's openssl extension because this is implemented using the legacy cipher RC4.
|
||||||
|
If <xref linkend="opt-system.stateVersion" /> is <emphasis>above</emphasis> <literal>22.05</literal>,
|
||||||
|
this is disabled by default. To turn it on again and for further information please refer to
|
||||||
|
<xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />.
|
||||||
|
</para>
|
||||||
|
</formalpara>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
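Review bot: The new manual paragraph states the threshold as "If stateVersion is above 22.05", while the option description and the release notes in this same commit state it as "below 22.11", matching `versionOlder stateVersion "22.11"`. Please phrase it the same way here, for example "If stateVersion is at least 22.11, this is disabled by default", so a reader comparing the manual section with the option documentation does not have to work out whether the two conditions are equivalent.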
@ -37,13 +37,12 @@ in {
|
|||||||
"d /var/lib/nextcloud-data 0750 nextcloud nginx - -"
|
"d /var/lib/nextcloud-data 0750 nextcloud nginx - -"
|
||||||
];
|
];
|
||||||
|
|
||||||
system.stateVersion = "22.11";
|
system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
datadir = "/var/lib/nextcloud-data";
|
datadir = "/var/lib/nextcloud-data";
|
||||||
hostName = "nextcloud";
|
hostName = "nextcloud";
|
||||||
enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false;
|
|
||||||
config = {
|
config = {
|
||||||
# Don't inherit adminuser since "root" is supposed to be the default
|
# Don't inherit adminuser since "root" is supposed to be the default
|
||||||
adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home!
|
adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home!
|
||||||
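Review bot: The comment added to `system.stateVersion = "22.11";` says "stateVersion >=21.11", but the module switches on `versionOlder stateVersion "22.11"`, so the comment should read ">=22.11". As written it suggests that a 21.11 or 22.05 system would also get OpenSSL 3, which is the opposite of what the option default does. With `enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false;` removed, this stateVersion is now the only thing selecting OpenSSL 3 in the test, so the comment matters.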
@ -102,6 +101,10 @@ in {
|
|||||||
# This is just to ensure the nextcloud-occ program is working
|
# This is just to ensure the nextcloud-occ program is working
|
||||||
nextcloud.succeed("nextcloud-occ status")
|
nextcloud.succeed("nextcloud-occ status")
|
||||||
nextcloud.succeed("curl -sSf http://nextcloud/login")
|
nextcloud.succeed("curl -sSf http://nextcloud/login")
|
||||||
|
# Ensure that no OpenSSL 1.1 is used.
|
||||||
|
nextcloud.succeed(
|
||||||
|
"${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1"
|
||||||
|
)
|
||||||
nextcloud.succeed(
|
nextcloud.succeed(
|
||||||
"${withRcloneEnv} ${copySharedFile}"
|
"${withRcloneEnv} ${copySharedFile}"
|
||||||
)
|
)
|
||||||
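Review bot: The final `grep -v 1.1` in the added version check uses an unanchored pattern with an unescaped dot, so it rejects any version string containing "1", any character, "1" and would fail the test on a hypothetical OpenSSL 3.1.1 just as it does on 1.1.1. Anchor and escape it, for example `grep -vE '^1\.1\.'`, or assert the positive case with `grep -E '^3\.'`, which also states the intent of the comment "Ensure that no OpenSSL 1.1 is used" more directly.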
@ -111,5 +114,6 @@ in {
|
|||||||
"${withRcloneEnv} ${diffSharedFile}"
|
"${withRcloneEnv} ${diffSharedFile}"
|
||||||
)
|
)
|
||||||
assert "hi" in client.succeed("cat /mnt/dav/test-shared-file")
|
assert "hi" in client.succeed("cat /mnt/dav/test-shared-file")
|
||||||
|
nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file")
|
||||||
'';
|
'';
|
||||||
})) args
|
})) args
|
||||||
|
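Review bot: The added `grep -vE '^HBEGIN:oc_encryption_module'` check does not prove the file is unencrypted, because `grep -v` exits 0 as soon as any single line of the file fails to match the pattern. A file that starts with the encryption header and contains at least one further line would still pass. Use `nextcloud.fail("grep -E '^HBEGIN:oc_encryption_module' ...")` on the same path instead, which fails the test whenever the header is present.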
@ -8,10 +8,9 @@ with pkgs.lib;
|
|||||||
foldl
|
foldl
|
||||||
(matrix: ver: matrix // {
|
(matrix: ver: matrix // {
|
||||||
"basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; };
|
"basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; };
|
||||||
"with-legacy-openssl${toString ver}" = import ./basic.nix {
|
"openssl-sse${toString ver}" = import ./openssl-sse.nix {
|
||||||
inherit system pkgs;
|
inherit system pkgs;
|
||||||
nextcloudVersion = ver;
|
nextcloudVersion = ver;
|
||||||
enableBrokenCiphersForSSE = true;
|
|
||||||
};
|
};
|
||||||
"with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix {
|
"with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix {
|
||||||
inherit system pkgs;
|
inherit system pkgs;
|
||||||
|
105
nixos/tests/nextcloud/openssl-sse.nix
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
args@{ pkgs, nextcloudVersion ? 25, ... }:
|
||||||
|
|
||||||
|
(import ../make-test-python.nix ({ pkgs, ...}: let
|
||||||
|
adminuser = "root";
|
||||||
|
adminpass = "notproduction";
|
||||||
|
nextcloudBase = {
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||||
|
system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default
|
||||||
|
services.nextcloud = {
|
||||||
|
enable = true;
|
||||||
|
config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}";
|
||||||
|
package = pkgs.${"nextcloud" + (toString nextcloudVersion)};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
name = "nextcloud-openssl";
|
||||||
|
meta = with pkgs.lib.maintainers; {
|
||||||
|
maintainers = [ ma27 ];
|
||||||
|
};
|
||||||
|
nodes.nextcloudwithopenssl1 = {
|
||||||
|
imports = [ nextcloudBase ];
|
||||||
|
services.nextcloud.hostName = "nextcloudwithopenssl1";
|
||||||
|
};
|
||||||
|
nodes.nextcloudwithopenssl3 = {
|
||||||
|
imports = [ nextcloudBase ];
|
||||||
|
services.nextcloud = {
|
||||||
|
hostName = "nextcloudwithopenssl3";
|
||||||
|
enableBrokenCiphersForSSE = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
testScript = { nodes, ... }: let
|
||||||
|
withRcloneEnv = host: pkgs.writeScript "with-rclone-env" ''
|
||||||
|
#!${pkgs.runtimeShell}
|
||||||
|
export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
|
||||||
|
export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/"
|
||||||
|
export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud"
|
||||||
|
export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}"
|
||||||
|
export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})"
|
||||||
|
"''${@}"
|
||||||
|
'';
|
||||||
|
withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1";
|
||||||
|
withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3";
|
||||||
|
copySharedFile1 = pkgs.writeScript "copy-shared-file" ''
|
||||||
|
#!${pkgs.runtimeShell}
|
||||||
|
echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file
|
||||||
|
'';
|
||||||
|
copySharedFile3 = pkgs.writeScript "copy-shared-file" ''
|
||||||
|
#!${pkgs.runtimeShell}
|
||||||
|
echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2
|
||||||
|
'';
|
||||||
|
openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel;
|
||||||
|
openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel;
|
||||||
|
in ''
|
||||||
|
nextcloudwithopenssl1.start()
|
||||||
|
nextcloudwithopenssl1.wait_for_unit("multi-user.target")
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
||||||
|
nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login")
|
||||||
|
|
||||||
|
with subtest("With OpenSSL 1 SSE can be enabled and used"):
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption")
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
|
||||||
|
|
||||||
|
with subtest("Upload file and ensure it's encrypted"):
|
||||||
|
nextcloudwithopenssl1.succeed("${copySharedFile1}")
|
||||||
|
nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
||||||
|
|
||||||
|
with subtest("Switch to OpenSSL 3"):
|
||||||
|
nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
|
||||||
|
nextcloudwithopenssl1.wait_for_open_port(80)
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
||||||
|
|
||||||
|
with subtest("Existing encrypted files cannot be read, but new files can be added"):
|
||||||
|
nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2")
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable")
|
||||||
|
nextcloudwithopenssl1.succeed("${copySharedFile3}")
|
||||||
|
nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
||||||
|
|
||||||
|
with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"):
|
||||||
|
nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test")
|
||||||
|
nextcloudwithopenssl1.wait_for_open_port(80)
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
||||||
|
nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
|
||||||
|
nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2")
|
||||||
|
|
||||||
|
with subtest("Ensure that everything can be decrypted"):
|
||||||
|
nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
||||||
|
nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file")
|
||||||
|
|
||||||
|
with subtest("Switch to OpenSSL 3 ensure that all files are usable now"):
|
||||||
|
nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test")
|
||||||
|
nextcloudwithopenssl1.wait_for_open_port(80)
|
||||||
|
nextcloudwithopenssl1.succeed("nextcloud-occ status")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye")
|
||||||
|
nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi")
|
||||||
|
|
||||||
|
nextcloudwithopenssl1.shutdown()
|
||||||
|
'';
|
||||||
|
})) args
|
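Review bot: The new test never checks which OpenSSL library the PHP interpreter is actually linked against after each `switch-to-configuration test`; it only infers it from whether `rclone cat` succeeds or fails. The commit message says the test ensures php-fpm loads the correct openssl extension, so add an explicit `php -i | grep 'OpenSSL Library Version'` assertion after each switch, as basic.nix does in this commit, so that a read failure for another reason is not mistaken for the OpenSSL 3 case. In the subtest "Ensure that everything can be decrypted", the `grep -vE '^HBEGIN:oc_encryption_module'` line passes whenever any line of the file lacks the header; `fail("grep -E ...")` would assert that the header is absent. Minor: `copySharedFile1` and `copySharedFile3` are both written with the script name "copy-shared-file".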
@ -91,7 +91,7 @@ let
|
|||||||
[ ]
|
[ ]
|
||||||
allExtensionFunctions;
|
allExtensionFunctions;
|
||||||
|
|
||||||
getExtName = ext: lib.removePrefix "php-" (builtins.parseDrvName ext.name).name;
|
getExtName = ext: ext.extensionName;
|
||||||
|
|
||||||
# Recursively get a list of all internal dependencies
|
# Recursively get a list of all internal dependencies
|
||||||
# for a list of extensions.
|
# for a list of extensions.
|
||||||
|
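Review bot: `getExtName = ext: ext.extensionName;` now requires every derivation passed in to carry an `extensionName` attribute, whereas the previous version derived the name from `ext.name`, which every derivation has. Are all extensions that reach this function built by a helper that sets `extensionName`? If that is not guaranteed, keep the old expression as a fallback, for example `ext.extensionName or (lib.removePrefix "php-" (builtins.parseDrvName ext.name).name)`, so an extension without the attribute does not produce an evaluation error.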
@ -71,16 +71,17 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
# will mark the extension as a zend extension or not.
|
# will mark the extension as a zend extension or not.
|
||||||
mkExtension = lib.makeOverridable
|
mkExtension = lib.makeOverridable
|
||||||
({ name
|
({ name
|
||||||
, configureFlags ? [ "--enable-${name}" ]
|
, configureFlags ? [ "--enable-${extName}" ]
|
||||||
, internalDeps ? [ ]
|
, internalDeps ? [ ]
|
||||||
, postPhpize ? ""
|
, postPhpize ? ""
|
||||||
, buildInputs ? [ ]
|
, buildInputs ? [ ]
|
||||||
, zendExtension ? false
|
, zendExtension ? false
|
||||||
, doCheck ? true
|
, doCheck ? true
|
||||||
|
, extName ? name
|
||||||
, ...
|
, ...
|
||||||
}@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // {
|
}@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // {
|
||||||
pname = "php-${name}";
|
pname = "php-${name}";
|
||||||
extensionName = name;
|
extensionName = extName;
|
||||||
|
|
||||||
outputs = [ "out" "dev" ];
|
outputs = [ "out" "dev" ];
|
||||||
|
|
||||||
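Review bot: The new `extName ? name` argument is not documented anywhere in this hunk, and its relation to `name` is not obvious from the code: `name` still feeds `pname = "php-${name}"` while `extName` now drives `--enable-${extName}` and `extensionName`. Add a comment above mkExtension stating that `extName` is the name of the directory under `ext/` and of the resulting `.so`, and that `name` only determines the package and attribute name. Also note that only "name" is removed via `builtins.removeAttrs args [ "name" ]`, so `extName` is forwarded to `stdenv.mkDerivation` as a derivation attribute alongside `extensionName`; if that is not intended, add it to the removed attributes.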
@ -103,7 +104,7 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
|
|
||||||
cdToExtensionRootPhase = ''
|
cdToExtensionRootPhase = ''
|
||||||
# Go to extension source root.
|
# Go to extension source root.
|
||||||
cd "ext/${name}"
|
cd "ext/${extName}"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
preConfigure = ''
|
preConfigure = ''
|
||||||
@ -139,7 +140,7 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
runHook preInstall
|
runHook preInstall
|
||||||
|
|
||||||
mkdir -p $out/lib/php/extensions
|
mkdir -p $out/lib/php/extensions
|
||||||
cp modules/${name}.so $out/lib/php/extensions/${name}.so
|
cp modules/${extName}.so $out/lib/php/extensions/${extName}.so
|
||||||
mkdir -p $dev/include
|
mkdir -p $dev/include
|
||||||
${rsync}/bin/rsync -r --filter="+ */" \
|
${rsync}/bin/rsync -r --filter="+ */" \
|
||||||
--filter="+ *.h" \
|
--filter="+ *.h" \
|
||||||
@ -419,6 +420,7 @@ lib.makeScope pkgs.newScope (self: with self; {
|
|||||||
# without a specific openssl.cnf file
|
# without a specific openssl.cnf file
|
||||||
{
|
{
|
||||||
name = "openssl-legacy";
|
name = "openssl-legacy";
|
||||||
|
extName = "openssl";
|
||||||
buildInputs = [ openssl_1_1 ];
|
buildInputs = [ openssl_1_1 ];
|
||||||
configureFlags = [ "--with-openssl" ];
|
configureFlags = [ "--with-openssl" ];
|
||||||
doCheck = false;
|
doCheck = false;
|
||||||
|