nixos/nextcloud: write config to additional config file

One of the main problems of the Nextcloud module is that it's currently not possible to alter e.g. database configuration after the initial setup as it's written by their imperative installer to a file. After some research[1] it turned out that it's possible to override all values with an additional config file. The documentation has been slightly updated to remain up-to-date, but the warnings should remain there as the imperative configuration is still used and may cause unwanted side-effects. Also simplified the postgresql test which uses `ensure{Databases,Users}` to configure the database. Fixes #49783 [1] https://github.com/NixOS/nixpkgs/issues/49783#issuecomment-483063922
2025-01-17 18:34:38 +00:00 · 2019-06-28 17:54:11 +02:00 · 2019-06-28 17:54:11 +02:00 · 3944aa051c
commit 3944aa051c
parent d893a9acf8
4 changed files with 74 additions and 47 deletions
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@ -354,6 +354,15 @@
     The <literal>tomcat-connector</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     It's now possible to change configuration in
+     <link linkend="opt-services.nextcloud.enable">services.nextcloud</link> after the initial deploy
+     since all config parameters are persisted in an additional config file generated by the module.
+     Previously core configuration like database parameters were set using their imperative
+     installer after creating <literal>/var/lib/nextcloud</literal>.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -297,8 +297,23 @@ in {

      systemd.services = {
        "nextcloud-setup" = let
+          c = cfg.config;
+          writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]";
          overrideConfig = pkgs.writeText "nextcloud-config.php" ''
            <?php
+            ${optionalString (c.dbpassFile != null) ''
+              function nix_read_pwd() {
+                $file = "${c.dbpassFile}";
+                if (!file_exists($file)) {
+                  throw new \RuntimeException(sprintf(
+                    "Cannot start Nextcloud, dbpass file %s set by NixOS doesn't exist!",
+                    $file
+                  ));
+                }
+
+                return trim(file_get_contents($file));
+              }
+            ''}
            $CONFIG = [
              'apps_paths' => [
                [ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
@ -309,19 +324,27 @@ in {
              ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
              'log_type' => 'syslog',
              'log_level' => '${builtins.toString cfg.logLevel}',
-              ${optionalString (cfg.config.overwriteProtocol != null) "'overwriteprotocol' => '${cfg.config.overwriteProtocol}',"}
+              ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"}
+              ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
+              ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
+              ${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"}
+              ${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
+              ${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
+              ${optionalString (c.dbpass != null) "'dbpassword' => '${c.dbpass}',"}
+              ${optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_pwd(),"}
+              'dbtype' => '${c.dbtype}',
+              'trusted_domains' => ${writePhpArrary c.extraTrustedDomains},
            ];
          '';
          occInstallCmd = let
-            c = cfg.config;
-            adminpass = if c.adminpassFile != null
-              then ''"$(<"${toString c.adminpassFile}")"''
-              else ''"${toString c.adminpass}"'';
            dbpass = if c.dbpassFile != null
              then ''"$(<"${toString c.dbpassFile}")"''
              else if c.dbpass != null
              then ''"${toString c.dbpass}"''
              else null;
+            adminpass = if c.adminpassFile != null
+              then ''"$(<"${toString c.adminpassFile}")"''
+              else ''"${toString c.adminpass}"'';
            installFlags = concatStringsSep " \\\n    "
              (mapAttrsToList (k: v: "${k} ${toString v}") {
              "--database" = ''"${c.dbtype}"'';
--- a/nixos/modules/services/web-apps/nextcloud.xml
+++ b/nixos/modules/services/web-apps/nextcloud.xml
@ -42,10 +42,12 @@

  services.postgresql = {
    <link linkend="opt-services.postgresql.enable">enable</link> = true;
-    <link linkend="opt-services.postgresql.initialScript">initialScript</link> = pkgs.writeText "psql-init" ''
-      CREATE ROLE nextcloud WITH LOGIN;
-      CREATE DATABASE nextcloud WITH OWNER nextcloud;
-    '';
+    <link linkend="opt-services.postgresql.ensureDatabases">ensureDatabases</link> = [ "nextcloud" ];
+    <link linkend="opt-services.postgresql.ensureUsers">ensureUsers</link> = [
+     { name = "nextcloud";
+       ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+     }
+    ];
  };

  # ensure that postgres is running *before* running the setup
@ -63,17 +65,22 @@
   are used internally to configure an HTTP server using
   <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal>
   and <literal>nginx</literal>. The <literal>config</literal> attribute set is
-   used for the <literal>config.php</literal> which is used for the
-   application's configuration. <emphasis>Beware: this isn't entirely pure
-   since the config is modified by the application's runtime!</emphasis>
+   used by the imperative installer and all values are written to an additional file
+   to ensure that changes can be applied by changing the module's options.
  </para>

  <para>
-   In case the application serves multiple hosts (those are checked with
+   In case the application serves multiple domains (those are checked with
   <literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
-   those can be added using
+   it's needed to add them to
   <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
  </para>
+
+  <para>
+   Auto updates for Nextcloud apps can be enabled using
+   <literal><link linkend="opt-services.nextcloud.autoUpdateApps.enable">services.nextcloud.autoUpdateApps</link></literal>.
+</para>
+
 </section>
 <section xml:id="module-services-nextcloud-pitfalls-during-upgrade">
  <title>Pitfalls</title>
@ -87,35 +94,24 @@
  </para>

  <para>
-   Right now changes to the <literal>services.nextcloud.config</literal>
-   attribute set won't take effect after the first install (except
-   <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>)
-   since the actual configuration file is generated by the NextCloud installer
-   which also sets up critical parts such as the database structure.
+   All configuration parameters are also stored in
+   <literal>/var/lib/nextcloud/config/override.config.php</literal> which is generated by
+   the module and linked from the store to ensure that all values from <literal>config.php</literal>
+   can be modified by the module.
+   However <literal>config.php</literal> manages the application's state and shouldn't be touched
+   manually because of that.
  </para>

-  <para>
-   <emphasis>Warning: don't delete <literal>config.php</literal>! This file
+  <warning>
+   <para>Don't delete <literal>config.php</literal>! This file
   tracks the application's state and a deletion can cause unwanted
-   side-effects!</emphasis>
-  </para>
+   side-effects!</para>
+  </warning>

-  <para>
-   <emphasis>Warning: don't rerun <literal>nextcloud-occ
+  <warning>
+   <para>Don't rerun <literal>nextcloud-occ
   maintenance:install</literal>! This command tries to install the application
-   and can cause unwanted side-effects!</emphasis>
-  </para>
-
-  <para>
-   The issues are known and reported in
-   <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>,
-   for now it's unfortunately necessary to manually work around these issues.
-  </para>
-
-  <para>
-   Right now app installation and configuration is done imperatively in the nextcloud web ui or via the <literal>nextcloud-occ</literal> command line utility.
-   You can activate auto updates for your apps via
-   <literal><link linkend="opt-services.nextcloud.autoUpdateApps.enable">services.nextcloud.autoUpdateApps</link></literal>.
-  </para>
+   and can cause unwanted side-effects!</para>
+  </warning>
 </section>
 </chapter>
--- a/nixos/tests/nextcloud/with-postgresql-and-redis.nix
+++ b/nixos/tests/nextcloud/with-postgresql-and-redis.nix
@ -27,10 +27,7 @@ in {
          dbtype = "pgsql";
          dbname = "nextcloud";
          dbuser = "nextcloud";
-          dbhost = "localhost";
-          dbpassFile = toString (pkgs.writeText "db-pass-file" ''
-            hunter2
-          '');
+          dbhost = "/run/postgresql";
          inherit adminuser;
          adminpassFile = toString (pkgs.writeText "admin-pass-file" ''
            ${adminpass}
@ -84,10 +81,12 @@ in {

      services.postgresql = {
        enable = true;
-        initialScript = pkgs.writeText "psql-init" ''
-          create role nextcloud with login password 'hunter2';
-          create database nextcloud with owner nextcloud;
-        '';
+        ensureDatabases = [ "nextcloud" ];
+        ensureUsers = [
+          { name = "nextcloud";
+            ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+          }
+        ];
      };
    };
  };