There is a comment above the invocation of 'nextcloud-occ app:enable', stating
that the script should not fail if any of the apps cannot be enabled, but there
is nothing in place to suppress errors. The app:enable command already
continues installing the remaining apps when one fails to install, and we do not
want to suppress errors in the setup script, so this just removes the comment
about not failing.
* Add an option services.nextcloud.nginx.hstsMaxAge for setting the max-age
directive of the Strict-Transport-Security HTTP header.
* Make the Strict-Transport-Security HTTP header in the Nginx virtualhost block
dependant upon the option services.nextcloud.https instead of
services.nextcloud.nginx.recommendedHttpHeaders, as this header makes no sense
when not using HTTPS. (Closes#169465)
Added Nextcloud 23 and set it as the default Nextcloud version for the
NixOS module. Added PHP 8.1 as an option for phpPackage and default for
Nextcloud ≥ 24.
Release notes available at https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-18-0-0.
The way the database port is configured changed in Keycloak 18 and the
old way of including it in the `db-url-host` setting no longer
works. Use the new `db-url-port` setting instead.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
Signed-off-by: Kim Lindberger <kim.lindberger@gmail.com>
I recently learned that Nextcloud 23's new profile feature — basically a
way for users to share personal contact details — has a problematic
default setting, profile data is shared with **everyone** by default.
This means that an unauthenticated user can access personal information
by accessing `nextcloud.tld/u/user.name`.
The announcement of v23 states[1]:
> We go a step further and introduce a profile page. Here you can put a
> description of yourself, show links to, for example, social media, what
> department you are in and information on how to contact you. All these
> are of course entirely optional and you can choose what is visible to who!
> The profile and user status are accessible also from our mobile and desktop clients.
It's not mentioned that by default you share personal information[3] with
everyone and personally I think that's somewhat problematic.
To work around that, I decided to add an option for the recently added[2]
and even set it to `false` by default to make an explicit opt-in for
that feature.
[1] https://nextcloud.com/blog/nextcloud-hub-2-brings-major-overhaul-introducing-nextcloud-office-p2p-backup-and-more/
[2] https://github.com/nextcloud/server/pull/31624/files
[3] By default, this affects the following properties:
* About
* Full name
* Headline
* Organisation
* Profile picture
* Role
* Twitter
* Website
Phone, Address and Email are not affected and only shown to
authenticated users by default.
With version 17 of Keycloak, the Wildfly based distribution was
deprecated in favor of the one based on Quarkus. The difference in
configuration is massive and to accommodate it, both the package and
module had to be rewritten.
This fixes the following issues with the database provisioning script
included in the services.keycloak module:
- It lacked permission to access the DB password file specified in the
module option 'services.keycloak.database.passwordFile'.
- It prevented Keycloak from starting after the second time if the user
chose MySQL for the database.