nixpkgs/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
Philip Potter 7ad6dac43b owncloud: don't store plaintext adminPassword in nix store
Rather than using openssl to hash the password at build time, and hence
leaving the plaintext password world-readable in the nix store, we can
instead hash the password in the nix expression itself using
builtins.hashString.
2015-03-16 22:42:22 +00:00

577 lines
21 KiB
Nix

{ config, lib, pkgs, serverInfo, php, ... }:
with lib;
let
httpd = serverInfo.serverConfig.package;
version24 = !versionOlder httpd.version "2.4";
allGranted = if version24 then ''
Require all granted
'' else ''
Order allow,deny
Allow from all
'';
owncloudConfig = pkgs.writeText "config.php"
''
<?php
/* Only enable this for local development and not in productive environments */
/* This will disable the minifier and outputs some additional debug informations */
define("DEBUG", false);
$CONFIG = array(
/* Flag to indicate ownCloud is successfully installed (true = installed) */
"installed" => true,
/* Type of database, can be sqlite, mysql or pgsql */
"dbtype" => "${config.dbType}",
/* Name of the ownCloud database */
"dbname" => "${config.dbName}",
/* User to access the ownCloud database */
"dbuser" => "${config.dbUser}",
/* Password to access the ownCloud database */
"dbpassword" => "${config.dbPassword}",
/* Host running the ownCloud database. To specify a port use "HOSTNAME:####"; to specify a unix sockets use "localhost:/path/to/socket". */
"dbhost" => "${config.dbServer}",
/* Prefix for the ownCloud tables in the database */
"dbtableprefix" => "",
/* Force use of HTTPS connection (true = use HTTPS) */
"forcessl" => ${config.forceSSL},
/* Blacklist a specific file and disallow the upload of files with this name - WARNING: USE THIS ONLY IF YOU KNOW WHAT YOU ARE DOING. */
"blacklisted_files" => array('.htaccess'),
/* The automatic hostname detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. You can also add a port. For example "www.example.com:88" */
"overwritehost" => "${config.overwriteHost}",
/* The automatic protocol detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the protocol detection. For example "https" */
"overwriteprotocol" => "${config.overwriteProtocol}",
/* The automatic webroot detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. For example "/domain.tld/ownCloud". The value "/" can be used to remove the root. */
"overwritewebroot" => "${config.overwriteWebRoot}",
/* The automatic detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to define a manually override condition as regular expression for the remote ip address. For example "^10\.0\.0\.[1-3]$" */
"overwritecondaddr" => "",
/* A proxy to use to connect to the internet. For example "myproxy.org:88" */
"proxy" => "",
/* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */
"proxyuserpwd" => "",
/* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */
'trusted_domains' => array('${config.trustedDomain}'),
/* Theme to use for ownCloud */
"theme" => "",
/* Optional ownCloud default language - overrides automatic language detection on public pages like login or shared items. This has no effect on the user's language preference configured under "personal -> language" once they have logged in */
"default_language" => "${config.defaultLang}",
/* Path to the parent directory of the 3rdparty directory */
"3rdpartyroot" => "",
/* URL to the parent directory of the 3rdparty directory, as seen by the browser */
"3rdpartyurl" => "",
/* Default app to open on login.
* This can be a comma-separated list of app ids.
* If the first app is not enabled for the current user,
* it will try with the second one and so on. If no enabled app could be found,
* the "files" app will be displayed instead. */
"defaultapp" => "${config.defaultApp}",
/* Enable the help menu item in the settings */
"knowledgebaseenabled" => true,
/* Enable installing apps from the appstore */
"appstoreenabled" => ${config.appStoreEnable},
/* URL of the appstore to use, server should understand OCS */
"appstoreurl" => "https://api.owncloud.com/v1",
/* Domain name used by ownCloud for the sender mail address, e.g. no-reply@example.com */
"mail_domain" => "${config.mailFromDomain}",
/* FROM address used by ownCloud for the sender mail address, e.g. owncloud@example.com
This setting overwrites the built in 'sharing-noreply' and 'lostpassword-noreply'
FROM addresses, that ownCloud uses
*/
"mail_from_address" => "${config.mailFrom}",
/* Enable SMTP class debugging */
"mail_smtpdebug" => false,
/* Mode to use for sending mail, can be sendmail, smtp, qmail or php, see PHPMailer docs */
"mail_smtpmode" => "${config.SMTPMode}",
/* Host to use for sending mail, depends on mail_smtpmode if this is used */
"mail_smtphost" => "${config.SMTPHost}",
/* Port to use for sending mail, depends on mail_smtpmode if this is used */
"mail_smtpport" => ${config.SMTPPort},
/* SMTP server timeout in seconds for sending mail, depends on mail_smtpmode if this is used */
"mail_smtptimeout" => ${config.SMTPTimeout},
/* SMTP connection prefix or sending mail, depends on mail_smtpmode if this is used.
Can be "", ssl or tls */
"mail_smtpsecure" => "${config.SMTPSecure}",
/* authentication needed to send mail, depends on mail_smtpmode if this is used
* (false = disable authentication)
*/
"mail_smtpauth" => ${config.SMTPAuth},
/* authentication type needed to send mail, depends on mail_smtpmode if this is used
* Can be LOGIN (default), PLAIN or NTLM */
"mail_smtpauthtype" => "${config.SMTPAuthType}",
/* Username to use for sendmail mail, depends on mail_smtpauth if this is used */
"mail_smtpname" => "${config.SMTPUser}",
/* Password to use for sendmail mail, depends on mail_smtpauth if this is used */
"mail_smtppassword" => "${config.SMTPPass}",
/* memcached servers (Only used when xCache, APC and APCu are absent.) */
"memcached_servers" => array(
// hostname, port and optional weight. Also see:
// http://www.php.net/manual/en/memcached.addservers.php
// http://www.php.net/manual/en/memcached.addserver.php
//array('localhost', 11211),
//array('other.host.local', 11211),
),
/* How long should ownCloud keep deleted files in the trash bin, default value: 30 days */
'trashbin_retention_obligation' => 30,
/* Disable/Enable auto expire for the trash bin, by default auto expire is enabled */
'trashbin_auto_expire' => true,
/* allow user to change his display name, if it is supported by the back-end */
'allow_user_to_change_display_name' => true,
/* Check 3rdparty apps for malicious code fragments */
"appcodechecker" => true,
/* Check if ownCloud is up to date */
"updatechecker" => true,
/* Are we connected to the internet or are we running in a closed network? */
"has_internet_connection" => true,
/* Check if the ownCloud WebDAV server is working correctly. Can be disabled if not needed in special situations*/
"check_for_working_webdav" => true,
/* Check if .htaccess protection of data is working correctly. Can be disabled if not needed in special situations*/
"check_for_working_htaccess" => true,
/* Place to log to, can be owncloud and syslog (owncloud is log menu item in admin menu) */
"log_type" => "owncloud",
/* File for the owncloud logger to log to, (default is ownloud.log in the data dir) */
"logfile" => "${config.dataDir}/owncloud.log",
/* Loglevel to start logging at. 0=DEBUG, 1=INFO, 2=WARN, 3=ERROR (default is WARN) */
"loglevel" => "2",
/* date format to be used while writing to the owncloud logfile */
'logdateformat' => 'F d, Y H:i:s',
/* timezone used while writing to the owncloud logfile (default: UTC) */
'logtimezone' => '${serverInfo.fullConfig.time.timeZone}',
/* Append all database queries and parameters to the log file.
(watch out, this option can increase the size of your log file)*/
"log_query" => false,
/* Whether ownCloud should log the last successfull cron exec */
"cron_log" => true,
/*
* Configure the size in bytes log rotation should happen, 0 or false disables the rotation.
* This rotates the current owncloud logfile to a new name, this way the total log usage
* will stay limited and older entries are available for a while longer. The
* total disk usage is twice the configured size.
* WARNING: When you use this, the log entries will eventually be lost.
*/
'log_rotate_size' => "104857600", // 104857600, // 100 MiB
/* Lifetime of the remember login cookie, default is 15 days */
"remember_login_cookie_lifetime" => 1296000,
/* Life time of a session after inactivity */
"session_lifetime" => 86400,
/*
* Enable/disable session keep alive when a user is logged in in the Web UI.
* This is achieved by sending a "heartbeat" to the server to prevent
* the session timing out.
*/
"session_keepalive" => true,
/* Custom CSP policy, changing this will overwrite the standard policy */
"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *",
/* Enable/disable X-Frame-Restriction */
/* HIGH SECURITY RISK IF DISABLED*/
"xframe_restriction" => true,
/* The directory where the user data is stored, default to data in the owncloud
* directory. The sqlite database is also stored here, when sqlite is used.
*/
"datadirectory" => "${config.dataDir}/storage",
/* The directory where the skeleton files are located. These files will be copied to the data
* directory of new users. Leave empty to not copy any skeleton files.
*/
// "skeletondirectory" => "",
/* Enable maintenance mode to disable ownCloud
If you want to prevent users to login to ownCloud before you start doing some maintenance work,
you need to set the value of the maintenance parameter to true.
Please keep in mind that users who are already logged-in are kicked out of ownCloud instantly.
*/
"maintenance" => false,
"apps_paths" => array(
/* Set an array of path for your apps directories
key 'path' is for the fs path and the key 'url' is for the http path to your
applications paths. 'writable' indicates whether the user can install apps in this folder.
You must have at least 1 app folder writable or you must set the parameter 'appstoreenabled' to false
*/
array(
'path'=> '${config.dataDir}/apps',
'url' => '/apps',
'writable' => true,
),
),
'user_backends'=>array(
/*
array(
'class'=>'OC_User_IMAP',
'arguments'=>array('{imap.gmail.com:993/imap/ssl}INBOX')
)
*/
),
//links to custom clients
'customclient_desktop' => ''', //http://owncloud.org/sync-clients/
'customclient_android' => ''', //https://play.google.com/store/apps/details?id=com.owncloud.android
'customclient_ios' => ''', //https://itunes.apple.com/us/app/owncloud/id543672169?mt=8
// PREVIEW
'enable_previews' => true,
/* the max width of a generated preview, if value is null, there is no limit */
'preview_max_x' => null,
/* the max height of a generated preview, if value is null, there is no limit */
'preview_max_y' => null,
/* the max factor to scale a preview, default is set to 10 */
'preview_max_scale_factor' => 10,
/* custom path for libreoffice / openoffice binary */
'preview_libreoffice_path' => '${config.libreofficePath}',
/* cl parameters for libreoffice / openoffice */
'preview_office_cl_parameters' => ''',
/* whether avatars should be enabled */
'enable_avatars' => true,
// Extra SSL options to be used for configuration
'openssl' => array(
'config' => '/etc/ssl/openssl.cnf',
),
// default cipher used for file encryption, currently we support AES-128-CFB and AES-256-CFB
'cipher' => 'AES-256-CFB',
/* whether usage of the instance should be restricted to admin users only */
'singleuser' => false,
/* all css and js files will be served by the web server statically in one js file and ons css file*/
'asset-pipeline.enabled' => false,
/* where mount.json file should be stored, defaults to data/mount.json */
'mount_file' => ''',
/*
* Location of the cache folder, defaults to "data/$user/cache" where "$user" is the current user.
*
* When specified, the format will change to "$cache_path/$user" where "$cache_path" is the configured
* cache directory and "$user" is the user.
*
*/
'cache_path' => ''',
/* EXPERIMENTAL: option whether to include external storage in quota calculation, defaults to false */
'quota_include_external_storage' => false,
/*
* specifies how often the filesystem is checked for changes made outside owncloud
* 0 -> never check the filesystem for outside changes, provides a performance increase when it's certain that no changes are made directly to the filesystem
* 1 -> check each file or folder at most once per request, recomended for general use if outside changes might happen
* 2 -> check every time the filesystem is used, causes a performance hit when using external storages, not recomended for regular use
*/
'filesystem_check_changes' => 1,
/* If true, prevent owncloud from changing the cache due to changes in the filesystem for all storage */
'filesystem_cache_readonly' => false,
/**
* define default folder for shared files and folders
*/
'share_folder' => '/',
'version' => '${pkgs.owncloud.version}',
'openssl' => '${pkgs.openssl}/bin/openssl'
);
'';
in
rec {
extraConfig =
''
ServerName ${config.siteName}
ServerAdmin ${config.adminAddr}
DocumentRoot ${documentRoot}
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
<Directory ${pkgs.owncloud}>
${builtins.readFile "${pkgs.owncloud}/.htaccess"}
</Directory>
'';
globalEnvVars = [
{ name = "OC_CONFIG_PATH"; value = "${config.dataDir}/config/"; }
];
documentRoot = pkgs.owncloud;
enablePHP = true;
options = {
id = mkOption {
default = "main";
description = ''
A unique identifier necessary to keep multiple owncloud server
instances on the same machine apart. This is used to
disambiguate the administrative scripts, which get names like
mediawiki-$id-change-password.
'';
};
adminUser = mkOption {
default = "owncloud";
description = "The admin user name for accessing owncloud.";
};
adminPassword = mkOption {
description = "The admin password for accessing owncloud.";
};
dbType = mkOption {
default = "pgsql";
description = "Type of database, in NixOS, for now, only pgsql.";
};
dbName = mkOption {
default = "owncloud";
description = "Name of the database that holds the owncloud data.";
};
dbServer = mkOption {
default = "localhost:5432";
description = ''
The location of the database server.
'';
};
dbUser = mkOption {
default = "owncloud";
description = "The user name for accessing the database.";
};
dbPassword = mkOption {
example = "foobar";
description = ''
The password of the database user. Warning: this is stored in
cleartext in the Nix store!
'';
};
forceSSL = mkOption {
default = "false";
description = "Force use of HTTPS connection.";
};
adminAddr = mkOption {
default = serverInfo.serverConfig.adminAddr;
example = "admin@example.com";
description = ''
Emergency contact e-mail address. Defaults to the Apache
admin address.
'';
};
siteName = mkOption {
default = "owncloud";
example = "Foobar owncloud";
description = "Name of the owncloud";
};
trustedDomain = mkOption {
default = "";
description = "Trusted domain";
};
defaultLang = mkOption {
default = "";
description = "Default language";
};
defaultApp = mkOption {
default = "";
description = "Default application";
};
appStoreEnable = mkOption {
default = "true";
description = "Enable app store";
};
mailFrom = mkOption {
default = "no-reply";
description = "Mail from";
};
mailFromDomain = mkOption {
default = "example.xyz";
description = "Mail from domain";
};
SMTPMode = mkOption {
default = "smtp";
description = "Which mode to use for sending mail: sendmail, smtp, qmail or php.";
};
SMTPHost = mkOption {
default = "";
description = "SMTP host";
};
SMTPPort = mkOption {
default = "25";
description = "SMTP port";
};
SMTPTimeout = mkOption {
default = "10";
description = "SMTP mode";
};
SMTPSecure = mkOption {
default = "ssl";
description = "SMTP secure";
};
SMTPAuth = mkOption {
default = "true";
description = "SMTP auth";
};
SMTPAuthType = mkOption {
default = "LOGIN";
description = "SMTP auth type";
};
SMTPUser = mkOption {
default = "";
description = "SMTP user";
};
SMTPPass = mkOption {
default = "";
description = "SMTP pass";
};
dataDir = mkOption {
default = "/var/lib/owncloud";
description = "Data dir";
};
libreofficePath = mkOption {
default = "/usr/bin/libreoffice";
description = "Path for LibreOffice/OpenOffice binary.";
};
overwriteHost = mkOption {
default = "";
description = "The automatic hostname detection of ownCloud can fail in
certain reverse proxy and CLI/cron situations. This option allows to
manually override the automatic detection. You can also add a port.";
};
overwriteProtocol = mkOption {
default = "";
description = "The automatic protocol detection of ownCloud can fail in
certain reverse proxy and CLI/cron situations. This option allows to
manually override the protocol detection.";
};
overwriteWebRoot = mkOption {
default = "";
description = "The automatic webroot detection of ownCloud can fail in
certain reverse proxy and CLI/cron situations. This option allows to
manually override the automatic detection.";
};
};
startupScript = pkgs.writeScript "owncloud_startup.sh" ''
if [ ! -d ${config.dataDir}/config ]; then
mkdir -p ${config.dataDir}/config
cp ${owncloudConfig} ${config.dataDir}/config/config.php
mkdir -p ${config.dataDir}/storage
mkdir -p ${config.dataDir}/apps
cp -r ${pkgs.owncloud}/apps/* ${config.dataDir}/apps/
chmod -R ug+rw ${config.dataDir}
chmod -R o-rwx ${config.dataDir}
chown -R wwwrun:wwwrun ${config.dataDir}
${pkgs.postgresql}/bin/createuser -s -r postgres
${pkgs.postgresql}/bin/createuser --no-superuser --no-createdb --no-createrole "${config.dbUser}" || true
${pkgs.postgresql}/bin/createdb "${config.dbName}" -O "${config.dbUser}" || true
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/psql -U postgres -d postgres -c "alter user ${config.dbUser} with password '${config.dbPassword}';" || true
QUERY="CREATE TABLE appconfig (appid VARCHAR( 255 ) NOT NULL ,configkey VARCHAR( 255 ) NOT NULL ,configvalue VARCHAR( 255 ) NOT NULL); GRANT ALL ON appconfig TO ${config.dbUser}; ALTER TABLE appconfig OWNER TO ${config.dbUser};"
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
fi
${php}/bin/php ${pkgs.owncloud}/occ upgrade || true
chown wwwrun:wwwrun ${config.dataDir}/owncloud.log || true
QUERY="INSERT INTO groups (gid) values('admin'); INSERT INTO users (uid,password) values('${config.adminUser}','${builtins.hashString "sha1" config.adminPassword}'); INSERT INTO group_user (gid,uid) values('admin','${config.adminUser}');"
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
'';
}