nixos/nextcloud: check if ownership of config is correct

Follow-up on #169733

For `data`, Nextcloud checks on its own if everything is readable.
However, for `config` it's crucial that the ownership is actually
correct: otherwise, systemd-tmpfiles will refuse any operations inside
because of unsafe path transitions.

This can result in a subtly broken setup by the `override.config.php`
not being updated, but also not part of the system closure anymore
(another override.config.php is referenced now) which means it'll be
GCed eventually even though Nextcloud relies on it.

If this precondition is not met, the following error will be printed:

    nextcloud-setup-start[972]: /var/lib/nextcloud/config is not owned by user 'nextcloud'!
    nextcloud-setup-start[972]: Please check the logs via 'journalctl -u systemd-tmpfiles-setup'
    nextcloud-setup-start[972]: and make sure there are no unsafe path transitions.
    nextcloud-setup-start[972]: (https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)
Maximilian Bosch
2025-02-05 12:33:16 +01:00
parent 1f0082fe19
commit 39dcdc5c9b

@@ -1173,6 +1173,15 @@ in
exit 1
fi
# Check if systemd-tmpfiles setup worked correctly
if [[ ! -O "${datadir}/config" ]]; then
echo "${datadir}/config is not owned by user 'nextcloud'!"
echo "Please check the logs via 'journalctl -u systemd-tmpfiles-setup'"
echo "and make sure there are no unsafe path transitions."
echo "(https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)"
exit 1
fi
${concatMapStrings
(name: ''
if [ -d "${cfg.home}"/${name} ]; then
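Review bot: The `[[ ! -O "${datadir}/config" ]]` test is true in two different situations, but the message only describes one of them. Bash's `-O` succeeds only if the path exists and is owned by the effective UID of the process running the script. The check therefore also fires when `${datadir}/config` is missing entirely, and in that case "is not owned by user 'nextcloud'!" points the admin at the wrong problem. Consider testing `[[ ! -e "${datadir}/config" ]]` first with its own message. The check also depends implicitly on this script running as the nextcloud user, because the user name in the echo is hardcoded and not derived from what `-O` actually compared against. A short comment stating that assumption, or printing the real owner (for example via `stat -c %U`) next to the expected one, would make the failure easier to diagnose. Minor: the four `echo` lines write to stdout; sending them to stderr with `>&2` would be the usual choice for a fatal precondition message before `exit 1`.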