From 39dcdc5c9b1a1f150dbd2d35198b4bf2ae4b2c73 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Wed, 5 Feb 2025 12:33:16 +0100
Subject: [PATCH] nixos/nextcloud: check if ownership of config is correct

Follow-up on #169733

For `data`, Nextcloud checks on its own if everything is readable.
However, for `config` it's crucial that the ownership is actually
correct: otherwise, systemd-tmpfiles will refuse any operations inside
because of unsafe path transitions.

This can result in a subtly broken setup: the `override.config.php` is
not updated, but it is also no longer part of the system closure
(another override.config.php is referenced now), which means it'll be
GCed eventually even though Nextcloud relies on it.

If this precondition is not met, the following error will be printed:

    nextcloud-setup-start[972]: /var/lib/nextcloud/config is not owned by user 'nextcloud'!
    nextcloud-setup-start[972]: Please check the logs via 'journalctl -u systemd-tmpfiles-setup'
    nextcloud-setup-start[972]: and make sure there are no unsafe path transitions.
    nextcloud-setup-start[972]: (https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)
---
 nixos/modules/services/web-apps/nextcloud.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index c249989dae22..4b3be5e9fda3 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -1173,6 +1173,15 @@ in exit 1 fi + # Check if systemd-tmpfiles setup worked correctly + if [[ ! -O "${datadir}/config" ]]; then + echo "${datadir}/config is not owned by user 'nextcloud'!" + echo "Please check the logs via 'journalctl -u systemd-tmpfiles-setup'" + echo "and make sure there are no unsafe path transitions." + echo "(https://nixos.org/manual/nixos/stable/#module-services-nextcloud-pitfalls-during-upgrade)" + exit 1 + fi + ${concatMapStrings (name: '' if [ -d "${cfg.home}"/${name} ]; then
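Review bot: the new check `[[ ! -O "${datadir}/config" ]]` tests whether the path is owned by the effective UID of the shell running this script, not by the user 'nextcloud' that the error message names; the two only coincide if this unit is guaranteed to run as that user, so either derive the name in the message from the service's configured user or test the owner explicitly (e.g. `stat -c %U "${datadir}/config"` compared against the expected user) so the check and the message cannot drift apart. Also note that `-O` returns false when the path does not exist at all, so a missing `${datadir}/config` would surface as a spurious "not owned by user" error; a preceding `-d` test (with its own message) would keep the diagnostic accurate. Finally, the check covers only the `config` directory inode itself and not `override.config.php` inside it, which is the file the commit message says ends up stale; if that file's ownership can diverge from its parent, it deserves the same test.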