Merge pull request #115372 from BBBSnowball/pr-add-config-nextcloud-imagick

nixos/nextcloud: Conditionally enable ImageMagick PHP extension
2024-09-22 13:08:39 +03:00 · 2021-03-11 12:45:17 +01:00 · 2021-03-11 12:45:17 +01:00 · 7ecc3b0684
commit 7ecc3b0684
parent ad47086dea 1bd7941a6b
2 changed files with 32 additions and 4 deletions
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -10,7 +10,7 @@ let
    extensions = { enabled, all }:
      (with all;
        enabled
-        ++ [ imagick ] # Always enabled
+        ++ optional (!cfg.disableImagemagick) imagick
        # Optionally enabled depending on caching settings
        ++ optional cfg.caching.apcu apcu
        ++ optional cfg.caching.redis redis
@ -303,6 +303,18 @@ in {
      };
    };

+    disableImagemagick = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to not load the ImageMagick module into PHP.
+        This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF).
+        You may want to disable it for increased security. In that case, previews will still be available
+        for some images (e.g. JPEG and PNG).
+        See https://github.com/nextcloud/server/issues/13099
+      '';
+    };
+
    caching = {
      apcu = mkOption {
        type = types.bool;
--- a/nixos/tests/nextcloud/basic.nix
+++ b/nixos/tests/nextcloud/basic.nix
@ -7,7 +7,7 @@ in {
    maintainers = [ globin eqyiel ];
  };

-  nodes = {
+  nodes = rec {
    # The only thing the client needs to do is download a file.
    client = { ... }: {
      services.davfs2.enable = true;
@ -47,9 +47,14 @@ in {

      environment.systemPackages = [ cfg.services.nextcloud.occ ];
    };
+
+    nextcloudWithoutMagick = args@{ config, pkgs, lib, ... }:
+      lib.mkMerge
+      [ (nextcloud args)
+        { services.nextcloud.disableImagemagick = true; } ];
  };

-  testScript = let
+  testScript = { nodes, ... }: let
    withRcloneEnv = pkgs.writeScript "with-rclone-env" ''
      #!${pkgs.runtimeShell}
      export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav
@ -68,8 +73,19 @@ in {
      #!${pkgs.runtimeShell}
      diff <(echo 'hi') <(${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file)
    '';
+
+    findInClosure = what: drv: pkgs.runCommand "find-in-closure" { exportReferencesGraph = [ "graph" drv ]; inherit what; } ''
+      test -e graph
+      grep "$what" graph >$out || true
+    '';
+    nextcloudUsesImagick = findInClosure "imagick" nodes.nextcloud.config.system.build.vm;
+    nextcloudWithoutDoesntUseIt = findInClosure "imagick" nodes.nextcloudWithoutMagick.config.system.build.vm;
  in ''
-    start_all()
+    assert open("${nextcloudUsesImagick}").read() != ""
+    assert open("${nextcloudWithoutDoesntUseIt}").read() == ""
+
+    nextcloud.start()
+    client.start()
    nextcloud.wait_for_unit("multi-user.target")
    # This is just to ensure the nextcloud-occ program is working
    nextcloud.succeed("nextcloud-occ status")