Nixpkgs: nextcloud: rebuild does not change adminpass

Created on 4 Apr 2020 · 6Comments · Source: NixOS/nixpkgs

Describe the bug
When I rebuild the nextcloud service as a nix container with a new adminpass specified, it doesn't get changed in the nextcloud database. It was reproducible on 19.09 and 20.03.

To Reproduce
Steps to reproduce the behavior:

Enable the nextcloud option in configuration.nix as a containerd application and set adminpass = "10ffn4bdl8" (example config for import)
Rebuild
Verify that you can login on http://localhost with admin and 10ffn4bdl8
Change adminpass to "otherpass313"
Rebuild
Try to login with the new password (it will not work, but the old one will)

Expected behavior
New admin password in nextcloud database after rebuild.

Additional context
I tried to use the adminpassFile and dbpassFile options but it didn't worked as expected in
nix container. After I specified adminpass and dbpass directly I noticed that I still can't login.

Metadata

system: "x86_64-linux"
host os: Linux 5.4.24, NixOS, 20.03beta874.b0c285807d6 (Markhor)
multi-user?: yes
sandbox: yes
version: nix-env (Nix) 2.3.2
channels(root): "nixos-20.03beta874.b0c285807d6"
channels(cap): ""
nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

bug stale nixos

Source

scaredmushroom

All 6 comments

AFAICS it's not possible to declare an admin password in config.php, only at the very first installation. And I'm rather skeptical when it comes to patching nextcloud to idempotently change the admin-pass. So my suggestion would be to rename adminpass to initialAdminpass to make it clear that this setting only applies at the first install.

Ma27 on 5 Apr 2020

👍1

I think it would be possible with occ. There is a specific command occ user:resetpassword admin
with the option to get the password from env.
I'm willing to tinker around a bit and see if I could make some values idempotently change without messing around with nextclouds internal behavior.

Should I open an issue for discussion for that or just publish the branch later?

scaredmushroom on 5 Apr 2020

We really shouldn't interpolate the password into the nix store, like we currently do, but have the script read the password from there at runtime, and change the option to adminpassFile (or initialAdminpassFile, depending on @scaredmushroom's test results)

flokli on 5 Apr 2020

We really shouldn't interpolate the password into the nix store

Agreed, my proposal would apply for adminpassFile as well :)

I think it would be possible with occ. There is a specific command occ user:resetpassword admin
with the option to get the password from env.

:-1: from me. This occ-based setup has caused enough headaches in the past. If something goes wrong during such an update, we might mess up people's databases I'm afraid.

Ma27 on 5 Apr 2020

I agree with @Ma27, and as much as I dislike initial* options aren't we just begging for something to go horribly wrong by messing with the admin password every single time the service starts?

aanderse on 5 Apr 2020

👍1

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.