NixOS / nixpkgs

Nix Packages collection & NixOS

nextcloud: rebuild does not change adminpass #84256

Open scaredmushroom opened 4 years ago

scaredmushroom commented 4 years ago

Describe the bug

When I rebuild the nextcloud service as a nix container with a new adminpass specified, it doesn't get changed in the nextcloud database. It was reproducible on 19.09 and 20.03.

To Reproduce

Steps to reproduce the behavior:

  1. Enable the nextcloud option in configuration.nix as a containerd application and set adminpass = "10ffn4bdl8" (example config for import)
  2. Rebuild
  3. Verify that you can login on http://localhost with admin and 10ffn4bdl8
  4. Change adminpass to "otherpass313"
  5. Rebuild
  6. Try to login with the new password (it will not work, but the old one will)

Expected behavior

New admin password in nextcloud database after rebuild.

Additional context

I tried to use the adminpassFile and dbpassFile options but it didn't work as expected in a nix container. After I specified adminpass and dbpass directly I noticed that I still couldn't log in.

Ma27 commented 4 years ago

AFAICS it's not possible to declare an admin password in config.php, only at the very first installation. And I'm rather skeptical when it comes to patching nextcloud to idempotently change the admin-pass. So my suggestion would be to rename adminpass to initialAdminpass to make it clear that this setting only applies at the first install.

scaredmushroom commented 4 years ago

I think it would be possible with occ. There is a specific command occ user:resetpassword admin with the option to get the password from env. I'm willing to tinker around a bit and see if I could make some values idempotently change without messing around with Nextcloud's internal behavior.

Should I open an issue for discussion for that or just publish the branch later?

flokli commented 4 years ago

We really shouldn't interpolate the password into the nix store, like we currently do, but have the script read the password from there at runtime, and change the option to adminpassFile (or initialAdminpassFile, depending on @scaredmushroom's test results)

Ma27 commented 4 years ago

> We really shouldn't interpolate the password into the nix store

Agreed, my proposal would apply for adminpassFile as well :)

> I think it would be possible with occ. There is a specific command occ user:resetpassword admin with the option to get the password from env.

:-1: from me. This occ-based setup has caused enough headaches in the past. If something goes wrong during such an update, we might mess up people's databases I'm afraid.

aanderse commented 4 years ago

I agree with @Ma27, and as much as I dislike initial* options, aren't we just begging for something to go horribly wrong by messing with the admin password every single time the service starts?

stale[bot] commented 3 years ago

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

RonnyPfannschmidt commented 1 year ago

it seems the option was renamed to passFile, however the initial part was left out

Ma27 commented 1 year ago

> however the initial part was left out

As mentioned above, I doubt that there's a reasonable solution.

RonnyPfannschmidt commented 1 year ago

The current implementation is an initial password; the option name wrongly indicates that the password updates. Ideally the option would be renamed to include the "initial" + docs would be added to use the occ command for imperative fixes.

RonnyPfannschmidt commented 1 year ago

An alternative would be if nix could provide a nextcloud compatible sso where nix regenerates the password files just like the users for the sso

bronson commented 1 year ago

Just ran into this. I like the suggested resolution: change the config name to initialAdminPassFile and refer users to occ if they want to change it in the future. That seems entirely reasonable to me.

I'd bang together a patch if there's a committer interested in applying it.

The SSO server option would be a fairly complex solution for a minor problem, wouldn't it?

RonnyPfannschmidt commented 1 year ago

It's only complex if it's not packaged nicely.

I'd prefer an SSO over having to manage users in multiple services.

bronson commented 1 year ago

Well that's true, a low-configuration NixOS-wide SSO would be useful. If anyone is working on one, I hope you get ahold of me so I can try it!
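
The imperative fix suggested in the thread (treat the declarative option as the initial password and use occ user:resetpassword for later changes), as an added example that is not part of the thread or of nixpkgs. It reads the new password from a file at runtime, in line with the point about keeping it out of the Nix store; the nextcloud-occ wrapper name, the OCC_CMD override and the secret path in the comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from nixpkgs or from this thread.
# Assumption: OCC_CMD names the occ wrapper on the host (default: nextcloud-occ)
# and that wrapper passes OC_PASS through to PHP.

reset_admin_password() {
    local pass_file="$1"
    local user="${2:-admin}"
    local occ="${OCC_CMD:-nextcloud-occ}"
    local real perms pass

    [ -r "$pass_file" ] || { echo "cannot read $pass_file" >&2; return 2; }

    # Everything under /nix/store is world-readable, so a secret there is already exposed.
    real="$(readlink -f "$pass_file")"
    case "$real" in
        /nix/store/*) echo "$real is in the Nix store" >&2; return 3 ;;
    esac

    # Characters 5-10 of the ls mode string are the group and other permission bits.
    perms="$(ls -ldL "$pass_file" | cut -c5-10)"
    [ "$perms" = "------" ] || { echo "$pass_file is accessible to group/other" >&2; return 4; }

    # Command substitution strips the trailing newline most editors add.
    pass="$(cat "$pass_file")"
    [ -n "$pass" ] || { echo "$pass_file is empty" >&2; return 5; }

    # The secret travels in the environment of this one command, so it never
    # appears in argv, which every local user can read via ps.
    OC_PASS="$pass" "$occ" user:resetpassword --password-from-env "$user"
}

# Run directly (hypothetical path): ./reset-admin-pass.sh /run/secrets/nextcloud-admin-pass [user]
[ "$#" -eq 0 ] || reset_admin_password "$@"
```
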