nextcloud: Don't set password on redis server

- Before we can enable this added protection, we need to address a couple of issues: - Redis password is restored after a restore. This means that if nextcloud's backup is restored on a machine where redis server already has a password set, then the password won't match with the password configured for other apps that are using redis. - When email server is already installed before this patch and then nextcloud is installed. rspamd will fail to connect to redis server. This even with the changes intended on the email server as the setup version in those changes has not been incremented. - Restart redis-server only when needed. This avoids major disruption caused due un-persisted cache and locks removed. - Don't use Redis for caching of server-local data as this APCu seems to be preferred by upstream containers. - Don't set filelocking.enabled=true as this is already the default. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 07:55:00 +00:00 · 2024-04-04 12:14:36 -07:00 · 2024-04-04 12:14:36 -07:00 · 12374d8783
commit 12374d8783
parent 281aaa9462
2 changed files with 8 additions and 29 deletions
--- a/plinth/modules/nextcloud/manifest.py
+++ b/plinth/modules/nextcloud/manifest.py
@ -51,9 +51,6 @@ backup = {
        'directories': [
            '/var/lib/containers/storage/volumes/nextcloud-volume-freedombox/'
        ],
-        'files': [
-            '/var/lib/plinth/backups-data/nextcloud-database.sql',
-            '/etc/redis/redis.conf'
-        ]
+        'files': ['/var/lib/plinth/backups-data/nextcloud-database.sql']
    }
 }
--- a/plinth/modules/nextcloud/privileged.py
+++ b/plinth/modules/nextcloud/privileged.py
@ -48,8 +48,6 @@ def setup():

    # Setup redis for caching
    _redis_listen_socket()
-    _set_redis_password(_generate_secret_key(16))
-    action_utils.service_restart('redis-server')

    action_utils.podman_run(
        network_name=NETWORK_NAME, subnet='172.16.16.0/24',
@ -77,7 +75,7 @@ def setup():
        time.sleep(1)

    _nextcloud_setup_wizard(database_password, administrator_password)
-    _create_redis_config(_get_redis_password())
+    _create_redis_config()

    _configure_ldap()

@ -363,18 +361,14 @@ def _get_dbpassword():
                             capture_output=True).stdout.decode().strip()


-def _create_redis_config(password):
+def _create_redis_config():
    """Create a php file for Redis configuration."""
    config_file = _volume_path / '_data/config/freedombox.config.php'
-    file_content = f'''<?php
+    file_content = r'''<?php
 $CONFIG = [
-'filelocking.enabled' => true,
-'memcache.locking' => '\\\\OC\\\\Memcache\\\\Redis',
-'memcache.distributed' => '\\\\OC\\\\Memcache\\\\Redis',
-'redis' => [
-    'host' => '/run/redis/redis-server.sock',
-    'password' => '{password}',
-    ],
+'memcache.distributed' => '\OC\Memcache\Redis',
+'memcache.locking' => '\OC\Memcache\Redis',
+'redis' => ['host' => '/run/redis/redis-server.sock'],
 ];
 '''
    config_file.write_text(file_content)
@ -399,17 +393,5 @@ def _redis_listen_socket():
    found = any((aug.get(match_) == value for match_ in aug.match('include')))
    if not found:
        aug.set('include[last() + 1]', value)
-
-    aug.save()
-
-
-def _set_redis_password(password: str):
-    if _get_redis_password() is None:
-        aug = _load_augeas()
-        aug.set('requirepass', password)
        aug.save()
-
-
-def _get_redis_password() -> str:
-    aug = _load_augeas()
-    return aug.get('requirepass')
+        action_utils.service_restart('redis-server')