From 12374d87835dac2ec4f537e420e68638002f5f99 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Thu, 4 Apr 2024 12:14:36 -0700 Subject: [PATCH] nextcloud: Don't set password on redis server - Before we can enable this added protection, we need to address a couple of issues: - Redis password is restored after a restore. This means that if nextcloud's backup is restored on a machine where redis server already has a password set, then the password won't match with the password configured for other apps that are using redis. - When email server is already installed before this patch and then nextcloud is installed. rspamd will fail to connect to redis server. This even with the changes intended on the email server as the setup version in those changes has not been incremented. - Restart redis-server only when needed. This avoids major disruption caused due un-persisted cache and locks removed. - Don't use Redis for caching of server-local data as this APCu seems to be preferred by upstream containers. - Don't set filelocking.enabled=true as this is already the default. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- plinth/modules/nextcloud/manifest.py | 5 +--- plinth/modules/nextcloud/privileged.py | 32 ++++++-------------------- 2 files changed, 8 insertions(+), 29 deletions(-) diff --git a/plinth/modules/nextcloud/manifest.py b/plinth/modules/nextcloud/manifest.py index 7d3543ea3..31a1fce10 100644 --- a/plinth/modules/nextcloud/manifest.py +++ b/plinth/modules/nextcloud/manifest.py @@ -51,9 +51,6 @@ backup = { 'directories': [ '/var/lib/containers/storage/volumes/nextcloud-volume-freedombox/' ], - 'files': [ - '/var/lib/plinth/backups-data/nextcloud-database.sql', - '/etc/redis/redis.conf' - ] + 'files': ['/var/lib/plinth/backups-data/nextcloud-database.sql'] } } diff --git a/plinth/modules/nextcloud/privileged.py b/plinth/modules/nextcloud/privileged.py index 5fd36f8d4..6ae894a4e 100644 --- a/plinth/modules/nextcloud/privileged.py 
+++ b/plinth/modules/nextcloud/privileged.py @@ -48,8 +48,6 @@ def setup(): # Setup redis for caching _redis_listen_socket() - _set_redis_password(_generate_secret_key(16)) - action_utils.service_restart('redis-server') action_utils.podman_run( network_name=NETWORK_NAME, subnet='172.16.16.0/24', @@ -77,7 +75,7 @@ def setup(): time.sleep(1) _nextcloud_setup_wizard(database_password, administrator_password) - _create_redis_config(_get_redis_password()) + _create_redis_config() _configure_ldap() @@ -363,18 +361,14 @@ def _get_dbpassword(): capture_output=True).stdout.decode().strip() -def _create_redis_config(password): +def _create_redis_config(): """Create a php file for Redis configuration.""" config_file = _volume_path / '_data/config/freedombox.config.php' - file_content = f''' true, -'memcache.locking' => '\\\\OC\\\\Memcache\\\\Redis', -'memcache.distributed' => '\\\\OC\\\\Memcache\\\\Redis', -'redis' => [ - 'host' => '/run/redis/redis-server.sock', - 'password' => '{password}', - ], +'memcache.distributed' => '\OC\Memcache\Redis', +'memcache.locking' => '\OC\Memcache\Redis', +'redis' => ['host' => '/run/redis/redis-server.sock'], ]; ''' config_file.write_text(file_content) @@ -399,17 +393,5 @@ def _redis_listen_socket(): found = any((aug.get(match_) == value for match_ in aug.match('include'))) if not found: aug.set('include[last() + 1]', value) - - aug.save() - - -def _set_redis_password(password: str): - if _get_redis_password() is None: - aug = _load_augeas() - aug.set('requirepass', password) aug.save() - - -def _get_redis_password() -> str: - aug = _load_augeas() - return aug.get('requirepass') + action_utils.service_restart('redis-server')
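Review bot: Hosts that already ran the earlier `setup()` keep the `requirepass` value that the removed `_set_redis_password()` saved through augeas, and nothing on the new side clears it, while `_create_redis_config()` (third hunk) now writes a `redis` entry with no `'password'` key. If that earlier version was ever deployed, Nextcloud would presumably be refused on `/run/redis/redis-server.sock` after the upgrade. The same mismatch can come from a backup taken while `/etc/redis/redis.conf` was still listed in the manifest, if restore replays the archived file list, which is not visible here. Consider a one-time migration in `_redis_listen_socket()` (last hunk) that clears only the value this module wrote, for example `aug.remove('requirepass')` ahead of `aug.save()`, or state in the description that no release shipped the password. `setup()` begins and ends outside this hunk.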
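Review bot: The docstring of `_create_redis_config()` does not say that Redis is now reached without authentication. With the `'password'` entry gone from the `redis` array, Nextcloud's lock and distributed-cache entries are protected only by whatever restricts access to `/run/redis/redis-server.sock`, plus any TCP listener Redis may still have, which this page does not show. I would add a comment above the literal such as `# No Redis password: access control relies on the permissions of the unix socket.` and have the socket mode in the included Redis config checked together with this change. The opening line of the new `file_content` literal is cut off in this rendering, so the escaping of `\OC\Memcache\Redis` could not be reviewed.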