nixos/onlyoffice: allow specifying a nonce (#461561)

This commit is contained in:
Arnout Engelen
2025-11-14 16:22:41 +00:00
committed by GitHub


@@ -7,6 +7,10 @@
let let
cfg = config.services.onlyoffice; cfg = config.services.onlyoffice;
defaultNginxNonceFileContent = "set $secure_link_secret \"mynonce\";";
defaultNginxNonceFile = pkgs.writeText "onlyoffice-nonce-nginx.conf" ''
${defaultNginxNonceFileContent}
'';
in in
{ {
options.services.onlyoffice = { options.services.onlyoffice = {
@@ -20,6 +24,22 @@ in
description = "FQDN for the OnlyOffice instance."; description = "FQDN for the OnlyOffice instance.";
}; };
securityNonceFile = lib.mkOption {
type = lib.types.str;
default = "${defaultNginxNonceFile}";
defaultText = lib.literalExpression ''
(pkgs.writeText "onlyoffice-nonce-nginx.conf" \'\'
${defaultNginxNonceFileContent}
\'\').outPath;
'';
description = ''
Path to a file that contains a secret to sign web requests.
This file should set a 'secure_link_secret' nginx variable,
and ideally be managed by a
[secret managing scheme](https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes).
'';
};
jwtSecretFile = lib.mkOption { jwtSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
@@ -83,6 +103,12 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
warnings = [
(lib.optionalString (cfg.securityNonceFile == "${defaultNginxNonceFile}") ''
Please set `options.services.onlyoffice.securityNonceFile`
to avoid an (albeit unlikely) information disclosure issue.
'')
];
services = { services = {
nginx = { nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
@@ -147,7 +173,7 @@ in
alias /var/lib/onlyoffice/documentserver/App_Data$1; alias /var/lib/onlyoffice/documentserver/App_Data$1;
more_set_headers "Content-Disposition: attachment; filename*=UTF-8''$arg_filename"; more_set_headers "Content-Disposition: attachment; filename*=UTF-8''$arg_filename";
set $secure_link_secret verysecretstring; include ${cfg.securityNonceFile};
secure_link $arg_md5,$arg_expires; secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri$secure_link_secret"; secure_link_md5 "$secure_link_expires$uri$secure_link_secret";
@@ -279,7 +305,9 @@ in
# for a mapping of environment variables from the docker container to json options see # for a mapping of environment variables from the docker container to json options see
# https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/run-document-server.sh # https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/run-document-server.sh
FS_SECRET_STRING=$(cut -d '"' -f 2 < ${cfg.securityNonceFile})
jq ' jq '
.storage.fs.secretString = "'$FS_SECRET_STRING'" |
.services.CoAuthoring.server.port = ${toString cfg.port} | .services.CoAuthoring.server.port = ${toString cfg.port} |
.services.CoAuthoring.sql.dbHost = "${cfg.postgresHost}" | .services.CoAuthoring.sql.dbHost = "${cfg.postgresHost}" |
.services.CoAuthoring.sql.dbName = "${cfg.postgresName}" | .services.CoAuthoring.sql.dbName = "${cfg.postgresName}" |