Nextcloud fails code integrity check

[scintill]

Describe the bug

Nextcloud instance fails Nextcloud's internal code integrity check. This produces a warning in Nextcloud's admin area.

Steps To Reproduce

Steps to reproduce the behavior:

1. Enable nextcloud 24. E.g. services.nextcloud = { enable = true; package = pkgs.nextcloud24; }
2. Browse to the URL /settings/admin/overview on your nextcloud server.
3. You should see the red warning Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the documentation.

Screenshot

Expected behavior

The warning should not appear; the integrity check should pass.

Additional context

I believe this is caused by the patch in #190646.

Notify maintainers

@schneefux @bachp @globin @Ma27

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.68, NixOS, 22.05 (Quokka), 22.05.3167.e64df9c5c8f`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.1`
 - channels(scintill): `""`
 - channels(root): `"nixos-22.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

[Ma27]

I think the patch is valid in our case, though (as described in the patch message).

The question is if there's something we can/should do about this warning or just leave it because it's a valid distro-level patch.

cc @aanderse @yayayayaka @lheckemann @nlewo for opinions.

[yayayayaka]

It is a valid distro-level patch in my opinion. I think the best way to approach this is to get our patch merged upstream.

[scintill]

I agree, working with upstream would be best.

I found an undocument config.php option, 'integrity.check.disabled' => true that got rid of the warning (you may have to re-run the scan, which is an option provided in the warning.) I recommend against disabling it this way in the official NixOS packaging, but maybe this is useful for individual users.

[BurNiinTRee]

The Nextcloud docs suggest that custom distributions set the release version branch to something other than "stable" (maybe "stable-nix" or something in our case). IIUC this still just disables the checks as well.

[dotlambda]

Why don't we modify $out/core/signature.json?
EDIT: Never mind, it's signed. Here's an implementation of such a modification though, for posterity: https://github.com/dotlambda/nixpkgs/tree/nextcloud-signature

[icewind1991]

Starting with nc26 you can disable the behavior that is currently patched out by setting NC_setup_create_db_user=false during the setup. So we should be able to have the check pass with nc26.

See nextcloud/server#36428

[Luflosi]

This should be fixed for Nextcloud 26: #222372.