Merge master into staging-next

2 files changed, 15 insertions, 4 deletions

diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix
index f1a9c6029cb07..7c22b7d09b9bd 100644
--- a/nixos/modules/services/networking/privoxy.nix
+++ b/nixos/modules/services/networking/privoxy.nix
@@ -205,9 +205,8 @@ in
 
     users.groups.privoxy = {};
 
-    systemd.tmpfiles.rules = with cfg.settings; [
-      "d ${certificate-directory} 0770 privoxy privoxy ${cfg.certsLifetime}"
-    ];
+    systemd.tmpfiles.rules = optional cfg.inspectHttps
+      "d ${cfg.settings.certificate-directory} 0770 privoxy privoxy ${cfg.certsLifetime}";
 
     systemd.services.privoxy = {
       description = "Filtering web proxy";
diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
index 5636415f6a0d0..9a541aba6e43b 100644
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -10,7 +10,7 @@ let
     extensions = { enabled, all }:
       (with all;
         enabled
-        ++ [ imagick ] # Always enabled
+        ++ optional (!cfg.disableImagemagick) imagick
         # Optionally enabled depending on caching settings
         ++ optional cfg.caching.apcu apcu
         ++ optional cfg.caching.redis redis
@@ -303,6 +303,18 @@ in {
       };
     };
 
+    disableImagemagick = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to not load the ImageMagick module into PHP.
+        This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF).
+        You may want to disable it for increased security. In that case, previews will still be available
+        for some images (e.g. JPEG and PNG).
+        See https://github.com/nextcloud/server/issues/13099
+      '';
+    };
+
     caching = {
       apcu = mkOption {
         type = types.bool;