sysutils/nextcloud-backup: add option to disable SSL verification

Adds an optional "Verify SSL certificate" checkbox to the Nextcloud
backup settings, defaulting to enabled so existing behavior is
preserved. When unchecked, CURLOPT_SSL_VERIFYPEER and
CURLOPT_SSL_VERIFYHOST are disabled, allowing the plugin to back up
to Nextcloud instances behind self-signed or otherwise untrusted
certificates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: enoch85

sysutils/nextcloud-backup/Makefile

@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nextcloud-backup
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Track config changes using NextCloud
 
 .include "../../Mk/plugins.mk"

sysutils/nextcloud-backup/pkg-descr

@@ -6,6 +6,10 @@ strongly advise to not use a public service to send backups to.
 Plugin Changelog
 ================
 
+1.3
+
+* Add option to disable SSL certificate verification
+
 1.2
 
 * Add option to upload to one file each day instead of syncing the contents of /conf/backup

sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php

@@ -79,6 +79,14 @@ public function getConfigurationFields()
                 "help" => gettext("A password to encrypt your configuration"),
                 "value" => null
             ),
+            array(
+                "name" => "verify_ssl",
+                "type" => "checkbox",
+                "label" => gettext("Verify SSL certificate"),
+                "help" => gettext("Uncheck to allow self-signed or otherwise untrusted certificates. " .
+                    "Only disable this if you trust the network path to the Nextcloud server."),
+                "value" => null
+            ),
             array(
                 "name" => "backupdir",
                 "type" => "text",
@@ -691,6 +699,9 @@ public function curl_request_nothrow(
         $postdata = null,
         $headers = array("User-Agent: OPNsense Firewall")
     ) {
+        // verify_ssl defaults to '1' via the model definition (NextcloudSettings.xml),
+        // so unset/upgraded configs verify by default; only an explicit '0' disables it
+        $verify_ssl = (string)(new NextcloudSettings())->verify_ssl !== '0';
         $curl = curl_init();
         curl_setopt_array($curl, array(
             CURLOPT_URL => $url,
@@ -701,6 +712,8 @@ public function curl_request_nothrow(
             CURLOPT_TIMEOUT => 60,          // maximum time: 1 min
             CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
             CURLOPT_USERPWD => $username . ":" . $password,
+            CURLOPT_SSL_VERIFYPEER => $verify_ssl,
+            CURLOPT_SSL_VERIFYHOST => $verify_ssl ? 2 : 0,
             CURLOPT_HTTPHEADER => $headers
         ));
         if ($postdata != null) {

sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml

@@ -1,6 +1,6 @@
 <model>
     <mount>//system/backup/nextcloud</mount>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <description>OPNsense Nextcloud Backup Settings</description>
     <items>
         <enabled type="BooleanField">
@@ -43,6 +43,9 @@
             </Constraints>
         </password>
         <password_encryption type="UpdateOnlyTextField"/>
+        <verify_ssl type="BooleanField">
+            <Default>1</Default>
+        </verify_ssl>
         <backupdir type="TextField">
             <Required>Y</Required>
             <Mask>/^([\w%+\-]+\/)*[\w+%\-]+$/</Mask>