chore: publish 6.0.1+28.0.2-fpm release

Reviewed-on: coop-cloud/nextcloud#36
Co-authored-by: p4u1 <p4u1_f4u1@riseup.net>
Co-committed-by: p4u1 <p4u1_f4u1@riseup.net>

.drone.yml

@@ -31,3 +31,19 @@ steps:
 trigger:
   branch:
     - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,5 +1,5 @@
 TYPE=nextcloud
-TIMEOUT=500
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 
 DOMAIN=nextcloud.example.com
@@ -48,6 +48,8 @@ DEFAULT_QUOTA="10 GB"
 # ONLYOFFICE_URL=https://onlyoffice.example.com
 # SECRET_ONLYOFFICE_JWT_VERSION=v1
 #
+# COLLABORA_URL=https://collabora.example.com
+#
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
 #
@@ -60,3 +62,6 @@ DEFAULT_QUOTA="10 GB"
 # AUTHENTIK_DOMAIN=authentik.example.com
 # SECRET_AUTHENTIK_SECRET_VERSION=v1
 # SECRET_AUTHENTIK_ID_VERSION=v1
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
+#SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1

README.md

@@ -244,3 +244,41 @@ docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-ge
 ```
 
 This app will improve performance of image browsing at the cost of storage space.
+
+## Fulltextsearch using elasticsearch
+
+1. Uncomment the following lines in your env file:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
+#SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
+```
+
+2. Generate the secret for elasticsearch:
+```bash
+abra app secret generate <domain> elasticsearch_password v1
+```
+
+3. Deploy your app:
+```bash
+abra app deploy <domain>
+```
+
+4. Install the apps and configure them:
+```
+abra app cmd <domain> app install_fulltextsearch
+```
+
+5. You might need to configure the files_fulltextsearch app. run this command to check its settings:
+```
+abra app cmd <domain> app run_occ '"config:list files_fulltextsearch"
+```
+
+6. You can check if the nextcloud can connect to elasticsearch:
+```
+abra app cmd <domain> app run_occ '"fulltextsearch:test"'
+```
+
+And you can populate the index manually and check if any errors occur:
+```
+abra app cmd <domain> app run_occ '"fulltextsearch:index"'
+```

abra.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v4
+export NGINX_CONF_VERSION=v5
 export MY_CNF_VERSION=v4
 export ENTRYPOINT_VERSION=v3
 
@@ -65,6 +65,21 @@ install_onlyoffice() {
     set_app_config onlyoffice customizationForcesave true
 }
 
+install_collabora() {
+    install_apps richdocuments
+    set_app_config richdocuments wopi_url "$COLLABORA_URL"
+}
+
+install_fulltextsearch() {
+    install_apps fulltextsearch
+    install_apps fulltextsearch_elasticsearch
+    install_apps files_fulltextsearch
+    set_app_config fulltextsearch search_platform "OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"
+    set_app_config fulltextsearch_elasticsearch elastic_host "http://elastic:$(cat /run/secrets/elasticsearch_password)@elasticsearch:9200/"
+    set_app_config fulltextsearch_elasticsearch elastic_index "nextcloud"
+    set_app_config files_fulltextsearch files_local "1"
+}
+
 set_default_quota() {
     set_app_config files default_quota "$DEFAULT_QUOTA"
 }

compose.fulltextsearch.yaml

@@ -0,0 +1,55 @@
+version: "3.8"
+
+services:
+  elasticsearch:
+    image: "docker.elastic.co/elasticsearch/elasticsearch:8.11.3"
+    environment:
+      - cluster.name=docker-cluster
+      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - discovery.type=single-node
+      # Disable authentication and ssl completely
+      # - xpack.security.enabled=false
+      # Use this to enable Basic Authentication:
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=false
+      - ELASTIC_PASSWORD_FILE=/var/run/secrets/elasticsearch_password
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - elasticsearch:/usr/share/elasticsearch/data
+    networks:
+      - internal
+    secrets:
+      - source: elasticsearch_password
+        uid: "1000"
+        gid: "1000"
+        mode: 0600
+
+  searchindexer:
+    image: nextcloud:27.1.3-fpm
+    volumes:
+      - nextcloud:/var/www/html/
+      - nextapps:/var/www/html/custom_apps:cached
+      - nextdata:/var/www/html/data:cached
+      - nextconfig:/var/www/html/config:cached
+      - ${EXTRA_VOLUME}
+    networks:
+      - internal
+    entrypoint: su -p www-data -s /bin/sh -c '/var/www/html/occ fulltextsearch:live'
+
+  # Add the secret to the app service so it is avaiable in the
+  # install_fulltextsearch command
+  app:
+    secrets:
+      - elasticsearch_password
+
+secrets:
+  elasticsearch_password:
+    external: true
+    name: ${STACK_NAME}_elasticsearch_password_${SECRET_ELASTICSEARCH_PASSWORD_VERSION}
+
+volumes:
+  elasticsearch:

compose.mariadb.yml

@@ -42,5 +42,10 @@ configs:
     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
     file: my-tune.cnf
 
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+
 volumes:
   mariadb:

compose.yml

@@ -1,7 +1,9 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.25.1
+    image: nginx:1.25.3
+    depends_on:
+      - app
     configs:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
@@ -33,6 +35,9 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "caddy=${DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 80}}"
+        - "caddy.tls.on_demand="
     healthcheck:
       test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
       interval: 30s
@@ -41,7 +46,7 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:27.0.1-fpm
+    image: nextcloud:28.0.2-fpm
     depends_on:
       - db
     configs:
@@ -86,7 +91,7 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=5.0.1+27.0.1-fpm"
+        - "coop-cloud.${STACK_NAME}.version=6.0.1+28.0.2-fpm"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
@@ -95,10 +100,10 @@ services:
       interval: 30s
       timeout: 10s
       retries: 10
-      start_period: 5m
+      start_period: 15m
 
   cron:
-    image: nextcloud:27.0.1-fpm
+    image: nextcloud:28.0.2-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -110,7 +115,7 @@ services:
     entrypoint: /cron.sh
 
   cache:
-    image: redis:7.0.12-alpine
+    image: redis:7.2.4-alpine
     networks:
       - internal
     volumes:
@@ -122,9 +127,6 @@ services:
       retries: 20
 
 secrets:
-  db_root_password:
-    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}

nginx.conf.tmpl

@@ -59,12 +59,12 @@ http {
         #pagespeed off;
 
         # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Referrer-Policy                      "no-referrer"   always;
+        add_header Referrer-Policy                      "no-referrer"       always;
-        add_header X-Content-Type-Options               "nosniff"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
-        add_header X-Download-Options                   "noopen"        always;
+        add_header X-Download-Options                   "noopen"            always;
-        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
-        add_header X-Robots-Tag                         "none"          always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
-        add_header X-XSS-Protection                     "1; mode=block" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
 
         {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
         add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";