chore: publish 5.0.3+27.0.1-fpm release

it seems like php-fpm applys configs in aphabetical order, so that our
fpm-tune was overwritten by the www.conf with default values.

so let's go on highspeed now! :)

.drone.yml

@@ -31,3 +31,19 @@ steps:
 trigger:
   branch:
     - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - coop-cloud/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,4 +1,6 @@
 TYPE=nextcloud
+TIMEOUT=500
+ENABLE_AUTO_UPDATE=true
 
 DOMAIN=nextcloud.example.com
 ## Domain aliases
@@ -9,6 +11,8 @@ COMPOSE_FILE="compose.yml"
 COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 
+#MAX_DB_CONNECTIONS=500
+
 ADMIN_USER=admin
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
@@ -17,11 +21,12 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
 
+PHP_MEMORY_LIMIT=1G
 # fpm-tune, see: https://spot13.com/pmcalculator/
-FPM_MAX_CHILDREN=131
+FPM_MAX_CHILDREN=16
-FPM_START_SERVERS=32
+FPM_START_SERVERS=4
-FPM_MIN_SPARE_SERVERS=32
+FPM_MIN_SPARE_SERVERS=4
-FPM_MAX_SPARE_SERVERS=98
+FPM_MAX_SPARE_SERVERS=12
 
 DEFAULT_QUOTA="10 GB"
 
@@ -55,5 +60,5 @@ DEFAULT_QUOTA="10 GB"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # AUTHENTIK_USER_PREFIX=authentik
 # AUTHENTIK_DOMAIN=authentik.example.com
-# AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
+# SECRET_AUTHENTIK_SECRET_VERSION=v1
-# AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
+# SECRET_AUTHENTIK_ID_VERSION=v1

README.md

@@ -120,7 +120,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the
 ```
   'oidc_login_client_id' => 'nextcloud',
   'oidc_login_client_secret' => 'mysecret',
-  'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm',
+  'oidc_login_provider_url' => 'https://example.com/realms/myrealm',
   'oidc_login_disable_registration' => false,
   'oidc_login_hide_password_form' => true,
   'oidc_login_button_text' => 'Log in with your myssodomain',

abra.sh

@@ -2,62 +2,78 @@
 
 export FPM_TUNE_VERSION=v5
 export NGINX_CONF_VERSION=v4
-export MY_CNF_VERSION=v4
+export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
 
-run_occ(){
+run_occ() {
     su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
 }
 
-post_install_occ(){
+post_install_occ() {
-    IFS='|' read -ra CMD <<< "$OCC_CMDS"
+    IFS='|' read -ra CMD <<<"$OCC_CMDS"
     for cmd in "${CMD[@]}"; do
-      run_occ "$cmd"
+        run_occ "$cmd"
     done
 }
 
-install_apps(){
+install_apps() {
     install_apps="$@"
-    if [ -z "$install_apps" ]
+    if [ -z "$install_apps" ]; then
-    then
         install_apps=$APPS
     fi
-    for app in $install_apps
+    for app in $install_apps; do
-    do
         run_occ "app:install $app"
     done
 }
 
-set_app_config(){
+set_app_config() {
     APP=$1
     KEY=$2
     VALUE=$3
     run_occ "config:app:set $APP $KEY --value '$VALUE'"
 }
 
-install_bbb(){
+set_system_config() {
+    KEY=$1
+    VALUE=$2
+    run_occ "config:system:set $KEY --value '$VALUE'"
+}
+
+set_trusted_proxies() {
+    trusted_proxies="$@"
+    if [ -z "$1" ]; then
+        trusted_proxies="$TRUSTED_PROXIES"
+    fi
+    set_system_config trusted_proxies "$trusted_proxies"
+}
+
+set_logfile_stdout() {
+    set_system_config logfile '/dev/stdout'
+}
+
+install_bbb() {
     install_apps bbb
     set_app_config bbb app.navigation true
     set_app_config bbb api.url "$BBB_URL"
     set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)"
 }
 
-install_onlyoffice(){
+install_onlyoffice() {
     install_apps onlyoffice
     set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL"
     set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)"
     set_app_config onlyoffice customizationForcesave true
 }
 
-set_default_quota(){
+set_default_quota() {
-    set_app_config files default_quota '"$DEFAULT_QUOTA"'
+    set_app_config files default_quota "$DEFAULT_QUOTA"
 }
 
-set_authentik(){
+set_authentik() {
-install_apps sociallogin
+    install_apps sociallogin
-AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
-AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
-set_app_config sociallogin custom_providers "
+    set_app_config sociallogin custom_providers "
 {
     \"custom_oidc\":[
     {
@@ -75,16 +91,17 @@ set_app_config sociallogin custom_providers "
         \"style\":\"openid\",
         \"defaultGroup\":\"\",
         \"groupMapping\": {
-          \"admin\": \"admin\"
+          \"admin\": \"admin\",
+          \"authentik Admins\": \"admin\"
         }
     }
 ]
 }"
 
-set_app_config sociallogin update_profile_on_login 1
+    set_app_config sociallogin update_profile_on_login 1
-set_app_config sociallogin auto_create_groups 1
+    set_app_config sociallogin auto_create_groups 1
-set_app_config sociallogin hide_default_login 1
+    set_app_config sociallogin hide_default_login 1
-run_occ 'config:system:set social_login_auto_redirect --value true'
+    run_occ 'config:system:set social_login_auto_redirect --value true'
-run_occ 'config:system:set allow_user_to_change_display_name --value=false'
+    run_occ 'config:system:set allow_user_to_change_display_name --value=false'
-run_occ 'config:system:set lost_password_link --value=disabled'
+    run_occ 'config:system:set lost_password_link --value=disabled'
 }

compose.authentik.yml

@@ -8,7 +8,7 @@ services:
 secrets:
   authentik_secret:
     external: true
-    name: ${AUTHENTIK_SECRET_NAME}
+    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
   authentik_id:
     external: true
-    name: ${AUTHENTIK_ID_NAME}
+    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}

compose.mariadb.yml

@@ -15,6 +15,7 @@ services:
       - MYSQL_USER=nextcloud
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
     configs:
       - source: my_tune
         target: /etc/mysql/conf.d/my-tune.cnf
@@ -28,9 +29,9 @@ services:
     deploy:
       labels:
           backupbot.backup: "true"
-          backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql'
+          backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
-          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+          backupbot.backup.post-hook: "rm -rf /var/lib/mysql/backup.sql"
-          backupbot.backup.path: "/tmp/backup/"
+          backupbot.backup.path: "/var/lib/mysql/backup.sql"
     healthcheck:
       test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
       interval: 30s
@@ -41,6 +42,7 @@ configs:
   my_tune:
     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
     file: my-tune.cnf
+    template_driver: golang
 
 volumes:
   mariadb:

compose.postgres.yml

@@ -11,27 +11,28 @@ services:
 
   db:
     image: "postgres:12"
+    command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
     volumes:
       - "postgres:/var/lib/postgresql/data"
     networks:
       - internal
     environment:
-      POSTGRES_USER: nextcloud 
+      POSTGRES_USER: nextcloud
       POSTGRES_PASSWORD_FILE: /run/secrets/db_password
-      POSTGRES_DB: nextcloud 
+      POSTGRES_DB: nextcloud
     secrets:
       - db_password
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready"]
+      test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"]
       interval: 10s
       timeout: 5s
       retries: 5
     deploy:
       labels:
             backupbot.backup: "true"
-            backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+            backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-            backupbot.backup.post-hook: "rm -rf /tmp/backup"
+            backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-            backupbot.backup.path: "/tmp/backup/"
+            backupbot.backup.path: "/var/lib/postgresql/data/"
 
 volumes:
   postgres:

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.23.3
+    image: nginx:1.25.1
     configs:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
@@ -33,6 +33,9 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "caddy=${DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 80}}"
+        - "caddy.tls.on_demand="
     healthcheck:
       test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
       interval: 30s
@@ -41,12 +44,12 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:25.0.4-fpm
+    image: nextcloud:27.0.1-fpm
     depends_on:
       - db
     configs:
       - source: fpm_tune
-        target: /usr/local/etc/php-fpm.d/fpm-tune.conf
+        target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf
       - source: entrypoint
         target: /custom-entrypoint.sh
         mode: 555
@@ -64,14 +67,14 @@ services:
       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
       - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password
       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
-      - TRUSTED_PROXIES=traefik
+      - TRUSTED_PROXIES=10.0.0.0/8
       - REDIS_HOST=cache
       - OVERWRITEPROTOCOL=https
-      - PHP_MEMORY_LIMIT=1G
+      - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
-      - FPM_MAX_CHILDREN=131
+      - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
-      - FPM_START_SERVERS=32
+      - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
-      - FPM_MIN_SPARE_SERVERS=32
+      - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
-      - FPM_MAX_SPARE_SERVERS=98
+      - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98}
       - DEFAULT_QUOTA
     volumes:
       - nextcloud:/var/www/html/
@@ -86,7 +89,8 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=3.1.2+25.0.4-fpm"
+        - "coop-cloud.${STACK_NAME}.version=5.0.3+27.0.1-fpm"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
     healthcheck:
@@ -97,7 +101,7 @@ services:
       start_period: 5m
 
   cron:
-    image: nextcloud:25.0.4-fpm
+    image: nextcloud:27.0.1-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -109,7 +113,7 @@ services:
     entrypoint: /cron.sh
 
   cache:
-    image: redis:7.0.9-alpine
+    image: redis:7.0.12-alpine
     networks:
       - internal
     volumes:

my-tune.cnf

@@ -13,7 +13,7 @@ key_buffer_size                = 16M
 innodb_log_file_size           = 256M
 long_query_time                = 1
 max_allowed_packet             = 256M
-max_connections                = 100
+max_connections                = {{ env "MAX_DB_CONNECTIONS" }}
 max_heap_table_size            = 64M
 max_user_connections           = 0
 myisam_recover_options         = BACKUP

release/3.2.0+25.0.4-fpm

@@ -0,0 +1,11 @@
+If the authentik configuration should be handled by abra add the following to the env:
+
+    COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+    AUTHENTIK_USER_PREFIX=authentik
+    AUTHENTIK_DOMAIN=authentik.example.com
+    AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
+    AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
+
+And run:
+
+    abra app cmd <app-name> app set_authentik

release/next

@@ -0,0 +1 @@
+The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more.