Implement NC Talk High Performance Backend

Reviewed-on: coop-cloud/nextcloud#55

.drone.yml

@@ -22,6 +22,8 @@ steps:
       NGINX_CONF_VERSION: v1
       MY_CNF_VERSION: v1
       ENTRYPOINT_VERSION: v1
+      CRONTAB_VERSION: v1
+      PG_BACKUP_VERSION: v2
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_ADMIN_PASSWORD_VERSION: v1
@@ -43,7 +45,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,6 +1,7 @@
 TYPE=nextcloud
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
+ENABLE_BACKUPS=true
 
 DOMAIN=nextcloud.example.com
 ## Domain aliases
@@ -14,6 +15,7 @@ COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #MAX_DB_CONNECTIONS=500
 
 ADMIN_USER=admin
+TZ=Etc/UTC
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
@@ -22,6 +24,7 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
 
 PHP_MEMORY_LIMIT=1G
+PHP_UPLOAD_LIMIT=512M
 # fpm-tune, see: https://spot13.com/pmcalculator/
 FPM_MAX_CHILDREN=16
 FPM_START_SERVERS=4
@@ -44,9 +47,22 @@ DEFAULT_QUOTA="10 GB"
 # MAIL_DOMAIN=
 # SECRET_SMTP_PASSWORD_VERSION=v1
 
+## Customization
+# THEMING_COLOR=
+# THEMING_SLOGAN=
+# COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/"
+# COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/"
+# COPY_ASSETS="$COPY_ASSETS icon.png|app:/var/www/html/themes/"
+
 # APPS="calendar"
 
 # COLLABORA_URL=https://collabora.example.com
+## IMPORTANT FOR SECURITY REASONS WHEN RUNNING COLLABORA
+## list of IP addresses that are allowed to make WOPI requests. Use the default
+## when running the collabora server on the same machine as nextcloud.
+## Otherwise set this to the IP address range of your collabora server(s) i.e. 1.2.3.4/32
+## https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
+# COLLABORA_ALLOWLIST="172.16.0.0/12"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml"
 # ONLYOFFICE_URL=https://onlyoffice.example.com
@@ -57,15 +73,29 @@ DEFAULT_QUOTA="10 GB"
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
+# APPS="$APPS whiteboard"
+# SECRET_WHITEBOARD_JWT_VERSION=v1
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # APPS="$APPS sociallogin"
 # AUTHENTIK_USER_PREFIX=authentik
 # AUTHENTIK_DOMAIN=authentik.example.com
 # SECRET_AUTHENTIK_SECRET_VERSION=v1
 # SECRET_AUTHENTIK_ID_VERSION=v1
-# OCC_CMDS="app:disable dashboard"
-# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1"
-# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1"
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
+#TALK_DOMAIN=talk.example.com
+#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+
+
+# HSTS Options
+# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
+#HSTS_ENABLED=1
+# Uncomment this line to add the `preload` part
+#HSTS_PRELOAD=1

README.md

@@ -26,6 +26,7 @@ Fully automated luxury Nextcloud via docker-swarm.
 ### Onlyoffice Integration
 
 `abra app config <app-name>` 
+
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -33,12 +34,13 @@ ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 
-`abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
-`abra app cmd <app-name> app install_onlyoffice`
+* `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
+* `abra app cmd <app-name> app install_onlyoffice`
 
 ### BBB Integration
 
 `abra app config <app-name>` 
+
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -46,8 +48,44 @@ BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 SECRET_BBB_SECRET_VERSION=v1
 ```
 
-`abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
-`abra app cmd <app-name> app install_bbb`
+* `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
+* `abra app cmd <app-name> app install_bbb`
+
+### Nextcloud Talk High performance Backend
+
+Note: at the moment you are limited to run one Nextcloud high performance backend per docker host with this setup.
+
+`abra app config <app-name>` 
+
+Configure the following envs:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
+#TALK_DOMAIN=talk.example.com
+#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+```
+
+* `abra app secret insert <app-name> talk_internal_secret v1 <talk_internal_secret>`
+* `abra app secret insert <app-name> talk_turn_secret v1 <talk_turn_secret>`
+* `abra app secret insert <app-name> talk_signaling_secret v1 <talk_signaling_secret>`
+* `abra app cmd <app-name> app install_talk`
+
+Don't forget to enable the additional env's in your hosts traefik instance:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
+NEXTCLOUD_TALK_HPB_ENABLED=1
+```
+
+Due to a bug in compose that deletes duplacted ports without checking for the protocol, traefik need to get the additional udp binding added after the deployment via ssh (this might take longer than expected!):
+```
+docker service update  --publish-add published=3478,target=3478,protocol=udp traefik_XXX_XXX_app
+```
+
+To check if tcp and udp was binded, you can use:
+```
+docker service inspect traefik_XXX_XXX_app | grep 3478 -a2
+```
 
 ### Authentik Integration
 
@@ -64,21 +102,18 @@ AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authen
 
 `abra app cmd <app-name> app set_authentik`
 
-### Disable Dashboard
-
-Disable dashboard app since it is so corporate:
-
-`abra app config <app-name>` 
-Configure the following envs:
-```
-OCC_CMDS="app:disable dashboard"
-```
-`abra app cmd <app-name> app post_install_occ`
-
 ## Running `occ`
 
 `abra app cmd <app-name> app run_occ '"user:list --help"'`
 
+Read more about [occ command here](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
+
+### Disable Dashboard
+
+To disable dashboard app (since it is so corporate):
+
+`abra app cmd <app-name> app run_occ '"app:disable dashboard"'`
+
 ## Default user files
 
 - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
@@ -87,7 +122,12 @@ OCC_CMDS="app:disable dashboard"
 
 - Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
 
-## Upgrading Nextcloud apps
+## Upgrading Nextcloud
+Upgrading Nextcloud can be a hair raising experiance. They [don't support downgrading](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html) even for minor versions.
+
+Many of us  have found that jumping major versions when upgrading is also a bad idea. We have however found that it's ok to skip minor version upgrades and go to the last minor version before a major version (e.g. 24.0.0 to 24.9.9 before going to 25.0.0). To extra cautious just upgrade one release at a time. Read the release notes and check your logs.
+
+## Upgrading Nextcloud apps (plug-ins)
 
 `abra app cmd <app-name> app run_occ '"app:update --all"'`
 
@@ -281,3 +321,11 @@ And you can populate the index manually and check if any errors occur:
 ```
 abra app cmd <domain> app run_occ '"fulltextsearch:index"'
 ```
+
+### Troubleshooting fulltextsearch
+
+The fulltextsearch plugin might be stuck with this error: "Index is already running". In that case the following command can get things runing again:
+
+```
+abra app run <domain> db /bin/sh -- -c 'echo "delete from oc_fulltextsearch_ticks;" | mariadb -u root -p$(cat /run/secrets/db_root_password) nextcloud'
+```

abra.sh

@@ -1,22 +1,18 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v7
-export MY_CNF_VERSION=v5
+export NGINX_CONF_VERSION=v8
+export MY_CNF_VERSION=v6
 export ENTRYPOINT_VERSION=v3
+export ENTRYPOINT_WHITEBOARD_VERSION=v1
+export ENTRYPOINT_TALK_VERSION=v1
 export CRONTAB_VERSION=v1
+export PG_BACKUP_VERSION=v2
 
 run_occ() {
     su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
 }
 
-post_install_occ() {
-    IFS='|' read -ra CMD <<<"$OCC_CMDS"
-    for cmd in "${CMD[@]}"; do
-        run_occ "$cmd"
-    done
-}
-
 install_apps() {
     install_apps="$@"
     if [ -z "$install_apps" ]; then
@@ -52,6 +48,27 @@ set_logfile_stdout() {
     set_system_config logfile '/dev/stdout'
 }
 
+customize() {
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... customize <assets_path>"
+            exit 1
+    fi
+    asset_dir=$1
+    for asset in $COPY_ASSETS; do
+        source=$(echo $asset | cut -d "|" -f1)
+        target=$(echo $asset | cut -d "|" -f2)
+        echo copy $source to $target
+        abra app cp $APP_NAME $asset_dir/$source $target
+    done
+
+    abra app cmd -T $APP_NAME app set_app_config theming color \"$THEMING_COLOR\"
+    abra app cmd -T $APP_NAME app set_app_config theming slogan \"$THEMING_SLOGAN\"
+    abra app cmd -T $APP_NAME app run_occ '"theming:config background \"/var/www/html/themes/flow_background.jpg\""'
+    abra app cmd -T $APP_NAME app run_occ '"theming:config logo \"/var/www/html/themes/icon_left_brand.svg\""'
+    abra app cmd -T $APP_NAME app run_occ '"theming:config logoheader \"/var/www/html/themes/icon.png\""'
+}
+
 install_bbb() {
     install_apps bbb
     set_app_config bbb app.navigation true
@@ -69,6 +86,25 @@ install_onlyoffice() {
 install_collabora() {
     install_apps richdocuments
     set_app_config richdocuments wopi_url "$COLLABORA_URL"
+    # important for security reaosns
+    # https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
+    set_app_config richdocuments wopi_allowlist "$COLLABORA_ALLOWLIST"
+}
+
+install_whiteboard() {
+    install_apps whiteboard
+    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
+    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
+}
+
+
+install_talk() {
+    install_apps spreed
+    run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'"
+    run_occ "talk:stun:add '${TALK_DOMAIN}:3478'"
+    run_occ "talk:stun:add '${TALK_DOMAIN}:443'"
+    run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp"
+
 }
 
 install_fulltextsearch() {
@@ -89,6 +125,7 @@ set_authentik() {
     install_apps sociallogin
     AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
     AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+    set_system_config logo_url https://$AUTHENTIK_DOMAIN
     set_app_config sociallogin custom_providers "
 {
     \"custom_oidc\":[
@@ -99,7 +136,7 @@ set_authentik() {
         \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"displayNameClaim\":\"preferred_username\",
         \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
-        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\",
+        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/nextcloud/end-session/\",
         \"clientId\":\"$AUTHENTIK_ID\",
         \"clientSecret\":\"$AUTHENTIK_SECRET\",
         \"scope\":\"openid profile email nextcloud\",
@@ -121,3 +158,21 @@ set_authentik() {
     run_occ 'config:system:set allow_user_to_change_display_name --value=false'
     run_occ 'config:system:set lost_password_link --value=disabled'
 }
+
+disable_skeletondirectory() {
+    run_occ "config:system:set skeletondirectory --value ''"
+}
+
+set_windowsfriendly_filenames() {
+    run_occ 'config:system:set forbidden_filename_characters 0 --value=?'
+    run_occ 'config:system:set forbidden_filename_characters 1 --value=\<'
+    run_occ 'config:system:set forbidden_filename_characters 2 --value=\>'
+    run_occ 'config:system:set forbidden_filename_characters 3 --value=:'
+    run_occ 'config:system:set forbidden_filename_characters 4 --value=*'
+    run_occ 'config:system:set forbidden_filename_characters 5 --value=\|'
+    run_occ 'config:system:set forbidden_filename_characters 6 --value=\"'
+}
+
+upgrade_mariadb() {
+    mariadb-upgrade -p`cat /run/secrets/db_root_password`
+}

alaconnect.yml

@@ -5,7 +5,7 @@ authentik:
         - AUTHENTIK_DOMAIN
         - SECRET_AUTHENTIK_SECRET_VERSION
         - SECRET_AUTHENTIK_ID_VERSION
-    execute:
+    initial-hooks:
         - app set_authentik
     shared_secrets:
         nextcloud_secret: authentik_secret
@@ -15,10 +15,10 @@ onlyoffice:
         - compose.onlyoffice.yml
         - ONLYOFFICE_URL
         - SECRET_ONLYOFFICE_JWT_VERSION
-    execute:
+    initial-hooks:
         - app install_onlyoffice
 collabora:
     uncomment:
         - COLLABORA_URL
-    execute:
+    initial-hooks:
         - app install_collabora

compose.fulltextsearch.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   elasticsearch:
-    image: "docker.elastic.co/elasticsearch/elasticsearch:8.11.4"
+    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
     environment:
       - cluster.name=docker-cluster
       - bootstrap.memory_lock=true
@@ -29,7 +29,7 @@ services:
         mode: 0600
 
   searchindexer:
-    image: nextcloud:29.0.1-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

compose.mariadb.yml

@@ -9,13 +9,14 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
 
   db:
-    image: "mariadb:10.5"
+    image: "mariadb:11.4"
     environment:
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
       - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
+      - INNODB_BUFFER_POOL_SIZE=${INNODB_BUFFER_POOL_SIZE:-1G}"
     configs:
       - source: my_tune
         target: /etc/mysql/conf.d/my-tune.cnf
@@ -28,12 +29,11 @@ services:
       - internal
     deploy:
       labels:
-          backupbot.backup: "true"
-          backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
-          backupbot.backup.post-hook: "rm -rf /var/lib/mysql/backup.sql"
-          backupbot.backup.path: "/var/lib/mysql/backup.sql"
+        backupbot.backup.pre-hook: 'mariadb-dump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
+        backupbot.backup.volumes.mariadb.path: "backup.sql"
+        backupbot.restore.post-hook: 'mariadb -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud < /var/lib/mysql/backup.sql'
     healthcheck:
-      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
+      test: ["CMD-SHELL", 'mariadb-admin -p"$$(cat /run/secrets/db_root_password)"  ping']
       interval: 30s
       timeout: 10s
       retries: 10

compose.postgres.yml

@@ -10,7 +10,7 @@ services:
       - NEXTCLOUD_UPDATE=1
 
   db:
-    image: "postgres:12"
+    image: "postgres:13"
     command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
     volumes:
       - "postgres:/var/lib/postgresql/data"
@@ -29,10 +29,18 @@ services:
       retries: 5
     deploy:
       labels:
-            backupbot.backup: "true"
-            backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
-            backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
-            backupbot.backup.path: "/var/lib/postgresql/data/"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.postgres.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 volumes:
   postgres:
+
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.talk.yml

@@ -0,0 +1,70 @@
+version: "3.8"
+
+services:
+  talk:
+    image: "nextcloud/aio-talk:20251128_084214"
+    environment:
+      - NC_DOMAIN=${DOMAIN}
+      - TALK_HOST=${TALK_DOMAIN}
+      - TZ
+      - TALK_PORT=3478
+      - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret 
+      - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
+      - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
+        - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
+        - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
+        - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.rule=HostSNI(`*`)
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.entrypoints=nextcloud-talk-hpb
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.service=${STACK_NAME}_nextcloud-talk-hpb-svc
+        - traefik.tcp.services.${STACK_NAME}_nextcloud-talk-hpb-svc.loadbalancer.server.port=3478
+        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.entrypoints=nextcloud-talk-hpb-udp
+        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.service=${STACK_NAME}_nextcloud-talk-hpb-udp-svc
+        - traefik.udp.services.${STACK_NAME}_nextcloud-talk-hpb-udp-svc.loadbalancer.server.port=3478
+    networks:
+      - proxy
+    configs:
+      - source: entrypoint_talk
+        target: /custom-entrypoint.sh
+        mode: 775
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - source: talk_internal_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+      - source: talk_turn_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+      - source: talk_signaling_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+
+  app:
+    secrets:
+      - talk_turn_secret
+      - talk_signaling_secret
+
+secrets:
+  talk_internal_secret:
+    external: true
+    name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
+  talk_turn_secret:
+    external: true
+    name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
+  talk_signaling_secret:
+    external: true
+    name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
+
+configs:
+  entrypoint_talk:
+    name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
+    file: entrypoint.talk.sh.tmpl
+    template_driver: golang

compose.whiteboard.yml

@@ -0,0 +1,44 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - whiteboard_jwt
+
+  whiteboard:
+    image: ghcr.io/nextcloud-releases/whiteboard:v1.1.2
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
+        - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
+        - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
+        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
+        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
+        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
+    configs:
+      - source: entrypoint_whiteboard
+        target: /custom-entrypoint.sh
+    entrypoint: ["sh", "/custom-entrypoint.sh"]
+    user: root
+    networks:
+     - proxy
+    ports:
+      - 3002:3002
+    secrets:
+      - whiteboard_jwt
+    environment:
+      - NEXTCLOUD_URL=https://$DOMAIN
+      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
+
+secrets:
+  whiteboard_jwt:
+    external: true
+    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
+
+configs:
+  entrypoint_whiteboard:
+    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
+    file: entrypoint.whiteboard.sh.tmpl
+    template_driver: golang

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.26.1
+    image: nginx:1.29.0
     depends_on:
       - app
     configs:
@@ -12,6 +12,8 @@ services:
       - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
+      - HSTS_ENABLED
+      - HSTS_PRELOAD
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -33,8 +35,8 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
         - "caddy=${DOMAIN}"
         - "caddy.reverse_proxy={{upstreams 80}}"
         - "caddy.tls.on_demand="
@@ -46,7 +48,7 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:29.0.1-fpm
+    image: nextcloud:31.0.6-fpm
     depends_on:
       - db
     configs:
@@ -72,7 +74,9 @@ services:
       - TRUSTED_PROXIES=10.0.0.0/8
       - REDIS_HOST=cache
       - OVERWRITEPROTOCOL=https
+      - OVERWRITECLIURL=https://${DOMAIN}
       - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
+      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
       - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
       - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
       - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
@@ -91,10 +95,12 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=8.0.0+29.0.1-fpm"
+        - "coop-cloud.${STACK_NAME}.version=12.0.1+31.0.6-fpm"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+        - "backupbot.backup.volumes.redis=false"
+       #- "backupbot.backup.volumes.nextcloud=false"
+
     healthcheck:
       test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"']
       interval: 30s
@@ -103,7 +109,7 @@ services:
       start_period: 15m
 
   cron:
-    image: nextcloud:29.0.1-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -119,7 +125,7 @@ services:
 
 
   cache:
-    image: redis:7.2.5-alpine
+    image: redis:8.0.2-alpine
     networks:
       - internal
     volumes:

entrypoint.talk.sh.tmpl

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "INTERNAL_SECRET"
+file_env "TURN_SECRET"
+file_env "SIGNALING_SECRET"
+
+/start.sh supervisord -c /supervisord.conf

entrypoint.whiteboard.sh.tmpl

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
+
+exec npm run server:start

my-tune.cnf

@@ -4,7 +4,7 @@
 # https://mariadb.com/kb/en/library/performance-schema-overview/
 
 [server]
-innodb_buffer_pool_size        = 1G
+innodb_buffer_pool_size        = {{ env "INNODB_BUFFER_POOL_SIZE" }}
 innodb_flush_log_at_trx_commit = 2
 innodb_log_buffer_size         = 32M
 innodb_max_dirty_pages_pct     = 90

nginx.conf.tmpl

@@ -10,7 +10,11 @@ events {
 
 
 http {
-    include mime.types;
+    include       /etc/nginx/mime.types;
+    # See https://github.com/nextcloud/forms/issues/1838#issuecomment-1860497200
+    types {
+        application/javascript js mjs;
+    }
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -22,17 +26,8 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
-    # Prevent nginx HTTP Server Detection
-    server_tokens   off;
-
     keepalive_timeout  65;
 
-    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
-    map $arg_v $asset_immutable {
-        "" "";
-    default "immutable";
-    }
-
     #gzip  on;
 
     upstream php-handler {
@@ -50,15 +45,17 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        # set max upload size and increase upload timeout:
-        client_max_body_size 512M;
-        client_body_timeout 300s;
-        fastcgi_buffers 64 4K;
+        {{ if eq (env "HSTS_ENABLED") "1" }}
+        {{ if eq (env "HSTS_PRELOAD") "1" }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        {{ else }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+        {{ end }}
+        {{ end }}
 
-        # The settings allows you to optimize the HTTP2 bandwidth.
-        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
-        # for tuning hints
-        client_body_buffer_size 512k;
+        # set max upload size
+        client_max_body_size 512M;
+        fastcgi_buffers 64 4K;
 
         # Enable gzip but do not remove ETag headers
         gzip on;
@@ -66,7 +63,7 @@ http {
         gzip_comp_level 4;
         gzip_min_length 256;
         gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
         # Pagespeed is not supported by Nextcloud, so if your server is built
         # with the `ngx_pagespeed` module, uncomment this line to disable it.
@@ -75,6 +72,7 @@ http {
         # HTTP response headers borrowed from Nextcloud `.htaccess`
         add_header Referrer-Policy                      "no-referrer"       always;
         add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Download-Options                   "noopen"            always;
         add_header X-Permitted-Cross-Domain-Policies    "none"              always;
         add_header X-Robots-Tag                         "noindex, nofollow" always;
         add_header X-XSS-Protection                     "1; mode=block"     always;
@@ -164,32 +162,12 @@ http {
 
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
-
-            fastcgi_max_temp_file_size 0;
         }
 
-        # Javascript mimetype fixes for nginx
-        # Note: The block below should be removed, and the js|mjs section should be
-        # added to the block below this one. This is a temporary fix until Nginx 
-        # upstream fixes the js mime-type
-        location ~* \.(?:js|mjs)$ {
-            types { 
-                text/javascript js mjs;
-            } 
+        location ~ \.(?:css|js|svg|gif)$ {
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
-            access_log off;
-        }
-
-        # Serve static files
-        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
-            try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
             access_log off;     # Optional: Don't log access to assets
-
-            location ~ \.wasm$ {
-                default_type application/wasm;
-            }
         }
 
         location ~ \.woff2?$ {

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/10.0.0+30.0.4-fpm

@@ -0,0 +1 @@
+https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_30.html

release/11.0.0+30.0.4-fpm

@@ -0,0 +1,4 @@
+Upgrades mariadb from 10.5 to 11.4
+NOTE: If your Nextcloud instance is using mariadb, after running this update you MUST run the database upgrade command:
+`abra app command nextcloud.yourserver.org db upgrade_mariadb`
+More info: https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/

release/9.1.0+29.0.5-fpm

@@ -0,0 +1 @@
+Added automated customization options. Config needs to be updated to be able to use it.