chore: publish 12.0.1+31.0.6-fpm release

Reviewed-on: #49

.env.sample

@@ -55,6 +55,12 @@ DEFAULT_QUOTA="10 GB"
 # APPS="calendar"
 
 # COLLABORA_URL=https://collabora.example.com
+## IMPORTANT FOR SECURITY REASONS WHEN RUNNING COLLABORA
+## list of IP addresses that are allowed to make WOPI requests. Use the default
+## when running the collabora server on the same machine as nextcloud.
+## Otherwise set this to the IP address range of your collabora server(s) i.e. 1.2.3.4/32
+## https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
+# COLLABORA_ALLOWLIST="172.16.0.0/12"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml"
 # ONLYOFFICE_URL=https://onlyoffice.example.com
@@ -65,6 +71,10 @@ DEFAULT_QUOTA="10 GB"
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
+# APPS="$APPS whiteboard"
+# SECRET_WHITEBOARD_JWT_VERSION=v1
+
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # APPS="$APPS sociallogin"
 # AUTHENTIK_USER_PREFIX=authentik
@@ -77,3 +87,9 @@ DEFAULT_QUOTA="10 GB"
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
+
+# HSTS Options
+# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
+#HSTS_ENABLED=1
+# Uncomment this line to add the `preload` part
+#HSTS_PRELOAD=1

README.md

@@ -286,3 +286,11 @@ And you can populate the index manually and check if any errors occur:
 ```
 abra app cmd <domain> app run_occ '"fulltextsearch:index"'
 ```
+
+### Troubleshooting fulltextsearch
+
+The fulltextsearch plugin might be stuck with this error: "Index is already running". In that case the following command can get things runing again:
+
+```
+abra app run <domain> db /bin/sh -- -c 'echo "delete from oc_fulltextsearch_ticks;" | mariadb -u root -p$(cat /run/secrets/db_root_password) nextcloud'
+```

abra.sh

@@ -1,9 +1,10 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v7
+export NGINX_CONF_VERSION=v8
 export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
+export ENTRYPOINT_WHITEBOARD_VERSION=v1
 export CRONTAB_VERSION=v1
 export PG_BACKUP_VERSION=v2
 
@@ -91,8 +92,18 @@ install_onlyoffice() {
 install_collabora() {
     install_apps richdocuments
     set_app_config richdocuments wopi_url "$COLLABORA_URL"
+    # important for security reaosns
+    # https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
+    set_app_config richdocuments wopi_allowlist "$COLLABORA_ALLOWLIST"
 }
 
+install_whiteboard() {
+    install_apps whiteboard
+    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
+    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
+}
+
+
 install_fulltextsearch() {
     install_apps fulltextsearch
     install_apps fulltextsearch_elasticsearch

compose.fulltextsearch.yml

@@ -29,7 +29,7 @@ services:
         mode: 0600
 
   searchindexer:
-    image: nextcloud:30.0.6-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

compose.whiteboard.yml

@@ -0,0 +1,44 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - whiteboard_jwt
+
+  whiteboard:
+    image: ghcr.io/nextcloud-releases/whiteboard:v1.1.2
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
+        - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
+        - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
+        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
+        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
+        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
+    configs:
+      - source: entrypoint_whiteboard
+        target: /custom-entrypoint.sh
+    entrypoint: ["sh", "/custom-entrypoint.sh"]
+    user: root
+    networks:
+     - proxy
+    ports:
+      - 3002:3002
+    secrets:
+      - whiteboard_jwt
+    environment:
+      - NEXTCLOUD_URL=https://$DOMAIN
+      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
+
+secrets:
+  whiteboard_jwt:
+    external: true
+    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
+
+configs:
+  entrypoint_whiteboard:
+    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
+    file: entrypoint.whiteboard.sh.tmpl
+    template_driver: golang

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.27.4
+    image: nginx:1.29.0
     depends_on:
       - app
     configs:
@@ -12,6 +12,8 @@ services:
       - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
+      - HSTS_ENABLED
+      - HSTS_PRELOAD
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -46,7 +48,7 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:30.0.6-fpm
+    image: nextcloud:31.0.6-fpm
     depends_on:
       - db
     configs:
@@ -72,6 +74,7 @@ services:
       - TRUSTED_PROXIES=10.0.0.0/8
       - REDIS_HOST=cache
       - OVERWRITEPROTOCOL=https
+      - OVERWRITECLIURL=https://${DOMAIN}
       - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
       - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
       - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
@@ -91,7 +94,7 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=11.1.0+30.0.6-fpm"
+        - "coop-cloud.${STACK_NAME}.version=12.0.1+31.0.6-fpm"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         - "backupbot.backup.volumes.redis=false"
@@ -105,7 +108,7 @@ services:
       start_period: 15m
 
   cron:
-    image: nextcloud:30.0.6-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -121,7 +124,7 @@ services:
 
 
   cache:
-    image: redis:7.4.2-alpine
+    image: redis:8.0.2-alpine
     networks:
       - internal
     volumes:

entrypoint.whiteboard.sh.tmpl

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
+
+exec npm run server:start

nginx.conf.tmpl

@@ -45,6 +45,13 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
+        {{ if eq (env "HSTS_ENABLED") "1" }}
+        {{ if eq (env "HSTS_PRELOAD") "1" }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        {{ else }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+        {{ end }}
+        {{ end }}
 
         # set max upload size
         client_max_body_size 512M;