fixup stuff

add release note
add backupbot for postgres
2022-05-18 10:33:08 +02:00 · 2022-05-12 12:19:56 +02:00 · 2022-05-11 18:43:39 +02:00 · 2022-05-11 15:17:47 +02:00
31 changed files with 147 additions and 1021 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -3,7 +3,7 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
    settings:
      host: swarm-test.autonomic.zone
      stack: nextcloud
@ -11,41 +11,15 @@ steps:
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
      networks:
        - proxy
    environment:
      DOMAIN: nextcloud.swarm-test.autonomic.zone
      STACK_NAME: nextcloud
      LETS_ENCRYPT_ENV: production
      ADMIN_USER: foobar
      FPM_TUNE_VERSION: v1
      NGINX_CONF_VERSION: v1
      MY_CNF_VERSION: v1
      ENTRYPOINT_VERSION: v1
      CRONTAB_VERSION: v1
      PG_BACKUP_VERSION: v2
      SECRET_DB_PASSWORD_VERSION: v1
      SECRET_DB_ROOT_PASSWORD_VERSION: v1
      SECRET_ADMIN_PASSWORD_VERSION: v1
      SECRET_ONLYOFFICE_JWT_VERSION: v1
      SECRET_BBB_SECRET_VERSION: v1
      EXTRA_VOLUME: "/dev/null:/tmp/.dummy"
 trigger:
  branch:
    - main
 ---
 kind: pipeline
 name: generate recipe catalogue
 steps:
  - name: release a new version
    image: plugins/downstream
    settings:
      server: https://build.coopcloud.tech
      token:
        from_secret: drone_abra-bot_token
      fork: true
      repositories:
        - toolshed/auto-recipes-catalogue-json
 trigger:
  event: tag
--- a/.env.sample
+++ b/.env.sample
@ -1,7 +1,4 @@
 TYPE=nextcloud
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 ENABLE_BACKUPS=true
 DOMAIN=nextcloud.example.com
 ## Domain aliases
@ -12,90 +9,10 @@ COMPOSE_FILE="compose.yml"
 COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 #MAX_DB_CONNECTIONS=500
 ADMIN_USER=admin
 TZ=Etc/UTC
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
 PHP_MEMORY_LIMIT=1G
 PHP_UPLOAD_LIMIT=512M
 # fpm-tune, see: https://spot13.com/pmcalculator/
 FPM_MAX_CHILDREN=16
 FPM_START_SERVERS=4
 FPM_MIN_SPARE_SERVERS=4
 FPM_MAX_SPARE_SERVERS=12
 DEFAULT_QUOTA="10 GB"
 # X_FRAME_OPTIONS_ENABLED=1
 # X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values
 # SMTP_AUTHTYPE=
 # SMTP_HOST=
 # SMTP_SECURE=
 # SMTP_NAME=
 # SMTP_PORT=
 # MAIL_FROM_ADDRESS=
 # MAIL_DOMAIN=
 # SECRET_SMTP_PASSWORD_VERSION=v1
 ## Customization
 # THEMING_COLOR=
 # THEMING_SLOGAN=
 # COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/"
 # COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/"
 # COPY_ASSETS="$COPY_ASSETS icon.png|app:/var/www/html/themes/"
 # APPS="calendar"
 # COLLABORA_URL=https://collabora.example.com
 ## IMPORTANT FOR SECURITY REASONS WHEN RUNNING COLLABORA
 ## list of IP addresses that are allowed to make WOPI requests. Use the default
 ## when running the collabora server on the same machine as nextcloud.
 ## Otherwise set this to the IP address range of your collabora server(s) i.e. 1.2.3.4/32
 ## https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
 # COLLABORA_ALLOWLIST="172.16.0.0/12"
 # COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml"
 # ONLYOFFICE_URL=https://onlyoffice.example.com
 # APPS="$APPS onlyoffice"
 # SECRET_ONLYOFFICE_JWT_VERSION=v1
 # COMPOSE_FILE="$COMPOSE_FILE:compose.bbb.yml"
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
 # COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
 # APPS="$APPS whiteboard"
 # SECRET_WHITEBOARD_JWT_VERSION=v1
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # APPS="$APPS sociallogin"
 # AUTHENTIK_USER_PREFIX=authentik
 # AUTHENTIK_DOMAIN=authentik.example.com
 # SECRET_AUTHENTIK_SECRET_VERSION=v1
 # SECRET_AUTHENTIK_ID_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
 #COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
 #TALK_DOMAIN=talk.example.com
 #SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
 #HSTS_ENABLED=1
 # Uncomment this line to add the `preload` part
 #HSTS_PRELOAD=1
--- a/README.md
+++ b/README.md
@ -6,131 +6,38 @@ Fully automated luxury Nextcloud via docker-swarm.
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: 5
+* **Status**: 2, beta
 * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream
 * **Healthcheck**: Yes
-* **Backups**: Yes
+* **Backups**: No
 * **Email**: 3
 * **Tests**: 2
 * **SSO**: 1 (OAuth)
 <!-- endmetadata -->
-## Quick start
+## Basic usage
-* `abra app new nextcloud`
+1. Set up Docker Swarm and [`abra`]
-* `abra app config <app-name>`
+2. Deploy [`coop-cloud/traefik`]
-* `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>`
+3. `abra app new nextcloud --secrets` (optionally with `--pass` if you'd like
-* `abra app secret generate -a <app-name>`
+   to save secrets in `pass`)
-* `abra app deploy <app-name>`
+4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
   your Docker swarm box
 5. `abra app YOURAPPDOMAIN deploy`
-### Onlyoffice Integration
+## How do I customise the default home page when logging in?
-`abra app config <app-name>` 
+- Delete the dashboard app since it is so corporate
-
+- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
-Configure the following envs:
+- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
 ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 * `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
 * `abra app cmd <app-name> app install_onlyoffice`
 ### BBB Integration
 `abra app config <app-name>` 
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
 BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 SECRET_BBB_SECRET_VERSION=v1
 ```
 * `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
 * `abra app cmd <app-name> app install_bbb`
 ### Nextcloud Talk High performance Backend
 Note: at the moment you are limited to run one Nextcloud high performance backend per docker host with this setup.
 `abra app config <app-name>` 
 Configure the following envs:
 ```
 #COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
 #TALK_DOMAIN=talk.example.com
 #SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
 ```
 * `abra app secret insert <app-name> talk_internal_secret v1 <talk_internal_secret>`
 * `abra app secret insert <app-name> talk_turn_secret v1 <talk_turn_secret>`
 * `abra app secret insert <app-name> talk_signaling_secret v1 <talk_signaling_secret>`
 * `abra app cmd <app-name> app install_talk`
 Don't forget to enable the additional env's in your hosts traefik instance:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
 NEXTCLOUD_TALK_HPB_ENABLED=1
 ```
 Due to a bug in compose that deletes duplacted ports without checking for the protocol, traefik need to get the additional udp binding added after the deployment via ssh (this might take longer than expected!):
 ```
 docker service update  --publish-add published=3478,target=3478,protocol=udp traefik_XXX_XXX_app
 ```
 To check if tcp and udp was binded, you can use:
 ```
 docker service inspect traefik_XXX_XXX_app | grep 3478 -a2
 ```
 ### Authentik Integration
 `abra app config <app-name>` 
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 AUTHENTIK_USER_PREFIX=authentik
 AUTHENTIK_DOMAIN=authentik.example.com
 AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
 AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
 ```
 `abra app cmd <app-name> app set_authentik`
 ## Running `occ`
-`abra app cmd <app-name> app run_occ '"user:list --help"'`
+`abra app run --user www-data YOURAPPDOMAIN app occ user:list --help`
-Read more about [occ command here](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
+## Upgrading Nextcloud apps
 ### Disable Dashboard
 To disable dashboard app (since it is so corporate):
 `abra app cmd <app-name> app run_occ '"app:disable dashboard"'`
 ## Default user files
 - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
 ## Default App
 - Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
 ## Upgrading Nextcloud
 Upgrading Nextcloud can be a hair raising experiance. They [don't support downgrading](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html) even for minor versions.
 Many of us  have found that jumping major versions when upgrading is also a bad idea. We have however found that it's ok to skip minor version upgrades and go to the last minor version before a major version (e.g. 24.0.0 to 24.9.9 before going to 25.0.0). To extra cautious just upgrade one release at a time. Read the release notes and check your logs.
 ## Upgrading Nextcloud apps (plug-ins)
 `abra app cmd <app-name> app run_occ '"app:update --all"'`
 `abra app run --user www-data YOURAPPDOMAIN app occ app:update --all`
 ## How do I fix a Nextcloud version snafu?
@ -159,7 +66,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the
 ```
  'oidc_login_client_id' => 'nextcloud',
  'oidc_login_client_secret' => 'mysecret',
-  'oidc_login_provider_url' => 'https://example.com/realms/myrealm',
+  'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm',
  'oidc_login_disable_registration' => false,
  'oidc_login_hide_password_form' => true,
  'oidc_login_button_text' => 'Log in with your myssodomain',
@ -259,73 +166,3 @@ Here is an example CSS config which hides the local login and makes space for a
 [nextcloud-docker]: https://hub.docker.com/_/nextcloud/
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
 ## Using [`previewgenerator`](https://github.com/nextcloud/previewgenerator) app
 > Beware, this appp has been known to not work...
 After you install, enable etc. then you need to run the generation (**warning**: it can take a long time!):
 ```
 abra app run <domain> app bash -u www-data
 ./occ preview:generate-all
 ```
 To set up the cron to run again, there is [no clear solution in the context of
 containers](https://github.com/nextcloud/previewgenerator/issues/1). So, a
 pretty dodgy hack is to run it from the system directly:
 ```
 root@foo.com /etc/cron.hourly $ cat foo-com-preview-generate 
 #!/bin/bash
 docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-generate
 ```
 This app will improve performance of image browsing at the cost of storage space.
 ## Fulltextsearch using elasticsearch
 1. Uncomment the following lines in your env file:
 ```
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
 ```
 2. Generate the secret for elasticsearch:
 ```bash
 abra app secret generate <domain> elasticsearch_password v1
 ```
 3. Deploy your app:
 ```bash
 abra app deploy <domain>
 ```
 4. Install the apps and configure them:
 ```
 abra app cmd <domain> app install_fulltextsearch
 ```
 5. You might need to configure the files_fulltextsearch app. run this command to check its settings:
 ```
 abra app cmd <domain> app run_occ '"config:list files_fulltextsearch"
 ```
 6. You can check if the nextcloud can connect to elasticsearch:
 ```
 abra app cmd <domain> app run_occ '"fulltextsearch:test"'
 ```
 And you can populate the index manually and check if any errors occur:
 ```
 abra app cmd <domain> app run_occ '"fulltextsearch:index"'
 ```
 ### Troubleshooting fulltextsearch
 The fulltextsearch plugin might be stuck with this error: "Index is already running". In that case the following command can get things runing again:
 ```
 abra app run <domain> db /bin/sh -- -c 'echo "delete from oc_fulltextsearch_ticks;" | mariadb -u root -p$(cat /run/secrets/db_root_password) nextcloud'
 ```
--- a/abra.sh
+++ b/abra.sh
@ -1,178 +1,105 @@
-#!/bin/bash
+export FPM_TUNE_VERSION=v4
 export NGINX_CONF_VERSION=v2
 export MY_CNF_VERSION=v4
-export FPM_TUNE_VERSION=v5
+NC_APP_DIR="app:/var/www/html"
 export NGINX_CONF_VERSION=v8
 export MY_CNF_VERSION=v6
 export ENTRYPOINT_VERSION=v3
 export ENTRYPOINT_WHITEBOARD_VERSION=v1
 export ENTRYPOINT_TALK_VERSION=v1
 export CRONTAB_VERSION=v1
 export PG_BACKUP_VERSION=v2
-run_occ() {
+sub_occ(){
-    su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
+  # shellcheck disable=SC2034
  abra__service_="app"
  # shellcheck disable=SC2034
  abra___user="www-data"
  sub_app_run php /var/www/html/occ "$@"
 }
-install_apps() {
+_backup_app() {
-    install_apps="$@"
+  # Copied _abra_backup_dir to make UX better on restore and backup
-    if [ -z "$install_apps" ]; then
+  {
-        install_apps=$APPS
+    abra__src_="$1"
-    fi
+    abra__dst_="-"
-    for app in $install_apps; do
+  }
-        run_occ "app:install $app"
+
-    done
+  # shellcheck disable=SC2154
  FILENAME="$(basename "$1").tar"
  debug "Copying '$1' to '$FILENAME'"
  silence
  mkdir -p /tmp/abra
  sub_app_cp > /tmp/abra/$FILENAME
  unsilence
 }
-set_app_config() {
+next_maintenance_on() {
-    APP=$1
+  silence
-    KEY=$2
+  sub_occ maintenance:mode --on > /dev/null
-    VALUE=$3
+  unsilence
-    run_occ "config:app:set $APP $KEY --value '$VALUE'"
+  debug "Nextcloud maintenance mode enabled"
 }
-set_system_config() {
+next_maintenance_off() {
-    KEY=$1
+  silence
-    VALUE=$2
+  sub_occ maintenance:mode --off > /dev/null
-    run_occ "config:system:set $KEY --value '$VALUE'"
+  unsilence
  debug "Nextcloud maintenance mode disabled"
 }
-set_trusted_proxies() {
+abra_backup_app() {
-    trusted_proxies="$@"
+  # shellcheck disable=SC2154
-    if [ -z "$1" ]; then
+  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
-        trusted_proxies="$TRUSTED_PROXIES"
+  # Cant be FILENAME as that gets changed by something
-    fi
+  next_maintenance_on
-    set_system_config trusted_proxies "$trusted_proxies"
+  _backup_app $NC_APP_DIR/config
  _backup_app $NC_APP_DIR/data
  _backup_app $NC_APP_DIR/themes
  # Combine archives
  tar -Af /tmp/abra/config.tar /tmp/abra/data.tar
  tar -Af /tmp/abra/config.tar /tmp/abra/themes.tar
  gzip /tmp/abra/config.tar -c > "$ARK_FILENAME"
  rm /tmp/abra/*.tar
  success "Backed up 'app' to $ARK_FILENAME"
  next_maintenance_off
 }
-set_logfile_stdout() {
+abra_backup_db() {
-    set_system_config logfile '/dev/stdout'
+  next_maintenance_on
  _abra_backup_mysql "db" "nextcloud"
  next_maintenance_off
 }
-customize() {
+abra_backup() {
-    if [ -z "$1" ]
+  abra_backup_app && abra_backup_db
    then
            echo "Usage: ... customize <assets_path>"
            exit 1
    fi
    asset_dir=$1
    for asset in $COPY_ASSETS; do
        source=$(echo $asset | cut -d "|" -f1)
        target=$(echo $asset | cut -d "|" -f2)
        echo copy $source to $target
        abra app cp $APP_NAME $asset_dir/$source $target
    done
    abra app cmd -T $APP_NAME app set_app_config theming color \"$THEMING_COLOR\"
    abra app cmd -T $APP_NAME app set_app_config theming slogan \"$THEMING_SLOGAN\"
    abra app cmd -T $APP_NAME app run_occ '"theming:config background \"/var/www/html/themes/flow_background.jpg\""'
    abra app cmd -T $APP_NAME app run_occ '"theming:config logo \"/var/www/html/themes/icon_left_brand.svg\""'
    abra app cmd -T $APP_NAME app run_occ '"theming:config logoheader \"/var/www/html/themes/icon.png\""'
 }
 install_bbb() {
    install_apps bbb
    set_app_config bbb app.navigation true
    set_app_config bbb api.url "$BBB_URL"
    set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)"
 }
 install_onlyoffice() {
    install_apps onlyoffice
    set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL"
    set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)"
    set_app_config onlyoffice customizationForcesave true
 }
 install_collabora() {
    install_apps richdocuments
    set_app_config richdocuments wopi_url "$COLLABORA_URL"
    # important for security reaosns
    # https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
    set_app_config richdocuments wopi_allowlist "$COLLABORA_ALLOWLIST"
 }
 install_whiteboard() {
    install_apps whiteboard
    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
 }
-install_talk() {
+abra_restore_app() {
-    install_apps spreed
+  next_maintenance_on
-    run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'"
+  # shellcheck disable=SC2034
-    run_occ "talk:stun:add '${TALK_DOMAIN}:3478'"
+  {
-    run_occ "talk:stun:add '${TALK_DOMAIN}:443'"
+  abra__src_="-"
-    run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp"
+  abra__dst_=$NC_APP_DIR
  }
  zcat "$@" | sub_app_cp
  next_maintenance_off
  sub_occ files:scan --all > /dev/null # Needs to be run in normal mode
  success "Restored 'app'"
 }
-install_fulltextsearch() {
+# abra_restore_db() {
-    install_apps fulltextsearch
+#   warning "Restoring the database is on a existing app and not a new one has not been tested. Use with caution."
-    install_apps fulltextsearch_elasticsearch
+#   next_maintenance_on
-    install_apps files_fulltextsearch
+#   # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-    set_app_config fulltextsearch search_platform "OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"
+#   # got this far..
    set_app_config fulltextsearch_elasticsearch elastic_host "http://elastic:$(cat /run/secrets/elasticsearch_password)@elasticsearch:9200/"
    set_app_config fulltextsearch_elasticsearch elastic_index "nextcloud"
    set_app_config files_fulltextsearch files_local "1"
 }
-set_default_quota() {
+#   # shellcheck disable=SC2034
-    set_app_config files default_quota "$DEFAULT_QUOTA"
+#   abra___no_tty="true"
 }
-set_authentik() {
+#   DB_PASSWORD=$(sub_app_run cat /run/secrets/db_password)
    install_apps sociallogin
    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
    set_system_config logo_url https://$AUTHENTIK_DOMAIN
    set_app_config sociallogin custom_providers "
 {
    \"custom_oidc\":[
    {
        \"name\":\"$AUTHENTIK_USER_PREFIX\",
        \"title\":\"authentik\",
        \"authorizeUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
        \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\",
        \"displayNameClaim\":\"preferred_username\",
        \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/nextcloud/end-session/\",
        \"clientId\":\"$AUTHENTIK_ID\",
        \"clientSecret\":\"$AUTHENTIK_SECRET\",
        \"scope\":\"openid profile email nextcloud\",
        \"groupsClaim\":\"nextcloud_groups\",
        \"style\":\"openid\",
        \"defaultGroup\":\"\",
        \"groupMapping\": {
          \"admin\": \"admin\",
          \"authentik Admins\": \"admin\"
        }
    }
 ]
 }"
-    set_app_config sociallogin update_profile_on_login 1
+#   zcat "$@" | sub_app_run mysql -u root -p"$DB_PASSWORD" wordpress
    set_app_config sociallogin auto_create_groups 1
    set_app_config sociallogin hide_default_login 1
    run_occ 'config:system:set social_login_auto_redirect --value true'
    run_occ 'config:system:set allow_user_to_change_display_name --value=false'
    run_occ 'config:system:set lost_password_link --value=disabled'
 }
-disable_skeletondirectory() {
+#   success "Restored 'db'"
-    run_occ "config:system:set skeletondirectory --value ''"
+#   next_maintenance_off
-}
+# }
 set_windowsfriendly_filenames() {
    run_occ 'config:system:set forbidden_filename_characters 0 --value=?'
    run_occ 'config:system:set forbidden_filename_characters 1 --value=\<'
    run_occ 'config:system:set forbidden_filename_characters 2 --value=\>'
    run_occ 'config:system:set forbidden_filename_characters 3 --value=:'
    run_occ 'config:system:set forbidden_filename_characters 4 --value=*'
    run_occ 'config:system:set forbidden_filename_characters 5 --value=\|'
    run_occ 'config:system:set forbidden_filename_characters 6 --value=\"'
 }
 upgrade_mariadb() {
    mariadb-upgrade -p`cat /run/secrets/db_root_password`
 }
--- a/alaconnect.yml
+++ b/alaconnect.yml
@ -1,24 +0,0 @@
 authentik:
    uncomment:
        - compose.authentik.yml
        - AUTHENTIK_USER_PREFIX
        - AUTHENTIK_DOMAIN
        - SECRET_AUTHENTIK_SECRET_VERSION
        - SECRET_AUTHENTIK_ID_VERSION
    initial-hooks:
        - app set_authentik
    shared_secrets:
        nextcloud_secret: authentik_secret
        nextcloud_id: authentik_id
 onlyoffice:
    uncomment:
        - compose.onlyoffice.yml
        - ONLYOFFICE_URL
        - SECRET_ONLYOFFICE_JWT_VERSION
    initial-hooks:
        - app install_onlyoffice
 collabora:
    uncomment:
        - COLLABORA_URL
    initial-hooks:
        - app install_collabora
--- a/compose.authentik.yml
+++ b/compose.authentik.yml
@ -1,14 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - authentik_secret
      - authentik_id
 secrets:
  authentik_secret:
    external: true
    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
  authentik_id:
    external: true
    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}
--- a/compose.bbb.yml
+++ b/compose.bbb.yml
@ -1,12 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - bbb_secret
    environment:
      - BBB_URL
 secrets:
  bbb_secret:
    external: true
    name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION}
--- a/compose.fulltextsearch.yml
+++ b/compose.fulltextsearch.yml
@ -1,55 +0,0 @@
 version: "3.8"
 services:
  elasticsearch:
    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
    environment:
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - discovery.type=single-node
      # Disable authentication and ssl completely
      # - xpack.security.enabled=false
      # Use this to enable Basic Authentication:
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - ELASTIC_PASSWORD_FILE=/var/run/secrets/elasticsearch_password
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - elasticsearch:/usr/share/elasticsearch/data
    networks:
      - internal
    secrets:
      - source: elasticsearch_password
        uid: "1000"
        gid: "1000"
        mode: 0600
  searchindexer:
    image: nextcloud:31.0.6-fpm
    volumes:
      - nextcloud:/var/www/html/
      - nextapps:/var/www/html/custom_apps:cached
      - nextdata:/var/www/html/data:cached
      - nextconfig:/var/www/html/config:cached
      - ${EXTRA_VOLUME}
    networks:
      - internal
    entrypoint: su -p www-data -s /bin/sh -c '/var/www/html/occ fulltextsearch:live'
  # Add the secret to the app service so it is avaiable in the
  # install_fulltextsearch command
  app:
    secrets:
      - elasticsearch_password
 secrets:
  elasticsearch_password:
    external: true
    name: ${STACK_NAME}_elasticsearch_password_${SECRET_ELASTICSEARCH_PASSWORD_VERSION}
 volumes:
  elasticsearch:
--- a/compose.mariadb.yml
+++ b/compose.mariadb.yml
@ -9,14 +9,12 @@ services:
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
  db:
-    image: "mariadb:11.4"
+    image: "mariadb:10.5"
    environment:
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
      - INNODB_BUFFER_POOL_SIZE=${INNODB_BUFFER_POOL_SIZE:-1G}"
    configs:
      - source: my_tune
        target: /etc/mysql/conf.d/my-tune.cnf
@ -29,25 +27,14 @@ services:
      - internal
    deploy:
      labels:
-        backupbot.backup.pre-hook: 'mariadb-dump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
+          backupbot.backup: "true"
-        backupbot.backup.volumes.mariadb.path: "backup.sql"
+          backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql'
-        backupbot.restore.post-hook: 'mariadb -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud < /var/lib/mysql/backup.sql'
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
-    healthcheck:
+          backupbot.backup.path: "/tmp/backup/"
      test: ["CMD-SHELL", 'mariadb-admin -p"$$(cat /run/secrets/db_root_password)"  ping']
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
 configs:
  my_tune:
    name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
    file: my-tune.cnf
    template_driver: golang
 secrets:
  db_root_password:
    external: true
    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
 volumes:
  mariadb:
--- a/compose.onlyoffice.yml
+++ b/compose.onlyoffice.yml
@ -1,12 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - onlyoffice_jwt
    environment:
      - ONLYOFFICE_URL
 secrets:
  onlyoffice_jwt:
    external: true
    name: ${STACK_NAME}_onlyoffice_jwt_${SECRET_ONLYOFFICE_JWT_VERSION}
--- a/compose.postgres.yml
+++ b/compose.postgres.yml
@ -2,6 +2,7 @@ version: '3.8'
 services:
  app:
    entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
    environment:
      - POSTGRES_HOST=db
      - POSTGRES_DB=nextcloud
@ -10,37 +11,28 @@ services:
      - NEXTCLOUD_UPDATE=1
  db:
-    image: "postgres:13"
+    image: "postgres:12"
    command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
    volumes:
      - "postgres:/var/lib/postgresql/data"
    networks:
      - internal
    environment:
-      POSTGRES_USER: nextcloud
+      POSTGRES_USER: nextcloud 
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
-      POSTGRES_DB: nextcloud
+      POSTGRES_DB: nextcloud 
    secrets:
      - db_password
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"]
+      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
    deploy:
      labels:
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+            backupbot.backup: "true"
-        backupbot.backup.volumes.postgres.path: "backup.sql"
+            backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
+            backupbot.backup.post-hook: "rm -rf /tmp/backup"
-    configs:
+            backupbot.backup.path: "/tmp/backup/"
        - source: pg_backup
          target: /pg_backup.sh
          mode: 0555
 volumes:
  postgres:
 configs:
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh
--- a/compose.smtp.yml
+++ b/compose.smtp.yml
@ -1,19 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - smtp_password
    environment:
      - SMTP_AUTHTYPE
      - SMTP_HOST
      - SMTP_SECURE
      - SMTP_NAME
      - SMTP_PORT
      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
      - MAIL_FROM_ADDRESS
      - MAIL_DOMAIN
 secrets:
  smtp_password:
    external: true
    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
--- a/compose.talk.yml
+++ b/compose.talk.yml
@ -1,70 +0,0 @@
 version: "3.8"
 services:
  talk:
    image: "nextcloud/aio-talk:20251128_084214"
    environment:
      - NC_DOMAIN=${DOMAIN}
      - TALK_HOST=${TALK_DOMAIN}
      - TZ
      - TALK_PORT=3478
      - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret 
      - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
      - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=proxy
        - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
        - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
        - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
        - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.rule=HostSNI(`*`)
        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.entrypoints=nextcloud-talk-hpb
        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.service=${STACK_NAME}_nextcloud-talk-hpb-svc
        - traefik.tcp.services.${STACK_NAME}_nextcloud-talk-hpb-svc.loadbalancer.server.port=3478
        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.entrypoints=nextcloud-talk-hpb-udp
        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.service=${STACK_NAME}_nextcloud-talk-hpb-udp-svc
        - traefik.udp.services.${STACK_NAME}_nextcloud-talk-hpb-udp-svc.loadbalancer.server.port=3478
    networks:
      - proxy
    configs:
      - source: entrypoint_talk
        target: /custom-entrypoint.sh
        mode: 775
    entrypoint: /custom-entrypoint.sh
    secrets:
      - source: talk_internal_secret
        uid: "1000"
        gid: "122"
        mode: 0600
      - source: talk_turn_secret
        uid: "1000"
        gid: "122"
        mode: 0600
      - source: talk_signaling_secret
        uid: "1000"
        gid: "122"
        mode: 0600
  app:
    secrets:
      - talk_turn_secret
      - talk_signaling_secret
 secrets:
  talk_internal_secret:
    external: true
    name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
  talk_turn_secret:
    external: true
    name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
  talk_signaling_secret:
    external: true
    name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
 configs:
  entrypoint_talk:
    name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
    file: entrypoint.talk.sh.tmpl
    template_driver: golang
--- a/compose.whiteboard.yml
+++ b/compose.whiteboard.yml
@ -1,44 +0,0 @@
 version: "3.8"
 services:
  app:
    secrets:
      - whiteboard_jwt
  whiteboard:
    image: ghcr.io/nextcloud-releases/whiteboard:v1.1.2
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=proxy
        - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
        - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
        - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
    configs:
      - source: entrypoint_whiteboard
        target: /custom-entrypoint.sh
    entrypoint: ["sh", "/custom-entrypoint.sh"]
    user: root
    networks:
     - proxy
    ports:
      - 3002:3002
    secrets:
      - whiteboard_jwt
    environment:
      - NEXTCLOUD_URL=https://$DOMAIN
      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
 secrets:
  whiteboard_jwt:
    external: true
    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
 configs:
  entrypoint_whiteboard:
    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
    file: entrypoint.whiteboard.sh.tmpl
    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -1,19 +1,13 @@
 version: "3.8"
 services:
  web:
-    image: nginx:1.29.0
+    image: nginx:1.20.0
    depends_on:
      - app
    configs:
      - source: nginx_conf
        target: /etc/nginx/nginx.conf
    environment:
      - X_FRAME_OPTIONS_ALLOW_FROM
      - X_FRAME_OPTIONS_ENABLED
      - DOMAIN
      - STACK_NAME
      - HSTS_ENABLED
      - HSTS_PRELOAD
    volumes:
      - nextcloud:/var/www/html/
      - nextapps:/var/www/html/custom_apps:cached
@ -35,53 +29,33 @@ services:
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        - "caddy=${DOMAIN}"
        - "caddy.reverse_proxy={{upstreams 80}}"
        - "caddy.tls.on_demand="
    healthcheck:
      test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 5m
  app:
-    image: nextcloud:31.0.6-fpm
+    image: nextcloud:23.0.3-fpm
    depends_on:
      - db
    configs:
      - source: fpm_tune
-        target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf
+        target: /usr/local/etc/php-fpm.d/fpm-tune.conf
      - source: entrypoint
        target: /custom-entrypoint.sh
        mode: 555
    entrypoint: /custom-entrypoint.sh
    secrets:
      - db_password
      - admin_password
    environment:
      - APPS
      - OCC_CMDS
      - X_FRAME_OPTIONS_ALLOW_FROM
      - X_FRAME_OPTIONS_ENABLED
      - DOMAIN
      - STACK_NAME
      - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password
      - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
-      - TRUSTED_PROXIES=10.0.0.0/8
+      - TRUSTED_PROXIES=traefik
      - REDIS_HOST=cache
      - SMTP_HOST
      - MAIL_FROM_ADDRESS
      - MAIL_DOMAIN
      - SMTP_AUTHTYPE=PLAIN
      - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://${DOMAIN}
+      - PHP_MEMORY_LIMIT=1G
      - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
      - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
      - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
      - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
      - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98}
      - DEFAULT_QUOTA
    volumes:
      - nextcloud:/var/www/html/
      - nextapps:/var/www/html/custom_apps:cached
@ -95,21 +69,13 @@ services:
        failure_action: rollback
        order: start-first
      labels:
-        - "coop-cloud.${STACK_NAME}.version=12.0.1+31.0.6-fpm"
+        - "coop-cloud.${STACK_NAME}.version=2.0.0+23.0.3-fpm"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+        - "backupbot.backup=true"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
        - "backupbot.backup.volumes.redis=false"
       #- "backupbot.backup.volumes.nextcloud=false"
    healthcheck:
      test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"']
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 15m
  cron:
-    image: nextcloud:31.0.6-fpm
+    image: nextcloud:23.0.3-fpm
    volumes:
      - nextcloud:/var/www/html/
      - nextapps:/var/www/html/custom_apps:cached
@ -119,27 +85,21 @@ services:
    networks:
      - internal
    entrypoint: /cron.sh
    configs:
      - source: crontab
        target: /var/spool/cron/crontabs/www-data
  cache:
-    image: redis:8.0.2-alpine
+    image: redis:6.2.5-alpine
    networks:
      - internal
    volumes:
      - "redis:/data"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 3s
      timeout: 5s
      retries: 20
 secrets:
  db_root_password:
    external: true
    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
  db_password:
    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
  admin_password:
    external: true
    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
@ -151,7 +111,6 @@ volumes:
  nextconfig:
  redis:
 configs:
  nginx_conf:
    name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
@ -160,14 +119,6 @@ configs:
  fpm_tune:
    name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
    file: fpm-tune.ini
    template_driver: golang
  entrypoint:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
  crontab:
    name: ${STACK_NAME}_crontab_${CRONTAB_VERSION}
    file: crontab
 networks:
  proxy:
--- a/1
+++ b/1
@ -1 +0,0 @@
 */5 * * * * php -d memory_limit=1G -f /var/www/html/cron.php
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -1,41 +0,0 @@
 #!/bin/bash
 set -eu
 file_env() {
  local var="$1"
  local fileVar="${var}_FILE"
  local def="${2:-}"
  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
    exit 1
  fi
  local val="$def"
  if [ "${!var:-}" ]; then
    val="${!var}"
  elif [ "${!fileVar:-}" ]; then
    val="$(< "${!fileVar}")"
  fi
  export "$var"="$val"
  unset "$fileVar"
 }
 file_env "SMTP_PASSWORD"
 echo "Giving the db container some time to come up"; sleep 20
 # see this issue with postgres db https://github.com/nextcloud/docker/issues/1204
 {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
 if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
    sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
 fi
 {{ end }}
 # Required for healthcheck
 which cgi-fcgi > /dev/null || (apt-get update && apt-get install -y libfcgi-bin)
 /entrypoint.sh php-fpm
--- a/entrypoint.talk.sh.tmpl
+++ b/entrypoint.talk.sh.tmpl
@ -1,30 +0,0 @@
 #!/bin/bash
 set -eu
 file_env() {
  local var="$1"
  local fileVar="${var}_FILE"
  local def="${2:-}"
  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
    exit 1
  fi
  local val="$def"
  if [ "${!var:-}" ]; then
    val="${!var}"
  elif [ "${!fileVar:-}" ]; then
    val="$(< "${!fileVar}")"
  fi
  export "$var"="$val"
  unset "$fileVar"
 }
 file_env "INTERNAL_SECRET"
 file_env "TURN_SECRET"
 file_env "SIGNALING_SECRET"
 /start.sh supervisord -c /supervisord.conf
--- a/entrypoint.whiteboard.sh.tmpl
+++ b/entrypoint.whiteboard.sh.tmpl
@ -1,6 +0,0 @@
 #!/bin/sh
 set -e
 export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
 exec npm run server:start
--- a/fpm-tune.ini
+++ b/fpm-tune.ini
@ -1,5 +1,5 @@
 pm = dynamic
-pm.max_children = {{ env "FPM_MAX_CHILDREN" }}
+pm.max_children = 131
-pm.start_servers = {{ env "FPM_START_SERVERS" }}
+pm.start_servers = 32
-pm.min_spare_servers = {{ env "FPM_MIN_SPARE_SERVERS" }}
+pm.min_spare_servers = 32
-pm.max_spare_servers = {{ env "FPM_MAX_SPARE_SERVERS" }}
+pm.max_spare_servers = 98
--- a/my-tune.cnf
+++ b/my-tune.cnf
@ -4,7 +4,7 @@
 # https://mariadb.com/kb/en/library/performance-schema-overview/
 [server]
-innodb_buffer_pool_size        = {{ env "INNODB_BUFFER_POOL_SIZE" }}
+innodb_buffer_pool_size        = 1G
 innodb_flush_log_at_trx_commit = 2
 innodb_log_buffer_size         = 32M
 innodb_max_dirty_pages_pct     = 90
@ -13,7 +13,7 @@ key_buffer_size                = 16M
 innodb_log_file_size           = 256M
 long_query_time                = 1
 max_allowed_packet             = 256M
-max_connections                = {{ env "MAX_DB_CONNECTIONS" }}
+max_connections                = 100
 max_heap_table_size            = 64M
 max_user_connections           = 0
 myisam_recover_options         = BACKUP
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@ -11,10 +11,6 @@ events {
 http {
    include       /etc/nginx/mime.types;
    # See https://github.com/nextcloud/forms/issues/1838#issuecomment-1860497200
    types {
        application/javascript js mjs;
    }
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@ -45,14 +41,6 @@ http {
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        {{ if eq (env "HSTS_ENABLED") "1" }}
        {{ if eq (env "HSTS_PRELOAD") "1" }}
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        {{ else }}
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
        {{ end }}
        {{ end }}
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
@ -70,19 +58,13 @@ http {
        #pagespeed off;
        # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header Referrer-Policy                      "no-referrer"   always;
-        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Content-Type-Options               "nosniff"       always;
-        add_header X-Download-Options                   "noopen"            always;
+        add_header X-Download-Options                   "noopen"        always;
        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
        add_header X-Robots-Tag                         "noindex, nofollow" always;
        add_header X-XSS-Protection                     "1; mode=block"     always;
        {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
        {{ else }}
        add_header X-Frame-Options                      "SAMEORIGIN"    always;
-        {{ end }}
+        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-
+        add_header X-Robots-Tag                         "none"          always;
        add_header X-XSS-Protection                     "1; mode=block" always;
        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;
@ -143,9 +125,6 @@ http {
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
--- a/pg_backup.sh
+++ b/pg_backup.sh
@ -1,34 +0,0 @@
 #!/bin/bash
 set -e
 BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
 function backup {
  export PGPASSWORD=$(cat /run/secrets/db_password)
  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
 }
 function restore {
    cd /var/lib/postgresql/data/
    restore_config(){
        # Restore allowed connections
        cat pg_hba.conf.bak > pg_hba.conf
        su postgres -c 'pg_ctl reload'
    }
    # Don't allow any other connections than local
    cp pg_hba.conf pg_hba.conf.bak
    echo "local all all trust" > pg_hba.conf
    su postgres -c 'pg_ctl reload'
    trap restore_config EXIT INT TERM
    # Recreate Database
    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
    trap - EXIT INT TERM
    restore_config
 }
 $@
--- a/release/10.0.0+30.0.4-fpm
+++ b/release/10.0.0+30.0.4-fpm
@ -1 +0,0 @@
 https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_30.html
--- a/release/11.0.0+30.0.4-fpm
+++ b/release/11.0.0+30.0.4-fpm
@ -1,4 +0,0 @@
 Upgrades mariadb from 10.5 to 11.4
 NOTE: If your Nextcloud instance is using mariadb, after running this update you MUST run the database upgrade command:
 `abra app command nextcloud.yourserver.org db upgrade_mariadb`
 More info: https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/
--- a/release/3.1.0+25.0.1-fpm
+++ b/release/3.1.0+25.0.1-fpm
@ -1,57 +0,0 @@
 ## FPM Tune
 The fpm-tune.ini settings are now configurable by `.env`. Please add this to your servers configs:
 ```
 # fpm-tune, see: https://spot13.com/pmcalculator/
 FPM_MAX_CHILDREN=131
 FPM_START_SERVERS=32
 FPM_MIN_SPARE_SERVERS=32
 FPM_MAX_SPARE_SERVERS=98
 ```
 ## SMTP
 Add SMTP Config to your .env file:
 ```
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values
 # SMTP_AUTHTYPE=
 # SMTP_HOST=
 # SMTP_SECURE=
 # SMTP_NAME=
 # SMTP_PORT=
 # MAIL_FROM_ADDRESS=
 # MAIL_DOMAIN=
 # SECRET_SMTP_PASSWORD_VERSION=v1
 abra app secret insert example.com smtp_password v1 example_password
 ```
 ## Post Deploy Commands
 Some Apps can also be managed with abra app cmd!
 ```
 # COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
 # APPS="calendar sociallogin onlyoffice"
 abra app cmd example.com app install_apps
 # ONLYOFFICE_URL=https://onlyoffice.example.com
 # SECRET_ONLYOFFICE_JWT_VERSION=v1
 abra app secret insert example.com onlyoffice_jwt v1 example_password
 abra app cmd example.com app install_onlyoffice
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
 abra app secret insert example.com bbb_secret v1 example_password
 abra app cmd example.com app install_bbb
 ```
 ## Set Quota
 ```
 # DEFAULT_QUOTA="10 GB"
 abra app cmd example.com app set_default_quota
 ```
--- a/release/3.2.0+25.0.4-fpm
+++ b/release/3.2.0+25.0.4-fpm
@ -1,11 +0,0 @@
 If the authentik configuration should be handled by abra add the following to the env:
    COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
    AUTHENTIK_USER_PREFIX=authentik
    AUTHENTIK_DOMAIN=authentik.example.com
    AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
    AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
 And run:
    abra app cmd <app-name> app set_authentik
--- a/release/5.0.1+27.0.1-fpm
+++ b/release/5.0.1+27.0.1-fpm
@ -1 +0,0 @@
 The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more.
--- a/release/8.0.0+29.0.1-fpm
+++ b/release/8.0.0+29.0.1-fpm
@ -1 +0,0 @@
 BREAKING CHANGE: compose.apps.yml is now split for bbb and onlyoffice, configs must be updated
--- a/release/9.1.0+29.0.5-fpm
+++ b/release/9.1.0+29.0.5-fpm
@ -1 +0,0 @@
 Added automated customization options. Config needs to be updated to be able to use it.
--- a/releases/2.0.0+23.0.3-fpm
+++ b/releases/2.0.0+23.0.3-fpm
@ -1,4 +1,4 @@
-2.0.0 introduces a minor nextcloud update to 23.0.4 and moves the database service to a seperate override.yml file to support different database types (mariadb / postgres). This might break your installation. Please add the following snippet to your config .env to ensure the right db is used:
+2.0.0 introduces a minor nextcloud update to 23.0.3 and moves the database service to a seperate override.yml file to support different database types (mariadb / postgres). This might break your installation. Please add the following snippet to your config .env to ensure the right db is used:
 ```
 COMPOSE_FILE="compose.yml"
Author	SHA1	Message	Date
Philipp Rothmann	ea48f6837c	fixup stuff Some checks failed continuous-integration/drone/pr Build is failing Details	2022-05-18 10:33:08 +02:00
Philipp Rothmann	dba042ff46	add release note Some checks failed continuous-integration/drone/pr Build is failing Details	2022-05-12 12:19:56 +02:00
Philipp Rothmann	27e8e62675	add backupbot for postgres Some checks failed continuous-integration/drone/pr Build is failing Details	2022-05-11 18:43:39 +02:00
Philipp Rothmann	559ca6a95c	split db definitions in override files	2022-05-11 15:17:47 +02:00
		`@ -1 +0,0 @@`
			`/5 * * * php -d memory_limit=1G -f /var/www/html/cron.php`
		`@ -1 +0,0 @@`
			`https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_30.html`
		`@ -1 +0,0 @@`
			`The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more.`
		`@ -1 +0,0 @@`
			`BREAKING CHANGE: compose.apps.yml is now split for bbb and onlyoffice, configs must be updated`
		`@ -1 +0,0 @@`
			`Added automated customization options. Config needs to be updated to be able to use it.`