chore: publish 9.1.0+29.0.5-fpm release

.drone.yml

@@ -22,8 +22,6 @@ steps:
       NGINX_CONF_VERSION: v1
       MY_CNF_VERSION: v1
       ENTRYPOINT_VERSION: v1
-      CRONTAB_VERSION: v1
-      PG_BACKUP_VERSION: v2
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_ADMIN_PASSWORD_VERSION: v1
@@ -45,7 +43,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -1,7 +1,6 @@
 TYPE=nextcloud
 TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
-ENABLE_BACKUPS=true
 
 DOMAIN=nextcloud.example.com
 ## Domain aliases
@@ -23,7 +22,6 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
 
 PHP_MEMORY_LIMIT=1G
-PHP_UPLOAD_LIMIT=512M
 # fpm-tune, see: https://spot13.com/pmcalculator/
 FPM_MAX_CHILDREN=16
 FPM_START_SERVERS=4
@@ -49,19 +47,13 @@ DEFAULT_QUOTA="10 GB"
 ## Customization
 # THEMING_COLOR=
 # THEMING_SLOGAN=
-# COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/"
-# COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/"
-# COPY_ASSETS="$COPY_ASSETS icon.png|app:/var/www/html/themes/"
+# COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/background.jpg"
+# COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/logo.svg"
+# COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/icon.png"
 
 # APPS="calendar"
 
 # COLLABORA_URL=https://collabora.example.com
-## IMPORTANT FOR SECURITY REASONS WHEN RUNNING COLLABORA
-## list of IP addresses that are allowed to make WOPI requests. Use the default
-## when running the collabora server on the same machine as nextcloud.
-## Otherwise set this to the IP address range of your collabora server(s) i.e. 1.2.3.4/32
-## https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
-# COLLABORA_ALLOWLIST="172.16.0.0/12"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml"
 # ONLYOFFICE_URL=https://onlyoffice.example.com
@@ -72,22 +64,15 @@ DEFAULT_QUOTA="10 GB"
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
-# APPS="$APPS whiteboard"
-# SECRET_WHITEBOARD_JWT_VERSION=v1
-
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
 # APPS="$APPS sociallogin"
 # AUTHENTIK_USER_PREFIX=authentik
 # AUTHENTIK_DOMAIN=authentik.example.com
 # SECRET_AUTHENTIK_SECRET_VERSION=v1
 # SECRET_AUTHENTIK_ID_VERSION=v1
+# OCC_CMDS="app:disable dashboard"
+# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1"
+# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1"
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
-
-# HSTS Options
-# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
-#HSTS_ENABLED=1
-# Uncomment this line to add the `preload` part
-#HSTS_PRELOAD=1

README.md

@@ -64,18 +64,21 @@ AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authen
 
 `abra app cmd <app-name> app set_authentik`
 
+### Disable Dashboard
+
+Disable dashboard app since it is so corporate:
+
+`abra app config <app-name>` 
+Configure the following envs:
+```
+OCC_CMDS="app:disable dashboard"
+```
+`abra app cmd <app-name> app post_install_occ`
+
 ## Running `occ`
 
 `abra app cmd <app-name> app run_occ '"user:list --help"'`
 
-Read more about [occ command here](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
-
-### Disable Dashboard
-
-To disable dashboard app (since it is so corporate):
-
-`abra app cmd <app-name> app run_occ '"app:disable dashboard"'`
-
 ## Default user files
 
 - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
@@ -84,12 +87,7 @@ To disable dashboard app (since it is so corporate):
 
 - Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
 
-## Upgrading Nextcloud
-Upgrading Nextcloud can be a hair raising experiance. They [don't support downgrading](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html) even for minor versions.
-
-Many of us  have found that jumping major versions when upgrading is also a bad idea. We have however found that it's ok to skip minor version upgrades and go to the last minor version before a major version (e.g. 24.0.0 to 24.9.9 before going to 25.0.0). To extra cautious just upgrade one release at a time. Read the release notes and check your logs.
-
-## Upgrading Nextcloud apps (plug-ins)
+## Upgrading Nextcloud apps
 
 `abra app cmd <app-name> app run_occ '"app:update --all"'`
 
@@ -283,11 +281,3 @@ And you can populate the index manually and check if any errors occur:
 ```
 abra app cmd <domain> app run_occ '"fulltextsearch:index"'
 ```
-
-### Troubleshooting fulltextsearch
-
-The fulltextsearch plugin might be stuck with this error: "Index is already running". In that case the following command can get things runing again:
-
-```
-abra app run <domain> db /bin/sh -- -c 'echo "delete from oc_fulltextsearch_ticks;" | mariadb -u root -p$(cat /run/secrets/db_root_password) nextcloud'
-```

abra.sh

@@ -1,17 +1,22 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v8
-export MY_CNF_VERSION=v6
+export NGINX_CONF_VERSION=v7
+export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
-export ENTRYPOINT_WHITEBOARD_VERSION=v1
 export CRONTAB_VERSION=v1
-export PG_BACKUP_VERSION=v2
 
 run_occ() {
     su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
 }
 
+post_install_occ() {
+    IFS='|' read -ra CMD <<<"$OCC_CMDS"
+    for cmd in "${CMD[@]}"; do
+        run_occ "$cmd"
+    done
+}
+
 install_apps() {
     install_apps="$@"
     if [ -z "$install_apps" ]; then
@@ -85,18 +90,8 @@ install_onlyoffice() {
 install_collabora() {
     install_apps richdocuments
     set_app_config richdocuments wopi_url "$COLLABORA_URL"
-    # important for security reaosns
-    # https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
-    set_app_config richdocuments wopi_allowlist "$COLLABORA_ALLOWLIST"
 }
 
-install_whiteboard() {
-    install_apps whiteboard
-    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
-    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
-}
-
-
 install_fulltextsearch() {
     install_apps fulltextsearch
     install_apps fulltextsearch_elasticsearch
@@ -126,7 +121,7 @@ set_authentik() {
         \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"displayNameClaim\":\"preferred_username\",
         \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
-        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/nextcloud/end-session/\",
+        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\",
         \"clientId\":\"$AUTHENTIK_ID\",
         \"clientSecret\":\"$AUTHENTIK_SECRET\",
         \"scope\":\"openid profile email nextcloud\",
@@ -152,17 +147,3 @@ set_authentik() {
 disable_skeletondirectory() {
     run_occ "config:system:set skeletondirectory --value ''"
 }
-
-set_windowsfriendly_filenames() {
-    run_occ 'config:system:set forbidden_filename_characters 0 --value=?'
-    run_occ 'config:system:set forbidden_filename_characters 1 --value=\<'
-    run_occ 'config:system:set forbidden_filename_characters 2 --value=\>'
-    run_occ 'config:system:set forbidden_filename_characters 3 --value=:'
-    run_occ 'config:system:set forbidden_filename_characters 4 --value=*'
-    run_occ 'config:system:set forbidden_filename_characters 5 --value=\|'
-    run_occ 'config:system:set forbidden_filename_characters 6 --value=\"'
-}
-
-upgrade_mariadb() {
-    mariadb-upgrade -p`cat /run/secrets/db_root_password`
-}

compose.fulltextsearch.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   elasticsearch:
-    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
+    image: "docker.elastic.co/elasticsearch/elasticsearch:8.15.0"
     environment:
       - cluster.name=docker-cluster
       - bootstrap.memory_lock=true
@@ -29,7 +29,7 @@ services:
         mode: 0600
 
   searchindexer:
-    image: nextcloud:31.0.6-fpm
+    image: nextcloud:29.0.5-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

compose.mariadb.yml

@@ -9,14 +9,13 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
 
   db:
-    image: "mariadb:11.4"
+    image: "mariadb:10.5"
     environment:
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
       - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
-      - INNODB_BUFFER_POOL_SIZE=${INNODB_BUFFER_POOL_SIZE:-1G}"
     configs:
       - source: my_tune
         target: /etc/mysql/conf.d/my-tune.cnf
@@ -29,11 +28,12 @@ services:
       - internal
     deploy:
       labels:
-        backupbot.backup.pre-hook: 'mariadb-dump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
-        backupbot.backup.volumes.mariadb.path: "backup.sql"
-        backupbot.restore.post-hook: 'mariadb -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud < /var/lib/mysql/backup.sql'
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
+          backupbot.backup.post-hook: "rm -rf /var/lib/mysql/backup.sql"
+          backupbot.backup.path: "/var/lib/mysql/backup.sql"
     healthcheck:
-      test: ["CMD-SHELL", 'mariadb-admin -p"$$(cat /run/secrets/db_root_password)"  ping']
+      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
       interval: 30s
       timeout: 10s
       retries: 10

compose.postgres.yml

@@ -29,18 +29,10 @@ services:
       retries: 5
     deploy:
       labels:
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.volumes.postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
+            backupbot.backup: "true"
+            backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
+            backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
+            backupbot.backup.path: "/var/lib/postgresql/data/"
 
 volumes:
   postgres:
-
-configs:
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh

compose.whiteboard.yml

@@ -1,44 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - whiteboard_jwt
-
-  whiteboard:
-    image: ghcr.io/nextcloud-releases/whiteboard:v1.1.2
-    deploy:
-      labels:
-        - traefik.enable=true
-        - traefik.docker.network=proxy
-        - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
-        - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
-        - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
-        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
-        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
-        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
-    configs:
-      - source: entrypoint_whiteboard
-        target: /custom-entrypoint.sh
-    entrypoint: ["sh", "/custom-entrypoint.sh"]
-    user: root
-    networks:
-     - proxy
-    ports:
-      - 3002:3002
-    secrets:
-      - whiteboard_jwt
-    environment:
-      - NEXTCLOUD_URL=https://$DOMAIN
-      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
-
-secrets:
-  whiteboard_jwt:
-    external: true
-    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
-
-configs:
-  entrypoint_whiteboard:
-    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
-    file: entrypoint.whiteboard.sh.tmpl
-    template_driver: golang

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.29.0
+    image: nginx:1.27.1
     depends_on:
       - app
     configs:
@@ -12,8 +12,6 @@ services:
       - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
-      - HSTS_ENABLED
-      - HSTS_PRELOAD
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -35,8 +33,8 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "caddy=${DOMAIN}"
         - "caddy.reverse_proxy={{upstreams 80}}"
         - "caddy.tls.on_demand="
@@ -48,7 +46,7 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:31.0.6-fpm
+    image: nextcloud:29.0.5-fpm
     depends_on:
       - db
     configs:
@@ -74,9 +72,7 @@ services:
       - TRUSTED_PROXIES=10.0.0.0/8
       - REDIS_HOST=cache
       - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://${DOMAIN}
       - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
-      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
       - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
       - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
       - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
@@ -95,12 +91,10 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=12.0.1+31.0.6-fpm"
+        - "coop-cloud.${STACK_NAME}.version=9.1.0+29.0.5-fpm"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
-        - "backupbot.backup.volumes.redis=false"
-       #- "backupbot.backup.volumes.nextcloud=false"
-
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
     healthcheck:
       test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"']
       interval: 30s
@@ -109,7 +103,7 @@ services:
       start_period: 15m
 
   cron:
-    image: nextcloud:31.0.6-fpm
+    image: nextcloud:29.0.5-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -125,7 +119,7 @@ services:
 
 
   cache:
-    image: redis:8.0.2-alpine
+    image: redis:7.4.0-alpine
     networks:
       - internal
     volumes:

entrypoint.whiteboard.sh.tmpl

@@ -1,6 +0,0 @@
-#!/bin/sh
-set -e
-
-export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
-
-exec npm run server:start

my-tune.cnf

@@ -4,7 +4,7 @@
 # https://mariadb.com/kb/en/library/performance-schema-overview/
 
 [server]
-innodb_buffer_pool_size        = {{ env "INNODB_BUFFER_POOL_SIZE" }}
+innodb_buffer_pool_size        = 1G
 innodb_flush_log_at_trx_commit = 2
 innodb_log_buffer_size         = 32M
 innodb_max_dirty_pages_pct     = 90

nginx.conf.tmpl

@@ -45,13 +45,6 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        {{ if eq (env "HSTS_ENABLED") "1" }}
-        {{ if eq (env "HSTS_PRELOAD") "1" }}
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        {{ else }}
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
-        {{ end }}
-        {{ end }}
 
         # set max upload size
         client_max_body_size 512M;

pg_backup.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat /run/secrets/db_password)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@

release/10.0.0+30.0.4-fpm

@@ -1 +0,0 @@
-https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_30.html

release/11.0.0+30.0.4-fpm

@@ -1,4 +0,0 @@
-Upgrades mariadb from 10.5 to 11.4
-NOTE: If your Nextcloud instance is using mariadb, after running this update you MUST run the database upgrade command:
-`abra app command nextcloud.yourserver.org db upgrade_mariadb`
-More info: https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/