Adding maintainers to README.md

Cobbled together a file with the help of Claude.
I did re-read all of it, manually edited some parts,
and asked for modifications.

.env.sample

@@ -93,14 +93,6 @@ DEFAULT_QUOTA="10 GB"
 #SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
 
-# COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
-# APPS="$APPS user_oidc"
-# USER_OIDC_PROVIDER=
-# USER_OIDC_ID=
-# USER_OIDC_DISCOVERY_URI=
-# USER_OIDC_END_SESSION_URI=
-# USER_OIDC_LOGIN_ONLY=false
-# SECRET_USER_OIDC_SECRET_VERSION=v1
 
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html

MAINTENANCE.md

@@ -0,0 +1,96 @@
+# Nextcloud Recipe Maintenance
+
+> Status: **DRAFT** — open for discussion with co-maintainers and the wider
+> federation. Sections marked _(TBD)_ need collective input before this
+> document is considered ratified.
+
+This document describes how the Nextcloud recipe is maintained. It builds on
+the floor set by [Federation Resolution
+025](https://docs.coopcloud.tech/federation/resolutions/passed/025/) and
+follows the [`MAINTENANCE.md`
+template](https://docs.coopcloud.tech/maintainers/maintain/#maintenancemd-template)
+described in the Co-op Cloud maintainers' docs.
+
+All contributions should be made via a pull request so that quality and
+consistency stay something others can rely on.
+
+## Maintainers
+
+Everyone can apply to be a recipe maintainer. 
+Simply add your self to the list in the README.md and open a new pull request 
+with the change.
+
+## Maintainer Responsibilities
+
+This recipe commits to the following, which is tighter than the floor set by
+Resolution 025 (stable-recipe category). However, these timelines are
+best-effort, so we aim for them as good as possible:
+
+- Respond to PRs / issues within 3 working days
+- Apply security patches within 1 week of disclosure
+- Ship patch / minor image updates within 2 weeks of upstream release
+- Adopt major Nextcloud version updates within 1 release cycle of upstream
+  EOL of the previous major (see below)
+- Keep documentation current
+
+In order to meet these responsibilities each maintainer:
+
+- Watches the repository so notifications arrive
+- Keeps an eye on [Renovate](./renovate.json) updates and helps shepherd them through
+- Has a working contact (Matrix handle or email) reachable by the others
+
+## Release cadence
+
+The intent is to **track Nextcloud's own release schedule** rather than invent
+our own. In practice this means:
+
+- **Patch releases (e.g. `32.0.x`)**: published to this recipe shortly after
+  upstream, ideally within 1 week. `chore(deps)` opens the PRs; a maintainer
+  reviews the release notes and Nextcloud's issue tracker, and merges the PR
+  if it is OK.
+- **Minor releases**: same flow as patch releases, but one of the maintainer
+  tests it on their own instance before merging.
+- **Major releases (e.g. `32 → 33`)**: not adopted on day one. We wait for the
+  first one or two upstream patch releases of the new major to land
+  (typically 1–2 months) before promoting it here, to avoid passing the
+  early-adopter cost to operators. Major bumps get their own PR with release
+  notes and an upgrade-path check.
+  Before adding a major release, the following needs to be done:
+  - at least two maintainers update one of their production instances to the
+    new version
+  - the previous release gets a last update pointing to the docker image
+    versions nextcloud:xx-fpm, so that users can auto-update if they wish so
+  - the new release is added to this repo
+- If people have the time it would be nice to create specially tagged versions
+  for major releases, which reflect that this is 'bleeding edge' and has not
+  been thoroughly tested.
+- **Co-installed components** (Talk HPB, OnlyOffice, Whiteboard, etc.) are
+  bumped alongside or shortly after the matching Nextcloud release.
+
+## Pull Requests
+
+A pull request can be merged once it is approved by at least one maintainer.
+PRs opened by a maintainer need approval from another maintainer. With three
+maintainers this is workable; if the group shrinks, the rule should be
+revisited.
+
+Approvals should ideally include a smoke test on a real instance for anything
+beyond a patch bump — Nextcloud upgrades have a long history of surprising us
+(see the [upgrade notes in `README.md`](./README.md#upgrading-nextcloud)),
+and silent CI is not enough.
+
+## Becoming a maintainer
+
+Everyone is welcome to apply:
+
+1. Watch the repository so you get notifications.
+2. Open a pull request adding yourself to the `Maintainer` line in
+   [`README.md`](./README.md) and to the list above.
+3. Once an existing maintainer merges the PR, you'll be added to the
+   [nextcloud maintainers
+   team](https://git.coopcloud.tech/org/coop-cloud/teams/nextcloud-maintainers)
+   _(team to be created if it does not yet exist — TBD)_.
+
+Stepping down is symmetrical: open a PR removing yourself, and flag it in
+the federation channels so the group can plan replacement before falling
+below the Res. 025 floor of one named maintainer.

README.md

@@ -5,6 +5,7 @@
 Fully automated luxury Nextcloud via docker-swarm.
 
 <!-- metadata -->
+* **Maintainer**: [@dannygroenewegen](https://git.coopcloud.tech/dannygroenewegen), [@ineiti](https://git.coopcloud.tech/ineiti)
 * **Category**: Apps
 * **Status**: 5
 * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream
@@ -25,21 +26,15 @@ Fully automated luxury Nextcloud via docker-swarm.
 
 ### Onlyoffice Integration
 
-First install onlyoffice following the instructions in the 
-[OnlyOffice Recipe](https://recipes.coopcloud.tech/onlyoffice), and enable
-the JWT secret.
-
 `abra app config <app-name>` 
 
-Configure the following envs with the URL of the onlyoffice service:
+Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
 ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 
-Then set the onlyoffice JWT secret from the onlyoffice installation:
-
 * `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
 * `abra app cmd <app-name> app install_onlyoffice`
 
@@ -194,31 +189,6 @@ We've been able to get this setup by using the [social login](https://apps.nextc
 
 If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
 
-## How do I enable OpenID Connect (OIDC) providers?
-[user_oidc](https://github.com/nextcloud/user_oidc) is the recommended way to integrate Nextcloud with OIDC providers.
-
-Run `abra app config <app-name>`
-
-Set the following envs:
-```env
-COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
-APPS="$APPS user_oidc"
-USER_OIDC_PROVIDER=example-provider # this has been tested with keycloak
-USER_OIDC_ID=example-client-id # get this from your oidc provider
-USER_OIDC_DISCOVERY_URI=example-oidc-provider.com/.well-known/openid-configuration # get this from your oidc provider
-USER_OIDC_END_SESSION_URI=example-oidc-provider.com/protocol/openid-connect/logout # get this from your oidc provider
-USER_OIDC_LOGIN_ONLY=false # set this to true to automatically redirect all logins to your oidc provider
-SECRET_USER_OIDC_SECRET_VERSION=v1
-```
-
-Then insert the client secret from your OIDC provider:
-```sh
-abra app secret insert <app-name> user_oidc_secret v1 <client-secret from oidc provider>
-```
-
-After you deploy (or redeploy), run the following to set up the user_oidc Nextcloud app:
-`abra app cmd <app-name> app set_user_oidc`
-
 ## How can I customise the CSS?
 
 There is some basic stuff in the admin settings.

abra.sh

@@ -159,23 +159,6 @@ set_authentik() {
     run_occ 'config:system:set lost_password_link --value=disabled'
 }
 
-set_user_oidc() {
-    install_apps user_oidc
-    USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)
-    run_occ "user_oidc:provider \
-            --clientid=${USER_OIDC_ID} \
-            --clientsecret=${USER_OIDC_SECRET} \
-            --discoveryuri=${USER_OIDC_DISCOVERY_URI} \
-            --endsessionendpointuri=${USER_OIDC_END_SESSION_URI} \
-            --postlogouturi=https://${DOMAIN} \
-            --scope='openid email profile' \
-            ${USER_OIDC_PROVIDER}"
-    # disable non user_oidc login
-    if [[ ${USER_OIDC_LOGIN_ONLY:-false} = "true" ]]; then
-        run_occ "config:app:set --value=0 user_oidc allow_multiple_user_backends"
-    fi
-}
-
 disable_skeletondirectory() {
     run_occ "config:system:set skeletondirectory --value ''"
 }

compose.fulltextsearch.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   elasticsearch:
-    image: "docker.elastic.co/elasticsearch/elasticsearch:8.19.16"
+    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
     environment:
       - cluster.name=docker-cluster
       - bootstrap.memory_lock=true
@@ -29,7 +29,7 @@ services:
         mode: 0600
 
   searchindexer:
-    image: nextcloud:32.0.11-fpm
+    image: nextcloud:32.0.3-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

compose.postgres.yml

@@ -10,7 +10,7 @@ services:
       - NEXTCLOUD_UPDATE=1
 
   db:
-    image: "pgautoupgrade/pgautoupgrade:14-debian"
+    image: "postgres:13"
     command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
     volumes:
       - "postgres:/var/lib/postgresql/data"

compose.talk.yml

@@ -14,7 +14,7 @@ services:
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.swarm.network=proxy
+        - traefik.docker.network=proxy
         - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
         - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
         - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
@@ -67,4 +67,4 @@ configs:
   entrypoint_talk:
     name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
     file: entrypoint.talk.sh.tmpl
-    template_driver: golang
+    template_driver: golang

compose.user_oidc.yml

@@ -1,10 +0,0 @@
-version: "3.8"
-services:
-  app:
-    secrets:
-      - user_oidc_secret
-
-secrets:
-  user_oidc_secret:
-    external: true
-    name: ${STACK_NAME}_user_oidc_secret_${SECRET_USER_OIDC_SECRET_VERSION}

compose.whiteboard.yml

@@ -6,11 +6,11 @@ services:
       - whiteboard_jwt
 
   whiteboard:
-    image: ghcr.io/nextcloud-releases/whiteboard:v1.5.9
+    image: ghcr.io/nextcloud-releases/whiteboard:v1.5.0
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.swarm.network=proxy
+        - traefik.docker.network=proxy
         - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
         - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
         - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
@@ -41,4 +41,4 @@ configs:
   entrypoint_whiteboard:
     name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
     file: entrypoint.whiteboard.sh.tmpl
-    template_driver: golang
+    template_driver: golang

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.31.1
+    image: nginx:1.29.4
     depends_on:
       - app
     configs:
@@ -29,7 +29,7 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.swarm.network=proxy"
+        - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
@@ -48,7 +48,7 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:32.0.11-fpm
+    image: nextcloud:32.0.3-fpm
     depends_on:
       - db
     configs:
@@ -95,7 +95,7 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=13.1.0+32.0.11-fpm"
+        - "coop-cloud.${STACK_NAME}.version=13.0.1+32.0.3-fpm"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         - "backupbot.backup.volumes.redis=false"
@@ -109,7 +109,7 @@ services:
       start_period: 15m
 
   cron:
-    image: nextcloud:32.0.11-fpm
+    image: nextcloud:32.0.3-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -125,7 +125,7 @@ services:
 
 
   cache:
-    image: redis:8.8.0-alpine
+    image: redis:8.4.0-alpine
     networks:
       - internal
     volumes:

release/13.1.0+32.0.11-fpm

@@ -1,3 +0,0 @@
-Important:
-Posgres: Due to end of support for postgres 13 we upgraded to pgautoupgrade-14-debian but we could not test it, so please take backups before the upgrade!
-Elastic Search: We chose the latest minor update for elasticsearch but we were also not able to test it.