README update for imaginary

.env.sample

@@ -1,5 +1,5 @@
 TYPE=nextcloud
-#TIMEOUT=900
+TIMEOUT=900
 ENABLE_AUTO_UPDATE=true
 ENABLE_BACKUPS=true
 
@@ -15,7 +15,6 @@ COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #MAX_DB_CONNECTIONS=500
 
 ADMIN_USER=admin
-TZ=Etc/UTC
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
@@ -24,7 +23,6 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
 
 PHP_MEMORY_LIMIT=1G
-PHP_UPLOAD_LIMIT=512M
 # fpm-tune, see: https://spot13.com/pmcalculator/
 FPM_MAX_CHILDREN=16
 FPM_START_SERVERS=4
@@ -83,24 +81,15 @@ DEFAULT_QUOTA="10 GB"
 # AUTHENTIK_DOMAIN=authentik.example.com
 # SECRET_AUTHENTIK_SECRET_VERSION=v1
 # SECRET_AUTHENTIK_ID_VERSION=v1
+# OCC_CMDS="app:disable dashboard"
+# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1"
+# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1"
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
 #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
 
-#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
-#TALK_DOMAIN=talk.example.com
-#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
-# APPS="$APPS user_oidc"
-# USER_OIDC_PROVIDER=
-# USER_OIDC_ID=
-# USER_OIDC_DISCOVERY_URI=
-# USER_OIDC_END_SESSION_URI=
-# USER_OIDC_LOGIN_ONLY=false
-# SECRET_USER_OIDC_SECRET_VERSION=v1
+# Image / PDF previews with Imaginary (see README)
+#COMPOSE_FILE="$COMPOSE_FILE:compose.imaginary-preview.yml"
 
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html

README.md

@@ -25,28 +25,20 @@ Fully automated luxury Nextcloud via docker-swarm.
 
 ### Onlyoffice Integration
 
-First install onlyoffice following the instructions in the 
-[OnlyOffice Recipe](https://recipes.coopcloud.tech/onlyoffice), and enable
-the JWT secret.
-
 `abra app config <app-name>` 
-
-Configure the following envs with the URL of the onlyoffice service:
+Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
 ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 
-Then set the onlyoffice JWT secret from the onlyoffice installation:
-
-* `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
-* `abra app cmd <app-name> app install_onlyoffice`
+`abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
+`abra app cmd <app-name> app install_onlyoffice`
 
 ### BBB Integration
 
 `abra app config <app-name>` 
-
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -54,44 +46,8 @@ BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 SECRET_BBB_SECRET_VERSION=v1
 ```
 
-* `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
-* `abra app cmd <app-name> app install_bbb`
-
-### Nextcloud Talk High performance Backend
-
-Note: at the moment you are limited to run one Nextcloud high performance backend per docker host with this setup.
-
-`abra app config <app-name>` 
-
-Configure the following envs:
-```
-#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
-#TALK_DOMAIN=talk.example.com
-#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
-```
-
-* `abra app secret insert <app-name> talk_internal_secret v1 <talk_internal_secret>`
-* `abra app secret insert <app-name> talk_turn_secret v1 <talk_turn_secret>`
-* `abra app secret insert <app-name> talk_signaling_secret v1 <talk_signaling_secret>`
-* `abra app cmd <app-name> app install_talk`
-
-Don't forget to enable the additional env's in your hosts traefik instance:
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
-NEXTCLOUD_TALK_HPB_ENABLED=1
-```
-
-Due to a bug in compose that deletes duplacted ports without checking for the protocol, traefik need to get the additional udp binding added after the deployment via ssh (this might take longer than expected!):
-```
-docker service update  --publish-add published=3478,target=3478,protocol=udp traefik_XXX_XXX_app
-```
-
-To check if tcp and udp was binded, you can use:
-```
-docker service inspect traefik_XXX_XXX_app | grep 3478 -a2
-```
+`abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
+`abra app cmd <app-name> app install_bbb`
 
 ### Authentik Integration
 
@@ -108,18 +64,21 @@ AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authen
 
 `abra app cmd <app-name> app set_authentik`
 
+### Disable Dashboard
+
+Disable dashboard app since it is so corporate:
+
+`abra app config <app-name>` 
+Configure the following envs:
+```
+OCC_CMDS="app:disable dashboard"
+```
+`abra app cmd <app-name> app post_install_occ`
+
 ## Running `occ`
 
 `abra app cmd <app-name> app run_occ '"user:list --help"'`
 
-Read more about [occ command here](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
-
-### Disable Dashboard
-
-To disable dashboard app (since it is so corporate):
-
-`abra app cmd <app-name> app run_occ '"app:disable dashboard"'`
-
 ## Default user files
 
 - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
@@ -194,31 +153,6 @@ We've been able to get this setup by using the [social login](https://apps.nextc
 
 If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
 
-## How do I enable OpenID Connect (OIDC) providers?
-[user_oidc](https://github.com/nextcloud/user_oidc) is the recommended way to integrate Nextcloud with OIDC providers.
-
-Run `abra app config <app-name>`
-
-Set the following envs:
-```env
-COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
-APPS="$APPS user_oidc"
-USER_OIDC_PROVIDER=example-provider # this has been tested with keycloak
-USER_OIDC_ID=example-client-id # get this from your oidc provider
-USER_OIDC_DISCOVERY_URI=example-oidc-provider.com/.well-known/openid-configuration # get this from your oidc provider
-USER_OIDC_END_SESSION_URI=example-oidc-provider.com/protocol/openid-connect/logout # get this from your oidc provider
-USER_OIDC_LOGIN_ONLY=false # set this to true to automatically redirect all logins to your oidc provider
-SECRET_USER_OIDC_SECRET_VERSION=v1
-```
-
-Then insert the client secret from your OIDC provider:
-```sh
-abra app secret insert <app-name> user_oidc_secret v1 <client-secret from oidc provider>
-```
-
-After you deploy (or redeploy), run the following to set up the user_oidc Nextcloud app:
-`abra app cmd <app-name> app set_user_oidc`
-
 ## How can I customise the CSS?
 
 There is some basic stuff in the admin settings.
@@ -315,6 +249,20 @@ docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-ge
 
 This app will improve performance of image browsing at the cost of storage space.
 
+## Better image previews with `imaginary`
+
+1. Run `abra app config <domain>` and uncomment the line `#COMPOSE_FILE="$COMPOSE_FILE:compose.imaginary-preview.yml"`.
+2. Re-deploy the app (`abra app deploy <domain> --force`)
+3. Edit `/var/www/config/config.php` and add:
+
+  ```
+  'enabledPreviewProviders' => 
+  array (
+    0 => 'OC\\Preview\\Imaginary',
+  ),
+  'preview_imaginary_url' => 'http://imaginary:9000',
+  ```
+
 ## Fulltextsearch using elasticsearch
 
 1. Uncomment the following lines in your env file:

abra.sh

@@ -2,10 +2,9 @@
 
 export FPM_TUNE_VERSION=v5
 export NGINX_CONF_VERSION=v8
-export MY_CNF_VERSION=v6
+export MY_CNF_VERSION=v5
 export ENTRYPOINT_VERSION=v3
 export ENTRYPOINT_WHITEBOARD_VERSION=v1
-export ENTRYPOINT_TALK_VERSION=v1
 export CRONTAB_VERSION=v1
 export PG_BACKUP_VERSION=v2
 
@@ -13,6 +12,13 @@ run_occ() {
     su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
 }
 
+post_install_occ() {
+    IFS='|' read -ra CMD <<<"$OCC_CMDS"
+    for cmd in "${CMD[@]}"; do
+        run_occ "$cmd"
+    done
+}
+
 install_apps() {
     install_apps="$@"
     if [ -z "$install_apps" ]; then
@@ -98,15 +104,6 @@ install_whiteboard() {
 }
 
 
-install_talk() {
-    install_apps spreed
-    run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'"
-    run_occ "talk:stun:add '${TALK_DOMAIN}:3478'"
-    run_occ "talk:stun:add '${TALK_DOMAIN}:443'"
-    run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp"
-
-}
-
 install_fulltextsearch() {
     install_apps fulltextsearch
     install_apps fulltextsearch_elasticsearch
@@ -159,23 +156,6 @@ set_authentik() {
     run_occ 'config:system:set lost_password_link --value=disabled'
 }
 
-set_user_oidc() {
-    install_apps user_oidc
-    USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)
-    run_occ "user_oidc:provider \
-            --clientid=${USER_OIDC_ID} \
-            --clientsecret=${USER_OIDC_SECRET} \
-            --discoveryuri=${USER_OIDC_DISCOVERY_URI} \
-            --endsessionendpointuri=${USER_OIDC_END_SESSION_URI} \
-            --postlogouturi=https://${DOMAIN} \
-            --scope='openid email profile' \
-            ${USER_OIDC_PROVIDER}"
-    # disable non user_oidc login
-    if [[ ${USER_OIDC_LOGIN_ONLY:-false} = "true" ]]; then
-        run_occ "config:app:set --value=0 user_oidc allow_multiple_user_backends"
-    fi
-}
-
 disable_skeletondirectory() {
     run_occ "config:system:set skeletondirectory --value ''"
 }

compose.fulltextsearch.yml

@@ -29,7 +29,7 @@ services:
         mode: 0600
 
   searchindexer:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

compose.imaginary-preview.yml

@@ -0,0 +1,10 @@
+---
+version: '3.8'
+services:
+  imaginary:
+    image: nextcloud/aio-imaginary:20250822_112758
+    environment:
+      - PORT=9000
+    command: -concurrency 50 -enable-url-source -log-level debug
+    networks:
+      - internal

compose.mariadb.yml

@@ -16,7 +16,6 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
       - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
-      - INNODB_BUFFER_POOL_SIZE=${INNODB_BUFFER_POOL_SIZE:-1G}"
     configs:
       - source: my_tune
         target: /etc/mysql/conf.d/my-tune.cnf

compose.talk.yml

@@ -1,70 +0,0 @@
-version: "3.8"
-
-services:
-  talk:
-    image: "nextcloud/aio-talk:20251128_084214"
-    environment:
-      - NC_DOMAIN=${DOMAIN}
-      - TALK_HOST=${TALK_DOMAIN}
-      - TZ
-      - TALK_PORT=3478
-      - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret 
-      - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
-      - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
-    deploy:
-      labels:
-        - traefik.enable=true
-        - traefik.swarm.network=proxy
-        - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
-        - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
-        - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
-        - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
-        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.rule=HostSNI(`*`)
-        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.entrypoints=nextcloud-talk-hpb
-        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.service=${STACK_NAME}_nextcloud-talk-hpb-svc
-        - traefik.tcp.services.${STACK_NAME}_nextcloud-talk-hpb-svc.loadbalancer.server.port=3478
-        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.entrypoints=nextcloud-talk-hpb-udp
-        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.service=${STACK_NAME}_nextcloud-talk-hpb-udp-svc
-        - traefik.udp.services.${STACK_NAME}_nextcloud-talk-hpb-udp-svc.loadbalancer.server.port=3478
-    networks:
-      - proxy
-    configs:
-      - source: entrypoint_talk
-        target: /custom-entrypoint.sh
-        mode: 775
-    entrypoint: /custom-entrypoint.sh
-    secrets:
-      - source: talk_internal_secret
-        uid: "1000"
-        gid: "122"
-        mode: 0600
-      - source: talk_turn_secret
-        uid: "1000"
-        gid: "122"
-        mode: 0600
-      - source: talk_signaling_secret
-        uid: "1000"
-        gid: "122"
-        mode: 0600
-
-  app:
-    secrets:
-      - talk_turn_secret
-      - talk_signaling_secret
-
-secrets:
-  talk_internal_secret:
-    external: true
-    name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
-  talk_turn_secret:
-    external: true
-    name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
-  talk_signaling_secret:
-    external: true
-    name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
-
-configs:
-  entrypoint_talk:
-    name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
-    file: entrypoint.talk.sh.tmpl
-    template_driver: golang

compose.user_oidc.yml

@@ -1,10 +0,0 @@
-version: "3.8"
-services:
-  app:
-    secrets:
-      - user_oidc_secret
-
-secrets:
-  user_oidc_secret:
-    external: true
-    name: ${STACK_NAME}_user_oidc_secret_${SECRET_USER_OIDC_SECRET_VERSION}

compose.whiteboard.yml

@@ -6,11 +6,11 @@ services:
       - whiteboard_jwt
 
   whiteboard:
-    image: ghcr.io/nextcloud-releases/whiteboard:v1.5.0
+    image: ghcr.io/nextcloud-releases/whiteboard:v1.1.2
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.swarm.network=proxy
+        - traefik.docker.network=proxy
         - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
         - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
         - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
@@ -41,4 +41,4 @@ configs:
   entrypoint_whiteboard:
     name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
     file: entrypoint.whiteboard.sh.tmpl
-    template_driver: golang
+    template_driver: golang

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.29.4
+    image: nginx:1.29.0
     depends_on:
       - app
     configs:
@@ -29,26 +29,26 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.swarm.network=proxy"
+        - "traefik.docker.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
         - "caddy=${DOMAIN}"
         - "caddy.reverse_proxy={{upstreams 80}}"
         - "caddy.tls.on_demand="
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost/status.php | grep -q '\"installed\":true'"]
+      test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 5m
 
   app:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:31.0.6-fpm
     depends_on:
       - db
     configs:
@@ -76,7 +76,6 @@ services:
       - OVERWRITEPROTOCOL=https
       - OVERWRITECLIURL=https://${DOMAIN}
       - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
-      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
       - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
       - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
       - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
@@ -95,8 +94,8 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=13.0.1+32.0.3-fpm"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
+        - "coop-cloud.${STACK_NAME}.version=12.0.1+31.0.6-fpm"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         - "backupbot.backup.volumes.redis=false"
        #- "backupbot.backup.volumes.nextcloud=false"
@@ -109,7 +108,7 @@ services:
       start_period: 15m
 
   cron:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -125,7 +124,7 @@ services:
 
 
   cache:
-    image: redis:8.4.0-alpine
+    image: redis:8.0.2-alpine
     networks:
       - internal
     volumes:

entrypoint.talk.sh.tmpl

@@ -1,30 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
-
-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-
-  local val="$def"
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-
-  export "$var"="$val"
-  unset "$fileVar"
-}
-
-file_env "INTERNAL_SECRET"
-file_env "TURN_SECRET"
-file_env "SIGNALING_SECRET"
-
-/start.sh supervisord -c /supervisord.conf

my-tune.cnf

@@ -4,7 +4,7 @@
 # https://mariadb.com/kb/en/library/performance-schema-overview/
 
 [server]
-innodb_buffer_pool_size        = {{ env "INNODB_BUFFER_POOL_SIZE" }}
+innodb_buffer_pool_size        = 1G
 innodb_flush_log_at_trx_commit = 2
 innodb_log_buffer_size         = 32M
 innodb_max_dirty_pages_pct     = 90