chore: publish 13.1.0+32.0.11-fpm release

Reviewed-on: #70

.env.sample

@@ -93,6 +93,14 @@ DEFAULT_QUOTA="10 GB"
 #SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
 
+# COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
+# APPS="$APPS user_oidc"
+# USER_OIDC_PROVIDER=
+# USER_OIDC_ID=
+# USER_OIDC_DISCOVERY_URI=
+# USER_OIDC_END_SESSION_URI=
+# USER_OIDC_LOGIN_ONLY=false
+# SECRET_USER_OIDC_SECRET_VERSION=v1
 
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html

README.md

@@ -25,15 +25,21 @@ Fully automated luxury Nextcloud via docker-swarm.
 
 ### Onlyoffice Integration
 
+First install onlyoffice following the instructions in the 
+[OnlyOffice Recipe](https://recipes.coopcloud.tech/onlyoffice), and enable
+the JWT secret.
+
 `abra app config <app-name>` 
 
-Configure the following envs:
+Configure the following envs with the URL of the onlyoffice service:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
 ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 
+Then set the onlyoffice JWT secret from the onlyoffice installation:
+
 * `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
 * `abra app cmd <app-name> app install_onlyoffice`
 
@@ -188,6 +194,31 @@ We've been able to get this setup by using the [social login](https://apps.nextc
 
 If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
 
+## How do I enable OpenID Connect (OIDC) providers?
+[user_oidc](https://github.com/nextcloud/user_oidc) is the recommended way to integrate Nextcloud with OIDC providers.
+
+Run `abra app config <app-name>`
+
+Set the following envs:
+```env
+COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
+APPS="$APPS user_oidc"
+USER_OIDC_PROVIDER=example-provider # this has been tested with keycloak
+USER_OIDC_ID=example-client-id # get this from your oidc provider
+USER_OIDC_DISCOVERY_URI=example-oidc-provider.com/.well-known/openid-configuration # get this from your oidc provider
+USER_OIDC_END_SESSION_URI=example-oidc-provider.com/protocol/openid-connect/logout # get this from your oidc provider
+USER_OIDC_LOGIN_ONLY=false # set this to true to automatically redirect all logins to your oidc provider
+SECRET_USER_OIDC_SECRET_VERSION=v1
+```
+
+Then insert the client secret from your OIDC provider:
+```sh
+abra app secret insert <app-name> user_oidc_secret v1 <client-secret from oidc provider>
+```
+
+After you deploy (or redeploy), run the following to set up the user_oidc Nextcloud app:
+`abra app cmd <app-name> app set_user_oidc`
+
 ## How can I customise the CSS?
 
 There is some basic stuff in the admin settings.

abra.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v8b
+export NGINX_CONF_VERSION=v8
 export MY_CNF_VERSION=v6
 export ENTRYPOINT_VERSION=v3
 export ENTRYPOINT_WHITEBOARD_VERSION=v1
@@ -159,6 +159,23 @@ set_authentik() {
     run_occ 'config:system:set lost_password_link --value=disabled'
 }
 
+set_user_oidc() {
+    install_apps user_oidc
+    USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)
+    run_occ "user_oidc:provider \
+            --clientid=${USER_OIDC_ID} \
+            --clientsecret=${USER_OIDC_SECRET} \
+            --discoveryuri=${USER_OIDC_DISCOVERY_URI} \
+            --endsessionendpointuri=${USER_OIDC_END_SESSION_URI} \
+            --postlogouturi=https://${DOMAIN} \
+            --scope='openid email profile' \
+            ${USER_OIDC_PROVIDER}"
+    # disable non user_oidc login
+    if [[ ${USER_OIDC_LOGIN_ONLY:-false} = "true" ]]; then
+        run_occ "config:app:set --value=0 user_oidc allow_multiple_user_backends"
+    fi
+}
+
 disable_skeletondirectory() {
     run_occ "config:system:set skeletondirectory --value ''"
 }

compose.fulltextsearch.yml

@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   elasticsearch:
-    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
+    image: "docker.elastic.co/elasticsearch/elasticsearch:8.19.16"
     environment:
       - cluster.name=docker-cluster
       - bootstrap.memory_lock=true
@@ -29,7 +29,7 @@ services:
         mode: 0600
 
   searchindexer:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:32.0.11-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached

compose.postgres.yml

@@ -10,7 +10,7 @@ services:
       - NEXTCLOUD_UPDATE=1
 
   db:
-    image: "postgres:13"
+    image: "pgautoupgrade/pgautoupgrade:14-debian"
     command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
     volumes:
       - "postgres:/var/lib/postgresql/data"

compose.talk.yml

@@ -14,7 +14,7 @@ services:
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.docker.network=proxy
+        - traefik.swarm.network=proxy
         - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
         - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
         - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
@@ -67,4 +67,4 @@ configs:
   entrypoint_talk:
     name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
     file: entrypoint.talk.sh.tmpl
-    template_driver: golang
+    template_driver: golang

compose.user_oidc.yml

@@ -0,0 +1,10 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - user_oidc_secret
+
+secrets:
+  user_oidc_secret:
+    external: true
+    name: ${STACK_NAME}_user_oidc_secret_${SECRET_USER_OIDC_SECRET_VERSION}

compose.whiteboard.yml

@@ -6,11 +6,11 @@ services:
       - whiteboard_jwt
 
   whiteboard:
-    image: ghcr.io/nextcloud-releases/whiteboard:v1.5.0
+    image: ghcr.io/nextcloud-releases/whiteboard:v1.5.9
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.docker.network=proxy
+        - traefik.swarm.network=proxy
         - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
         - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
         - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
@@ -41,4 +41,4 @@ configs:
   entrypoint_whiteboard:
     name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
     file: entrypoint.whiteboard.sh.tmpl
-    template_driver: golang
+    template_driver: golang

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.29.4
+    image: nginx:1.31.1
     depends_on:
       - app
     configs:
@@ -14,7 +14,6 @@ services:
       - STACK_NAME
       - HSTS_ENABLED
       - HSTS_PRELOAD
-      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -30,7 +29,7 @@ services:
         order: start-first
       labels:
         - "traefik.enable=true"
-        - "traefik.docker.network=proxy"
+        - "traefik.swarm.network=proxy"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
@@ -38,7 +37,6 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
-        - "traefik.http.middlewares.${STACK_NAME}-buffering.buffering.maxRequestBodyBytes=0"
         - "caddy=${DOMAIN}"
         - "caddy.reverse_proxy={{upstreams 80}}"
         - "caddy.tls.on_demand="
@@ -50,7 +48,7 @@ services:
       start_period: 5m
 
   app:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:32.0.11-fpm
     depends_on:
       - db
     configs:
@@ -97,7 +95,7 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=13.0.1+32.0.3-fpm"
+        - "coop-cloud.${STACK_NAME}.version=13.1.0+32.0.11-fpm"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
         - "backupbot.backup=${ENABLE_BACKUPS:-true}"
         - "backupbot.backup.volumes.redis=false"
@@ -111,7 +109,7 @@ services:
       start_period: 15m
 
   cron:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:32.0.11-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -127,7 +125,7 @@ services:
 
 
   cache:
-    image: redis:8.4.0-alpine
+    image: redis:8.8.0-alpine
     networks:
       - internal
     volumes:

nginx.conf.tmpl

@@ -54,7 +54,7 @@ http {
         {{ end }}
 
         # set max upload size
-        client_max_body_size {{ env "PHP_UPLOAD_LIMIT" }} ;
+        client_max_body_size 512M;
         fastcgi_buffers 64 4K;
 
         # Enable gzip but do not remove ETag headers
@@ -162,10 +162,6 @@ http {
 
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
-
-            fastcgi_read_timeout 3600s;
-            fastcgi_send_timeout 3600s;
-            fastcgi_connect_timeout 60s;
         }
 
         location ~ \.(?:css|js|svg|gif)$ {

release/13.1.0+32.0.11-fpm

@@ -0,0 +1,3 @@
+Important:
+Posgres: Due to end of support for postgres 13 we upgraded to pgautoupgrade-14-debian but we could not test it, so please take backups before the upgrade!
+Elastic Search: We chose the latest minor update for elasticsearch but we were also not able to test it.