chore: update readme

.drone.yml

@@ -22,8 +22,6 @@ steps:
       NGINX_CONF_VERSION: v1
       MY_CNF_VERSION: v1
       ENTRYPOINT_VERSION: v1
-      CRONTAB_VERSION: v1
-      PG_BACKUP_VERSION: v2
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_ADMIN_PASSWORD_VERSION: v1
@@ -33,19 +31,3 @@ steps:
 trigger:
   branch:
     - main
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - toolshed/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -1,7 +1,4 @@
 TYPE=nextcloud
-#TIMEOUT=900
-ENABLE_AUTO_UPDATE=true
-ENABLE_BACKUPS=true
 
 DOMAIN=nextcloud.example.com
 ## Domain aliases
@@ -12,10 +9,7 @@ COMPOSE_FILE="compose.yml"
 COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 
-#MAX_DB_CONNECTIONS=500
-
 ADMIN_USER=admin
-TZ=Etc/UTC
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
@@ -23,13 +17,11 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
 
-PHP_MEMORY_LIMIT=1G
-PHP_UPLOAD_LIMIT=512M
 # fpm-tune, see: https://spot13.com/pmcalculator/
-FPM_MAX_CHILDREN=16
-FPM_START_SERVERS=4
-FPM_MIN_SPARE_SERVERS=4
-FPM_MAX_SPARE_SERVERS=12
+FPM_MAX_CHILDREN=131
+FPM_START_SERVERS=32
+FPM_MIN_SPARE_SERVERS=32
+FPM_MAX_SPARE_SERVERS=98
 
 DEFAULT_QUOTA="10 GB"
 
@@ -47,55 +39,21 @@ DEFAULT_QUOTA="10 GB"
 # MAIL_DOMAIN=
 # SECRET_SMTP_PASSWORD_VERSION=v1
 
-## Customization
-# THEMING_COLOR=
-# THEMING_SLOGAN=
-# COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/"
-# COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/"
-# COPY_ASSETS="$COPY_ASSETS icon.png|app:/var/www/html/themes/"
-
-# APPS="calendar"
-
-# COLLABORA_URL=https://collabora.example.com
-## IMPORTANT FOR SECURITY REASONS WHEN RUNNING COLLABORA
-## list of IP addresses that are allowed to make WOPI requests. Use the default
-## when running the collabora server on the same machine as nextcloud.
-## Otherwise set this to the IP address range of your collabora server(s) i.e. 1.2.3.4/32
-## https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
-# COLLABORA_ALLOWLIST="172.16.0.0/12"
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml"
+# COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
+# APPS="calendar sociallogin onlyoffice"
+#
 # ONLYOFFICE_URL=https://onlyoffice.example.com
-# APPS="$APPS onlyoffice"
 # SECRET_ONLYOFFICE_JWT_VERSION=v1
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.bbb.yml"
+#
 # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 # SECRET_BBB_SECRET_VERSION=v1
-
-# COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
-# APPS="$APPS whiteboard"
-# SECRET_WHITEBOARD_JWT_VERSION=v1
+#
+# OCC_CMDS="app:disable dashboard"
+# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1"
+# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1"
 
 # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-# APPS="$APPS sociallogin"
 # AUTHENTIK_USER_PREFIX=authentik
 # AUTHENTIK_DOMAIN=authentik.example.com
-# SECRET_AUTHENTIK_SECRET_VERSION=v1
-# SECRET_AUTHENTIK_ID_VERSION=v1
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
-#SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
-
-#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
-#TALK_DOMAIN=talk.example.com
-#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
-
-
-# HSTS Options
-# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
-#HSTS_ENABLED=1
-# Uncomment this line to add the `preload` part
-#HSTS_PRELOAD=1
+# AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
+# AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik

MAINTENANCE.md

@@ -1,96 +0,0 @@
-# Nextcloud Recipe Maintenance
-
-> Status: **DRAFT** — open for discussion with co-maintainers and the wider
-> federation. Sections marked _(TBD)_ need collective input before this
-> document is considered ratified.
-
-This document describes how the Nextcloud recipe is maintained. It builds on
-the floor set by [Federation Resolution
-025](https://docs.coopcloud.tech/federation/resolutions/passed/025/) and
-follows the [`MAINTENANCE.md`
-template](https://docs.coopcloud.tech/maintainers/maintain/#maintenancemd-template)
-described in the Co-op Cloud maintainers' docs.
-
-All contributions should be made via a pull request so that quality and
-consistency stay something others can rely on.
-
-## Maintainers
-
-Everyone can apply to be a recipe maintainer. 
-Simply add your self to the list in the README.md and open a new pull request 
-with the change.
-
-## Maintainer Responsibilities
-
-This recipe commits to the following, which is tighter than the floor set by
-Resolution 025 (stable-recipe category). However, these timelines are
-best-effort, so we aim for them as good as possible:
-
-- Respond to PRs / issues within 3 working days
-- Apply security patches within 1 week of disclosure
-- Ship patch / minor image updates within 2 weeks of upstream release
-- Adopt major Nextcloud version updates within 1 release cycle of upstream
-  EOL of the previous major (see below)
-- Keep documentation current
-
-In order to meet these responsibilities each maintainer:
-
-- Watches the repository so notifications arrive
-- Keeps an eye on [Renovate](./renovate.json) updates and helps shepherd them through
-- Has a working contact (Matrix handle or email) reachable by the others
-
-## Release cadence
-
-The intent is to **track Nextcloud's own release schedule** rather than invent
-our own. In practice this means:
-
-- **Patch releases (e.g. `32.0.x`)**: published to this recipe shortly after
-  upstream, ideally within 1 week. `chore(deps)` opens the PRs; a maintainer
-  reviews the release notes and Nextcloud's issue tracker, and merges the PR
-  if it is OK.
-- **Minor releases**: same flow as patch releases, but one of the maintainer
-  tests it on their own instance before merging.
-- **Major releases (e.g. `32 → 33`)**: not adopted on day one. We wait for the
-  first one or two upstream patch releases of the new major to land
-  (typically 1–2 months) before promoting it here, to avoid passing the
-  early-adopter cost to operators. Major bumps get their own PR with release
-  notes and an upgrade-path check.
-  Before adding a major release, the following needs to be done:
-  - at least two maintainers update one of their production instances to the
-    new version
-  - the previous release gets a last update pointing to the docker image
-    versions nextcloud:xx-fpm, so that users can auto-update if they wish so
-  - the new release is added to this repo
-- If people have the time it would be nice to create specially tagged versions
-  for major releases, which reflect that this is 'bleeding edge' and has not
-  been thoroughly tested.
-- **Co-installed components** (Talk HPB, OnlyOffice, Whiteboard, etc.) are
-  bumped alongside or shortly after the matching Nextcloud release.
-
-## Pull Requests
-
-A pull request can be merged once it is approved by at least one maintainer.
-PRs opened by a maintainer need approval from another maintainer. With three
-maintainers this is workable; if the group shrinks, the rule should be
-revisited.
-
-Approvals should ideally include a smoke test on a real instance for anything
-beyond a patch bump — Nextcloud upgrades have a long history of surprising us
-(see the [upgrade notes in `README.md`](./README.md#upgrading-nextcloud)),
-and silent CI is not enough.
-
-## Becoming a maintainer
-
-Everyone is welcome to apply:
-
-1. Watch the repository so you get notifications.
-2. Open a pull request adding yourself to the `Maintainer` line in
-   [`README.md`](./README.md) and to the list above.
-3. Once an existing maintainer merges the PR, you'll be added to the
-   [nextcloud maintainers
-   team](https://git.coopcloud.tech/org/coop-cloud/teams/nextcloud-maintainers)
-   _(team to be created if it does not yet exist — TBD)_.
-
-Stepping down is symmetrical: open a PR removing yourself, and flag it in
-the federation channels so the group can plan replacement before falling
-below the Res. 025 floor of one named maintainer.

README.md

@@ -5,12 +5,11 @@
 Fully automated luxury Nextcloud via docker-swarm.
 
 <!-- metadata -->
-* **Maintainer**: [@dannygroenewegen](https://git.coopcloud.tech/dannygroenewegen), [@ineiti](https://git.coopcloud.tech/ineiti)
 * **Category**: Apps
-* **Status**: 5
+* **Status**: 2, beta
 * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream
 * **Healthcheck**: Yes
-* **Backups**: Yes
+* **Backups**: No
 * **Email**: 3
 * **Tests**: 2
 * **SSO**: 1 (OAuth)
@@ -18,6 +17,7 @@ Fully automated luxury Nextcloud via docker-swarm.
 
 ## Quick start
 
+
 * `abra app new nextcloud`
 * `abra app config <app-name>`
 * `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>`
@@ -27,7 +27,6 @@ Fully automated luxury Nextcloud via docker-swarm.
 ### Onlyoffice Integration
 
 `abra app config <app-name>` 
-
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -35,13 +34,12 @@ ONLYOFFICE_URL=https://onlyoffice.example.com
 SECRET_ONLYOFFICE_JWT_VERSION=v1
 ```
 
-* `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
-* `abra app cmd <app-name> app install_onlyoffice`
+`abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
+`abra app cmd <app-name> app install_onlyoffice`
 
 ### BBB Integration
 
 `abra app config <app-name>` 
-
 Configure the following envs:
 ```
 COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
@@ -49,44 +47,8 @@ BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
 SECRET_BBB_SECRET_VERSION=v1
 ```
 
-* `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
-* `abra app cmd <app-name> app install_bbb`
-
-### Nextcloud Talk High performance Backend
-
-Note: at the moment you are limited to run one Nextcloud high performance backend per docker host with this setup.
-
-`abra app config <app-name>` 
-
-Configure the following envs:
-```
-#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
-#TALK_DOMAIN=talk.example.com
-#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
-#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
-```
-
-* `abra app secret insert <app-name> talk_internal_secret v1 <talk_internal_secret>`
-* `abra app secret insert <app-name> talk_turn_secret v1 <talk_turn_secret>`
-* `abra app secret insert <app-name> talk_signaling_secret v1 <talk_signaling_secret>`
-* `abra app cmd <app-name> app install_talk`
-
-Don't forget to enable the additional env's in your hosts traefik instance:
-```
-COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
-NEXTCLOUD_TALK_HPB_ENABLED=1
-```
-
-Due to a bug in compose that deletes duplacted ports without checking for the protocol, traefik need to get the additional udp binding added after the deployment via ssh (this might take longer than expected!):
-```
-docker service update  --publish-add published=3478,target=3478,protocol=udp traefik_XXX_XXX_app
-```
-
-To check if tcp and udp was binded, you can use:
-```
-docker service inspect traefik_XXX_XXX_app | grep 3478 -a2
-```
+`abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
+`abra app cmd <app-name> app install_bbb`
 
 ### Authentik Integration
 
@@ -103,18 +65,21 @@ AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authen
 
 `abra app cmd <app-name> app set_authentik`
 
+### Disable Dashboard
+
+Disable dashboard app since it is so corporate:
+
+`abra app config <app-name>` 
+Configure the following envs:
+```
+OCC_CMDS="app:disable dashboard"
+```
+`abra app cmd <app-name> app post_install_occ`
+
 ## Running `occ`
 
 `abra app cmd <app-name> app run_occ '"user:list --help"'`
 
-Read more about [occ command here](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
-
-### Disable Dashboard
-
-To disable dashboard app (since it is so corporate):
-
-`abra app cmd <app-name> app run_occ '"app:disable dashboard"'`
-
 ## Default user files
 
 - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
@@ -123,12 +88,7 @@ To disable dashboard app (since it is so corporate):
 
 - Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
 
-## Upgrading Nextcloud
-Upgrading Nextcloud can be a hair raising experiance. They [don't support downgrading](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html) even for minor versions.
-
-Many of us  have found that jumping major versions when upgrading is also a bad idea. We have however found that it's ok to skip minor version upgrades and go to the last minor version before a major version (e.g. 24.0.0 to 24.9.9 before going to 25.0.0). To extra cautious just upgrade one release at a time. Read the release notes and check your logs.
-
-## Upgrading Nextcloud apps (plug-ins)
+## Upgrading Nextcloud apps
 
 `abra app cmd <app-name> app run_occ '"app:update --all"'`
 
@@ -160,7 +120,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the
 ```
   'oidc_login_client_id' => 'nextcloud',
   'oidc_login_client_secret' => 'mysecret',
-  'oidc_login_provider_url' => 'https://example.com/realms/myrealm',
+  'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm',
   'oidc_login_disable_registration' => false,
   'oidc_login_hide_password_form' => true,
   'oidc_login_button_text' => 'Log in with your myssodomain',
@@ -284,49 +244,3 @@ docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-ge
 ```
 
 This app will improve performance of image browsing at the cost of storage space.
-
-## Fulltextsearch using elasticsearch
-
-1. Uncomment the following lines in your env file:
-```
-#COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
-#SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
-```
-
-2. Generate the secret for elasticsearch:
-```bash
-abra app secret generate <domain> elasticsearch_password v1
-```
-
-3. Deploy your app:
-```bash
-abra app deploy <domain>
-```
-
-4. Install the apps and configure them:
-```
-abra app cmd <domain> app install_fulltextsearch
-```
-
-5. You might need to configure the files_fulltextsearch app. run this command to check its settings:
-```
-abra app cmd <domain> app run_occ '"config:list files_fulltextsearch"
-```
-
-6. You can check if the nextcloud can connect to elasticsearch:
-```
-abra app cmd <domain> app run_occ '"fulltextsearch:test"'
-```
-
-And you can populate the index manually and check if any errors occur:
-```
-abra app cmd <domain> app run_occ '"fulltextsearch:index"'
-```
-
-### Troubleshooting fulltextsearch
-
-The fulltextsearch plugin might be stuck with this error: "Index is already running". In that case the following command can get things runing again:
-
-```
-abra app run <domain> db /bin/sh -- -c 'echo "delete from oc_fulltextsearch_ticks;" | mariadb -u root -p$(cat /run/secrets/db_root_password) nextcloud'
-```

abra.sh

@@ -1,132 +1,63 @@
 #!/bin/bash
 
 export FPM_TUNE_VERSION=v5
-export NGINX_CONF_VERSION=v8
-export MY_CNF_VERSION=v6
+export NGINX_CONF_VERSION=v4
+export MY_CNF_VERSION=v4
 export ENTRYPOINT_VERSION=v3
-export ENTRYPOINT_WHITEBOARD_VERSION=v1
-export ENTRYPOINT_TALK_VERSION=v1
-export CRONTAB_VERSION=v1
-export PG_BACKUP_VERSION=v2
 
-run_occ() {
+run_occ(){
     su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
 }
 
-install_apps() {
+post_install_occ(){
+    IFS='|' read -ra CMD <<< "$OCC_CMDS"
+    for cmd in "${CMD[@]}"; do
+      run_occ "$cmd"
+    done
+}
+
+install_apps(){
     install_apps="$@"
-    if [ -z "$install_apps" ]; then
+    if [ -z "$install_apps" ]
+    then
         install_apps=$APPS
     fi
-    for app in $install_apps; do
+    for app in $install_apps
+    do
         run_occ "app:install $app"
     done
 }
 
-set_app_config() {
+set_app_config(){
     APP=$1
     KEY=$2
     VALUE=$3
     run_occ "config:app:set $APP $KEY --value '$VALUE'"
 }
 
-set_system_config() {
-    KEY=$1
-    VALUE=$2
-    run_occ "config:system:set $KEY --value '$VALUE'"
-}
-
-set_trusted_proxies() {
-    trusted_proxies="$@"
-    if [ -z "$1" ]; then
-        trusted_proxies="$TRUSTED_PROXIES"
-    fi
-    set_system_config trusted_proxies "$trusted_proxies"
-}
-
-set_logfile_stdout() {
-    set_system_config logfile '/dev/stdout'
-}
-
-customize() {
-    if [ -z "$1" ]
-    then
-            echo "Usage: ... customize <assets_path>"
-            exit 1
-    fi
-    asset_dir=$1
-    for asset in $COPY_ASSETS; do
-        source=$(echo $asset | cut -d "|" -f1)
-        target=$(echo $asset | cut -d "|" -f2)
-        echo copy $source to $target
-        abra app cp $APP_NAME $asset_dir/$source $target
-    done
-
-    abra app cmd -T $APP_NAME app set_app_config theming color \"$THEMING_COLOR\"
-    abra app cmd -T $APP_NAME app set_app_config theming slogan \"$THEMING_SLOGAN\"
-    abra app cmd -T $APP_NAME app run_occ '"theming:config background \"/var/www/html/themes/flow_background.jpg\""'
-    abra app cmd -T $APP_NAME app run_occ '"theming:config logo \"/var/www/html/themes/icon_left_brand.svg\""'
-    abra app cmd -T $APP_NAME app run_occ '"theming:config logoheader \"/var/www/html/themes/icon.png\""'
-}
-
-install_bbb() {
+install_bbb(){
     install_apps bbb
     set_app_config bbb app.navigation true
     set_app_config bbb api.url "$BBB_URL"
     set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)"
 }
 
-install_onlyoffice() {
+install_onlyoffice(){
     install_apps onlyoffice
     set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL"
     set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)"
     set_app_config onlyoffice customizationForcesave true
 }
 
-install_collabora() {
-    install_apps richdocuments
-    set_app_config richdocuments wopi_url "$COLLABORA_URL"
-    # important for security reaosns
-    # https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
-    set_app_config richdocuments wopi_allowlist "$COLLABORA_ALLOWLIST"
+set_default_quota(){
+    set_app_config files default_quota '"$DEFAULT_QUOTA"'
 }
 
-install_whiteboard() {
-    install_apps whiteboard
-    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
-    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
-}
-
-
-install_talk() {
-    install_apps spreed
-    run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'"
-    run_occ "talk:stun:add '${TALK_DOMAIN}:3478'"
-    run_occ "talk:stun:add '${TALK_DOMAIN}:443'"
-    run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp"
-
-}
-
-install_fulltextsearch() {
-    install_apps fulltextsearch
-    install_apps fulltextsearch_elasticsearch
-    install_apps files_fulltextsearch
-    set_app_config fulltextsearch search_platform "OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"
-    set_app_config fulltextsearch_elasticsearch elastic_host "http://elastic:$(cat /run/secrets/elasticsearch_password)@elasticsearch:9200/"
-    set_app_config fulltextsearch_elasticsearch elastic_index "nextcloud"
-    set_app_config files_fulltextsearch files_local "1"
-}
-
-set_default_quota() {
-    set_app_config files default_quota "$DEFAULT_QUOTA"
-}
-
-set_authentik() {
-    install_apps sociallogin
-    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
-    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
-    set_system_config logo_url https://$AUTHENTIK_DOMAIN
-    set_app_config sociallogin custom_providers "
+set_authentik(){
+install_apps sociallogin
+AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+set_app_config sociallogin custom_providers "
 {
     \"custom_oidc\":[
     {
@@ -136,7 +67,7 @@ set_authentik() {
         \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\",
         \"displayNameClaim\":\"preferred_username\",
         \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
-        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/nextcloud/end-session/\",
+        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\",
         \"clientId\":\"$AUTHENTIK_ID\",
         \"clientSecret\":\"$AUTHENTIK_SECRET\",
         \"scope\":\"openid profile email nextcloud\",
@@ -144,35 +75,16 @@ set_authentik() {
         \"style\":\"openid\",
         \"defaultGroup\":\"\",
         \"groupMapping\": {
-          \"admin\": \"admin\",
-          \"authentik Admins\": \"admin\"
+          \"admin\": \"admin\"
         }
     }
 ]
 }"
 
-    set_app_config sociallogin update_profile_on_login 1
-    set_app_config sociallogin auto_create_groups 1
-    set_app_config sociallogin hide_default_login 1
-    run_occ 'config:system:set social_login_auto_redirect --value true'
-    run_occ 'config:system:set allow_user_to_change_display_name --value=false'
-    run_occ 'config:system:set lost_password_link --value=disabled'
-}
-
-disable_skeletondirectory() {
-    run_occ "config:system:set skeletondirectory --value ''"
-}
-
-set_windowsfriendly_filenames() {
-    run_occ 'config:system:set forbidden_filename_characters 0 --value=?'
-    run_occ 'config:system:set forbidden_filename_characters 1 --value=\<'
-    run_occ 'config:system:set forbidden_filename_characters 2 --value=\>'
-    run_occ 'config:system:set forbidden_filename_characters 3 --value=:'
-    run_occ 'config:system:set forbidden_filename_characters 4 --value=*'
-    run_occ 'config:system:set forbidden_filename_characters 5 --value=\|'
-    run_occ 'config:system:set forbidden_filename_characters 6 --value=\"'
-}
-
-upgrade_mariadb() {
-    mariadb-upgrade -p`cat /run/secrets/db_root_password`
+set_app_config sociallogin update_profile_on_login 1
+set_app_config sociallogin auto_create_groups 1
+set_app_config sociallogin hide_default_login 1
+run_occ 'config:system:set social_login_auto_redirect --value true'
+run_occ 'config:system:set allow_user_to_change_display_name --value=false'
+run_occ 'config:system:set lost_password_link --value=disabled'
 }

alaconnect.yml

@@ -1,24 +0,0 @@
-authentik:
-    uncomment:
-        - compose.authentik.yml
-        - AUTHENTIK_USER_PREFIX
-        - AUTHENTIK_DOMAIN
-        - SECRET_AUTHENTIK_SECRET_VERSION
-        - SECRET_AUTHENTIK_ID_VERSION
-    initial-hooks:
-        - app set_authentik
-    shared_secrets:
-        nextcloud_secret: authentik_secret
-        nextcloud_id: authentik_id
-onlyoffice:
-    uncomment:
-        - compose.onlyoffice.yml
-        - ONLYOFFICE_URL
-        - SECRET_ONLYOFFICE_JWT_VERSION
-    initial-hooks:
-        - app install_onlyoffice
-collabora:
-    uncomment:
-        - COLLABORA_URL
-    initial-hooks:
-        - app install_collabora

compose.apps.yml

@@ -3,10 +3,16 @@ services:
   app:
     secrets:
       - onlyoffice_jwt
+      - bbb_secret
     environment:
+      - APPS
       - ONLYOFFICE_URL
+      - BBB_URL
 
 secrets:
   onlyoffice_jwt:
     external: true
     name: ${STACK_NAME}_onlyoffice_jwt_${SECRET_ONLYOFFICE_JWT_VERSION}
+  bbb_secret:
+    external: true
+    name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION}

compose.authentik.yml

@@ -8,7 +8,7 @@ services:
 secrets:
   authentik_secret:
     external: true
-    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
+    name: ${AUTHENTIK_SECRET_NAME}
   authentik_id:
     external: true
-    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}
+    name: ${AUTHENTIK_ID_NAME}

compose.bbb.yml

@@ -1,12 +0,0 @@
-version: "3.8"
-services:
-  app:
-    secrets:
-      - bbb_secret
-    environment:
-      - BBB_URL
-
-secrets:
-  bbb_secret:
-    external: true
-    name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION}

compose.fulltextsearch.yml

@@ -1,55 +0,0 @@
-version: "3.8"
-
-services:
-  elasticsearch:
-    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
-    environment:
-      - cluster.name=docker-cluster
-      - bootstrap.memory_lock=true
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - discovery.type=single-node
-      # Disable authentication and ssl completely
-      # - xpack.security.enabled=false
-      # Use this to enable Basic Authentication:
-      - xpack.security.enabled=true
-      - xpack.security.http.ssl.enabled=false
-      - ELASTIC_PASSWORD_FILE=/var/run/secrets/elasticsearch_password
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-    volumes:
-      - elasticsearch:/usr/share/elasticsearch/data
-    networks:
-      - internal
-    secrets:
-      - source: elasticsearch_password
-        uid: "1000"
-        gid: "1000"
-        mode: 0600
-
-  searchindexer:
-    image: nextcloud:32.0.3-fpm
-    volumes:
-      - nextcloud:/var/www/html/
-      - nextapps:/var/www/html/custom_apps:cached
-      - nextdata:/var/www/html/data:cached
-      - nextconfig:/var/www/html/config:cached
-      - ${EXTRA_VOLUME}
-    networks:
-      - internal
-    entrypoint: su -p www-data -s /bin/sh -c '/var/www/html/occ fulltextsearch:live'
-
-  # Add the secret to the app service so it is avaiable in the
-  # install_fulltextsearch command
-  app:
-    secrets:
-      - elasticsearch_password
-
-secrets:
-  elasticsearch_password:
-    external: true
-    name: ${STACK_NAME}_elasticsearch_password_${SECRET_ELASTICSEARCH_PASSWORD_VERSION}
-
-volumes:
-  elasticsearch:

compose.mariadb.yml

@@ -9,14 +9,12 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
 
   db:
-    image: "mariadb:11.4"
+    image: "mariadb:10.5"
     environment:
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
-      - INNODB_BUFFER_POOL_SIZE=${INNODB_BUFFER_POOL_SIZE:-1G}"
     configs:
       - source: my_tune
         target: /etc/mysql/conf.d/my-tune.cnf
@@ -29,11 +27,12 @@ services:
       - internal
     deploy:
       labels:
-        backupbot.backup.pre-hook: 'mariadb-dump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
-        backupbot.backup.volumes.mariadb.path: "backup.sql"
-        backupbot.restore.post-hook: 'mariadb -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud < /var/lib/mysql/backup.sql'
+          backupbot.backup: "true"
+          backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql'
+          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+          backupbot.backup.path: "/tmp/backup/"
     healthcheck:
-      test: ["CMD-SHELL", 'mariadb-admin -p"$$(cat /run/secrets/db_root_password)"  ping']
+      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
       interval: 30s
       timeout: 10s
       retries: 10
@@ -42,12 +41,6 @@ configs:
   my_tune:
     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
     file: my-tune.cnf
-    template_driver: golang
-
-secrets:
-  db_root_password:
-    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
 
 volumes:
   mariadb:

compose.postgres.yml

@@ -10,37 +10,28 @@ services:
       - NEXTCLOUD_UPDATE=1
 
   db:
-    image: "postgres:13"
-    command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
+    image: "postgres:12"
     volumes:
       - "postgres:/var/lib/postgresql/data"
     networks:
       - internal
     environment:
-      POSTGRES_USER: nextcloud
+      POSTGRES_USER: nextcloud 
       POSTGRES_PASSWORD_FILE: /run/secrets/db_password
-      POSTGRES_DB: nextcloud
+      POSTGRES_DB: nextcloud 
     secrets:
       - db_password
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"]
+      test: ["CMD-SHELL", "pg_isready"]
       interval: 10s
       timeout: 5s
       retries: 5
     deploy:
       labels:
-        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-        backupbot.backup.volumes.postgres.path: "backup.sql"
-        backupbot.restore.post-hook: '/pg_backup.sh restore'
-    configs:
-        - source: pg_backup
-          target: /pg_backup.sh
-          mode: 0555
+            backupbot.backup: "true"
+            backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+            backupbot.backup.post-hook: "rm -rf /tmp/backup"
+            backupbot.backup.path: "/tmp/backup/"
 
 volumes:
   postgres:
-
-configs:
-  pg_backup:
-    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
-    file: pg_backup.sh

compose.talk.yml

@@ -1,70 +0,0 @@
-version: "3.8"
-
-services:
-  talk:
-    image: "nextcloud/aio-talk:20251128_084214"
-    environment:
-      - NC_DOMAIN=${DOMAIN}
-      - TALK_HOST=${TALK_DOMAIN}
-      - TZ
-      - TALK_PORT=3478
-      - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret 
-      - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
-      - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
-    deploy:
-      labels:
-        - traefik.enable=true
-        - traefik.docker.network=proxy
-        - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
-        - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
-        - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
-        - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
-        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.rule=HostSNI(`*`)
-        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.entrypoints=nextcloud-talk-hpb
-        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.service=${STACK_NAME}_nextcloud-talk-hpb-svc
-        - traefik.tcp.services.${STACK_NAME}_nextcloud-talk-hpb-svc.loadbalancer.server.port=3478
-        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.entrypoints=nextcloud-talk-hpb-udp
-        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.service=${STACK_NAME}_nextcloud-talk-hpb-udp-svc
-        - traefik.udp.services.${STACK_NAME}_nextcloud-talk-hpb-udp-svc.loadbalancer.server.port=3478
-    networks:
-      - proxy
-    configs:
-      - source: entrypoint_talk
-        target: /custom-entrypoint.sh
-        mode: 775
-    entrypoint: /custom-entrypoint.sh
-    secrets:
-      - source: talk_internal_secret
-        uid: "1000"
-        gid: "122"
-        mode: 0600
-      - source: talk_turn_secret
-        uid: "1000"
-        gid: "122"
-        mode: 0600
-      - source: talk_signaling_secret
-        uid: "1000"
-        gid: "122"
-        mode: 0600
-
-  app:
-    secrets:
-      - talk_turn_secret
-      - talk_signaling_secret
-
-secrets:
-  talk_internal_secret:
-    external: true
-    name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
-  talk_turn_secret:
-    external: true
-    name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
-  talk_signaling_secret:
-    external: true
-    name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
-
-configs:
-  entrypoint_talk:
-    name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
-    file: entrypoint.talk.sh.tmpl
-    template_driver: golang

compose.whiteboard.yml

@@ -1,44 +0,0 @@
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - whiteboard_jwt
-
-  whiteboard:
-    image: ghcr.io/nextcloud-releases/whiteboard:v1.5.0
-    deploy:
-      labels:
-        - traefik.enable=true
-        - traefik.docker.network=proxy
-        - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
-        - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
-        - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
-        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
-        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
-        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
-    configs:
-      - source: entrypoint_whiteboard
-        target: /custom-entrypoint.sh
-    entrypoint: ["sh", "/custom-entrypoint.sh"]
-    user: root
-    networks:
-     - proxy
-    ports:
-      - 3002:3002
-    secrets:
-      - whiteboard_jwt
-    environment:
-      - NEXTCLOUD_URL=https://$DOMAIN
-      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
-
-secrets:
-  whiteboard_jwt:
-    external: true
-    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
-
-configs:
-  entrypoint_whiteboard:
-    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
-    file: entrypoint.whiteboard.sh.tmpl
-    template_driver: golang

compose.yml

@@ -1,9 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.29.4
-    depends_on:
-      - app
+    image: nginx:1.23.3
     configs:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
@@ -12,8 +10,6 @@ services:
       - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
-      - HSTS_ENABLED
-      - HSTS_PRELOAD
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -35,25 +31,22 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
-        - "caddy=${DOMAIN}"
-        - "caddy.reverse_proxy={{upstreams 80}}"
-        - "caddy.tls.on_demand="
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost/status.php | grep -q '\"installed\":true'"]
+      test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 5m
 
   app:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:25.0.4-fpm
     depends_on:
       - db
     configs:
       - source: fpm_tune
-        target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf
+        target: /usr/local/etc/php-fpm.d/fpm-tune.conf
       - source: entrypoint
         target: /custom-entrypoint.sh
         mode: 555
@@ -71,16 +64,14 @@ services:
       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
       - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password
       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
-      - TRUSTED_PROXIES=10.0.0.0/8
+      - TRUSTED_PROXIES=traefik
       - REDIS_HOST=cache
       - OVERWRITEPROTOCOL=https
-      - OVERWRITECLIURL=https://${DOMAIN}
-      - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
-      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
-      - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
-      - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
-      - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
-      - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98}
+      - PHP_MEMORY_LIMIT=1G
+      - FPM_MAX_CHILDREN=131
+      - FPM_START_SERVERS=32
+      - FPM_MIN_SPARE_SERVERS=32
+      - FPM_MAX_SPARE_SERVERS=98
       - DEFAULT_QUOTA
     volumes:
       - nextcloud:/var/www/html/
@@ -95,21 +86,18 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=13.0.1+32.0.3-fpm"
-        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT}"
-        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
-        - "backupbot.backup.volumes.redis=false"
-       #- "backupbot.backup.volumes.nextcloud=false"
-
+        - "coop-cloud.${STACK_NAME}.version=3.1.2+25.0.4-fpm"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
     healthcheck:
       test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"']
       interval: 30s
       timeout: 10s
       retries: 10
-      start_period: 15m
+      start_period: 5m
 
   cron:
-    image: nextcloud:32.0.3-fpm
+    image: nextcloud:25.0.4-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -119,13 +107,9 @@ services:
     networks:
       - internal
     entrypoint: /cron.sh
-    configs:
-      - source: crontab
-        target: /var/spool/cron/crontabs/www-data
-
 
   cache:
-    image: redis:8.4.0-alpine
+    image: redis:7.0.9-alpine
     networks:
       - internal
     volumes:
@@ -137,6 +121,9 @@ services:
       retries: 20
 
 secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
@@ -165,9 +152,6 @@ configs:
     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
     file: entrypoint.sh.tmpl
     template_driver: golang
-  crontab:
-    name: ${STACK_NAME}_crontab_${CRONTAB_VERSION}
-    file: crontab
 
 networks:
   proxy:

crontab

@@ -1 +0,0 @@
-*/5 * * * * php -d memory_limit=1G -f /var/www/html/cron.php

entrypoint.talk.sh.tmpl

@@ -1,30 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-file_env() {
-  local var="$1"
-  local fileVar="${var}_FILE"
-  local def="${2:-}"
-
-  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-    exit 1
-  fi
-
-  local val="$def"
-  if [ "${!var:-}" ]; then
-    val="${!var}"
-  elif [ "${!fileVar:-}" ]; then
-    val="$(< "${!fileVar}")"
-  fi
-
-  export "$var"="$val"
-  unset "$fileVar"
-}
-
-file_env "INTERNAL_SECRET"
-file_env "TURN_SECRET"
-file_env "SIGNALING_SECRET"
-
-/start.sh supervisord -c /supervisord.conf

entrypoint.whiteboard.sh.tmpl

@@ -1,6 +0,0 @@
-#!/bin/sh
-set -e
-
-export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
-
-exec npm run server:start

my-tune.cnf

@@ -4,7 +4,7 @@
 # https://mariadb.com/kb/en/library/performance-schema-overview/
 
 [server]
-innodb_buffer_pool_size        = {{ env "INNODB_BUFFER_POOL_SIZE" }}
+innodb_buffer_pool_size        = 1G
 innodb_flush_log_at_trx_commit = 2
 innodb_log_buffer_size         = 32M
 innodb_max_dirty_pages_pct     = 90
@@ -13,7 +13,7 @@ key_buffer_size                = 16M
 innodb_log_file_size           = 256M
 long_query_time                = 1
 max_allowed_packet             = 256M
-max_connections                = {{ env "MAX_DB_CONNECTIONS" }}
+max_connections                = 100
 max_heap_table_size            = 64M
 max_user_connections           = 0
 myisam_recover_options         = BACKUP

nginx.conf.tmpl

@@ -11,10 +11,6 @@ events {
 
 http {
     include       /etc/nginx/mime.types;
-    # See https://github.com/nextcloud/forms/issues/1838#issuecomment-1860497200
-    types {
-        application/javascript js mjs;
-    }
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -45,13 +41,6 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        {{ if eq (env "HSTS_ENABLED") "1" }}
-        {{ if eq (env "HSTS_PRELOAD") "1" }}
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        {{ else }}
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
-        {{ end }}
-        {{ end }}
 
         # set max upload size
         client_max_body_size 512M;
@@ -70,12 +59,12 @@ http {
         #pagespeed off;
 
         # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Referrer-Policy                      "no-referrer"       always;
-        add_header X-Content-Type-Options               "nosniff"           always;
-        add_header X-Download-Options                   "noopen"            always;
-        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
-        add_header X-Robots-Tag                         "noindex, nofollow" always;
-        add_header X-XSS-Protection                     "1; mode=block"     always;
+        add_header Referrer-Policy                      "no-referrer"   always;
+        add_header X-Content-Type-Options               "nosniff"       always;
+        add_header X-Download-Options                   "noopen"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+        add_header X-Robots-Tag                         "none"          always;
+        add_header X-XSS-Protection                     "1; mode=block" always;
 
         {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
         add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
@@ -143,9 +132,6 @@ http {
         # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
         # to the URI, resulting in a HTTP 500 error response.
         location ~ \.php(?:$|/) {
-            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
-
             fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
 

pg_backup.sh

@@ -1,34 +0,0 @@
-#!/bin/bash
-
-set -e
-
-BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
-
-function backup {
-  export PGPASSWORD=$(cat /run/secrets/db_password)
-  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
-}
-
-function restore {
-    cd /var/lib/postgresql/data/
-    restore_config(){
-        # Restore allowed connections
-        cat pg_hba.conf.bak > pg_hba.conf
-        su postgres -c 'pg_ctl reload'
-    }
-    # Don't allow any other connections than local
-    cp pg_hba.conf pg_hba.conf.bak
-    echo "local all all trust" > pg_hba.conf
-    su postgres -c 'pg_ctl reload'
-    trap restore_config EXIT INT TERM
-
-    # Recreate Database
-    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
-    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
-    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
-
-    trap - EXIT INT TERM
-    restore_config
-}
-
-$@

release/10.0.0+30.0.4-fpm

@@ -1 +0,0 @@
-https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_30.html

release/11.0.0+30.0.4-fpm

@@ -1,4 +0,0 @@
-Upgrades mariadb from 10.5 to 11.4
-NOTE: If your Nextcloud instance is using mariadb, after running this update you MUST run the database upgrade command:
-`abra app command nextcloud.yourserver.org db upgrade_mariadb`
-More info: https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/

release/3.2.0+25.0.4-fpm

@@ -1,11 +0,0 @@
-If the authentik configuration should be handled by abra add the following to the env:
-
-    COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
-    AUTHENTIK_USER_PREFIX=authentik
-    AUTHENTIK_DOMAIN=authentik.example.com
-    AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
-    AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
-
-And run:
-
-    abra app cmd <app-name> app set_authentik

release/5.0.1+27.0.1-fpm

@@ -1 +0,0 @@
-The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more.

release/8.0.0+29.0.1-fpm

@@ -1 +0,0 @@
-BREAKING CHANGE: compose.apps.yml is now split for bbb and onlyoffice, configs must be updated

release/9.1.0+29.0.5-fpm

@@ -1 +0,0 @@
-Added automated customization options. Config needs to be updated to be able to use it.