add headers to embed nextcloud in frame on external site

This introduces new env variables to configure nextloud to be embedded via
iframe on an external site.
Setting X_FRAME_OPTIONS_ENABLED=1 will configure nginx and nextcloud to
set X-Frame-Options and CSP headers to allow the domain configured in
X_FRAME_OPTIONS_ALLOW_FROM.

.env.sample

@@ -1,6 +1,6 @@
 TYPE=nextcloud
 
-DOMAIN={{ .Domain }}
+DOMAIN=nextcloud.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.nextcloud.example.com`'
 LETS_ENCRYPT_ENV=production
@@ -19,5 +19,3 @@ EXTRA_VOLUME=/dev/null:/tmp/.dummy
 
 # X_FRAME_OPTIONS_ENABLED=1
 # X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
-# APPS="calendar sociallogin onlyoffice"
-

.gitignore

@@ -1,2 +1 @@
 /.envrc
-

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "shellcheck.customArgs": [
+        "--shell=bash"
+    ]
+}

abra.sh

@@ -1,7 +1,7 @@
 export FPM_TUNE_VERSION=v4
-export NGINX_CONF_VERSION=v4
+export NGINX_CONF_VERSION=v3
 export MY_CNF_VERSION=v4
-export ENTRYPOINT_VERSION=v2
+export ENTRYPOINT_VERSION=v1
 
 NC_APP_DIR="app:/var/www/html"
 
@@ -13,22 +13,6 @@ sub_occ(){
   sub_app_run php /var/www/html/occ "$@"
 }
 
-run_occ(){
-    su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
-}
-
-install_apps(){
-    install_apps="$@"
-    if [ -z "$install_apps" ]
-    then
-        install_apps=$APPS
-    fi
-    for app in $install_apps
-    do
-        run_occ "app:install $app"
-    done
-}
-
 _backup_app() {
   # Copied _abra_backup_dir to make UX better on restore and backup
   {

compose.postgres.yml

@@ -2,6 +2,7 @@ version: '3.8'
 
 services:
   app:
+    entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
     environment:
       - POSTGRES_HOST=db
       - POSTGRES_DB=nextcloud

compose.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.22.1
+    image: nginx:1.23.1
     configs:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
@@ -35,7 +35,7 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
   app:
-    image: nextcloud:25.0.1-fpm
+    image: nextcloud:24.0.3-fpm
     depends_on:
       - db
     configs:
@@ -49,7 +49,6 @@ services:
       - db_password
       - admin_password
     environment:
-      - APPS
       - X_FRAME_OPTIONS_ALLOW_FROM
       - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
@@ -78,12 +77,12 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=2.1.6+25.0.1-fpm"
+        - "coop-cloud.${STACK_NAME}.version=2.1.2+24.0.3-fpm"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
 
   cron:
-    image: nextcloud:25.0.1-fpm
+    image: nextcloud:24.0.3-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -95,7 +94,7 @@ services:
     entrypoint: /cron.sh
 
   cache:
-    image: redis:7.0.5-alpine
+    image: redis:7.0.4-alpine
     networks:
       - internal
     volumes:

entrypoint.sh.tmpl

@@ -1,8 +1,5 @@
 #!/bin/bash
 
-echo "Giving the db container some time to come up"; sleep 20
-# see this issue with postgres db https://github.com/nextcloud/docker/issues/1204
-
 {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
 if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
     sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php

nginx.conf.tmpl

@@ -67,7 +67,8 @@ http {
         add_header X-XSS-Protection                     "1; mode=block" always;
 
         {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
-        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
+        add_header X-Frame-Options                      "{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}"    always;
+        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}";
         {{ else }}
         add_header X-Frame-Options                      "SAMEORIGIN"    always;
         {{ end }}