chore: publish 3.0.0+25.0.1-fpm release

Reviewed-on: coop-cloud/nextcloud#29

.drone.yml

@@ -11,11 +11,17 @@ steps:
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
     environment:
       DOMAIN: nextcloud.swarm-test.autonomic.zone
       STACK_NAME: nextcloud
       LETS_ENCRYPT_ENV: production
       ADMIN_USER: foobar
+      FPM_TUNE_VERSION: v1
+      NGINX_CONF_VERSION: v1
+      MY_CNF_VERSION: v1
+      ENTRYPOINT_VERSION: v1
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_ADMIN_PASSWORD_VERSION: v1

.env.sample

@@ -16,3 +16,8 @@ SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
 
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
+
+# X_FRAME_OPTIONS_ENABLED=1
+# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
+# APPS="calendar sociallogin onlyoffice"
+

README.md

@@ -166,3 +166,27 @@ Here is an example CSS config which hides the local login and makes space for a
 [nextcloud-docker]: https://hub.docker.com/_/nextcloud/
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+## Using [`previewgenerator`](https://github.com/nextcloud/previewgenerator) app
+
+> Beware, this appp has been known to not work...
+
+After you install, enable etc. then you need to run the generation (**warning**: it can take a long time!):
+
+```
+abra app run <domain> app bash -u www-data
+./occ preview:generate-all
+```
+
+To set up the cron to run again, there is [no clear solution in the context of
+containers](https://github.com/nextcloud/previewgenerator/issues/1). So, a
+pretty dodgy hack is to run it from the system directly:
+
+```
+root@foo.com /etc/cron.hourly $ cat foo-com-preview-generate 
+#!/bin/bash
+
+docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-generate
+```
+
+This app will improve performance of image browsing at the cost of storage space.

abra.sh

@@ -1,105 +1,38 @@
+#!/bin/bash
+
 export FPM_TUNE_VERSION=v4
-export NGINX_CONF_VERSION=v2
+export NGINX_CONF_VERSION=v4
 export MY_CNF_VERSION=v4
+export ENTRYPOINT_VERSION=v2
 
-NC_APP_DIR="app:/var/www/html"
-
-sub_occ(){
-  # shellcheck disable=SC2034
-  abra__service_="app"
-  # shellcheck disable=SC2034
-  abra___user="www-data"
-  sub_app_run php /var/www/html/occ "$@"
+run_occ(){
+    su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
 }
 
-_backup_app() {
-  # Copied _abra_backup_dir to make UX better on restore and backup
-  {
-    abra__src_="$1"
-    abra__dst_="-"
-  }
-
-  # shellcheck disable=SC2154
-  FILENAME="$(basename "$1").tar"
-
-  debug "Copying '$1' to '$FILENAME'"
-
-  silence
-  mkdir -p /tmp/abra
-  sub_app_cp > /tmp/abra/$FILENAME
-  unsilence
+install_apps(){
+    install_apps="$@"
+    if [ -z "$install_apps" ]
+    then
+        install_apps=$APPS
+    fi
+    for app in $install_apps
+    do
+        run_occ "app:install $app"
+    done
 }
 
-next_maintenance_on() {
-  silence
-  sub_occ maintenance:mode --on > /dev/null
-  unsilence
-  debug "Nextcloud maintenance mode enabled"
+set_app_config(){
+    APP=$1
+    KEY=$2
+    VALUE=$3
+    run_occ "config:app:set $APP $KEY --value $VALUE"
 }
 
-next_maintenance_off() {
-  silence
-  sub_occ maintenance:mode --off > /dev/null
-  unsilence
-  debug "Nextcloud maintenance mode disabled"
+install_bbb(){
+    URL=$1 # https://talk.example.org/bigbluebutton/ (trailing slash!)
+    SECRET=$2 # bbb secret key
+    install_apps bbb
+    set_app_config bbb app.navigation true
+    set_app_config bbb api.url "$URL"
+    set_app_config bbb api.secret "$SECRET"
 }
-
-abra_backup_app() {
-  # shellcheck disable=SC2154
-  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
-  # Cant be FILENAME as that gets changed by something
-  next_maintenance_on
-  _backup_app $NC_APP_DIR/config
-  _backup_app $NC_APP_DIR/data
-  _backup_app $NC_APP_DIR/themes
-  # Combine archives
-  tar -Af /tmp/abra/config.tar /tmp/abra/data.tar
-  tar -Af /tmp/abra/config.tar /tmp/abra/themes.tar
-  gzip /tmp/abra/config.tar -c > "$ARK_FILENAME"
-  rm /tmp/abra/*.tar
-  success "Backed up 'app' to $ARK_FILENAME"
-  next_maintenance_off
-}
-
-abra_backup_db() {
-  next_maintenance_on
-  _abra_backup_mysql "db" "nextcloud"
-  next_maintenance_off
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}
-
-
-abra_restore_app() {
-  next_maintenance_on
-  # shellcheck disable=SC2034
-  {
-  abra__src_="-"
-  abra__dst_=$NC_APP_DIR
-  }
-
-  zcat "$@" | sub_app_cp
-
-  next_maintenance_off
-  sub_occ files:scan --all > /dev/null # Needs to be run in normal mode
-  success "Restored 'app'"
-}
-
-# abra_restore_db() {
-#   warning "Restoring the database is on a existing app and not a new one has not been tested. Use with caution."
-#   next_maintenance_on
-#   # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-#   # got this far..
-
-#   # shellcheck disable=SC2034
-#   abra___no_tty="true"
-
-#   DB_PASSWORD=$(sub_app_run cat /run/secrets/db_password)
-
-#   zcat "$@" | sub_app_run mysql -u root -p"$DB_PASSWORD" wordpress
-
-#   success "Restored 'db'"
-#   next_maintenance_off
-# }

compose.postgres.yml

@@ -2,7 +2,6 @@ version: '3.8'
 
 services:
   app:
-    entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
     environment:
       - POSTGRES_HOST=db
       - POSTGRES_DB=nextcloud

compose.yml

@@ -1,11 +1,13 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.21.6
+    image: nginx:1.23.1
     configs:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
     environment:
+      - X_FRAME_OPTIONS_ALLOW_FROM
+      - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
     volumes:
@@ -33,16 +35,23 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
   app:
-    image: nextcloud:24.0.0-fpm
+    image: nextcloud:25.0.1-fpm
     depends_on:
       - db
     configs:
       - source: fpm_tune
         target: /usr/local/etc/php-fpm.d/fpm-tune.conf
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 555
+    entrypoint: /custom-entrypoint.sh
     secrets:
       - db_password
       - admin_password
     environment:
+      - APPS
+      - X_FRAME_OPTIONS_ALLOW_FROM
+      - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
@@ -69,13 +78,12 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=2.1.0+24.0.0-fpm"
+        - "coop-cloud.${STACK_NAME}.version=3.0.0+25.0.1-fpm"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
 
-
   cron:
-    image: nextcloud:24.0.0-fpm
+    image: nextcloud:25.0.1-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -87,7 +95,7 @@ services:
     entrypoint: /cron.sh
 
   cache:
-    image: redis:7.0.0-alpine
+    image: redis:7.0.5-alpine
     networks:
       - internal
     volumes:
@@ -111,6 +119,7 @@ volumes:
   nextconfig:
   redis:
 
+
 configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
@@ -119,6 +128,10 @@ configs:
   fpm_tune:
     name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
     file: fpm-tune.ini
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
 
 networks:
   proxy:

entrypoint.sh.tmpl

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo "Giving the db container some time to come up"; sleep 20
+# see this issue with postgres db https://github.com/nextcloud/docker/issues/1204
+
+{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
+    sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
+fi
+{{ end }}
+
+/entrypoint.sh php-fpm

nginx.conf.tmpl

@@ -41,6 +41,7 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
+
         # set max upload size
         client_max_body_size 512M;
         fastcgi_buffers 64 4K;
@@ -61,11 +62,17 @@ http {
         add_header Referrer-Policy                      "no-referrer"   always;
         add_header X-Content-Type-Options               "nosniff"       always;
         add_header X-Download-Options                   "noopen"        always;
-        add_header X-Frame-Options                      "SAMEORIGIN"    always;
         add_header X-Permitted-Cross-Domain-Policies    "none"          always;
         add_header X-Robots-Tag                         "none"          always;
         add_header X-XSS-Protection                     "1; mode=block" always;
 
+        {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
+        {{ else }}
+        add_header X-Frame-Options                      "SAMEORIGIN"    always;
+        {{ end }}
+
+
         # Remove X-Powered-By, which is an information leak
         fastcgi_hide_header X-Powered-By;