Implement NC Talk High Performance Backend

Reviewed-on: coop-cloud/nextcloud#55

.drone.yml

@@ -3,7 +3,7 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: decentral1se/stack-ssh-deploy:latest
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: nextcloud
@@ -11,15 +11,41 @@ steps:
       purge: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
     environment:
       DOMAIN: nextcloud.swarm-test.autonomic.zone
       STACK_NAME: nextcloud
       LETS_ENCRYPT_ENV: production
       ADMIN_USER: foobar
+      FPM_TUNE_VERSION: v1
+      NGINX_CONF_VERSION: v1
+      MY_CNF_VERSION: v1
+      ENTRYPOINT_VERSION: v1
+      CRONTAB_VERSION: v1
+      PG_BACKUP_VERSION: v2
       SECRET_DB_PASSWORD_VERSION: v1
       SECRET_DB_ROOT_PASSWORD_VERSION: v1
       SECRET_ADMIN_PASSWORD_VERSION: v1
+      SECRET_ONLYOFFICE_JWT_VERSION: v1
+      SECRET_BBB_SECRET_VERSION: v1
       EXTRA_VOLUME: "/dev/null:/tmp/.dummy"
 trigger:
   branch:
     - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,4 +1,7 @@
 TYPE=nextcloud
+TIMEOUT=900
+ENABLE_AUTO_UPDATE=true
+ENABLE_BACKUPS=true
 
 DOMAIN=nextcloud.example.com
 ## Domain aliases
@@ -9,10 +12,90 @@ COMPOSE_FILE="compose.yml"
 COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
 
+#MAX_DB_CONNECTIONS=500
+
 ADMIN_USER=admin
+TZ=Etc/UTC
 
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
 
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
+
+PHP_MEMORY_LIMIT=1G
+PHP_UPLOAD_LIMIT=512M
+# fpm-tune, see: https://spot13.com/pmcalculator/
+FPM_MAX_CHILDREN=16
+FPM_START_SERVERS=4
+FPM_MIN_SPARE_SERVERS=4
+FPM_MAX_SPARE_SERVERS=12
+
+DEFAULT_QUOTA="10 GB"
+
+# X_FRAME_OPTIONS_ENABLED=1
+# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+# See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values
+# SMTP_AUTHTYPE=
+# SMTP_HOST=
+# SMTP_SECURE=
+# SMTP_NAME=
+# SMTP_PORT=
+# MAIL_FROM_ADDRESS=
+# MAIL_DOMAIN=
+# SECRET_SMTP_PASSWORD_VERSION=v1
+
+## Customization
+# THEMING_COLOR=
+# THEMING_SLOGAN=
+# COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/"
+# COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/"
+# COPY_ASSETS="$COPY_ASSETS icon.png|app:/var/www/html/themes/"
+
+# APPS="calendar"
+
+# COLLABORA_URL=https://collabora.example.com
+## IMPORTANT FOR SECURITY REASONS WHEN RUNNING COLLABORA
+## list of IP addresses that are allowed to make WOPI requests. Use the default
+## when running the collabora server on the same machine as nextcloud.
+## Otherwise set this to the IP address range of your collabora server(s) i.e. 1.2.3.4/32
+## https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
+# COLLABORA_ALLOWLIST="172.16.0.0/12"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml"
+# ONLYOFFICE_URL=https://onlyoffice.example.com
+# APPS="$APPS onlyoffice"
+# SECRET_ONLYOFFICE_JWT_VERSION=v1
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.bbb.yml"
+# BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
+# SECRET_BBB_SECRET_VERSION=v1
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.whiteboard.yml"
+# APPS="$APPS whiteboard"
+# SECRET_WHITEBOARD_JWT_VERSION=v1
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+# APPS="$APPS sociallogin"
+# AUTHENTIK_USER_PREFIX=authentik
+# AUTHENTIK_DOMAIN=authentik.example.com
+# SECRET_AUTHENTIK_SECRET_VERSION=v1
+# SECRET_AUTHENTIK_ID_VERSION=v1
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
+#SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
+#TALK_DOMAIN=talk.example.com
+#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+
+
+# HSTS Options
+# Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
+#HSTS_ENABLED=1
+# Uncomment this line to add the `preload` part
+#HSTS_PRELOAD=1

README.md

@@ -6,38 +6,131 @@ Fully automated luxury Nextcloud via docker-swarm.
 
 <!-- metadata -->
 * **Category**: Apps
-* **Status**: 2, beta
+* **Status**: 5
 * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream
 * **Healthcheck**: Yes
-* **Backups**: No
+* **Backups**: Yes
 * **Email**: 3
 * **Tests**: 2
 * **SSO**: 1 (OAuth)
 <!-- endmetadata -->
 
-## Basic usage
+## Quick start
 
-1. Set up Docker Swarm and [`abra`]
+* `abra app new nextcloud`
-2. Deploy [`coop-cloud/traefik`]
+* `abra app config <app-name>`
-3. `abra app new nextcloud --secrets` (optionally with `--pass` if you'd like
+* `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>`
-   to save secrets in `pass`)
+* `abra app secret generate -a <app-name>`
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
+* `abra app deploy <app-name>`
-   your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
 
-## How do I customise the default home page when logging in?
+### Onlyoffice Integration
 
-- Delete the dashboard app since it is so corporate
+`abra app config <app-name>` 
-- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
+
-- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
+Configure the following envs:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
+ONLYOFFICE_URL=https://onlyoffice.example.com
+SECRET_ONLYOFFICE_JWT_VERSION=v1
+```
+
+* `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>`
+* `abra app cmd <app-name> app install_onlyoffice`
+
+### BBB Integration
+
+`abra app config <app-name>` 
+
+Configure the following envs:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
+BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
+SECRET_BBB_SECRET_VERSION=v1
+```
+
+* `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>`
+* `abra app cmd <app-name> app install_bbb`
+
+### Nextcloud Talk High performance Backend
+
+Note: at the moment you are limited to run one Nextcloud high performance backend per docker host with this setup.
+
+`abra app config <app-name>` 
+
+Configure the following envs:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.talk.yml"
+#TALK_DOMAIN=talk.example.com
+#SECRET_TALK_INTERNAL_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
+#SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+```
+
+* `abra app secret insert <app-name> talk_internal_secret v1 <talk_internal_secret>`
+* `abra app secret insert <app-name> talk_turn_secret v1 <talk_turn_secret>`
+* `abra app secret insert <app-name> talk_signaling_secret v1 <talk_signaling_secret>`
+* `abra app cmd <app-name> app install_talk`
+
+Don't forget to enable the additional env's in your hosts traefik instance:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.nextcloud-talk-hpb.yml"
+NEXTCLOUD_TALK_HPB_ENABLED=1
+```
+
+Due to a bug in compose that deletes duplacted ports without checking for the protocol, traefik need to get the additional udp binding added after the deployment via ssh (this might take longer than expected!):
+```
+docker service update  --publish-add published=3478,target=3478,protocol=udp traefik_XXX_XXX_app
+```
+
+To check if tcp and udp was binded, you can use:
+```
+docker service inspect traefik_XXX_XXX_app | grep 3478 -a2
+```
+
+### Authentik Integration
+
+
+`abra app config <app-name>` 
+Configure the following envs:
+```
+COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+AUTHENTIK_USER_PREFIX=authentik
+AUTHENTIK_DOMAIN=authentik.example.com
+AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
+AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
+```
+
+`abra app cmd <app-name> app set_authentik`
 
 ## Running `occ`
 
-`abra app run --user www-data YOURAPPDOMAIN app occ user:list --help`
+`abra app cmd <app-name> app run_occ '"user:list --help"'`
 
-## Upgrading Nextcloud apps
+Read more about [occ command here](https://docs.nextcloud.com/server/stable/admin_manual/occ_command.html).
+
+### Disable Dashboard
+
+To disable dashboard app (since it is so corporate):
+
+`abra app cmd <app-name> app run_occ '"app:disable dashboard"'`
+
+## Default user files
+
+- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
+
+## Default App
+
+- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
+
+## Upgrading Nextcloud
+Upgrading Nextcloud can be a hair raising experiance. They [don't support downgrading](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html) even for minor versions.
+
+Many of us  have found that jumping major versions when upgrading is also a bad idea. We have however found that it's ok to skip minor version upgrades and go to the last minor version before a major version (e.g. 24.0.0 to 24.9.9 before going to 25.0.0). To extra cautious just upgrade one release at a time. Read the release notes and check your logs.
+
+## Upgrading Nextcloud apps (plug-ins)
+
+`abra app cmd <app-name> app run_occ '"app:update --all"'`
 
-`abra app run --user www-data YOURAPPDOMAIN app occ app:update --all`
 
 ## How do I fix a Nextcloud version snafu?
 
@@ -66,7 +159,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the
 ```
   'oidc_login_client_id' => 'nextcloud',
   'oidc_login_client_secret' => 'mysecret',
-  'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm',
+  'oidc_login_provider_url' => 'https://example.com/realms/myrealm',
   'oidc_login_disable_registration' => false,
   'oidc_login_hide_password_form' => true,
   'oidc_login_button_text' => 'Log in with your myssodomain',
@@ -166,3 +259,73 @@ Here is an example CSS config which hides the local login and makes space for a
 [nextcloud-docker]: https://hub.docker.com/_/nextcloud/
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+## Using [`previewgenerator`](https://github.com/nextcloud/previewgenerator) app
+
+> Beware, this appp has been known to not work...
+
+After you install, enable etc. then you need to run the generation (**warning**: it can take a long time!):
+
+```
+abra app run <domain> app bash -u www-data
+./occ preview:generate-all
+```
+
+To set up the cron to run again, there is [no clear solution in the context of
+containers](https://github.com/nextcloud/previewgenerator/issues/1). So, a
+pretty dodgy hack is to run it from the system directly:
+
+```
+root@foo.com /etc/cron.hourly $ cat foo-com-preview-generate 
+#!/bin/bash
+
+docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-generate
+```
+
+This app will improve performance of image browsing at the cost of storage space.
+
+## Fulltextsearch using elasticsearch
+
+1. Uncomment the following lines in your env file:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml"
+#SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1
+```
+
+2. Generate the secret for elasticsearch:
+```bash
+abra app secret generate <domain> elasticsearch_password v1
+```
+
+3. Deploy your app:
+```bash
+abra app deploy <domain>
+```
+
+4. Install the apps and configure them:
+```
+abra app cmd <domain> app install_fulltextsearch
+```
+
+5. You might need to configure the files_fulltextsearch app. run this command to check its settings:
+```
+abra app cmd <domain> app run_occ '"config:list files_fulltextsearch"
+```
+
+6. You can check if the nextcloud can connect to elasticsearch:
+```
+abra app cmd <domain> app run_occ '"fulltextsearch:test"'
+```
+
+And you can populate the index manually and check if any errors occur:
+```
+abra app cmd <domain> app run_occ '"fulltextsearch:index"'
+```
+
+### Troubleshooting fulltextsearch
+
+The fulltextsearch plugin might be stuck with this error: "Index is already running". In that case the following command can get things runing again:
+
+```
+abra app run <domain> db /bin/sh -- -c 'echo "delete from oc_fulltextsearch_ticks;" | mariadb -u root -p$(cat /run/secrets/db_root_password) nextcloud'
+```

abra.sh

@@ -1,105 +1,178 @@
-export FPM_TUNE_VERSION=v4
+#!/bin/bash
-export NGINX_CONF_VERSION=v2
-export MY_CNF_VERSION=v4
 
-NC_APP_DIR="app:/var/www/html"
+export FPM_TUNE_VERSION=v5
+export NGINX_CONF_VERSION=v8
+export MY_CNF_VERSION=v6
+export ENTRYPOINT_VERSION=v3
+export ENTRYPOINT_WHITEBOARD_VERSION=v1
+export ENTRYPOINT_TALK_VERSION=v1
+export CRONTAB_VERSION=v1
+export PG_BACKUP_VERSION=v2
 
-sub_occ(){
+run_occ() {
-  # shellcheck disable=SC2034
+    su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
-  abra__service_="app"
-  # shellcheck disable=SC2034
-  abra___user="www-data"
-  sub_app_run php /var/www/html/occ "$@"
 }
 
-_backup_app() {
+install_apps() {
-  # Copied _abra_backup_dir to make UX better on restore and backup
+    install_apps="$@"
+    if [ -z "$install_apps" ]; then
+        install_apps=$APPS
+    fi
+    for app in $install_apps; do
+        run_occ "app:install $app"
+    done
+}
+
+set_app_config() {
+    APP=$1
+    KEY=$2
+    VALUE=$3
+    run_occ "config:app:set $APP $KEY --value '$VALUE'"
+}
+
+set_system_config() {
+    KEY=$1
+    VALUE=$2
+    run_occ "config:system:set $KEY --value '$VALUE'"
+}
+
+set_trusted_proxies() {
+    trusted_proxies="$@"
+    if [ -z "$1" ]; then
+        trusted_proxies="$TRUSTED_PROXIES"
+    fi
+    set_system_config trusted_proxies "$trusted_proxies"
+}
+
+set_logfile_stdout() {
+    set_system_config logfile '/dev/stdout'
+}
+
+customize() {
+    if [ -z "$1" ]
+    then
+            echo "Usage: ... customize <assets_path>"
+            exit 1
+    fi
+    asset_dir=$1
+    for asset in $COPY_ASSETS; do
+        source=$(echo $asset | cut -d "|" -f1)
+        target=$(echo $asset | cut -d "|" -f2)
+        echo copy $source to $target
+        abra app cp $APP_NAME $asset_dir/$source $target
+    done
+
+    abra app cmd -T $APP_NAME app set_app_config theming color \"$THEMING_COLOR\"
+    abra app cmd -T $APP_NAME app set_app_config theming slogan \"$THEMING_SLOGAN\"
+    abra app cmd -T $APP_NAME app run_occ '"theming:config background \"/var/www/html/themes/flow_background.jpg\""'
+    abra app cmd -T $APP_NAME app run_occ '"theming:config logo \"/var/www/html/themes/icon_left_brand.svg\""'
+    abra app cmd -T $APP_NAME app run_occ '"theming:config logoheader \"/var/www/html/themes/icon.png\""'
+}
+
+install_bbb() {
+    install_apps bbb
+    set_app_config bbb app.navigation true
+    set_app_config bbb api.url "$BBB_URL"
+    set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)"
+}
+
+install_onlyoffice() {
+    install_apps onlyoffice
+    set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL"
+    set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)"
+    set_app_config onlyoffice customizationForcesave true
+}
+
+install_collabora() {
+    install_apps richdocuments
+    set_app_config richdocuments wopi_url "$COLLABORA_URL"
+    # important for security reaosns
+    # https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings
+    set_app_config richdocuments wopi_allowlist "$COLLABORA_ALLOWLIST"
+}
+
+install_whiteboard() {
+    install_apps whiteboard
+    set_app_config whiteboard collabBackendUrl "https://${DOMAIN}/whiteboard"
+    set_app_config whiteboard jwt_secret_key "$(cat /run/secrets/whiteboard_jwt)"
+}
+
+
+install_talk() {
+    install_apps spreed
+    run_occ "talk:signaling:add --verify 'wss://${TALK_DOMAIN}' '$(cat /run/secrets/talk_signaling_secret)'"
+    run_occ "talk:stun:add '${TALK_DOMAIN}:3478'"
+    run_occ "talk:stun:add '${TALK_DOMAIN}:443'"
+    run_occ "talk:turn:add --secret='$(cat /run/secrets/talk_turn_secret)' turn '${TALK_DOMAIN}:3478' udp,tcp"
+
+}
+
+install_fulltextsearch() {
+    install_apps fulltextsearch
+    install_apps fulltextsearch_elasticsearch
+    install_apps files_fulltextsearch
+    set_app_config fulltextsearch search_platform "OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"
+    set_app_config fulltextsearch_elasticsearch elastic_host "http://elastic:$(cat /run/secrets/elasticsearch_password)@elasticsearch:9200/"
+    set_app_config fulltextsearch_elasticsearch elastic_index "nextcloud"
+    set_app_config files_fulltextsearch files_local "1"
+}
+
+set_default_quota() {
+    set_app_config files default_quota "$DEFAULT_QUOTA"
+}
+
+set_authentik() {
+    install_apps sociallogin
+    AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret)
+    AUTHENTIK_ID=$(cat /run/secrets/authentik_id)
+    set_system_config logo_url https://$AUTHENTIK_DOMAIN
+    set_app_config sociallogin custom_providers "
+{
+    \"custom_oidc\":[
     {
-    abra__src_="$1"
+        \"name\":\"$AUTHENTIK_USER_PREFIX\",
-    abra__dst_="-"
+        \"title\":\"authentik\",
+        \"authorizeUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/authorize/\",
+        \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\",
+        \"displayNameClaim\":\"preferred_username\",
+        \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\",
+        \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/nextcloud/end-session/\",
+        \"clientId\":\"$AUTHENTIK_ID\",
+        \"clientSecret\":\"$AUTHENTIK_SECRET\",
+        \"scope\":\"openid profile email nextcloud\",
+        \"groupsClaim\":\"nextcloud_groups\",
+        \"style\":\"openid\",
+        \"defaultGroup\":\"\",
+        \"groupMapping\": {
+          \"admin\": \"admin\",
+          \"authentik Admins\": \"admin\"
         }
-
-  # shellcheck disable=SC2154
-  FILENAME="$(basename "$1").tar"
-
-  debug "Copying '$1' to '$FILENAME'"
-
-  silence
-  mkdir -p /tmp/abra
-  sub_app_cp > /tmp/abra/$FILENAME
-  unsilence
-}
-
-next_maintenance_on() {
-  silence
-  sub_occ maintenance:mode --on > /dev/null
-  unsilence
-  debug "Nextcloud maintenance mode enabled"
-}
-
-next_maintenance_off() {
-  silence
-  sub_occ maintenance:mode --off > /dev/null
-  unsilence
-  debug "Nextcloud maintenance mode disabled"
-}
-
-abra_backup_app() {
-  # shellcheck disable=SC2154
-  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
-  # Cant be FILENAME as that gets changed by something
-  next_maintenance_on
-  _backup_app $NC_APP_DIR/config
-  _backup_app $NC_APP_DIR/data
-  _backup_app $NC_APP_DIR/themes
-  # Combine archives
-  tar -Af /tmp/abra/config.tar /tmp/abra/data.tar
-  tar -Af /tmp/abra/config.tar /tmp/abra/themes.tar
-  gzip /tmp/abra/config.tar -c > "$ARK_FILENAME"
-  rm /tmp/abra/*.tar
-  success "Backed up 'app' to $ARK_FILENAME"
-  next_maintenance_off
-}
-
-abra_backup_db() {
-  next_maintenance_on
-  _abra_backup_mysql "db" "nextcloud"
-  next_maintenance_off
-}
-
-abra_backup() {
-  abra_backup_app && abra_backup_db
-}
-
-
-abra_restore_app() {
-  next_maintenance_on
-  # shellcheck disable=SC2034
-  {
-  abra__src_="-"
-  abra__dst_=$NC_APP_DIR
     }
+]
+}"
 
-  zcat "$@" | sub_app_cp
+    set_app_config sociallogin update_profile_on_login 1
-
+    set_app_config sociallogin auto_create_groups 1
-  next_maintenance_off
+    set_app_config sociallogin hide_default_login 1
-  sub_occ files:scan --all > /dev/null # Needs to be run in normal mode
+    run_occ 'config:system:set social_login_auto_redirect --value true'
-  success "Restored 'app'"
+    run_occ 'config:system:set allow_user_to_change_display_name --value=false'
+    run_occ 'config:system:set lost_password_link --value=disabled'
 }
 
-# abra_restore_db() {
+disable_skeletondirectory() {
-#   warning "Restoring the database is on a existing app and not a new one has not been tested. Use with caution."
+    run_occ "config:system:set skeletondirectory --value ''"
-#   next_maintenance_on
+}
-#   # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
-#   # got this far..
 
-#   # shellcheck disable=SC2034
+set_windowsfriendly_filenames() {
-#   abra___no_tty="true"
+    run_occ 'config:system:set forbidden_filename_characters 0 --value=?'
+    run_occ 'config:system:set forbidden_filename_characters 1 --value=\<'
+    run_occ 'config:system:set forbidden_filename_characters 2 --value=\>'
+    run_occ 'config:system:set forbidden_filename_characters 3 --value=:'
+    run_occ 'config:system:set forbidden_filename_characters 4 --value=*'
+    run_occ 'config:system:set forbidden_filename_characters 5 --value=\|'
+    run_occ 'config:system:set forbidden_filename_characters 6 --value=\"'
+}
 
-#   DB_PASSWORD=$(sub_app_run cat /run/secrets/db_password)
+upgrade_mariadb() {
-
+    mariadb-upgrade -p`cat /run/secrets/db_root_password`
-#   zcat "$@" | sub_app_run mysql -u root -p"$DB_PASSWORD" wordpress
+}
-
-#   success "Restored 'db'"
-#   next_maintenance_off
-# }

alaconnect.yml

@@ -0,0 +1,24 @@
+authentik:
+    uncomment:
+        - compose.authentik.yml
+        - AUTHENTIK_USER_PREFIX
+        - AUTHENTIK_DOMAIN
+        - SECRET_AUTHENTIK_SECRET_VERSION
+        - SECRET_AUTHENTIK_ID_VERSION
+    initial-hooks:
+        - app set_authentik
+    shared_secrets:
+        nextcloud_secret: authentik_secret
+        nextcloud_id: authentik_id
+onlyoffice:
+    uncomment:
+        - compose.onlyoffice.yml
+        - ONLYOFFICE_URL
+        - SECRET_ONLYOFFICE_JWT_VERSION
+    initial-hooks:
+        - app install_onlyoffice
+collabora:
+    uncomment:
+        - COLLABORA_URL
+    initial-hooks:
+        - app install_collabora

compose.authentik.yml

@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - authentik_secret
+      - authentik_id
+
+secrets:
+  authentik_secret:
+    external: true
+    name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
+  authentik_id:
+    external: true
+    name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}

compose.bbb.yml

@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - bbb_secret
+    environment:
+      - BBB_URL
+
+secrets:
+  bbb_secret:
+    external: true
+    name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION}

compose.fulltextsearch.yml

@@ -0,0 +1,55 @@
+version: "3.8"
+
+services:
+  elasticsearch:
+    image: "docker.elastic.co/elasticsearch/elasticsearch:8.17.2"
+    environment:
+      - cluster.name=docker-cluster
+      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - discovery.type=single-node
+      # Disable authentication and ssl completely
+      # - xpack.security.enabled=false
+      # Use this to enable Basic Authentication:
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=false
+      - ELASTIC_PASSWORD_FILE=/var/run/secrets/elasticsearch_password
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - elasticsearch:/usr/share/elasticsearch/data
+    networks:
+      - internal
+    secrets:
+      - source: elasticsearch_password
+        uid: "1000"
+        gid: "1000"
+        mode: 0600
+
+  searchindexer:
+    image: nextcloud:31.0.6-fpm
+    volumes:
+      - nextcloud:/var/www/html/
+      - nextapps:/var/www/html/custom_apps:cached
+      - nextdata:/var/www/html/data:cached
+      - nextconfig:/var/www/html/config:cached
+      - ${EXTRA_VOLUME}
+    networks:
+      - internal
+    entrypoint: su -p www-data -s /bin/sh -c '/var/www/html/occ fulltextsearch:live'
+
+  # Add the secret to the app service so it is avaiable in the
+  # install_fulltextsearch command
+  app:
+    secrets:
+      - elasticsearch_password
+
+secrets:
+  elasticsearch_password:
+    external: true
+    name: ${STACK_NAME}_elasticsearch_password_${SECRET_ELASTICSEARCH_PASSWORD_VERSION}
+
+volumes:
+  elasticsearch:

compose.mariadb.yml

@@ -9,12 +9,14 @@ services:
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
 
   db:
-    image: "mariadb:10.5"
+    image: "mariadb:11.4"
     environment:
       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud
       - MYSQL_PASSWORD_FILE=/run/secrets/db_password
       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}
+      - INNODB_BUFFER_POOL_SIZE=${INNODB_BUFFER_POOL_SIZE:-1G}"
     configs:
       - source: my_tune
         target: /etc/mysql/conf.d/my-tune.cnf
@@ -27,14 +29,25 @@ services:
       - internal
     deploy:
       labels:
-          backupbot.backup: "true"
+        backupbot.backup.pre-hook: 'mariadb-dump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
-          backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql'
+        backupbot.backup.volumes.mariadb.path: "backup.sql"
-          backupbot.backup.post-hook: "rm -rf /tmp/backup"
+        backupbot.restore.post-hook: 'mariadb -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud < /var/lib/mysql/backup.sql'
-          backupbot.backup.path: "/tmp/backup/"
+    healthcheck:
+      test: ["CMD-SHELL", 'mariadb-admin -p"$$(cat /run/secrets/db_root_password)"  ping']
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
 configs:
   my_tune:
     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
     file: my-tune.cnf
+    template_driver: golang
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
 
 volumes:
   mariadb:

compose.onlyoffice.yml

@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - onlyoffice_jwt
+    environment:
+      - ONLYOFFICE_URL
+
+secrets:
+  onlyoffice_jwt:
+    external: true
+    name: ${STACK_NAME}_onlyoffice_jwt_${SECRET_ONLYOFFICE_JWT_VERSION}

compose.postgres.yml

@@ -2,7 +2,6 @@ version: '3.8'
 
 services:
   app:
-    entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
     environment:
       - POSTGRES_HOST=db
       - POSTGRES_DB=nextcloud
@@ -11,7 +10,8 @@ services:
       - NEXTCLOUD_UPDATE=1
 
   db:
-    image: "postgres:12"
+    image: "postgres:13"
+    command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}"
     volumes:
       - "postgres:/var/lib/postgresql/data"
     networks:
@@ -23,16 +23,24 @@ services:
     secrets:
       - db_password
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready"]
+      test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"]
       interval: 10s
       timeout: 5s
       retries: 5
     deploy:
       labels:
-            backupbot.backup: "true"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
-            backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
+        backupbot.backup.volumes.postgres.path: "backup.sql"
-            backupbot.backup.post-hook: "rm -rf /tmp/backup"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
-            backupbot.backup.path: "/tmp/backup/"
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
 
 volumes:
   postgres:
+
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh

compose.smtp.yml

@@ -0,0 +1,19 @@
+version: "3.8"
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - SMTP_AUTHTYPE
+      - SMTP_HOST
+      - SMTP_SECURE
+      - SMTP_NAME
+      - SMTP_PORT
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
+      - MAIL_FROM_ADDRESS
+      - MAIL_DOMAIN
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.talk.yml

@@ -0,0 +1,70 @@
+version: "3.8"
+
+services:
+  talk:
+    image: "nextcloud/aio-talk:20251128_084214"
+    environment:
+      - NC_DOMAIN=${DOMAIN}
+      - TALK_HOST=${TALK_DOMAIN}
+      - TZ
+      - TALK_PORT=3478
+      - INTERNAL_SECRET_FILE=/run/secrets/talk_internal_secret 
+      - TURN_SECRET_FILE=/run/secrets/talk_turn_secret
+      - SIGNALING_SECRET_FILE=/run/secrets/talk_signaling_secret
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.services.${STACK_NAME}_talk.loadbalancer.server.port=8081
+        - traefik.http.routers.${STACK_NAME}_talk.rule=Host(`${TALK_DOMAIN}`)
+        - traefik.http.routers.${STACK_NAME}_talk.entrypoints=web-secure
+        - traefik.http.routers.${STACK_NAME}_talk.tls.certresolver=${LETS_ENCRYPT_ENV}
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.rule=HostSNI(`*`)
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.entrypoints=nextcloud-talk-hpb
+        - traefik.tcp.routers.${STACK_NAME}_nextcloud-talk-hpb.service=${STACK_NAME}_nextcloud-talk-hpb-svc
+        - traefik.tcp.services.${STACK_NAME}_nextcloud-talk-hpb-svc.loadbalancer.server.port=3478
+        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.entrypoints=nextcloud-talk-hpb-udp
+        - traefik.udp.routers.${STACK_NAME}_nextcloud-talk-hpb-udp.service=${STACK_NAME}_nextcloud-talk-hpb-udp-svc
+        - traefik.udp.services.${STACK_NAME}_nextcloud-talk-hpb-udp-svc.loadbalancer.server.port=3478
+    networks:
+      - proxy
+    configs:
+      - source: entrypoint_talk
+        target: /custom-entrypoint.sh
+        mode: 775
+    entrypoint: /custom-entrypoint.sh
+    secrets:
+      - source: talk_internal_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+      - source: talk_turn_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+      - source: talk_signaling_secret
+        uid: "1000"
+        gid: "122"
+        mode: 0600
+
+  app:
+    secrets:
+      - talk_turn_secret
+      - talk_signaling_secret
+
+secrets:
+  talk_internal_secret:
+    external: true
+    name: ${STACK_NAME}_talk_internal_secret_${SECRET_TALK_INTERNAL_SECRET_VERSION}
+  talk_turn_secret:
+    external: true
+    name: ${STACK_NAME}_talk_turn_secret_${SECRET_TALK_TURN_SECRET_VERSION}
+  talk_signaling_secret:
+    external: true
+    name: ${STACK_NAME}_talk_signaling_secret_${SECRET_TALK_SIGNALING_SECRET_VERSION}
+
+configs:
+  entrypoint_talk:
+    name: ${STACK_NAME}_entrypoint_talk_${ENTRYPOINT_TALK_VERSION}
+    file: entrypoint.talk.sh.tmpl
+    template_driver: golang

compose.whiteboard.yml

@@ -0,0 +1,44 @@
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - whiteboard_jwt
+
+  whiteboard:
+    image: ghcr.io/nextcloud-releases/whiteboard:v1.1.2
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=proxy
+        - traefik.http.services.${STACK_NAME}_whiteboard.loadbalancer.server.port=3002
+        - traefik.http.routers.${STACK_NAME}_whiteboard.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS}) && PathPrefix(`/whiteboard`)
+        - traefik.http.routers.${STACK_NAME}_whiteboard.entrypoints=web-secure
+        - traefik.http.routers.${STACK_NAME}_whiteboard.tls.certresolver=${LETS_ENCRYPT_ENV}
+        - traefik.http.middlewares.${STACK_NAME}_whiteboard-stripprefix.stripprefix.prefixes=/whiteboard
+        - traefik.http.routers.${STACK_NAME}_whiteboard.middlewares=${STACK_NAME}_whiteboard-stripprefix
+    configs:
+      - source: entrypoint_whiteboard
+        target: /custom-entrypoint.sh
+    entrypoint: ["sh", "/custom-entrypoint.sh"]
+    user: root
+    networks:
+     - proxy
+    ports:
+      - 3002:3002
+    secrets:
+      - whiteboard_jwt
+    environment:
+      - NEXTCLOUD_URL=https://$DOMAIN
+      - JWT_SECRET_KEY_FILE=/run/secrets/whiteboard_jwt
+
+secrets:
+  whiteboard_jwt:
+    external: true
+    name: ${STACK_NAME}_whiteboard_jwt_${SECRET_WHITEBOARD_JWT_VERSION}
+
+configs:
+  entrypoint_whiteboard:
+    name: ${STACK_NAME}_entrypoint_whiteboard_${ENTRYPOINT_WHITEBOARD_VERSION}
+    file: entrypoint.whiteboard.sh.tmpl
+    template_driver: golang

compose.yml

@@ -1,13 +1,19 @@
 version: "3.8"
 services:
   web:
-    image: nginx:1.21.6
+    image: nginx:1.29.0
+    depends_on:
+      - app
     configs:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
     environment:
+      - X_FRAME_OPTIONS_ALLOW_FROM
+      - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
+      - HSTS_ENABLED
+      - HSTS_PRELOAD
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -29,33 +35,53 @@ services:
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
+        - "caddy=${DOMAIN}"
+        - "caddy.reverse_proxy={{upstreams 80}}"
+        - "caddy.tls.on_demand="
+    healthcheck:
+      test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"']
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 5m
 
   app:
-    image: nextcloud:24.0.0-fpm
+    image: nextcloud:31.0.6-fpm
     depends_on:
       - db
     configs:
       - source: fpm_tune
-        target: /usr/local/etc/php-fpm.d/fpm-tune.conf
+        target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 555
+    entrypoint: /custom-entrypoint.sh
     secrets:
       - db_password
       - admin_password
     environment:
+      - APPS
+      - OCC_CMDS
+      - X_FRAME_OPTIONS_ALLOW_FROM
+      - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
       - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password
       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
-      - TRUSTED_PROXIES=traefik
+      - TRUSTED_PROXIES=10.0.0.0/8
       - REDIS_HOST=cache
-      - SMTP_HOST
-      - MAIL_FROM_ADDRESS
-      - MAIL_DOMAIN
-      - SMTP_AUTHTYPE=PLAIN
       - OVERWRITEPROTOCOL=https
-      - PHP_MEMORY_LIMIT=1G
+      - OVERWRITECLIURL=https://${DOMAIN}
+      - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G}
+      - PHP_UPLOAD_LIMIT=${PHP_UPLOAD_LIMIT:-512M}
+      - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131}
+      - FPM_START_SERVERS=${FPM_START_SERVERS:-32}
+      - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32}
+      - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98}
+      - DEFAULT_QUOTA
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -69,13 +95,21 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=2.1.0+24.0.0-fpm"
+        - "coop-cloud.${STACK_NAME}.version=12.0.1+31.0.6-fpm"
-        - "backupbot.backup=true"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+        - "backupbot.backup.volumes.redis=false"
+       #- "backupbot.backup.volumes.nextcloud=false"
 
+    healthcheck:
+      test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"']
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 15m
 
   cron:
-    image: nextcloud:24.0.0-fpm
+    image: nextcloud:31.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -85,21 +119,27 @@ services:
     networks:
       - internal
     entrypoint: /cron.sh
+    configs:
+      - source: crontab
+        target: /var/spool/cron/crontabs/www-data
+
 
   cache:
-    image: redis:7.0.0-alpine
+    image: redis:8.0.2-alpine
     networks:
       - internal
     volumes:
       - "redis:/data"
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 3s
+      timeout: 5s
+      retries: 20
 
 secrets:
-  db_root_password:
-    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
   db_password:
     external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
   admin_password:
     external: true
     name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
@@ -111,6 +151,7 @@ volumes:
   nextconfig:
   redis:
 
+
 configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
@@ -119,6 +160,14 @@ configs:
   fpm_tune:
     name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
     file: fpm-tune.ini
+    template_driver: golang
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+  crontab:
+    name: ${STACK_NAME}_crontab_${CRONTAB_VERSION}
+    file: crontab
 
 networks:
   proxy:

configure_nextcloud.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-app_name=$1
-domain=$2
-secret=$3
-
-sub_occ(){
-abra app run --user www-data $app_name app /var/www/html/occ "$@"
-}
-
-# Install apps
-sub_occ app:install calendar || true
-sub_occ app:install sociallogin || true
-sub_occ app:install onlyoffice || true
-
-# Disable Dashboard
-sub_occ app:disable dashboard || true
-
-# Configure SSO
-
-sub_occ config:app:set sociallogin custom_providers --value="
-{
-  \"custom_oidc\": [
-    {
-      \"name\": \"authentik\",
-      \"title\": \"Login\",
-      \"authorizeUrl\": \"https://$domain/application/o/authorize/\",
-      \"tokenUrl\": \"https://$domain/application/o/token/\",
-      \"displayNameClaim\": \"preferred_username\",
-      \"userInfoUrl\": \"https://$domain/application/o/userinfo/\",
-      \"logoutUrl\": \"https://$domain/application/o/nextcloud/end-session/\",
-      \"clientId\": \"nextcloud\",
-      \"clientSecret\": \"$secret\",
-      \"scope\": \"openid profile email nextcloud\",
-      \"groupsClaim\": \"nextcloud_groups\",
-      \"style\": \"openid\",
-      \"defaultGroup\": \"\",
-      \"groupMapping\": {
-        \"admin\": \"admin\"
-      }
-    }
-  ]
-}"
-
-sub_occ config:app:set sociallogin update_profile_on_login --value 1
-sub_occ config:app:set sociallogin auto_create_groups --value 1
-sub_occ config:app:set sociallogin hide_default_login --value 1
-
-sub_occ config:system:set allow_user_to_change_display_name --value=false
-sub_occ config:system:set lost_password_link --value=disabled
-sub_occ config:system:set social_login_auto_redirect --value=true
-
-abra app run --user www-data $app_name app cat config/config.php

crontab

@@ -0,0 +1 @@
+*/5 * * * * php -d memory_limit=1G -f /var/www/html/cron.php

entrypoint.sh.tmpl

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "SMTP_PASSWORD"
+
+echo "Giving the db container some time to come up"; sleep 20
+# see this issue with postgres db https://github.com/nextcloud/docker/issues/1204
+
+{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
+    sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
+fi
+{{ end }}
+
+# Required for healthcheck
+which cgi-fcgi > /dev/null || (apt-get update && apt-get install -y libfcgi-bin)
+
+
+/entrypoint.sh php-fpm

entrypoint.talk.sh.tmpl

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+file_env "INTERNAL_SECRET"
+file_env "TURN_SECRET"
+file_env "SIGNALING_SECRET"
+
+/start.sh supervisord -c /supervisord.conf

entrypoint.whiteboard.sh.tmpl

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export JWT_SECRET_KEY=$(cat /run/secrets/whiteboard_jwt)
+
+exec npm run server:start

fpm-tune.ini

@@ -1,5 +1,5 @@
 pm = dynamic
-pm.max_children = 131
+pm.max_children = {{ env "FPM_MAX_CHILDREN" }}
-pm.start_servers = 32
+pm.start_servers = {{ env "FPM_START_SERVERS" }}
-pm.min_spare_servers = 32
+pm.min_spare_servers = {{ env "FPM_MIN_SPARE_SERVERS" }}
-pm.max_spare_servers = 98
+pm.max_spare_servers = {{ env "FPM_MAX_SPARE_SERVERS" }}

my-tune.cnf

@@ -4,7 +4,7 @@
 # https://mariadb.com/kb/en/library/performance-schema-overview/
 
 [server]
-innodb_buffer_pool_size        = 1G
+innodb_buffer_pool_size        = {{ env "INNODB_BUFFER_POOL_SIZE" }}
 innodb_flush_log_at_trx_commit = 2
 innodb_log_buffer_size         = 32M
 innodb_max_dirty_pages_pct     = 90
@@ -13,7 +13,7 @@ key_buffer_size                = 16M
 innodb_log_file_size           = 256M
 long_query_time                = 1
 max_allowed_packet             = 256M
-max_connections                = 100
+max_connections                = {{ env "MAX_DB_CONNECTIONS" }}
 max_heap_table_size            = 64M
 max_user_connections           = 0
 myisam_recover_options         = BACKUP

nginx.conf.tmpl

@@ -11,6 +11,10 @@ events {
 
 http {
     include       /etc/nginx/mime.types;
+    # See https://github.com/nextcloud/forms/issues/1838#issuecomment-1860497200
+    types {
+        application/javascript js mjs;
+    }
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -41,6 +45,14 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
+        {{ if eq (env "HSTS_ENABLED") "1" }}
+        {{ if eq (env "HSTS_PRELOAD") "1" }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        {{ else }}
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+        {{ end }}
+        {{ end }}
+
         # set max upload size
         client_max_body_size 512M;
         fastcgi_buffers 64 4K;
@@ -61,11 +73,17 @@ http {
         add_header Referrer-Policy                      "no-referrer"       always;
         add_header X-Content-Type-Options               "nosniff"           always;
         add_header X-Download-Options                   "noopen"            always;
-        add_header X-Frame-Options                      "SAMEORIGIN"    always;
         add_header X-Permitted-Cross-Domain-Policies    "none"              always;
-        add_header X-Robots-Tag                         "none"          always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
         add_header X-XSS-Protection                     "1; mode=block"     always;
 
+        {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
+        {{ else }}
+        add_header X-Frame-Options                      "SAMEORIGIN"    always;
+        {{ end }}
+
+
         # Remove X-Powered-By, which is an information leak
         fastcgi_hide_header X-Powered-By;
 
@@ -125,6 +143,9 @@ http {
         # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
         # to the URI, resulting in a HTTP 500 error response.
         location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
             fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
 

pg_backup.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+
+function backup {
+  export PGPASSWORD=$(cat /run/secrets/db_password)
+  pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > $BACKUP_FILE
+}
+
+function restore {
+    cd /var/lib/postgresql/data/
+    restore_config(){
+        # Restore allowed connections
+        cat pg_hba.conf.bak > pg_hba.conf
+        su postgres -c 'pg_ctl reload'
+    }
+    # Don't allow any other connections than local
+    cp pg_hba.conf pg_hba.conf.bak
+    echo "local all all trust" > pg_hba.conf
+    su postgres -c 'pg_ctl reload'
+    trap restore_config EXIT INT TERM
+
+    # Recreate Database
+    psql -U ${POSTGRES_USER} -d postgres -c "DROP DATABASE ${POSTGRES_DB} WITH (FORCE);" 
+    createdb -U ${POSTGRES_USER} ${POSTGRES_DB}
+    psql -U ${POSTGRES_USER} -d ${POSTGRES_DB} -1 -f $BACKUP_FILE
+
+    trap - EXIT INT TERM
+    restore_config
+}
+
+$@

release/10.0.0+30.0.4-fpm

@@ -0,0 +1 @@
+https://docs.nextcloud.com/server/latest/admin_manual/release_notes/upgrade_to_30.html

release/11.0.0+30.0.4-fpm

@@ -0,0 +1,4 @@
+Upgrades mariadb from 10.5 to 11.4
+NOTE: If your Nextcloud instance is using mariadb, after running this update you MUST run the database upgrade command:
+`abra app command nextcloud.yourserver.org db upgrade_mariadb`
+More info: https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/

release/3.1.0+25.0.1-fpm

@@ -0,0 +1,57 @@
+
+## FPM Tune
+
+The fpm-tune.ini settings are now configurable by `.env`. Please add this to your servers configs:
+
+```
+# fpm-tune, see: https://spot13.com/pmcalculator/
+FPM_MAX_CHILDREN=131
+FPM_START_SERVERS=32
+FPM_MIN_SPARE_SERVERS=32
+FPM_MAX_SPARE_SERVERS=98
+```
+
+## SMTP
+
+Add SMTP Config to your .env file:
+
+```
+# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+# See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values
+# SMTP_AUTHTYPE=
+# SMTP_HOST=
+# SMTP_SECURE=
+# SMTP_NAME=
+# SMTP_PORT=
+# MAIL_FROM_ADDRESS=
+# MAIL_DOMAIN=
+# SECRET_SMTP_PASSWORD_VERSION=v1
+abra app secret insert example.com smtp_password v1 example_password
+```
+
+
+## Post Deploy Commands
+
+Some Apps can also be managed with abra app cmd!
+
+```
+# COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
+# APPS="calendar sociallogin onlyoffice"
+abra app cmd example.com app install_apps
+# ONLYOFFICE_URL=https://onlyoffice.example.com
+# SECRET_ONLYOFFICE_JWT_VERSION=v1
+abra app secret insert example.com onlyoffice_jwt v1 example_password
+abra app cmd example.com app install_onlyoffice
+# BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
+# SECRET_BBB_SECRET_VERSION=v1
+abra app secret insert example.com bbb_secret v1 example_password
+abra app cmd example.com app install_bbb
+```
+
+## Set Quota
+
+```
+# DEFAULT_QUOTA="10 GB"
+abra app cmd example.com app set_default_quota
+```
+

release/3.2.0+25.0.4-fpm

@@ -0,0 +1,11 @@
+If the authentik configuration should be handled by abra add the following to the env:
+
+    COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+    AUTHENTIK_USER_PREFIX=authentik
+    AUTHENTIK_DOMAIN=authentik.example.com
+    AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik
+    AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik
+
+And run:
+
+    abra app cmd <app-name> app set_authentik

release/5.0.1+27.0.1-fpm

@@ -0,0 +1 @@
+The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more.

release/8.0.0+29.0.1-fpm

@@ -0,0 +1 @@
+BREAKING CHANGE: compose.apps.yml is now split for bbb and onlyoffice, configs must be updated

release/9.1.0+29.0.5-fpm

@@ -0,0 +1 @@
+Added automated customization options. Config needs to be updated to be able to use it.