chore: publish 2.1.4+24.0.6-fpm release

This introduces new env variables to configure nextloud to be embedded via
iframe on an external site.
Setting X_FRAME_OPTIONS_ENABLED=1 will configure nginx and nextcloud to
set X-Frame-Options and CSP headers to allow the domain configured in
X_FRAME_OPTIONS_ALLOW_FROM.

I created a PR because I'm not sure if this is helpful for other people or just a custom hack that bloats the recipe :D

Co-authored-by: Philipp Rothmann <philipprothmann@posteo.de>
Reviewed-on: coop-cloud/nextcloud#28

.env.sample

@@ -1,6 +1,6 @@
 TYPE=nextcloud
 
-DOMAIN=nextcloud.example.com
+DOMAIN={{ .Domain }}
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.nextcloud.example.com`'
 LETS_ENCRYPT_ENV=production
@@ -16,3 +16,6 @@ SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
 
 EXTRA_VOLUME=/dev/null:/tmp/.dummy
+
+# X_FRAME_OPTIONS_ENABLED=1
+# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org

abra.sh

@@ -1,6 +1,7 @@
 export FPM_TUNE_VERSION=v4
-export NGINX_CONF_VERSION=v2
+export NGINX_CONF_VERSION=v4
 export MY_CNF_VERSION=v4
+export ENTRYPOINT_VERSION=v2
 
 NC_APP_DIR="app:/var/www/html"
 

compose.postgres.yml

@@ -2,7 +2,6 @@ version: '3.8'
 
 services:
   app:
-    entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
     environment:
       - POSTGRES_HOST=db
       - POSTGRES_DB=nextcloud

compose.yml

@@ -6,6 +6,8 @@ services:
       - source: nginx_conf
         target: /etc/nginx/nginx.conf
     environment:
+      - X_FRAME_OPTIONS_ALLOW_FROM
+      - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
     volumes:
@@ -33,16 +35,22 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
   app:
-    image: nextcloud:24.0.3-fpm
+    image: nextcloud:24.0.6-fpm
     depends_on:
       - db
     configs:
       - source: fpm_tune
         target: /usr/local/etc/php-fpm.d/fpm-tune.conf
+      - source: entrypoint
+        target: /custom-entrypoint.sh
+        mode: 555
+    entrypoint: /custom-entrypoint.sh
     secrets:
       - db_password
       - admin_password
     environment:
+      - X_FRAME_OPTIONS_ALLOW_FROM
+      - X_FRAME_OPTIONS_ENABLED
       - DOMAIN
       - STACK_NAME
       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
@@ -69,13 +77,12 @@ services:
         failure_action: rollback
         order: start-first
       labels:
-        - "coop-cloud.${STACK_NAME}.version=2.1.2+24.0.3-fpm"
+        - "coop-cloud.${STACK_NAME}.version=2.1.4+24.0.6-fpm"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
 
-
   cron:
-    image: nextcloud:24.0.3-fpm
+    image: nextcloud:24.0.6-fpm
     volumes:
       - nextcloud:/var/www/html/
       - nextapps:/var/www/html/custom_apps:cached
@@ -87,7 +94,7 @@ services:
     entrypoint: /cron.sh
 
   cache:
-    image: redis:7.0.4-alpine
+    image: redis:7.0.5-alpine
     networks:
       - internal
     volumes:
@@ -111,6 +118,7 @@ volumes:
   nextconfig:
   redis:
 
+
 configs:
   nginx_conf:
     name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
@@ -119,6 +127,10 @@ configs:
   fpm_tune:
     name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
     file: fpm-tune.ini
+  entrypoint:
+    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
 
 networks:
   proxy:

entrypoint.sh.tmpl

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo "Giving the db container some time to come up"; sleep 20
+# see this issue with postgres db https://github.com/nextcloud/docker/issues/1204
+
+{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
+    sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
+fi
+{{ end }}
+
+/entrypoint.sh php-fpm

nginx.conf.tmpl

@@ -41,6 +41,7 @@ http {
         # could take several months.
         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
+
         # set max upload size
         client_max_body_size 512M;
         fastcgi_buffers 64 4K;
@@ -61,11 +62,17 @@ http {
         add_header Referrer-Policy                      "no-referrer"   always;
         add_header X-Content-Type-Options               "nosniff"       always;
         add_header X-Download-Options                   "noopen"        always;
-        add_header X-Frame-Options                      "SAMEORIGIN"    always;
         add_header X-Permitted-Cross-Domain-Policies    "none"          always;
         add_header X-Robots-Tag                         "none"          always;
         add_header X-XSS-Protection                     "1; mode=block" always;
 
+        {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
+        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
+        {{ else }}
+        add_header X-Frame-Options                      "SAMEORIGIN"    always;
+        {{ end }}
+
+
         # Remove X-Powered-By, which is an information leak
         fastcgi_hide_header X-Powered-By;