diff --git a/.github/workflows/collabora.yml b/.github/workflows/collabora.yml index a61067f3..798c22ad 100644 --- a/.github/workflows/collabora.yml +++ b/.github/workflows/collabora.yml @@ -20,6 +20,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: + token: ${{ secrets.GITHUB_TOKEN }} commit-message: collabora-seccomp-update automated change signoff: true title: collabora seccomp update diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml index ef286f86..b8daa1c6 100644 --- a/.github/workflows/dependency-updates.yml +++ b/.github/workflows/dependency-updates.yml @@ -43,9 +43,19 @@ jobs: | tail -1 )" sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile + + # CADDY_REMOTE_HOST_HASH + CADDY_REMOTE_HOST_HASH="$( + git ls-remote https://github.com/muety/caddy-remote-host master \ + | cut -f1 \ + | tail -1 + )" + sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile + - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: + token: ${{ secrets.GITHUB_TOKEN }} commit-message: php dependency updates signoff: true title: PHP dependency updates diff --git a/.github/workflows/imaginary-update.yml b/.github/workflows/imaginary-update.yml index 05050a20..855a8dbe 100644 --- a/.github/workflows/imaginary-update.yml +++ b/.github/workflows/imaginary-update.yml @@ -24,6 +24,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: + token: ${{ secrets.GITHUB_TOKEN }} commit-message: imaginary-update automated change signoff: true title: Imaginary update diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index cecc047e..d9e68a33 100644 
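Review bot: Pull requests opened with `secrets.GITHUB_TOKEN` do not start `pull_request` or `push` workflows, so with the `token:` line added under `with:` here the generated PR gets no automated checks until someone closes and reopens it or pushes to it. The same line is added in dependency-updates.yml, imaginary-update.yml, nextcloud-update.yml, talk.yml and watchtower-update.yml, and psalm-update-baseline.yml swaps `secrets.COMMAND_BOT_PAT` for it. The job also needs `contents: write` and `pull-requests: write` for this token; the `permissions:` block is outside the hunk, so confirm it is set per job rather than inherited from the repository default. A comment above the line such as `# default token: PRs created with it do not trigger CI` would document the trade-off.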
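Review bot: The new `CADDY_REMOTE_HOST_HASH` step writes whatever `git ls-remote` printed into the Dockerfile without checking it, so a failed or empty lookup would produce `ARG CADDY_REMOTE_HOST_HASH=` and the pin on the third-party plugin would be lost. Guard the `sed` with a format check, e.g. `printf '%s' "$CADDY_REMOTE_HOST_HASH" | grep -Eq '^[0-9a-f]{40}$' || exit 1`, and query `refs/heads/master` rather than `master` so `tail -1` cannot pick up another ref whose name ends in master. Because the step follows the tip of an external branch, the resulting PR is the only review gate for that code. The step's shell options are outside the hunk, so whether a failing pipeline already aborts the run cannot be seen here.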
--- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -36,7 +36,7 @@ jobs: line-length: warning - name: Install the latest version of uv - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0 + uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 - name: Check GitHub actions run: uvx zizmor --min-severity medium .github/workflows/*.yml diff --git a/.github/workflows/nextcloud-update.yml b/.github/workflows/nextcloud-update.yml index b2475290..e4cca512 100644 --- a/.github/workflows/nextcloud-update.yml +++ b/.github/workflows/nextcloud-update.yml @@ -81,6 +81,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: + token: ${{ secrets.GITHUB_TOKEN }} commit-message: nextcloud-update automated change signoff: true title: Nextcloud dependency update diff --git a/.github/workflows/playwright-on-push.yml b/.github/workflows/playwright-on-push.yml index c9dfd5e2..96e2619e 100644 --- a/.github/workflows/playwright-on-push.yml +++ b/.github/workflows/playwright-on-push.yml @@ -26,7 +26,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: lts/* @@ -114,7 +114,7 @@ jobs: exit 1 fi - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ !cancelled() }} with: name: playwright-report diff --git a/.github/workflows/playwright-on-workflow-dispatch.yml b/.github/workflows/playwright-on-workflow-dispatch.yml index 6d2f6d32..0dd1d911 100644 --- a/.github/workflows/playwright-on-workflow-dispatch.yml +++ b/.github/workflows/playwright-on-workflow-dispatch.yml 
@@ -15,7 +15,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: lts/* @@ -82,7 +82,7 @@ jobs: exit 1 fi - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ !cancelled() }} with: name: playwright-report diff --git a/.github/workflows/psalm-update-baseline.yml b/.github/workflows/psalm-update-baseline.yml index e83a6376..f145557d 100644 --- a/.github/workflows/psalm-update-baseline.yml +++ b/.github/workflows/psalm-update-baseline.yml @@ -18,6 +18,7 @@ jobs: php-version: 8.5 extensions: apcu coverage: none + ini-file: development - name: Run script run: | @@ -32,7 +33,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: - token: ${{ secrets.COMMAND_BOT_PAT }} + token: ${{ secrets.GITHUB_TOKEN }} commit-message: Update psalm baseline committer: GitHub author: nextcloud-command diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml index 354222b8..15e8a4b1 100644 --- a/.github/workflows/psalm.yml +++ b/.github/workflows/psalm.yml @@ -43,8 +43,7 @@ jobs: extensions: apcu coverage: none ini-file: development - # Temporary workaround for missing pcntl_* in PHP 8.3 - ini-values: disable_functions= + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/talk.yml b/.github/workflows/talk.yml index b19e1cb5..ce5462eb 100644 --- a/.github/workflows/talk.yml +++ b/.github/workflows/talk.yml 
@@ -47,6 +47,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: + token: ${{ secrets.GITHUB_TOKEN }} commit-message: talk-update automated change signoff: true title: talk container update diff --git a/.github/workflows/watchtower-update.yml b/.github/workflows/watchtower-update.yml index ecd82a69..06d5f794 100644 --- a/.github/workflows/watchtower-update.yml +++ b/.github/workflows/watchtower-update.yml @@ -28,6 +28,7 @@ jobs: - name: Create Pull Request uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 with: + token: ${{ secrets.GITHUB_TOKEN }} commit-message: watchtower-update automated change signoff: true title: watchtower container update diff --git a/Containers/apache/Caddyfile b/Containers/apache/Caddyfile index 92e84b49..40da90f9 100644 --- a/Containers/apache/Caddyfile +++ b/Containers/apache/Caddyfile @@ -15,7 +15,7 @@ } https://{$ADDITIONAL_TRUSTED_DOMAIN}:443, -http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json +http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} { header -Server header -X-Powered-By diff --git a/Containers/apache/Dockerfile b/Containers/apache/Dockerfile index 9a4ecbbf..b9581b13 100644 --- a/Containers/apache/Dockerfile +++ b/Containers/apache/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:latest -FROM caddy:2.11.1-alpine AS caddy +FROM caddy:2.11.2-alpine AS caddy # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile FROM httpd:2.4.66-alpine3.23 diff --git a/Containers/collabora/Dockerfile b/Containers/collabora/Dockerfile index 411f08e0..a845bc46 100644 --- a/Containers/collabora/Dockerfile +++ b/Containers/collabora/Dockerfile 
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:latest # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile -FROM collabora/code:25.04.8.3.1 +FROM collabora/code:25.04.9.3.1 USER root ARG DEBIAN_FRONTEND=noninteractive diff --git a/Containers/docker-socket-proxy/Dockerfile b/Containers/docker-socket-proxy/Dockerfile index ffcc152e..0f162d54 100644 --- a/Containers/docker-socket-proxy/Dockerfile +++ b/Containers/docker-socket-proxy/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:latest -FROM haproxy:3.3.4-alpine +FROM haproxy:3.3.6-alpine # hadolint ignore=DL3002 USER root diff --git a/Containers/fulltextsearch/Dockerfile b/Containers/fulltextsearch/Dockerfile index e2f61559..b31f0361 100644 --- a/Containers/fulltextsearch/Dockerfile +++ b/Containers/fulltextsearch/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:latest # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile -FROM elasticsearch:8.19.11 +FROM elasticsearch:8.19.13 USER root diff --git a/Containers/imaginary/Dockerfile b/Containers/imaginary/Dockerfile index e22c9e54..8ba9f244 100644 --- a/Containers/imaginary/Dockerfile +++ b/Containers/imaginary/Dockerfile @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:latest -FROM golang:1.26.0-alpine3.23 AS go +FROM golang:1.26.1-alpine3.23 AS go ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee diff --git a/Containers/mastercontainer/Caddyfile b/Containers/mastercontainer/Caddyfile deleted file mode 100644 index da0e222d..00000000 --- a/Containers/mastercontainer/Caddyfile +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - # auto_https will create redirects for https://{host}:8443 instead of https://{host} - # https redirects are added manually in the http://:80 block - auto_https disable_redirects - - storage file_system { - root /mnt/docker-aio-config/caddy/ - } - - log { - level ERROR - } - - servers { - protocols h1 h2 h2c - } - - on_demand_tls { - ask http://127.0.0.1:9876/ - } -} - -http://:80 { - redir https://{host}{uri} permanent -} - -https://:8443 { - - reverse_proxy 127.0.0.1:8000 - - tls { - on_demand - issuer acme { - disable_tlsalpn_challenge - } - } -} diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile index a94ee60a..0b4dd878 100644 --- a/Containers/mastercontainer/Dockerfile +++ b/Containers/mastercontainer/Dockerfile @@ -1,12 +1,17 @@ # syntax=docker/dockerfile:latest # Docker CLI is a requirement -FROM docker:29.2.1-cli AS docker +FROM docker:29.3.0-cli AS docker + +ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276 # Caddy is a requirement -FROM caddy:2.11.1-alpine AS caddy +FROM caddy:2.11.2-builder-alpine AS caddy +RUN set -ex; \ + xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \ + /usr/bin/caddy list-modules # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile -FROM php:8.5.3-fpm-alpine3.23 +FROM php:8.5.4-fpm-alpine3.23 EXPOSE 80 EXPOSE 8080 @@ -21,9 +26,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker COPY community-containers /var/www/docker-aio/community-containers COPY php /var/www/docker-aio/php COPY --chmod=775 Containers/mastercontainer/*.sh / -COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile +COPY --chmod=664 Containers/mastercontainer/*.Caddyfile / COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf -COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf WORKDIR /var/www/docker-aio 
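Review bot: `ARG CADDY_REMOTE_HOST_HASH=…` is declared after `FROM docker:29.3.0-cli AS docker`, which scopes it to the `docker` stage; in the `caddy` stage that follows it is not defined, so `"$CADDY_REMOTE_HOST_HASH"` in the `xcaddy build --with …@` line expands to an empty string. Depending on how xcaddy treats an empty version this either fails the build or, presumably, resolves the plugin's latest revision, which defeats the commit pin. Move the declaration below `FROM caddy:2.11.2-builder-alpine AS caddy` (the `sed` in dependency-updates.yml matches `^ARG CADDY_REMOTE_HOST_HASH` wherever the line sits). Also make the module check fail the build when the matcher is missing: `/usr/bin/caddy list-modules | grep -q http.matchers.remote_host`.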
@@ -37,13 +41,8 @@ RUN set -ex; \ apk add --no-cache \ util-linux-misc \ ca-certificates \ - wget \ bash \ - apache2 \ - apache2-proxy \ - apache2-ssl \ supervisor \ - openssl \ sudo \ netcat-openbsd \ curl \ @@ -67,11 +66,12 @@ RUN set -ex; \ sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \ - grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ - sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ + grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \ + sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \ + echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \ \ apk add --no-cache git; \ - wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \ + curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \ chmod +x /usr/local/bin/composer; \ cd /var/www/docker-aio; \ rm -r ./php/tests; \ 
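Review bot: The Composer installer in the `@@ -67,11 +66,12 @@` hunk is piped from `curl` straight into `php` with no `-f` and no integrity check, so an HTTP error body or a tampered download is handed to the interpreter during the build, and the pipeline's exit status is that of `php`, not `curl`. Download to a file with `curl -fsSL`, compare its SHA-384 with the value Composer publishes (or with a hash pinned in this Dockerfile), and only then run it. The surrounding `RUN set -ex; \` starts and ends outside the hunk.

```dockerfile
    # … unchanged: php-fpm listen/socket configuration …
    apk add --no-cache git; \
    curl -fsSL https://getcomposer.org/installer -o /tmp/composer-setup.php; \
    expected="$(curl -fsSL https://composer.github.io/installer.sig)"; \
    actual="$(php -r "echo hash_file('sha384', '/tmp/composer-setup.php');")"; \
    [ "$expected" = "$actual" ]; \
    php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer; \
    rm /tmp/composer-setup.php; \
    # … unchanged: chmod +x /usr/local/bin/composer and the composer install steps …
```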
@@ -86,42 +86,6 @@ RUN set -ex; \ rm -r php/data; \ rm -r php/session; \ \ - mkdir -p /etc/apache2/certs; \ - cd /etc/apache2/certs; \ - openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \ - \ - sed -i \ - -e '/^Listen /d' \ - -e 's/^LogLevel .*/LogLevel error/' \ - -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \ - -e 's/User apache/User www-data/g' \ - -e 's/Group apache/Group www-data/g' \ - -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \ - -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \ - -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \ - -e 's/\(ScriptAlias \)/#\1/' \ - /etc/apache2/httpd.conf; \ - mkdir -p /etc/apache2/logs; \ - rm /etc/apache2/conf.d/ssl.conf; \ - echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \ - grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \ - sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \ - echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \ - echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \ - echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \ - echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \ - \ - rm -f /etc/apache2/conf.d/default.conf \ - /etc/apache2/conf.d/userdir.conf \ - /etc/apache2/conf.d/info.conf; \ - \ - rm -rf /var/www/localhost/cgi-bin/; \ mkdir /var/log/supervisord; \ mkdir /var/run/supervisord; 
diff --git a/Containers/mastercontainer/README.md b/Containers/mastercontainer/README.md index de6b535d..7206a5f3 100644 --- a/Containers/mastercontainer/README.md +++ b/Containers/mastercontainer/README.md @@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment of all other containers in the Nextcloud All-in-One stack. It hosts: - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server) -- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp -- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp. +- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp. +- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp. - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443 is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will diff --git a/Containers/mastercontainer/acme.Caddyfile b/Containers/mastercontainer/acme.Caddyfile new file mode 100644 index 00000000..d217481d --- /dev/null +++ b/Containers/mastercontainer/acme.Caddyfile 
@@ -0,0 +1,52 @@ +{ + admin off + + # auto_https will create redirects for https://{host}:8443 instead of https://{host} + # https redirects are added manually in the http://:80 block + auto_https disable_redirects + + storage file_system { + root /mnt/docker-aio-config/caddy/ + } + + log { + level ERROR + # We need to exclude the remote-host plugin from logging as it would spam the logs + # See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 + exclude http.matchers.remote_host + } + + servers { + # Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening + protocols h1 + } + + on_demand_tls { + ask http://127.0.0.1:9876/ + } + + skip_install_trust +} + +http://:80 { + redir https://{host}{uri} permanent +} + +https://:8443 { + @denied { + path /api/auth/login /api/auth/getlogin + remote_host nextcloud-aio-nextcloud + } + abort @denied + + root * /var/www/docker-aio/php/public + php_fastcgi unix//run/php.sock + file_server + + tls { + on_demand + issuer acme { + disable_tlsalpn_challenge + } + } +} diff --git a/Containers/mastercontainer/healthcheck.sh b/Containers/mastercontainer/healthcheck.sh index 72187591..3f773553 100644 --- a/Containers/mastercontainer/healthcheck.sh +++ b/Containers/mastercontainer/healthcheck.sh @@ -2,9 +2,8 @@ if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then nc -z 127.0.0.1 80 || exit 1 - nc -z 127.0.0.1 8000 || exit 1 nc -z 127.0.0.1 8080 || exit 1 nc -z 127.0.0.1 8443 || exit 1 - nc -z 127.0.0.1 9000 || exit 1 + test -S /run/php.sock || exit 1 nc -z 127.0.0.1 9876 || exit 1 fi diff --git a/Containers/mastercontainer/internal.Caddyfile b/Containers/mastercontainer/internal.Caddyfile new file mode 100644 index 00000000..934458b5 --- /dev/null +++ b/Containers/mastercontainer/internal.Caddyfile 
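Review bot: The `@denied` matcher in `https://:8443` (and the identical one in internal.Caddyfile) aborts only the two exact paths `/api/auth/login` and `/api/auth/getlogin` for `nextcloud-aio-nextcloud`, whereas the Apache block removed from start.sh, judging by its comment, denied that host the whole AIO interface. If the narrowing is intended, a comment above `@denied` should say why only these two routes matter; otherwise drop the `path` line so every request from that host is aborted. `remote_host` presumably depends on resolving the container name at request time, so a failed lookup would leave the request unmatched and allowed. The same comment should state that this rule is defence in depth and not the authentication boundary.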
@@ -0,0 +1,38 @@ +{ + admin off + + storage file_system { + root /mnt/docker-aio-config/caddy/ + } + + log { + level ERROR + # We need to exclude the remote-host plugin from logging as it would spam the logs + # See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 + exclude http.matchers.remote_host + } + + servers { + # Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening + protocols h1 + } + + skip_install_trust +} + +https://:8080 { + @denied { + path /api/auth/login /api/auth/getlogin + remote_host nextcloud-aio-nextcloud + } + abort @denied + + root * /var/www/docker-aio/php/public + php_fastcgi unix//run/php.sock + file_server + + tls { + on_demand + issuer internal + } +} diff --git a/Containers/mastercontainer/mastercontainer.conf b/Containers/mastercontainer/mastercontainer.conf deleted file mode 100644 index d85fe1f3..00000000 --- a/Containers/mastercontainer/mastercontainer.conf +++ /dev/null 
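Review bot: `tls { on_demand … issuer internal }` in `https://:8080` has no `on_demand_tls` permission check in the global options, unlike acme.Caddyfile with its `ask http://127.0.0.1:9876/`. Every new server name a client presents therefore leads to another certificate being issued and, presumably, written under `/mnt/docker-aio-config/caddy/`. On a port that is published to the network, that is unbounded disk and CPU work on behalf of unauthenticated clients. Consider adding an `on_demand_tls` block with a permission endpoint suited to this listener, or add a comment explaining why unrestricted issuance is acceptable for the self-signed interface.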
@@ -1,67 +0,0 @@ -Listen 127.0.0.1:8000 -Listen 8080 https - -# Deny access to .ht files - - Require all denied - - -# Http host - - ServerName 127.0.0.1 - - # Add error log - CustomLog /proc/self/fd/1 proxy - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy - ErrorLog /proc/self/fd/2 - ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]" - LogLevel warn - - # PHP match - - SetHandler "proxy:fcgi://127.0.0.1:9000" - - - # Disable output buffering to enable streaming responses. - - - - # Master dir - DocumentRoot /var/www/docker-aio/php/public/ - - RewriteEngine On - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^ index.php [QSA,L] - Options Indexes FollowSymLinks - Require all granted - AllowOverride All - Options FollowSymLinks MultiViews - Satisfy Any - - Dav off - - - - -# Https host - - # Proxy to https - ProxyPass / http://127.0.0.1:8000/ - ProxyPassReverse / http://127.0.0.1:8000/ - ProxyPreserveHost On - # SSL - SSLCertificateKeyFile /etc/apache2/certs/ssl.key - SSLCertificateFile /etc/apache2/certs/ssl.crt - SSLEngine on - SSLProtocol -all +TLSv1.2 +TLSv1.3 - SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 - SSLHonorCipherOrder off - SSLSessionTickets off - - -# Increase timeout in case e.g. the initial download takes a long time -Timeout 7200 -ProxyTimeout 7200 - -# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable -TraceEnable Off diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh index ccb4d26b..d2420f24 100644 --- a/Containers/mastercontainer/start.sh +++ b/Containers/mastercontainer/start.sh 
@@ -364,7 +364,6 @@ fi mkdir -p /mnt/docker-aio-config/data/ mkdir -p /mnt/docker-aio-config/session/ mkdir -p /mnt/docker-aio-config/caddy/ -mkdir -p /mnt/docker-aio-config/certs/ # Adjust permissions for all instances chmod 770 -R /mnt/docker-aio-config @@ -372,37 +371,6 @@ chmod 777 /mnt/docker-aio-config chown www-data:www-data -R /mnt/docker-aio-config/data/ chown www-data:www-data -R /mnt/docker-aio-config/session/ chown www-data:www-data -R /mnt/docker-aio-config/caddy/ -chown root:root -R /mnt/docker-aio-config/certs/ - -# Don't allow access to the AIO interface from the Nextcloud container -# Probably more cosmetic than anything but at least an attempt -if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then - cat << APACHE_CONF >> /etc/apache2/httpd.conf -# nextcloud-aio-block-start - -order allow,deny -deny from nextcloud-aio-nextcloud.nextcloud-aio -allow from all - -# nextcloud-aio-block-end -APACHE_CONF -fi - -# Adjust certs -GENERATED_CERTS="/mnt/docker-aio-config/certs" -TMP_CERTS="/etc/apache2/certs" -mkdir -p "$GENERATED_CERTS" -cd "$GENERATED_CERTS" || exit 1 -if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then - openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt -fi -if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then - cd "$TMP_CERTS" || exit 1 - rm ./ssl.crt - rm ./ssl.key - cp "$GENERATED_CERTS/ssl.crt" ./ - cp "$GENERATED_CERTS/ssl.key" ./ -fi print_green "Initial startup of Nextcloud All-in-One complete! You should be able to open the Nextcloud AIO Interface now on port 8080 of this server! 
@@ -415,8 +383,11 @@ https://your-domain-that-points-to-this-server.tld:8443" # Set the timezone to Etc/UTC export TZ=Etc/UTC -# Fix apache startup -rm -f /var/run/apache2/httpd.pid +# Remove unused certs +rm -vrf /mnt/docker-aio-config/certs + +# Remove the php socket as safeguard +rm -vf /run/php.sock # Fix caddy startup if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then @@ -424,7 +395,8 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then fi # Fix the Caddyfile format -caddy fmt --overwrite /Caddyfile +caddy fmt --overwrite /acme.Caddyfile +caddy fmt --overwrite /internal.Caddyfile # Fix caddy log chmod 777 /root diff --git a/Containers/mastercontainer/supervisord.conf b/Containers/mastercontainer/supervisord.conf index fa5d0845..9fbb9516 100644 --- a/Containers/mastercontainer/supervisord.conf +++ b/Containers/mastercontainer/supervisord.conf @@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0 command=php-fpm user=root -[program:apache] -# Stdout logging is disabled as otherwise the logs are spammed -stdout_logfile=NONE -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 -command=httpd -DFOREGROUND -user=root - -[program:caddy] +[program:caddy-internal] stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 -command=/usr/bin/caddy run --config /Caddyfile +command=/usr/bin/caddy run --config /internal.Caddyfile +user=www-data + +[program:caddy-acme] +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +command=/usr/bin/caddy run --config /acme.Caddyfile user=www-data [program:cron] diff --git a/Containers/nextcloud/config/redis.config.php b/Containers/nextcloud/config/redis.config.php index 637e1b5f..12b5a64b 100644 --- a/Containers/nextcloud/config/redis.config.php +++ b/Containers/nextcloud/config/redis.config.php 
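Review bot: `caddy-internal` and `caddy-acme` both run as `www-data`, the account that start.sh makes owner of `/mnt/docker-aio-config/caddy/`, which is the storage root in both Caddyfiles. If the php-fpm pool workers also run as `www-data` (the pool user is not visible here, though `listen.owner = www-data` suggests it), the AIO PHP code can read the TLS private keys and the ACME account key kept there. A separate account for the two Caddy programs, given access to `/run/php.sock` through `listen.group`, would keep key material away from the application user.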
@@ -24,6 +24,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') { if (getenv('REDIS_USER_AUTH')) { $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH')); } + + if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) { + $CONFIG['redis']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt'; + } } else { $CONFIG = array( 'memcache.distributed' => '\OC\Memcache\Redis', @@ -53,4 +57,8 @@ if (getenv('REDIS_MODE') !== 'rediscluster') { if (getenv('REDIS_USER_AUTH')) { $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH')); } + + if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) { + $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt'; + } } diff --git a/Containers/nextcloud/upgrade.exclude b/Containers/nextcloud/upgrade.exclude index 354864da..5e4b1d73 100644 --- a/Containers/nextcloud/upgrade.exclude +++ b/Containers/nextcloud/upgrade.exclude @@ -3,3 +3,4 @@ /custom_apps/ /themes/ /version.php +/lost+found diff --git a/Containers/onlyoffice/Dockerfile b/Containers/onlyoffice/Dockerfile index 22554c68..21c9e5ed 100644 --- a/Containers/onlyoffice/Dockerfile +++ b/Containers/onlyoffice/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:latest # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile -FROM onlyoffice/documentserver:9.3.0.1 +FROM onlyoffice/documentserver:9.3.1.2 # USER root is probably used diff --git a/Containers/postgresql/Dockerfile b/Containers/postgresql/Dockerfile index 96426ac1..980ed423 100644 --- a/Containers/postgresql/Dockerfile +++ b/Containers/postgresql/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:latest # From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile -FROM postgres:17.8-alpine +FROM postgres:17.9-alpine COPY --chmod=775 start.sh /start.sh COPY --chmod=775 healthcheck.sh /healthcheck.sh 
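Review bot: Both new `NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS` branches lack a comment and test the variable for truthiness only, so any non-empty value except `0` (including the string `false`) sets `cafile`. Nothing indicates which component writes `/var/www/html/data/certificates/ca-bundle.crt`, so a missing bundle would surface only as a Redis TLS failure at runtime. A comment above each block, for example `// Any non-empty value other than "0" enables this; the bundle must already exist at this path`, would make the contract explicit. The enclosing `if`/`else` on `REDIS_MODE` starts outside both hunks.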
diff --git a/Containers/talk-recording/Dockerfile b/Containers/talk-recording/Dockerfile index 34f41dff..796ba26f 100644 --- a/Containers/talk-recording/Dockerfile +++ b/Containers/talk-recording/Dockerfile @@ -20,6 +20,9 @@ RUN set -ex; \ xvfb \ ffmpeg \ firefox \ + font-noto-all \ + font-noto-cjk \ + font-noto-cjk-extra \ bind-tools \ netcat-openbsd \ git \ diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile index 6a3b227e..7c9454c5 100644 --- a/Containers/talk/Dockerfile +++ b/Containers/talk/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:latest -FROM nats:2.12.4-scratch AS nats +FROM nats:2.12.5-scratch AS nats FROM eturnal/eturnal:1.12.2-alpine AS eturnal -FROM strukturag/nextcloud-spreed-signaling:2.1.0 AS signaling +FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling FROM alpine:3.23.3 AS janus ARG JANUS_VERSION=v1.4.0 @@ -70,7 +70,8 @@ RUN set -ex; \ libwebsockets \ \ shadow \ - grep; \ + grep \ + util-linux-misc; \ useradd --system -u 1000 eturnal; \ apk del --no-cache \ shadow; \ diff --git a/Containers/talk/start.sh b/Containers/talk/start.sh index f89949f3..57344ee0 100644 --- a/Containers/talk/start.sh +++ b/Containers/talk/start.sh @@ -18,6 +18,22 @@ elif [ -z "$INTERNAL_SECRET" ]; then exit 1 fi +# Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR +# The container is read-only, so we build a custom bundle in /tmp (tmpfs) and +# point Go's TLS stack to it via SSL_CERT_FILE. +if mountpoint -q /usr/local/share/ca-certificates; then + echo "Trusting additional CA certificates..." + set -x + cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt + for cert in /usr/local/share/ca-certificates/*; do + if [ -f "$cert" ]; then + cat "$cert" >> /tmp/ca-certificates.crt + fi + done + export SSL_CERT_FILE=/tmp/ca-certificates.crt + set +x +fi + set -x IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)" # shellcheck disable=SC2153 
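Review bot: The loop in the new CA block of talk/start.sh appends each file with `cat "$cert" >> /tmp/ca-certificates.crt` and adds no separator, so a certificate file that lacks a trailing newline leaves the next `-----BEGIN CERTIFICATE-----` glued to the previous END line and, presumably, unparseable for the consumer of `SSL_CERT_FILE`. Use `{ cat "$cert"; echo; } >> /tmp/ca-certificates.crt` instead. The block also trusts every regular file in the mount regardless of content and does not check the initial copy. `cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt || exit 1` would avoid exporting a bundle that is missing the system roots.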
diff --git a/Containers/watchtower/Dockerfile b/Containers/watchtower/Dockerfile index 7132ffd6..fea7e60e 100644 --- a/Containers/watchtower/Dockerfile +++ b/Containers/watchtower/Dockerfile @@ -1,13 +1,13 @@ # syntax=docker/dockerfile:latest -FROM golang:1.26.0-alpine3.23 AS go +FROM golang:1.26.1-alpine3.23 AS go -ENV WATCHTOWER_COMMIT_HASH=943098a670cb78a620af6499fb94b3ee2c940cf0 +ENV WATCHTOWER_COMMIT_HASH=5a33e3c0aa3b2770c648a114b4a9d32e0a5b55ba RUN set -ex; \ apk upgrade --no-cache -a; \ apk add --no-cache \ build-base; \ - go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.2 + go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.4 FROM alpine:3.23.3 diff --git a/Containers/whiteboard/Dockerfile b/Containers/whiteboard/Dockerfile index 874df27d..a9fd9434 100644 --- a/Containers/whiteboard/Dockerfile +++ b/Containers/whiteboard/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:latest # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile -FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.6 +FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7 USER root RUN set -ex; \ diff --git a/community-containers/glances/glances.json b/community-containers/glances/glances.json new file mode 100644 index 00000000..13bb13d1 --- /dev/null +++ b/community-containers/glances/glances.json 
@@ -0,0 +1,38 @@ +{ + "aio_services_v1": [ + { + "container_name": "nextcloud-aio-glances", + "display_name": "Glances", + "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/glances", + "image": "nicolargo/glances", + "image_tag": "latest-full", + "internal_port": "61208", + "restart": "unless-stopped", + "ports": [ + { + "ip_binding": "", + "port_number": "61208", + "protocol": "tcp" + } + ], + "volumes": [ + { + "source": "nextcloud_aio_glances", + "destination": "/etc/glances", + "writeable": true + }, + { + "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%", + "destination": "/var/run/docker.sock", + "writeable": false + } + ], + "environment": [ + "GLANCES_OPT=-w" + ], + "backup_volumes": [ + "nextcloud_aio_glances" + ] + } + ] +} \ No newline at end of file diff --git a/community-containers/glances/readme.md b/community-containers/glances/readme.md new file mode 100644 index 00000000..a9860778 --- /dev/null +++ b/community-containers/glances/readme.md 
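Review bot: This definition publishes the Glances web UI on every host interface (`"ip_binding": ""`, port 61208, `GLANCES_OPT=-w` with no password option) while also mounting the Docker socket. `"writeable": false` only makes the socket file's mount read-only; it does not limit what can be requested over the Docker API. Anyone who can reach the port gets an unauthenticated view of the host, and a flaw in the service would expose control of Docker. Consider dropping the `ports` entry so the service is reachable only through a reverse proxy that adds authentication, and pinning `image_tag` to a release instead of `latest-full`. The file also ends without a trailing newline.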
@@ -0,0 +1,18 @@ +## Glances +This container starts Glances, a web-based info-board, and auto-configures it for you. + +> [!CAUTION] +> This container mounts the docker-socket from the host-system. + +### Notes +- After adding and starting the container, you can directly visit http://ip.address.of.server:61208/ and access your new Glances instance! +- It is recommended to start this container only in home networks, because there is no built-in authentication. But you can do a http-auth with your proxy. +- In order to access your Glances outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md). +- The data of Glances will be automatically included in AIO's backup solution! +- See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack. + +### Repository +https://github.com/nicolargo/glances + +### Maintainer +https://github.com/pi-farm diff --git a/community-containers/languagetool/readme.md b/community-containers/languagetool/readme.md index 4c2ca98c..c7a725e9 100644 --- a/community-containers/languagetool/readme.md +++ b/community-containers/languagetool/readme.md 
@@ -1,9 +1,9 @@ -## LanguageTool for Collabora -This container bundles a LanguageTool for Collabora which adds spell checking functionality to Collabora. +## LanguageTool for Nextcloud Office +This container bundles a LanguageTool for Nextcloud Office which adds spell checking functionality to Nextcloud Office. ### Notes -- Make sure to have collabora enabled via the AIO interface -- After adding this container via the AIO Interface, while all containers are still stopped, you need to scroll down to the `Additional Collabora options` section and enter `--o:languagetool.enabled=true --o:languagetool.base_url=http://nextcloud-aio-languagetool:8010/v2`. +- Make sure to have Nextcloud Office enabled via the AIO interface +- After adding this container via the AIO Interface, while all containers are still stopped, you need to scroll down to the `Additional Nextcloud Office options` section and enter `--o:languagetool.enabled=true --o:languagetool.base_url=http://nextcloud-aio-languagetool:8010/v2`. - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack ### Repository diff --git a/compose.yaml b/compose.yaml index c18d92d3..e3286ea3 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -11,9 +11,9 @@ services: network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network # networks: ["nextcloud-aio"] ports: - - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md - - 8080:8080 # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports - - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md + - "80:80" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md + - "8080:8080" # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports + - "8443:8443" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled # environment: # Is needed when using any of the options below # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section diff --git a/manual-install/latest.yml b/manual-install/latest.yml index e9362ccc..0c9f29a2 100644 
--- a/manual-install/latest.yml +++ b/manual-install/latest.yml @@ -45,6 +45,7 @@ services: - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME} - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push - WHITEBOARD_HOST=nextcloud-aio-whiteboard + - HARP_HOST=nextcloud-aio-harp volumes: - nextcloud_aio_nextcloud:/var/www/html:ro - nextcloud_aio_apache:/mnt/data:rw @@ -202,19 +203,10 @@ services: expose: - "7867" volumes: - - nextcloud_aio_nextcloud:/nextcloud:ro + - nextcloud_aio_nextcloud:/var/www/html:ro environment: - - NC_DOMAIN - NEXTCLOUD_HOST=nextcloud-aio-nextcloud - TZ=${TIMEZONE} - - REDIS_HOST=nextcloud-aio-redis - - REDIS_PORT=6379 - - REDIS_HOST_PASSWORD=${REDIS_PASSWORD} - - POSTGRES_HOST=nextcloud-aio-database - - POSTGRES_PORT=5432 - - POSTGRES_PASSWORD=${DATABASE_PASSWORD} - - POSTGRES_DB=nextcloud_database - - POSTGRES_USER=nextcloud restart: unless-stopped read_only: true cap_drop: diff --git a/multiple-instances.md b/multiple-instances.md index 00386e1b..a0822739 100644 --- a/multiple-instances.md +++ b/multiple-instances.md @@ -180,6 +180,7 @@ apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvi # Virtual machine #1 - "example1-com" https://[DOMAIN_NAME_1]:8443 { reverse_proxy https://[IP_ADDRESS_1]:8080 { + header_up Host {host} transport http { tls_insecure_skip_verify } @@ -192,6 +193,7 @@ apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvi # Virtual machine #2 - "example2-com" https://[DOMAIN_NAME_2]:8443 { reverse_proxy https://[IP_ADDRESS_2]:8080 { + header_up Host {host} transport http { tls_insecure_skip_verify } diff --git a/nextcloud-aio-helm-chart/Chart.yaml b/nextcloud-aio-helm-chart/Chart.yaml index 04dfcd65..ea90ecf6 100755 --- a/nextcloud-aio-helm-chart/Chart.yaml +++ b/nextcloud-aio-helm-chart/Chart.yaml @@ -1,6 +1,6 @@ name: nextcloud-aio-helm-chart description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose -version: 12.7.0 +version: 12.8.0 apiVersion: v2 keywords: - latest 
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml index 692be202..1d3d43f3 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml @@ -63,7 +63,7 @@ spec: value: "{{ .Values.TIMEZONE }}" - name: WHITEBOARD_HOST value: nextcloud-aio-whiteboard - image: ghcr.io/nextcloud-releases/aio-apache:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-apache:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml index 9707f5ec..6fec4b18 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml @@ -36,7 +36,7 @@ spec: {{- end }} initContainers: - name: init-subpath - image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319 command: - mkdir - "-p" @@ -59,7 +59,7 @@ spec: value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-clamav:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-clamav:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml index ce9a93fb..18529634 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml 
@@ -36,9 +36,9 @@ spec: - name: server_name value: "{{ .Values.NC_DOMAIN }}" {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }} - image: ghcr.io/nextcloud-releases/aio-collabora-online:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-collabora-online:20260306_081319 {{- else }} - image: ghcr.io/nextcloud-releases/aio-collabora:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-collabora:20260306_081319 {{- end }} readinessProbe: exec: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml index 0e38091d..a98758e9 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml @@ -35,7 +35,7 @@ spec: {{- end }} initContainers: - name: init-subpath - image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319 command: - mkdir - "-p" @@ -64,7 +64,7 @@ spec: value: nextcloud - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-postgresql:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-postgresql:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml index 1a2ef23f..ec8e00fa 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml @@ -24,7 +24,7 @@ spec: spec: initContainers: - name: init-volumes - image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319 command: - chmod - "777" 
@@ -54,7 +54,7 @@ spec: value: basic - name: xpack.security.enabled value: "false" - image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml index cb8cbcd3..bb1368ae 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml @@ -38,7 +38,7 @@ spec: value: "{{ .Values.IMAGINARY_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-imaginary:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-imaginary:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml index e6a54c4e..f3cb647b 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml @@ -38,7 +38,7 @@ spec: # AIO settings start # Do not remove or change this line! initContainers: - name: init-volumes - image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319 command: - chmod - "777" @@ -190,7 +190,7 @@ spec: value: "{{ .Values.WHITEBOARD_ENABLED }}" - name: WHITEBOARD_SECRET value: "{{ .Values.WHITEBOARD_SECRET }}" - image: ghcr.io/nextcloud-releases/aio-nextcloud:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-nextcloud:20260306_081319 {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment! securityContext: # The items below only work in container context 
diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml index eec33deb..ff901710 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml @@ -39,7 +39,7 @@ spec: value: nextcloud-aio-nextcloud - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-notify-push:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-notify-push:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml index 1bd82fc2..a5d1e719 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml @@ -24,7 +24,7 @@ spec: spec: initContainers: - name: init-volumes - image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319 command: - chmod - "777" @@ -42,7 +42,7 @@ spec: value: "{{ .Values.ONLYOFFICE_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml index 28e58483..1733f31c 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml 
@@ -39,7 +39,7 @@ spec: value: "{{ .Values.REDIS_PASSWORD }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-redis:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-redis:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml index b8a7ff44..f5dc967c 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml @@ -52,7 +52,7 @@ spec: value: "{{ .Values.TURN_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-talk:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-talk:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml index cc22fb12..2fee7719 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml @@ -44,7 +44,7 @@ spec: value: "{{ .Values.RECORDING_SECRET }}" - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-talk-recording:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-talk-recording:20260306_081319 readinessProbe: exec: command: diff --git a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml index a4ad4d2f..55646dd4 100755 --- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml +++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml 
@@ -50,7 +50,7 @@ spec: value: redis - name: TZ value: "{{ .Values.TIMEZONE }}" - image: ghcr.io/nextcloud-releases/aio-whiteboard:20260218_123804 + image: ghcr.io/nextcloud-releases/aio-whiteboard:20260306_081319 readinessProbe: exec: command: diff --git a/php/composer.lock b/php/composer.lock index 9965bd5d..978e89a8 100644 --- a/php/composer.lock +++ b/php/composer.lock @@ -273,16 +273,16 @@ }, { "name": "guzzlehttp/psr7", - "version": "2.8.0", + "version": "2.9.0", "source": { "type": "git", "url": "https://github.com/guzzle/psr7.git", - "reference": "21dc724a0583619cd1652f673303492272778051" + "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051", - "reference": "21dc724a0583619cd1652f673303492272778051", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/7d0ed42f28e42d61352a7a79de682e5e67fec884", + "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884", "shasum": "" }, "require": { @@ -298,6 +298,7 @@ "require-dev": { "bamarni/composer-bin-plugin": "^1.8.2", "http-interop/http-factory-tests": "0.9.0", + "jshttp/mime-db": "1.54.0.1", "phpunit/phpunit": "^8.5.44 || ^9.6.25" }, "suggest": { @@ -369,7 +370,7 @@ ], "support": { "issues": "https://github.com/guzzle/psr7/issues", - "source": "https://github.com/guzzle/psr7/tree/2.8.0" + "source": "https://github.com/guzzle/psr7/tree/2.9.0" }, "funding": [ { @@ -385,7 +386,7 @@ "type": "tidelift" } ], - "time": "2025-08-23T21:21:41+00:00" + "time": "2026-03-10T16:41:02+00:00" }, { "name": "http-interop/http-factory-guzzle", 
@@ -1779,16 +1780,16 @@ }, { "name": "twig/twig", - "version": "v3.23.0", + "version": "v3.24.0", "source": { "type": "git", "url": "https://github.com/twigphp/Twig.git", - "reference": "a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9" + "reference": "a6769aefb305efef849dc25c9fd1653358c148f0" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/twigphp/Twig/zipball/a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9", - "reference": "a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9", + "url": "https://api.github.com/repos/twigphp/Twig/zipball/a6769aefb305efef849dc25c9fd1653358c148f0", + "reference": "a6769aefb305efef849dc25c9fd1653358c148f0", "shasum": "" }, "require": { @@ -1798,7 +1799,8 @@ "symfony/polyfill-mbstring": "^1.3" }, "require-dev": { - "phpstan/phpstan": "^2.0", + "php-cs-fixer/shim": "^3.0@stable", + "phpstan/phpstan": "^2.0@stable", "psr/container": "^1.0|^2.0", "symfony/phpunit-bridge": "^5.4.9|^6.4|^7.0" }, @@ -1842,7 +1844,7 @@ ], "support": { "issues": "https://github.com/twigphp/Twig/issues", - "source": "https://github.com/twigphp/Twig/tree/v3.23.0" + "source": "https://github.com/twigphp/Twig/tree/v3.24.0" }, "funding": [ { @@ -1854,7 +1856,7 @@ "type": "tidelift" } ], - "time": "2026-01-23T21:00:41+00:00" + "time": "2026-03-17T21:31:11+00:00" } ], "packages-dev": [ 
@@ -3246,20 +3248,20 @@ }, { "name": "league/uri", - "version": "7.8.0", + "version": "7.8.1", "source": { "type": "git", "url": "https://github.com/thephpleague/uri.git", - "reference": "4436c6ec8d458e4244448b069cc572d088230b76" + "reference": "08cf38e3924d4f56238125547b5720496fac8fd4" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/thephpleague/uri/zipball/4436c6ec8d458e4244448b069cc572d088230b76", - "reference": "4436c6ec8d458e4244448b069cc572d088230b76", + "url": "https://api.github.com/repos/thephpleague/uri/zipball/08cf38e3924d4f56238125547b5720496fac8fd4", + "reference": "08cf38e3924d4f56238125547b5720496fac8fd4", "shasum": "" }, "require": { - "league/uri-interfaces": "^7.8", + "league/uri-interfaces": "^7.8.1", "php": "^8.1", "psr/http-factory": "^1" }, @@ -3332,7 +3334,7 @@ "docs": "https://uri.thephpleague.com", "forum": "https://thephpleague.slack.com", "issues": "https://github.com/thephpleague/uri-src/issues", - "source": "https://github.com/thephpleague/uri/tree/7.8.0" + "source": "https://github.com/thephpleague/uri/tree/7.8.1" }, "funding": [ { @@ -3340,20 +3342,20 @@ "type": "github" } ], - "time": "2026-01-14T17:24:56+00:00" + "time": "2026-03-15T20:22:25+00:00" }, { "name": "league/uri-interfaces", - "version": "7.8.0", + "version": "7.8.1", "source": { "type": "git", "url": "https://github.com/thephpleague/uri-interfaces.git", - "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4" + "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/c5c5cd056110fc8afaba29fa6b72a43ced42acd4", - "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4", + "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/85d5c77c5d6d3af6c54db4a78246364908f3c928", + "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928", "shasum": "" }, "require": { 
@@ -3416,7 +3418,7 @@ "docs": "https://uri.thephpleague.com", "forum": "https://thephpleague.slack.com", "issues": "https://github.com/thephpleague/uri-src/issues", - "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.0" + "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.1" }, "funding": [ { @@ -3424,7 +3426,7 @@ "type": "github" } ], - "time": "2026-01-15T06:54:53+00:00" + "time": "2026-03-08T20:05:35+00:00" }, { "name": "netresearch/jsonmapper", @@ -3590,16 +3592,16 @@ }, { "name": "phpdocumentor/reflection-docblock", - "version": "6.0.1", + "version": "6.0.3", "source": { "type": "git", "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git", - "reference": "2f5cbed597cb261d1ea458f3da3a9ad32e670b1e" + "reference": "7bae67520aa9f5ecc506d646810bd40d9da54582" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/2f5cbed597cb261d1ea458f3da3a9ad32e670b1e", - "reference": "2f5cbed597cb261d1ea458f3da3a9ad32e670b1e", + "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/7bae67520aa9f5ecc506d646810bd40d9da54582", + "reference": "7bae67520aa9f5ecc506d646810bd40d9da54582", "shasum": "" }, "require": { @@ -3649,9 +3651,9 @@ "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.", "support": { "issues": "https://github.com/phpDocumentor/ReflectionDocBlock/issues", - "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/6.0.1" + "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/6.0.3" }, - "time": "2026-01-20T15:30:42+00:00" + "time": "2026-03-18T20:49:53+00:00" }, { "name": "phpdocumentor/type-resolver", 
@@ -4037,16 +4039,16 @@ }, { "name": "symfony/console", - "version": "v6.4.32", + "version": "v6.4.35", "source": { "type": "git", "url": "https://github.com/symfony/console.git", - "reference": "0bc2199c6c1f05276b05956f1ddc63f6d7eb5fc3" + "reference": "49257c96304c508223815ee965c251e7c79e614e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/console/zipball/0bc2199c6c1f05276b05956f1ddc63f6d7eb5fc3", - "reference": "0bc2199c6c1f05276b05956f1ddc63f6d7eb5fc3", + "url": "https://api.github.com/repos/symfony/console/zipball/49257c96304c508223815ee965c251e7c79e614e", + "reference": "49257c96304c508223815ee965c251e7c79e614e", "shasum": "" }, "require": { @@ -4111,7 +4113,7 @@ "terminal" ], "support": { - "source": "https://github.com/symfony/console/tree/v6.4.32" + "source": "https://github.com/symfony/console/tree/v6.4.35" }, "funding": [ { @@ -4131,20 +4133,20 @@ "type": "tidelift" } ], - "time": "2026-01-13T08:45:59+00:00" + "time": "2026-03-06T13:31:08+00:00" }, { "name": "symfony/filesystem", - "version": "v8.0.1", + "version": "v8.0.6", "source": { "type": "git", "url": "https://github.com/symfony/filesystem.git", - "reference": "d937d400b980523dc9ee946bb69972b5e619058d" + "reference": "7bf9162d7a0dff98d079b72948508fa48018a770" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/filesystem/zipball/d937d400b980523dc9ee946bb69972b5e619058d", - "reference": "d937d400b980523dc9ee946bb69972b5e619058d", + "url": "https://api.github.com/repos/symfony/filesystem/zipball/7bf9162d7a0dff98d079b72948508fa48018a770", + "reference": "7bf9162d7a0dff98d079b72948508fa48018a770", "shasum": "" }, "require": { @@ -4181,7 +4183,7 @@ "description": "Provides basic utilities for the filesystem", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/filesystem/tree/v8.0.1" + "source": "https://github.com/symfony/filesystem/tree/v8.0.6" }, "funding": [ { 
@@ -4201,20 +4203,20 @@ "type": "tidelift" } ], - "time": "2025-12-01T09:13:36+00:00" + "time": "2026-02-25T16:59:43+00:00" }, { "name": "symfony/finder", - "version": "v6.4.33", + "version": "v6.4.34", "source": { "type": "git", "url": "https://github.com/symfony/finder.git", - "reference": "24965ca011dac87431729640feef8bcf7b5523e0" + "reference": "9590e86be1d1c57bfbb16d0dd040345378c20896" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/finder/zipball/24965ca011dac87431729640feef8bcf7b5523e0", - "reference": "24965ca011dac87431729640feef8bcf7b5523e0", + "url": "https://api.github.com/repos/symfony/finder/zipball/9590e86be1d1c57bfbb16d0dd040345378c20896", + "reference": "9590e86be1d1c57bfbb16d0dd040345378c20896", "shasum": "" }, "require": { @@ -4249,7 +4251,7 @@ "description": "Finds files and directories via an intuitive fluent interface", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/finder/tree/v6.4.33" + "source": "https://github.com/symfony/finder/tree/v6.4.34" }, "funding": [ { @@ -4269,7 +4271,7 @@ "type": "tidelift" } ], - "time": "2026-01-26T13:03:48+00:00" + "time": "2026-01-28T15:16:37+00:00" }, { "name": "symfony/polyfill-intl-grapheme", @@ -4607,16 +4609,16 @@ }, { "name": "symfony/string", - "version": "v7.4.4", + "version": "v7.4.6", "source": { "type": "git", "url": "https://github.com/symfony/string.git", - "reference": "1c4b10461bf2ec27537b5f36105337262f5f5d6f" + "reference": "9f209231affa85aa930a5e46e6eb03381424b30b" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/string/zipball/1c4b10461bf2ec27537b5f36105337262f5f5d6f", - "reference": "1c4b10461bf2ec27537b5f36105337262f5f5d6f", + "url": "https://api.github.com/repos/symfony/string/zipball/9f209231affa85aa930a5e46e6eb03381424b30b", + "reference": "9f209231affa85aa930a5e46e6eb03381424b30b", "shasum": "" }, "require": { 
@@ -4674,7 +4676,7 @@ "utf8" ], "support": { - "source": "https://github.com/symfony/string/tree/v7.4.4" + "source": "https://github.com/symfony/string/tree/v7.4.6" }, "funding": [ { @@ -4694,20 +4696,20 @@ "type": "tidelift" } ], - "time": "2026-01-12T10:54:30+00:00" + "time": "2026-02-09T09:33:46+00:00" }, { "name": "vimeo/psalm", - "version": "6.15.1", + "version": "6.16.1", "source": { "type": "git", "url": "https://github.com/vimeo/psalm.git", - "reference": "28dc127af1b5aecd52314f6f645bafc10d0e11f9" + "reference": "f1f5de594dc76faf8784e02d3dc4716c91c6f6ac" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/vimeo/psalm/zipball/28dc127af1b5aecd52314f6f645bafc10d0e11f9", - "reference": "28dc127af1b5aecd52314f6f645bafc10d0e11f9", + "url": "https://api.github.com/repos/vimeo/psalm/zipball/f1f5de594dc76faf8784e02d3dc4716c91c6f6ac", + "reference": "f1f5de594dc76faf8784e02d3dc4716c91c6f6ac", "shasum": "" }, "require": { @@ -4812,7 +4814,7 @@ "issues": "https://github.com/vimeo/psalm/issues", "source": "https://github.com/vimeo/psalm" }, - "time": "2026-02-07T19:27:16+00:00" + "time": "2026-03-19T10:56:09+00:00" }, { "name": "wapmorgan/php-deprecation-detector", @@ -4883,16 +4885,16 @@ }, { "name": "webmozart/assert", - "version": "2.1.5", + "version": "2.1.6", "source": { "type": "git", "url": "https://github.com/webmozarts/assert.git", - "reference": "79155f94852fa27e2f73b459f6503f5e87e2c188" + "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/webmozarts/assert/zipball/79155f94852fa27e2f73b459f6503f5e87e2c188", - "reference": "79155f94852fa27e2f73b459f6503f5e87e2c188", + "url": "https://api.github.com/repos/webmozarts/assert/zipball/ff31ad6efc62e66e518fbab1cde3453d389bcdc8", + "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8", "shasum": "" }, "require": { 
@@ -4939,9 +4941,9 @@ ], "support": { "issues": "https://github.com/webmozarts/assert/issues", - "source": "https://github.com/webmozarts/assert/tree/2.1.5" + "source": "https://github.com/webmozarts/assert/tree/2.1.6" }, - "time": "2026-02-18T14:09:36+00:00" + "time": "2026-02-27T10:28:38+00:00" } ], "aliases": [], diff --git a/php/containers-schema.json b/php/containers-schema.json index 7accc513..fc0e03dc 100644 --- a/php/containers-schema.json +++ b/php/containers-schema.json @@ -49,6 +49,9 @@ "type": "string", "pattern": "^[()A-Za-z &0-9-]+$" }, + "hide_from_list": { + "type": "boolean" + }, "environment": { "type": "array", "items": { @@ -229,4 +232,4 @@ } } } -} \ No newline at end of file +} diff --git a/php/containers.json b/php/containers.json index a72d19a2..96346cfe 100644 --- a/php/containers.json +++ b/php/containers.json @@ -379,8 +379,8 @@ ], "internal_port": "9980", "environment": [ - "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache:23973", - "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+", + "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache.nextcloud-aio:23973", + "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+", "dictionaries=%COLLABORA_DICTIONARIES%", "TZ=%TIMEZONE%", "server_name=%NC_DOMAIN%", 
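Review bot: The rewritten `extra_params` entry in the `@@ -379,8 +379,8 @@` hunk of php/containers.json still ends with `--o:net.post_allow.host[0]=.+`, a pattern that matches every client address, so the POST allow-list of the Collabora container is effectively open. Since the line is being edited anyway, consider narrowing it to the addresses expected to post, for example `--o:net.post_allow.host[0]=<EXPECTED_SOURCE_REGEX>` (placeholder), or record in the documentation why any host is accepted. The same hunk now names Apache as `nextcloud-aio-apache.nextcloud-aio` in `aliasgroup1`; this presumably only resolves when the network is called `nextcloud-aio`, which is worth confirming for installs that use another network name.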
@@ -389,13 +389,12 @@ "restart": "unless-stopped", "nextcloud_exec_commands": [ "echo 'Activating Collabora config...'", - "php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache:23973' --callback-url='http://nextcloud-aio-apache:23973'" + "php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache.nextcloud-aio:23973' --callback-url='http://nextcloud-aio-apache.nextcloud-aio:23973'" ], "profiles": [ "collabora" ], "cap_add": [ - "MKNOD", "SYS_ADMIN", "SYS_CHROOT", "FOWNER", @@ -437,6 +436,13 @@ "8081" ], "internal_port": "%TALK_PORT%", + "volumes": [ + { + "source": "%NEXTCLOUD_TRUSTED_CACERTS_DIR%", + "destination": "/usr/local/share/ca-certificates", + "writeable": false + } + ], "environment": [ "NC_DOMAIN=%NC_DOMAIN%", "TALK_HOST=nextcloud-aio-talk", @@ -523,6 +529,8 @@ }, { "container_name": "nextcloud-aio-borgbackup", + "display_name": "Borgbackup", + "hide_from_list": true, "image_tag": "%AIO_CHANNEL%", "image": "ghcr.io/nextcloud-releases/aio-borgbackup", "init": true, @@ -591,6 +599,8 @@ }, { "container_name": "nextcloud-aio-watchtower", + "display_name": "Watchtower", + "hide_from_list": true, "image_tag": "%AIO_CHANNEL%", "image": "ghcr.io/nextcloud-releases/aio-watchtower", "init": true, @@ -611,6 +621,8 @@ }, { "container_name": "nextcloud-aio-domaincheck", + "display_name": "Domaincheck", + "hide_from_list": true, "image_tag": "%AIO_CHANNEL%", "image": "ghcr.io/nextcloud-releases/aio-domaincheck", "init": true, diff --git a/php/domain-validator.php b/php/domain-validator.php index 4f622653..55fb110f 100644 --- a/php/domain-validator.php +++ b/php/domain-validator.php 
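Review bot: The new `volumes` entry in the `@@ -437,6 +436,13 @@` hunk (the container with `internal_port` `%TALK_PORT%`) mounts `%NEXTCLOUD_TRUSTED_CACERTS_DIR%` over `/usr/local/share/ca-certificates`, and nothing visible here shows what is mounted when that placeholder is empty or how the certificates become trusted. Files in that directory are normally only picked up after the image rebuilds its trust store, so it is worth confirming that this image does so at start-up. `"writeable": false` is the right choice. Because every file in the host directory becomes a candidate trust root for this container's outbound TLS, the documentation of the option should state that the directory must be writable by administrators only.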
@@ -7,15 +7,15 @@ if (isset($_GET['domain']) && is_string($_GET['domain'])) { } if (!str_contains($domain, '.')) { - http_response_code(400); + http_response_code(400); } elseif (str_contains($domain, '/')) { - http_response_code(400); + http_response_code(400); } elseif (str_contains($domain, ':')) { - http_response_code(400); + http_response_code(400); } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { - http_response_code(400); + http_response_code(400); } elseif (filter_var($domain, FILTER_VALIDATE_IP)) { - http_response_code(400); + http_response_code(400); } else { // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs // error_log($domain . ' was accepted as valid domain.'); diff --git a/php/psalm-baseline.xml b/php/psalm-baseline.xml index cbb6fc69..c67b56af 100644 --- a/php/psalm-baseline.xml +++ b/php/psalm-baseline.xml @@ -1,2 +1,2 @@ - + diff --git a/php/public/style.css b/php/public/style.css index 2dd199f1..9a8d17d7 100644 --- a/php/public/style.css +++ b/php/public/style.css @@ -483,8 +483,8 @@ input[type="checkbox"]:disabled:not(:checked) + label { visibility: hidden; opacity: 0; align-self: start; - width: 20%; - height: 7rem; + width: 300px; + height: 200px; border-radius: var(--border-radius-large); border: solid thin rgb(192, 192, 192); } diff --git a/php/src/Container/Container.php b/php/src/Container/Container.php index 67ff72ad..6b6c5af9 100644 --- a/php/src/Container/Container.php +++ b/php/src/Container/Container.php @@ -38,6 +38,7 @@ readonly class Container { public string $imageTag, public AioVariables $aioVariables, public string $documentation, + public bool $hideFromList, private DockerActionManager $dockerActionManager ) { } diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php index 5481cd00..e4050f5d 100644 --- a/php/src/ContainerDefinitionFetcher.php +++ b/php/src/ContainerDefinitionFetcher.php 
@@ -324,6 +324,8 @@ readonly class ContainerDefinitionFetcher { $documentation = $entry['documentation']; } + $hideFromList = $entry['hide_from_list'] ?? false; + $containers[] = new Container( $entry['container_name'], $displayName, @@ -349,6 +351,7 @@ readonly class ContainerDefinitionFetcher { $imageTag, $aioVariables, $documentation, + $hideFromList, $this->container->get(DockerActionManager::class) ); } diff --git a/php/templates/includes/aio-version.twig b/php/templates/includes/aio-version.twig index 0aee7e7e..d581945c 100644 --- a/php/templates/includes/aio-version.twig +++ b/php/templates/includes/aio-version.twig @@ -1 +1 @@ -12.8.0 +12.9.0 diff --git a/php/templates/layout.twig b/php/templates/layout.twig index eb7467c2..39f8f45b 100644 --- a/php/templates/layout.twig +++ b/php/templates/layout.twig @@ -1,7 +1,7 @@ AIO - + diff --git a/php/templates/log.twig b/php/templates/log.twig index 4d814b47..2fe3b1ce 100644 --- a/php/templates/log.twig +++ b/php/templates/log.twig @@ -1,13 +1,15 @@ +
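Review bot: `$hideFromList = $entry['hide_from_list'] ?? false;` in the `@@ -324,6 +324,8 @@` hunk passes whatever the definition holds into the `bool $hideFromList` constructor parameter added in Container.php, so a non-boolean value is either coerced or raises a TypeError, depending on a strict_types setting that is not visible here. A strict comparison keeps the flag off unless it is literally true: `$hideFromList = ($entry['hide_from_list'] ?? false) === true;`. If definitions from outside php/containers.json (community containers, for instance) pass through this same code, they could set the flag to keep themselves out of the list, so it may be worth honouring it only for built-in entries. The enclosing function starts and ends outside the hunk.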