enable psalm-security workflow again

Signed-off-by: szaimen <szaimen@e.mail.de>

Containers/apache/Caddyfile

@@ -11,24 +11,34 @@
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867
+        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Talk
     route /standalone-signaling/* {
         uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081
+        reverse_proxy {$TALK_HOST}:8081 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Collabora
     route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
     route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
     route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Onlyoffice
@@ -37,6 +47,7 @@
         reverse_proxy {$ONLYOFFICE_HOST}:80 {
             header_up X-Forwarded-Host {http.request.host}/onlyoffice
             header_up X-Forwarded-Proto https
+            # trusted_proxies placeholder
         }
     }
 
@@ -45,7 +56,10 @@
         rewrite /.well-known/carddav /remote.php/dav
         rewrite /.well-known/caldav /remote.php/dav
         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000
+        reverse_proxy localhost:8000 {
+            # See https://github.com/nextcloud/all-in-one/issues/828
+            # trusted_proxies placeholder
+        }
     }
 
     # TLS options

Containers/apache/start.sh

@@ -21,17 +21,30 @@ if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
 
-# Change the Caddyfile
+# Change variables in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
     export PROTOCOL="http"
     export NC_DOMAIN=""
-    CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
 else
     export PROTOCOL="https"
+fi
+
+# Change the auto_https in case of reverse proxies
+if [ "$APACHE_PORT" != '443' ]; then
+    CADDYFILE="$(sed 's|auto_https.*|auto_https off|' /Caddyfile)"
+else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
 echo "$CADDYFILE" > /Caddyfile
 
+# Change the trusted_proxies in case of reverse proxies
+if [ "$APACHE_PORT" != '443' ]; then
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
+else
+    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+fi
+echo "$CADDYFILE" > /Caddyfile
+
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 

Containers/borgbackup/backupscript.sh

@@ -37,6 +37,13 @@ if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKU
     exit 1
 fi
 
+# Do not continue if this file exists (needed for simple external blocking)
+if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
+    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
+    echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
+    exit 1
+fi
+
 # Create lockfile
 if [ "$BORG_MODE" = backup ] || [ "$BORG_MODE" = restore ]; then
     touch "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:21.11.5.1.1
+FROM collabora/code:21.11.5.3.1
 
 USER root
 

Containers/mastercontainer/Dockerfile

@@ -1,5 +1,5 @@
 # Docker CLI is a requirement
-FROM docker:20.10.16-dind-alpine3.16 as dind
+FROM docker:20.10.17-dind-alpine3.16 as dind
 
 # Caddy is a requirement
 FROM caddy:2.5.1-alpine as caddy

Containers/nextcloud/Dockerfile

@@ -85,7 +85,7 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
 RUN { \
-        echo 'opcache.interned_strings_buffer=64'; \
+        echo 'opcache.interned_strings_buffer=32'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
@@ -105,7 +105,7 @@ RUN { \
 VOLUME /var/www/html
 
 
-ENV NEXTCLOUD_VERSION 23.0.5
+ENV NEXTCLOUD_VERSION 23.0.6
 
 RUN set -ex; \
     apk add --no-cache --virtual .fetch-deps \

Containers/nextcloud/entrypoint.sh

@@ -307,6 +307,7 @@ else
     php /var/www/html/occ app:update notify_push
 fi
 php /var/www/html/occ config:system:set trusted_proxies 0 --value="127.0.0.1"
+php /var/www/html/occ config:system:set trusted_proxies 1 --value="::1"
 php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://$NC_DOMAIN/push"
 
 # Collabora

docker-rootless.md

@@ -4,6 +4,9 @@ You can run AIO with docker rootless by following the steps below.
 
 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
 1. Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it **Without packages**. Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (`systemctl --user enable docker`)
+1. Do not forget to set the mentioned environmental variables and in best case add them to your `~/.bashrc` file as shown!
 1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`)
 1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `-e DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
 1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or docker-compose file (after installing docker rootles) are things that are mentioned in point 3.
+
+**Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. For changing Nextcloud's datadir, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). This logically also applies to the NEXTCLOUD_MOUNT option.

php/composer.lock

@@ -8,22 +8,22 @@
     "packages": [
         {
             "name": "guzzlehttp/guzzle",
-            "version": "7.4.4",
+            "version": "7.4.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
-                "reference": "e3ff079b22820c2029d4c2a87796b6a0b8716ad8"
+                "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/e3ff079b22820c2029d4c2a87796b6a0b8716ad8",
-                "reference": "e3ff079b22820c2029d4c2a87796b6a0b8716ad8",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82",
+                "reference": "1dd98b0564cb3f6bd16ce683cb755f94c10fbd82",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
                 "guzzlehttp/promises": "^1.5",
-                "guzzlehttp/psr7": "^1.8.3 || ^2.1",
+                "guzzlehttp/psr7": "^1.9 || ^2.4",
                 "php": "^7.2.5 || ^8.0",
                 "psr/http-client": "^1.0",
                 "symfony/deprecation-contracts": "^2.2 || ^3.0"
@@ -112,7 +112,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/guzzle/issues",
-                "source": "https://github.com/guzzle/guzzle/tree/7.4.4"
+                "source": "https://github.com/guzzle/guzzle/tree/7.4.5"
             },
             "funding": [
                 {
@@ -128,7 +128,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-06-09T21:39:15+00:00"
+            "time": "2022-06-20T22:16:13+00:00"
         },
         {
             "name": "guzzlehttp/promises",
@@ -216,16 +216,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.3.0",
+            "version": "2.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "83260bb50b8fc753c72d14dc1621a2dac31877ee"
+                "reference": "13388f00956b1503577598873fffb5ae994b5737"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/83260bb50b8fc753c72d14dc1621a2dac31877ee",
-                "reference": "83260bb50b8fc753c72d14dc1621a2dac31877ee",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/13388f00956b1503577598873fffb5ae994b5737",
+                "reference": "13388f00956b1503577598873fffb5ae994b5737",
                 "shasum": ""
             },
             "require": {
@@ -249,7 +249,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "2.3-dev"
+                    "dev-master": "2.4-dev"
                 }
             },
             "autoload": {
@@ -311,7 +311,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.3.0"
+                "source": "https://github.com/guzzle/psr7/tree/2.4.0"
             },
             "funding": [
                 {
@@ -327,7 +327,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-06-09T08:26:02+00:00"
+            "time": "2022-06-20T21:43:11+00:00"
         },
         {
             "name": "http-interop/http-factory-guzzle",

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v1.4.1</h1>
+        <h1>Nextcloud AIO v1.4.2</h1>
 
         {% set isAnyRunning = false %}
         {% set isAnyRestarting = false %}

readme.md

@@ -293,11 +293,21 @@ if ! [ -d "$TARGET_DIRECTORY" ]; then
     exit 1
 fi
 
+if [ -f "$SOURCE_DIRECTORY/aio-lockfile" ]; then
+    echo "Not continuing because aio-lockfile already exists."
+    exit 1
+fi
+
+touch "$SOURCE_DIRECTORY/aio-lockfile"
+
 if ! rsync --stats --archive --human-readable --delete "$SOURCE_DIRECTORY/" "$TARGET_DIRECTORY"; then
     echo "Failed to sync the backup repository to the target directory."
     exit 1
 fi
 
+rm "$SOURCE_DIRECTORY/aio-lockfile"
+rm "$TARGET_DIRECTORY/aio-lockfile"
+
 umount "$DRIVE_MOUNTPOINT"
 
 if docker ps --format "{{.Names}}" | grep "^nextcloud-aio-nextcloud$"; then
@@ -317,8 +327,6 @@ Afterwards apply the correct permissions with `sudo chown root:root /root/backup
 1. Add the following new line to the crontab if not already present: `0 20 * * 7 /root/backup-script.sh` which will run the script at 20:00 on Sundays each week. 
 1. save and close the crontab (when using nano are the shortcuts for this `Ctrl + o` -> `Enter` and close the editor with `Ctrl + x`).
 
-⚠️ **Attention:** Make sure that the execution of the script does not collide with the daily backups from AIO (if configured) since the target backup repository might get into an inconsistent state. (There is no check in place that checks this.)
-
 ### How to change the default location of Nextcloud's Datadir?
 You can configure the Nextcloud container to use a specific directory on your host as data directory. You can do so by adding the environmental variable `NEXTCLOUD_DATADIR` to the initial startup of the mastercontainer. Allowed values for that variable are strings that start with `/` and are not equal to `/`.