diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..58f889b37dce79280cb6f318de8db119f508fd2e --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,83 @@ +variables: + GIT_SUBMODULE_STRATEGY: recursive + DOCKER_HUB_REPO: libresh/nextcloud + +.compute_long_version: &compute_long_version + - export LONG_VERSION=`cat ${CI_PROJECT_DIR}/upstream/${VERSION}/fpm-alpine/Dockerfile | grep "ENV NEXTCLOUD_VERSION" | cut -d" " -f3` + +.test: + tags: + - build + image: + name: gcr.io/kaniko-project/executor:debug + entrypoint: [""] + variables: + DESTINATION_UPSTREAM: "--no-push" + DESTINATION_BASE: "--no-push" + DESTINATION_FR: "--no-push" + DESTINATION_WEB: "--no-push" + script: + - *compute_long_version + - cp $DOCKER_SECRET_CONFIG /kaniko/.docker/config.json + - export CONTEXT=${CI_PROJECT_DIR}/upstream/${VERSION}/fpm-alpine + - cd ${CONTEXT} + - /kaniko/executor --context ${CONTEXT} ${DESTINATION_UPSTREAM} + - export CONTEXT=${CI_PROJECT_DIR}/base + - cd ${CONTEXT} + - /kaniko/executor --context ${CONTEXT} ${DESTINATION_BASE} --build-arg VERSION=$LONG_VERSION + - export CONTEXT=${CI_PROJECT_DIR}/fr + - cd ${CONTEXT} + #- /kaniko/executor --context ${CONTEXT} ${DESTINATION_FR} --build-arg VERSION=$LONG_VERSION + - export CONTEXT=${CI_PROJECT_DIR}/web + - cd ${CONTEXT} + - /kaniko/executor --context ${CONTEXT} ${DESTINATION_WEB} --build-arg VERSION=$LONG_VERSION + except: + - master + +test-v16: + extends: .test + variables: + VERSION: "16.0" + +test-v17: + extends: .test + variables: + VERSION: "17.0" + +test-v18: + extends: .test + variables: + VERSION: "18.0" + +.push: + extends: .test + before_script: + - *compute_long_version + - export DESTINATION_PREFIX="--destination ${DOCKER_HUB_REPO}" + - export DATE=`date "+%Y-%m-%d"` + - export DESTINATION_UPSTREAM="${DESTINATION_PREFIX}:${VERSION}-upstream ${DESTINATION_PREFIX}:${VERSION}-upstream-${DATE}" + - export DESTINATION_UPSTREAM="${DESTINATION_UPSTREAM} ${DESTINATION_PREFIX}:${LONG_VERSION}-upstream ${DESTINATION_PREFIX}:${LONG_VERSION}-upstream-${DATE}" + - export DESTINATION_BASE="${DESTINATION_PREFIX}:${VERSION} ${DESTINATION_PREFIX}:${VERSION}-${DATE}" + - export DESTINATION_BASE="${DESTINATION_BASE} ${DESTINATION_PREFIX}:${LONG_VERSION} ${DESTINATION_PREFIX}:${LONG_VERSION}-${DATE}" + - export DESTINATION_FR="${DESTINATION_PREFIX}:${VERSION}-fr ${DESTINATION_PREFIX}:${VERSION}-fr-${DATE}" + - export DESTINATION_FR="${DESTINATION_FR} ${DESTINATION_PREFIX}:${LONG_VERSION}-fr ${DESTINATION_PREFIX}:${LONG_VERSION}-fr-${DATE}" + - export DESTINATION_WEB="${DESTINATION_PREFIX}:${VERSION}-web ${DESTINATION_PREFIX}:${VERSION}-web-${DATE}" + - export DESTINATION_WEB="${DESTINATION_WEB} ${DESTINATION_PREFIX}:${LONG_VERSION}-web ${DESTINATION_PREFIX}:${LONG_VERSION}-web-${DATE}" + except: [] + only: + - master + +push-v16: + extends: .push + variables: + VERSION: "16.0" + +push-v17: + extends: .push + variables: + VERSION: "17.0" + +push-v18: + extends: .push + variables: + VERSION: "18.0" \ No newline at end of file diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000000000000000000000000000000000000..063da10d347c22617fe57e11ce508518c3836010 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "upstream"] + path = upstream + url = https://github.com/pierreozoux/docker-1 diff --git a/README.md b/README.md index 7c5987bf15155ceb8096e5fea0ad9fadb4cc38da..630e9744949bae605a4e1d86e8c69c011dde268f 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,3 @@ # docker-nextcloud -Nextcloud docker image for libre.sh + +Nextcloud docker image for libre.sh \ No newline at end of file diff --git a/base/Dockerfile b/base/Dockerfile index b0a4502757509c062335c51ac778473562e6aa1e..5bdf1d5f14e83276e19dd62ad399facdd60c0ddb 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -1,4 +1,34 @@ -ARG VERSION=latest -FROM nextcloud:$VERSION -COPY entrypoint.sh / -COPY /config/ /usr/src/nextcloud/config/ +ARG VERSION +FROM alpine as apps +RUN apk add --no-cache jq curl bash +COPY apps /apps +WORKDIR /apps +ARG VERSION +RUN ./install.sh +RUN rm ./install.sh ./install-list + +FROM libresh/nextcloud:$VERSION-upstream +RUN set -ex; \ + \ + apk add --no-cache \ + imagemagick \ + ; +RUN set -ex; \ + \ + apk add --no-cache --virtual .build-deps \ + imap-dev \ + libressl-dev \ + bzip2-dev \ + ; \ + docker-php-ext-configure imap --with-imap-ssl; \ + docker-php-ext-install imap; \ + apk del .build-deps +COPY redis.ini /usr/local/etc/php/conf.d/ +COPY --chown=www-data:root config/* /var/www/html/config/ +COPY --from=apps --chown=www-data:root /apps/* /var/www/html/apps/ +RUN for app in $(cat /var/www/html/apps/remove-list);do \ + echo "removing app $app"; \ + rm -R /var/www/html/apps/$app; \ +done +RUN rm /var/www/html/apps/remove-list +CMD ["php-fpm"] \ No newline at end of file diff --git a/base/apps/install-list b/base/apps/install-list new file mode 100644 index 0000000000000000000000000000000000000000..26bf805ad95e12a7cbb78fff01805b08752f6276 --- /dev/null +++ b/base/apps/install-list @@ -0,0 +1,19 @@ +announcementcenter +apporder +bookmarks +calendar +contacts +data_request +drop_account +files_automatedtagging +files_rightclick +groupfolders +impersonate +music +notes +quota_warning +registration +richdocuments +text +twofactor_totp +user_saml \ No newline at end of file diff --git a/base/apps/install.sh b/base/apps/install.sh new file mode 100755 index 0000000000000000000000000000000000000000..cd1e0f8d4c83eb1628ac9845b715cafd95104e54 --- /dev/null +++ b/base/apps/install.sh @@ -0,0 +1,17 @@ +#!/bin/bash -eux + +curl -Ls https://apps.nextcloud.com/api/v1/platform/${VERSION}/apps.json > /tmp/apps.json + +function download_link() { + cat /tmp/apps.json | jq '.[] | select(.id == "'$1'") | .releases[0].download' +} + +links=`cat ./install-list | xargs -I@ bash -c "$(declare -f download_link) ; download_link @ ; " | tr -d '"'` + +mkdir -p apps +cd apps + +for link in $links; do + echo "downloading $link..." + curl -Ls $link | tar xz +done diff --git a/base/apps/remove-list b/base/apps/remove-list new file mode 100644 index 0000000000000000000000000000000000000000..28390f1b532386febd5267c297a039771ba47bbd --- /dev/null +++ b/base/apps/remove-list @@ -0,0 +1,4 @@ +encryption +serverinfo +support +updatenotification \ No newline at end of file diff --git a/base/config/20.apps.config.php b/base/config/20.apps.config.php new file mode 100644 index 0000000000000000000000000000000000000000..d356d919b09a30d555b4c3bc75020729bacd75d1 --- /dev/null +++ b/base/config/20.apps.config.php @@ -0,0 +1,11 @@ + array ( + 0 => array ( + "path" => OC::$SERVERROOT."/apps", + "url" => "/apps", + "writable" => false, + ), + ), + "appstoreenabled" => "false", +); \ No newline at end of file diff --git a/base/config/mail.config.php b/base/config/mail.config.php deleted file mode 100644 index 59f1eaa166a0ae16fdeeb227bbc144aba6a046c4..0000000000000000000000000000000000000000 --- a/base/config/mail.config.php +++ /dev/null @@ -1,15 +0,0 @@ - 'smtp', - 'mail_smtphost' => getenv('SMTP_HOST'), - 'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25), - 'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '', - 'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'), - 'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN', - 'mail_smtpname' => getenv('SMTP_NAME') ?: '', - 'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '', - 'mail_from_address' => getenv('MAIL_FROM_ADDRESS'), - 'mail_domain' => getenv('MAIL_DOMAIN'), - ); -} diff --git a/base/config/redis.config.php b/base/config/redis.config.php deleted file mode 100644 index 71f1f453c7af301d1f494cdff4429321b181e183..0000000000000000000000000000000000000000 --- a/base/config/redis.config.php +++ /dev/null @@ -1,10 +0,0 @@ - '\OC\Memcache\Redis', - 'redis' => array( - 'host' => getenv('REDIS_HOST'), - 'port' => getenv('REDIS_PORT') ?: 6379, - ), - ); -} diff --git a/base/entrypoint.sh b/base/entrypoint.sh deleted file mode 100755 index f1cd2d6858ef4425474ae5837fd44b672ab00398..0000000000000000000000000000000000000000 --- a/base/entrypoint.sh +++ /dev/null @@ -1,153 +0,0 @@ -#!/bin/sh -set -eu - -# version_greater A B returns whether A > B -version_greater() { - [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ] -} - -# version_equal A B returns whether A = B -version_equal() { - [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" = "$1" ] -} - -# return true if specified directory is empty -directory_empty() { - [ -z "$(ls -A "$1/")" ] -} - -run_as() { - if [ "$(id -u)" = 0 ]; then - su -p www-data -s /bin/sh -c "$1" - else - sh -c "$1" - fi -} - -if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then - installed_version="0.0.0.0" - if [ -f /var/www/html/config/config.php ]; then - # shellcheck disable=SC2016 - installed_version="$(awk '$1 ~ /version/ { print $3 }' /var/www/html/config/config.php | grep -oP "(?<=').*(?=')")" - fi - # shellcheck disable=SC2016 - image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')" - - if version_greater "$installed_version" "$image_version"; then - echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?" - exit 1 - fi - - if version_equal "$installed_version" "$image_version"; then - if [ "$(id -u)" = 0 ]; then - rsync_options="-rlDog --chown www-data:root" - else - rsync_options="-rlD" - fi - rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ - - for dir in config data custom_apps themes; do - if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ - fi - done - echo "Initializing finished" - fi - - if version_greater "$image_version" "$installed_version"; then - echo "Initializing nextcloud $image_version ..." - if [ "$installed_version" != "0.0.0.0" ]; then - echo "Upgrading nextcloud from $installed_version ..." - run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before - fi - if [ "$(id -u)" = 0 ]; then - rsync_options="-rlDog --chown www-data:root" - else - rsync_options="-rlD" - fi - rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/ - - for dir in config data custom_apps themes; do - if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then - rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/ - fi - done - echo "Initializing finished" - - #install - if [ "$installed_version" = "0.0.0.0" ]; then - echo "New nextcloud instance" - - if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then - # shellcheck disable=SC2016 - install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"' - if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then - # shellcheck disable=SC2016 - install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"' - else - install_options=$install_options' --database-table-prefix ""' - fi - if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then - # shellcheck disable=SC2016 - install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' - fi - - install=false - if [ -n "${SQLITE_DATABASE+x}" ]; then - echo "Installing with SQLite database" - # shellcheck disable=SC2016 - install_options=$install_options' --database-name "$SQLITE_DATABASE"' - install=true - elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then - echo "Installing with MySQL database" - # shellcheck disable=SC2016 - install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"' - install=true - elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then - echo "Installing with PostgreSQL database" - # shellcheck disable=SC2016 - install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"' - install=true - fi - - if [ "$install" = true ]; then - echo "starting nexcloud installation" - max_retries=10 - try=0 - until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ] - do - echo "retrying install..." - try=$((try+1)) - sleep 3s - done - if [ "$try" -gt "$max_retries" ]; then - echo "installing of nextcloud failed!" - exit 1 - fi - if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then - echo "setting trusted domains…" - NC_TRUSTED_DOMAIN_IDX=1 - for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do - DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//') - run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN" - NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1)) - done - fi - else - echo "running web-based installer on first connect!" - fi - fi - #upgrade - else - run_as 'php /var/www/html/occ upgrade' - - run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after - echo "The following apps have been disabled:" - diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1 - rm -f /tmp/list_before /tmp/list_after - - fi - fi -fi - -exec "$@" diff --git a/base/redis.ini b/base/redis.ini new file mode 100644 index 0000000000000000000000000000000000000000..bf8fac1de2c755cc143851a5927a2cc3ea7eb7d5 --- /dev/null +++ b/base/redis.ini @@ -0,0 +1,2 @@ +session.save_handler = redis +session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}" \ No newline at end of file diff --git a/fr/Dockerfile b/fr/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..bc937d750165199d65b5e9701ca3e2f63fd7a190 --- /dev/null +++ b/fr/Dockerfile @@ -0,0 +1,3 @@ +ARG VERSION +FROM libresh/nextcloud:${VERSION} as builder +COPY --chown=www-data:root _build/html/release/fr/ /var/www/html/core/doc/user/ diff --git a/imap/Dockerfile b/imap/Dockerfile deleted file mode 100644 index 443d5ae9d141c4cbbaa44f10b08370585fd5cb2e..0000000000000000000000000000000000000000 --- a/imap/Dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -ARG VERSION=latest -FROM indiehosters/nextcloud:$VERSION -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - libc-client-dev \ - libkrb5-dev \ - libmagickwand-dev \ - && docker-php-ext-configure imap --with-kerberos --with-imap-ssl \ - && docker-php-ext-install imap \ - && pecl install imagick \ - && docker-php-ext-enable imagick \ - && rm -rf /var/lib/apt/lists/* diff --git a/upstream b/upstream new file mode 160000 index 0000000000000000000000000000000000000000..0433976ebe509588ec6967392d9e093f47abbf81 --- /dev/null +++ b/upstream @@ -0,0 +1 @@ +Subproject commit 0433976ebe509588ec6967392d9e093f47abbf81 diff --git a/web/Dockerfile b/web/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..795f8d5a6fe8c43f337d4208914afb21019d3f40 --- /dev/null +++ b/web/Dockerfile @@ -0,0 +1,6 @@ +ARG VERSION +FROM libresh/nextcloud:${VERSION} as builder +FROM nginx +COPY --from=builder /var/www/html /var/www/html +COPY nginx.conf /etc/nginx/nginx.conf +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/web/nginx.conf b/web/nginx.conf new file mode 100644 index 0000000000000000000000000000000000000000..6ea3933991b18a0655072b10493e637926a0b049 --- /dev/null +++ b/web/nginx.conf @@ -0,0 +1,110 @@ +user www-data; + +events { + worker_connections 768; +} + +http { + upstream backend { + server nextcloud-app:9000; + } + include /etc/nginx/mime.types; + default_type application/octet-stream; + + server { + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Forwarded-For; + listen 80; + + # Add headers to serve security related headers + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + + root /var/www/html; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /.well-known/carddav { + return 301 https://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 https://$host/remote.php/dav; + } + + client_max_body_size 1G; + fastcgi_buffers 64 4K; + + gzip off; # handled at haproxy level + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + try_files $fastcgi_script_name =404; + set $path_info $fastcgi_path_info; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass backend; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js and css files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } + } +}