diff --git a/README.md b/README.md index 3af5d08..f1f9204 100644 --- a/README.md +++ b/README.md @@ -9,15 +9,18 @@ This non-official image is intended as an **all-in-one** (as in monolithic) Next ## Security Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself. -Images are scanned every day by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. They are rebuilt once a week, so you should often update your images regardless of your Nextcloud version. +Images are scanned every day by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Latest tag/version is automatically built weekly, so you should often update your images regardless if you're already using the latest Nextcloud version. ## Features - Fetching PHP/nginx from their official images. -- Does not use any privilege at any time, even at startup. +- **Rootless**: no privilege at any time, even at startup. +- Includes **hardened_malloc**, a hardened memory allocator. +- Includes a simple **built-in cron** system. - Much easier to maintain thanks to multi-stages build. -- Includes hardened_malloc, a hardened memory allocator. - Does not include imagick, samba, etc. by default. +You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs. + ## Tags - `latest` : latest Nextcloud version - `x` : latest Nextcloud x.x (e.g. `21`) 
@@ -36,10 +39,11 @@ Only the **latest stable version** will be maintained by myself. | **APCU_VERSION** | version of APCu (php ext) | | **REDIS_VERSION** | version of redis (php ext) | | **HARDENED_MALLOC_VERSION** | version of hardened_malloc | +| **CONFIG_NATIVE** | native code for hmalloc | | **UID** | user id (default: 1000) | | **GID** | group id (default: 1000) | -For convenience they were put at the very of the Dockerfile and their usage should be quite explicit if you intend to build this image yourself. +For convenience they were put at [the very top of the Dockerfile](https://github.com/Wonderfall/docker-nextcloud/blob/main/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself. ## Environment variables (Dockerfile) @@ -69,6 +73,8 @@ Leave them at default if you're not sure what you're doing. `ADMIN_USER` and `ADMIN_PASSWORD` are optional and mainly for niche purposes. Obviously, avoid clear text passwords. Once `setup.sh` has run for the first time, these variables can be removed. You should then edit `/nextcloud/config/config.php` directly if you want to change something in your configuration. +The usage of [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) will be considered in the future, but `config.php` already covers quite a lot. + ## Volumes | Variable | Description | | ------------------------- | -------------------------- | 
@@ -80,10 +86,12 @@ Leave them at default if you're not sure what you're doing. ## Ports | Port | Use | | ------------------------- | -------------------------- | -| **8888** | Nextcloud web | +| **8888** (tcp) | Nextcloud web | -A reverse proxy like Traefik/Caddy should be used. +A reverse proxy like [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/) can be used, and you should consider: +- Redirecting all HTTP traffic to HTTPS +- Setting the [HSTS header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) correctly ## Migration from the legacy image From now on you'll need to make sure all volumes have proper permissions. The default UID/GID is now 1000, so you'll need to build the image yourself if you want to change that, or you can just change the actual permissions of the volumes using `chown -R 1000:1000`. The flexibility provided by the legacy image came at some cost (performance & security), therefore this feature won't be provided anymore.
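Review bot: In the first hunk (README `## Security`), the rewritten sentence "Latest tag/version is automatically built weekly, so you should often update your images regardless if you're already using the latest Nextcloud version" is ungrammatical and narrows the old claim without saying so. The removed line said all images "are rebuilt once a week"; the new one says only `latest` is rebuilt, which means the `x` and `x.y` tags listed under `## Tags` do not pick up the OS fixes the daily Trivy scans find. Suggest stating that consequence explicitly, e.g. "Only the `latest` tag is rebuilt weekly; pinned `x`/`x.y` tags are not rebuilt, so they will not receive OS security updates. Update regardless of whether you are already on the latest Nextcloud version." The new "built-in cron" feature bullet also lacks any description of what it schedules or how to disable it; a one-line pointer would help readers who already run `cron.php` externally.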
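Review bot: In the second hunk (build arguments table), `| **CONFIG_NATIVE** | native code for hmalloc |` is too terse to be usable: it does not say what values the argument accepts or that building hardened_malloc with native CPU code ties the resulting image to the CPU family it was built on, so an image built on one host may not run on another. Suggest spelling out the accepted values and that portability trade-off, e.g. "whether hardened_malloc is built with native CPU optimisations (image is then not portable across CPU generations)". Separately, the new link `Dockerfile#L1-L13` points at line numbers on the `main` branch, which will silently go stale as soon as the Dockerfile header changes; link to a commit permalink or drop the `#L1-L13` anchor.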
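Review bot: In the third hunk (`## Environment variables`), the added sentence "`config.php` already covers quite a lot" does not tell the reader what it covers, so it does not answer the concern raised two lines earlier about clear-text passwords. Suggest naming the cases, e.g. "database and Redis credentials can be kept in `config.php` on the config volume rather than passed as environment variables", and keeping the advice that `ADMIN_PASSWORD` is exposed through the container environment (visible to `docker inspect` and anyone who can read the container's process environment) until it is removed after the first run of `setup.sh`.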
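Review bot: In the fourth hunk (`## Ports`), changing "A reverse proxy like Traefik/Caddy should be used" to "can be used" weakens the security guidance in the wrong direction: the image only exposes plain HTTP on 8888 (tcp) and terminates no TLS itself, so a TLS-terminating proxy is required for the two bullets that follow (HTTP to HTTPS redirect, HSTS) to be meaningful. Suggest keeping "should be used" or "must be placed behind a TLS-terminating reverse proxy". The bullet list would also benefit from a third item telling users to pass the client address and protocol from the proxy and to set `trusted_proxies` and `overwriteprotocol` in `config.php`, otherwise Nextcloud logs the proxy's IP and generates http:// URLs behind the proxy.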