mirror of
https://github.com/hoellen/docker-nextcloud.git
synced 2025-07-01 15:46:13 +00:00
Compare commits
11 Commits
5bb4d67f04
...
version-25
| Author | SHA1 | Date | |
|---|---|---|---|
| 84c8433c6c | |||
| e4ac6877ee | |||
| ba7356184b | |||
| 2df5fa9674 | |||
| ad6682a594 | |||
| 4448daf29e | |||
| f628650c63 | |||
| 7fdf687f23 | |||
| b5eda66c8c | |||
| c181d509f5 | |||
| dc50eed61b |
15
.github/workflows/build.yml
vendored
15
.github/workflows/build.yml
vendored
@ -3,9 +3,7 @@ name: build
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
- version-*
|
||||
branches: [ version-25 ]
|
||||
schedule:
|
||||
# Build the image regularly (each Friday)
|
||||
- cron: '23 04 * * 5'
|
||||
@ -29,12 +27,6 @@ jobs:
|
||||
|
||||
- name: Extract version for tags
|
||||
run: |
|
||||
if [[ "$GITHUB_REF" == refs/heads/* ]]; then
|
||||
BRANCH="${GITHUB_REF#refs/heads/}"
|
||||
if [ "$BRANCH" = "master" ]; then
|
||||
echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
|
||||
fi
|
||||
fi
|
||||
echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
|
||||
echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
|
||||
|
||||
@ -42,7 +34,7 @@ jobs:
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@main
|
||||
with:
|
||||
cosign-release: 'v2.2.2'
|
||||
cosign-release: 'v1.13.1'
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v1
|
||||
@ -61,7 +53,6 @@ jobs:
|
||||
with:
|
||||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
tags: |
|
||||
${{ env.BRANCH_VERSION }}
|
||||
${{ env.FULL_VERSION }}
|
||||
${{ env.MAJOR_VERSION }}
|
||||
|
||||
@ -78,4 +69,4 @@ jobs:
|
||||
if: ${{ github.event_name != 'pull_request' }}
|
||||
env:
|
||||
COSIGN_EXPERIMENTAL: "true"
|
||||
run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
|
||||
run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
23
Dockerfile
23
Dockerfile
@ -1,24 +1,24 @@
|
||||
# -------------- Build-time variables --------------
|
||||
ARG NEXTCLOUD_VERSION=28.0.4
|
||||
ARG PHP_VERSION=8.2
|
||||
ARG NGINX_VERSION=1.24
|
||||
ARG NEXTCLOUD_VERSION=25.0.13
|
||||
ARG PHP_VERSION=8.1
|
||||
ARG NGINX_VERSION=1.22
|
||||
|
||||
ARG ALPINE_VERSION=3.19
|
||||
ARG ALPINE_VERSION=3.17
|
||||
ARG HARDENED_MALLOC_VERSION=11
|
||||
ARG SNUFFLEUPAGUS_VERSION=0.10.0
|
||||
ARG SNUFFLEUPAGUS_VERSION=0.8.3
|
||||
|
||||
ARG UID=1000
|
||||
ARG GID=1000
|
||||
|
||||
# nextcloud-28.0.4.tar.bz2
|
||||
ARG SHA256_SUM="9bfecee1e12fba48c49e9a71caa81c4ba10b2884787fab75d64ccfd122a13019"
|
||||
# nextcloud-25.0.13.tar.bz2
|
||||
ARG SHA256_SUM="387bac148a696244f1ec02698a082d408283a875b3de85eb9719dd4493eebe33"
|
||||
|
||||
# Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
|
||||
ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
|
||||
# ---------------------------------------------------
|
||||
|
||||
### Build PHP base
|
||||
FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
|
||||
FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
|
||||
|
||||
ARG SNUFFLEUPAGUS_VERSION
|
||||
|
||||
@ -43,7 +43,6 @@ RUN apk -U upgrade \
|
||||
gmp \
|
||||
icu \
|
||||
libjpeg-turbo \
|
||||
librsvg \
|
||||
libpq \
|
||||
libpq \
|
||||
libwebp \
|
||||
@ -59,14 +58,12 @@ RUN apk -U upgrade \
|
||||
bcmath \
|
||||
exif \
|
||||
gd \
|
||||
bz2 \
|
||||
intl \
|
||||
ldap \
|
||||
opcache \
|
||||
pcntl \
|
||||
pdo_mysql \
|
||||
pdo_pgsql \
|
||||
sysvsem \
|
||||
zip \
|
||||
gmp \
|
||||
&& pecl install smbclient \
|
||||
@ -85,7 +82,7 @@ RUN apk -U upgrade \
|
||||
|
||||
### Build Hardened Malloc
|
||||
ARG ALPINE_VERSION
|
||||
FROM docker.io/library/alpine:${ALPINE_VERSION} as build-malloc
|
||||
FROM alpine:${ALPINE_VERSION} as build-malloc
|
||||
|
||||
ARG HARDENED_MALLOC_VERSION
|
||||
ARG CONFIG_NATIVE=false
|
||||
@ -99,7 +96,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
|
||||
|
||||
|
||||
### Fetch nginx
|
||||
FROM docker.io/library/nginx:${NGINX_VERSION}-alpine as nginx
|
||||
FROM nginx:${NGINX_VERSION}-alpine as nginx
|
||||
|
||||
|
||||
### Build Nextcloud (production environemnt)
|
||||
|
||||
@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
|
||||
## Tags
|
||||
|
||||
- `latest` : latest Nextcloud version
|
||||
- `x` : latest Nextcloud x.x (e.g. `28`)
|
||||
- `x.x.x` : Nextcloud x.x.x (e.g. `28.0.0`)
|
||||
- `x` : latest Nextcloud x.x (e.g. `25`)
|
||||
- `x.x.x` : Nextcloud x.x.x (e.g. `25.0.0`)
|
||||
|
||||
You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
|
||||
Only the **latest stable version** will be maintained by myself.
|
||||
|
||||
@ -7,16 +7,12 @@ and will receive the minor version updates and security patches.
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 28. x | :white_check_mark: |
|
||||
| 27. x | :white_check_mark: |
|
||||
| 26. x | :white_check_mark: |
|
||||
| 25. x | :negative_squared_cross_mark: |
|
||||
| 24. x | :negative_squared_cross_mark: |
|
||||
| 25. x | :white_check_mark: |
|
||||
| 24. x | :white_check_mark: |
|
||||
| 23. x | :negative_squared_cross_mark: |
|
||||
| 22. x | :negative_squared_cross_mark: |
|
||||
|
||||
Please update to the latest version available. Major migrations are always tested before being pushed.
|
||||
An up-to-date list of the currently maintained Nextcloud versions can also be found in the [Nextcloud Repository Wiki](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule).
|
||||
|
||||
## Automated vulnerability scanning
|
||||
|
||||
|
||||
@ -18,9 +18,10 @@ server {
|
||||
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
|
||||
location = /robots.txt {
|
||||
@ -48,7 +49,7 @@ server {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
|
||||
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
@ -61,12 +62,12 @@ server {
|
||||
fastcgi_read_timeout 1200;
|
||||
}
|
||||
|
||||
location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
|
||||
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
|
||||
location ~ \.(?:css|js|svg|gif|map)$ {
|
||||
try_files $uri /index.php$uri$is_args$args;
|
||||
expires 6M;
|
||||
access_log off;
|
||||
|
||||
@ -9,11 +9,6 @@ events {
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
# Add .mjs as a file extension for javascript
|
||||
# https://github.com/nextcloud/server/pull/36057
|
||||
types {
|
||||
application/javascript mjs;
|
||||
}
|
||||
default_type application/octet-stream;
|
||||
|
||||
access_log /nginx/logs/access.log combined;
|
||||
|
||||
@ -15,16 +15,6 @@ if [ "$PHP_HARDENING" == "true" ] && [ ! -f /usr/local/etc/php/conf.d/snuffleupa
|
||||
cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d
|
||||
fi
|
||||
|
||||
# Check if database is available
|
||||
if [ -n "${DB_TYPE}" ] && [ "${DB_TYPE}" != "sqlite3" ]; then
|
||||
DB_PORT=${DB_PORT:-$( [ "${DB_TYPE}" = "pgsql" ] && echo 5432 || echo 3306 )}
|
||||
until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT}"
|
||||
do
|
||||
echo "waiting for the database container..."
|
||||
sleep 1
|
||||
done
|
||||
fi
|
||||
|
||||
# If new install, run setup
|
||||
if [ ! -f /nextcloud/config/config.php ]; then
|
||||
touch /nextcloud/config/CAN_INSTALL
|
||||
|
||||
@ -55,6 +55,14 @@ cat >> /nextcloud/config/autoconfig.php <<EOF;
|
||||
?>
|
||||
EOF
|
||||
|
||||
if [ ${DB_TYPE} != "sqlite3" ]; then
|
||||
until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
|
||||
do
|
||||
echo "waiting for the database container..."
|
||||
sleep 1
|
||||
done
|
||||
fi
|
||||
|
||||
echo "Starting automatic configuration..."
|
||||
# Execute setup
|
||||
(cd /nextcloud; php index.php &>/dev/null)
|
||||
|
||||
@ -47,10 +47,6 @@ sp.disable_function.function("ini_get").param("option").value("open_basedir").fi
|
||||
sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
|
||||
sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow();
|
||||
|
||||
# Nextcloud inherently enables XXE-Protection since 27.0.1, therefore, drop setting a new external entity loader
|
||||
sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow();
|
||||
sp.disable_function.function("libxml_set_external_entity_loader").drop();
|
||||
|
||||
# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
|
||||
sp.disable_function.function("chmod").param("permissions").value("438").drop();
|
||||
sp.disable_function.function("chmod").param("permissions").value("511").drop();
|
||||
|
||||
Reference in New Issue
Block a user