hoellen/docker-nextcloud
1
0
Fork 0
mirror of https://github.com/hoellen/docker-nextcloud.git synced 2026-06-01 22:10:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hoellen/docker-nextcloud:a441bbddf4d4f9646490f68e3d4d3065db9bc867
Branches Tags
hoellen/docker-nextcloud:master hoellen/docker-nextcloud:version-32 hoellen/docker-nextcloud:version-31 hoellen/docker-nextcloud:version-30 hoellen/docker-nextcloud:version-29 hoellen/docker-nextcloud:version-28 hoellen/docker-nextcloud:version-27 hoellen/docker-nextcloud:version-26 hoellen/docker-nextcloud:version-25 hoellen/docker-nextcloud:version-24 hoellen/docker-nextcloud:version-23 hoellen/docker-nextcloud:version-22
..
compare: hoellen/docker-nextcloud:version-31
Branches Tags
hoellen/docker-nextcloud:master hoellen/docker-nextcloud:version-32 hoellen/docker-nextcloud:version-31 hoellen/docker-nextcloud:version-30 hoellen/docker-nextcloud:version-29 hoellen/docker-nextcloud:version-28 hoellen/docker-nextcloud:version-27 hoellen/docker-nextcloud:version-26 hoellen/docker-nextcloud:version-25 hoellen/docker-nextcloud:version-24 hoellen/docker-nextcloud:version-23 hoellen/docker-nextcloud:version-22

5 Commits
a441bbddf4 .. version-31

Author SHA1 Message Date
Jan Wagner 3994847aef chore: update Nextcloud to 31.0.14 2026-02-12 17:09:11 +01:00
Jan Wagner db268825c0 chore: update Nextcloud to 31.0.13 2026-01-16 22:29:49 +01:00
Jan Wagner 50c30a97bf chore: update Nextcloud to 31.0.12 2025-12-11 14:13:33 +01:00
Jan Wagner ccb24c5fdc chore: update Nextcloud to 31.0.11 2025-11-20 19:43:51 +01:00
Jan Wagner 5d880cf60e chore: update Nextcloud to 31.0.10 2025-10-23 23:01:50 +02:00
7 changed files with 73 additions and 83 deletions
Expand all files Collapse all files
.github/workflows/build.yml
+13 -27
View File
@@ -8,7 +8,7 @@ on:
- version-* - version-*
schedule: schedule:
# Build the image regularly (each Friday) # Build the image regularly (each Friday)
- cron: "23 04 * * 5" - cron: '23 04 * * 5'
env: env:
REGISTRY: ghcr.io REGISTRY: ghcr.io
@@ -25,7 +25,7 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v6 uses: actions/checkout@v2
- name: Extract version for tags - name: Extract version for tags
run: | run: |
@@ -37,14 +37,16 @@ jobs:
- name: Install cosign - name: Install cosign
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v4.1.1 uses: sigstore/cosign-installer@main
with:
cosign-release: 'v2.2.2'
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4 uses: docker/setup-buildx-action@v1
- name: Login to registry - name: Login to registry
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: docker/login-action@v4 uses: docker/login-action@v1
with: with:
registry: ${{ env.REGISTRY }} registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@@ -52,7 +54,7 @@ jobs:
- name: Set Docker metadata - name: Set Docker metadata
id: meta id: meta
uses: docker/metadata-action@v6 uses: docker/metadata-action@v3
with: with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: | tags: |
@@ -60,28 +62,12 @@ jobs:
${{ env.FULL_VERSION }} ${{ env.FULL_VERSION }}
${{ env.MAJOR_VERSION }} ${{ env.MAJOR_VERSION }}
- name: Build and export Docker image to Docker - name: Build and push Docker image
id: build id: build-and-push
uses: docker/build-push-action@v7 uses: docker/build-push-action@v2
with:
load: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
context: .
- name: Test Docker image
id: test
run: |
docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing && \
sleep 5 && docker exec nextcloud occ status && \
nc -z localhost 8888
- name: Push Docker image
id: push
if: github.event_name != 'pull_request'
uses: docker/build-push-action@v7
with: with:
context: . context: .
push: true push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
@@ -89,4 +75,4 @@ jobs:
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
.github/workflows/scan.yml
+10 -10
View File
@@ -3,7 +3,7 @@ name: scan
on: on:
schedule: schedule:
# Scan the image regularly (once a day) # Scan the image regularly (once a day)
- cron: "45 03 * * *" - cron: '45 03 * * *'
jobs: jobs:
build: build:
@@ -11,19 +11,19 @@ jobs:
runs-on: "ubuntu-24.04" runs-on: "ubuntu-24.04"
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v6 uses: actions/checkout@v2
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.36.0 uses: aquasecurity/trivy-action@master
with: with:
image-ref: "ghcr.io/${{ github.actor }}/nextcloud" image-ref: 'ghcr.io/${{ github.actor }}/nextcloud'
format: "template" format: 'template'
template: "@/contrib/sarif.tpl" template: '@/contrib/sarif.tpl'
output: "trivy-results.sarif" output: 'trivy-results.sarif'
severity: "CRITICAL,HIGH" severity: 'CRITICAL,HIGH'
vuln-type: "os" vuln-type: "os"
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v1
with: with:
sarif_file: "trivy-results.sarif" sarif_file: 'trivy-results.sarif'
Dockerfile
+12 -13
View File
@@ -1,17 +1,17 @@
# -------------- Build-time variables -------------- # -------------- Build-time variables --------------
ARG NEXTCLOUD_VERSION=33.0.3 ARG NEXTCLOUD_VERSION=31.0.14
ARG PHP_VERSION=8.4 ARG PHP_VERSION=8.3
ARG NGINX_VERSION=1.28 ARG NGINX_VERSION=1.28
ARG ALPINE_VERSION=3.23 ARG ALPINE_VERSION=3.21
ARG HARDENED_MALLOC_VERSION=14 ARG HARDENED_MALLOC_VERSION=11
ARG SNUFFLEUPAGUS_VERSION=0.13.0 ARG SNUFFLEUPAGUS_VERSION=0.10.0
ARG UID=1000 ARG UID=1000
ARG GID=1000 ARG GID=1000
# nextcloud-33.0.3.tar.bz2 # nextcloud-31.0.14.tar.bz2
ARG SHA256_SUM="5c1052f860b35aa56b24bc2613a6bea0c22313b9fbd02bb0247c1f0b9dbf77d2" ARG SHA256_SUM="d0965eb2cbf68105743cbbe6eef404c89092cf92c40daee2c9cb9cf6edf63613"
# Nextcloud Security <security@nextcloud.com> (D75899B9A724937A) # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A" ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
@@ -91,16 +91,15 @@ ARG HARDENED_MALLOC_VERSION
ARG CONFIG_NATIVE=false ARG CONFIG_NATIVE=false
ARG VARIANT=light ARG VARIANT=light
RUN apk --no-cache add build-base git openssh && cd /tmp \ RUN apk --no-cache add build-base git gnupg && cd /tmp \
&& wget -q -O - https://github.com/thestinger.keys | while read -r key; do echo "thestinger@github.com $key"; done > allowed_signers \ && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
&& git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers && git init hardened_malloc && cd hardened_malloc \ && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
&& git fetch --depth 1 https://github.com/GrapheneOS/hardened_malloc tag ${HARDENED_MALLOC_VERSION} \ && cd hardened_malloc && git verify-tag $(git describe --tags) \
&& git checkout FETCH_HEAD && git verify-tag $(git describe --tags) \
&& make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT} && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
### Fetch nginx ### Fetch nginx
FROM docker.io/library/nginx:${NGINX_VERSION}-alpine${ALPINE_VERSION} AS nginx FROM docker.io/library/nginx:${NGINX_VERSION}-alpine AS nginx
### Build Nextcloud (production environemnt) ### Build Nextcloud (production environemnt)
README.md
+3 -3
View File
@@ -35,7 +35,7 @@ ___
- Includes **Snuffleupagus**, [a PHP security module](https://github.com/jvoisin/snuffleupagus). - Includes **Snuffleupagus**, [a PHP security module](https://github.com/jvoisin/snuffleupagus).
- Includes a simple **built-in cron** system. - Includes a simple **built-in cron** system.
- Much easier to maintain thanks to multi-stages build. - Much easier to maintain thanks to multi-stages build.
- Includes imagick and smbclient for extended file handling and SMB/CIFS support. - Does not include imagick, samba, etc. by default.
You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs. You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs.
@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
## Tags ## Tags
- `latest` : latest Nextcloud version - `latest` : latest Nextcloud version
- `x` : latest Nextcloud x.x (e.g. `33`) - `x` : latest Nextcloud x.x (e.g. `31`)
- `x.x.x` : Nextcloud x.x.x (e.g. `33.0.0`) - `x.x.x` : Nextcloud x.x.x (e.g. `31.0.0`)
You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud). You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
Only the **latest stable version** will be maintained by myself. Only the **latest stable version** will be maintained by myself.
SECURITY.md
+6 -9
View File
@@ -2,15 +2,13 @@
## Supported versions ## Supported versions
All versions of the Nextcloud community version which still receive updates will be supported All versions of the Nextcloud community version which still receive updates will be supported
and will receive the minor version updates and security patches. and will receive the minor version updates and security patches.
| Version | Supported | | Version | Supported |
| ------- | ----------------------------- | | ------- | ------------------ |
| 33. x | :white_check_mark: | | 31. x | :white_check_mark: |
| 32. x | :white_check_mark: | | 30. x | :white_check_mark: |
| 31. x | :negative_squared_cross_mark: |
| 30. x | :negative_squared_cross_mark: |
| 29. x | :negative_squared_cross_mark: | | 29. x | :negative_squared_cross_mark: |
| 28. x | :negative_squared_cross_mark: | | 28. x | :negative_squared_cross_mark: |
| 27. x | :negative_squared_cross_mark: | | 27. x | :negative_squared_cross_mark: |
@@ -29,10 +27,9 @@ Uploaded images are regularly scanned for [OS vulnerabilities](https://github.co
## Reporting a vulnerability ## Reporting a vulnerability
_Upstream_ vulnerabilities should be reported to _upstream_ projects according to their own security policies. *Upstream* vulnerabilities should be reported to *upstream* projects according to their own security policies.
Regarding vulnerabilities specific to this project: Regarding vulnerabilities specific to this project:
- Faulty configuration files - Faulty configuration files
- Unsafe defaults - Unsafe defaults
- Dependencies security updates - Dependencies security updates
rootfs/etc/nginx/conf.d/default.conf
+28 -21
View File
@@ -1,21 +1,27 @@
map $http_x_forwarded_port $nc_port {
default "$http_x_forwarded_port";
'' "$server_port";
}
map $http_x_forwarded_proto $nc_proto {
default "$http_x_forwarded_proto";
'' "$scheme";
}
server { server {
listen 8888; listen 8888;
listen [::]:8888;
root /nextcloud; root /nextcloud;
# Emit relative redirects (protocol handled by reverse proxy)
absolute_redirect off;
fastcgi_buffers 64 4K; fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
large_client_header_buffers 4 16k; large_client_header_buffers 4 16k;
client_body_timeout 300s;
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always; add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "0" always;
location = /robots.txt { location = /robots.txt {
allow all; allow all;
@@ -24,18 +30,14 @@ server {
} }
location ^~ /.well-known { location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/carddav { return 301 $nc_proto://$host/remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 $nc_proto://$host/remote.php/dav/; }
location ^~ /.well-known { return 301 $nc_proto://$host/index.php$uri; }
return 301 /index.php$request_uri; try_files $uri $uri/ =404;
} }
location / { location / {
rewrite ^ /index.php$request_uri; rewrite ^ /index.php$uri;
}
location /remote {
return 301 /remote.php$request_uri;
} }
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
@@ -46,9 +48,9 @@ server {
return 404; return 404;
} }
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy)\.php(?:$|\/) { location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param modHeadersAvailable true; fastcgi_param modHeadersAvailable true;
@@ -59,20 +61,25 @@ server {
fastcgi_read_timeout 1200; fastcgi_read_timeout 1200;
} }
location ~ ^/(?:updater|ocs-provider)(?:$|/) { location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
try_files $uri/ =404; try_files $uri/ =404;
index index.php; index index.php;
} }
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|ogg|flac|mp4|webm)$ { location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$uri$is_args$args;
expires 6M; expires 6M;
access_log off; access_log off;
} }
location ~ \.(otf|woff2?)$ { location ~ \.(otf|woff2)?$ {
try_files $uri /index.php$request_uri; try_files $uri /index.php$uri$is_args$args;
expires 7d; expires 7d;
access_log off; access_log off;
} }
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$uri$is_args$args;
access_log off;
}
} }
rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini
+1
View File
@@ -1,6 +1,7 @@
zend_extension=opcache.so zend_extension=opcache.so
opcache.enable=1 opcache.enable=1
opcache.enable_cli=1 opcache.enable_cli=1
opcache.fast_shutdown=1
opcache.memory_consumption=<OPCACHE_MEM_SIZE> opcache.memory_consumption=<OPCACHE_MEM_SIZE>
opcache.interned_strings_buffer=16 opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000 opcache.max_accelerated_files=10000