feat: listen on IPv6 address

fix: cicd race condition
chore: update nginx config with upstream documentation
2026-06-01 14:00:28 +00:00 · 2026-05-01 00:32:49 +02:00 · 2026-04-30 23:41:21 +02:00 · 2026-04-30 23:41:17 +02:00 · 2026-04-30 22:45:24 +02:00 · 2026-04-30 22:45:24 +02:00
6 changed files with 44 additions and 54 deletions
@@ -8,7 +8,7 @@ on:
      - version-*
  schedule:
    # Build the image regularly (each Friday)
-    - cron: '23 04 * * 5'
+    - cron: "23 04 * * 5"

 env:
  REGISTRY: ghcr.io
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6

      - name: Extract version for tags
        run: |
@@ -37,16 +37,14 @@ jobs:

      - name: Install cosign
        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: 'v2.2.2'
+        uses: sigstore/cosign-installer@v4.1.1

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v4

      - name: Login to registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
@@ -54,7 +52,7 @@ jobs:

      - name: Set Docker metadata
        id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -64,7 +62,7 @@ jobs:

      - name: Build and export Docker image to Docker
        id: build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v7
        with:
          load: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
@@ -74,13 +72,13 @@ jobs:
        id: test
        run: |
          docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing && \
-          docker exec nextcloud occ status && \
+          sleep 5 && docker exec nextcloud occ status && \
          nc -z localhost 8888

      - name: Push Docker image
        id: push
        if: github.event_name != 'pull_request'
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v7
        with:
          context: .
          push: true
@@ -3,7 +3,7 @@ name: scan
 on:
  schedule:
    # Scan the image regularly (once a day)
-    - cron: '45 03 * * *'
+    - cron: "45 03 * * *"

 jobs:
  build:
@@ -11,19 +11,19 @@ jobs:
    runs-on: "ubuntu-24.04"
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v6

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.36.0
        with:
-          image-ref: 'ghcr.io/${{ github.actor }}/nextcloud'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          image-ref: "ghcr.io/${{ github.actor }}/nextcloud"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
          vuln-type: "os"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v3
        with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
@@ -1,5 +1,5 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=33.0.2
+ARG NEXTCLOUD_VERSION=33.0.3
 ARG PHP_VERSION=8.4
 ARG NGINX_VERSION=1.28

@@ -10,8 +10,8 @@ ARG SNUFFLEUPAGUS_VERSION=0.13.0
 ARG UID=1000
 ARG GID=1000

-# nextcloud-33.0.2.tar.bz2
-ARG SHA256_SUM="91257ab5002d5d09da8d09d80389983330351c5c00a7e3a25b177bcea81171cc"
+# nextcloud-33.0.3.tar.bz2
+ARG SHA256_SUM="5c1052f860b35aa56b24bc2613a6bea0c22313b9fbd02bb0247c1f0b9dbf77d2"

 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
@@ -35,7 +35,7 @@ ___
 - Includes **Snuffleupagus**, [a PHP security module](https://github.com/jvoisin/snuffleupagus).
 - Includes a simple **built-in cron** system.
 - Much easier to maintain thanks to multi-stages build.
- Does not include imagick, samba, etc. by default.
+- Includes imagick and smbclient for extended file handling and SMB/CIFS support.

 You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs.

@@ -1,27 +1,21 @@
-map $http_x_forwarded_port $nc_port {
-  default "$http_x_forwarded_port";
-  ''      "$server_port";
-}
-
-map $http_x_forwarded_proto $nc_proto {
-  default "$http_x_forwarded_proto";
-  ''      "$scheme";
-}
-
 server {
        listen 8888;
+        listen [::]:8888;
        root /nextcloud;

+        # Emit relative redirects (protocol handled by reverse proxy)
+        absolute_redirect off;
+
        fastcgi_buffers 64 4K;
        fastcgi_hide_header X-Powered-By;
        large_client_header_buffers 4 16k;
+        client_body_timeout 300s;

        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "noindex, nofollow" always;
-        add_header X-XSS-Protection "0" always;

        location = /robots.txt {
            allow all;
@@ -30,14 +24,18 @@ server {
        }

        location ^~ /.well-known {
-            location = /.well-known/carddav   { return 301 $nc_proto://$host/remote.php/dav/; }
-            location = /.well-known/caldav    { return 301 $nc_proto://$host/remote.php/dav/; }
-            location ^~ /.well-known          { return 301 $nc_proto://$host/index.php$uri;  }
-            try_files $uri $uri/ =404;
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            return 301 /index.php$request_uri;
        }

        location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php$request_uri;
+        }
+
+        location /remote {
+            return 301 /remote.php$request_uri;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
@@ -48,9 +46,9 @@ server {
            return 404;
        }

-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy)\.php(?:$|\/) {
            include /etc/nginx/fastcgi_params;
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param modHeadersAvailable true;
@@ -61,25 +59,20 @@ server {
            fastcgi_read_timeout 1200;
        }

-        location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
+        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
        }

-        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|ogg|flac|mp4|webm)$ {
+            try_files $uri /index.php$request_uri;
            expires 6M;
            access_log off;
        }

-        location ~ \.(otf|woff2)?$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(otf|woff2?)$ {
+            try_files $uri /index.php$request_uri;
            expires 7d;
            access_log off;
        }
-
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
-            try_files $uri /index.php$uri$is_args$args;
-            access_log off;
-        }
 }
@@ -1,7 +1,6 @@
 zend_extension=opcache.so
 opcache.enable=1
 opcache.enable_cli=1
-opcache.fast_shutdown=1
 opcache.memory_consumption=<OPCACHE_MEM_SIZE>
 opcache.interned_strings_buffer=16
 opcache.max_accelerated_files=10000
Author	SHA1	Message	Date
hoellen	a441bbddf4	feat: listen on IPv6 address	2026-05-01 00:32:49 +02:00
hoellen	936b72737d	fix: cicd race condition	2026-04-30 23:41:21 +02:00
hoellen	debf69d30c	chore: update nginx config with upstream documentation	2026-04-30 23:41:17 +02:00
hoellen	0be740bcae	chore: cleanup option removed from old PHP version	2026-04-30 22:45:24 +02:00
hoellen	2e11f73a89	chore: update README	2026-04-30 22:45:24 +02:00
hoellen	f607c77556	chore: update cicd packages	2026-04-30 22:45:19 +02:00
Jan Wagner	2bf6716730	chore: update Nextcloud to 33.0.3	2026-04-30 21:48:32 +02:00