2 Commits

waja
d3c19a637b Merge 35725bd4eb into dec3a7f789 2023-12-29 14:38:09 +13:00
Jan Wagner
35725bd4eb Enhance branch workflow
Allow running CI pipelines on version-branches and still (only) tag latest on
master branch
2023-12-16 15:10:45 +01:00
8 changed files with 43 additions and 66 deletions


@@ -29,17 +29,20 @@ jobs:
- name: Extract version for tags - name: Extract version for tags
run: | run: |
if [[ "$GITHUB_REF" == refs/heads/* ]]; then
BRANCH="${GITHUB_REF#refs/heads/}" BRANCH="${GITHUB_REF#refs/heads/}"
VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile) if [ "$BRANCH" = "master" ]; then
[ "$BRANCH" = "master" ] && echo "BRANCH_VERSION=latest" >> $GITHUB_ENV echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
echo "FULL_VERSION=${VERSION:0:7}" >> $GITHUB_ENV fi
echo "MAJOR_VERSION=${VERSION:0:2}" >> $GITHUB_ENV fi
echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
- name: Install cosign - name: Install cosign
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v2.2.2' cosign-release: 'v1.13.1'
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
@@ -62,28 +65,12 @@ jobs:
${{ env.FULL_VERSION }} ${{ env.FULL_VERSION }}
${{ env.MAJOR_VERSION }} ${{ env.MAJOR_VERSION }}
- name: Build and export Docker image to Docker - name: Build and push Docker image
id: build id: build-and-push
uses: docker/build-push-action@v2
with:
load: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
context: .
- name: Test Docker image
id: test
run: |
docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing && \
docker exec nextcloud occ status && \
nc -z localhost 8888
- name: Push Docker image
id: push
if: github.event_name != 'pull_request'
uses: docker/build-push-action@v2 uses: docker/build-push-action@v2
with: with:
context: . context: .
push: true push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
@@ -91,4 +78,4 @@ jobs:
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }} run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
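Review bot: The `Install cosign` step pulls the signing toolchain from `sigstore/cosign-installer@main`, a floating branch reference, and the `cosign sign` step at the end of this section then signs the pushed image with the job's OIDC identity, so any change to that branch runs with that token before the signature is produced. Pin the installer (and `docker/build-push-action`, `docker/setup-buildx-action`, which sit on old major tags) to a full commit SHA with the release noted in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha> # vX.Y.Z`. Separately, `FULL_VERSION` is cut to a fixed width — `head -c6` on one side, `${VERSION:0:7}` on the other — so a three-digit patch release such as 28.0.10 would be tagged `28.0.1` by the `head -c6` variant and the other only moves the cliff; use the whole captured value instead: `echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | tr -d '[:space:]')" >> "$GITHUB_ENV"`. The rendering does not mark which column is the merged side, so which cosign release (v1.13.1 without `--yes` or v2.2.2 with it) and whether the separate `Test Docker image` step survives cannot be confirmed from here.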


@@ -8,7 +8,7 @@ on:
jobs: jobs:
build: build:
name: Scan current image & report results name: Scan current image & report results
runs-on: "ubuntu-24.04" runs-on: "ubuntu-20.04"
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v2


@@ -1,24 +1,24 @@
# -------------- Build-time variables -------------- # -------------- Build-time variables --------------
ARG NEXTCLOUD_VERSION=32.0.5 ARG NEXTCLOUD_VERSION=28.0.1
ARG PHP_VERSION=8.3 ARG PHP_VERSION=8.2
ARG NGINX_VERSION=1.28 ARG NGINX_VERSION=1.24
ARG ALPINE_VERSION=3.21 ARG ALPINE_VERSION=3.18
ARG HARDENED_MALLOC_VERSION=11 ARG HARDENED_MALLOC_VERSION=11
ARG SNUFFLEUPAGUS_VERSION=0.10.0 ARG SNUFFLEUPAGUS_VERSION=0.10.0
ARG UID=1000 ARG UID=1000
ARG GID=1000 ARG GID=1000
# nextcloud-32.0.5.tar.bz2 # nextcloud-28.0.1.tar.bz2
ARG SHA256_SUM="8dd0bc8f8e2d262edad11197d4a07af799b51fe872ee2d9259ffa19b43e543ad" ARG SHA256_SUM="2f80735b443082272fe6a3b5e32137957f1fc448c75342b94b5200b29725f3a4"
# Nextcloud Security <security@nextcloud.com> (D75899B9A724937A) # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A" ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
# --------------------------------------------------- # ---------------------------------------------------
### Build PHP base ### Build PHP base
FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} AS base FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
ARG SNUFFLEUPAGUS_VERSION ARG SNUFFLEUPAGUS_VERSION
@@ -43,7 +43,6 @@ RUN apk -U upgrade \
gmp \ gmp \
icu \ icu \
libjpeg-turbo \ libjpeg-turbo \
librsvg \
libpq \ libpq \
libpq \ libpq \
libwebp \ libwebp \
@@ -85,7 +84,7 @@ RUN apk -U upgrade \
### Build Hardened Malloc ### Build Hardened Malloc
ARG ALPINE_VERSION ARG ALPINE_VERSION
FROM docker.io/library/alpine:${ALPINE_VERSION} AS build-malloc FROM alpine:${ALPINE_VERSION} as build-malloc
ARG HARDENED_MALLOC_VERSION ARG HARDENED_MALLOC_VERSION
ARG CONFIG_NATIVE=false ARG CONFIG_NATIVE=false
@@ -99,11 +98,11 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
### Fetch nginx ### Fetch nginx
FROM docker.io/library/nginx:${NGINX_VERSION}-alpine AS nginx FROM nginx:${NGINX_VERSION}-alpine as nginx
### Build Nextcloud (production environemnt) ### Build Nextcloud (production environemnt)
FROM base AS nextcloud FROM base as nextcloud
COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
COPY --from=nginx /etc/nginx /etc/nginx COPY --from=nginx /etc/nginx /etc/nginx
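Review bot: Every `FROM` line in this section (php, alpine, nginx) selects its base image by tag only, so the build inherits whatever those tags point at on the day it runs, in contrast to the `SHA256_SUM` and `GPG_FINGERPRINT` ARGs declared for the Nextcloud tarball (how those are checked is outside these hunks). Pin each base with a digest alongside the tag, e.g. `FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION}@sha256:<digest> AS base`, and refresh the digests together with the version ARGs. The two columns are four major releases apart (Nextcloud 28.0.1 / PHP 8.2 / Alpine 3.18 / nginx 1.24 versus 32.0.5 / 8.3 / 3.21 / 1.28); if the 28.0.1 column is the side being merged, this would land component versions that the other column's SECURITY.md table in this same diff marks as unsupported, so confirm the merge direction before taking it.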


@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
## Tags ## Tags
- `latest` : latest Nextcloud version - `latest` : latest Nextcloud version
- `x` : latest Nextcloud x.x (e.g. `32`) - `x` : latest Nextcloud x.x (e.g. `28`)
- `x.x.x` : Nextcloud x.x.x (e.g. `32.0.0`) - `x.x.x` : Nextcloud x.x.x (e.g. `28.0.0`)
You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud). You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
Only the **latest stable version** will be maintained by myself. Only the **latest stable version** will be maintained by myself.


@@ -6,14 +6,10 @@ All versions of the Nextcloud community version which still receive updates will
and will receive the minor version updates and security patches. and will receive the minor version updates and security patches.
| Version | Supported | | Version | Supported |
| ------- | ----------------------------- | | ------- | ------------------ |
| 32. x | :white_check_mark: | | 28. x | :white_check_mark: |
| 31. x | :white_check_mark: | | 27. x | :white_check_mark: |
| 30. x | :negative_squared_cross_mark: | | 26. x | :white_check_mark: |
| 29. x | :negative_squared_cross_mark: |
| 28. x | :negative_squared_cross_mark: |
| 27. x | :negative_squared_cross_mark: |
| 26. x | :negative_squared_cross_mark: |
| 25. x | :negative_squared_cross_mark: | | 25. x | :negative_squared_cross_mark: |
| 24. x | :negative_squared_cross_mark: | | 24. x | :negative_squared_cross_mark: |
| 23. x | :negative_squared_cross_mark: | | 23. x | :negative_squared_cross_mark: |
@@ -28,10 +24,9 @@ Uploaded images are regularly scanned for [OS vulnerabilities](https://github.co
## Reporting a vulnerability ## Reporting a vulnerability
_Upstream_ vulnerabilities should be reported to _upstream_ projects according to their own security policies. *Upstream* vulnerabilities should be reported to *upstream* projects according to their own security policies.
Regarding vulnerabilities specific to this project: Regarding vulnerabilities specific to this project:
- Faulty configuration files - Faulty configuration files
- Unsafe defaults - Unsafe defaults
- Dependencies security updates - Dependencies security updates


@@ -18,6 +18,7 @@ server {
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always; add_header X-Robots-Tag "noindex, nofollow" always;
@@ -30,8 +31,8 @@ server {
} }
location ^~ /.well-known { location ^~ /.well-known {
location = /.well-known/carddav { return 301 $nc_proto://$host/remote.php/dav/; } location = /.well-known/carddav { return 301 $nc_proto://$host/remote.php/dav; }
location = /.well-known/caldav { return 301 $nc_proto://$host/remote.php/dav/; } location = /.well-known/caldav { return 301 $nc_proto://$host/remote.php/dav; }
location ^~ /.well-known { return 301 $nc_proto://$host/index.php$uri; } location ^~ /.well-known { return 301 $nc_proto://$host/index.php$uri; }
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
@@ -66,19 +67,19 @@ server {
index index.php; index index.php;
} }
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { location ~ \.(?:css|js|svg|gif|map)$ {
try_files $uri /index.php$uri$is_args$args; try_files $uri /index.php$uri$is_args$args;
expires 6M; expires 6M;
access_log off; access_log off;
} }
location ~ \.(otf|woff2)?$ { location ~ \.woff2?$ {
try_files $uri /index.php$uri$is_args$args; try_files $uri /index.php$uri$is_args$args;
expires 7d; expires 7d;
access_log off; access_log off;
} }
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$uri$is_args$args; try_files $uri /index.php$uri$is_args$args;
access_log off; access_log off;
} }
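Review bot: The `/.well-known/carddav` and `/.well-known/caldav` redirects build their target from `$host`, which nginx takes from the client's Host header; if this `server` block is the default or catch-all (its `server_name` is outside the hunk), a request with a forged Host yields a 301 to an attacker-chosen origin. A relative redirect avoids that entirely and matches what recent upstream Nextcloud nginx examples use: `location = /.well-known/carddav { return 301 /remote.php/dav/; }` and likewise for caldav. The `^~ /.well-known` fallback one line below has the same shape and can become `return 301 /index.php$uri;`. The enclosing `server` block starts and ends outside the hunk.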


@@ -9,11 +9,6 @@ events {
http { http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
# Add .mjs as a file extension for javascript
# https://github.com/nextcloud/server/pull/36057
types {
application/javascript mjs;
}
default_type application/octet-stream; default_type application/octet-stream;
access_log /nginx/logs/access.log combined; access_log /nginx/logs/access.log combined;
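Review bot: The `types { application/javascript mjs; }` block is what gives `.mjs` module files a JavaScript content type; on whichever side lacks it they fall through to `default_type application/octet-stream`, and because the site config in this same diff sends `X-Content-Type-Options "nosniff"`, browsers will refuse to execute them as modules. Keep this mapping in lockstep with the `mjs` entry in the static-file `location` regex of the site config: if the merged side keeps `mjs` there, keep this block; if `.mjs` support is meant to go, remove it from both files in the same commit. The enclosing `http` block continues outside the hunk.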


@@ -34,4 +34,4 @@ else
fi fi
# Run processes # Run processes
exec /usr/bin/s6-svscan /etc/s6.d exec /bin/s6-svscan /etc/s6.d