Update Nextcloud to 23.0.12

Much lower memory usage, remains security-focused

.github/workflows/build.yml

@@ -3,10 +3,10 @@ name: build
 on:
   workflow_dispatch:
   push:
-    branches: [ main ]
+    branches: [ version-23 ]
   schedule:
     # Build the image regularly (each Friday)
-    - cron: '13 23 * * 5'
+    - cron: '23 04 * * 5'
 
 jobs:
   build:
@@ -19,25 +19,24 @@ jobs:
       - name: Build an image from Dockerfile
         run: |
           docker build \
-              -t ghcr.io/hoellen/nextcloud \
+              -t ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6) \
-              -t ghcr.io/hoellen/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6) \
+              -t ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2) \
-              -t ghcr.io/hoellen/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2) \
               .
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'ghcr.io/hoellen/nextcloud'
+          image-ref: 'ghcr.io/${{ github.actor }}/nextcloud'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
           vuln-type: "os"
 
-#      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Trivy scan results to GitHub Security tab
-#        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v1
-#        with:
+        with:
-#          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results.sarif'
 
       - name: Login to the registry
         run: >-
@@ -46,6 +45,6 @@ jobs:
 
       - name: Push image to GitHub
         run: |
-          docker push ghcr.io/hoellen/nextcloud
+          docker push ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)
-          docker push ghcr.io/hoellen/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)
+          docker push ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)
-          docker push ghcr.io/hoellen/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)
+

.github/workflows/scan.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'ghcr.io/hoellen/nextcloud'
+          image-ref: 'ghcr.io/${{ github.actor }}/nextcloud'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'

Dockerfile

@@ -1,10 +1,10 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=22.2.3
+ARG NEXTCLOUD_VERSION=23.0.12
 ARG PHP_VERSION=8.0
 ARG NGINX_VERSION=1.20
 
-ARG ALPINE_VERSION=3.14
+ARG ALPINE_VERSION=3.15
-ARG HARDENED_MALLOC_VERSION=8
+ARG HARDENED_MALLOC_VERSION=11
 
 ARG UID=1000
 ARG GID=1000
@@ -28,6 +28,8 @@ RUN apk -U upgrade \
         libzip-dev \
         openldap-dev \
         postgresql-dev \
+        samba-dev \
+        imagemagick-dev \
         zlib-dev \
  && apk --no-cache add \
         freetype \
@@ -38,7 +40,10 @@ RUN apk -U upgrade \
         libpq \
         libwebp \
         libzip \
+        libsmbclient \
         openldap \
+	      libgomp \
+        imagemagick \
         zlib \
  && docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp \
  && docker-php-ext-configure ldap \
@@ -54,9 +59,14 @@ RUN apk -U upgrade \
         pdo_pgsql \
         zip \
         gmp \
+ && pecl install smbclient \
  && pecl install APCu \
  && pecl install redis \
- && echo "extension=redis.so" > /usr/local/etc/php/conf.d/redis.ini \
+ && pecl install imagick \
+ && docker-php-ext-enable \
+        smbclient \
+        redis \
+        imagick \
  && apk del build-deps \
  && rm -rf /var/cache/apk/*
 
@@ -67,12 +77,13 @@ FROM alpine:${ALPINE_VERSION} as build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
+ARG VARIANT=light
 
 RUN apk --no-cache add build-base git gnupg && cd /tmp \
  && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
  && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
  && cd hardened_malloc && git verify-tag $(git describe --tags) \
- && make CONFIG_NATIVE=${CONFIG_NATIVE}
+ && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
 
 
 ### Fetch nginx
@@ -84,7 +95,7 @@ FROM base as nextcloud
 
 COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
 COPY --from=nginx /etc/nginx /etc/nginx
-COPY --from=build-malloc /tmp/hardened_malloc/libhardened_malloc.so /usr/local/lib/
+COPY --from=build-malloc /tmp/hardened_malloc/out-light/libhardened_malloc-light.so /usr/local/lib/
 
 ARG NEXTCLOUD_VERSION
 ARG GPG_nextcloud="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
@@ -100,7 +111,7 @@ ENV UPLOAD_MAX_SIZE=10G \
     CRON_MEMORY_LIMIT=1g \
     DB_TYPE=sqlite3 \
     DOMAIN=localhost \
-    LD_PRELOAD="/usr/local/lib/libhardened_malloc.so /usr/lib/preloadable_libiconv.so"
+    LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so /usr/lib/preloadable_libiconv.so"
 
 RUN apk --no-cache add \
         gnupg \

README.md

@@ -4,7 +4,7 @@
 Nextcloud [official website](https://nextcloud.com/) and [source code](https://github.com/nextcloud).
 
 ## Why this image?
-This non-official image is intended as an **all-in-one** (as in monolithic) Nextcloud **production** image. If you're not sure you want this image, you should probably use [the official image](https://hub.docker.com/r/nextcloud).
+This non-official image is intended as an **all-in-one** (as in monolithic) Nextcloud **production** image. It is based on the [Wondefall/docker-nextcloud](https://github.com/Wonderfall/docker-nextcloud) image. If you're not sure you want this image, you should probably use [the official image](https://hub.docker.com/r/nextcloud).
 
 ## Security
 Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself.

rootfs/etc/nginx/conf.d/default.conf

@@ -30,10 +30,10 @@ server {
             access_log off;
         }
 
-        location /.well-known {
+        location ^~ /.well-known {
-            location = /.well-known/carddav   { return 301 $nc_proto://$host:$nc_port/remote.php/dav; }
+            location = /.well-known/carddav   { return 301 $nc_proto://$host/remote.php/dav; }
-            location = /.well-known/caldav    { return 301 $nc_proto://$host:$nc_port/remote.php/dav; }
+            location = /.well-known/caldav    { return 301 $nc_proto://$host/remote.php/dav; }
-            location ^~ /.well-known          { return 301 $nc_proto://$host:$nc_port/index.php$uri; }
+            location ^~ /.well-known          { return 301 $nc_proto://$host/index.php$uri;  }
             try_files $uri $uri/ =404;
         }
 

rootfs/usr/local/bin/setup.sh

@@ -55,6 +55,12 @@ cat >> /nextcloud/config/autoconfig.php <<EOF;
 ?>
 EOF
 
+until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
+do
+    echo "waiting for the database container..."
+    sleep 1
+done
+
 echo "Starting automatic configuration..."
 # Execute setup
 (cd /nextcloud; php index.php &>/dev/null)