hoellen/docker-nextcloud
1
0
Fork 0
mirror of https://github.com/hoellen/docker-nextcloud.git synced 2025-07-01 07:36:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hoellen:version-30
Branches Tags
hoellen:master hoellen:version-30 hoellen:version-29 hoellen:version-28 hoellen:version-27 hoellen:version-26 hoellen:version-25 hoellen:version-24 hoellen:version-23 hoellen:version-22
..
compare: hoellen:version-24
Branches Tags
hoellen:master hoellen:version-30 hoellen:version-29 hoellen:version-28 hoellen:version-27 hoellen:version-26 hoellen:version-25 hoellen:version-24 hoellen:version-23 hoellen:version-22

8 Commits
version-30 ... version-24

Author SHA1 Message Date
hoellen
dd188059ab chore: update Nextcloud and Alpine Linux 2023-04-20 09:41:13 +02:00
hoellen
055b1f5723 chore: update Nextcloud to 24.0.11 2023-03-27 18:45:15 +02:00
hoellen
7726c3f386 Update Nextcloud 24.0.10 2023-02-23 21:19:17 +01:00
hoellen
5906c3ea91 Update Nextcloud to 24.0.9 2023-01-17 10:41:46 +01:00
hoellen
89f2aacb32 Update Nextcloud to 24.0.8 2022-12-08 15:27:39 +01:00
hoellen
1365e7a046 update cosign 2022-11-03 18:43:32 +01:00
Jan Wagner
49d7a7a469 Update to 24.0.7 2022-11-03 18:35:14 +01:00
hoellen
183fb4b9df Create new version branch 2022-10-18 17:02:37 +02:00
9 changed files with 42 additions and 73 deletions
Expand all files Collapse all files

16
.github/workflows/build.yml vendored
View File

@ -3,9 +3,7 @@ name: build
on:
workflow_dispatch:
push:
branches:
- master
- version-*
branches: [ version-24 ]
schedule:
# Build the image regularly (each Friday)
- cron: '23 04 * * 5'
@ -29,17 +27,14 @@ jobs:
- name: Extract version for tags
run: |
BRANCH="${GITHUB_REF#refs/heads/}"
VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile)
[ "$BRANCH" = "master" ] && echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
echo "FULL_VERSION=${VERSION:0:7}" >> $GITHUB_ENV
echo "MAJOR_VERSION=${VERSION:0:2}" >> $GITHUB_ENV
echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v2.2.2'
cosign-release: 'v1.13.1'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
@ -58,7 +53,6 @@ jobs:
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
${{ env.BRANCH_VERSION }}
${{ env.FULL_VERSION }}
${{ env.MAJOR_VERSION }}
@ -75,4 +69,4 @@ jobs:
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

28
Dockerfile
View File

@ -1,29 +1,27 @@
# -------------- Build-time variables --------------
ARG NEXTCLOUD_VERSION=30.0.12
ARG PHP_VERSION=8.3
ARG NGINX_VERSION=1.26
ARG NEXTCLOUD_VERSION=24.0.12
ARG PHP_VERSION=8.1
ARG NGINX_VERSION=1.22
ARG ALPINE_VERSION=3.21
ARG ALPINE_VERSION=3.17
ARG HARDENED_MALLOC_VERSION=11
ARG SNUFFLEUPAGUS_VERSION=0.10.0
ARG SNUFFLEUPAGUS_VERSION=0.8.3
ARG UID=1000
ARG GID=1000
# nextcloud-30.0.12.tar.bz2
ARG SHA256_SUM="9e19b25f42273d4361218426b4762a766bee408cfa6aa8219f8c27f72095a7a8"
# nextcloud-24.0.12.tar.bz2
ARG SHA256_SUM="2f093bdf7d34faf38d22f38a5e11f3aee32746ff4add3df17c790b9b36390836"
# Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
# ---------------------------------------------------
### Build PHP base
FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
ARG SNUFFLEUPAGUS_VERSION
ENV IMAGICK_SHA 28f27044e435a2b203e32675e942eb8de620ee58
RUN apk -U upgrade \
&& apk add -t build-deps \
$PHPIZE_DEPS \
@ -45,7 +43,6 @@ RUN apk -U upgrade \
gmp \
icu \
libjpeg-turbo \
librsvg \
libpq \
libpq \
libwebp \
@ -61,21 +58,18 @@ RUN apk -U upgrade \
bcmath \
exif \
gd \
bz2 \
intl \
ldap \
opcache \
pcntl \
pdo_mysql \
pdo_pgsql \
sysvsem \
zip \
gmp \
&& pecl install smbclient \
&& pecl install APCu \
&& pecl install redis \
&& curl -L -o /tmp/imagick.tar.gz https://github.com/Imagick/imagick/archive/${IMAGICK_SHA}.tar.gz && tar --strip-components=1 -xf /tmp/imagick.tar.gz && phpize && ./configure && make && make install \
&& apk add --no-cache --virtual .imagick-runtime-deps imagemagick \
&& pecl install imagick \
&& docker-php-ext-enable \
smbclient \
redis \
@ -88,7 +82,7 @@ RUN apk -U upgrade \
### Build Hardened Malloc
ARG ALPINE_VERSION
FROM docker.io/library/alpine:${ALPINE_VERSION} as build-malloc
FROM alpine:${ALPINE_VERSION} as build-malloc
ARG HARDENED_MALLOC_VERSION
ARG CONFIG_NATIVE=false
@ -102,7 +96,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
### Fetch nginx
FROM docker.io/library/nginx:${NGINX_VERSION}-alpine as nginx
FROM nginx:${NGINX_VERSION}-alpine as nginx
### Build Nextcloud (production environemnt)

6
README.md
View File

@ -46,7 +46,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to
- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability.
- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.
- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.
- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:
```
@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
## Tags
- `latest` : latest Nextcloud version
- `x` : latest Nextcloud x.x (e.g. `30`)
- `x.x.x` : Nextcloud x.x.x (e.g. `30.0.0`)
- `x` : latest Nextcloud x.x (e.g. `24`)
- `x.x.x` : Nextcloud x.x.x (e.g. `24.0.0`)
You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
Only the **latest stable version** will be maintained by myself.

13
SECURITY.md
View File

@ -7,18 +7,11 @@ and will receive the minor version updates and security patches.
| Version | Supported |
| ------- | ------------------ |
| 30. x | :white_check_mark: |
| 29. x | :white_check_mark: |
| 28. x | :white_check_mark: |
| 27. x | :negative_squared_cross_mark: |
| 26. x | :negative_squared_cross_mark: |
| 25. x | :negative_squared_cross_mark: |
| 24. x | :negative_squared_cross_mark: |
| 23. x | :negative_squared_cross_mark: |
| 22. x | :negative_squared_cross_mark: |
| 24. x | :white_check_mark: |
| 23. x | :white_check_mark: |
| 22. x | :white_check_mark: |
Please update to the latest version available. Major migrations are always tested before being pushed.
An up-to-date list of the currently maintained Nextcloud versions can also be found in the [Nextcloud Repository Wiki](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule).
## Automated vulnerability scanning

15
rootfs/etc/nginx/conf.d/default.conf
View File

@ -18,9 +18,10 @@ server {
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "0" always;
location = /robots.txt {
@ -30,8 +31,8 @@ server {
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 $nc_proto://$host/remote.php/dav/; }
location = /.well-known/caldav { return 301 $nc_proto://$host/remote.php/dav/; }
location = /.well-known/carddav { return 301 $nc_proto://$host/remote.php/dav; }
location = /.well-known/caldav { return 301 $nc_proto://$host/remote.php/dav; }
location ^~ /.well-known { return 301 $nc_proto://$host/index.php$uri; }
try_files $uri $uri/ =404;
}
@ -48,7 +49,7 @@ server {
return 404;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@ -61,18 +62,18 @@ server {
fastcgi_read_timeout 1200;
}
location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
location ~ \.(?:css|js|svg|gif|map)$ {
try_files $uri /index.php$uri$is_args$args;
expires 6M;
access_log off;
}
location ~ \.(otf|woff2)?$ {
location ~ \.woff2?$ {
try_files $uri /index.php$uri$is_args$args;
expires 7d;
access_log off;

5
rootfs/etc/nginx/nginx.conf
View File

@ -9,11 +9,6 @@ events {
http {
include /etc/nginx/mime.types;
# Add .mjs as a file extension for javascript
# https://github.com/nextcloud/server/pull/36057
types {
application/javascript mjs;
}
default_type application/octet-stream;
access_log /nginx/logs/access.log combined;

12
rootfs/usr/local/bin/run.sh
View File

@ -15,16 +15,6 @@ if [ "$PHP_HARDENING" == "true" ] && [ ! -f /usr/local/etc/php/conf.d/snuffleupa
cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d
fi
# Check if database is available
if [ -n "${DB_TYPE}" ] && [ "${DB_TYPE}" != "sqlite3" ]; then
DB_PORT=${DB_PORT:-$( [ "${DB_TYPE}" = "pgsql" ] && echo 5432 || echo 3306 )}
until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT}"
do
echo "waiting for the database container..."
sleep 1
done
fi
# If new install, run setup
if [ ! -f /nextcloud/config/config.php ]; then
touch /nextcloud/config/CAN_INSTALL
@ -34,4 +24,4 @@ else
fi
# Run processes
exec /usr/bin/s6-svscan /etc/s6.d
exec /bin/s6-svscan /etc/s6.d

8
rootfs/usr/local/bin/setup.sh
View File

@ -55,6 +55,14 @@ cat >> /nextcloud/config/autoconfig.php <<EOF;
?>
EOF
if [ ${DB_TYPE} != "sqlite3" ]; then
until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
do
echo "waiting for the database container..."
sleep 1
done
fi
echo "Starting automatic configuration..."
# Execute setup
(cd /nextcloud; php index.php &>/dev/null)

12
rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
View File

@ -8,7 +8,7 @@
sp.harden_random.enable();
# Disabled XXE
#sp.xxe_protection.enable();
sp.xxe_protection.enable();
# Global configuration variables
# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
@ -34,22 +34,16 @@ sp.sloppy_comparison.enable();
# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
sp.cookie.name("PHPSESSID").samesite("lax");
# Nextcloud whitelist (tested with Nextcloud 27.0.1)
# Nextcloud whitelist (tested with Nextcloud 24.0.0)
sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/public/Util.php").allow();
sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename("/nextcloud/lib/base.php").allow();
sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
sp.disable_function.function("ini_get").param("option").value_r("suhosin").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/apps2/twofactor_webauthn/vendor/symfony/process/ExecutableFinder.php").allow();
sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/symfony/process/ExecutableFinder.php").allow();
sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow();
# Nextcloud inherently enables XXE-Protection since 27.0.1, therefore, drop setting a new external entity loader
sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow();
sp.disable_function.function("libxml_set_external_entity_loader").drop();
# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
sp.disable_function.function("chmod").param("permissions").value("438").drop();