Merge pull request #2216 from nextcloud/fix/readme-help

fix(README): Point help seekers to forum first

.config/apps.config.php

@@ -1,15 +1,15 @@
 <?php
 $CONFIG = array (
-  "apps_paths" => array (
+  'apps_paths' => array (
       0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
+              'path'     => OC::$SERVERROOT.'/apps',
+              'url'      => '/apps',
+              'writable' => false,
       ),
       1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
+              'path'     => OC::$SERVERROOT.'/custom_apps',
+              'url'      => '/custom_apps',
+              'writable' => true,
       ),
   ),
 );

.config/autoconfig.php

@@ -3,29 +3,39 @@
 $autoconfig_enabled = false;
 
 if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
+    $AUTOCONFIG['dbtype'] = 'sqlite';
+    $AUTOCONFIG['dbname'] = getenv('SQLITE_DATABASE');
+    $autoconfig_enabled = true;
+} elseif (getenv('MYSQL_DATABASE_FILE') && getenv('MYSQL_USER_FILE') && getenv('MYSQL_PASSWORD_FILE') && getenv('MYSQL_HOST')) {
+    $AUTOCONFIG['dbtype'] = 'mysql';
+    $AUTOCONFIG['dbname'] = trim(file_get_contents(getenv('MYSQL_DATABASE_FILE')));
+    $AUTOCONFIG['dbuser'] = trim(file_get_contents(getenv('MYSQL_USER_FILE')));
+    $AUTOCONFIG['dbpass'] = trim(file_get_contents(getenv('MYSQL_PASSWORD_FILE')));
+    $AUTOCONFIG['dbhost'] = getenv('MYSQL_HOST');
     $autoconfig_enabled = true;
 } elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
+    $AUTOCONFIG['dbtype'] = 'mysql';
+    $AUTOCONFIG['dbname'] = getenv('MYSQL_DATABASE');
+    $AUTOCONFIG['dbuser'] = getenv('MYSQL_USER');
+    $AUTOCONFIG['dbpass'] = getenv('MYSQL_PASSWORD');
+    $AUTOCONFIG['dbhost'] = getenv('MYSQL_HOST');
+    $autoconfig_enabled = true;
+} elseif (getenv('POSTGRES_DB_FILE') && getenv('POSTGRES_USER_FILE') && getenv('POSTGRES_PASSWORD_FILE') && getenv('POSTGRES_HOST')) {
+    $AUTOCONFIG['dbtype'] = 'pgsql';
+    $AUTOCONFIG['dbname'] = trim(file_get_contents(getenv('POSTGRES_DB_FILE')));
+    $AUTOCONFIG['dbuser'] = trim(file_get_contents(getenv('POSTGRES_USER_FILE')));
+    $AUTOCONFIG['dbpass'] = trim(file_get_contents(getenv('POSTGRES_PASSWORD_FILE')));
+    $AUTOCONFIG['dbhost'] = getenv('POSTGRES_HOST');
     $autoconfig_enabled = true;
 } elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
+    $AUTOCONFIG['dbtype'] = 'pgsql';
+    $AUTOCONFIG['dbname'] = getenv('POSTGRES_DB');
+    $AUTOCONFIG['dbuser'] = getenv('POSTGRES_USER');
+    $AUTOCONFIG['dbpass'] = getenv('POSTGRES_PASSWORD');
+    $AUTOCONFIG['dbhost'] = getenv('POSTGRES_HOST');
     $autoconfig_enabled = true;
 }
 
 if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
+    $AUTOCONFIG['directory'] = getenv('NEXTCLOUD_DATA_DIR') ?: '/var/www/html/data';
 }

.config/redis.config.php

@@ -1,11 +1,11 @@
 <?php
 if (getenv('REDIS_HOST')) {
-  $CONFIG = array (
+  $CONFIG = array(
     'memcache.distributed' => '\OC\Memcache\Redis',
     'memcache.locking' => '\OC\Memcache\Redis',
     'redis' => array(
       'host' => getenv('REDIS_HOST'),
-      'password' => getenv('REDIS_HOST_PASSWORD'),
+      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
     ),
   );
 

.config/reverse-proxy.config.php

@@ -9,6 +9,11 @@ if ($overwriteProtocol) {
   $CONFIG['overwriteprotocol'] = $overwriteProtocol;
 }
 
+$overwriteCliUrl = getenv('OVERWRITECLIURL');
+if ($overwriteCliUrl) {
+  $CONFIG['overwrite.cli.url'] = $overwriteCliUrl;
+}
+
 $overwriteWebRoot = getenv('OVERWRITEWEBROOT');
 if ($overwriteWebRoot) {
   $CONFIG['overwritewebroot'] = $overwriteWebRoot;

.config/s3.config.php

@@ -0,0 +1,48 @@
+<?php
+if (getenv('OBJECTSTORE_S3_BUCKET')) {
+  $use_ssl = getenv('OBJECTSTORE_S3_SSL');
+  $use_path = getenv('OBJECTSTORE_S3_USEPATH_STYLE');
+  $use_legacyauth = getenv('OBJECTSTORE_S3_LEGACYAUTH');
+  $autocreate = getenv('OBJECTSTORE_S3_AUTOCREATE');
+  $CONFIG = array(
+    'objectstore' => array(
+      'class' => '\OC\Files\ObjectStore\S3',
+      'arguments' => array(
+        'bucket' => getenv('OBJECTSTORE_S3_BUCKET'),
+        'region' => getenv('OBJECTSTORE_S3_REGION') ?: '',
+        'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '',
+        'port' => getenv('OBJECTSTORE_S3_PORT') ?: '',
+        'storageClass' => getenv('OBJECTSTORE_S3_STORAGE_CLASS') ?: '',
+        'objectPrefix' => getenv("OBJECTSTORE_S3_OBJECT_PREFIX") ? getenv("OBJECTSTORE_S3_OBJECT_PREFIX") : "urn:oid:",
+        'autocreate' => (strtolower($autocreate) === 'false' || $autocreate == false) ? false : true,
+        'use_ssl' => (strtolower($use_ssl) === 'false' || $use_ssl == false) ? false : true,
+        // required for some non Amazon S3 implementations
+        'use_path_style' => $use_path == true && strtolower($use_path) !== 'false',
+        // required for older protocol versions
+        'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false'
+      )
+    )
+  );
+
+  if (getenv('OBJECTSTORE_S3_KEY_FILE') && file_exists(getenv('OBJECTSTORE_S3_KEY_FILE'))) {
+    $CONFIG['objectstore']['arguments']['key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_KEY_FILE')));
+  } elseif (getenv('OBJECTSTORE_S3_KEY')) {
+    $CONFIG['objectstore']['arguments']['key'] = getenv('OBJECTSTORE_S3_KEY');
+  } else {
+    $CONFIG['objectstore']['arguments']['key'] = '';
+  }
+
+  if (getenv('OBJECTSTORE_S3_SECRET_FILE') && file_exists(getenv('OBJECTSTORE_S3_SECRET_FILE'))) {
+    $CONFIG['objectstore']['arguments']['secret'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SECRET_FILE')));
+  } elseif (getenv('OBJECTSTORE_S3_SECRET')) {
+    $CONFIG['objectstore']['arguments']['secret'] = getenv('OBJECTSTORE_S3_SECRET');
+  } else {
+    $CONFIG['objectstore']['arguments']['secret'] = '';
+  }
+
+  if (getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE') && file_exists(getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE'))) {
+    $CONFIG['objectstore']['arguments']['sse_c_key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE')));
+  } elseif (getenv('OBJECTSTORE_S3_SSE_C_KEY')) {
+    $CONFIG['objectstore']['arguments']['sse_c_key'] = getenv('OBJECTSTORE_S3_SSE_C_KEY');
+  }
+}

.config/smtp.config.php

@@ -5,11 +5,18 @@ if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN'))
     'mail_smtphost' => getenv('SMTP_HOST'),
     'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
     'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
-    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauth' => getenv('SMTP_NAME') && (getenv('SMTP_PASSWORD') || (getenv('SMTP_PASSWORD_FILE') && file_exists(getenv('SMTP_PASSWORD_FILE')))),
     'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
     'mail_smtpname' => getenv('SMTP_NAME') ?: '',
-    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
     'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
     'mail_domain' => getenv('MAIL_DOMAIN'),
   );
+
+  if (getenv('SMTP_PASSWORD_FILE') && file_exists(getenv('SMTP_PASSWORD_FILE'))) {
+      $CONFIG['mail_smtppassword'] = trim(file_get_contents(getenv('SMTP_PASSWORD_FILE')));
+  } elseif (getenv('SMTP_PASSWORD')) {
+      $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD');
+  } else {
+      $CONFIG['mail_smtppassword'] = '';
+  }
 }

.config/swift.config.php

@@ -0,0 +1,31 @@
+<?php
+if (getenv('OBJECTSTORE_SWIFT_URL')) {
+    $autocreate = getenv('OBJECTSTORE_SWIFT_AUTOCREATE');
+  $CONFIG = array(
+    'objectstore' => [
+      'class' => 'OC\\Files\\ObjectStore\\Swift',
+      'arguments' => [
+        'autocreate' => $autocreate == true && strtolower($autocreate) !== 'false',
+        'user' => [
+          'name' => getenv('OBJECTSTORE_SWIFT_USER_NAME'),
+          'password' => getenv('OBJECTSTORE_SWIFT_USER_PASSWORD'),
+          'domain' => [
+            'name' => (getenv('OBJECTSTORE_SWIFT_USER_DOMAIN')) ?: 'Default',
+          ],
+        ],
+        'scope' => [
+          'project' => [
+            'name' => getenv('OBJECTSTORE_SWIFT_PROJECT_NAME'),
+            'domain' => [
+              'name' => (getenv('OBJECTSTORE_SWIFT_PROJECT_DOMAIN')) ?: 'Default',
+            ],
+          ],
+        ],
+        'serviceName' => (getenv('OBJECTSTORE_SWIFT_SERVICE_NAME')) ?: 'swift',
+        'region' => getenv('OBJECTSTORE_SWIFT_REGION'),
+        'url' => getenv('OBJECTSTORE_SWIFT_URL'),
+        'bucket' => getenv('OBJECTSTORE_SWIFT_CONTAINER_NAME'),
+      ]
+    ]
+  );
+}

.config/upgrade-disable-web.config.php

@@ -0,0 +1,4 @@
+<?php
+$CONFIG = array (
+  'upgrade.disable-web' => true,
+);

.examples/README.md

@@ -18,14 +18,17 @@ Example | Description
 [smb](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/smb) | adds dependencies required to use smb shares
 [full](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/full) | adds dependencies for ALL optional packages and cron functionality via supervisor (as in the `cron` example Dockerfile).
 
+### cron
+NOTE: [this container must run as root or `cron.php` will not run](https://github.com/nextcloud/docker/issues/1899).
+
 ### full
-The `full` Dockerfile example adds dependencies for all optional packages suggested by nextcloud that may be needed for some features (e.g. Video Preview Generation), as stated in the [Administration Manual](https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html).
+The `full` Dockerfile example adds dependencies for all optional packages suggested by nextcloud that may be needed for some features (e.g. Video Preview Generation), as stated in the [Administration Manual](https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html).
 
 NOTE: The Dockerfile does not install the LibreOffice package (line is commented), because it would increase the generated Image size by approximately 500 MB. In order to install it, simply uncomment the appropriate line in the Dockerfile.
 
-NOTE: Per default, only previews for BMP, GIF, JPEG, MarkDown, MP3, PNG, TXT, and XBitmap Files are generated. The configuration of the preview generation can be done in config.php, as explained in the [Administration Manual](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/config_sample_php_parameters.html#previews)
+NOTE: Per default, only previews for BMP, GIF, JPEG, MarkDown, MP3, PNG, TXT, and XBitmap Files are generated. The configuration of the preview generation can be done in config.php, as explained in the [Administration Manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#previews)
 
-NOTE: Nextcloud recommends [disabling preview generation](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html?highlight=enabledpreviewproviders#disable-preview-image-generation) for high security deployments, as preview generation opens your nextcloud instance to new possible attack vectors.
+NOTE: Nextcloud recommends [disabling preview generation](https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#disable-preview-image-generation) for high security deployments, as preview generation opens your nextcloud instance to new possible attack vectors.
 
 The required steps for each optional/recommended package that is not already in the Nextcloud image are listed here, so that the Dockerfile can easily be modified to only install the needed extra packages. Simply remove the steps for the unwanted packages from the Dockerfile.
 
@@ -68,7 +71,7 @@ The following Dockerfile commands are also necessary for a sucessfull cron insta
 In `docker-compose` additional services are bundled to create a complete nextcloud installation. The examples are designed to run out-of-the-box.
 Before running the examples you have to modify the `db.env` and `docker-compose.yml` file and fill in your custom information.
 
-The docker-compose examples make heavily use of dereived Dockerfiles to add configuration files into the containers. This way they should also work on remote docker systems as _Docker for Windows_. When running docker-compose on the same host as the docker daemon, another possibility would be to simply mount the files in the volumes section in the `docker-compose.yml` file.
+The docker-compose examples make heavily use of derived Dockerfiles to add configuration files into the containers. This way they should also work on remote docker systems as _Docker for Windows_. When running docker-compose on the same host as the docker daemon, another possibility would be to simply mount the files in the volumes section in the `docker-compose.yml` file.
 
 
 ### insecure
@@ -91,7 +94,7 @@ If you want to update your installation to a newer version of nextcloud, repeat
 The nginx proxy adds a proxy layer between nextcloud and the internet. The proxy is designed to serve multiple sites on the same host machine.
 
 The advantage in adding this layer is the ability to add a container for [Let's Encrypt](https://letsencrypt.org/) certificate handling.
-This combination of the [jwilder/nginx-proxy](https://github.com/jwilder/nginx-proxy) and [jrcs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) containers creates a fully automated https encryption of the nextcloud installation without worrying about certificate generation, validation or renewal.
+This combination of the [nginxproxy/nginx-proxy](https://github.com/nginx-proxy/nginx-proxy) and [nginxproxy/acme-companion](https://github.com/nginx-proxy/acme-companion) containers creates a fully automated https encryption of the nextcloud installation without worrying about certificate generation, validation or renewal.
 
 **This setup only works with a valid domain name on a server that is reachable from the internet.**
 

.examples/docker-compose/insecure/mariadb-cron-redis/apache/db.env

@@ -1,3 +0,0 @@
-MYSQL_PASSWORD=
-MYSQL_DATABASE=nextcloud
-MYSQL_USER=nextcloud

.examples/docker-compose/insecure/mariadb-cron-redis/apache/docker-compose.yml

@@ -1,47 +0,0 @@
-version: '3'
-
-services:
-  db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
-    restart: always
-    volumes:
-      - db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=
-    env_file:
-      - db.env
-
-  redis:
-    image: redis:alpine
-    restart: always
-
-  app:
-    image: nextcloud:apache
-    restart: always
-    ports:
-      - 8080:80
-    volumes:
-      - nextcloud:/var/www/html
-    environment:
-      - MYSQL_HOST=db
-      - REDIS_HOST=redis
-    env_file:
-      - db.env
-    depends_on:
-      - db
-      - redis
-
-  cron:
-    image: nextcloud:apache
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    entrypoint: /cron.sh
-    depends_on:
-      - db
-      - redis
-
-volumes:
-  db:
-  nextcloud:

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/db.env

@@ -1,3 +0,0 @@
-MYSQL_PASSWORD=
-MYSQL_DATABASE=nextcloud
-MYSQL_USER=nextcloud

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/docker-compose.yml

@@ -1,55 +0,0 @@
-version: '3'
-
-services:
-  db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
-    restart: always
-    volumes:
-      - db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=
-    env_file:
-      - db.env
-
-  redis:
-    image: redis:alpine
-    restart: always
-
-  app:
-    image: nextcloud:fpm-alpine
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    environment:
-      - MYSQL_HOST=db
-      - REDIS_HOST=redis
-    env_file:
-      - db.env
-    depends_on:
-      - db
-      - redis
-
-  web:
-    build: ./web
-    restart: always
-    ports:
-      - 8080:80
-    volumes:
-      - nextcloud:/var/www/html:ro
-    depends_on:
-      - app
-
-  cron:
-    image: nextcloud:fpm-alpine
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    entrypoint: /cron.sh
-    depends_on:
-      - db
-      - redis
-
-volumes:
-  db:
-  nextcloud:

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/web/Dockerfile

@@ -1,3 +0,0 @@
-FROM nginx:alpine
-
-COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/web/nginx.conf

@@ -1,168 +0,0 @@
-worker_processes auto;
-
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    upstream php-handler {
-        server app:9000;
-    }
-
-    server {
-        listen 80;
-
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
-        # WARNING: Only add the preload option once you read about
-        # the consequences in https://hstspreload.org/. This option
-        # will add the domain to a hardcoded list that is shipped
-        # in all major browsers and getting removed from this list
-        # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
-        fastcgi_buffers 64 4K;
-
-        # Enable gzip but do not remove ETag headers
-        gzip on;
-        gzip_vary on;
-        gzip_comp_level 4;
-        gzip_min_length 256;
-        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
-        #pagespeed off;
-
-        location / {
-            rewrite ^ /index.php;
-        }
-
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
-        }
-
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-            set $path_info $fastcgi_path_info;
-            try_files $fastcgi_script_name =404;
-            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
-
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
-            fastcgi_pass php-handler;
-            fastcgi_intercept_errors on;
-            fastcgi_request_buffering off;
-        }
-
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
-            try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
-            access_log off;
-        }
-
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
-            try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
-        }
-    }
-}

.examples/docker-compose/insecure/mariadb/apache/docker-compose.yml

@@ -2,29 +2,47 @@ version: '3'
 
 services:
   db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    image: mariadb:10.6
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
     restart: always
     volumes:
-      - db:/var/lib/mysql
+      - db:/var/lib/mysql:Z
     environment:
       - MYSQL_ROOT_PASSWORD=
+      - MARIADB_AUTO_UPGRADE=1
+      - MARIADB_DISABLE_UPGRADE_BACKUP=1
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:apache
     restart: always
     ports:
-      - 8080:80
+      - 127.0.0.1:8080:80
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
+
+  cron:
+    image: nextcloud:apache
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
 
 volumes:
   db:

.examples/docker-compose/insecure/mariadb/fpm/docker-compose.yml

@@ -2,38 +2,56 @@ version: '3'
 
 services:
   db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    image: mariadb:10.6
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
     restart: always
     volumes:
-      - db:/var/lib/mysql
+      - db:/var/lib/mysql:Z
     environment:
       - MYSQL_ROOT_PASSWORD=
+      - MARIADB_AUTO_UPGRADE=1
+      - MARIADB_DISABLE_UPGRADE_BACKUP=1
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:fpm-alpine
     restart: always
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
 
   web:
     build: ./web
     restart: always
     ports:
-      - 8080:80
+      - 127.0.0.1:8080:80
     volumes:
-      - nextcloud:/var/www/html:ro
+      - nextcloud:/var/www/html:z,ro
     depends_on:
       - app
 
+  cron:
+    image: nextcloud:fpm-alpine
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
 volumes:
   db:
   nextcloud:

.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf

@@ -10,7 +10,7 @@ events {
 
 
 http {
-    include       /etc/nginx/mime.types;
+    include mime.types;
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -22,8 +22,17 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
     keepalive_timeout  65;
 
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+    default "immutable";
+    }
+
     #gzip  on;
 
     upstream php-handler {
@@ -33,136 +42,164 @@ http {
     server {
         listen 80;
 
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
+        # HSTS settings
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
         fastcgi_buffers 64 4K;
 
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
         # Enable gzip but do not remove ETag headers
         gzip on;
         gzip_vary on;
         gzip_comp_level 4;
         gzip_min_length 256;
         gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
         #pagespeed off;
 
-        location / {
-            rewrite ^ /index.php;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
         }
 
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
+
             try_files $fastcgi_script_name =404;
+
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
+            #fastcgi_param HTTPS on;
 
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
             fastcgi_pass php-handler;
+
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
         }
 
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        # Javascript mimetype fixes for nginx
+        # Note: The block below should be removed, and the js|mjs section should be
+        # added to the block below this one. This is a temporary fix until Nginx 
+        # upstream fixes the js mime-type
+        location ~* \.(?:js|mjs)$ {
+            types { 
+                text/javascript js mjs;
+            } 
+            default_type "text/javascript";
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        # Serve static files
+        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
         }
     }
 }

.examples/docker-compose/insecure/postgres/apache/docker-compose.yml

@@ -5,23 +5,39 @@ services:
     image: postgres:alpine
     restart: always
     volumes:
-      - db:/var/lib/postgresql/data
+      - db:/var/lib/postgresql/data:Z
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:apache
     restart: always
     ports:
-      - 8080:80
+      - 127.0.0.1:8080:80
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - POSTGRES_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
+
+  cron:
+    image: nextcloud:apache
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
 
 volumes:
   db:

.examples/docker-compose/insecure/postgres/fpm/docker-compose.yml

@@ -5,32 +5,48 @@ services:
     image: postgres:alpine
     restart: always
     volumes:
-      - db:/var/lib/postgresql/data
+      - db:/var/lib/postgresql/data:z
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:fpm-alpine
     restart: always
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - POSTGRES_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
 
   web:
     build: ./web
     restart: always
     ports:
-      - 8080:80
+      - 127.0.0.1:8080:80
     volumes:
-      - nextcloud:/var/www/html:ro
+      - nextcloud:/var/www/html:z,ro
     depends_on:
       - app
 
+  cron:
+    image: nextcloud:fpm-alpine
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
 volumes:
   db:
   nextcloud:

.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf

@@ -10,7 +10,7 @@ events {
 
 
 http {
-    include       /etc/nginx/mime.types;
+    include mime.types;
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -22,8 +22,17 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
     keepalive_timeout  65;
 
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+    default "immutable";
+    }
+
     #gzip  on;
 
     upstream php-handler {
@@ -33,136 +42,163 @@ http {
     server {
         listen 80;
 
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
+        # HSTS settings
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
         fastcgi_buffers 64 4K;
 
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
         # Enable gzip but do not remove ETag headers
         gzip on;
         gzip_vary on;
         gzip_comp_level 4;
         gzip_min_length 256;
         gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
         #pagespeed off;
 
-        location / {
-            rewrite ^ /index.php;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
         }
 
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
+
             try_files $fastcgi_script_name =404;
+
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
+            #fastcgi_param HTTPS on;
 
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
             fastcgi_pass php-handler;
+
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
         }
 
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        # Javascript mimetype fixes for nginx
+        # Note: The block below should be removed, and the js|mjs section should be
+        # added to the block below this one. This is a temporary fix until Nginx 
+        # upstream fixes the js mime-type
+        location ~* \.(?:js|mjs)$ {
+            types { 
+                text/javascript js mjs;
+            } 
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        # Serve static files
+        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
         }
     }
 }

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/db.env

@@ -1,3 +0,0 @@
-MYSQL_PASSWORD=
-MYSQL_DATABASE=nextcloud
-MYSQL_USER=nextcloud

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/docker-compose.yml

@@ -1,78 +0,0 @@
-version: '3'
-
-services:
-  db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
-    restart: always
-    volumes:
-      - db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=
-    env_file:
-      - db.env
-
-  app:
-    image: nextcloud:fpm-alpine
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    environment:
-      - MYSQL_HOST=db
-    env_file:
-      - db.env
-    depends_on:
-      - db
-
-  web:
-    build: ./web
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html:ro
-    environment:
-      - VIRTUAL_HOST=
-    depends_on:
-      - app
-    networks:
-      - proxy-tier
-      - default
-
-  proxy:
-    build: ./proxy
-    restart: always
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
-    networks:
-      - proxy-tier
-    depends_on:
-      - omgwtfssl
-
-  omgwtfssl:
-    image: paulczar/omgwtfssl
-    restart: "no"
-    volumes:
-      - certs:/certs
-    environment:
-      - SSL_SUBJECT=servhostname.local
-      - CA_SUBJECT=my@example.com
-      - SSL_KEY=/certs/servhostname.local.key
-      - SSL_CSR=/certs/servhostname.local.csr
-      - SSL_CERT=/certs/servhostname.local.crt
-    networks:
-      - proxy-tier
-
-volumes:
-  db:
-  nextcloud:
-  certs:
-  vhost.d:
-  html:
-
-networks:
-  proxy-tier:

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/proxy/Dockerfile

@@ -1,3 +0,0 @@
-FROM jwilder/nginx-proxy:alpine
-
-COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/proxy/uploadsize.conf

@@ -1,2 +0,0 @@
-client_max_body_size 10G;
-proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/web/Dockerfile

@@ -1,3 +0,0 @@
-FROM nginx:alpine
-
-COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/web/nginx.conf

@@ -1,173 +0,0 @@
-worker_processes auto;
-
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    set_real_ip_from  10.0.0.0/8;
-    set_real_ip_from  172.16.0.0/12;
-    set_real_ip_from  192.168.0.0/16;
-    real_ip_header    X-Real-IP;
-
-    #gzip  on;
-
-    upstream php-handler {
-        server app:9000;
-    }
-
-    server {
-        listen 80;
-
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
-        # WARNING: Only add the preload option once you read about
-        # the consequences in https://hstspreload.org/. This option
-        # will add the domain to a hardcoded list that is shipped
-        # in all major browsers and getting removed from this list
-        # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
-        fastcgi_buffers 64 4K;
-
-        # Enable gzip but do not remove ETag headers
-        gzip on;
-        gzip_vary on;
-        gzip_comp_level 4;
-        gzip_min_length 256;
-        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
-        #pagespeed off;
-
-        location / {
-            rewrite ^ /index.php;
-        }
-
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
-        }
-
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-            set $path_info $fastcgi_path_info;
-            try_files $fastcgi_script_name =404;
-            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
-
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
-            fastcgi_pass php-handler;
-            fastcgi_intercept_errors on;
-            fastcgi_request_buffering off;
-        }
-
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
-            try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
-            access_log off;
-        }
-
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
-            try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
-        }
-    }
-}

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/db.env

@@ -1,3 +0,0 @@
-MYSQL_PASSWORD=
-MYSQL_DATABASE=nextcloud
-MYSQL_USER=nextcloud

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/docker-compose.yml

@@ -1,86 +0,0 @@
-version: '3'
-
-services:
-  db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
-    restart: always
-    volumes:
-      - db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=
-    env_file:
-      - db.env
-
-  redis:
-    image: redis:alpine
-    restart: always
-
-  app:
-    image: nextcloud:apache
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    environment:
-      - VIRTUAL_HOST=
-      - LETSENCRYPT_HOST=
-      - LETSENCRYPT_EMAIL=
-      - MYSQL_HOST=db
-      - REDIS_HOST=redis
-    env_file:
-      - db.env
-    depends_on:
-      - db
-      - redis
-    networks:
-      - proxy-tier
-      - default
-
-  cron:
-    image: nextcloud:apache
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    entrypoint: /cron.sh
-    depends_on:
-      - db
-      - redis
-
-  proxy:
-    build: ./proxy
-    restart: always
-    ports:
-      - 80:80
-      - 443:443
-    labels:
-      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
-    volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
-    networks:
-      - proxy-tier
-
-  letsencrypt-companion:
-    image: jrcs/letsencrypt-nginx-proxy-companion
-    restart: always
-    volumes:
-      - certs:/etc/nginx/certs
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - proxy-tier
-    depends_on:
-      - proxy
-
-volumes:
-  db:
-  nextcloud:
-  certs:
-  vhost.d:
-  html:
-
-networks:
-  proxy-tier:

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/proxy/Dockerfile

@@ -1,3 +0,0 @@
-FROM jwilder/nginx-proxy:alpine
-
-COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/proxy/uploadsize.conf

@@ -1,2 +0,0 @@
-client_max_body_size 10G;
-proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/db.env

@@ -1,3 +0,0 @@
-MYSQL_PASSWORD=
-MYSQL_DATABASE=nextcloud
-MYSQL_USER=nextcloud

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/docker-compose.yml

@@ -1,95 +0,0 @@
-version: '3'
-
-services:
-  db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
-    restart: always
-    volumes:
-      - db:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD=
-    env_file:
-      - db.env
-
-  redis:
-    image: redis:alpine
-    restart: always
-
-  app:
-    image: nextcloud:fpm-alpine
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    environment:
-      - MYSQL_HOST=db
-      - REDIS_HOST=redis
-    env_file:
-      - db.env
-    depends_on:
-      - db
-      - redis
-
-  web:
-    build: ./web
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html:ro
-    environment:
-      - VIRTUAL_HOST=
-      - LETSENCRYPT_HOST=
-      - LETSENCRYPT_EMAIL=
-    depends_on:
-      - app
-    networks:
-      - proxy-tier
-      - default
-
-  cron:
-    image: nextcloud:fpm-alpine
-    restart: always
-    volumes:
-      - nextcloud:/var/www/html
-    entrypoint: /cron.sh
-    depends_on:
-      - db
-      - redis
-
-  proxy:
-    build: ./proxy
-    restart: always
-    ports:
-      - 80:80
-      - 443:443
-    labels:
-      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
-    volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
-    networks:
-      - proxy-tier
-
-  letsencrypt-companion:
-    image: jrcs/letsencrypt-nginx-proxy-companion
-    restart: always
-    volumes:
-      - certs:/etc/nginx/certs
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    networks:
-      - proxy-tier
-    depends_on:
-      - proxy
-
-volumes:
-  db:
-  nextcloud:
-  certs:
-  vhost.d:
-  html:
-
-networks:
-  proxy-tier:

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/proxy/Dockerfile

@@ -1,3 +0,0 @@
-FROM jwilder/nginx-proxy:alpine
-
-COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/proxy/uploadsize.conf

@@ -1,2 +0,0 @@
-client_max_body_size 10G;
-proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/web/Dockerfile

@@ -1,3 +0,0 @@
-FROM nginx:alpine
-
-COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/web/nginx.conf

@@ -1,173 +0,0 @@
-worker_processes auto;
-
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    set_real_ip_from  10.0.0.0/8;
-    set_real_ip_from  172.16.0.0/12;
-    set_real_ip_from  192.168.0.0/16;
-    real_ip_header    X-Real-IP;
-
-    #gzip  on;
-
-    upstream php-handler {
-        server app:9000;
-    }
-
-    server {
-        listen 80;
-
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
-        # WARNING: Only add the preload option once you read about
-        # the consequences in https://hstspreload.org/. This option
-        # will add the domain to a hardcoded list that is shipped
-        # in all major browsers and getting removed from this list
-        # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
-        fastcgi_buffers 64 4K;
-
-        # Enable gzip but do not remove ETag headers
-        gzip on;
-        gzip_vary on;
-        gzip_comp_level 4;
-        gzip_min_length 256;
-        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
-        #pagespeed off;
-
-        location / {
-            rewrite ^ /index.php;
-        }
-
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
-        }
-
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-            set $path_info $fastcgi_path_info;
-            try_files $fastcgi_script_name =404;
-            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
-
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
-            fastcgi_pass php-handler;
-            fastcgi_intercept_errors on;
-            fastcgi_request_buffering off;
-        }
-
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
-            try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
-            access_log off;
-        }
-
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
-            try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
-        }
-    }
-}

.examples/docker-compose/with-nginx-proxy/mariadb/apache/docker-compose.yml

@@ -2,34 +2,52 @@ version: '3'
 
 services:
   db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    image: mariadb:10.6
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
     restart: always
     volumes:
-      - db:/var/lib/mysql
+      - db:/var/lib/mysql:Z
     environment:
       - MYSQL_ROOT_PASSWORD=
+      - MARIADB_AUTO_UPGRADE=1
+      - MARIADB_DISABLE_UPGRADE_BACKUP=1
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:apache
     restart: always
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - VIRTUAL_HOST=
       - LETSENCRYPT_HOST=
       - LETSENCRYPT_EMAIL=
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
     networks:
       - proxy-tier
       - default
 
+  cron:
+    image: nextcloud:apache
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
   proxy:
     build: ./proxy
     restart: always
@@ -39,30 +57,47 @@ services:
     labels:
       com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
     volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/etc/nginx/certs:z,ro
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/tmp/docker.sock:z,ro
     networks:
       - proxy-tier
 
   letsencrypt-companion:
-    image: jrcs/letsencrypt-nginx-proxy-companion
+    image: nginxproxy/acme-companion
     restart: always
     volumes:
-      - certs:/etc/nginx/certs
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - certs:/etc/nginx/certs:z
+      - acme:/etc/acme.sh:z
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/var/run/docker.sock:z,ro
     networks:
       - proxy-tier
     depends_on:
       - proxy
 
+# self signed
+#  omgwtfssl:
+#    image: paulczar/omgwtfssl
+#    restart: "no"
+#    volumes:
+#      - certs:/certs
+#    environment:
+#      - SSL_SUBJECT=servhostname.local
+#      - CA_SUBJECT=my@example.com
+#      - SSL_KEY=/certs/servhostname.local.key
+#      - SSL_CSR=/certs/servhostname.local.csr
+#      - SSL_CERT=/certs/servhostname.local.crt
+#    networks:
+#      - proxy-tier
+
 volumes:
   db:
   nextcloud:
   certs:
+  acme:
   vhost.d:
   html:
 

.examples/docker-compose/with-nginx-proxy/mariadb/apache/proxy/Dockerfile

@@ -1,3 +1,3 @@
-FROM jwilder/nginx-proxy:alpine
+FROM nginxproxy/nginx-proxy:alpine
 
 COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml

@@ -2,33 +2,41 @@ version: '3'
 
 services:
   db:
-    image: mariadb
-    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    image: mariadb:10.6
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
     restart: always
     volumes:
-      - db:/var/lib/mysql
+      - db:/var/lib/mysql:Z
     environment:
       - MYSQL_ROOT_PASSWORD=
+      - MARIADB_AUTO_UPGRADE=1
+      - MARIADB_DISABLE_UPGRADE_BACKUP=1
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:fpm-alpine
     restart: always
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
 
   web:
     build: ./web
     restart: always
     volumes:
-      - nextcloud:/var/www/html:ro
+      - nextcloud:/var/www/html:z,ro
     environment:
       - VIRTUAL_HOST=
       - LETSENCRYPT_HOST=
@@ -39,6 +47,16 @@ services:
       - proxy-tier
       - default
 
+  cron:
+    image: nextcloud:fpm-alpine
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
   proxy:
     build: ./proxy
     restart: always
@@ -48,30 +66,47 @@ services:
     labels:
       com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
     volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/etc/nginx/certs:z,ro
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/tmp/docker.sock:z,ro
     networks:
       - proxy-tier
 
   letsencrypt-companion:
-    image: jrcs/letsencrypt-nginx-proxy-companion
+    image: nginxproxy/acme-companion
     restart: always
     volumes:
-      - certs:/etc/nginx/certs
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - certs:/etc/nginx/certs:z
+      - acme:/etc/acme.sh:z
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/var/run/docker.sock:z,ro
     networks:
       - proxy-tier
     depends_on:
       - proxy
 
+# self signed
+#  omgwtfssl:
+#    image: paulczar/omgwtfssl
+#    restart: "no"
+#    volumes:
+#      - certs:/certs
+#    environment:
+#      - SSL_SUBJECT=servhostname.local
+#      - CA_SUBJECT=my@example.com
+#      - SSL_KEY=/certs/servhostname.local.key
+#      - SSL_CSR=/certs/servhostname.local.csr
+#      - SSL_CERT=/certs/servhostname.local.crt
+#    networks:
+#      - proxy-tier
+
 volumes:
   db:
   nextcloud:
   certs:
+  acme:
   vhost.d:
   html:
 

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/proxy/Dockerfile

@@ -1,3 +1,3 @@
-FROM jwilder/nginx-proxy:alpine
+FROM nginxproxy/nginx-proxy:alpine
 
 COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf

@@ -10,7 +10,7 @@ events {
 
 
 http {
-    include       /etc/nginx/mime.types;
+    include mime.types;
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -22,12 +22,16 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
     keepalive_timeout  65;
 
-    set_real_ip_from  10.0.0.0/8;
-    set_real_ip_from  172.16.0.0/12;
-    set_real_ip_from  192.168.0.0/16;
-    real_ip_header    X-Real-IP;
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+    default "immutable";
+    }
 
     #gzip  on;
 
@@ -38,136 +42,163 @@ http {
     server {
         listen 80;
 
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
+        # HSTS settings
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
         fastcgi_buffers 64 4K;
 
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
         # Enable gzip but do not remove ETag headers
         gzip on;
         gzip_vary on;
         gzip_comp_level 4;
         gzip_min_length 256;
         gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
         #pagespeed off;
 
-        location / {
-            rewrite ^ /index.php;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
         }
 
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
+
             try_files $fastcgi_script_name =404;
+
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
+            fastcgi_param HTTPS on;
 
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
             fastcgi_pass php-handler;
+
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
         }
 
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        # Javascript mimetype fixes for nginx
+        # Note: The block below should be removed, and the js|mjs section should be
+        # added to the block below this one. This is a temporary fix until Nginx 
+        # upstream fixes the js mime-type
+        location ~* \.(?:js|mjs)$ {
+            types { 
+                text/javascript js mjs;
+            } 
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        # Serve static files
+        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
         }
     }
 }

.examples/docker-compose/with-nginx-proxy/postgres/apache/docker-compose.yml

@@ -5,28 +5,44 @@ services:
     image: postgres:alpine
     restart: always
     volumes:
-      - db:/var/lib/postgresql/data
+      - db:/var/lib/postgresql/data:Z
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:apache
     restart: always
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - VIRTUAL_HOST=
       - LETSENCRYPT_HOST=
       - LETSENCRYPT_EMAIL=
       - POSTGRES_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
     networks:
       - proxy-tier
       - default
 
+  cron:
+    image: nextcloud:apache
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
   proxy:
     build: ./proxy
     restart: always
@@ -36,30 +52,47 @@ services:
     labels:
       com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
     volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/etc/nginx/certs:z,ro
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/tmp/docker.sock:z,ro
     networks:
       - proxy-tier
 
   letsencrypt-companion:
-    image: jrcs/letsencrypt-nginx-proxy-companion
+    image: nginxproxy/acme-companion
     restart: always
     volumes:
-      - certs:/etc/nginx/certs
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - certs:/etc/nginx/certs:z
+      - acme:/etc/acme.sh:z
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/var/run/docker.sock:z,ro
     networks:
       - proxy-tier
     depends_on:
       - proxy
 
+# self signed
+#  omgwtfssl:
+#    image: paulczar/omgwtfssl
+#    restart: "no"
+#    volumes:
+#      - certs:/certs
+#    environment:
+#      - SSL_SUBJECT=servhostname.local
+#      - CA_SUBJECT=my@example.com
+#      - SSL_KEY=/certs/servhostname.local.key
+#      - SSL_CSR=/certs/servhostname.local.csr
+#      - SSL_CERT=/certs/servhostname.local.crt
+#    networks:
+#      - proxy-tier
+
 volumes:
   db:
   nextcloud:
   certs:
+  acme:
   vhost.d:
   html:
 

.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/Dockerfile

@@ -1,3 +1,3 @@
-FROM jwilder/nginx-proxy:alpine
+FROM nginxproxy/nginx-proxy:alpine
 
 COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy/postgres/fpm/docker-compose.yml

@@ -5,27 +5,33 @@ services:
     image: postgres:alpine
     restart: always
     volumes:
-      - db:/var/lib/postgresql/data
+      - db:/var/lib/postgresql/data:Z
     env_file:
       - db.env
 
+  redis:
+    image: redis:alpine
+    restart: always
+
   app:
     image: nextcloud:fpm-alpine
     restart: always
     volumes:
-      - nextcloud:/var/www/html
+      - nextcloud:/var/www/html:z
     environment:
       - POSTGRES_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
       - db
+      - redis
 
   web:
     build: ./web
     restart: always
     volumes:
-      - nextcloud:/var/www/html:ro
+      - nextcloud:/var/www/html:z,ro
     environment:
       - VIRTUAL_HOST=
       - LETSENCRYPT_HOST=
@@ -36,6 +42,16 @@ services:
       - proxy-tier
       - default
 
+  cron:
+    image: nextcloud:fpm-alpine
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:z
+    entrypoint: /cron.sh
+    depends_on:
+      - db
+      - redis
+
   proxy:
     build: ./proxy
     restart: always
@@ -45,30 +61,47 @@ services:
     labels:
       com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
     volumes:
-      - certs:/etc/nginx/certs:ro
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/etc/nginx/certs:z,ro
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/tmp/docker.sock:z,ro
     networks:
       - proxy-tier
 
   letsencrypt-companion:
-    image: jrcs/letsencrypt-nginx-proxy-companion
+    image: nginxproxy/acme-companion
     restart: always
     volumes:
-      - certs:/etc/nginx/certs
-      - vhost.d:/etc/nginx/vhost.d
-      - html:/usr/share/nginx/html
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - certs:/etc/nginx/certs:z
+      - acme:/etc/acme.sh:z
+      - vhost.d:/etc/nginx/vhost.d:z
+      - html:/usr/share/nginx/html:z
+      - /var/run/docker.sock:/var/run/docker.sock:z,ro
     networks:
       - proxy-tier
     depends_on:
       - proxy
 
+# self signed
+#  omgwtfssl:
+#    image: paulczar/omgwtfssl
+#    restart: "no"
+#    volumes:
+#      - certs:/certs
+#    environment:
+#      - SSL_SUBJECT=servhostname.local
+#      - CA_SUBJECT=my@example.com
+#      - SSL_KEY=/certs/servhostname.local.key
+#      - SSL_CSR=/certs/servhostname.local.csr
+#      - SSL_CERT=/certs/servhostname.local.crt
+#    networks:
+#      - proxy-tier
+
 volumes:
   db:
   nextcloud:
   certs:
+  acme:
   vhost.d:
   html:
 

.examples/docker-compose/with-nginx-proxy/postgres/fpm/proxy/Dockerfile

@@ -1,3 +1,3 @@
-FROM jwilder/nginx-proxy:alpine
+FROM nginxproxy/nginx-proxy:alpine
 
 COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf

@@ -10,7 +10,7 @@ events {
 
 
 http {
-    include       /etc/nginx/mime.types;
+    include mime.types;
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -22,12 +22,16 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
     keepalive_timeout  65;
 
-    set_real_ip_from  10.0.0.0/8;
-    set_real_ip_from  172.16.0.0/12;
-    set_real_ip_from  192.168.0.0/16;
-    real_ip_header    X-Real-IP;
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $asset_immutable {
+        "" "";
+    default "immutable";
+    }
 
     #gzip  on;
 
@@ -38,136 +42,163 @@ http {
     server {
         listen 80;
 
-        # Add headers to serve security related headers
-        # Before enabling Strict-Transport-Security headers please read into this
-        # topic first.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-        #
+        # HSTS settings
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header Referrer-Policy "no-referrer" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
-        add_header X-XSS-Protection "1; mode=block" always;
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # The following 2 rules are only needed for the user_webfinger app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-        # The following rule is only needed for the Social app.
-        # Uncomment it if you're planning to use this app.
-        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
-        location = /.well-known/carddav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        location = /.well-known/caldav {
-            return 301 $scheme://$host:$server_port/remote.php/dav;
-        }
-
-        # set max upload size
-        client_max_body_size 10G;
+        # set max upload size and increase upload timeout:
+        client_max_body_size 512M;
+        client_body_timeout 300s;
         fastcgi_buffers 64 4K;
 
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+
         # Enable gzip but do not remove ETag headers
         gzip on;
         gzip_vary on;
         gzip_comp_level 4;
         gzip_min_length 256;
         gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-        # Uncomment if your server is build with the ngx_pagespeed module
-        # This module is currently not supported.
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
         #pagespeed off;
 
-        location / {
-            rewrite ^ /index.php;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                      "no-referrer"       always;
+        add_header X-Content-Type-Options               "nosniff"           always;
+        add_header X-Frame-Options                      "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
+        add_header X-Robots-Tag                         "noindex, nofollow" always;
+        add_header X-XSS-Protection                     "1; mode=block"     always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
         }
 
-        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-            deny all;
-        }
-        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-            deny all;
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
             set $path_info $fastcgi_path_info;
+
             try_files $fastcgi_script_name =404;
+
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $path_info;
-            # fastcgi_param HTTPS on;
+            fastcgi_param HTTPS on;
 
-            # Avoid sending the security headers twice
-            fastcgi_param modHeadersAvailable true;
-
-            # Enable pretty urls
-            fastcgi_param front_controller_active true;
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
             fastcgi_pass php-handler;
+
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
         }
 
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-            try_files $uri/ =404;
-            index index.php;
-        }
-
-        # Adding the cache control header for js, css and map files
-        # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        # Javascript mimetype fixes for nginx
+        # Note: The block below should be removed, and the js|mjs section should be
+        # added to the block below this one. This is a temporary fix until Nginx 
+        # upstream fixes the js mime-type
+        location ~* \.(?:js|mjs)$ {
+            types { 
+                text/javascript js mjs;
+            } 
             try_files $uri /index.php$request_uri;
-            add_header Cache-Control "public, max-age=15778463";
-            # Add headers to serve security related headers (It is intended to
-            # have those duplicated to the ones above)
-            # Before enabling Strict-Transport-Security headers please read into
-            # this topic first.
-            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-            #
-            # WARNING: Only add the preload option once you read about
-            # the consequences in https://hstspreload.org/. This option
-            # will add the domain to a hardcoded list that is shipped
-            # in all major browsers and getting removed from this list
-            # could take several months.
-            add_header Referrer-Policy "no-referrer" always;
-            add_header X-Content-Type-Options "nosniff" always;
-            add_header X-Download-Options "noopen" always;
-            add_header X-Frame-Options "SAMEORIGIN" always;
-            add_header X-Permitted-Cross-Domain-Policies "none" always;
-            add_header X-Robots-Tag "none" always;
-            add_header X-XSS-Protection "1; mode=block" always;
-
-            # Optional: Don't log access to assets
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        # Serve static files
+        location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$request_uri;
-            # Optional: Don't log access to other assets
-            access_log off;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php$request_uri;
         }
     }
 }

.examples/dockerfiles/full/apache/Dockerfile

@@ -5,6 +5,7 @@ RUN set -ex; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         ffmpeg \
+        ghostscript \
         libmagickcore-6.q16-6-extra \
         procps \
         smbclient \
@@ -37,9 +38,9 @@ RUN set -ex; \
     apt-mark auto '.*' > /dev/null; \
     apt-mark manual $savedAptMark; \
     ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { print $3 }' \
+        | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
         | sort -u \
-        | xargs -r dpkg-query -S \
+        | xargs -r dpkg-query --search \
         | cut -d: -f1 \
         | sort -u \
         | xargs -rt apt-mark manual; \

.examples/dockerfiles/full/fpm-alpine/Dockerfile

@@ -17,7 +17,7 @@ RUN set -ex; \
         $PHPIZE_DEPS \
         imap-dev \
         krb5-dev \
-        libressl-dev \
+        openssl-dev \
         samba-dev \
         bzip2-dev \
     ; \

.examples/dockerfiles/full/fpm/Dockerfile

@@ -5,6 +5,7 @@ RUN set -ex; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         ffmpeg \
+        ghostscript \
         libmagickcore-6.q16-6-extra \
         procps \
         smbclient \
@@ -37,9 +38,9 @@ RUN set -ex; \
     apt-mark auto '.*' > /dev/null; \
     apt-mark manual $savedAptMark; \
     ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { print $3 }' \
+        | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
         | sort -u \
-        | xargs -r dpkg-query -S \
+        | xargs -r dpkg-query --search \
         | cut -d: -f1 \
         | sort -u \
         | xargs -rt apt-mark manual; \

.examples/dockerfiles/imap/apache/Dockerfile

@@ -17,9 +17,9 @@ RUN set -ex; \
     apt-mark auto '.*' > /dev/null; \
     apt-mark manual $savedAptMark; \
     ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { print $3 }' \
+        | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
         | sort -u \
-        | xargs -r dpkg-query -S \
+        | xargs -r dpkg-query --search \
         | cut -d: -f1 \
         | sort -u \
         | xargs -rt apt-mark manual; \

.examples/dockerfiles/imap/fpm-alpine/Dockerfile

@@ -6,7 +6,7 @@ RUN set -ex; \
         $PHPIZE_DEPS \
         imap-dev \
         krb5-dev \
-        libressl-dev \
+        openssl-dev \
     ; \
     \
     docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \

.examples/dockerfiles/imap/fpm/Dockerfile

@@ -17,9 +17,9 @@ RUN set -ex; \
     apt-mark auto '.*' > /dev/null; \
     apt-mark manual $savedAptMark; \
     ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { print $3 }' \
+        | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
         | sort -u \
-        | xargs -r dpkg-query -S \
+        | xargs -r dpkg-query --search \
         | cut -d: -f1 \
         | sort -u \
         | xargs -rt apt-mark manual; \

.github/ISSUE_TEMPLATE/Image_issue.md

@@ -0,0 +1,14 @@
+---
+name: 🐛 Image issue
+about: Issues related to the Nextcloud Docker image
+---
+
+<!--
+Thanks for reporting issues back to Nextcloud!
+
+When reporting problems, please include your *complete* Docker Compose file (or run commands) and your Nextcloud Server config (e.g. `occ config:list system`). Incomplete reports cause extra work for all parties involved and delay resolution.
+
+Note: This is the issue tracker of the official Nextcloud **Docker image**, please do NOT use this to report issues with Docker or Nextcloud Server itself. You can find help debugging your system on our forums: https://help.nextcloud.com/ or https://forums.docker.com/.
+
+To learn more about official images, see https://github.com/docker-library/faq
+-->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,10 @@
+contact_links:
+    - name: 🐛 Nextcloud issue
+      url: https://github.com/nextcloud/server/issues/new/choose
+      about: Bug reports and feature requests for Nextcloud
+    - name: 🐳 Docker Support and Help
+      url: https://forums.docker.com/
+      about: Configuration, installation, networking and other questions
+    - name: ❓ Nextcloud Support and Help
+      url: https://help.nextcloud.com/
+      about: Configuration, webserver/proxy or performance issues and other questions

.github/workflows/command-rebase.yml

@@ -0,0 +1,51 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Rebase command
+
+on:
+  issue_comment:
+    types: created
+
+permissions:
+  contents: read
+
+jobs:
+  rebase:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: none
+
+    # On pull requests and if the comment starts with `/rebase`
+    if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
+
+    steps:
+      - name: Add reaction on start
+        uses: peter-evans/create-or-update-comment@ca08ebd5dc95aa0cd97021e9708fcd6b87138c9b # v3.0.1
+        with:
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+          repository: ${{ github.event.repository.full_name }}
+          comment-id: ${{ github.event.comment.id }}
+          reaction-type: "+1"
+
+      - name: Checkout the latest code
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+
+      - name: Automatic Rebase
+        uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8
+        env:
+          GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
+
+      - name: Add reaction on failure
+        uses: peter-evans/create-or-update-comment@ca08ebd5dc95aa0cd97021e9708fcd6b87138c9b # v3.0.1
+        if: failure()
+        with:
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+          repository: ${{ github.event.repository.full_name }}
+          comment-id: ${{ github.event.comment.id }}
+          reaction-type: "-1"

.github/workflows/images.yml

@@ -0,0 +1,65 @@
+name: Images
+
+on:
+  pull_request:
+  workflow_run:
+    workflows: ["update.sh"]
+    branches: [master]
+    types: 
+      - completed
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+
+  init:
+    name: Generate Jobs
+    runs-on: ubuntu-latest
+    outputs:
+      strategy: ${{ steps.generate-jobs.outputs.strategy }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker-library/bashbrew@HEAD
+      - id: generate-jobs
+        name: Generate Jobs
+        run: |
+          strategy="$(GITHUB_REPOSITORY=nextcloud "$BASHBREW_SCRIPTS/github-actions/generate.sh")"
+          strategy="$("$BASHBREW_SCRIPTS/github-actions/munge-i386.sh" -c <<<"$strategy")"
+          echo "strategy=$strategy" >> "$GITHUB_OUTPUT"
+          jq . <<<"$strategy" # sanity check / debugging aid
+
+  test:
+    needs: init
+    strategy: ${{ fromJson(needs.init.outputs.strategy) }}
+    name: ${{ matrix.name }}
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Prepare Environment
+        run: ${{ matrix.runs.prepare }}
+      - name: Run update.sh script
+        run: ./update.sh
+      - name: Pull Dependencies
+        run: ${{ matrix.runs.pull }}
+      - name: Build ${{ matrix.name }}
+        run: ${{ matrix.runs.build }}
+      - name: History ${{ matrix.name }}
+        run: ${{ matrix.runs.history }}
+      - name: Test ${{ matrix.name }}
+        run: ${{ matrix.runs.test }}
+      - name: '"docker images"'
+        run: ${{ matrix.runs.images }}
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: test
+
+    if: always()
+
+    name: images-test-summary
+
+    steps:
+      - name: Summary status
+        run: if ${{ needs.test.result != 'success' && needs.test.result != 'skipped' }}; then exit 1; fi

.github/workflows/update-sh.yml

@@ -0,0 +1,29 @@
+name: update.sh
+
+on:
+  push:
+    branches:
+    - master
+  schedule:
+  - cron:  '15 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  run_update_sh:
+    name: Run update.sh script
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run update.sh script
+      run: ./update.sh
+    - name: Commit files
+      run: |
+        git config --local user.email "workflow@github.com"
+        git config --local user.name "GitHub Workflow"
+        git add -A
+        git commit -m "Runs update.sh" || echo "Nothing to update"
+    - name: Push changes
+      uses: ad-m/github-push-action@master
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        force: true

.travis.yml

@@ -1,94 +0,0 @@
-language: bash
-services: docker
-
-branches:
-  only:
-    - master
-
-# preload images to avoid timeouts in tests
-before_install:
-  - docker pull mariadb:10.3
-  - docker pull postgres:11-alpine
-
-install:
-  - git clone https://github.com/docker-library/official-images.git ~/official-images
-
-before_script:
-  - env | sort
-  - wget -qO- 'https://github.com/tianon/pgp-happy-eyeballs/raw/master/hack-my-builds.sh' | bash
-  - image="nextcloud:${VERSION}${VARIANT:+-$VARIANT}"
-  - if [[ "$ARCH" == 'i386' ]]; then sed -i -e 's/FROM php/FROM i386\/php/g' "${VERSION}/${VARIANT}/Dockerfile"; fi
-
-script:
-  - |
-    (
-      set -Eeuo pipefail
-      set -x
-      travis_retry docker build -t "$image" "${VERSION}/${VARIANT}"
-      travis_retry ~/official-images/test/run.sh "$image"
-      .travis/test-example-dockerfiles.sh "$image"
-    )
-
-after_script:
-  - docker images
-
-jobs:
-  # https://github.com/docker-library/php/issues/822
-  allow_failures:
-    - env: VERSION=16.0 VARIANT=apache ARCH=i386
-    - env: VERSION=17.0 VARIANT=apache ARCH=i386
-    - env: VERSION=18.0 VARIANT=apache ARCH=i386
-    - env: VERSION=19.0 VARIANT=apache ARCH=i386
-    - env: VERSION=16.0-rc VARIANT=apache ARCH=i386
-    - env: VERSION=17.0-rc VARIANT=apache ARCH=i386
-    - env: VERSION=18.0-rc VARIANT=apache ARCH=i386
-    - env: VERSION=19.0-rc VARIANT=apache ARCH=i386
-    - env: VERSION=17.0-beta VARIANT=apache ARCH=i386
-    - env: VERSION=18.0-beta VARIANT=apache ARCH=i386
-    - env: VERSION=19.0-beta VARIANT=apache ARCH=i386
-  include:
-    - &test-scripts
-      stage: test scripts
-      env: SCRIPT=update.sh
-      services: []
-      install: skip
-      before_script: skip
-      script:
-        - hash_before=$(git write-tree)
-        - travis_retry ./update.sh
-        - bash -c "[[ $hash_before = $(git add -A && git write-tree) ]]"
-      after_script: skip
-
-    - <<: *test-scripts
-      env: SCRIPT=generate-stackbrew-library.sh
-      install:
-        - wget -O "$HOME/bin/bashbrew" https://doi-janky.infosiftr.net/job/bashbrew/lastSuccessfulBuild/artifact/bin/bashbrew-amd64
-        - chmod +x "$HOME/bin/bashbrew"
-      script:
-        - travis_retry ./generate-stackbrew-library.sh
-
-    - stage: test images
-      env: VERSION=19.0-beta VARIANT=fpm-alpine ARCH=amd64
-    - env: VERSION=19.0-beta VARIANT=fpm-alpine ARCH=i386
-    - env: VERSION=19.0-beta VARIANT=fpm ARCH=amd64
-    - env: VERSION=19.0-beta VARIANT=fpm ARCH=i386
-    - env: VERSION=19.0-beta VARIANT=apache ARCH=amd64
-    - env: VERSION=19.0-beta VARIANT=apache ARCH=i386
-    - env: VERSION=16.0 VARIANT=fpm-alpine ARCH=amd64
-    - env: VERSION=16.0 VARIANT=fpm-alpine ARCH=i386
-    - env: VERSION=16.0 VARIANT=fpm ARCH=amd64
-    - env: VERSION=16.0 VARIANT=fpm ARCH=i386
-    - env: VERSION=16.0 VARIANT=apache ARCH=amd64
-    - env: VERSION=16.0 VARIANT=apache ARCH=i386
-    - env: VERSION=17.0 VARIANT=fpm-alpine ARCH=amd64
-    - env: VERSION=17.0 VARIANT=fpm-alpine ARCH=i386
-    - env: VERSION=17.0 VARIANT=fpm ARCH=amd64
-    - env: VERSION=17.0 VARIANT=fpm ARCH=i386
-    - env: VERSION=17.0 VARIANT=apache ARCH=amd64
-    - env: VERSION=17.0 VARIANT=apache ARCH=i386
-    - env: VERSION=18.0 VARIANT=fpm-alpine ARCH=amd64
-    - env: VERSION=18.0 VARIANT=fpm-alpine ARCH=i386
-    - env: VERSION=18.0 VARIANT=fpm ARCH=amd64
-    - env: VERSION=18.0 VARIANT=fpm ARCH=i386
-    - env: VERSION=18.0 VARIANT=apache ARCH=amd64
-    - env: VERSION=18.0 VARIANT=apache ARCH=i386

.travis/test-example-dockerfiles.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-set -e
-
-image="$1"
-
-cd .examples/dockerfiles
-
-dirs=( */ )
-dirs=( "${dirs[@]%/}" )
-for dir in "${dirs[@]}"; do
-    if [ -d "$dir/$VARIANT" ]; then
-        (
-            cd "$dir/$VARIANT"
-            sed -ri -e 's/^FROM .*/FROM '"$image"'/g' 'Dockerfile'
-            docker build -t "$image-$dir" .
-        )
-    fi
-done

16.0/apache/Dockerfile

@@ -1,151 +0,0 @@
-# DO NOT EDIT: created by update.sh from Dockerfile-debian.template
-FROM php:7.3-apache-buster
-
-# entrypoint.sh and cron.sh dependencies
-RUN set -ex; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        rsync \
-        bzip2 \
-        busybox-static \
-    ; \
-    rm -rf /var/lib/apt/lists/*; \
-    \
-    mkdir -p /var/spool/cron/crontabs; \
-    echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
-
-# install the PHP extensions we need
-# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
-RUN set -ex; \
-    \
-    savedAptMark="$(apt-mark showmanual)"; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        libcurl4-openssl-dev \
-        libevent-dev \
-        libfreetype6-dev \
-        libicu-dev \
-        libjpeg-dev \
-        libldap2-dev \
-        libmcrypt-dev \
-        libmemcached-dev \
-        libpng-dev \
-        libpq-dev \
-        libxml2-dev \
-        libmagickwand-dev \
-        libzip-dev \
-        libwebp-dev \
-        libgmp-dev \
-    ; \
-    \
-    debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
-    if [ ! -e /usr/include/gmp.h ]; then ln -s /usr/include/$debMultiarch/gmp.h /usr/include/gmp.h; fi;\
-    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
-    docker-php-ext-configure gmp --with-gmp="/usr/include/$debMultiarch"; \
-    docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
-    docker-php-ext-install -j "$(nproc)" \
-        exif \
-        gd \
-        intl \
-        ldap \
-        opcache \
-        pcntl \
-        pdo_mysql \
-        pdo_pgsql \
-        zip \
-        gmp \
-    ; \
-    \
-# pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install APCu-5.1.18; \
-    pecl install memcached-3.1.5; \
-    pecl install redis-4.3.0; \
-    pecl install imagick-3.4.4; \
-    \
-    docker-php-ext-enable \
-        apcu \
-        memcached \
-        redis \
-        imagick \
-    ; \
-    \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-    apt-mark auto '.*' > /dev/null; \
-    apt-mark manual $savedAptMark; \
-    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { print $3 }' \
-        | sort -u \
-        | xargs -r dpkg-query -S \
-        | cut -d: -f1 \
-        | sort -u \
-        | xargs -rt apt-mark manual; \
-    \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /var/lib/apt/lists/*
-
-# set recommended PHP.ini settings
-# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-RUN { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=10000'; \
-        echo 'opcache.memory_consumption=128'; \
-        echo 'opcache.save_comments=1'; \
-        echo 'opcache.revalidate_freq=1'; \
-    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
-    \
-    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    \
-    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
-    \
-    mkdir /var/www/data; \
-    chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www
-
-VOLUME /var/www/html
-
-RUN a2enmod headers rewrite remoteip ;\
-    {\
-     echo RemoteIPHeader X-Real-IP ;\
-     echo RemoteIPTrustedProxy 10.0.0.0/8 ;\
-     echo RemoteIPTrustedProxy 172.16.0.0/12 ;\
-     echo RemoteIPTrustedProxy 192.168.0.0/16 ;\
-    } > /etc/apache2/conf-available/remoteip.conf;\
-    a2enconf remoteip
-
-ENV NEXTCLOUD_VERSION 16.0.10
-
-RUN set -ex; \
-    fetchDeps=" \
-        gnupg \
-        dirmngr \
-    "; \
-    apt-get update; \
-    apt-get install -y --no-install-recommends $fetchDeps; \
-    \
-    curl -fsSL -o nextcloud.tar.bz2 \
-        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
-    curl -fsSL -o nextcloud.tar.bz2.asc \
-        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
-    export GNUPGHOME="$(mktemp -d)"; \
-# gpg key from https://nextcloud.com/nextcloud.asc
-    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
-    gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
-    gpgconf --kill all; \
-    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    rm -rf /usr/src/nextcloud/updater; \
-    mkdir -p /usr/src/nextcloud/data; \
-    mkdir -p /usr/src/nextcloud/custom_apps; \
-    chmod +x /usr/src/nextcloud/occ; \
-    \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
-    rm -rf /var/lib/apt/lists/*
-
-COPY *.sh upgrade.exclude /
-COPY config/* /usr/src/nextcloud/config/
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["apache2-foreground"]

16.0/apache/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

16.0/apache/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

16.0/apache/cron.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-set -eu
-
-exec busybox crond -f -l 0 -L /dev/stdout

16.0/apache/entrypoint.sh

@@ -1,192 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-    if [ "$(id -u)" = 0 ]; then
-        su -p www-data -s /bin/sh -c "$1"
-    else
-        sh -c "$1"
-    fi
-}
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-    local var="$1"
-    local fileVar="${var}_FILE"
-    local def="${2:-}"
-    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
-    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
-    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
-    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
-        export "$var"="$(cat "${fileVarValue}")"
-    elif [ -n "${def}" ]; then
-        export "$var"="$def"
-    fi
-    unset "$fileVar"
-}
-
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
-    fi
-fi
-
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
-    if [ -n "${REDIS_HOST+x}" ]; then
-
-        echo "Configuring Redis as session handler"
-        {
-            echo 'session.save_handler = redis'
-            # check if redis host is an unix socket path
-            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
-              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
-              else
-                echo "session.save_path = \"unix://${REDIS_HOST}\""
-              fi
-            # check if redis password has been set
-            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
-            else
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
-            fi
-        } > /usr/local/etc/php/conf.d/redis-session.ini
-    fi
-
-    installed_version="0.0.0.0"
-    if [ -f /var/www/html/version.php ]; then
-        # shellcheck disable=SC2016
-        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    fi
-    # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-    if version_greater "$installed_version" "$image_version"; then
-        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-        exit 1
-    fi
-
-    if version_greater "$image_version" "$installed_version"; then
-        echo "Initializing nextcloud $image_version ..."
-        if [ "$installed_version" != "0.0.0.0" ]; then
-            echo "Upgrading nextcloud from $installed_version ..."
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-        fi
-        if [ "$(id -u)" = 0 ]; then
-            rsync_options="-rlDog --chown www-data:root"
-        else
-            rsync_options="-rlD"
-        fi
-        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
-
-        for dir in config data custom_apps themes; do
-            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-            fi
-        done
-        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        echo "Initializing finished"
-
-        #install
-        if [ "$installed_version" = "0.0.0.0" ]; then
-            echo "New nextcloud instance"
-
-            file_env NEXTCLOUD_ADMIN_PASSWORD
-            file_env NEXTCLOUD_ADMIN_USER
-
-            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                # shellcheck disable=SC2016
-                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
-                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
-                fi
-                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
-                fi
-
-                file_env MYSQL_DATABASE
-                file_env MYSQL_PASSWORD
-                file_env MYSQL_USER
-                file_env POSTGRES_DB
-                file_env POSTGRES_PASSWORD
-                file_env POSTGRES_USER
-
-                install=false
-                if [ -n "${SQLITE_DATABASE+x}" ]; then
-                    echo "Installing with SQLite database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
-                    install=true
-                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
-                    echo "Installing with MySQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
-                    install=true
-                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
-                    echo "Installing with PostgreSQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
-                    install=true
-                fi
-
-                if [ "$install" = true ]; then
-                    echo "starting nextcloud installation"
-                    max_retries=10
-                    try=0
-                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
-                    do
-                        echo "retrying install..."
-                        try=$((try+1))
-                        sleep 10s
-                    done
-                    if [ "$try" -gt "$max_retries" ]; then
-                        echo "installing of nextcloud failed!"
-                        exit 1
-                    fi
-                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                        echo "setting trusted domains…"
-                        NC_TRUSTED_DOMAIN_IDX=1
-                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
-                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
-                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
-                        done
-                    fi
-                else
-                    echo "running web-based installer on first connect!"
-                fi
-            fi
-        #upgrade
-        else
-            run_as 'php /var/www/html/occ upgrade'
-
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-            echo "The following apps have been disabled:"
-            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-            rm -f /tmp/list_before /tmp/list_after
-
-        fi
-    fi
-fi
-
-exec "$@"

16.0/fpm-alpine/Dockerfile

@@ -1,126 +0,0 @@
-# DO NOT EDIT: created by update.sh from Dockerfile-alpine.template
-FROM php:7.3-fpm-alpine3.11
-
-# entrypoint.sh and cron.sh dependencies
-RUN set -ex; \
-    \
-    apk add --no-cache \
-        rsync \
-    ; \
-    \
-    rm /var/spool/cron/crontabs/root; \
-    echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
-
-# install the PHP extensions we need
-# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
-RUN set -ex; \
-    \
-    apk add --no-cache --virtual .build-deps \
-        $PHPIZE_DEPS \
-        autoconf \
-        freetype-dev \
-        icu-dev \
-        libevent-dev \
-        libjpeg-turbo-dev \
-        libmcrypt-dev \
-        libpng-dev \
-        libmemcached-dev \
-        libxml2-dev \
-        libzip-dev \
-        openldap-dev \
-        pcre-dev \
-        postgresql-dev \
-        imagemagick-dev \
-        libwebp-dev \
-        gmp-dev \
-    ; \
-    \
-    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
-    docker-php-ext-configure ldap; \
-    docker-php-ext-install -j "$(nproc)" \
-        exif \
-        gd \
-        intl \
-        ldap \
-        opcache \
-        pcntl \
-        pdo_mysql \
-        pdo_pgsql \
-        zip \
-        gmp \
-    ; \
-    \
-# pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install APCu-5.1.18; \
-    pecl install memcached-3.1.5; \
-    pecl install redis-4.3.0; \
-    pecl install imagick-3.4.4; \
-    \
-    docker-php-ext-enable \
-        apcu \
-        memcached \
-        redis \
-        imagick \
-    ; \
-    \
-    runDeps="$( \
-        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
-            | tr ',' '\n' \
-            | sort -u \
-            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
-    )"; \
-    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps
-
-# set recommended PHP.ini settings
-# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-RUN { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=10000'; \
-        echo 'opcache.memory_consumption=128'; \
-        echo 'opcache.save_comments=1'; \
-        echo 'opcache.revalidate_freq=1'; \
-    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
-    \
-    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    \
-    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
-    \
-    mkdir /var/www/data; \
-    chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www
-
-VOLUME /var/www/html
-
-
-ENV NEXTCLOUD_VERSION 16.0.10
-
-RUN set -ex; \
-    apk add --no-cache --virtual .fetch-deps \
-        bzip2 \
-        gnupg \
-    ; \
-    \
-    curl -fsSL -o nextcloud.tar.bz2 \
-        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
-    curl -fsSL -o nextcloud.tar.bz2.asc \
-        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
-    export GNUPGHOME="$(mktemp -d)"; \
-# gpg key from https://nextcloud.com/nextcloud.asc
-    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
-    gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
-    gpgconf --kill all; \
-    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    rm -rf /usr/src/nextcloud/updater; \
-    mkdir -p /usr/src/nextcloud/data; \
-    mkdir -p /usr/src/nextcloud/custom_apps; \
-    chmod +x /usr/src/nextcloud/occ; \
-    apk del .fetch-deps
-
-COPY *.sh upgrade.exclude /
-COPY config/* /usr/src/nextcloud/config/
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["php-fpm"]

16.0/fpm-alpine/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

16.0/fpm-alpine/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

16.0/fpm-alpine/cron.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-set -eu
-
-exec busybox crond -f -l 0 -L /dev/stdout

16.0/fpm-alpine/entrypoint.sh

@@ -1,192 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-    if [ "$(id -u)" = 0 ]; then
-        su -p www-data -s /bin/sh -c "$1"
-    else
-        sh -c "$1"
-    fi
-}
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-    local var="$1"
-    local fileVar="${var}_FILE"
-    local def="${2:-}"
-    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
-    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
-    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
-    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
-        export "$var"="$(cat "${fileVarValue}")"
-    elif [ -n "${def}" ]; then
-        export "$var"="$def"
-    fi
-    unset "$fileVar"
-}
-
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
-    fi
-fi
-
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
-    if [ -n "${REDIS_HOST+x}" ]; then
-
-        echo "Configuring Redis as session handler"
-        {
-            echo 'session.save_handler = redis'
-            # check if redis host is an unix socket path
-            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
-              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
-              else
-                echo "session.save_path = \"unix://${REDIS_HOST}\""
-              fi
-            # check if redis password has been set
-            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
-            else
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
-            fi
-        } > /usr/local/etc/php/conf.d/redis-session.ini
-    fi
-
-    installed_version="0.0.0.0"
-    if [ -f /var/www/html/version.php ]; then
-        # shellcheck disable=SC2016
-        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    fi
-    # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-    if version_greater "$installed_version" "$image_version"; then
-        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-        exit 1
-    fi
-
-    if version_greater "$image_version" "$installed_version"; then
-        echo "Initializing nextcloud $image_version ..."
-        if [ "$installed_version" != "0.0.0.0" ]; then
-            echo "Upgrading nextcloud from $installed_version ..."
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-        fi
-        if [ "$(id -u)" = 0 ]; then
-            rsync_options="-rlDog --chown www-data:root"
-        else
-            rsync_options="-rlD"
-        fi
-        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
-
-        for dir in config data custom_apps themes; do
-            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-            fi
-        done
-        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        echo "Initializing finished"
-
-        #install
-        if [ "$installed_version" = "0.0.0.0" ]; then
-            echo "New nextcloud instance"
-
-            file_env NEXTCLOUD_ADMIN_PASSWORD
-            file_env NEXTCLOUD_ADMIN_USER
-
-            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                # shellcheck disable=SC2016
-                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
-                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
-                fi
-                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
-                fi
-
-                file_env MYSQL_DATABASE
-                file_env MYSQL_PASSWORD
-                file_env MYSQL_USER
-                file_env POSTGRES_DB
-                file_env POSTGRES_PASSWORD
-                file_env POSTGRES_USER
-
-                install=false
-                if [ -n "${SQLITE_DATABASE+x}" ]; then
-                    echo "Installing with SQLite database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
-                    install=true
-                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
-                    echo "Installing with MySQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
-                    install=true
-                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
-                    echo "Installing with PostgreSQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
-                    install=true
-                fi
-
-                if [ "$install" = true ]; then
-                    echo "starting nextcloud installation"
-                    max_retries=10
-                    try=0
-                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
-                    do
-                        echo "retrying install..."
-                        try=$((try+1))
-                        sleep 10s
-                    done
-                    if [ "$try" -gt "$max_retries" ]; then
-                        echo "installing of nextcloud failed!"
-                        exit 1
-                    fi
-                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                        echo "setting trusted domains…"
-                        NC_TRUSTED_DOMAIN_IDX=1
-                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
-                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
-                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
-                        done
-                    fi
-                else
-                    echo "running web-based installer on first connect!"
-                fi
-            fi
-        #upgrade
-        else
-            run_as 'php /var/www/html/occ upgrade'
-
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-            echo "The following apps have been disabled:"
-            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-            rm -f /tmp/list_before /tmp/list_after
-
-        fi
-    fi
-fi
-
-exec "$@"

16.0/fpm/Dockerfile

@@ -1,143 +0,0 @@
-# DO NOT EDIT: created by update.sh from Dockerfile-debian.template
-FROM php:7.3-fpm-buster
-
-# entrypoint.sh and cron.sh dependencies
-RUN set -ex; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        rsync \
-        bzip2 \
-        busybox-static \
-    ; \
-    rm -rf /var/lib/apt/lists/*; \
-    \
-    mkdir -p /var/spool/cron/crontabs; \
-    echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
-
-# install the PHP extensions we need
-# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
-RUN set -ex; \
-    \
-    savedAptMark="$(apt-mark showmanual)"; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        libcurl4-openssl-dev \
-        libevent-dev \
-        libfreetype6-dev \
-        libicu-dev \
-        libjpeg-dev \
-        libldap2-dev \
-        libmcrypt-dev \
-        libmemcached-dev \
-        libpng-dev \
-        libpq-dev \
-        libxml2-dev \
-        libmagickwand-dev \
-        libzip-dev \
-        libwebp-dev \
-        libgmp-dev \
-    ; \
-    \
-    debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
-    if [ ! -e /usr/include/gmp.h ]; then ln -s /usr/include/$debMultiarch/gmp.h /usr/include/gmp.h; fi;\
-    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
-    docker-php-ext-configure gmp --with-gmp="/usr/include/$debMultiarch"; \
-    docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
-    docker-php-ext-install -j "$(nproc)" \
-        exif \
-        gd \
-        intl \
-        ldap \
-        opcache \
-        pcntl \
-        pdo_mysql \
-        pdo_pgsql \
-        zip \
-        gmp \
-    ; \
-    \
-# pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install APCu-5.1.18; \
-    pecl install memcached-3.1.5; \
-    pecl install redis-4.3.0; \
-    pecl install imagick-3.4.4; \
-    \
-    docker-php-ext-enable \
-        apcu \
-        memcached \
-        redis \
-        imagick \
-    ; \
-    \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-    apt-mark auto '.*' > /dev/null; \
-    apt-mark manual $savedAptMark; \
-    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
-        | awk '/=>/ { print $3 }' \
-        | sort -u \
-        | xargs -r dpkg-query -S \
-        | cut -d: -f1 \
-        | sort -u \
-        | xargs -rt apt-mark manual; \
-    \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /var/lib/apt/lists/*
-
-# set recommended PHP.ini settings
-# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-RUN { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=10000'; \
-        echo 'opcache.memory_consumption=128'; \
-        echo 'opcache.save_comments=1'; \
-        echo 'opcache.revalidate_freq=1'; \
-    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
-    \
-    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    \
-    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
-    \
-    mkdir /var/www/data; \
-    chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www
-
-VOLUME /var/www/html
-
-
-ENV NEXTCLOUD_VERSION 16.0.10
-
-RUN set -ex; \
-    fetchDeps=" \
-        gnupg \
-        dirmngr \
-    "; \
-    apt-get update; \
-    apt-get install -y --no-install-recommends $fetchDeps; \
-    \
-    curl -fsSL -o nextcloud.tar.bz2 \
-        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
-    curl -fsSL -o nextcloud.tar.bz2.asc \
-        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
-    export GNUPGHOME="$(mktemp -d)"; \
-# gpg key from https://nextcloud.com/nextcloud.asc
-    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
-    gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
-    gpgconf --kill all; \
-    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    rm -rf /usr/src/nextcloud/updater; \
-    mkdir -p /usr/src/nextcloud/data; \
-    mkdir -p /usr/src/nextcloud/custom_apps; \
-    chmod +x /usr/src/nextcloud/occ; \
-    \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
-    rm -rf /var/lib/apt/lists/*
-
-COPY *.sh upgrade.exclude /
-COPY config/* /usr/src/nextcloud/config/
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["php-fpm"]

16.0/fpm/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

16.0/fpm/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

16.0/fpm/cron.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-set -eu
-
-exec busybox crond -f -l 0 -L /dev/stdout

16.0/fpm/entrypoint.sh

@@ -1,192 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-    if [ "$(id -u)" = 0 ]; then
-        su -p www-data -s /bin/sh -c "$1"
-    else
-        sh -c "$1"
-    fi
-}
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-    local var="$1"
-    local fileVar="${var}_FILE"
-    local def="${2:-}"
-    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
-    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
-    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
-    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
-        export "$var"="$(cat "${fileVarValue}")"
-    elif [ -n "${def}" ]; then
-        export "$var"="$def"
-    fi
-    unset "$fileVar"
-}
-
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
-    fi
-fi
-
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
-    if [ -n "${REDIS_HOST+x}" ]; then
-
-        echo "Configuring Redis as session handler"
-        {
-            echo 'session.save_handler = redis'
-            # check if redis host is an unix socket path
-            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
-              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
-              else
-                echo "session.save_path = \"unix://${REDIS_HOST}\""
-              fi
-            # check if redis password has been set
-            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
-            else
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
-            fi
-        } > /usr/local/etc/php/conf.d/redis-session.ini
-    fi
-
-    installed_version="0.0.0.0"
-    if [ -f /var/www/html/version.php ]; then
-        # shellcheck disable=SC2016
-        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    fi
-    # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-    if version_greater "$installed_version" "$image_version"; then
-        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-        exit 1
-    fi
-
-    if version_greater "$image_version" "$installed_version"; then
-        echo "Initializing nextcloud $image_version ..."
-        if [ "$installed_version" != "0.0.0.0" ]; then
-            echo "Upgrading nextcloud from $installed_version ..."
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-        fi
-        if [ "$(id -u)" = 0 ]; then
-            rsync_options="-rlDog --chown www-data:root"
-        else
-            rsync_options="-rlD"
-        fi
-        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
-
-        for dir in config data custom_apps themes; do
-            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-            fi
-        done
-        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        echo "Initializing finished"
-
-        #install
-        if [ "$installed_version" = "0.0.0.0" ]; then
-            echo "New nextcloud instance"
-
-            file_env NEXTCLOUD_ADMIN_PASSWORD
-            file_env NEXTCLOUD_ADMIN_USER
-
-            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                # shellcheck disable=SC2016
-                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
-                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
-                fi
-                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
-                fi
-
-                file_env MYSQL_DATABASE
-                file_env MYSQL_PASSWORD
-                file_env MYSQL_USER
-                file_env POSTGRES_DB
-                file_env POSTGRES_PASSWORD
-                file_env POSTGRES_USER
-
-                install=false
-                if [ -n "${SQLITE_DATABASE+x}" ]; then
-                    echo "Installing with SQLite database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
-                    install=true
-                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
-                    echo "Installing with MySQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
-                    install=true
-                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
-                    echo "Installing with PostgreSQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
-                    install=true
-                fi
-
-                if [ "$install" = true ]; then
-                    echo "starting nextcloud installation"
-                    max_retries=10
-                    try=0
-                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
-                    do
-                        echo "retrying install..."
-                        try=$((try+1))
-                        sleep 10s
-                    done
-                    if [ "$try" -gt "$max_retries" ]; then
-                        echo "installing of nextcloud failed!"
-                        exit 1
-                    fi
-                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                        echo "setting trusted domains…"
-                        NC_TRUSTED_DOMAIN_IDX=1
-                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
-                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
-                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
-                        done
-                    fi
-                else
-                    echo "running web-based installer on first connect!"
-                fi
-            fi
-        #upgrade
-        else
-            run_as 'php /var/www/html/occ upgrade'
-
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-            echo "The following apps have been disabled:"
-            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-            rm -f /tmp/list_before /tmp/list_after
-
-        fi
-    fi
-fi
-
-exec "$@"

17.0/apache/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

17.0/apache/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

17.0/apache/cron.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-set -eu
-
-exec busybox crond -f -l 0 -L /dev/stdout

17.0/apache/entrypoint.sh

@@ -1,192 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-    if [ "$(id -u)" = 0 ]; then
-        su -p www-data -s /bin/sh -c "$1"
-    else
-        sh -c "$1"
-    fi
-}
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-    local var="$1"
-    local fileVar="${var}_FILE"
-    local def="${2:-}"
-    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
-    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
-    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
-    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
-        export "$var"="$(cat "${fileVarValue}")"
-    elif [ -n "${def}" ]; then
-        export "$var"="$def"
-    fi
-    unset "$fileVar"
-}
-
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
-    fi
-fi
-
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
-    if [ -n "${REDIS_HOST+x}" ]; then
-
-        echo "Configuring Redis as session handler"
-        {
-            echo 'session.save_handler = redis'
-            # check if redis host is an unix socket path
-            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
-              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
-              else
-                echo "session.save_path = \"unix://${REDIS_HOST}\""
-              fi
-            # check if redis password has been set
-            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
-            else
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
-            fi
-        } > /usr/local/etc/php/conf.d/redis-session.ini
-    fi
-
-    installed_version="0.0.0.0"
-    if [ -f /var/www/html/version.php ]; then
-        # shellcheck disable=SC2016
-        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    fi
-    # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-    if version_greater "$installed_version" "$image_version"; then
-        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-        exit 1
-    fi
-
-    if version_greater "$image_version" "$installed_version"; then
-        echo "Initializing nextcloud $image_version ..."
-        if [ "$installed_version" != "0.0.0.0" ]; then
-            echo "Upgrading nextcloud from $installed_version ..."
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-        fi
-        if [ "$(id -u)" = 0 ]; then
-            rsync_options="-rlDog --chown www-data:root"
-        else
-            rsync_options="-rlD"
-        fi
-        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
-
-        for dir in config data custom_apps themes; do
-            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-            fi
-        done
-        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        echo "Initializing finished"
-
-        #install
-        if [ "$installed_version" = "0.0.0.0" ]; then
-            echo "New nextcloud instance"
-
-            file_env NEXTCLOUD_ADMIN_PASSWORD
-            file_env NEXTCLOUD_ADMIN_USER
-
-            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                # shellcheck disable=SC2016
-                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
-                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
-                fi
-                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
-                fi
-
-                file_env MYSQL_DATABASE
-                file_env MYSQL_PASSWORD
-                file_env MYSQL_USER
-                file_env POSTGRES_DB
-                file_env POSTGRES_PASSWORD
-                file_env POSTGRES_USER
-
-                install=false
-                if [ -n "${SQLITE_DATABASE+x}" ]; then
-                    echo "Installing with SQLite database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
-                    install=true
-                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
-                    echo "Installing with MySQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
-                    install=true
-                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
-                    echo "Installing with PostgreSQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
-                    install=true
-                fi
-
-                if [ "$install" = true ]; then
-                    echo "starting nextcloud installation"
-                    max_retries=10
-                    try=0
-                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
-                    do
-                        echo "retrying install..."
-                        try=$((try+1))
-                        sleep 10s
-                    done
-                    if [ "$try" -gt "$max_retries" ]; then
-                        echo "installing of nextcloud failed!"
-                        exit 1
-                    fi
-                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                        echo "setting trusted domains…"
-                        NC_TRUSTED_DOMAIN_IDX=1
-                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
-                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
-                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
-                        done
-                    fi
-                else
-                    echo "running web-based installer on first connect!"
-                fi
-            fi
-        #upgrade
-        else
-            run_as 'php /var/www/html/occ upgrade'
-
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-            echo "The following apps have been disabled:"
-            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-            rm -f /tmp/list_before /tmp/list_after
-
-        fi
-    fi
-fi
-
-exec "$@"

17.0/fpm-alpine/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

17.0/fpm-alpine/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

17.0/fpm-alpine/config/redis.config.php

@@ -1,17 +0,0 @@
-<?php
-if (getenv('REDIS_HOST')) {
-  $CONFIG = array (
-    'memcache.distributed' => '\OC\Memcache\Redis',
-    'memcache.locking' => '\OC\Memcache\Redis',
-    'redis' => array(
-      'host' => getenv('REDIS_HOST'),
-      'password' => getenv('REDIS_HOST_PASSWORD'),
-    ),
-  );
-
-  if (getenv('REDIS_HOST_PORT') !== false) {
-    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
-  } elseif (getenv('REDIS_HOST')[0] != '/') {
-    $CONFIG['redis']['port'] = 6379;
-  }
-}

17.0/fpm-alpine/config/reverse-proxy.config.php

@@ -1,25 +0,0 @@
-<?php
-$overwriteHost = getenv('OVERWRITEHOST');
-if ($overwriteHost) {
-  $CONFIG['overwritehost'] = $overwriteHost;
-}
-
-$overwriteProtocol = getenv('OVERWRITEPROTOCOL');
-if ($overwriteProtocol) {
-  $CONFIG['overwriteprotocol'] = $overwriteProtocol;
-}
-
-$overwriteWebRoot = getenv('OVERWRITEWEBROOT');
-if ($overwriteWebRoot) {
-  $CONFIG['overwritewebroot'] = $overwriteWebRoot;
-}
-
-$overwriteCondAddr = getenv('OVERWRITECONDADDR');
-if ($overwriteCondAddr) {
-  $CONFIG['overwritecondaddr'] = $overwriteCondAddr;
-}
-
-$trustedProxies = getenv('TRUSTED_PROXIES');
-if ($trustedProxies) {
-  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
-}

17.0/fpm-alpine/config/smtp.config.php

@@ -1,15 +0,0 @@
-<?php
-if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
-  $CONFIG = array (
-    'mail_smtpmode' => 'smtp',
-    'mail_smtphost' => getenv('SMTP_HOST'),
-    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
-    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
-    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
-    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
-    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
-    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
-    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
-    'mail_domain' => getenv('MAIL_DOMAIN'),
-  );
-}

17.0/fpm-alpine/cron.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-set -eu
-
-exec busybox crond -f -l 0 -L /dev/stdout

17.0/fpm-alpine/entrypoint.sh

@@ -1,192 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-    if [ "$(id -u)" = 0 ]; then
-        su -p www-data -s /bin/sh -c "$1"
-    else
-        sh -c "$1"
-    fi
-}
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-    local var="$1"
-    local fileVar="${var}_FILE"
-    local def="${2:-}"
-    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
-    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
-    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
-    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
-        export "$var"="$(cat "${fileVarValue}")"
-    elif [ -n "${def}" ]; then
-        export "$var"="$def"
-    fi
-    unset "$fileVar"
-}
-
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
-    fi
-fi
-
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
-    if [ -n "${REDIS_HOST+x}" ]; then
-
-        echo "Configuring Redis as session handler"
-        {
-            echo 'session.save_handler = redis'
-            # check if redis host is an unix socket path
-            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
-              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
-              else
-                echo "session.save_path = \"unix://${REDIS_HOST}\""
-              fi
-            # check if redis password has been set
-            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
-            else
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
-            fi
-        } > /usr/local/etc/php/conf.d/redis-session.ini
-    fi
-
-    installed_version="0.0.0.0"
-    if [ -f /var/www/html/version.php ]; then
-        # shellcheck disable=SC2016
-        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    fi
-    # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-    if version_greater "$installed_version" "$image_version"; then
-        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-        exit 1
-    fi
-
-    if version_greater "$image_version" "$installed_version"; then
-        echo "Initializing nextcloud $image_version ..."
-        if [ "$installed_version" != "0.0.0.0" ]; then
-            echo "Upgrading nextcloud from $installed_version ..."
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-        fi
-        if [ "$(id -u)" = 0 ]; then
-            rsync_options="-rlDog --chown www-data:root"
-        else
-            rsync_options="-rlD"
-        fi
-        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
-
-        for dir in config data custom_apps themes; do
-            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-            fi
-        done
-        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        echo "Initializing finished"
-
-        #install
-        if [ "$installed_version" = "0.0.0.0" ]; then
-            echo "New nextcloud instance"
-
-            file_env NEXTCLOUD_ADMIN_PASSWORD
-            file_env NEXTCLOUD_ADMIN_USER
-
-            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                # shellcheck disable=SC2016
-                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
-                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
-                fi
-                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
-                fi
-
-                file_env MYSQL_DATABASE
-                file_env MYSQL_PASSWORD
-                file_env MYSQL_USER
-                file_env POSTGRES_DB
-                file_env POSTGRES_PASSWORD
-                file_env POSTGRES_USER
-
-                install=false
-                if [ -n "${SQLITE_DATABASE+x}" ]; then
-                    echo "Installing with SQLite database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
-                    install=true
-                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
-                    echo "Installing with MySQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
-                    install=true
-                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
-                    echo "Installing with PostgreSQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
-                    install=true
-                fi
-
-                if [ "$install" = true ]; then
-                    echo "starting nextcloud installation"
-                    max_retries=10
-                    try=0
-                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
-                    do
-                        echo "retrying install..."
-                        try=$((try+1))
-                        sleep 10s
-                    done
-                    if [ "$try" -gt "$max_retries" ]; then
-                        echo "installing of nextcloud failed!"
-                        exit 1
-                    fi
-                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                        echo "setting trusted domains…"
-                        NC_TRUSTED_DOMAIN_IDX=1
-                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
-                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
-                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
-                        done
-                    fi
-                else
-                    echo "running web-based installer on first connect!"
-                fi
-            fi
-        #upgrade
-        else
-            run_as 'php /var/www/html/occ upgrade'
-
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-            echo "The following apps have been disabled:"
-            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-            rm -f /tmp/list_before /tmp/list_after
-
-        fi
-    fi
-fi
-
-exec "$@"

17.0/fpm-alpine/upgrade.exclude

@@ -1,5 +0,0 @@
-/config/
-/data/
-/custom_apps/
-/themes/
-/version.php

17.0/fpm/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

17.0/fpm/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

17.0/fpm/config/redis.config.php

@@ -1,17 +0,0 @@
-<?php
-if (getenv('REDIS_HOST')) {
-  $CONFIG = array (
-    'memcache.distributed' => '\OC\Memcache\Redis',
-    'memcache.locking' => '\OC\Memcache\Redis',
-    'redis' => array(
-      'host' => getenv('REDIS_HOST'),
-      'password' => getenv('REDIS_HOST_PASSWORD'),
-    ),
-  );
-
-  if (getenv('REDIS_HOST_PORT') !== false) {
-    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
-  } elseif (getenv('REDIS_HOST')[0] != '/') {
-    $CONFIG['redis']['port'] = 6379;
-  }
-}

17.0/fpm/config/reverse-proxy.config.php

@@ -1,25 +0,0 @@
-<?php
-$overwriteHost = getenv('OVERWRITEHOST');
-if ($overwriteHost) {
-  $CONFIG['overwritehost'] = $overwriteHost;
-}
-
-$overwriteProtocol = getenv('OVERWRITEPROTOCOL');
-if ($overwriteProtocol) {
-  $CONFIG['overwriteprotocol'] = $overwriteProtocol;
-}
-
-$overwriteWebRoot = getenv('OVERWRITEWEBROOT');
-if ($overwriteWebRoot) {
-  $CONFIG['overwritewebroot'] = $overwriteWebRoot;
-}
-
-$overwriteCondAddr = getenv('OVERWRITECONDADDR');
-if ($overwriteCondAddr) {
-  $CONFIG['overwritecondaddr'] = $overwriteCondAddr;
-}
-
-$trustedProxies = getenv('TRUSTED_PROXIES');
-if ($trustedProxies) {
-  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
-}

17.0/fpm/config/smtp.config.php

@@ -1,15 +0,0 @@
-<?php
-if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
-  $CONFIG = array (
-    'mail_smtpmode' => 'smtp',
-    'mail_smtphost' => getenv('SMTP_HOST'),
-    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
-    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
-    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
-    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
-    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
-    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
-    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
-    'mail_domain' => getenv('MAIL_DOMAIN'),
-  );
-}

17.0/fpm/cron.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-set -eu
-
-exec busybox crond -f -l 0 -L /dev/stdout

17.0/fpm/entrypoint.sh

@@ -1,192 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-    if [ "$(id -u)" = 0 ]; then
-        su -p www-data -s /bin/sh -c "$1"
-    else
-        sh -c "$1"
-    fi
-}
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-    local var="$1"
-    local fileVar="${var}_FILE"
-    local def="${2:-}"
-    local varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//")
-    local fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//")
-    if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then
-        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
-        exit 1
-    fi
-    if [ -n "${varValue}" ]; then
-        export "$var"="${varValue}"
-    elif [ -n "${fileVarValue}" ]; then
-        export "$var"="$(cat "${fileVarValue}")"
-    elif [ -n "${def}" ]; then
-        export "$var"="$def"
-    fi
-    unset "$fileVar"
-}
-
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
-    fi
-fi
-
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
-    if [ -n "${REDIS_HOST+x}" ]; then
-
-        echo "Configuring Redis as session handler"
-        {
-            echo 'session.save_handler = redis'
-            # check if redis host is an unix socket path
-            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
-              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
-              else
-                echo "session.save_path = \"unix://${REDIS_HOST}\""
-              fi
-            # check if redis password has been set
-            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
-            else
-                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
-            fi
-        } > /usr/local/etc/php/conf.d/redis-session.ini
-    fi
-
-    installed_version="0.0.0.0"
-    if [ -f /var/www/html/version.php ]; then
-        # shellcheck disable=SC2016
-        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    fi
-    # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-    if version_greater "$installed_version" "$image_version"; then
-        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-        exit 1
-    fi
-
-    if version_greater "$image_version" "$installed_version"; then
-        echo "Initializing nextcloud $image_version ..."
-        if [ "$installed_version" != "0.0.0.0" ]; then
-            echo "Upgrading nextcloud from $installed_version ..."
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-        fi
-        if [ "$(id -u)" = 0 ]; then
-            rsync_options="-rlDog --chown www-data:root"
-        else
-            rsync_options="-rlD"
-        fi
-        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
-
-        for dir in config data custom_apps themes; do
-            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-            fi
-        done
-        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        echo "Initializing finished"
-
-        #install
-        if [ "$installed_version" = "0.0.0.0" ]; then
-            echo "New nextcloud instance"
-
-            file_env NEXTCLOUD_ADMIN_PASSWORD
-            file_env NEXTCLOUD_ADMIN_USER
-
-            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                # shellcheck disable=SC2016
-                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
-                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
-                fi
-                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
-                fi
-
-                file_env MYSQL_DATABASE
-                file_env MYSQL_PASSWORD
-                file_env MYSQL_USER
-                file_env POSTGRES_DB
-                file_env POSTGRES_PASSWORD
-                file_env POSTGRES_USER
-
-                install=false
-                if [ -n "${SQLITE_DATABASE+x}" ]; then
-                    echo "Installing with SQLite database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
-                    install=true
-                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
-                    echo "Installing with MySQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
-                    install=true
-                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
-                    echo "Installing with PostgreSQL database"
-                    # shellcheck disable=SC2016
-                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
-                    install=true
-                fi
-
-                if [ "$install" = true ]; then
-                    echo "starting nextcloud installation"
-                    max_retries=10
-                    try=0
-                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
-                    do
-                        echo "retrying install..."
-                        try=$((try+1))
-                        sleep 10s
-                    done
-                    if [ "$try" -gt "$max_retries" ]; then
-                        echo "installing of nextcloud failed!"
-                        exit 1
-                    fi
-                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                        echo "setting trusted domains…"
-                        NC_TRUSTED_DOMAIN_IDX=1
-                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
-                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
-                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
-                        done
-                    fi
-                else
-                    echo "running web-based installer on first connect!"
-                fi
-            fi
-        #upgrade
-        else
-            run_as 'php /var/www/html/occ upgrade'
-
-            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-            echo "The following apps have been disabled:"
-            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-            rm -f /tmp/list_before /tmp/list_after
-
-        fi
-    fi
-fi
-
-exec "$@"

17.0/fpm/upgrade.exclude

@@ -1,5 +0,0 @@
-/config/
-/data/
-/custom_apps/
-/themes/
-/version.php

18.0/apache/config/apps.config.php

@@ -1,15 +0,0 @@
-<?php
-$CONFIG = array (
-  "apps_paths" => array (
-      0 => array (
-              "path"     => OC::$SERVERROOT."/apps",
-              "url"      => "/apps",
-              "writable" => false,
-      ),
-      1 => array (
-              "path"     => OC::$SERVERROOT."/custom_apps",
-              "url"      => "/custom_apps",
-              "writable" => true,
-      ),
-  ),
-);

18.0/apache/config/autoconfig.php

@@ -1,31 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
-        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
-    }
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-}

18.0/apache/config/redis.config.php

@@ -1,17 +0,0 @@
-<?php
-if (getenv('REDIS_HOST')) {
-  $CONFIG = array (
-    'memcache.distributed' => '\OC\Memcache\Redis',
-    'memcache.locking' => '\OC\Memcache\Redis',
-    'redis' => array(
-      'host' => getenv('REDIS_HOST'),
-      'password' => getenv('REDIS_HOST_PASSWORD'),
-    ),
-  );
-
-  if (getenv('REDIS_HOST_PORT') !== false) {
-    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
-  } elseif (getenv('REDIS_HOST')[0] != '/') {
-    $CONFIG['redis']['port'] = 6379;
-  }
-}

18.0/apache/config/reverse-proxy.config.php

@@ -1,25 +0,0 @@
-<?php
-$overwriteHost = getenv('OVERWRITEHOST');
-if ($overwriteHost) {
-  $CONFIG['overwritehost'] = $overwriteHost;
-}
-
-$overwriteProtocol = getenv('OVERWRITEPROTOCOL');
-if ($overwriteProtocol) {
-  $CONFIG['overwriteprotocol'] = $overwriteProtocol;
-}
-
-$overwriteWebRoot = getenv('OVERWRITEWEBROOT');
-if ($overwriteWebRoot) {
-  $CONFIG['overwritewebroot'] = $overwriteWebRoot;
-}
-
-$overwriteCondAddr = getenv('OVERWRITECONDADDR');
-if ($overwriteCondAddr) {
-  $CONFIG['overwritecondaddr'] = $overwriteCondAddr;
-}
-
-$trustedProxies = getenv('TRUSTED_PROXIES');
-if ($trustedProxies) {
-  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
-}

18.0/apache/config/smtp.config.php

@@ -1,15 +0,0 @@
-<?php
-if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
-  $CONFIG = array (
-    'mail_smtpmode' => 'smtp',
-    'mail_smtphost' => getenv('SMTP_HOST'),
-    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
-    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
-    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
-    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
-    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
-    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
-    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
-    'mail_domain' => getenv('MAIL_DOMAIN'),
-  );
-}