Merge pull request #4325 from nextcloud/enh/2591/add-imaginary-key

secure imaginary with imaginary_key
2025-12-20 06:26:57 +00:00 · 2024-03-04 12:05:35 +01:00 · 2024-03-04 12:05:35 +01:00 · 78b0e0042b
commit 78b0e0042b
parent 6bc2d1d6ae fd3f6d9018
4 changed files with 22 additions and 6 deletions
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
 FROM golang:1.22.0-alpine3.18 as go

-ENV IMAGINARY_HASH 6cd9edd1d3fb151eb773c14552886e4fc8e50138
+ENV IMAGINARY_HASH 6cd9edd1d3fb151eb773c14552886e4fc8e50138

 RUN set -ex; \
    apk add --no-cache \
@ -23,9 +23,11 @@ RUN set -ex; \
        vips-magick \
        vips-heif \
        vips-jxl \
-        vips-poppler
+        vips-poppler \
+        bash

 COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
+COPY --chmod=775 start.sh /start.sh

 ENV PORT 9000

@ -33,7 +35,7 @@ USER nobody

 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
-ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
+ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/imaginary/start.sh
+++ b/Containers/imaginary/start.sh
@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ -z "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
+else
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
+fi
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@ -703,6 +703,7 @@ fi
 if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
    php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
    php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
+    php /var/www/html/occ config:system:set preview_imaginary_key --value="$IMAGINARY_SECRET"
 else
    if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
        php /var/www/html/occ config:system:delete enabledPreviewProviders 0
--- a/php/containers.json
+++ b/php/containers.json
@ -146,7 +146,8 @@
        "NEXTCLOUD_PASSWORD",
        "TURN_SECRET",
        "SIGNALING_SECRET",
-        "FULLTEXTSEARCH_PASSWORD"
+        "FULLTEXTSEARCH_PASSWORD",
+        "IMAGINARY_SECRET"
      ],
      "volumes": [
        {
@ -220,7 +221,8 @@
        "APACHE_PORT=%APACHE_PORT%",
        "APACHE_IP_BINDING=%APACHE_IP_BINDING%",
        "ADDITIONAL_TRUSTED_PROXY=%CADDY_IP_ADDRESS%",
-        "THIS_IS_AIO=true"
+        "THIS_IS_AIO=true",
+        "IMAGINARY_SECRET=%IMAGINARY_SECRET%"
      ],
      "stop_grace_period": 600,
      "restart": "unless-stopped",
@ -646,7 +648,8 @@
      ],
      "internal_port": "9000",
      "environment": [
-        "TZ=%TIMEZONE%"
+        "TZ=%TIMEZONE%",
+        "IMAGINARY_SECRET=%IMAGINARY_SECRET%"
      ],
      "restart": "unless-stopped",
      "cap_add": [
@ -664,6 +667,9 @@
      "read_only": true,
      "tmpfs": [
        "/tmp"
+      ],
+      "secrets": [
+        "IMAGINARY_SECRET"
      ]
    },
    {