From 76f46a24b7904efc0c7c9248098d5067f6d4e98b Mon Sep 17 00:00:00 2001
From: szaimen <42591237+szaimen@users.noreply.github.com>
Date: Wed, 5 Nov 2025 12:03:46 +0000
Subject: [PATCH 1/8] Yaml updates
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 manual-install/latest.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/manual-install/latest.yml b/manual-install/latest.yml
index 83bc1ef1..730254fb 100644
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -256,7 +256,7 @@ services:
 - "9980"
 environment:
 - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
- - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+ - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
 - dictionaries=${COLLABORA_DICTIONARIES}
 - TZ=${TIMEZONE}
 - server_name=${NC_DOMAIN}
@@ -270,6 +270,9 @@ services:
 - SYS_CHROOT
 - FOWNER
 - CHOWN
+ - MAC_OVERRIDE
+ - BLOCK_SUSPEND
+ - AUDIT_READ
 cap_drop:
 - NET_RAW
From c57610b1b939188f02f84c06ece837a6fdae1355 Mon Sep 17 00:00:00 2001
From: szaimen <42591237+szaimen@users.noreply.github.com>
Date: Wed, 5 Nov 2025 12:11:43 +0000
Subject: [PATCH 2/8] watchtower-update automated change
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 Containers/watchtower/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containers/watchtower/Dockerfile b/Containers/watchtower/Dockerfile
index e3858248..46f16459 100644
--- a/Containers/watchtower/Dockerfile
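Review bot: The second hunk of manual-install/latest.yml adds `MAC_OVERRIDE`, `BLOCK_SUSPEND` and `AUDIT_READ` to `cap_add` for what looks like the Collabora service, and nothing in the hunk or the commit message says which component needs them. Each entry widens what a compromised process in that container may ask of the host kernel (`MAC_OVERRIDE` concerns mandatory access control, `AUDIT_READ` the kernel audit stream), so they should stay only if something fails without them. The first hunk also drops `--o:mount_jail_tree=false`; if the capabilities exist to support that, record it with a comment above the entries such as `# required by Collabora's mount-based jails`, or in the definition this file is generated from. The same two hunks appear again in PATCH 8/8.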
+++ b/Containers/watchtower/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
 FROM golang:1.25.3-alpine3.22 AS go
-ENV WATCHTOWER_COMMIT_HASH=v1.12.1
+ENV WATCHTOWER_COMMIT_HASH=9130559da17f882f2db4dbc2a3ed0425f41f25e4 # v1.12.1
 RUN set -ex; \
 apk upgrade --no-cache -a; \
From 29831f4e4b0bd65e175a67768342756cfc4365c0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 6 Nov 2025 04:16:23 +0000
Subject: [PATCH 3/8] build(deps): bump golang in /Containers/imaginary
Bumps golang from 1.25.3-alpine3.22 to 1.25.4-alpine3.22.
---
updated-dependencies:
- dependency-name: golang
dependency-version: 1.25.4-alpine3.22
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 Containers/imaginary/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containers/imaginary/Dockerfile b/Containers/imaginary/Dockerfile
index 47eccfad..6eeb4661 100644
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.3-alpine3.22 AS go
+FROM golang:1.25.4-alpine3.22 AS go
 ENV IMAGINARY_HASH=1d4e251cfcd58ea66f8361f8721d7b8cc85002a3
From 43a2b27180cac7f0f6cc935a8209af71ef4a04fe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 6 Nov 2025 04:16:29 +0000
Subject: [PATCH 4/8] build(deps): bump docker in /Containers/mastercontainer
Bumps docker from 28.5.1-cli to 28.5.2-cli.
---
updated-dependencies:
- dependency-name: docker
dependency-version: 28.5.2-cli
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 Containers/mastercontainer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile
index 20f22421..24b7cee0 100644
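Review bot: The trailing `# v1.12.1` on the new `ENV WATCHTOWER_COMMIT_HASH=…` line in Containers/watchtower/Dockerfile is not a comment, because Dockerfile syntax only recognises `#` at the start of a line and passes it to `ENV` as further arguments otherwise. That may fail the build or end up in the value, and this variable presumably selects the source revision that gets built. Keep the SHA pin but move the tag to its own line above it: `# v1.12.1` followed by `ENV WATCHTOWER_COMMIT_HASH=9130559da17f882f2db4dbc2a3ed0425f41f25e4`. The rest of the build stage lies outside the hunk.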
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:28.5.1-cli AS docker
+FROM docker:28.5.2-cli AS docker
 # Caddy is a requirement
 FROM caddy:2.10.2-alpine AS caddy
From 2da872244c995e71553a60373e772a474bdc412a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 6 Nov 2025 04:17:20 +0000
Subject: [PATCH 5/8] build(deps): bump golang in /Containers/watchtower
Bumps golang from 1.25.3-alpine3.22 to 1.25.4-alpine3.22.
---
updated-dependencies:
- dependency-name: golang
dependency-version: 1.25.4-alpine3.22
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 Containers/watchtower/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containers/watchtower/Dockerfile b/Containers/watchtower/Dockerfile
index 46f16459..fe3cca1e 100644
--- a/Containers/watchtower/Dockerfile
+++ b/Containers/watchtower/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.3-alpine3.22 AS go
+FROM golang:1.25.4-alpine3.22 AS go
 ENV WATCHTOWER_COMMIT_HASH=9130559da17f882f2db4dbc2a3ed0425f41f25e4 # v1.12.1
From 0a4258423857ed0746e8815f24be1c64f16eba94 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 6 Nov 2025 11:21:46 +0100
Subject: [PATCH 6/8] collabora: allow to use enterprise container image with support key
Signed-off-by: Simon L.
---
 Containers/collabora-online/Dockerfile | 15 +++++++++++++++
 Containers/collabora-online/healthcheck.sh | 7 +++++++
 nextcloud-aio-helm-chart/update-helm.sh | 15 +++++++++++++++
 php/containers.json | 2 +-
 php/src/ContainerDefinitionFetcher.php | 3 +++
 php/src/Data/ConfigurationManager.php | 7 +++++++
 6 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 Containers/collabora-online/Dockerfile
 create mode 100644 Containers/collabora-online/healthcheck.sh
diff --git a/Containers/collabora-online/Dockerfile b/Containers/collabora-online/Dockerfile
new file mode 100644
index 00000000..72f79928
--- /dev/null
+++ b/Containers/collabora-online/Dockerfile
@@ -0,0 +1,15 @@
+# syntax=docker/dockerfile:latest
+# From https://gitlab.collabora.com/collabora-online/docker
+# hadolint ignore=DL3007
+FROM registry.gitlab.collabora.com/collabora-online/docker:latest
+
+USER root
+ARG DEBIAN_FRONTEND=noninteractive
+
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
+USER 1001
+
+HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false" \
+ org.label-schema.vendor="Nextcloud"
diff --git a/Containers/collabora-online/healthcheck.sh b/Containers/collabora-online/healthcheck.sh
new file mode 100644
index 00000000..45e9278b
--- /dev/null
+++ b/Containers/collabora-online/healthcheck.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Unfortunately, no curl and no nc is installed in the container
+# and packages can also not be added as the package list is broken.
+# So always exiting 0 for now.
+# nc http://127.0.0.1:9980 || exit 1
+exit 0
diff --git a/nextcloud-aio-helm-chart/update-helm.sh b/nextcloud-aio-helm-chart/update-helm.sh
index d63dd39e..02428db8 100755
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
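Review bot: In Containers/collabora-online/Dockerfile the base image is pulled as `registry.gitlab.collabora.com/collabora-online/docker:latest` with the hadolint warning silenced, so every rebuild can pick up different upstream content without any change in this repository. Pinning by digest, `FROM registry.gitlab.collabora.com/collabora-online/docker:latest@sha256:<digest>`, keeps builds reproducible and turns upstream changes into reviewable bumps like the golang and docker ones elsewhere in this series. Separately, `COPY --chmod=775` leaves the health-check script group-writable; `--chmod=755` is enough for user 1001 to execute it. `USER root` and `ARG DEBIAN_FRONTEND=noninteractive` have no visible effect, since the file contains no `RUN` step.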
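Review bot: Containers/collabora-online/healthcheck.sh always exits 0, so the `HEALTHCHECK` declared in the accompanying Dockerfile reports the container healthy even when nothing is listening on port 9980, and anything that waits on the health status gets no signal. The script already runs under `/bin/bash`, so a TCP probe needs neither curl nor nc: replace `exit 0` with `(exec 3<>/dev/tcp/127.0.0.1/9980) 2>/dev/null || exit 1`, assuming the image's bash is built with network redirections. The commented-out `nc http://127.0.0.1:9980` would not have worked as written either, since nc takes a host and a port rather than a URL.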
@@ -343,6 +343,21 @@ EOL
 # shellcheck disable=SC1083
 find ./ -name '*talk-deployment.yaml' -exec sed -i "/^.*\- env:/r /tmp/additional-talk.config" \{} \;
+# Additional collabora config
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml' -exec sed -i "s/image: ghcr.io.*/IMAGE_PLACEHOLDER/" \{} \;
+cat << EOL > /tmp/additional-collabora.config
+ {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
+ image: ghcr.io/nextcloud-releases/aio-collabora-online:$DOCKER_TAG
+ {{- else }}
+ image: ghcr.io/nextcloud-releases/aio-collabora:$DOCKER_TAG
+ {{- end }}
+EOL
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml' -exec sed -i "/IMAGE_PLACEHOLDER/r /tmp/additional-collabora.config" \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml' -exec sed -i "/IMAGE_PLACEHOLDER/d" \{} \;
+
 cat << EOL > templates/nextcloud-aio-networkpolicy.yaml
 {{- if eq .Values.NETWORK_POLICY_ENABLED "yes" }}
 # https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/04-deny-traffic-from-other-namespaces.md
diff --git a/php/containers.json b/php/containers.json
index 1a775c98..df0e2d28 100644
--- a/php/containers.json
+++ b/php/containers.json
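Review bot: The generated template picks the image with a bare substring test, `contains "--o:support_key=" …`, so an option with an empty value, or that text appearing inside another option's value, switches the deployment to `aio-collabora-online`. `isCollaboraSubscriptionEnabled()` in php/src/Data/ConfigurationManager.php makes the same test with `str_contains`. Requiring a non-empty key in both places, for example `regexMatch "--o:support_key=\\S+"` in the template and `preg_match('/--o:support_key=\S+/', …) === 1` in PHP, avoids pulling a different image by accident. In the same hunk, `s/image: ghcr.io.*/IMAGE_PLACEHOLDER/` rewrites every ghcr.io image line in the collabora deployment; anchoring the pattern to the `aio-collabora:` image would keep it from touching an init container or sidecar if one is ever added.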
@@ -380,7 +380,7 @@
 "internal_port": "9980",
 "environment": [
 "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache:23973",
- "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+ "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
 "dictionaries=%COLLABORA_DICTIONARIES%",
 "TZ=%TIMEZONE%",
 "server_name=%NC_DOMAIN%",
diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php
index 2ea04d82..7b092e45 100644
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
@@ -67,6 +67,9 @@ readonly class ContainerDefinitionFetcher {
 if (!$this->configurationManager->isCollaboraEnabled()) {
 continue;
 }
+ if ($this->configurationManager->isCollaboraSubscriptionEnabled()) {
+ $entry['image'] = 'ghcr.io/nextcloud-releases/aio-collabora-online';
+ }
 } elseif ($entry['container_name'] === 'nextcloud-aio-talk') {
 if (!$this->configurationManager->isTalkEnabled()) {
 continue;
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index 50937222..58962248 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
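Review bot: The override `$entry['image'] = 'ghcr.io/nextcloud-releases/aio-collabora-online';` in php/src/ContainerDefinitionFetcher.php carries no comment, and the image name is a string literal that also lives in nextcloud-aio-helm-chart/update-helm.sh, so the two can drift apart. A one-line comment above the assignment, such as `// A configured support key selects the enterprise image instead of the one in the container definition`, would tell the reader why the definition is rewritten at fetch time. The enclosing loop starts and ends outside the hunk.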
@@ -978,6 +978,13 @@ class ConfigurationManager
 return $config['collabora_additional_options'];
 }
+ public function isCollaboraSubscriptionEnabled() : bool {
+ if (str_contains($this->GetAdditionalCollaboraOptions(), '--o:support_key=')) {
+ return true;
+ }
+ return false;
+ }
+
 public function DeleteAdditionalCollaboraOptions() : void {
 $config = $this->GetConfig();
 $config['collabora_additional_options'] = '';
From a7b9c95c6c5262cefadfefb031e3efe50f0bede8 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 6 Nov 2025 11:40:14 +0100
Subject: [PATCH 7/8] borg-init: remove unnecessary delete logic
Signed-off-by: Simon L.
---
 Containers/borgbackup/backupscript.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/Containers/borgbackup/backupscript.sh b/Containers/borgbackup/backupscript.sh
index 41c05724..50815f38 100644
--- a/Containers/borgbackup/backupscript.sh
+++ b/Containers/borgbackup/backupscript.sh
@@ -138,11 +138,6 @@ if [ "$BORG_MODE" = backup ]; then
 NEW_REPOSITORY=1
 if ! borg init --debug --encryption=repokey-blake2; then
 echo "Could not initialize borg repository."
- if [ -z "$BORG_REMOTE_REPO" ]; then
- # Originally we checked for presence of the config file instead of calling `borg info`. Likely `borg info`
- # will error on a partially initialized repo, so this line is probably no longer necessary
- rm -f "$BORG_BACKUP_DIRECTORY/config"
- fi
 exit 1
 fi
From 7f70cca4e2b1814bbb77b5901a611f906c3e5ae0 Mon Sep 17 00:00:00 2001
From: szaimen <42591237+szaimen@users.noreply.github.com>
Date: Thu, 6 Nov 2025 12:03:46 +0000
Subject: [PATCH 8/8] Yaml updates
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 manual-install/latest.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/manual-install/latest.yml b/manual-install/latest.yml
index 83bc1ef1..0192fc84 100644
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -256,7 +256,7 @@ services:
 - "9980"
 environment:
 - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
- - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+ - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
 - dictionaries=${COLLABORA_DICTIONARIES}
 - TZ=${TIMEZONE}
 - server_name=${NC_DOMAIN}
@@ -270,6 +270,9 @@ services:
 - SYS_CHROOT
 - FOWNER
 - CHOWN
+ - MAC_OVERRIDE
+ - BLOCK_SUSPEND
+ - AUDIT_READ
 cap_drop:
 - NET_RAW