From 29c093afaec391e8eee896222aa733b9a7a9c9ae Mon Sep 17 00:00:00 2001
From: Alan Savage <3028205+asavageiv@users.noreply.github.com>
Date: Tue, 9 Sep 2025 14:44:23 -0700
Subject: [PATCH 1/3] Make secrets global and init on first use.

This allows all containers to use any secret declared anywhere in their placeholders but they will not be generated and written to the configuration until they are used.

Signed-off-by: Alan Savage <3028205+asavageiv@users.noreply.github.com>
---
 php/src/Container/Container.php | 6 ------
 php/src/ContainerDefinitionFetcher.php | 8 +++++---
 php/src/Data/ConfigurationManager.php | 14 +++++++++-----
 php/src/Docker/DockerActionManager.php | 14 +------------
 4 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/php/src/Container/Container.php b/php/src/Container/Container.php
index 77858283..baee1c00 100644
--- a/php/src/Container/Container.php
+++ b/php/src/Container/Container.php
@@ -19,8 +19,6 @@ readonly class Container {
 private ContainerEnvironmentVariables $containerEnvironmentVariables,
 /** @var string[] */
 private array $dependsOn,
- /** @var string[] */
- private array $secrets,
 private string $uiSecret,
 /** @var string[] */
 private array $devices,
@@ -82,10 +80,6 @@ readonly class Container {
 return $this->maxShutdownTime;
 }
 
- public function GetSecrets() : array {
- return $this->secrets;
- }
-
 public function GetUiSecret() : string {
 return $this->dockerActionManager->GetAndGenerateSecretWrapper($this->uiSecret);
 }
diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php
index 6809650c..a404e3a3 100644
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
@@ -239,9 +239,12 @@ readonly class ContainerDefinitionFetcher {
 $internalPort = $entry['internal_port'];
 }
 
- $secrets = [];
 if (isset($entry['secrets'])) {
- $secrets = $entry['secrets'];
+ // All secrets are registered with the configuration when they
+ // are discovered so they can be later generated at time-of-use.
+ foreach ($entry['secrets'] as $secret) {
+ $this->configurationManager->RegisterSecret($secret);
+ }
 }
 
 $uiSecret = '';
@@ -320,7 +323,6 @@ readonly class ContainerDefinitionFetcher {
 $volumes,
 $variables,
 $dependsOn,
- $secrets,
 $uiSecret,
 $devices,
 $enableNvidiaGpu,
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index 257e69d0..ceae13d0 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -7,6 +7,8 @@ use AIO\Controller\DockerController;
 
 class ConfigurationManager
 {
+ private array $secrets = [];
+
 public function GetConfig() : array
 {
 if(file_exists(DataConst::GetConfigFile()))
@@ -50,13 +52,15 @@ class ConfigurationManager
 return $config['secrets'][$secretId];
 }
 
- public function GetSecret(string $secretId) : string {
- $config = $this->GetConfig();
- if(!isset($config['secrets'][$secretId])) {
- $config['secrets'][$secretId] = "";
+ public function GetRegisteredSecret(string $secretId) : string {
+ if ($this->secrets[$secretId]) {
+ return $this->GetAndGenerateSecret($secretId);
 }
+ throw new \Exception("The secret " . $secretId . " was not registered. Please check if it is defined in secrets of containers.json.");
+ }
 
- return $config['secrets'][$secretId];
+ public function RegisterSecret(string $secretId) : void {
+ $this->secrets[$secretId] = true;
 }
 
 private function DoubleSafeBackupSecret(string $borgBackupPassword) : void {
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index f6ffbdc3..d46bc5c9 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
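Review bot: The comment added above the new foreach says the secrets are "registered with the configuration", but RegisterSecret, as introduced later in this patch, only sets `$this->secrets[$secretId] = true` in memory on that ConfigurationManager instance; nothing is written to the configuration file at this point, and the value is only generated when a placeholder first resolves it. I would reword it to `// Record the secret name in the ConfigurationManager's in-memory registry; its value is generated and persisted only when a placeholder first uses it.` That wording also makes the implicit requirement visible: the DockerActionManager that later calls GetRegisteredSecret must hold the same ConfigurationManager instance this fetcher registered into, otherwise every placeholder lookup throws "was not registered" — presumably the wiring guarantees this, but it cannot be seen from the hunk. The enclosing method starts and ends outside the hunk.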
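Review bot: `if ($this->secrets[$secretId])` in GetRegisteredSecret reads an array key that does not exist for any unregistered name, so on PHP 8 the "not registered" path first emits an "Undefined array key" warning and only then reaches the throw. Use `if (isset($this->secrets[$secretId])) {` (or `$this->secrets[$secretId] ?? false`) so a miss is silent and the exception alone carries the diagnostic. The `private array $secrets = [];` added in the first hunk of this file would also benefit from a shape docblock, since `array` alone says nothing about keys or values: `/** @var array<string, true> secret ids registered by ContainerDefinitionFetcher, keyed by id */`.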
@@ -221,10 +221,6 @@ readonly class DockerActionManager {
 $requestBody['HostConfig']['Binds'] = $volumes;
 }
 
- foreach ($container->GetSecrets() as $secret) {
- $this->configurationManager->GetAndGenerateSecret($secret);
- }
-
 $aioVariables = $container->GetAioVariables()->GetVariables();
 foreach ($aioVariables as $variable) {
 $config = $this->configurationManager->GetConfig();
@@ -566,18 +562,10 @@ readonly class DockerActionManager {
 // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
 'CADDY_IP_ADDRESS' => in_array('caddy', $this->configurationManager->GetEnabledCommunityContainers(), true) ? gethostbyname('nextcloud-aio-caddy') : '',
 'WHITEBOARD_ENABLED' => $this->configurationManager->isWhiteboardEnabled() ? 'yes' : '',
- default => $this->getSecretOrThrow($placeholder),
+ default => $this->configurationManager->GetRegisteredSecret($placeholder),
 };
 }
 
- private function getSecretOrThrow(string $secretName): string {
- $secret = $this->configurationManager->GetSecret($secretName);
- if ($secret === "") {
- throw new \Exception("The secret " . $secretName . " is empty. Cannot substitute its value. Please check if it is defined in secrets of containers.json.");
- }
- return $secret;
- }
-
 private function isContainerUpdateAvailable(string $id): string {
 $container = $this->containerDefinitionFetcher->GetContainerById($id);
 

From f87bd7ae450785e909ccbe65f2b2b55d24a4d600 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Sep 2025 04:21:22 +0000
Subject: [PATCH 2/3] build(deps): bump nats in /Containers/talk

Bumps nats from 2.11.8-scratch to 2.11.9-scratch.

---
updated-dependencies:
- dependency-name: nats
dependency-version: 2.11.9-scratch
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 Containers/talk/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
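Review bot: The new `default` arm drops the empty-value guard that the removed getSecretOrThrow enforced: GetRegisteredSecret returns whatever GetAndGenerateSecret yields, and if that can ever be `""` (the removed GetSecret returned `""` for an unknown id, which is exactly the case the guard caught), the empty string is now substituted into the container environment without any error. Unless GetAndGenerateSecret, which lies outside this hunk, guarantees a non-empty value, keep the check inside GetRegisteredSecret: `$secret = $this->GetAndGenerateSecret($secretId);` / `if ($secret === "") { throw new \Exception("The secret " . $secretId . " is empty. Cannot substitute its value."); }` / `return $secret;`. The method containing the match expression starts outside the hunk.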
diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile
index abe8dd7a..88a9cd1e 100644
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.11.8-scratch AS nats
+FROM nats:2.11.9-scratch AS nats
 FROM eturnal/eturnal:1.12.1 AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.0.4 AS signaling
 FROM alpine:3.22.1 AS janus

From 976db132e544bb39e9e120d7129d4c4349d0e030 Mon Sep 17 00:00:00 2001
From: szaimen <42591237+szaimen@users.noreply.github.com>
Date: Wed, 10 Sep 2025 12:03:42 +0000
Subject: [PATCH 3/3] Yaml updates

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 manual-install/latest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manual-install/latest.yml b/manual-install/latest.yml
index 236ab444..83bc1ef1 100644
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -255,7 +255,7 @@ services:
 expose:
 - "9980"
 environment:
- - aliasgroup1=https://${NC_DOMAIN}:443
+ - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
 - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
 - dictionaries=${COLLABORA_DICTIONARIES}
 - TZ=${TIMEZONE}