infra: Update to 32.0.1 and sync with other changes.

Author: intersectRaven

Dockerfile

@@ -1,5 +1,5 @@
 # DO NOT EDIT: created by update.sh from Dockerfile-debian.template
-FROM php:8.0-apache-bullseye
+FROM php:8.4-apache-trixie
 
 # entrypoint.sh and cron.sh dependencies
 RUN set -ex; \
@@ -9,9 +9,12 @@ RUN set -ex; \
         rsync \
         bzip2 \
         busybox-static \
+        ghostscript \
+        imagemagick \
         libldap-common \
+        libmagickcore-7.q16-10-extra \
     ; \
-    rm -rf /var/lib/apt/lists/*; \
+    apt-get dist-clean; \
     \
     mkdir -p /var/spool/cron/crontabs; \
     echo '*/5 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
@@ -24,6 +27,8 @@ RUN chmod +x /usr/local/bin/install-php-extensions && sync
 
 ENV PHP_MEMORY_LIMIT 512M
 ENV PHP_UPLOAD_LIMIT 512M
+ENV PHP_OPCACHE_MEMORY_CONSUMPTION 128
+ENV IPE_GD_WITHOUTAVIF 1
 RUN set -ex; \
     \
     install-php-extensions \
@@ -32,6 +37,7 @@ RUN set -ex; \
         exif \
         gd \
         gmp \
+        igbinary \
         imagick \
         intl \
         ldap \
@@ -41,41 +47,88 @@ RUN set -ex; \
         pdo_mysql \
         pdo_pgsql \
         redis \
+        sysvsem \
         zip \
     ;
 
+# trust all ldap certificates
+RUN { \
+        echo 'TLS_REQCERT allow'; \
+    } >> /etc/ldap/ldap.conf
+
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
 RUN { \
-        echo 'opcache.interned_strings_buffer=16'; \
-        echo 'opcache.revalidate_freq=5'; \
-        echo 'opcache.jit_buffer_size=100M'; \
-    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
+        echo 'opcache.enable=1'; \
+        echo 'opcache.interned_strings_buffer=32'; \
+        echo 'opcache.jit=1255'; \
+        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.max_accelerated_files=10000'; \
+        echo 'opcache.memory_consumption=${PHP_OPCACHE_MEMORY_CONSUMPTION}'; \
+        echo 'opcache.revalidate_freq=60'; \
+        echo 'opcache.save_comments=1'; \
+    } > "${PHP_INI_DIR}/conf.d/opcache-recommended.ini"; \
     \
-    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    { \
+        echo 'apc.enable_cli=1'; \
+        echo 'apc.shm_size=128M'; \
+    } >> "${PHP_INI_DIR}/conf.d/docker-php-ext-apcu.ini"; \
     \
     { \
+        echo 'always_populate_raw_post_data=-1'; \
+        echo 'default_socket_timeout=600'; \
+        echo 'max_execution_time=300'; \
+        echo 'max_input_time=300'; \
         echo 'memory_limit=${PHP_MEMORY_LIMIT}'; \
-        echo 'upload_max_filesize=${PHP_UPLOAD_LIMIT}'; \
+        echo 'output_buffering=0'; \
         echo 'post_max_size=${PHP_UPLOAD_LIMIT}'; \
-    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
+        echo 'upload_max_filesize=${PHP_UPLOAD_LIMIT}'; \
+    } > "${PHP_INI_DIR}/conf.d/nextcloud.ini"; \
+    \
+    { \
+        echo 'apc.serializer=igbinary'; \
+        echo 'session.serialize_handler=igbinary'; \
+    } >> "${PHP_INI_DIR}/conf.d/docker-php-ext-igbinary.ini"; \
+    \
+    { \
+        echo 'redis.session.locking_enabled = 1'; \
+        echo 'redis.session.lock_retries = -1'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
+        echo 'session.gc_maxlifetime = 86400'; \
+    } > "${PHP_INI_DIR}/conf.d/redis-session.ini"; \
     \
     mkdir /var/www/data; \
+    mkdir -p /docker-entrypoint-hooks.d/pre-installation \
+             /docker-entrypoint-hooks.d/post-installation \
+             /docker-entrypoint-hooks.d/pre-upgrade \
+             /docker-entrypoint-hooks.d/post-upgrade \
+             /docker-entrypoint-hooks.d/before-starting; \
     chown -R www-data:root /var/www; \
     chmod -R g=u /var/www
 
+# set ImageMagick policy
+RUN sed -i'' 's|.*<policy domain="coder".*"PDF".*|  <policy domain="coder" rights="read \| write" pattern="PDF" />|g' \
+    /etc/ImageMagick-7/policy.xml
+
 VOLUME /var/www/html
 
-RUN a2enmod headers rewrite remoteip ;\
-    {\
-     echo RemoteIPHeader X-Real-IP ;\
-     echo RemoteIPTrustedProxy 10.0.0.0/8 ;\
-     echo RemoteIPTrustedProxy 172.16.0.0/12 ;\
-     echo RemoteIPTrustedProxy 192.168.0.0/16 ;\
-    } > /etc/apache2/conf-available/remoteip.conf;\
+RUN a2enmod headers rewrite remoteip ; \
+    { \
+     echo 'RemoteIPHeader X-Real-IP'; \
+     echo 'RemoteIPInternalProxy 10.0.0.0/8'; \
+     echo 'RemoteIPInternalProxy 172.16.0.0/12'; \
+     echo 'RemoteIPInternalProxy 192.168.0.0/16'; \
+    } > /etc/apache2/conf-available/remoteip.conf; \
     a2enconf remoteip
 
-ENV NEXTCLOUD_VERSION 23.0.3
+# set apache config LimitRequestBody
+ENV APACHE_BODY_LIMIT 1073741824
+RUN { \
+     echo 'LimitRequestBody ${APACHE_BODY_LIMIT}'; \
+    } > /etc/apache2/conf-available/apache-limits.conf; \
+    a2enconf apache-limits
+
+ENV NEXTCLOUD_VERSION 32.0.1
 
 RUN set -ex; \
     fetchDeps=" \
@@ -112,8 +165,7 @@ CMD ["apache2-foreground"]
 
 RUN apt-get update && apt-get install -y \
     supervisor \
-  && rm -rf /var/lib/apt/lists/* \
-  && mkdir /var/log/supervisord /var/run/supervisord
+  && rm -rf /var/lib/apt/lists/*
 
 COPY supervisord.conf /
 

config/redis.config.php

@@ -5,7 +5,7 @@
     'memcache.locking' => '\OC\Memcache\Redis',
     'redis' => array(
       'host' => getenv('REDIS_HOST'),
-      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
+      'password' => getenv('REDIS_HOST_PASSWORD_FILE') ? trim(file_get_contents(getenv('REDIS_HOST_PASSWORD_FILE'))) : (string) getenv('REDIS_HOST_PASSWORD'),
     ),
   );
 
@@ -14,4 +14,8 @@
   } elseif (getenv('REDIS_HOST')[0] != '/') {
     $CONFIG['redis']['port'] = 6379;
   }
+
+  if (getenv('REDIS_HOST_USER') !== false) {
+    $CONFIG['redis']['user'] = (string) getenv('REDIS_HOST_USER');
+  }
 }

config/reverse-proxy.config.php

@@ -9,6 +9,11 @@
   $CONFIG['overwriteprotocol'] = $overwriteProtocol;
 }
 
+$overwriteCliUrl = getenv('OVERWRITECLIURL');
+if ($overwriteCliUrl) {
+  $CONFIG['overwrite.cli.url'] = $overwriteCliUrl;
+}
+
 $overwriteWebRoot = getenv('OVERWRITEWEBROOT');
 if ($overwriteWebRoot) {
   $CONFIG['overwritewebroot'] = $overwriteWebRoot;
@@ -23,3 +28,8 @@
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

config/s3.config.php

@@ -9,19 +9,40 @@
       'class' => '\OC\Files\ObjectStore\S3',
       'arguments' => array(
         'bucket' => getenv('OBJECTSTORE_S3_BUCKET'),
-        'key' => getenv('OBJECTSTORE_S3_KEY') ?: '',
-        'secret' => getenv('OBJECTSTORE_S3_SECRET') ?: '',
         'region' => getenv('OBJECTSTORE_S3_REGION') ?: '',
         'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '',
         'port' => getenv('OBJECTSTORE_S3_PORT') ?: '',
+        'storageClass' => getenv('OBJECTSTORE_S3_STORAGE_CLASS') ?: '',
         'objectPrefix' => getenv("OBJECTSTORE_S3_OBJECT_PREFIX") ? getenv("OBJECTSTORE_S3_OBJECT_PREFIX") : "urn:oid:",
-        'autocreate' => (strtolower($autocreate) === 'false' || $autocreate == false) ? false : true,
-        'use_ssl' => (strtolower($use_ssl) === 'false' || $use_ssl == false) ? false : true,
+        'autocreate' => strtolower($autocreate) !== 'false',
+        'use_ssl' => strtolower($use_ssl) !== 'false',
         // required for some non Amazon S3 implementations
         'use_path_style' => $use_path == true && strtolower($use_path) !== 'false',
         // required for older protocol versions
         'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false'
       )
     )
   );
-} 
+
+  if (getenv('OBJECTSTORE_S3_KEY_FILE')) {
+    $CONFIG['objectstore']['arguments']['key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_KEY_FILE')));
+  } elseif (getenv('OBJECTSTORE_S3_KEY')) {
+    $CONFIG['objectstore']['arguments']['key'] = getenv('OBJECTSTORE_S3_KEY');
+  } else {
+    $CONFIG['objectstore']['arguments']['key'] = '';
+  }
+
+  if (getenv('OBJECTSTORE_S3_SECRET_FILE')) {
+    $CONFIG['objectstore']['arguments']['secret'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SECRET_FILE')));
+  } elseif (getenv('OBJECTSTORE_S3_SECRET')) {
+    $CONFIG['objectstore']['arguments']['secret'] = getenv('OBJECTSTORE_S3_SECRET');
+  } else {
+    $CONFIG['objectstore']['arguments']['secret'] = '';
+  }
+
+  if (getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE')) {
+    $CONFIG['objectstore']['arguments']['sse_c_key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE')));
+  } elseif (getenv('OBJECTSTORE_S3_SSE_C_KEY')) {
+    $CONFIG['objectstore']['arguments']['sse_c_key'] = getenv('OBJECTSTORE_S3_SSE_C_KEY');
+  }
+}

config/smtp.config.php

@@ -5,14 +5,14 @@
     'mail_smtphost' => getenv('SMTP_HOST'),
     'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
     'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
-    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauth' => getenv('SMTP_NAME') && (getenv('SMTP_PASSWORD') || getenv('SMTP_PASSWORD_FILE')),
     'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
     'mail_smtpname' => getenv('SMTP_NAME') ?: '',
     'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
     'mail_domain' => getenv('MAIL_DOMAIN'),
   );
 
-  if (getenv('SMTP_PASSWORD_FILE') && file_exists(getenv('SMTP_PASSWORD_FILE'))) {
+  if (getenv('SMTP_PASSWORD_FILE')) {
       $CONFIG['mail_smtppassword'] = trim(file_get_contents(getenv('SMTP_PASSWORD_FILE')));
   } elseif (getenv('SMTP_PASSWORD')) {
       $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD');

config/upgrade-disable-web.config.php

@@ -0,0 +1,4 @@
+<?php
+$CONFIG = array (
+  'upgrade.disable-web' => true,
+);

cron.sh

@@ -1,4 +1,4 @@
 #!/bin/sh
 set -eu
 
-exec busybox crond -f -l 0 -L /dev/stdout
+exec busybox crond -f -L /dev/stdout