From 8edda7ae6082a5aa0b435a1985565cb87b086094 Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 14:36:12 +0300 Subject: [PATCH 1/7] nextcloud: allow setting different internal/private collabora url --- ix-dev/test/nextcloud/app.yaml | 2 +- ix-dev/test/nextcloud/questions.yaml | 11 +++++++++++ ix-dev/test/nextcloud/templates/docker-compose.yaml | 1 + .../nextcloud/templates/test_values/basic-values.yaml | 1 + 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ix-dev/test/nextcloud/app.yaml b/ix-dev/test/nextcloud/app.yaml index 8a2c6401b2c..ccbff21cc2f 100644 --- a/ix-dev/test/nextcloud/app.yaml +++ b/ix-dev/test/nextcloud/app.yaml @@ -70,4 +70,4 @@ sources: - https://hub.docker.com/r/ixsystems/nextcloud-notify-push title: Nextcloud train: test -version: 1.0.30 +version: 1.0.31 diff --git a/ix-dev/test/nextcloud/questions.yaml b/ix-dev/test/nextcloud/questions.yaml index fbbb4bad6b0..374b0c86fd0 100644 --- a/ix-dev/test/nextcloud/questions.yaml +++ b/ix-dev/test/nextcloud/questions.yaml @@ -458,6 +458,17 @@ questions: type: string show_if: [["enabled", "=", true]] required: true + - variable: internal_url + label: Internal URL + description: | + The internal URL to use for Collabora.
+ This URL needs to be accessible from the Nextcloud container.
+ But not required to be accessible from the outside (ie clients).
+ schema: + type: string + show_if: [["enabled", "=", true]] + default: http://host.docker.internal:9980 + required: true - variable: allowlist label: Allowlist description: | diff --git a/ix-dev/test/nextcloud/templates/docker-compose.yaml b/ix-dev/test/nextcloud/templates/docker-compose.yaml index bcea5bd5f4f..0b8540ffb56 100644 --- a/ix-dev/test/nextcloud/templates/docker-compose.yaml +++ b/ix-dev/test/nextcloud/templates/docker-compose.yaml @@ -122,6 +122,7 @@ {% do nc_container.environment.add_env("IX_COLLABORA", values.nextcloud.collabora.enabled) %} {% if values.nextcloud.collabora.enabled %} {% do nc_container.environment.add_env("IX_COLLABORA_URL", values.nextcloud.collabora.url) %} + {% do nc_container.environment.add_env("IX_COLLABORA_INTERNAL_URL", values.nextcloud.collabora.internal_url) %} {% do nc_container.environment.add_env("IX_COLLABORA_ALLOWLIST", values.nextcloud.collabora.allowlist | join(" ")) %} {% endif %} diff --git a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml index a549cf92624..0b76e2f5b43 100644 --- a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml @@ -77,6 +77,7 @@ nextcloud: collabora: enabled: false url: http://collabora.example.com + internal_url: http://collabora:9980 allowlist: - 0.0.0.0/0 From f523250f6bad8b4e0cc16009ccc1598f7cee5913 Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 15:44:56 +0300 Subject: [PATCH 2/7] initial talk --- .github/renovate-config.js | 5 +++- cspell.config.yaml | 1 + ix-dev/test/nextcloud/ix_values.yaml | 25 ++++++++++++------- .../nextcloud/templates/docker-compose.yaml | 24 ++++++++++++++++++ .../nextcloud/templates/macros/nginx.conf | 20 +++++++++++++++ .../templates/test_values/basic-values.yaml | 17 ++++++++++--- 6 files changed, 78 insertions(+), 14 deletions(-) 
diff --git a/.github/renovate-config.js b/.github/renovate-config.js index 203de8bf3a9..a098d213965 100644 --- a/.github/renovate-config.js +++ b/.github/renovate-config.js @@ -179,7 +179,10 @@ module.exports = { customVersioning( // 20250122_091948 {year}{month}{day}_{build} "^(?\\d{4})(?\\d{2})(?\\d{2})_(?\\d+)$", - ["ghcr.io/nextcloud-releases/aio-imaginary"] + [ + "ghcr.io/nextcloud-releases/aio-imaginary", + "ghcr.io/nextcloud-releases/aio-talk", + ] ), customVersioning( // 2024.10.22-7ca5933 diff --git a/cspell.config.yaml b/cspell.config.yaml index f28fc141fd6..8600e18010d 100644 --- a/cspell.config.yaml +++ b/cspell.config.yaml @@ -362,6 +362,7 @@ words: - storjlabs - strato - subquestions + - supervisord - syncthing - sysadminsmedia - sysctls diff --git a/ix-dev/test/nextcloud/ix_values.yaml b/ix-dev/test/nextcloud/ix_values.yaml index 81da3a16539..5c194b0191a 100644 --- a/ix-dev/test/nextcloud/ix_values.yaml +++ b/ix-dev/test/nextcloud/ix_values.yaml @@ -2,21 +2,24 @@ images: image: repository: ixsystems/nextcloud-fpm tag: 31.0.6-fpm-7e93480c - notify_push_image: - repository: ixsystems/nextcloud-notify-push - tag: 1.1.0-25d76a32 nginx_image: repository: nginxinc/nginx-unprivileged tag: 1.29.0 - postgres_17_image: - repository: postgres - tag: "17.5" - redis_image: - repository: bitnami/redis - tag: 8.0.2 + notify_push_image: + repository: ixsystems/nextcloud-notify-push + tag: 1.1.0-25d76a32 + talk_image: + repository: ghcr.io/nextcloud-releases/aio-talk + tag: "20250701_092737" imaginary_image: repository: ghcr.io/nextcloud-releases/aio-imaginary tag: "20250619_082329" + redis_image: + repository: bitnami/redis + tag: 8.0.2 + postgres_17_image: + repository: postgres + tag: "17.5" postgres_upgrade_image: repository: ixsystems/postgres-upgrade tag: 1.0.2 
@@ -30,11 +33,15 @@ consts: nginx_container_name: nginx imaginary_container_name: imaginary notify_push_container_name: notify-push + talk_container_name: talk + db_user: nextcloud db_name: nextcloud + internal_nextcloud_port: 9000 internal_imaginary_port: 9000 internal_notify_push_port: 7867 + internal_talk_signaling_port: 8081 html_path: /var/www/html data_path: /nc-data diff --git a/ix-dev/test/nextcloud/templates/docker-compose.yaml b/ix-dev/test/nextcloud/templates/docker-compose.yaml index 0b8540ffb56..01f17d09f5c 100644 --- a/ix-dev/test/nextcloud/templates/docker-compose.yaml +++ b/ix-dev/test/nextcloud/templates/docker-compose.yaml @@ -190,6 +190,8 @@ {% if values.nextcloud.previews.enabled and values.nextcloud.previews.imaginary.enabled %} {% set imaginary_container = tpl.add_container(values.consts.imaginary_container_name, "imaginary_image") %} {% do imaginary_container.set_user(values.run_as.user, values.run_as.group) %} + {% do imaginary_container.set_init(true) %} + {% do imaginary_container.set_read_only(true) %} {% do imaginary_container.healthcheck.set_test("wget", {"port": values.consts.internal_imaginary_port, "path": "/health"}) %} {% do imaginary_container.set_entrypoint([ "imaginary", @@ -207,6 +209,7 @@ {% if values.nextcloud.notify_push.enabled %} {% set notify_push_container = tpl.add_container(values.consts.notify_push_container_name, "notify_push_image") %} {% do notify_push_container.set_user(values.run_as.user, values.run_as.group) %} + {% do notify_push_container.set_read_only(true) %} {% do notify_push_container.healthcheck.set_test("curl", { "port": values.consts.internal_notify_push_port, "path": "/push/test/cookie", "headers": [("Host", "docker.internal.healthcheck")] 
@@ -221,6 +224,27 @@ {% do nc_container.environment.add_env("IX_NOTIFY_PUSH_ENDPOINT", "%s://%s/push" | format(ext_protocol, ext_host_port.x)) %} {% endif %} +{# -- Talk -- #} +{% if values.nextcloud.talk.enabled %} + {% set talk_container = tpl.add_container(values.consts.talk_container_name, "talk_image") %} + {% do talk_container.set_user(values.run_as.user, values.run_as.group) %} + {% do talk_container.healthcheck.set_custom_test(["CMD", "/healthcheck.sh"]) %} + {% do talk_container.set_init(true) %} + {% do talk_container.set_read_only(true) %} + {% do talk_container.environment.add_env("NC_DOMAIN", ext_host_port.x) %} + {% do talk_container.environment.add_env("TALK_HOST", values.consts.talk_container_name) %} + {% do talk_container.environment.add_env("TALK_PORT", values.network.talk_port.port_number) %} + {% do talk_container.environment.add_env("TURN_SECRET", values.nextcloud.talk.turn_secret) %} + {% do talk_container.environment.add_env("INTERNAL_SECRET", values.nextcloud.talk.internal_secret) %} + {% do talk_container.environment.add_env("SIGNALING_SECRET", values.nextcloud.talk.signaling_secret) %} + + {% do talk_container.add_port(values.network.talk_port) %} + {% do talk_container.add_port(values.network.talk_port, {"protocol": "udp"}) %} + {% for dir in ["/var/log/supervisord", "/var/run/supervisord", "/opt/eturnal/run", "/conf", "/tmp"] %} + {% do talk_container.add_storage(dir, {"type": "tmpfs"}) %} + {% endfor %} +{% endif %} + {% if perm_container.has_actions() %} {% do perm_container.activate() %} {% do nc_container.depends.add_dependency(values.consts.perms_container_name, "service_completed_successfully") %} diff --git a/ix-dev/test/nextcloud/templates/macros/nginx.conf b/ix-dev/test/nextcloud/templates/macros/nginx.conf index 3216df23dc1..5686be6f9ab 100644 --- a/ix-dev/test/nextcloud/templates/macros/nginx.conf +++ b/ix-dev/test/nextcloud/templates/macros/nginx.conf 
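Review bot: The three Talk secrets go straight from `values.nextcloud.talk.*` into `TURN_SECRET`, `INTERNAL_SECRET` and `SIGNALING_SECRET` with no check that they are set, so an empty value would still render and start the container. A guard before `tpl.add_container`, using the failure helper that appears later in this series, would catch that: `{% if not values.nextcloud.talk.turn_secret %}{% do tpl.funcs.fail("Talk TURN secret must be set") %}{% endif %}`, repeated for the other two. No `questions.yaml` entry for these fields is visible in the series, so whether they will be marked private or given a minimum length cannot be confirmed from here. The same block publishes `values.network.talk_port` on both TCP and UDP, so these secrets are presumably the main control on an externally reachable port and deserve the check.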
@@ -151,6 +151,26 @@ http { } {%- endif %} + {%- if values.nextcloud.talk.enabled %} + location /standalone-signaling/ { + proxy_pass {{ "http://%s:%d/" | format(values.consts.talk_container_name, values.consts.internal_talk_port) }}; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /standalone-signaling/spreed { + proxy_pass {{ "http://%s:%d/spreed" | format(values.consts.talk_container_name, values.consts.internal_talk_port) }}; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + {%- endif %} + # Make a regex exception for `/.well-known` so that clients can still # access it despite the existence of the regex rule # `location ~ /(\.|autotest|...)` which would otherwise handle requests diff --git a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml index 0b76e2f5b43..3739822a463 100644 --- a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml @@ -23,7 +23,7 @@ nextcloud: php_memory_limit_mb: 512 urls: protocol: http - host: 10.20.30.6 + host: 127.0.0.1 external_port: null trusted_domains: - cloud.example.com @@ -95,6 +95,12 @@ nextcloud: file_max_size: -1 infected_action: only_log + talk: + enabled: true + turn_secret: random_string_of_characters + signaling_secret: random_string_of_characters + internal_secret: random_string_of_characters + additional_envs: [] run_as: 
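Review bot: Both new `location` blocks set `X-Forwarded-For` to `$proxy_add_x_forwarded_for`, which appends the peer address to whatever `X-Forwarded-For` value the client sent, so the signaling backend receives a partly client-controlled list. If this nginx is the first hop and the backend uses that header for logging, rate limiting or an allow-list, `proxy_set_header X-Forwarded-For $remote_addr;` is the safer form; a trusted proxy in front is not visible from this hunk, and in that case the current line may be intended. The `/standalone-signaling/spreed` block also carries long-lived WebSocket connections without a `proxy_read_timeout`, so idle sessions are cut at nginx's default unless it is raised elsewhere in the file. A short comment above the two blocks saying which one handles the WebSocket upgrade, and why both are needed, would help the next reader.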
@@ -105,12 +111,15 @@ network: web_port: bind_mode: published port_number: 8080 + talk_port: + bind_mode: published + port_number: 8082 certificate_id: ix_volumes: - postgres_data: /mnt/data/test/postgres_data - nextcloud-data: /mnt/data/test/nextcloud-data - nextcloud-html: /mnt/data/test/nextcloud-html + postgres_data: /opt/tests/mnt/nextcloud/postgres_data + nextcloud-data: /opt/tests/mnt/nextcloud/nextcloud-data + nextcloud-html: /opt/tests/mnt/nextcloud/nextcloud-html storage: data: From 11e59553bab26025cb4a996f1734b6ffb2a1389a Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 17:46:04 +0300 Subject: [PATCH 3/7] more fixes --- ix-dev/test/nextcloud/templates/docker-compose.yaml | 12 ++++++++++++ ix-dev/test/nextcloud/templates/macros/nginx.conf | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ix-dev/test/nextcloud/templates/docker-compose.yaml b/ix-dev/test/nextcloud/templates/docker-compose.yaml index 01f17d09f5c..f94d542a77e 100644 --- a/ix-dev/test/nextcloud/templates/docker-compose.yaml +++ b/ix-dev/test/nextcloud/templates/docker-compose.yaml @@ -225,7 +225,12 @@ {% endif %} {# -- Talk -- #} +{% do nc_container.environment.add_env("IX_TALK", values.nextcloud.talk.enabled) %} {% if values.nextcloud.talk.enabled %} + {% if values.nextcloud.urls.protocol != "https" %} + {% do tpl.funcs.fail("Nextcloud URL Protocol must be set to HTTPS for talk to work") %} + {% endif %} + {% set talk_container = tpl.add_container(values.consts.talk_container_name, "talk_image") %} {% do talk_container.set_user(values.run_as.user, values.run_as.group) %} {% do talk_container.healthcheck.set_custom_test(["CMD", "/healthcheck.sh"]) %} 
@@ -243,6 +248,13 @@ {% for dir in ["/var/log/supervisord", "/var/run/supervisord", "/opt/eturnal/run", "/conf", "/tmp"] %} {% do talk_container.add_storage(dir, {"type": "tmpfs"}) %} {% endfor %} + + {% do nc_container.environment.add_env("NX_TALK_SIGNALING_SECRET", values.nextcloud.talk.signaling_secret) %} + {% do nc_container.environment.add_env("NX_TALK_TURN_SECRET", values.nextcloud.talk.turn_secret) %} + {% do nc_container.environment.add_env("NX_TALK_SIGNALING_SERVER", ext_host_port.x) %} + {% do nc_container.environment.add_env("NX_TALK_SIGNALING_SERVER_VERIFY", true) %} + {% do nc_container.environment.add_env("NX_TALK_STUN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} + {% do nc_container.environment.add_env("NX_TALK_TURN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} {% endif %} {% if perm_container.has_actions() %} diff --git a/ix-dev/test/nextcloud/templates/macros/nginx.conf b/ix-dev/test/nextcloud/templates/macros/nginx.conf index 5686be6f9ab..5bc2c1da8d5 100644 --- a/ix-dev/test/nextcloud/templates/macros/nginx.conf +++ b/ix-dev/test/nextcloud/templates/macros/nginx.conf @@ -153,7 +153,7 @@ http { {%- if values.nextcloud.talk.enabled %} location /standalone-signaling/ { - proxy_pass {{ "http://%s:%d/" | format(values.consts.talk_container_name, values.consts.internal_talk_port) }}; + proxy_pass {{ "http://%s:%d/" | format(values.consts.talk_container_name, values.consts.internal_talk_signaling_port) }}; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
@@ -161,7 +161,7 @@ http { } location /standalone-signaling/spreed { - proxy_pass {{ "http://%s:%d/spreed" | format(values.consts.talk_container_name, values.consts.internal_talk_port) }}; + proxy_pass {{ "http://%s:%d/spreed" | format(values.consts.talk_container_name, values.consts.internal_talk_signaling_port) }}; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; From abb4334295eee1f155b92f0dd58376114ce12cb6 Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 17:46:26 +0300 Subject: [PATCH 4/7] correct --- .../nextcloud/templates/docker-compose.yaml | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/ix-dev/test/nextcloud/templates/docker-compose.yaml b/ix-dev/test/nextcloud/templates/docker-compose.yaml index f94d542a77e..e0a918581a1 100644 --- a/ix-dev/test/nextcloud/templates/docker-compose.yaml +++ b/ix-dev/test/nextcloud/templates/docker-compose.yaml @@ -1,4 +1,4 @@ -{% from "macros/nginx.conf" import nginx_conf, nginx_headers %} +{% from "macros/nginx.conf" import ngiIx_conf, ngiIx_headers %} {% from "macros/crontasks" import crontasks %} {% from "macros/tune.ini" import php_tune_ini, redis_session, opcache_recommended %} {% from "macros/builder.jinja" import builder %} 
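Review bot: The import line now asks `macros/nginx.conf` for `ngiIx_conf` and `ngiIx_headers`, but nothing in this commit renames those macros, so the template would presumably fail to render at this commit. The same substitution reaches the hunks at `-154,30` and `-216,7`, where `values.consts.ngiIx_container_name` and the `"ngiIx_image"` key replace names that `ix_values.yaml` still defines as `nginx_container_name` and `nginx_image`. This looks like collateral from the `NX_TALK_*` to `IX_TALK_*` rename in the last hunk of this file; restricting the replacement to that prefix, or squashing this commit with the follow-up that restores the names, keeps every commit in the series renderable.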
@@ -154,30 +154,30 @@ {% endfor %} {# -- Nginx -- #} -{% set nginx_container = tpl.add_container(values.consts.nginx_container_name, "nginx_image") %} -{% do nginx_container.set_user(values.run_as.user, values.run_as.group) %} -{% do nginx_container.healthcheck.set_test("curl", { +{% set ngiIx_container = tpl.add_container(values.consts.ngiIx_container_name, "ngiIx_image") %} +{% do ngiIx_container.set_user(values.run_as.user, values.run_as.group) %} +{% do ngiIx_container.healthcheck.set_test("curl", { "port": values.network.web_port.port_number, "path": "/status.php", "scheme": "https" if values.network.certificate_id else "http", "headers": [("Host", "docker.internal.healthcheck")] }) %} -{% do nginx_container.configs.add("nginx.conf", nginx_conf(values), "/etc/nginx/nginx.conf") %} -{% do nginx_container.configs.add("nginx_headers.conf", nginx_headers(values), "/etc/nginx/nginx-headers.conf") %} -{% do nginx_container.depends.add_dependency(values.consts.nextcloud_container_name, "service_healthy") %} +{% do ngiIx_container.configs.add("nginx.conf", ngiIx_conf(values), "/etc/nginx/nginx.conf") %} +{% do ngiIx_container.configs.add("ngiIx_headers.conf", ngiIx_headers(values), "/etc/nginx/nginx-headers.conf") %} +{% do ngiIx_container.depends.add_dependency(values.consts.nextcloud_container_name, "service_healthy") %} {% if values.network.certificate_id %} {% set cert = values.ix_certificates[values.network.certificate_id] %} - {% do nginx_container.configs.add("private", cert.privatekey, values.consts.ssl_key_path) %} - {% do nginx_container.configs.add("public", cert.certificate, values.consts.ssl_cert_path) %} + {% do ngiIx_container.configs.add("private", cert.privatekey, values.consts.ssl_key_path) %} + {% do ngiIx_container.configs.add("public", cert.certificate, values.consts.ssl_cert_path) %} {% endif %} -{% do nginx_container.add_port(values.network.web_port) %} -{% do nginx_container.add_storage(values.consts.html_path, dict(values.storage.html, 
**{"read_only": true})) %} +{% do ngiIx_container.add_port(values.network.web_port) %} +{% do ngiIx_container.add_storage(values.consts.html_path, dict(values.storage.html, **{"read_only": true})) %} {# -- Cron -- #} {% set cron_container = tpl.add_container(values.consts.cron_container_name, "image") %} {% do cron_container.set_user(values.run_as.user, values.run_as.group) %} {% do cron_container.healthcheck.disable() %} {% do cron_container.set_entrypoint(["/cron.sh"]) %} -{% do cron_container.depends.add_dependency(values.consts.nginx_container_name, "service_healthy") %} +{% do cron_container.depends.add_dependency(values.consts.ngiIx_container_name, "service_healthy") %} {% do cron_container.configs.add("crontasks", crontasks(values.nextcloud.cron.tasks), "/crontasks") %} {% do cron_container.add_storage(values.consts.html_path, values.storage.html) %} {% do cron_container.add_storage(values.consts.data_path, values.storage.data) %} @@ -216,7 +216,7 @@ }) %} {% do notify_push_container.environment.add_env("NEXTCLOUD_URL", "%s://%s:%s" | format( "https" if values.network.certificate_id else "http", - values.consts.nginx_container_name, values.network.web_port.port_number + values.consts.ngiIx_container_name, values.network.web_port.port_number )) %} {% do notify_push_container.environment.add_env("CONFIG_FILE", "%s/config/config.php" | format(values.consts.html_path)) %} {% do notify_push_container.depends.add_dependency(values.consts.nextcloud_container_name, "service_healthy") %} 
@@ -249,12 +249,12 @@ {% do talk_container.add_storage(dir, {"type": "tmpfs"}) %} {% endfor %} - {% do nc_container.environment.add_env("NX_TALK_SIGNALING_SECRET", values.nextcloud.talk.signaling_secret) %} - {% do nc_container.environment.add_env("NX_TALK_TURN_SECRET", values.nextcloud.talk.turn_secret) %} - {% do nc_container.environment.add_env("NX_TALK_SIGNALING_SERVER", ext_host_port.x) %} - {% do nc_container.environment.add_env("NX_TALK_SIGNALING_SERVER_VERIFY", true) %} - {% do nc_container.environment.add_env("NX_TALK_STUN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} - {% do nc_container.environment.add_env("NX_TALK_TURN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} + {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SECRET", values.nextcloud.talk.signaling_secret) %} + {% do nc_container.environment.add_env("IX_TALK_TURN_SECRET", values.nextcloud.talk.turn_secret) %} + {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SERVER", ext_host_port.x) %} + {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SERVER_VERIFY", true) %} + {% do nc_container.environment.add_env("IX_TALK_STUN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} + {% do nc_container.environment.add_env("IX_TALK_TURN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} {% endif %} {% if perm_container.has_actions() %} From 50cbcaf9665e15d4968eefcefc239b7e2fdbdcd1 Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 18:20:09 +0300 Subject: [PATCH 5/7] fix few thinmgs --- .../nextcloud/templates/docker-compose.yaml | 45 ++++++++++--------- .../templates/test_values/basic-values.yaml | 7 +-- 2 files changed, 29 insertions(+), 23 deletions(-) 
diff --git a/ix-dev/test/nextcloud/templates/docker-compose.yaml b/ix-dev/test/nextcloud/templates/docker-compose.yaml index e0a918581a1..610a9751c6c 100644 --- a/ix-dev/test/nextcloud/templates/docker-compose.yaml +++ b/ix-dev/test/nextcloud/templates/docker-compose.yaml @@ -1,4 +1,4 @@ -{% from "macros/nginx.conf" import ngiIx_conf, ngiIx_headers %} +{% from "macros/nginx.conf" import nginx_conf, nginx_headers %} {% from "macros/crontasks" import crontasks %} {% from "macros/tune.ini" import php_tune_ini, redis_session, opcache_recommended %} {% from "macros/builder.jinja" import builder %} 
@@ -154,30 +154,30 @@ {% endfor %} {# -- Nginx -- #} -{% set ngiIx_container = tpl.add_container(values.consts.ngiIx_container_name, "ngiIx_image") %} -{% do ngiIx_container.set_user(values.run_as.user, values.run_as.group) %} -{% do ngiIx_container.healthcheck.set_test("curl", { +{% set nginx_container = tpl.add_container(values.consts.nginx_container_name, "nginx_image") %} +{% do nginx_container.set_user(values.run_as.user, values.run_as.group) %} +{% do nginx_container.healthcheck.set_test("curl", { "port": values.network.web_port.port_number, "path": "/status.php", "scheme": "https" if values.network.certificate_id else "http", "headers": [("Host", "docker.internal.healthcheck")] }) %} -{% do ngiIx_container.configs.add("nginx.conf", ngiIx_conf(values), "/etc/nginx/nginx.conf") %} -{% do ngiIx_container.configs.add("ngiIx_headers.conf", ngiIx_headers(values), "/etc/nginx/nginx-headers.conf") %} -{% do ngiIx_container.depends.add_dependency(values.consts.nextcloud_container_name, "service_healthy") %} +{% do nginx_container.configs.add("nginx.conf", nginx_conf(values), "/etc/nginx/nginx.conf") %} +{% do nginx_container.configs.add("nginx_headers.conf", nginx_headers(values), "/etc/nginx/nginx-headers.conf") %} +{% do nginx_container.depends.add_dependency(values.consts.nextcloud_container_name, "service_healthy") %} {% if values.network.certificate_id %} {% set cert = values.ix_certificates[values.network.certificate_id] %} - {% do ngiIx_container.configs.add("private", cert.privatekey, values.consts.ssl_key_path) %} - {% do ngiIx_container.configs.add("public", cert.certificate, values.consts.ssl_cert_path) %} + {% do nginx_container.configs.add("private", cert.privatekey, values.consts.ssl_key_path) %} + {% do nginx_container.configs.add("public", cert.certificate, values.consts.ssl_cert_path) %} {% endif %} -{% do ngiIx_container.add_port(values.network.web_port) %} -{% do ngiIx_container.add_storage(values.consts.html_path, dict(values.storage.html, 
**{"read_only": true})) %} +{% do nginx_container.add_port(values.network.web_port) %} +{% do nginx_container.add_storage(values.consts.html_path, dict(values.storage.html, **{"read_only": true})) %} {# -- Cron -- #} {% set cron_container = tpl.add_container(values.consts.cron_container_name, "image") %} {% do cron_container.set_user(values.run_as.user, values.run_as.group) %} {% do cron_container.healthcheck.disable() %} {% do cron_container.set_entrypoint(["/cron.sh"]) %} -{% do cron_container.depends.add_dependency(values.consts.ngiIx_container_name, "service_healthy") %} +{% do cron_container.depends.add_dependency(values.consts.nginx_container_name, "service_healthy") %} {% do cron_container.configs.add("crontasks", crontasks(values.nextcloud.cron.tasks), "/crontasks") %} {% do cron_container.add_storage(values.consts.html_path, values.storage.html) %} {% do cron_container.add_storage(values.consts.data_path, values.storage.data) %} @@ -216,7 +216,7 @@ }) %} {% do notify_push_container.environment.add_env("NEXTCLOUD_URL", "%s://%s:%s" | format( "https" if values.network.certificate_id else "http", - values.consts.ngiIx_container_name, values.network.web_port.port_number + values.consts.nginx_container_name, values.network.web_port.port_number )) %} {% do notify_push_container.environment.add_env("CONFIG_FILE", "%s/config/config.php" | format(values.consts.html_path)) %} {% do notify_push_container.depends.add_dependency(values.consts.nextcloud_container_name, "service_healthy") %} 
@@ -230,6 +230,9 @@ {% if values.nextcloud.urls.protocol != "https" %} {% do tpl.funcs.fail("Nextcloud URL Protocol must be set to HTTPS for talk to work") %} {% endif %} + {% if not values.nextcloud.urls.is_cert_valid %} + {% do tpl.funcs.fail("Nextcloud URL Certificate must be valid for talk to work") %} + {% endif %} {% set talk_container = tpl.add_container(values.consts.talk_container_name, "talk_image") %} {% do talk_container.set_user(values.run_as.user, values.run_as.group) %} 
@@ -245,16 +248,18 @@ {% do talk_container.add_port(values.network.talk_port) %} {% do talk_container.add_port(values.network.talk_port, {"protocol": "udp"}) %} - {% for dir in ["/var/log/supervisord", "/var/run/supervisord", "/opt/eturnal/run", "/conf", "/tmp"] %} - {% do talk_container.add_storage(dir, {"type": "tmpfs"}) %} - {% endfor %} + {% do talk_container.add_storage("/var/log/supervisord", {"type": "tmpfs"}) %} + {% do talk_container.add_storage("/var/run/supervisord", {"type": "tmpfs"}) %} + {% do talk_container.add_storage("/opt/eturnal/run", {"type": "tmpfs"}) %} + {% do talk_container.add_storage("/conf", {"type": "tmpfs"}) %} + {% do talk_container.add_storage("/tmp", {"type": "tmpfs"}) %} {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SECRET", values.nextcloud.talk.signaling_secret) %} {% do nc_container.environment.add_env("IX_TALK_TURN_SECRET", values.nextcloud.talk.turn_secret) %} - {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SERVER", ext_host_port.x) %} - {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SERVER_VERIFY", true) %} - {% do nc_container.environment.add_env("IX_TALK_STUN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} - {% do nc_container.environment.add_env("IX_TALK_TURN_SERVER", "%s:%d"|format(values.consts.talk_container_name, values.network.talk_port.port_number)) %} + {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SERVER", "%s/standalone-signaling/" | format(ext_host_port.x)) %} + {% do nc_container.environment.add_env("IX_TALK_SIGNALING_SERVER_VERIFY", values.nextcloud.urls.is_cert_valid) %} + {% do nc_container.environment.add_env("IX_TALK_STUN_SERVERS", "%s:%d"|format(values.nextcloud.urls.host, values.network.talk_port.port_number)) %} + {% do nc_container.environment.add_env("IX_TALK_TURN_SERVER", "%s:%d"|format(values.nextcloud.urls.host, values.network.talk_port.port_number)) %} {% endif %} {% if perm_container.has_actions() %} 
diff --git a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml index 3739822a463..3dcfe8d96bf 100644 --- a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml @@ -22,8 +22,9 @@ nextcloud: php_upload_limit_gb: 3 php_memory_limit_mb: 512 urls: - protocol: http - host: 127.0.0.1 + protocol: https + host: 10.20.30.6 + is_cert_valid: true external_port: null trusted_domains: - cloud.example.com @@ -114,7 +115,7 @@ network: talk_port: bind_mode: published port_number: 8082 - certificate_id: + certificate_id: null ix_volumes: postgres_data: /opt/tests/mnt/nextcloud/postgres_data From bea5440a75bbe84346f39dc81e7557ce2c687abb Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 18:27:44 +0300 Subject: [PATCH 6/7] clean --- .github/scripts/ci.py | 13 ++++++++++++- ix-dev/test/nextcloud/ix_values.yaml | 7 +++++-- .../templates/test_values/basic-values.yaml | 10 +++++----- .../templates/test_values/build-values.yaml | 9 +++++++++ .../templates/test_values/https-values.yaml | 10 ++++++++++ 5 files changed, 41 insertions(+), 8 deletions(-) diff --git a/.github/scripts/ci.py b/.github/scripts/ci.py index 3159339f15c..9d45f26921d 100755 --- a/.github/scripts/ci.py +++ b/.github/scripts/ci.py @@ -62,6 +62,11 @@ def parse_args(): type=bool, help="Wait for user input before stopping the app", ) + parser.add_argument( + "--run-host", + required=False, + help="Run the app on the specified docker host", + ) parsed = parser.parse_args() return { @@ -72,6 +77,7 @@ def parse_args(): "render_only_debug": parsed.render_only_debug, "project": secrets.token_hex(16), "wait": parsed.wait, + "run_host": parsed.run_host, } 
@@ -84,6 +90,8 @@ def print_info(): print_stderr(f" - render-only: [{args['render_only']}]") print_stderr(f" - render-only-debug: [{args['render_only_debug']}]") print_stderr(f" - wait: [{args['wait']}]") + if args["run_host"] is not None: + print_stderr(f" - run-host: [{args['run_host']}]") def command_exists(command): @@ -100,12 +108,15 @@ def check_required_commands(): def get_base_cmd(): rendered_compose = "templates/rendered/docker-compose.yaml" - return " ".join( + cmd = " ".join( [ f"docker compose -p {args['project']} -f", f"ix-dev/{args['train']}/{args['app']}/{rendered_compose}", ] ) + if args["run_host"] is not None: + cmd = f"DOCKER_HOST={args['run_host']} {cmd}" + return cmd def pull_app_catalog_container(): diff --git a/ix-dev/test/nextcloud/ix_values.yaml b/ix-dev/test/nextcloud/ix_values.yaml index 5c194b0191a..1d2363dd7a8 100644 --- a/ix-dev/test/nextcloud/ix_values.yaml +++ b/ix-dev/test/nextcloud/ix_values.yaml @@ -1,7 +1,10 @@ images: + # image: + # repository: ixsystems/nextcloud-fpm + # tag: 31.0.6-fpm-7e93480c image: - repository: ixsystems/nextcloud-fpm - tag: 31.0.6-fpm-7e93480c + repository: ghcr.io/stavros-k/nextcloud-fpm + tag: 31.0.6-fpm nginx_image: repository: nginxinc/nginx-unprivileged tag: 1.29.0 diff --git a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml index 3dcfe8d96bf..59780212f44 100644 --- a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml @@ -22,9 +22,9 @@ nextcloud: php_upload_limit_gb: 3 php_memory_limit_mb: 512 urls: - protocol: https - host: 10.20.30.6 - is_cert_valid: true + protocol: http + host: localhost + is_cert_valid: false external_port: null trusted_domains: - cloud.example.com 
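Review bot: In `get_base_cmd` the `--run-host` value is interpolated unquoted into a command string as `DOCKER_HOST={args['run_host']} {cmd}`, so a value containing spaces or shell metacharacters changes the command if this string is later run through a shell; how it is executed is outside the hunk. Quoting it closes that gap: `cmd = f"DOCKER_HOST={shlex.quote(args['run_host'])} {cmd}"`, which needs `import shlex` at the top of the file. Passing the host through the `env` argument of the subprocess call would avoid building the string altogether, if the callers allow it. The `help` text could also name the accepted forms, for example `ssh://user@host` (constructed example).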
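Review bot: The main `image` entry is switched from `ixsystems/nextcloud-fpm` to `ghcr.io/stavros-k/nextcloud-fpm` with the tag `31.0.6-fpm`, which drops the commit suffix the previous tag carried (`31.0.6-fpm-7e93480c`), so the tag can presumably be re-pushed with different content. If this is a temporary build for testing Talk, a comment such as `# TEMP: personal build for Talk testing, restore ixsystems/nextcloud-fpm before merge` would keep it from shipping; the commented-out block alone does not say that. Whether Renovate tracks the new repository is not visible in this series.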
@@ -97,7 +97,7 @@ nextcloud: infected_action: only_log talk: - enabled: true + enabled: fales turn_secret: random_string_of_characters signaling_secret: random_string_of_characters internal_secret: random_string_of_characters @@ -113,7 +113,7 @@ network: bind_mode: published port_number: 8080 talk_port: - bind_mode: published + bind_mode: "" port_number: 8082 certificate_id: null diff --git a/ix-dev/test/nextcloud/templates/test_values/build-values.yaml b/ix-dev/test/nextcloud/templates/test_values/build-values.yaml index 413b663a62a..66fc38394e7 100644 --- a/ix-dev/test/nextcloud/templates/test_values/build-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/build-values.yaml @@ -95,6 +95,12 @@ nextcloud: file_max_size: -1 infected_action: only_log + talk: + enabled: false + turn_secret: random_string_of_characters + signaling_secret: random_string_of_characters + internal_secret: random_string_of_characters + additional_envs: [] run_as: @@ -105,6 +111,9 @@ network: web_port: bind_mode: published port_number: 8080 + talk_port: + bind_mode: "" + port_number: 8082 certificate_id: ix_volumes: diff --git a/ix-dev/test/nextcloud/templates/test_values/https-values.yaml b/ix-dev/test/nextcloud/templates/test_values/https-values.yaml index 1326bf3aab6..3d5badbd0cd 100644 --- a/ix-dev/test/nextcloud/templates/test_values/https-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/https-values.yaml @@ -25,6 +25,7 @@ nextcloud: urls: protocol: http host: localhost + is_cert_valid: true external_port: null trusted_domains: - cloud.example.com @@ -95,6 +96,12 @@ nextcloud: file_max_size: -1 infected_action: only_log + talk: + enabled: true + turn_secret: random_string_of_characters + signaling_secret: random_string_of_characters + internal_secret: random_string_of_characters + additional_envs: [] run_as: 
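Review bot: `https-values.yaml` now sets `talk.enabled: true` while the context of its first hunk still shows `urls.protocol: http`, and the template guard added earlier in this series fails with "Nextcloud URL Protocol must be set to HTTPS for talk to work" in that combination. Unless something outside these hunks overrides the protocol, this test file would stop rendering; `protocol: https` in the `urls` block would match the file's purpose and the `certificate_id: "2"` it already uses. The three secrets are placeholder strings, which is fine for a test fixture as long as the same values are not copied into defaults.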
@@ -105,6 +112,9 @@ network: web_port: bind_mode: published port_number: 8080 + talk_port: + bind_mode: published + port_number: 8082 certificate_id: "2" ix_volumes: From 1d4408fcdad3194de2b33c0b139ec7062f0f2109 Mon Sep 17 00:00:00 2001 From: Stavros Kois Date: Tue, 1 Jul 2025 18:29:57 +0300 Subject: [PATCH 7/7] typo --- ix-dev/test/nextcloud/templates/test_values/basic-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml index 59780212f44..a455208f66b 100644 --- a/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml +++ b/ix-dev/test/nextcloud/templates/test_values/basic-values.yaml @@ -97,7 +97,7 @@ nextcloud: infected_action: only_log talk: - enabled: fales + enabled: false turn_secret: random_string_of_characters signaling_secret: random_string_of_characters internal_secret: random_string_of_characters