Merge pull request #1020 from tilosp/bot/update

Add nextcloud 16.0.9RC1, 17.0.4RC1 and 18.0.2RC1

.config/autoconfig.php

@@ -23,12 +23,9 @@ if (getenv('SQLITE_DATABASE')) {
 }
 
 if ($autoconfig_enabled) {
-    $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: "";
+    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
+        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
+    }
 
     $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-
-    if (getenv('NEXTCLOUD_ADMIN_USER') && getenv('NEXTCLOUD_ADMIN_PASSWORD')) {
-        $AUTOCONFIG["adminlogin"] = getenv('NEXTCLOUD_ADMIN_USER');
-        $AUTOCONFIG["adminpass"] = getenv('NEXTCLOUD_ADMIN_PASSWORD');
-    }
 }

.config/redis.config.php

@@ -0,0 +1,17 @@
+<?php
+if (getenv('REDIS_HOST')) {
+  $CONFIG = array (
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis' => array(
+      'host' => getenv('REDIS_HOST'),
+      'password' => getenv('REDIS_HOST_PASSWORD'),
+    ),
+  );
+
+  if (getenv('REDIS_HOST_PORT') !== false) {
+    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
+  } elseif (getenv('REDIS_HOST')[0] != '/') {
+    $CONFIG['redis']['port'] = 6379;
+  }
+}

.config/smtp.config.php

@@ -0,0 +1,15 @@
+<?php
+if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
+  $CONFIG = array (
+    'mail_smtpmode' => 'smtp',
+    'mail_smtphost' => getenv('SMTP_HOST'),
+    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
+    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+    'mail_domain' => getenv('MAIL_DOMAIN'),
+  );
+}

.examples/README.md

@@ -13,7 +13,7 @@ The Dockerfiles use the default images as base image and build on top of it.
 
 Example | Description
 ------- | -------
-[cron](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron) | uses supervisor to run the cron job inside the container (so no extra container is needed).
+[cron](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron) | uses supervisor to run the cron job inside the container (so no extra container is needed). This image runs `supervisord` to start nextcloud and cron as two seperate processes inside the container.
 [imap](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/imap) | adds dependencies required to authenticate users via imap
 [smb](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/smb) | adds dependencies required to use smb shares
 [full](https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/full) | adds dependencies for ALL optional packages and cron functionality via supervisor (as in the `cron` example Dockerfile).
@@ -21,49 +21,46 @@ Example | Description
 ### full
 The `full` Dockerfile example adds dependencies for all optional packages suggested by nextcloud that may be needed for some features (e.g. Video Preview Generation), as stated in the [Administration Manual](https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html).
 
-NOTE: The Dockerfile does not install the LibreOffice package (line is commented), because it would increase the generated Image size by approximately 500 MB. In order to install it, simply uncomment the 13th line of the Dockerfile.</br>
+NOTE: The Dockerfile does not install the LibreOffice package (line is commented), because it would increase the generated Image size by approximately 500 MB. In order to install it, simply uncomment the appropriate line in the Dockerfile.
 
-NOTE: Per default, only previews for BMP, GIF, JPEG, MarkDown, MP3, PNG, TXT, and XBitmap Files are generated. The configuration of the preview generation can be done in config.php, as explained in the [Administration Manual](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/config_sample_php_parameters.html#previews)</br>
+NOTE: Per default, only previews for BMP, GIF, JPEG, MarkDown, MP3, PNG, TXT, and XBitmap Files are generated. The configuration of the preview generation can be done in config.php, as explained in the [Administration Manual](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/config_sample_php_parameters.html#previews)
 
-NOTE: Nextcloud recommends [disabling preview generation](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html?highlight=enabledpreviewproviders#disable-preview-image-generation) for high security deployments, as preview generation opens your nextcloud instance to new possible attack vectors.</br>
+NOTE: Nextcloud recommends [disabling preview generation](https://docs.nextcloud.com/server/12/admin_manual/configuration_server/harden_server.html?highlight=enabledpreviewproviders#disable-preview-image-generation) for high security deployments, as preview generation opens your nextcloud instance to new possible attack vectors.
 
-The required steps for each optional/recommended package that is not already in the Nextcloud image are listed here, so that the Dockerfile can easily be modified to only install the needed extra packages. Simply remove the steps for the unwanted packages  from the Dockerfile.
+The required steps for each optional/recommended package that is not already in the Nextcloud image are listed here, so that the Dockerfile can easily be modified to only install the needed extra packages. Simply remove the steps for the unwanted packages from the Dockerfile.
 
 #### PHP Module bz2
-`docker-php-ext-install bz2` </br>
-
-#### PHP Module imagick
-`apt install libmagickwand-dev` </br>
-`pecl install imagick` </br>
-`docker-php-ext-enable imagick` </br>
+`docker-php-ext-install bz2`
 
 #### PHP Module imap
-`apt install libc-client-dev libkrb5-dev` </br>
-`docker-php-ext-configure imap --with-kerberos --with-imap-ssl` </br>
-`docker-php-ext-install imap` </br>
+`apt install libc-client-dev libkrb5-dev`
+`docker-php-ext-configure imap --with-kerberos --with-imap-ssl`
+`docker-php-ext-install imap`
 
 #### PHP Module gmp
-`apt install libgmp3-dev` </br>
-`docker-php-ext-install gmp` </br>
+`apt install libgmp3-dev`
+`docker-php-ext-install gmp`
 
 #### PHP Module smbclient
-`apt install smbclient libsmbclient-dev` </br>
-`pecl install smbclient` </br>
-`docker-php-ext-enable smbclient` </br>
+`apt install smbclient libsmbclient-dev`
+`pecl install smbclient`
+`docker-php-ext-enable smbclient`
 
 #### ffmpeg
-`echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list` </br>
-`apt install ffmpeg` </br>
+`apt install ffmpeg`
+
+#### imagemagick SVG support
+`apt install libmagickcore-6.q16-6-extra`
 
 #### LibreOffice
-`apt install LibreOffice` </br>
+`apt install libreoffice`
 
 #### CRON via supervisor
-`apt install supervisor` </br>
-`mkdir /var/log/supervisord /var/run/supervisord` </br>
-The following Dockerfile commands are also necessary for a sucessfull cron installation: </br>
-`COPY supervisord.conf /etc/supervisor/supervisord.conf` </br>
-`CMD ["/usr/bin/supervisord"]` </br>
+`apt install supervisor`
+`mkdir /var/log/supervisord /var/run/supervisord`
+The following Dockerfile commands are also necessary for a sucessfull cron installation:
+`COPY supervisord.conf /etc/supervisor/supervisord.conf`
+`CMD ["/usr/bin/supervisord"]`
 
 
 
@@ -92,9 +89,12 @@ If you want to update your installation to a newer version of nextcloud, repeat
 
 ### with-nginx-proxy
 The nginx proxy adds a proxy layer between nextcloud and the internet. The proxy is designed to serve multiple sites on the same host machine.
+
 The advantage in adding this layer is the ability to add a container for [Let's Encrypt](https://letsencrypt.org/) certificate handling.
 This combination of the [jwilder/nginx-proxy](https://github.com/jwilder/nginx-proxy) and [jrcs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) containers creates a fully automated https encryption of the nextcloud installation without worrying about certificate generation, validation or renewal.
 
+**This setup only works with a valid domain name on a server that is reachable from the internet.**
+
 To use this example complete the following steps:
 
 1. open `docker-compose.yml`

.examples/docker-compose/insecure/mariadb-cron-redis/apache/app/Dockerfile

@@ -1,3 +0,0 @@
-FROM nextcloud:apache
-
-COPY redis.config.php /usr/src/nextcloud/config/redis.config.php

.examples/docker-compose/insecure/mariadb-cron-redis/apache/app/redis.config.php

@@ -1,8 +0,0 @@
-<?php
-$CONFIG = array (
-  'memcache.locking' => '\OC\Memcache\Redis',
-  'redis' => array(
-    'host' => 'redis',
-    'port' => 6379,
-  ),
-);

.examples/docker-compose/insecure/mariadb-cron-redis/apache/docker-compose.yml

@@ -13,11 +13,11 @@ services:
       - db.env
 
   redis:
-    image: redis
+    image: redis:alpine
     restart: always
 
   app:
-    build: ./app
+    image: nextcloud:apache
     restart: always
     ports:
       - 8080:80
@@ -25,6 +25,7 @@ services:
       - nextcloud:/var/www/html
     environment:
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
@@ -32,7 +33,7 @@ services:
       - redis
 
   cron:
-    build: ./app
+    image: nextcloud:apache
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/app/Dockerfile

@@ -1,3 +0,0 @@
-FROM nextcloud:fpm
-
-COPY redis.config.php /usr/src/nextcloud/config/redis.config.php

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/app/redis.config.php

@@ -1,8 +0,0 @@
-<?php
-$CONFIG = array (
-  'memcache.locking' => '\OC\Memcache\Redis',
-  'redis' => array(
-    'host' => 'redis',
-    'port' => 6379,
-  ),
-);

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/docker-compose.yml

@@ -13,16 +13,17 @@ services:
       - db.env
 
   redis:
-    image: redis
+    image: redis:alpine
     restart: always
 
   app:
-    build: ./app
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html
     environment:
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
@@ -40,7 +41,7 @@ services:
       - app
 
   cron:
-    build: ./app
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx
+FROM nginx:alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/insecure/mariadb-cron-redis/fpm/web/nginx.conf

@@ -1,5 +1,4 @@
-user  www-data;
-worker_processes  1;
+worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -37,20 +36,25 @@ http {
         # Add headers to serve security related headers
         # Before enabling Strict-Transport-Security headers please read into this
         # topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        # includeSubDomains; preload;";
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         #
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
 
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
         root /var/www/html;
 
         location = /robots.txt {
@@ -62,14 +66,18 @@ http {
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-        # last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 
         location = /.well-known/carddav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
+
         location = /.well-known/caldav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
 
         # set max upload size
@@ -89,66 +97,72 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
             deny all;
         }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        # Adding the cache control header for js and css files
+        # Adding the cache control header for js, css and map files
         # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff|svg|gif)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463";
             # Add headers to serve security related headers (It is intended to
             # have those duplicated to the ones above)
             # Before enabling Strict-Transport-Security headers please read into
             # this topic first.
-            # add_header Strict-Transport-Security "max-age=15768000;
-            #  includeSubDomains; preload;";
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
             #
             # WARNING: Only add the preload option once you read about
             # the consequences in https://hstspreload.org/. This option
             # will add the domain to a hardcoded list that is shipped
             # in all major browsers and getting removed from this list
             # could take several months.
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
             # Optional: Don't log access to assets
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
             # Optional: Don't log access to other assets
             access_log off;
         }
     }
-
 }

.examples/docker-compose/insecure/mariadb/fpm/docker-compose.yml

@@ -13,7 +13,7 @@ services:
       - db.env
 
   app:
-    image: nextcloud:fpm
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/insecure/mariadb/fpm/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx
+FROM nginx:alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf

@@ -1,5 +1,4 @@
-user  www-data;
-worker_processes  1;
+worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -37,20 +36,25 @@ http {
         # Add headers to serve security related headers
         # Before enabling Strict-Transport-Security headers please read into this
         # topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        # includeSubDomains; preload;";
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         #
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
 
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
         root /var/www/html;
 
         location = /robots.txt {
@@ -62,14 +66,18 @@ http {
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-        # last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 
         location = /.well-known/carddav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
+
         location = /.well-known/caldav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
 
         # set max upload size
@@ -89,66 +97,72 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
             deny all;
         }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        # Adding the cache control header for js and css files
+        # Adding the cache control header for js, css and map files
         # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff|svg|gif)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463";
             # Add headers to serve security related headers (It is intended to
             # have those duplicated to the ones above)
             # Before enabling Strict-Transport-Security headers please read into
             # this topic first.
-            # add_header Strict-Transport-Security "max-age=15768000;
-            #  includeSubDomains; preload;";
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
             #
             # WARNING: Only add the preload option once you read about
             # the consequences in https://hstspreload.org/. This option
             # will add the domain to a hardcoded list that is shipped
             # in all major browsers and getting removed from this list
             # could take several months.
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
             # Optional: Don't log access to assets
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
             # Optional: Don't log access to other assets
             access_log off;
         }
     }
-
 }

.examples/docker-compose/insecure/postgres/apache/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   db:
-    image: postgres
+    image: postgres:alpine
     restart: always
     volumes:
       - db:/var/lib/postgresql/data

.examples/docker-compose/insecure/postgres/fpm/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   db:
-    image: postgres
+    image: postgres:alpine
     restart: always
     volumes:
       - db:/var/lib/postgresql/data
@@ -10,7 +10,7 @@ services:
       - db.env
 
   app:
-    image: nextcloud:fpm
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/insecure/postgres/fpm/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx
+FROM nginx:alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf

@@ -1,5 +1,4 @@
-user  www-data;
-worker_processes  1;
+worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -37,20 +36,25 @@ http {
         # Add headers to serve security related headers
         # Before enabling Strict-Transport-Security headers please read into this
         # topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        # includeSubDomains; preload;";
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         #
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
 
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
         root /var/www/html;
 
         location = /robots.txt {
@@ -62,14 +66,18 @@ http {
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-        # last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 
         location = /.well-known/carddav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
+
         location = /.well-known/caldav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
 
         # set max upload size
@@ -89,66 +97,72 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
             deny all;
         }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        # Adding the cache control header for js and css files
+        # Adding the cache control header for js, css and map files
         # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff|svg|gif)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463";
             # Add headers to serve security related headers (It is intended to
             # have those duplicated to the ones above)
             # Before enabling Strict-Transport-Security headers please read into
             # this topic first.
-            # add_header Strict-Transport-Security "max-age=15768000;
-            #  includeSubDomains; preload;";
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
             #
             # WARNING: Only add the preload option once you read about
             # the consequences in https://hstspreload.org/. This option
             # will add the domain to a hardcoded list that is shipped
             # in all major browsers and getting removed from this list
             # could take several months.
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
             # Optional: Don't log access to assets
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
             # Optional: Don't log access to other assets
             access_log off;
         }
     }
-
 }

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/db.env

@@ -0,0 +1,3 @@
+MYSQL_PASSWORD=
+MYSQL_DATABASE=nextcloud
+MYSQL_USER=nextcloud

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/docker-compose.yml

@@ -0,0 +1,78 @@
+version: '3'
+
+services:
+  db:
+    image: mariadb
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    restart: always
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=
+    env_file:
+      - db.env
+
+  app:
+    image: nextcloud:fpm-alpine
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html
+    environment:
+      - MYSQL_HOST=db
+    env_file:
+      - db.env
+    depends_on:
+      - db
+
+  web:
+    build: ./web
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html:ro
+    environment:
+      - VIRTUAL_HOST=
+    depends_on:
+      - app
+    networks:
+      - proxy-tier
+      - default
+
+  proxy:
+    build: ./proxy
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - certs:/etc/nginx/certs:ro
+      - vhost.d:/etc/nginx/vhost.d
+      - html:/usr/share/nginx/html
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+    networks:
+      - proxy-tier
+    depends_on:
+      - omgwtfssl
+
+  omgwtfssl:
+    image: paulczar/omgwtfssl
+    restart: "no"
+    volumes:
+      - certs:/certs
+    environment:
+      - SSL_SUBJECT=servhostname.local
+      - CA_SUBJECT=my@example.com
+      - SSL_KEY=/certs/servhostname.local.key
+      - SSL_CSR=/certs/servhostname.local.csr
+      - SSL_CERT=/certs/servhostname.local.crt
+    networks:
+      - proxy-tier
+
+volumes:
+  db:
+  nextcloud:
+  certs:
+  vhost.d:
+  html:
+
+networks:
+  proxy-tier:

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/proxy/Dockerfile

@@ -0,0 +1,3 @@
+FROM jwilder/nginx-proxy:alpine
+
+COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/proxy/uploadsize.conf

@@ -0,0 +1,2 @@
+client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/web/Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx:alpine
+
+COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/with-nginx-proxy-self-signed-ssl/mariadb/fpm/web/nginx.conf

@@ -0,0 +1,173 @@
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    set_real_ip_from  10.0.0.0/8;
+    set_real_ip_from  172.16.0.0/12;
+    set_real_ip_from  192.168.0.0/16;
+    real_ip_header    X-Real-IP;
+
+    #gzip  on;
+
+    upstream php-handler {
+        server app:9000;
+    }
+
+    server {
+        listen 80;
+
+        # Add headers to serve security related headers
+        # Before enabling Strict-Transport-Security headers please read into this
+        # topic first.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        #
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # The following 2 rules are only needed for the user_webfinger app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+
+        location = /.well-known/carddav {
+            return 301 $scheme://$host:$server_port/remote.php/dav;
+        }
+
+        location = /.well-known/caldav {
+            return 301 $scheme://$host:$server_port/remote.php/dav;
+        }
+
+        # set max upload size
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Uncomment if your server is build with the ngx_pagespeed module
+        # This module is currently not supported.
+        #pagespeed off;
+
+        location / {
+            rewrite ^ /index.php;
+        }
+
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+            deny all;
+        }
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+            deny all;
+        }
+
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            # fastcgi_param HTTPS on;
+
+            # Avoid sending the security headers twice
+            fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
+            fastcgi_param front_controller_active true;
+            fastcgi_pass php-handler;
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+        }
+
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+            try_files $uri/ =404;
+            index index.php;
+        }
+
+        # Adding the cache control header for js, css and map files
+        # Make sure it is BELOW the PHP block
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463";
+            # Add headers to serve security related headers (It is intended to
+            # have those duplicated to the ones above)
+            # Before enabling Strict-Transport-Security headers please read into
+            # this topic first.
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+            #
+            # WARNING: Only add the preload option once you read about
+            # the consequences in https://hstspreload.org/. This option
+            # will add the domain to a hardcoded list that is shipped
+            # in all major browsers and getting removed from this list
+            # could take several months.
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
+            # Optional: Don't log access to assets
+            access_log off;
+        }
+
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
+            # Optional: Don't log access to other assets
+            access_log off;
+        }
+    }
+}

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/app/Dockerfile

@@ -1,3 +0,0 @@
-FROM nextcloud:apache
-
-COPY redis.config.php /usr/src/nextcloud/config/redis.config.php

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/app/redis.config.php

@@ -1,8 +0,0 @@
-<?php
-$CONFIG = array (
-  'memcache.locking' => '\OC\Memcache\Redis',
-  'redis' => array(
-    'host' => 'redis',
-    'port' => 6379,
-  ),
-);

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/docker-compose.yml

@@ -13,11 +13,11 @@ services:
       - db.env
 
   redis:
-    image: redis
+    image: redis:alpine
     restart: always
 
   app:
-    build: ./app
+    image: nextcloud:apache
     restart: always
     volumes:
       - nextcloud:/var/www/html
@@ -26,6 +26,7 @@ services:
       - LETSENCRYPT_HOST=
       - LETSENCRYPT_EMAIL=
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
@@ -36,7 +37,7 @@ services:
       - default
 
   cron:
-    build: ./app
+    image: nextcloud:apache
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/apache/proxy/uploadsize.conf

@@ -1 +1,2 @@
 client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/app/Dockerfile

@@ -1,3 +0,0 @@
-FROM nextcloud:fpm
-
-COPY redis.config.php /usr/src/nextcloud/config/redis.config.php

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/app/redis.config.php

@@ -1,8 +0,0 @@
-<?php
-$CONFIG = array (
-  'memcache.locking' => '\OC\Memcache\Redis',
-  'redis' => array(
-    'host' => 'redis',
-    'port' => 6379,
-  ),
-);

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/docker-compose.yml

@@ -13,16 +13,17 @@ services:
       - db.env
 
   redis:
-    image: redis
+    image: redis:alpine
     restart: always
 
   app:
-    build: ./app
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html
     environment:
       - MYSQL_HOST=db
+      - REDIS_HOST=redis
     env_file:
       - db.env
     depends_on:
@@ -45,7 +46,7 @@ services:
       - default
 
   cron:
-    build: ./app
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/proxy/uploadsize.conf

@@ -1 +1,2 @@
 client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx
+FROM nginx:alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/with-nginx-proxy/mariadb-cron-redis/fpm/web/nginx.conf

@@ -1,5 +1,4 @@
-user  www-data;
-worker_processes  1;
+worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -42,20 +41,25 @@ http {
         # Add headers to serve security related headers
         # Before enabling Strict-Transport-Security headers please read into this
         # topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        # includeSubDomains; preload;";
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         #
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
 
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
         root /var/www/html;
 
         location = /robots.txt {
@@ -67,14 +71,18 @@ http {
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-        # last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 
         location = /.well-known/carddav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
+
         location = /.well-known/caldav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
 
         # set max upload size
@@ -94,66 +102,72 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
             deny all;
         }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        # Adding the cache control header for js and css files
+        # Adding the cache control header for js, css and map files
         # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff|svg|gif)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463";
             # Add headers to serve security related headers (It is intended to
             # have those duplicated to the ones above)
             # Before enabling Strict-Transport-Security headers please read into
             # this topic first.
-            # add_header Strict-Transport-Security "max-age=15768000;
-            #  includeSubDomains; preload;";
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
             #
             # WARNING: Only add the preload option once you read about
             # the consequences in https://hstspreload.org/. This option
             # will add the domain to a hardcoded list that is shipped
             # in all major browsers and getting removed from this list
             # could take several months.
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
             # Optional: Don't log access to assets
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
             # Optional: Don't log access to other assets
             access_log off;
         }
     }
-
 }

.examples/docker-compose/with-nginx-proxy/mariadb/apache/proxy/uploadsize.conf

@@ -1 +1,2 @@
 client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/docker-compose.yml

@@ -13,7 +13,7 @@ services:
       - db.env
 
   app:
-    image: nextcloud:fpm
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/proxy/uploadsize.conf

@@ -1 +1,2 @@
 client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx
+FROM nginx:alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf

@@ -1,5 +1,4 @@
-user  www-data;
-worker_processes  1;
+worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -42,20 +41,25 @@ http {
         # Add headers to serve security related headers
         # Before enabling Strict-Transport-Security headers please read into this
         # topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        # includeSubDomains; preload;";
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         #
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
 
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
         root /var/www/html;
 
         location = /robots.txt {
@@ -67,14 +71,18 @@ http {
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-        # last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 
         location = /.well-known/carddav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
+
         location = /.well-known/caldav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
 
         # set max upload size
@@ -94,66 +102,72 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
             deny all;
         }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        # Adding the cache control header for js and css files
+        # Adding the cache control header for js, css and map files
         # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff|svg|gif)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463";
             # Add headers to serve security related headers (It is intended to
             # have those duplicated to the ones above)
             # Before enabling Strict-Transport-Security headers please read into
             # this topic first.
-            # add_header Strict-Transport-Security "max-age=15768000;
-            #  includeSubDomains; preload;";
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
             #
             # WARNING: Only add the preload option once you read about
             # the consequences in https://hstspreload.org/. This option
             # will add the domain to a hardcoded list that is shipped
             # in all major browsers and getting removed from this list
             # could take several months.
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
             # Optional: Don't log access to assets
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
             # Optional: Don't log access to other assets
             access_log off;
         }
     }
-
 }

.examples/docker-compose/with-nginx-proxy/postgres/apache/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   db:
-    image: postgres
+    image: postgres:alpine
     restart: always
     volumes:
       - db:/var/lib/postgresql/data

.examples/docker-compose/with-nginx-proxy/postgres/apache/proxy/uploadsize.conf

@@ -1 +1,2 @@
 client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/postgres/fpm/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   db:
-    image: postgres
+    image: postgres:alpine
     restart: always
     volumes:
       - db:/var/lib/postgresql/data
@@ -10,7 +10,7 @@ services:
       - db.env
 
   app:
-    image: nextcloud:fpm
+    image: nextcloud:fpm-alpine
     restart: always
     volumes:
       - nextcloud:/var/www/html

.examples/docker-compose/with-nginx-proxy/postgres/fpm/proxy/uploadsize.conf

@@ -1 +1,2 @@
 client_max_body_size 10G;
+proxy_request_buffering off;

.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/Dockerfile

@@ -1,3 +1,3 @@
-FROM nginx
+FROM nginx:alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf

@@ -1,5 +1,4 @@
-user  www-data;
-worker_processes  1;
+worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
@@ -42,20 +41,25 @@ http {
         # Add headers to serve security related headers
         # Before enabling Strict-Transport-Security headers please read into this
         # topic first.
-        # add_header Strict-Transport-Security "max-age=15768000;
-        # includeSubDomains; preload;";
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
         #
         # WARNING: Only add the preload option once you read about
         # the consequences in https://hstspreload.org/. This option
         # will add the domain to a hardcoded list that is shipped
         # in all major browsers and getting removed from this list
         # could take several months.
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
 
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+
+        # Path to the root of your installation
         root /var/www/html;
 
         location = /robots.txt {
@@ -67,14 +71,18 @@ http {
         # The following 2 rules are only needed for the user_webfinger app.
         # Uncomment it if you're planning to use this app.
         #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
-        # last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+        # The following rule is only needed for the Social app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
 
         location = /.well-known/carddav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
+
         location = /.well-known/caldav {
-            return 301 $scheme://$host/remote.php/dav;
+            return 301 $scheme://$host:$server_port/remote.php/dav;
         }
 
         # set max upload size
@@ -94,66 +102,72 @@ http {
         #pagespeed off;
 
         location / {
-            rewrite ^ /index.php$uri;
+            rewrite ^ /index.php;
         }
 
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
             deny all;
         }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
             deny all;
         }
 
-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
             include fastcgi_params;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param PATH_INFO $path_info;
             # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+
+            # Avoid sending the security headers twice
             fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
             fastcgi_param front_controller_active true;
             fastcgi_pass php-handler;
             fastcgi_intercept_errors on;
             fastcgi_request_buffering off;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        # Adding the cache control header for js and css files
+        # Adding the cache control header for js, css and map files
         # Make sure it is BELOW the PHP block
-        location ~ \.(?:css|js|woff|svg|gif)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
             add_header Cache-Control "public, max-age=15778463";
             # Add headers to serve security related headers (It is intended to
             # have those duplicated to the ones above)
             # Before enabling Strict-Transport-Security headers please read into
             # this topic first.
-            # add_header Strict-Transport-Security "max-age=15768000;
-            #  includeSubDomains; preload;";
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
             #
             # WARNING: Only add the preload option once you read about
             # the consequences in https://hstspreload.org/. This option
             # will add the domain to a hardcoded list that is shipped
             # in all major browsers and getting removed from this list
             # could take several months.
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            add_header X-Download-Options noopen;
-            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
             # Optional: Don't log access to assets
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-            try_files $uri /index.php$uri$is_args$args;
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$request_uri;
             # Optional: Don't log access to other assets
             access_log off;
         }
     }
-
 }

.examples/dockerfiles/cron/apache/Dockerfile

@@ -5,6 +5,8 @@ RUN apt-get update && apt-get install -y \
   && rm -rf /var/lib/apt/lists/* \
   && mkdir /var/log/supervisord /var/run/supervisord
 
-COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY supervisord.conf /
 
-CMD ["/usr/bin/supervisord"]
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

.examples/dockerfiles/cron/fpm-alpine/Dockerfile

@@ -0,0 +1,10 @@
+FROM nextcloud:fpm-alpine
+
+RUN apk add --no-cache supervisor \
+  && mkdir /var/log/supervisord /var/run/supervisord
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

.examples/dockerfiles/cron/fpm-alpine/supervisord.conf

@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
+logfile_backups=10                              ; number of backed up logfiles
+loglevel=error
+
+[program:php-fpm]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php-fpm
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.sh

.examples/dockerfiles/cron/fpm/Dockerfile

@@ -5,6 +5,8 @@ RUN apt-get update && apt-get install -y \
   && rm -rf /var/lib/apt/lists/* \
   && mkdir /var/log/supervisord /var/run/supervisord
 
-COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY supervisord.conf /
 
-CMD ["/usr/bin/supervisord"]
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

.examples/dockerfiles/full/apache/Dockerfile

@@ -1,24 +1,59 @@
 FROM nextcloud:apache
 
-RUN echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list \
-    && apt-get update && apt-get install -y \
-        supervisor \
+RUN set -ex; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
         ffmpeg \
-        libmagickwand-dev \
-        libgmp3-dev \
+        libmagickcore-6.q16-6-extra \
+        procps \
+        smbclient \
+        supervisor \
+#       libreoffice \
+    ; \
+    rm -rf /var/lib/apt/lists/*
+
+RUN set -ex; \
+    \
+    savedAptMark="$(apt-mark showmanual)"; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        libbz2-dev \
         libc-client-dev \
         libkrb5-dev \
-        smbclient \
         libsmbclient-dev \
-#       LibreOffice \
-    && rm -rf /var/lib/apt/lists/* \
-    && docker-php-ext-configure imap --with-kerberos --with-imap-ssl \
-    && ln -s "/usr/include/$(dpkg-architecture --query DEB_BUILD_MULTIARCH)/gmp.h" /usr/include/gmp.h \
-    && docker-php-ext-install bz2 gmp imap \
-    && pecl install imagick smbclient \
-    && docker-php-ext-enable imagick smbclient \
-    && mkdir /var/log/supervisord /var/run/supervisord
+    ; \
+    \
+    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+    docker-php-ext-install \
+        bz2 \
+        imap \
+    ; \
+    pecl install smbclient; \
+    docker-php-ext-enable smbclient; \
+    \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+        | awk '/=>/ { print $3 }' \
+        | sort -u \
+        | xargs -r dpkg-query -S \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -rt apt-mark manual; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*
 
-COPY supervisord.conf /etc/supervisor/supervisord.conf
+RUN mkdir -p \
+    /var/log/supervisord \
+    /var/run/supervisord \
+;
 
-CMD ["/usr/bin/supervisord"]
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

.examples/dockerfiles/full/fpm-alpine/Dockerfile

@@ -0,0 +1,51 @@
+FROM nextcloud:fpm-alpine
+
+RUN set -ex; \
+    \
+    apk add --no-cache \
+        ffmpeg \
+        imagemagick \
+        procps \
+        samba-client \
+        supervisor \
+#       libreoffice \
+    ;
+
+RUN set -ex; \
+    \
+    apk add --no-cache --virtual .build-deps \
+        $PHPIZE_DEPS \
+        imap-dev \
+        krb5-dev \
+        libressl-dev \
+        samba-dev \
+        bzip2-dev \
+    ; \
+    \
+    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+    docker-php-ext-install \
+        bz2 \
+        imap \
+    ; \
+    pecl install smbclient; \
+    docker-php-ext-enable smbclient; \
+    \
+    runDeps="$( \
+        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
+            | tr ',' '\n' \
+            | sort -u \
+            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+    )"; \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
+RUN mkdir -p \
+    /var/log/supervisord \
+    /var/run/supervisord \
+;
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

.examples/dockerfiles/full/fpm-alpine/supervisord.conf

@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
+logfile_backups=10                              ; number of backed up logfiles
+loglevel=error
+
+[program:php-fpm]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php-fpm
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.sh

.examples/dockerfiles/full/fpm/Dockerfile

@@ -1,24 +1,59 @@
 FROM nextcloud:fpm
 
-RUN echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list \
-    && apt-get update && apt-get install -y \
-        supervisor \
+RUN set -ex; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
         ffmpeg \
-        libmagickwand-dev \
-        libgmp3-dev \
+        libmagickcore-6.q16-6-extra \
+        procps \
+        smbclient \
+        supervisor \
+#       libreoffice \
+    ; \
+    rm -rf /var/lib/apt/lists/*
+
+RUN set -ex; \
+    \
+    savedAptMark="$(apt-mark showmanual)"; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        libbz2-dev \
         libc-client-dev \
         libkrb5-dev \
-        smbclient \
         libsmbclient-dev \
-#       LibreOffice \
-    && rm -rf /var/lib/apt/lists/* \
-    && docker-php-ext-configure imap --with-kerberos --with-imap-ssl \
-    && ln -s "/usr/include/$(dpkg-architecture --query DEB_BUILD_MULTIARCH)/gmp.h" /usr/include/gmp.h \
-    && docker-php-ext-install bz2 gmp imap \
-    && pecl install imagick smbclient \
-    && docker-php-ext-enable imagick smbclient \
-    && mkdir /var/log/supervisord /var/run/supervisord
+    ; \
+    \
+    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+    docker-php-ext-install \
+        bz2 \
+        imap \
+    ; \
+    pecl install smbclient; \
+    docker-php-ext-enable smbclient; \
+    \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+        | awk '/=>/ { print $3 }' \
+        | sort -u \
+        | xargs -r dpkg-query -S \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -rt apt-mark manual; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*
 
-COPY supervisord.conf /etc/supervisor/supervisord.conf
+RUN mkdir -p \
+    /var/log/supervisord \
+    /var/run/supervisord \
+;
 
-CMD ["/usr/bin/supervisord"]
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

.examples/dockerfiles/imap/apache/Dockerfile

@@ -1,7 +1,28 @@
 FROM nextcloud:apache
 
-RUN apt-get update \
- && apt-get install -y libc-client-dev libkrb5-dev \
- && rm -rf /var/lib/apt/lists/* \
- && docker-php-ext-configure imap --with-kerberos --with-imap-ssl \
- && docker-php-ext-install imap
+RUN set -ex; \
+    \
+    savedAptMark="$(apt-mark showmanual)"; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        libc-client-dev \
+        libkrb5-dev \
+    ; \
+    \
+    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+    docker-php-ext-install imap; \
+    \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+        | awk '/=>/ { print $3 }' \
+        | sort -u \
+        | xargs -r dpkg-query -S \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -rt apt-mark manual; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*

.examples/dockerfiles/imap/fpm-alpine/Dockerfile

@@ -0,0 +1,22 @@
+FROM nextcloud:fpm-alpine
+
+RUN set -ex; \
+    \
+    apk add --no-cache --virtual .build-deps \
+        $PHPIZE_DEPS \
+        imap-dev \
+        krb5-dev \
+        libressl-dev \
+    ; \
+    \
+    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+    docker-php-ext-install imap; \
+    \
+    runDeps="$( \
+        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
+            | tr ',' '\n' \
+            | sort -u \
+            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+    )"; \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps

.examples/dockerfiles/imap/fpm/Dockerfile

@@ -1,7 +1,28 @@
 FROM nextcloud:fpm
 
-RUN apt-get update \
- && apt-get install -y libc-client-dev libkrb5-dev \
- && rm -rf /var/lib/apt/lists/* \
- && docker-php-ext-configure imap --with-kerberos --with-imap-ssl \
- && docker-php-ext-install imap
+RUN set -ex; \
+    \
+    savedAptMark="$(apt-mark showmanual)"; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        libc-client-dev \
+        libkrb5-dev \
+    ; \
+    \
+    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+    docker-php-ext-install imap; \
+    \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+        | awk '/=>/ { print $3 }' \
+        | sort -u \
+        | xargs -r dpkg-query -S \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -rt apt-mark manual; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*

.examples/dockerfiles/smb/apache/Dockerfile

@@ -1,3 +1,3 @@
 FROM nextcloud:apache
 
-RUN apt-get update && apt-get install -y smbclient && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y procps smbclient && rm -rf /var/lib/apt/lists/*

.examples/dockerfiles/smb/fpm-alpine/Dockerfile

@@ -0,0 +1,3 @@
+FROM nextcloud:fpm-alpine
+
+RUN apk add --no-cache procps samba-client

.examples/dockerfiles/smb/fpm/Dockerfile

@@ -1,3 +1,3 @@
 FROM nextcloud:fpm
 
-RUN apt-get update && apt-get install -y smbclient && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y procps smbclient && rm -rf /var/lib/apt/lists/*

.travis.yml

@@ -1,42 +1,60 @@
-dist: trusty
-sudo: required
-
-services: docker
-
 language: bash
+services: docker
 
 branches:
   only:
     - master
 
+# preload images to avoid timeouts in tests
+before_install:
+  - docker pull mariadb:10
+  - docker pull postgres:11-alpine
+
 install:
   - git clone https://github.com/docker-library/official-images.git ~/official-images
 
 before_script:
   - env | sort
+  - wget -qO- 'https://github.com/tianon/pgp-happy-eyeballs/raw/master/hack-my-builds.sh' | bash
   - image="nextcloud:${VERSION}${VARIANT:+-$VARIANT}"
   - if [[ "$ARCH" == 'i386' ]]; then sed -i -e 's/FROM php/FROM i386\/php/g' "${VERSION}/${VARIANT}/Dockerfile"; fi
 
 script:
-  - travis_retry docker build -t "$image" "${VERSION}/${VARIANT}"
-  - ~/official-images/test/run.sh "$image"
-  - .travis/test-example-dockerfiles.sh "$image"
+  - |
+    (
+      set -Eeuo pipefail
+      set -x
+      travis_retry docker build -t "$image" "${VERSION}/${VARIANT}"
+      travis_retry ~/official-images/test/run.sh "$image"
+      .travis/test-example-dockerfiles.sh "$image"
+    )
 
 after_script:
   - docker images
 
 jobs:
+  # https://github.com/docker-library/php/issues/822
+  allow_failures:
+    - env: VERSION=15.0 VARIANT=apache ARCH=i386
+    - env: VERSION=16.0 VARIANT=apache ARCH=i386
+    - env: VERSION=17.0 VARIANT=apache ARCH=i386
+    - env: VERSION=18.0 VARIANT=apache ARCH=i386
+    - env: VERSION=15.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=16.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=17.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=18.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=17.0-beta VARIANT=apache ARCH=i386
+    - env: VERSION=18.0-beta VARIANT=apache ARCH=i386
   include:
     - &test-scripts
       stage: test scripts
       env: SCRIPT=update.sh
-      sudo: false
       services: []
       install: skip
       before_script: skip
       script:
         - hash_before=$(git write-tree)
-        - ./update.sh
+        - travis_retry ./update.sh
         - bash -c "[[ $hash_before = $(git add -A && git write-tree) ]]"
       after_script: skip
 
@@ -46,18 +64,42 @@ jobs:
         - wget -O "$HOME/bin/bashbrew" https://doi-janky.infosiftr.net/job/bashbrew/lastSuccessfulBuild/artifact/bin/bashbrew-amd64
         - chmod +x "$HOME/bin/bashbrew"
       script:
-        - ./generate-stackbrew-library.sh
+        - travis_retry ./generate-stackbrew-library.sh
 
     - stage: test images
-      env: VERSION=12.0 VARIANT=fpm-alpine ARCH=amd64
-    - env: VERSION=12.0 VARIANT=fpm-alpine ARCH=i386
-    - env: VERSION=12.0 VARIANT=fpm ARCH=amd64
-    - env: VERSION=12.0 VARIANT=fpm ARCH=i386
-    - env: VERSION=12.0 VARIANT=apache ARCH=amd64
-    - env: VERSION=12.0 VARIANT=apache ARCH=i386
-    - env: VERSION=13.0 VARIANT=fpm-alpine ARCH=amd64
-    - env: VERSION=13.0 VARIANT=fpm-alpine ARCH=i386
-    - env: VERSION=13.0 VARIANT=fpm ARCH=amd64
-    - env: VERSION=13.0 VARIANT=fpm ARCH=i386
-    - env: VERSION=13.0 VARIANT=apache ARCH=amd64
-    - env: VERSION=13.0 VARIANT=apache ARCH=i386
+      env: VERSION=16.0-rc VARIANT=fpm-alpine ARCH=amd64
+    - env: VERSION=16.0-rc VARIANT=fpm-alpine ARCH=i386
+    - env: VERSION=16.0-rc VARIANT=fpm ARCH=amd64
+    - env: VERSION=16.0-rc VARIANT=fpm ARCH=i386
+    - env: VERSION=16.0-rc VARIANT=apache ARCH=amd64
+    - env: VERSION=16.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=17.0-rc VARIANT=fpm-alpine ARCH=amd64
+    - env: VERSION=17.0-rc VARIANT=fpm-alpine ARCH=i386
+    - env: VERSION=17.0-rc VARIANT=fpm ARCH=amd64
+    - env: VERSION=17.0-rc VARIANT=fpm ARCH=i386
+    - env: VERSION=17.0-rc VARIANT=apache ARCH=amd64
+    - env: VERSION=17.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=18.0-rc VARIANT=fpm-alpine ARCH=amd64
+    - env: VERSION=18.0-rc VARIANT=fpm-alpine ARCH=i386
+    - env: VERSION=18.0-rc VARIANT=fpm ARCH=amd64
+    - env: VERSION=18.0-rc VARIANT=fpm ARCH=i386
+    - env: VERSION=18.0-rc VARIANT=apache ARCH=amd64
+    - env: VERSION=18.0-rc VARIANT=apache ARCH=i386
+    - env: VERSION=16.0 VARIANT=fpm-alpine ARCH=amd64
+    - env: VERSION=16.0 VARIANT=fpm-alpine ARCH=i386
+    - env: VERSION=16.0 VARIANT=fpm ARCH=amd64
+    - env: VERSION=16.0 VARIANT=fpm ARCH=i386
+    - env: VERSION=16.0 VARIANT=apache ARCH=amd64
+    - env: VERSION=16.0 VARIANT=apache ARCH=i386
+    - env: VERSION=17.0 VARIANT=fpm-alpine ARCH=amd64
+    - env: VERSION=17.0 VARIANT=fpm-alpine ARCH=i386
+    - env: VERSION=17.0 VARIANT=fpm ARCH=amd64
+    - env: VERSION=17.0 VARIANT=fpm ARCH=i386
+    - env: VERSION=17.0 VARIANT=apache ARCH=amd64
+    - env: VERSION=17.0 VARIANT=apache ARCH=i386
+    - env: VERSION=18.0 VARIANT=fpm-alpine ARCH=amd64
+    - env: VERSION=18.0 VARIANT=fpm-alpine ARCH=i386
+    - env: VERSION=18.0 VARIANT=fpm ARCH=amd64
+    - env: VERSION=18.0 VARIANT=fpm ARCH=i386
+    - env: VERSION=18.0 VARIANT=apache ARCH=amd64
+    - env: VERSION=18.0 VARIANT=apache ARCH=i386

.travis/test-example-dockerfiles.sh

@@ -13,7 +13,6 @@ for dir in "${dirs[@]}"; do
             cd "$dir/$VARIANT"
             sed -ri -e 's/^FROM .*/FROM '"$image"'/g' 'Dockerfile'
             docker build -t "$image-$dir" .
-            ~/official-images/test/run.sh "$image-$dir"
         )
     fi
 done

12.0/apache/entrypoint.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-  if [ "$(id -u)" = 0 ]; then
-    su - www-data -s /bin/sh -c "$1"
-  else
-    sh -c "$1"
-  fi
-}
-
-installed_version="0.0.0.0"
-if [ -f /var/www/html/version.php ]; then
-    # shellcheck disable=SC2016
-    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-fi
-# shellcheck disable=SC2016
-image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-if version_greater "$installed_version" "$image_version"; then
-    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-    exit 1
-fi
-
-if version_greater "$image_version" "$installed_version"; then
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-    fi
-    if [ "$(id -u)" = 0 ]; then
-      rsync_options="-rlDog --chown www-data:root"
-    else
-      rsync_options="-rlD"
-    fi
-    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/
-
-    for dir in config data custom_apps themes; do
-        if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-            rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        fi
-    done
-
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ upgrade --no-app-disable'
-
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-        echo "The following apps have beed disabled:"
-        diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-        rm -f /tmp/list_before /tmp/list_after
-    fi
-fi
-
-exec "$@"

12.0/fpm-alpine/entrypoint.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-  if [ "$(id -u)" = 0 ]; then
-    su - www-data -s /bin/sh -c "$1"
-  else
-    sh -c "$1"
-  fi
-}
-
-installed_version="0.0.0.0"
-if [ -f /var/www/html/version.php ]; then
-    # shellcheck disable=SC2016
-    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-fi
-# shellcheck disable=SC2016
-image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-if version_greater "$installed_version" "$image_version"; then
-    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-    exit 1
-fi
-
-if version_greater "$image_version" "$installed_version"; then
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-    fi
-    if [ "$(id -u)" = 0 ]; then
-      rsync_options="-rlDog --chown www-data:root"
-    else
-      rsync_options="-rlD"
-    fi
-    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/
-
-    for dir in config data custom_apps themes; do
-        if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-            rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        fi
-    done
-
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ upgrade --no-app-disable'
-
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-        echo "The following apps have beed disabled:"
-        diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-        rm -f /tmp/list_before /tmp/list_after
-    fi
-fi
-
-exec "$@"

12.0/fpm/entrypoint.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-  if [ "$(id -u)" = 0 ]; then
-    su - www-data -s /bin/sh -c "$1"
-  else
-    sh -c "$1"
-  fi
-}
-
-installed_version="0.0.0.0"
-if [ -f /var/www/html/version.php ]; then
-    # shellcheck disable=SC2016
-    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-fi
-# shellcheck disable=SC2016
-image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-if version_greater "$installed_version" "$image_version"; then
-    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-    exit 1
-fi
-
-if version_greater "$image_version" "$installed_version"; then
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-    fi
-    if [ "$(id -u)" = 0 ]; then
-      rsync_options="-rlDog --chown www-data:root"
-    else
-      rsync_options="-rlD"
-    fi
-    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/
-
-    for dir in config data custom_apps themes; do
-        if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-            rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        fi
-    done
-
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ upgrade --no-app-disable'
-
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-        echo "The following apps have beed disabled:"
-        diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-        rm -f /tmp/list_before /tmp/list_after
-    fi
-fi
-
-exec "$@"

13.0/apache/entrypoint.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-  if [ "$(id -u)" = 0 ]; then
-    su - www-data -s /bin/sh -c "$1"
-  else
-    sh -c "$1"
-  fi
-}
-
-installed_version="0.0.0.0"
-if [ -f /var/www/html/version.php ]; then
-    # shellcheck disable=SC2016
-    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-fi
-# shellcheck disable=SC2016
-image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-if version_greater "$installed_version" "$image_version"; then
-    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-    exit 1
-fi
-
-if version_greater "$image_version" "$installed_version"; then
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-    fi
-    if [ "$(id -u)" = 0 ]; then
-      rsync_options="-rlDog --chown www-data:root"
-    else
-      rsync_options="-rlD"
-    fi
-    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/
-
-    for dir in config data custom_apps themes; do
-        if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-            rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        fi
-    done
-
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ upgrade --no-app-disable'
-
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-        echo "The following apps have beed disabled:"
-        diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-        rm -f /tmp/list_before /tmp/list_after
-    fi
-fi
-
-exec "$@"

13.0/fpm-alpine/config/autoconfig.php

@@ -1,34 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: "";
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-
-    if (getenv('NEXTCLOUD_ADMIN_USER') && getenv('NEXTCLOUD_ADMIN_PASSWORD')) {
-        $AUTOCONFIG["adminlogin"] = getenv('NEXTCLOUD_ADMIN_USER');
-        $AUTOCONFIG["adminpass"] = getenv('NEXTCLOUD_ADMIN_PASSWORD');
-    }
-}

13.0/fpm-alpine/entrypoint.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-  if [ "$(id -u)" = 0 ]; then
-    su - www-data -s /bin/sh -c "$1"
-  else
-    sh -c "$1"
-  fi
-}
-
-installed_version="0.0.0.0"
-if [ -f /var/www/html/version.php ]; then
-    # shellcheck disable=SC2016
-    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-fi
-# shellcheck disable=SC2016
-image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-if version_greater "$installed_version" "$image_version"; then
-    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-    exit 1
-fi
-
-if version_greater "$image_version" "$installed_version"; then
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-    fi
-    if [ "$(id -u)" = 0 ]; then
-      rsync_options="-rlDog --chown www-data:root"
-    else
-      rsync_options="-rlD"
-    fi
-    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/
-
-    for dir in config data custom_apps themes; do
-        if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-            rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        fi
-    done
-
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ upgrade --no-app-disable'
-
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-        echo "The following apps have beed disabled:"
-        diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-        rm -f /tmp/list_before /tmp/list_after
-    fi
-fi
-
-exec "$@"

13.0/fpm/config/autoconfig.php

@@ -1,34 +0,0 @@
-<?php
-
-$autoconfig_enabled = false;
-
-if (getenv('SQLITE_DATABASE')) {
-    $AUTOCONFIG["dbtype"] = "sqlite";
-    $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
-    $autoconfig_enabled = true;
-} elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
-    $AUTOCONFIG["dbtype"] = "mysql";
-    $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
-    $AUTOCONFIG["dbuser"] = getenv('MYSQL_USER');
-    $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
-    $autoconfig_enabled = true;
-} elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
-    $AUTOCONFIG["dbtype"] = "pgsql";
-    $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
-    $AUTOCONFIG["dbuser"] = getenv('POSTGRES_USER');
-    $AUTOCONFIG["dbpass"] = getenv('POSTGRES_PASSWORD');
-    $AUTOCONFIG["dbhost"] = getenv('POSTGRES_HOST');
-    $autoconfig_enabled = true;
-}
-
-if ($autoconfig_enabled) {
-    $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: "";
-
-    $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-
-    if (getenv('NEXTCLOUD_ADMIN_USER') && getenv('NEXTCLOUD_ADMIN_PASSWORD')) {
-        $AUTOCONFIG["adminlogin"] = getenv('NEXTCLOUD_ADMIN_USER');
-        $AUTOCONFIG["adminpass"] = getenv('NEXTCLOUD_ADMIN_PASSWORD');
-    }
-}

13.0/fpm/entrypoint.sh

@@ -1,62 +0,0 @@
-#!/bin/sh
-set -eu
-
-# version_greater A B returns whether A > B
-version_greater() {
-	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
-}
-
-# return true if specified directory is empty
-directory_empty() {
-    [ -z "$(ls -A "$1/")" ]
-}
-
-run_as() {
-  if [ "$(id -u)" = 0 ]; then
-    su - www-data -s /bin/sh -c "$1"
-  else
-    sh -c "$1"
-  fi
-}
-
-installed_version="0.0.0.0"
-if [ -f /var/www/html/version.php ]; then
-    # shellcheck disable=SC2016
-    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-fi
-# shellcheck disable=SC2016
-image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-if version_greater "$installed_version" "$image_version"; then
-    echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
-    exit 1
-fi
-
-if version_greater "$image_version" "$installed_version"; then
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
-    fi
-    if [ "$(id -u)" = 0 ]; then
-      rsync_options="-rlDog --chown www-data:root"
-    else
-      rsync_options="-rlD"
-    fi
-    rsync $rsync_options --delete --exclude /config/ --exclude /data/ --exclude /custom_apps/ --exclude /themes/ /usr/src/nextcloud/ /var/www/html/
-
-    for dir in config data custom_apps themes; do
-        if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-            rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
-        fi
-    done
-
-    if [ "$installed_version" != "0.0.0.0" ]; then
-        run_as 'php /var/www/html/occ upgrade --no-app-disable'
-
-        run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-        echo "The following apps have beed disabled:"
-        diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
-        rm -f /tmp/list_before /tmp/list_after
-    fi
-fi
-
-exec "$@"

16.0-rc/apache/Dockerfile

@@ -0,0 +1,151 @@
+# DO NOT EDIT: created by update.sh from Dockerfile-debian.template
+FROM php:7.3-apache-buster
+
+# entrypoint.sh and cron.sh dependencies
+RUN set -ex; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        rsync \
+        bzip2 \
+        busybox-static \
+    ; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    mkdir -p /var/spool/cron/crontabs; \
+    echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
+
+# install the PHP extensions we need
+# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
+RUN set -ex; \
+    \
+    savedAptMark="$(apt-mark showmanual)"; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        libcurl4-openssl-dev \
+        libevent-dev \
+        libfreetype6-dev \
+        libicu-dev \
+        libjpeg-dev \
+        libldap2-dev \
+        libmcrypt-dev \
+        libmemcached-dev \
+        libpng-dev \
+        libpq-dev \
+        libxml2-dev \
+        libmagickwand-dev \
+        libzip-dev \
+        libwebp-dev \
+        libgmp-dev \
+    ; \
+    \
+    debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
+    if [ ! -e /usr/include/gmp.h ]; then ln -s /usr/include/$debMultiarch/gmp.h /usr/include/gmp.h; fi;\
+    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
+    docker-php-ext-configure gmp --with-gmp="/usr/include/$debMultiarch"; \
+    docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
+    docker-php-ext-install -j "$(nproc)" \
+        exif \
+        gd \
+        intl \
+        ldap \
+        opcache \
+        pcntl \
+        pdo_mysql \
+        pdo_pgsql \
+        zip \
+        gmp \
+    ; \
+    \
+# pecl will claim success even if one install fails, so we need to perform each install separately
+    pecl install APCu-5.1.18; \
+    pecl install memcached-3.1.5; \
+    pecl install redis-4.3.0; \
+    pecl install imagick-3.4.4; \
+    \
+    docker-php-ext-enable \
+        apcu \
+        memcached \
+        redis \
+        imagick \
+    ; \
+    \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+        | awk '/=>/ { print $3 }' \
+        | sort -u \
+        | xargs -r dpkg-query -S \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -rt apt-mark manual; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*
+
+# set recommended PHP.ini settings
+# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
+RUN { \
+        echo 'opcache.enable=1'; \
+        echo 'opcache.interned_strings_buffer=8'; \
+        echo 'opcache.max_accelerated_files=10000'; \
+        echo 'opcache.memory_consumption=128'; \
+        echo 'opcache.save_comments=1'; \
+        echo 'opcache.revalidate_freq=1'; \
+    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
+    \
+    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    \
+    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
+    \
+    mkdir /var/www/data; \
+    chown -R www-data:root /var/www; \
+    chmod -R g=u /var/www
+
+VOLUME /var/www/html
+
+RUN a2enmod rewrite remoteip ;\
+    {\
+     echo RemoteIPHeader X-Real-IP ;\
+     echo RemoteIPTrustedProxy 10.0.0.0/8 ;\
+     echo RemoteIPTrustedProxy 172.16.0.0/12 ;\
+     echo RemoteIPTrustedProxy 192.168.0.0/16 ;\
+    } > /etc/apache2/conf-available/remoteip.conf;\
+    a2enconf remoteip
+
+ENV NEXTCLOUD_VERSION 16.0.9RC1
+
+RUN set -ex; \
+    fetchDeps=" \
+        gnupg \
+        dirmngr \
+    "; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends $fetchDeps; \
+    \
+    curl -fsSL -o nextcloud.tar.bz2 \
+        "https://download.nextcloud.com/server/prereleases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
+    curl -fsSL -o nextcloud.tar.bz2.asc \
+        "https://download.nextcloud.com/server/prereleases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
+    export GNUPGHOME="$(mktemp -d)"; \
+# gpg key from https://nextcloud.com/nextcloud.asc
+    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
+    gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
+    tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
+    gpgconf --kill all; \
+    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
+    rm -rf /usr/src/nextcloud/updater; \
+    mkdir -p /usr/src/nextcloud/data; \
+    mkdir -p /usr/src/nextcloud/custom_apps; \
+    chmod +x /usr/src/nextcloud/occ; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
+    rm -rf /var/lib/apt/lists/*
+
+COPY *.sh upgrade.exclude /
+COPY config/* /usr/src/nextcloud/config/
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["apache2-foreground"]

16.0-rc/apache/config/autoconfig.php

@@ -23,12 +23,9 @@ if (getenv('SQLITE_DATABASE')) {
 }
 
 if ($autoconfig_enabled) {
-    $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: "";
+    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
+        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
+    }
 
     $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-
-    if (getenv('NEXTCLOUD_ADMIN_USER') && getenv('NEXTCLOUD_ADMIN_PASSWORD')) {
-        $AUTOCONFIG["adminlogin"] = getenv('NEXTCLOUD_ADMIN_USER');
-        $AUTOCONFIG["adminpass"] = getenv('NEXTCLOUD_ADMIN_PASSWORD');
-    }
 }

16.0-rc/apache/config/redis.config.php

@@ -0,0 +1,17 @@
+<?php
+if (getenv('REDIS_HOST')) {
+  $CONFIG = array (
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis' => array(
+      'host' => getenv('REDIS_HOST'),
+      'password' => getenv('REDIS_HOST_PASSWORD'),
+    ),
+  );
+
+  if (getenv('REDIS_HOST_PORT') !== false) {
+    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
+  } elseif (getenv('REDIS_HOST')[0] != '/') {
+    $CONFIG['redis']['port'] = 6379;
+  }
+}

16.0-rc/apache/config/smtp.config.php

@@ -0,0 +1,15 @@
+<?php
+if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
+  $CONFIG = array (
+    'mail_smtpmode' => 'smtp',
+    'mail_smtphost' => getenv('SMTP_HOST'),
+    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
+    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+    'mail_domain' => getenv('MAIL_DOMAIN'),
+  );
+}

16.0-rc/apache/entrypoint.sh

@@ -0,0 +1,152 @@
+#!/bin/sh
+set -eu
+
+# version_greater A B returns whether A > B
+version_greater() {
+    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
+}
+
+# return true if specified directory is empty
+directory_empty() {
+    [ -z "$(ls -A "$1/")" ]
+}
+
+run_as() {
+    if [ "$(id -u)" = 0 ]; then
+        su -p www-data -s /bin/sh -c "$1"
+    else
+        sh -c "$1"
+    fi
+}
+
+if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
+    if [ -n "${REDIS_HOST+x}" ]; then
+
+        echo "Configuring Redis as session handler"
+        {
+            echo 'session.save_handler = redis'
+            # check if redis host is an unix socket path
+            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
+              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
+              else
+                echo "session.save_path = \"unix://${REDIS_HOST}\""
+              fi
+            # check if redis password has been set
+            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
+            else
+                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
+            fi
+        } > /usr/local/etc/php/conf.d/redis-session.ini
+    fi
+
+    installed_version="0.0.0.0"
+    if [ -f /var/www/html/version.php ]; then
+        # shellcheck disable=SC2016
+        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+    fi
+    # shellcheck disable=SC2016
+    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
+
+    if version_greater "$installed_version" "$image_version"; then
+        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
+        exit 1
+    fi
+
+    if version_greater "$image_version" "$installed_version"; then
+        echo "Initializing nextcloud $image_version ..."
+        if [ "$installed_version" != "0.0.0.0" ]; then
+            echo "Upgrading nextcloud from $installed_version ..."
+            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
+        fi
+        if [ "$(id -u)" = 0 ]; then
+            rsync_options="-rlDog --chown www-data:root"
+        else
+            rsync_options="-rlD"
+        fi
+        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
+
+        for dir in config data custom_apps themes; do
+            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
+                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+            fi
+        done
+        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+        echo "Initializing finished"
+
+        #install
+        if [ "$installed_version" = "0.0.0.0" ]; then
+            echo "New nextcloud instance"
+
+            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
+                # shellcheck disable=SC2016
+                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
+                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
+                fi
+                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
+                fi
+
+                install=false
+                if [ -n "${SQLITE_DATABASE+x}" ]; then
+                    echo "Installing with SQLite database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
+                    install=true
+                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
+                    echo "Installing with MySQL database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
+                    install=true
+                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
+                    echo "Installing with PostgreSQL database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
+                    install=true
+                fi
+
+                if [ "$install" = true ]; then
+                    echo "starting nextcloud installation"
+                    max_retries=10
+                    try=0
+                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
+                    do
+                        echo "retrying install..."
+                        try=$((try+1))
+                        sleep 10s
+                    done
+                    if [ "$try" -gt "$max_retries" ]; then
+                        echo "installing of nextcloud failed!"
+                        exit 1
+                    fi
+                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
+                        echo "setting trusted domains…"
+                        NC_TRUSTED_DOMAIN_IDX=1
+                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
+                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
+                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
+                        done
+                    fi
+                else
+                    echo "running web-based installer on first connect!"
+                fi
+            fi
+        #upgrade
+        else
+            run_as 'php /var/www/html/occ upgrade'
+
+            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
+            echo "The following apps have been disabled:"
+            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
+            rm -f /tmp/list_before /tmp/list_after
+
+        fi
+    fi
+fi
+
+exec "$@"

16.0-rc/apache/upgrade.exclude

@@ -0,0 +1,5 @@
+/config/
+/data/
+/custom_apps/
+/themes/
+/version.php

16.0-rc/fpm-alpine/Dockerfile

@@ -0,0 +1,126 @@
+# DO NOT EDIT: created by update.sh from Dockerfile-alpine.template
+FROM php:7.3-fpm-alpine3.11
+
+# entrypoint.sh and cron.sh dependencies
+RUN set -ex; \
+    \
+    apk add --no-cache \
+        rsync \
+    ; \
+    \
+    rm /var/spool/cron/crontabs/root; \
+    echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
+
+# install the PHP extensions we need
+# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
+RUN set -ex; \
+    \
+    apk add --no-cache --virtual .build-deps \
+        $PHPIZE_DEPS \
+        autoconf \
+        freetype-dev \
+        icu-dev \
+        libevent-dev \
+        libjpeg-turbo-dev \
+        libmcrypt-dev \
+        libpng-dev \
+        libmemcached-dev \
+        libxml2-dev \
+        libzip-dev \
+        openldap-dev \
+        pcre-dev \
+        postgresql-dev \
+        imagemagick-dev \
+        libwebp-dev \
+        gmp-dev \
+    ; \
+    \
+    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
+    docker-php-ext-configure ldap; \
+    docker-php-ext-install -j "$(nproc)" \
+        exif \
+        gd \
+        intl \
+        ldap \
+        opcache \
+        pcntl \
+        pdo_mysql \
+        pdo_pgsql \
+        zip \
+        gmp \
+    ; \
+    \
+# pecl will claim success even if one install fails, so we need to perform each install separately
+    pecl install APCu-5.1.18; \
+    pecl install memcached-3.1.5; \
+    pecl install redis-4.3.0; \
+    pecl install imagick-3.4.4; \
+    \
+    docker-php-ext-enable \
+        apcu \
+        memcached \
+        redis \
+        imagick \
+    ; \
+    \
+    runDeps="$( \
+        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
+            | tr ',' '\n' \
+            | sort -u \
+            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+    )"; \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
+# set recommended PHP.ini settings
+# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
+RUN { \
+        echo 'opcache.enable=1'; \
+        echo 'opcache.interned_strings_buffer=8'; \
+        echo 'opcache.max_accelerated_files=10000'; \
+        echo 'opcache.memory_consumption=128'; \
+        echo 'opcache.save_comments=1'; \
+        echo 'opcache.revalidate_freq=1'; \
+    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
+    \
+    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    \
+    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
+    \
+    mkdir /var/www/data; \
+    chown -R www-data:root /var/www; \
+    chmod -R g=u /var/www
+
+VOLUME /var/www/html
+
+
+ENV NEXTCLOUD_VERSION 16.0.9RC1
+
+RUN set -ex; \
+    apk add --no-cache --virtual .fetch-deps \
+        bzip2 \
+        gnupg \
+    ; \
+    \
+    curl -fsSL -o nextcloud.tar.bz2 \
+        "https://download.nextcloud.com/server/prereleases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
+    curl -fsSL -o nextcloud.tar.bz2.asc \
+        "https://download.nextcloud.com/server/prereleases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
+    export GNUPGHOME="$(mktemp -d)"; \
+# gpg key from https://nextcloud.com/nextcloud.asc
+    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
+    gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
+    tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
+    gpgconf --kill all; \
+    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
+    rm -rf /usr/src/nextcloud/updater; \
+    mkdir -p /usr/src/nextcloud/data; \
+    mkdir -p /usr/src/nextcloud/custom_apps; \
+    chmod +x /usr/src/nextcloud/occ; \
+    apk del .fetch-deps
+
+COPY *.sh upgrade.exclude /
+COPY config/* /usr/src/nextcloud/config/
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["php-fpm"]

16.0-rc/fpm-alpine/config/autoconfig.php

@@ -23,12 +23,9 @@ if (getenv('SQLITE_DATABASE')) {
 }
 
 if ($autoconfig_enabled) {
-    $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: "";
+    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
+        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
+    }
 
     $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-
-    if (getenv('NEXTCLOUD_ADMIN_USER') && getenv('NEXTCLOUD_ADMIN_PASSWORD')) {
-        $AUTOCONFIG["adminlogin"] = getenv('NEXTCLOUD_ADMIN_USER');
-        $AUTOCONFIG["adminpass"] = getenv('NEXTCLOUD_ADMIN_PASSWORD');
-    }
 }

16.0-rc/fpm-alpine/config/redis.config.php

@@ -0,0 +1,17 @@
+<?php
+if (getenv('REDIS_HOST')) {
+  $CONFIG = array (
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis' => array(
+      'host' => getenv('REDIS_HOST'),
+      'password' => getenv('REDIS_HOST_PASSWORD'),
+    ),
+  );
+
+  if (getenv('REDIS_HOST_PORT') !== false) {
+    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
+  } elseif (getenv('REDIS_HOST')[0] != '/') {
+    $CONFIG['redis']['port'] = 6379;
+  }
+}

16.0-rc/fpm-alpine/config/smtp.config.php

@@ -0,0 +1,15 @@
+<?php
+if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
+  $CONFIG = array (
+    'mail_smtpmode' => 'smtp',
+    'mail_smtphost' => getenv('SMTP_HOST'),
+    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
+    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+    'mail_domain' => getenv('MAIL_DOMAIN'),
+  );
+}

16.0-rc/fpm-alpine/entrypoint.sh

@@ -0,0 +1,152 @@
+#!/bin/sh
+set -eu
+
+# version_greater A B returns whether A > B
+version_greater() {
+    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
+}
+
+# return true if specified directory is empty
+directory_empty() {
+    [ -z "$(ls -A "$1/")" ]
+}
+
+run_as() {
+    if [ "$(id -u)" = 0 ]; then
+        su -p www-data -s /bin/sh -c "$1"
+    else
+        sh -c "$1"
+    fi
+}
+
+if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
+    if [ -n "${REDIS_HOST+x}" ]; then
+
+        echo "Configuring Redis as session handler"
+        {
+            echo 'session.save_handler = redis'
+            # check if redis host is an unix socket path
+            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
+              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
+              else
+                echo "session.save_path = \"unix://${REDIS_HOST}\""
+              fi
+            # check if redis password has been set
+            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
+            else
+                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
+            fi
+        } > /usr/local/etc/php/conf.d/redis-session.ini
+    fi
+
+    installed_version="0.0.0.0"
+    if [ -f /var/www/html/version.php ]; then
+        # shellcheck disable=SC2016
+        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+    fi
+    # shellcheck disable=SC2016
+    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
+
+    if version_greater "$installed_version" "$image_version"; then
+        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
+        exit 1
+    fi
+
+    if version_greater "$image_version" "$installed_version"; then
+        echo "Initializing nextcloud $image_version ..."
+        if [ "$installed_version" != "0.0.0.0" ]; then
+            echo "Upgrading nextcloud from $installed_version ..."
+            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
+        fi
+        if [ "$(id -u)" = 0 ]; then
+            rsync_options="-rlDog --chown www-data:root"
+        else
+            rsync_options="-rlD"
+        fi
+        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
+
+        for dir in config data custom_apps themes; do
+            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
+                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+            fi
+        done
+        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+        echo "Initializing finished"
+
+        #install
+        if [ "$installed_version" = "0.0.0.0" ]; then
+            echo "New nextcloud instance"
+
+            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
+                # shellcheck disable=SC2016
+                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
+                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
+                fi
+                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
+                fi
+
+                install=false
+                if [ -n "${SQLITE_DATABASE+x}" ]; then
+                    echo "Installing with SQLite database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
+                    install=true
+                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
+                    echo "Installing with MySQL database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
+                    install=true
+                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
+                    echo "Installing with PostgreSQL database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
+                    install=true
+                fi
+
+                if [ "$install" = true ]; then
+                    echo "starting nextcloud installation"
+                    max_retries=10
+                    try=0
+                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
+                    do
+                        echo "retrying install..."
+                        try=$((try+1))
+                        sleep 10s
+                    done
+                    if [ "$try" -gt "$max_retries" ]; then
+                        echo "installing of nextcloud failed!"
+                        exit 1
+                    fi
+                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
+                        echo "setting trusted domains…"
+                        NC_TRUSTED_DOMAIN_IDX=1
+                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
+                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
+                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
+                        done
+                    fi
+                else
+                    echo "running web-based installer on first connect!"
+                fi
+            fi
+        #upgrade
+        else
+            run_as 'php /var/www/html/occ upgrade'
+
+            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
+            echo "The following apps have been disabled:"
+            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
+            rm -f /tmp/list_before /tmp/list_after
+
+        fi
+    fi
+fi
+
+exec "$@"

16.0-rc/fpm-alpine/upgrade.exclude

@@ -0,0 +1,5 @@
+/config/
+/data/
+/custom_apps/
+/themes/
+/version.php

16.0-rc/fpm/Dockerfile

@@ -0,0 +1,143 @@
+# DO NOT EDIT: created by update.sh from Dockerfile-debian.template
+FROM php:7.3-fpm-buster
+
+# entrypoint.sh and cron.sh dependencies
+RUN set -ex; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        rsync \
+        bzip2 \
+        busybox-static \
+    ; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    mkdir -p /var/spool/cron/crontabs; \
+    echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
+
+# install the PHP extensions we need
+# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
+RUN set -ex; \
+    \
+    savedAptMark="$(apt-mark showmanual)"; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        libcurl4-openssl-dev \
+        libevent-dev \
+        libfreetype6-dev \
+        libicu-dev \
+        libjpeg-dev \
+        libldap2-dev \
+        libmcrypt-dev \
+        libmemcached-dev \
+        libpng-dev \
+        libpq-dev \
+        libxml2-dev \
+        libmagickwand-dev \
+        libzip-dev \
+        libwebp-dev \
+        libgmp-dev \
+    ; \
+    \
+    debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
+    if [ ! -e /usr/include/gmp.h ]; then ln -s /usr/include/$debMultiarch/gmp.h /usr/include/gmp.h; fi;\
+    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
+    docker-php-ext-configure gmp --with-gmp="/usr/include/$debMultiarch"; \
+    docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
+    docker-php-ext-install -j "$(nproc)" \
+        exif \
+        gd \
+        intl \
+        ldap \
+        opcache \
+        pcntl \
+        pdo_mysql \
+        pdo_pgsql \
+        zip \
+        gmp \
+    ; \
+    \
+# pecl will claim success even if one install fails, so we need to perform each install separately
+    pecl install APCu-5.1.18; \
+    pecl install memcached-3.1.5; \
+    pecl install redis-4.3.0; \
+    pecl install imagick-3.4.4; \
+    \
+    docker-php-ext-enable \
+        apcu \
+        memcached \
+        redis \
+        imagick \
+    ; \
+    \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+        | awk '/=>/ { print $3 }' \
+        | sort -u \
+        | xargs -r dpkg-query -S \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -rt apt-mark manual; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*
+
+# set recommended PHP.ini settings
+# see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
+RUN { \
+        echo 'opcache.enable=1'; \
+        echo 'opcache.interned_strings_buffer=8'; \
+        echo 'opcache.max_accelerated_files=10000'; \
+        echo 'opcache.memory_consumption=128'; \
+        echo 'opcache.save_comments=1'; \
+        echo 'opcache.revalidate_freq=1'; \
+    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
+    \
+    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    \
+    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
+    \
+    mkdir /var/www/data; \
+    chown -R www-data:root /var/www; \
+    chmod -R g=u /var/www
+
+VOLUME /var/www/html
+
+
+ENV NEXTCLOUD_VERSION 16.0.9RC1
+
+RUN set -ex; \
+    fetchDeps=" \
+        gnupg \
+        dirmngr \
+    "; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends $fetchDeps; \
+    \
+    curl -fsSL -o nextcloud.tar.bz2 \
+        "https://download.nextcloud.com/server/prereleases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
+    curl -fsSL -o nextcloud.tar.bz2.asc \
+        "https://download.nextcloud.com/server/prereleases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
+    export GNUPGHOME="$(mktemp -d)"; \
+# gpg key from https://nextcloud.com/nextcloud.asc
+    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
+    gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
+    tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
+    gpgconf --kill all; \
+    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
+    rm -rf /usr/src/nextcloud/updater; \
+    mkdir -p /usr/src/nextcloud/data; \
+    mkdir -p /usr/src/nextcloud/custom_apps; \
+    chmod +x /usr/src/nextcloud/occ; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
+    rm -rf /var/lib/apt/lists/*
+
+COPY *.sh upgrade.exclude /
+COPY config/* /usr/src/nextcloud/config/
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["php-fpm"]

16.0-rc/fpm/config/autoconfig.php

@@ -23,12 +23,9 @@ if (getenv('SQLITE_DATABASE')) {
 }
 
 if ($autoconfig_enabled) {
-    $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX') ?: "";
+    if (getenv('NEXTCLOUD_TABLE_PREFIX')) {
+        $AUTOCONFIG["dbtableprefix"] = getenv('NEXTCLOUD_TABLE_PREFIX');
+    }
 
     $AUTOCONFIG["directory"] = getenv('NEXTCLOUD_DATA_DIR') ?: "/var/www/html/data";
-
-    if (getenv('NEXTCLOUD_ADMIN_USER') && getenv('NEXTCLOUD_ADMIN_PASSWORD')) {
-        $AUTOCONFIG["adminlogin"] = getenv('NEXTCLOUD_ADMIN_USER');
-        $AUTOCONFIG["adminpass"] = getenv('NEXTCLOUD_ADMIN_PASSWORD');
-    }
 }

16.0-rc/fpm/config/redis.config.php

@@ -0,0 +1,17 @@
+<?php
+if (getenv('REDIS_HOST')) {
+  $CONFIG = array (
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis' => array(
+      'host' => getenv('REDIS_HOST'),
+      'password' => getenv('REDIS_HOST_PASSWORD'),
+    ),
+  );
+
+  if (getenv('REDIS_HOST_PORT') !== false) {
+    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
+  } elseif (getenv('REDIS_HOST')[0] != '/') {
+    $CONFIG['redis']['port'] = 6379;
+  }
+}

16.0-rc/fpm/config/smtp.config.php

@@ -0,0 +1,15 @@
+<?php
+if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
+  $CONFIG = array (
+    'mail_smtpmode' => 'smtp',
+    'mail_smtphost' => getenv('SMTP_HOST'),
+    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+    'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
+    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+    'mail_domain' => getenv('MAIL_DOMAIN'),
+  );
+}

16.0-rc/fpm/entrypoint.sh

@@ -0,0 +1,152 @@
+#!/bin/sh
+set -eu
+
+# version_greater A B returns whether A > B
+version_greater() {
+    [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
+}
+
+# return true if specified directory is empty
+directory_empty() {
+    [ -z "$(ls -A "$1/")" ]
+}
+
+run_as() {
+    if [ "$(id -u)" = 0 ]; then
+        su -p www-data -s /bin/sh -c "$1"
+    else
+        sh -c "$1"
+    fi
+}
+
+if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
+    if [ -n "${REDIS_HOST+x}" ]; then
+
+        echo "Configuring Redis as session handler"
+        {
+            echo 'session.save_handler = redis'
+            # check if redis host is an unix socket path
+            if [ "$(echo "$REDIS_HOST" | cut -c1-1)" = "/" ]; then
+              if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                echo "session.save_path = \"unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}\""
+              else
+                echo "session.save_path = \"unix://${REDIS_HOST}\""
+              fi
+            # check if redis password has been set
+            elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}\""
+            else
+                echo "session.save_path = \"tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}\""
+            fi
+        } > /usr/local/etc/php/conf.d/redis-session.ini
+    fi
+
+    installed_version="0.0.0.0"
+    if [ -f /var/www/html/version.php ]; then
+        # shellcheck disable=SC2016
+        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+    fi
+    # shellcheck disable=SC2016
+    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
+
+    if version_greater "$installed_version" "$image_version"; then
+        echo "Can't start Nextcloud because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
+        exit 1
+    fi
+
+    if version_greater "$image_version" "$installed_version"; then
+        echo "Initializing nextcloud $image_version ..."
+        if [ "$installed_version" != "0.0.0.0" ]; then
+            echo "Upgrading nextcloud from $installed_version ..."
+            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
+        fi
+        if [ "$(id -u)" = 0 ]; then
+            rsync_options="-rlDog --chown www-data:root"
+        else
+            rsync_options="-rlD"
+        fi
+        rsync $rsync_options --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
+
+        for dir in config data custom_apps themes; do
+            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
+                rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+            fi
+        done
+        rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+        echo "Initializing finished"
+
+        #install
+        if [ "$installed_version" = "0.0.0.0" ]; then
+            echo "New nextcloud instance"
+
+            if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
+                # shellcheck disable=SC2016
+                install_options='-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
+                if [ -n "${NEXTCLOUD_TABLE_PREFIX+x}" ]; then
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database-table-prefix "$NEXTCLOUD_TABLE_PREFIX"'
+                fi
+                if [ -n "${NEXTCLOUD_DATA_DIR+x}" ]; then
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"'
+                fi
+
+                install=false
+                if [ -n "${SQLITE_DATABASE+x}" ]; then
+                    echo "Installing with SQLite database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database-name "$SQLITE_DATABASE"'
+                    install=true
+                elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
+                    echo "Installing with MySQL database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
+                    install=true
+                elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
+                    echo "Installing with PostgreSQL database"
+                    # shellcheck disable=SC2016
+                    install_options=$install_options' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
+                    install=true
+                fi
+
+                if [ "$install" = true ]; then
+                    echo "starting nextcloud installation"
+                    max_retries=10
+                    try=0
+                    until run_as "php /var/www/html/occ maintenance:install $install_options" || [ "$try" -gt "$max_retries" ]
+                    do
+                        echo "retrying install..."
+                        try=$((try+1))
+                        sleep 10s
+                    done
+                    if [ "$try" -gt "$max_retries" ]; then
+                        echo "installing of nextcloud failed!"
+                        exit 1
+                    fi
+                    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
+                        echo "setting trusted domains…"
+                        NC_TRUSTED_DOMAIN_IDX=1
+                        for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
+                            DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+                            run_as "php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=$DOMAIN"
+                            NC_TRUSTED_DOMAIN_IDX=$(($NC_TRUSTED_DOMAIN_IDX+1))
+                        done
+                    fi
+                else
+                    echo "running web-based installer on first connect!"
+                fi
+            fi
+        #upgrade
+        else
+            run_as 'php /var/www/html/occ upgrade'
+
+            run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
+            echo "The following apps have been disabled:"
+            diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
+            rm -f /tmp/list_before /tmp/list_after
+
+        fi
+    fi
+fi
+
+exec "$@"

16.0-rc/fpm/upgrade.exclude

@@ -0,0 +1,5 @@
+/config/
+/data/
+/custom_apps/
+/themes/
+/version.php

16.0/apache/Dockerfile

@@ -1,5 +1,5 @@
 # DO NOT EDIT: created by update.sh from Dockerfile-debian.template
-FROM php:7.1-apache
+FROM php:7.3-apache-buster
 
 # entrypoint.sh and cron.sh dependencies
 RUN set -ex; \
@@ -16,7 +16,7 @@ RUN set -ex; \
     echo '*/15 * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data
 
 # install the PHP extensions we need
-# see https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html
+# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
 RUN set -ex; \
     \
     savedAptMark="$(apt-mark showmanual)"; \
@@ -24,41 +24,51 @@ RUN set -ex; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         libcurl4-openssl-dev \
+        libevent-dev \
         libfreetype6-dev \
         libicu-dev \
         libjpeg-dev \
         libldap2-dev \
         libmcrypt-dev \
         libmemcached-dev \
-        libpng12-dev \
+        libpng-dev \
         libpq-dev \
         libxml2-dev \
+        libmagickwand-dev \
+        libzip-dev \
+        libwebp-dev \
+        libgmp-dev \
     ; \
     \
     debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
-    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr; \
+    if [ ! -e /usr/include/gmp.h ]; then ln -s /usr/include/$debMultiarch/gmp.h /usr/include/gmp.h; fi;\
+    docker-php-ext-configure gd --with-freetype-dir=/usr --with-png-dir=/usr --with-jpeg-dir=/usr --with-webp-dir=/usr; \
+    docker-php-ext-configure gmp --with-gmp="/usr/include/$debMultiarch"; \
     docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
-    docker-php-ext-install \
+    docker-php-ext-install -j "$(nproc)" \
         exif \
         gd \
         intl \
         ldap \
-        mcrypt \
         opcache \
         pcntl \
         pdo_mysql \
         pdo_pgsql \
         zip \
+        gmp \
     ; \
-    pecl install \
-        APCu-5.1.11 \
-        memcached-3.0.4 \
-        redis-3.1.6 \
-    ; \
+    \
+# pecl will claim success even if one install fails, so we need to perform each install separately
+    pecl install APCu-5.1.18; \
+    pecl install memcached-3.1.5; \
+    pecl install redis-4.3.0; \
+    pecl install imagick-3.4.4; \
+    \
     docker-php-ext-enable \
         apcu \
         memcached \
         redis \
+        imagick \
     ; \
     \
 # reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
@@ -79,7 +89,6 @@ RUN set -ex; \
 # see https://docs.nextcloud.com/server/12/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
 RUN { \
         echo 'opcache.enable=1'; \
-        echo 'opcache.enable_cli=1'; \
         echo 'opcache.interned_strings_buffer=8'; \
         echo 'opcache.max_accelerated_files=10000'; \
         echo 'opcache.memory_consumption=128'; \
@@ -87,6 +96,10 @@ RUN { \
         echo 'opcache.revalidate_freq=1'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
+    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    \
+    echo 'memory_limit=512M' > /usr/local/etc/php/conf.d/memory-limit.ini; \
+    \
     mkdir /var/www/data; \
     chown -R www-data:root /var/www; \
     chmod -R g=u /var/www
@@ -102,26 +115,36 @@ RUN a2enmod rewrite remoteip ;\
     } > /etc/apache2/conf-available/remoteip.conf;\
     a2enconf remoteip
 
-ENV NEXTCLOUD_VERSION 12.0.7
+ENV NEXTCLOUD_VERSION 16.0.8
 
 RUN set -ex; \
+    fetchDeps=" \
+        gnupg \
+        dirmngr \
+    "; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends $fetchDeps; \
+    \
     curl -fsSL -o nextcloud.tar.bz2 \
         "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
     curl -fsSL -o nextcloud.tar.bz2.asc \
         "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
     export GNUPGHOME="$(mktemp -d)"; \
 # gpg key from https://nextcloud.com/nextcloud.asc
-    gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
+    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
     gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
-    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc; \
     tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
-    rm nextcloud.tar.bz2; \
+    gpgconf --kill all; \
+    rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
     rm -rf /usr/src/nextcloud/updater; \
     mkdir -p /usr/src/nextcloud/data; \
     mkdir -p /usr/src/nextcloud/custom_apps; \
-    chmod +x /usr/src/nextcloud/occ
+    chmod +x /usr/src/nextcloud/occ; \
+    \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
+    rm -rf /var/lib/apt/lists/*
 
-COPY *.sh /
+COPY *.sh upgrade.exclude /
 COPY config/* /usr/src/nextcloud/config/
 
 ENTRYPOINT ["/entrypoint.sh"]