Merge pull request #5945 from nextcloud/enh/5938/show-secret-in-interface

containers-schema: allow to specify ui-secret and show in aio interface
szaimen authored Jan 28, 2025
2 parents 0a1fba8 + 2efeff2 commit 1eebe6f
Showing 16 changed files with 42 additions and 4 deletions.
@@ -26,6 +26,7 @@
"BORGBACKUP_VIEWER_PASSWORD",
"BORGBACKUP_PASSWORD"
],
"ui_secret": "BORGBACKUP_VIEWER_PASSWORD",
"volumes": [
{
"source": "nextcloud_aio_backup_cache",
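Review bot: `ui_secret` here names `BORGBACKUP_VIEWER_PASSWORD`, which is one of the two entries in the `secrets` list directly above, so the value shown in the interface is the one actually injected into the container; keep that invariant in mind for the other definitions in this change, because nothing in the schema enforces it.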
2 changes: 1 addition & 1 deletion community-containers/borgbackup-viewer/readme.md
@@ -2,7 +2,7 @@
This container allows to view the local borg repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser.

### Notes
- After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can retrieve when running `sudo docker inspect nextcloud-aio-borgbackup-viewer | grep WEB_AUTHENTICATION_PASSWORD`. (It uses a self-signed certificate, so you need to accept the warning).
- After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
- Then, you should see a terminal. There type in `borg mount /mnt/borgbackup/borg /tmp/borg` to mount the backup archive at `/tmp/borg` inside the container. Afterwards type in `nautilus /tmp/borg` which will show a file explorer and allows you to see all the files. You can then copy files and folders back to their initial mountpoints inside `/nextcloud_aio_volumes/`, `/host_mounts/` and `/docker_volumes/`. ⚠️ Be very carefully while doing that as can break your instance!
- After you are done with the operation, click on the terminal in the background and press `[CTRL]+[c]` multiple times to close any open application. Then run `umount /tmp/borg` to unmount the mountpoint correctly.
- You can also delete specific archives by running `borg list`, delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Check backup integrity` button or `Create backup` button.
1 change: 1 addition & 0 deletions community-containers/lldap/lldap.json
@@ -27,6 +27,7 @@
"LLDAP_JWT_SECRET",
"LLDAP_LDAP_USER_PASS"
],
"ui_secret": "LLDAP_JWT_SECRET",
"volumes": [
{
"source": "nextcloud_aio_lldap",
2 changes: 1 addition & 1 deletion community-containers/lldap/readme.md
@@ -3,7 +3,7 @@ This container bundles LLDAP server and auto-configures your Nextcloud instance

### Notes
- In order to access your LLDAP web interface outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `ldap.$NC_DOMAIN` to redirect to your Lldap. You need to point the reverse proxy at port 17170 of this server.
- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the password that you can retrieve via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_JWT_SECRET`.
- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the secret that you can see next to the container in the AIO interface.
- To configure Nextcloud, you can use the generic configuration proposed below.
- For advanced configurations, see how to configure a client with lldap https://github.com/lldap/lldap#client-configuration
- Also, see how Nextcloud's LDAP application works https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
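Review bot: this readme calls the displayed value a "secret" while the template in this same change labels it `password:` and the other readmes say "password"; since the value is `LLDAP_JWT_SECRET`, either wording works, but pick one so the text next to the container matches what the readme tells the user to look for.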
1 change: 1 addition & 0 deletions community-containers/makemkv/makemkv.json
@@ -50,6 +50,7 @@
"secrets": [
"MAKEMKV_PASSWORD"
],
"ui_secret": "MAKEMKV_PASSWORD",
"backup_volumes": [
"nextcloud_aio_makemkv"
]
2 changes: 1 addition & 1 deletion community-containers/makemkv/readme.md
@@ -6,7 +6,7 @@ This container bundles MakeMKV and auto-configures it for you.
- ⚠️ This container mounts all devices from the host inside the container in order to be able to access the external DVD/Blu-ray drives which is a security issue. However no better solution was found for the time being.
- This container only works on Linux and not on Docker-Desktop.
- This container requires the [`NEXTCLOUD_MOUNT` variable in AIO to be set](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host). Otherwise the output will not be saved correctly..
- After adding and starting the container, you need to visit `https://internal.ip.of.server:5802` in order to log in with the `makemkv` user and the password that you can retrieve when running `sudo docker inspect nextcloud-aio-makemkv | grep WEB_AUTHENTICATION_PASSWORD`. (It uses a self-signed certificate, so you need to accept the warning).
- After adding and starting the container, you need to visit `https://internal.ip.of.server:5802` in order to log in with the `makemkv` user and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
- After the first login, you can adjust the `/output` directory in the MakeMKV settings to a subdirectory of the root of your chosen `NEXTCLOUD_MOUNT`. (by default `NEXTCLOUD_MOUNT` is mounted to `/output` inside the container. Thus all data is written to the root of it)
- The configured `NEXTCLOUD_DATADIR` is getting mounted to `/storage` inside the container.
- The config data of MakeMKV will be automatically included in AIOs backup solution!
1 change: 1 addition & 0 deletions community-containers/nocodb/nocodb.json
@@ -28,6 +28,7 @@
"NOCODB_JWT_SECRET",
"NOCODB_USER_PASS"
],
"ui_secret": "NOCODB_USER_PASS",
"volumes": [
{
"source": "nextcloud_aio_nocodb",
2 changes: 1 addition & 1 deletion community-containers/nocodb/readme.md
@@ -17,7 +17,7 @@ This is an alternative of **Airtable**.
- You need to configure a reverse proxy in order to run this container since nocodb needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy.
- Currently, only `tables.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, nocodb will use `tables.your-domain.com`.
- The data of NocoDb will be automatically included in AIOs backup solution!
- After adding and starting the container, you need to run `docker inspect nextcloud-aio-nocodb | grep NC_ADMIN_PASS` to obtain the system administrator password (username: `[email protected]`). With this information, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin`
- After adding and starting the container, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin` with the username `[email protected]` and the password that you can see in the AIO interface next to the container.
- See https://docs.nocodb.com/ for usage of NocoDb
- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

1 change: 1 addition & 0 deletions community-containers/stalwart/stalwart.json
@@ -53,6 +53,7 @@
"secrets": [
"STALWART_USER_PASS"
],
"ui_secret": "STALWART_USER_PASS",
"volumes": [
{
"source": "nextcloud_aio_stalwart",
1 change: 1 addition & 0 deletions manual-install/update-yaml.sh
@@ -14,6 +14,7 @@ cat /tmp/containers.json
OUTPUT="$(cat /tmp/containers.json)"
OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].internal_port)')"
OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].secrets)')"
OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].ui_secrets)')"
OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].devices)')"
OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].enable_nvidia_gpu)')"
OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
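Review bot: the key deleted on the new line is `ui_secrets`, but the schema and every container definition in this change introduce `ui_secret` (singular), so this `del` matches nothing and the new key is carried through into the generated yaml. Change it to `jq 'del(.services[].ui_secret)'`, matching the `secrets` line above it.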
4 changes: 4 additions & 0 deletions php/containers-schema.json
@@ -145,6 +145,10 @@
"pattern": "^[A-Z_]+$"
}
},
"ui_secret": {
"type": "string",
"pattern": "^[A-Z_]+$"
},
"image_tag": {
"type": "string",
"pattern": "^([a-z0-9.-]+|%AIO_CHANNEL%)$"
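Review bot: the schema constrains only the shape of `ui_secret`; it cannot express that the value must be one of the names in the same entry's `secrets`, which is the contract the rest of this change relies on. A `description` stating that requirement would help container authors, and the check itself belongs in the PHP loader.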
5 changes: 5 additions & 0 deletions php/src/Container/Container.php
@@ -21,6 +21,7 @@ public function __construct(
private array $dependsOn,
/** @var string[] */
private array $secrets,
private string $uiSecret,
/** @var string[] */
private array $devices,
private bool $enableNvidiaGpu,
@@ -85,6 +86,10 @@ public function GetSecrets() : array {
return $this->secrets;
}

public function GetUiSecret() : string {
return $this->dockerActionManager->GetAndGenerateSecretWrapper($this->uiSecret);
}

public function GetTmpfs() : array {
return $this->tmpfs;
}
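Review bot: `GetUiSecret()` is a getter with a side effect: `GetAndGenerateSecretWrapper` creates and persists a secret when none exists, and the template calls this method for every listed container on each render. That is harmless as long as `uiSecret` names an entry that is also in `secrets` (the same value would be generated at container start), but a docblock should say so, and it should spell out that the empty string means "no secret to show", since the early return added to `GetAndGenerateSecret` depends on exactly that sentinel.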
6 changes: 6 additions & 0 deletions php/src/ContainerDefinitionFetcher.php
@@ -244,6 +244,11 @@ private function GetDefinition(): array
$secrets = $entry['secrets'];
}

$uiSecret = '';
if (isset($entry['ui_secret'])) {
$uiSecret = $entry['ui_secret'];
}

$devices = [];
if (isset($entry['devices'])) {
$devices = $entry['devices'];
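Review bot: `$uiSecret` is accepted without being checked against the `$secrets` array collected just above it. Because `GetAndGenerateSecret` creates a fresh random value for any id it has not seen, a mistyped `ui_secret` would be displayed in the interface but never handed to the container. Reject it at load time, for example `if ($uiSecret !== '' && !in_array($uiSecret, $secrets, true)) { throw new \InvalidArgumentException('ui_secret must be listed in secrets'); }`.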
@@ -316,6 +321,7 @@ private function GetDefinition(): array
$variables,
$dependsOn,
$secrets,
$uiSecret,
$devices,
$enableNvidiaGpu,
$capAdd,
4 changes: 4 additions & 0 deletions php/src/Data/ConfigurationManager.php
@@ -33,6 +33,10 @@ public function SetPassword(string $password) : void {
}

public function GetAndGenerateSecret(string $secretId) : string {
if ($secretId === '') {
return '';
}

$config = $this->GetConfig();
if(!isset($config['secrets'][$secretId])) {
$config['secrets'][$secretId] = bin2hex(random_bytes(24));
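Review bot: the new early return turns the empty string into a sentinel for "no secret", so a caller that passes an accidentally empty id now silently gets `''` back instead of a generated entry under `secrets`. A one-line comment naming the sentinel, and a mention in the method's docblock, would make that intentional behaviour visible to the next reader.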
4 changes: 4 additions & 0 deletions php/src/Docker/DockerActionManager.php
@@ -1032,6 +1032,10 @@ private function GetCreatedTimeOfNextcloudImage() : ?string {
}
}

public function GetAndGenerateSecretWrapper(string $secretId) : string {
return $this->configurationManager->GetAndGenerateSecret($secretId);
}

public function isNextcloudImageOutdated() : bool {
$createdTime = $this->GetCreatedTimeOfNextcloudImage();

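Review bot: `GetAndGenerateSecretWrapper` is a pure pass-through to `ConfigurationManager`; rather than widening `DockerActionManager`'s surface, `Container` could be given the `ConfigurationManager` it actually needs, or the secret value could be resolved once in `ContainerDefinitionFetcher`. If the wrapper stays, a short docblock naming the delegate would help.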
9 changes: 9 additions & 0 deletions php/templates/containers.twig
@@ -282,20 +282,29 @@
{% if container.GetDocumentation() != '' %}
(<a href="{{ container.GetDocumentation() }}">docs</a>)
{% endif %}
{% if container.GetUiSecret() != '' %}
(password: {{ GetUiSecret.GetUiSecret() }} )
{% endif %}
</span>
{% elseif container.GetRunningState().value == 'running' %}
<span class="status success"></span>
<span>{{ container.GetDisplayName() }} (<a href="/api/docker/logs?id={{ container.GetIdentifier() }}" target="_blank" rel="noopener">Running</a>)
{% if container.GetDocumentation() != '' %}
(<a href="{{ container.GetDocumentation() }}">docs</a>)
{% endif %}
{% if container.GetUiSecret() != '' %}
(password: {{ GetUiSecret.GetUiSecret() }} )
{% endif %}
</span>
{% else %}
<span class="status error"></span>
<span>{{ container.GetDisplayName() }} (<a href="/api/docker/logs?id={{ container.GetIdentifier() }}" target="_blank" rel="noopener">Stopped</a>)
{% if container.GetDocumentation() != '' %}
(<a href="{{ container.GetDocumentation() }}">docs</a>)
{% endif %}
{% if container.GetUiSecret() != '' %}
(password: {{ GetUiSecret.GetUiSecret() }} )
{% endif %}
</span>
{% endif %}
</li>
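Review bot: the three output expressions use `GetUiSecret.GetUiSecret()` while the guard directly above each of them uses `container.GetUiSecret()`; `GetUiSecret` is not a variable in this template, so the rendered text is `(password:  )` with the default Twig settings, or an exception under `strict_variables`. Replace all three with `container.GetUiSecret()`. Since each branch then calls the getter twice, and the getter reads (and may generate) the secret on every call, set it once before the branches, e.g. `{% set uiSecret = container.GetUiSecret() %}`, and consider hoisting the identical `docs`/`password` block out of the three status branches so it is maintained in one place.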