From 04ef45667ff62f7c09917e103e504d36b035d6b5 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 23 Jan 2025 16:28:07 +0100
Subject: [PATCH 1/2] containers-schema: allow to specify ui-secret and show in aio interface
Signed-off-by: Simon L.
---
 .../borgbackup-viewer/borgbackup-viewer.json | 1 +
 community-containers/borgbackup-viewer/readme.md | 2 +-
 community-containers/lldap/readme.md | 2 +-
 community-containers/makemkv/makemkv.json | 1 +
 community-containers/makemkv/readme.md | 2 +-
 manual-install/update-yaml.sh | 1 +
 php/containers-schema.json | 4 ++++
 php/src/Container/Container.php | 5 +++++
 php/src/ContainerDefinitionFetcher.php | 6 ++++++
 php/src/Data/ConfigurationManager.php | 4 ++++
 php/src/Docker/DockerActionManager.php | 4 ++++
 php/templates/containers.twig | 9 +++++++++
 12 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/community-containers/borgbackup-viewer/borgbackup-viewer.json b/community-containers/borgbackup-viewer/borgbackup-viewer.json
index 417cc660c66..9b5c58e5881 100644
--- a/community-containers/borgbackup-viewer/borgbackup-viewer.json
+++ b/community-containers/borgbackup-viewer/borgbackup-viewer.json
@@ -26,6 +26,7 @@
 "BORGBACKUP_VIEWER_PASSWORD",
 "BORGBACKUP_PASSWORD"
 ],
+ "ui_secret": "BORGBACKUP_VIEWER_PASSWORD",
 "volumes": [
 {
 "source": "nextcloud_aio_backup_cache",
diff --git a/community-containers/borgbackup-viewer/readme.md b/community-containers/borgbackup-viewer/readme.md
index 42b692ecdf4..dc3d5806d96 100644
--- a/community-containers/borgbackup-viewer/readme.md
+++ b/community-containers/borgbackup-viewer/readme.md
@@ -2,7 +2,7 @@ This container allows to view the local borg repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser. ### Notes -- After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can retrieve when running `sudo docker inspect nextcloud-aio-borgbackup-viewer | grep WEB_AUTHENTICATION_PASSWORD`. (It uses a self-signed certificate, so you need to accept the warning). +- After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning). - Then, you should see a terminal. There type in `borg mount /mnt/borgbackup/borg /tmp/borg` to mount the backup archive at `/tmp/borg` inside the container. Afterwards type in `nautilus /tmp/borg` which will show a file explorer and allows you to see all the files. You can then copy files and folders back to their initial mountpoints inside `/nextcloud_aio_volumes/`, `/host_mounts/` and `/docker_volumes/`. ⚠️ Be very carefully while doing that as can break your instance! - After you are done with the operation, click on the terminal in the background and press `[CTRL]+[c]` multiple times to close any open application. Then run `umount /tmp/borg` to unmount the mountpoint correctly. - You can also delete specific archives by running `borg list`, delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Check backup integrity` button or `Create backup` button. 
diff --git a/community-containers/lldap/readme.md b/community-containers/lldap/readme.md index 27934d28ada..74a51c6157a 100644 --- a/community-containers/lldap/readme.md +++ b/community-containers/lldap/readme.md @@ -3,7 +3,7 @@ This container bundles LLDAP server and auto-configures your Nextcloud instance ### Notes - In order to access your LLDAP web interface outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `ldap.$NC_DOMAIN` to redirect to your Lldap. You need to point the reverse proxy at port 17170 of this server. -- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the password that you can retrieve via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_JWT_SECRET`. +- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the secret that you can see next to the container in the AIO interface. - To configure Nextcloud, you can use the generic configuration proposed below. - For advanced configurations, see how to configure a client with lldap https://github.com/lldap/lldap#client-configuration - Also, see how Nextcloud's LDAP application works https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html diff --git a/community-containers/makemkv/makemkv.json b/community-containers/makemkv/makemkv.json index e8d7f8ddd1d..22132cb8391 100644 --- a/community-containers/makemkv/makemkv.json +++ b/community-containers/makemkv/makemkv.json @@ -50,6 +50,7 @@ "secrets": [ "MAKEMKV_PASSWORD" ], + "ui_secret": "MAKEMKV_PASSWORD", "backup_volumes": [ "nextcloud_aio_makemkv" ] 
diff --git a/community-containers/makemkv/readme.md b/community-containers/makemkv/readme.md index fa26be40531..ed9ce040c87 100644 --- a/community-containers/makemkv/readme.md +++ b/community-containers/makemkv/readme.md @@ -6,7 +6,7 @@ This container bundles MakeMKV and auto-configures it for you. - ⚠️ This container mounts all devices from the host inside the container in order to be able to access the external DVD/Blu-ray drives which is a security issue. However no better solution was found for the time being. - This container only works on Linux and not on Docker-Desktop. - This container requires the [`NEXTCLOUD_MOUNT` variable in AIO to be set](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host). Otherwise the output will not be saved correctly.. -- After adding and starting the container, you need to visit `https://internal.ip.of.server:5802` in order to log in with the `makemkv` user and the password that you can retrieve when running `sudo docker inspect nextcloud-aio-makemkv | grep WEB_AUTHENTICATION_PASSWORD`. (It uses a self-signed certificate, so you need to accept the warning). +- After adding and starting the container, you need to visit `https://internal.ip.of.server:5802` in order to log in with the `makemkv` user and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning). - After the first login, you can adjust the `/output` directory in the MakeMKV settings to a subdirectory of the root of your chosen `NEXTCLOUD_MOUNT`. (by default `NEXTCLOUD_MOUNT` is mounted to `/output` inside the container. Thus all data is written to the root of it) - The configured `NEXTCLOUD_DATADIR` is getting mounted to `/storage` inside the container. - The config data of MakeMKV will be automatically included in AIOs backup solution! 
diff --git a/manual-install/update-yaml.sh b/manual-install/update-yaml.sh
index f4d207c37b0..95c99426f90 100644
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@@ -14,6 +14,7 @@ cat /tmp/containers.json
 OUTPUT="$(cat /tmp/containers.json)"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].internal_port)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].secrets)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].ui_secrets)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].devices)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].enable_nvidia_gpu)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
diff --git a/php/containers-schema.json b/php/containers-schema.json
index 4f030e8f2a5..7a675e60be9 100644
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@@ -145,6 +145,10 @@
 "pattern": "^[A-Z_]+$"
 }
 },
+ "ui_secret": {
+ "type": "string",
+ "pattern": "^[A-Z_]+$"
+ },
 "image_tag": {
 "type": "string",
 "pattern": "^([a-z0-9.-]+|%AIO_CHANNEL%)$"
diff --git a/php/src/Container/Container.php b/php/src/Container/Container.php
index 0b032e8c2d4..77858283cf0 100644
--- a/php/src/Container/Container.php
+++ b/php/src/Container/Container.php
@@ -21,6 +21,7 @@ public function __construct(
 private array $dependsOn,
 /** @var string[] */
 private array $secrets,
+ private string $uiSecret,
 /** @var string[] */
 private array $devices,
 private bool $enableNvidiaGpu,
@@ -85,6 +86,10 @@ public function GetSecrets() : array {
 return $this->secrets;
 }
 
+ public function GetUiSecret() : string {
+ return $this->dockerActionManager->GetAndGenerateSecretWrapper($this->uiSecret);
+ }
+
 public function GetTmpfs() : array {
 return $this->tmpfs;
 }
diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php
index 8f7c6a97576..6809650cf71 100644
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
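Review bot: The jq filter added here deletes `.services[].ui_secrets`, but the key this same patch introduces in php/containers-schema.json and in the community-container definitions is `ui_secret` (singular), so the deletion is a no-op and `ui_secret` stays in the generated manual-install YAML next to the other keys this script strips. The line should read `OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].ui_secret)')"`.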
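Review bot: `GetUiSecret()` in the Container.php hunk at @@ -85 is not a plain getter: it routes through `GetAndGenerateSecretWrapper` into `ConfigurationManager::GetAndGenerateSecret`, which per the ConfigurationManager hunk in this patch generates a random value when the id is not yet in config, so the container list now mints secrets for containers that have never been started. If that write is persisted (the store happens outside the hunk) the side effect deserves a docblock on the method, e.g. `/** Resolves the secret named by ui_secret, generating and storing it on first access; returns '' when no ui_secret is declared. */`. Since the value is only displayed here, a non-generating lookup would also be worth considering if ConfigurationManager offers one.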
@@ -244,6 +244,11 @@ private function GetDefinition(): array
 $secrets = $entry['secrets'];
 }
 
+ $uiSecret = '';
+ if (isset($entry['ui_secret'])) {
+ $uiSecret = $entry['ui_secret'];
+ }
+
 $devices = [];
 if (isset($entry['devices'])) {
 $devices = $entry['devices'];
@@ -316,6 +321,7 @@ private function GetDefinition(): array
 $variables,
 $dependsOn,
 $secrets,
+ $uiSecret,
 $devices,
 $enableNvidiaGpu,
 $capAdd,
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index e7d6884ff27..2a0fa3d5209 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -33,6 +33,10 @@ public function SetPassword(string $password) : void {
 }
 
 public function GetAndGenerateSecret(string $secretId) : string {
+ if ($secretId === '') {
+ return '';
+ }
+
 $config = $this->GetConfig();
 if(!isset($config['secrets'][$secretId])) {
 $config['secrets'][$secretId] = bin2hex(random_bytes(24));
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index c9eb402e8b3..e98a5237c41 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -1032,6 +1032,10 @@ private function GetCreatedTimeOfNextcloudImage() : ?string {
 }
 }
 
+ public function GetAndGenerateSecretWrapper(string $secretId) : string {
+ return $this->configurationManager->GetAndGenerateSecret($secretId);
+ }
+
 public function isNextcloudImageOutdated() : bool {
 $createdTime = $this->GetCreatedTimeOfNextcloudImage();
 
diff --git a/php/templates/containers.twig b/php/templates/containers.twig
index 1a2fd11c571..6f0128b3bc1 100644
--- a/php/templates/containers.twig
+++ b/php/templates/containers.twig
@@ -282,6 +282,9 @@
 {% if container.GetDocumentation() != '' %} (docs) {% endif %}
+ {% if container.GetUiSecret() != '' %}
+ (secret: {{ GetUiSecret.GetUiSecret() }} )
+ {% endif %}
 {% elseif container.GetRunningState().value == 'running' %}
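Review bot: The new `ui_secret` value is accepted without checking that it names one of the container's declared `secrets` (the `$secrets` array read just above in this hunk); the JSON schema's `^[A-Z_]+$` pattern cannot express that cross-field constraint. A definition whose `ui_secret` is not in `secrets` would make `GetAndGenerateSecret` mint and display a fresh random value that the container itself never receives, so the interface would show a plausible-looking but wrong password. Consider rejecting such a definition at load time, e.g. `if ($uiSecret !== '' && !in_array($uiSecret, $secrets, true)) { throw new \InvalidArgumentException('ui_secret must be one of the declared secrets'); }`. `GetDefinition()` starts before and continues after this hunk.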
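Review bot: The output expression `{{ GetUiSecret.GetUiSecret() }}` in the containers.twig hunk at @@ -282 references a template variable named `GetUiSecret` that is never assigned, while the guard on the preceding line correctly uses `container.GetUiSecret()`. With Twig's default non-strict variable handling this renders as an empty string, so the interface shows `(secret: )` for every container that declares a ui_secret; with strict_variables enabled it throws instead. The line should be `(secret: {{ container.GetUiSecret() }} )`. The same mistake is repeated in the hunks at @@ -289 and @@ -296 and is carried unchanged through the `(password: …)` relabeling in the second patch.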
@@ -289,6 +292,9 @@
 {% if container.GetDocumentation() != '' %} (docs) {% endif %}
+ {% if container.GetUiSecret() != '' %}
+ (secret: {{ GetUiSecret.GetUiSecret() }} )
+ {% endif %}
 {% else %}
@@ -296,6 +302,9 @@
 {% if container.GetDocumentation() != '' %} (docs) {% endif %}
+ {% if container.GetUiSecret() != '' %}
+ (secret: {{ GetUiSecret.GetUiSecret() }} )
+ {% endif %}
 {% endif %}
From 2efeff2b9608f9f22ceaeb65a834011f112ba7b0 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Fri, 24 Jan 2025 13:34:14 +0100
Subject: [PATCH 2/2] address review
Signed-off-by: Simon L.
---
 community-containers/lldap/lldap.json | 1 +
 community-containers/nocodb/nocodb.json | 1 +
 community-containers/nocodb/readme.md | 2 +-
 community-containers/stalwart/stalwart.json | 1 +
 php/templates/containers.twig | 6 +++---
 5 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/community-containers/lldap/lldap.json b/community-containers/lldap/lldap.json
index 3592f1799c5..8f7fba8818f 100644
--- a/community-containers/lldap/lldap.json
+++ b/community-containers/lldap/lldap.json
@@ -27,6 +27,7 @@
 "LLDAP_JWT_SECRET",
 "LLDAP_LDAP_USER_PASS"
 ],
+ "ui_secret": "LLDAP_JWT_SECRET",
 "volumes": [
 {
 "source": "nextcloud_aio_lldap",
diff --git a/community-containers/nocodb/nocodb.json b/community-containers/nocodb/nocodb.json
index 8a915c2ff48..a5d56e1372a 100644
--- a/community-containers/nocodb/nocodb.json
+++ b/community-containers/nocodb/nocodb.json
@@ -28,6 +28,7 @@
 "NOCODB_JWT_SECRET",
 "NOCODB_USER_PASS"
 ],
+ "ui_secret": "NOCODB_USER_PASS",
 "volumes": [
 {
 "source": "nextcloud_aio_nocodb",
diff --git a/community-containers/nocodb/readme.md b/community-containers/nocodb/readme.md
index 8d528928dd4..748c8585698 100644
--- a/community-containers/nocodb/readme.md
+++ b/community-containers/nocodb/readme.md
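Review bot: The lldap.json hunk at @@ -27 exposes `LLDAP_JWT_SECRET` as the `ui_secret`, and the second patch labels that value "password" in the interface, while the same `secrets` list also declares `LLDAP_LDAP_USER_PASS`. If the admin login actually uses `LLDAP_LDAP_USER_PASS`, the interface shows the wrong value; if the admin password really is the JWT secret, the token-signing key is then rendered on every page load, which is wider exposure than a login password needs. Worth confirming which variable the lldap container binds to the admin account before merging, and stating it in the lldap readme so the two are not conflated again.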
@@ -17,7 +17,7 @@ This is an alternative of **Airtable**. - You need to configure a reverse proxy in order to run this container since nocodb needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy. - Currently, only `tables.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, nocodb will use `tables.your-domain.com`. - The data of NocoDb will be automatically included in AIOs backup solution! -- After adding and starting the container, you need to run `docker inspect nextcloud-aio-nocodb | grep NC_ADMIN_PASS` to obtain the system administrator password (username: `admin@noco.db`). With this information, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin` +- After adding and starting the container, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin` with the username `admin@noco.db` and the password that you can see in the AIO interface next to the container. - See https://docs.nocodb.com/ for usage of NocoDb - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack diff --git a/community-containers/stalwart/stalwart.json b/community-containers/stalwart/stalwart.json index 891bd9da005..7858327ca7e 100644 --- a/community-containers/stalwart/stalwart.json +++ b/community-containers/stalwart/stalwart.json @@ -53,6 +53,7 @@ "secrets": [ "STALWART_USER_PASS" ], + "ui_secret": "STALWART_USER_PASS", "volumes": [ { "source": "nextcloud_aio_stalwart", diff --git a/php/templates/containers.twig b/php/templates/containers.twig index 6f0128b3bc1..a3de0b241a3 100644 --- a/php/templates/containers.twig +++ b/php/templates/containers.twig 
@@ -283,7 +283,7 @@
 (docs) {% endif %}
 {% if container.GetUiSecret() != '' %}
- (secret: {{ GetUiSecret.GetUiSecret() }} )
+ (password: {{ GetUiSecret.GetUiSecret() }} )
 {% endif %}
 {% elseif container.GetRunningState().value == 'running' %}
@@ -293,7 +293,7 @@
 (docs) {% endif %}
 {% if container.GetUiSecret() != '' %}
- (secret: {{ GetUiSecret.GetUiSecret() }} )
+ (password: {{ GetUiSecret.GetUiSecret() }} )
 {% endif %}
 {% else %}
@@ -303,7 +303,7 @@
 (docs) {% endif %}
 {% if container.GetUiSecret() != '' %}
- (secret: {{ GetUiSecret.GetUiSecret() }} )
+ (password: {{ GetUiSecret.GetUiSecret() }} )
 {% endif %}
 {% endif %}