diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh index fc613b73..c57b4207 100755 --- a/Containers/mastercontainer/start.sh +++ b/Containers/mastercontainer/start.sh @@ -161,6 +161,14 @@ It is set to '$DOCKER_SOCKET_PATH'." exit 1 fi fi +if [ -n "$TRUSTED_CACERTS_DIR" ]; then + if ! echo "$TRUSTED_CACERTS_DIR" | grep -q "^/" || echo "$TRUSTED_CACERTS_DIR" | grep -q "/$"; then + echo "You've set TRUSTED_CACERTS_DIR but not to an allowed value. +It should be an absolute path to a directory that starts with '/' but not end with '/'. +It is set to '$TRUSTED_CACERTS_DIR '." + exit 1 + fi +fi # Check DNS resolution # Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565 diff --git a/Containers/nextcloud/start.sh b/Containers/nextcloud/start.sh index 92cef7f8..8b7e8d97 100644 --- a/Containers/nextcloud/start.sh +++ b/Containers/nextcloud/start.sh @@ -22,6 +22,12 @@ if [ -f "/var/www/html/config/config.php" ]; then # sed -i "s|'dbpassword'.*=>.*$|'dbpassword' => '$POSTGRES_PASSWORD',|" /var/www/html/config/config.php fi +# Trust additional Cacerts, if the user provided $TRUSTED_CACERTS_DIR +if [ -n "$TRUSTED_CACERTS_DIR" ]; then + echo "User required to trust additional CA certificates, running 'update-ca-certificates." + update-ca-certificates +fi + # Run original entrypoint if ! bash /entrypoint.sh; then exit 1 diff --git a/docker-compose.yml b/docker-compose.yml index 42688d0c..d96afc08 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
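Review bot: The error branch of the new TRUSTED_CACERTS_DIR check prints the value with a stray space inside the quotes, `It is set to '$TRUSTED_CACERTS_DIR '."`, so a value that genuinely ends in a space cannot be told apart from a clean one; it should read `It is set to '$TRUSTED_CACERTS_DIR'."`. The echo-piped-to-grep tests are also evaluated line by line, so a value with an embedded newline whose second line starts with `/` passes the first test; a shell pattern match checks the whole string and needs no subprocesses: `case "$TRUSTED_CACERTS_DIR" in */|[!/]*) echo "..."; exit 1 ;; esac`. Since this script runs inside the mastercontainer it cannot confirm that the host directory exists, and a one-line comment saying so (`# Only the path shape is checked here; the directory lives on the host and cannot be inspected from this container.`) would stop the next reader from adding a `-d` test that can never succeed.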
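Review bot: `update-ca-certificates` is invoked whenever TRUSTED_CACERTS_DIR is non-empty, with no check that `/usr/local/share/ca-certificates` (the mount target declared in containers.json) is actually a directory and with its exit status ignored, so the file-instead-of-directory misconfiguration the readme warns about, or a failed run, leaves the expected CAs untrusted with nothing but the tool's own output to show for it. A guard such as `[ -d /usr/local/share/ca-certificates ] || { echo "TRUSTED_CACERTS_DIR must point to a directory."; exit 1; }` followed by `update-ca-certificates || exit 1` (or at least a logged warning, if a hard stop is considered too strict) makes the failure visible where the user is already looking. The log line also has an unmatched quote, `running 'update-ca-certificates.` should be `running 'update-ca-certificates'.`. If the image is Debian-based, as the mount path suggests, the tool only imports files with a `.crt` extension; that constraint is not mentioned in the readme hunk and is worth stating there or in this log line.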
@@ -26,6 +26,7 @@ services: # - DISABLE_BACKUP_SECTION=true # Setting this to true allows to hide the backup section in the AIO interface. # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud + # - TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-(ca) # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588 diff --git a/manual-install/update-yaml.sh b/manual-install/update-yaml.sh index 3cf23451..564891cf 100644 --- a/manual-install/update-yaml.sh +++ b/manual-install/update-yaml.sh 
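Review bot: The new commented example carries typos that users will copy verbatim: `nexcloud`, a doubled `See See`, and the anchor `#how-to-trust-user-defiend-certification-authorities-(ca)`, which keeps the `defiend` misspelling from the readme heading and includes parentheses that GitHub strips when building heading slugs, so the link presumably will not resolve even against the current heading (the same anchor appears in the QA checklist hunk). Suggested line, with the readme heading and both links corrected together: `# - TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (useful e.g. for LDAPS). See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca`.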
@@ -64,6 +64,7 @@ sed -i 's|NEXTCLOUD_DATADIR=|NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data sed -i 's|NEXTCLOUD_MOUNT=|NEXTCLOUD_MOUNT=/mnt/ # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!|' sample.conf sed -i 's|NEXTCLOUD_UPLOAD_LIMIT=|NEXTCLOUD_UPLOAD_LIMIT=10G # This allows to change the upload limit of the Nextcloud container|' sample.conf sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600 # This allows to change the upload time limit of the Nextcloud container|' sample.conf +sed -i 's|TRUSTED_CACERTS_DIR=|TRUSTED_CACERTS_DIR=/path/to/my/cacerts # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS=no # When setting to yes, it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf sed -i 's|APACHE_PORT=|APACHE_PORT=443 # Changing this to a different value than 443 will allow you to run it behind a reverse proxy.|' sample.conf sed -i 's|TALK_PORT=|TALK_PORT=3478 # This allows to adjust the port that the talk container is using.|' sample.conf diff --git a/php/containers.json b/php/containers.json index 879c4521..1efbaa14 100644 --- a/php/containers.json +++ b/php/containers.json @@ -112,6 +112,11 @@ "name": "%NEXTCLOUD_MOUNT%", "location": "%NEXTCLOUD_MOUNT%", "writeable": true + }, + { + "name": "%TRUSTED_CACERTS_DIR%", + "location": "/usr/local/share/ca-certificates", + "writeable": false } ], "environmentVariables": [ @@ -148,7 +153,8 @@ "PHP_UPLOAD_LIMIT=%NEXTCLOUD_UPLOAD_LIMIT%", "FULLTEXTSEARCH_ENABLED=%FULLTEXTSEARCH_ENABLED%", "FULLTEXTSEARCH_HOST=nextcloud-aio-fulltextsearch", - "PHP_MAX_TIME=%NEXTCLOUD_MAX_TIME%" + "PHP_MAX_TIME=%NEXTCLOUD_MAX_TIME%", + "TRUSTED_CACERTS_DIR=%TRUSTED_CACERTS_DIR%" ], "maxShutdownTime": 10, "restartPolicy": "unless-stopped" 
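Review bot: The default written into sample.conf, `TRUSTED_CACERTS_DIR=/path/to/my/cacerts`, is a placeholder, unlike the neighbouring `NEXTCLOUD_MOUNT=/mnt/` or `NEXTCLOUD_UPLOAD_LIMIT=10G` defaults that work as shipped; a user who does not edit it ends up with a non-empty value, and the nextcloud container will then bind-mount a host path that does not exist (which, depending on how the compose file declares the volume, either fails or silently mounts an empty directory — that file is not in this diff). Keeping the feature opt-in by leaving the value empty and moving the example into the comment, `sed -i 's|TRUSTED_CACERTS_DIR=|TRUSTED_CACERTS_DIR= # Optional: absolute host directory, e.g. /path/to/my/cacerts, whose CA certificates the Nextcloud container will trust. Leave empty to disable.|' sample.conf`, avoids that failure mode.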
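Review bot: Mounting the host directory with `"writeable": false` is the right call, since the container only needs to read the certificates, and the empty-name `continue` in ContainerDefinitionFetcher keeps this entry out of the container definition when the variable is unset. Two caveats belong in the readme, as JSON has nowhere to hold them: the bind mount replaces the image's own `/usr/local/share/ca-certificates`, so anything the image ships there is hidden while the variable is set (harmless if the image ships nothing there, which this diff does not show); and because every certificate in the directory becomes a trusted CA for the Nextcloud container, whoever can write to that host directory can make the container trust a CA of their choosing, so the docs should ask for a root-owned directory that is not group- or world-writable.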
diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php index 15e84b1e..e6d416ef 100644 --- a/php/src/ContainerDefinitionFetcher.php +++ b/php/src/ContainerDefinitionFetcher.php @@ -120,6 +120,11 @@ class ContainerDefinitionFetcher if($value['name'] === '') { continue; } + } elseif ($value['name'] === '%TRUSTED_CACERTS_DIR%') { + $value['name'] = $this->configurationManager->GetTrustedCacertsDir(); + if($value['name'] === '') { + continue; + } } if ($value['location'] === '%NEXTCLOUD_MOUNT%') { $value['location'] = $this->configurationManager->GetNextcloudMount(); diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php index 2ebcf53e..c19a747d 100644 --- a/php/src/Data/ConfigurationManager.php +++ b/php/src/Data/ConfigurationManager.php @@ -538,6 +538,13 @@ class ConfigurationManager return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue); } + public function GetTrustedCacertsDir() : string { + $envVariableName = 'TRUSTED_CACERTS_DIR'; + $configName = 'trusted_cacerts_dir'; + $defaultValue = ''; + return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue); + } + /** * @throws InvalidSettingConfigurationException */ diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php index 74cb4a96..2682ef15 100644 --- a/php/src/Docker/DockerActionManager.php +++ b/php/src/Docker/DockerActionManager.php 
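Review bot: The new `elseif` branch duplicates the branch directly above it (presumably the `%NEXTCLOUD_MOUNT%` case, whose condition is outside this hunk) down to the empty-name `continue`; resolving `$value['name']` through a small placeholder-to-getter lookup, one entry per host-mounted directory, followed by a single `if ($value['name'] === '') { continue; }`, would remove the copy and make the next host mount a one-line addition. Behaviour is unchanged either way: an empty resolved path still drops the mount. The enclosing method starts and ends outside this hunk.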
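Review bot: `GetTrustedCacertsDir()` returns the env/config value without any validation, and the absolute-path/no-trailing-slash rule added in mastercontainer/start.sh only covers the mastercontainer's environment; if the `trusted_cacerts_dir` config key can be populated some other way (not visible in this diff), that value reaches DockerActionManager and the container's bind-mount source unchecked. The method that follows this one declares `@throws InvalidSettingConfigurationException`, so the same rule can be enforced here in the file's existing style, assuming callers already handle that exception for the sibling getters: `$value = $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue); if ($value !== '' && ($value[0] !== '/' || substr($value, -1) === '/')) { throw new InvalidSettingConfigurationException('TRUSTED_CACERTS_DIR must be an absolute path without a trailing slash.'); } return $value;`. A one-line docblock, `/** Host directory whose CA certificates the Nextcloud container trusts; empty string when the feature is unused. */`, would also match the documented neighbour.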
@@ -314,6 +314,8 @@ class DockerActionManager $replacements[1] = $this->configurationManager->GetNextcloudUploadLimit(); } elseif ($out[1] === 'NEXTCLOUD_MAX_TIME') { $replacements[1] = $this->configurationManager->GetNextcloudMaxTime(); + } elseif ($out[1] === 'TRUSTED_CACERTS_DIR') { + $replacements[1] = $this->configurationManager->GetTrustedCacertsDir(); } elseif ($out[1] === 'ADDITIONAL_DIRECTORIES_BACKUP') { if ($this->configurationManager->GetAdditionalBackupDirectoriesString() !== '') { $replacements[1] = 'yes'; diff --git a/readme.md b/readme.md index d564caef..f671edeb 100644 --- a/readme.md +++ b/readme.md 
@@ -490,3 +490,12 @@ What are the requirements? 3. The feature that gets added into Nextcloud by adding the container must be maintained by the Nextcloud GmbH. 4. It must be possible to run the container without big quirks inside docker containers. Big quirks means e.g. needing to change the capabilities or security options. 5. The container should not mount directories from the host into the container: only docker volumes should be used. + +### How to trust user-defiend Certification Authorities (CA)? +For some applications it might be necessary to enstablish a secured connection to a host / server which is using a certificated issued by a Certification Authority that is not trusted out of the box. An example could be configuring LDAPS against the Domain Controller (ActiveDirectory) of an organization + +You can make the Nextcloud container trust any Certification Authority by providing the environmental variable `TRUSTED_CACERTS_DIR` when starting the AIO-mastercontainer. The value of the variables should be set to the absolute path to a directory on the host, which contains one or more Certification Authority's certificate. You should use X.509 certificates, Base64 encoded. (Other formats may work but have not been tested!) All the certificates in the directory will be trusted. + +When using `docker run`, the environmental variable can be set with `-e TRUSTED_CACERTS_DIR=/path/to/my/cacerts`. + +In order for the value to be valid, the path should start with `/` and not end with '/' and point to an existing **directory**. Pointing the variable directly to a certificate **file** will not work and may also break things. diff --git a/tests/QA/060-environmental-variables.md b/tests/QA/060-environmental-variables.md index 8cff4438..faf636d2 100644 --- a/tests/QA/060-environmental-variables.md +++ b/tests/QA/060-environmental-variables.md 
@@ -11,5 +11,7 @@ - [ ] When starting the mastercontainer with `-e NEXTCLOUD_MAX_TIME=4000` it should change Nextclouds upload max time 4000s. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud for allowed values. - [ ] When starting the mastercontainer with `-e DOCKER_SOCKET_PATH="/var/run/docker.sock.raw"` it should map `/var/run/docker.sock.raw` to `/var/run/docker.sock` inside the watchtower container which allow to update the mastercontainer on macos and with docker rootless. - [ ] When starting the mastercontainer with `-e DISABLE_BACKUP_SECTION=true` it should hide the backup section that gets shown after AIO is set up (everything of [020-backup-and-restore](./020-backup-and-restore.md)) and simply show that the backup section is disabled. +- [ ] When starting the mastercontainer with `-e TRUSTED_CACERTS_DIR=/path/to/my/cacerts`, the resulting nextcloud container should trust all the Certification Authorities, whose certificates are included in the directory `/path/to/my/cacerts` on the host. +See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-(ca) You can now continue with [070-timezone-change.md](./070-timezone-change.md)