From cc3409def91b8e90d92997de629a6cab8dd83391 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Thu, 28 Mar 2024 02:53:48 -0400 Subject: [PATCH 1/3] Upgrade to Nextcloud `25.0.13` --- README.md | 1 + docker/backend-nextcloud-apache/Dockerfile | 2 +- docker/backend-nextcloud-fpm/Dockerfile | 2 +- docker/nextcloud-common/entrypoint.sh | 66 ++++++++++++++++++++++ docker/nextcloud-cron/Dockerfile | 2 +- overlays/00-sample/publish.profile | 10 ++-- 6 files changed, 75 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 91817af..9cb10f7 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ this kit: | nextcloud-azure-aks | Kubernetes Version Compatibility* | Nextcloud Version | Deployment Mechanism | |---------------------|-----------------------------------|-------------------|-----------------------------| +| 12.x | Only tested on 1.25+ | 25.x | Kustomize and Rigger CLI | | 11.x | Only tested on 1.25+ | 24.x | Kustomize and Rigger CLI | | 10.x | 1.16-1.22+ | 23.x | Kustomize and Rigger CLI | | 9.x | 1.16-1.22+ | 22.x | Kustomize and Rigger CLI | diff --git a/docker/backend-nextcloud-apache/Dockerfile b/docker/backend-nextcloud-apache/Dockerfile index 05fb651..959d965 100644 --- a/docker/backend-nextcloud-apache/Dockerfile +++ b/docker/backend-nextcloud-apache/Dockerfile @@ -8,7 +8,7 @@ # @copyright Copyright (c) 2019-2024, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:24.0.12-apache +FROM nextcloud:25.0.13-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "false" ENV NEXTCLOUD_INIT_LOCK "true" diff --git a/docker/backend-nextcloud-fpm/Dockerfile b/docker/backend-nextcloud-fpm/Dockerfile index e3c62e9..26e05ac 100644 --- a/docker/backend-nextcloud-fpm/Dockerfile +++ b/docker/backend-nextcloud-fpm/Dockerfile 
@@ -59,7 +59,7 @@ RUN set -eux;\ ################################################################################ # This is the container that actually gets pushed. # -FROM nextcloud:24.0.12-fpm-alpine +FROM nextcloud:25.0.13-fpm-alpine ENV NEXTCLOUD_CONFIG_READ_ONLY "false" ENV NEXTCLOUD_INIT_LOCK "true" diff --git a/docker/nextcloud-common/entrypoint.sh b/docker/nextcloud-common/entrypoint.sh index 9a454ad..f12a6a0 100755 --- a/docker/nextcloud-common/entrypoint.sh +++ b/docker/nextcloud-common/entrypoint.sh @@ -72,6 +72,8 @@ initialize_container() { configure_web_server "${container_type}" release_initialization_lock + + invoke_hooks_for_stage "before-starting" fi } 
@@ -185,6 +187,52 @@ sanitize_environment_vars() { fi } +## +# Execute any scripts included in the Docker image for a given stage of startup. +# +# @param $1 +# The stage of Nextcloud initialization. Must be one of: +# - "pre-installation" +# - "post-installation" +# - "pre-upgrade" +# - "post-upgrade" +# - "before-starting" +# +invoke_hooks_for_stage() { + stage="${1}" + hook_folder_path="/docker-entrypoint-hooks.d/${stage}" + return_code=0 + + if ! [ -d "${hook_folder_path}" ]; then + echo "=> Skipping the folder \"${hook_folder_path}\", because it doesn't exist" + return 0 + fi + + echo "=> Searching for scripts (*.sh) to run, located in the folder: ${hook_folder_path}" + + ( + find "${hook_folder_path}" -type f -maxdepth 1 -iname '*.sh' -print | \ + sort | \ + while read -r script_file_path; do + if ! [ -x "${script_file_path}" ]; then + echo "==> The script \"${script_file_path}\" was skipped, because it didn't have the executable flag" + continue + fi + + echo "==> Running the script (cwd: $(pwd)): \"${script_file_path}\"" + + run_as "${script_file_path}" || return_code="$?" + + if [ "${return_code}" -ne "0" ]; then + echo "==> Failed at executing \"${script_file_path}\". Exit code: ${return_code}" + exit 1 + fi + + echo "==> Finished the script: \"${script_file_path}\"" + done + ) +} + ## # Identifies what user and group ID the image should run processes as. # @@ -393,6 +441,8 @@ capture_existing_app_list() { install_nextcloud() { image_version="${1}" + invoke_hooks_for_stage "pre-installation" + echo "This is a new installation of Nextcloud." echo "" @@ -421,6 +471,8 @@ install_nextcloud() { fi echo "" + + invoke_hooks_for_stage "post-installation" } 
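Review bot: `invoke_hooks_for_stage` executes every executable `*.sh` it finds under `/docker-entrypoint-hooks.d/${stage}` with no check on who owns the file or who can write to it, so the mechanism is only as safe as that directory. The header comment says the scripts are included in the Docker image, but nothing enforces it: if an overlay mounts a volume at that path, or the run-as user can write there, whatever lands in the folder runs on every container start. I would state the requirement in the function header, for example `# The hooks folder must be root-owned, read-only at run time and never backed by a shared volume.`, and consider skipping scripts that are group- or world-writable. Separately, the `exit 1` after a failed hook only leaves the `( … )` subshell, and the call sites added in this patch (`before-starting`, `pre-installation`, `post-installation`, `pre-upgrade`, `post-upgrade`) do not check the function's status, so a failed hook stops startup only if the script runs under `set -e`, which is not visible in these hunks.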
@@ -443,6 +495,16 @@ ensure_compatible_image() { echo "Are you sure you have pulled the newest image version?" } >&2 fi + + if [ "${image_version%%.*}" -gt "$((${installed_version%%.*} + 1))" ]; then + { + echo "Nextcloud cannot be upgraded from ${installed_version} directly to ${image_version}." + echo "It is only possible to upgrade one major version at a time." + echo "For example, if you want to upgrade from version 24 to 26, you" + echo "will have to upgrade from version 24 to 25, then from 25 to 26." + } >&2 + exit 1 + fi } ## @@ -457,6 +519,8 @@ upgrade_nextcloud() { installed_version="${1}" image_version="${2}" + invoke_hooks_for_stage "pre-upgrade" + echo "Nextcloud will be upgraded from ${installed_version} to ${image_version}." echo "" @@ -471,6 +535,8 @@ upgrade_nextcloud() { diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1 rm -f /tmp/list_before /tmp/list_after + + invoke_hooks_for_stage "post-upgrade" } ## diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile index 192808f..ba5bfcb 100644 --- a/docker/nextcloud-cron/Dockerfile +++ b/docker/nextcloud-cron/Dockerfile @@ -7,7 +7,7 @@ # @copyright Copyright (c) 2019-2024, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:24.0.12-apache +FROM nextcloud:25.0.13-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "true" diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile index 0a54b6f..313bf03 100644 --- a/overlays/00-sample/publish.profile +++ b/overlays/00-sample/publish.profile 
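Review bot: The new major-version guard in `ensure_compatible_image` passes `${installed_version%%.*}` and `${image_version%%.*}` to `$(( … ))` and `[ -gt ]` without first checking that they are non-empty integers. An empty or malformed installed version can make the arithmetic evaluate to 1 or fail outright, so the script would print the misleading "one major version at a time" message or a shell arithmetic error instead of saying the version could not be read. A guard before the comparison would make that explicit, e.g. `case "${installed_version%%.*}" in ''|*[!0-9]*) echo "Cannot parse installed version: ${installed_version}" >&2; exit 1 ;; esac`. The function starts above the hunk, so whether callers can reach it with a placeholder version on a fresh install should be confirmed.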
@@ -39,16 +39,16 @@ CONTAINER_ENGINE="docker" # NEXTCLOUD_CUSTOM_APPS=( 'https://github.com/westberliner/checksum/releases/download/v1.2.3/checksum.tar.gz' - 'https://github.com/nextcloud-releases/files_antivirus/releases/download/v5.3.1/files_antivirus-v5.3.1.tar.gz' - 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.2/files_automatedtagging-v1.14.2.tar.gz' + 'https://github.com/nextcloud-releases/files_antivirus/releases/download/v5.4.2/files_antivirus-v5.4.2.tar.gz' + 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.15.3/files_automatedtagging-v1.15.3.tar.gz' 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.16.0/files_downloadactivity-v1.16.0.tar.gz' 'https://github.com/Inveniem/nextcloud-files-excludedirs/releases/download/v1.0.1-beta/nextcloud_files_excludedirs-v1.0.1-beta.tar.gz' 'https://github.com/nextcloud/files_rightclick/releases/download/v0.15.1/files_rightclick.tar.gz' 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.19.0/metadata.tar.gz' 'https://github.com/owncloud/music/releases/download/v1.10.0/music_1.10.0_for_nextcloud.tar.gz' - 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.2.4/previewgenerator-v5.2.4.tar.gz' - 'https://github.com/nextcloud-releases/user_external/releases/download/v3.1.0/user_external-v3.1.0.tar.gz' - 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.1.5/user_saml-v5.1.5.tar.gz' + 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.3.0/previewgenerator-v5.3.0.tar.gz' + 'https://github.com/nextcloud-releases/user_external/releases/download/v3.2.0/user_external-v3.2.0.tar.gz' + 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.2.7/user_saml-v5.2.7.tar.gz' ) ################################################################################ From ae8e04604d6ed76b231ec023aba1a733b37a60cb Mon Sep 17 00:00:00 2001 
From: Guy Elsmore-Paddock Date: Thu, 28 Mar 2024 02:54:55 -0400 Subject: [PATCH 2/3] Add Upgrade Steps to `README.md` It's best for everyone's sanity if this is spelled out step by step. --- README.md | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9cb10f7..836be31 100644 --- a/README.md +++ b/README.md 
@@ -45,6 +45,62 @@ this kit: | 2.x | 1.15-1.21 | 16.x | Shell scripts and templates | | 1.x | 1.15-1.21 | 15.x | Shell scripts and templates | +### Turning the Maintenance Page On and Off +1. See instructions in `config-environment.yaml` for what settings to add to + your overlay configuration. +2. Uncomment the maintenance page component in the `kustomization.yaml` file + of the overlay. +3. Deploy just the maintenance page and shared dependencies using the following + command while you are in an overlay: + ``` + ./rigger deploy maintenance-page --with-dependencies + ``` +4. Perform maintenance. +5. Comment out the maintenance page component in the `kustomization.yaml` file + of the overlay. +6. Re-deploy just the maintenance page and shared dependencies using the + following command while you are in an overlay: + ``` + ./rigger deploy maintenance-page --with-dependencies + ``` + +### Performing the Upgrade +Follow these steps to upgrade: +1. Backup your database (as mentioned earlier in this document). +2. Enable the ingress maintenance page (if desired), as described above. +3. Change the version number of the docker images in the `kustomization.yaml` + file of your overlay to the new version you wish to deploy. +4. Change the replica count for the `nextcloud` pod in the `kustomization.yaml` + file to `1`. +5. Ensure that the storage configuration for the overlay is set to mount the + Nextcloud configuration volume as read-write. +6. Deploy the overlay with `./rigger deploy`. +7. Wait for deployment to finish and pods to start. +8. Observe the status of the upgrade using + `kubectl logs -n ` (e.g., you can get the names of + the pods with `kubectl get pods -n `). +9. **If the upgrade failed:** You will need to troubleshoot your installation. 
+ Some tips: + - You can modify the + `components/http-nginx-fpm/app-nextcloud.nginx-fpm.yaml` and + `components/http-apache/app-nextcloud.apache.yaml` manifests, overriding + the `command` of the `backend-nextcloud-fpm` and + `backend-nextcloud-apache` containers, respectively, to be + `['sleep', 'inf']` or `['sleep', '86400']`. You can also change the + `periodSeconds` values for the health checks to `86400` as well. Then, + re-deploy. These changes will prevent the pod from failing on startup + from a bad upgrade, and will disable automatic restart of the pods from a + failing health checks, allowing you up to 24 hours to enter the pod with + `kubectl exec -it` to troubleshoot it. + - While in a Nextcloud pod, you can run the entrypoint script yourself to + see the output. The command is `/entrypoint.sh php-fpm` or + `/entrypoint.sh apache2-foreground`, for the nginx and Apache images, + respectively. You can run the entrypoint multiple times if you are + iterating on solving a problem. +10. **If the upgrade succeeded:** rollback the changes you made to your + `kustomization.yaml` file in steps 3, 4, and 5, and re-deploy the overlay to + restore full functionality. + ### Switching from "Shell Script" Deployment to "Kustomize" Deployment If you are running version 1.x through 6.x of this kit and are now upgrading to version 7.x, we recommend taking the following steps: @@ -423,4 +479,4 @@ credentials that Nextcloud uses to connect. All scripts and documentation provided in this repository are licensed under the GNU Affero GPL version 3, or any later version. -© 2019-2022 Inveniem. All rights reserved. +© 2019-2024 Inveniem. All rights reserved. From 77c16cdcb9f2b51fe35b69a25616b5459ec9afce Mon Sep 17 00:00:00 2001 
From: Guy Elsmore-Paddock Date: Thu, 28 Mar 2024 03:16:02 -0400 Subject: [PATCH 3/3] Update to Cisco Talos Images for ClamAV The original source has been discontinued. See: https://mko-x.github.io/docker-clamav/ --- base/manifests/app-clamav.yaml | 4 ++-- overlays/00-sample/kustomization.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/base/manifests/app-clamav.yaml b/base/manifests/app-clamav.yaml index 75c79bb..696fa36 100644 --- a/base/manifests/app-clamav.yaml +++ b/base/manifests/app-clamav.yaml @@ -51,7 +51,7 @@ spec: effect: NoSchedule containers: - name: backend-clamav - image: "mkodockx/docker-clamav:latest" + image: "clamav/clamav:latest" ports: - containerPort: 3310 resources: @@ -60,7 +60,7 @@ spec: memory: 128Mi limits: cpu: 1000m - memory: 1536Mi + memory: 2048Mi --- apiVersion: v1 kind: Service diff --git a/overlays/00-sample/kustomization.yaml b/overlays/00-sample/kustomization.yaml index 535c7eb..941135b 100644 --- a/overlays/00-sample/kustomization.yaml +++ b/overlays/00-sample/kustomization.yaml @@ -98,8 +98,8 @@ patches: namespace: nextcloud-sample images: - - name: mkodockx/docker-clamav - digest: "sha256:09faf0d32b3f6f1169d2428e8226f2ea12bbb8fc3d96acc95ee1278f1a9f39c4" + - name: clamav/clamav + digest: "docker pull 1.2" - name: redis newTag: "7.2.4-alpine"
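Review bot: In `overlays/00-sample/kustomization.yaml` the `digest` for `clamav/clamav` is set to `"docker pull 1.2"`, which is not an image digest and looks like a pasted command; Kustomize would presumably render it into the image reference as-is, so the ClamAV pod is likely to fail to pull. It also drops the `sha256:` pin the previous entry had, while the base manifest in the same patch uses `clamav/clamav:latest`, leaving the scanner image unpinned for any overlay that copies this sample. Either pin a tag with `newTag: "1.2"` or, better, keep digest pinning with `digest: "sha256:<digest of the clamav/clamav image you verified>"`.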