chore: merge back release/2.7 branch (#750)

* ci: mark nightly releases as pre-release (#748)

Signed-off-by: Saw-jan <saw.jan.grg3e@gmail.com>

* Fix(l10n): Update translations from Transifex

Signed-off-by: Nextcloud bot <bot@nextcloud.com>

* Fix(l10n): Update translations from Transifex

Signed-off-by: Nextcloud bot <bot@nextcloud.com>

* build: full nextcloud-openproject docker compose deployment (#749)

* build: add full op-nc compose setup

add cert to certs db

move setup to dev directory

Signed-off-by: Saw-jan <saw.jan.grg3e@gmail.com>

* docs: add nc-op full setup docs

Signed-off-by: Saw-jan <saw.jan.grg3e@gmail.com>

* docs: add docs for extra apps

Signed-off-by: Saw-jan <saw.jan.grg3e@gmail.com>

---------

Signed-off-by: Saw-jan <saw.jan.grg3e@gmail.com>

---------

Signed-off-by: Saw-jan <saw.jan.grg3e@gmail.com>
Signed-off-by: Nextcloud bot <bot@nextcloud.com>
Co-authored-by: Nextcloud bot <bot@nextcloud.com>

.github/workflows/release.yml

@@ -83,7 +83,7 @@ jobs:
           name: ${{ steps.tag.outputs.currenttag }}
           files: /tmp/build/${{ steps.build_release.outputs.app_id }}-${{ steps.build_release.outputs.version }}.tar.gz
           draft: false
-          prerelease: false
+          prerelease: ${{ endsWith( steps.tag.outputs.currenttag , 'nightly' ) }}
 
       - name: Publish to appstore
         if: ${{ startsWith( steps.tag.outputs.currenttag , 'v' ) && !endsWith( steps.tag.outputs.currenttag , 'nightly' ) }}

.gitignore

@@ -19,3 +19,8 @@ docker-compose.override.yml
 # VSCode
 .vscode
 *.code-workspace
+
+# dev environment
+!dev/.env
+dev/apps
+dev/certs

README.md

@@ -31,6 +31,7 @@ Please report issues and bugs here: https://community.openproject.org/projects/n
 
 ## 🔨 Development Setup Guide
 - [Set up via docker](docs/setup_via_docker.md)
+- [Start Nextcloud-OpenProject full setup](docs/setup_nc_op__full.md)
 - [APIs for integration setup for admin](docs/setting_up_as_admin.md)
 - [Setting up Integration via Shell Script](docs/setting_up_via_shell_script.md)
 - [APIs for Direct Upload](docs/direct_upload.md)

dev/.env

@@ -0,0 +1,13 @@
+# Nextcloud configurations
+NEXTCLOUD_IMAGE_TAG=
+
+# OpenProject configurations
+OPENPROJECT_IMAGE_TAG=
+OPENPROJECT_DEV_HOST=
+OPENPROJECT_RAILS__RELATIVE__URL__ROOT=
+OPENPROJECT_EDITION=
+
+# run keycloak
+# KEYCLOAK=:keycloak.yaml
+
+COMPOSE_FILE=compose.yaml${KEYCLOAK:-}

dev/compose.yaml

@@ -0,0 +1,165 @@
+services:
+  step:
+    image: smallstep/step-ca:latest
+    restart: unless-stopped
+    user: root
+    entrypoint: bash
+    command: /step.sh
+    environment:
+      TZ: UTC
+      DOCKER_STEPCA_INIT_NAME: NC-OP Integration
+      DOCKER_STEPCA_INIT_DNS_NAMES: step,localhost
+      DOCKER_STEPCA_INIT_PROVISIONER_NAME: jankaritech
+      DOCKER_STEPCA_INIT_PASSWORD: jankaritech
+      DOCKER_STEPCA_INIT_ACME: true
+    volumes:
+      - ./step.sh:/step.sh:ro
+      - ./certs:/certs
+      - step:/home/step
+    networks:
+      - nc-op
+
+  traefik:
+    image: traefik:latest
+    restart: unless-stopped
+    command: >
+      --log.level=ERROR
+      --providers.docker
+      --providers.docker.exposedByDefault=false
+      --api.dashboard=true
+      --api.disabledashboardad=true
+      --entryPoints.web.address=:80
+      --entryPoints.web.http.redirections.entrypoint.to=websecure
+      --entryPoints.websecure.address=:443
+      --entryPoints.websecure.http.tls=true
+      --entryPoints.websecure.http.tls.certresolver=step
+      --certificatesresolvers.step.acme.caserver=https://step:9000/acme/acme/directory
+      --certificatesresolvers.step.acme.tlschallenge=true
+      --certificatesresolvers.step.acme.email=root@localhost
+      --certificatesresolvers.step.acme.keytype=RSA4096
+      --certificatesresolvers.step.acme.storage=/certs/acme.json
+    environment:
+      TZ: UTC
+      LEGO_CA_CERTIFICATES: /step/certs/root_ca.crt
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./certs:/certs
+      - step:/step:ro
+    networks:
+      nc-op:
+        aliases:
+          - traefik.local
+          - openproject.local
+          - nextcloud.local
+          - keycloak.local
+    depends_on:
+      step:
+        condition: service_healthy
+    labels:
+      traefik.enable: true
+      traefik.http.routers.traefik.rule: Host(`traefik.local`)
+      traefik.http.routers.traefik.service: api@internal
+      traefik.http.routers.traefik.entrypoints: websecure
+
+  nextcloud-db:
+    image: postgres:14
+    restart: always
+    environment:
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: nextcloud
+    volumes:
+      - ncdb:/var/lib/postgresql/data
+    networks:
+      - nc-op
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready', '-d', 'db_prod']
+      interval: 10s
+      timeout: 30s
+      retries: 5
+      start_period: 10s
+
+  nextcloud:
+    image: nextcloud:${NEXTCLOUD_IMAGE_TAG:-apache}
+    restart: always
+    entrypoint: bash
+    command: /nextcloud.sh
+    environment:
+      OVERWRITEPROTOCOL: 'https'
+      OVERWRITECLIURL: 'https://nextcloud.local'
+      PHP_UPLOAD_SIZE: '1024M'
+      POSTGRES_HOST: nextcloud-db
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: nextcloud
+    volumes:
+      - ./nextcloud.sh:/nextcloud.sh
+      - ./apps:/var/www/html/custom_apps
+      - ../:/var/www/html/custom_apps/integration_openproject:ro
+      - ncdata:/var/www/html
+      - apache_conf:/etc/apache2
+      - step:/step:ro
+    networks:
+      - nc-op
+    depends_on:
+      traefik:
+        condition: service_started
+      nextcloud-db:
+        condition: service_healthy
+    labels:
+      traefik.enable: true
+      traefik.http.routers.nextcloud.rule: Host(`nextcloud.local`)
+      traefik.http.routers.nextcloud.entrypoints: websecure
+
+  cron:
+    image: nextcloud:apache
+    restart: always
+    entrypoint: /cron.sh
+    volumes:
+      - ncdata:/var/www/html
+      - apache_conf:/etc/apache2
+    networks:
+      - nc-op
+    depends_on:
+      nextcloud-db:
+        condition: service_healthy
+
+  openproject:
+    image: openproject/openproject:${OPENPROJECT_IMAGE_TAG:-15}
+    restart: unless-stopped
+    entrypoint: bash
+    command: /openproject.sh
+    environment:
+      OPENPROJECT_HOST__NAME: '${OPENPROJECT_DEV_HOST:-openproject.local}'
+      OPENPROJECT_HTTPS: true
+      OPENPROJECT_DEV_EXTRA_HOSTS: '${OPENPROJECT_DEV_HOST:-openproject.local}'
+      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: '${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}'
+      OPENPROJECT_EDITION: ${OPENPROJECT_EDITION:-standard}
+      OPENPROJECT_SEED__ADMIN__USER__PASSWORD__RESET: false
+    volumes:
+      - ./openproject.sh:/openproject.sh
+      - opdata:/var/openproject/assets
+      - opdb:/var/postgresql/data
+      - step:/step:ro
+    networks:
+      - nc-op
+    depends_on:
+      - traefik
+    labels:
+      traefik.enable: true
+      traefik.http.routers.openproject.rule: Host(`${OPENPROJECT_DEV_HOST:-openproject.local}`)
+      traefik.http.routers.openproject.entrypoints: websecure
+
+volumes:
+  ncdb:
+  ncdata:
+  apache_conf:
+  opdb:
+  opdata:
+  step:
+
+networks:
+  nc-op:

dev/keycloak.yaml

@@ -0,0 +1,46 @@
+services:
+  keycloak-db:
+    image: postgres:13
+    restart: always
+    networks:
+      - nc-op
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:21.1
+    restart: always
+    command:
+      [
+        'start-dev',
+        '--proxy edge',
+        '--spi-connections-http-client-default-disable-trust-manager=true',
+      ]
+    environment:
+      KC_DB: postgres
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: keycloak
+      KC_DB_URL: jdbc:postgresql://keycloak-db:5432/keycloak
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+      KC_DB_SCHEMA: public
+      KC_HOSTNAME: keycloak.local
+      KC_FEATURES: preview
+      KC_TRANSACTION_XA_ENABLED: false
+    networks:
+      - nc-op
+    volumes:
+      - step:/step:ro
+      - keycloakdata:/opt/keycloak/data/
+    labels:
+      traefik.enable: true
+      traefik.http.routers.keycloak.rule: Host(`keycloak.local`)
+      traefik.http.routers.keycloak.entrypoints: websecure
+    depends_on:
+      - keycloak-db
+      - traefik
+
+volumes:
+  keycloakdata:

dev/nextcloud.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+STEP_CERTS_DIR="/step/certs"
+
+if [ -d "$STEP_CERTS_DIR" ]; then
+    rm -rf /etc/ssl/certs/Step_Root_CA.pem /usr/local/share/ca-certificates/Step_Root_CA.crt
+    echo "[INFO] Linking root CA certificate..."
+    cp "$STEP_CERTS_DIR"/root_ca.crt /usr/local/share/ca-certificates/Step_Root_CA.crt
+    update-ca-certificates
+fi
+
+chown www-data custom_apps
+find ./custom_apps -mindepth 1 -path ./custom_apps/integration_openproject -prune -o -exec chown www-data {} \;
+
+/entrypoint.sh apache2-foreground &
+
+# Wait for Nextcloud
+while [ $(curl -s http://localhost -w %{http_code} -o /dev/null) != 302 ] && [ $(curl -s http://localhost -w %{http_code} -o /dev/null) != 200 ]; do
+    sleep 1
+done
+
+chsh -s /bin/bash www-data
+# install nextcloud
+su www-data -c "php occ maintenance:install -vvv \
+    --database pgsql \
+    --database-name $POSTGRES_DB \
+    --database-host $POSTGRES_HOST \
+    --database-user $POSTGRES_USER \
+    --database-pass $POSTGRES_PASSWORD \
+    --admin-user admin \
+    --admin-pass admin \
+    --data-dir /var/www/html/data"
+
+su www-data -c "php occ a:e integration_openproject"
+su www-data -c "php occ config:system:set allow_local_remote_servers --value 1"
+su www-data -c "php occ security:certificates:import /etc/ssl/certs/ca-certificates.crt"
+su www-data -c "php occ config:system:set trusted_domains 1 --value=nextcloud.local"
+
+tail -f data/nextcloud.log

dev/openproject.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+STEP_CERTS_DIR="/step/certs"
+
+if [ -d "$STEP_CERTS_DIR" ]; then
+    rm -rf /etc/ssl/certs/Step_Root_CA.pem /usr/local/share/ca-certificates/Step_Root_CA.crt
+    echo "[INFO] Linking root CA certificate..."
+    cp "$STEP_CERTS_DIR"/root_ca.crt /usr/local/share/ca-certificates/Step_Root_CA.crt
+    update-ca-certificates
+fi
+
+./docker/prod/entrypoint.sh ./docker/prod/supervisord

dev/ssl.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+tmp_cert_dir="$HOME/tmp"
+
+mkdir -p "$tmp_cert_dir"
+
+tmp_cert="$tmp_cert_dir/root_ca.crt"
+
+sudo rm -rf "$tmp_cert" /usr/local/share/ca-certificates/Step_Root_CA.crt /etc/ssl/certs/Step_Root_CA.pem
+
+docker compose cp step:/home/step/certs/root_ca.crt "$tmp_cert"
+sudo cp "$tmp_cert" /usr/local/share/ca-certificates/Step_Root_CA.crt
+sudo update-ca-certificates
+
+cert_db="$HOME/.pki/nssdb"
+# delete existing cert
+certutil -D -n "NC-OP Integration Root CA" -d sql:"$cert_db"
+# add root CA to cert db
+certutil -A -n "NC-OP Integration Root CA" -t TC -d sql:"$cert_db" -i "$tmp_cert"
+# update/rebuild cert db
+certutil -M -d sql:"$cert_db"
+# list certs
+certutil -L -d sql:"$cert_db"

dev/step.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+rm -f /certs/acme.json
+touch /certs/acme.json
+chmod 600 /certs/acme.json
+
+bash /entrypoint.sh
+
+HOME=/home/step
+
+# update the certificate duration to 1 year
+step ca provisioner update acme --x509-min-dur=24h --x509-max-dur=8760h --x509-default-dur=8760h
+
+cp "$HOME/certs/root_ca.crt" "$HOME/certs/Step_Root_CA.crt"
+ln -s "$HOME/certs/Step_Root_CA.crt" /etc/ssl/certs/Step_Root_CA.pem
+update-ca-certificates
+
+step-ca --password-file $PWDPATH $CONFIGPATH

docs/setup_nc_op__full.md

@@ -0,0 +1,83 @@
+# Nextcloud-OpenProject Full Setup
+
+**Pre-requisites:**
+
+- Docker
+- Docker Compose
+- [certutil](https://command-not-found.com/certutil)
+
+### Run the Setup
+
+1. Add the following line to the `/etc/hosts` file:
+
+   ```bash
+   127.0.0.1	nextcloud.local openproject.local keycloak.local traefik.local
+   ```
+
+2. Change the directory to the `dev` folder
+
+   ```bash
+   cd dev
+   ```
+
+3. _(Optional)_ To enable keycloak service, uncomment the following line in the `dev/.env` file:
+
+   ```yaml
+   # run keycloak
+   KEYCLOAK=:keycloak.yaml
+   ```
+
+4. Start the services
+
+   ```bash
+   docker compose up
+   ```
+
+5. Once the services are up, add the certificates to the system and browser trust store
+
+   ```bash
+   bash ./ssl.sh
+   ```
+
+   **NOTE:** Restart the browser after adding the certificates to the trust store.
+
+6. Access the services:
+
+   Nextcloud: [nextcloud.local](https://nextcloud.local)
+
+   OpenProject: [openproject.local](https://openproject.local)
+
+   Keycloak: [keycloak.local](https://keycloak.local)
+
+   Traefik: [traefik.local](https://traefik.local)
+
+### Installing Extra Apps
+
+By default, `integration_openproject` app is enabled in Nextcloud. To install other apps, you can clone and build the desired apps in the `apps` directory.
+
+1. Clone and build the app in the `apps` directory
+
+   ```bash
+   cd apps
+   git clone git@github.com:nextcloud/<app>.git
+
+   cd <app>
+   # build the app
+   ```
+
+2. Enable the app in Nextcloud
+
+   ```bash
+   # integration_openproject/dev
+   cd ../../
+
+   docker compose exec -u www-data nextcloud php occ a:e <app>
+   ```
+
+If permission issues occur, you can run the following command:
+
+```bash
+# <integration_openproject>/dev
+
+docker compose exec nextcloud chown www-data -R custom_apps/<app>
+```