From aacb187401982d248ef5b04c9a89c1c9b00afc0f Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 20:48:41 +0200 Subject: [PATCH 01/20] dist-upgrade for debian 12, php-8.3 placeholder for trixie, bump ncp.cfg to trixie Signed-off-by: MagelanM --- bin/ncp-dist-upgrade.d/debian-12.sh | 77 +++++++++++++++++++ bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh | 13 ++++ 2 files changed, 90 insertions(+) create mode 100644 bin/ncp-dist-upgrade.d/debian-12.sh create mode 100644 bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh diff --git a/bin/ncp-dist-upgrade.d/debian-12.sh b/bin/ncp-dist-upgrade.d/debian-12.sh new file mode 100644 index 000000000..3997749bc --- /dev/null +++ b/bin/ncp-dist-upgrade.d/debian-12.sh 
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+new_cfg=/usr/local/etc/ncp-recommended.cfg
+[[ -f "${new_cfg}" ]] || { echo "Already on the latest recommended distribution. Abort." >&2; exit 1; }
+
+echo "
+>>> ATTENTION <<<
+This is a dangerous process that is only guaranteed to work properly if you
+have not made manual changes in the system. Backup the SD card first and
+proceed at your own risk.
+
+Note that this is not a requirement for NCP to continue working properly.
+The current distribution will keep receiving updates for some time.
+
+Do you want to continue? [y/N]"
+
+if [[ "${DEBIAN_FRONTEND:-}" == "noninteractive" ]] || ! [[ -t 0 ]]
+then
+ echo "Noninteractive environment detected. Automatically proceeding in 30 seconds..."
+ sleep 30
+else
+ read -n1 -r key
+ [[ "${key,,}" == y ]] || exit 0
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+source /usr/local/etc/library.sh
+is_more_recent_than "${PHPVER}.0" "8.2.0" || {
+ echo "You still have PHP version ${PHPVER} installed. Please update to the latest supported version of nextcloud (which will also update your PHP version) before proceeding with the distribution upgrade."
+ echo "Exiting."
+ exit 1
+}
+save_maintenance_mode
+
+# Perform dist-upgrade
+
+apt-get update
+apt-get upgrade -y
+for aptlist in /etc/apt/sources.list /etc/apt/sources.list.d/{php.list,armbian.list,raspi.list}
+do
+ [ -f "$aptlist" ] && sed -i -e "s/bookworm/trixie/g" "$aptlist"
+done
+for aptlist in /etc/apt/sources.list.d/*.list
+do
+ [[ "$aptlist" =~ "/etc/apt/sources.list.d/"(php|armbian|raspi)".list" ]] || {
+ echo "Disabling repositories from \"$aptlist\""
+ sed -i -e "s/deb/#deb/g" "$aptlist"
+ }
+done
+apt-get update
+apt-get upgrade -y dpkg
+apt-get upgrade -y --without-new-pkgs
+if is_lxc
+then
+ # Required to avoid breakage of /etc/resolv.conf
+ apt-get install -y --no-install-recommends systemd-resolved && systemctl enable --now systemd-resolved
+fi
+apt-get full-upgrade -y
+apt-get --purge autoremove -y
+
+restore_maintenance_mode
+cfg="$(jq "." "$NCPCFG")"
+cfg="$(jq ".release = \"trixie\"" <<<"$cfg")"
+echo "$cfg" > "$NCPCFG"
+rm -f /etc/update-motd.d/30ncp-dist-upgrade
+rm -f /usr/local/etc/ncp-recommended.cfg
+
+echo "Update to Debian 13 (trixie) successful."
+
+is_active_app unattended-upgrades && {
+ echo "Setting up unattended upgrades..."
+ run_app unattended-upgrades || true
+ echo "done."
+}
\ No newline at end of file
diff --git a/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh b/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh
new file mode 100644
index 000000000..c32b6823e
--- /dev/null
+++ b/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+source /usr/local/etc/library.sh
+
+echo "Refreshing PHP repository for trixie..."
+export DEBIAN_FRONTEND=noninteractive
+
+# Refresh sury repo for trixie
+wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
+echo "deb https://packages.sury.org/php/ ${RELEASE%-security} main" > /etc/apt/sources.list.d/php.list
+apt-get update
+
+echo "PHP ${PHPVER} repository updated for trixie."
\ No newline at end of file
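Review bot: `sed -i -e "s/deb/#deb/g" "$aptlist"` in the disable loop comments out every occurrence of `deb` on a line, not just the leading keyword, so `deb http://deb.debian.org/debian` becomes `#deb http://#deb.#debian.org/#debian` and an already commented `# deb …` line is mangled a second time; anchoring it, `sed -i -e 's/^deb/#deb/' "$aptlist"`, disables the entry without rewriting its URL. The script's final statement, `is_active_app unattended-upgrades && { … }`, makes the whole upgrade exit with status 1 whenever that app is not active even though the upgrade succeeded; `if is_active_app unattended-upgrades; then … fi` avoids that. Both loops only look at `.list` files, so if a deb822 `.sources` file exists under /etc/apt/sources.list.d (not visible here) it is neither switched to trixie nor disabled before `apt-get full-upgrade` runs.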
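Review bot: `wget -O /etc/apt/trusted.gpg.d/php.gpg …` is unchecked and the file has no `set -e`, so a failed download leaves an empty or partial key in trusted.gpg.d while the next line still writes php.list and `apt-get update` runs against it; add `set -eu -o pipefail` after the shebang or `|| exit 1` on the wget line. A key placed in /etc/apt/trusted.gpg.d is trusted for every configured repository; the `signed-by` form scopes it to the sury repository only, e.g. (constructed) `wget -O /usr/share/keyrings/sury-php.gpg …` with `deb [signed-by=/usr/share/keyrings/sury-php.gpg] https://packages.sury.org/php/ ${RELEASE%-security} main`. The commit message calls this a placeholder, so both may be intended for the follow-up.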
From 48cd715b09014b7504e827e1c1503062d54753b5 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:16:05 +0200 Subject: [PATCH 02/20] correct trixie dist repos Signed-off-by: MagelanM --- bin/ncp-update-nc.d/update-nc.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/ncp-update-nc.d/update-nc.sh b/bin/ncp-update-nc.d/update-nc.sh index 401677fbb..ae6176e0d 100755 --- a/bin/ncp-update-nc.d/update-nc.sh +++ b/bin/ncp-update-nc.d/update-nc.sh @@ -258,6 +258,11 @@ elif ! is_more_recent_than "29.0.0" "${NCVER}" && is_more_recent_than "8.3.0" "$ then /usr/local/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh + # Reload library.sh to reset PHPVER + source /usr/local/etc/library.sh +elif is_more_recent_than "8.3.0" "${PHPVER}.0" && [[ "$DEBIAN_VERSION" -ge 13 ]] +then + /usr/local/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh # Reload library.sh to reset PHPVER source /usr/local/etc/library.sh fi From f161ca99ba4f6ad9c1e76dd93e01f0563224c4a3 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:29:28 +0200 Subject: [PATCH 03/20] suppress php error if not yet installed Signed-off-by: MagelanM --- etc/library.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/etc/library.sh b/etc/library.sh index eb3697eef..de5d102c0 100644 --- a/etc/library.sh +++ b/etc/library.sh @@ -14,7 +14,8 @@ export NCDIR=/var/www/nextcloud export ncc=/usr/local/bin/ncc export NCPCFG=${NCPCFG:-etc/ncp.cfg} export ARCH="$(dpkg --print-architecture)" -export DB_PREFIX="$(php -r 'include("/var/www/nextcloud/config/config.php"); echo $CONFIG['"'dbtableprefix'"'];' || echo 'oc_')" +# 2>/dev/null suppresses stderr-Output if PHP is not yet installed (new system) +export DB_PREFIX="$(php -r 'include("/var/www/nextcloud/config/config.php"); echo $CONFIG['"'dbtableprefix'"'];' 2>/dev/null || echo 'oc_')" [[ "${ARCH}" =~ ^(armhf|arm)$ ]] && ARCH="armv7" [[ "${ARCH}" == "arm64" ]] && ARCH=aarch64 [[ "${ARCH}" == "amd64" ]] && ARCH=x86_64 
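Review bot: The new `elif` is only reached when the preceding branch fails, and that branch (its condition is cut off in the hunk header) appears to test only NCVER and PHPVER; if it does not also test DEBIAN_VERSION, a trixie system with PHP below 8.3 and Nextcloud 29 or newer takes the bookworm branch and runs upgrade-php-bookworm-8.3.sh instead of the trixie script. Either add `&& [[ "${DEBIAN_VERSION:-0}" -lt 13 ]]` to the bookworm branch or order the trixie branch first. `DEBIAN_VERSION` is not set anywhere in the hunk; if it can be unset here, `[[ "" -ge 13 ]]` silently evaluates as false rather than failing, so a default such as `${DEBIAN_VERSION:-0}` makes the intent explicit.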
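Review bot: With stderr silenced, `php -r 'include(…); echo $CONFIG[…];'` on a system where PHP is installed but config.php is missing or lacks `dbtableprefix` exits 0 with empty output (PHP reports these as warnings), so `DB_PREFIX` becomes the empty string rather than `oc_`, and the warning that would have pointed at it is now hidden; the `|| echo 'oc_'` fallback only covers a non-zero exit. Defaulting on empty as well covers both cases: `export DB_PREFIX="$(php -r '…' 2>/dev/null || true)"` followed by `export DB_PREFIX="${DB_PREFIX:-oc_}"`. The comment could read `# stderr is discarded so a fresh system without PHP does not log "php: command not found"`.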
@@ -55,8 +56,10 @@ command -v jq &>/dev/null || { NCLATESTVER=$(jq -r .nextcloud_version < "$NCPCFG") PHPVER=$( jq -r .php_version < "$NCPCFG") RELEASE=$( jq -r .release < "$NCPCFG") -# the default repo in bullseye is bullseye-security -grep -Eh '^deb ' /etc/apt/sources.list | grep "${RELEASE}-security" > /dev/null && RELEASE="${RELEASE}-security" +# check also /etc/apt/sources.list.d/ in Trixie +grep -Eh '^deb ' /etc/apt/sources.list 2>/dev/null | grep "${RELEASE}-security" > /dev/null \ + || grep -Eh '^deb ' /etc/apt/sources.list.d/*.list 2>/dev/null | grep "${RELEASE}-security" > /dev/null \ + && RELEASE="${RELEASE}-security" command -v ncc &>/dev/null && NCVER="$(ncc status 2>/dev/null | grep "version:" | awk '{ print $3 }')" function configure_app() From 77904f5a94c85eddcb33bb958b326ee000e09972 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:37:10 +0200 Subject: [PATCH 04/20] bump ncp.cfg to trixie Signed-off-by: MagelanM --- etc/ncp.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/ncp.cfg b/etc/ncp.cfg index f4ed75ee8..7b25528d2 100644 --- a/etc/ncp.cfg +++ b/etc/ncp.cfg @@ -1,5 +1,5 @@ { "nextcloud_version": "33.0.2", "php_version": "8.3", - "release": "bookworm" + "release": "trixie" } From fb7e89191b252c0d4fb019855efd2c3a12b01461 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:45:23 +0200 Subject: [PATCH 05/20] correct mariadb inst command Signed-off-by: MagelanM --- lamp.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lamp.sh b/lamp.sh index f9ffae3d1..9df1f6af9 100644 --- a/lamp.sh +++ b/lamp.sh @@ -102,7 +102,8 @@ install() done cd /tmp - mysql_secure_installation < Date: Sun, 10 May 2026 22:14:56 +0200 Subject: [PATCH 06/20] Disable OCSP stapling for self-signed certs - fixes OpenSSL 3.5 incompatibility on trixie Signed-off-by: MagelanM --- etc/ncp-templates/apache2/http2.conf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
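Review bot: The three-line `grep … || grep … && RELEASE=…` chain can be one pipeline, since grep takes several files: `grep -Ehs '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -q -- "${RELEASE}-security" && RELEASE="${RELEASE}-security"` (`-s` replaces the two `2>/dev/null`, `-q` the `> /dev/null`). As written the chain parses as `(A || B) && C`, which is the intended meaning, but it relies on the left-to-right rule rather than stating it. `^deb ` only matches one-line-style entries; if a trixie system keeps its sources in a deb822 `.sources` file the `-security` suite is not detected by either form — hedged, since the hunk does not show what the installer writes. The comment `# check also /etc/apt/sources.list.d/ in Trixie` could say why: `# on trixie the security suite may only appear in sources.list.d/*.list`.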
diff --git a/etc/ncp-templates/apache2/http2.conf.sh b/etc/ncp-templates/apache2/http2.conf.sh index a286d7746..a5e595ae1 100644 --- a/etc/ncp-templates/apache2/http2.conf.sh +++ b/etc/ncp-templates/apache2/http2.conf.sh @@ -22,7 +22,7 @@ SSLCompression off SSLSessionTickets on # OCSP Stapling -SSLUseStapling on +SSLUseStapling off SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) From 1c59171f082a336cb19598ec492bca80dd392419 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 22:25:16 +0200 Subject: [PATCH 07/20] Enabling OCSP Stapling with valid Let's Encrypt certificates Signed-off-by: MagelanM --- bin/ncp/NETWORKING/letsencrypt.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/ncp/NETWORKING/letsencrypt.sh b/bin/ncp/NETWORKING/letsencrypt.sh index 8f66451db..6ad935d40 100644 --- a/bin/ncp/NETWORKING/letsencrypt.sh +++ b/bin/ncp/NETWORKING/letsencrypt.sh @@ -62,6 +62,8 @@ configure() local key_path="$(grep SSLCertificateKeyFile "${nc_vhostcfg}" | awk '{ print $2 }')" sed -i "s|SSLCertificateFile.*|SSLCertificateFile ${cert_path}|" "${ncp_vhostcfg}" sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile ${key_path}|" "${ncp_vhostcfg}" + # Enable OCSP stapling with valid Let's Encrypt certificate + sed -i 's/SSLUseStapling.*$/SSLUseStapling on/' /etc/apache2/conf-available/http2.conf apachectl -k graceful echo "letsencrypt certificates disabled. Using self-signed certificates instead." exit 0 @@ -134,6 +136,8 @@ EOF } done set-nc-domain "$DOMAIN" + # Enable OCSP stapling with valid Let's Encrypt certificate + sed -i 's/SSLUseStapling.*$/SSLUseStapling on/' /etc/apache2/conf-available/http2.conf apachectl -k graceful rm -rf $ncdir/.well-known From 86c461d3114056dc29301a4aa4a7bc23aaae29ca Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 22:38:02 +0200 Subject: [PATCH 08/20] restart ssh instead of reload for socket-activated ssh 
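Review bot: `SSLUseStapling off` is hard-coded in the template while PATCH 07 flips the rendered /etc/apache2/conf-available/http2.conf back to `on` with sed; if the template is re-rendered afterwards (this series calls `install_template` on other templates from update.sh and configure hooks, so this one presumably is too), the sed edit is lost and stapling goes back to off on a Let's Encrypt host. Deciding the value in the template keeps both paths in step, e.g. `SSLUseStapling $(is_active_app letsencrypt >/dev/null 2>&1 && echo on || echo off)` — assuming the heredoc expands, which the hunk does not show. The remaining `SSLStaplingResponderTimeout`, `SSLStaplingReturnResponderErrors` and `SSLStaplingCache` lines are inert while stapling is off; a comment on the `off` line naming the OpenSSL 3.5 incompatibility from the commit message would tell the next reader why it is off.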
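Review bot: The first hunk (@@ -62) sits in the branch that restores the self-signed certificate — the surrounding lines rewrite SSLCertificateFile/SSLCertificateKeyFile back to the self-signed paths and print `letsencrypt certificates disabled. Using self-signed certificates instead.` — yet the added sed sets `SSLUseStapling on` there, the very combination PATCH 06 turned off for self-signed certificates under OpenSSL 3.5. That line should write `SSLUseStapling off`, with the comment `# Disable OCSP stapling again: the self-signed certificate has no responder`. The second hunk (@@ -134), after `set-nc-domain`, is the right place to switch it on. `configure()` starts before both hunks, and the hard-coded http2.conf path is repeated in both; a single local variable would keep them consistent.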
Signed-off-by: MagelanM --- bin/ncp/NETWORKING/SSH.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/bin/ncp/NETWORKING/SSH.sh b/bin/ncp/NETWORKING/SSH.sh index 58dfcebdb..a596cd93c 100644 --- a/bin/ncp/NETWORKING/SSH.sh +++ b/bin/ncp/NETWORKING/SSH.sh @@ -17,7 +17,12 @@ install() { else echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config fi - systemctl reload ssh + # On Debian 13+ SSH is socket-activated, reload via socket + if systemctl is-active ssh.socket &>/dev/null; then + systemctl restart ssh + else + systemctl reload ssh + fi } is_active() From 6bf959cbda2675c67bcfa33ff45514cbcd50fbd7 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Mon, 11 May 2026 22:11:45 +0200 Subject: [PATCH 09/20] remove switch to systemd-resolved for lxc enviroments, it breaks DNS and should done separatly Signed-off-by: MagelanM --- bin/ncp-dist-upgrade.d/debian-12.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/bin/ncp-dist-upgrade.d/debian-12.sh b/bin/ncp-dist-upgrade.d/debian-12.sh index 3997749bc..d4c1a7275 100644 --- a/bin/ncp-dist-upgrade.d/debian-12.sh +++ b/bin/ncp-dist-upgrade.d/debian-12.sh @@ -53,11 +53,7 @@ done apt-get update apt-get upgrade -y dpkg apt-get upgrade -y --without-new-pkgs -if is_lxc -then - # Required to avoid breakage of /etc/resolv.conf - apt-get install -y --no-install-recommends systemd-resolved && systemctl enable --now systemd-resolved -fi + apt-get full-upgrade -y apt-get --purge autoremove -y From 3a1358f2285689e0df7abb84887bf44c2fbebbc6 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Wed, 13 May 2026 21:56:51 +0200 Subject: [PATCH 10/20] remove deprecated,removed directives for MariaDB 11.8 and later Signed-off-by: MagelanM --- etc/ncp-templates/mysql/91-ncp.cnf.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/etc/ncp-templates/mysql/91-ncp.cnf.sh b/etc/ncp-templates/mysql/91-ncp.cnf.sh index c65717122..9186044ed 100644 --- a/etc/ncp-templates/mysql/91-ncp.cnf.sh 
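Review bot: The comment `# On Debian 13+ SSH is socket-activated, reload via socket` does not match the code under it, which restarts ssh.service and never touches the socket; a comment stating the likely reason would be `# with socket activation ssh.service may not be running yet and reload of an inactive unit fails; restart instead`. Restarting rather than reloading can terminate established sessions depending on the unit's KillMode, which the hunk does not show — worth confirming on trixie since this runs from an admin action that may itself arrive over SSH. `install()` starts before the hunk.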
+++ b/etc/ncp-templates/mysql/91-ncp.cnf.sh @@ -14,9 +14,6 @@ fi cat < Date: Thu, 14 May 2026 19:18:26 +0200 Subject: [PATCH 11/20] extended dpkg failure handling Signed-off-by: MagelanM --- bin/ncp/NETWORKING/freeDNS.sh | 23 +++++++++++++++++++---- etc/library.sh | 16 ++++++++++++++++ 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/bin/ncp/NETWORKING/freeDNS.sh b/bin/ncp/NETWORKING/freeDNS.sh index 0a66099c7..fd64c72e7 100644 --- a/bin/ncp/NETWORKING/freeDNS.sh +++ b/bin/ncp/NETWORKING/freeDNS.sh @@ -7,10 +7,25 @@ # -install() -{ - apt-get update - apt-get install --no-install-recommends -y dnsutils +wait_for_dpkg() { + local tries=0 + while fuser /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock >/dev/null 2>&1; do + echo "dpkg locked, waiting..." + fuser -v /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock 2>/dev/null || true + sleep 2 + tries=$((tries + 1)) + if [[ $tries -ge 150 ]]; then + echo "dpkg lock timeout" + return 1 + fi + done +} + +install() { + wait_for_dpkg || return 1 + apt-get update || return 1 + wait_for_dpkg || return 1 + DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y dnsutils || return 1 } configure() diff --git a/etc/library.sh b/etc/library.sh index de5d102c0..3e0b8f342 100644 --- a/etc/library.sh +++ b/etc/library.sh 
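Review bot: `wait_for_dpkg` in freeDNS.sh duplicates the function added to etc/library.sh in the same commit; if freeDNS.sh sources library.sh like the other app scripts (not visible in the hunk), the local copy shadows it and the two will drift, so the library.sh definition should be the only one. The poll-then-run sequence is also racy — another apt process can take the lock between the last `fuser` check and `apt-get` — and if `fuser` (psmisc) is absent the loop never waits at all. apt can wait for the lock itself: `apt-get -o DPkg::Lock::Timeout=300 update` and the same option on the install line give the same effect without a polling loop. The waiting messages go to stdout; `>&2` keeps them out of any captured output.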
@@ -603,10 +603,26 @@ function clear_password_fields() function apt_install() { + wait_for_dpkg apt-get update --allow-releaseinfo-change + wait_for_dpkg DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -o Dpkg::Options::=--force-confdef -o Dpkg::Options::="--force-confold" "$@" } +function wait_for_dpkg() { + local tries=0 + while fuser /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock >/dev/null 2>&1; do + echo "dpkg locked, waiting..." + fuser -v /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock 2>/dev/null || true + sleep 2 + tries=$((tries + 1)) + if [[ $tries -ge 150 ]]; then + echo "dpkg lock timeout" + return 1 + fi + done +} + function is_docker() { [[ -f /.dockerenv ]] || [[ -f /.docker-image ]] || [[ "$DOCKERBUILD" == 1 ]] } From 5f44e2de1ef966087c06ad226b833748947b0a35 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Thu, 14 May 2026 20:43:40 +0200 Subject: [PATCH 12/20] change order: first set new data dir in config, then move data Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-datadir.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/bin/ncp/CONFIG/nc-datadir.sh b/bin/ncp/CONFIG/nc-datadir.sh index 967516ffe..bfa3bc02a 100644 --- a/bin/ncp/CONFIG/nc-datadir.sh +++ b/bin/ncp/CONFIG/nc-datadir.sh @@ -8,6 +8,10 @@ # More at https://ownyourbits.com/2017/03/13/nextcloudpi-gets-nextcloudpi-config/ # +log_step() { + echo "[$(date -Is)] $*" +} + is_active() { local SRCDIR @@ -112,6 +116,10 @@ configure() btrfs subvolume create "${BASEDIR}" } + log_step "setting nc config: datadirectory" + # first set in config the new value, because occ checks if the current datadir exists + ncc config:system:set datadirectory --value="${DATADIR}" + # use encryption, if selected if is_active_app nc-encrypt; then # if we have encryption AND BTRFS, then store ncdata_enc in the subvolume 
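Review bot: `apt_install` calls `wait_for_dpkg` twice but ignores its return value, so after the timeout (`return 1`) it carries straight on into `apt-get`, which then fails on the lock anyway; freeDNS.sh in the same commit uses `wait_for_dpkg || return 1`, and `apt_install` should do the same on both calls. Without that, the timeout branch and its `dpkg lock timeout` message have no effect on control flow. As in freeDNS.sh, `-o DPkg::Lock::Timeout=300` on the two apt-get lines would let apt do the waiting itself and remove the check-then-act window.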
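Review bot: `ncc config:system:set datadirectory --value="${DATADIR}"` is now issued before the data is moved and without any failure handling, and the third hunk of this commit (@@ -123) drops the `|| sed -i … config.php` fallback that used to cover an occ failure; if occ fails here (maintenance mode, PHP error), the following steps still move the data while config.php keeps pointing at the old location. At minimum abort on failure, `ncc config:system:set datadirectory --value="${DATADIR}" || { echo "failed to set datadirectory" >&2; return 1; }`, or keep the sed fallback; the `logfile` line in the third hunk has the same gap. Between this call and the later `chown`/move the configured datadirectory refers to a path that may not exist yet; if that window is intentionally covered by maintenance mode (not visible here), the comment should say so. `configure()` starts before the hunk.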
@@ -123,12 +131,7 @@ configure() fi chown www-data: "${DATADIR}" - # datadir - ncc config:system:set datadirectory --value="${DATADIR}" \ - || sed -i "s|'datadirectory' =>.*|'datadirectory' => '${DATADIR}',|" "${NCDIR?}"/config/config.php - - ncc config:system:set logfile --value="${DATADIR}/nextcloud.log" \ - || sed -i "s|'logfile' =>.*|'logfile' => '${DATADIR}/nextcloud.log',|" "${NCDIR?}"/config/config.php + ncc config:system:set logfile --value="${DATADIR}/nextcloud.log" set_ncpcfg datadir "${DATADIR}" # tmp upload dir From bacbc3fdc38adf9ccfe9d892898b5452ae889b64 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 20:16:14 +0200 Subject: [PATCH 13/20] remove log Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-datadir.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/bin/ncp/CONFIG/nc-datadir.sh b/bin/ncp/CONFIG/nc-datadir.sh index bfa3bc02a..a34e9d712 100644 --- a/bin/ncp/CONFIG/nc-datadir.sh +++ b/bin/ncp/CONFIG/nc-datadir.sh @@ -8,10 +8,6 @@ # More at https://ownyourbits.com/2017/03/13/nextcloudpi-gets-nextcloudpi-config/ # -log_step() { - echo "[$(date -Is)] $*" -} - is_active() { local SRCDIR @@ -116,7 +112,6 @@ configure() btrfs subvolume create "${BASEDIR}" } - log_step "setting nc config: datadirectory" # first set in config the new value, because occ checks if the current datadir exists ncc config:system:set datadirectory --value="${DATADIR}" From f8876a1a6236921fd3b32a7f65e9809682c2e2e0 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 20:19:00 +0200 Subject: [PATCH 14/20] systemd drop-in for write access Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-limits.sh | 9 +++++++++ .../systemd/php-fpm.service.d.ncp.conf.sh | 17 +++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh diff --git a/bin/ncp/CONFIG/nc-limits.sh b/bin/ncp/CONFIG/nc-limits.sh index de411e9a8..d1d24421e 100644 --- a/bin/ncp/CONFIG/nc-limits.sh +++ b/bin/ncp/CONFIG/nc-limits.sh 
@@ -76,6 +76,15 @@ configure() install_template "php/pool.d.www.conf.sh" "$CONF" [[ "$CONF_VALUE" == "$(cat "$CONF")" ]] || require_fpm_restart=true + # PHP-FPM SYSTEMD DROP-IN (ReadWritePaths for ProtectSystem=full) + local DROPIN=/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf + CONF_VALUE="$(cat "$DROPIN" 2> /dev/null || true)" + install_template "systemd/php-fpm.service.d.ncp.conf.sh" "$DROPIN" + if [[ "$CONF_VALUE" != "$(cat "$DROPIN")" ]]; then + systemctl daemon-reload + require_fpm_restart=true + fi + local CONF=/etc/mysql/mariadb.conf.d/91-ncp.cnf CONF_VALUE="$(cat "$CONF" 2> /dev/null || true)" install_template "mysql/91-ncp.cnf.sh" "$CONF" diff --git a/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh new file mode 100644 index 000000000..720af3b73 --- /dev/null +++ b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# systemd drop-in for php-fpm to allow write access to NCP paths +# that are otherwise blocked by ProtectSystem=full in the upstream +# php-fpm service unit (introduced in php8.x Debian packages). +# +# ProtectSystem=full makes /usr, /boot and /etc read-only for the +# php-fpm process. ReadWritePaths carves out explicit exceptions. + +set -e +source /usr/local/etc/library.sh + +cat < Date: Fri, 15 May 2026 21:01:31 +0200 Subject: [PATCH 15/20] move drop-in to update.sh Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-limits.sh | 9 --------- update.sh | 9 +++++++++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bin/ncp/CONFIG/nc-limits.sh b/bin/ncp/CONFIG/nc-limits.sh index d1d24421e..de411e9a8 100644 --- a/bin/ncp/CONFIG/nc-limits.sh +++ b/bin/ncp/CONFIG/nc-limits.sh 
@@ -76,15 +76,6 @@ configure() install_template "php/pool.d.www.conf.sh" "$CONF" [[ "$CONF_VALUE" == "$(cat "$CONF")" ]] || require_fpm_restart=true - # PHP-FPM SYSTEMD DROP-IN (ReadWritePaths for ProtectSystem=full) - local DROPIN=/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf - CONF_VALUE="$(cat "$DROPIN" 2> /dev/null || true)" - install_template "systemd/php-fpm.service.d.ncp.conf.sh" "$DROPIN" - if [[ "$CONF_VALUE" != "$(cat "$DROPIN")" ]]; then - systemctl daemon-reload - require_fpm_restart=true - fi - local CONF=/etc/mysql/mariadb.conf.d/91-ncp.cnf CONF_VALUE="$(cat "$CONF" 2> /dev/null || true)" install_template "mysql/91-ncp.cnf.sh" "$CONF" diff --git a/update.sh b/update.sh index ccf042543..4b82f7b51 100755 --- a/update.sh +++ b/update.sh @@ -172,12 +172,21 @@ if is_docker; then cp build/docker/{lamp/010lamp,nextcloud/020nextcloud,nextcloudpi/000ncp} /etc/services-enabled.d fi +# PHP-FPM systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full +# (introduced in php8.x Debian packages via systemd hardening) +install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ + "/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf" + # only live updates from here [[ -f /.ncp-image ]] && exit 0 # update old images ./run_update_history.sh "$UPDATESDIR" +# reload systemd after drop-in changes +systemctl daemon-reload +service "php${PHPVER}-fpm" restart + # update to the latest NC version is_active_app nc-autoupdate-nc && run_app nc-autoupdate-nc From 00a6f58fc6e23719abc6cb250ff99cd2b1ccec8d Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 21:40:35 +0200 Subject: [PATCH 16/20] drop in also in lamp.sh Signed-off-by: MagelanM --- lamp.sh | 5 +++++ update.sh | 4 ---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lamp.sh b/lamp.sh index 9df1f6af9..c345f9e8f 100644 --- a/lamp.sh +++ b/lamp.sh 
@@ -66,6 +66,11 @@ install() install_template "php/opcache.ini.sh" "/etc/php/${PHPVER}/mods-available/opcache.ini" --defaults + # systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full + install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ + "/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf" + systemctl daemon-reload + a2enmod http2 a2enconf http2 a2enmod proxy_fcgi setenvif diff --git a/update.sh b/update.sh index 4b82f7b51..7b82273a1 100755 --- a/update.sh +++ b/update.sh @@ -183,10 +183,6 @@ install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ # update old images ./run_update_history.sh "$UPDATESDIR" -# reload systemd after drop-in changes -systemctl daemon-reload -service "php${PHPVER}-fpm" restart - # update to the latest NC version is_active_app nc-autoupdate-nc && run_app nc-autoupdate-nc From 9552a5d17b1e190c835ec9dfd4344da224d46c8f Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 22:03:43 +0200 Subject: [PATCH 17/20] ProtectSystem=false for unprivileged lxcs Signed-off-by: MagelanM --- .../systemd/php-fpm.service.d.ncp.conf.sh | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh index 720af3b73..f01ec0a51 100644 --- a/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh +++ b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh 
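Review bot: After this commit only lamp.sh's `install()` follows the drop-in with `systemctl daemon-reload`; the second hunk removes the reload and php-fpm restart from update.sh while the `install_template` for the drop-in added there in PATCH 15 stays, so on a live update the unit file changes on disk but php-fpm keeps running under the old unit until something else restarts it (unless a later part of update.sh, outside the hunk, does so). Rendering the drop-in and reloading only when its content changed, the way nc-limits.sh treats its templates, covers both cases; the lamp.sh reload could carry the same guard. For update.sh:
```shell
# … unchanged: docker services-enabled.d copy …
# PHP-FPM systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full
dropin="/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf"
old_dropin="$(cat "$dropin" 2>/dev/null || true)"
install_template "systemd/php-fpm.service.d.ncp.conf.sh" "$dropin"
if [[ "$old_dropin" != "$(cat "$dropin")" ]]; then
  systemctl daemon-reload
  [[ -f /.ncp-image ]] || service "php${PHPVER}-fpm" restart
fi
# … unchanged: live-update guard, run_update_history …
```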
@@ -4,14 +4,36 @@ # that are otherwise blocked by ProtectSystem=full in the upstream # php-fpm service unit (introduced in php8.x Debian packages). # -# ProtectSystem=full makes /usr, /boot and /etc read-only for the -# php-fpm process. ReadWritePaths carves out explicit exceptions. +# ProtectSystem=full creates a private mount namespace to make /usr, +# /boot and /etc read-only for the php-fpm process. +# +# In unprivileged LXC containers, non-root users cannot create mount +# namespaces (unshare CLONE_NEWNS is blocked by the kernel), so +# ProtectSystem=full causes php-fpm to fail with status=226/NAMESPACE. +# In that case we disable ProtectSystem entirely. Security is still +# provided by Unix file permissions (cfg files are root:www-data 660) +# and LXC container isolation. +# +# On bare-metal, VMs, and privileged LXC, ReadWritePaths is used to +# carve out targeted exceptions while keeping the rest of the +# hardening intact. set -e source /usr/local/etc/library.sh -cat </dev/null; then + # Unprivileged LXC: namespace operations not permitted for non-root. + # Disable ProtectSystem to prevent php-fpm failing with 226/NAMESPACE. + cat < Date: Sun, 31 May 2026 19:46:20 +0200 Subject: [PATCH 18/20] daemon-reload for push service Signed-off-by: MagelanM --- etc/library.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/library.sh b/etc/library.sh index 3e0b8f342..ffe8ba5f6 100644 --- a/etc/library.sh +++ b/etc/library.sh @@ -179,6 +179,8 @@ function start_notify_push() if [[ -f /.docker-image ]]; then NEXTCLOUD_URL=https://localhost sudo -E -u www-data "/var/www/nextcloud/apps/notify_push/bin/${ARCH}/notify_push" --allow-self-signed /var/www/nextcloud/config/config.php &>/dev/null & else + # load generated systemd-unit + systemctl daemon-reload systemctl enable --now notify_push fi sleep 5 # apparently we need to make sure we wait until the database is written or something From db51f472bc14af3418c1ed72c92ba5e85a7d0349 Mon Sep 17 00:00:00 2001 
From: MagelanM Date: Sun, 31 May 2026 20:25:13 +0200 Subject: [PATCH 19/20] move start of push service after configuration is complete Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-init.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bin/ncp/CONFIG/nc-init.sh b/bin/ncp/CONFIG/nc-init.sh index dcc83b61c..92ec85990 100644 --- a/bin/ncp/CONFIG/nc-init.sh +++ b/bin/ncp/CONFIG/nc-init.sh @@ -180,7 +180,6 @@ EOF if ! is_more_recent_than "21.0.0" "${ncver}"; then ncc app:install notify_push ncc app:enable notify_push - test -f /.ncp-image || start_notify_push # don't start during build fi # previews @@ -216,6 +215,9 @@ EOF test -f /.ncp-image || bash /usr/local/bin/nextcloud-domain.sh } + # start notify_push after NC is fully configured + test -f /.ncp-image || start_notify_push # don't start during build + # dettach mysql during the build if [[ "${db_pid}" != "" ]]; then echo "Shutting down mariaDB (${db_pid})" From 6ebc6f330a6e5f018e64f24619e600f72f3d20ce Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 31 May 2026 22:21:19 +0200 Subject: [PATCH 20/20] start push service explicit Signed-off-by: MagelanM --- install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install.sh b/install.sh index e77104ab8..4df95258a 100644 --- a/install.sh +++ b/install.sh @@ -80,6 +80,10 @@ rm /usr/local/etc/ncp-config.d/nc-nextcloud.cfg # armbian overlay is ro systemctl restart mysqld # TODO this shouldn't be necessary, but somehow it's needed in Debian 9.6. Fixme install_app ncp.sh run_app_unsafe bin/ncp/CONFIG/nc-init.sh +# notify_push was skipped during nc-init because /.ncp-image was set +# start it now explicitly +[[ -f /.docker-image ]] || start_notify_push + echo 'Moving data directory to a more sensible location' df -h mkdir -p /opt/ncdata
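Review bot: The removed `start_notify_push` call was guarded by `if ! is_more_recent_than "21.0.0" "${ncver}"`, i.e. it ran only after `notify_push` had been installed and enabled, but the re-added call near the end of the function is unconditional, so on a Nextcloud version below 21 it now tries to start a service for an app that was never installed. Keep the same guard, `is_more_recent_than "21.0.0" "${ncver}" || test -f /.ncp-image || start_notify_push`, unless `start_notify_push` is known to tolerate the missing app (its body is not in this hunk). The new header comment and the trailing `# don't start during build` say the same thing; one suffices. The enclosing function starts before both hunks.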
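Review bot: The comment `# notify_push was skipped during nc-init because /.ncp-image was set` explains the skip, but the guard on the next line tests /.docker-image, not /.ncp-image, so a reader cannot tell from these lines whether install.sh expects /.ncp-image to be present here or why docker is excluded; a comment such as `# /.ncp-image is set during image builds, so nc-init above skipped the service; docker starts it elsewhere — confirm` would settle it. If install.sh can also run on a live system without /.ncp-image, nc-init has already started the service and this is a second `start_notify_push`; that is harmless for `systemctl enable --now`, but the docker branch of that function forks a second background process, which is presumably why docker is excluded here.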