From aacb187401982d248ef5b04c9a89c1c9b00afc0f Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 20:48:41 +0200 Subject: [PATCH 01/35] dist-upgrade for debian 12, php-8.3 placeholder for trixie, bump ncp.cfg to trixie Signed-off-by: MagelanM --- bin/ncp-dist-upgrade.d/debian-12.sh | 77 +++++++++++++++++++ bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh | 13 ++++ 2 files changed, 90 insertions(+) create mode 100644 bin/ncp-dist-upgrade.d/debian-12.sh create mode 100644 bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh diff --git a/bin/ncp-dist-upgrade.d/debian-12.sh b/bin/ncp-dist-upgrade.d/debian-12.sh new file mode 100644 index 000000000..3997749bc --- /dev/null +++ b/bin/ncp-dist-upgrade.d/debian-12.sh 
@@ -0,0 +1,77 @@ +#!/bin/bash + +set -eu -o pipefail + +new_cfg=/usr/local/etc/ncp-recommended.cfg +[[ -f "${new_cfg}" ]] || { echo "Already on the latest recommended distribution. Abort." >&2; exit 1; } + +echo " +>>> ATTENTION <<< +This is a dangerous process that is only guaranteed to work properly if you +have not made manual changes in the system. Backup the SD card first and +proceed at your own risk. + +Note that this is not a requirement for NCP to continue working properly. +The current distribution will keep receiving updates for some time. + +Do you want to continue? [y/N]" + +if [[ "${DEBIAN_FRONTEND:-}" == "noninteractive" ]] || ! [[ -t 0 ]] +then + echo "Noninteractive environment detected. Automatically proceeding in 30 seconds..." + sleep 30 +else + read -n1 -r key + [[ "${key,,}" == y ]] || exit 0 +fi + +export DEBIAN_FRONTEND=noninteractive + +source /usr/local/etc/library.sh +is_more_recent_than "${PHPVER}.0" "8.2.0" || { + echo "You still have PHP version ${PHPVER} installed. Please update to the latest supported version of nextcloud (which will also update your PHP version) before proceeding with the distribution upgrade." + echo "Exiting." 
+ exit 1 +} +save_maintenance_mode + +# Perform dist-upgrade + +apt-get update +apt-get upgrade -y +for aptlist in /etc/apt/sources.list /etc/apt/sources.list.d/{php.list,armbian.list,raspi.list} +do + [ -f "$aptlist" ] && sed -i -e "s/bookworm/trixie/g" "$aptlist" +done +for aptlist in /etc/apt/sources.list.d/*.list +do + [[ "$aptlist" =~ "/etc/apt/sources.list.d/"(php|armbian|raspi)".list" ]] || { + echo "Disabling repositories from \"$aptlist\"" + sed -i -e "s/deb/#deb/g" "$aptlist" + } +done +apt-get update +apt-get upgrade -y dpkg +apt-get upgrade -y --without-new-pkgs +if is_lxc +then + # Required to avoid breakage of /etc/resolv.conf + apt-get install -y --no-install-recommends systemd-resolved && systemctl enable --now systemd-resolved +fi +apt-get full-upgrade -y +apt-get --purge autoremove -y + +restore_maintenance_mode +cfg="$(jq "." "$NCPCFG")" +cfg="$(jq ".release = \"trixie\"" <<<"$cfg")" +echo "$cfg" > "$NCPCFG" +rm -f /etc/update-motd.d/30ncp-dist-upgrade +rm -f /usr/local/etc/ncp-recommended.cfg + +echo "Update to Debian 13 (trixie) successful." + +is_active_app unattended-upgrades && { + echo "Setting up unattended upgrades..." + run_app unattended-upgrades || true + echo "done." +} \ No newline at end of file diff --git a/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh b/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh new file mode 100644 index 000000000..c32b6823e --- /dev/null +++ b/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +source /usr/local/etc/library.sh + +echo "Refreshing PHP repository for trixie..." +export DEBIAN_FRONTEND=noninteractive + +# Refresh sury repo for trixie +wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg +echo "deb https://packages.sury.org/php/ ${RELEASE%-security} main" > /etc/apt/sources.list.d/php.list +apt-get update + +echo "PHP ${PHPVER} repository updated for trixie." \ No newline at end of file 
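Review bot: The loop that disables third-party repositories only matches `/etc/apt/sources.list.d/*.list` and rewrites them with `s/deb/#deb/g`, so deb822 `*.sources` files stay enabled on their old suite during the release upgrade. The unanchored substitution also alters every `deb` substring in a matched file, hostnames such as `deb.debian.org` included, rather than just the line prefix. Anchoring it, `sed -i -e 's/^deb/#deb/' "$aptlist"`, keeps the file easy to restore, and `*.sources` files need their own handling (for example an `Enabled: no` field), assuming such files can exist on NCP systems. Separately, with `set -e` any failing `apt-get` step exits after `save_maintenance_mode` without reaching `restore_maintenance_mode`; an EXIT `trap` would cover that path.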
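Review bot: The signing key is written straight into `/etc/apt/trusted.gpg.d/php.gpg` by `wget -O`, which makes it trusted for every configured repository. Because the script has no `set -e`, a failed download leaves an empty or partial key file in place while the script still prints its success message. Downloading to a temporary file, installing it under a dedicated keyring path and binding it to the repository with `signed-by=` limits what that key can vouch for; comparing the key fingerprint against a value pinned in the project would be stronger still. The keyring path in the sketch below is a suggestion, not something the project already uses.

```shell
set -e
# … unchanged: source library.sh, progress message, DEBIAN_FRONTEND export …

keyring=/usr/share/keyrings/php-sury.gpg   # suggested path, adjust to project convention
tmpkey="$(mktemp)"
trap 'rm -f -- "$tmpkey"' EXIT
wget -qO "$tmpkey" https://packages.sury.org/php/apt.gpg
[[ -s "$tmpkey" ]] || { echo "PHP repository key download failed" >&2; exit 1; }
install -m 0644 "$tmpkey" "$keyring"
rm -f /etc/apt/trusted.gpg.d/php.gpg       # drop the globally trusted copy
echo "deb [signed-by=${keyring}] https://packages.sury.org/php/ ${RELEASE%-security} main" > /etc/apt/sources.list.d/php.list
apt-get update
```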
From 48cd715b09014b7504e827e1c1503062d54753b5 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:16:05 +0200 Subject: [PATCH 02/35] correct trixie dist repos Signed-off-by: MagelanM --- bin/ncp-update-nc.d/update-nc.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/ncp-update-nc.d/update-nc.sh b/bin/ncp-update-nc.d/update-nc.sh index 401677fbb..ae6176e0d 100755 --- a/bin/ncp-update-nc.d/update-nc.sh +++ b/bin/ncp-update-nc.d/update-nc.sh @@ -258,6 +258,11 @@ elif ! is_more_recent_than "29.0.0" "${NCVER}" && is_more_recent_than "8.3.0" "$ then /usr/local/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh + # Reload library.sh to reset PHPVER + source /usr/local/etc/library.sh +elif is_more_recent_than "8.3.0" "${PHPVER}.0" && [[ "$DEBIAN_VERSION" -ge 13 ]] +then + /usr/local/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh # Reload library.sh to reset PHPVER source /usr/local/etc/library.sh fi From f161ca99ba4f6ad9c1e76dd93e01f0563224c4a3 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:29:28 +0200 Subject: [PATCH 03/35] suppress php error if not yet installed Signed-off-by: MagelanM --- etc/library.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/etc/library.sh b/etc/library.sh index eb3697eef..de5d102c0 100644 --- a/etc/library.sh +++ b/etc/library.sh @@ -14,7 +14,8 @@ export NCDIR=/var/www/nextcloud export ncc=/usr/local/bin/ncc export NCPCFG=${NCPCFG:-etc/ncp.cfg} export ARCH="$(dpkg --print-architecture)" -export DB_PREFIX="$(php -r 'include("/var/www/nextcloud/config/config.php"); echo $CONFIG['"'dbtableprefix'"'];' || echo 'oc_')" +# 2>/dev/null suppresses stderr-Output if PHP is not yet installed (new system) +export DB_PREFIX="$(php -r 'include("/var/www/nextcloud/config/config.php"); echo $CONFIG['"'dbtableprefix'"'];' 2>/dev/null || echo 'oc_')" [[ "${ARCH}" =~ ^(armhf|arm)$ ]] && ARCH="armv7" [[ "${ARCH}" == "arm64" ]] && ARCH=aarch64 [[ "${ARCH}" == "amd64" ]] && ARCH=x86_64 
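Review bot: `[[ "$DEBIAN_VERSION" -ge 13 ]]` evaluates the variable arithmetically, and where `DEBIAN_VERSION` is assigned is not visible in this hunk. An empty value silently compares as 0 and a value such as `13.1` aborts the test with a syntax error; if it can ever be non-integer, `[[ "${DEBIAN_VERSION%%.*}" -ge 13 ]]` is safer. The helper's exit status is also not checked, and as added in the first commit the helper ends with an `echo`, so a failed repository refresh is followed by reloading library.sh as if it had succeeded. The enclosing `if`/`elif` chain starts outside the hunk.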
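Review bot: The `|| echo 'oc_'` fallback on the `DB_PREFIX` line only fires when `php` exits non-zero. With stderr now discarded, a missing or unreadable config.php (where `include` warns but `php -r` presumably still exits 0) leaves `DB_PREFIX` empty without any trace. Testing `command -v php` and the config file explicitly, then defaulting with `DB_PREFIX="${DB_PREFIX:-oc_}"`, would keep genuine errors visible. The added comment would read better as `# discard stderr: php may not be installed yet on a fresh system`.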
@@ -55,8 +56,10 @@ command -v jq &>/dev/null || { NCLATESTVER=$(jq -r .nextcloud_version < "$NCPCFG") PHPVER=$( jq -r .php_version < "$NCPCFG") RELEASE=$( jq -r .release < "$NCPCFG") -# the default repo in bullseye is bullseye-security -grep -Eh '^deb ' /etc/apt/sources.list | grep "${RELEASE}-security" > /dev/null && RELEASE="${RELEASE}-security" +# check also /etc/apt/sources.list.d/ in Trixie +grep -Eh '^deb ' /etc/apt/sources.list 2>/dev/null | grep "${RELEASE}-security" > /dev/null \ + || grep -Eh '^deb ' /etc/apt/sources.list.d/*.list 2>/dev/null | grep "${RELEASE}-security" > /dev/null \ + && RELEASE="${RELEASE}-security" command -v ncc &>/dev/null && NCVER="$(ncc status 2>/dev/null | grep "version:" | awk '{ print $3 }')" function configure_app() From 77904f5a94c85eddcb33bb958b326ee000e09972 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:37:10 +0200 Subject: [PATCH 04/35] bump ncp.cfg to trixie Signed-off-by: MagelanM --- etc/ncp.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/ncp.cfg b/etc/ncp.cfg index f4ed75ee8..7b25528d2 100644 --- a/etc/ncp.cfg +++ b/etc/ncp.cfg @@ -1,5 +1,5 @@ { "nextcloud_version": "33.0.2", "php_version": "8.3", - "release": "bookworm" + "release": "trixie" } From fb7e89191b252c0d4fb019855efd2c3a12b01461 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 21:45:23 +0200 Subject: [PATCH 05/35] correct mariadb inst command Signed-off-by: MagelanM --- lamp.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lamp.sh b/lamp.sh index f9ffae3d1..9df1f6af9 100644 --- a/lamp.sh +++ b/lamp.sh @@ -102,7 +102,8 @@ install() done cd /tmp - mysql_secure_installation < Date: Sun, 10 May 2026 22:14:56 +0200 Subject: [PATCH 06/35] Disable OCSP stapling for self-signed certs - fixes OpenSSL 3.5 incompatibility on trixie Signed-off-by: MagelanM --- etc/ncp-templates/apache2/http2.conf.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
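Review bot: The added fallback still only greps `^deb ` lines in `/etc/apt/sources.list.d/*.list`, so a system whose Debian repositories are defined in deb822 `*.sources` files (which use `Suites:` lines, and which I believe is the layout on fresh trixie installs) is not detected and `RELEASE` keeps its plain value. The glob also matches any third-party list that happens to mention `${RELEASE}-security`. The `a || b && c` chain does group as `(a || b) && c` in shell, but that is easy to misread; an `if grep -qs ...; then RELEASE="${RELEASE}-security"; fi` with `grep -q` instead of `> /dev/null` states the intent directly.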
diff --git a/etc/ncp-templates/apache2/http2.conf.sh b/etc/ncp-templates/apache2/http2.conf.sh index a286d7746..a5e595ae1 100644 --- a/etc/ncp-templates/apache2/http2.conf.sh +++ b/etc/ncp-templates/apache2/http2.conf.sh @@ -22,7 +22,7 @@ SSLCompression off SSLSessionTickets on # OCSP Stapling -SSLUseStapling on +SSLUseStapling off SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) From 1c59171f082a336cb19598ec492bca80dd392419 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 22:25:16 +0200 Subject: [PATCH 07/35] Enabling OCSP Stapling with valid Let's Encrypt certificates Signed-off-by: MagelanM --- bin/ncp/NETWORKING/letsencrypt.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/ncp/NETWORKING/letsencrypt.sh b/bin/ncp/NETWORKING/letsencrypt.sh index 8f66451db..6ad935d40 100644 --- a/bin/ncp/NETWORKING/letsencrypt.sh +++ b/bin/ncp/NETWORKING/letsencrypt.sh @@ -62,6 +62,8 @@ configure() local key_path="$(grep SSLCertificateKeyFile "${nc_vhostcfg}" | awk '{ print $2 }')" sed -i "s|SSLCertificateFile.*|SSLCertificateFile ${cert_path}|" "${ncp_vhostcfg}" sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile ${key_path}|" "${ncp_vhostcfg}" + # Enable OCSP stapling with valid Let's Encrypt certificate + sed -i 's/SSLUseStapling.*$/SSLUseStapling on/' /etc/apache2/conf-available/http2.conf apachectl -k graceful echo "letsencrypt certificates disabled. Using self-signed certificates instead." exit 0 @@ -134,6 +136,8 @@ EOF } done set-nc-domain "$DOMAIN" + # Enable OCSP stapling with valid Let's Encrypt certificate + sed -i 's/SSLUseStapling.*$/SSLUseStapling on/' /etc/apache2/conf-available/http2.conf apachectl -k graceful rm -rf $ncdir/.well-known From 86c461d3114056dc29301a4aa4a7bc23aaae29ca Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 10 May 2026 22:38:02 +0200 Subject: [PATCH 08/35] restart ssh instead of reload for socket-activated ssh 
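Review bot: The first added `sed` sits in the branch that ends with "letsencrypt certificates disabled. Using self-signed certificates instead.", so it sets `SSLUseStapling on` exactly when the vhost is switched back to the self-signed certificate. That is the combination the previous commit disabled stapling for. In that branch the line should be `sed -i 's/SSLUseStapling.*$/SSLUseStapling off/' /etc/apache2/conf-available/http2.conf`, with the comment adjusted to match. The start of `configure()` and the condition guarding this branch are outside the hunk, so confirm the branch against the full file.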
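Review bot: In the second hunk the in-place edit of `/etc/apache2/conf-available/http2.conf` only lasts until the template is rendered again, since `http2.conf.sh` now emits `SSLUseStapling off`. If the template is re-applied on update (not visible here), stapling is silently switched off for sites with a valid certificate. Letting the template decide from the configured certificate would keep a single source of truth. Let's Encrypt also announced the end of its OCSP service in 2025, so it is worth confirming that newly issued certificates still carry a responder URL before relying on this setting.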
Signed-off-by: MagelanM --- bin/ncp/NETWORKING/SSH.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/bin/ncp/NETWORKING/SSH.sh b/bin/ncp/NETWORKING/SSH.sh index 58dfcebdb..a596cd93c 100644 --- a/bin/ncp/NETWORKING/SSH.sh +++ b/bin/ncp/NETWORKING/SSH.sh @@ -17,7 +17,12 @@ install() { else echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config fi - systemctl reload ssh + # On Debian 13+ SSH is socket-activated, reload via socket + if systemctl is-active ssh.socket &>/dev/null; then + systemctl restart ssh + else + systemctl reload ssh + fi } is_active() From 6bf959cbda2675c67bcfa33ff45514cbcd50fbd7 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Mon, 11 May 2026 22:11:45 +0200 Subject: [PATCH 09/35] remove switch to systemd-resolved for lxc enviroments, it breaks DNS and should done separatly Signed-off-by: MagelanM --- bin/ncp-dist-upgrade.d/debian-12.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/bin/ncp-dist-upgrade.d/debian-12.sh b/bin/ncp-dist-upgrade.d/debian-12.sh index 3997749bc..d4c1a7275 100644 --- a/bin/ncp-dist-upgrade.d/debian-12.sh +++ b/bin/ncp-dist-upgrade.d/debian-12.sh @@ -53,11 +53,7 @@ done apt-get update apt-get upgrade -y dpkg apt-get upgrade -y --without-new-pkgs -if is_lxc -then - # Required to avoid breakage of /etc/resolv.conf - apt-get install -y --no-install-recommends systemd-resolved && systemctl enable --now systemd-resolved -fi + apt-get full-upgrade -y apt-get --purge autoremove -y From 3a1358f2285689e0df7abb84887bf44c2fbebbc6 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Wed, 13 May 2026 21:56:51 +0200 Subject: [PATCH 10/35] remove deprecated,removed directives for MariaDB 11.8 and later Signed-off-by: MagelanM --- etc/ncp-templates/mysql/91-ncp.cnf.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/etc/ncp-templates/mysql/91-ncp.cnf.sh b/etc/ncp-templates/mysql/91-ncp.cnf.sh index c65717122..9186044ed 100644 --- a/etc/ncp-templates/mysql/91-ncp.cnf.sh 
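Review bot: `systemctl restart ssh` is issued right after `sshd_config` was edited and without validating the file, so a syntax error would leave the daemon unable to start and, on a headless device, lock the administrator out. Gate both branches on a config test placed before the `if`, e.g. `sshd -t || return 1`. The comment says "reload via socket" while the code restarts `ssh`; `# with ssh.socket active, restart the service so the new config is picked up` would match what happens. `install()` begins outside the hunk.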
+++ b/etc/ncp-templates/mysql/91-ncp.cnf.sh @@ -14,9 +14,6 @@ fi cat < Date: Thu, 14 May 2026 19:18:26 +0200 Subject: [PATCH 11/35] extended dpkg failure handling Signed-off-by: MagelanM --- bin/ncp/NETWORKING/freeDNS.sh | 23 +++++++++++++++++++---- etc/library.sh | 16 ++++++++++++++++ 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/bin/ncp/NETWORKING/freeDNS.sh b/bin/ncp/NETWORKING/freeDNS.sh index 0a66099c7..fd64c72e7 100644 --- a/bin/ncp/NETWORKING/freeDNS.sh +++ b/bin/ncp/NETWORKING/freeDNS.sh @@ -7,10 +7,25 @@ # -install() -{ - apt-get update - apt-get install --no-install-recommends -y dnsutils +wait_for_dpkg() { + local tries=0 + while fuser /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock >/dev/null 2>&1; do + echo "dpkg locked, waiting..." + fuser -v /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock 2>/dev/null || true + sleep 2 + tries=$((tries + 1)) + if [[ $tries -ge 150 ]]; then + echo "dpkg lock timeout" + return 1 + fi + done +} + +install() { + wait_for_dpkg || return 1 + apt-get update || return 1 + wait_for_dpkg || return 1 + DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y dnsutils || return 1 } configure() diff --git a/etc/library.sh b/etc/library.sh index de5d102c0..3e0b8f342 100644 --- a/etc/library.sh +++ b/etc/library.sh 
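Review bot: `wait_for_dpkg` is defined in the freeDNS.sh hunk and again, identically, in the `etc/library.sh` hunk of this commit; keeping one copy in library.sh avoids the two drifting apart (whether freeDNS.sh has library.sh loaded when `install()` runs is not visible here). The lock probe is a check-then-act race, and if `fuser` is not installed the `while` condition fails immediately, so the function returns success without waiting. apt can wait for the lock itself, e.g. `apt-get -o DPkg::Lock::Timeout=300 install ...`, which removes both problems.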
@@ -603,10 +603,26 @@ function clear_password_fields() function apt_install() { + wait_for_dpkg apt-get update --allow-releaseinfo-change + wait_for_dpkg DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -o Dpkg::Options::=--force-confdef -o Dpkg::Options::="--force-confold" "$@" } +function wait_for_dpkg() { + local tries=0 + while fuser /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock >/dev/null 2>&1; do + echo "dpkg locked, waiting..." + fuser -v /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock 2>/dev/null || true + sleep 2 + tries=$((tries + 1)) + if [[ $tries -ge 150 ]]; then + echo "dpkg lock timeout" + return 1 + fi + done +} + function is_docker() { [[ -f /.dockerenv ]] || [[ -f /.docker-image ]] || [[ "$DOCKERBUILD" == 1 ]] } From 5f44e2de1ef966087c06ad226b833748947b0a35 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Thu, 14 May 2026 20:43:40 +0200 Subject: [PATCH 12/35] change order: first set new data dir in config, then move data Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-datadir.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/bin/ncp/CONFIG/nc-datadir.sh b/bin/ncp/CONFIG/nc-datadir.sh index 967516ffe..bfa3bc02a 100644 --- a/bin/ncp/CONFIG/nc-datadir.sh +++ b/bin/ncp/CONFIG/nc-datadir.sh @@ -8,6 +8,10 @@ # More at https://ownyourbits.com/2017/03/13/nextcloudpi-gets-nextcloudpi-config/ # +log_step() { + echo "[$(date -Is)] $*" +} + is_active() { local SRCDIR @@ -112,6 +116,10 @@ configure() btrfs subvolume create "${BASEDIR}" } + log_step "setting nc config: datadirectory" + # first set in config the new value, because occ checks if the current datadir exists + ncc config:system:set datadirectory --value="${DATADIR}" + # use encryption, if selected if is_active_app nc-encrypt; then # if we have encryption AND BTRFS, then store ncdata_enc in the subvolume 
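Review bot: `apt_install` calls `wait_for_dpkg` twice but ignores its return value, so after the 150-try timeout it prints "dpkg lock timeout" and runs `apt-get` anyway. Propagate the failure as the freeDNS.sh `install()` in the same commit does: `wait_for_dpkg || return 1`. The two status messages would also be better on stderr, `echo "dpkg lock timeout" >&2`, so they do not mix with output that callers may capture.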
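Review bot: `ncc config:system:set datadirectory` now runs before the data has been moved, and its result is not checked. Any failure in the later steps (encryption setup, the move itself, `chown`) therefore leaves Nextcloud pointing at a `DATADIR` that is empty or incomplete, with no rollback to the previous value. The @@ -123 hunk of the same commit also drops the `sed` fallback for both `datadirectory` and `logfile`, so a failing `ncc` no longer updates config.php at all. Recording the old value first and restoring it from a failure handler would bound the damage. `configure()` starts outside the hunk, so whether the script already aborts on error could not be checked.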
@@ -123,12 +131,7 @@ configure() fi chown www-data: "${DATADIR}" - # datadir - ncc config:system:set datadirectory --value="${DATADIR}" \ - || sed -i "s|'datadirectory' =>.*|'datadirectory' => '${DATADIR}',|" "${NCDIR?}"/config/config.php - - ncc config:system:set logfile --value="${DATADIR}/nextcloud.log" \ - || sed -i "s|'logfile' =>.*|'logfile' => '${DATADIR}/nextcloud.log',|" "${NCDIR?}"/config/config.php + ncc config:system:set logfile --value="${DATADIR}/nextcloud.log" set_ncpcfg datadir "${DATADIR}" # tmp upload dir From bacbc3fdc38adf9ccfe9d892898b5452ae889b64 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 20:16:14 +0200 Subject: [PATCH 13/35] remove log Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-datadir.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/bin/ncp/CONFIG/nc-datadir.sh b/bin/ncp/CONFIG/nc-datadir.sh index bfa3bc02a..a34e9d712 100644 --- a/bin/ncp/CONFIG/nc-datadir.sh +++ b/bin/ncp/CONFIG/nc-datadir.sh @@ -8,10 +8,6 @@ # More at https://ownyourbits.com/2017/03/13/nextcloudpi-gets-nextcloudpi-config/ # -log_step() { - echo "[$(date -Is)] $*" -} - is_active() { local SRCDIR @@ -116,7 +112,6 @@ configure() btrfs subvolume create "${BASEDIR}" } - log_step "setting nc config: datadirectory" # first set in config the new value, because occ checks if the current datadir exists ncc config:system:set datadirectory --value="${DATADIR}" From f8876a1a6236921fd3b32a7f65e9809682c2e2e0 Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 20:19:00 +0200 Subject: [PATCH 14/35] systemd drop-in for write access Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-limits.sh | 9 +++++++++ .../systemd/php-fpm.service.d.ncp.conf.sh | 17 +++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh diff --git a/bin/ncp/CONFIG/nc-limits.sh b/bin/ncp/CONFIG/nc-limits.sh index de411e9a8..d1d24421e 100644 --- a/bin/ncp/CONFIG/nc-limits.sh +++ b/bin/ncp/CONFIG/nc-limits.sh 
@@ -76,6 +76,15 @@ configure() install_template "php/pool.d.www.conf.sh" "$CONF" [[ "$CONF_VALUE" == "$(cat "$CONF")" ]] || require_fpm_restart=true + # PHP-FPM SYSTEMD DROP-IN (ReadWritePaths for ProtectSystem=full) + local DROPIN=/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf + CONF_VALUE="$(cat "$DROPIN" 2> /dev/null || true)" + install_template "systemd/php-fpm.service.d.ncp.conf.sh" "$DROPIN" + if [[ "$CONF_VALUE" != "$(cat "$DROPIN")" ]]; then + systemctl daemon-reload + require_fpm_restart=true + fi + local CONF=/etc/mysql/mariadb.conf.d/91-ncp.cnf CONF_VALUE="$(cat "$CONF" 2> /dev/null || true)" install_template "mysql/91-ncp.cnf.sh" "$CONF" diff --git a/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh new file mode 100644 index 000000000..720af3b73 --- /dev/null +++ b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# systemd drop-in for php-fpm to allow write access to NCP paths +# that are otherwise blocked by ProtectSystem=full in the upstream +# php-fpm service unit (introduced in php8.x Debian packages). +# +# ProtectSystem=full makes /usr, /boot and /etc read-only for the +# php-fpm process. ReadWritePaths carves out explicit exceptions. + +set -e +source /usr/local/etc/library.sh + +cat < Date: Fri, 15 May 2026 21:01:31 +0200 Subject: [PATCH 15/35] move drop-in to update.sh Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-limits.sh | 9 --------- update.sh | 9 +++++++++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bin/ncp/CONFIG/nc-limits.sh b/bin/ncp/CONFIG/nc-limits.sh index d1d24421e..de411e9a8 100644 --- a/bin/ncp/CONFIG/nc-limits.sh +++ b/bin/ncp/CONFIG/nc-limits.sh 
@@ -76,15 +76,6 @@ configure() install_template "php/pool.d.www.conf.sh" "$CONF" [[ "$CONF_VALUE" == "$(cat "$CONF")" ]] || require_fpm_restart=true - # PHP-FPM SYSTEMD DROP-IN (ReadWritePaths for ProtectSystem=full) - local DROPIN=/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf - CONF_VALUE="$(cat "$DROPIN" 2> /dev/null || true)" - install_template "systemd/php-fpm.service.d.ncp.conf.sh" "$DROPIN" - if [[ "$CONF_VALUE" != "$(cat "$DROPIN")" ]]; then - systemctl daemon-reload - require_fpm_restart=true - fi - local CONF=/etc/mysql/mariadb.conf.d/91-ncp.cnf CONF_VALUE="$(cat "$CONF" 2> /dev/null || true)" install_template "mysql/91-ncp.cnf.sh" "$CONF" diff --git a/update.sh b/update.sh index ccf042543..4b82f7b51 100755 --- a/update.sh +++ b/update.sh @@ -172,12 +172,21 @@ if is_docker; then cp build/docker/{lamp/010lamp,nextcloud/020nextcloud,nextcloudpi/000ncp} /etc/services-enabled.d fi +# PHP-FPM systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full +# (introduced in php8.x Debian packages via systemd hardening) +install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ + "/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf" + # only live updates from here [[ -f /.ncp-image ]] && exit 0 # update old images ./run_update_history.sh "$UPDATESDIR" +# reload systemd after drop-in changes +systemctl daemon-reload +service "php${PHPVER}-fpm" restart + # update to the latest NC version is_active_app nc-autoupdate-nc && run_app nc-autoupdate-nc From 00a6f58fc6e23719abc6cb250ff99cd2b1ccec8d Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 21:40:35 +0200 Subject: [PATCH 16/35] drop in also in lamp.sh Signed-off-by: MagelanM --- lamp.sh | 5 +++++ update.sh | 4 ---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lamp.sh b/lamp.sh index 9df1f6af9..c345f9e8f 100644 --- a/lamp.sh +++ b/lamp.sh 
@@ -66,6 +66,11 @@ install() install_template "php/opcache.ini.sh" "/etc/php/${PHPVER}/mods-available/opcache.ini" --defaults + # systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full + install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ + "/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf" + systemctl daemon-reload + a2enmod http2 a2enconf http2 a2enmod proxy_fcgi setenvif diff --git a/update.sh b/update.sh index 4b82f7b51..7b82273a1 100755 --- a/update.sh +++ b/update.sh @@ -183,10 +183,6 @@ install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ # update old images ./run_update_history.sh "$UPDATESDIR" -# reload systemd after drop-in changes -systemctl daemon-reload -service "php${PHPVER}-fpm" restart - # update to the latest NC version is_active_app nc-autoupdate-nc && run_app nc-autoupdate-nc From 9552a5d17b1e190c835ec9dfd4344da224d46c8f Mon Sep 17 00:00:00 2001 From: MagelanM Date: Fri, 15 May 2026 22:03:43 +0200 Subject: [PATCH 17/35] ProtectSystem=false for unprivileged lxcs Signed-off-by: MagelanM --- .../systemd/php-fpm.service.d.ncp.conf.sh | 28 +++++++++++++++++-- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh index 720af3b73..f01ec0a51 100644 --- a/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh +++ b/etc/ncp-templates/systemd/php-fpm.service.d.ncp.conf.sh 
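Review bot: The `update.sh` hunk of this commit removes `systemctl daemon-reload` and the php-fpm restart while keeping the `install_template` call. Existing installations therefore receive the new drop-in on update, but the running unit keeps its old sandbox settings until something else reloads systemd and restarts the service. Keeping the reload and restart in update.sh after the `/.ncp-image` check, guarded for environments without systemd, e.g. `is_docker || { systemctl daemon-reload; systemctl restart "php${PHPVER}-fpm"; }`, would make the change take effect. The unconditional `systemctl daemon-reload` added to `install()` in lamp.sh may likewise fail during builds where systemd is not running; that could not be verified from the hunk.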
@@ -4,14 +4,36 @@ # that are otherwise blocked by ProtectSystem=full in the upstream # php-fpm service unit (introduced in php8.x Debian packages). # -# ProtectSystem=full makes /usr, /boot and /etc read-only for the -# php-fpm process. ReadWritePaths carves out explicit exceptions. +# ProtectSystem=full creates a private mount namespace to make /usr, +# /boot and /etc read-only for the php-fpm process. +# +# In unprivileged LXC containers, non-root users cannot create mount +# namespaces (unshare CLONE_NEWNS is blocked by the kernel), so +# ProtectSystem=full causes php-fpm to fail with status=226/NAMESPACE. +# In that case we disable ProtectSystem entirely. Security is still +# provided by Unix file permissions (cfg files are root:www-data 660) +# and LXC container isolation. +# +# On bare-metal, VMs, and privileged LXC, ReadWritePaths is used to +# carve out targeted exceptions while keeping the rest of the +# hardening intact. set -e source /usr/local/etc/library.sh -cat </dev/null; then + # Unprivileged LXC: namespace operations not permitted for non-root. + # Disable ProtectSystem to prevent php-fpm failing with 226/NAMESPACE. + cat < Date: Sun, 31 May 2026 19:46:20 +0200 Subject: [PATCH 18/35] daemon-reload for push service Signed-off-by: MagelanM --- etc/library.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/library.sh b/etc/library.sh index 3e0b8f342..ffe8ba5f6 100644 --- a/etc/library.sh +++ b/etc/library.sh @@ -179,6 +179,8 @@ function start_notify_push() if [[ -f /.docker-image ]]; then NEXTCLOUD_URL=https://localhost sudo -E -u www-data "/var/www/nextcloud/apps/notify_push/bin/${ARCH}/notify_push" --allow-self-signed /var/www/nextcloud/config/config.php &>/dev/null & else + # load generated systemd-unit + systemctl daemon-reload systemctl enable --now notify_push fi sleep 5 # apparently we need to make sure we wait until the database is written or something From db51f472bc14af3418c1ed72c92ba5e85a7d0349 Mon Sep 17 00:00:00 2001 
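Review bot: The unprivileged-LXC branch described in the new header comment drops `ProtectSystem` altogether, which gives up the read-only `/usr`, `/boot` and `/etc` for the process that executes web-facing PHP. The stated compensating control, cfg files owned `root:www-data` with mode 660, means that same process can write those files. The detection test and the generated unit text are not fully visible in this hunk, so this concerns the design as documented. Consider emitting a warning to the log when the fallback is taken, and documenting the container-side alternative (allowing nested namespaces for the container, which commonly resolves `226/NAMESPACE`) so that disabling the hardening is a last resort.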
From: MagelanM Date: Sun, 31 May 2026 20:25:13 +0200 Subject: [PATCH 19/35] move start of push service after configuration is complete Signed-off-by: MagelanM --- bin/ncp/CONFIG/nc-init.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bin/ncp/CONFIG/nc-init.sh b/bin/ncp/CONFIG/nc-init.sh index dcc83b61c..92ec85990 100644 --- a/bin/ncp/CONFIG/nc-init.sh +++ b/bin/ncp/CONFIG/nc-init.sh @@ -180,7 +180,6 @@ EOF if ! is_more_recent_than "21.0.0" "${ncver}"; then ncc app:install notify_push ncc app:enable notify_push - test -f /.ncp-image || start_notify_push # don't start during build fi # previews @@ -216,6 +215,9 @@ EOF test -f /.ncp-image || bash /usr/local/bin/nextcloud-domain.sh } + # start notify_push after NC is fully configured + test -f /.ncp-image || start_notify_push # don't start during build + # dettach mysql during the build if [[ "${db_pid}" != "" ]]; then echo "Shutting down mariaDB (${db_pid})" From 6ebc6f330a6e5f018e64f24619e600f72f3d20ce Mon Sep 17 00:00:00 2001 From: MagelanM Date: Sun, 31 May 2026 22:21:19 +0200 Subject: [PATCH 20/35] start push service explicit Signed-off-by: MagelanM --- install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install.sh b/install.sh index e77104ab8..4df95258a 100644 --- a/install.sh +++ b/install.sh @@ -80,6 +80,10 @@ rm /usr/local/etc/ncp-config.d/nc-nextcloud.cfg # armbian overlay is ro systemctl restart mysqld # TODO this shouldn't be necessary, but somehow it's needed in Debian 9.6. Fixme install_app ncp.sh run_app_unsafe bin/ncp/CONFIG/nc-init.sh +# notify_push was skipped during nc-init because /.ncp-image was set +# start it now explicitly +[[ -f /.docker-image ]] || start_notify_push + echo 'Moving data directory to a more sensible location' df -h mkdir -p /opt/ncdata From 212522074e56da51da5e29549139cd6360bb0dba Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Fri, 5 Jun 2026 12:54:18 +0200 Subject: [PATCH 21/35] build-lxd.yml: Enable dist-upgrade test for debian 13 --- .github/workflows/build-lxd.yml | 110 ++++++++++++++++++++------------ 1 file changed, 70 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build-lxd.yml b/.github/workflows/build-lxd.yml index 254aa366c..92a280f2f 100644 --- a/.github/workflows/build-lxd.yml +++ b/.github/workflows/build-lxd.yml @@ -278,7 +278,7 @@ jobs: sudo "$LXC" exec ncp -- bash -c "tail -n20 /var/log/ncp.log" || true echo "================" echo "nextcloud log: " - datadir="$("$LXC" exec ncp -- ncc config:system:get datadirectory)" + datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true exit 1 } @@ -393,7 +393,6 @@ jobs: sudo "$LXC" stop ncp test-dist-upgrade: - if: false needs: - determine-runner runs-on: ${{ needs.determine-runner.outputs.runner_label }} @@ -401,8 +400,8 @@ jobs: VERSION: "${{ inputs.git_ref || github.ref }}" LXC: "${{ needs.determine-runner.outputs.lxc_cmd }}" LXD_EXTRA_PROFILE: "${{ needs.determine-runner.outputs.lxd_extra_profile }}" - PREVIOUS_IMAGE_URL_ARM64: "https://github.com/nextcloud/nextcloudpi/releases/download/v1.53.2/NextcloudPi_LXD_arm64_v1.53.2.tar.gz" - PREVIOUS_IMAGE_URL_AMD64: "https://github.com/nextcloud/nextcloudpi/releases/download/v1.53.2/NextCloudPi_LXD_x86_v1.53.2.tar.gz" + PREVIOUS_IMAGE_URL_ARM64: "https://github.com/nextcloud/nextcloudpi/releases/download/v1.57.1/NextcloudPi_LXD_arm64_v1.57.1.tar.gz" + PREVIOUS_IMAGE_URL_AMD64: "https://github.com/nextcloud/nextcloudpi/releases/download/v1.57.1/NextCloudPi_LXD_x86_v1.57.1.tar.gz" USE_INCUS: "${{ needs.determine-runner.outputs.lxc_cmd == 'incus' && 'yes' || 'no' }}" steps: - name: Setup incus 
@@ -416,7 +415,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 with: - ref: "v1.54.3" + ref: "v1.57.1" - name: Setup Firefox if: ${{ runner.arch != 'ARM64' }} continue-on-error: true @@ -425,6 +424,7 @@ jobs: - name: Setup Firefox from packages if: ${{ runner.arch == 'ARM64' || steps.setup-firefox-browser-action.outcome == 'failure' }} run: | + sudo apt-get update sudo apt-get install -y --no-install-recommends firefox - name: Setup GeckoDriver env: @@ -458,8 +458,9 @@ jobs: - name: Launch ncp container run: | set -x + . ./build/buildlib.sh sudo "$LXC" delete -q -f ncp || true - sudo "$LXC" image import -q "./ncp.tar.gz" --alias "ncp/update" + sudo "$LXC" image import -q "./ncp.tar.gz" --alias "ncp/update" || true LXC_ARGS=(-p default) [[ -z "$LXD_EXTRA_PROFILE" ]] || LXC_ARGS+=(-p "$LXD_EXTRA_PROFILE") systemd-run --user --scope -p "Delegate=yes" "$LXC" launch -q "${LXC_ARGS[@]}" "ncp/update" ncp || \ @@ -477,6 +478,7 @@ jobs: set -x export GECKODRIVER_PATH="$GECKODRIVER_PATH" export FF_BINARY_PATH="$(which firefox)" + sudo "$LXC" exec ncp -- /usr/local/bin/ncc config:system:set overwrite.cli.url --value "https://nextcloudpi.local" sudo "$LXC" exec ncp -- bash -c 'tail -f /var/log/ncp.log' |& awk '{ print "NCP::" $0 }' & ../.venv/bin/python activation_tests.py --no-gui "nextcloudpi.local" 443 4443 || { echo "Activation test failed!" @@ -485,6 +487,10 @@ jobs: echo "================" echo "ncp.log: " sudo "$LXC" exec ncp -- bash -c "tail -n20 /var/log/ncp.log" || true + echo "================" + echo "nextcloud log: " + datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" + sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true exit 1 } ../.venv/bin/python nextcloud_tests.py --skip-release-check --no-gui "nextcloudpi.local" 443 4443 || { 
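Review bot: In the "Launch ncp container" step the added `|| true` on `image import ... --alias "ncp/update"` hides every import failure, not only the case where the alias already exists. On a reused runner the following `launch` would then start whatever image already carries that alias, and the upgrade test would run against the wrong artifact. Removing the alias first, `sudo "$LXC" image delete -q ncp/update || true`, and letting the import fail loudly keeps the test tied to the image that was just downloaded.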
@@ -528,22 +534,34 @@ jobs: echo "Running update to ${VERSION}" current_nc_version="$(sudo "$LXC" exec ncp -- ncc status | grep "version:" | awk '{ print $3 }')" - latest_nc_version="29.0.9" - - sudo "$LXC" exec ncp -- apt-get update ||: - sudo "$LXC" exec ncp -- apt-get install --no-install-recommends -y gnupg2 - sudo "$LXC" exec ncp -- apt-key adv --fetch-keys https://packages.sury.org/php/apt.gpg - + latest_nc_version="33.0.3" + sudo "$LXC" exec ncp -- bash -c "DBG=x ncp-update ${UPDATE_ARGS[*]}" sudo "$LXC" exec ncp -- /usr/local/bin/ncc status - #if [[ "$current_nc_version" =~ "$latest_nc_version".* ]] - #then - # echo "Nextcloud is up to date - skipping NC update test." - #else - # sudo "$LXC" exec ncp -- bash -c "DBG=x ncp-update-nc ${latest_nc_version?}" - # sudo "$LXC" exec ncp -- /usr/local/bin/ncc status - #fi + if [[ "$current_nc_version" =~ "$latest_nc_version".* ]] + then + echo "Nextcloud is up to date - skipping NC update test." + else + for i in {1..10} + do + echo "running nc update $i/10..." + sudo "$LXC" exec ncp -- bash -c "DBG=x ncp-update-nc ${latest_nc_version?}" + sudo "$LXC" exec ncp -- /usr/local/bin/ncc status + current_nc_version_new="$(sudo "$LXC" exec ncp -- ncc status | grep "version:" | awk '{ print $3 }')" + + if [[ "$current_nc_version_new" =~ "$latest_nc_version".* ]] + then + break + fi + if [[ "$current_nc_version" == "$current_nc_version_new" ]] + then + echo "failed to update to $latest_nc_version" + exit 1 + fi + current_nc_version="$current_nc_version_new" + done + fi sudo "$LXC" exec ncp -- rm -f /opt/ncdata/data/nextcloud.log 
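Review bot: The retry loop `for i in {1..10}` only fails when an iteration makes no progress. If all ten iterations advance the version without reaching `$latest_nc_version`, the loop ends and the step continues as if the update had succeeded. A final check after `done`, e.g. `[[ "$current_nc_version_new" =~ "$latest_nc_version".* ]] || exit 1`, closes that gap. The same loop shape appears in the @@ -606 hunk of the dist-upgrade step.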
@@ -564,9 +582,22 @@ jobs: - name: Test LXD Image working-directory: ./tests run: | + set -x + sudo "$LXC" exec ncp -- bash -c 'tail -f /var/log/ncp.log' |& awk '{ print "NCP::" $0 }' & export GECKODRIVER_PATH="$GECKODRIVER_PATH" export FF_BINARY_PATH="$(which firefox)" - ../.venv/bin/python nextcloud_tests.py --no-gui --skip-release-check "nextcloudpi.local" 443 4443 || { + + USE_INCUS="$USE_INCUS" ../.venv/bin/python system_tests.py --skip-update-test --non-interactive || { + echo "System test failed!" + echo "ncp.log: " + sudo "$LXC" exec ncp -- bash -c "tail -n20 /var/log/ncp.log" || true + echo "================" + echo "nextcloud log: " + datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" + sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true + exit 1 + } + ../.venv/bin/python nextcloud_tests.py --no-gui "nextcloudpi.local" 443 4443 || { echo "Nextcloud test failed!" echo "Geckodriver logs:" tail -n 20 geckodriver.log >&2 || true @@ -579,11 +610,6 @@ jobs: sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true exit 1 } - sudo "$LXC" exec ncp -- bash -c 'tail -f /var/log/ncp.log' |& awk '{ print "NCP::" $0 }' & - USE_INCUS="$USE_INCUS" ../.venv/bin/python system_tests.py --non-interactive --skip-update-test || { - echo "System test failed!" - exit 1 - } - name: Checkout current version run: | git fetch origin @@ -592,7 +618,7 @@ jobs: id: distupgrade run: | set -x - sudo "$LXC" exec ncp -- cat /etc/os-release | grep 'VERSION_ID="11"' || { + sudo "$LXC" exec ncp -- cat /etc/os-release | grep 'VERSION_ID="12"' || { echo "can't upgrade from Debian $(sudo "$LXC" exec ncp -- cat /etc/os-release | grep VERSION_ID=)" exit 1 } 
@@ -606,14 +632,13 @@ jobs: then echo "Nextcloud is up to date - skipping NC update test." else - - for i in {1..10}; + for i in {1..10} do - echo "running nc update ($i/10)..." + echo "running nc update $i/10..." sudo "$LXC" exec ncp -- bash -c "DBG=x ncp-update-nc ${latest_nc_version?}" - sudo "$LXC" exec ncp -- /usr/local/bin/ncc status current_nc_version_new="$(sudo "$LXC" exec ncp -- ncc status | grep "version:" | awk '{ print $3 }')" + if [[ "$current_nc_version_new" =~ "$latest_nc_version".* ]] then break @@ -632,10 +657,8 @@ jobs: - name: Relaunch container run: | set -x - LXC_ARGS=() - [[ -z "$LXD_EXTRA_PROFILE" ]] || LXC_ARGS+=(-p "$LXD_EXTRA_PROFILE") - systemd-run --user --scope -p "Delegate=yes" "$LXC" start ncp || \ - sudo systemd-run --scope -p "Delegate=yes" "$LXC" start ncp + systemd-run --user --scope -p "Delegate=yes" "$LXC" start -q ncp || \ + sudo systemd-run --scope -p "Delegate=yes" "$LXC" start -q ncp sudo "$LXC" exec ncp -- bash -c 'while [ "$(systemctl is-system-running 2>/dev/null)" != "running" ] && [ "$(systemctl is-system-running 2>/dev/null)" != "degraded" ]; do :; done' sleep 30 ip="$(sudo "$LXC" list -c n4 -f csv | grep '^ncp' | cut -d ',' -f2)" 
@@ -646,9 +669,20 @@ jobs: working-directory: ./tests run: | set -x + sudo "$LXC" exec ncp -- bash -c 'tail -f /var/log/ncp.log' |& awk '{ print "NCP::" $0 }' & export GECKODRIVER_PATH="$GECKODRIVER_PATH" export FF_BINARY_PATH="$(which firefox)" - sudo "$LXC" exec ncp -- bash -c 'tail -f /var/log/ncp.log' |& awk '{ print "NCP::" $0 }' & + + USE_INCUS="$USE_INCUS" ../.venv/bin/python system_tests.py --skip-update-test --non-interactive || { + echo "System test failed!" + echo "ncp.log: " + sudo "$LXC" exec ncp -- bash -c "tail -n20 /var/log/ncp.log" || true + echo "================" + echo "nextcloud log: " + datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" + sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true + exit 1 + } ../.venv/bin/python nextcloud_tests.py --no-gui "nextcloudpi.local" 443 4443 || { echo "Nextcloud test failed!" echo "Geckodriver logs:" @@ -662,10 +696,6 @@ jobs: sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true exit 1 } - USE_INCUS="$USE_INCUS" ../.venv/bin/python system_tests.py --non-interactive || { - echo "System test failed!" - exit 1 - } sudo "$LXC" stop ncp test-fresh-install: @@ -767,7 +797,7 @@ jobs: sudo "$LXC" exec ncp -- bash -c "tail -n20 /var/log/ncp.log" || true echo "================" echo "nextcloud log: " - datadir="$("$LXC" exec ncp -- ncc config:system:get datadirectory)" + datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true exit 1 } From 79278448eefc59b7c70078b112489835b00df713 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Fri, 5 Jun 2026 12:54:55 +0200 Subject: [PATCH 22/35] ncp-dist-upgrade: Run (to-be-merged) debian-12.sh when upgrading from bookworm --- bin/ncp-dist-upgrade | 3 +++ bin/ncp-dist-upgrade.d/debian-11.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/bin/ncp-dist-upgrade b/bin/ncp-dist-upgrade index 7c93def98..31a3cecd7 100755 --- a/bin/ncp-dist-upgrade +++ b/bin/ncp-dist-upgrade @@ -15,6 +15,9 @@ then elif [[ "$VERSION_ID" -eq 11 ]] then UPGRADE_CMD=(bash /usr/local/bin/ncp-dist-upgrade.d/debian-11.sh) +elif [[ "$VERSION_ID" -eq 12 ]] +then + UPGRADE_CMD=(bash /usr/local/bin/ncp-dist-upgrade.d/debian-12.sh) else echo "No dist-upgrade available for OS version: Debian ${VERSION}." exit 0 diff --git a/bin/ncp-dist-upgrade.d/debian-11.sh b/bin/ncp-dist-upgrade.d/debian-11.sh index 89513fd28..d8d3d3e8e 100644 --- a/bin/ncp-dist-upgrade.d/debian-11.sh +++ b/bin/ncp-dist-upgrade.d/debian-11.sh @@ -1,4 +1,4 @@ - #!/bin/bash +#!/bin/bash set -eu -o pipefail From ef3a22c58a0c3afcea8544d401403cca158d5e5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 14:57:30 +0200 Subject: [PATCH 23/35] Don't handle the case os_version = trixie && php version < 8.3 (prevented in dist-upgrade) --- bin/ncp-update-nc.d/update-nc.sh | 5 ----- bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh | 13 ------------- 2 files changed, 18 deletions(-) delete mode 100644 bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh diff --git a/bin/ncp-update-nc.d/update-nc.sh b/bin/ncp-update-nc.d/update-nc.sh index ae6176e0d..401677fbb 100755 --- a/bin/ncp-update-nc.d/update-nc.sh +++ b/bin/ncp-update-nc.d/update-nc.sh @@ -258,11 +258,6 @@ elif ! is_more_recent_than "29.0.0" "${NCVER}" && is_more_recent_than "8.3.0" "$ then /usr/local/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh - # Reload library.sh to reset PHPVER - source /usr/local/etc/library.sh -elif is_more_recent_than "8.3.0" "${PHPVER}.0" && [[ "$DEBIAN_VERSION" -ge 13 ]] -then - /usr/local/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh # Reload library.sh to reset PHPVER source /usr/local/etc/library.sh fi 
diff --git a/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh b/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh deleted file mode 100644 index c32b6823e..000000000 --- a/bin/ncp-update-nc.d/upgrade-php-trixie-8.3.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env bash - -source /usr/local/etc/library.sh - -echo "Refreshing PHP repository for trixie..." -export DEBIAN_FRONTEND=noninteractive - -# Refresh sury repo for trixie -wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg -echo "deb https://packages.sury.org/php/ ${RELEASE%-security} main" > /etc/apt/sources.list.d/php.list -apt-get update - -echo "PHP ${PHPVER} repository updated for trixie." \ No newline at end of file From 776ee440e86b5ff06d29b868c7552dc4de6c2340 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 14:59:09 +0200 Subject: [PATCH 24/35] nc-datadir.sh: Restore fallbacks for editing config.php without php --- bin/ncp/CONFIG/nc-datadir.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/ncp/CONFIG/nc-datadir.sh b/bin/ncp/CONFIG/nc-datadir.sh index a34e9d712..89da86812 100644 --- a/bin/ncp/CONFIG/nc-datadir.sh +++ b/bin/ncp/CONFIG/nc-datadir.sh @@ -113,7 +113,9 @@ configure() } # first set in config the new value, because occ checks if the current datadir exists - ncc config:system:set datadirectory --value="${DATADIR}" + ncc config:system:set datadirectory --value="${DATADIR}" \ + || sed -i "s|'datadirectory' =>.*|'datadirectory' => '${DATADIR}',|" "${NCDIR?}"/config/config.php + Could not apply suggestion. # use encryption, if selected if is_active_app nc-encrypt; then 
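Review bot: The `sed` fallback added after `ncc config:system:set datadirectory` splices `${DATADIR}` unescaped into both the sed replacement and a single-quoted PHP string in config.php. A path containing `|`, `&` or `\` changes what sed writes, and a `'` would end the PHP literal early, so the fallback can corrupt config.php or store something other than the intended path. I would escape the value first, e.g. `esc="$(printf '%s' "$DATADIR" | sed -e 's/[\\&|]/\\&/g')"`, use `${esc}` in the replacement, and reject a DATADIR that contains a single quote. The `logfile` fallback in the next hunk (`@@ -126,7 +128,8 @@`) has the same pattern, and `configure()` starts and ends outside both hunks.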
@@ -126,7 +128,8 @@ configure() fi chown www-data: "${DATADIR}" - ncc config:system:set logfile --value="${DATADIR}/nextcloud.log" + ncc config:system:set logfile --value="${DATADIR}/nextcloud.log" \ + || sed -i "s|'logfile' =>.*|'logfile' => '${DATADIR}/nextcloud.log',|" "${NCDIR?}"/config/config.php set_ncpcfg datadir "${DATADIR}" # tmp upload dir From 57b1bf4270a5b85bf83e5178cbff0dca8b61c4fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 15:02:45 +0200 Subject: [PATCH 25/35] freeDNS.sh: Remove redundant function wait_for_dpkg --- bin/ncp/NETWORKING/freeDNS.sh | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/bin/ncp/NETWORKING/freeDNS.sh b/bin/ncp/NETWORKING/freeDNS.sh index fd64c72e7..bddbee6e7 100644 --- a/bin/ncp/NETWORKING/freeDNS.sh +++ b/bin/ncp/NETWORKING/freeDNS.sh @@ -6,26 +6,11 @@ # GPL licensed (see end of file) * Use at your own risk! # - -wait_for_dpkg() { - local tries=0 - while fuser /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock >/dev/null 2>&1; do - echo "dpkg locked, waiting..." - fuser -v /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock 2>/dev/null || true - sleep 2 - tries=$((tries + 1)) - if [[ $tries -ge 150 ]]; then - echo "dpkg lock timeout" - return 1 - fi - done -} - install() { - wait_for_dpkg || return 1 - apt-get update || return 1 - wait_for_dpkg || return 1 - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y dnsutils || return 1 + wait_for_dpkg \ + && apt-get update \ + && wait_for_dpkg \ + && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y dnsutils } configure() From f0f58fe55692039903ee39f4ab41830886035a86 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 15:05:41 +0200 Subject: [PATCH 26/35] letsencrypt.sh: Disable OCSP stapling when disabling letsencrypt certificates --- bin/ncp/NETWORKING/letsencrypt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/ncp/NETWORKING/letsencrypt.sh b/bin/ncp/NETWORKING/letsencrypt.sh index 6ad935d40..db5dc3bcf 100644 --- a/bin/ncp/NETWORKING/letsencrypt.sh +++ b/bin/ncp/NETWORKING/letsencrypt.sh @@ -62,8 +62,8 @@ configure() local key_path="$(grep SSLCertificateKeyFile "${nc_vhostcfg}" | awk '{ print $2 }')" sed -i "s|SSLCertificateFile.*|SSLCertificateFile ${cert_path}|" "${ncp_vhostcfg}" sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile ${key_path}|" "${ncp_vhostcfg}" - # Enable OCSP stapling with valid Let's Encrypt certificate - sed -i 's/SSLUseStapling.*$/SSLUseStapling on/' /etc/apache2/conf-available/http2.conf + # Disable OCSP stapling without Let's Encrypt certificate + sed -i 's/SSLUseStapling.*$/SSLUseStapling off/' /etc/apache2/conf-available/http2.conf apachectl -k graceful echo "letsencrypt certificates disabled. Using self-signed certificates instead." exit 0 From 6f756744b7a0f031fe04fd06c465d3cc4858b7b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 15:14:10 +0200 Subject: [PATCH 27/35] Move installation of php-fpm systemd service dropin to updates/1.58.0.sh --- .github/workflows/build-sd-images.yml | 12 ++++++------ bin/ncp-dist-upgrade.d/debian-11.sh | 4 ++-- bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh | 5 +---- update.sh | 5 ----- updates/1.58.0.sh | 11 +++++++++++ 5 files changed, 20 insertions(+), 17 deletions(-) create mode 100644 updates/1.58.0.sh diff --git a/.github/workflows/build-sd-images.yml b/.github/workflows/build-sd-images.yml index 9f8356d70..c0ddc18c5 100644 --- a/.github/workflows/build-sd-images.yml 
+++ b/.github/workflows/build-sd-images.yml @@ -178,12 +178,12 @@ jobs: echo 'Mutex posixsem' | sudo tee -a raspbian_root/etc/apache2/mods-available/ssl.conf echo 'ignore-warnings ARM64-COW-BUG' | sudo tee -a raspbian_root/etc/redis/redis.conf sudo mkdir -p raspbian_root/etc/systemd/system/redis-server.service.d - echo '[Service]' | sudo tee raspbian_root/etc/systemd/system/redis-server.service.d/ncp.conf - echo 'PrivateUsers=false' | sudo tee -a raspbian_root/etc/systemd/system/redis-server.service.d/ncp.conf + echo '[Service]' | sudo tee raspbian_root/etc/systemd/system/redis-server.service.d/ncp-ci.conf + echo 'PrivateUsers=false' | sudo tee -a raspbian_root/etc/systemd/system/redis-server.service.d/ncp-ci.conf sudo mkdir -p raspbian_root/etc/systemd/system/php8.3-fpm.service.d - echo '[Service]' | sudo tee raspbian_root/etc/systemd/system/php8.3-fpm.service.d/ncp.conf - echo 'ExecStartPre=mkdir -p /var/run/php' | sudo tee -a raspbian_root/etc/systemd/system/php8.3-fpm.service.d/ncp.conf + echo '[Service]' | sudo tee raspbian_root/etc/systemd/system/php8.3-fpm.service.d/ncp-ci.conf + echo 'ExecStartPre=mkdir -p /var/run/php' | sudo tee -a raspbian_root/etc/systemd/system/php8.3-fpm.service.d/ncp-ci.conf - name: Test image id: test run: | 
@@ -421,8 +421,8 @@ jobs: # echo 'Mutex posixsem' | sudo tee -a raspbian_root/etc/apache2/mods-available/ssl.conf # echo 'ignore-warnings ARM64-COW-BUG' | sudo tee -a raspbian_root/etc/redis/redis.conf # sudo mkdir -p raspbian_root/etc/systemd/system/redis-server.service.d -# echo '[Service]' | sudo tee raspbian_root/etc/systemd/system/redis-server.service.d/ncp.conf -# echo 'PrivateUsers=false' | sudo tee -a raspbian_root/etc/systemd/system/redis-server.service.d/ncp.conf +# echo '[Service]' | sudo tee raspbian_root/etc/systemd/system/redis-server.service.d/ncp-ci.conf +# echo 'PrivateUsers=false' | sudo tee -a raspbian_root/etc/systemd/system/redis-server.service.d/ncp-ci.conf # - name: Test and activate image # if: ${{ steps.download-previous-image.outputs.skipped == 'false' }} # id: test diff --git a/bin/ncp-dist-upgrade.d/debian-11.sh b/bin/ncp-dist-upgrade.d/debian-11.sh index 89513fd28..d91fd6949 100644 --- a/bin/ncp-dist-upgrade.d/debian-11.sh +++ b/bin/ncp-dist-upgrade.d/debian-11.sh @@ -66,8 +66,8 @@ sudo apt-get --purge autoremove -y apt-get install -y --no-install-recommends exfatprogs #mkdir -p /etc/systemd/system/php8.1-fpm.service.d -#echo '[Service]' > /etc/systemd/system/php8.1-fpm.service.d/ncp.conf -#echo 'ExecStartPre=mkdir -p /var/run/php' >> /etc/systemd/system/php8.1-fpm.service.d/ncp.conf +#echo '[Service]' > /etc/systemd/system/php8.1-fpm.service.d/ncp-ci.conf +#echo 'ExecStartPre=mkdir -p /var/run/php' >> /etc/systemd/system/php8.1-fpm.service.d/ncp-ci.conf #[[ "$INIT_SYSTEM" != "systemd" ]] || { systemctl daemon-reload && systemctl restart php8.1-fpm; } restore_maintenance_mode diff --git a/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh b/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh index c84c322a8..1a3c51479 100755 --- a/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh +++ b/bin/ncp-update-nc.d/upgrade-php-bookworm-8.3.sh 
@@ -57,10 +57,7 @@ install_template "php/opcache.ini.sh" "/etc/php/${PHPVER_NEW}/mods-available/opc a2enconf "php${PHPVER_NEW}-fpm" -[[ -f "/etc/systemd/system/php${PHPVER_OLD}-fpm.service.d/ncp.conf" ]] && { - mkdir -p "/etc/systemd/system/php${PHPVER_NEW}-fpm.service.d" - cp "/etc/systemd/system/php${PHPVER_OLD}-fpm.service.d/ncp.conf" "/etc/systemd/system/php${PHPVER_NEW}-fpm.service.d/ncp.conf" -} +install_template "systemd/php-fpm.service.d.ncp.conf.sh" "/etc/systemd/system/php${PHPVER_NEW}-fpm.service.d/ncp.conf" echo "Starting apache and php-fpm..." service "php${PHPVER_NEW}-fpm" start diff --git a/update.sh b/update.sh index 7b82273a1..ccf042543 100755 --- a/update.sh +++ b/update.sh @@ -172,11 +172,6 @@ if is_docker; then cp build/docker/{lamp/010lamp,nextcloud/020nextcloud,nextcloudpi/000ncp} /etc/services-enabled.d fi -# PHP-FPM systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full -# (introduced in php8.x Debian packages via systemd hardening) -install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ - "/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf" - # only live updates from here [[ -f /.ncp-image ]] && exit 0 diff --git a/updates/1.58.0.sh b/updates/1.58.0.sh new file mode 100644 index 000000000..1ab3f63aa --- /dev/null +++ b/updates/1.58.0.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +set -euo pipefail + +source /usr/local/etc/library.sh + +# PHP-FPM systemd drop-in: allow write access to NCP paths blocked by ProtectSystem=full +# (introduced in php8.x Debian packages via systemd hardening) +install_template "systemd/php-fpm.service.d.ncp.conf.sh" \ + "/etc/systemd/system/php${PHPVER}-fpm.service.d/ncp.conf" +systemctl daemon-reload From cbc34bbce8cf0a86981a4078d3716b186e4952fe Mon Sep 17 00:00:00 2001 
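Review bot: `systemctl daemon-reload` is the last line of the new `updates/1.58.0.sh`, which runs under `set -euo pipefail`, so on an install without a running systemd the call fails and the update script exits non-zero. `update.sh` has an `is_docker` branch, so such installs presumably exist, and the commented-out drop-in code in `debian-11.sh` guards the same call with `INIT_SYSTEM`. I would write `[[ "${INIT_SYSTEM:-}" != "systemd" ]] || systemctl daemon-reload`, assuming library.sh sets `INIT_SYSTEM`. A reload alone does not apply the drop-in to an already running php-fpm, so a comment such as `# drop-in takes effect on the next php-fpm restart` (or an explicit restart) would make the intent clear.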
From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 15:44:48 +0200 Subject: [PATCH 28/35] build-lxd.yml: Don't perform NC updates if installed NC version is newer than latest supported version --- .github/workflows/build-lxd.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-lxd.yml b/.github/workflows/build-lxd.yml index 92a280f2f..8bffa5863 100644 --- a/.github/workflows/build-lxd.yml +++ b/.github/workflows/build-lxd.yml @@ -321,7 +321,9 @@ jobs: sudo "$LXC" exec ncp -- bash -c "DBG=x ncp-update ${UPDATE_ARGS[*]}" sudo "$LXC" exec ncp -- /usr/local/bin/ncc status - if [[ "$current_nc_version" =~ "$latest_nc_version".* ]] + latest_build="${latest_nc_version#*.}" + latest_build="${latest_build#*.}" + if [[ "$current_nc_version" =~ "$latest_nc_version".* ]] || { [[ "^${latest_nc_version}" =~ "${current_nc_version%.*}".* ]] && [[ "${current_nc_version##*.}" -lt "${latest_build}" ]]; } then echo "Nextcloud is up to date - skipping NC update test." else From dce1a9407f31aa128f4734d97f9331192b1789f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 15:46:32 +0200 Subject: [PATCH 29/35] nc-datadir.sh: Remove IDE artifact --- bin/ncp/CONFIG/nc-datadir.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/bin/ncp/CONFIG/nc-datadir.sh b/bin/ncp/CONFIG/nc-datadir.sh index 89da86812..4a2ae35a8 100644 --- a/bin/ncp/CONFIG/nc-datadir.sh +++ b/bin/ncp/CONFIG/nc-datadir.sh @@ -115,7 +115,6 @@ configure() # first set in config the new value, because occ checks if the current datadir exists ncc config:system:set datadirectory --value="${DATADIR}" \ || sed -i "s|'datadirectory' =>.*|'datadirectory' => '${DATADIR}',|" "${NCDIR?}"/config/config.php - Could not apply suggestion. # use encryption, if selected if is_active_app nc-encrypt; then 
From ef1bdd4ecf528310aa365fce555a2031d79680c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 17:12:45 +0200 Subject: [PATCH 30/35] build-lxd.yml: Fix NC version comparison --- .github/workflows/build-lxd.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-lxd.yml b/.github/workflows/build-lxd.yml index 8bffa5863..e1d47d99f 100644 --- a/.github/workflows/build-lxd.yml +++ b/.github/workflows/build-lxd.yml @@ -323,7 +323,15 @@ jobs: latest_build="${latest_nc_version#*.}" latest_build="${latest_build#*.}" - if [[ "$current_nc_version" =~ "$latest_nc_version".* ]] || { [[ "^${latest_nc_version}" =~ "${current_nc_version%.*}".* ]] && [[ "${current_nc_version##*.}" -lt "${latest_build}" ]]; } + + if [[ "$current_nc_version" =~ ^[0-9]*\\.[0-9]*\\.[0-9]*\\.[0-9]*$ ]] + then + current_nc_version="${current_nc_version%.*}" + fi + current_build="${current_nc_version#*.}" + current_build="${current_build#*.}" + + if [[ "${current_nc_version%.*}" == "${latest_nc_version%.*}" ]] && [[ "${current_build}" -ge "${latest_build}" ]] then echo "Nextcloud is up to date - skipping NC update test." else From 26dc04ce68697f6a7112b22cc503c075f68c4937 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 17:17:17 +0200 Subject: [PATCH 31/35] build-lxd.yml: Fix nc-update test --- .github/workflows/build-lxd.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-lxd.yml b/.github/workflows/build-lxd.yml index e1d47d99f..d3b471f35 100644 --- a/.github/workflows/build-lxd.yml +++ b/.github/workflows/build-lxd.yml 
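Review bot: The new skip condition recognises a newer installed version only when its major and minor equal those of `latest_nc_version`, because it compares `${current_nc_version%.*}` for equality before looking at the build number. If the image already carries a higher major or minor, the `else` branch runs `ncp-update-nc` towards the older `latest_nc_version`, which is the case PATCH 28 set out to avoid. A full version comparison covers both cases: `newest="$(printf '%s\n' "$current_nc_version" "$latest_nc_version" | sort -V | tail -n1)"` followed by `if [[ "$newest" == "$current_nc_version" ]]`. The same condition is added again in PATCH 31 at `@@ -638,7 +638,17 @@`.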
@@ -275,7 +275,7 @@ jobs: tail -n 20 geckodriver.log >&2 || true echo "================" echo "ncp.log: " - sudo "$LXC" exec ncp -- bash -c "tail -n20 /var/log/ncp.log" || true + sudo "$LXC" exec ncp -- bash -c "tail -n100 /var/log/ncp.log" || true echo "================" echo "nextcloud log: " datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" @@ -295,7 +295,7 @@ jobs: sudo "$LXC" exec ncp -- cat "$datadir/nextcloud.log" || true exit 1 } - USE_INCUS="$USE_INCUS" python system_tests.py --non-interactive --skip-update-test || { + USE_INCUS="$USE_INCUS" ../.venv/bin/python system_tests.py --non-interactive --skip-update-test || { echo "System test failed!" exit 1 } @@ -324,7 +324,7 @@ jobs: latest_build="${latest_nc_version#*.}" latest_build="${latest_build#*.}" - if [[ "$current_nc_version" =~ ^[0-9]*\\.[0-9]*\\.[0-9]*\\.[0-9]*$ ]] + if [[ "$current_nc_version" =~ ^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$ ]] then current_nc_version="${current_nc_version%.*}" fi @@ -638,7 +638,17 @@ jobs: sudo "$LXC" exec ncp -- bash -c "DEBIAN_FRONTEND=noninteractive ncp-dist-upgrade" sudo "$LXC" exec ncp -- /usr/local/bin/ncc status - if [[ "$current_nc_version" =~ "$latest_nc_version".* ]] + latest_build="${latest_nc_version#*.}" + latest_build="${latest_build#*.}" + + if [[ "$current_nc_version" =~ ^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$ ]] + then + current_nc_version="${current_nc_version%.*}" + fi + current_build="${current_nc_version#*.}" + current_build="${current_build#*.}" + + if [[ "${current_nc_version%.*}" == "${latest_nc_version%.*}" ]] && [[ "${current_build}" -ge "${latest_build}" ]] then echo "Nextcloud is up to date - skipping NC update test." else From 0fc5c108a1e3626c3c84c295ad0cca17ba949217 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 19:27:29 +0200 Subject: [PATCH 32/35] debian-12.sh: Make sure, PHP8.3 repo is properly setup --- bin/ncp-dist-upgrade.d/debian-12.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bin/ncp-dist-upgrade.d/debian-12.sh b/bin/ncp-dist-upgrade.d/debian-12.sh index d4c1a7275..09953fa75 100644 --- a/bin/ncp-dist-upgrade.d/debian-12.sh +++ b/bin/ncp-dist-upgrade.d/debian-12.sh @@ -36,6 +36,12 @@ is_more_recent_than "${PHPVER}.0" "8.2.0" || { save_maintenance_mode # Perform dist-upgrade +set -x + +# Make sure, PHP repo is properly setup +curl -sSLo /tmp/debsuryorg-archive-keyring.deb https://packages.sury.org/debsuryorg-archive-keyring.deb +dpkg -i /tmp/debsuryorg-archive-keyring.deb +echo "deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list apt-get update apt-get upgrade -y From edbefe6df48afe6680230a3a8b5fb4c4f97b1c50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 19:30:16 +0200 Subject: [PATCH 33/35] Add debug output --- .github/workflows/build-lxd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-lxd.yml b/.github/workflows/build-lxd.yml index d3b471f35..e287d0c8e 100644 --- a/.github/workflows/build-lxd.yml +++ b/.github/workflows/build-lxd.yml @@ -275,7 +275,7 @@ jobs: tail -n 20 geckodriver.log >&2 || true echo "================" echo "ncp.log: " - sudo "$LXC" exec ncp -- bash -c "tail -n100 /var/log/ncp.log" || true + sudo "$LXC" exec ncp -- bash -c "tail -n500 /var/log/ncp.log" || true echo "================" echo "nextcloud log: " datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)" From 6fa3d4025fdaa7ae758aceda61d444742d43e738 Mon Sep 17 00:00:00 2001 
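Review bot: The keyring package in the `debian-12.sh` hunk is downloaded to the fixed path `/tmp/debsuryorg-archive-keyring.deb` and then installed as root with `dpkg -i`, with nothing checked beyond the TLS connection. A fixed name in a world-writable directory can be pre-created by another local user, and `curl -sSL` without `-f` saves an HTTP error body as if it were the package. I would use a private directory: `tmpdir="$(mktemp -d)"`, `curl -fsSLo "$tmpdir/keyring.deb" https://packages.sury.org/debsuryorg-archive-keyring.deb`, `dpkg -i "$tmpdir/keyring.deb"`, and remove `$tmpdir` afterwards. If the project can pin a known SHA-256 for the package, comparing it before `dpkg -i` would remove the reliance on the transport alone.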
From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 19:47:46 +0200 Subject: [PATCH 34/35] bin/ncp-dist-upgrade*: Move prompt to launch script (so it happens outside of tmux). --- bin/ncp-dist-upgrade | 23 +++++++++++++++++++++++ bin/ncp-dist-upgrade.d/debian-10.sh | 20 -------------------- bin/ncp-dist-upgrade.d/debian-11.sh | 23 ----------------------- bin/ncp-dist-upgrade.d/debian-12.sh | 23 ----------------------- 4 files changed, 23 insertions(+), 66 deletions(-) diff --git a/bin/ncp-dist-upgrade b/bin/ncp-dist-upgrade index 31a3cecd7..6cfb0038d 100755 --- a/bin/ncp-dist-upgrade +++ b/bin/ncp-dist-upgrade @@ -9,6 +9,29 @@ set -e . /etc/os-release +new_cfg=/usr/local/etc/ncp-recommended.cfg +[[ -f "${new_cfg}" ]] || { echo "Already on the latest recommended distribution. Abort." >&2; exit 1; } + +echo " +>>> ATTENTION <<< +This is a dangerous process that is only guaranteed to work properly if you +have not made manual changes in the system. Backup the SD card first and +proceed at your own risk. + +Note that this is not a requirement for NCP to continue working properly. +The current distribution will keep receiving updates for some time. + +Do you want to continue? [y/N]" + +if [[ "${DEBIAN_FRONTEND:-}" == "noninteractive" ]] || ! [[ -t 0 ]] +then + echo "Noninteractive environment detected. Automatically proceeding in 30 seconds..." + sleep 30 +else + read -n1 -r key + [[ "${key,,}" == y ]] || exit 0 +fi + if [[ "$VERSION_ID" -eq 10 ]] then UPGRADE_CMD=(bash /usr/local/bin/ncp-dist-upgrade.d/debian-10.sh) diff --git a/bin/ncp-dist-upgrade.d/debian-10.sh b/bin/ncp-dist-upgrade.d/debian-10.sh index d63dee59f..d46dfc734 100644 --- a/bin/ncp-dist-upgrade.d/debian-10.sh +++ b/bin/ncp-dist-upgrade.d/debian-10.sh 
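Review bot: The prompt block moved into `bin/ncp-dist-upgrade` does not carry over two definitions that the `debian-10.sh` hunk deletes together with it: `APTINSTALL="apt-get install -y --no-install-recommends"` and `export DEBIAN_FRONTEND=noninteractive`. The rest of `debian-10.sh` is outside the hunk, but if it still uses `$APTINSTALL` or `${new_cfg}`, `set -eu` will abort it on the unset variable, and apt may prompt without the exported frontend. I would keep those assignments in `debian-10.sh`, the way the `debian-11.sh` and `debian-12.sh` hunks keep their `export DEBIAN_FRONTEND=noninteractive` line. The per-release scripts also no longer check for `ncp-recommended.cfg` or ask for confirmation, so a header comment such as `# Run via ncp-dist-upgrade only; the confirmation prompt lives there` would help.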
@@ -4,26 +4,6 @@ set -eu -o pipefail [[ -f /.dockerenv ]] && { echo "Not supported in Docker. Upgrade the container instead"; exit 0; } -new_cfg=/usr/local/etc/ncp-recommended.cfg -[[ -f "${new_cfg}" ]] || { echo "Already on the lastest recommended distribution. Abort." >&2; exit 1; } - -APTINSTALL="apt-get install -y --no-install-recommends" -export DEBIAN_FRONTEND=noninteractive - -echo " ->>> ATTENTION <<< -This is a dangerous process that is only guaranteed to work properly if you -have not made manual changes in the system. Backup the SD card first and -proceed at your own risk. - -Note that this is not a requirement for NCP to continue working properly. -The current distribution will keep receiving updates for some time. - -Do you want to continue? [y/N]" - -read key -[[ "$key" == y ]] || exit 0 - source /usr/local/etc/library.sh # sets NCPCFG RELEASE PHPVER old_cfg="${NCPCFG}" diff --git a/bin/ncp-dist-upgrade.d/debian-11.sh b/bin/ncp-dist-upgrade.d/debian-11.sh index e4218806a..cb43cfb2f 100644 --- a/bin/ncp-dist-upgrade.d/debian-11.sh +++ b/bin/ncp-dist-upgrade.d/debian-11.sh @@ -2,29 +2,6 @@ set -eu -o pipefail -new_cfg=/usr/local/etc/ncp-recommended.cfg -[[ -f "${new_cfg}" ]] || { echo "Already on the lastest recommended distribution. Abort." >&2; exit 1; } - -echo " ->>> ATTENTION <<< -This is a dangerous process that is only guaranteed to work properly if you -have not made manual changes in the system. Backup the SD card first and -proceed at your own risk. - -Note that this is not a requirement for NCP to continue working properly. -The current distribution will keep receiving updates for some time. - -Do you want to continue? [y/N]" - -if [[ "${DEBIAN_FRONTEND:-}" == "noninteractive" ]] || ! [[ -t 0 ]] -then - echo "Noninteractive environment detected. Automatically proceeding in 30 seconds..." - sleep 30 -else - read -n1 -r key - [[ "${key,,}" == y ]] || exit 0 -fi - export DEBIAN_FRONTEND=noninteractive source /usr/local/etc/library.sh 
diff --git a/bin/ncp-dist-upgrade.d/debian-12.sh b/bin/ncp-dist-upgrade.d/debian-12.sh index 09953fa75..142674b24 100644 --- a/bin/ncp-dist-upgrade.d/debian-12.sh +++ b/bin/ncp-dist-upgrade.d/debian-12.sh @@ -2,29 +2,6 @@ set -eu -o pipefail -new_cfg=/usr/local/etc/ncp-recommended.cfg -[[ -f "${new_cfg}" ]] || { echo "Already on the latest recommended distribution. Abort." >&2; exit 1; } - -echo " ->>> ATTENTION <<< -This is a dangerous process that is only guaranteed to work properly if you -have not made manual changes in the system. Backup the SD card first and -proceed at your own risk. - -Note that this is not a requirement for NCP to continue working properly. -The current distribution will keep receiving updates for some time. - -Do you want to continue? [y/N]" - -if [[ "${DEBIAN_FRONTEND:-}" == "noninteractive" ]] || ! [[ -t 0 ]] -then - echo "Noninteractive environment detected. Automatically proceeding in 30 seconds..." - sleep 30 -else - read -n1 -r key - [[ "${key,,}" == y ]] || exit 0 -fi - export DEBIAN_FRONTEND=noninteractive source /usr/local/etc/library.sh From 9b291115f1d554b1796de4b9932fdfabc334b476 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Kn=C3=B6ppler?= <6317548+theCalcaholic@users.noreply.github.com> Date: Sun, 7 Jun 2026 19:49:15 +0200 Subject: [PATCH 35/35] Add debug output --- .github/workflows/build-lxd.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-lxd.yml b/.github/workflows/build-lxd.yml index e287d0c8e..77e3235be 100644 --- a/.github/workflows/build-lxd.yml +++ b/.github/workflows/build-lxd.yml @@ -159,6 +159,7 @@ jobs: env: USE_INCUS: "${{ needs.determine-runner.outputs.lxc_cmd == 'incus' && 'yes' || 'no' }}" run: | + set -x export CI LXD_EXTRA_PROFILE="$LXD_EXTRA_PROFILE" BRANCH="${VERSION##refs/heads/}" ./build/build-LXD.sh - name: Pack LXD image 
@@ -269,13 +270,13 @@ jobs: export FF_BINARY_PATH="$(which firefox)" sudo "$LXC" exec ncp -- /usr/local/bin/ncc config:system:set overwrite.cli.url --value "https://nextcloudpi.local" sudo "$LXC" exec ncp -- bash -c 'tail -f /var/log/ncp.log' |& awk '{ print "NCP::" $0 }' & - ../.venv/bin/python activation_tests.py --no-gui "nextcloudpi.local" 443 4443 || { + ../.venv/bin/python activation_tests.py -t 300 --no-gui "nextcloudpi.local" 443 4443 || { echo "Activation test failed!" echo "Geckodriver logs:" tail -n 20 geckodriver.log >&2 || true echo "================" echo "ncp.log: " - sudo "$LXC" exec ncp -- bash -c "tail -n500 /var/log/ncp.log" || true + sudo "$LXC" exec ncp -- bash -c "cat /var/log/ncp.log" || true echo "================" echo "nextcloud log: " datadir="$(sudo "$LXC" exec ncp -- ncc config:system:get datadirectory)"