Allow to run the containers without access to the docker socket #557
I am open to accepting PRs that allow running the project without access to the docker socket by auto-converting our containers definition into a working docker-compose file. It will not be as convenient to use and you will lose some functionality but you will gain the security improvement. So if you want to contribute something useful to this project, this is a possibility to do so. |
Here's a start to this:

```yaml
services:
  nextcloud-aio-apache:
    build: apache
    container_name: nextcloud-aio-apache
    restart: unless-stopped
    ports:
      - "${APACHE_PORT:-11000}"
    environment:
      - NC_DOMAIN=%NC_DOMAIN%
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_HOST=nextcloud-aio-talk
      - APACHE_PORT=${APACHE_PORT:-11000}
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:ro
      - nextcloud_aio_apache:/mnt/data
    depends_on:
      - nextcloud-aio-onlyoffice
      - nextcloud-aio-collabora
      - nextcloud-aio-clamav
      - nextcloud-aio-talk
      - nextcloud-aio-nextcloud
  nextcloud-aio-database:
    build: postgresql
    container_name: nextcloud-aio-database
    # Not Compose service keys; commented out so the file validates:
    # displayName: Database
    # container_name_old: nextcloud-aio-postgresql
    ports:
      - '5432'
    secrets:
      - DATABASE_PASSWORD
    volumes:
      - nextcloud_aio_database:/var/lib/postgresql/data
      - nextcloud_aio_database_dump:/mnt/data
    environment:
      - POSTGRES_PASSWORD=%DATABASE_PASSWORD%
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
  nextcloud-aio-nextcloud:
    build: nextcloud
    container_name: nextcloud-aio-nextcloud
    restart: unless-stopped
    ports:
      - '9000:9000'
    secrets:
      - DATABASE_PASSWORD
      - REDIS_PASSWORD
      - NEXTCLOUD_PASSWORD
      - TURN_SECRET
      - SIGNALING_SECRET
    environment:
      - POSTGRES_HOST=nextcloud-aio-database
      - POSTGRES_PASSWORD=%DATABASE_PASSWORD%
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
      - REDIS_HOST=nextcloud-aio-redis
      - REDIS_HOST_PASSWORD=%REDIS_PASSWORD%
      - AIO_TOKEN=%AIO_TOKEN%
      - NC_DOMAIN=%NC_DOMAIN%
      - ADMIN_USER=admin
      - ADMIN_PASSWORD=%NEXTCLOUD_PASSWORD%
      - NEXTCLOUD_DATA_DIR=/mnt/ncdata
      - OVERWRITEHOST=%NC_DOMAIN%
      - OVERWRITEPROTOCOL=https
      - TURN_SECRET=%TURN_SECRET%
      - SIGNALING_SECRET=%SIGNALING_SECRET%
      - AIO_URL=%AIO_URL%
      - NEXTCLOUD_MOUNT=%NEXTCLOUD_MOUNT%
      - CLAMAV_ENABLED=%CLAMAV_ENABLED%
      - CLAMAV_HOST=nextcloud-aio-clamav
      - ONLYOFFICE_ENABLED=%ONLYOFFICE_ENABLED%
      - COLLABORA_ENABLED=%COLLABORA_ENABLED%
      - COLLABORA_HOST=nextcloud-aio-collabora
      - TALK_ENABLED=%TALK_ENABLED%
      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
      - DAILY_BACKUP_RUNNING=%DAILY_BACKUP_RUNNING%
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html
      # The whole host:container pair is quoted; a bare % cannot start a YAML scalar.
      - "%NEXTCLOUD_DATADIR%:/mnt/ncdata"
      - "%NEXTCLOUD_MOUNT%:%NEXTCLOUD_MOUNT%"
    depends_on:
      - nextcloud-aio-database
      - nextcloud-aio-redis
  nextcloud-aio-redis:
    build: redis
    container_name: nextcloud-aio-redis
    restart: unless-stopped
    ports:
      - '6379'
    environment:
      - REDIS_HOST_PASSWORD=%REDIS_PASSWORD%
    secrets:
      - REDIS_PASSWORD
  nextcloud-aio-collabora:
    container_name: nextcloud-aio-collabora
    ports:
      - '9980'
    environment:
      - aliasgroup1=https://%NC_DOMAIN%:443
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning
    restart: unless-stopped
  nextcloud-aio-talk:
    build: talk
    container_name: nextcloud-aio-talk
    restart: unless-stopped
    ports:
      - "3478:3478/tcp"
      - "3478:3478/udp"
    environment:
      - NC_DOMAIN=%NC_DOMAIN%
      - TURN_SECRET=%TURN_SECRET%
      - SIGNALING_SECRET=%SIGNALING_SECRET%
      - JANUS_API_KEY=%JANUS_API_KEY%
    secrets:
      - TURN_SECRET
      - SIGNALING_SECRET
      - JANUS_API_KEY
  nextcloud-aio-borgbackup:
    container_name: nextcloud-aio-borgbackup
    environment:
      - BORG_PASSWORD=%BORGBACKUP_PASSWORD%
      - BORG_MODE=%BORGBACKUP_MODE%
      - SELECTED_RESTORE_TIME=%SELECTED_RESTORE_TIME%
      - BACKUP_RESTORE_PASSWORD=%BACKUP_RESTORE_PASSWORD%
    volumes:
      - nextcloud_aio_backup_cache:/root
      - nextcloud_aio_nextcloud:/nextcloud_aio_volumes/nextcloud_aio_nextcloud
      - "%NEXTCLOUD_DATADIR%:/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data"
      - nextcloud_aio_database:/nextcloud_aio_volumes/nextcloud_aio_database
      - nextcloud_aio_database_dump:/nextcloud_aio_volumes/nextcloud_aio_database_dump
      - nextcloud_aio_apache:/nextcloud_aio_volumes/nextcloud_aio_apache
      - nextcloud_aio_mastercontainer:/nextcloud_aio_volumes/nextcloud_aio_mastercontainer
      - "%BORGBACKUP_HOST_LOCATION%:/mnt/borgbackup"
    secrets:
      - BORGBACKUP_PASSWORD
  nextcloud-aio-watchtower:
    container_name: nextcloud-aio-watchtower
    environment:
      - CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  nextcloud-aio-clamav:
    container_name: nextcloud-aio-clamav
    ports:
      - '3310'
    volumes:
      - nextcloud_aio_clamav:/var/lib/clamav
  nextcloud-aio-onlyoffice:
    container_name: nextcloud-aio-onlyoffice
    restart: unless-stopped
    ports:
      - '80'
    volumes:
      - nextcloud_aio_onlyoffice:/var/lib/onlyoffice
```

Hope it helps |
@acetousk Thanks! Can you provide the commands that you used to get to this output or did you convert everything by hand without using any command line tool? |
(I am only interested in the convert logic using cli tools.) The docker compose file can then be auto-generated... |
I just did it by hand. It would take some work to get it automated; lots of weird edge cases. |
Okay, I fear doing this automatically is the only way to make it maintainable for me so for anyone that wants to tackle this: please look into writing this convert logic... |
I guess using jq for this will probably be easier as the documentation is better.

results in

```yaml
nextcloud-aio-apache:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-database:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-nextcloud:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-redis:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-collabora:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-talk:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-borgbackup:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-watchtower:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-domaincheck:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-clamav:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
nextcloud-aio-onlyoffice:
  dependsOn: []
  identifier: nextcloud-aio-onlyoffice
  displayName: OnlyOffice
  containerName: nextcloud/aio-onlyoffice
  ports: []
  internalPorts:
    - "80"
  environmentVariables: []
  volumes:
    - name: nextcloud_aio_onlyoffice
      location: /var/lib/onlyoffice
      writeable: true
  secrets: []
  maxShutdownTime: 10
  restartPolicy: unless-stopped
```

|
Change in plan:
|
I started working on this. You can see my progress here: #599 |
The basic idea is to indeed auto-generate the yaml files from the json. I am also already very close to success. |
I am pretty finished with this feature now. Feedback is welcome! |
See #557 (comment)
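
The JSON-to-compose conversion discussed in this thread, as an added example that is not code from the project or from #599: it maps the definition fields shown above to Compose keys, skips any service that mounts the Docker socket, and lists the `%…%` placeholders still to be filled in. Assumptions: Python is used in place of jq, the input is a list of container objects, environment entries are `KEY=value` strings, and the sample values (including image names other than `nextcloud/aio-onlyoffice`) are constructed.

```python
import json
import re

PLACEHOLDER = re.compile(r"%([A-Z_]+)%")

# Constructed sample in the thread's field layout; values are illustrative.
SAMPLE = [
    {"identifier": "nextcloud-aio-onlyoffice", "containerName": "nextcloud/aio-onlyoffice",
     "dependsOn": [], "ports": [], "internalPorts": ["80"], "environmentVariables": [],
     "volumes": [{"name": "nextcloud_aio_onlyoffice", "location": "/var/lib/onlyoffice",
                  "writeable": True}], "maxShutdownTime": 10, "restartPolicy": "unless-stopped"},
    {"identifier": "nextcloud-aio-apache", "containerName": "nextcloud/aio-apache",
     "dependsOn": ["nextcloud-aio-onlyoffice", "nextcloud-aio-watchtower"], "ports": ["11000"],
     "internalPorts": [], "environmentVariables": ["NC_DOMAIN=%NC_DOMAIN%"],
     "volumes": [{"name": "nextcloud_aio_nextcloud", "location": "/var/www/html",
                  "writeable": False}], "maxShutdownTime": 10, "restartPolicy": "unless-stopped"},
    {"identifier": "nextcloud-aio-watchtower", "containerName": "nextcloud/aio-watchtower",
     "dependsOn": [], "ports": [], "internalPorts": [], "environmentVariables": [],
     "volumes": [{"name": "/var/run/docker.sock", "location": "/var/run/docker.sock",
                  "writeable": False}], "maxShutdownTime": 10, "restartPolicy": ""},
]

def to_compose(containers):
    """Return (compose dict, skipped services, placeholders still to fill in)."""
    services, named, skipped = {}, {}, []
    for c in containers:
        vols = c.get("volumes", [])
        # A service that needs the Docker socket has no place in a socket-less setup.
        if any("docker.sock" in v["name"] for v in vols):
            skipped.append(c["identifier"])
            continue
        mounts = [f'{v["name"]}:{v["location"]}' + ("" if v["writeable"] else ":ro") for v in vols]
        svc = {"image": c["containerName"], "container_name": c["identifier"],
               "stop_grace_period": f'{c.get("maxShutdownTime", 10)}s'}
        mapping = {"restart": c.get("restartPolicy"), "ports": c.get("ports"),
                   "expose": c.get("internalPorts"), "depends_on": c.get("dependsOn"),
                   "environment": c.get("environmentVariables"), "volumes": mounts}
        svc.update({k: v for k, v in mapping.items() if v})  # omit empty fields
        # Names that are neither host paths nor placeholders become named volumes.
        named.update({v["name"]: {} for v in vols if v["name"][0] not in "/%"})
        services[c["identifier"]] = svc
    for svc in services.values():  # drop dependencies on services that were skipped
        if "depends_on" in svc:
            svc["depends_on"] = [d for d in svc["depends_on"] if d in services]
    compose = {"services": services, "volumes": named}
    todo = sorted(set(PLACEHOLDER.findall(json.dumps(compose))))
    return compose, skipped, todo

if __name__ == "__main__":
    print(json.dumps(to_compose(SAMPLE), indent=2))  # JSON is also valid YAML
```

The skipped list makes the lost functionality explicit: in the sample, the watchtower service is dropped because its only job depends on the socket mount.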