From 1087c5c5131afea6ce902e19cfe210bddbe17adb Mon Sep 17 00:00:00 2001 From: Evilham Date: Wed, 11 Jan 2023 18:19:09 +0100 Subject: [PATCH] [NC] Rework image to self-configure as opposed to using dd-ctl By managing volumes in a better fashion and using code that is closer to being idempotent, while being declarative, we achieve an image that is closer to the original one, but gets the plugins that we want and the configuration that we want for integration with DD. Closes #9. This image now allows for BBB_HOST and BBB_API_SECRET as variables in dd.conf, which also configure the corresponding plugin on Nextcloud. This is a necessary update-step towards NC25, and temporarily disables the forms plugin. --- dd-apps/docker/nextcloud/Dockerfile | 39 +++- dd-apps/docker/nextcloud/dd-patch | 1 + dd-apps/docker/nextcloud/nc-setup.sh | 268 ++++++++++++++++++++++ dd-apps/docker/nextcloud/nextcloud.yml | 19 +- dd-apps/docker/nextcloud/supervisord.conf | 14 ++ dd-ctl | 214 ----------------- dd.conf.sample | 11 + 7 files changed, 344 insertions(+), 222 deletions(-) create mode 100755 dd-apps/docker/nextcloud/nc-setup.sh diff --git a/dd-apps/docker/nextcloud/Dockerfile b/dd-apps/docker/nextcloud/Dockerfile index acdd39b..dfdea19 100644 --- a/dd-apps/docker/nextcloud/Dockerfile +++ b/dd-apps/docker/nextcloud/Dockerfile @@ -1,5 +1,6 @@ # # Copyright © 2021,2022 IsardVDI S.L. +# Copyright © 2023 Evilham # # This file is part of DD # @@ -28,7 +29,17 @@ RUN set -ex; \ procps \ samba-client \ supervisor \ -# libreoffice \ + ; + +# These are documented DD dependencies for nc-setup.sh +# jq: to patch mimetypemapping +# npm + composer: due to oddities installing forms plugin +RUN set -ex; \ + \ + apk add --no-cache \ + jq \ + npm \ + composer \ ; RUN set -ex; \ 
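Review bot: `npm` and `composer` are added to the runtime image in the new `apk add` layer, but the only consumer named in the comment, the forms plugin install, is commented out in nc-setup.sh by this same commit. Two package managers in a web-facing container add to its attack surface and update burden for no current benefit. I would keep only `jq` (`apk add --no-cache jq`) until the forms block is re-enabled. If they have to stay, a comment such as `# npm/composer: unused while forms is disabled; remove or move to a build stage` would record the intent.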
@@ -59,6 +70,26 @@ RUN set -ex; \ apk add --virtual .nextcloud-phpext-rundeps $runDeps; \ apk del .build-deps +# Temporary replacement for a real queue +RUN echo '*/1 * * * * /nc-queue.sh' >> /etc/crontabs/www-data +COPY nc-queue.sh / +COPY nc-mail-update.sh / +# DD plugins and other setup +COPY nc-setup.sh / +# SAML setup script +COPY saml.sh / +# Submission template +COPY template.docx / + +## Save current forms plugin hash +#RUN sh -c 'curl -sL https://api.github.com/repos/3iPunt/nextcloud_forms/commits/STABLE_25 | jq -r .sha > /forms.hash' +## And current forms code +#RUN sh -c 'curl -sL "https://github.com/3iPunt/nextcloud_forms/archive/$(cat /forms.hash).zip" > /forms.zip' +# Mail app patches. To remove in NC 25 +COPY nc_mail/ /nc_mail/ + +# Setup cron as documented in: +# https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/cron/fpm-alpine/Dockerfile RUN mkdir -p \ /var/log/supervisord \ /var/run/supervisord \ @@ -66,12 +97,6 @@ RUN mkdir -p \ COPY supervisord.conf / -# Temporary replacement for a real queue -RUN echo '*/1 * * * * /nc-queue.sh' >> /etc/crontabs/www-data -COPY nc-queue.sh / -COPY nc-mail-update.sh / -COPY saml.sh / - ENV NEXTCLOUD_UPDATE=1 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"] diff --git a/dd-apps/docker/nextcloud/dd-patch b/dd-apps/docker/nextcloud/dd-patch index 5da1ffe..72f2848 100644 --- a/dd-apps/docker/nextcloud/dd-patch +++ b/dd-apps/docker/nextcloud/dd-patch 
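Review bot: The commented-out forms fetch records `/forms.hash` from whatever the `STABLE_25` branch points at when the image is built, so the hash works as a cache key and not as an integrity pin. When this block is re-enabled, the reviewed commit id should be fixed in the Dockerfile instead, for example `ARG FORMS_COMMIT=<reviewed-commit-sha>` with the archive URL built from it. `curl` should also get `-f` so that an HTTP error page is not saved as `/forms.zip`. A short comment above the block saying that it is disabled together with the forms section of nc-setup.sh would help the next reader.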
@@ -5,3 +5,4 @@ supervisord.conf AGPL-3.0-or-later https://github.com/nextcloud/ https://raw.git nc_mail/appinfo/info.xml AGPL-3.0-or-later https://github.com/nextcloud/ https://raw.githubusercontent.com/nextcloud/mail/v1.15.2/appinfo/info.xml nc_mail/lib/Command/UpdateAccount.php AGPL-3.0-or-later https://github.com/nextcloud/ https://raw.githubusercontent.com/nextcloud/mail/1e777a1783254bd4b7f69f39a6c5123323f8b701/lib/Command/UpdateAccount.php nc_mail/lib/Db/MailAccountMapper.php AGPL-3.0-or-later https://github.com/nextcloud/ https://raw.githubusercontent.com/nextcloud/mail/1e777a1783254bd4b7f69f39a6c5123323f8b701/lib/Db/MailAccountMapper.php +src/themes/dd/core/templates/layout.user.php AGPL-3.0-or-later https://github.com/nextcloud/ https://raw.githubusercontent.com/nextcloud/server/v21.0.9/core/templates/layout.user.php diff --git a/dd-apps/docker/nextcloud/nc-setup.sh b/dd-apps/docker/nextcloud/nc-setup.sh new file mode 100755 index 0000000..fa5c00c --- /dev/null +++ b/dd-apps/docker/nextcloud/nc-setup.sh 
@@ -0,0 +1,268 @@ +#!/bin/sh -eu + +# +# This runs as www-data +# + +occupgrade() { + # Maintenance mode must be off + ./occ maintenance:mode --off + # Sometimes this has to happen twice + ./occ upgrade + ./occ upgrade +} + +plugin_status() { + plugin="$1" + plugins_state="$(./occ app:list --output=json_pretty)" + version="$(echo "${plugins_state}" | jq -r ".enabled.${plugin}")" + if [ "${version}" != "null" ]; then + printf "%s\t%s" "enabled" "${version}" + else + version="$(echo "${plugins_state}" | jq -r ".disabled.${plugin}")" + if [ "${version}" != "null" ]; then + printf "%s\t%s" "disabled" "${version}" + else + printf "%s\t%s" "n/a" "n/a" + fi + fi +} + + +cat < Setting up static DD config" +STATIC_CFG=/var/www/html/config/zzz_dd.config.php +cat > "${STATIC_CFG}" < 'ca', + 'skeletondirectory' => '', + 'theme' => 'dd', + 'allow_local_remote_servers' => true, +); +EOF + +occupgrade + +# These cannot be edited from outside of the DD project +# Operators should instead rely on the environment variables to ease deployment +# EXTRA_PLUGINS_ENABLE and EXTRA_PLUGINS_DISABLE +CORE_PLUGINS_ENABLE="user_saml,bruteforcesettings,polls,calendar,spreed,bbb,mail,ownpad,onlyoffice" +CORE_PLUGINS_DISABLE="firstrunwizard,recommendations,dashboard,circles,forms" + +if [ "${DISABLE_CLAMAV:-true}" = "false" ]; then + CORE_PLUGINS_ENABLE="${CORE_PLUGINS_ENABLE},files_antivirus" + USING_CLAMAV="YES" +else + CORE_PLUGINS_DISABLE="${CORE_PLUGINS_DISABLE},files_antivirus" +fi + +# Take care of installing core plugins and extra requested plugins +PLUGINS="${CORE_PLUGINS_ENABLE},${CORE_PLUGINS_DISABLE},${EXTRA_PLUGINS_ENABLE:-},${EXTRA_PLUGINS_DISABLE:-}" + +# Install all plugins +# shellcheck disable=SC2086 # We do want multiple arguments +for plugin in $(echo "${PLUGINS}" | tr ',' '\n'); do + if plugin_status "${plugin}" | grep -q "n/a"; then + echo "--> Installing ${plugin}" + ./occ --no-warnings app:install "${plugin}" + fi +done + +# Enable core plugins +# shellcheck disable=SC2086 
# We do want multiple arguments +for plugin in $(echo "${CORE_PLUGINS_ENABLE}" | tr ',' '\n'); do + if plugin_status "${plugin}" | grep -qE "^disabled"; then + echo "--> Enabling core ${plugin}" + ./occ --no-warnings app:enable "${plugin}" + fi +done + +# Disable core plugins +# shellcheck disable=SC2086 # We do want multiple arguments +for plugin in $(echo "${CORE_PLUGINS_DISABLE}" | tr ',' '\n'); do + if plugin_status "${plugin}" | grep -qE "^enabled"; then + echo "--> Disabling core ${plugin}" + ./occ --no-warnings app:disable "${plugin}" + fi +done + + +# Enable extra plugins +# shellcheck disable=SC2086 # We do want multiple arguments +for plugin in $(echo "${EXTRA_PLUGINS_ENABLE:-}" | tr ',' '\n'); do + if plugin_status "${plugin}" | grep -qE "^disabled"; then + echo "--> Enabling extra ${plugin}" + ./occ --no-warnings app:enable "${plugin}" + fi +done + +# Disable extra plugins +# shellcheck disable=SC2086 # We do want multiple arguments +for plugin in $(echo "${EXTRA_PLUGINS_DISABLE:-}" | tr ',' '\n'); do + if plugin_status "${plugin}" | grep -qE "^enabled"; then + echo "--> Disabling extra ${plugin}" + ./occ --no-warnings app:disable "${plugin}" + fi +done + +occupgrade + +# Temporary patch while upstream lands our changes +# See: https://github.com/nextcloud/mail/pull/6908 +for f in appinfo/info.xml lib/Command/UpdateAccount.php lib/Db/MailAccountMapper.php; do + install -m 0644 -o www-data -g www-data "/nc_mail/$f" "/var/www/html/custom_apps/mail/$f" +done + +occupgrade + +## Forms +# TODO: This is broken in NC 24 due to: +# https://github.com/nextcloud/forms/pull/1149/files +## TODO: request explanations and reduce upstream diff +## This is what is being used: https://github.com/juanan3ip/form +#FORMS_EXPECTED_HASH="$(cat /forms.hash)" +#FORMS_DIR="/var/www/html/custom_apps/forms" +#FORMS_HASH="" +#if [ -f "${FORMS_DIR}.hash" ]; then +# FORMS_HASH="$(cat "${FORMS_DIR}.hash")" +#fi +#if [ "${FORMS_EXPECTED_HASH}" != "${FORMS_HASH}" ]; then +# # Remove 
old plugin +# rm -rf "${FORMS_DIR}" +# # Install new one +# unzip -o /forms.zip -d /tmp +# mv "/tmp/form-${FORMS_EXPECTED_HASH}" "${FORMS_DIR}" +# # Perform config / install +# npm --prefix "${FORMS_DIR}" install +# composer --ignore-platform-req=ext-dom -d"${FORMS_DIR}" install --no-dev -o +# # Place hash marker +# cp /forms.hash "${FORMS_DIR}.hash" +#fi +#if plugin_status "${plugin}" | grep -qE "^disabled"; then +# ./occ app:enable forms +#fi +# +#occupgrade + +# +# Apply app-specific configurations +# +echo "--> Configuring BBB" +# Host +./occ config:app:set -n bbb api.url --value="${BBB_HOST:-}" +# API Secret +./occ config:app:set -n -q bbb api.secret --value="${BBB_API_SECRET:-}" +# Disable Big Blue Button media check by default +./occ config:app:set -n bbb join.mediaCheck --value="false" +# Disable Big Blue Button listen only mode by default +# And enable option to join muted to Big Blue Button room by default +## TODO: Upstream these as toggeable settings +# shellcheck disable=SC2016 # We want these literal strings +sed -i.orig \ + -e 's/^\(\s*$room->setListenOnly(\)true\();\)$/\1false\2/' \ + -e 's/^\(\s*$room->setJoinMuted(\)false\();\)$/\1true\2/' \ + /var/www/html/custom_apps/bbb/lib/Service/RoomService.php +# Remove meeting join nextcloud bbb app dialog exclamation marks +sed -i.orig \ + -e 's/\(^\s*"Please enter your name!" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' \ + -e 's/\(^\s*"Let.s go!" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' \ + /var/www/html/custom_apps/bbb/l10n/*.json + +# Patches / fixes for Ownpad +## Fix mimetypemapping for ownpad +MIMETYPEMAPPINGJSON="/var/www/html/config/mimetypemapping.json" +if ! grep -q "application/x-ownpad" "${MIMETYPEMAPPINGJSON}"; then + jq '. 
+ {"pad": ["application/x-ownpad"], "calc": ["application/x-ownpad"]}' \ + /var/www/html/resources/config/mimetypemapping.dist.json > "${MIMETYPEMAPPINGJSON}" + # We have to tell NC about this change as documented here: + # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#maintenance-commands + ./occ maintenance:mimetype:update-db +fi +## Open pads on new tab/window +OWNPADJS="/var/www/html/custom_apps/ownpad/js/ownpad.js" +if ! grep -q viewerDD "${OWNPADJS}"; then + ## TODO: Upstream this as a toggeable setting + sed -i.orig 's/^\(\s*\)var viewer = \(OC.generateUrl.*\)/\1var viewerDD = \2; window.open(viewerDD); return;/' "${OWNPADJS}" +fi + +# Settings +echo "--> Applying custom settings" +./occ --no-warnings config:app:set -n ownpad ownpad_etherpad_enable --value="yes" +./occ --no-warnings config:app:set -n ownpad ownpad_etherpad_host --value="https://pad.$DOMAIN" + +./occ --no-warnings config:app:set -n onlyoffice DocumentServerUrl --value="https://oof.$DOMAIN" +./occ --no-warnings config:app:set -n onlyoffice jwt_secret --value="secret" +./occ --no-warnings config:app:set -n onlyoffice jwt_header --value="Authorization" +./occ --no-warnings config:app:set -n onlyoffice sameTab --value="false" + +# Moodle nextcloud task needs forcesave onlyoffice option +./occ --no-warnings config:app:set -n onlyoffice customizationForcesave --value="true" + +# Add allow list IPs +./occ --no-warnings config:app:set -n bruteForce whitelist_1 --value='172.16.0.0/12' + +# OnlyOffice +./occ --no-warnings config:app:set -n onlyoffice preview --value="true" +./occ --no-warnings config:app:set -n onlyoffice defFormats 
--value='{"csv":"false","doc":"true","docm":"false","docx":"true","docxf":"true","oform":"true","dotx":"false","epub":"false","html":"false","odp":"true","ods":"true","odt":"true","otp":"true","ots":"true","ott":"true","pdf":"false","potm":"false","potx":"false","ppsm":"false","ppsx":"true","ppt":"true","pptm":"false","pptx":"true","rtf":"false","txt":"false","xls":"true","xlsm":"false","xlsx":"true","xltm":"false","xltx":"true"}' +./occ --no-warnings config:app:set -n onlyoffice editFormats --value='{"csv":"true","odp":"false","ods":"false","odt":"false","rtf":"false","txt":"true"}' + +if [ -n "${USING_CLAMAV:-}" ]; then + echo "--> Configuring ClamAV" + ./occ --no-warnings config:app:set -n files_antivirus av_mode --value="daemon" + ./occ --no-warnings config:app:set -n files_antivirus av_host --value="dd-apps-clamav" + ./occ --no-warnings config:app:set -n files_antivirus av_port --value="3310" + ./occ --no-warnings config:app:set -n files_antivirus av_infected_action --value="only_log" + ./occ --no-warnings config:app:set -n files_antivirus av_stream_max_length --value="26214400" + ./occ --no-warnings config:app:set -n files_antivirus av_max_file_size --value="-1" +fi + +# Allow nextcloud into other apps iframes +echo "--> Fixing CSP" +# TODO: this should be done in a different fashion +# Content-Security-Policy: frame-ancestors 'self' *.$DOMAIN; +# Content-Set-Policy: connect-src 'self -' *.$DOMAIN; +# Content-Set-Policy: img-src 'self' *. -$DOMAIN; +# Content-Set-Policy: style-src 'self' -*.$DOMAIN; +# Content-Set-Policy: font-src 'self' * -.$DOMAIN; +sed -i \ + -E "s%'\\\\'self\\\\'',.*$%'\\\\'self\\\\'', '*.${DOMAIN}',%" \ + /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php + +# Add default file for moodle activities +TEMPLATEDOCX="/var/www/html/data/admin/files/template.docx" +if [ ! 
-f "${TEMPLATEDOCX}" ]; then + echo "--> Copying activity template for Moodle" + cp /template.docx "${TEMPLATEDOCX}" + # We have to tell NC about this change + ./occ files:scan admin +fi + +# Configure logo +echo "--> Configuring logo" +# TODO: This should be a tad more dynamic +cachebuster="0" +if ./occ config:app:get theming cachebuster; then + cachebuster="$(./occ config:app:get theming cachebuster)" +fi +./occ theming:config logo /custom/img/logo.png +./occ theming:config background /custom/img/background.png +./occ config:app:set theming cachebuster --value="$((cachebuster + 1 ))" + +occupgrade + +cat < Applying custom settings in nextcloud" - # docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=$DDADMIN_PASSWORD && php occ user:add --password-from-env --display-name="DD Admin" --group="admin" $DDADMIN_USER' - - # docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=admin && php occ user:delete admin' - # docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=LostAdminGroup && php occ user:add --password-from-env --display-name="Admin" --group="admin" admin' - - # docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:app:set unaprova token --value "SuperS3cret" - - #cp -R $BUILD_APPS_ROOT_PATH/dd-apps/docker/nextcloud/themes/* $DATA_FOLDER/nextcloud/themes/ - docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set default_language --value="ca" - docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set skeletondirectory --value='' - - # Disable certain NextCloud apps - for app in firstrunwizard recommendations dashboard circles; do - docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF - php occ --no-warnings app:disable "${app}" || true - EOF - done - - # Install and enable NextCloud apps - for app in bruteforcesettings polls calendar spreed bbb mail ownpad onlyoffice; do - docker exec -i -u www-data dd-apps-nextcloud-app sh -s 
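Review bot: The "Fixing CSP" `sed` near the end of nc-setup.sh rewrites every line of ContentSecurityPolicy.php that contains a `'\'self\'',` entry, while the comment above it and the removed dd-ctl code name only frame-ancestors, connect-src, img-src, style-src and font-src. If the script-src list in that file also carries such an entry, which I expect but cannot see here, `*.${DOMAIN}` becomes an allowed script origin for Nextcloud, and the same substitution discards whatever followed `'self',` on the line. I would limit the substitution to the line following each of the five intended `protected $allowed…` array declarations, as the removed dd-ctl code did. In the same hunk, `config:app:set -n onlyoffice jwt_secret --value="secret"` keeps a constant signing key for the document server; it should come from dd.conf, e.g. `--value="${ONLYOFFICE_JWT_SECRET:?}"` (placeholder variable name). The end of the script is cut off on this page, so anything after the logo step is not covered by this review.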
<<-EOF - php occ --no-warnings app:install "${app}" - php occ --no-warnings app:enable "${app}" - EOF - done - - # Install ClamAV conditionally - if [ "${DISABLE_CLAMAV:-true}" = "false" ]; then - docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF - php occ --no-warnings app:install files_antivirus - php occ --no-warnings app:enable files_antivirus - EOF - else - # Enforce disabled - docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF - php occ --no-warnings app:install files_antivirus - php occ --no-warnings app:disable files_antivirus - EOF - fi - - #docker exec -u www-data dd-apps-nextcloud-app php occ app:install user_saml - docker exec -u www-data dd-apps-nextcloud-app php occ app:enable user_saml - - # Installing apps may require an occ upgrade - nextcloud_upgrade - - # Temporary patch while upstream lands our changes - # See: https://github.com/nextcloud/mail/pull/6908 - for f in appinfo/info.xml lib/Command/UpdateAccount.php lib/Db/MailAccountMapper.php; do - install -m 0644 -o 82 -g 82 "dd-apps/docker/nextcloud/nc_mail/$f" "${SRC_FOLDER}/nextcloud/custom_apps/mail/$f" - done - - # Disable Big Blue Button media check by default - docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set bbb join.mediaCheck --value="false" - # Disable Big Blue Button listen only mode by default - docker exec dd-apps-nextcloud-app sed -i.orig 's/^\(\s*$room->setListenOnly(\)true\();\)$/\1false\2/' /var/www/html/custom_apps/bbb/lib/Service/RoomService.php - # Enable option to join muted to Big Blue Button room by default - docker exec dd-apps-nextcloud-app sed -i 's/^\(\s*$room->setJoinMuted(\)false\();\)$/\1true\2/' /var/www/html/custom_apps/bbb/lib/Service/RoomService.php - # Remove meeting join nextcloud bbb app dialog exclamation marks - docker exec dd-apps-nextcloud-app sh -c "sed -i.orig 's/\(^\s*\"Please enter your name!\" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' /var/www/html/custom_apps/bbb/l10n/*.json" - docker exec dd-apps-nextcloud-app 
sh -c "sed -i 's/\(^\s*\"Let\x27s go!\" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' /var/www/html/custom_apps/bbb/l10n/*.json" - - docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set theme --value=dd - docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings config:system:set allow_local_remote_servers --value=true - docker exec -u www-data dd-apps-nextcloud-app php occ --no-warnings maintenance:theme:update - - docker exec dd-apps-nextcloud-app apk add jq - docker exec dd-apps-nextcloud-app sh -c 'jq ". + {\"pad\": [\"application/x-ownpad\"], \"calc\": [\"application/x-ownpad\"]}" /var/www/html/resources/config/mimetypemapping.dist.json > /var/www/html/config/mimetypemapping.json' - # Open pads in a new tab/window - docker exec dd-apps-nextcloud-app sed -i.orig 's/^\(\s*\)\(var viewer = OC.generateUrl.*\)/\1\2\n\1window.open(viewer);\n\1return;/' /var/www/html/custom_apps/ownpad/js/ownpad.js - - # SMTP - SMTP_LOCAL_PART="$(echo "${SMTP_USER}" | cut -d '@' -f 1)" - SMTP_DOMAIN="$(echo "${SMTP_USER}" | cut -d '@' -f 2)" - docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF - php occ --no-warnings config:system:set -n mail_smtpmode --value="smtp" - php occ --no-warnings config:system:set -n mail_smtpsecure --value="${SMTP_PROTOCOL}" - php occ --no-warnings config:system:set -n mail_sendmailmode --value="smtp" - php occ --no-warnings config:system:set -n mail_from_address --value="${SMTP_LOCAL_PART}" - php occ --no-warnings config:system:set -n mail_domain --value="${SMTP_DOMAIN}" - php occ --no-warnings config:system:set -n mail_smtpauth --value=1 - php occ --no-warnings config:system:set -n mail_smtpauthtype --value="LOGIN" - php occ --no-warnings config:system:set -n mail_smtphost --value="${SMTP_HOST}" - php occ --no-warnings config:system:set -n mail_smtpport --value="${SMTP_PORT}" - php occ --no-warnings config:system:set -n mail_smtpname --value="${SMTP_USER}" - echo 'Setting Nextcloud password' - php occ 
--no-warnings config:system:set -n -q mail_smtppassword --value="${SMTP_PASSWORD}" - EOF - - # Settings - docker exec -i -u www-data dd-apps-nextcloud-app sh -s <<-EOF - php occ --no-warnings config:app:set -n ownpad ownpad_etherpad_enable --value="yes" - php occ --no-warnings config:app:set -n ownpad ownpad_etherpad_host --value="https://pad.$DOMAIN" - - php occ --no-warnings config:app:set -n onlyoffice DocumentServerUrl --value="https://oof.$DOMAIN" - php occ --no-warnings config:app:set -n onlyoffice jwt_secret --value="secret" - php occ --no-warnings config:app:set -n onlyoffice jwt_header --value="Authorization" - php occ --no-warnings config:app:set -n onlyoffice sameTab --value="false" - - # Moodle nextcloud task needs forcesave onlyoffice option - php occ --no-warnings config:app:set -n onlyoffice customizationForcesave --value="true" - - # Add allow list IPs - php occ --no-warnings config:app:set -n bruteForce whitelist_1 --value='172.16.0.0/12' - - # OnlyOffice - php occ --no-warnings config:app:set -n onlyoffice preview --value="true" - php occ --no-warnings config:app:set -n onlyoffice defFormats --value="{\"csv\":\"false\",\"doc\":\"true\",\"docm\":\"false\",\"docx\":\"true\",\"docxf\":\"true\",\"oform\":\"true\",\"dotx\":\"false\",\"epub\":\"false\",\"html\":\"false\",\"odp\":\"true\",\"ods\":\"true\",\"odt\":\"true\",\"otp\":\"true\",\"ots\":\"true\",\"ott\":\"true\",\"pdf\":\"false\",\"potm\":\"false\",\"potx\":\"false\",\"ppsm\":\"false\",\"ppsx\":\"true\",\"ppt\":\"true\",\"pptm\":\"false\",\"pptx\":\"true\",\"rtf\":\"false\",\"txt\":\"false\",\"xls\":\"true\",\"xlsm\":\"false\",\"xlsx\":\"true\",\"xltm\":\"false\",\"xltx\":\"true\"}", - php occ --no-warnings config:app:set -n onlyoffice editFormats --value="{\"csv\":\"true\",\"odp\":\"false\",\"ods\":\"false\",\"odt\":\"false\",\"rtf\":\"false\",\"txt\":\"true\"}" - - EOF - - # Configure ClamAV conditionally - if [ "${DISABLE_CLAMAV:-true}" = "false" ]; then - docker exec -i -u www-data 
dd-apps-nextcloud-app sh -s <<-EOF - php occ --no-warnings config:app:set -n files_antivirus av_mode --value="daemon" - php occ --no-warnings config:app:set -n files_antivirus av_host --value="dd-apps-clamav" - php occ --no-warnings config:app:set -n files_antivirus av_port --value="3310" - php occ --no-warnings config:app:set -n files_antivirus av_infected_action --value="only_log" - php occ --no-warnings config:app:set -n files_antivirus av_stream_max_length --value="26214400" - php occ --no-warnings config:app:set -n files_antivirus av_max_file_size --value="-1" - EOF - fi - - # Allow nextcloud into other apps iframes - # Content-Security-Policy: frame-ancestors 'self' *.$DOMAIN; - docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedFrameAncestors = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php - - # Content-Sety-Policy: connect-src 'self -' *.$DOMAIN; - docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedConnectDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php - - # Content-Sety-Policy: img-src 'self' *. 
-$DOMAIN; - docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedImageDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php - - # Content-Sety-Policy: style-src 'self' -*.$DOMAIN; - docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedStyleDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php - - # Content-Sety-Policy: font-src 'self' * -.$DOMAIN; - docker exec dd-apps-nextcloud-app sed -i -e "/protected \\\$allowedFontDomains = \[/{n;s/\('\\\\\'self\\\\\'\)\('\)/\1 *.$DOMAIN\2/}" /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php - - # Fix nextcloud files_external "segudos" typo - # https://github.com/nextcloud/server/pull/28990 - docker exec dd-apps-nextcloud-app sh -c 'sed -i.orig -e "s/segudos/segundos/" /var/www/html/apps/files_external/l10n/es_*.js' - - # Import fix from Nextcloud 22 of pdf viewer - # https://github.com/nextcloud/files_pdfviewer/issues/381#issuecomment-845806364 - docker exec dd-apps-nextcloud-app sed -i 's/encodeURIComponent(i\[a\])/i[a]/' /var/www/html/apps/files_pdfviewer/js/files_pdfviewer-main.js - - # Add default file for moodle activities - if [ ! 
-f "$DATA_FOLDER/nextcloud/admin/files/template.docx" ]; then - cp dd-apps/docker/nextcloud/template.docx "$DATA_FOLDER/nextcloud/admin/files/" - fi - - # Custom forms - ## This may be forcing the need for occ upgrade in the past - ## Keep it towards the end - docker exec dd-apps-nextcloud-app apk add git npm composer - docker exec -u www-data dd-apps-nextcloud-app rm -rf /var/www/html/custom_apps/forms - docker exec -u www-data dd-apps-nextcloud-app git clone https://github.com/juanan3ip/form -b dev /var/www/html/custom_apps/forms - docker exec -u www-data dd-apps-nextcloud-app npm --prefix /var/www/html/custom_apps/forms install - docker exec -u www-data dd-apps-nextcloud-app composer -d/var/www/html/custom_apps/forms install --no-dev -o - docker exec -u www-data dd-apps-nextcloud-app php occ app:enable forms - - nextcloud_upgrade - configure_nextcloud_logo - nextcloud_scan -} - -nextcloud_upgrade(){ - docker exec -i -u www-data dd-apps-nextcloud-app ./occ upgrade -} - nextcloud_scan(){ # The folders shown as 'not writeable' are empty user folders. Not a problem. docker exec -u www-data dd-apps-nextcloud-app php occ files:scan --all @@ -669,16 +495,6 @@ extras_pgtuner(){ echo " --> Generated pgtuner.yml" } -extras_nextcloud_remove_banned_ips(){ - docker-compose exec dd-apps-postgresql psql -v ON_ERROR_STOP=1 \ - -U admin nextcloud -c "DELETE FROM oc_bruteforce_attempts;" -} - -extras_nextcloud_set_admin_group(){ - docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=admin && php occ user:delete admin' - docker exec -u www-data dd-apps-nextcloud-app sh -c 'export OC_PASS=N3xtcl0ud && php occ user:add --password-from-env --display-name="Admin" --group="admin" admin' -} - extras_dump_keycloak_client(){ docker exec -i dd-sso-keycloak sh -s <<-EOF /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password keycloakkeycloak \ 
@@ -821,11 +637,6 @@ upgrade_plugins_moodle(){ docker exec -i dd-apps-moodle php7 admin/cli/purge_caches.php } -upgrade_plugins_nextcloud(){ - cp -R dd-apps/docker/nextcloud/src/* "$SRC_FOLDER/nextcloud/" - nextcloud_upgrade -} - upgrade_plugins_wp(){ cp -R dd-apps/docker/wordpress/src/* "$SRC_FOLDER/wordpress/" 
@@ -857,29 +668,8 @@ upgrade_plugins_wp(){ } update_logos_and_menu(){ - # docker exec -i dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes,value=false)'" - # docker exec -i dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates,value=false)'" - # docker exec -i dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge,value=-1)'" - # docker exec -i dd-sso-keycloak sh -c "/opt/jboss/keycloak/bin/jboss-cli.sh --connect --command='reload'" docker exec -i --user root dd-sso-keycloak sh -c 'rm -rf /opt/jboss/keycloak/standalone/tmp/kc-gzip-cache/*' docker-compose build dd-sso-api && docker-compose up -d dd-sso-api - configure_nextcloud_logo -} - -configure_nextcloud_logo(){ - local instance_id - instance_id=$(docker exec -u www-data dd-apps-nextcloud-app php occ config:system:get instanceid) - local cachebuster - cachebuster=$(docker exec -u www-data dd-apps-nextcloud-app php occ config:app:get theming cachebuster) - docker exec -u www-data dd-apps-nextcloud-app mkdir -p "/var/www/html/data/appdata_$instance_id/theming/images" - nc_logo="${DATA_FOLDER}/nextcloud/appdata_$instance_id/theming/images/logo" - nc_background="${DATA_FOLDER}/nextcloud/appdata_$instance_id/theming/images/background" - cp custom/img/logo.png "${nc_logo}" - cp custom/img/background.png "${nc_background}" - chown 82:82 "${nc_logo}" "${nc_background}" - docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set theming logoMime --value="image/png" - docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set theming backgroundMime --value="image/png" - docker exec -u www-data dd-apps-nextcloud-app php occ config:app:set theming cachebuster --value="$((cachebuster + 1 ))" } 
genpwd() { @@ -978,10 +768,8 @@ case "$OPERATION" in wait_for_moodle upgrade_plugins_moodle - upgrade_plugins_nextcloud upgrade_plugins_wp - setup_nextcloud setup_moodle setup_wordpress @@ -1008,7 +796,6 @@ case "$OPERATION" in customize) up wait_for_moodle - setup_nextcloud setup_wordpress setup_moodle ;; @@ -1066,7 +853,6 @@ case "$OPERATION" in up wait_for_moodle upgrade_plugins_moodle - upgrade_plugins_nextcloud upgrade_plugins_wp ;; yml) diff --git a/dd.conf.sample b/dd.conf.sample index 553e9d3..c2f71ba 100644 --- a/dd.conf.sample +++ b/dd.conf.sample @@ -70,6 +70,11 @@ DDADMIN_USER=ddadmin DDADMIN_PASSWORD=Th3M@st3r DDADMIN_EMAIL=theemail@mymailserver.com +# BBB settings +# This gets automatically configured on Nextcloud +#BBB_HOST=bbb.example.org +#BBB_API_SECRET=APISECRET + # ------ Api Secret ----------------------------------------------------------- ## Generate your own SECRET! (or apply securize script) ## openssl rand -base64 32 @@ -113,6 +118,12 @@ NEXTCLOUD_ADMIN_PASSWORD=N3xtcl0ud NEXTCLOUD_POSTGRES_USER=nextcloud NEXTCLOUD_POSTGRES_PASSWORD=N3xtcl0ud +### Comma-separated list of Nextcloud plugins that you want to enable/disable +### These should be available from https://apps.nextcloud.com/ +### Example: NEXTCLOUD_PLUGINS_ENABLE=cospend,cookbook +#NEXTCLOUD_PLUGINS_ENABLE= +#NEXTCLOUD_PLUGINS_DISABLE + ## WORDPRESS ##============================================================================= WORDPRESS_ADMIN_USER=admin