bump to 0.5.1+v2026.2.0

.env.sample

@@ -1,6 +1,5 @@
 TYPE=cryptpad
 
-COMPOSE_FILE="compose.yml"
 
 DOMAIN=cryptpad.example.com
 
@@ -18,12 +17,7 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
 
-## Set to true to block unregistered users from accessing any CryptPad applications
-## See https://docs.cryptpad.org/en/admin_guide/customization.html#restricting-guest-access
-#RESTRICT_GUEST_ACCESS=false
-
-## SSO / OIDC (optional — uncomment below and add compose.sso.yml to COMPOSE_FILE to enable)
-# COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+## SSO / OIDC (optional — defaults to false)
 #SSO_ENABLED=true
 #SSO_ENFORCED=false
 #SSO_PROVIDER_NAME=Authentik
@@ -32,9 +26,3 @@ LETS_ENCRYPT_ENV=production
 #SSO_CLIENT_SECRET_VERSION=v1
 #SSO_JWT_ALG=RS256
 #SSO_PLUGIN_VERSION=0.4.0
-
-## Adding OnlyOffice to cryptpad
-#COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yaml"
-## Enables installation of older onlyoffice versions so that older documents
-## can also be loaded and converted.
-#ONLYOFFICE_OLDEST=v6

README.md

@@ -11,7 +11,7 @@
 * **Backups**: Yes
 * **Email**: No
 * **Tests**: No
-* **SSO**: Yes
+* **SSO**: No
 
 <!-- endmetadata -->
 
@@ -40,49 +40,5 @@ Then redeploy with `abra app deploy YOURAPPDOMAIN --force`.
 Now when you login as your user, and visit https://cryptpad.cctest.autonomic.zone/admin/,
 you should be able to access the admin interface for this cryptpad instance. 
 
-## SSO
-
-SSO support is provided by `compose.sso.yml`. To enable it, add the SSO compose file and set the SSO variables in your app config:
-
-```
-COMPOSE_FILE="compose.yml:compose.sso.yml"
-SSO_ENABLED=true
-```
-
-On the next deploy, the [CryptPad SSO plugin](https://github.com/cryptpad/sso) will be installed automatically.
-
-You also need to configure the remaining SSO environment variables for your OIDC provider:
-
-- `SSO_PROVIDER_NAME` — display name shown on the login button (e.g. `Keycloak`, `Authentik`)
-- `SSO_OIDC_URL` — OIDC discovery URL for your provider
-- `SSO_CLIENT_ID` — OAuth2 client ID
-- `SSO_JWT_ALG` — JWT signing algorithm (e.g. `RS256`)
-
-The client secret is stored as a Docker secret. Insert it with:
-
-```
-abra app secret insert YOURAPPDOMAIN sso_client_s v1 YOUR_CLIENT_SECRET
-```
-
-Then deploy (or redeploy) to apply: `abra app deploy YOURAPPDOMAIN --force`.
-
-## OnlyOffice
-
-OnlyOffice support is provided by `compose.onlyoffice.yaml`. Enable it by adding the compose file to your app config:
-
-```
-COMPOSE_FILE="compose.yml:compose.onlyoffice.yaml"
-```
-
-On the next deploy, an entrypoint wrapper (`onlyoffice-entrypoint.sh`) prepares the OnlyOffice config volume **before** CryptPad starts, then the app container runs `install-onlyoffice.sh` to download the OnlyOffice assets. Running the prep work inside the app container (rather than a separate init service) is necessary because Docker Swarm ignores `depends_on` at runtime — a sidecar init container would race the app.
-
-To support opening documents created with older OnlyOffice versions, set `ONLYOFFICE_OLDEST` in your app config. This writes (or updates) `oldest_needed_version` in `onlyoffice-conf/onlyoffice.properties`, which `install-onlyoffice.sh` reads to fetch older versions in addition to the latest:
-
-```
-ONLYOFFICE_OLDEST=v6
-```
-
-If `ONLYOFFICE_OLDEST` is unset, `onlyoffice.properties` is left untouched (CryptPad's own default applies). Only the `oldest_needed_version` key is touched on each deploy, so any other entries in `onlyoffice.properties` are preserved. If you change `ONLYOFFICE_OLDEST` after the assets have already been downloaded, you may need to drop the `cryptpad_oo_dist` volume so `install-onlyoffice.sh` re-runs and pulls the additional versions.
-
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik

abra.sh

@@ -3,5 +3,3 @@ export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
 export SSO_ENTRYPOINT_VERSION=v6
 export SSO_JS_VERSION=v3
-export APP_CONFIG_JS_VERSION=v1
-export ONLYOFFICE_ENTRYPOINT_VERSION=v1

application_config.js.tmpl

@@ -1,24 +0,0 @@
-// CryptPad application customization — generated from environment variables
-// See https://docs.cryptpad.org/en/admin_guide/customization.html
-// For default file, see: https://github.com/cryptpad/cryptpad/blob/main/customize.dist/application_config.js
-
-(() => {
-const factory = (AppConfig) => {
-    {{ if eq (env "RESTRICT_GUEST_ACCESS") "true" }}
-    // Block unregistered users from accessing any applications
-    AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes.slice();
-    {{ end }}
-
-    return AppConfig;
-};
-
-// Do not change code below
-if (typeof(module) !== 'undefined' && module.exports) {
-    module.exports = factory(
-        require('../www/common/application_config_internal.js')
-    );
-} else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) {
-    define(['/common/application_config_internal.js'], factory);
-}
-
-})();

compose.onlyoffice.yaml

@@ -1,48 +0,0 @@
-version: "3.8"
-
-services:
-  init-onlyoffice-dirs:
-    image: busybox
-    user: root
-    command:
-      - sh
-      - -eu
-      - -c
-      - |
-        mkdir -p /cryptpad/www/common/onlyoffice/dist /cryptpad/onlyoffice-conf
-        chown -R 4001:4001 \
-          /cryptpad/www/common/onlyoffice/dist \
-          /cryptpad/onlyoffice-conf
-        exec tail -f /dev/null
-    volumes:
-      - cryptpad_oo_dist:/cryptpad/www/common/onlyoffice/dist
-      - cryptpad_oo_conf:/cryptpad/onlyoffice-conf/
-
-  app:
-    # onlyoffice-entrypoint.sh auto-chains through /sso-entrypoint.sh if
-    # compose.sso.yml is also loaded, so order of COMPOSE_FILE doesn't matter.
-    entrypoint:
-      - /onlyoffice-entrypoint.sh
-      - /cryptpad/docker-entrypoint.sh
-    environment:
-      - "CPAD_INSTALL_ONLYOFFICE=yes"
-      - ONLYOFFICE_OLDEST
-    volumes:
-      - cryptpad_oo_dist:/cryptpad/www/common/onlyoffice/dist
-      - cryptpad_oo_conf:/cryptpad/onlyoffice-conf/
-    configs:
-      - source: onlyoffice_entrypoint
-        target: /onlyoffice-entrypoint.sh
-        mode: 0755
-    deploy:
-      labels:
-        - "backupbot.backup.volumes.cryptpad_oo_dist=false"
-
-volumes:
-  cryptpad_oo_dist:
-  cryptpad_oo_conf:
-
-configs:
-  onlyoffice_entrypoint:
-    name: ${STACK_NAME}_onlyoffice_entrypoint_${ONLYOFFICE_ENTRYPOINT_VERSION}
-    file: onlyoffice-entrypoint.sh

compose.sso.yml

@@ -1,41 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
-    environment:
-      - SSO_PLUGIN_VERSION
-      - "SSO_ENABLED=${SSO_ENABLED:-false}"
-      - SSO_ENFORCED
-      - SSO_PROVIDER_NAME
-      - SSO_OIDC_URL
-      - SSO_CLIENT_ID
-      - SSO_JWT_ALG
-    secrets:
-      - sso_client_s
-    volumes:
-      - cryptpad_plugins:/cryptpad/lib/plugins
-    configs:
-      - source: sso_entrypoint
-        target: /sso-entrypoint.sh
-        mode: 0755
-      - source: sso_js
-        target: /sso.js
-
-volumes:
-  cryptpad_plugins:
-
-secrets:
-  sso_client_s:
-    external: true
-    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
-
-configs:
-  sso_entrypoint:
-    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
-    file: sso-entrypoint.sh
-  sso_js:
-    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
-    file: sso.js.tmpl
-    template_driver: golang

compose.yml

@@ -3,7 +3,8 @@ version: "3.8"
 
 services:
   app:
-    image: cryptpad/cryptpad:version-2026.5.1
+    image: cryptpad/cryptpad:version-2026.2.0
+    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
     command: ["npm", "start"]
     networks:
       - backend
@@ -16,7 +17,16 @@ services:
       - "CPAD_HTTP2_DISABLE=true"
       - "CPAD_TRUST_PROXY=1"
       - "CPAD_CONF=/cryptpad/config/config.js"
-      - "RESTRICT_GUEST_ACCESS=${RESTRICT_GUEST_ACCESS:-false}"
+      # SSO plugin
+      - SSO_PLUGIN_VERSION
+      - "SSO_ENABLED=${SSO_ENABLED:-false}"
+      - SSO_ENFORCED
+      - SSO_PROVIDER_NAME
+      - SSO_OIDC_URL
+      - SSO_CLIENT_ID
+      - SSO_JWT_ALG
+    secrets:
+      - sso_client_s
     volumes:
       - cryptpad_blob:/cryptpad/blob
       - cryptpad_block:/cryptpad/block
@@ -24,11 +34,15 @@ services:
       - cryptpad_data:/cryptpad/data
       - cryptpad_files:/cryptpad/datastore
       - cryptpad_config:/cryptpad/config/
+      - cryptpad_plugins:/cryptpad/lib/plugins
     configs:
       - source: config_js
         target: /cryptpad/config/config.js
-      - source: app_config_js
-        target: /cryptpad/customize/application_config.js
+      - source: sso_entrypoint
+        target: /sso-entrypoint.sh
+        mode: 0755
+      - source: sso_js
+        target: /sso.js
 
     deploy:
       restart_policy:
@@ -36,7 +50,7 @@ services:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.6.0+v2026.5.1"
+        - "coop-cloud.${STACK_NAME}.version=0.5.1+v2026.2.0"
         - "backupbot.backup=true"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000"]
@@ -46,7 +60,7 @@ services:
       start_period: 1m
 
   web:
-    image: nginx:1.31
+    image: nginx:1.29
     configs:
       - source: nginx_conf
         target: /etc/nginx/conf.d/default.conf
@@ -79,6 +93,12 @@ volumes:
   cryptpad_data:
   cryptpad_files:
   cryptpad_config:
+  cryptpad_plugins:
+
+secrets:
+  sso_client_s:
+    external: true
+    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
 
 configs:
   config_js:
@@ -89,7 +109,10 @@ configs:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
     file: nginx.conf.tmpl
     template_driver: golang
-  app_config_js:
-    name: ${STACK_NAME}_app_config_js_${APP_CONFIG_JS_VERSION}
-    file: application_config.js.tmpl
+  sso_entrypoint:
+    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+    file: sso-entrypoint.sh
+  sso_js:
+    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+    file: sso.js.tmpl
     template_driver: golang

onlyoffice-entrypoint.sh

@@ -1,42 +0,0 @@
-#!/bin/bash
-set -e
-
-# OnlyOffice init — runs before the original CryptPad entrypoint.
-# Ensures oldest_needed_version in onlyoffice.properties matches
-# ONLYOFFICE_OLDEST before install-onlyoffice.sh / CryptPad reads it.
-
-CONF_DIR="/cryptpad/onlyoffice-conf"
-PROPS="${CONF_DIR}/onlyoffice.properties"
-
-# Wait for init-onlyoffice-dirs to chown the volumes. Swarm ignores
-# depends_on, so the init sidecar and this container start in parallel.
-waited=0
-while [ ! -w "${CONF_DIR}" ]; do
-  if [ "${waited}" -ge 60 ]; then
-    echo "[onlyoffice-entrypoint] timed out waiting for ${CONF_DIR} to become writable" >&2
-    exit 1
-  fi
-  echo "[onlyoffice-entrypoint] waiting for ${CONF_DIR} to be writable (${waited}s)"
-  sleep 1
-  waited=$((waited + 1))
-done
-
-if [ -n "${ONLYOFFICE_OLDEST:-}" ]; then
-  mkdir -p "${CONF_DIR}"
-  touch "${PROPS}"
-  if grep -q '^oldest_needed_version=' "${PROPS}"; then
-    sed -i "s|^oldest_needed_version=.*|oldest_needed_version=${ONLYOFFICE_OLDEST}|" "${PROPS}"
-  else
-    echo "oldest_needed_version=${ONLYOFFICE_OLDEST}" >> "${PROPS}"
-  fi
-  echo "[onlyoffice-entrypoint] oldest_needed_version=${ONLYOFFICE_OLDEST}"
-else
-  echo "[onlyoffice-entrypoint] ONLYOFFICE_OLDEST unset, leaving ${PROPS} untouched"
-fi
-
-# Chain through the SSO entrypoint if compose.sso.yml mounted it.
-if [ -x /sso-entrypoint.sh ]; then
-  exec /sso-entrypoint.sh "$@"
-fi
-
-exec "$@"

renovate.json

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ]
-}