create minio bucket automatically on startup (minio-initialize.sh)

Replace the one-shot minio-createbuckets service (which required a
manual 'abra app restart minio-createbuckets' that appeared to hang)
with a minio-initialize.sh config, ported from lasuite-docs. The minio
service entrypoint runs it in the background before starting minio; it
waits for minio to be ready and idempotently creates the
drive-media-storage bucket with versioning. Manual trigger:
'abra app cmd minio minio_initialize'.

.env.sample

@@ -28,6 +28,8 @@ SECRET_MINIO_RU_VERSION=v1
 SECRET_POSTGRES_P_VERSION=v1
 # DJANGO_HOST_EMAIL_PASSWORD
 SECRET_EMAIL_PASS_VERSION=v1
+# COLLABORA_ADMIN_PASSWORD
+SECRET_COLLABORA_P_VERSION=v1
 
 ##############################################################################
 # EMAIL
@@ -66,6 +68,25 @@ LOGGING_LEVEL_HANDLERS_CONSOLE=INFO
 LOGGING_LEVEL_LOGGERS_ROOT=INFO
 LOGGING_LEVEL_LOGGERS_APP=INFO
 
+##############################################################################
+# MIGRATIONS
+##############################################################################
+# Set to false to disable automatic migrations on backend startup
+# AUTO_MIGRATIONS=true
+
+##############################################################################
+# COLLABORA ADMIN PANEL
+##############################################################################
+# Username for the Collabora admin panel (https://COLLABORA_DOMAIN/browser/dist/admin/admin.html)
+# Password is managed via Docker secret 'collabora_p'
+#COLLABORA_ADMIN_USERNAME=admin
+
+##############################################################################
+# BACKUPS
+##############################################################################
+# Set to false to disable backup-bot labels (default: true)
+#ENABLE_BACKUPS=true
+
 ##############################################################################
 # WOPI SCHEDULING
 ##############################################################################

README.md

@@ -7,11 +7,11 @@
 * **Category**: Apps
 * **Status**: 2
 * **Image**: [`lasuite/drive`](https://hub.docker.com/r/lasuite/drive), 4, upstream
-* **Healthcheck**: No
-* **Backups**: No
-* **Email**: 3
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: Yes
 * **Tests**: No
-* **SSO**: 3
+* **SSO**: Yes
 
 <!-- endmetadata -->
 
@@ -27,11 +27,12 @@ This recipe requires four domains. One domain for drive, and one for minio which
 * `abra app config <app-name>`
      - make sure to set MINIO_DOMAIN, COLLABORA_DOMAIN, ONLY_OFFICE_DOMAIN to the domains you set up for each. 
 * `abra app deploy <app-name>`
-* `abra app cmd <app-name> backend migrate` # creates database tables
-* `abra app restart <app-name> minio-createbuckets` (Note: this will appear to fail, but probably worked! Check `abra app logs <app-name> minio-createbuckets`)
 
 You should then be able to visit the landing page of your app, but not yet to login. To login, you need to deploy and integrate single sign on (described below in the "Configure Authentication" section). 
 
+* Migrations run automatically on backend startup. To trigger manually: `abra app cmd <app-name> backend migrate`
+* Minio buckets are created automatically on first deploy. To manually trigger: `abra app cmd <app-name> minio minio_initialize`
+
 Wopi discovery is supposed to happen automatically, but if collabora/onlyoffice are not connecting, you can try running:
 
 * `abra app cmd <app-name> backend trigger_wopi` # connects only office & collabora (if they stop working, try running this again)
@@ -69,7 +70,7 @@ OIDC_RP_CLIENT_ID=<yourkeycloakclientid>
 then redeploy drive:
 `abra app deploy <app-name> --force`
 
-at this point, when you go to your drive url, you shoud then be able to click "login" and login with the username and password for the user you created in keycloak.
+at this point, when you go to your drive url, you should then be able to click "login" and login with the username and password for the user you created in keycloak.
 
 you can make additional users in keycloak for this "client" and they will all be able to login to drive and collaborate. 
 

abra-entrypoint.sh

@@ -11,5 +11,12 @@ set -e
 
 # if not in "env" mode, then execute the original entrypoint and command
 if [ ! "$1" = "-e" ]; then
+  # Run WOPI configuration on startup if enabled (celery worker service only).
+  # This ensures WOPI clients are configured immediately after each deploy,
+  # rather than waiting for the next celery-beat cron tick (default: 3 AM).
+  if [ "${RUN_WOPI_ON_STARTUP:-}" = "true" ]; then
+    echo "🐳(entrypoint) running WOPI configuration on startup..."
+    python manage.py trigger_wopi_configuration || echo "⚠ WOPI configuration failed (non-fatal, will retry on schedule)"
+  fi
   exec "$@"
 fi

abra.sh

@@ -1,9 +1,11 @@
 # Set any config versions here
 # Docs: https://docs.coopcloud.tech/maintainers/handbook/#manage-configs
-export ABRA_ENTRYPOINT_VERSION=v5
+export ABRA_ENTRYPOINT_VERSION=v11
 export NGINX_CONF_VERSION=v6
 export ONLYOFFICE_CONF_VERSION=v2
-export PG_BACKUP_VERSION=v3
+export PG_BACKUP_VERSION=v4
+export MIGRATE_VERSION=v1
+export MINIO_INITIALIZE_VERSION=v1
 
 environment() {
   # this exports all the secrets as environment variables
@@ -11,8 +13,11 @@ environment() {
 }
 
 migrate() {
-  environment
-  python manage.py migrate --noinput
+  /migrate.sh
+}
+
+minio_initialize() {
+  /minio-initialize.sh
 }
 
 trigger_wopi() {

compose.yml

@@ -27,6 +27,9 @@ x-common-env: &common-env
   DJANGO_EMAIL_USE_SSL:
   DJANGO_EMAIL_USE_TLS:
   DJANGO_EMAIL_FROM:
+  DJANGO_EMAIL_URL_APP:
+  DJANGO_CSRF_TRUSTED_ORIGINS:
+  DATA_UPLOAD_MAX_MEMORY_SIZE:
   # Backend url
   DRIVE_BASE_URL: "https://${DOMAIN}"
   # Media
@@ -92,14 +95,14 @@ services:
 
   app:
     user: "${DOCKER_USER:-1000}"
-    image: lasuite/drive-frontend:v0.12.0
+    image: lasuite/drive-frontend:v0.19.0
     networks:
       - backend
     deploy:
       labels:
         - "traefik.enable=false"
         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
-        - "coop-cloud.${STACK_NAME}.version=0.5.0+v0.12.0"
+        - "coop-cloud.${STACK_NAME}.version=0.10.1+v0.19.0"
     environment:
       <<: [ *common-env ]
     healthcheck:
@@ -113,11 +116,13 @@ services:
 
   backend:
     user: ${DOCKER_USER:-1000}
-    image: lasuite/drive-backend:v0.12.0
+    image: lasuite/drive-backend:v0.19.0
     command: [ "gunicorn", "-c", "/usr/local/etc/gunicorn/drive.py", "drive.wsgi:application" ]
-    entrypoint: [ "/abra-entrypoint.sh", "/usr/local/bin/entrypoint" ]
+    entrypoint: >
+      sh -c "if [ \"$$AUTO_MIGRATIONS\" = \"true\" ]; then /migrate.sh; fi && exec /abra-entrypoint.sh /usr/local/bin/entrypoint \"$$@\"" --
     environment:
       <<: [ *common-env, *postgres-env ]
+      AUTO_MIGRATIONS: "${AUTO_MIGRATIONS:-true}"
     networks:
       - backend
     depends_on:
@@ -126,6 +131,9 @@ services:
       - source: abra_entrypoint
         target: /abra-entrypoint.sh
         mode: 0555
+      - source: migrate
+        target: /migrate.sh
+        mode: 0555
     secrets:
       - django_sk
       - django_sp
@@ -137,13 +145,14 @@ services:
 
   celery:
     user: ${DOCKER_USER:-1000}
-    image: lasuite/drive-backend:v0.12.0
+    image: lasuite/drive-backend:v0.19.0
     networks:
       - backend
     command: [ "celery", "-A", "drive.celery_app", "worker", "-l", "INFO" ]
     entrypoint: ["/abra-entrypoint.sh", "/usr/local/bin/entrypoint"]
     environment:
       <<: [*common-env, *postgres-env]
+      RUN_WOPI_ON_STARTUP: "true"
     configs:
       - source: abra_entrypoint
         target: /abra-entrypoint.sh
@@ -158,7 +167,7 @@ services:
 
   celery-beat:
     user: ${DOCKER_USER:-1000}
-    image: lasuite/drive-backend:v0.12.0
+    image: lasuite/drive-backend:v0.19.0
     networks:
       - backend
     command: [ "celery", "-A", "drive.celery_app", "beat", "-l", "INFO", "--schedule", "/tmp/celerybeat-schedule" ]
@@ -205,34 +214,17 @@ services:
       - postgres_p
 
   redis:
-    image: redis:8
-    networks:
-      - backend 
-
-  mailcatcher:
-    image: sj26/mailcatcher:v0.10.0
+    image: redis:8.8.0
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
     networks:
       - backend
 
-  minio-createbuckets:
-    image: minio/minio:RELEASE.2025-09-07T16-13-09Z
-    environment: *minio-env
-    entrypoint: >
-      sh -c "
-      MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" &&   
-      MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&   
-      /usr/bin/mc alias set drive http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && \
-      /usr/bin/mc mb drive/drive-media-storage && \
-      /usr/bin/mc version enable drive/drive-media-storage && \
-      exit 0;"
-    deploy:
-      mode: replicated
-      replicas: 0
-      restart_policy:
-        condition: none
-    secrets:
-      - minio_rp
-      - minio_ru
+  mailcatcher:
+    image: sj26/mailcatcher:v0.10.0
     networks:
       - backend
 
@@ -248,13 +240,17 @@ services:
       - backend
       - proxy
     command: minio server /data
-    entrypoint: ["/usr/bin/docker-entrypoint.sh"]
+    entrypoint: >
+      sh -c "/minio-initialize.sh & exec /usr/bin/docker-entrypoint.sh \"$$@\"" --
     volumes:
       - minio:/data
     configs:
       - source: abra_entrypoint
         target: /abra-entrypoint.sh
         mode: 0555
+      - source: minio_initialize
+        target: /minio-initialize.sh
+        mode: 0555
     secrets:
       - minio_rp
       - minio_ru
@@ -274,23 +270,29 @@ services:
         - "traefik.http.middlewares.${STACK_NAME}_minio-cors.headers.accessControlMaxAge=600"
         - "traefik.http.middlewares.${STACK_NAME}_minio-cors.headers.addVaryHeader=true"
         - "traefik.http.routers.${STACK_NAME}_minio.middlewares=${STACK_NAME}_minio-cors"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 
   collabora:
-    image: collabora/code:latest
-#    healthcheck:
-#      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
-#      interval: 30s
-#      retries: 5
-#      start_period: 60s
-#      timeout: 10s
+    image: collabora/code:25.04.9.4.1
+    entrypoint: >
+      sh -c "
+      export password=\"$$(cat /run/secrets/collabora_p)\" &&
+      exec /start-collabora-online.sh"
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://localhost:9980/hosting/discovery" ]
+      interval: 30s
+      retries: 5
+      start_period: 60s
+      timeout: 10s
     networks:
       - backend
       - proxy
     environment:
       - extra_params=--o:ssl.enable=false --o:ssl.termination=true
-      - username=drive
-      - password=password
+      - username=${COLLABORA_ADMIN_USERNAME:-admin}
       - server_name=${COLLABORA_DOMAIN}
+    secrets:
+      - collabora_p
     deploy:
       labels:
       - "traefik.enable=true"
@@ -309,13 +311,13 @@ services:
       - "traefik.http.routers.${STACK_NAME}_collabora.middlewares=${STACK_NAME}_collabora-cors"
 
   onlyoffice:
-    image: onlyoffice/documentserver-de:9.2
-#    healthcheck:
-#      test: [ "CMD", "curl", "-f", "http://localhost/hosting/discovery" ]
-#      interval: 30s
-#      retries: 5
-#      start_period: 60s
-#      timeout: 10s
+    image: onlyoffice/documentserver-de:9.3.1.2
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://localhost/hosting/discovery" ]
+      interval: 30s
+      retries: 5
+      start_period: 60s
+      timeout: 10s
     environment:
       TZ: "Europe/Berlin"
       USE_UNAUTHORIZED_STORAGE: "true"
@@ -348,7 +350,7 @@ services:
 
 
   web:
-    image: nginx:1.29
+    image: nginx:1.31.2
     configs:
       - source: nginx_conf
         target: /etc/nginx/conf.d/default.conf
@@ -390,6 +392,12 @@ configs:
   abra_entrypoint:
     name: ${STACK_NAME}_entrypoint_${ABRA_ENTRYPOINT_VERSION}
     file: abra-entrypoint.sh
+  migrate:
+    name: ${STACK_NAME}_migrate_${MIGRATE_VERSION}
+    file: migrate.sh
+  minio_initialize:
+    name: ${STACK_NAME}_minio_initialize_${MINIO_INITIALIZE_VERSION}
+    file: minio-initialize.sh
   onlyoffice_conf:
     name: ${STACK_NAME}_onlyoffice_conf_${ONLYOFFICE_CONF_VERSION}
     file: onlyoffice-config.json.tmpl
@@ -413,7 +421,10 @@ secrets:
     name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION}
   minio_ru:
     external: true
-    name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION}
+    name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RU_VERSION}
+  collabora_p:
+    external: true
+    name: ${STACK_NAME}_collabora_p_${SECRET_COLLABORA_P_VERSION}
   email_pass:
     external: true
     name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}

migrate.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+
+# Load secrets into environment
+source /abra-entrypoint.sh -e
+
+# Wait for database to be ready (up to 30 seconds)
+i=0
+while ! python manage.py check --database default 2>/dev/null; do
+  i=$((i+1))
+  if [ "$i" -ge 30 ]; then
+    echo "migrate: timed out waiting for database" >&2
+    exit 1
+  fi
+  sleep 1
+done
+
+# Idempotent: skip if no pending migrations
+if python manage.py migrate --check > /dev/null 2>&1; then
+  echo "migrate: no pending migrations, skipping"
+  exit 0
+fi
+
+echo "migrate: applying pending migrations..."
+python manage.py migrate --noinput
+echo "migrate: done"

minio-initialize.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+# Wait for minio to be ready (up to 60 seconds)
+i=0
+while ! mc ready local 2>/dev/null; do
+  i=$((i+1))
+  if [ "$i" -ge 60 ]; then
+    echo "minio-initialize: timed out waiting for minio to be ready" >&2
+    exit 1
+  fi
+  sleep 1
+done
+
+MINIO_ROOT_USER="$(cat /run/secrets/minio_ru)"
+MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)"
+
+mc alias set drive http://localhost:9000 "${MINIO_ROOT_USER}" "${MINIO_ROOT_PASSWORD}"
+
+# Idempotent: skip if bucket already exists
+if mc ls drive/drive-media-storage > /dev/null 2>&1; then
+  echo "minio-initialize: bucket 'drive-media-storage' already exists, skipping"
+  exit 0
+fi
+
+echo "minio-initialize: creating bucket 'drive-media-storage'..."
+mc mb drive/drive-media-storage
+mc version enable drive/drive-media-storage
+echo "minio-initialize: done"

pg_backup.sh

@@ -10,7 +10,7 @@ function backup {
 }
 
 function restore {
-    cd /var/lib/postgresql/data/
+    cd /var/lib/postgresql/data/pgdata
     restore_config(){
         # Restore allowed connections
         cat pg_hba.conf.bak > pg_hba.conf

release/0.7.0+v0.12.0

@@ -0,0 +1,9 @@
+**Breaking change:** The Collabora admin panel password is now a secret (`collabora_p`).
+
+After upgrading, you must generate the new secret for collabora to work:
+
+```
+abra app secret generate <app-domain> collabora_p v1
+abra app config <app-domain>  # set SECRET_COLLABORA_P_VERSION=v1
+```
+