Release v7.0 (#4126)

.conf/desktop/gtk/.gtk-bookmarks

@@ -1,5 +1,5 @@
 file:/// /
-file:///root /root
+file:///root Home
 file:///mnt/dietpi_userdata DietPi User Data
 file:///mnt/samba Samba Client
 file:///mnt/nfs_client NFS Client

.conf/desktop/lxde/panel

@@ -1,25 +1,24 @@
 
 Global {
-    edge=bottom
-    allign=left
-    margin=0
-    widthtype=percent
-    width=100
-    height=36
-    transparent=0
-    tintcolor=#434343
-    alpha=255
-    autohide=0
-    heightwhenhidden=2
-    setdocktype=1
-    setpartialstrut=1
-    usefontcolor=1
-    fontsize=10
-    fontcolor=#ffffff
-    usefontsize=0
-    background=1
-    backgroundfile=/var/lib/dietpi/dietpi-software/installed/desktop/icons/grey_16x16.png
-    iconsize=34
+  edge=bottom
+  allign=left
+  margin=0
+  widthtype=percent
+  width=100
+  height=36
+  transparent=1
+  tintcolor=#313131
+  alpha=255
+  autohide=0
+  heightwhenhidden=2
+  setdocktype=1
+  setpartialstrut=1
+  usefontcolor=1
+  fontsize=10
+  fontcolor=#ffffff
+  usefontsize=0
+  background=0
+  iconsize=34
 }
 Plugin {
   type=space
@@ -109,7 +108,7 @@ Plugin {
     FlatButton=0
     MaxTaskWidth=150
     spacing=2
-	UseSmallerIcons=-1
+    UseSmallerIcons=-1
   }
 }
 Plugin {

.conf/dps_114/apache.nextcloud.conf

@@ -1,11 +1,11 @@
 # Location: /etc/apache2/sites-available/dietpi-nextcloud.conf
-# Based on: https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#apache-web-server-configuration
+# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/source_installation.rst#apache-web-server-configuration
 
-# Redirect OCM/OCS provider requests to Nextcloud endpoint
-Redirect permanent /ocm-provider /nextcloud/ocm-provider
-Redirect permanent /ocs-provider /nextcloud/ocs-provider
+# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
+Redirect permanent /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger
+Redirect permanent /.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo
 
-<Directory /var/www/nextcloud/>
+<Directory /var/www/nextcloud>
 	Require all granted
 	AllowOverride All
 	Options FollowSymLinks

.conf/dps_114/lighttpd.nextcloud.conf

@@ -1,11 +1,11 @@
 # Derived from:
 # - Apache: https://github.com/nextcloud/server/blob/master/.htaccess
-# - Nginx:  https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html
+# - Nginx:  https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst#nextcloud-in-a-subdir-of-the-nginx-webroot
 
 # Redirect OCM/OCS provider requests to Nextcloud endpoint:
 url.redirect += (
-	"^/ocm-provider" => "/nextcloud/ocm-provider",
-	"^/ocs-provider" => "/nextcloud/ocs-provider"
+	"^/.well-known/webfinger" => "/nextcloud/index.php/.well-known/webfinger",
+	"^/.well-known/nodeinfo" => "/nextcloud/index.php/.well-known/nodeinfo"
 )
 
 $HTTP["url"] =~ "^/nextcloud($|/)" {
@@ -17,17 +17,17 @@ $HTTP["url"] =~ "^/nextcloud($|/)" {
 	$HTTP["url"] =~ "^/nextcloud/(\.|autotest|occ|issue|indie|db_|console)" { url.access-deny = ("") }
 	# - Directory listing
 	dir-listing.activate = "disable"
-	# - Cache control and security headers for static resources
-	$HTTP["url"] =~ "^/nextcloud/.+[^/]\.(css|js|woff2?|svg|gif|map)$" {
+	# - Security and cache control headers for static resources
+	$HTTP["url"] =~ "\.(css|js|svg|gif|png|woff2?|map)$" {
 		setenv.add-response-header += (
-			"Cache-Control" => "public, max-age=15778463",
 			"Referrer-Policy" => "no-referrer",
 			"X-Content-Type-Options" => "nosniff",
 			"X-Download-Options" => "noopen",
 			"X-Frame-Options" => "SAMEORIGIN",
 			"X-Permitted-Cross-Domain-Policies" => "none",
 			"X-Robots-Tag" => "none",
 			"X-XSS-Protection" => "1; mode=block",
+			"Cache-Control" => "public, max-age=15778463",
 		)
 	}
 

.conf/dps_114/nginx.nextcloud.conf

@@ -1,25 +1,12 @@
-# Based on: https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-a-subdir-of-nginx
+# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst#nextcloud-in-a-subdir-of-the-nginx-webroot
 
-# Redirect OCM/OCS provider requests to Nextcloud endpoint:
-location ~ ^\/(?:ocm-provider|ocs-provider).* {
-	rewrite ^ /nextcloud$request_uri;
+# Redirect webfinger and nodeinfo requests to Nextcloud endpoint
+location ~ ^/\.well-known/(?:webfinger|nodeinfo) {
+	return 301 /nextcloud/index.php$request_uri;
 }
 
 location ^~ /nextcloud {
 
-	# Add headers to serve security related headers
-	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
-	add_header Referrer-Policy "no-referrer" always;
-	add_header X-Content-Type-Options "nosniff" always;
-	add_header X-Download-Options "noopen" always;
-	add_header X-Frame-Options "SAMEORIGIN" always;
-	add_header X-Permitted-Cross-Domain-Policies "none" always;
-	add_header X-Robots-Tag "none" always;
-	add_header X-XSS-Protection "1; mode=block" always;
-
-	# Remove X-Powered-By, which is an information leak
-	fastcgi_hide_header X-Powered-By;
-
 	# Set max upload size
 	client_max_body_size 1048576M;
 	fastcgi_buffers 64 4K;
@@ -32,22 +19,51 @@ location ^~ /nextcloud {
 	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
 	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-	# Uncomment if your server is build with the ngx_pagespeed module
-	# This module is currently not supported.
+	# Pagespeed is not supported by Nextcloud, so if your server is built
+	# with the `ngx_pagespeed` module, uncomment this line to disable it.
 	#pagespeed off;
 
-	location /nextcloud {
-		rewrite ^ /nextcloud/index.php;
-	}
+	# HTTP response headers borrowed from Nextcloud `.htaccess`
+	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+	add_header Referrer-Policy "no-referrer" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-Download-Options "noopen" always;
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-Permitted-Cross-Domain-Policies "none" always;
+	add_header X-Robots-Tag "none" always;
+	add_header X-XSS-Protection "1; mode=block" always;
 
-	location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-		deny all;
-	}
-	location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
-		deny all;
+	# Remove X-Powered-By, which is an information leak
+	fastcgi_hide_header X-Powered-By;
+
+	# Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
+	# here as the fallback means that Nginx always exhibits the desired behaviour
+	# when a client requests a path that corresponds to a directory that exists
+	# on the server. In particular, if that directory contains an index.php file,
+	# that file is correctly served; if it doesn't, then the request is passed to
+	# the front-end controller. This consistent behaviour means that we don't need
+	# to specify custom rules for certain paths (e.g. images and other assets,
+	# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+	# `try_files $uri $uri/ /nextcloud/index.php$request_uri`
+	# always provides the desired behaviour.
+	index index.php index.html /nextcloud/index.php$request_uri;
+
+	# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+	location = /nextcloud {
+		if ( $http_user_agent ~ ^DavClnt ) {
+			return 302 /nextcloud/remote.php/webdav/$is_args$args;
+		}
 	}
 
-	location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+	# Rules borrowed from `.htaccess` to hide certain paths from clients
+	location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+	location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+	# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+	# which handle static assets (as seen below). If this block is not declared first,
+	# then Nginx will encounter an infinite rewriting loop when it prepends
+	# `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
+	location ~ \.php(?:$|/) {
 		fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 		set $path_info $fastcgi_path_info;
 		try_files $fastcgi_script_name =404;
@@ -60,36 +76,21 @@ location ^~ /nextcloud {
 		fastcgi_pass php;
 		fastcgi_intercept_errors on;
 		fastcgi_request_buffering off;
-        }
-
-	location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
-		try_files $uri/ =404;
-		index index.php;
 	}
 
-	# Adding the cache control header for js and css files
-	# Make sure it is BELOW the PHP block
-	location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
+	location ~ \.(?:css|js|svg|gif)$ {
 		try_files $uri /nextcloud/index.php$request_uri;
-		add_header Cache-Control "public, max-age=15778463";
-		# Add headers to serve security related headers  (It is intended
-		# to have those duplicated to the ones above)
-		#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
-		add_header Referrer-Policy "no-referrer" always;
-		add_header X-Content-Type-Options "nosniff" always;
-		add_header X-Download-Options "noopen" always;
-		add_header X-Frame-Options "SAMEORIGIN" always;
-		add_header X-Permitted-Cross-Domain-Policies "none" always;
-		add_header X-Robots-Tag "none" always;
-		add_header X-XSS-Protection "1; mode=block" always;
-
-		# Optional: Don't log access to assets
-		access_log off;
+		expires 6M; # Cache-Control policy borrowed from `.htaccess`
+		access_log off; # Optional: Don't log access to assets
 	}
 
-	location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg)$ {
+	location ~ \.woff2?$ {
 		try_files $uri /nextcloud/index.php$request_uri;
-		# Optional: Don't log access to other assets
-		access_log off;
+		expires 7d; # Cache-Control policy borrowed from `.htaccess`
+		access_log off; # Optional: Don't log access to assets
+	}
+
+	location /nextcloud {
+		try_files $uri $uri/ /nextcloud/index.php$request_uri;
 	}
 }

.conf/dps_182/unbound.conf

@@ -0,0 +1,92 @@
+# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
+server:
+	# Do not daemonize, to allow proper systemd service control and status estimation.
+	do-daemonize: no
+
+	# A single thread is pretty sufficient for home or small office instances.
+	num-threads: 1
+
+	# Logging: For the sake of privacy and performance, keep logging at a minimum!
+	# - Verbosity 2 and up practically contains query and reply logs.
+	verbosity: 0
+	log-queries: no
+	log-replies: no
+	# - If required, uncomment to log to a file, else logs are available via "journalctl -u unbound".
+	#logfile: "/var/log/unbound.log"
+
+	# Set interface to "0.0.0.0" to make Unbound listen on all network interfaces.
+	# Set it to "127.0.0.1" to listen on requests from the same machine only, useful in combination with Pi-hole.
+	interface: 0.0.0.0
+	# Default DNS port is "53". When used with Pi-hole, set this to e.g. "5335", since "5353" is used by mDNS already.
+	port: 53
+
+	# Control IP ranges which should be able to use this Unbound instance.
+	# The DietPi defaults permit access from official local network IP ranges only, hence requests from www are denied.
+	access-control: 0.0.0.0/0 refuse
+	access-control: 10.0.0.0/8 allow
+	access-control: 127.0.0.1/8 allow
+	access-control: 172.16.0.0/12 allow
+	access-control: 192.168.0.0/16 allow
+	access-control: ::/0 refuse
+	access-control: ::1/128 allow
+	access-control: fd00::/8 allow
+	access-control: fe80::/10 allow
+
+	# Private IP ranges, which shall never be returned or forwarded as public DNS response.
+	# NB: 127.0.0.1/8 is sometimes used by adblock lists, hence DietPi by default allows those as response.
+	private-address: 10.0.0.0/8
+	private-address: 172.16.0.0/12
+	private-address: 192.168.0.0/16
+	private-address: 169.254.0.0/16
+	private-address: fd00::/8
+	private-address: fe80::/10
+
+	# Define protocols for connections to and from Unbound.
+	# NB: Disabling IPv6 does not disable IPv6 IP resolving, which depends on the clients request.
+	do-udp: yes
+	do-tcp: yes
+	do-ip4: yes
+	do-ip6: yes
+	prefer-ip6: no
+
+	# DNS root server information file. Update regularly via: "curl -# https://www.internic.net/domain/named.root > /var/lib/unbound/root.hints"
+	root-hints: "/var/lib/unbound/root.hints"
+
+	# Maximum number of queries per second
+	ratelimit: 1000
+
+	# Defend against and print warning when reaching unwanted reply limit.
+	unwanted-reply-threshold: 10000
+
+	# Set EDNS reassembly buffer size to match new upstream default, as of DNS Flag Day 2020 recommendation.
+	edns-buffer-size: 1232
+
+	# Increase incoming and outgoing query buffer size to cover traffic peaks.
+	so-rcvbuf: 4m
+	so-sndbuf: 4m
+
+	# Hardening
+	harden-glue: yes
+	harden-dnssec-stripped: yes
+	harden-algo-downgrade: yes
+	harden-large-queries: yes
+	harden-short-bufsize: yes
+
+	# Privacy
+	use-caps-for-id: yes # Spoof protection by randomising capitalisation
+	rrset-roundrobin: yes
+	qname-minimisation: yes
+	minimal-responses: yes
+	hide-identity: yes
+	identity: "Server" # Purposefully a dummy identity name
+	hide-version: yes
+
+	# Caching
+	cache-min-ttl: 300
+	cache-max-ttl: 86400
+	serve-expired: yes
+	neg-cache-size: 4M
+	prefetch: yes
+	prefetch-key: yes
+	msg-cache-size: 50m
+	rrset-cache-size: 100m

.conf/dps_39/minidlna.conf

@@ -9,11 +9,9 @@ media_dir=V,/mnt/dietpi_userdata/Video
 # Path to the directory that should hold the database and album art cache.
 db_dir=/mnt/dietpi_userdata/.MiniDLNA_Cache
 
-# Path to the directory that should hold the log file.
-log_dir=/var/log
-
 # Must be one of "off", "fatal", "error", "warn", "info" or "debug".
-# "off" turns of logging entirely, "fatal" is the highest level of importance
+# "off" turns of logging entirely, "fatal" is the highest level of importance.
+# Access logs via: "journalctl -u minidlna"
 log_level=warn
 
 # Use a different container as the root of the directory tree presented to

.conf/dps_59/raspimjpeg.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/dash
 {
 	#////////////////////////////////////
 	# DietPi Raspimjpeg control Script
@@ -7,7 +7,7 @@
 	# Created by Daniel Knight / [email protected] / dietpi.com
 	#
 	# Info:
-	# - Location: /var/lib/dietpi/dietpi-software/services/raspimjpeg.sh
+	# - Location: /var/lib/dietpi/dietpi-software/installed/raspimjpeg.sh
 	# - Allows service control for Raspimjpeg and PHP schedule, used by RPi Camera Web
 	# - Called from /etc/systemd/system/raspimjpeg.service
 	#
@@ -24,17 +24,17 @@
 		mkdir -p /dev/shm/mjpeg
 		chown www-data:www-data /dev/shm/mjpeg
 		chmod 777 /dev/shm/mjpeg
-		sudo -u www-data raspimjpeg &> /dev/null &
+		sudo -u www-data raspimjpeg > /dev/null 2>&1 &
 		sleep 4
-		sudo -u www-data php /var/www/rpicam/schedule.php &> /dev/null &
+		sudo -u www-data php /var/www/rpicam/schedule.php > /dev/null 2>&1 &
 
 	}
 
-	if [[ $1 == 'stop' ]]; then
+	if [ "$1" = 'stop' ]; then
 
 		Raspimjeg_Stop
 
-	elif [[ $1 == 'start' ]]; then
+	elif [ "$1" = 'start' ]; then
 
 		Raspimjeg_Start