I agree to the force random password, but let´s assume I want to move my data to another docker host. I deploy the new container and then I use ncp-restore with docker exec.
Of course the restore contains NOT the default passwords, but the activation page is still showing up. Is it enough to call the two commands from nc-passwd.sh ?
activate NCP
a2ensite ncp nextcloud
a2dissite ncp-activation
Moreover I think showing up the activation page at an early stage is a potential security issue for docker deployments in public areas. As soon as you run the docker compose command, Apache is up with the activation page, but the rest of the init takes a while, depending on your docker host. Since the public ip of your docker host is added to the trusted domains, there is enough time for one to get the random generated passwords.
Wouldn´t it be nice to have an option in the docker-compose.yaml to “secure” the deployment until a docker exec command to change the initial passwords is called ? Just an idea…