forked from coop-cloud/nextcloud
		
	Compare commits
	
		
			2 Commits
		
	
	
		
			add-themin
			...
			authentik_
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 97be5543f9 | |||
| 212559c8fc | 
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										16
									
								
								.drone.yml
									
									
									
									
									
								
							| @ -31,19 +31,3 @@ steps: | ||||
| trigger: | ||||
|   branch: | ||||
|     - main | ||||
| --- | ||||
| kind: pipeline | ||||
| name: generate recipe catalogue | ||||
| steps: | ||||
|   - name: release a new version | ||||
|     image: plugins/downstream | ||||
|     settings: | ||||
|       server: https://build.coopcloud.tech | ||||
|       token: | ||||
|         from_secret: drone_abra-bot_token | ||||
|       fork: true | ||||
|       repositories: | ||||
|         - coop-cloud/auto-recipes-catalogue-json | ||||
|  | ||||
| trigger: | ||||
|   event: tag | ||||
|  | ||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										47
									
								
								.env.sample
									
									
									
									
									
								
							| @ -1,6 +1,4 @@ | ||||
| TYPE=nextcloud | ||||
| TIMEOUT=900 | ||||
| ENABLE_AUTO_UPDATE=true | ||||
|  | ||||
| DOMAIN=nextcloud.example.com | ||||
| ## Domain aliases | ||||
| @ -11,8 +9,6 @@ COMPOSE_FILE="compose.yml" | ||||
| COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml" | ||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml" | ||||
|  | ||||
| #MAX_DB_CONNECTIONS=500 | ||||
|  | ||||
| ADMIN_USER=admin | ||||
|  | ||||
| SECRET_DB_ROOT_PASSWORD_VERSION=v1 | ||||
| @ -21,12 +17,11 @@ SECRET_ADMIN_PASSWORD_VERSION=v1 | ||||
|  | ||||
| EXTRA_VOLUME=/dev/null:/tmp/.dummy | ||||
|  | ||||
| PHP_MEMORY_LIMIT=1G | ||||
| # fpm-tune, see: https://spot13.com/pmcalculator/ | ||||
| FPM_MAX_CHILDREN=16 | ||||
| FPM_START_SERVERS=4 | ||||
| FPM_MIN_SPARE_SERVERS=4 | ||||
| FPM_MAX_SPARE_SERVERS=12 | ||||
| FPM_MAX_CHILDREN=131 | ||||
| FPM_START_SERVERS=32 | ||||
| FPM_MIN_SPARE_SERVERS=32 | ||||
| FPM_MAX_SPARE_SERVERS=98 | ||||
|  | ||||
| DEFAULT_QUOTA="10 GB" | ||||
|  | ||||
| @ -44,35 +39,21 @@ DEFAULT_QUOTA="10 GB" | ||||
| # MAIL_DOMAIN= | ||||
| # SECRET_SMTP_PASSWORD_VERSION=v1 | ||||
|  | ||||
| ## Customization | ||||
| # THEMING_COLOR= | ||||
| # THEMING_SLOGAN= | ||||
| # COPY_ASSETS="flow_background.jpg|app:/var/www/html/themes/background.jpg" | ||||
| # COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/var/www/html/themes/logo.svg" | ||||
| # COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/icon.png" | ||||
|  | ||||
| # APPS="calendar" | ||||
|  | ||||
| # COLLABORA_URL=https://collabora.example.com | ||||
|  | ||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml" | ||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" | ||||
| # APPS="calendar sociallogin onlyoffice" | ||||
| # | ||||
| # ONLYOFFICE_URL=https://onlyoffice.example.com | ||||
| # APPS="$APPS onlyoffice" | ||||
| # SECRET_ONLYOFFICE_JWT_VERSION=v1 | ||||
|  | ||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.bbb.yml" | ||||
| # | ||||
| # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! | ||||
| # SECRET_BBB_SECRET_VERSION=v1 | ||||
|  | ||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" | ||||
| # APPS="$APPS sociallogin" | ||||
| # AUTHENTIK_USER_PREFIX=authentik | ||||
| # AUTHENTIK_DOMAIN=authentik.example.com | ||||
| # SECRET_AUTHENTIK_SECRET_VERSION=v1 | ||||
| # SECRET_AUTHENTIK_ID_VERSION=v1 | ||||
| # | ||||
| # OCC_CMDS="app:disable dashboard" | ||||
| # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1" | ||||
| # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1" | ||||
|  | ||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml" | ||||
| #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1 | ||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" | ||||
| # AUTHENTIK_USER_PREFIX=authentik | ||||
| # AUTHENTIK_DOMAIN=authentik.example.com | ||||
| # AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik | ||||
| # AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik | ||||
|  | ||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										45
									
								
								README.md
									
									
									
									
									
								
							| @ -6,10 +6,10 @@ Fully automated luxury Nextcloud via docker-swarm. | ||||
|  | ||||
| <!-- metadata --> | ||||
| * **Category**: Apps | ||||
| * **Status**: 5 | ||||
| * **Status**: 2, beta | ||||
| * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream | ||||
| * **Healthcheck**: Yes | ||||
| * **Backups**: Yes | ||||
| * **Backups**: No | ||||
| * **Email**: 3 | ||||
| * **Tests**: 2 | ||||
| * **SSO**: 1 (OAuth) | ||||
| @ -17,6 +17,7 @@ Fully automated luxury Nextcloud via docker-swarm. | ||||
|  | ||||
| ## Quick start | ||||
|  | ||||
|  | ||||
| * `abra app new nextcloud` | ||||
| * `abra app config <app-name>` | ||||
| * `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>` | ||||
| @ -119,7 +120,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the | ||||
| ``` | ||||
|   'oidc_login_client_id' => 'nextcloud', | ||||
|   'oidc_login_client_secret' => 'mysecret', | ||||
|   'oidc_login_provider_url' => 'https://example.com/realms/myrealm', | ||||
|   'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm', | ||||
|   'oidc_login_disable_registration' => false, | ||||
|   'oidc_login_hide_password_form' => true, | ||||
|   'oidc_login_button_text' => 'Log in with your myssodomain', | ||||
| @ -243,41 +244,3 @@ docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-ge | ||||
| ``` | ||||
|  | ||||
| This app will improve performance of image browsing at the cost of storage space. | ||||
|  | ||||
| ## Fulltextsearch using elasticsearch | ||||
|  | ||||
| 1. Uncomment the following lines in your env file: | ||||
| ``` | ||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml" | ||||
| #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1 | ||||
| ``` | ||||
|  | ||||
| 2. Generate the secret for elasticsearch: | ||||
| ```bash | ||||
| abra app secret generate <domain> elasticsearch_password v1 | ||||
| ``` | ||||
|  | ||||
| 3. Deploy your app: | ||||
| ```bash | ||||
| abra app deploy <domain> | ||||
| ``` | ||||
|  | ||||
| 4. Install the apps and configure them: | ||||
| ``` | ||||
| abra app cmd <domain> app install_fulltextsearch | ||||
| ``` | ||||
|  | ||||
| 5. You might need to configure the files_fulltextsearch app. run this command to check its settings: | ||||
| ``` | ||||
| abra app cmd <domain> app run_occ '"config:list files_fulltextsearch" | ||||
| ``` | ||||
|  | ||||
| 6. You can check if the nextcloud can connect to elasticsearch: | ||||
| ``` | ||||
| abra app cmd <domain> app run_occ '"fulltextsearch:test"' | ||||
| ``` | ||||
|  | ||||
| And you can populate the index manually and check if any errors occur: | ||||
| ``` | ||||
| abra app cmd <domain> app run_occ '"fulltextsearch:index"' | ||||
| ``` | ||||
|  | ||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										115
									
								
								abra.sh
									
									
									
									
									
								
							| @ -1,117 +1,63 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| export FPM_TUNE_VERSION=v5 | ||||
| export NGINX_CONF_VERSION=v7 | ||||
| export MY_CNF_VERSION=v5 | ||||
| export NGINX_CONF_VERSION=v4 | ||||
| export MY_CNF_VERSION=v4 | ||||
| export ENTRYPOINT_VERSION=v3 | ||||
| export CRONTAB_VERSION=v1 | ||||
|  | ||||
| run_occ() { | ||||
| run_occ(){ | ||||
|     su -p www-data -s /bin/sh -c "/var/www/html/occ $@" | ||||
| } | ||||
|  | ||||
| post_install_occ() { | ||||
|     IFS='|' read -ra CMD <<<"$OCC_CMDS" | ||||
| post_install_occ(){ | ||||
|     IFS='|' read -ra CMD <<< "$OCC_CMDS" | ||||
|     for cmd in "${CMD[@]}"; do | ||||
|         run_occ "$cmd" | ||||
|       run_occ "$cmd" | ||||
|     done | ||||
| } | ||||
|  | ||||
| install_apps() { | ||||
| install_apps(){ | ||||
|     install_apps="$@" | ||||
|     if [ -z "$install_apps" ]; then | ||||
|     if [ -z "$install_apps" ] | ||||
|     then | ||||
|         install_apps=$APPS | ||||
|     fi | ||||
|     for app in $install_apps; do | ||||
|     for app in $install_apps | ||||
|     do | ||||
|         run_occ "app:install $app" | ||||
|     done | ||||
| } | ||||
|  | ||||
| set_app_config() { | ||||
| set_app_config(){ | ||||
|     APP=$1 | ||||
|     KEY=$2 | ||||
|     VALUE=$3 | ||||
|     run_occ "config:app:set $APP $KEY --value '$VALUE'" | ||||
| } | ||||
|  | ||||
| set_system_config() { | ||||
|     KEY=$1 | ||||
|     VALUE=$2 | ||||
|     run_occ "config:system:set $KEY --value '$VALUE'" | ||||
| } | ||||
|  | ||||
| set_trusted_proxies() { | ||||
|     trusted_proxies="$@" | ||||
|     if [ -z "$1" ]; then | ||||
|         trusted_proxies="$TRUSTED_PROXIES" | ||||
|     fi | ||||
|     set_system_config trusted_proxies "$trusted_proxies" | ||||
| } | ||||
|  | ||||
| set_logfile_stdout() { | ||||
|     set_system_config logfile '/dev/stdout' | ||||
| } | ||||
|  | ||||
| customize() { | ||||
|     if [ -z "$1" ] | ||||
|     then | ||||
|             echo "Usage: ... customize <assets_path>" | ||||
|             exit 1 | ||||
|     fi | ||||
|     asset_dir=$1 | ||||
|     for asset in $COPY_ASSETS; do | ||||
|         source=$(echo $asset | cut -d "|" -f1) | ||||
|         target=$(echo $asset | cut -d "|" -f2) | ||||
|         echo copy $source to $target | ||||
|         abra app cp $APP_NAME $asset_dir/$source $target | ||||
|     done | ||||
|  | ||||
|     abra app cmd -T $APP_NAME app set_app_config theming color \"$THEMING_COLOR\" | ||||
|     abra app cmd -T $APP_NAME app set_app_config theming slogan \"$THEMING_SLOGAN\" | ||||
|     abra app cmd -T $APP_NAME app run_occ '"theming:config background \"/var/www/html/themes/flow_background.jpg\""' | ||||
|     abra app cmd -T $APP_NAME app run_occ '"theming:config logo \"/var/www/html/themes/icon_left_brand.svg\""' | ||||
|     abra app cmd -T $APP_NAME app run_occ '"theming:config logoheader \"/var/www/html/themes/icon.png\""' | ||||
| } | ||||
|  | ||||
| install_bbb() { | ||||
| install_bbb(){ | ||||
|     install_apps bbb | ||||
|     set_app_config bbb app.navigation true | ||||
|     set_app_config bbb api.url "$BBB_URL" | ||||
|     set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)" | ||||
| } | ||||
|  | ||||
| install_onlyoffice() { | ||||
| install_onlyoffice(){ | ||||
|     install_apps onlyoffice | ||||
|     set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL" | ||||
|     set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)" | ||||
|     set_app_config onlyoffice customizationForcesave true | ||||
| } | ||||
|  | ||||
| install_collabora() { | ||||
|     install_apps richdocuments | ||||
|     set_app_config richdocuments wopi_url "$COLLABORA_URL" | ||||
| set_default_quota(){ | ||||
|     set_app_config files default_quota '"$DEFAULT_QUOTA"' | ||||
| } | ||||
|  | ||||
| install_fulltextsearch() { | ||||
|     install_apps fulltextsearch | ||||
|     install_apps fulltextsearch_elasticsearch | ||||
|     install_apps files_fulltextsearch | ||||
|     set_app_config fulltextsearch search_platform "OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform" | ||||
|     set_app_config fulltextsearch_elasticsearch elastic_host "http://elastic:$(cat /run/secrets/elasticsearch_password)@elasticsearch:9200/" | ||||
|     set_app_config fulltextsearch_elasticsearch elastic_index "nextcloud" | ||||
|     set_app_config files_fulltextsearch files_local "1" | ||||
| } | ||||
|  | ||||
| set_default_quota() { | ||||
|     set_app_config files default_quota "$DEFAULT_QUOTA" | ||||
| } | ||||
|  | ||||
| set_authentik() { | ||||
|     install_apps sociallogin | ||||
|     AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret) | ||||
|     AUTHENTIK_ID=$(cat /run/secrets/authentik_id) | ||||
|     set_system_config logo_url https://$AUTHENTIK_DOMAIN | ||||
|     set_app_config sociallogin custom_providers " | ||||
| set_authentik(){ | ||||
| install_apps sociallogin | ||||
| AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret) | ||||
| AUTHENTIK_ID=$(cat /run/secrets/authentik_id) | ||||
| set_app_config sociallogin custom_providers " | ||||
| { | ||||
|     \"custom_oidc\":[ | ||||
|     { | ||||
| @ -129,21 +75,16 @@ set_authentik() { | ||||
|         \"style\":\"openid\", | ||||
|         \"defaultGroup\":\"\", | ||||
|         \"groupMapping\": { | ||||
|           \"admin\": \"admin\", | ||||
|           \"authentik Admins\": \"admin\" | ||||
|           \"admin\": \"admin\" | ||||
|         } | ||||
|     } | ||||
| ] | ||||
| }" | ||||
|  | ||||
|     set_app_config sociallogin update_profile_on_login 1 | ||||
|     set_app_config sociallogin auto_create_groups 1 | ||||
|     set_app_config sociallogin hide_default_login 1 | ||||
|     run_occ 'config:system:set social_login_auto_redirect --value true' | ||||
|     run_occ 'config:system:set allow_user_to_change_display_name --value=false' | ||||
|     run_occ 'config:system:set lost_password_link --value=disabled' | ||||
| } | ||||
|  | ||||
| disable_skeletondirectory() { | ||||
|     run_occ "config:system:set skeletondirectory --value ''" | ||||
| set_app_config sociallogin update_profile_on_login 1 | ||||
| set_app_config sociallogin auto_create_groups 1 | ||||
| set_app_config sociallogin hide_default_login 1 | ||||
| run_occ 'config:system:set social_login_auto_redirect --value true' | ||||
| run_occ 'config:system:set allow_user_to_change_display_name --value=false' | ||||
| run_occ 'config:system:set lost_password_link --value=disabled' | ||||
| } | ||||
|  | ||||
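Review bot: `run_occ` splices its arguments into the string handed to `sh -c` (`"/var/www/html/occ $@"`), so every value is parsed a second time by the inner shell, and `set_app_config` wraps the value in `'$VALUE'` without escaping it. The values that reach this path include `OCC_CMDS`, `BBB_URL` and the secrets read with `cat /run/secrets/...` in `install_bbb`, `install_onlyoffice` and `set_authentik`. A single quote in any of them ends the quoting, and the remainder is interpreted as shell by `www-data`; the secret is also visible in the process arguments while `occ` runs. Escaping the value in `set_app_config` before it is interpolated closes the quoting gap, e.g. `VALUE=${3//\'/\'\\\'\'}`. In `run_occ`, `$*` states the intended joining, because `$@` inside a longer quoted string passes only the first argument to `-c` when there are several.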
| @ -1,24 +0,0 @@ | ||||
| authentik: | ||||
|     uncomment: | ||||
|         - compose.authentik.yml | ||||
|         - AUTHENTIK_USER_PREFIX | ||||
|         - AUTHENTIK_DOMAIN | ||||
|         - SECRET_AUTHENTIK_SECRET_VERSION | ||||
|         - SECRET_AUTHENTIK_ID_VERSION | ||||
|     initial-hooks: | ||||
|         - app set_authentik | ||||
|     shared_secrets: | ||||
|         nextcloud_secret: authentik_secret | ||||
|         nextcloud_id: authentik_id | ||||
| onlyoffice: | ||||
|     uncomment: | ||||
|         - compose.onlyoffice.yml | ||||
|         - ONLYOFFICE_URL | ||||
|         - SECRET_ONLYOFFICE_JWT_VERSION | ||||
|     initial-hooks: | ||||
|         - app install_onlyoffice | ||||
| collabora: | ||||
|     uncomment: | ||||
|         - COLLABORA_URL | ||||
|     initial-hooks: | ||||
|         - app install_collabora | ||||
| @ -3,10 +3,16 @@ services: | ||||
|   app: | ||||
|     secrets: | ||||
|       - onlyoffice_jwt | ||||
|       - bbb_secret | ||||
|     environment: | ||||
|       - APPS | ||||
|       - ONLYOFFICE_URL | ||||
|       - BBB_URL | ||||
| 
 | ||||
| secrets: | ||||
|   onlyoffice_jwt: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_onlyoffice_jwt_${SECRET_ONLYOFFICE_JWT_VERSION} | ||||
|   bbb_secret: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION} | ||||
| @ -8,7 +8,7 @@ services: | ||||
| secrets: | ||||
|   authentik_secret: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION} | ||||
|     name: ${AUTHENTIK_SECRET_NAME} | ||||
|   authentik_id: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION} | ||||
|     name: ${AUTHENTIK_ID_NAME} | ||||
|  | ||||
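Review bot: The two secret names are taken verbatim from `AUTHENTIK_SECRET_NAME` and `AUTHENTIK_ID_NAME`, so this stack mounts secret objects that appear to belong to the authentik deployment, and nothing fails early when either variable is unset or mistyped. If the deploy tooling supports the required-variable form, `name: ${AUTHENTIK_SECRET_NAME:?AUTHENTIK_SECRET_NAME must be set}` (and the same for the id) turns an empty name into a clear error. A comment above the block would also help operators, for example `# secret objects are created by the authentik stack; names must match exactly`. The `services:` part of the file lies outside the hunk, and the side of each line is inferred from the hunk counts.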
| @ -1,12 +0,0 @@ | ||||
| version: "3.8" | ||||
| services: | ||||
|   app: | ||||
|     secrets: | ||||
|       - bbb_secret | ||||
|     environment: | ||||
|       - BBB_URL | ||||
|  | ||||
| secrets: | ||||
|   bbb_secret: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION} | ||||
| @ -1,55 +0,0 @@ | ||||
| version: "3.8" | ||||
|  | ||||
| services: | ||||
|   elasticsearch: | ||||
|     image: "docker.elastic.co/elasticsearch/elasticsearch:8.15.0" | ||||
|     environment: | ||||
|       - cluster.name=docker-cluster | ||||
|       - bootstrap.memory_lock=true | ||||
|       - "ES_JAVA_OPTS=-Xms512m -Xmx512m" | ||||
|       - discovery.type=single-node | ||||
|       # Disable authentication and ssl completely | ||||
|       # - xpack.security.enabled=false | ||||
|       # Use this to enable Basic Authentication: | ||||
|       - xpack.security.enabled=true | ||||
|       - xpack.security.http.ssl.enabled=false | ||||
|       - ELASTIC_PASSWORD_FILE=/var/run/secrets/elasticsearch_password | ||||
|     ulimits: | ||||
|       memlock: | ||||
|         soft: -1 | ||||
|         hard: -1 | ||||
|     volumes: | ||||
|       - elasticsearch:/usr/share/elasticsearch/data | ||||
|     networks: | ||||
|       - internal | ||||
|     secrets: | ||||
|       - source: elasticsearch_password | ||||
|         uid: "1000" | ||||
|         gid: "1000" | ||||
|         mode: 0600 | ||||
|  | ||||
|   searchindexer: | ||||
|     image: nextcloud:29.0.5-fpm | ||||
|     volumes: | ||||
|       - nextcloud:/var/www/html/ | ||||
|       - nextapps:/var/www/html/custom_apps:cached | ||||
|       - nextdata:/var/www/html/data:cached | ||||
|       - nextconfig:/var/www/html/config:cached | ||||
|       - ${EXTRA_VOLUME} | ||||
|     networks: | ||||
|       - internal | ||||
|     entrypoint: su -p www-data -s /bin/sh -c '/var/www/html/occ fulltextsearch:live' | ||||
|  | ||||
|   # Add the secret to the app service so it is avaiable in the | ||||
|   # install_fulltextsearch command | ||||
|   app: | ||||
|     secrets: | ||||
|       - elasticsearch_password | ||||
|  | ||||
| secrets: | ||||
|   elasticsearch_password: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_elasticsearch_password_${SECRET_ELASTICSEARCH_PASSWORD_VERSION} | ||||
|  | ||||
| volumes: | ||||
|   elasticsearch: | ||||
| @ -15,7 +15,6 @@ services: | ||||
|       - MYSQL_USER=nextcloud | ||||
|       - MYSQL_PASSWORD_FILE=/run/secrets/db_password | ||||
|       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password | ||||
|       - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100} | ||||
|     configs: | ||||
|       - source: my_tune | ||||
|         target: /etc/mysql/conf.d/my-tune.cnf | ||||
| @ -29,9 +28,9 @@ services: | ||||
|     deploy: | ||||
|       labels: | ||||
|           backupbot.backup: "true" | ||||
|           backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql' | ||||
|           backupbot.backup.post-hook: "rm -rf /var/lib/mysql/backup.sql" | ||||
|           backupbot.backup.path: "/var/lib/mysql/backup.sql" | ||||
|           backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql' | ||||
|           backupbot.backup.post-hook: "rm -rf /tmp/backup" | ||||
|           backupbot.backup.path: "/tmp/backup/" | ||||
|     healthcheck: | ||||
|       test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping'] | ||||
|       interval: 30s | ||||
| @ -42,12 +41,6 @@ configs: | ||||
|   my_tune: | ||||
|     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION} | ||||
|     file: my-tune.cnf | ||||
|     template_driver: golang | ||||
|  | ||||
| secrets: | ||||
|   db_root_password: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION} | ||||
|  | ||||
| volumes: | ||||
|   mariadb: | ||||
|  | ||||
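Review bot: The backup pre-hook in the second hunk passes the root password as a command-line argument (`-p"$$(cat /run/secrets/db_root_password)"`), as does the `mysqladmin` healthcheck, so it can be read from the process list while the command runs. The PostgreSQL hook on this page passes its password through the environment (`PGPASSWORD=...`); the same shape should work here if the client honours it, e.g. `MYSQL_PWD="$$(cat /run/secrets/db_root_password)" mysqldump --single-transaction -u root nextcloud > /tmp/backup/backup.sql`. The dump is written to `/tmp/backup/` and removed only by the post-hook, so starting the pre-hook with `umask 077` and confirming that the post-hook also runs after a failed backup are worth adding. Which lines belong to the new side is inferred from the hunk counts, since the page has no `+`/`-` markers.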
| @ -10,8 +10,7 @@ services: | ||||
|       - NEXTCLOUD_UPDATE=1 | ||||
|  | ||||
|   db: | ||||
|     image: "postgres:13" | ||||
|     command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}" | ||||
|     image: "postgres:12" | ||||
|     volumes: | ||||
|       - "postgres:/var/lib/postgresql/data" | ||||
|     networks: | ||||
| @ -23,16 +22,16 @@ services: | ||||
|     secrets: | ||||
|       - db_password | ||||
|     healthcheck: | ||||
|       test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"] | ||||
|       test: ["CMD-SHELL", "pg_isready"] | ||||
|       interval: 10s | ||||
|       timeout: 5s | ||||
|       retries: 5 | ||||
|     deploy: | ||||
|       labels: | ||||
|             backupbot.backup: "true" | ||||
|             backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql" | ||||
|             backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql" | ||||
|             backupbot.backup.path: "/var/lib/postgresql/data/" | ||||
|             backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql" | ||||
|             backupbot.backup.post-hook: "rm -rf /tmp/backup" | ||||
|             backupbot.backup.path: "/tmp/backup/" | ||||
|  | ||||
| volumes: | ||||
|   postgres: | ||||
|  | ||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										42
									
								
								compose.yml
									
									
									
									
									
								
							| @ -1,9 +1,7 @@ | ||||
| version: "3.8" | ||||
| services: | ||||
|   web: | ||||
|     image: nginx:1.27.1 | ||||
|     depends_on: | ||||
|       - app | ||||
|     image: nginx:1.23.3 | ||||
|     configs: | ||||
|       - source: nginx_conf | ||||
|         target: /etc/nginx/nginx.conf | ||||
| @ -35,9 +33,6 @@ services: | ||||
|         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" | ||||
|         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" | ||||
|         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" | ||||
|         - "caddy=${DOMAIN}" | ||||
|         - "caddy.reverse_proxy={{upstreams 80}}" | ||||
|         - "caddy.tls.on_demand=" | ||||
|     healthcheck: | ||||
|       test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"'] | ||||
|       interval: 30s | ||||
| @ -46,12 +41,12 @@ services: | ||||
|       start_period: 5m | ||||
|  | ||||
|   app: | ||||
|     image: nextcloud:29.0.5-fpm | ||||
|     image: nextcloud:25.0.4-fpm | ||||
|     depends_on: | ||||
|       - db | ||||
|     configs: | ||||
|       - source: fpm_tune | ||||
|         target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf | ||||
|         target: /usr/local/etc/php-fpm.d/fpm-tune.conf | ||||
|       - source: entrypoint | ||||
|         target: /custom-entrypoint.sh | ||||
|         mode: 555 | ||||
| @ -69,14 +64,14 @@ services: | ||||
|       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER} | ||||
|       - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password | ||||
|       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN} | ||||
|       - TRUSTED_PROXIES=10.0.0.0/8 | ||||
|       - TRUSTED_PROXIES=traefik | ||||
|       - REDIS_HOST=cache | ||||
|       - OVERWRITEPROTOCOL=https | ||||
|       - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G} | ||||
|       - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131} | ||||
|       - FPM_START_SERVERS=${FPM_START_SERVERS:-32} | ||||
|       - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32} | ||||
|       - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98} | ||||
|       - PHP_MEMORY_LIMIT=1G | ||||
|       - FPM_MAX_CHILDREN=131 | ||||
|       - FPM_START_SERVERS=32 | ||||
|       - FPM_MIN_SPARE_SERVERS=32 | ||||
|       - FPM_MAX_SPARE_SERVERS=98 | ||||
|       - DEFAULT_QUOTA | ||||
|     volumes: | ||||
|       - nextcloud:/var/www/html/ | ||||
| @ -91,8 +86,7 @@ services: | ||||
|         failure_action: rollback | ||||
|         order: start-first | ||||
|       labels: | ||||
|         - "coop-cloud.${STACK_NAME}.version=9.1.0+29.0.5-fpm" | ||||
|         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" | ||||
|         - "coop-cloud.${STACK_NAME}.version=3.1.2+25.0.4-fpm" | ||||
|         - "backupbot.backup=true" | ||||
|         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/" | ||||
|     healthcheck: | ||||
| @ -100,10 +94,10 @@ services: | ||||
|       interval: 30s | ||||
|       timeout: 10s | ||||
|       retries: 10 | ||||
|       start_period: 15m | ||||
|       start_period: 5m | ||||
|  | ||||
|   cron: | ||||
|     image: nextcloud:29.0.5-fpm | ||||
|     image: nextcloud:25.0.4-fpm | ||||
|     volumes: | ||||
|       - nextcloud:/var/www/html/ | ||||
|       - nextapps:/var/www/html/custom_apps:cached | ||||
| @ -113,13 +107,9 @@ services: | ||||
|     networks: | ||||
|       - internal | ||||
|     entrypoint: /cron.sh | ||||
|     configs: | ||||
|       - source: crontab | ||||
|         target: /var/spool/cron/crontabs/www-data | ||||
|  | ||||
|  | ||||
|   cache: | ||||
|     image: redis:7.4.0-alpine | ||||
|     image: redis:7.0.9-alpine | ||||
|     networks: | ||||
|       - internal | ||||
|     volumes: | ||||
| @ -131,6 +121,9 @@ services: | ||||
|       retries: 20 | ||||
|  | ||||
| secrets: | ||||
|   db_root_password: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION} | ||||
|   db_password: | ||||
|     external: true | ||||
|     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} | ||||
| @ -159,9 +152,6 @@ configs: | ||||
|     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} | ||||
|     file: entrypoint.sh.tmpl | ||||
|     template_driver: golang | ||||
|   crontab: | ||||
|     name: ${STACK_NAME}_crontab_${CRONTAB_VERSION} | ||||
|     file: crontab | ||||
|  | ||||
| networks: | ||||
|   proxy: | ||||
|  | ||||
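Review bot: `TRUSTED_PROXIES=traefik` in the `app` environment is a hostname, while Nextcloud's `trusted_proxies` setting is, as far as I know, compared against the connecting IP address or a CIDR range. If the name never matches, forwarded client addresses are ignored and every request appears to come from the proxy, which weakens per-client brute-force throttling and makes the access log unusable for attribution. The other variant on this page, `10.0.0.0/8`, does match but trusts far more than the proxy; a value limited to the proxy network is the safer form, e.g. `- TRUSTED_PROXIES=${TRUSTED_PROXIES:-<proxy-network-cidr>}` with the placeholder filled in per deployment. The image tags in this section (`nextcloud:25.0.4-fpm`, `nginx:1.23.3`, `redis:7.0.9-alpine`) should also be checked against currently supported releases before deployment.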
| @ -13,7 +13,7 @@ key_buffer_size                = 16M | ||||
| innodb_log_file_size           = 256M | ||||
| long_query_time                = 1 | ||||
| max_allowed_packet             = 256M | ||||
| max_connections                = {{ env "MAX_DB_CONNECTIONS" }} | ||||
| max_connections                = 100 | ||||
| max_heap_table_size            = 64M | ||||
| max_user_connections           = 0 | ||||
| myisam_recover_options         = BACKUP | ||||
|  | ||||
| @ -11,10 +11,6 @@ events { | ||||
|  | ||||
| http { | ||||
|     include       /etc/nginx/mime.types; | ||||
|     # See https://github.com/nextcloud/forms/issues/1838#issuecomment-1860497200 | ||||
|     types { | ||||
|         application/javascript js mjs; | ||||
|     } | ||||
|     default_type  application/octet-stream; | ||||
|  | ||||
|     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' | ||||
| @ -63,12 +59,12 @@ http { | ||||
|         #pagespeed off; | ||||
|  | ||||
|         # HTTP response headers borrowed from Nextcloud `.htaccess` | ||||
|         add_header Referrer-Policy                      "no-referrer"       always; | ||||
|         add_header X-Content-Type-Options               "nosniff"           always; | ||||
|         add_header X-Download-Options                   "noopen"            always; | ||||
|         add_header X-Permitted-Cross-Domain-Policies    "none"              always; | ||||
|         add_header X-Robots-Tag                         "noindex, nofollow" always; | ||||
|         add_header X-XSS-Protection                     "1; mode=block"     always; | ||||
|         add_header Referrer-Policy                      "no-referrer"   always; | ||||
|         add_header X-Content-Type-Options               "nosniff"       always; | ||||
|         add_header X-Download-Options                   "noopen"        always; | ||||
|         add_header X-Permitted-Cross-Domain-Policies    "none"          always; | ||||
|         add_header X-Robots-Tag                         "none"          always; | ||||
|         add_header X-XSS-Protection                     "1; mode=block" always; | ||||
|  | ||||
|         {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }} | ||||
|         add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}"; | ||||
| @ -136,9 +132,6 @@ http { | ||||
|         # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` | ||||
|         # to the URI, resulting in a HTTP 500 error response. | ||||
|         location ~ \.php(?:$|/) { | ||||
|             # Required for legacy support | ||||
|             rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; | ||||
|  | ||||
|             fastcgi_split_path_info ^(.+?\.php)(/.*)$; | ||||
|             set $path_info $fastcgi_path_info; | ||||
|  | ||||
|  | ||||
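Review bot: In the third hunk the `rewrite ^/(?!index|remote|public|cron|...) /index.php$request_uri;` line is absent from the new side of `location ~ \.php(?:$|/)`, and that line is what routes every PHP path outside the listed entry points back through `index.php`. Without it the location appears to hand any `.php` path under the web root to FPM, so the restriction rests entirely on the other `location` rules, which are outside the hunk. I would keep the rewrite, or add a comment at the top of the block naming the rule that prevents direct execution of other scripts, e.g. `# direct access to non-entry-point scripts is blocked by <rule>`. The side of each line is inferred from the hunk counts (`-136,9 +132,6`), since the page has no `+`/`-` markers.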
| @ -1,11 +0,0 @@ | ||||
| If the authentik configuration should be handled by abra add the following to the env: | ||||
|  | ||||
|     COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" | ||||
|     AUTHENTIK_USER_PREFIX=authentik | ||||
|     AUTHENTIK_DOMAIN=authentik.example.com | ||||
|     AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik | ||||
|     AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik | ||||
|  | ||||
| And run: | ||||
|  | ||||
|     abra app cmd <app-name> app set_authentik | ||||
| @ -1 +0,0 @@ | ||||
| The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more. | ||||
| @ -1 +0,0 @@ | ||||
| BREAKING CHANGE: compose.apps.yml is now split for bbb and onlyoffice, configs must be updated | ||||
| @ -1 +0,0 @@ | ||||
| Added automated customization options. Config needs to be updated to be able to use it. | ||||