Compare commits
	
		
			4 Commits
		
	
	
		
			6.0.5+28.0
			...
			add-postgr
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| ea48f6837c | |||
| dba042ff46 | |||
| 27e8e62675 | |||
| 559ca6a95c | 
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										26
									
								
								.drone.yml
									
									
									
									
									
								
							| @ -3,7 +3,7 @@ kind: pipeline | |||||||
| name: deploy to swarm-test.autonomic.zone | name: deploy to swarm-test.autonomic.zone | ||||||
| steps: | steps: | ||||||
|   - name: deployment |   - name: deployment | ||||||
|     image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest |     image: decentral1se/stack-ssh-deploy:latest | ||||||
|     settings: |     settings: | ||||||
|       host: swarm-test.autonomic.zone |       host: swarm-test.autonomic.zone | ||||||
|       stack: nextcloud |       stack: nextcloud | ||||||
| @ -11,39 +11,15 @@ steps: | |||||||
|       purge: true |       purge: true | ||||||
|       deploy_key: |       deploy_key: | ||||||
|         from_secret: drone_ssh_swarm_test |         from_secret: drone_ssh_swarm_test | ||||||
|       networks: |  | ||||||
|         - proxy |  | ||||||
|     environment: |     environment: | ||||||
|       DOMAIN: nextcloud.swarm-test.autonomic.zone |       DOMAIN: nextcloud.swarm-test.autonomic.zone | ||||||
|       STACK_NAME: nextcloud |       STACK_NAME: nextcloud | ||||||
|       LETS_ENCRYPT_ENV: production |       LETS_ENCRYPT_ENV: production | ||||||
|       ADMIN_USER: foobar |       ADMIN_USER: foobar | ||||||
|       FPM_TUNE_VERSION: v1 |  | ||||||
|       NGINX_CONF_VERSION: v1 |  | ||||||
|       MY_CNF_VERSION: v1 |  | ||||||
|       ENTRYPOINT_VERSION: v1 |  | ||||||
|       SECRET_DB_PASSWORD_VERSION: v1 |       SECRET_DB_PASSWORD_VERSION: v1 | ||||||
|       SECRET_DB_ROOT_PASSWORD_VERSION: v1 |       SECRET_DB_ROOT_PASSWORD_VERSION: v1 | ||||||
|       SECRET_ADMIN_PASSWORD_VERSION: v1 |       SECRET_ADMIN_PASSWORD_VERSION: v1 | ||||||
|       SECRET_ONLYOFFICE_JWT_VERSION: v1 |  | ||||||
|       SECRET_BBB_SECRET_VERSION: v1 |  | ||||||
|       EXTRA_VOLUME: "/dev/null:/tmp/.dummy" |       EXTRA_VOLUME: "/dev/null:/tmp/.dummy" | ||||||
| trigger: | trigger: | ||||||
|   branch: |   branch: | ||||||
|     - main |     - main | ||||||
| --- |  | ||||||
| kind: pipeline |  | ||||||
| name: generate recipe catalogue |  | ||||||
| steps: |  | ||||||
|   - name: release a new version |  | ||||||
|     image: plugins/downstream |  | ||||||
|     settings: |  | ||||||
|       server: https://build.coopcloud.tech |  | ||||||
|       token: |  | ||||||
|         from_secret: drone_abra-bot_token |  | ||||||
|       fork: true |  | ||||||
|       repositories: |  | ||||||
|         - coop-cloud/auto-recipes-catalogue-json |  | ||||||
|  |  | ||||||
| trigger: |  | ||||||
|   event: tag |  | ||||||
|  | |||||||
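Review bot: The `deployment` step on the new side pulls `decentral1se/stack-ssh-deploy:latest`, which looks like a personal registry namespace referenced by a mutable tag, and this same step receives the `drone_ssh_swarm_test` deploy key. Any later change to what `:latest` points at runs with that key on the next build of `main`, without a change in this repository to review. Pinning the image by digest keeps the build on the image that was actually inspected, e.g. `image: decentral1se/stack-ssh-deploy@sha256:<digest-placeholder>`, and an organisation-controlled registry path would narrow who can publish it.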
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										53
									
								
								.env.sample
									
									
									
									
									
								
							| @ -1,6 +1,4 @@ | |||||||
| TYPE=nextcloud | TYPE=nextcloud | ||||||
| TIMEOUT=900 |  | ||||||
| ENABLE_AUTO_UPDATE=true |  | ||||||
|  |  | ||||||
| DOMAIN=nextcloud.example.com | DOMAIN=nextcloud.example.com | ||||||
| ## Domain aliases | ## Domain aliases | ||||||
| @ -11,8 +9,6 @@ COMPOSE_FILE="compose.yml" | |||||||
| COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml" | COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml" | ||||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml" | #COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml" | ||||||
|  |  | ||||||
| #MAX_DB_CONNECTIONS=500 |  | ||||||
|  |  | ||||||
| ADMIN_USER=admin | ADMIN_USER=admin | ||||||
|  |  | ||||||
| SECRET_DB_ROOT_PASSWORD_VERSION=v1 | SECRET_DB_ROOT_PASSWORD_VERSION=v1 | ||||||
| @ -20,52 +16,3 @@ SECRET_DB_PASSWORD_VERSION=v1 | |||||||
| SECRET_ADMIN_PASSWORD_VERSION=v1 | SECRET_ADMIN_PASSWORD_VERSION=v1 | ||||||
|  |  | ||||||
| EXTRA_VOLUME=/dev/null:/tmp/.dummy | EXTRA_VOLUME=/dev/null:/tmp/.dummy | ||||||
|  |  | ||||||
| PHP_MEMORY_LIMIT=1G |  | ||||||
| # fpm-tune, see: https://spot13.com/pmcalculator/ |  | ||||||
| FPM_MAX_CHILDREN=16 |  | ||||||
| FPM_START_SERVERS=4 |  | ||||||
| FPM_MIN_SPARE_SERVERS=4 |  | ||||||
| FPM_MAX_SPARE_SERVERS=12 |  | ||||||
|  |  | ||||||
| DEFAULT_QUOTA="10 GB" |  | ||||||
|  |  | ||||||
| # X_FRAME_OPTIONS_ENABLED=1 |  | ||||||
| # X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org |  | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml" |  | ||||||
| # See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values |  | ||||||
| # SMTP_AUTHTYPE= |  | ||||||
| # SMTP_HOST= |  | ||||||
| # SMTP_SECURE= |  | ||||||
| # SMTP_NAME= |  | ||||||
| # SMTP_PORT= |  | ||||||
| # MAIL_FROM_ADDRESS= |  | ||||||
| # MAIL_DOMAIN= |  | ||||||
| # SECRET_SMTP_PASSWORD_VERSION=v1 |  | ||||||
|  |  | ||||||
| # APPS="calendar" |  | ||||||
|  |  | ||||||
| # COLLABORA_URL=https://collabora.example.com |  | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.onlyoffice.yml" |  | ||||||
| # ONLYOFFICE_URL=https://onlyoffice.example.com |  | ||||||
| # APPS="$APPS onlyoffice" |  | ||||||
| # SECRET_ONLYOFFICE_JWT_VERSION=v1 |  | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.bbb.yml" |  | ||||||
| # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! |  | ||||||
| # SECRET_BBB_SECRET_VERSION=v1 |  | ||||||
|  |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" |  | ||||||
| # APPS="$APPS sociallogin" |  | ||||||
| # AUTHENTIK_USER_PREFIX=authentik |  | ||||||
| # AUTHENTIK_DOMAIN=authentik.example.com |  | ||||||
| # SECRET_AUTHENTIK_SECRET_VERSION=v1 |  | ||||||
| # SECRET_AUTHENTIK_ID_VERSION=v1 |  | ||||||
| # OCC_CMDS="app:disable dashboard" |  | ||||||
| # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1" |  | ||||||
| # OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1" |  | ||||||
|  |  | ||||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml" |  | ||||||
| #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1 |  | ||||||
|  | |||||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										149
									
								
								README.md
									
									
									
									
									
								
							| @ -6,91 +6,38 @@ Fully automated luxury Nextcloud via docker-swarm. | |||||||
|  |  | ||||||
| <!-- metadata --> | <!-- metadata --> | ||||||
| * **Category**: Apps | * **Category**: Apps | ||||||
| * **Status**: 5 | * **Status**: 2, beta | ||||||
| * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream | * **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream | ||||||
| * **Healthcheck**: Yes | * **Healthcheck**: Yes | ||||||
| * **Backups**: Yes | * **Backups**: No | ||||||
| * **Email**: 3 | * **Email**: 3 | ||||||
| * **Tests**: 2 | * **Tests**: 2 | ||||||
| * **SSO**: 1 (OAuth) | * **SSO**: 1 (OAuth) | ||||||
| <!-- endmetadata --> | <!-- endmetadata --> | ||||||
|  |  | ||||||
| ## Quick start | ## Basic usage | ||||||
|  |  | ||||||
| * `abra app new nextcloud` | 1. Set up Docker Swarm and [`abra`] | ||||||
| * `abra app config <app-name>` | 2. Deploy [`coop-cloud/traefik`] | ||||||
| * `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>` | 3. `abra app new nextcloud --secrets` (optionally with `--pass` if you'd like | ||||||
| * `abra app secret generate -a <app-name>` |    to save secrets in `pass`) | ||||||
| * `abra app deploy <app-name>` | 4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to | ||||||
|  |    your Docker swarm box | ||||||
|  | 5. `abra app YOURAPPDOMAIN deploy` | ||||||
|  |  | ||||||
| ### Onlyoffice Integration | ## How do I customise the default home page when logging in? | ||||||
|  |  | ||||||
| `abra app config <app-name>`  | - Delete the dashboard app since it is so corporate | ||||||
| Configure the following envs: | - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app | ||||||
| ``` | - Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder) | ||||||
| COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" |  | ||||||
| ONLYOFFICE_URL=https://onlyoffice.example.com |  | ||||||
| SECRET_ONLYOFFICE_JWT_VERSION=v1 |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| `abra app secret insert <app-name> onlyoffice_jwt v1 <jwt_secret>` |  | ||||||
| `abra app cmd <app-name> app install_onlyoffice` |  | ||||||
|  |  | ||||||
| ### BBB Integration |  | ||||||
|  |  | ||||||
| `abra app config <app-name>`  |  | ||||||
| Configure the following envs: |  | ||||||
| ``` |  | ||||||
| COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" |  | ||||||
| BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! |  | ||||||
| SECRET_BBB_SECRET_VERSION=v1 |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| `abra app secret insert <app-name> bbb_secret v1 <bbb_secret>` |  | ||||||
| `abra app cmd <app-name> app install_bbb` |  | ||||||
|  |  | ||||||
| ### Authentik Integration |  | ||||||
|  |  | ||||||
|  |  | ||||||
| `abra app config <app-name>`  |  | ||||||
| Configure the following envs: |  | ||||||
| ``` |  | ||||||
| COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" |  | ||||||
| AUTHENTIK_USER_PREFIX=authentik |  | ||||||
| AUTHENTIK_DOMAIN=authentik.example.com |  | ||||||
| AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik |  | ||||||
| AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| `abra app cmd <app-name> app set_authentik` |  | ||||||
|  |  | ||||||
| ### Disable Dashboard |  | ||||||
|  |  | ||||||
| Disable dashboard app since it is so corporate: |  | ||||||
|  |  | ||||||
| `abra app config <app-name>`  |  | ||||||
| Configure the following envs: |  | ||||||
| ``` |  | ||||||
| OCC_CMDS="app:disable dashboard" |  | ||||||
| ``` |  | ||||||
| `abra app cmd <app-name> app post_install_occ` |  | ||||||
|  |  | ||||||
| ## Running `occ` | ## Running `occ` | ||||||
|  |  | ||||||
| `abra app cmd <app-name> app run_occ '"user:list --help"'` | `abra app run --user www-data YOURAPPDOMAIN app occ user:list --help` | ||||||
|  |  | ||||||
| ## Default user files |  | ||||||
|  |  | ||||||
| - Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app |  | ||||||
|  |  | ||||||
| ## Default App |  | ||||||
|  |  | ||||||
| - Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder) |  | ||||||
|  |  | ||||||
| ## Upgrading Nextcloud apps | ## Upgrading Nextcloud apps | ||||||
|  |  | ||||||
| `abra app cmd <app-name> app run_occ '"app:update --all"'` | `abra app run --user www-data YOURAPPDOMAIN app occ app:update --all` | ||||||
|  |  | ||||||
|  |  | ||||||
| ## How do I fix a Nextcloud version snafu? | ## How do I fix a Nextcloud version snafu? | ||||||
|  |  | ||||||
| @ -119,7 +66,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the | |||||||
| ``` | ``` | ||||||
|   'oidc_login_client_id' => 'nextcloud', |   'oidc_login_client_id' => 'nextcloud', | ||||||
|   'oidc_login_client_secret' => 'mysecret', |   'oidc_login_client_secret' => 'mysecret', | ||||||
|   'oidc_login_provider_url' => 'https://example.com/realms/myrealm', |   'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm', | ||||||
|   'oidc_login_disable_registration' => false, |   'oidc_login_disable_registration' => false, | ||||||
|   'oidc_login_hide_password_form' => true, |   'oidc_login_hide_password_form' => true, | ||||||
|   'oidc_login_button_text' => 'Log in with your myssodomain', |   'oidc_login_button_text' => 'Log in with your myssodomain', | ||||||
| @ -219,65 +166,3 @@ Here is an example CSS config which hides the local login and makes space for a | |||||||
| [nextcloud-docker]: https://hub.docker.com/_/nextcloud/ | [nextcloud-docker]: https://hub.docker.com/_/nextcloud/ | ||||||
| [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra | [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra | ||||||
| [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik | [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik | ||||||
|  |  | ||||||
| ## Using [`previewgenerator`](https://github.com/nextcloud/previewgenerator) app |  | ||||||
|  |  | ||||||
| > Beware, this appp has been known to not work... |  | ||||||
|  |  | ||||||
| After you install, enable etc. then you need to run the generation (**warning**: it can take a long time!): |  | ||||||
|  |  | ||||||
| ``` |  | ||||||
| abra app run <domain> app bash -u www-data |  | ||||||
| ./occ preview:generate-all |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| To set up the cron to run again, there is [no clear solution in the context of |  | ||||||
| containers](https://github.com/nextcloud/previewgenerator/issues/1). So, a |  | ||||||
| pretty dodgy hack is to run it from the system directly: |  | ||||||
|  |  | ||||||
| ``` |  | ||||||
| root@foo.com /etc/cron.hourly $ cat foo-com-preview-generate  |  | ||||||
| #!/bin/bash |  | ||||||
|  |  | ||||||
| docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-generate |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| This app will improve performance of image browsing at the cost of storage space. |  | ||||||
|  |  | ||||||
| ## Fulltextsearch using elasticsearch |  | ||||||
|  |  | ||||||
| 1. Uncomment the following lines in your env file: |  | ||||||
| ``` |  | ||||||
| #COMPOSE_FILE="$COMPOSE_FILE:compose.fulltextsearch.yml" |  | ||||||
| #SECRET_ELASTICSEARCH_PASSWORD_VERSION=v1 |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| 2. Generate the secret for elasticsearch: |  | ||||||
| ```bash |  | ||||||
| abra app secret generate <domain> elasticsearch_password v1 |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| 3. Deploy your app: |  | ||||||
| ```bash |  | ||||||
| abra app deploy <domain> |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| 4. Install the apps and configure them: |  | ||||||
| ``` |  | ||||||
| abra app cmd <domain> app install_fulltextsearch |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| 5. You might need to configure the files_fulltextsearch app. run this command to check its settings: |  | ||||||
| ``` |  | ||||||
| abra app cmd <domain> app run_occ '"config:list files_fulltextsearch" |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| 6. You can check if the nextcloud can connect to elasticsearch: |  | ||||||
| ``` |  | ||||||
| abra app cmd <domain> app run_occ '"fulltextsearch:test"' |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| And you can populate the index manually and check if any errors occur: |  | ||||||
| ``` |  | ||||||
| abra app cmd <domain> app run_occ '"fulltextsearch:index"' |  | ||||||
| ``` |  | ||||||
|  | |||||||
							
								
								
									
									
									
									
									
									
								
							
							
						
						
									
										212
									
								
								abra.sh
									
									
									
									
									
								
							| @ -1,123 +1,105 @@ | |||||||
| #!/bin/bash | export FPM_TUNE_VERSION=v4 | ||||||
|  | export NGINX_CONF_VERSION=v2 | ||||||
|  | export MY_CNF_VERSION=v4 | ||||||
|  |  | ||||||
| export FPM_TUNE_VERSION=v5 | NC_APP_DIR="app:/var/www/html" | ||||||
| export NGINX_CONF_VERSION=v6 |  | ||||||
| export MY_CNF_VERSION=v5 |  | ||||||
| export ENTRYPOINT_VERSION=v3 |  | ||||||
| export CRONTAB_VERSION=v1 |  | ||||||
|  |  | ||||||
| run_occ() { | sub_occ(){ | ||||||
|     su -p www-data -s /bin/sh -c "/var/www/html/occ $@" |   # shellcheck disable=SC2034 | ||||||
|  |   abra__service_="app" | ||||||
|  |   # shellcheck disable=SC2034 | ||||||
|  |   abra___user="www-data" | ||||||
|  |   sub_app_run php /var/www/html/occ "$@" | ||||||
| } | } | ||||||
|  |  | ||||||
| post_install_occ() { | _backup_app() { | ||||||
|     IFS='|' read -ra CMD <<<"$OCC_CMDS" |   # Copied _abra_backup_dir to make UX better on restore and backup | ||||||
|     for cmd in "${CMD[@]}"; do |  | ||||||
|         run_occ "$cmd" |  | ||||||
|     done |  | ||||||
| } |  | ||||||
|  |  | ||||||
| install_apps() { |  | ||||||
|     install_apps="$@" |  | ||||||
|     if [ -z "$install_apps" ]; then |  | ||||||
|         install_apps=$APPS |  | ||||||
|     fi |  | ||||||
|     for app in $install_apps; do |  | ||||||
|         run_occ "app:install $app" |  | ||||||
|     done |  | ||||||
| } |  | ||||||
|  |  | ||||||
| set_app_config() { |  | ||||||
|     APP=$1 |  | ||||||
|     KEY=$2 |  | ||||||
|     VALUE=$3 |  | ||||||
|     run_occ "config:app:set $APP $KEY --value '$VALUE'" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| set_system_config() { |  | ||||||
|     KEY=$1 |  | ||||||
|     VALUE=$2 |  | ||||||
|     run_occ "config:system:set $KEY --value '$VALUE'" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| set_trusted_proxies() { |  | ||||||
|     trusted_proxies="$@" |  | ||||||
|     if [ -z "$1" ]; then |  | ||||||
|         trusted_proxies="$TRUSTED_PROXIES" |  | ||||||
|     fi |  | ||||||
|     set_system_config trusted_proxies "$trusted_proxies" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| set_logfile_stdout() { |  | ||||||
|     set_system_config logfile '/dev/stdout' |  | ||||||
| } |  | ||||||
|  |  | ||||||
| install_bbb() { |  | ||||||
|     install_apps bbb |  | ||||||
|     set_app_config bbb app.navigation true |  | ||||||
|     set_app_config bbb api.url "$BBB_URL" |  | ||||||
|     set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| install_onlyoffice() { |  | ||||||
|     install_apps onlyoffice |  | ||||||
|     set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL" |  | ||||||
|     set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)" |  | ||||||
|     set_app_config onlyoffice customizationForcesave true |  | ||||||
| } |  | ||||||
|  |  | ||||||
| install_collabora() { |  | ||||||
|     install_apps richdocuments |  | ||||||
|     set_app_config richdocuments wopi_url "$COLLABORA_URL" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| install_fulltextsearch() { |  | ||||||
|     install_apps fulltextsearch |  | ||||||
|     install_apps fulltextsearch_elasticsearch |  | ||||||
|     install_apps files_fulltextsearch |  | ||||||
|     set_app_config fulltextsearch search_platform "OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform" |  | ||||||
|     set_app_config fulltextsearch_elasticsearch elastic_host "http://elastic:$(cat /run/secrets/elasticsearch_password)@elasticsearch:9200/" |  | ||||||
|     set_app_config fulltextsearch_elasticsearch elastic_index "nextcloud" |  | ||||||
|     set_app_config files_fulltextsearch files_local "1" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| set_default_quota() { |  | ||||||
|     set_app_config files default_quota "$DEFAULT_QUOTA" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| set_authentik() { |  | ||||||
|     install_apps sociallogin |  | ||||||
|     AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret) |  | ||||||
|     AUTHENTIK_ID=$(cat /run/secrets/authentik_id) |  | ||||||
|     set_app_config sociallogin custom_providers " |  | ||||||
|   { |   { | ||||||
|     \"custom_oidc\":[ |     abra__src_="$1" | ||||||
|     { |     abra__dst_="-" | ||||||
|         \"name\":\"$AUTHENTIK_USER_PREFIX\", |  | ||||||
|         \"title\":\"authentik\", |  | ||||||
|         \"authorizeUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/authorize/\", |  | ||||||
|         \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\", |  | ||||||
|         \"displayNameClaim\":\"preferred_username\", |  | ||||||
|         \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\", |  | ||||||
|         \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\", |  | ||||||
|         \"clientId\":\"$AUTHENTIK_ID\", |  | ||||||
|         \"clientSecret\":\"$AUTHENTIK_SECRET\", |  | ||||||
|         \"scope\":\"openid profile email nextcloud\", |  | ||||||
|         \"groupsClaim\":\"nextcloud_groups\", |  | ||||||
|         \"style\":\"openid\", |  | ||||||
|         \"defaultGroup\":\"\", |  | ||||||
|         \"groupMapping\": { |  | ||||||
|           \"admin\": \"admin\", |  | ||||||
|           \"authentik Admins\": \"admin\" |  | ||||||
|   } |   } | ||||||
|     } |  | ||||||
| ] |  | ||||||
| }" |  | ||||||
|  |  | ||||||
|     set_app_config sociallogin update_profile_on_login 1 |   # shellcheck disable=SC2154 | ||||||
|     set_app_config sociallogin auto_create_groups 1 |   FILENAME="$(basename "$1").tar" | ||||||
|     set_app_config sociallogin hide_default_login 1 |  | ||||||
|     run_occ 'config:system:set social_login_auto_redirect --value true' |   debug "Copying '$1' to '$FILENAME'" | ||||||
|     run_occ 'config:system:set allow_user_to_change_display_name --value=false' |  | ||||||
|     run_occ 'config:system:set lost_password_link --value=disabled' |   silence | ||||||
|  |   mkdir -p /tmp/abra | ||||||
|  |   sub_app_cp > /tmp/abra/$FILENAME | ||||||
|  |   unsilence | ||||||
| } | } | ||||||
|  |  | ||||||
|  | next_maintenance_on() { | ||||||
|  |   silence | ||||||
|  |   sub_occ maintenance:mode --on > /dev/null | ||||||
|  |   unsilence | ||||||
|  |   debug "Nextcloud maintenance mode enabled" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | next_maintenance_off() { | ||||||
|  |   silence | ||||||
|  |   sub_occ maintenance:mode --off > /dev/null | ||||||
|  |   unsilence | ||||||
|  |   debug "Nextcloud maintenance mode disabled" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | abra_backup_app() { | ||||||
|  |   # shellcheck disable=SC2154 | ||||||
|  |   ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz" | ||||||
|  |   # Cant be FILENAME as that gets changed by something | ||||||
|  |   next_maintenance_on | ||||||
|  |   _backup_app $NC_APP_DIR/config | ||||||
|  |   _backup_app $NC_APP_DIR/data | ||||||
|  |   _backup_app $NC_APP_DIR/themes | ||||||
|  |   # Combine archives | ||||||
|  |   tar -Af /tmp/abra/config.tar /tmp/abra/data.tar | ||||||
|  |   tar -Af /tmp/abra/config.tar /tmp/abra/themes.tar | ||||||
|  |   gzip /tmp/abra/config.tar -c > "$ARK_FILENAME" | ||||||
|  |   rm /tmp/abra/*.tar | ||||||
|  |   success "Backed up 'app' to $ARK_FILENAME" | ||||||
|  |   next_maintenance_off | ||||||
|  | } | ||||||
|  |  | ||||||
|  | abra_backup_db() { | ||||||
|  |   next_maintenance_on | ||||||
|  |   _abra_backup_mysql "db" "nextcloud" | ||||||
|  |   next_maintenance_off | ||||||
|  | } | ||||||
|  |  | ||||||
|  | abra_backup() { | ||||||
|  |   abra_backup_app && abra_backup_db | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | abra_restore_app() { | ||||||
|  |   next_maintenance_on | ||||||
|  |   # shellcheck disable=SC2034 | ||||||
|  |   { | ||||||
|  |   abra__src_="-" | ||||||
|  |   abra__dst_=$NC_APP_DIR | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   zcat "$@" | sub_app_cp | ||||||
|  |  | ||||||
|  |   next_maintenance_off | ||||||
|  |   sub_occ files:scan --all > /dev/null # Needs to be run in normal mode | ||||||
|  |   success "Restored 'app'" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | # abra_restore_db() { | ||||||
|  | #   warning "Restoring the database is on a existing app and not a new one has not been tested. Use with caution." | ||||||
|  | #   next_maintenance_on | ||||||
|  | #   # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we | ||||||
|  | #   # got this far.. | ||||||
|  |  | ||||||
|  | #   # shellcheck disable=SC2034 | ||||||
|  | #   abra___no_tty="true" | ||||||
|  |  | ||||||
|  | #   DB_PASSWORD=$(sub_app_run cat /run/secrets/db_password) | ||||||
|  |  | ||||||
|  | #   zcat "$@" | sub_app_run mysql -u root -p"$DB_PASSWORD" wordpress | ||||||
|  |  | ||||||
|  | #   success "Restored 'db'" | ||||||
|  | #   next_maintenance_off | ||||||
|  | # } | ||||||
|  | |||||||
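Review bot: `_backup_app` and `abra_backup_app` stage their archives in the fixed path `/tmp/abra`, and `mkdir -p` silently accepts a directory that already exists, so on a shared machine another local account could own or pre-populate it. The tarballs hold Nextcloud's `config`, `data` and `themes` directories and are created with the default umask. A per-run directory from `mktemp -d` (created mode 0700) avoids both problems and lets the unquoted `$FILENAME` redirect be quoted at the same time. Separately, nothing visible here turns maintenance mode back off if a step in between fails and the script exits early, which may deserve a `trap`.

```shell
_backup_app() {
  # … unchanged: abra__src_/abra__dst_ setup, FILENAME, debug, silence …
  sub_app_cp > "$ABRA_TMP/$FILENAME"
  # … unchanged: unsilence …
}

abra_backup_app() {
  # … unchanged: ARK_FILENAME …
  ABRA_TMP="$(mktemp -d)" || return 1
  # … unchanged: next_maintenance_on, three _backup_app calls …
  tar -Af "$ABRA_TMP/config.tar" "$ABRA_TMP/data.tar"
  tar -Af "$ABRA_TMP/config.tar" "$ABRA_TMP/themes.tar"
  gzip "$ABRA_TMP/config.tar" -c > "$ARK_FILENAME"
  rm -rf "$ABRA_TMP"
  # … unchanged: success message, next_maintenance_off …
}
```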
| @ -1,14 +0,0 @@ | |||||||
| version: "3.8" |  | ||||||
| services: |  | ||||||
|   app: |  | ||||||
|     secrets: |  | ||||||
|       - authentik_secret |  | ||||||
|       - authentik_id |  | ||||||
|  |  | ||||||
| secrets: |  | ||||||
|   authentik_secret: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION} |  | ||||||
|   authentik_id: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION} |  | ||||||
| @ -1,12 +0,0 @@ | |||||||
| version: "3.8" |  | ||||||
| services: |  | ||||||
|   app: |  | ||||||
|     secrets: |  | ||||||
|       - bbb_secret |  | ||||||
|     environment: |  | ||||||
|       - BBB_URL |  | ||||||
|  |  | ||||||
| secrets: |  | ||||||
|   bbb_secret: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION} |  | ||||||
| @ -1,55 +0,0 @@ | |||||||
| version: "3.8" |  | ||||||
|  |  | ||||||
| services: |  | ||||||
|   elasticsearch: |  | ||||||
|     image: "docker.elastic.co/elasticsearch/elasticsearch:8.11.3" |  | ||||||
|     environment: |  | ||||||
|       - cluster.name=docker-cluster |  | ||||||
|       - bootstrap.memory_lock=true |  | ||||||
|       - "ES_JAVA_OPTS=-Xms512m -Xmx512m" |  | ||||||
|       - discovery.type=single-node |  | ||||||
|       # Disable authentication and ssl completely |  | ||||||
|       # - xpack.security.enabled=false |  | ||||||
|       # Use this to enable Basic Authentication: |  | ||||||
|       - xpack.security.enabled=true |  | ||||||
|       - xpack.security.http.ssl.enabled=false |  | ||||||
|       - ELASTIC_PASSWORD_FILE=/var/run/secrets/elasticsearch_password |  | ||||||
|     ulimits: |  | ||||||
|       memlock: |  | ||||||
|         soft: -1 |  | ||||||
|         hard: -1 |  | ||||||
|     volumes: |  | ||||||
|       - elasticsearch:/usr/share/elasticsearch/data |  | ||||||
|     networks: |  | ||||||
|       - internal |  | ||||||
|     secrets: |  | ||||||
|       - source: elasticsearch_password |  | ||||||
|         uid: "1000" |  | ||||||
|         gid: "1000" |  | ||||||
|         mode: 0600 |  | ||||||
|  |  | ||||||
|   searchindexer: |  | ||||||
|     image: nextcloud:28.0.5-fpm |  | ||||||
|     volumes: |  | ||||||
|       - nextcloud:/var/www/html/ |  | ||||||
|       - nextapps:/var/www/html/custom_apps:cached |  | ||||||
|       - nextdata:/var/www/html/data:cached |  | ||||||
|       - nextconfig:/var/www/html/config:cached |  | ||||||
|       - ${EXTRA_VOLUME} |  | ||||||
|     networks: |  | ||||||
|       - internal |  | ||||||
|     entrypoint: su -p www-data -s /bin/sh -c '/var/www/html/occ fulltextsearch:live' |  | ||||||
|  |  | ||||||
|   # Add the secret to the app service so it is avaiable in the |  | ||||||
|   # install_fulltextsearch command |  | ||||||
|   app: |  | ||||||
|     secrets: |  | ||||||
|       - elasticsearch_password |  | ||||||
|  |  | ||||||
| secrets: |  | ||||||
|   elasticsearch_password: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_elasticsearch_password_${SECRET_ELASTICSEARCH_PASSWORD_VERSION} |  | ||||||
|  |  | ||||||
| volumes: |  | ||||||
|   elasticsearch: |  | ||||||
| @ -15,7 +15,6 @@ services: | |||||||
|       - MYSQL_USER=nextcloud |       - MYSQL_USER=nextcloud | ||||||
|       - MYSQL_PASSWORD_FILE=/run/secrets/db_password |       - MYSQL_PASSWORD_FILE=/run/secrets/db_password | ||||||
|       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password |       - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password | ||||||
|       - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100} |  | ||||||
|     configs: |     configs: | ||||||
|       - source: my_tune |       - source: my_tune | ||||||
|         target: /etc/mysql/conf.d/my-tune.cnf |         target: /etc/mysql/conf.d/my-tune.cnf | ||||||
| @ -29,25 +28,13 @@ services: | |||||||
|     deploy: |     deploy: | ||||||
|       labels: |       labels: | ||||||
|           backupbot.backup: "true" |           backupbot.backup: "true" | ||||||
|           backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql' |           backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql' | ||||||
|           backupbot.backup.post-hook: "rm -rf /var/lib/mysql/backup.sql" |           backupbot.backup.post-hook: "rm -rf /tmp/backup" | ||||||
|           backupbot.backup.path: "/var/lib/mysql/backup.sql" |           backupbot.backup.path: "/tmp/backup/" | ||||||
|     healthcheck: |  | ||||||
|       test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping'] |  | ||||||
|       interval: 30s |  | ||||||
|       timeout: 10s |  | ||||||
|       retries: 10 |  | ||||||
|       start_period: 1m |  | ||||||
| configs: | configs: | ||||||
|   my_tune: |   my_tune: | ||||||
|     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION} |     name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION} | ||||||
|     file: my-tune.cnf |     file: my-tune.cnf | ||||||
|     template_driver: golang |  | ||||||
|  |  | ||||||
| secrets: |  | ||||||
|   db_root_password: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION} |  | ||||||
|  |  | ||||||
| volumes: | volumes: | ||||||
|   mariadb: |   mariadb: | ||||||
|  | |||||||
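Review bot: The new `backupbot.backup.pre-hook` still passes the MariaDB root password as a `mysqldump` argument (`-p"$$(cat /run/secrets/db_root_password)"`), so it appears in the process list for as long as the dump runs. The postgres hook in this same compare passes its password through the environment instead, and the client's `MYSQL_PWD` variable allows the same here: `MYSQL_PWD="$$(cat /run/secrets/db_root_password)" mysqldump --single-transaction -u root nextcloud > /tmp/backup/backup.sql`. This side also drops the top-level `secrets: db_root_password` definition while still reading `/run/secrets/db_root_password`. Unless another compose file declares it (not visible in this section), the secret will not be mounted.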
| @ -1,12 +0,0 @@ | |||||||
| version: "3.8" |  | ||||||
| services: |  | ||||||
|   app: |  | ||||||
|     secrets: |  | ||||||
|       - onlyoffice_jwt |  | ||||||
|     environment: |  | ||||||
|       - ONLYOFFICE_URL |  | ||||||
|  |  | ||||||
| secrets: |  | ||||||
|   onlyoffice_jwt: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_onlyoffice_jwt_${SECRET_ONLYOFFICE_JWT_VERSION} |  | ||||||
| @ -2,6 +2,7 @@ version: '3.8' | |||||||
|  |  | ||||||
| services: | services: | ||||||
|   app: |   app: | ||||||
|  |     entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204 | ||||||
|     environment: |     environment: | ||||||
|       - POSTGRES_HOST=db |       - POSTGRES_HOST=db | ||||||
|       - POSTGRES_DB=nextcloud |       - POSTGRES_DB=nextcloud | ||||||
| @ -11,7 +12,6 @@ services: | |||||||
|  |  | ||||||
|   db: |   db: | ||||||
|     image: "postgres:12" |     image: "postgres:12" | ||||||
|     command: -c "max_connections=${MAX_DB_CONNECTIONS:-100}" |  | ||||||
|     volumes: |     volumes: | ||||||
|       - "postgres:/var/lib/postgresql/data" |       - "postgres:/var/lib/postgresql/data" | ||||||
|     networks: |     networks: | ||||||
| @ -23,16 +23,16 @@ services: | |||||||
|     secrets: |     secrets: | ||||||
|       - db_password |       - db_password | ||||||
|     healthcheck: |     healthcheck: | ||||||
|       test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"] |       test: ["CMD-SHELL", "pg_isready"] | ||||||
|       interval: 10s |       interval: 10s | ||||||
|       timeout: 5s |       timeout: 5s | ||||||
|       retries: 5 |       retries: 5 | ||||||
|     deploy: |     deploy: | ||||||
|       labels: |       labels: | ||||||
|             backupbot.backup: "true" |             backupbot.backup: "true" | ||||||
|             backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql" |             backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql" | ||||||
|             backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql" |             backupbot.backup.post-hook: "rm -rf /tmp/backup" | ||||||
|             backupbot.backup.path: "/var/lib/postgresql/data/" |             backupbot.backup.path: "/tmp/backup/" | ||||||
|  |  | ||||||
| volumes: | volumes: | ||||||
|   postgres: |   postgres: | ||||||
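Review bot: The new `backupbot.backup.pre-hook` writes the full database dump to `/tmp/backup/backup.sql` after a plain `mkdir -p /tmp/backup/`, so the directory and file are created under the default umask rather than inside the PostgreSQL data directory that the old hook used. The dump contains the whole Nextcloud database, so I would restrict it by starting the hook with `umask 077 && mkdir -p /tmp/backup/ && …`. If `pg_dump` fails, the redirect still leaves a truncated `backup.sql` in `backupbot.backup.path`, so it is worth confirming that backupbot skips the backup when the pre-hook exits non-zero. `/tmp/backup/` is also not on a volume declared in this section, so check that backupbot can read that path from the container filesystem.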
|  | |||||||
| @ -1,19 +0,0 @@ | |||||||
| version: "3.8" |  | ||||||
| services: |  | ||||||
|   app: |  | ||||||
|     secrets: |  | ||||||
|       - smtp_password |  | ||||||
|     environment: |  | ||||||
|       - SMTP_AUTHTYPE |  | ||||||
|       - SMTP_HOST |  | ||||||
|       - SMTP_SECURE |  | ||||||
|       - SMTP_NAME |  | ||||||
|       - SMTP_PORT |  | ||||||
|       - SMTP_PASSWORD_FILE=/run/secrets/smtp_password |  | ||||||
|       - MAIL_FROM_ADDRESS |  | ||||||
|       - MAIL_DOMAIN |  | ||||||
|  |  | ||||||
| secrets: |  | ||||||
|   smtp_password: |  | ||||||
|     external: true |  | ||||||
|     name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION} |  | ||||||
							
								
								
									
										77
									
								
								compose.yml
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -1,15 +1,11 @@ | |||||||
| version: "3.8" | version: "3.8" | ||||||
| services: | services: | ||||||
|   web: |   web: | ||||||
|     image: nginx:1.25.3 |     image: nginx:1.20.0 | ||||||
|     depends_on: |  | ||||||
|       - app |  | ||||||
|     configs: |     configs: | ||||||
|       - source: nginx_conf |       - source: nginx_conf | ||||||
|         target: /etc/nginx/nginx.conf |         target: /etc/nginx/nginx.conf | ||||||
|     environment: |     environment: | ||||||
|       - X_FRAME_OPTIONS_ALLOW_FROM |  | ||||||
|       - X_FRAME_OPTIONS_ENABLED |  | ||||||
|       - DOMAIN |       - DOMAIN | ||||||
|       - STACK_NAME |       - STACK_NAME | ||||||
|     volumes: |     volumes: | ||||||
| @ -35,49 +31,31 @@ services: | |||||||
|         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" |         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" | ||||||
|         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" |         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" | ||||||
|         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" |         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" | ||||||
|         - "caddy=${DOMAIN}" |  | ||||||
|         - "caddy.reverse_proxy={{upstreams 80}}" |  | ||||||
|         - "caddy.tls.on_demand=" |  | ||||||
|     healthcheck: |  | ||||||
|       test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php |  grep "installed\":true"'] |  | ||||||
|       interval: 30s |  | ||||||
|       timeout: 10s |  | ||||||
|       retries: 10 |  | ||||||
|       start_period: 5m |  | ||||||
|  |  | ||||||
|   app: |   app: | ||||||
|     image: nextcloud:28.0.5-fpm |     image: nextcloud:23.0.3-fpm | ||||||
|     depends_on: |     depends_on: | ||||||
|       - db |       - db | ||||||
|     configs: |     configs: | ||||||
|       - source: fpm_tune |       - source: fpm_tune | ||||||
|         target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf |         target: /usr/local/etc/php-fpm.d/fpm-tune.conf | ||||||
|       - source: entrypoint |  | ||||||
|         target: /custom-entrypoint.sh |  | ||||||
|         mode: 555 |  | ||||||
|     entrypoint: /custom-entrypoint.sh |  | ||||||
|     secrets: |     secrets: | ||||||
|       - db_password |       - db_password | ||||||
|       - admin_password |       - admin_password | ||||||
|     environment: |     environment: | ||||||
|       - APPS |  | ||||||
|       - OCC_CMDS |  | ||||||
|       - X_FRAME_OPTIONS_ALLOW_FROM |  | ||||||
|       - X_FRAME_OPTIONS_ENABLED |  | ||||||
|       - DOMAIN |       - DOMAIN | ||||||
|       - STACK_NAME |       - STACK_NAME | ||||||
|       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER} |       - NEXTCLOUD_ADMIN_USER=${ADMIN_USER} | ||||||
|       - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password |       - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password | ||||||
|       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN} |       - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN} | ||||||
|       - TRUSTED_PROXIES=10.0.0.0/8 |       - TRUSTED_PROXIES=traefik | ||||||
|       - REDIS_HOST=cache |       - REDIS_HOST=cache | ||||||
|  |       - SMTP_HOST | ||||||
|  |       - MAIL_FROM_ADDRESS | ||||||
|  |       - MAIL_DOMAIN | ||||||
|  |       - SMTP_AUTHTYPE=PLAIN | ||||||
|       - OVERWRITEPROTOCOL=https |       - OVERWRITEPROTOCOL=https | ||||||
|       - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G} |       - PHP_MEMORY_LIMIT=1G | ||||||
|       - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131} |  | ||||||
|       - FPM_START_SERVERS=${FPM_START_SERVERS:-32} |  | ||||||
|       - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32} |  | ||||||
|       - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98} |  | ||||||
|       - DEFAULT_QUOTA |  | ||||||
|     volumes: |     volumes: | ||||||
|       - nextcloud:/var/www/html/ |       - nextcloud:/var/www/html/ | ||||||
|       - nextapps:/var/www/html/custom_apps:cached |       - nextapps:/var/www/html/custom_apps:cached | ||||||
| @ -91,19 +69,13 @@ services: | |||||||
|         failure_action: rollback |         failure_action: rollback | ||||||
|         order: start-first |         order: start-first | ||||||
|       labels: |       labels: | ||||||
|         - "coop-cloud.${STACK_NAME}.version=6.0.5+28.0.5-fpm" |         - "coop-cloud.${STACK_NAME}.version=2.0.0+23.0.3-fpm" | ||||||
|         - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" |  | ||||||
|         - "backupbot.backup=true" |         - "backupbot.backup=true" | ||||||
|         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/" |         - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/" | ||||||
|     healthcheck: |  | ||||||
|       test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"'] |  | ||||||
|       interval: 30s |  | ||||||
|       timeout: 10s |  | ||||||
|       retries: 10 |  | ||||||
|       start_period: 15m |  | ||||||
|  |  | ||||||
|   cron: |   cron: | ||||||
|     image: nextcloud:28.0.5-fpm |     image: nextcloud:23.0.3-fpm | ||||||
|     volumes: |     volumes: | ||||||
|       - nextcloud:/var/www/html/ |       - nextcloud:/var/www/html/ | ||||||
|       - nextapps:/var/www/html/custom_apps:cached |       - nextapps:/var/www/html/custom_apps:cached | ||||||
| @ -113,27 +85,21 @@ services: | |||||||
|     networks: |     networks: | ||||||
|       - internal |       - internal | ||||||
|     entrypoint: /cron.sh |     entrypoint: /cron.sh | ||||||
|     configs: |  | ||||||
|       - source: crontab |  | ||||||
|         target: /var/spool/cron/crontabs/www-data |  | ||||||
|  |  | ||||||
|  |  | ||||||
|   cache: |   cache: | ||||||
|     image: redis:7.2.4-alpine |     image: redis:6.2.5-alpine | ||||||
|     networks: |     networks: | ||||||
|       - internal |       - internal | ||||||
|     volumes: |     volumes: | ||||||
|       - "redis:/data" |       - "redis:/data" | ||||||
|     healthcheck: |  | ||||||
|       test: ["CMD", "redis-cli", "ping"] |  | ||||||
|       interval: 3s |  | ||||||
|       timeout: 5s |  | ||||||
|       retries: 20 |  | ||||||
|  |  | ||||||
| secrets: | secrets: | ||||||
|  |   db_root_password: | ||||||
|  |     external: true | ||||||
|  |     name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION} | ||||||
|   db_password: |   db_password: | ||||||
|     external: true |     external: true | ||||||
|     name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} |     name: ${STACK_NAME}_db_password_${SECRET_DB_ROOT_PASSWORD_VERSION} | ||||||
|   admin_password: |   admin_password: | ||||||
|     external: true |     external: true | ||||||
|     name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION} |     name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION} | ||||||
| @ -145,7 +111,6 @@ volumes: | |||||||
|   nextconfig: |   nextconfig: | ||||||
|   redis: |   redis: | ||||||
|  |  | ||||||
|  |  | ||||||
| configs: | configs: | ||||||
|   nginx_conf: |   nginx_conf: | ||||||
|     name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION} |     name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION} | ||||||
| @ -154,14 +119,6 @@ configs: | |||||||
|   fpm_tune: |   fpm_tune: | ||||||
|     name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION} |     name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION} | ||||||
|     file: fpm-tune.ini |     file: fpm-tune.ini | ||||||
|     template_driver: golang |  | ||||||
|   entrypoint: |  | ||||||
|     name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} |  | ||||||
|     file: entrypoint.sh.tmpl |  | ||||||
|     template_driver: golang |  | ||||||
|   crontab: |  | ||||||
|     name: ${STACK_NAME}_crontab_${CRONTAB_VERSION} |  | ||||||
|     file: crontab |  | ||||||
|  |  | ||||||
| networks: | networks: | ||||||
|   proxy: |   proxy: | ||||||
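Review bot: In the top-level `secrets:` block, the new `db_password` entry is named with the wrong version variable: `name: ${STACK_NAME}_db_password_${SECRET_DB_ROOT_PASSWORD_VERSION}`. Both secrets then follow the root password's version, so bumping that version to rotate the root password makes the stack look for a `db_password` secret that was never created. A separately set `SECRET_DB_PASSWORD_VERSION` also no longer has any effect in the visible hunks. The line should stay `name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}`. Separately, `TRUSTED_PROXIES=traefik` replaces a CIDR range with a service name; Nextcloud documents trusted proxies as IP addresses or ranges, so confirm the name is honoured, since otherwise client addresses behind the proxy may not be used for logging and brute-force throttling.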
|  | |||||||
| @ -1,41 +0,0 @@ | |||||||
| #!/bin/bash |  | ||||||
|  |  | ||||||
| set -eu |  | ||||||
|  |  | ||||||
| file_env() { |  | ||||||
|   local var="$1" |  | ||||||
|   local fileVar="${var}_FILE" |  | ||||||
|   local def="${2:-}" |  | ||||||
|  |  | ||||||
|   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then |  | ||||||
|     echo >&2 "error: both $var and $fileVar are set (but are exclusive)" |  | ||||||
|     exit 1 |  | ||||||
|   fi |  | ||||||
|  |  | ||||||
|   local val="$def" |  | ||||||
|   if [ "${!var:-}" ]; then |  | ||||||
|     val="${!var}" |  | ||||||
|   elif [ "${!fileVar:-}" ]; then |  | ||||||
|     val="$(< "${!fileVar}")" |  | ||||||
|   fi |  | ||||||
|  |  | ||||||
|   export "$var"="$val" |  | ||||||
|   unset "$fileVar" |  | ||||||
| } |  | ||||||
|  |  | ||||||
| file_env "SMTP_PASSWORD" |  | ||||||
|  |  | ||||||
| echo "Giving the db container some time to come up"; sleep 20 |  | ||||||
| # see this issue with postgres db https://github.com/nextcloud/docker/issues/1204 |  | ||||||
|  |  | ||||||
| {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }} |  | ||||||
| if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then |  | ||||||
|     sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php |  | ||||||
| fi |  | ||||||
| {{ end }} |  | ||||||
|  |  | ||||||
| # Required for healthcheck |  | ||||||
| which cgi-fcgi > /dev/null || (apt-get update && apt-get install -y libfcgi-bin) |  | ||||||
|  |  | ||||||
|  |  | ||||||
| /entrypoint.sh php-fpm |  | ||||||
| @ -1,5 +1,5 @@ | |||||||
| pm = dynamic | pm = dynamic | ||||||
| pm.max_children = {{ env "FPM_MAX_CHILDREN" }} | pm.max_children = 131 | ||||||
| pm.start_servers = {{ env "FPM_START_SERVERS" }} | pm.start_servers = 32 | ||||||
| pm.min_spare_servers = {{ env "FPM_MIN_SPARE_SERVERS" }} | pm.min_spare_servers = 32 | ||||||
| pm.max_spare_servers = {{ env "FPM_MAX_SPARE_SERVERS" }} | pm.max_spare_servers = 98 | ||||||
|  | |||||||
| @ -13,7 +13,7 @@ key_buffer_size                = 16M | |||||||
| innodb_log_file_size           = 256M | innodb_log_file_size           = 256M | ||||||
| long_query_time                = 1 | long_query_time                = 1 | ||||||
| max_allowed_packet             = 256M | max_allowed_packet             = 256M | ||||||
| max_connections                = {{ env "MAX_DB_CONNECTIONS" }} | max_connections                = 100 | ||||||
| max_heap_table_size            = 64M | max_heap_table_size            = 64M | ||||||
| max_user_connections           = 0 | max_user_connections           = 0 | ||||||
| myisam_recover_options         = BACKUP | myisam_recover_options         = BACKUP | ||||||
|  | |||||||
| @ -11,10 +11,6 @@ events { | |||||||
|  |  | ||||||
| http { | http { | ||||||
|     include       /etc/nginx/mime.types; |     include       /etc/nginx/mime.types; | ||||||
|     # See https://github.com/nextcloud/forms/issues/1838#issuecomment-1860497200 |  | ||||||
|     types { |  | ||||||
|         application/javascript js mjs; |  | ||||||
|     } |  | ||||||
|     default_type  application/octet-stream; |     default_type  application/octet-stream; | ||||||
|  |  | ||||||
|     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' |     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' | ||||||
| @ -45,7 +41,6 @@ http { | |||||||
|         # could take several months. |         # could take several months. | ||||||
|         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; | ||||||
|  |  | ||||||
|  |  | ||||||
|         # set max upload size |         # set max upload size | ||||||
|         client_max_body_size 512M; |         client_max_body_size 512M; | ||||||
|         fastcgi_buffers 64 4K; |         fastcgi_buffers 64 4K; | ||||||
| @ -66,16 +61,10 @@ http { | |||||||
|         add_header Referrer-Policy                      "no-referrer"   always; |         add_header Referrer-Policy                      "no-referrer"   always; | ||||||
|         add_header X-Content-Type-Options               "nosniff"       always; |         add_header X-Content-Type-Options               "nosniff"       always; | ||||||
|         add_header X-Download-Options                   "noopen"        always; |         add_header X-Download-Options                   "noopen"        always; | ||||||
|         add_header X-Permitted-Cross-Domain-Policies    "none"              always; |  | ||||||
|         add_header X-Robots-Tag                         "noindex, nofollow" always; |  | ||||||
|         add_header X-XSS-Protection                     "1; mode=block"     always; |  | ||||||
|  |  | ||||||
|         {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }} |  | ||||||
|         add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}"; |  | ||||||
|         {{ else }} |  | ||||||
|         add_header X-Frame-Options                      "SAMEORIGIN"    always; |         add_header X-Frame-Options                      "SAMEORIGIN"    always; | ||||||
|         {{ end }} |         add_header X-Permitted-Cross-Domain-Policies    "none"          always; | ||||||
|  |         add_header X-Robots-Tag                         "none"          always; | ||||||
|  |         add_header X-XSS-Protection                     "1; mode=block" always; | ||||||
|  |  | ||||||
|         # Remove X-Powered-By, which is an information leak |         # Remove X-Powered-By, which is an information leak | ||||||
|         fastcgi_hide_header X-Powered-By; |         fastcgi_hide_header X-Powered-By; | ||||||
|  | |||||||
| @ -1,57 +0,0 @@ | |||||||
|  |  | ||||||
| ## FPM Tune |  | ||||||
|  |  | ||||||
| The fpm-tune.ini settings are now configurable by `.env`. Please add this to your servers configs: |  | ||||||
|  |  | ||||||
| ``` |  | ||||||
| # fpm-tune, see: https://spot13.com/pmcalculator/ |  | ||||||
| FPM_MAX_CHILDREN=131 |  | ||||||
| FPM_START_SERVERS=32 |  | ||||||
| FPM_MIN_SPARE_SERVERS=32 |  | ||||||
| FPM_MAX_SPARE_SERVERS=98 |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| ## SMTP |  | ||||||
|  |  | ||||||
| Add SMTP Config to your .env file: |  | ||||||
|  |  | ||||||
| ``` |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml" |  | ||||||
| # See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values |  | ||||||
| # SMTP_AUTHTYPE= |  | ||||||
| # SMTP_HOST= |  | ||||||
| # SMTP_SECURE= |  | ||||||
| # SMTP_NAME= |  | ||||||
| # SMTP_PORT= |  | ||||||
| # MAIL_FROM_ADDRESS= |  | ||||||
| # MAIL_DOMAIN= |  | ||||||
| # SECRET_SMTP_PASSWORD_VERSION=v1 |  | ||||||
| abra app secret insert example.com smtp_password v1 example_password |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
|  |  | ||||||
| ## Post Deploy Commands |  | ||||||
|  |  | ||||||
| Some Apps can also be managed with abra app cmd! |  | ||||||
|  |  | ||||||
| ``` |  | ||||||
| # COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" |  | ||||||
| # APPS="calendar sociallogin onlyoffice" |  | ||||||
| abra app cmd example.com app install_apps |  | ||||||
| # ONLYOFFICE_URL=https://onlyoffice.example.com |  | ||||||
| # SECRET_ONLYOFFICE_JWT_VERSION=v1 |  | ||||||
| abra app secret insert example.com onlyoffice_jwt v1 example_password |  | ||||||
| abra app cmd example.com app install_onlyoffice |  | ||||||
| # BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! |  | ||||||
| # SECRET_BBB_SECRET_VERSION=v1 |  | ||||||
| abra app secret insert example.com bbb_secret v1 example_password |  | ||||||
| abra app cmd example.com app install_bbb |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| ## Set Quota |  | ||||||
|  |  | ||||||
| ``` |  | ||||||
| # DEFAULT_QUOTA="10 GB" |  | ||||||
| abra app cmd example.com app set_default_quota |  | ||||||
| ``` |  | ||||||
|  |  | ||||||
| @ -1,11 +0,0 @@ | |||||||
| If the authentik configuration should be handled by abra add the following to the env: |  | ||||||
|  |  | ||||||
|     COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" |  | ||||||
|     AUTHENTIK_USER_PREFIX=authentik |  | ||||||
|     AUTHENTIK_DOMAIN=authentik.example.com |  | ||||||
|     AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1  # the same as in authentik |  | ||||||
|     AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1  # the same as in authentik |  | ||||||
|  |  | ||||||
| And run: |  | ||||||
|  |  | ||||||
|     abra app cmd <app-name> app set_authentik |  | ||||||
| @ -1 +0,0 @@ | |||||||
| BREAKING CHANGE: compose.apps.yml was split to compose.bbb.yml and compose.onlyoffice.yml, configuration update is required! |  | ||||||
| @ -1 +0,0 @@ | |||||||
| The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more. |  | ||||||
| @ -1,4 +1,4 @@ | |||||||
| 2.0.0 introduces a minor nextcloud update to 23.0.4 and moves the database service to a seperate override.yml file to support different database types (mariadb / postgres). This might break your installation. Please add the following snippet to your config .env to ensure the right db is used: | 2.0.0 introduces a minor nextcloud update to 23.0.3 and moves the database service to a seperate override.yml file to support different database types (mariadb / postgres). This might break your installation. Please add the following snippet to your config .env to ensure the right db is used: | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| COMPOSE_FILE="compose.yml" | COMPOSE_FILE="compose.yml" | ||||||