forked from coop-cloud/nextcloud
put secrets in correct files
parent 907d73ea92
commit 9d2ec0f0b5
README.md | 196
@ -1,204 +1,24 @@
# Nextcloud
[![Build Status](https://drone.autonomic.zone/api/badges/coop-cloud/nextcloud/status.svg)](https://drone.autonomic.zone/coop-cloud/nextcloud)
Fully automated luxury Nextcloud via docker-swarm.
<!-- metadata -->
* **Category**: Apps
* **Status**: 2, beta
* **Image**: [`nextcloud`](https://hub.docker.com/_/nextcloud), 4, upstream
* **Healthcheck**: Yes
* **Backups**: No
* **Email**: 3
* **Tests**: 2
* **SSO**: 1 (OAuth)
<!-- endmetadata -->
## Quick start
* `abra app new nextcloud`
* `abra app config <app-name>`
* `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>`
* `abra app secret generate -a <app-name>`
* `abra app deploy <app-name>`
### Disable Dashboard
Disable dashboard app since it is so corporate:
`abra app config <app-name>`
Configure the following envs:
```
OCC_CMDS="app:disable dashboard"
```
`abra app cmd <app-name> app post_install_occ`
## Running `occ`
`abra app cmd <app-name> app run_occ '"user:list --help"'`
## Default user files
- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app
## Default App
- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder)
## Upgrading Nextcloud apps
`abra app cmd <app-name> app run_occ '"app:update --all"'`
Wiki Cafe's configuration for a Nextcloud deployment. Originally slimmed down from an `abra` [recipe](https://git.coopcloud.tech/coop-cloud/nextcloud) by [Co-op Cloud](https://coopcloud.tech/).
## How do I fix a Nextcloud version snafu?
## Deploying the app with Docker Swarm
`Exception: Updates between multiple major versions and downgrades are unsupported.`
Solution:
- Look at log files to determine the old Nextcloud version
- Change your local `~/.abra/recipes/nextcloud/compose.yaml` to the highest minor
version in the old version -- e.g. choose `22.2.5` for `22`, if you're
upgrading to `23`.
- Then, do one of (both bad):
1. `abra app deploy --chaos ...`, then `app run` to go in and manually lower the version number in PHP (shell in, `apt install vim-core && vi version.php`), then try `php ./occ upgrade`
2. `abra app undeploy ...`, `abra volume rm`, CAREFULLY only choose the volume
ENDING `_nextcloud`, then `abra app deploy --chaos ...`, then edit the
`compose.yaml` to add `entrypoint: ['tail', '-f', '/dev/null']` to `app`,
then `app deploy --chaos` again, then `app run --user=www-data ... app bash` to get in and run `./occ maintenance:repair`, and `./occ upgrade`.
- Change `compose.yaml` to the new version number; `git checkout compose.yaml`
- `abra app deploy --force`
- This wasn't even multiplle major versions was it 😾
## How do I integrate with Keycloak SSO?
Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the plugin it's forked from, there is no configuration UI, so you'll need to edit `/var/www/html/config/config.php`:
Set the environment variables from the .env file during the shell session.
```
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'mysecret',
'oidc_login_provider_url' => 'https://example.com/realms/myrealm',
'oidc_login_disable_registration' => false,
'oidc_login_hide_password_form' => true,
'oidc_login_button_text' => 'Log in with your myssodomain',
'oidc_login_default_group' => 'mygroup',
'oidc_login_attributes' =>
array (
'id' => 'sub',
'name' => 'name',
'mail' => 'email',
),
'oidc_create_groups' => true,
set -a && source .env && set +a
```
You can use [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) (see "Cryptic Usernames" work-around) to get proper usernames.
If you ever need to change the realm, you'll need to reset the cache with:
Set the secrets.
```
docker exec -u www-data <container-id> php occ config:app:delete oidc_login last_updated_well_known
docker exec -u www-data <container-id> php occ config:app:delete oidc_login last_updated_jwks
printf "SECRET_HERE" | docker secret create SECRET_NAME -
```
## How do I enable multiple SSO login buttons?
We've been able to get this setup by using the [social login](https://apps.nextcloud.com/apps/sociallogin) plugin.
If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
## How can I customise the CSS?
There is some basic stuff in the admin settings.
To go a little deeper, you can use [this handy app](https://apps.nextcloud.com/apps/theming_customcss).
Here is an example CSS config which hides the local login and makes space for a central image:
```css
#body-login .wrapper main form[name="login"],
#body-login .wrapper main form[name="login"] ~ a {
display: none;
}
#body-login .logo {
visibility: hidden;
}
#body-login #alternative-logins a.button[href*="oidc"] {
background: #233b4a;
color: #fff;
transition: all 0.2s ease-in-out;
}
#body-login #alternative-logins a.button[href*="oidc"]:hover {
background: linear-gradient(-35deg, #233b4a 40%, #486c83 100%);
}
#body-login #alternative-logins a.button[href*="/sociallogin/oauth/google"] {
border: 0;
color: #db4437 !important;
background-color: #fff;
}
#body-login
#alternative-logins
a.button[href*="/sociallogin/oauth/google"]::before {
width: 25px;
background-color: #db4437;
border-radius: 100%;
background-size: 60%;
background-position: center;
height: 25px;
vertical-align: middle;
margin-right: 4px;
}
#body-login main {
padding: 50vh 0 0 0;
}
#body-login a[href*="#body-login"] {
visibility: hidden;
}
#body-login footer a,
#body-login footer p {
color: #233b4a;
}
#body-login footer a:hover {
color: #fff;
}
#body-login footer p.info {
text-shadow: none;
}
```
[nextcloud-docker]: https://hub.docker.com/_/nextcloud/
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
## Using [`previewgenerator`](https://github.com/nextcloud/previewgenerator) app
> Beware, this appp has been known to not work...
After you install, enable etc. then you need to run the generation (**warning**: it can take a long time!):
Deploy using the `-c` flag to specify one or multiple compose files.
```
abra app run <domain> app bash -u www-data
./occ preview:generate-all
docker stack deploy nextcloud -c compose.yaml -c compose.mariadb.yaml -c compose.smtp.yaml
```
To set up the cron to run again, there is [no clear solution in the context of
containers](https://github.com/nextcloud/previewgenerator/issues/1). So, a
pretty dodgy hack is to run it from the system directly:
```
root@foo.com /etc/cron.hourly $ cat foo-com-preview-generate
#!/bin/bash
docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-generate
```
This app will improve performance of image browsing at the cost of storage space.
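Review bot: the new `printf "SECRET_HERE" | docker secret create SECRET_NAME -` step puts the secret value on the command line, so it is recorded in shell history (and in any terminal session logging); suggest creating it from a file instead, `docker secret create SECRET_NAME ./secret_file`, or from a silent prompt, `read -rs SECRET && printf '%s' "$SECRET" | docker secret create SECRET_NAME -`. The README should also spell out the secret names the compose files expect, `${STACK_NAME}_db_root_password` and `${STACK_NAME}_db_password`, and say that `STACK_NAME` in `.env` has to equal the stack name given to `docker stack deploy nextcloud ...`, since both are declared `external: true` and the deploy fails if they do not exist. The SMTP password that the old `abra app secret insert <app-name> smtp_password v1 <SMTP_PASSWORD>` step covered is no longer mentioned although `compose.smtp.yaml` is still deployed, so state which secret, if any, that file needs. Lastly, `set -a && source .env && set +a` exports every line of `.env` into the shell environment, so keep only non-secret settings in that file.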
@ -35,10 +35,19 @@ services:
timeout: 10s
retries: 10
start_period: 1m
configs:
my_tune:
name: ${STACK_NAME}_my_cnf
file: my-tune.cnf
secrets:
db_root_password:
external: true
name: ${STACK_NAME}_db_root_password
db_password:
external: true
name: ${STACK_NAME}_db_password
volumes:
mariadb:
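Review bot: the top-level `secrets:` block declares `db_root_password` and `db_password`, but a top-level declaration alone does not mount anything into a container; the mariadb service also needs its own service-level `secrets:` list and the image's `*_PASSWORD_FILE` environment variables pointing at `/run/secrets/db_root_password` and `/run/secrets/db_password`, none of which is visible in this hunk, so please confirm they are present further up in the file. Both entries are `external: true`, meaning `docker stack deploy` refuses the stack until `${STACK_NAME}_db_root_password` and `${STACK_NAME}_db_password` exist; a one-line comment above `secrets:` saying they must be created first would save the next deployer a failed run.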
@ -118,9 +118,6 @@ services:
retries: 20
secrets:
db_root_password:
external: true
name: ${STACK_NAME}_db_root_password
db_password:
external: true
name: ${STACK_NAME}_db_password
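Review bot: the hunk shrinks from 9 to 6 lines, which matches removing the three `db_root_password` lines while keeping `db_password`; assuming this is the application-side compose file, that is the right least-privilege split, since the app only needs its own database user's password and the root credential now lives only with the database service. The removal is incomplete, though, if the app service still names `db_root_password` under its own service-level `secrets:` or in a `*_ROOT_PASSWORD_FILE` environment entry, because `docker stack deploy` then rejects the file for referencing an undefined secret; please check those spots as well.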