forked from coop-cloud/nextcloud
Compare commits
12 Commits
1.0.0+23.0
...
embed_next
| Author | SHA1 | Date | |
|---|---|---|---|
| e8a8f636d0 | |||
| daa57eece9 | |||
2ddf11728f
|
|||
|
71d15ef4df
|
|||
|
0d4f060e94
|
|||
| 1e1977a2b4 | |||
| 801e0a0762 | |||
| 01f610d02f | |||
| 12eea19cab | |||
| c4eed9d8ea | |||
|
986a6024fd
|
|||
|
a4102cd0ca
|
12
.env.sample
12
.env.sample
@ -5,6 +5,10 @@ DOMAIN=nextcloud.example.com
|
||||
#EXTRA_DOMAINS=', `www.nextcloud.example.com`'
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
COMPOSE_FILE="compose.yml"
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.postgres.yml"
|
||||
|
||||
ADMIN_USER=admin
|
||||
|
||||
SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||
@ -13,9 +17,5 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
|
||||
|
||||
EXTRA_VOLUME=/dev/null:/tmp/.dummy
|
||||
|
||||
## SMTP settings
|
||||
#COMPOSE_FILE="compose.yml:compose.mailrelay.yml"
|
||||
#SMTP_HOST="postfix_relay_app"
|
||||
## Emails are sent from $MAIL_FROM@$MAIL_DOMAIN
|
||||
#MAIL_DOMAIN=nextcloud.example.com
|
||||
#MAIL_FROM_ADDRESS=nextcloud
|
||||
# X_FRAME_OPTIONS_ENABLED=1
|
||||
# X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
|
||||
|
||||
52
README.md
52
README.md
@ -2,7 +2,7 @@
|
||||
|
||||
[](https://drone.autonomic.zone/coop-cloud/nextcloud)
|
||||
|
||||
Fully automated luxury Nextcloud via docker-swarm.
|
||||
Fully automated luxury Nextcloud via docker-swarm.
|
||||
|
||||
<!-- metadata -->
|
||||
* **Category**: Apps
|
||||
@ -39,6 +39,26 @@ Fully automated luxury Nextcloud via docker-swarm.
|
||||
|
||||
`abra app run --user www-data YOURAPPDOMAIN app occ app:update --all`
|
||||
|
||||
## How do I fix a Nextcloud version snafu?
|
||||
|
||||
`Exception: Updates between multiple major versions and downgrades are unsupported.`
|
||||
|
||||
Solution:
|
||||
|
||||
- Look at log files to determine the old Nextcloud version
|
||||
- Change your local `~/.abra/recipes/nextcloud/compose.yml` to the highest minor
|
||||
version in the old version -- e.g. choose `22.2.5` for `22`, if you're
|
||||
upgrading to `23`.
|
||||
- Then, do one of (both bad):
|
||||
1. `abra app deploy --chaos ...`, then `app run` to go in and manually lower the version number in PHP (shell in, `apt install vim-core && vi version.php`), then try `php ./occ upgrade`
|
||||
2. `abra app undeploy ...`, `abra volume rm`, CAREFULLY only choose the volume
|
||||
ENDING `_nextcloud`, then `abra app deploy --chaos ...`, then edit the
|
||||
`compose.yml` to add `entrypoint: ['tail', '-f', '/dev/null']` to `app`,
|
||||
then `app deploy --chaos` again, then `app run --user=www-data ... app bash` to get in and run `./occ maintenance:repair`, and `./occ upgrade`.
|
||||
- Change `compose.yml` to the new version number; `git checkout compose.yml`
|
||||
- `abra app deploy --force`
|
||||
- This wasn't even multiplle major versions was it 😾
|
||||
|
||||
## How do I integrate with Keycloak SSO?
|
||||
|
||||
Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the plugin it's forked from, there is no configuration UI, so you'll need to edit `/var/www/html/config/config.php`:
|
||||
@ -69,6 +89,12 @@ docker exec -u www-data <container-id> php occ config:app:delete oidc_login last
|
||||
docker exec -u www-data <container-id> php occ config:app:delete oidc_login last_updated_jwks
|
||||
```
|
||||
|
||||
## How do I enable multiple SSO login buttons?
|
||||
|
||||
We've been able to get this setup by using the [social login](https://apps.nextcloud.com/apps/sociallogin) plugin.
|
||||
|
||||
If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
|
||||
|
||||
## How can I customise the CSS?
|
||||
|
||||
There is some basic stuff in the admin settings.
|
||||
@ -140,3 +166,27 @@ Here is an example CSS config which hides the local login and makes space for a
|
||||
[nextcloud-docker]: https://hub.docker.com/_/nextcloud/
|
||||
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
|
||||
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
|
||||
|
||||
## Using [`previewgenerator`](https://github.com/nextcloud/previewgenerator) app
|
||||
|
||||
> Beware, this appp has been known to not work...
|
||||
|
||||
After you install, enable etc. then you need to run the generation (**warning**: it can take a long time!):
|
||||
|
||||
```
|
||||
abra app run <domain> app bash -u www-data
|
||||
./occ preview:generate-all
|
||||
```
|
||||
|
||||
To set up the cron to run again, there is [no clear solution in the context of
|
||||
containers](https://github.com/nextcloud/previewgenerator/issues/1). So, a
|
||||
pretty dodgy hack is to run it from the system directly:
|
||||
|
||||
```
|
||||
root@foo.com /etc/cron.hourly $ cat foo-com-preview-generate
|
||||
#!/bin/bash
|
||||
|
||||
docker exec -u www-data $(docker ps -f name=foo_com_app -q) ./occ preview:pre-generate
|
||||
```
|
||||
|
||||
This app will improve performance of image browsing at the cost of storage space.
|
||||
|
||||
3
abra.sh
3
abra.sh
@ -1,6 +1,7 @@
|
||||
export FPM_TUNE_VERSION=v4
|
||||
export NGINX_CONF_VERSION=v2
|
||||
export NGINX_CONF_VERSION=v3
|
||||
export MY_CNF_VERSION=v4
|
||||
export ENTRYPOINT_VERSION=v1
|
||||
|
||||
NC_APP_DIR="app:/var/www/html"
|
||||
|
||||
|
||||
40
compose.mariadb.yml
Normal file
40
compose.mariadb.yml
Normal file
@ -0,0 +1,40 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
- MYSQL_HOST=db
|
||||
- MYSQL_DATABASE=nextcloud
|
||||
- MYSQL_USER=nextcloud
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
|
||||
db:
|
||||
image: "mariadb:10.5"
|
||||
environment:
|
||||
- MYSQL_DATABASE=nextcloud
|
||||
- MYSQL_USER=nextcloud
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
|
||||
configs:
|
||||
- source: my_tune
|
||||
target: /etc/mysql/conf.d/my-tune.cnf
|
||||
secrets:
|
||||
- db_root_password
|
||||
- db_password
|
||||
volumes:
|
||||
- "mariadb:/var/lib/mysql"
|
||||
networks:
|
||||
- internal
|
||||
deploy:
|
||||
labels:
|
||||
backupbot.backup: "true"
|
||||
backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql'
|
||||
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
||||
backupbot.backup.path: "/tmp/backup/"
|
||||
configs:
|
||||
my_tune:
|
||||
name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
|
||||
file: my-tune.cnf
|
||||
|
||||
volumes:
|
||||
mariadb:
|
||||
38
compose.postgres.yml
Normal file
38
compose.postgres.yml
Normal file
@ -0,0 +1,38 @@
|
||||
version: '3.8'
|
||||
|
||||
services:
|
||||
app:
|
||||
entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
|
||||
environment:
|
||||
- POSTGRES_HOST=db
|
||||
- POSTGRES_DB=nextcloud
|
||||
- POSTGRES_USER=nextcloud
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
|
||||
- NEXTCLOUD_UPDATE=1
|
||||
|
||||
db:
|
||||
image: "postgres:12"
|
||||
volumes:
|
||||
- "postgres:/var/lib/postgresql/data"
|
||||
networks:
|
||||
- internal
|
||||
environment:
|
||||
POSTGRES_USER: nextcloud
|
||||
POSTGRES_PASSWORD_FILE: /run/secrets/db_password
|
||||
POSTGRES_DB: nextcloud
|
||||
secrets:
|
||||
- db_password
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 5
|
||||
deploy:
|
||||
labels:
|
||||
backupbot.backup: "true"
|
||||
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
|
||||
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
||||
backupbot.backup.path: "/tmp/backup/"
|
||||
|
||||
volumes:
|
||||
postgres:
|
||||
51
compose.yml
51
compose.yml
@ -1,11 +1,13 @@
|
||||
version: "3.8"
|
||||
services:
|
||||
web:
|
||||
image: nginx:1.20.0
|
||||
image: nginx:1.23.1
|
||||
configs:
|
||||
- source: nginx_conf
|
||||
target: /etc/nginx/nginx.conf
|
||||
environment:
|
||||
- X_FRAME_OPTIONS_ALLOW_FROM
|
||||
- X_FRAME_OPTIONS_ENABLED
|
||||
- DOMAIN
|
||||
- STACK_NAME
|
||||
volumes:
|
||||
@ -33,22 +35,24 @@ services:
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||
|
||||
app:
|
||||
image: nextcloud:23.0.1-fpm
|
||||
image: nextcloud:24.0.3-fpm
|
||||
depends_on:
|
||||
- db
|
||||
configs:
|
||||
- source: fpm_tune
|
||||
target: /usr/local/etc/php-fpm.d/fpm-tune.conf
|
||||
- source: entrypoint
|
||||
target: /custom-entrypoint.sh
|
||||
mode: 555
|
||||
entrypoint: /custom-entrypoint.sh
|
||||
secrets:
|
||||
- db_password
|
||||
- admin_password
|
||||
environment:
|
||||
- X_FRAME_OPTIONS_ALLOW_FROM
|
||||
- X_FRAME_OPTIONS_ENABLED
|
||||
- DOMAIN
|
||||
- STACK_NAME
|
||||
- MYSQL_HOST=db
|
||||
- MYSQL_DATABASE=nextcloud
|
||||
- MYSQL_USER=nextcloud
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
- NEXTCLOUD_ADMIN_USER=${ADMIN_USER}
|
||||
- NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password
|
||||
- NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
|
||||
@ -73,28 +77,12 @@ services:
|
||||
failure_action: rollback
|
||||
order: start-first
|
||||
labels:
|
||||
- "coop-cloud.${STACK_NAME}.version=1.0.0+23.0.1-fpm"
|
||||
|
||||
db:
|
||||
image: "mariadb:10.5"
|
||||
environment:
|
||||
- MYSQL_DATABASE=nextcloud
|
||||
- MYSQL_USER=nextcloud
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
|
||||
configs:
|
||||
- source: my_tune
|
||||
target: /etc/mysql/conf.d/my-tune.cnf
|
||||
secrets:
|
||||
- db_root_password
|
||||
- db_password
|
||||
volumes:
|
||||
- "mariadb:/var/lib/mysql"
|
||||
networks:
|
||||
- internal
|
||||
- "coop-cloud.${STACK_NAME}.version=2.1.2+24.0.3-fpm"
|
||||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
|
||||
|
||||
cron:
|
||||
image: nextcloud:23.0.1-fpm
|
||||
image: nextcloud:24.0.3-fpm
|
||||
volumes:
|
||||
- nextcloud:/var/www/html/
|
||||
- nextapps:/var/www/html/custom_apps:cached
|
||||
@ -106,7 +94,7 @@ services:
|
||||
entrypoint: /cron.sh
|
||||
|
||||
cache:
|
||||
image: redis:6.2.5-alpine
|
||||
image: redis:7.0.4-alpine
|
||||
networks:
|
||||
- internal
|
||||
volumes:
|
||||
@ -128,9 +116,9 @@ volumes:
|
||||
nextapps:
|
||||
nextdata:
|
||||
nextconfig:
|
||||
mariadb:
|
||||
redis:
|
||||
|
||||
|
||||
configs:
|
||||
nginx_conf:
|
||||
name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
|
||||
@ -139,9 +127,10 @@ configs:
|
||||
fpm_tune:
|
||||
name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION}
|
||||
file: fpm-tune.ini
|
||||
my_tune:
|
||||
name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
|
||||
file: my-tune.cnf
|
||||
entrypoint:
|
||||
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
|
||||
file: entrypoint.sh.tmpl
|
||||
template_driver: golang
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
||||
9
entrypoint.sh.tmpl
Normal file
9
entrypoint.sh.tmpl
Normal file
@ -0,0 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
|
||||
if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
|
||||
sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
|
||||
fi
|
||||
{{ end }}
|
||||
|
||||
/entrypoint.sh php-fpm
|
||||
@ -41,6 +41,7 @@ http {
|
||||
# could take several months.
|
||||
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
||||
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 512M;
|
||||
fastcgi_buffers 64 4K;
|
||||
@ -61,11 +62,18 @@ http {
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
{{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
|
||||
add_header X-Frame-Options "{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}" always;
|
||||
add_header Content-Security-Policy "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}";
|
||||
{{ else }}
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
{{ end }}
|
||||
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
|
||||
6
releases/2.0.0+23.0.3-fpm
Normal file
6
releases/2.0.0+23.0.3-fpm
Normal file
@ -0,0 +1,6 @@
|
||||
2.0.0 introduces a minor nextcloud update to 23.0.4 and moves the database service to a seperate override.yml file to support different database types (mariadb / postgres). This might break your installation. Please add the following snippet to your config .env to ensure the right db is used:
|
||||
|
||||
```
|
||||
COMPOSE_FILE="compose.yml"
|
||||
COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
|
||||
```
|
||||
Reference in New Issue
Block a user