diff --git a/.drone.yml b/.drone.yml index b7b6066..b3002cd 100644 --- a/.drone.yml +++ b/.drone.yml @@ -3,7 +3,7 @@ kind: pipeline name: deploy to swarm-test.autonomic.zone steps: - name: deployment - image: decentral1se/stack-ssh-deploy:latest + image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest settings: host: swarm-test.autonomic.zone stack: nextcloud @@ -11,15 +11,39 @@ steps: purge: true deploy_key: from_secret: drone_ssh_swarm_test + networks: + - proxy environment: DOMAIN: nextcloud.swarm-test.autonomic.zone STACK_NAME: nextcloud LETS_ENCRYPT_ENV: production ADMIN_USER: foobar + FPM_TUNE_VERSION: v1 + NGINX_CONF_VERSION: v1 + MY_CNF_VERSION: v1 + ENTRYPOINT_VERSION: v1 SECRET_DB_PASSWORD_VERSION: v1 SECRET_DB_ROOT_PASSWORD_VERSION: v1 SECRET_ADMIN_PASSWORD_VERSION: v1 + SECRET_ONLYOFFICE_JWT_VERSION: v1 + SECRET_BBB_SECRET_VERSION: v1 EXTRA_VOLUME: "/dev/null:/tmp/.dummy" trigger: branch: - main +--- +kind: pipeline +name: generate recipe catalogue +steps: + - name: release a new version + image: plugins/downstream + settings: + server: https://build.coopcloud.tech + token: + from_secret: drone_abra-bot_token + fork: true + repositories: + - coop-cloud/auto-recipes-catalogue-json + +trigger: + event: tag diff --git a/.env.sample b/.env.sample index 89587e4..2e93eee 100644 --- a/.env.sample +++ b/.env.sample @@ -1,6 +1,8 @@ TYPE=nextcloud +TIMEOUT=500 +ENABLE_AUTO_UPDATE=true -DOMAIN={{ .Domain }} +DOMAIN=nextcloud.example.com ## Domain aliases #EXTRA_DOMAINS=', `www.nextcloud.example.com`' LETS_ENCRYPT_ENV=production 
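Review bot: `ENABLE_AUTO_UPDATE=true` and `TIMEOUT=500` are added to the sample with no comment, so every app created from it opts into automatic updates by default and carries a timeout whose unit and consumer are not stated here (the only reader visible in this diff is the `coop-cloud.${STACK_NAME}.timeout` label in compose.yml). A one-line comment above each, stating what `ENABLE_AUTO_UPDATE` opts the deployment into and what `TIMEOUT` is measured in, would make the default a conscious choice for operators rather than an inherited one. Replacing `DOMAIN={{ .Domain }}` with a literal `nextcloud.example.com` also drops the template placeholder; if abra no longer substitutes it, a comment saying the value must be edited by hand would help.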
@@ -17,5 +19,44 @@ SECRET_ADMIN_PASSWORD_VERSION=v1 EXTRA_VOLUME=/dev/null:/tmp/.dummy +PHP_MEMORY_LIMIT=1G +# fpm-tune, see: https://spot13.com/pmcalculator/ +FPM_MAX_CHILDREN=16 +FPM_START_SERVERS=4 +FPM_MIN_SPARE_SERVERS=4 +FPM_MAX_SPARE_SERVERS=12 + +DEFAULT_QUOTA="10 GB" + # X_FRAME_OPTIONS_ENABLED=1 # X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org + +# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml" +# See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values +# SMTP_AUTHTYPE= +# SMTP_HOST= +# SMTP_SECURE= +# SMTP_NAME= +# SMTP_PORT= +# MAIL_FROM_ADDRESS= +# MAIL_DOMAIN= +# SECRET_SMTP_PASSWORD_VERSION=v1 + +# COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" +# APPS="calendar sociallogin onlyoffice" +# +# ONLYOFFICE_URL=https://onlyoffice.example.com +# SECRET_ONLYOFFICE_JWT_VERSION=v1 +# +# BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! +# SECRET_BBB_SECRET_VERSION=v1 +# +# OCC_CMDS="app:disable dashboard" +# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin auto_create_groups --value 1" +# OCC_CMDS="$OCC_CMDS|config:app:set sociallogin hide_default_login --value 1" + +# COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" +# AUTHENTIK_USER_PREFIX=authentik +# AUTHENTIK_DOMAIN=authentik.example.com +# SECRET_AUTHENTIK_SECRET_VERSION=v1 +# SECRET_AUTHENTIK_ID_VERSION=v1 diff --git a/README.md b/README.md index b39d6c5..2f7d17a 100644 --- a/README.md +++ b/README.md 
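Review bot: The line `# BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!` carries its remark inline; the README and release notes in this commit tell users to uncomment exactly that line, and nothing on this page shows that the env loader strips `# ...` after a value — if it does not, the URL handed to `install_bbb` ends in ` # trailing slash!`. Move the remark to its own line above it: `# BBB_URL must end with a trailing slash` / `# BBB_URL=https://talk.example.org/bigbluebutton/`. The FPM values given here (`FPM_MAX_CHILDREN=16`, `FPM_START_SERVERS=4`, `FPM_MIN_SPARE_SERVERS=4`, `FPM_MAX_SPARE_SERVERS=12`) also disagree with the `${FPM_MAX_CHILDREN:-131}` fallbacks in compose.yml and with the numbers quoted in release/3.1.0+25.0.1-fpm, so an operator who copies the sample silently gets a much smaller worker pool than before; pick one set and say which is authoritative.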
@@ -15,29 +15,83 @@ Fully automated luxury Nextcloud via docker-swarm. * **SSO**: 1 (OAuth) -## Basic usage +## Quick start -1. Set up Docker Swarm and [`abra`] -2. Deploy [`coop-cloud/traefik`] -3. `abra app new nextcloud --secrets` (optionally with `--pass` if you'd like - to save secrets in `pass`) -4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to - your Docker swarm box -5. `abra app YOURAPPDOMAIN deploy` -## How do I customise the default home page when logging in? +* `abra app new nextcloud` +* `abra app config ` +* `abra app secret insert smtp_password v1 ` +* `abra app secret generate -a ` +* `abra app deploy ` -- Delete the dashboard app since it is so corporate -- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app -- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder) +### Onlyoffice Integration + +`abra app config ` +Configure the following envs: +``` +COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" +ONLYOFFICE_URL=https://onlyoffice.example.com +SECRET_ONLYOFFICE_JWT_VERSION=v1 +``` + +`abra app secret insert onlyoffice_jwt v1 ` +`abra app cmd app install_onlyoffice` + +### BBB Integration + +`abra app config ` +Configure the following envs: +``` +COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml" +BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash! 
+SECRET_BBB_SECRET_VERSION=v1 +``` + +`abra app secret insert bbb_secret v1 ` +`abra app cmd app install_bbb` + +### Authentik Integration + + +`abra app config ` +Configure the following envs: +``` +COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml" +AUTHENTIK_USER_PREFIX=authentik +AUTHENTIK_DOMAIN=authentik.example.com +AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1 # the same as in authentik +AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1 # the same as in authentik +``` + +`abra app cmd app set_authentik` + +### Disable Dashboard + +Disable dashboard app since it is so corporate: + +`abra app config ` +Configure the following envs: +``` +OCC_CMDS="app:disable dashboard" +``` +`abra app cmd app post_install_occ` ## Running `occ` -`abra app run --user www-data YOURAPPDOMAIN app occ user:list --help` +`abra app cmd app run_occ '"user:list --help"'` + +## Default user files + +- Follow [these docs](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/default_files_configuration.html) to set the default files list for each user in the Files app + +## Default App + +- Configure a `defaultapp` in your `config.php` or use [apporder](https://apps.nextcloud.com/apps/apporder) ## Upgrading Nextcloud apps -`abra app run --user www-data YOURAPPDOMAIN app occ app:update --all` +`abra app cmd app run_occ '"app:update --all"'` + ## How do I fix a Nextcloud version snafu? @@ -66,7 +120,7 @@ Use [this plugin](https://github.com/pulsejet/nextcloud-oidc-login). Unlike the ``` 'oidc_login_client_id' => 'nextcloud', 'oidc_login_client_secret' => 'mysecret', - 'oidc_login_provider_url' => 'https://example.com/auth/realms/myrealm', + 'oidc_login_provider_url' => 'https://example.com/realms/myrealm', 'oidc_login_disable_registration' => false, 'oidc_login_hide_password_form' => true, 'oidc_login_button_text' => 'Log in with your myssodomain', diff --git a/abra.sh b/abra.sh index d8dd9df..3738133 100644 --- a/abra.sh +++ b/abra.sh 
@@ -1,106 +1,107 @@ -export FPM_TUNE_VERSION=v4 +#!/bin/bash + +export FPM_TUNE_VERSION=v5 export NGINX_CONF_VERSION=v4 export MY_CNF_VERSION=v4 -export ENTRYPOINT_VERSION=v2 +export ENTRYPOINT_VERSION=v3 -NC_APP_DIR="app:/var/www/html" - -sub_occ(){ - # shellcheck disable=SC2034 - abra__service_="app" - # shellcheck disable=SC2034 - abra___user="www-data" - sub_app_run php /var/www/html/occ "$@" +run_occ() { + su -p www-data -s /bin/sh -c "/var/www/html/occ $@" } -_backup_app() { - # Copied _abra_backup_dir to make UX better on restore and backup - { - abra__src_="$1" - abra__dst_="-" - } - - # shellcheck disable=SC2154 - FILENAME="$(basename "$1").tar" - - debug "Copying '$1' to '$FILENAME'" - - silence - mkdir -p /tmp/abra - sub_app_cp > /tmp/abra/$FILENAME - unsilence +post_install_occ() { + IFS='|' read -ra CMD <<<"$OCC_CMDS" + for cmd in "${CMD[@]}"; do + run_occ "$cmd" + done } -next_maintenance_on() { - silence - sub_occ maintenance:mode --on > /dev/null - unsilence - debug "Nextcloud maintenance mode enabled" +install_apps() { + install_apps="$@" + if [ -z "$install_apps" ]; then + install_apps=$APPS + fi + for app in $install_apps; do + run_occ "app:install $app" + done } -next_maintenance_off() { - silence - sub_occ maintenance:mode --off > /dev/null - unsilence - debug "Nextcloud maintenance mode disabled" +set_app_config() { + APP=$1 + KEY=$2 + VALUE=$3 + run_occ "config:app:set $APP $KEY --value '$VALUE'" } -abra_backup_app() { - # shellcheck disable=SC2154 - ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz" - # Cant be FILENAME as that gets changed by something - next_maintenance_on - _backup_app $NC_APP_DIR/config - _backup_app $NC_APP_DIR/data - _backup_app $NC_APP_DIR/themes - # Combine archives - tar -Af /tmp/abra/config.tar /tmp/abra/data.tar - tar -Af /tmp/abra/config.tar /tmp/abra/themes.tar - gzip /tmp/abra/config.tar -c > "$ARK_FILENAME" - rm /tmp/abra/*.tar - success "Backed up 'app' to $ARK_FILENAME" - 
next_maintenance_off +set_system_config() { + KEY=$1 + VALUE=$2 + run_occ "config:system:set $KEY --value '$VALUE'" } -abra_backup_db() { - next_maintenance_on - _abra_backup_mysql "db" "nextcloud" - next_maintenance_off +set_trusted_proxies() { + trusted_proxies="$@" + if [ -z "$1" ]; then + trusted_proxies="$TRUSTED_PROXIES" + fi + set_system_config trusted_proxies "$trusted_proxies" } -abra_backup() { - abra_backup_app && abra_backup_db +set_logfile_stdout() { + set_system_config logfile '/dev/stdout' } - -abra_restore_app() { - next_maintenance_on - # shellcheck disable=SC2034 - { - abra__src_="-" - abra__dst_=$NC_APP_DIR - } - - zcat "$@" | sub_app_cp - - next_maintenance_off - sub_occ files:scan --all > /dev/null # Needs to be run in normal mode - success "Restored 'app'" +install_bbb() { + install_apps bbb + set_app_config bbb app.navigation true + set_app_config bbb api.url "$BBB_URL" + set_app_config bbb api.secret "$(cat /run/secrets/bbb_secret)" } -# abra_restore_db() { -# warning "Restoring the database is on a existing app and not a new one has not been tested. Use with caution." -# next_maintenance_on -# # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we -# # got this far.. 
+install_onlyoffice() { + install_apps onlyoffice + set_app_config onlyoffice DocumentServerUrl "$ONLYOFFICE_URL" + set_app_config onlyoffice jwt_secret "$(cat /run/secrets/onlyoffice_jwt)" + set_app_config onlyoffice customizationForcesave true +} -# # shellcheck disable=SC2034 -# abra___no_tty="true" +set_default_quota() { + set_app_config files default_quota "$DEFAULT_QUOTA" +} -# DB_PASSWORD=$(sub_app_run cat /run/secrets/db_password) +set_authentik() { + install_apps sociallogin + AUTHENTIK_SECRET=$(cat /run/secrets/authentik_secret) + AUTHENTIK_ID=$(cat /run/secrets/authentik_id) + set_app_config sociallogin custom_providers " +{ + \"custom_oidc\":[ + { + \"name\":\"$AUTHENTIK_USER_PREFIX\", + \"title\":\"authentik\", + \"authorizeUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/authorize/\", + \"tokenUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/token/\", + \"displayNameClaim\":\"preferred_username\", + \"userInfoUrl\": \"https://$AUTHENTIK_DOMAIN/application/o/userinfo/\", + \"logoutUrl\": \"https://$AUTHENTIK_DOMAIN/if/session-end/nextcloud/\", + \"clientId\":\"$AUTHENTIK_ID\", + \"clientSecret\":\"$AUTHENTIK_SECRET\", + \"scope\":\"openid profile email nextcloud\", + \"groupsClaim\":\"nextcloud_groups\", + \"style\":\"openid\", + \"defaultGroup\":\"\", + \"groupMapping\": { + \"admin\": \"admin\", + \"authentik Admins\": \"admin\" + } + } +] +}" -# zcat "$@" | sub_app_run mysql -u root -p"$DB_PASSWORD" wordpress - -# success "Restored 'db'" -# next_maintenance_off -# } + set_app_config sociallogin update_profile_on_login 1 + set_app_config sociallogin auto_create_groups 1 + set_app_config sociallogin hide_default_login 1 + run_occ 'config:system:set social_login_auto_redirect --value true' + run_occ 'config:system:set allow_user_to_change_display_name --value=false' + run_occ 'config:system:set lost_password_link --value=disabled' +} diff --git a/compose.apps.yml b/compose.apps.yml new file mode 100644 index 0000000..b892636 --- /dev/null 
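Review bot: `set_app_config` and `set_system_config` splice their value into a single-quoted segment of the string that `run_occ` hands to `sh -c`, so a value containing `'` terminates the quoting and the remainder is parsed as shell; `install_bbb`, `install_onlyoffice` and `set_authentik` route secrets read from `/run/secrets` through this path, and a generated secret can contain that character. Escaping once at the boundary is enough: `VALUE=${3//\'/\'\\\'\'}` in `set_app_config` and `VALUE=${2//\'/\'\\\'\'}` in `set_system_config` turn each `'` into `'\''`; `run_occ` itself should keep re-splitting its argument, because `post_install_occ` depends on that for `OCC_CMDS`. Separately, each secret becomes part of the `occ` command line for the duration of the call and is readable in the container's process list, which is inherent to `--value` but deserves a comment on `set_authentik` so nobody later wraps these helpers in `set -x`. `install_apps` also reuses its own function name as a variable (`install_apps="$@"`), which works in bash but reads as a bug; a different local name avoids the double take.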
+++ b/compose.apps.yml
@@ -0,0 +1,18 @@
+version: "3.8"
+services:
+ app:
+ secrets:
+ - onlyoffice_jwt
+ - bbb_secret
+ environment:
+ - APPS
+ - ONLYOFFICE_URL
+ - BBB_URL
+
+secrets:
+ onlyoffice_jwt:
+ external: true
+ name: ${STACK_NAME}_onlyoffice_jwt_${SECRET_ONLYOFFICE_JWT_VERSION}
+ bbb_secret:
+ external: true
+ name: ${STACK_NAME}_bbb_secret_${SECRET_BBB_SECRET_VERSION}
diff --git a/compose.authentik.yml b/compose.authentik.yml
new file mode 100644
index 0000000..4046c63
--- /dev/null
+++ b/compose.authentik.yml
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+ app:
+ secrets:
+ - authentik_secret
+ - authentik_id
+
+secrets:
+ authentik_secret:
+ external: true
+ name: ${STACK_NAME}_authentik_secret_${SECRET_AUTHENTIK_SECRET_VERSION}
+ authentik_id:
+ external: true
+ name: ${STACK_NAME}_authentik_id_${SECRET_AUTHENTIK_ID_VERSION}
diff --git a/compose.mariadb.yml b/compose.mariadb.yml
index 956e424..361e390 100644
--- a/compose.mariadb.yml
+++ b/compose.mariadb.yml
@@ -28,9 +28,15 @@ services:
 deploy:
 labels:
 backupbot.backup: "true"
- backupbot.backup.pre-hook: 'mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /tmp/backup/backup.sql'
- backupbot.backup.post-hook: "rm -rf /tmp/backup"
- backupbot.backup.path: "/tmp/backup/"
+ backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" nextcloud > /var/lib/mysql/backup.sql'
+ backupbot.backup.post-hook: "rm -rf /var/lib/mysql/backup.sql"
+ backupbot.backup.path: "/var/lib/mysql/backup.sql"
+ healthcheck:
+ test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping']
+ interval: 30s
+ timeout: 10s
+ retries: 10
+ start_period: 1m
 configs:
 my_tune:
 name: ${STACK_NAME}_my_cnf_${MY_CNF_VERSION}
diff --git a/compose.postgres.yml b/compose.postgres.yml
index 85630f6..398e5d3 100644
--- a/compose.postgres.yml
+++ b/compose.postgres.yml
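Review bot: The `app` service references both `onlyoffice_jwt` and `bbb_secret` as `external: true` secrets, so as far as swarm semantics go a stack that enables `compose.apps.yml` cannot be deployed until both secrets exist, even for an operator who only wants `APPS` or a single one of the two integrations. `.env.sample` in this commit leaves `SECRET_ONLYOFFICE_JWT_VERSION` and `SECRET_BBB_SECRET_VERSION` commented out, in which case the names here expand to `${STACK_NAME}_onlyoffice_jwt_` and `${STACK_NAME}_bbb_secret_`. Either split this into one compose file per integration, or add a comment at the top of the file: `# requires both onlyoffice_jwt and bbb_secret to exist; set both SECRET_*_VERSION values in .env`.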
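Review bot: The secret names here are built from `SECRET_AUTHENTIK_SECRET_VERSION` and `SECRET_AUTHENTIK_ID_VERSION`, but the README section and release/3.2.0+25.0.4-fpm in the same commit instruct operators to set `AUTHENTIK_SECRET_NAME=...` and `AUTHENTIK_ID_NAME=...`, which nothing on this page reads; an operator who follows the docs leaves the version suffix empty and the stack references a secret that does not exist. `.env.sample` already lists the `SECRET_AUTHENTIK_*_VERSION` names, so the docs should be aligned to it, and a comment on the `secrets:` block would close the gap: `# versioned via SECRET_AUTHENTIK_SECRET_VERSION / SECRET_AUTHENTIK_ID_VERSION in .env`.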
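Review bot: The new healthcheck puts the root password on the command line (`mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping`), where it is readable in the container's process list every 30 seconds, and mysqladmin's documentation states that `ping` returns 0 even when the server refuses the connection with access denied, so the credential adds nothing; `test: ["CMD-SHELL", "mysqladmin ping"]` is equivalent and exposes nothing. The backup hooks now write the plaintext dump into the live datadir as `/var/lib/mysql/backup.sql`, on the same volume as the database: a dump that exceeds the free space takes the database down with it, and if the post-hook is skipped the dump persists next to the data files. A dedicated volume or tmpfs for the dump, with `backupbot.backup.path` pointing there, is the safer shape, and `rm -rf` on a single file should be `rm -f`.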
@@ -16,22 +16,22 @@ services: networks: - internal environment: - POSTGRES_USER: nextcloud + POSTGRES_USER: nextcloud POSTGRES_PASSWORD_FILE: /run/secrets/db_password - POSTGRES_DB: nextcloud + POSTGRES_DB: nextcloud secrets: - db_password healthcheck: - test: ["CMD-SHELL", "pg_isready"] + test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"] interval: 10s timeout: 5s retries: 5 deploy: labels: backupbot.backup: "true" - backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql" - backupbot.backup.post-hook: "rm -rf /tmp/backup" - backupbot.backup.path: "/tmp/backup/" + backupbot.backup.pre-hook: "PGPASSWORD=$$(cat $${POSTGRES_PASSWORD_FILE}) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql" + backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql" + backupbot.backup.path: "/var/lib/postgresql/data/" volumes: postgres: diff --git a/compose.smtp.yml b/compose.smtp.yml new file mode 100644 index 0000000..cd7436b --- /dev/null +++ b/compose.smtp.yml @@ -0,0 +1,19 @@ +version: "3.8" +services: + app: + secrets: + - smtp_password + environment: + - SMTP_AUTHTYPE + - SMTP_HOST + - SMTP_SECURE + - SMTP_NAME + - SMTP_PORT + - SMTP_PASSWORD_FILE=/run/secrets/smtp_password + - MAIL_FROM_ADDRESS + - MAIL_DOMAIN + +secrets: + smtp_password: + external: true + name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION} diff --git a/compose.yml b/compose.yml index f193a40..f23e1e9 100644 --- a/compose.yml +++ b/compose.yml @@ -1,7 +1,7 @@ version: "3.8" services: web: - image: nginx:1.23.1 + image: nginx:1.25.1 configs: - source: nginx_conf target: /etc/nginx/nginx.conf 
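Review bot: `test: ["CMD-SHELL", "pg_isready", "-U", "nextcloud"]` does not pass `-U nextcloud` to pg_isready: with `CMD-SHELL` only the second element is the command string given to the shell, and the remaining elements become that shell's positional parameters, so the probe still runs as the default user the commit meant to move away from. Use `test: ["CMD", "pg_isready", "-U", "nextcloud"]` or `test: ["CMD-SHELL", "pg_isready -U nextcloud"]`. `backupbot.backup.path: "/var/lib/postgresql/data/"` now covers the whole live PGDATA directory alongside `backup.sql`, unlike the mariadb file in this commit which names the dump alone; copying the raw cluster files of a running server yields an inconsistent copy and inflates every backup, so point it at `/var/lib/postgresql/data/backup.sql` and change the post-hook's `rm -rf` to `rm -f`.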
@@ -33,14 +33,20 @@ services: - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" + healthcheck: + test: ["CMD-SHELL", 'curl -s -N curl -Ns localhost/status.php | grep "installed\":true"'] + interval: 30s + timeout: 10s + retries: 10 + start_period: 5m app: - image: nextcloud:24.0.6-fpm + image: nextcloud:27.0.1-fpm depends_on: - db configs: - source: fpm_tune - target: /usr/local/etc/php-fpm.d/fpm-tune.conf + target: /usr/local/etc/php-fpm.d/zzz-fpm-tune.conf - source: entrypoint target: /custom-entrypoint.sh mode: 555 @@ -49,6 +55,8 @@ services: - db_password - admin_password environment: + - APPS + - OCC_CMDS - X_FRAME_OPTIONS_ALLOW_FROM - X_FRAME_OPTIONS_ENABLED - DOMAIN @@ -56,14 +64,15 @@ services: - NEXTCLOUD_ADMIN_USER=${ADMIN_USER} - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/admin_password - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN} - - TRUSTED_PROXIES=traefik + - TRUSTED_PROXIES=10.0.0.0/8 - REDIS_HOST=cache - - SMTP_HOST - - MAIL_FROM_ADDRESS - - MAIL_DOMAIN - - SMTP_AUTHTYPE=PLAIN - OVERWRITEPROTOCOL=https - - PHP_MEMORY_LIMIT=1G + - PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-1G} + - FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-131} + - FPM_START_SERVERS=${FPM_START_SERVERS:-32} + - FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-32} + - FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-98} + - DEFAULT_QUOTA volumes: - nextcloud:/var/www/html/ - nextapps:/var/www/html/custom_apps:cached 
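Review bot: The web healthcheck command `curl -s -N curl -Ns localhost/status.php | grep "installed\":true"` contains a duplicated `curl`, which makes curl treat the literal word `curl` as a second URL to fetch; the pipeline's status comes from grep, so the check happens to pass, but it issues a failing extra request on every interval and reads as a typo. Replace it with `curl -Ns localhost/status.php | grep "installed\":true"`. The same grep test is reused for the `app` healthcheck later in this file; a comment naming what `installed` in `status.php` signals would make both checks easier to maintain.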
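Review bot: `TRUSTED_PROXIES=traefik` becomes `TRUSTED_PROXIES=10.0.0.0/8`, which tells Nextcloud to accept the forwarded client address from any peer in that /8 rather than only from the reverse proxy; swarm overlay networks are typically allocated from that range, so every container sharing a network with `app`, not just traefik, can now set the address Nextcloud records for a client. If the hostname form was dropped because of name-resolution problems, say so in a comment and at least make the value overridable, `TRUSTED_PROXIES=${TRUSTED_PROXIES:-10.0.0.0/8}`, so `.env` and the `set_trusted_proxies` helper in abra.sh share one source. The FPM fallbacks added in this hunk (`131`, `32`, `32`, `98`) also differ from the `.env.sample` values in this commit (`16`, `4`, `4`, `12`); one of the two should be corrected.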
@@ -77,12 +86,19 @@ services: failure_action: rollback order: start-first labels: - - "coop-cloud.${STACK_NAME}.version=2.1.4+24.0.6-fpm" + - "coop-cloud.${STACK_NAME}.version=5.0.1+27.0.1-fpm" + - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" - "backupbot.backup=true" - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/" + healthcheck: + test: ["CMD-SHELL", 'SCRIPT_NAME=status SCRIPT_FILENAME=/var/www/html/status.php REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000 | grep "installed\":true"'] + interval: 30s + timeout: 10s + retries: 10 + start_period: 5m cron: - image: nextcloud:24.0.6-fpm + image: nextcloud:27.0.1-fpm volumes: - nextcloud:/var/www/html/ - nextapps:/var/www/html/custom_apps:cached @@ -94,11 +110,16 @@ services: entrypoint: /cron.sh cache: - image: redis:7.0.5-alpine + image: redis:7.0.12-alpine networks: - internal volumes: - "redis:/data" + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 3s + timeout: 5s + retries: 20 secrets: db_root_password: @@ -106,7 +127,7 @@ secrets: name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION} db_password: external: true - name: ${STACK_NAME}_db_password_${SECRET_DB_ROOT_PASSWORD_VERSION} + name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION} admin_password: external: true name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION} @@ -127,6 +148,7 @@ configs: fpm_tune: name: ${STACK_NAME}_fpm_tune_${FPM_TUNE_VERSION} file: fpm-tune.ini + template_driver: golang entrypoint: name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} file: entrypoint.sh.tmpl diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl index 30d21e8..c2e5ab6 100644 --- a/entrypoint.sh.tmpl +++ b/entrypoint.sh.tmpl 
@@ -1,5 +1,30 @@ #!/bin/bash +set -eu + +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + + export "$var"="$val" + unset "$fileVar" +} + +file_env "SMTP_PASSWORD" + echo "Giving the db container some time to come up"; sleep 20 # see this issue with postgres db https://github.com/nextcloud/docker/issues/1204 @@ -9,4 +34,8 @@ if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Ht fi {{ end }} +# Required for healthcheck +which cgi-fcgi > /dev/null || (apt-get update && apt-get install -y libfcgi-bin) + + /entrypoint.sh php-fpm diff --git a/fpm-tune.ini b/fpm-tune.ini index 8e0fc5c..af0f58d 100644 --- a/fpm-tune.ini +++ b/fpm-tune.ini @@ -1,5 +1,5 @@ pm = dynamic -pm.max_children = 131 -pm.start_servers = 32 -pm.min_spare_servers = 32 -pm.max_spare_servers = 98 +pm.max_children = {{ env "FPM_MAX_CHILDREN" }} +pm.start_servers = {{ env "FPM_START_SERVERS" }} +pm.min_spare_servers = {{ env "FPM_MIN_SPARE_SERVERS" }} +pm.max_spare_servers = {{ env "FPM_MAX_SPARE_SERVERS" }} diff --git a/releases/2.0.0+23.0.3-fpm b/release/2.0.0+23.0.3-fpm similarity index 100% rename from releases/2.0.0+23.0.3-fpm rename to release/2.0.0+23.0.3-fpm diff --git a/release/3.1.0+25.0.1-fpm b/release/3.1.0+25.0.1-fpm new file mode 100644 index 0000000..cbdbc6e --- /dev/null +++ b/release/3.1.0+25.0.1-fpm 
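Review bot: `file_env` and `set -eu` are added without a comment saying what the helper is for or that the stricter mode is meant to apply to the unchanged remainder of the script, including the `sleep 20` and the `{{ env ... }}` block below this hunk. A short header above `file_env` stating that it resolves `SMTP_PASSWORD` from `SMTP_PASSWORD_FILE` (mounted by compose.smtp.yml), exports the plain value into the environment inherited by the `/entrypoint.sh php-fpm` call at the end of the file, and unsets the `_FILE` variable would make the secret flow reviewable. The `exit 1` branch's message could also name the file variable that should be removed, since both forms being set is the only error it reports.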
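Review bot: `which cgi-fcgi > /dev/null || (apt-get update && apt-get install -y libfcgi-bin)` installs a package from the network on every fresh container start, as root and with no version pin beyond apt's own signature check, and under the `set -e` added at the top of this file an apt failure (no egress, mirror outage) now aborts the entrypoint so the application never starts: an outage of a healthcheck dependency becomes an outage of the service. Baking `libfcgi-bin` into the image removes the runtime dependency on package mirrors; if that is not an option, make the install best-effort, `which cgi-fcgi > /dev/null || (apt-get update && apt-get install -y libfcgi-bin) || echo "warning: cgi-fcgi unavailable, app healthcheck will fail" >&2`, accepting that the `app` healthcheck in compose.yml then reports unhealthy until the binary is present. The `/entrypoint.sh php-fpm` line that follows is unchanged.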
@@ -0,0 +1,57 @@
+
+## FPM Tune
+
+The fpm-tune.ini settings are now configurable by `.env`. Please add this to your servers configs:
+
+```
+# fpm-tune, see: https://spot13.com/pmcalculator/
+FPM_MAX_CHILDREN=131
+FPM_START_SERVERS=32
+FPM_MIN_SPARE_SERVERS=32
+FPM_MAX_SPARE_SERVERS=98
+```
+
+## SMTP
+
+Add SMTP Config to your .env file:
+
+```
+# COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+# See https://github.com/nextcloud/docker#auto-configuration-via-environment-variables for default values
+# SMTP_AUTHTYPE=
+# SMTP_HOST=
+# SMTP_SECURE=
+# SMTP_NAME=
+# SMTP_PORT=
+# MAIL_FROM_ADDRESS=
+# MAIL_DOMAIN=
+# SECRET_SMTP_PASSWORD_VERSION=v1
+abra app secret insert example.com smtp_password v1 example_password
+```
+
+
+## Post Deploy Commands
+
+Some Apps can also be managed with abra app cmd!
+
+```
+# COMPOSE_FILE="$COMPOSE_FILE:compose.apps.yml"
+# APPS="calendar sociallogin onlyoffice"
+abra app cmd example.com app install_apps
+# ONLYOFFICE_URL=https://onlyoffice.example.com
+# SECRET_ONLYOFFICE_JWT_VERSION=v1
+abra app secret insert example.com onlyoffice_jwt v1 example_password
+abra app cmd example.com app install_onlyoffice
+# BBB_URL=https://talk.example.org/bigbluebutton/ # trailing slash!
+# SECRET_BBB_SECRET_VERSION=v1
+abra app secret insert example.com bbb_secret v1 example_password
+abra app cmd example.com app install_bbb
+```
+
+## Set Quota
+
+```
+# DEFAULT_QUOTA="10 GB"
+abra app cmd example.com app set_default_quota
+```
+
diff --git a/release/3.2.0+25.0.4-fpm b/release/3.2.0+25.0.4-fpm
new file mode 100644
index 0000000..c5080c8
--- /dev/null
+++ b/release/3.2.0+25.0.4-fpm
@@ -0,0 +1,11 @@
+If the authentik configuration should be handled by abra add the following to the env:
+
+ COMPOSE_FILE="$COMPOSE_FILE:compose.authentik.yml"
+ AUTHENTIK_USER_PREFIX=authentik
+ AUTHENTIK_DOMAIN=authentik.example.com
+ AUTHENTIK_SECRET_NAME=authentik_example_com_nextcloud_secret_v1 # the same as in authentik
+ AUTHENTIK_ID_NAME=authentik_example_com_nextcloud_id_v1 # the same as in authentik
+
+And run:
+
+ abra app cmd app set_authentik
diff --git a/release/next b/release/next
new file mode 100644
index 0000000..ee32142
--- /dev/null
+++ b/release/next
@@ -0,0 +1 @@
+The authentik secrets need to be inserted again, as nextcloud is not sharing the secret with authentik any more.