diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index 0ddd721..3c80e4c 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md @@ -2,6 +2,18 @@ ## First Run Setup +### Add Configuration For NGINX + +nginx.conf and mime.types to be put in the Configuration/NGINX directory. + +Included nginx.conf has only a few minor tweaks from the one located here: + +https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx + +??? Template 1.conf is WITHOUT Collabora + +??? Template 2.conf is WITH Collabora + ### Add Your Domain as a Trusted Domain [Official Documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/installation_wizard.html#trusted-domains) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 4c16d3b..93ae21a 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -1,43 +1,57 @@ version: '2' services: + {{- if eq .Values.COLLABORA "true"}} + collabora: + image: collabora/code:latest + cap_add: + - MKNOD # Ability to create special files (https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) + dns: # Using Cloudflare DNS + - 1.1.1.1 + - 1.0.0.1 + environment: + domain: collabora.${TRAEFIK_HOST} + expose: + - "9980" + labels: + io.rancher.container.pull_image: always + {{- if .Values.HOST_LABEL}} + io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} + {{- end}} + traefik.enable: true + ### Start Web Segment + traefik.frontend.entryPoints: http,https + traefik.frontend.headers.forceSTSHeader: true + traefik.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information) + traefik.frontend.headers.SSLRedirect: true + traefik.frontend.headers.STSPreload: true + traefik.frontend.headers.STSSeconds: 15552000 + traefik.frontend.rule: Host:collabora.${TRAEFIK_HOST} + traefik.port: "9980" + ### End Web Segment + networks: + - public-proxy + restart: on-failure + {{- end}} nextcloud: - image: nextcloud:fpm-alpine + image: nextcloud:stable-apache dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 environment: MYSQL_HOST: mysql - MYSQL_DATABASE: nextcloud + MYSQL_DATABASE: nextcloud_db MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} NEXTCLOUD_ADMIN_USER: ${NC_ADMIN} NEXTCLOUD_ADMIN_PASSWORD: ${NC_ADMIN_PASS} expose: - "80" - - "9000" labels: io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - networks: - - public-proxy - restart: on-failure - volumes_from: - - nginx - nginx: - image: nginx:latest # Can't use ":alpine" until I have a way to get the "www-data" user added automatically. 
(Project for another time) - dns: # Using Cloudflare DNS - - 1.1.1.1 - - 1.0.0.1 - labels: - io.rancher.container.pull_image: always - {{- if .Values.HOST_LABEL}} - io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} - {{- end}} - io.rancher.sidekicks: nextcloud - {{- if .Values.TRAEFIK_HOST}} traefik.enable: true ### Start Web Segment traefik.frontend.entryPoints: http,https @@ -49,12 +63,11 @@ services: traefik.frontend.rule: Host:${TRAEFIK_HOST} traefik.port: "80" ### End Web Segment - {{- else}} - traefik.enable: false - {{- end}} links: + {{- if eq .Values.COLLABORA "true"}} + - collabora + {{- end}} - mysql - - nextcloud {{- if eq .Values.REDIS "true"}} - redis {{- end}} @@ -68,18 +81,17 @@ services: volumes: - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files - - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files + - /RancherCattle/${DATA_DIR}/Configuration:/var/www/html/config # Nextcloud configuration files - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: - image: mysql:5 + image: mysql:latest dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 environment: - MYSQL_DATABASE: nextcloud # Will rename this to "nextcloud_db" in the future. + MYSQL_DATABASE: nextcloud_db MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASS} MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} @@ -115,6 +127,6 @@ services: networks: db-admin: - external: true # Created by phpMyAdmin stack + external: true # Created by Adminer or phpMyAdmin stack public-proxy: external: true # Created by Traefik stack \ No newline at end of file 
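Review bot: The new collabora service sets `domain: collabora.${TRAEFIK_HOST}`, but in the collabora/code image `domain` is the allow-list regex of WOPI hosts (the Nextcloud hostname) permitted to use the server, not Collabora's own hostname, so with this value the Nextcloud instance at ${TRAEFIK_HOST} would be refused. The intended value is the Nextcloud host with regex dots escaped, roughly `domain: ${TRAEFIK_HOST}` — confirm how Rancher interpolation passes backslashes before adding them. That image also serves TLS itself on 9980 by default; since the Traefik frontend here terminates TLS and forwards to `traefik.port: "9980"`, it likely needs `extra_params: --o:ssl.enable=false --o:ssl.termination=true` in `environment`, which is worth checking in a test deployment. Separately, removing the `{{- if .Values.TRAEFIK_HOST}}` guard (and its `{{- else}} traefik.enable: false` branch in the next hunk) makes `traefik.frontend.rule: Host:${TRAEFIK_HOST}` unconditional, so an empty TRAEFIK_HOST now yields a broken rule unless rancher-compose.yml marks that variable required.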
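Review bot: `image: mysql:latest` replaces the `mysql:5` pin with a floating tag, and the other services in this file pull on every start (`io.rancher.container.pull_image: always`; presumably mysql carries the same label outside this hunk), so a routine restart could move the database across a major version with an unplanned on-disk upgrade — pin a major tag instead, `image: mysql:8.0`. For an already-initialised stack the `MYSQL_DATABASE: nextcloud_db` rename (here and in the nextcloud environment in the first hunk) is a no-op for MySQL, which creates that database only on an empty data directory, and Nextcloud keeps reading `dbname` from config.php, so existing installs stay on `nextcloud` while fresh ones get `nextcloud_db`; a README sentence stating which name to expect would avoid confusion when restoring or migrating. Likewise the config mount moves from `Configuration/Nextcloud` to `Configuration`, so an existing `config.php` has to be moved up one directory, and that directory will then also hold the `NGINX` subfolder the README still asks for, inside Nextcloud's config path.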
diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index 5158688..a8f40ea 100644 --- a/templates/Nextcloud/0/rancher-compose.yml +++ b/templates/Nextcloud/0/rancher-compose.yml @@ -66,10 +66,18 @@ catalog: required: true type: password + - variable: "COLLABORA" + label: "Enable Collabora" + description: | + Add a Collabora container for office document editing and live collaboration. Additional setup required, see README. + default: true + required: true + type: boolean + - variable: "REDIS" label: "Enable Redis" description: | - Add a Redis container for memory caching. Must be setup manually. + Add a Redis container for memory caching. Additional setup required, see README. default: true required: true type: boolean @@ -78,6 +86,6 @@ catalog: label: "Data Directory" description: | The directory to store persistent data for the stack. - default: "Personal-Experimental/Nextcloud" + default: "Personal/Nextcloud-Experimental" required: true type: string \ No newline at end of file diff --git a/templates/Nextcloud/Resources/README.md b/templates/Nextcloud/Resources/README.md deleted file mode 100644 index 1f24674..0000000 --- a/templates/Nextcloud/Resources/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Default Configured Files -nginx.conf and mime.types to be put in the Configuration/NGINX directory. - -Included nginx.conf has only a few minor tweaks from the one located here: -https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx \ No newline at end of file diff --git a/templates/Nextcloud/Resources/Template 1.conf b/templates/Nextcloud/Resources/Template 1.conf new file mode 100644 index 0000000..2c33275 --- /dev/null +++ b/templates/Nextcloud/Resources/Template 1.conf 
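Review bot: The new COLLABORA question defaults to `true` and its description says "Additional setup required, see README", but the README change in this commit only adds two `???` lines about Template 1.conf/2.conf and no Collabora steps (a DNS record for collabora.<host>, and pointing Nextcloud's Collabora Online integration at that URL). Either document those steps or use `default: false` so an unconfigured stack does not start an extra internet-facing service it cannot use. The `eq .Values.COLLABORA "true"` comparison in docker-compose.yml matches the existing REDIS pattern, so the boolean-as-string handling is at least consistent.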
@@ -0,0 +1,128 @@
+user www-data;
+worker_processes 4; ## Default: 1
+# worker_rlimit_nofile 8192;
+
+#error_log /var/log/nginx/error.log warn;
+#pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024; ## Default: 1024
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ #access_log /var/log/nginx/access.log main;
+ sendfile on;
+ tcp_nopush on;
+ #keepalive_timeout 65;
+
+ upstream php-handler {
+ server nextcloud:9000;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html/;
+
+ # Will test later
+ #error_page 403 /core/templates/403.php;
+ #error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ # set max upload size
+ client_max_body_size 1G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ # Mitigate https://httpoxy.org/ vulnerabilities:
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+ }
+}
\ No newline at end of file
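Review bot: Template 1.conf and Template 2.conf are added with the same blob id (`index 0000000..2c33275` on both file headers), so they are byte-identical and the README's line that Template 2.conf is the Collabora variant is not true yet; until Template 2.conf actually differs (proxy locations for Collabora's discovery and websocket endpoints), shipping one file avoids a misleading copy. Both also keep `upstream php-handler { server nextcloud:9000; }`, while docker-compose.yml in this same commit switches nextcloud to `nextcloud:stable-apache` and drops `"9000"` from `expose`, so nothing in the stack can consume these templates as committed. A header comment stating what they are for, e.g. `# For a separate nginx + php-fpm deployment only; the bundled stack uses the Apache image and does not mount this file`, would stop someone from mounting them into the Configuration/NGINX path the README still describes. The spaces in the filenames are also worth reconsidering, since the README and any mount path have to quote them.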
diff --git a/templates/Nextcloud/Resources/Template 2.conf b/templates/Nextcloud/Resources/Template 2.conf
new file mode 100644
index 0000000..2c33275
--- /dev/null
+++ b/templates/Nextcloud/Resources/Template 2.conf
@@ -0,0 +1,128 @@
+user www-data;
+worker_processes 4; ## Default: 1
+# worker_rlimit_nofile 8192;
+
+#error_log /var/log/nginx/error.log warn;
+#pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024; ## Default: 1024
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ #access_log /var/log/nginx/access.log main;
+ sendfile on;
+ tcp_nopush on;
+ #keepalive_timeout 65;
+
+ upstream php-handler {
+ server nextcloud:9000;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html/;
+
+ # Will test later
+ #error_page 403 /core/templates/403.php;
+ #error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ # set max upload size
+ client_max_body_size 1G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ # Mitigate https://httpoxy.org/ vulnerabilities:
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+ }
+}
\ No newline at end of file
diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf
deleted file mode 100644
index b7dcd16..0000000
--- a/templates/Nextcloud/Resources/nginx.conf
+++ /dev/null
@@ -1,119 +0,0 @@
-user www-data;
-worker_processes 4; ## Default: 1
-# worker_rlimit_nofile 8192;
-
-#error_log /var/log/nginx/error.log warn;
-#pid /var/run/nginx.pid;
-
-events {
- worker_connections 1024; ## Default: 1024
-}
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-# access_log /var/log/nginx/access.log main;
- sendfile on;
- tcp_nopush on;
-# keepalive_timeout 65;
- upstream php-handler {
- server nextcloud:9000;
- }
- server {
- listen 80;
- server_name _;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root /var/www/html/;
-
-
- # set max upload size
- client_max_body_size 1G; # Previous: "512M"
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- # Add headers to serve security related headers
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
-# Will test later
-# error_page 403 /core/templates/403.php;
-# error_page 404 /core/templates/404.php;
-
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location / {
- rewrite ^ /index.php$request_uri;
- }
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
- deny all;
- }
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-
- # Mitigate https://httpoxy.org/ vulnerabilities
- fastcgi_param HTTP_PROXY "";
-
- fastcgi_pass php-handler;
- fastcgi_index index.php;
-
- # include the fastcgi_param setting
- include fastcgi_params;
-
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
- try_files $uri/ =404;
- index index.php;
- }
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- # Optional: Don't log access to assets
- access_log off;
- }
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
- }
-}
\ No newline at end of file