add new image

This commit is contained in:
Wonderfall 2021-04-25 18:23:11 +02:00
parent 810e1c4923
commit 5615286de5
15 changed files with 231 additions and 451 deletions

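--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,143 @@
+# -------------- Build-time variables --------------
+ARG NEXTCLOUD_VERSION=21.0.1
+ARG ALPINE_VERSION=3.13
+ARG PHP_VERSION=8.0.3
+ARG NGINX_VERSION=1.19.10
+ARG APCU_VERSION=5.1.20
+ARG REDIS_VERSION=5.3.4
+ARG HARDENED_MALLOC_VERSION=7
+ARG UID=1000
+ARG GID=1000
+# ---------------------------------------------------
+### Build PHP base
+FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
+ARG APCU_VERSION
+ARG REDIS_VERSION
+RUN apk --no-cache add -t build-deps \
+$PHPIZE_DEPS \
+freetype-dev \
+gmp-dev \
+icu-dev \
+libjpeg-turbo-dev \
+libpng-dev \
+libwebp-dev \
+libzip-dev \
+openldap-dev \
+postgresql-dev \
+zlib-dev \
+&& apk --no-cache add \
+freetype \
+gmp \
+icu \
+libjpeg \
+libpq \
+libpq \
+libwebp \
+libzip \
+openldap \
+zlib \
+&& docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp \
+&& docker-php-ext-configure ldap \
+&& docker-php-ext-install -j "$(nproc)" \
+bcmath \
+exif \
+gd \
+intl \
+ldap \
+opcache \
+pcntl \
+pdo_mysql \
+pdo_pgsql \
+zip \
+gmp \
+&& pecl install APCu-${APCU_VERSION} \
+&& pecl install redis-${REDIS_VERSION} \
+&& echo "extension=redis.so" > /usr/local/etc/php/conf.d/redis.ini \
+&& apk del build-deps
+### Build Hardened Malloc
+ARG ALPINE_VERSION
+FROM alpine:${ALPINE_VERSION} as build-malloc
+ARG HARDENED_MALLOC_VERSION
+RUN apk --no-cache add build-base && cd /tmp \
+&& wget -q https://github.com/GrapheneOS/hardened_malloc/archive/refs/tags/${HARDENED_MALLOC_VERSION}.tar.gz \
+&& mkdir hardened_malloc && tar xf ${HARDENED_MALLOC_VERSION}.tar.gz -C hardened_malloc --strip-components 1 \
+&& cd hardened_malloc && make
+### Fetch nginx
+FROM nginx:${NGINX_VERSION}-alpine as nginx
+### Build Nextcloud (production environemnt)
+FROM base as nextcloud
+COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
+COPY --from=nginx /etc/nginx /etc/nginx
+COPY --from=build-malloc /tmp/hardened_malloc/libhardened_malloc.so /usr/local/lib/
+ARG NEXTCLOUD_VERSION
+ARG GPG_nextcloud="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
+ARG UID
+ARG GID
+ENV UPLOAD_MAX_SIZE=10G \
+APC_SHM_SIZE=128M \
+OPCACHE_MEM_SIZE=128 \
+MEMORY_LIMIT=512M \
+CRON_PERIOD=5m \
+CRON_MEMORY_LIMIT=1g \
+DB_TYPE=sqlite3 \
+DOMAIN=localhost \
+LD_PRELOAD="/usr/local/lib/libhardened_malloc.so /usr/lib/preloadable_libiconv.so"
+RUN apk --no-cache add \
+gnupg \
+gnu-libiconv \
+pcre \
+s6 \
+&& NEXTCLOUD_TARBALL="nextcloud-${NEXTCLOUD_VERSION}.tar.bz2" && cd /tmp \
+&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL} \
+&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.sha512 \
+&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.asc \
+&& wget -q https://nextcloud.com/nextcloud.asc \
+&& echo "Verifying both integrity and authenticity of ${NEXTCLOUD_TARBALL}..." \
+&& CHECKSUM_STATE=$(echo -n $(sha512sum -c ${NEXTCLOUD_TARBALL}.sha512) | tail -c 2) \
+&& if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \
+&& gpg --import nextcloud.asc \
+&& FINGERPRINT="$(LANG=C gpg --verify ${NEXTCLOUD_TARBALL}.asc ${NEXTCLOUD_TARBALL} 2>&1 \
+| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
+&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
+&& if [ "${FINGERPRINT}" != "${GPG_nextcloud}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
+&& echo "All seems good, now unpacking ${NEXTCLOUD_TARBALL}..." \
+&& mkdir /nextcloud && tar xjf ${NEXTCLOUD_TARBALL} --strip 1 -C /nextcloud \
+&& apk del gnupg && rm -rf /tmp/* /root/.gnupg \
+&& adduser -g ${GID} -u ${UID} --disabled-password --gecos "" nextcloud \
+&& chown -R nextcloud:nextcloud /nextcloud
+COPY --chown=nextcloud:nextcloud rootfs /
+RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
+USER nextcloud
+WORKDIR /nextcloud
+VOLUME /nextcloud/data /nextcloud/config /nextcloud/apps2 /nextcloud/themes
+EXPOSE 8888
+LABEL description="A server software for creating file hosting services" \
+nextcloud="Nextcloud v${NEXTCLOUD_VERSION}" \
+maintainer="Wonderfall <wonderfall@targaryen.house>"
+CMD ["run.sh"]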
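Review bot: The hardened_malloc archive fetched with `wget` in the build-malloc stage is neither checksummed nor signature-checked, yet the resulting `libhardened_malloc.so` is copied into the final stage and loaded into every process through the `LD_PRELOAD` ENV, so a tampered download would run inside php-fpm, nginx and cron with nothing to flag it; the Nextcloud tarball in the same file gets both a sha512 and a GPG-fingerprint check. Declaring the expected digest next to the version, `ARG HARDENED_MALLOC_SHA256=<expected-sha256-placeholder>` (redeclared inside the stage like the other ARGs), and inserting `&& echo "${HARDENED_MALLOC_SHA256}  ${HARDENED_MALLOC_VERSION}.tar.gz" | sha256sum -c -` before the `tar xf` closes that gap. Smaller points in the same file: `libpq` is listed twice in the runtime `apk add`, the `ARG ALPINE_VERSION` placed after the base stage's RUN is a no-op because the following `FROM` resolves the global ARG declared at the top, and the final stage has no `HEALTHCHECK` although it runs a long-lived nginx/php-fpm pair.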


@ -1,76 +0,0 @@
FROM wonderfall/nginx-php:7.4
ARG NEXTCLOUD_VERSION=20.0.9
ARG GPG_nextcloud="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
ENV UID=991 GID=991 \
UPLOAD_MAX_SIZE=10G \
APC_SHM_SIZE=128M \
OPCACHE_MEM_SIZE=128 \
MEMORY_LIMIT=512M \
CRON_PERIOD=5m \
CRON_MEMORY_LIMIT=1g \
TZ=Etc/UTC \
DB_TYPE=sqlite3 \
DOMAIN=localhost
RUN apk -U upgrade \
&& apk add -t build-dependencies \
gnupg \
tar \
build-base \
autoconf \
automake \
pcre-dev \
libtool \
samba-dev \
imagemagick-dev \
&& apk add \
libressl \
ca-certificates \
libsmbclient \
tzdata \
imagemagick \
ffmpeg \
&& pecl install \
smbclient \
apcu \
redis \
imagick \
&& echo "extension=smbclient.so" > /php/conf.d/smbclient.ini \
&& echo "extension=redis.so" > /php/conf.d/redis.ini \
&& echo "extension=imagick.so" > /php/conf.d/imagick.ini \
&& mkdir /nextcloud \
&& cd /tmp \
&& NEXTCLOUD_TARBALL="nextcloud-${NEXTCLOUD_VERSION}.tar.bz2" \
&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL} \
&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.sha512 \
&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.asc \
&& wget -q https://nextcloud.com/nextcloud.asc \
&& echo "Verifying both integrity and authenticity of ${NEXTCLOUD_TARBALL}..." \
&& CHECKSUM_STATE=$(echo -n $(sha512sum -c ${NEXTCLOUD_TARBALL}.sha512) | tail -c 2) \
&& if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \
&& gpg --import nextcloud.asc \
&& FINGERPRINT="$(LANG=C gpg --verify ${NEXTCLOUD_TARBALL}.asc ${NEXTCLOUD_TARBALL} 2>&1 \
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
&& if [ "${FINGERPRINT}" != "${GPG_nextcloud}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
&& echo "All seems good, now unpacking ${NEXTCLOUD_TARBALL}..." \
&& tar xjf ${NEXTCLOUD_TARBALL} --strip 1 -C /nextcloud \
&& update-ca-certificates \
&& apk del build-dependencies \
&& rm -rf /var/cache/apk/* /tmp/* /root/.gnupg
COPY rootfs /
RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
VOLUME /data /config /apps2 /nextcloud/themes
EXPOSE 8888
LABEL description="A server software for creating file hosting services" \
nextcloud="Nextcloud v${NEXTCLOUD_VERSION}" \
maintainer="Wonderfall <wonderfall@targaryen.house>"
CMD ["run.sh"]


@ -1,72 +0,0 @@
FROM wonderfall/nginx-php:8.0
ARG NEXTCLOUD_VERSION=21.0.1
ARG GPG_nextcloud="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
ENV UID=991 GID=991 \
UPLOAD_MAX_SIZE=10G \
APC_SHM_SIZE=128M \
OPCACHE_MEM_SIZE=128 \
MEMORY_LIMIT=512M \
CRON_PERIOD=5m \
CRON_MEMORY_LIMIT=1g \
TZ=Etc/UTC \
DB_TYPE=sqlite3 \
DOMAIN=localhost
RUN apk -U upgrade \
&& apk add -t build-dependencies \
gnupg \
tar \
build-base \
autoconf \
automake \
pcre-dev \
libtool \
samba-dev \
&& apk add \
libressl \
ca-certificates \
libsmbclient \
tzdata \
ffmpeg \
&& pecl install \
smbclient \
apcu \
redis \
&& echo "extension=smbclient.so" > /php/conf.d/smbclient.ini \
&& echo "extension=redis.so" > /php/conf.d/redis.ini \
&& mkdir /nextcloud \
&& cd /tmp \
&& NEXTCLOUD_TARBALL="nextcloud-${NEXTCLOUD_VERSION}.tar.bz2" \
&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL} \
&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.sha512 \
&& wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.asc \
&& wget -q https://nextcloud.com/nextcloud.asc \
&& echo "Verifying both integrity and authenticity of ${NEXTCLOUD_TARBALL}..." \
&& CHECKSUM_STATE=$(echo -n $(sha512sum -c ${NEXTCLOUD_TARBALL}.sha512) | tail -c 2) \
&& if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \
&& gpg --import nextcloud.asc \
&& FINGERPRINT="$(LANG=C gpg --verify ${NEXTCLOUD_TARBALL}.asc ${NEXTCLOUD_TARBALL} 2>&1 \
| sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
&& if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
&& if [ "${FINGERPRINT}" != "${GPG_nextcloud}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
&& echo "All seems good, now unpacking ${NEXTCLOUD_TARBALL}..." \
&& tar xjf ${NEXTCLOUD_TARBALL} --strip 1 -C /nextcloud \
&& update-ca-certificates \
&& apk del build-dependencies \
&& rm -rf /var/cache/apk/* /tmp/* /root/.gnupg
COPY rootfs /
RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
VOLUME /data /config /apps2 /nextcloud/themes
EXPOSE 8888
LABEL description="A server software for creating file hosting services" \
nextcloud="Nextcloud v${NEXTCLOUD_VERSION}" \
maintainer="Wonderfall <wonderfall@targaryen.house>"
CMD ["run.sh"]

README.md

@ -1,207 +1,12 @@
## wonderfall/nextcloud # wonderfall/nextcloud
New version of my Nextcloud image, still in testing:
- Fetching PHP/nginx from their official images.
- Does not use any privilege at any time, even at startup.
- Much easier to maintain thanks to multi-stages build.
- Includes hardened_malloc, a hardened memory allocator.
- Does not include imagick, samba, etc. by default.
[![](https://images.microbadger.com/badges/version/wonderfall/nextcloud.svg)](http://microbadger.com/images/wonderfall/nextcloud "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/wonderfall/nextcloud.svg)](http://microbadger.com/images/wonderfall/nextcloud "Get your own image badge on microbadger.com") Goals: simple, lean, and secure.
**Made for my own use. Irregular updates! This image is eventually intended as a base for your own Docker image. I cannot be responsible if you're using outdated Docker images.** Be aware this image is not ready yet for production use. While it might work, please note a fresh install from the previous image is recommended. If you intend to migrate, please back up your data.
___
⚠️**DEPRECATED**: don't worry, I'll keep maintaing it for a while. This image was made years ago and needs some rework:
- For instance it uses `su-exec` to degrade privileges, which is fine as an attempt to get a *rootless running* image, but more secure ways to make sure *root* is never used should be preferred.
- As a consequence to that, a newer image should drop all the `chown` instructions at startup time: no more seconds of waiting, even minutes if you're using overlayfs as the storage driver (which is Docker's default). This was fine for flexibility, but users should really learn how to manage the permissions of their volumes.
- I made a base image (`wonderfall/nginx-php`) years ago when I estimated that the PHP packages from Alpine Linux were not reliable for this. I think this is no longer a requirement, and it's a pain to maintain two images instead of just one.
As I said, I'll keep "maintaining" it for now (I always thought of my images as being bases for your own images, really __don't run Docker images from random dudes__ like me from the Internet), but I'll eventually make a brand new image sometime soon. Meaning, you should be prepared to maintain or make your own image, or use the official one which is fine and regularly updated now.
Above all, take care and take security seriously. Thanks to everyone reading this!
___
⚠️ **HSTS is not enforced anymore as of 25/03/21:** please consider configuring your reverse proxy proprerly to do that. It didn't make sens in the first place to enforce my settings (which were outdated anyway), and I'm sorry for that. Also if you don't know what HSTS settings are right for you, I strongly advise reading [this](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
### Features
- Based on Alpine Linux.
- Bundled with nginx and PHP 8.0 (wonderfall/nginx-php image).
- Automatic installation using environment variables.
- Package integrity (SHA512) and authenticity (PGP) checked during building process.
- Data and apps persistence.
- OPCache (opcocde), APCu (local) installed and configured.
- system cron task running.
- MySQL, PostgreSQL (server not built-in) and sqlite3 support.
- Redis, FTP, SMB, LDAP, IMAP support.
- GNU Libiconv for php iconv extension (avoiding errors with some apps).
- No **running** root processes **except on start** (reducing privileges afterwards).
- Environment variables provided (see below).
### Security
As many images from the time it was first made, this image follows the principle of degrading privileges. It runs first as root to ensure permissions are set correctly and then only makes use of the UID/GID of your choice. While I agree it's not perfect (due to Linux insecurity), it seemed the best security/comfort balance at the time and it'll remain so for a while.
### Tags
- **latest** : latest stable version.
- **21.0** : latest 21.0.x version (stable, recommended)
- **20.0** : latest 20.0.x version (old stable)
Since this project should suit my needs, I'll only maintain the latest stable version available.
### Build-time variables
- **NEXTCLOUD_VERSION** : version of nextcloud
- **GPG_nextcloud** : signing key fingerprint
### Environment variables
- **UID** : nextcloud user id *(default : 991)*
- **GID** : nextcloud group id *(default : 991)*
- **UPLOAD_MAX_SIZE** : maximum upload size *(default : 10G)*
- **APC_SHM_SIZE** : apc memory size *(default : 128M)*
- **OPCACHE_MEM_SIZE** : opcache memory size in megabytes *(default : 128)*
- **MEMORY_LIMIT** : php memory limit *(default : 512M)*
- **CRON_PERIOD** : time interval between two cron tasks *(default : 15m)*
- **CRON_MEMORY_LIMIT** : memory limit for PHP when executing cronjobs *(default : 1024m)*
- **TZ** : the system/log timezone *(default : Etc/UTC)*
- **ADMIN_USER** : username of the admin account *(default : none, web configuration)*
- **ADMIN_PASSWORD** : password of the admin account *(default : none, web configuration)*
- **DOMAIN** : domain to use during the setup *(default : localhost)*
- **DB_TYPE** : database type (sqlite3, mysql or pgsql) *(default : sqlite3)*
- **DB_NAME** : name of database *(default : none)*
- **DB_USER** : username for database *(default : none)*
- **DB_PASSWORD** : password for database user *(default : none)*
- **DB_HOST** : database host *(default : none)*
Don't forget to use a **strong password** for the admin account!
### Port
- **8888** : HTTP Nextcloud port.
### Volumes
- **/data** : Nextcloud data.
- **/config** : config.php location.
- **/apps2** : Nextcloud downloaded apps.
- **/nextcloud/themes** : Nextcloud themes location.
- **/php/session** : php session files.
### Database
Basically, you can use a database instance running on the host or any other machine. An easier solution is to use an external database container. I suggest you to use MariaDB, which is a reliable database server. You can use the official `mariadb` image available on Docker Hub to create a database container, which must be linked to the Nextcloud container. PostgreSQL can also be used as well.
### Setup
Pull the image and create a container. `/docker` can be anywhere on your host, this is just an example. Change `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` values (mariadb). You may also want to change UID and GID for Nextcloud, as well as other variables (see *Environment Variables*).
```
docker pull wonderfall/nextcloud && docker pull mariadb
docker run -d --name db_nextcloud \
-v /docker/nextcloud/db:/var/lib/mysql \
-e MYSQL_ROOT_PASSWORD=supersecretpassword \
-e MYSQL_DATABASE=nextcloud -e MYSQL_USER=nextcloud \
-e MYSQL_PASSWORD=supersecretpassword \
mariadb:10
docker run -d --name nextcloud \
--link db_nextcloud:db_nextcloud \
-v /docker/nextcloud/data:/data \
-v /docker/nextcloud/config:/config \
-v /docker/nextcloud/apps:/apps2 \
-v /docker/nextcloud/themes:/nextcloud/themes \
-e UID=1000 -e GID=1000 \
-e UPLOAD_MAX_SIZE=10G \
-e APC_SHM_SIZE=128M \
-e OPCACHE_MEM_SIZE=128 \
-e CRON_PERIOD=15m \
-e TZ=Etc/UTC \
-e ADMIN_USER=mrrobot \
-e ADMIN_PASSWORD=supercomplicatedpassword \
-e DOMAIN=cloud.example.com \
-e DB_TYPE=mysql \
-e DB_NAME=nextcloud \
-e DB_USER=nextcloud \
-e DB_PASSWORD=supersecretpassword \
-e DB_HOST=db_nextcloud \
wonderfall/nextcloud
```
You are **not obliged** to use `ADMIN_USER` and `ADMIN_PASSWORD`. If these variables are not provided, you'll be able to configure your admin acccount from your browser.
### Configure
In the admin panel, you should switch from `AJAX cron` to `cron` (system cron).
### Update
Pull a newer image, then recreate the container as you did before (*Setup* step). None of your data will be lost since you're using external volumes. If Nextcloud performed a full upgrade, your apps could be disabled, enable them again **(starting with 12.0.x, your apps are automatically enabled after an upgrade)**.
### Docker-compose
I advise you to use [docker-compose](https://docs.docker.com/compose/), which is a great tool for managing containers. You can create a `docker-compose.yml` with the following content (which must be adapted to your needs) and then run `docker-compose up -d nextcloud-db`, wait some 15 seconds for the database to come up, then run everything with `docker-compose up -d`, that's it! On subsequent runs, a single `docker-compose up -d` is sufficient!
#### Docker-compose file
Don't copy/paste without thinking! It is a model so you can see how to do it correctly.
```
version: '3'
networks:
nextcloud_network:
external: false
services:
nextcloud:
image: wonderfall/nextcloud
depends_on:
- nextcloud-db # If using MySQL
- redis # If using Redis
environment:
- UID=1000
- GID=1000
- UPLOAD_MAX_SIZE=10G
- APC_SHM_SIZE=128M
- OPCACHE_MEM_SIZE=128
- CRON_PERIOD=15m
- TZ=Europe/Berlin
- DOMAIN=localhost
- DB_TYPE=mysql
- DB_NAME=nextcloud
- DB_USER=nextcloud
- DB_PASSWORD=supersecretpassword
- DB_HOST=nextcloud-db
volumes:
- /docker/nextcloud/data:/data
- /docker/nextcloud/config:/config
- /docker/nextcloud/apps:/apps2
- /docker/nextcloud/themes:/nextcloud/themes
networks:
- nextcloud_network
# If using MySQL
nextcloud-db:
image: mariadb
volumes:
- /docker/nextcloud/db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=supersecretpassword
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD=supersecretpassword
networks:
- nextcloud_network
# If using Redis
redis:
image: redis:alpine
container_name: redis
volumes:
- /docker/nextcloud/redis:/data
networks:
- nextcloud_network
```
You can update everything with `docker-compose pull` followed by `docker-compose up -d`.
### How to configure Redis
Redis can be used for distributed and file locking cache, alongside with APCu (local cache), thus making Nextcloud even more faster. As PHP redis extension is already included, all you have to is to deploy a redis server (you can do as above with docker-compose) and bind it to nextcloud in your config.php file :
```
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\APCu',
'redis' => array(
'host' => 'redis',
'port' => 6379,
 ),
```
### Tip : how to use occ command
There is a script for that, so you shouldn't bother to log into the container, set the right permissions, and so on. Just use `docker exec -ti nexcloud occ command`.


@ -1,24 +0,0 @@
---
version: '3'
# This instance is using SQLite3 as database backend.
# Please consider using a proper database like MariaDB or PostgreSQL
# if you want to use this productive.
services:
nextcloud:
image: wonderfall/nextcloud
build:
context: .
dockerfile: Dockerfile.18.0
environment:
- UID=1000
- GID=1000
- ADMIN_USER=mrrobot
- ADMIN_PASSWORD=supercomplicatedpassword
- DB_TYPE=sqlite
volumes:
- ./data:/data
- ./config:/config
- ./apps:/apps2
ports:
- 8888:8888


@ -50,7 +50,7 @@ server {
} }
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
include /nginx/conf/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$; fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_INFO $fastcgi_path_info;


@ -0,0 +1,31 @@
worker_processes auto;
pid /nginx/run/nginx.pid;
daemon off;
events {
worker_connections 2048;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /nginx/logs/access.log combined;
error_log /nginx/logs/error.log error;
client_max_body_size <UPLOAD_MAX_SIZE>;
aio threads;
sendfile on;
keepalive_timeout 15;
keepalive_disable msie6;
keepalive_requests 100;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
gzip off;
include /etc/nginx/conf.d/*.conf;
}
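Review bot: `client_max_body_size <UPLOAD_MAX_SIZE>;` is a template placeholder rather than valid nginx syntax, and nothing in the file says who fills it in; the run.sh in this same commit does it with `sed -i` on `/etc/nginx/nginx.conf` at container start, which only works because the file is owned by the unprivileged user the container now runs as. A comment above the directive, `# <UPLOAD_MAX_SIZE> is replaced by /usr/local/bin/run.sh at container start; nginx -t on the raw file will fail`, would save the next maintainer from testing the unsubstituted config. The `pid` and log paths under `/nginx/` presumably come from rootfs with matching ownership — worth confirming, since nginx no longer has a root phase in which to create them.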


@ -0,0 +1,2 @@
#!/bin/sh
exec nginx

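--- a/rootfs/etc/s6.d/php/run
+++ b/rootfs/etc/s6.d/php/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec php-fpm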


@ -1,2 +1,2 @@
#!/bin/sh #!/bin/sh
su-exec $UID:$GID php -d memory_limit=<MEMORY_LIMIT> -f /nextcloud/occ "$@" php -d memory_limit=<MEMORY_LIMIT> -f /nextcloud/occ "$@"


@ -1,50 +1,21 @@
#!/bin/sh #!/bin/sh
sed -i -e "s/<APC_SHM_SIZE>/$APC_SHM_SIZE/g" /php/conf.d/apcu.ini \ # Apply environment variables settings
-e "s/<OPCACHE_MEM_SIZE>/$OPCACHE_MEM_SIZE/g" /php/conf.d/opcache.ini \ sed -i -e "s/<APC_SHM_SIZE>/$APC_SHM_SIZE/g" /usr/local/etc/php/conf.d/apcu.ini \
-e "s/<OPCACHE_MEM_SIZE>/$OPCACHE_MEM_SIZE/g" /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini \
-e "s/<CRON_MEMORY_LIMIT>/$CRON_MEMORY_LIMIT/g" /etc/s6.d/cron/run \ -e "s/<CRON_MEMORY_LIMIT>/$CRON_MEMORY_LIMIT/g" /etc/s6.d/cron/run \
-e "s/<CRON_PERIOD>/$CRON_PERIOD/g" /etc/s6.d/cron/run \ -e "s/<CRON_PERIOD>/$CRON_PERIOD/g" /etc/s6.d/cron/run \
-e "s/<MEMORY_LIMIT>/$MEMORY_LIMIT/g" /usr/local/bin/occ \ -e "s/<MEMORY_LIMIT>/$MEMORY_LIMIT/g" /usr/local/bin/occ \
-e "s/<UPLOAD_MAX_SIZE>/$UPLOAD_MAX_SIZE/g" /nginx/conf/nginx.conf /php/etc/php-fpm.conf \ -e "s/<UPLOAD_MAX_SIZE>/$UPLOAD_MAX_SIZE/g" /etc/nginx/nginx.conf /usr/local/etc/php-fpm.conf \
-e "s/<MEMORY_LIMIT>/$MEMORY_LIMIT/g" /php/etc/php-fpm.conf -e "s/<MEMORY_LIMIT>/$MEMORY_LIMIT/g" /usr/local/etc/php-fpm.conf
# Put the configuration and apps into volumes # If new install, run setup
ln -sf /config/config.php /nextcloud/config/config.php &>/dev/null if [ ! -f /nextcloud/config/config.php ]; then
ln -sf /apps2 /nextcloud &>/dev/null touch /nextcloud/config/CAN_INSTALL
chown -h $UID:$GID /nextcloud/config/config.php /nextcloud/apps2
# Create folder for php sessions if not exists
if [ ! -d /data/session ]; then
mkdir -p /data/session;
fi
echo "Updating permissions..."
for dir in /nextcloud /data /config /apps2 /var/log /php /nginx /tmp /etc/s6.d; do
if $(find $dir ! -user $UID -o ! -group $GID|egrep '.' -q); then
echo "Updating permissions in $dir..."
chown -R $UID:$GID $dir
else
echo "Permissions in $dir are correct."
fi
done
echo "Done updating permissions."
echo "Check for UserId ${UID}"
grep ":${UID}:" /etc/passwd 1>/dev/null 2>&1
ERRORCODE=$?
if [ $ERRORCODE -ne 0 ]; then
echo "Creating user nextcloud with UID=${UID} and GID=${GID}"
/usr/sbin/adduser -g ${GID} -u ${UID} --disabled-password --gecos "" nextcloud
else
echo "An existing user with UID=${UID} was found, nothing to do"
fi
if [ ! -f /config/config.php ]; then
# New installation, run the setup
/usr/local/bin/setup.sh /usr/local/bin/setup.sh
else else
occ upgrade occ upgrade
fi fi
exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d # Run processes
exec /bin/s6-svscan /etc/s6.d
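Review bot: The rewritten script still has no `set -e`, so if `/usr/local/bin/setup.sh` or `occ upgrade` fails it falls through to `exec /bin/s6-svscan /etc/s6.d` and serves a half-configured instance; adding `set -e` after the shebang (or `|| exit 1` on those two calls) turns a failed first run into a visible container exit instead. The `touch /nextcloud/config/CAN_INSTALL` marker is created here and never removed; unless the installer or setup.sh deletes it (not visible in this hunk), it is worth removing after setup returns so the web installer cannot be re-triggered later. Note also that with the `su-exec` step gone every `sed -i` here runs as the service user, which relies on rootfs having been copied with `--chown` for that user and means the web-facing account owns its own startup scripts.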


@ -1,11 +1,6 @@
#!/bin/sh #!/bin/sh
# Nextcloud
##########################
#source setup/functions.sh # load our functions
#source /etc/mailinabox.conf # load global vars
CONFIGFILE=/config/config.php
CONFIGFILE=/nextcloud/config/config.php
# Create an initial configuration file. # Create an initial configuration file.
instanceid=oc$(openssl rand -hex 6 | head -c 10) instanceid=oc$(openssl rand -hex 6 | head -c 10)
@ -13,7 +8,7 @@ instanceid=oc$(openssl rand -hex 6 | head -c 10)
cat > $CONFIGFILE <<EOF; cat > $CONFIGFILE <<EOF;
<?php <?php
\$CONFIG = array ( \$CONFIG = array (
'datadirectory' => '/data', 'datadirectory' => '/nextcloud/data',
"apps_paths" => array ( "apps_paths" => array (
0 => array ( 0 => array (
@ -22,7 +17,7 @@ cat > $CONFIGFILE <<EOF;
"writable" => false, "writable" => false,
), ),
1 => array ( 1 => array (
"path" => "/apps2", "path" => "/nextcloud/apps2",
"url" => "/apps2", "url" => "/apps2",
"writable" => true, "writable" => true,
), ),
@ -36,14 +31,12 @@ cat > $CONFIGFILE <<EOF;
EOF EOF
# Create an auto-configuration file to fill in database settings # Create an auto-configuration file to fill in database settings
# when the install script is run. Make an administrator account
# here or else the install can't finish.
adminpassword=$(dd if=/dev/urandom bs=1 count=40 2>/dev/null | sha1sum | fold -w 30 | head -n 1) adminpassword=$(dd if=/dev/urandom bs=1 count=40 2>/dev/null | sha1sum | fold -w 30 | head -n 1)
cat > /nextcloud/config/autoconfig.php <<EOF; cat > /nextcloud/config/autoconfig.php <<EOF;
<?php <?php
\$AUTOCONFIG = array ( \$AUTOCONFIG = array (
# storage/database # storage/database
'directory' => '/data', 'directory' => '/nextcloud/data',
'dbtype' => '${DB_TYPE:-sqlite3}', 'dbtype' => '${DB_TYPE:-sqlite3}',
'dbname' => '${DB_NAME:-nextcloud}', 'dbname' => '${DB_NAME:-nextcloud}',
'dbuser' => '${DB_USER:-nextcloud}', 'dbuser' => '${DB_USER:-nextcloud}',
@ -53,8 +46,6 @@ cat > /nextcloud/config/autoconfig.php <<EOF;
EOF EOF
if [[ ! -z "$ADMIN_USER" ]]; then if [[ ! -z "$ADMIN_USER" ]]; then
cat >> /nextcloud/config/autoconfig.php <<EOF; cat >> /nextcloud/config/autoconfig.php <<EOF;
# create an administrator account with a random password so that
# the user does not have to enter anything on first load of ownCloud
'adminlogin' => '${ADMIN_USER}', 'adminlogin' => '${ADMIN_USER}',
'adminpass' => '${ADMIN_PASSWORD}', 'adminpass' => '${ADMIN_PASSWORD}',
EOF EOF
@ -65,26 +56,15 @@ cat >> /nextcloud/config/autoconfig.php <<EOF;
EOF EOF
echo "Starting automatic configuration..." echo "Starting automatic configuration..."
# Execute ownCloud's setup step, which creates the ownCloud database. # Execute setup
# It also wipes it if it exists. And it updates config.php with database (cd /nextcloud; php index.php)
# settings and deletes the autoconfig.php file.
(cd /nextcloud; php index.php &>/dev/null)
echo "Automatic configuration finished." echo "Automatic configuration finished."
# Update config.php. # Update config.php
# * trusted_domains is reset to localhost by autoconfig starting with ownCloud 8.1.1,
# so set it here. It also can change if the box's PRIMARY_HOSTNAME changes, so
# this will make sure it has the right value.
# * Some settings weren't included in previous versions of Mail-in-a-Box.
# * We need to set the timezone to the system timezone to allow fail2ban to ban
# users within the proper timeframe
# * We need to set the logdateformat to something that will work correctly with fail2ban
# Use PHP to read the settings file, modify it, and write out the new settings array.
CONFIG_TEMP=$(/bin/mktemp) CONFIG_TEMP=$(/bin/mktemp)
php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $CONFIGFILE php <<EOF > $CONFIG_TEMP && mv $CONFIG_TEMP $CONFIGFILE
<?php <?php
include("/config/config.php"); include($CONFIGFILE);
//\$CONFIG['memcache.local'] = '\\OC\\Memcache\\Memcached'; //\$CONFIG['memcache.local'] = '\\OC\\Memcache\\Memcached';
\$CONFIG['mail_from_address'] = 'administrator'; # just the local part, matches our master administrator address \$CONFIG['mail_from_address'] = 'administrator'; # just the local part, matches our master administrator address
@ -98,13 +78,9 @@ echo ";";
?> ?>
EOF EOF
sed -i "s/localhost/$DOMAIN/g" /config/config.php sed -i "s/localhost/$DOMAIN/g" $CONFIGFILE
chown -R $UID:$GID /config /data # Setup is finished, no need for first run wizard
# Enable/disable apps. Note that this must be done after the ownCloud setup.
# The firstrunwizard gave Josh all sorts of problems, so disabling that.
# user_external is what allows ownCloud to use IMAP for login. The contacts
# and calendar apps are the extensions we really care about here.
if [[ ! -z "$ADMIN_USER" ]]; then if [[ ! -z "$ADMIN_USER" ]]; then
occ app:disable firstrunwizard occ app:disable firstrunwizard
fi fi
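Review bot: `sed -i "s/localhost/$DOMAIN/g" $CONFIGFILE` rewrites every occurrence of `localhost` in the generated config.php, not only the trusted_domains entry, and interpolates `$DOMAIN` unescaped into the sed expression, so a value containing `/` or `&` corrupts the file. Since `occ` is already invoked two lines later, `occ config:system:set trusted_domains 0 --value="$DOMAIN"` sets the intended key (index 0 is the entry the installer fills with localhost) without touching the rest of the file. The `'adminlogin' => '${ADMIN_USER}'` and `'adminpass' => '${ADMIN_PASSWORD}'` lines are likewise raw interpolation into PHP source, but they are unchanged context here. The remainder of the script lies outside this hunk, so I cannot see whether autoconfig.php is removed once setup finishes.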


@ -0,0 +1,22 @@
[global]
daemonize = no
error_log = /php/logs/error.log
[www]
listen = /php/run/php-fpm.sock
pm = dynamic
pm.max_children = 25
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 498
chdir = /
request_terminate_timeout = 0
env[PATH] = /usr/local/bin:/usr/bin:/bin
php_admin_value[post_max_size] = <UPLOAD_MAX_SIZE>
php_admin_value[upload_max_filesize] = <UPLOAD_MAX_SIZE>
php_admin_value[max_execution_time] = 10800
php_admin_value[max_input_time] = 3600
php_admin_value[expose_php] = Off
php_admin_value[memory_limit] = <MEMORY_LIMIT>
php_admin_value[session.save_path] = "/php/session"
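Review bot: `<UPLOAD_MAX_SIZE>` and `<MEMORY_LIMIT>` are placeholders that php-fpm cannot parse as written; run.sh in this commit substitutes them with `sed -i` on `/usr/local/etc/php-fpm.conf` at start, and a header comment such as `; placeholders in <...> are filled in by /usr/local/bin/run.sh at container start` would document that contract in the file itself. `request_terminate_timeout = 0` together with `max_execution_time = 10800` lets a single request hold one of the 25 workers for up to three hours, which is presumably intended for large uploads but deserves a comment since it bounds how few stuck requests exhaust the pool. The socket at `/php/run/php-fpm.sock` is created with php-fpm's default 0660 mode and owner, which works only because nginx and php-fpm run as the same user here; an explicit `listen.mode = 0660` line would make that assumption visible.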