Update README.md

This commit is contained in:
Wonderfall 2021-06-04 23:02:24 +02:00 committed by GitHub
parent e2dc947989
commit 7cab792c26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -9,15 +9,18 @@ This non-official image is intended as an **all-in-one** (as in monolithic) Next
## Security ## Security
Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself. Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself.
Images are scanned every day by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. They are rebuilt once a week, so you should often update your images regardless of your Nextcloud version. Images are scanned every day by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Latest tag/version is automatically built weekly, so you should often update your images regardless if you're already using the latest Nextcloud version.
## Features ## Features
- Fetching PHP/nginx from their official images. - Fetching PHP/nginx from their official images.
- Does not use any privilege at any time, even at startup. - **Rootless**: no privilege at any time, even at startup.
- Includes **hardened_malloc**, a hardened memory allocator.
- Includes a simple **built-in cron** system.
- Much easier to maintain thanks to multi-stages build. - Much easier to maintain thanks to multi-stages build.
- Includes hardened_malloc, a hardened memory allocator.
- Does not include imagick, samba, etc. by default. - Does not include imagick, samba, etc. by default.
You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs.
## Tags ## Tags
- `latest` : latest Nextcloud version - `latest` : latest Nextcloud version
- `x` : latest Nextcloud x.x (e.g. `21`) - `x` : latest Nextcloud x.x (e.g. `21`)
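Review bot: the rewritten scan/rebuild sentence narrows the rebuild guarantee from "they are rebuilt once a week" (all images) to "Latest tag/version is automatically built weekly", but the Tags section right below documents major-version tags such as `21` that users are expected to pin to; if only `latest` is rebuilt, those pinned images stop receiving the OS-level fixes the daily Trivy scan is meant to surface, and the README should say so plainly (or state that every published tag is rebuilt). The phrase "regardless if you're already using" should read "regardless of whether you're already using". In the feature list, "multi-stages build" should be "multi-stage build", and the new "**Rootless**: no privilege at any time, even at startup" bullet would be more useful with the concrete detail already given elsewhere in the README, namely that the container runs as UID/GID 1000 by default.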
@ -36,10 +39,11 @@ Only the **latest stable version** will be maintained by myself.
| **APCU_VERSION** | version of APCu (php ext) | | **APCU_VERSION** | version of APCu (php ext) |
| **REDIS_VERSION** | version of redis (php ext) | | **REDIS_VERSION** | version of redis (php ext) |
| **HARDENED_MALLOC_VERSION** | version of hardened_malloc | | **HARDENED_MALLOC_VERSION** | version of hardened_malloc |
| **CONFIG_NATIVE** | native code for hmalloc |
| **UID** | user id (default: 1000) | | **UID** | user id (default: 1000) |
| **GID** | group id (default: 1000) | | **GID** | group id (default: 1000) |
For convenience they were put at the very of the Dockerfile and their usage should be quite explicit if you intend to build this image yourself. For convenience they were put at [the very top of the Dockerfile](https://github.com/Wonderfall/docker-nextcloud/blob/main/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself.
## Environment variables (Dockerfile) ## Environment variables (Dockerfile)
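Review bot: the new `CONFIG_NATIVE` row is too terse to act on: "native code for hmalloc" does not say what values the argument accepts or what it changes, and "hmalloc" is inconsistent with the `hardened_malloc` name used in the row directly above. Since "native" suggests compiling for the CPU of the machine doing the build, the description should spell out whether an image built with it enabled is portable to other hosts, as that decides whether someone building the image on one box and deploying on another can turn it on. Separately, the Dockerfile link now carries a line range (`Dockerfile#L1-L13`) anchored to `main`; those line numbers drift as soon as the Dockerfile changes, so either pin the link to a commit permalink or drop the range and keep "the very top of the Dockerfile".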
@ -69,6 +73,8 @@ Leave them at default if you're not sure what you're doing.
`ADMIN_USER` and `ADMIN_PASSWORD` are optional and mainly for niche purposes. Obviously, avoid clear text passwords. Once `setup.sh` has run for the first time, these variables can be removed. You should then edit `/nextcloud/config/config.php` directly if you want to change something in your configuration. `ADMIN_USER` and `ADMIN_PASSWORD` are optional and mainly for niche purposes. Obviously, avoid clear text passwords. Once `setup.sh` has run for the first time, these variables can be removed. You should then edit `/nextcloud/config/config.php` directly if you want to change something in your configuration.
The usage of [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) will be considered in the future, but `config.php` already covers quite a lot.
## Volumes ## Volumes
| Variable | Description | | Variable | Description |
| ------------------------- | -------------------------- | | ------------------------- | -------------------------- |
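Review bot: the added sentence about Docker secrets reads as a deferral with no interim guidance, while the sentence just above tells users to "avoid clear text passwords" and then documents `ADMIN_PASSWORD` as an environment variable, which is exactly that. Suggest making the mitigation explicit and non-optional, e.g. "Because `ADMIN_USER`/`ADMIN_PASSWORD` are passed as environment variables, remove them from your compose file or run command as soon as `setup.sh` has completed; Docker secrets support may be added later." That turns the existing "these variables can be removed" into the actual advice rather than an aside.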
@ -80,10 +86,12 @@ Leave them at default if you're not sure what you're doing.
## Ports ## Ports
| Port | Use | | Port | Use |
| ------------------------- | -------------------------- | | ------------------------- | -------------------------- |
| **8888** | Nextcloud web | | **8888** (tcp) | Nextcloud web |
A reverse proxy like Traefik/Caddy should be used. A reverse proxy like [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/) can be used, and you should consider:
- Redirecting all HTTP traffic to HTTPS
- Setting the [HSTS header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) correctly
## Migration from the legacy image ## Migration from the legacy image
From now on you'll need to make sure all volumes have proper permissions. The default UID/GID is now 1000, so you'll need to build the image yourself if you want to change that, or you can just change the actual permissions of the volumes using `chown -R 1000:1000`. The flexibility provided by the legacy image came at some cost (performance & security), therefore this feature won't be provided anymore. From now on you'll need to make sure all volumes have proper permissions. The default UID/GID is now 1000, so you'll need to build the image yourself if you want to change that, or you can just change the actual permissions of the volumes using `chown -R 1000:1000`. The flexibility provided by the legacy image came at some cost (performance & security), therefore this feature won't be provided anymore.
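Review bot: the reverse-proxy sentence was weakened from "should be used" to "can be used", yet the Ports table documents only plain HTTP on **8888** (tcp), so a proxy is the only place TLS can be terminated and HTTP-to-HTTPS redirection can happen; keep "should" so the two bullets that follow are clearly requirements, not options. The HSTS bullet would also benefit from one qualifier: enable the header only after the HTTPS redirect is verified to work, since a bad HSTS value locks browsers out of the site for its whole max-age. In the migration paragraph, `chown -R 1000:1000` is missing its target; write it as `chown -R 1000:1000 /path/to/volume` so a reader does not run it against the wrong directory.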