Installation: Docker with MariaDB, SSL, Nextcloud AIO

Description:
Nextcloud installation via a docker-compose script.
For the Let's Encrypt certificate we use the image linuxserver/swag.
This is an image that combines Let's Encrypt (certbot) and nginx in one container.

Installation

Preparation
Create the DNS A/AAAA record.
As soon as the URL on port 8443 is opened after the container has started, a valid Let's Encrypt certificate is fetched right away, provided the DNS records are set correctly. Isn't that great? ;-)

Install Docker and create the directories
apt install docker.io docker-compose apparmor
mkdir -p /root/nextcloud/mariadb/data
mkdir -p /root/nextcloud/data
mkdir -p /root/nextcloud/letsencrypt

.env file
At the start we set STAGING to true. That way we test whether fetching the certificate works without hitting the Let's Encrypt production rate limits. Once everything works, set it to false.
root@cloud:~/nextcloud# cat .env
# database configuration
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextclouduser
MYSQL_PASSWORD=nextcloudpassword
MYSQL_ROOT_PASSWORD=rootpassword
# volumes
NEXTCLOUD_ROOT_PATH=/root/nextcloud
NEXTCLOUD_DATA_PATH=/root/nextcloud/data
DB_DATA_PATH=/root/nextcloud/mariadb/data
LETSENCRYPT_DATA_PATH=/root/nextcloud/letsencrypt
# network
VIRTUAL_HOST=cloud.banane.com
LETSENCRYPT_HOST=cloud.banane.com
LETSENCRYPT_EMAIL=info@banane.com
# subdomains (wildcard, www, customdomain or nothing)
SUBDOMAINS=
STAGING=true # switches on test mode (Let's Encrypt staging CA)
nextcloud.conf
This file must be in the same directory as the docker-compose file.
nano /root/nextcloud/nextcloud.conf
There, adjust the server name to the subdomain, in our case banane.*
Note: nginx matches a trailing wildcard such as banane.* only against names that begin with "banane." (banane.com, banane.de); for the host cloud.banane.com set in the .env the matching pattern would be cloud.* (or the exact name cloud.banane.com).

## Version 2023/06/24
# make sure that your nextcloud container is named nextcloud
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#   'trusted_proxies' => ['swag'],
#   'overwrite.cli.url' => 'https://nextcloud.example.com/',
#   'overwritehost' => 'nextcloud.example.com',
#   'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#   array (
#     0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#     1 => 'nextcloud.example.com',
#   ),

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name banane.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app app;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

        # Disable proxy buffering
        proxy_buffering off;
    }
}
The compose file
Here only the following value is changed:
# - NEXTCLOUD_DATADIR=/mnt/ncdata
to
- NEXTCLOUD_DATADIR=/root/nextcloud/data
(the environment: key above it must be active as well, otherwise the list entry has no parent key and the file is not valid YAML). Already changed below.

docker-compose.yml for the MariaDB, Nextcloud app and SWAG stack (this is the stack the .env, nextcloud.conf and the post-install steps refer to):

version: '3.8'

services:
  db:
    image: mariadb
    restart: always
    volumes:
      - ${DB_DATA_PATH}:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}

  app:
    image: nextcloud
    restart: always
    volumes:
      - ${NEXTCLOUD_DATA_PATH}:/var/www/html
    environment:
      - MYSQL_HOST=db
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    depends_on:
      - db

  letsencrypt:
    image: linuxserver/swag
    restart: always
    volumes:
      - ${LETSENCRYPT_DATA_PATH}:/config
      - ${NEXTCLOUD_ROOT_PATH}/nextcloud.conf:/config/nginx/site-confs/nextcloud.conf
    environment:
      - URL=${VIRTUAL_HOST}
      - SUBDOMAINS=${SUBDOMAINS}
      - VALIDATION=http
      - EMAIL=${LETSENCRYPT_EMAIL}
      - STAGING=${STAGING}
    depends_on:
      - app
    ports:
      - "80:80"
      - "443:443"

networks:
  default:
    external:
      name: nginx-proxy

docker-compose.yml for Nextcloud AIO (the upstream sample file, with NEXTCLOUD_DATADIR already changed):

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      - NEXTCLOUD_DATADIR=/root/nextcloud/data
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      # - NEXTCLOUD_KEEP_DISABLED_APPS=false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
    #   - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
    # # Uncomment the following line when using SELinux
    # security_opt: ["label:disable"]

  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
  # caddy:
  #   image: caddy:alpine
  #   restart: always
  #   container_name: caddy
  #   volumes:
  #     - ./Caddyfile:/etc/caddy/Caddyfile
  #     - ./certs:/certs
  #     - ./config:/config
  #     - ./data:/data
  #     - ./sites:/srv
  #   network_mode: "host"

volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work

# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
# networks:
#   nextcloud-aio:
#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
#     driver: bridge
#     enable_ipv6: true
#     ipam:
#       driver: default
#       config:
#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use

Create the Docker network nginx-proxy:
docker network create nginx-proxy

Start the stack and watch whether everything is created by docker-compose. Start the containers with
docker-compose up -d

Now you can follow the logs with
docker-compose logs -f letsencrypt
(for the AIO variant: docker-compose logs -f nextcloud-aio-mastercontainer)

Once the certificates have been created successfully, set STAGING to false in the .env file and restart the container:
docker-compose restart letsencrypt
Note that a plain restart keeps the container's old environment; to apply the changed STAGING value the container has to be recreated with docker-compose up -d letsencrypt.

Then look at the logs again:
docker-compose logs -f letsencrypt
Now the Nextcloud instance is reachable and an admin password can be set.

Post-install work:
Adjust config/config.php:
nano /root/nextcloud/data/config/config.php
There, add at the end:
'maintenance_window' => ['day' => 'Sat', 'time' => '02:00'],

Example:
...
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextclouduser',
  'dbpassword' => 'nextcloudpassword',
  'installed' => true,
  'maintenance_window' => ['day' => 'Sat', 'time' => '02:00'],
);

Then replace the trusted domains section and adjust the domain names:
  'trusted_proxies' => ['swag'], // or the internal IP of the SWAG container, if 'swag' does not resolve
  'overwrite.cli.url' => 'https://cloud.banane.com',
  'overwritehost' => 'cloud.banane.com',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^172\\.\\d+\\.\\d+\\.\\d+$', // adjust the IP subnet to match the Docker network
  'trusted_domains' =>
  array (
    0 => 'cloud.banane.com',
  ),
Adjust nextcloud.conf:
nano /root/nextcloud/nextcloud.conf
Insert this part below proxy_pass:

        # the headers are set here
        #proxy_set_header Host $host;
        #proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        add_header Referrer-Policy "no-referrer" always;

Example:
...
        set $upstream_app app;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # the headers are set here
        #proxy_set_header Host $host;
        #proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        add_header Referrer-Policy "no-referrer" always;
...
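An added check script for the two steps above (not part of the original guide): it classifies the certificate issuer reported by openssl, so you can confirm the switch from STAGING=true to false actually produced a production Let's Encrypt certificate, and it verifies that the headers added to nextcloud.conf are present in a live response. The host name is passed as the first argument; the function names and the constructed sample inputs used for testing are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Assumes openssl and curl
# are installed; the host name (e.g. cloud.banane.com) is passed as $1.

# Classify the issuer line printed by `openssl x509 -noout -issuer`.
# Let's Encrypt staging certificates carry "(STAGING)" in the issuer name.
# Prints: staging | production | unknown
cert_env() {
  case "$1" in
    *STAGING*)         echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo unknown ;;
  esac
}

# Check a raw HTTP response header block for every header that the guide
# adds to nextcloud.conf. Prints each missing header; returns 1 if any is missing.
check_headers() {
  local headers="$1" h missing=0
  for h in strict-transport-security x-content-type-options \
           x-frame-options referrer-policy; do
    if ! printf '%s\n' "$headers" | tr 'A-Z' 'a-z' | grep -q "^$h:"; then
      echo "missing header: $h"
      missing=1
    fi
  done
  return "$missing"
}

# Live run against the deployed instance: ./check.sh cloud.banane.com
if [ -n "${1:-}" ]; then
  host="$1"
  issuer=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
             | openssl x509 -noout -issuer)
  echo "certificate: $(cert_env "$issuer")  [$issuer]"
  if check_headers "$(curl -sI "https://$host/")"; then
    echo "security headers: ok"
  fi
fi
```

A staging certificate is not trusted by browsers, so a result of "staging" after the switch means the letsencrypt container still runs with the old environment.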
