first commit

nextcloud/.example-env

@@ -0,0 +1,10 @@
+# Nextcloud
+DOMAIN=
+NEXTCLOUD_ADMIN_PASSWORD=
+NEXTCLOUD_ADMIN_USER=
+NEXTCLOUD_DB_HOST=
+NEXTCLOUD_DB_NAME=
+NEXTCLOUD_DB_PASSWORD=
+NEXTCLOUD_DB_USER=
+NEXTCLOUD_TRUSTED_DOMAINS=
+ONLYOFFICE_JWT_SECRET=

nextcloud/create_infra.bash

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+source .env
+source ../core/.env
+
+docker exec postgres psql -U $POSTGRES_USER -d postgres -c "CREATE USER $NEXTCLOUD_DB_USER WITH PASSWORD '$NEXTCLOUD_DB_PASSWORD';"
+docker exec postgres psql -U $POSTGRES_USER -d postgres -c "CREATE DATABASE $NEXTCLOUD_DB_NAME OWNER $NEXTCLOUD_DB_USER;"
+docker exec postgres psql -U $POSTGRES_USER -d $NEXTCLOUD_DB_NAME -c "GRANT ALL PRIVILEGES ON DATABASE $NEXTCLOUD_DB_NAME TO $NEXTCLOUD_DB_USER;"

nextcloud/custom/custom-config.php

@@ -0,0 +1,14 @@
+<?php
+$CONFIG = array (
+  'maintenance_window_start' => 1,
+  'memcache.local' => '\OC\Memcache\APCu',
+  'memcache.locking' => '\OC\Memcache\Redis',
+  'redis' => [
+    'host' => 'redis',
+    'port' => 6379,
+  ],
+  'default_phone_region' => 'DE',
+  'hsts' => true,
+  'hstsMaxAge' => 15552000,
+  'hstsIncludeSubdomains' => true,
+);

nextcloud/docker-compose.yml

@@ -0,0 +1,80 @@
+# Nextcloud-Stack
+services:
+  nextcloud:
+    image: nextcloud:31.0-fpm
+    container_name: nextcloud
+    depends_on:
+      - nextcloud-redis
+    environment:
+      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER:-admin}
+      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD:-admin}
+      - NEXTCLOUD_DEFAULT_PHONE_REGION=DE
+      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
+      - ONLYOFFICE_JWT_SECRET=${ONLYOFFICE_JWT_SECRET}
+      - POSTGRES_DB=${NEXTCLOUD_DB_NAME}
+      - POSTGRES_HOST=${NEXTCLOUD_DB_HOST}
+      - POSTGRES_PASSWORD=${NEXTCLOUD_DB_PASSWORD}
+      - POSTGRES_USER=${NEXTCLOUD_DB_USER}
+      - OVERWRITEPROTOCOL=https
+      - OVERWRITEHOST=${NEXTCLOUD_DOMAIN}
+      - REDIS_HOST=nextcloud-redis
+      - TRUSTED_PROXIES=traefik
+    labels:
+      - "traefik.enable=false"
+    volumes:
+      - nextcloud-data:/var/www/html
+      #- ./hooks/post-installation:/docker-entrypoint-hooks.d/post-installation
+    expose:
+      - 80
+      - 9000
+    networks:
+      - nextcloud
+      - traefik
+      - onlyoffice
+      - database
+    restart: unless-stopped
+
+  nextcloud-reverse-proxy:
+    container_name: nextcloud-reverse-proxy
+    image: nginx:1.27
+    depends_on:
+      - nextcloud
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.nextcloud-reverse-proxy.rule=Host(`${NEXTCLOUD_DOMAIN}`)"
+      - "traefik.http.routers.nextcloud-reverse-proxy.entrypoints=web,websecure"
+      - "traefik.http.routers.nextcloud-reverse-proxy.middlewares=https-redirect"
+      - "traefik.http.routers.nextcloud-reverse-proxy.tls=true"
+      - "traefik.http.routers.nextcloud-reverse-proxy.tls.certresolver=le"
+      - "traefik.http.services.nextcloud-reverse-proxy.loadbalancer.server.port=80"
+    volumes:
+      - ./reverse-proxy/nginx.conf:/etc/nginx/nginx.conf
+      - nextcloud-data:/var/www/html
+    networks:
+      - nextcloud
+      - traefik
+      - onlyoffice
+    restart: unless-stopped
+
+  nextcloud-redis:
+    image: redis:alpine
+    container_name: nextcloud-redis
+    networks:
+      - nextcloud
+    restart: unless-stopped
+
+volumes:
+  nextcloud-data:
+    name: nextcloud-data
+
+networks:
+  database:
+    external: true
+  nextcloud:
+    name: nextcloud
+    external: true
+  traefik:
+    external: true
+  onlyoffice:
+    external: true

nextcloud/hooks/post-installation/install-drawio.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+echo "Installing Draw.io plugin..."
+php /var/www/html/occ app:install drawio
+echo "Draw.io plugin installed successfully!"

nextcloud/hooks/post-installation/install-only-office.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Print all commands and their arguments as they are executed.
+set -x
+
+# Get the trusted domains from the Nextcloud config
+php /var/www/html/occ --no-warnings config:system:get trusted_domains >> trusted_domain.tmp
+
+# If the nextcloud-reverse-proxy domain is not in the trusted domains, add it
+if ! grep -q "nextcloud-reverse-proxy" trusted_domain.tmp; then
+    # Get the number of trusted domains
+    TRUSTED_INDEX=$(cat trusted_domain.tmp | wc -l);
+    # Add the nextcloud-reverse-proxy domain to the trusted domains
+    php /var/www/html/occ --no-warnings config:system:set trusted_domains $TRUSTED_INDEX --value="nextcloud-reverse-proxy"
+fi
+
+rm trusted_domain.tmp
+
+# Install OnlyOffice app
+php /var/www/html/occ --no-warnings app:install onlyoffice
+
+# Set basic OnlyOffice configuration
+# Set the DocumentServerUrl to the path of the OnlyOffice Document Server
+php /var/www/html/occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/"
+# Set the DocumentServerInternalUrl to the URL of the OnlyOffice Document Server
+php /var/www/html/occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://onlyoffice-document-server/"
+# Set the StorageUrl to the URL of the Nextcloud Reverse Proxy
+php /var/www/html/occ --no-warnings config:system:set onlyoffice StorageUrl --value="http://nextcloud-reverse-proxy/"
+# Set the JWT secret
+echo ${ONLYOFFICE_JWT_SECRET}
+php /var/www/html/occ --no-warnings config:system:set onlyoffice jwt_secret --value="${ONLYOFFICE_JWT_SECRET}"

nextcloud/reverse-proxy/nginx.conf

@@ -0,0 +1,144 @@
+user  www-data;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+
+    upstream backend {
+      server nextcloud:9000;
+    }
+
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    map $http_host $this_host {
+        "" $host;
+        default $http_host;
+    }
+
+    map $http_x_forwarded_proto $the_scheme {
+        default $http_x_forwarded_proto;
+        "" $scheme;
+    }
+
+    map $http_x_forwarded_host $the_host {
+       default $http_x_forwarded_host;
+       "" $this_host;
+    }
+
+    server {
+        listen 80;
+	# The below allows for being behind a reverse proxy and allowing the Nextcloud app to connect
+        server_tokens off;
+
+        # Add headers to serve security related headers
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+
+        root /var/www/html;
+        client_max_body_size 10G; # 0=unlimited - set max upload size
+        fastcgi_buffers 64 4K;
+
+        gzip off;
+
+        index index.php;
+        error_page 403 /core/templates/403.php;
+        error_page 404 /core/templates/404.php;
+
+        rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
+        rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
+            deny all;
+        }
+
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+            deny all;
+        }
+
+        location / {
+            rewrite ^/remote/(.*) /remote.php last;
+            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+            try_files $uri $uri/ =404;
+        }
+
+	location ~* ^/ds-vpath/ {
+		rewrite /ds-vpath/(.*) /$1  break;
+                proxy_pass http://onlyoffice-document-server;
+                proxy_redirect     off;
+
+                client_max_body_size 100m;
+
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+
+                proxy_set_header Host $http_host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
+                proxy_set_header X-Forwarded-Proto https;
+        }
+
+        location ~ \.php(?:$|/) {
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param HTTPS on;
+            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+            fastcgi_pass backend;
+            fastcgi_intercept_errors on;
+        }
+
+        # Adding the cache control header for js and css files
+        # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+        location ~* \.(?:css|js)$ {
+            add_header Cache-Control "public, max-age=7200";
+            # Add headers to serve security related headers
+            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+            add_header X-Content-Type-Options nosniff;
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+            add_header X-Robots-Tag none;
+            add_header X-Download-Options noopen;
+            add_header X-Permitted-Cross-Domain-Policies none;
+            # Optional: Don't log access to assets
+            access_log off;
+        }
+
+        # Optional: Don't log access to other assets
+        location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
+            access_log off;
+        }
+
+    }
+}