diff --git a/.gitignore b/.gitignore
index 4713e2f..1a5d5ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,3 +92,8 @@ mailcow/refresh_images.sh
mailcow/update_diffs/
mailcow/create_cold_standby.sh
!mailcow/data/conf/nginx/mailcow_auth.conf
+
+nextcloud/hooks/post-installation/set-configs.sh
+**/volumes/
+mailcow/data/conf/dovecot/auth/passwd-verify.lua
+mailcow/data/conf/postfix/main.cf
\ No newline at end of file
diff --git a/copy_overrides.bash b/copy_overrides.bash
index 57bf97d..5f7f411 100755
--- a/copy_overrides.bash
+++ b/copy_overrides.bash
@@ -15,3 +15,7 @@ cp override/nextcloud.docker-compose.override.yml nextcloud/docker-compose.overr
cp override/onlyoffice.docker-compose.override.yml onlyoffice/docker-compose.override.yml
cp override/openproject.docker-compose.override.yml openproject/docker-compose.override.yml
echo "docker-compose.override.yml copied"
+
+echo "Copying hooks..."
+cp override/nextcloud/hooks/post-installation/set-configs.sh nextcloud/hooks/post-installation/set-configs.sh
+echo "Hooks copied"
diff --git a/core/docker-compose.yml b/core/docker-compose.yml
index 53116fb..66226ee 100644
--- a/core/docker-compose.yml
+++ b/core/docker-compose.yml
@@ -10,7 +10,7 @@ services:
- "traefik.enable=true"
- "traefik.docker.network=traefik"
- "traefik.http.routers.adminer.rule=Host(`adminer.${DOMAIN}`)"
- - "traefik.http.routers.adminer.entrypoints=web,websecure"
+ - "traefik.http.routers.adminer.entrypoints=websecure"
- "traefik.http.routers.adminer.middlewares=https-redirect"
- "traefik.http.routers.adminer.tls=true"
- "traefik.http.routers.adminer.tls.certresolver=le"
diff --git a/nextcloud/custom/custom-config.php b/nextcloud/custom/custom-config.php
deleted file mode 100644
index 22cf41d..0000000
--- a/nextcloud/custom/custom-config.php
+++ /dev/null
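Review bot: Listing `mailcow/data/conf/dovecot/auth/passwd-verify.lua`, `mailcow/data/conf/postfix/main.cf` and the new `nextcloud/hooks/post-installation/set-configs.sh` here only stops future `git add`; a file that is already tracked stays tracked and keeps being committed until it is dropped from the index with `git rm --cached <path>`, and any earlier commit that contained it remains in history. If these were ignored because they hold credentials or host-specific settings, check the log for prior versions of them. The new last line also still lacks a trailing newline, as the `\ No newline at end of file` marker shows.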
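Review bot: The added `cp override/nextcloud/hooks/post-installation/set-configs.sh nextcloud/hooks/post-installation/set-configs.sh` is unchecked and assumes the destination directory already exists, so on a fresh clone the `echo "Hooks copied"` on the next line can run after a failed copy (whether the script uses `set -e` is not visible in this hunk). Precede it with `mkdir -p nextcloud/hooks/post-installation` and append `|| exit 1` to the copy, or enable `set -euo pipefail` at the top of the script so the success message cannot mislead.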
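Review bot: With the router now bound to `websecure` only, the `traefik.http.routers.adminer.middlewares=https-redirect` label on the following context line is attached to a router that never receives plain-HTTP requests, so whatever that middleware redirects no longer applies to `http://adminer.${DOMAIN}`. Unless an entrypoint-level redirect on `web` exists elsewhere in the stack, those requests now fall through to Traefik's default 404, and either way the label is dead configuration that should be dropped or the redirect moved to the `web` entrypoint. Separately, none of the labels in this hunk attaches an authentication or IP-allowlist middleware, so a database administration UI is published on a public hostname guarded only by Adminer's own login form; if that exposure is intended, restricting the router with an `ipallowlist`, `basicauth` or `forwardauth` middleware is the usual mitigation.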
@@ -1,21 +0,0 @@
- '\\OC\\Memcache\\APCu',
- 'memcache.distributed' => '\\OC\\Memcache\\Redis',
- 'memcache.locking' => '\\OC\\Memcache\\Redis',
- 'trusted_proxies' =>
- array (
- 0 => 'traefik',
- 1 => '172.16.0.0/12',
- 2 => '192.168.0.0/16',
- 3 => '10.0.0.0/8',
- ),
- 'trusted_domains' =>
- array (
- 0 => 'localhost',
- 1 => 'nasarek.dev',
- 2 => 'drive.nasarek.dev',
- 3 => 'nextcloud-reverse-proxy',
- 4 => 'onlyoffice-documentserver',
- ),
-);
\ No newline at end of file
diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml
index d775f89..edee8a2 100644
--- a/nextcloud/docker-compose.yml
+++ b/nextcloud/docker-compose.yml
@@ -1,15 +1,15 @@
# Nextcloud-Stack
services:
nextcloud:
- image: nextcloud:31.0-fpm
+ image: nextcloud:31.0-fpm
container_name: nextcloud
depends_on:
- nextcloud-redis
environment:
+ - DOMAIN=${DOMAIN}
- NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER:-admin}
- NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD:-admin}
- NEXTCLOUD_DEFAULT_PHONE_REGION=DE
- - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
- ONLYOFFICE_JWT_SECRET=${ONLYOFFICE_JWT_SECRET}
- POSTGRES_DB=${NEXTCLOUD_DB_NAME}
- POSTGRES_HOST=${NEXTCLOUD_DB_HOST}
@@ -18,13 +18,11 @@ services:
- OVERWRITEPROTOCOL=https
- OVERWRITEHOST=${NEXTCLOUD_DOMAIN}
- REDIS_HOST=nextcloud-redis
- - TRUSTED_PROXIES=traefik
labels:
- "traefik.enable=false"
volumes:
- nextcloud-data:/var/www/html
- ./hooks/post-installation:/docker-entrypoint-hooks.d/post-installation
- #- ./custom/custom-config.php:/var/www/html/config/custom-config.php
expose:
- 80
- 9000
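Review bot: Removing `- TRUSTED_PROXIES=traefik` in the `@@ -18,13 +18,11 @@` hunk, together with `NEXTCLOUD_TRUSTED_DOMAINS` in the first hunk and the deleted `custom-config.php` that carried `trusted_proxies`/`trusted_domains`, leaves no visible source for either setting; the only candidate is `hooks/post-installation/set-configs.sh`, which is git-ignored in this commit and not part of the diff. If that hook does not set `trusted_proxies` (for example via `occ config:system:set`), Nextcloud will record the proxy's address as the client for every request, which defeats per-client brute-force throttling and hides the real client in logs, and without `trusted_domains` requests for the public hostname are rejected. Since a proxy container name is not a secret, keeping `- TRUSTED_PROXIES=traefik` in the compose file next to the new `DOMAIN` entry is the more auditable choice; the pre-existing `NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD:-admin}` fallback on a context line deserves the same scrutiny.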
@@ -58,9 +58,11 @@ http {
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
+ add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header Referrer-Policy "no-referrer";
root /var/www/html;
client_max_body_size 10G; # 0=unlimited - set max upload size
@@ -72,8 +74,24 @@ http {
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
- rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
- rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
+
+ location = /.well-known/carddav { return 301 /remote.php/dav; }
+ location = /.well-known/caldav { return 301 /remote.php/dav; }
+
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+ }
location = /robots.txt {
allow all;
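Review bot: The `add_header X-Frame-Options "SAMEORIGIN";` and `add_header Referrer-Policy "no-referrer";` lines added at server level are only inherited by locations that declare no `add_header` of their own, because nginx replaces the whole inherited set as soon as a nested level has any `add_header`, and none of the added lines uses `always`, so the 403/404 pages served through the `error_page` directives (and any other non-2xx/3xx response) go out without these headers. Write them as `add_header Referrer-Policy "no-referrer" always;` (and likewise for the others) and repeat the full set in every location that adds, for instance, a `Cache-Control` header, otherwise those responses silently lose the protection. The same `always` omission is in the `@@ -133,9 +151,10 @@` hunk, where `Referrer-Policy` is added to a location-level set.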
@@ -133,9 +151,10 @@ http {
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
+ add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy "no-referrer";
# Optional: Don't log access to assets
access_log off;
}
@@ -145,5 +164,15 @@ http {
access_log off;
}
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Add support for ocm-provider path handling
+ location /ocm-provider {
+ return 301 $scheme://$host/index.php/ocm-provider;
+ }
+
}
}
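Review bot: The new `return 301 $scheme://$host/index.php/ocm-provider;` builds an absolute redirect from `$scheme` and `$host`; behind a TLS-terminating proxy `$scheme` is the scheme nginx itself received (presumably `http` if this server only accepts plain HTTP from Traefik), so clients are sent to an `http://` URL and then bounced back to `https://`, and `$host` echoes the client-supplied Host header into the Location. A relative target, `return 301 /index.php/ocm-provider;`, avoids both the downgrade hop and the header reflection and matches the relative redirects the same file uses in its `/.well-known` block.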