fixed onlyoffice connection problem

.gitignore

@@ -92,3 +92,8 @@ mailcow/refresh_images.sh
 mailcow/update_diffs/
 mailcow/create_cold_standby.sh
 !mailcow/data/conf/nginx/mailcow_auth.conf
+
+nextcloud/hooks/post-installation/set-configs.sh
+**/volumes/
+mailcow/data/conf/dovecot/auth/passwd-verify.lua
+mailcow/data/conf/postfix/main.cf

copy_overrides.bash

@@ -15,3 +15,7 @@ cp override/nextcloud.docker-compose.override.yml nextcloud/docker-compose.overr
 cp override/onlyoffice.docker-compose.override.yml onlyoffice/docker-compose.override.yml
 cp override/openproject.docker-compose.override.yml openproject/docker-compose.override.yml
 echo "docker-compose.override.yml copied"
+
+echo "Copying hooks..."
+cp override/nextcloud/hooks/post-installation/set-configs.sh nextcloud/hooks/post-installation/set-configs.sh
+echo "Hooks copied"

core/docker-compose.yml

@@ -10,7 +10,7 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=traefik"
       - "traefik.http.routers.adminer.rule=Host(`adminer.${DOMAIN}`)"
-      - "traefik.http.routers.adminer.entrypoints=web,websecure"
+      - "traefik.http.routers.adminer.entrypoints=websecure"
       - "traefik.http.routers.adminer.middlewares=https-redirect"
       - "traefik.http.routers.adminer.tls=true"
       - "traefik.http.routers.adminer.tls.certresolver=le"

nextcloud/custom/custom-config.php

@@ -1,21 +0,0 @@
-<?php
-$CONFIG = array (
-  'memcache.local' => '\\OC\\Memcache\\APCu',
-  'memcache.distributed' => '\\OC\\Memcache\\Redis',
-  'memcache.locking' => '\\OC\\Memcache\\Redis',
-  'trusted_proxies' => 
-  array (
-          0 => 'traefik',
-          1 => '172.16.0.0/12', 
-          2 => '192.168.0.0/16', 
-          3 => '10.0.0.0/8',
-  ),
-  'trusted_domains' => 
-  array (
-    0 => 'localhost',
-    1 => 'nasarek.dev',
-    2 => 'drive.nasarek.dev',
-    3 => 'nextcloud-reverse-proxy',
-    4 => 'onlyoffice-documentserver',
-  ),
-);

nextcloud/docker-compose.yml

@@ -1,15 +1,15 @@
 # Nextcloud-Stack
 services:
   nextcloud:
-    image: nextcloud:31.0-fpm
+    image: nextcloud:31.0-fpm 
     container_name: nextcloud
     depends_on:
       - nextcloud-redis
     environment:
+      - DOMAIN=${DOMAIN}
       - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER:-admin}
       - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD:-admin}
       - NEXTCLOUD_DEFAULT_PHONE_REGION=DE
-      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_TRUSTED_DOMAINS}
       - ONLYOFFICE_JWT_SECRET=${ONLYOFFICE_JWT_SECRET}
       - POSTGRES_DB=${NEXTCLOUD_DB_NAME}
       - POSTGRES_HOST=${NEXTCLOUD_DB_HOST}
@@ -18,13 +18,11 @@ services:
       - OVERWRITEPROTOCOL=https
       - OVERWRITEHOST=${NEXTCLOUD_DOMAIN}
       - REDIS_HOST=nextcloud-redis
-      - TRUSTED_PROXIES=traefik
     labels:
       - "traefik.enable=false"
     volumes:
       - nextcloud-data:/var/www/html
       - ./hooks/post-installation:/docker-entrypoint-hooks.d/post-installation
-      #- ./custom/custom-config.php:/var/www/html/config/custom-config.php
     expose:
       - 80
       - 9000

nextcloud/reverse-proxy/nginx.conf

@@ -58,9 +58,11 @@ http {
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
         add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
+        add_header X-Robots-Tag "noindex, nofollow";
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header Referrer-Policy "no-referrer";
 
         root /var/www/html;
         client_max_body_size 10G; # 0=unlimited - set max upload size
@@ -72,8 +74,24 @@ http {
         error_page 403 /core/templates/403.php;
         error_page 404 /core/templates/404.php;
 
-        rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
+        # Make a regex exception for `/.well-known` so that clients can still
-        rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav; }
+            location = /.well-known/caldav { return 301 /remote.php/dav; }
+        
+            location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
 
         location = /robots.txt {
             allow all;
@@ -133,9 +151,10 @@ http {
             add_header X-Content-Type-Options nosniff;
             add_header X-Frame-Options "SAMEORIGIN";
             add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
+            add_header X-Robots-Tag "noindex, nofollow";
             add_header X-Download-Options noopen;
             add_header X-Permitted-Cross-Domain-Policies none;
+            add_header Referrer-Policy "no-referrer";
             # Optional: Don't log access to assets
             access_log off;
         }
@@ -145,5 +164,15 @@ http {
             access_log off;
         }
 
+        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+            try_files $uri/ =404;
+            index index.php;
+        }
+
+        # Add support for ocm-provider path handling
+        location /ocm-provider {
+            return 301 $scheme://$host/index.php/ocm-provider;
+        }
+
     }
 }