From a142dcb3d19da08d812cc67548590a082bc3305d Mon Sep 17 00:00:00 2001
From: root <root@f11391a1.federatedcomputer.cloud>
Date: Fri, 5 Apr 2024 14:04:21 +0000
Subject: [PATCH] New changes for threads in app files

---
 lib/collabora.sh       |   1 +
 lib/collabora.sh.old   |  78 +++++++++++
 lib/nextcloud.sh       |   7 +
 lib/nextcloud.sh.old   | 307 +++++++++++++++++++++++++++++++++++++++++
 lib/postgresql.sh      |  12 --
 lib/postgresql.sh.old  | 114 +++++++++++++++
 lib/traefik.sh         |   6 +-
 lib/traefik.sh.old     | 132 ++++++++++++++++++
 lib/vaultwarden.sh     |   7 +
 lib/vaultwarden.sh.old |  72 ++++++++++
 10 files changed, 723 insertions(+), 13 deletions(-)
 create mode 100644 lib/collabora.sh.old
 create mode 100644 lib/nextcloud.sh.old
 create mode 100644 lib/postgresql.sh.old
 create mode 100644 lib/traefik.sh.old
 create mode 100644 lib/vaultwarden.sh.old

diff --git a/lib/collabora.sh b/lib/collabora.sh
index 5cf5d81..9c0bb02 100644
--- a/lib/collabora.sh
+++ b/lib/collabora.sh
@@ -15,6 +15,7 @@ config_collabora() {
     cp /federated/certs/certs/$DOMAIN.crt /federated/certs/private/$DOMAIN.key /federated/apps/collabora/data/root/certs/
     chown 104 /federated/apps/collabora/data/root/certs/*
   fi
+  get_externalip
 
 cat > /federated/apps/collabora/docker-compose.yml <<EOF
 version: '3.7'
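Review bot: The result of the added `get_externalip` call is never checked before the compose heredoc that follows is written. The pre-image saved in this patch as lib/collabora.sh.old shows that heredoc emitting `"nextcloud.$DOMAIN:$EXTERNALIP"` under `extra_hosts`, so an empty or stale value would produce a broken or wrong host mapping with no error. A guard right after the call, such as `[ -n "$EXTERNALIP" ] || fail "Couldn't determine external IP for collabora"`, would stop the install at the cause; this assumes get_externalip sets EXTERNALIP, which is not visible here. The same applies to the call added in the first hunk of lib/nextcloud.sh, and config_collabora starts and ends outside this hunk.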
diff --git a/lib/collabora.sh.old b/lib/collabora.sh.old
new file mode 100644
index 0000000..5cf5d81
--- /dev/null
+++ b/lib/collabora.sh.old
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Collabora Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_collabora() {
+  echo -ne "\n* Configuring /federated/apps/collabora container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/collabora" ]; then
+    mkdir -p /federated/apps/collabora/data/root/certs &> /dev/null
+    mkdir -p /federated/apps/collabora/data/opt/collaboraoffice/share/fonts/truetype &> /dev/null
+    cp /federated/certs/certs/$DOMAIN.crt /federated/certs/private/$DOMAIN.key /federated/apps/collabora/data/root/certs/
+    chown 104 /federated/apps/collabora/data/root/certs/*
+  fi
+
+cat > /federated/apps/collabora/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  collabora:
+    image: collabora/code:\${IMAGE_VERSION}
+    container_name: collabora
+    hostname: collabora.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.17
+    extra_hosts:
+      - "nextcloud.$DOMAIN:$EXTERNALIP"
+    ports:
+      - "9980:9980"
+    volumes:
+      - ./data/root:/root
+      - ./data/opt/collaboraoffice/share/fonts/truetype:/opt/collaboraoffice/share/fonts/truetype
+#      - ./data/root/certs/$DOMAIN.crt:/etc/coolwsd/cert.pem
+#      - ./data/root/certs/$DOMAIN.key:/etc/coolwsd/key.pem
+    env_file:
+      - ./.env
+    cap_add:
+      - MKNOD
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.collabora.rule=Host(\`collabora.$DOMAIN\`)"
+      - "traefik.http.routers.collabora.entrypoints=websecure"
+      - "traefik.http.routers.collabora.tls.certresolver=letsencrypt"
+      - "traefik.http.services.collabora.loadbalancer.server.port=9980"
+
+networks:
+  federated:
+    external: true
+EOF
+
+cat > /federated/apps/collabora/.env <<EOF
+IMAGE_VERSION=23.05.10.1.1
+domain=nextcloud.$DOMAIN
+server_name=collabora.$DOMAIN
+extra_params=--o:ssl.enable=false --o:ssl.termination=true
+EOF
+chmod 600 /federated/apps/collabora/.env
+
+# Extract extra fonts into collabora
+tar zxvf /federated/lib/files/collabora/fonts.tar.gz -C /federated/apps/collabora/data/opt/collaboraoffice/share/fonts/truetype/
+[ $? -ne 0 ] && fail "Couldn't extract files/collabora/fonts.tar.gz into collabora"
+
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_collabora() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "collabora" "nc -z 172.99.0.17 9980 &> /dev/null" "15"
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
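Review bot: lib/collabora.sh.old is a byte-for-byte copy of the previous lib/collabora.sh (its blob id 5cf5d81 is the pre-image id of the lib/collabora.sh hunk), and the other four `.old` files in this patch match their pre-images the same way. Git history already preserves those versions, so the copies only add several hundred lines of dead code, including templates that write secrets, which can drift from the live files and would be loaded if the installer ever sources lib/ by glob (not visible here). I would drop the five `.old` files from the commit and ignore `*.old` in the repository.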
diff --git a/lib/nextcloud.sh b/lib/nextcloud.sh
index 02c4829..4914abe 100644
--- a/lib/nextcloud.sh
+++ b/lib/nextcloud.sh
@@ -18,6 +18,7 @@ config_nextcloud() {
     mkdir -p /federated/apps/nextcloud/data/var/www/data &> /dev/null
     mkdir -p /federated/apps/nextcloud/data/usr/local/etc/php/conf.d &> /dev/null
   fi
+  get_externalip
 
 cat > /federated/apps/nextcloud/docker-compose.yml <<EOF
 version: '3.7'
@@ -77,10 +78,16 @@ networks:
 EOF
 
 LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret`
+NEXTCLOUD_SECRET=$(create_password)
 echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret
 echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret
 chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret
 
+# Create database and user in postgresql
+docker exec postgresql psql -U postgres -c "CREATE DATABASE nextcloud" &> /dev/null
+docker exec postgresql psql -U postgres -c "CREATE USER nextcloud WITH PASSWORD '$NEXTCLOUD_SECRET'" &> /dev/null
+docker exec postgresql psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud" &> /dev/null
+
 cat > /federated/apps/nextcloud/.env <<EOF
 IMAGE_VERSION=28.0.4
 NEXTCLOUD_UPDATE=1
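Review bot: The three added `docker exec postgresql psql ... -c` calls put the generated password on the command line and discard both output and exit status. `$NEXTCLOUD_SECRET` is therefore visible in the host process list while they run, and a failed `CREATE USER` (container not up yet, role already present) goes unnoticed even though .postgresql.secret has already been written. Sending the SQL over stdin with `ON_ERROR_STOP` and checking the status addresses both, as sketched below. The same pattern is added in the last hunk of lib/vaultwarden.sh, and config_nextcloud starts and ends outside this hunk.

```shell
# Create database and user in postgresql. The SQL is sent on stdin so the
# password never appears in the argv of docker or psql.
docker exec -i postgresql psql -U postgres -v ON_ERROR_STOP=1 &> /dev/null <<EOF
CREATE DATABASE nextcloud;
CREATE USER nextcloud WITH PASSWORD '$NEXTCLOUD_SECRET';
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
EOF
[ $? -ne 0 ] && fail "Couldn't create nextcloud database and user in postgresql"
```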
diff --git a/lib/nextcloud.sh.old b/lib/nextcloud.sh.old
new file mode 100644
index 0000000..02c4829
--- /dev/null
+++ b/lib/nextcloud.sh.old
@@ -0,0 +1,307 @@
+#!/bin/bash -x
+#
+# NextCloud Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_nextcloud() {
+  echo -ne "\n* Configuring /federated/apps/nextcloud container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/nextcloud" ]; then
+    mkdir -p /federated/apps/nextcloud/data/root &> /dev/null
+    mkdir -p /federated/apps/nextcloud/data/home &> /dev/null
+    mkdir -p /federated/apps/nextcloud/data/var/www/html &> /dev/null
+    mkdir -p /federated/apps/nextcloud/data/var/www/html/custom_apps &> /dev/null
+    mkdir -p /federated/apps/nextcloud/data/var/www/config &> /dev/null
+    mkdir -p /federated/apps/nextcloud/data/var/www/data &> /dev/null
+    mkdir -p /federated/apps/nextcloud/data/usr/local/etc/php/conf.d &> /dev/null
+  fi
+
+cat > /federated/apps/nextcloud/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  nextcloud:
+    image: nextcloud:\${IMAGE_VERSION}
+    container_name: nextcloud
+    hostname: nextcloud.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+#    working_dir: /var/www/html
+    networks:
+      federated:
+        ipv4_address: 172.99.0.18
+    extra_hosts:
+      - "collabora.$DOMAIN:$EXTERNALIP"
+    volumes:
+      - ./data/root:/root
+      - ./data/home:/home
+      - ./data/var/www/html:/var/www/html
+      - ./data/var/www/html/custom_apps:/var/www/html/custom_apps
+      - ./data/var/www/config:/var/www/config
+      - ./data/var/www/data:/var/www/data
+      - ./data/usr/local/etc/php/conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
+      - ./data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini:/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
+    env_file:
+      - ./.env
+    secrets:
+      - federated_psql_password
+      - federated_nextcloud_password
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nextcloud.rule=Host(\`nextcloud.$DOMAIN\`)"
+      - "traefik.http.routers.nextcloud.entrypoints=websecure"
+      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex1,nextcloud-redirectregex2,nextcloudheader"
+      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.regex=https?://([^/]*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.replacement=https://\$\${1}/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
+      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://\$\${1}/index.php\$\${2}"
+      - "traefik.http.middlewares.nextcloudheader.headers.stsSeconds=15552000"
+      - "traefik.http.middlewares.nextcloudheader.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.nextcloudheader.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloudheader.headers.forceSTSHeader=true"
+
+secrets:
+  federated_psql_password:
+    file: ./.postgresql.secret
+  federated_nextcloud_password:
+    file: ./.nextcloud.secret
+networks:
+  federated:
+    external: true
+EOF
+
+LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret`
+echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret
+echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret
+chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret
+
+cat > /federated/apps/nextcloud/.env <<EOF
+IMAGE_VERSION=28.0.4
+NEXTCLOUD_UPDATE=1
+PHP_MEMORY_LIMIT=2048M
+PHP_UPLOAD_LIMIT=2048M
+TRUSTED_PROXIES=172.99.0.0/16
+NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.$DOMAIN
+NEXTCLOUD_ADMIN_USER=nextcloud
+NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/federated_nextcloud_password
+POSTGRES_HOST=postgresql.$DOMAIN
+POSTGRES_DB=nextcloud
+POSTGRES_USER=nextcloud
+POSTGRES_PASSWORD_FILE=/run/secrets/federated_psql_password
+EOF
+chmod 600 /federated/apps/nextcloud/.env
+
+cat > /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/opcache-recommended.ini <<EOF
+opcache.enable=1
+opcache.interned_strings_buffer=32
+opcache.max_accelerated_files=18000
+opcache.memory_consumption=256
+opcache.save_comments=1
+opcache.revalidate_freq=60
+EOF
+
+cat > /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini <<EOF
+extension=apcu
+apc.enable_cli=1
+apc.shm_size=256M
+apc.ttl=3600
+apc.user_ttl=7200
+apc.gc_ttl=3600
+apc.max_file_size=2M
+EOF
+
+#if [[ "$BUNDLE" = "starter" ]]; then
+#  sed -i "s/2048M/96M/g" /federated/apps/nextcloud/.env
+#  sed -i "s/256/64/g" /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/opcache-recommended.ini
+#  sed -i "s/256M/64M/g" /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
+#fi
+
+cat > /federated/apps/nextcloud/data/configs.json <<EOF
+{
+   "system": {
+        "mail_smtpmode": "smtp",
+        "mail_smtpsecure": "tls",
+        "mail_sendmailmode": "smtp",
+        "mail_from_address": "nextcloud",
+        "mail_domain": "$DOMAIN",
+        "mail_smtpauthtype": "LOGIN",
+        "mail_smtpauth": 1,
+        "mail_smtphost": "mail.$DOMAIN",
+        "mail_smtpport": "587",
+        "mail_smtpname": "fcore",
+        "mail_smtppassword": "$ADMINPASS"
+   },
+   "apps": {
+        "core": {
+            "backgroundjobs_mode": "cron"
+        },
+	"side_menu": {
+            "background-color-opacity": "100",
+            "current-app-background-color": "#005b8d",
+            "types": "",
+            "enabled": "yes",
+            "text-color": "#ffffff",
+            "loader-color": "#339bd4",
+            "types": "",
+            "always-displayed": "0",
+            "big-menu": "0",
+            "side-with-categories": "0",
+            "background-color": "#0068a1",
+            "background-color-to": "#0068a1",
+            "icon-invert-filter": "0",
+            "icon-opacity": "100",
+            "opener": "side-menu-opener",
+            "dark-mode-background-color": "#0068a1",
+            "dark-mode-background-color-to": "#0068a1",
+            "dark-mode-background-color-opacity": "100",
+            "dark-mode-current-app-background-color": "#005b8d",
+            "dark-mode-text-color": "#ffffff",
+            "dark-mode-loader-color": "#ffffff",
+            "dark-mode-icon-invert-filter": "0",
+            "dark-mode-icon-opacity": "100",
+            "dark-mode-opener": "side-menu-opener",
+            "opener-position": "before",
+            "opener-only": "0",
+            "hide-when-no-apps": "0",
+            "opener-hover": "0",
+            "display-logo": "1",
+            "use-avatar": "0",
+            "add-logo-link": "1",
+            "big-menu-hidden-apps": "[]",
+            "show-settings": "0",
+            "size-icon": "normal",
+            "size-text": "normal",
+            "target-blank-apps": "[]",
+            "loader-enabled": "1",
+            "top-side-menu-apps": "[]",
+            "top-menu-mouse-over-hidden-label": "0",
+            "apps-order": "[\"dashboard\",\"mail\",\"calendar\",\"contacts\",\"notes\",\"tasks\",\"files\",\"deck\",\"bookmarks\",\"forms\",\"spreed\",\"photos\",\"activity\"]",
+            "categories-order-type": "default",
+            "categories-custom": "[]",
+            "apps-categories-custom": "[]",
+            "categories-order": "[\"other\",\"customization\",\"dashboard\",\"external_links\",\"files\",\"workflow\",\"games\",\"integration\",\"monitoring\",\"multimedia\",\"office\",\"organization\",\"search\",\"security\",\"social\",\"tools\"]",
+            "default-enabled": "1",
+            "force": "0",
+            "top-menu-apps": "[\"photos\",\"activity\",\"dashboard\",\"forms\",\"calendar\",\"tasks\",\"bookmarks\",\"deck\",\"contacts\",\"notes\",\"spreed\",\"mail\",\"files\"]",
+            "cache": "2"
+	}
+   }
+}
+EOF
+
+cat > /federated/apps/nextcloud/data/config.sh <<EOF
+#!/bin/sh
+
+PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin
+
+/var/www/html/occ app:enable user_ldap
+/var/www/html/occ ldap:create-empty-config
+/var/www/html/occ ldap:set-config s01 ldapHost 'ldaps://ldap.$DOMAIN'
+/var/www/html/occ ldap:set-config s01 ldapAgentName cn=admin,dc=federatedcomputer,dc=cloud
+/var/www/html/occ ldap:set-config s01 ldapAgentPassword $LDAP_SECRET
+/var/www/html/occ ldap:set-config s01 ldapBase ou=people,dc=federatedcomputer,dc=cloud
+/var/www/html/occ ldap:set-config s01 ldapBaseGroups ou=groups,dc=federatedcomputer,dc=cloud
+/var/www/html/occ ldap:set-config s01 ldapBaseUsers ou=people,dc=federatedcomputer,dc=cloud
+/var/www/html/occ ldap:set-config s01 ldapEmailAttribute mail
+/var/www/html/occ ldap:set-config s01 ldapGidNumber gidNumber
+/var/www/html/occ ldap:set-config s01 ldapGroupDisplayName cn
+/var/www/html/occ ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=posixGroup)))'
+/var/www/html/occ ldap:set-config s01 ldapGroupFilterMode 0
+/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass inetOrgPerson
+/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
+/var/www/html/occ ldap:set-config s01 ldapLoginFilter '(&(|(objectclass=inetOrgPerson))(mail=%uid))'
+/var/www/html/occ ldap:set-config s01 ldapLoginFilterEmail 0
+/var/www/html/occ ldap:set-config s01 ldapLoginFilterMode 0
+/var/www/html/occ ldap:set-config s01 ldapLoginFilterUsername 1
+/var/www/html/occ ldap:set-config s01 ldapLoginFilterEmail 0
+/var/www/html/occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
+/var/www/html/occ ldap:set-config s01 ldapNestedGroups 0
+/var/www/html/occ ldap:set-config s01 ldapPagingSize 500 
+/var/www/html/occ ldap:set-config s01 ldapPort 636
+/var/www/html/occ ldap:set-config s01 ldapTLS 1 
+/var/www/html/occ ldap:set-config s01 ldapUserAvatarRule default
+/var/www/html/occ ldap:set-config s01 ldapUserDisplayName cn
+/var/www/html/occ ldap:set-config s01 ldapUserFilter '(|(objectclass=inetOrgPerson))'
+/var/www/html/occ ldap:set-config s01 ldapUserFilterMode 0 
+/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson
+/var/www/html/occ ldap:set-config s01 ldapUuidGroupAttribute auto
+/var/www/html/occ ldap:set-config s01 ldapUuidUserAttribute auto 
+/var/www/html/occ ldap:set-config s01 turnOffCertCheck 0 
+/var/www/html/occ ldap:set-config s01 turnOnPasswordChange 0 
+/var/www/html/occ ldap:set-config s01 useMemberOfToDetectMembership 1 
+/var/www/html/occ ldap:set-config s01 ldapConfigurationActive 1 
+/var/www/html/occ ldap:set-config s01 ldap_expert_username_attr uid
+/var/www/html/occ ldap:set-config s01 ldap_display_name givenName
+/var/www/html/occ config:system:set overwriteprotocol --value=https
+/var/www/html/occ config:system:set default_phone_region --value="$COUNTRY"
+/var/www/html/occ config:system:delete trusted_domains
+/var/www/html/occ config:system:set trusted_domains 1 --value=*
+/var/www/html/occ group:adduser admin admin
+/var/www/html/occ user:delete nextcloud
+/var/www/html/occ app:enable mail
+/var/www/html/occ app:enable calendar
+/var/www/html/occ app:enable contacts
+/var/www/html/occ app:enable notes
+/var/www/html/occ app:enable deck
+/var/www/html/occ app:enable tasks
+/var/www/html/occ app:enable bookmarks
+/var/www/html/occ app:enable forms
+/var/www/html/occ app:enable spreed
+/var/www/html/occ app:enable side_menu
+/var/www/html/occ app:enable external 
+/var/www/html/occ app:enable richdocuments
+/var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments public_wopi_url
+/var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments wopi_url
+/var/www/html/occ config:app:set --value ooxml richdocuments doc_format
+/var/www/html/occ config:app:set --value "" richdocuments disable_certificate_verification
+/var/www/html/occ config:app:set external sites "--value={\"1\":{\"icon\":\"external.svg\",\"lang\":\"\",\"type\":\"link\",\"device\":\"browser\",\"groups\":[],\"redirect\":true,\"id\":1,\"name\":\"Video Conference (Jitsi)\",\"url\":\"https:\/\/jitsi.$DOMAIN\"},\"2\":{\"icon\":\"external.svg\",\"lang\":\"\",\"type\":\"link\",\"device\":\"browser\",\"groups\":[],\"redirect\":true,\"id\":2,\"name\":\"Worldwide Chat (Element)\",\"url\":\"https:\/\/element.$DOMAIN\"},\"3\":{\"icon\":\"external.svg\",\"lang\":\"\",\"type\":\"link\",\"device\":\"browser\",\"groups\":[],\"redirect\":true,\"id\":3,\"name\":\"Mailing Lists (Listmonk)\",\"url\":\"https:\/\/listmonk.$DOMAIN\"},\"4\":{\"icon\":\"external.svg\",\"lang\":\"\",\"type\":\"link\",\"device\":\"browser\",\"groups\":[],\"redirect\":true,\"id\":4,\"name\":\"Databases (Baserow)\",\"url\":\"https:\/\/baserow.$DOMAIN\"},\"5\":{\"icon\":\"external.svg\",\"lang\":\"\",\"type\":\"link\",\"device\":\"browser\",\"groups\":[],\"redirect\":true,\"id\":5,\"name\":\"Passwords (Vaultwarden)\",\"url\":\"https:\/\/vaultwarden.$DOMAIN\"},\"7\":{\"icon\":\"external.svg\",\"lang\":\"\",\"type\":\"link\",\"device\":\"browser\",\"groups\":[],\"redirect\":true,\"id\":7,\"name\":\"Source code (Gitea)\",\"url\":\"https:\/\/gitea.$DOMAIN\"}}"
+/var/www/html/occ config:import configs.json
+EOF
+
+chmod +x /federated/apps/nextcloud/data/config.sh
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
+
+start_nextcloud() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "nextcloud" "nc -z 172.99.0.18 80 &> /dev/null" "35"
+
+  # Move config.sh and sidemenu config, set config.sh executable
+  mv /federated/apps/nextcloud/data/config.sh /federated/apps/nextcloud/data/configs.json /federated/apps/nextcloud/data/var/www/html/
+  docker exec nextcloud chown www-data:root /var/www/html/config.sh /var/www/html/configs.json
+  docker exec nextcloud chmod 755 /var/www/html/config.sh
+  [ $? -ne 0 ] && fail "Couldn't chown config.sh in /federated/apps/nextcloud container"
+
+  # Run config.sh - Setup LDAP, configuration for nextcloud
+  docker exec -u 33 nextcloud /var/www/html/config.sh &> /dev/null
+  [ $? -ne 0 ] && fail "Couldn't run config.sh inside /federated/apps/nextcloud container"
+
+  # Add admin user to group
+  # Have to do it this many times so it will query LDAP and populate admin user first
+  docker exec -u 33 nextcloud /var/www/html/occ ldap:search admin
+  docker exec -u 33 nextcloud /var/www/html/occ group:list
+  docker exec -u 33 nextcloud /var/www/html/occ group:adduser admin admin
+  docker exec -u 33 nextcloud /var/www/html/occ group:adduser admin admin
+  docker exec -u 33 nextcloud /var/www/html/occ group:list
+
+  # Setup admin email account
+  docker exec -u 33 nextcloud bash -c "/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password" &> /dev/null
+
+  # Add missing indexes and disable activity app
+  docker exec -u 33 nextcloud /var/www/html/occ db:add-missing-indices
+  docker exec -u 33 nextcloud /var/www/html/occ app:disable activity
+
+  # Remove configs
+  rm /federated/apps/nextcloud/data/var/www/html/config.sh /federated/apps/nextcloud/data/var/www/html/configs.json
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
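Review bot: The generated config.sh ends up disabling Nextcloud's Host-header check: `occ config:system:delete trusted_domains` followed by `occ config:system:set trusted_domains 1 --value=*` replaces the `NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.$DOMAIN` value written to .env with a wildcard that accepts any host name. This file is the unchanged pre-image of lib/nextcloud.sh (blob 02c4829) and the hunks to the live file do not touch these lines, so the live installer presumably still does this. I would set the entry to the served name instead, `/var/www/html/occ config:system:set trusted_domains 1 --value=nextcloud.$DOMAIN`, and add further entries only for host names that are actually routed to the container.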
diff --git a/lib/postgresql.sh b/lib/postgresql.sh
index 8c20ebf..37ebcb7 100644
--- a/lib/postgresql.sh
+++ b/lib/postgresql.sh
@@ -69,19 +69,7 @@ chmod 600 /federated/apps/postgresql/.env
 PSQL_SECRET=$(create_password);
 echo "$PSQL_SECRET" > /federated/apps/postgresql/.postgresql.secret
 chmod 600 /federated/apps/postgresql/.postgresql.secret
-NEXTCLOUD_SECRET=$(create_password);
-VAULTWARDEN_SECRET=$(create_password);
 
-# cat postgresql/data/docker-entrypoint-initdb.d/init.sql
-cat > /federated/apps/postgresql/data/docker-entrypoint-initdb.d/init.sql <<EOF
-CREATE USER nextcloud WITH PASSWORD '$NEXTCLOUD_SECRET';
-CREATE DATABASE nextcloud;
-GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
-CREATE USER vaultwarden WITH PASSWORD '$VAULTWARDEN_SECRET';
-CREATE DATABASE vaultwarden;
-GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
-EOF
- 
 kill -9 $SPINPID &> /dev/null
 echo -ne "done."
 }
diff --git a/lib/postgresql.sh.old b/lib/postgresql.sh.old
new file mode 100644
index 0000000..8c20ebf
--- /dev/null
+++ b/lib/postgresql.sh.old
@@ -0,0 +1,114 @@
+#!/bin/bash
+#
+# Postgresql Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_postgresql() {
+  echo -ne "\n* Configuring /federated/apps/postgresql container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/postgresql" ]; then
+    mkdir -p /federated/apps/postgresql/data/var/lib/postgresql /federated/apps/postgresql/data/docker-entrypoint-initdb.d
+    cp /federated/certs/certs/$DOMAIN.crt /federated/apps/postgresql/data/var/lib/postgresql/server.crt
+    cp /federated/certs/private/$DOMAIN.key /federated/apps/postgresql/data/var/lib/postgresql/server.key
+    chown 999 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
+    chmod 600 /federated/apps/postgresql/data/var/lib/postgresql/server.crt /federated/apps/postgresql/data/var/lib/postgresql/server.key
+  fi
+
+cat > /federated/apps/postgresql/docker-compose.yml <<EOF
+version: "3.7"
+
+services:
+  postgresql:
+    image: postgres:\${IMAGE_VERSION}
+    container_name: postgresql
+    hostname: postgresql.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.14
+    volumes:
+      - ./data/var/lib/postgresql/server.crt:/var/lib/postgresql/server.crt
+      - ./data/var/lib/postgresql/server.key:/var/lib/postgresql/server.key
+      - ./data/var/lib/postgresql/data:/var/lib/postgresql/data
+      - ./data/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
+    env_file:
+      - ./.env
+    secrets:
+      - federated_psql_password
+    command: >
+      -c ssl=on
+      -c ssl_cert_file=/var/lib/postgresql/server.crt
+      -c ssl_key_file=/var/lib/postgresql/server.key
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+secrets:
+  federated_psql_password:
+    file: ./.postgresql.secret
+networks:
+  federated:
+    external: true
+EOF
+
+cat > /federated/apps/postgresql/.env <<EOF
+IMAGE_VERSION="14"
+POSTGRES_DB=postgres
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD_FILE=/run/secrets/federated_psql_password
+POSTGRES_INITDB_ARGS=--encoding='UTF8' --lc-collate='C' --lc-ctype='C'
+EOF
+chmod 600 /federated/apps/postgresql/.env
+
+PSQL_SECRET=$(create_password);
+echo "$PSQL_SECRET" > /federated/apps/postgresql/.postgresql.secret
+chmod 600 /federated/apps/postgresql/.postgresql.secret
+NEXTCLOUD_SECRET=$(create_password);
+VAULTWARDEN_SECRET=$(create_password);
+
+# cat postgresql/data/docker-entrypoint-initdb.d/init.sql
+cat > /federated/apps/postgresql/data/docker-entrypoint-initdb.d/init.sql <<EOF
+CREATE USER nextcloud WITH PASSWORD '$NEXTCLOUD_SECRET';
+CREATE DATABASE nextcloud;
+GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
+CREATE USER vaultwarden WITH PASSWORD '$VAULTWARDEN_SECRET';
+CREATE DATABASE vaultwarden;
+GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
+EOF
+ 
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_postgresql() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "postgresql" "nc -z 172.99.0.14 5432 &> /dev/null" "18"
+
+  # Tune PostgreSQL
+#  if [[ "$BUNDLE" = "starter" ]]; then
+#    sed -i "s#shared_buffers =.*#shared_buffers = 50MB#g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+#    sed -i "s#max_connections =.*#max_connections = 400#g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+#    sed -i "s/#work_mem =.*/work_mem = 4MB/g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+#    sed -i "s/#maintenance_work_mem =.*/maintenance_work_mem = 50MB/g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+#  else
+    sed -i "s#shared_buffers =.*#shared_buffers = 800MB#g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+    sed -i "s#max_connections =.*#max_connections = 400#g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+    sed -i "s/#work_mem =.*/work_mem = 16MB/g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+    sed -i "s/#maintenance_work_mem =.*/maintenance_work_mem = 128MB/g" /federated/apps/postgresql/data/var/lib/postgresql/data/postgresql.conf
+#  fi
+
+  # Restart PostgreSQL
+  /federated/bin/stop postgresql &> /dev/null
+  /federated/bin/start postgresql &> /dev/null
+
+  # Remove init.sql
+#  rm /federated/apps/postgresql/data/docker-entrypoint-initdb.d/init.sql
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}
diff --git a/lib/traefik.sh b/lib/traefik.sh
index 0ab75e6..5a87304 100644
--- a/lib/traefik.sh
+++ b/lib/traefik.sh
@@ -93,8 +93,12 @@ chmod 600 /federated/apps/traefik/.env
 kill -9 $SPINPID &> /dev/null
 echo -ne "done."
 }
-
 start_traefik() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "traefik" "traefik-certs-dumper file --version v2 --source /federated/apps/traefik/data/letsencrypt/acme.json --dest /federated/certs &> /dev/null && ls /federated/certs/private/$DOMAIN.key /federat
+ed/certs/certs/$DOMAIN.crt &> /dev/null" "4"
+}
+start_traefik_old() {
   echo -ne "\n* Starting /federated/apps/traefik service.."
 
   spin &
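Review bot: The readiness command passed to `start_service` contains a literal line break in the middle of a path: one added line ends with `/federat` and the next begins with `ed/certs/certs/$DOMAIN.crt`, and the hunk's line counts (+93,12) indicate the break is in the file rather than a mail wrap. Depending on how start_service runs the string (not visible here), `ls` is handed the nonexistent `/federat` and the remainder is treated as a separate command, so the check would likely never succeed. Rejoin the path so the tail reads `ls /federated/certs/private/$DOMAIN.key /federated/certs/certs/$DOMAIN.crt &> /dev/null" "4"`. The previous body is kept as `start_traefik_old`, which continues outside this hunk; its `DEBUG` foreground mode and its `docker-compose ... down` on failure survive only if start_service implements them.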
diff --git a/lib/traefik.sh.old b/lib/traefik.sh.old
new file mode 100644
index 0000000..0ab75e6
--- /dev/null
+++ b/lib/traefik.sh.old
@@ -0,0 +1,132 @@
+#!/bin/bash
+#
+# Traefik Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_traefik() {
+  echo -ne "\n* Configuring /federated/apps/traefik container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/traefik" ]; then
+    mkdir -p /federated/apps/traefik/data/letsencrypt
+  fi
+
+TRAEFIK_HTTPAUTH_STRING=$(echo `htpasswd -nb admin $ADMINPASS` | sed -e s/\\$/\\$\\$/g)
+
+cat > /federated/apps/traefik/docker-compose.yml <<EOF
+version: "3.7"
+
+services:
+  traefik:
+    image: traefik:\${IMAGE_VERSION}
+    container_name: traefik
+    hostname: traefik.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.13
+    command:
+      # Tell Traefik to discover containers using the Docker API
+      - --providers.docker=true
+      # Enable the Trafik dashboard
+      - --api.dashboard=true
+      # Set up LetsEncrypt
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=pdns
+      - --certificatesresolvers.letsencrypt.acme.email=hostmaster@$DOMAIN
+      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+      - --certificatesresolvers.letsencrypt.acme.dnschallenge.DisablePropagationCheck=true
+      # --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+      # Added HTTP challenge
+      - --certificatesresolvers.httpresolver.acme.httpchallenge=true
+      - --certificatesresolvers.httpresolver.acme.httpchallenge.entrypoint=web
+      #- "--certificatesresolvers.httpresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - --certificatesresolvers.httpresolver.acme.email=hostmaster@$DOMAIN
+      - --certificatesresolvers.httpresolver.acme.storage=/letsencrypt/httpacme.json
+      - --log.level=DEBUG
+      # Set up an insecure listener that redirects all traffic to HTTPS
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      # Set up the TLS configuration for our websecure listener
+      - --entrypoints.websecure.http.tls=true
+      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
+      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAIN
+      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN
+    env_file:
+      - ./.env
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./data/letsencrypt:/letsencrypt
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.rule=Host(\`traefik.$DOMAIN\`)"
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=strip"
+      - "traefik.http.middlewares.strip.stripprefix.prefixes=/traefik"
+      - "traefik.http.routers.traefik.middlewares=traefik-auth"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=$TRAEFIK_HTTPAUTH_STRING"
+
+networks:
+  federated:
+    external: true
+EOF
+
+PDNS_APIKEY=`grep PDNS_api_key /federated/apps/pdns/.env | awk -F= '{ print $2 }'`
+
+cat > /federated/apps/traefik/.env <<EOF
+IMAGE_VERSION="v2.10.1"
+PDNS_API_KEY=$PDNS_APIKEY
+PDNS_API_URL=http://pdns.$DOMAIN:8081
+EOF
+chmod 600 /federated/apps/traefik/.env
+
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+
+start_traefik() {
+  echo -ne "\n* Starting /federated/apps/traefik service.."
+
+  spin &
+  SPINPID=$!
+
+  if [ $DEBUG ]; then
+    # Start /federated/apps/traefik with output to console for debug
+    docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up
+    [ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service /federated/apps/traefik"
+  else
+    # Start /federated/apps/traefik with output to /dev/null
+    docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik up -d &> /dev/null
+
+    # Keep trying to see that certificates are generated
+    RETRY="20"
+    while [ $RETRY -gt 0 ]; do
+      traefik-certs-dumper file --version v2 --source /federated/apps/traefik/data/letsencrypt/acme.json --dest /federated/certs &> /dev/null
+
+      # Check if certs are generated
+      ls /federated/certs/private/$DOMAIN.key /federated/certs/certs/$DOMAIN.crt &> /dev/null
+      if [ $? -eq 0 ]; then
+        kill -9 $SPINPID &> /dev/null
+        echo -ne "done."
+        break
+      else
+        if [ "$RETRY" == 1 ]; then
+          docker-compose -f /federated/apps/traefik/docker-compose.yml -p traefik down &> /dev/null
+          fail "There was a problem starting service /federated/apps/traefik\nCheck the output of 'docker logs traefik' or turn on\ndebug with -d"
+        fi
+        ((RETRY--))
+        sleep 9
+      fi
+    done
+  fi
+}
diff --git a/lib/vaultwarden.sh b/lib/vaultwarden.sh
index 1f4a967..637cdba 100644
--- a/lib/vaultwarden.sh
+++ b/lib/vaultwarden.sh
@@ -3,6 +3,7 @@
 # Vaultwarden Service
 
 PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+get_appvars
 
 config_vaultwarden() {
   echo -ne "\n* Configuring /federated/apps/vaultwarden container.."
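Review bot: `get_appvars` is added at file scope, so it runs whenever lib/vaultwarden.sh is sourced rather than when vaultwarden is configured, unlike `get_externalip`, which this patch adds inside config_collabora and config_nextcloud. If the helper is defined in a file that is sourced later, or depends on state that only exists after earlier services are configured (neither is visible here), sourcing fails or picks up incomplete values with nothing to report it. Moving the call to the top of `config_vaultwarden`, next to the `if [ ! -d "/federated/apps/vaultwarden" ]` block, would keep load-time side effects out of the library file. config_vaultwarden continues outside this hunk.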
@@ -12,6 +13,7 @@ config_vaultwarden() {
   if [ ! -d "/federated/apps/vaultwarden" ]; then
     mkdir -p /federated/apps/vaultwarden/data/data
   fi
+  VAULTWARDEN_SECRET=$(create_password)
 
 cat > /federated/apps/vaultwarden/docker-compose.yml <<EOF
 version: '3.7'
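Review bot: `VAULTWARDEN_SECRET=$(create_password)` sits after the `if [ ! -d ... ]` guard, so every run of config_vaultwarden generates a new secret, while the `CREATE USER` added in the last hunk of this file fails when the role already exists and its error is discarded. On a re-run the .env written from this variable (DATABASE_URL and ADMIN_TOKEN in the pre-image saved as lib/vaultwarden.sh.old) would then carry a password the database does not accept. Either reuse the stored value when one exists or follow the create with `ALTER USER vaultwarden WITH PASSWORD '$VAULTWARDEN_SECRET'`, sent over stdin rather than `-c`. The `NEXTCLOUD_SECRET=$(create_password)` line added to lib/nextcloud.sh has the same re-run behaviour, and config_vaultwarden starts and ends outside this hunk.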
@@ -59,6 +61,11 @@ SIGNUPS_DOMAINS_WHITELIST=$DOMAIN
 SIGNUPS_VERIFY=true
 EOF
 chmod 600 /federated/apps/vaultwarden/.env
+
+# Create database and user in postgresql
+docker exec postgresql psql -U postgres -c "CREATE DATABASE vaultwarden" &> /dev/null
+docker exec postgresql psql -U postgres -c "CREATE USER vaultwarden WITH PASSWORD '$VAULTWARDEN_SECRET'" &> /dev/null
+docker exec postgresql psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden" &> /dev/null
  
 kill -9 $SPINPID &> /dev/null
 echo -ne "done."
diff --git a/lib/vaultwarden.sh.old b/lib/vaultwarden.sh.old
new file mode 100644
index 0000000..1f4a967
--- /dev/null
+++ b/lib/vaultwarden.sh.old
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Vaultwarden Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+config_vaultwarden() {
+  echo -ne "\n* Configuring /federated/apps/vaultwarden container.."
+  spin &
+  SPINPID=$!
+
+  if [ ! -d "/federated/apps/vaultwarden" ]; then
+    mkdir -p /federated/apps/vaultwarden/data/data
+  fi
+
+cat > /federated/apps/vaultwarden/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  vaultwarden:
+    image: vaultwarden/server:\${IMAGE_VERSION}
+    container_name: vaultwarden
+    hostname: vaultwarden.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.22
+    env_file:
+      - ./.env
+    volumes:
+      - ./data/data:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.rule=Host(\`vaultwarden.$DOMAIN\`)"
+      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
+
+networks:
+  federated:
+    external: true
+EOF
+
+cat > /federated/apps/vaultwarden/.env <<EOF
+IMAGE_VERSION="1.28.1"
+DATABASE_URL=postgresql://vaultwarden:$VAULTWARDEN_SECRET@postgresql.$DOMAIN:5432/vaultwarden
+WEBSOCKET_ENABLED=true
+DOMAIN=https://vaultwarden.$DOMAIN
+ADMIN_TOKEN=$VAULTWARDEN_SECRET
+#- SIGNUPS_ALLOWED=false
+SMTP_HOST=mail.$DOMAIN
+SMTP_FROM=vaultwarden@$DOMAIN
+SMTP_PORT=587
+SMTP_SECURITY=starttls
+SMTP_USERNAME=fcore
+SMTP_PASSWORD=$ADMINPASS
+SIGNUPS_ALLOWED=false
+SIGNUPS_DOMAINS_WHITELIST=$DOMAIN
+SIGNUPS_VERIFY=true
+EOF
+chmod 600 /federated/apps/vaultwarden/.env
+ 
+kill -9 $SPINPID &> /dev/null
+echo -ne "done."
+}
+start_vaultwarden() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "vaultwarden" "nc -z 172.99.0.22 80 &> /dev/null" "8"
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done."
+}