#!/bin/bash -x
#
# NextCloud Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
config_nextcloud() {
echo -ne "* Configuring nextcloud container.."
if [ ! -d "/federated/apps/nextcloud" ]; then
mkdir -p /federated/apps/nextcloud/data/root &> /dev/null
mkdir -p /federated/apps/nextcloud/data/home &> /dev/null
mkdir -p /federated/apps/nextcloud/data/var/www/html &> /dev/null
mkdir -p /federated/apps/nextcloud/data/var/www/html/custom_apps &> /dev/null
mkdir -p /federated/apps/nextcloud/data/var/www/config &> /dev/null
mkdir -p /federated/apps/nextcloud/data/var/www/data &> /dev/null
mkdir -p /federated/apps/nextcloud/data/usr/local/etc/php/conf.d &> /dev/null
fi
get_appvars
cat > /federated/apps/nextcloud/docker-compose.yml <<EOF
services:
nextcloud:
image: nextcloud:\${IMAGE_VERSION}
container_name: nextcloud
hostname: nextcloud.$DOMAIN
restart: always
# working_dir: /var/www/html
networks:
core:
ipv4_address: 192.168.0.18
extra_hosts:
- "collabora.$DOMAIN:$EXTERNALIP"
volumes:
- ./data/root:/root
- ./data/home:/home
- ./data/var/www/html:/var/www/html
- ./data/var/www/html/custom_apps:/var/www/html/custom_apps
- ./data/var/www/config:/var/www/config
- ./data/var/www/data:/var/www/data
- ./data/usr/local/etc/php/conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
- ./data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini:/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
env_file:
- ./.env
secrets:
- federated_psql_password
- federated_nextcloud_password
labels:
- "traefik.enable=true"
- "traefik.http.routers.nextcloud.rule=Host(\`nextcloud.$DOMAIN\`)"
- "traefik.http.routers.nextcloud.entrypoints=websecure"
- "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
- "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex1,nextcloud-redirectregex2,nextcloudheader"
- "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.permanent=true"
- "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.regex=https?://([^/]*)/.well-known/(card|cal)dav"
- "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.replacement=https://\$\${1}/remote.php/dav/"
- "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
- "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
- "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://\$\${1}/index.php\$\${2}"
- "traefik.http.middlewares.nextcloudheader.headers.stsSeconds=15552000"
- "traefik.http.middlewares.nextcloudheader.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.nextcloudheader.headers.stsPreload=true"
- "traefik.http.middlewares.nextcloudheader.headers.forceSTSHeader=true"
secrets:
federated_psql_password:
file: ./.postgresql.secret
federated_nextcloud_password:
file: ./.nextcloud.secret
networks:
core:
external: true
EOF
NEXTCLOUD_SECRET=$(create_password)
echo "$NEXTCLOUD_SECRET" > /federated/apps/nextcloud/.postgresql.secret
echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret
chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret
# Create database and user in postgresql
docker exec postgresql psql -U postgres -c "CREATE DATABASE nextcloud" &> /dev/null
docker exec postgresql psql -U postgres -c "CREATE USER nextcloud WITH PASSWORD '$NEXTCLOUD_SECRET'" &> /dev/null
docker exec postgresql psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud" &> /dev/null
cat > /federated/apps/nextcloud/.env <<EOF
IMAGE_VERSION=$(current_version nextcloud)
NEXTCLOUD_UPDATE=1
PHP_MEMORY_LIMIT=2048M
PHP_UPLOAD_LIMIT=2048M
TRUSTED_PROXIES=192.168.0.0/16
NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.$DOMAIN
NEXTCLOUD_ADMIN_USER=nextcloud
NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/federated_nextcloud_password
POSTGRES_HOST=postgresql.$DOMAIN
POSTGRES_DB=nextcloud
POSTGRES_USER=nextcloud
POSTGRES_PASSWORD_FILE=/run/secrets/federated_psql_password
EOF
chmod 600 /federated/apps/nextcloud/.env
cat > /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/opcache-recommended.ini <<EOF
opcache.enable=1
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=18000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=60
EOF
cat > /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini <<EOF
extension=apcu
apc.enable_cli=1
apc.shm_size=256M
apc.ttl=3600
apc.user_ttl=7200
apc.gc_ttl=3600
apc.max_file_size=2M
EOF
#if [[ "$BUNDLE" = "starter" ]]; then
# sed -i "s/2048M/96M/g" /federated/apps/nextcloud/.env
# sed -i "s/256/64/g" /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/opcache-recommended.ini
# sed -i "s/256M/64M/g" /federated/apps/nextcloud/data/usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
#fi
cat > /federated/apps/nextcloud/data/configs.json <<EOF
{
"system": {
"mail_smtpmode": "smtp",
"mail_smtpsecure": "tls",
"mail_sendmailmode": "smtp",
"mail_from_address": "nextcloud",
"mail_domain": "$DOMAIN",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "mail.$DOMAIN",
"mail_smtpport": "587",
"mail_smtpname": "fcore",
"mail_smtppassword": "$ADMINPASS"
},
"apps": {
"core": {
"backgroundjobs_mode": "cron"
}
}
}
EOF
cat > /federated/apps/nextcloud/data/config.sh <<EOF
#!/bin/sh
PATH=/var/www/html:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/sbin:/bin
/var/www/html/occ app:enable user_ldap
/var/www/html/occ ldap:create-empty-config
/var/www/html/occ ldap:set-config s01 ldapHost 'ldaps://ldap.$DOMAIN'
/var/www/html/occ ldap:set-config s01 ldapAgentName cn=admin,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapAgentPassword $LDAP_SECRET
/var/www/html/occ ldap:set-config s01 ldapBase ou=people,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapBaseGroups ou=groups,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapBaseUsers ou=people,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
/var/www/html/occ ldap:set-config s01 ldapEmailAttribute mail
/var/www/html/occ ldap:set-config s01 ldapGidNumber gidNumber
/var/www/html/occ ldap:set-config s01 ldapGroupDisplayName cn
/var/www/html/occ ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=posixGroup)))'
/var/www/html/occ ldap:set-config s01 ldapGroupFilterMode 0
/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass inetOrgPerson
/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr uniqueMember
/var/www/html/occ ldap:set-config s01 ldapLoginFilter '(&(|(objectclass=inetOrgPerson))(uid=%uid))'
/var/www/html/occ ldap:set-config s01 ldapLoginFilterEmail 0
/var/www/html/occ ldap:set-config s01 ldapLoginFilterMode 0
/var/www/html/occ ldap:set-config s01 ldapLoginFilterUsername 1
/var/www/html/occ ldap:set-config s01 ldapLoginFilterEmail 0
/var/www/html/occ ldap:set-config s01 ldapMatchingRuleInChainState unknown
/var/www/html/occ ldap:set-config s01 ldapNestedGroups 0
/var/www/html/occ ldap:set-config s01 ldapPagingSize 500
/var/www/html/occ ldap:set-config s01 ldapPort 636
/var/www/html/occ ldap:set-config s01 ldapTLS 1
/var/www/html/occ ldap:set-config s01 ldapUserAvatarRule default
/var/www/html/occ ldap:set-config s01 ldapUserDisplayName cn
/var/www/html/occ ldap:set-config s01 ldapUserFilter '(|(objectclass=inetOrgPerson))'
/var/www/html/occ ldap:set-config s01 ldapUserFilterMode 0
/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson
/var/www/html/occ ldap:set-config s01 ldapUuidGroupAttribute auto
/var/www/html/occ ldap:set-config s01 ldapUuidUserAttribute auto
/var/www/html/occ ldap:set-config s01 turnOffCertCheck 0
/var/www/html/occ ldap:set-config s01 turnOnPasswordChange 0
/var/www/html/occ ldap:set-config s01 useMemberOfToDetectMembership 1
/var/www/html/occ ldap:set-config s01 ldapConfigurationActive 1
/var/www/html/occ ldap:set-config s01 ldap_expert_username_attr uid
/var/www/html/occ ldap:set-config s01 ldap_display_name cn
/var/www/html/occ config:system:set overwriteprotocol --value=https
/var/www/html/occ config:system:set default_phone_region --value="$COUNTRY"
/var/www/html/occ config:system:delete trusted_domains
/var/www/html/occ config:system:set trusted_domains 1 --value=*
/var/www/html/occ config:system:set auto_logout --value=false
/var/www/html/occ config:system:set allow_local_remote_servers --value=true
/var/www/html/occ group:adduser admin admin
/var/www/html/occ user:delete nextcloud
/var/www/html/occ app:enable mail
/var/www/html/occ app:enable calendar
/var/www/html/occ app:enable contacts
/var/www/html/occ app:enable notes
/var/www/html/occ app:enable deck
/var/www/html/occ app:enable tasks
/var/www/html/occ app:enable bookmarks
/var/www/html/occ app:enable forms
/var/www/html/occ app:enable spreed
/var/www/html/occ app:enable richdocuments
/var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments public_wopi_url
/var/www/html/occ config:app:set --value https:\/\/collabora.$DOMAIN richdocuments wopi_url
/var/www/html/occ config:app:set --value ooxml richdocuments doc_format
/var/www/html/occ config:app:set --value "" richdocuments disable_certificate_verification
/var/www/html/occ config:system:set maintenance_window_start --value=1 --type=integer
/var/www/html/occ config:import configs.json
EOF
chmod +x /federated/apps/nextcloud/data/config.sh
echo -ne "done.\n"
}
start_nextcloud() {
# Start service with command to make sure it's up before proceeding
start_service "nextcloud" "nc -z 192.168.0.18 80 &> /dev/null" "60"
# Move config.sh and sidemenu config, set config.sh executable
run_command "mv /federated/apps/nextcloud/data/config.sh /federated/apps/nextcloud/data/configs.json /federated/apps/nextcloud/data/var/www/html/"
run_command "docker exec nextcloud chown www-data:root /var/www/html/config.sh /var/www/html/configs.json"
run_command "docker exec nextcloud chmod 755 /var/www/html/config.sh"
# Run config.sh - Setup LDAP, configuration for nextcloud
run_command "docker exec -u 33 nextcloud /var/www/html/config.sh"
# Add admin user to group
# Have to do it this many times so it will query LDAP and populate admin user first
run_command "docker exec -u 33 nextcloud /var/www/html/occ ldap:search admin"
run_command "docker exec -u 33 nextcloud /var/www/html/occ group:list"
run_command "docker exec -u 33 nextcloud /var/www/html/occ group:adduser admin admin"
run_command "docker exec -u 33 nextcloud /var/www/html/occ group:adduser admin admin"
run_command "docker exec -u 33 nextcloud /var/www/html/occ group:list"
# Setup admin email account
# docker exec -u 33 nextcloud bash -c "/var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password" &> /dev/null || failts "ERROR - There was an error running occ mail:account:create"
run_command "docker exec -u 33 nextcloud /var/www/html/occ mail:account:create admin admin admin@$DOMAIN mail.$DOMAIN 993 ssl admin@$DOMAIN $ADMINPASS mail.$DOMAIN 465 ssl admin@$DOMAIN $ADMINPASS password"
# Add missing indexes and disable activity app
run_command "docker exec -u 33 nextcloud /var/www/html/occ db:add-missing-indices"
run_command "docker exec -u 33 nextcloud /var/www/html/occ app:disable activity"
# Make sure pdns is ready before adding the records
/federated/bin/fix pdnsmysql
run_command "docker exec pdns pdnsutil add-record $DOMAIN nextcloud A 86400 $EXTERNALIP"
# Remove configs
run_command "rm /federated/apps/nextcloud/data/var/www/html/config.sh /federated/apps/nextcloud/data/var/www/html/configs.json"
# Truncate nextcloud log file
run_command "docker exec -u 33 nextcloud truncate /var/www/html/data/nextcloud.log --size 0"
echo -ne "done.\n"
}
uninstall_nextcloud() {
echo -ne "* Uninstalling nextcloud container.."
# First stop the service
cd /federated/apps/nextcloud && docker compose -f docker-compose.yml -p nextcloud down &> /dev/null
# Delete database and user in postgresql
docker exec postgresql psql -U postgres -c "DROP DATABASE nextcloud" &> /dev/null
docker exec postgresql psql -U postgres -c "DROP USER nextcloud" &> /dev/null
# Delete the app directory
rm -rf /federated/apps/nextcloud
# Delete the image
docker image rm nextcloud:$IMAGE_VERSION &> /dev/null
# Delete the DNS record
docker exec pdns pdnsutil delete-rrset $DOMAIN nextcloud A
# Uninstall the SSO configuration if it exists in authelia (authelia must exist too)
if [[ $(grep "### Nextcloud" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]]; then
sed -i '/### Nextcloud/,/### /{/### PowerDNS/!{/### /!d}}' /federated/apps/authelia/data/config/idproviders.yml
sed -i '/### Nextcloud/d' /federated/apps/authelia/data/config/idproviders.yml
/federated/bin/stop authelia &> /dev/null
/federated/bin/start authelia &> /dev/null
fi
echo -ne "done.\n"
}
configsso_nextcloud() {
echo -ne "* Configuring nextcloud container with SSO.."
[ ! -d "/federated/apps/authelia" ] && failcheck "Authelia is not installed. You need this first before continuing."
[ ! -f "/federated/apps/authelia/data/config/idproviders.yml" ] && failcheck "Authelia idproviders.yml is missing."
get_appvars
[[ $(grep "### Nextcloud" /federated/apps/authelia/data/config/idproviders.yml 2>/dev/null) ]] && failcheck "Authelia already has a Nextcloud configuration."
NEXTCLOUD_CLIENT_SECRET=$(create_password);
NEXTCLOUD_CLIENT_SECRET_HASH=$(docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $NEXTCLOUD_CLIENT_SECRET | awk '{ print $2 }')
echo "$NEXTCLOUD_CLIENT_SECRET" > /federated/apps/nextcloud/.nextcloud.client.secret
cat >> /federated/apps/authelia/data/config/idproviders.yml <<EOF
### Nextcloud
- client_id: 'nextcloud'
client_name: 'NextCloud'
client_secret: $NEXTCLOUD_CLIENT_SECRET_HASH
consent_mode: 'implicit'
public: false
authorization_policy: 'one_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://nextcloud.$DOMAIN/apps/user_oidc/code'
scopes:
- 'openid'
- 'profile'
- 'email'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
EOF
add_authelia_config_to_dockercompose "nextcloud" "$EXTERNALIP"
# Restart Authelia for changes to take the above configuration
run_command "/federated/bin/stop authelia"
run_command "/federated/bin/start authelia"
run_command "docker exec -u 33 nextcloud /var/www/html/occ config:system:set allow_local_remote_servers --value=true"
run_command "docker exec -u 33 nextcloud /var/www/html/occ app:enable user_oidc"
run_command "docker exec -u 33 nextcloud /var/www/html/occ config:system:set --value=true --type=boolean user_oidc use_pkce"
run_command "docker exec -u 33 nextcloud /var/www/html/occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="$NEXTCLOUD_CLIENT_SECRET" --discoveryuri="https://authelia.$DOMAIN/.well-known/openid-configuration" --mapping-uid=name --endsessionendpointuri=https://authelia.$DOMAIN/logout?rd=https://dashboard.$DOMAIN"
run_command "/federated/bin/stop nextcloud"
run_command "/federated/bin/start nextcloud"
echo -ne "done.\n"
}