...
| Code Block |
|---|
mkdir -p /docker/nextcloud/var/www/html
mkdir -p /docker/mariadb/var/lib/mysql
mkdir -p /docker/etc/nginx/sites-enabled/
mkdir -p /docker/etc/ssl/private/
mkdir -p /docker/etc/ssl/certs/
vi nextcloud.yml
vi ./nextcloud_update.sh
chmod +x ./nextcloud_update.sh
./nextcloud_update.sh |
nginx configuration
Update script
./nextcloud_update.sh
| Code Block | ||||
|---|---|---|---|---|
| ||||
#!/bin/bash
docker compose -f nextcloud.yml ps
docker compose -f nextcloud.yml down ;
docker compose -f nextcloud.yml up -d --build --force-recreate;
docker compose -f nextcloud.yml ps
docker compose -f nextcloud.yml logs --follow |
docker compose file
nextcloud.yml
| Code Block |
|---|
vi /docker/etc/nginx/nginx.conf |
| Code Block | ||||
|---|---|---|---|---|
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 2048M;
server_names_hash_bucket_size 64;
| ||||
| Code Block | ||||
| ||||
services: db: image: mariadb:10.11.7 container_name: cloud-db restart: always command: --transaction-isolation=READ-COMMITTED --log-bin=mysqld-bin --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed volumes: - include /dockeretc/mariadb/var/lib/mysql:/var/lib/mysql:rwnginx/mime.types; default_type application/octet-stream; ssl_protocols TLSv1.3 ; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; - access_log /etcvar/localtime:log/nginx/access.log; error_log /var/log/nginx/error.log; gzip on; gzip_disable "msie6"; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } |
| Code Block |
|---|
vi /docker/etc/nginx/sites-enabled/nextcloud.conf |
| Code Block |
|---|
server {
listen 80;
server_name cloud.example.com;
return 301 https://$server_name$request_uri;
location / {
}
}
server {
#listen 443 quic;
listen 443 ssl;
http2 on;
server_name cloud.example.com;
ssl_certificate /docker/etc/ssl/private/key-and-certificates.pem;
ssl_certificate_key /docker/etc/ssl/private/key-and-certificates.pem;
client_max_body_size 16G;
client_body_timeout 600s;
add_header Strict-Transport-Security 'max-age=15552000; includeSubDomains';
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1h;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate "/docker/etc/ssl/certs/my-certificate-authotities.ca";
resolver 1.1.1.1 8.8.4.4 valid=300s;
resolver_timeout 5s;
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
#add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';
add_header X-protocol $server_protocol always;
include /etc/nginx/mime.types;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://192.168.0.1:8880;
}
}
|
| Code Block |
|---|
vi /docker/etc/nginx/mime.types |
| Code Block |
|---|
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/x-javascript mjs;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
|
| Code Block |
|---|
vi /docker/etc/ssl/private/key-and-certificates.pem |
your key and certs
| Code Block |
|---|
vi /docker/etc/ssl/certs/my-certificate-authotities.ca |
your ca certs
Update script
./nextcloud_update.sh
| Code Block | ||||
|---|---|---|---|---|
| ||||
#!/bin/bash
docker compose -f nextcloud.yml ps
docker compose -f nextcloud.yml down ;
docker compose -f nextcloud.yml up -d --build --force-recreate;
docker compose -f nextcloud.yml ps
docker compose -f nextcloud.yml logs --follow |
docker compose file
nextcloud.yml
| Code Block | ||||
|---|---|---|---|---|
| ||||
services: web: image: nginx container_name: cloud-web restart: always ports:etc/localtime:ro - /etc/timezone:/etc/timezone:ro - type: tmpfs target: /tmp environment: - MYSQL_ROOT_PASSWORD=db_admin_pass - MYSQL_PASSWORD=db_user_pass - MYSQL_DATABASE=nextcloud - MYSQL_USER=nextcloud80:80 - MARIADB_AUTO_UPGRADE=yes443:443/tcp - REDIS_HOST=redis443:443/udp - REDIS_PORT=6379 8080:8080 redisvolumes: image: redis:alpine - /docker/etc/nginx:/etc/nginx container_name: cloud-cache- /docker/etc/ssl:/etc/ssl:ro restart: always app:- /etc/localtime:/etc/localtime:ro image: nextcloud:29.0.1 container_name: cloud-server - /etc/timezone:/etc/timezone:ro db: hostnameimage: cloudmariadb:10.example11.com7 restartcontainer_name: alwayscloud-db portsrestart: - 8880:80 always linkscommand: - db - redis --transaction-isolation=READ-COMMITTED --log-bin=mysqld-bin --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed volumes: - /docker/nextcloudmariadb/var/wwwlib/htmlmysql:/var/wwwlib/htmlmysql:rw - /etc/localtime:/etc/localtime:ro - /etc/timezone:/etc/timezone:ro/timezone:ro - type: tmpfs target: /tmp environment: - MYSQL_ROOT_PASSWORD=db_admin_pass - MYSQL_PASSWORD=db_user_pass - type: tmpfs MYSQL_DATABASE=nextcloud - MYSQL_USER=nextcloud target: /tmp:exec devices: - /dev/dri:/dev/dri environment:- MARIADB_AUTO_UPGRADE=yes - REDIS_HOST=redis - MYSQLREDIS_PASSWORD=db_user_passPORT=6379 redis: - MYSQL_DATABASE=nextcloud image: redis:alpine container_name: - MYSQL_USER=nextcloudcloud-cache restart: always - MYSQL_HOST=db app: - OVERWRITEHOST=cloud.example.comimage: nextcloud:29.0.1 container_name: - OVERWRITEPROTOCOL=httpscloud-server hostname: cloud.example.com - NEXTCLOUD_ADMIN_USER=nc_admin_user restart: always - NEXTCLOUD_ADMIN_PASSWORD=nc_admin_pass ports: - NEXTCLOUD_UPLOAD_LIMIT=20G 8880:80 links: - PHP_UPLOAD_LIMIT=32Gdb - PHP_MEMORY_LIMIT=32G redis volumes: - APACHE_BODY_LIMIT=0 |
nginx configuration
| Code Block |
|---|
server { /docker/nextcloud/var/www/html:/var/www/html:rw listen- /etc/localtime:/etc/localtime:ro 80;- /etc/timezone:/etc/timezone:ro - server_name cloud.example.com;type: tmpfs return 301 https://$server_name$request_uri;target: /tmp:exec devices: location / { - /dev/dri:/dev/dri environment: } } server {- MYSQL_PASSWORD=db_user_pass - MYSQL_DATABASE=nextcloud listen 443 ssl; - MYSQL_USER=nextcloud http2 on;- MYSQL_HOST=db server_name - OVERWRITEHOST=cloud.example.com; add_header Strict-Transport-Security 'max-age=15552000; includeSubDomains'; ssl_certificate /etc/ssl/private/cloud-example-com.pem; OVERWRITEPROTOCOL=https ssl_certificate_key /etc/ssl/private/cloud-example-com.pem;- NEXTCLOUD_ADMIN_USER=nc_admin_user ssl_trusted_certificate "/etc/ssl/certs/cloud-example-com.ca"; - NEXTCLOUD_ADMIN_PASSWORD=nc_admin_pass - clientNEXTCLOUD_max_body_size 36G;UPLOAD_LIMIT=20G - clientPHP_body_timeout 800s;UPLOAD_LIMIT=32G - ssl_protocols TLSv1.3 TLSv1.2; PHP_MEMORY_LIMIT=32G - APACHE_BODY_LIMIT=0 |
example of running
| Code Block |
|---|
root@server:~# docker ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; ps -a CONTAINER ID IMAGE COMMAND ssl_session_cache shared:SSL:20m; CREATED ssl_session_timeout 1h; STATUS ssl_prefer_server_ciphers on; PORTS ssl_stapling on; ssl_stapling_verify on; resolver 1.1.1.1 8.8.4.4 valid=300s; resolver_timeout 5s; location ^~ /.well-known { location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; } NAMES d02e9b147afa nextcloud:29.0.1 "/entrypoint.sh apac…" 8 minutes ago Up 8 minutes 0.0.0.0:8880->80/tcp, :::8880->80/tcp location /.well-known/pki-validation { try_files $uri $uri/ =404; } return 301 /index.php$request_uri; cloud-server c917babfd03f redis:alpine } "docker-entrypoint.s…" 8 location = /robots.txt { minutes ago Up 8 minutes 6379/tcp allow all; log_not_found off; access_log off; } location / { add_header X-protocol $server_protocol always; include cloud-cache fdd3842ad78b /etc/nginx/mime.types; mariadb:10.11.7 "docker-entrypoint.s…" 8 minutes ago proxy_set_header X-Forwarded-Host Up 8 minutes $host; 3306/tcp proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; cloud-db 4c54e98fcbad nginx proxy_pass http://10.0.0.2:8880; } "/docker-entrypoint.…" 8 minutes ago location /s/blank.mp4 { return 501 'NO FILE'; } }Up 8 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp cloud-web |
add plugins
- https://apps.nextcloud.com/apps/memories
- https://apps.nextcloud.com/apps/recognize or https://apps.nextcloud.com/apps/facerecognition
- https://apps.nextcloud.com/apps/previewgenerator
- https://apps.nextcloud.com/apps/workflow_media_converter
...