eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-12-22 15:36:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Initial import

Browse source
This commit is contained in:
Nextcloud Team 2021-11-30 11:20:42 +01:00 committed by Lukas Reschke
commit 2295a33590
884 changed files with 93939 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

53
Containers/apache/Caddyfile Normal file
View file

@ -0,0 +1,53 @@
{
auto_https disable_redirects
storage file_system {
root /mnt/data/caddy
}
}
{$NC_DOMAIN}:443 {
# Notify Push
route /push/* {
uri strip_prefix /push
reverse_proxy {$NEXTCLOUD_HOST}:7867
}
# Talk
route /standalone-signaling/* {
uri strip_prefix /standalone-signaling
reverse_proxy {$TALK_HOST}:8081
}
# Collabora
route /browser/* {
reverse_proxy https://{$COLLABORA_HOST}:9980 {
transport http {
tls_insecure_skip_verify
}
}
}
route /hosting/* {
reverse_proxy https://{$COLLABORA_HOST}:9980 {
transport http {
tls_insecure_skip_verify
}
}
}
route /cool/* {
reverse_proxy https://{$COLLABORA_HOST}:9980 {
transport http {
tls_insecure_skip_verify
}
}
}
# Nextcloud
route {
rewrite /.well-known/carddav /remote.php/dav
rewrite /.well-known/caldav /remote.php/dav
header Strict-Transport-Security max-age=31536000;
reverse_proxy localhost:80
}
}

68
Containers/apache/Dockerfile Normal file
View file

@ -0,0 +1,68 @@
FROM debian:bullseye
EXPOSE 80
RUN mkdir -p /mnt/data; \
chown www-data:www-data /mnt/data;
VOLUME /mnt/data
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
apache2 \
supervisor \
wget \
ca-certificates \
openssl \
netcat \
; \
rm -rf /var/lib/apt/lists/*
RUN wget "https://caddyserver.com/api/download?os=linux&arch=amd64" -O "/usr/bin/caddy" \
&& chmod +x /usr/bin/caddy \
&& /usr/bin/caddy version
RUN a2enmod rewrite \
headers \
proxy \
proxy_fcgi \
setenvif \
env \
mime \
dir \
authz_core \
alias
COPY nextcloud.conf /etc/apache2/sites-available/
RUN a2dissite 000-default && \
a2dissite default-ssl && \
a2ensite nextcloud.conf && \
rm -rf /var/www/html/* && \
service apache2 restart; \
chown www-data:www-data -R /var/log/apache2; \
chown -R www-data:www-data /var/run/apache2; \
chown -R www-data:www-data /var/www;
RUN mkdir /var/log/supervisord; \
mkdir /var/run/supervisord; \
chown www-data:www-data /var/run/supervisord; \
chown www-data:www-data /var/log/supervisord;
COPY Caddyfile /
COPY start.sh /usr/bin/
COPY supervisord.conf /
RUN chmod +x /usr/bin/start.sh; \
chmod +r /supervisord.conf; \
chmod +r /Caddyfile;
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
USER www-data
ENTRYPOINT ["start.sh"]
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

22
Containers/apache/nextcloud.conf Normal file
View file

@ -0,0 +1,22 @@
<VirtualHost *:80>
# PHP match
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://nextcloud-aio-nextcloud:9000"
</FilesMatch>
# Nextcloud dir
DocumentRoot /var/www/html/
<Directory /var/www/html/>
Options Indexes FollowSymLinks
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
Satisfy Any
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
# Deny access to .ht files
<Files ".ht*">
Require all denied
</Files>
</VirtualHost>

32
Containers/apache/start.sh Normal file
View file

@ -0,0 +1,32 @@
#!/bin/bash
if [ -z "$NC_DOMAIN" ]; then
echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
exit 1
fi
# Need write access to /mnt/data
if ! [ -w /mnt/data ]; then
echo "Cannot write to /mnt/data"
exit 1
fi
# Only start container if nextcloud is accessible
while ! nc -z "$NEXTCLOUD_HOST" 9000; do
echo "Waiting for Nextcloud to start..."
sleep 5
done
# Only start container if collabora is started
while ! nc -z "$COLLABORA_HOST" 9980; do
echo "Waiting for Collabora to start..."
sleep 5
done
# Add caddy path
mkdir -p /mnt/data/caddy/
# Fix apache sturtup
rm -f /var/run/apache2/apache2.pid
exec "$@"

23
Containers/apache/supervisord.conf Normal file
View file

@ -0,0 +1,23 @@
[supervisord]
nodaemon=true
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB
logfile_backups=10
loglevel=error
[program:apache]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=apachectl -DFOREGROUND
[program:caddy]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/usr/bin/caddy run -config /Caddyfile

22
Containers/borgbackup/Dockerfile Normal file
View file

@ -0,0 +1,22 @@
FROM debian:bullseye
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
borgbackup \
rsync \
fuse \
python3-llfuse \
; \
rm -rf /var/lib/apt/lists/*
VOLUME /root
COPY start.sh /usr/bin/
COPY backupscript.sh /
RUN chmod +x /usr/bin/start.sh; \
chmod +x /backupscript.sh
USER root
ENTRYPOINT ["start.sh"]

204
Containers/borgbackup/backupscript.sh Normal file
View file

@ -0,0 +1,204 @@
#!/bin/bash
# Variables
BORG_BACKUP_DIRECTORY="/mnt/borgbackup/borg"
# Functions
get_start_time(){
START_TIME=$(date +%s)
CURRENT_DATE=$(date --date @"$START_TIME" +"%Y%m%d_%H%M%S")
CURRENT_DATE_READABLE=$(date --date @"$START_TIME" +"%d.%m.%Y - %H:%M:%S")
}
get_expiration_time() {
END_TIME=$(date +%s)
END_DATE_READABLE=$(date --date @"$END_TIME" +"%d.%m.%Y - %H:%M:%S")
DURATION=$((END_TIME-START_TIME))
DURATION_SEC=$((DURATION % 60))
DURATION_MIN=$(((DURATION / 60) % 60))
DURATION_HOUR=$((DURATION / 3600))
DURATION_READABLE=$(printf "%02d hours %02d minutes %02d seconds" $DURATION_HOUR $DURATION_MIN $DURATION_SEC)
}
# Export defaults
export BORG_PASSPHRASE="$BORG_PASSWORD"
export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
# Test if all volumes aren't empty
VOLUME_DIRS="$(find /nextcloud_aio_volumes -mindepth 1 -maxdepth 1 -type d)"
mapfile -t VOLUME_DIRS <<< "$VOLUME_DIRS"
for directory in "${VOLUME_DIRS[@]}"; do
if ! mountpoint -q "$directory"; then
echo "$directory is not a mountpoint which is not allowed."
exit 1
fi
done
# Check if target is mountpoint
if ! mountpoint -q /mnt/borgbackup; then
echo "/mnt/borgbackup is not a mountpoint which is not allowed"
exit 1
fi
# Check if target is empty
if [ "$BORG_MODE" != backup ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
echo "The repository is empty. cannot perform check or restore."
exit 1
fi
# Break the borg lock if it exists
if [ -f "$BORG_BACKUP_DIRECTORY/lock.roster" ]; then
echo "Breaking the borg lock..."
if ! borg break-lock "$BORG_BACKUP_DIRECTORY"; then
echo "Could not break the borg lock!"
exit 1
fi
fi
# Create lockfile
if [ "$BORG_MODE" = backup ] || [ "$BORG_MODE" = restore ]; then
touch "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
fi
# Do the backup
if [ "$BORG_MODE" = backup ]; then
# Test if important files are present
if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
echo "configuration.json not present. Cannot perform the backup!"
exit 1
elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
echo "config.php is missing cannot perform backup"
exit 1
elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
echo "database-dump is missing. cannot perform backup"
exit 1
fi
# Test that nothing is empty
for directory in "${VOLUME_DIRS[@]}"; do
if [ -z "$(ls -A "$directory")" ]; then
echo "$directory is empty which is not allowed."
exit 1
fi
done
# Create backup folder
mkdir -p "$BORG_BACKUP_DIRECTORY"
# Initialize the repository if the target is empty
if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
# Don't initialize if already initialized
if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
echo "Cannot initialize a new repository as that was already done at least one time."
exit 1
fi
echo "initializing repository..."
if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
echo "Could not initialize borg repository."
rm -f "$BORG_BACKUP_DIRECTORY/config"
exit 1
fi
borg config "$BORG_BACKUP_DIRECTORY" additional_free_space 2G
# Fix too large Borg cache
# https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
BORG_ID="$(borg config "$BORG_BACKUP_DIRECTORY" id)"
rm -r "/root/.cache/borg/$BORG_ID/chunks.archive.d"
touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
# Make a backup from the borg config file
if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
echo "The borg config file wasn't created. Something is wrong."
exit 1
fi
rm -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
if ! cp "$BORG_BACKUP_DIRECTORY/config" "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"; then
echo "Could not copy config file to second place. Cannot perform backup."
exit 1
fi
echo "Repository successfully initialized."
fi
# Perform backup
echo "Performing backup..."
# Borg options
# auto,zstd compression seems to has the best ratio based on:
# https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
BORG_OPTS=(--stats --progress --compression "auto,zstd" --exclude-caches --checkpoint-interval 86400)
# Create the backup
echo "Starting the backup..."
get_start_time
if ! borg create "${BORG_OPTS[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/"; then
echo "Deleting the failed backup archive..."
borg delete --stats --progress "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio"
echo "Backup failed!"
exit 1
fi
echo "$CURRENT_DATE,$CURRENT_DATE_READABLE" >> "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
chmod +r "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
# Prune options
BORG_PRUNE_OPTS=(--stats --progress --keep-within=7d --keep-weekly=4 --keep-monthly=6 "$BORG_BACKUP_DIRECTORY")
# Prune archives
echo "Pruning the archives..."
if ! borg prune --prefix '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
echo "Failed to prune archives!"
exit 1
fi
# Inform user
get_expiration_time
echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
exit 0
fi
# Do the restore
if [ "$BORG_MODE" = restore ]; then
get_start_time
echo "Restoring the last backup..."
# Perform the restore
FIRST_ARCHIVE="$(borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | awk -F " " '{print $1}' | sort -r | head -1)"
mkdir -p /tmp/borg
if ! borg mount "$BORG_BACKUP_DIRECTORY::$FIRST_ARCHIVE" /tmp/borg; then
echo "Could not mount the backup!"
exit 1
fi
if ! rsync --stats --archive --human-readable -vv --delete --exclude "nextcloud_aio_mastercontainer/data/backup_archives.list" /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
echo "Something failed while restoring the boot partition."
umount /tmp/borg
exit 1
fi
umount /tmp/borg
# TODO: reset fetchtimes in configuration.json so that it doesn't get the latest directly...
# Inform user
get_expiration_time
echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
exit 0
fi
# Do the Backup check
if [ "$BORG_MODE" = check ]; then
get_start_time
echo "Checking the backup integity..."
# Perform the check
if ! borg check --verify-data --progress "$BORG_BACKUP_DIRECTORY"; then
echo "Some errors were found while checking the backup integrity!"
exit 1
fi
# Inform user
get_expiration_time
echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
exit 0
fi

31
Containers/borgbackup/start.sh Normal file
View file

@ -0,0 +1,31 @@
#!/bin/bash
# Validate BORG_PASSWORD
if [ -z "$BORG_PASSWORD" ]; then
echo "BORG_PASSWORD is not allowed to be empty."
exit 1
fi
export BORG_PASSWORD
# Validate BORG_MODE
if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ]; then
echo "No correct BORG_MODE mode applied. Valid are 'backup' and 'restore'."
exit 1
fi
export BORG_MODE
# Run the backup script
if ! bash /backupscript.sh; then
FAILED=1
fi
# Remove lockfile
rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
if [ -n "$FAILED" ]; then
exit 1
fi
exec "$@"

2
Containers/collabora/Dockerfile Normal file
View file

@ -0,0 +1,2 @@
# From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
FROM collabora/code:latest

15
Containers/domaincheck/Dockerfile Normal file
View file

@ -0,0 +1,15 @@
FROM alpine
RUN apk add --update --no-cache lighttpd bash
RUN adduser -S www-data -G www-data
RUN rm -rf /etc/lighttpd/lighttpd.conf
COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
RUN chmod +r -R /etc/lighttpd && \
chown www-data:www-data -R /var/www
COPY start.sh /
RUN chmod +x /start.sh
USER www-data
RUN mkdir -p /var/www/domaincheck/
ENTRYPOINT ["/start.sh"]

16
Containers/domaincheck/lighttpd.conf Normal file
View file

@ -0,0 +1,16 @@
server.document-root = "/var/www/domaincheck/"
server.port = 443
server.username = "www-data"
server.groupname = "www-data"
mimetype.assign = (
".html" => "text/html",
".txt" => "text/plain",
".jpg" => "image/jpeg",
".png" => "image/png"
)
static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
index-file.names = ( "index.html" )

16
Containers/domaincheck/start.sh Normal file
View file

@ -0,0 +1,16 @@
#!/bin/bash
if [ -z "$INSTANCE_ID" ]; then
echo "You need to provide an instance id."
exit 1
fi
echo "$INSTANCE_ID" > /var/www/domaincheck/index.html
# Check config file
lighttpd -tt -f /etc/lighttpd/lighttpd.conf
# Run server
lighttpd -D -f /etc/lighttpd/lighttpd.conf
exec "$@"

8
Containers/mastercontainer/.idea/.gitignore generated vendored Normal file
View file

@ -0,0 +1,8 @@
# Default ignored files
/shelf/
/workspace.xml
# Datasource local storage ignored files
/dataSources/
/dataSources.local.xml
# Editor-based HTTP Client requests
/httpRequests/

9
Containers/mastercontainer/.idea/mastercontainer.iml generated Normal file
View file

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
<component name="NewModuleRootManager" inherit-compiler-output="true">
<exclude-output />
<content url="file://$MODULE_DIR$" />
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
</component>
</module>

6
Containers/mastercontainer/.idea/misc.xml generated Normal file
View file

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectRootManager">
<output url="file://$PROJECT_DIR$/out" />
</component>
</project>

8
Containers/mastercontainer/.idea/modules.xml generated Normal file
View file

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/.idea/mastercontainer.iml" filepath="$PROJECT_DIR$/.idea/mastercontainer.iml" />
</modules>
</component>
</project>

6
Containers/mastercontainer/.idea/vcs.xml generated Normal file
View file

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="VcsDirectoryMappings">
<mapping directory="$PROJECT_DIR$/../.." vcs="Git" />
</component>
</project>

16
Containers/mastercontainer/Caddyfile Normal file
View file

@ -0,0 +1,16 @@
{
auto_https disable_redirects
storage file_system {
root /mnt/docker-aio-config/caddy/
}
}
https://:8443 {
reverse_proxy localhost:8000
tls {
on_demand
}
}

88
Containers/mastercontainer/Dockerfile Normal file
View file

@ -0,0 +1,88 @@
# From https://github.com/docker-library/php/blob/master/8.0/buster/apache/Dockerfile
FROM php:8.0-apache-bullseye
EXPOSE 80
# EXPOSE 8080
EXPOSE 8443
RUN mkdir -p /mnt/docker-aio-config/; \
chown www-data:www-data /mnt/docker-aio-config;
VOLUME /mnt/docker-aio-config/
RUN mkdir -p /var/www/docker-aio; \
chown -R www-data:www-data /var/www;
WORKDIR /var/www/docker-aio
RUN apt-get update; \
apt-get install -y --no-install-recommends \
git \
supervisor \
openssl \
sudo \
; \
rm -rf /var/lib/apt/lists/*
RUN curl "https://caddyserver.com/api/download?os=linux&arch=amd64" -o "/usr/bin/caddy" \
&& chmod 0755 /usr/bin/caddy \
&& /usr/bin/caddy version
RUN cd /var/www/docker-aio; \
git clone git@github.com:nextcloud/all-in-one.git .; \
chown -R www-data:www-data ./; \
chmod 770 -R ./
RUN mkdir -p /etc/apache2/certs && \
cd /etc/apache2/certs && \
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt; \
chown www-data:www-data -R /etc/apache2/certs;
COPY mastercontainer.conf /etc/apache2/sites-available/
RUN a2enmod rewrite \
headers \
env \
mime \
dir \
authz_core \
proxy \
proxy_http \
ssl
RUN rm /etc/apache2/ports.conf; \
sed -s -i -e "s/Include ports.conf//" /etc/apache2/apache2.conf; \
sed -i "/^Listen /d" /etc/apache2/apache2.conf
RUN a2dissite 000-default && \
a2dissite default-ssl && \
a2ensite mastercontainer.conf && \
service apache2 restart
RUN mkdir /var/log/supervisord; \
mkdir /var/run/supervisord; \
chown www-data:www-data /var/run/supervisord; \
chown www-data:www-data /var/log/supervisord;
RUN mkdir -p /usr/src/php/ext/apcu && curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && docker-php-ext-install apcu
COPY Caddyfile /
COPY start.sh /usr/bin/
COPY cron.sh /
COPY supervisord.conf /
RUN chmod +x /usr/bin/start.sh; \
chmod +r /supervisord.conf; \
chmod +r /Caddyfile; \
chmod +x /cron.sh
# add docker group
RUN groupadd -g 998 docker && \
usermod -aG docker www-data
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
USER www-data
ENTRYPOINT ["start.sh"]
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

7
Containers/mastercontainer/cron.sh Normal file
View file

@ -0,0 +1,7 @@
#!/bin/sh
set -eu
while true; do
php /var/www/docker-aio/php/src/Cron/cron.php
sleep 1d
done

45
Containers/mastercontainer/mastercontainer.conf Normal file
View file

@ -0,0 +1,45 @@
Listen 8000
Listen 8080
CustomLog ${APACHE_LOG_DIR}/access.log combined
ErrorLog ${APACHE_LOG_DIR}/error.log
# Deny access to .ht files
<Files ".ht*">
Require all denied
</Files>
# Http host
<VirtualHost *:8000>
# PHP match
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
# Master dir
DocumentRoot /var/www/docker-aio/php/public/
<Directory /var/www/docker-aio/php/public/>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
Options Indexes FollowSymLinks
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
Satisfy Any
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>
# Https host
<VirtualHost *:8080>
# Proxy to https
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
# SSL
SSLCertificateKeyFile /etc/apache2/certs/ssl.key
SSLCertificateFile /etc/apache2/certs/ssl.crt
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>

69
Containers/mastercontainer/start.sh Normal file
View file

@ -0,0 +1,69 @@
#!/bin/bash
# Function to show text in green
print_green() {
local TEXT="$1"
printf "%b%s%b\n" "\e[0;92m" "$TEXT" "\e[0m"
}
# Check if socket is available and readable
if ! [ -a "/var/run/docker.sock" ]; then
echo "Docker socket is not available. Cannot continue."
exit 1
elif ! test -r /var/run/docker.sock; then
echo "Docker socket is not readable by the www-data user. Cannot continue."
exit 1
fi
# Check if volume is writeable
if ! [ -w /mnt/docker-aio-config ]; then
echo "/mnt/docker-aio-config is not writeable."
exit 1
fi
# Check if api version is supported
API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
API_VERSION="$(grep -oP 'const API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP [0-9]+.[0-9]+ | head -1)"
API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
LOCAL_API_VERSION_NUMB="$(curl -s --unix-socket /var/run/docker.sock http://"$API_VERSION"/version | sed 's/,/\n/g' | grep ApiVersion | grep -oP [0-9]+.[0-9]+ | head -1 | sed 's/\.//')"
if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
echo "Docker v$API_VERSION is not supported by your docker engine. Cannot proceed."
exit 1
fi
else
echo "LOCAL_API_VERSION_NUMB or API_VERSION_NUMB are not set correctly. Cannot check if the API version is supported."
sleep 10
fi
# Adjust data permissions
mkdir -p /mnt/docker-aio-config/data/
mkdir -p /mnt/docker-aio-config/session/
# Adjust caddy permissions
mkdir -p /mnt/docker-aio-config/caddy/
# Adjust certs
GENERATED_CERTS="/mnt/docker-aio-config/certs"
TMP_CERTS="/etc/apache2/certs"
mkdir -p "$GENERATED_CERTS"
cd "$GENERATED_CERTS"
if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
fi
if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
cd "$TMP_CERTS"
rm ./ssl.crt
rm ./ssl.key
cp "$GENERATED_CERTS/ssl.crt" ./
cp "$GENERATED_CERTS/ssl.key" ./
fi
print_green "Initial startup of Nextcloud All In One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatially by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443"
exec "$@"

30
Containers/mastercontainer/supervisord.conf Normal file
View file

@ -0,0 +1,30 @@
[supervisord]
nodaemon=true
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB
logfile_backups=10
loglevel=error
[program:apache]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=apache2-foreground
[program:caddy]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/usr/bin/caddy run -config /Caddyfile
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.sh

244
Containers/nextcloud/Dockerfile Normal file
View file

@ -0,0 +1,244 @@
# From https://github.com/nextcloud/docker/blob/master/22/fpm/Dockerfile
FROM php:8.0-fpm-bullseye
# entrypoint.sh and cron.sh dependencies
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
rsync \
bzip2 \
; \
rm -rf /var/lib/apt/lists/*;
# install the PHP extensions we need
# see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
ENV PHP_MEMORY_LIMIT 512M
ENV PHP_UPLOAD_LIMIT 512M
RUN set -ex; \
\
savedAptMark="$(apt-mark showmanual)"; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
libcurl4-openssl-dev \
libevent-dev \
libfreetype6-dev \
libicu-dev \
libjpeg-dev \
libldap2-dev \
libmcrypt-dev \
libmemcached-dev \
libpng-dev \
libpq-dev \
libxml2-dev \
libmagickwand-dev \
libzip-dev \
libwebp-dev \
libgmp-dev \
; \
\
debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; \
docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp; \
docker-php-ext-configure ldap --with-libdir="lib/$debMultiarch"; \
docker-php-ext-install -j "$(nproc)" \
bcmath \
exif \
gd \
intl \
ldap \
opcache \
pcntl \
pdo_mysql \
pdo_pgsql \
zip \
gmp \
; \
\
# pecl will claim success even if one install fails, so we need to perform each install separately
pecl install APCu-5.1.20; \
pecl install memcached-3.1.5; \
pecl install redis-5.3.4; \
pecl install imagick-3.5.1; \
\
docker-php-ext-enable \
apcu \
memcached \
redis \
imagick \
; \
rm -r /tmp/pear; \
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
apt-mark auto '.*' > /dev/null; \
apt-mark manual $savedAptMark; \
ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
| awk '/=>/ { print $3 }' \
| sort -u \
| xargs -r dpkg-query -S \
| cut -d: -f1 \
| sort -u \
| xargs -rt apt-mark manual; \
\
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*
# set recommended PHP.ini settings
# see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
RUN { \
echo 'opcache.enable=1'; \
echo 'opcache.interned_strings_buffer=8'; \
echo 'opcache.max_accelerated_files=10000'; \
echo 'opcache.memory_consumption=128'; \
echo 'opcache.save_comments=1'; \
echo 'opcache.revalidate_freq=1'; \
} > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
\
echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
\
{ \
echo 'memory_limit=${PHP_MEMORY_LIMIT}'; \
echo 'upload_max_filesize=${PHP_UPLOAD_LIMIT}'; \
echo 'post_max_size=${PHP_UPLOAD_LIMIT}'; \
} > /usr/local/etc/php/conf.d/nextcloud.ini; \
\
mkdir /var/www/data; \
chown -R www-data:root /var/www; \
chmod -R g=u /var/www
VOLUME /var/www/html
ENV NEXTCLOUD_VERSION 22.2.3
RUN set -ex; \
fetchDeps=" \
gnupg \
dirmngr \
"; \
apt-get update; \
apt-get install -y --no-install-recommends $fetchDeps; \
\
curl -fsSL -o nextcloud.tar.bz2 \
"https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
curl -fsSL -o nextcloud.tar.bz2.asc \
"https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
# gpg key from https://nextcloud.com/nextcloud.asc
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A; \
gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
tar -xjf nextcloud.tar.bz2 -C /usr/src/; \
gpgconf --kill all; \
rm nextcloud.tar.bz2.asc nextcloud.tar.bz2; \
rm -rf "$GNUPGHOME" /usr/src/nextcloud/updater; \
mkdir -p /usr/src/nextcloud/data; \
mkdir -p /usr/src/nextcloud/custom_apps; \
chmod +x /usr/src/nextcloud/occ; \
\
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
rm -rf /var/lib/apt/lists/*
COPY *.sh upgrade.exclude /
COPY config/* /usr/src/nextcloud/config/
ENTRYPOINT ["/entrypoint.sh"]
CMD ["php-fpm"]
# Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm/Dockerfile
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
ffmpeg \
libmagickcore-6.q16-6-extra \
procps \
smbclient \
supervisor \
# libreoffice \
; \
rm -rf /var/lib/apt/lists/*
RUN set -ex; \
\
savedAptMark="$(apt-mark showmanual)"; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
libbz2-dev \
libc-client-dev \
libkrb5-dev \
libsmbclient-dev \
; \
\
docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
docker-php-ext-install \
bz2 \
imap \
; \
pecl install smbclient; \
docker-php-ext-enable smbclient; \
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
apt-mark auto '.*' > /dev/null; \
apt-mark manual $savedAptMark; \
ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
| awk '/=>/ { print $3 }' \
| sort -u \
| xargs -r dpkg-query -S \
| cut -d: -f1 \
| sort -u \
| xargs -rt apt-mark manual; \
\
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*
RUN mkdir -p \
/var/log/supervisord \
/var/run/supervisord \
;
COPY supervisord.conf /
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
# Custom:
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
netcat \
openssl \
gnupg \
dirmngr \
; \
rm -rf /var/lib/apt/lists/*
RUN chown www-data:root -R /usr/src && \
chown www-data:root -R /usr/local/etc/php/conf.d && \
chown www-data:root -R /var/log/supervisord/ && \
chown www-data:root -R /var/run/supervisord/ && \
mkdir -p /var/log/nextcloud/ && \
chown -R www-data:root /var/log/nextcloud/
COPY start.sh /
COPY notify.sh /
RUN chmod +x /start.sh && \
chmod +r /supervisord.conf && \
chmod +x /entrypoint.sh && \
chmod +r /upgrade.exclude && \
chmod +x /cron.sh && \
chmod +x /notify.sh
RUN mkdir /mnt/ncdata; \
chown www-data:www-data /mnt/ncdata;
VOLUME /mnt/ncdata
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
USER www-data
ENTRYPOINT ["/start.sh"]

4
Containers/nextcloud/config/apcu.config.php Normal file
View file

@ -0,0 +1,4 @@
<?php
$CONFIG = array (
'memcache.local' => '\OC\Memcache\APCu',
);

15
Containers/nextcloud/config/apps.config.php Normal file
View file

@ -0,0 +1,15 @@
<?php
$CONFIG = array (
'apps_paths' => array (
0 => array (
'path' => OC::$SERVERROOT.'/apps',
'url' => '/apps',
'writable' => false,
),
1 => array (
'path' => OC::$SERVERROOT.'/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
);

17
Containers/nextcloud/config/redis.config.php Normal file
View file

@ -0,0 +1,17 @@
<?php
if (getenv('REDIS_HOST')) {
$CONFIG = array(
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => getenv('REDIS_HOST'),
'password' => (string) getenv('REDIS_HOST_PASSWORD'),
),
);
if (getenv('REDIS_HOST_PORT') !== false) {
$CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
} elseif (getenv('REDIS_HOST')[0] != '/') {
$CONFIG['redis']['port'] = 6379;
}
}

25
Containers/nextcloud/config/reverse-proxy.config.php Normal file
View file

@ -0,0 +1,25 @@
<?php
$overwriteHost = getenv('OVERWRITEHOST');
if ($overwriteHost) {
$CONFIG['overwritehost'] = $overwriteHost;
}
$overwriteProtocol = getenv('OVERWRITEPROTOCOL');
if ($overwriteProtocol) {
$CONFIG['overwriteprotocol'] = $overwriteProtocol;
}
$overwriteWebRoot = getenv('OVERWRITEWEBROOT');
if ($overwriteWebRoot) {
$CONFIG['overwritewebroot'] = $overwriteWebRoot;
}
$overwriteCondAddr = getenv('OVERWRITECONDADDR');
if ($overwriteCondAddr) {
$CONFIG['overwritecondaddr'] = $overwriteCondAddr;
}
$trustedProxies = getenv('TRUSTED_PROXIES');
if ($trustedProxies) {
$CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
}

7
Containers/nextcloud/cron.sh Normal file
View file

@ -0,0 +1,7 @@
#!/bin/sh
set -eu
while true; do
php -f /var/www/html/cron.php &
sleep 5m
done

254
Containers/nextcloud/entrypoint.sh Normal file
View file

@ -0,0 +1,254 @@
#!/bin/sh
# version_greater A B returns whether A > B
version_greater() {
[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
}
# return true if specified directory is empty
directory_empty() {
[ -z "$(ls -A "$1/")" ]
}
echo "Configuring Redis as session handler"
cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
session.save_handler = redis
session.save_path = "tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}"
redis.session.locking_enabled = 1
redis.session.lock_retries = -1
# redis.session.lock_wait_time is specified in microseconds.
# Wait 10ms before retrying the lock rather than the default 2ms.
redis.session.lock_wait_time = 10000
REDIS_CONF
if [ -f /var/www/html/version.php ]; then
# shellcheck disable=SC2016
installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
else
installed_version="0.0.0.0"
fi
if [ -f "/usr/src/nextcloud/version.php" ]; then
# shellcheck disable=SC2016
image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
else
image_version="$installed_version"
fi
# unset admin password
if [ "$installed_version" != "0.0.0.0" ]; then
unset ADMIN_PASSWORD
fi
if version_greater "$image_version" "$installed_version"; then
# Check if it skips a major version
INSTALLED_MAJOR="${installed_version%%.*}"
IMAGE_MAJOR="${image_version%%.*}"
if [ "$installed_version" != "0.0.0.0" ] && [ "$((IMAGE_MAJOR - INSTALLED_MAJOR))" -gt 1 ]; then
set -ex
NEXT_MAJOR="$((INSTALLED_MAJOR + 1))"
curl -fsSL -o nextcloud.tar.bz2 "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2"
curl -fsSL -o nextcloud.tar.bz2.asc "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2.asc"
export GNUPGHOME="$(mktemp -d)"
# gpg key from https://nextcloud.com/nextcloud.asc
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A
gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2
mkdir -p /usr/src/tmp
tar -xjf nextcloud.tar.bz2 -C /usr/src/tmp/
gpgconf --kill all
rm nextcloud.tar.bz2.asc nextcloud.tar.bz2
rm -rf "$GNUPGHOME" /usr/src/tmp/nextcloud/updater
mkdir -p /usr/src/tmp/nextcloud/data
mkdir -p /usr/src/tmp/nextcloud/custom_apps
chmod +x /usr/src/tmp/nextcloud/occ
cp /usr/src/nextcloud/config/* /usr/src/tmp/nextcloud/config/
mv /usr/src/nextcloud /usr/src/temp-nextcloud
mv /usr/src/tmp/nextcloud /usr/src/nextcloud
rm -r /usr/src/tmp
rm -r /usr/src/temp-nextcloud
# shellcheck disable=SC2016
image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
IMAGE_MAJOR="${image_version%%.*}"
set +ex
fi
if [ "$installed_version" != "0.0.0.0" ]; then
while true; do
echo -e "Checking connection to appstore"
CURL_STATUS="$(curl -LI "https://apps.nextcloud.com/" -o /dev/null -w '%{http_code}\n' -s)"
if [[ "$CURL_STATUS" = "200" ]]
then
echo "Appstore is reachable"
break
else
echo "Curl didn't produce a 200 status, is appstore reachable?"
fi
done
php /var/www/html/occ maintenance:mode --off
echo "Getting and backing up the status of apps for later, this might take a while..."
php /var/www/html/occ app:list | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
if [ "$((IMAGE_MAJOR - INSTALLED_MAJOR))" -eq 1 ]; then
php /var/www/html/occ config:system:delete app_install_overwrite
fi
php /var/www/html/occ app:update --all
fi
echo "Initializing nextcloud $image_version ..."
rsync -rlD --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
for dir in config data custom_apps themes; do
if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
rsync -rlD --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
fi
done
rsync -rlD --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
echo "Initializing finished"
#install
if [ "$installed_version" = "0.0.0.0" ]; then
echo "New nextcloud instance"
INSTALL_OPTIONS=(-n --admin-user "$ADMIN_USER" --admin-pass "$ADMIN_PASSWORD")
if [ -n "${NEXTCLOUD_DATA_DIR}" ]; then
INSTALL_OPTIONS+=(--data-dir "$NEXTCLOUD_DATA_DIR")
fi
echo "Installing with PostgreSQL database"
INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST")
echo "starting nextcloud installation"
max_retries=10
try=0
until php /var/www/html/occ maintenance:install "${INSTALL_OPTIONS[@]}" || [ "$try" -gt "$max_retries" ]
do
echo "retrying install..."
try=$((try+1))
sleep 10s
done
if [ "$try" -gt "$max_retries" ]; then
echo "installing of nextcloud failed!"
exit 1
fi
# unset admin password
unset ADMIN_PASSWORD
# Apply log settings
echo "Applying default settings..."
mkdir -p /var/www/html/data
php /var/www/html/occ config:system:set loglevel --value=2
php /var/www/html/occ config:system:set log_type --value=file
php /var/www/html/occ config:system:set logfile --value="/var/log/nextcloud/nextcloud.log"
php /var/www/html/occ config:system:set log_rotate_size --value="10485760"
php /var/www/html/occ app:enable admin_audit
php /var/www/html/occ config:app:set admin_audit logfile --value="/var/log/nextcloud/audit.log"
php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
# Apply preview settings
echo "Applying preview settings..."
php /var/www/html/occ config:system:set preview_max_x --value="2048"
php /var/www/html/occ config:system:set preview_max_y --value="2048"
php /var/www/html/occ config:system:set jpeg_quality --value="60"
php /var/www/html/occ config:app:set preview jpeg_quality --value="60"
php /var/www/html/occ config:system:delete enabledPreviewProviders
php /var/www/html/occ config:system:set enabledPreviewProviders 1 --value="OC\\Preview\\Image"
php /var/www/html/occ config:system:set enabledPreviewProviders 2 --value="OC\\Preview\\MarkDown"
php /var/www/html/occ config:system:set enabledPreviewProviders 3 --value="OC\\Preview\\MP3"
php /var/www/html/occ config:system:set enabledPreviewProviders 4 --value="OC\\Preview\\TXT"
php /var/www/html/occ config:system:set enabledPreviewProviders 5 --value="OC\\Preview\\OpenDocument"
php /var/www/html/occ config:system:set enabledPreviewProviders 6 --value="OC\\Preview\\Movie"
php /var/www/html/occ config:system:set enable_previews --value=true --type=boolean
# Apply other settings
echo "Applying other settings..."
php /var/www/html/occ config:system:set upgrade.disable-web --type=bool --value=true
php /var/www/html/occ config:app:set updatenotification notify_groups --value="[]"
php /var/www/html/occ config:system:set mail_smtpmode --value="smtp"
php /var/www/html/occ config:system:set trashbin_retention_obligation --value="auto, 30"
php /var/www/html/occ config:system:set versions_retention_obligation --value="auto, 30"
php /var/www/html/occ config:system:set activity_expire_days --value="30"
php /var/www/html/occ config:system:set simpleSignUpLink.shown --type=bool --value=false
php /var/www/html/occ config:system:set share_folder --value="/Shared"
#upgrade
else
while [ -n "$(pgrep -f cron.php)" ]
do
echo "Waiting for Nextclouds cronjob to finish..."
sleep 5
done
echo "Upgrading nextcloud from $installed_version to $image_version..."
if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
echo "Upgrade failed. Please restore from backup."
exit 1
fi
php /var/www/html/occ app:list | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
echo "The following apps have been disabled:"
diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
rm -f /tmp/list_before /tmp/list_after
# Apply optimization
echo "Doing some optimizations..."
php /var/www/html/occ maintenance:repair
php /var/www/html/occ db:add-missing-indices
php /var/www/html/occ db:add-missing-columns
php /var/www/html/occ db:add-missing-primary-keys
yes | php /var/www/html/occ db:convert-filecache-bigint
php /var/www/html/occ maintenance:mimetype:update-js
php /var/www/html/occ maintenance:mimetype:update-db
fi
fi
# Apply one-click-instance settings
echo "Applying one-click-instance settings..."
php /var/www/html/occ config:system:set one-click-instance --value=true --type=bool
php /var/www/html/occ config:system:set one-click-instance.user-limit --value=100 --type=int
# Apply network settings
echo "Applying network settings..."
php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
php /var/www/html/occ maintenance:update:htaccess
# Notify push
if ! [ -d "/var/www/html/custom_apps/notify_push" ]; then
php /var/www/html/occ app:install notify_push
elif [ "$(php /var/www/html/occ config:app:get notify_push enabled)" = "no" ]; then
php /var/www/html/occ app:enable notify_push
else
php /var/www/html/occ app:update notify_push
fi
php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://$NC_DOMAIN/push"
# Collabora
if ! [ -d "/var/www/html/custom_apps/richdocuments" ]; then
php /var/www/html/occ app:install richdocuments
elif [ "$(php /var/www/html/occ config:app:get richdocuments enabled)" = "no" ]; then
php /var/www/html/occ app:enable richdocuments
else
php /var/www/html/occ app:update richdocuments
fi
php /var/www/html/occ config:app:set richdocuments wopi_url --value="https://$NC_DOMAIN/"
# php /var/www/html/occ richdocuments:activate-config
# Talk
if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
php /var/www/html/occ app:install spreed
elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" = "no" ]; then
php /var/www/html/occ app:enable spreed
else
php /var/www/html/occ app:update spreed
fi
STUN_SERVERS="[\"$NC_DOMAIN:3478\"]"
TURN_SERVERS="[{\"server\":\"$NC_DOMAIN:3478\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]"
SIGNALING_SERVERS="{\"servers\":[{\"server\":\"https://$NC_DOMAIN/standalone-signaling/\",\"verify\":true}],\"secret\":\"$SIGNALING_SECRET\"}"
php /var/www/html/occ config:app:set spreed stun_servers --value="$STUN_SERVERS" --output json
php /var/www/html/occ config:app:set spreed turn_servers --value="$TURN_SERVERS" --output json
php /var/www/html/occ config:app:set spreed signaling_servers --value="$SIGNALING_SERVERS" --output json

29
Containers/nextcloud/notify.sh Normal file
View file

@ -0,0 +1,29 @@
#!/bin/bash
SUBJECT="$1"
MESSAGE="$2"
if [ "$(php /var/www/html/occ config:app:get notificaations enabled)" = "no" ]; then
echo "Cannot send notification as notification app is not enabled."
exit 1
fi
echo "Posting notifications to users that are admins..."
NC_USERS=$(php /var/www/html/occ user:list | sed 's|^ - ||g' | sed 's|:.*||')
mapfile -t NC_USERS <<< "$NC_USERS"
for user in "${NC_USERS[@]}"
do
if php /var/www/html/occ user:info "$user" | cut -d "-" -f2 | grep -x -q " admin"
then
NC_ADMIN_USER+=("$user")
fi
done
for admin in "${NC_ADMIN_USER[@]}"
do
echo "Posting '$SUBJECT' to: $admin"
php /var/www/html/occ notification:generate "$admin" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE"
done
echo "Done!"
exit 0

14
Containers/nextcloud/start.sh Normal file
View file

@ -0,0 +1,14 @@
#!/bin/bash
# Only start container if database is accessible
while ! nc -z "$POSTGRES_HOST" 5432; do
echo "Waiting for database to start..."
sleep 5
done
# Run original entrypoint
if ! bash /entrypoint.sh; then
exit 1
fi
exec "$@"

30
Containers/nextcloud/supervisord.conf Normal file
View file

@ -0,0 +1,30 @@
# From https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm/supervisord.conf
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:php-fpm]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=php-fpm
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.sh
[program:notify-push]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s

5
Containers/nextcloud/upgrade.exclude Normal file
View file

@ -0,0 +1,5 @@
/config/
/data/
/custom_apps/
/themes/
/version.php

24
Containers/postgresql/Dockerfile Normal file
View file

@ -0,0 +1,24 @@
# From https://github.com/docker-library/postgres/blob/master/13/buster/Dockerfile
FROM postgres:13-buster
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
openssl \
; \
rm -rf /var/lib/apt/lists/*
COPY start.sh /usr/bin/
RUN chmod +x /usr/bin/start.sh
RUN mkdir /mnt/data; \
chown postgres:postgres /mnt/data;
VOLUME /mnt/data
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
USER postgres
ENTRYPOINT ["start.sh"]

87
Containers/postgresql/start.sh Normal file
View file

@ -0,0 +1,87 @@
#!/bin/bash
# Variables
DATADIR="/var/lib/postgresql/data"
DUMP_DIR="/mnt/data"
DUMP_FILE="$DUMP_DIR/database-dump.sql"
export PGPASSWORD="$POSTGRES_PASSWORD"
# Don't start database as long as backup is running
while [ -f "$DUMP_DIR/backup-is-running" ]; do
echo "Waiting for backup container to finish..."
sleep 10
done
# Check if dump dir is writeable
if ! [ -w "$DUMP_DIR" ]; then
echo "DUMP dir is not writeable by postgres user."
exit 1
fi
# Test if some things match
if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSION")" ] ) \
|| ( ! [ -f "$DATADIR/PG_VERSION" ] && [ -f "$DUMP_FILE" ] ); then
# The DUMP_file must be provided
if ! [ -f "$DUMP_FILE" ]; then
echo "Unable to restore the database because the database dump is missing."
exit 1
fi
# Inform
echo "Restoring from database dump."
# Exit if any command fails
set -e
# Remove old database files
rm -rf "$DATADIR/"*
# Change database port to a random port temporarily
export PGPORT=11000
# Create new database
exec docker-entrypoint.sh postgres &
# Wait 2s for creation
sleep 2s
# Restore database
echo "Restoring the database from database dump"
psql "$POSTGRES_DB" -U "$POSTGRES_USER" < "$DUMP_FILE"
# Shut down the database to be able to start it again
pg_ctl stop -m fast
# Change database port back to default
export PGPORT=5432
# Don't exit if command fails anymore
set +e
fi
# Cover the last case
if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
# Remove old database files if somehow there should be some
rm -rf "$DATADIR/"*
fi
# Catch docker stop attempts
trap 'true' SIGINT SIGTERM
# Start the database
exec docker-entrypoint.sh postgres &
wait $!
# Continue with shutdown procedure: do database dump, etc.
rm -f "$DUMP_FILE.temp"
if pg_dump --username "$POSTGRES_USER" "$POSTGRES_DB" > "$DUMP_FILE.temp"; then
rm -f "$DUMP_FILE"
mv "$DUMP_FILE.temp" "$DUMP_FILE"
pg_ctl stop -m fast
echo 'Database dump successful!'
exit 0
else
pg_ctl stop -m fast
echo "Database dump unsucessful!"
exit 1
fi

19
Containers/redis/Dockerfile Normal file
View file

@ -0,0 +1,19 @@
# From https://github.com/docker-library/redis/blob/master/6.2/Dockerfile
FROM redis:6.2-buster
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
openssl \
; \
rm -rf /var/lib/apt/lists/*
COPY start.sh /usr/bin/
RUN chmod +x /usr/bin/start.sh
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
USER redis
ENTRYPOINT ["start.sh"]

10
Containers/redis/start.sh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
# Run redis with a password if provided
if [ -n "$REDIS_HOST_PASSWORD" ]; then
exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
else
exec redis-server
fi
exec "$@"

64
Containers/talk/Dockerfile Normal file
View file

@ -0,0 +1,64 @@
FROM ubuntu:focal
EXPOSE 3478
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
openssl \
coturn \
supervisor \
curl \
ca-certificates \
; \
rm -rf /var/lib/apt/lists/*
RUN set -ex; \
curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nats-server.asc" "https://packaging.gitlab.io/nats-server/gpg.key"; \
echo "deb https://packaging.gitlab.io/nats-server nats main" > /etc/apt/sources.list.d/morph027-nats-server.list; \
. /etc/lsb-release; \
curl -sL -o "/etc/apt/trusted.gpg.d/morph027-janus.asc" "https://packaging.gitlab.io/janus/gpg.key"; \
echo "deb https://packaging.gitlab.io/janus/$DISTRIB_CODENAME $DISTRIB_CODENAME main" > /etc/apt/sources.list.d/morph027-janus.list; \
curl -sL -o "/etc/apt/trusted.gpg.d/morph027-nextcloud-spreed-signaling.asc" "https://packaging.gitlab.io/nextcloud-spreed-signaling/gpg.key"; \
echo "deb https://packaging.gitlab.io/nextcloud-spreed-signaling signaling main" > /etc/apt/sources.list.d/morph027-nextcloud-spreed-signaling.list
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
nats-server \
janus \
nextcloud-spreed-signaling \
; \
rm -rf /var/lib/apt/lists/*
RUN adduser --system --group talk
RUN mkdir /var/log/supervisord; \
mkdir /var/run/supervisord; \
chown talk:talk /var/run/supervisord; \
chown talk:talk /var/log/supervisord;
COPY start.sh /usr/bin/
COPY supervisord.conf /
RUN chmod +x /usr/bin/start.sh; \
chmod +r /supervisord.conf; \
touch /etc/turnserver.conf; \
chown talk:talk /etc/turnserver.conf; \
sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn; \
mkdir -p /var/tmp;
RUN mkdir -p /etc/nats; \
echo "listen: 127.0.0.1:4222" > /etc/nats/nats.conf; \
chown talk:talk -R /etc/nats; \
chown talk:talk -R /etc/janus; \
chown talk:talk -R /etc/signaling; \
chown talk:talk -R /usr/share/janus
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
USER talk
ENTRYPOINT ["start.sh"]
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

67
Containers/talk/start.sh Normal file
View file

@ -0,0 +1,67 @@
#!/bin/bash
# Variables
if [ -z "$NC_DOMAIN" ]; then
echo "You need to provide the NC_DOMAIN."
exit 1
elif [ -z "$TURN_SECRET" ]; then
echo "You need to provide the TURN_SECRET."
exit 1
elif [ -z "$JANUS_API_KEY" ]; then
echo "You need to provide the JANUS_API_KEY."
exit 1
elif [ -z "$SIGNALING_SECRET" ]; then
echo "You need to provide the JANUS_API_KEY."
exit 1
fi
# Turn
cat << TURN_CONF > "/etc/turnserver.conf"
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=$TURN_SECRET
realm=$NC_DOMAIN
total-quota=100
bps-capacity=0
stale-nonce
no-multicast-peers
simple-log
pidfile=/var/tmp/turnserver.pid
TURN_CONF
# Janus
sed -i "s|#turn_rest_api_key.*|turn_rest_api_key = $JANUS_API_KEY|" /etc/janus/janus.jcfg
sed -i "s|#full_trickle|full_trickle|g" /etc/janus/janus.jcfg
sed -i 's|#interface.*|interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg
sed -i 's|#ws_interface.*|ws_interface = "lo"|g' /etc/janus/janus.transport.websockets.jcfg
# Signling
cat << SIGNALING_CONF > "/etc/signaling/server.conf"
[http]
listen = 0.0.0.0:8081
[app]
debug = false
[sessions]
hashkey = $(openssl rand -hex 16)
blockkey = $(openssl rand -hex 16)
[clients]
internalsecret = $(openssl rand -hex 16)
[backend]
allowed = ${NC_DOMAIN}
allowall = false
secret = ${SIGNALING_SECRET}
timeout = 10
connectionsperhost = 8
[nats]
url = nats://127.0.0.1:4222
[mcu]
type = janus
url = ws://127.0.0.1:8188
[turn]
apikey = ${JANUS_API_KEY}
secret = ${TURN_SECRET}
servers = turn:$NC_DOMAIN:3478?transport=tcp,turn:$NC_DOMAIN:3478?transport=udp
SIGNALING_CONF
exec "$@"

37
Containers/talk/supervisord.conf Normal file
View file

@ -0,0 +1,37 @@
[supervisord]
nodaemon=true
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB
logfile_backups=10
loglevel=error
[program:turnserver]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=turnserver
[program:nats-server]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=nats-server -c /etc/nats/nats.conf
[program:janus]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=janus
[program:signaling]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=signaling -config /etc/signaling/server.conf

28
Containers/watchtower/Dockerfile Normal file
View file

@ -0,0 +1,28 @@
# From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
FROM containrrr/watchtower:latest as watchtower
FROM debian:bullseye
RUN set -ex; \
\
apt-get update; \
apt-get install -y --no-install-recommends \
ca-certificates \
openssl \
; \
rm -rf /var/lib/apt/lists/*
COPY --from=watchtower /watchtower /
COPY start.sh /
RUN chmod +x /start.sh
# Give root a random password
RUN echo "root:$(openssl rand -base64 12)" | chpasswd
# add docker group
RUN groupadd -g 998 docker && \
usermod -aG docker nobody
USER nobody
ENTRYPOINT ["/start.sh"]

19
Containers/watchtower/start.sh Normal file
View file

@ -0,0 +1,19 @@
#!/bin/bash
# Check if socket is available and readable
if ! [ -a "/var/run/docker.sock" ]; then
echo "Docker socket is not available. Cannot continue."
exit 1
elif ! [ -r "/var/run/docker.sock" ]; then
echo "Docker socket is not readable by the nobody user. Cannot continue."
exit 1
fi
if [ -n "$CONTAINER_TO_UPDATE" ]; then
exec /watchtower --cleanup --run-once "$CONTAINER_TO_UPDATE"
else
echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
fi
exec "$@"