From 15ad146d9c70558700dc24129c8ff6efdb3f0b14 Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 16 Oct 2025 22:42:27 -0400 Subject: [PATCH 1/7] docs: Revise "how to use this" section of README Reorganized and updated instructions for clarity and approachability. Signed-off-by: Josh --- readme.md | 129 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 81 insertions(+), 48 deletions(-) diff --git a/readme.md b/readme.md index 11df8a73..0c412866 100644 --- a/readme.md +++ b/readme.md 
@@ -86,66 +86,99 @@ Included are: | ![image](https://github.com/user-attachments/assets/6ef5d7b5-86f2-402c-bc6c-b633af2ca7dd) | ![image](https://github.com/user-attachments/assets/939d0fdf-436f-433d-82d3-27548263a040) | ## How to use this? ->[!WARNING] -> You should first make sure that you are not using docker installed via snap. You can check this by running `sudo docker info | grep "Docker Root Dir" | grep "/var/snap/docker/"`. If the output should contain the mentioned string `/var/snap/docker/`, you should first uninstall docker snap via `sudo snap remove docker` and then follow the instructions below. ⚠️ Attention: only run the command if this is a clean new docker installation and you are not running any service already using this. -> [!NOTE] -> The following instructions are meant for installations without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already being in place. If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), see the [reverse proxy documentation](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md). Also, the instructions below are especially meant for Linux. For macOS see [this](#how-to-run-aio-on-macos), for Windows see [this](#how-to-run-aio-on-windows) and for Synology see [this](#how-to-run-aio-on-synology-dsm). +The steps below are written for Linux. For platform-specific guidance see: +- macOS: [How to run AIO on macOS](#how-to-run-aio-on-macos) +- Windows: [How to run AIO on Windows](#how-to-run-aio-on-windows) +- Synology DSM: [How to run AIO on Synology DSM](#how-to-run-aio-on-synology-dsm) -1. Install Docker on your Linux installation by following the official documentation: https://docs.docker.com/engine/install/#supported-platforms. ->[!WARNING] -> You could use the convenience script below to install docker. However we recommend to not blindly download and execute scripts as sudo. 
But if you feel like it, you can of course use it. See below: +> [!IMPORTANT] +> These instructions assume there is no existing web server or reverse proxy (for example Apache, Nginx, Caddy, or Cloudflare Tunnel) that you intend to place in front of AIO. If you plan to run AIO behind an existing web server or reverse proxy, follow the AIO reverse proxy documentation: [Reverse proxy docs](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) -
- Using the convenience script +You're encouraged to skim the attached [FAQ](#faq). While we've tried to make things straightforward, Nextcloud is a large and flexible platform. Reading the FAQ will save you time, particularly if edge cases come up. + +> [!TIP] +> Don't worry about getting everything perfect on the first try — test deployments are cheap and disposable. + +1. Install Docker on your Linux host by following the official documentation: [Docker install — supported platforms](https://docs.docker.com/engine/install/#supported-platforms) + +> [!WARNING] +> Snap-based Docker installations are not supported. Make sure you are not using a snap-based Docker installation (generally only applicable to Ubuntu). To check, run: +> ```sh +> sudo docker info | grep "Docker Root Dir" | grep "/var/snap/docker/" +> ``` +> If you see the following output: +> ``` +> /var/snap/docker/ +> ``` +> you should migrate to a standard Docker installation and remove the snap-based package before proceeding: [Install Docker on Ubuntu](https://docs.docker.com/engine/install/ubuntu/). +> +> ⚠️ To avoid losing data or interrupting services, only remove the Docker snap after you are certain you're not running any existing containers in it. +> +> Consult the official Docker documentation or other guides for instructions on migrating existing containers. Once you are certain it's safe, remove the snap-based Docker installation with: +> ```sh +> sudo snap remove docker +> ``` + +2. If you need IPv6 support, enable it by following: [Docker IPv6 support for AIO](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md) + +3. AIO uses a special `mastercontainer` to orchestrate the various pieces of the Nextcloud stack. 
To start AIO, launch the `mastercontainer` with the command below: ```sh -curl -fsSL https://get.docker.com | sudo sh +# For Linux and without a web server or reverse proxy already in place: +sudo docker run \ + --init \ + --sig-proxy=false \ + --name nextcloud-aio-mastercontainer \ + --restart always \ + --publish 80:80 \ + --publish 8080:8080 \ + --publish 8443:8443 \ + --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \ + --volume /var/run/docker.sock:/var/run/docker.sock:ro \ + ghcr.io/nextcloud-releases/all-in-one:latest ``` +
+ Explanation of the command + + - `sudo docker run` — starts a new Docker container. Omit `sudo` if your user is in the `docker` group. + - `--init` — runs an init process inside the container to handle zombie processes. + - `--sig-proxy=false` — prevents Ctrl+C in the attached terminal from stopping the container. + - `--name nextcloud-aio-mastercontainer` — the container name. Do not change this name; mastercontainer updates rely on it. + - `--restart always` — ensures the container restarts automatically with the Docker daemon. + - `--publish 80:80` — publishes container port 80 on host port 80 (used for ACME http-challenge when obtaining certificates). Not required if you run AIO behind a reverse proxy. + - `--publish 8080:8080` — publishes the AIO interface (self-signed certificate) on host port 8080. You may map a different host port if 8080 is in use (e.g. `--publish 8081:8080`). + - `--publish 8443:8443` — publishes the AIO interface with a valid certificate on host port 8443 (requires ports 80 and 8443 to be reachable and a domain pointing to your server). Not required if you run AIO behind a reverse proxy. + - `--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config` — stores mastercontainer configuration in the named Docker volume. Do not change this volume name; built-in backups depend on it. + - `--volume /var/run/docker.sock:/var/run/docker.sock:ro` — mounts the Docker socket (read-only) so the mastercontainer can manage other containers. On Windows/macOS or when using rootless Docker, this path may need adjustment; see the platform-specific docs. If you change the socket path, also set `WATCHTOWER_DOCKER_SOCKET_PATH` accordingly. If you prefer not to expose the socket, see the manual-install documentation: [Manual install without docker socket access](https://github.com/nextcloud/all-in-one/tree/main/manual-install) + - `ghcr.io/nextcloud-releases/all-in-one:latest` — the mastercontainer image. 
+ + Additional options can be set with environment variables (for example `--env NEXTCLOUD_DATADIR="/mnt/ncdata"` to change Nextcloud's datadir on first startup). See the Customization section and example compose file: [compose.yaml](https://github.com/nextcloud/all-in-one/blob/main/compose.yaml) for more options.
-2. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md. -3. Run the command below in order to start the container on Linux and without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already in place: - ``` - # For Linux and without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already in place: - sudo docker run \ - --init \ - --sig-proxy=false \ - --name nextcloud-aio-mastercontainer \ - --restart always \ - --publish 80:80 \ - --publish 8080:8080 \ - --publish 8443:8443 \ - --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \ - --volume /var/run/docker.sock:/var/run/docker.sock:ro \ - ghcr.io/nextcloud-releases/all-in-one:latest - ``` -
- Explanation of the command +> [!TIP] +> If you want Nextcloud’s data directory in a different location than the default Docker volume, see "How to change the default location of Nextcloud's Datadir" in this README: [How to change the default location of Nextcloud's Datadir](#how-to-change-the-default-location-of-nextclouds-datadir) - - `sudo docker run` This command spins up a new docker container. Docker commands can optionally be used without `sudo` if the user is added to the docker group (this is not the same as docker rootless, see FAQ below). - - `--init` This option makes sure that no zombie-processes are created, ever. See [the Docker documentation](https://docs.docker.com/reference/cli/docker/container/run/#init). - - `--sig-proxy=false` This option allows to exit the container shell that gets attached automatically when using `docker run` by using `[CTRL] + [C]` without shutting down the container. - - `--name nextcloud-aio-mastercontainer` This is the name of the container. This line is not allowed to be changed, since mastercontainer updates would fail. - - `--restart always` This is the "restart policy". `always` means that the container should always get started with the Docker daemon. See the Docker documentation for further detail about restart policies: https://docs.docker.com/config/containers/start-containers-automatically/ - - `--publish 80:80` This means that port 80 of the container should get published on the host using port 80. It is used for getting valid certificates for the AIO interface if you want to use port 8443. It is not needed if you run AIO behind a web server or reverse proxy and can get removed in that case as you can simply use port 8080 for the AIO interface then. - - `--publish 8080:8080` This means that port 8080 of the container should get published on the host using port 8080. This port is used for the AIO interface and uses a self-signed certificate by default. 
You can also use a different host port if port 8080 is already used on your host, for example `--publish 8081:8080` (only the first port can be changed for the host, the second port is for the container and must remain at 8080). - - `--publish 8443:8443` This means that port 8443 of the container should get published on the host using port 8443. If you publish port 80 and 8443 to the public internet, you can access the AIO interface via this port with a valid certificate. It is not needed if you run AIO behind a web server or reverse proxy and can get removed in that case as you can simply use port 8080 for the AIO interface then. - - `--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config` This means that the files that are created by the mastercontainer will be stored in a docker volume that is called `nextcloud_aio_mastercontainer`. This line is not allowed to be changed, since built-in backups would fail later on. - - `--volume /var/run/docker.sock:/var/run/docker.sock:ro` The docker socket is mounted into the container which is used for spinning up all the other containers and for further features. It needs to be adjusted on Windows/macOS and on docker rootless. See the applicable documentation on this. If adjusting, don't forget to also set `WATCHTOWER_DOCKER_SOCKET_PATH`! If you dislike this, see https://github.com/nextcloud/all-in-one/tree/main/manual-install. - - `ghcr.io/nextcloud-releases/all-in-one:latest` This is the docker container image that is used. - - Further options can be set using environment variables, for example `--env NEXTCLOUD_DATADIR="/mnt/ncdata"` (This is an example for Linux. See [this](https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir) for other OS' and for an explanation of what this value does. This specific one needs to be specified upon the first startup if you want to change it to a specific path instead of the default Docker volume). 
To see explanations and examples for further variables (like changing the location of Nextcloud's datadir or mounting some locations as external storage into the Nextcloud container), read through this readme and look at the docker-compose file: https://github.com/nextcloud/all-in-one/blob/main/compose.yaml -
+> [!NOTE] +> For production usage (and ease of upgrades and changes), we suggest using the example [Compose file](https://github.com/nextcloud/all-in-one/blob/main/compose.yaml) rather than `docker run`. - Note: You may be interested in adjusting Nextcloud’s datadir to store the files in a different location than the default docker volume. See [this documentation](https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir) on how to do it. +4. After the initial startup, open the Nextcloud AIO interface on port 8080 of this server **by IP address**, for example: +```txt +https://192.168.5.5:8080 +``` -4. After the initial startup, you should be able to open the Nextcloud AIO Interface now on port 8080 of this server.
-E.g. `https://ip.address.of.this.server:8080`
-⚠️ **Important:** do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser)

-If your firewall/router has port 80 and 8443 open/forwarded and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
-`https://your-domain-that-points-to-this-server.tld:8443` -5. Please do not forget to open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container! +> [!CAUTION] +> Use an IP address (not a domain) when accessing the AIO interface on port 8080. Accessing via a domain may work temporarily but is likely to break later due to HSTS. + +Port 8080 uses a self-signed certificate that you must accept in your browser. + +It is also possible to obtain a valid certificate automatically if your firewall/router forwards ports 80 and 8443 and you point a domain to your server. In that case, access the AIO interface using the dedicated port for this purpose (8443), for example: +```txt +https://your-domain-that-points-to-this-server.tld:8443 +``` + +5. If you enable Nextcloud Talk, open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk (TURN) container. # FAQ - [TOC](#faq) From c2a040010cb416b0e7d49ddf7bf53c3e988fa86f Mon Sep 17 00:00:00 2001 From: Benjamin Brahmer Date: Fri, 17 Oct 2025 19:41:28 +0200 Subject: [PATCH 2/7] update nextcloud-exporter image tag to 0.9.0 Signed-off-by: Benjamin Brahmer --- community-containers/nextcloud-exporter/nextcloud-exporter.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community-containers/nextcloud-exporter/nextcloud-exporter.json b/community-containers/nextcloud-exporter/nextcloud-exporter.json index f9159a36..e5bf74b8 100644 --- a/community-containers/nextcloud-exporter/nextcloud-exporter.json +++ b/community-containers/nextcloud-exporter/nextcloud-exporter.json @@ -5,7 +5,7 @@ "display_name": "Prometheus Nextcloud Exporter", "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter", "image": "ghcr.io/xperimental/nextcloud-exporter", - "image_tag": "0.8.0", + "image_tag": "0.9.0", "internal_port": "9205", "restart": "unless-stopped", "ports": [ From fdb34bd01acb1700f36d854344cf0f9c9d678baa Mon Sep 17 00:00:00 2001 
From: Josh Date: Mon, 20 Oct 2025 08:10:25 -0400 Subject: [PATCH 3/7] Merge pull request #6949 from nextcloud/jtr/docs-containers-mastercontainer-readme docs: Add README for `mastercontainer` --- Containers/mastercontainer/README.md | 69 ++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 Containers/mastercontainer/README.md diff --git a/Containers/mastercontainer/README.md b/Containers/mastercontainer/README.md new file mode 100644 index 00000000..de6b535d --- /dev/null +++ b/Containers/mastercontainer/README.md 
@@ -0,0 +1,69 @@ +# Nextcloud All-in-One `mastercontainer` + +This folder contains the OCI/Docker container definition, along with associated resources and +configuration files, for building the `mastercontainer` as part of the Nextcloud All-in-One +project. This container hosts [the Nextcloud AIO interface]( +https://github.com/nextcloud/all-in-one/tree/main/php)[^app], and a dedicated PHP environment +for it (which is completely independent of the Nextcloud Server). + +## Overview + +The mastercontainer acts as the central orchestration service for the deployment and management +of all other containers in the Nextcloud All-in-One stack. It hosts: + +- A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server) +- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp +- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp. + - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443 + is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the + domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will + use an [ACME HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) challenge. +- Miscellaneous support services specific to AIO (backup management, health checks, etc.) + +## Key Responsibilities + +- Orchestrates the deployment and lifecycle of all Nextcloud service containers +- Handles initial setup and container configuration +- Coordinates image updates +- Monitors general system health + +It triggers the initial installation and ensures the smooth operation of the Nextcloud +All-in-One stack. + +## Contents + +- **Dockerfile**: Instructions for building the mastercontainer image. 
+- **Entrypoint script**: The `start.sh` script is used for container initialization and runtime + configuration before starting supervisord. +- [**Nextcloud All-in-One Controller App**](https://github.com/nextcloud/all-in-one/tree/main/php): The + core AIO orchestrator that handles configuration and settings for the containers. +- **Supervisor**: The `supervisord.conf` file defines the long-running services hosted within + the container (php-fpm, cron, etc.) + +## Usage + +This container should be used as the trigger image when deploying the Nextcloud All-in-One +stack in a Docker or other OCI-compliant container environment. For detailed deployment +instructions, refer to the [project documentation]( +https://github.com/nextcloud/all-in-one). + +## Related Resources + +- [Main Repository](https://github.com/nextcloud/all-in-one) +- [Documentation](https://github.com/nextcloud/all-in-one#readme) + +## Contributing + +Contributions are welcome! Please follow the Nextcloud project's guidelines and submit pull +requests or issues via the main repository. + +## License + +This folder and its contents are licensed under the +[GNU AGPLv3](https://www.gnu.org/licenses/agpl-3.0.html), in line with the rest of Nextcloud +All-in-One. + +[^app]: The Nextcloud All-in-One interface allows users to install, configure, and +manage their Nextcloud instance and related containers via a secure web interface and API. +It automates and simplifies complex tasks such as container orchestration, backups, updates, +and service management for users deploying Nextcloud in Docker environments. From 79824ac83b29812d96ee33668a63a46091fc4fb0 Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 20 Oct 2025 08:58:33 -0400 Subject: [PATCH 4/7] docs: add link to TrueNAS SCALE guidance --- readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/readme.md b/readme.md index 0c412866..9dfc2e77 100644 --- a/readme.md +++ b/readme.md 
@@ -91,6 +91,7 @@ The steps below are written for Linux. For platform-specific guidance see: - macOS: [How to run AIO on macOS](#how-to-run-aio-on-macos) - Windows: [How to run AIO on Windows](#how-to-run-aio-on-windows) - Synology DSM: [How to run AIO on Synology DSM](#how-to-run-aio-on-synology-dsm) +- TrueNAS SCALE: [Can I run AIO on TrueNAS SCALE?](#can-i-run-aio-on-truenas-scale) > [!IMPORTANT] > These instructions assume there is no existing web server or reverse proxy (for example Apache, Nginx, Caddy, or Cloudflare Tunnel) that you intend to place in front of AIO. If you plan to run AIO behind an existing web server or reverse proxy, follow the AIO reverse proxy documentation: [Reverse proxy docs](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) From bf0267892003f2288f27a6e79b1e4c419c23e12b Mon Sep 17 00:00:00 2001 From: Zoey Date: Fri, 17 Oct 2025 21:01:58 +0200 Subject: [PATCH 5/7] replace apache with a second caddy Signed-off-by: Zoey --- Containers/mastercontainer/Caddyfile | 37 ----------- Containers/mastercontainer/Dockerfile | 52 ++-------------- Containers/mastercontainer/acme.Caddyfile | 39 ++++++++++++ Containers/mastercontainer/healthcheck.sh | 3 +- Containers/mastercontainer/internal.Caddyfile | 29 +++++++++ .../mastercontainer/mastercontainer.conf | 62 ------------------- Containers/mastercontainer/start.sh | 36 +---------- Containers/mastercontainer/supervisord.conf | 20 +++--- php/domain-validator.php | 10 +-- 9 files changed, 92 insertions(+), 196 deletions(-) delete mode 100644 Containers/mastercontainer/Caddyfile create mode 100644 Containers/mastercontainer/acme.Caddyfile create mode 100644 Containers/mastercontainer/internal.Caddyfile delete mode 100644 Containers/mastercontainer/mastercontainer.conf diff --git a/Containers/mastercontainer/Caddyfile b/Containers/mastercontainer/Caddyfile deleted file mode 100644 index da0e222d..00000000 --- a/Containers/mastercontainer/Caddyfile +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - # auto_https will create redirects for https://{host}:8443 instead of https://{host} - # https redirects are added manually in the http://:80 block - auto_https disable_redirects - - storage file_system { - root /mnt/docker-aio-config/caddy/ - } - - log { - level ERROR - } - - servers { - protocols h1 h2 h2c - } - - on_demand_tls { - ask http://127.0.0.1:9876/ - } -} - -http://:80 { - redir https://{host}{uri} permanent -} - -https://:8443 { - - reverse_proxy 127.0.0.1:8000 - - tls { - on_demand - issuer acme { - disable_tlsalpn_challenge - } - } -} diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile index c1cbaa59..7e64da04 100644 --- a/Containers/mastercontainer/Dockerfile +++ b/Containers/mastercontainer/Dockerfile @@ -18,9 +18,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker COPY community-containers /var/www/docker-aio/community-containers COPY php /var/www/docker-aio/php COPY --chmod=775 Containers/mastercontainer/*.sh / -COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile +COPY --chmod=664 Containers/mastercontainer/*.Caddyfile / COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf -COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf WORKDIR /var/www/docker-aio @@ -34,13 +33,8 @@ RUN set -ex; \ apk add --no-cache \ util-linux-misc \ ca-certificates \ - wget \ bash \ - apache2 \ - apache2-proxy \ - apache2-ssl \ supervisor \ - openssl \ sudo \ netcat-openbsd \ curl \ 
@@ -64,11 +58,13 @@ RUN set -ex; \ sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \ - grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ - sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ + grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \ + sed -i 's|listen =.*|;listen = /run/php.sock # handled in zz-docker.conf|' /usr/local/etc/php-fpm.d/www.conf; \ + grep -q 'listen =' /usr/local/etc/php-fpm.d/zz-docker.conf; \ + sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/zz-docker.conf; \ \ apk add --no-cache git; \ - wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \ + curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \ chmod +x /usr/local/bin/composer; \ cd /var/www/docker-aio; \ rm -r ./php/tests; \ 
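Review bot: nothing in this hunk sets the ownership or mode of the new unix socket: `listen = /run/php.sock` goes into zz-docker.conf, but no `listen.owner`, `listen.group` or `listen.mode` is set, and the supervisord.conf change in this same patch keeps php-fpm running as root while both Caddy programs run as www-data. php-fpm's documented default when listen.owner/listen.group are unset is the running user with mode 0660, which would leave /run/php.sock root-owned and unreachable for Caddy; unless the base image already sets these, add something like `sed -i 's|^;listen.owner =.*|listen.owner = www-data|; s|^;listen.group =.*|listen.group = www-data|' /usr/local/etc/php-fpm.d/www.conf` next to the listen edits (the removed `listen.allowed_clients` line only applied to TCP, so no replacement is needed for it). Separately, `curl https://getcomposer.org/installer | php -- ...` feeds whatever curl receives to php, including an HTTP error page, because plain curl exits 0 on HTTP errors; use `curl -fsSL` so a failed download fails the build, and consider the installer checksum verification that getcomposer.org documents, since this is a build-time supply-chain step.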
@@ -83,42 +79,6 @@ RUN set -ex; \ rm -r php/data; \ rm -r php/session; \ \ - mkdir -p /etc/apache2/certs; \ - cd /etc/apache2/certs; \ - openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \ - \ - sed -i \ - -e '/^Listen /d' \ - -e 's/^LogLevel .*/LogLevel error/' \ - -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \ - -e 's/User apache/User www-data/g' \ - -e 's/Group apache/Group www-data/g' \ - -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \ - -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \ - -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \ - -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \ - -e 's/\(ScriptAlias \)/#\1/' \ - /etc/apache2/httpd.conf; \ - mkdir -p /etc/apache2/logs; \ - rm /etc/apache2/conf.d/ssl.conf; \ - echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \ - grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \ - sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \ - echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \ - echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \ - echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \ - echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \ - \ - rm -f /etc/apache2/conf.d/default.conf \ - /etc/apache2/conf.d/userdir.conf \ - /etc/apache2/conf.d/info.conf; \ - \ - rm -rf /var/www/localhost/cgi-bin/; \ mkdir /var/log/supervisord; \ mkdir /var/run/supervisord; 
diff --git a/Containers/mastercontainer/acme.Caddyfile b/Containers/mastercontainer/acme.Caddyfile new file mode 100644 index 00000000..61eae552 --- /dev/null +++ b/Containers/mastercontainer/acme.Caddyfile @@ -0,0 +1,39 @@ +{ + # auto_https will create redirects for https://{host}:8443 instead of https://{host} + # https redirects are added manually in the http://:80 block + auto_https disable_redirects + + storage file_system { + root /mnt/docker-aio-config/caddy/ + } + + log { + level ERROR + } + + servers { + protocols h1 h2 h2c + } + + on_demand_tls { + ask http://127.0.0.1:9876/ + } +} + +http://:80 { + redir https://{host}{uri} permanent +} + +https://:8443 { + root * /var/www/docker-aio/php/public + encode + php_fastcgi unix//run/php.sock + file_server + + tls { + on_demand + issuer acme { + disable_tlsalpn_challenge + } + } +} diff --git a/Containers/mastercontainer/healthcheck.sh b/Containers/mastercontainer/healthcheck.sh index 72187591..29ad40a6 100644 --- a/Containers/mastercontainer/healthcheck.sh +++ b/Containers/mastercontainer/healthcheck.sh @@ -2,9 +2,8 @@ if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then nc -z 127.0.0.1 80 || exit 1 - nc -z 127.0.0.1 8000 || exit 1 nc -z 127.0.0.1 8080 || exit 1 nc -z 127.0.0.1 8443 || exit 1 - nc -z 127.0.0.1 9000 || exit 1 + [ -f /run/php.sock ] || exit 1 nc -z 127.0.0.1 9876 || exit 1 fi diff --git a/Containers/mastercontainer/internal.Caddyfile b/Containers/mastercontainer/internal.Caddyfile new file mode 100644 index 00000000..8e8ea311 --- /dev/null +++ b/Containers/mastercontainer/internal.Caddyfile @@ -0,0 +1,29 @@ +{ + auto_https off + + storage file_system { + root /mnt/docker-aio-config/caddy/ + } + + log { + level ERROR + } + + servers { + protocols h1 h2 + } + + skip_install_trust +} + +https://:8080 { + root * /var/www/docker-aio/php/public + encode + php_fastcgi unix//run/php.sock + file_server + + tls { + on_demand + issuer internal + } +} 
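Review bot: `[ -f /run/php.sock ] || exit 1` in healthcheck.sh will fail even when php-fpm is up: `test -f` is true only for regular files and a unix domain socket is not one, so as soon as configuration.json exists the container will be reported unhealthy. Use `[ -S /run/php.sock ] || exit 1`, and note that, unlike the removed `nc -z 127.0.0.1 9000`, an existence check does not confirm php-fpm is actually accepting connections on the socket.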
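Review bot: neither internal.Caddyfile nor acme.Caddyfile sets the `admin` global option, and supervisord.conf in this patch now starts two independent `caddy run` processes, so both will try to serve the admin API on Caddy's default of localhost:2019 (the previous single-instance Caddyfile did not have to care). Whether that fails at bind time or ends up with two processes sharing the port, it is not the intended state; unless the AIO interface uses the admin API (nothing in this diff does; start.sh only calls `caddy fmt`), add `admin off` to the global options block of both files, which also removes the unauthenticated configuration endpoint from the container.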
diff --git a/Containers/mastercontainer/mastercontainer.conf b/Containers/mastercontainer/mastercontainer.conf deleted file mode 100644 index 7d294694..00000000 --- a/Containers/mastercontainer/mastercontainer.conf +++ /dev/null @@ -1,62 +0,0 @@ -Listen 127.0.0.1:8000 -Listen 8080 https - -# Deny access to .ht files - - Require all denied - - -# Http host - - ServerName 127.0.0.1 - - # Add error log - CustomLog /proc/self/fd/1 proxy - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy - ErrorLog /proc/self/fd/2 - ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]" - LogLevel warn - - # PHP match - - SetHandler "proxy:fcgi://127.0.0.1:9000" - - # Master dir - DocumentRoot /var/www/docker-aio/php/public/ - - RewriteEngine On - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^ index.php [QSA,L] - Options Indexes FollowSymLinks - Require all granted - AllowOverride All - Options FollowSymLinks MultiViews - Satisfy Any - - Dav off - - - - -# Https host - - # Proxy to https - ProxyPass / http://127.0.0.1:8000/ - ProxyPassReverse / http://127.0.0.1:8000/ - ProxyPreserveHost On - # SSL - SSLCertificateKeyFile /etc/apache2/certs/ssl.key - SSLCertificateFile /etc/apache2/certs/ssl.crt - SSLEngine on - SSLProtocol -all +TLSv1.2 +TLSv1.3 - SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 - SSLHonorCipherOrder off - SSLSessionTickets off - - -# Increase timeout in case e.g. the initial download takes a long time -Timeout 7200 -ProxyTimeout 7200 - -# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable -TraceEnable Off diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh index 616068f3..faa725df 100644 
--- a/Containers/mastercontainer/start.sh +++ b/Containers/mastercontainer/start.sh @@ -331,36 +331,6 @@ chown www-data:www-data -R /mnt/docker-aio-config/session/ chown www-data:www-data -R /mnt/docker-aio-config/caddy/ chown root:root -R /mnt/docker-aio-config/certs/ -# Don't allow access to the AIO interface from the Nextcloud container -# Probably more cosmetic than anything but at least an attempt -if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then - cat << APACHE_CONF >> /etc/apache2/httpd.conf -# nextcloud-aio-block-start - -order allow,deny -deny from nextcloud-aio-nextcloud.nextcloud-aio -allow from all - -# nextcloud-aio-block-end -APACHE_CONF -fi - -# Adjust certs -GENERATED_CERTS="/mnt/docker-aio-config/certs" -TMP_CERTS="/etc/apache2/certs" -mkdir -p "$GENERATED_CERTS" -cd "$GENERATED_CERTS" || exit 1 -if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then - openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt -fi -if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then - cd "$TMP_CERTS" || exit 1 - rm ./ssl.crt - rm ./ssl.key - cp "$GENERATED_CERTS/ssl.crt" ./ - cp "$GENERATED_CERTS/ssl.key" ./ -fi - print_green "Initial startup of Nextcloud All-in-One complete! You should be able to open the Nextcloud AIO Interface now on port 8080 of this server! E.g. https://internal.ip.of.this.server:8080 @@ -372,16 +342,14 @@ https://your-domain-that-points-to-this-server.tld:8443" # Set the timezone to Etc/UTC export TZ=Etc/UTC -# Fix apache startup -rm -f /var/run/apache2/httpd.pid - # Fix caddy startup if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then rm -rf /mnt/docker-aio-config/caddy/locks/* fi # Fix the Caddyfile format -caddy fmt --overwrite /Caddyfile +caddy fmt --overwrite /acme.Caddyfile +caddy fmt --overwrite /internal.Caddyfile # Fix caddy log chmod 777 /root 
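Review bot: the removed `# nextcloud-aio-block` section, which denied `nextcloud-aio-nextcloud.nextcloud-aio` access to the AIO interface, has no counterpart in the new Caddyfiles, so this patch drops that restriction without saying so. Its own comment calls it more cosmetic than anything, and Caddy's `remote_ip` matcher takes addresses rather than container names, so it is not a straight port; either way, the commit message should record that the restriction was removed so the README and threat model can be kept in step.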
diff --git a/Containers/mastercontainer/supervisord.conf b/Containers/mastercontainer/supervisord.conf index fa5d0845..9fbb9516 100644 --- a/Containers/mastercontainer/supervisord.conf +++ b/Containers/mastercontainer/supervisord.conf @@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0 command=php-fpm user=root -[program:apache] -# Stdout logging is disabled as otherwise the logs are spammed -stdout_logfile=NONE -stderr_logfile=/dev/stderr -stderr_logfile_maxbytes=0 -command=httpd -DFOREGROUND -user=root - -[program:caddy] +[program:caddy-internal] stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 -command=/usr/bin/caddy run --config /Caddyfile +command=/usr/bin/caddy run --config /internal.Caddyfile +user=www-data + +[program:caddy-acme] +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +command=/usr/bin/caddy run --config /acme.Caddyfile user=www-data [program:cron] diff --git a/php/domain-validator.php b/php/domain-validator.php index 57506b8a..4ac92690 100644 --- a/php/domain-validator.php +++ b/php/domain-validator.php @@ -3,15 +3,15 @@ $domain = $_GET['domain'] ?? ''; if (!str_contains($domain, '.')) { - http_response_code(400); + http_response_code(400); } elseif (str_contains($domain, '/')) { - http_response_code(400); + http_response_code(400); } elseif (str_contains($domain, ':')) { - http_response_code(400); + http_response_code(400); } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { - http_response_code(400); + http_response_code(400); } elseif (filter_var($domain, FILTER_VALIDATE_IP)) { - http_response_code(400); + http_response_code(400); } else { // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs // error_log($domain . ' was accepted as valid domain.'); From 89e6ca5efa79a5636cdc6835b2eb27e317a3d958 Mon Sep 17 00:00:00 2001 
From: Zoey Date: Mon, 20 Oct 2025 18:39:06 +0200 Subject: [PATCH 6/7] mastercontainer/README.md: apache=>caddy Signed-off-by: Zoey --- Containers/mastercontainer/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Containers/mastercontainer/README.md b/Containers/mastercontainer/README.md index de6b535d..7206a5f3 100644 --- a/Containers/mastercontainer/README.md +++ b/Containers/mastercontainer/README.md @@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment of all other containers in the Nextcloud All-in-One stack. It hosts: - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server) -- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp -- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp. +- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp. +- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp. - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443 is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will From 41b4a6b36bcd89834afed04f11c623559457b7c8 Mon Sep 17 00:00:00 2001 From: Zoey Date: Mon, 20 Oct 2025 18:41:27 +0200 Subject: [PATCH 7/7] Remove unused certs from docker-aio-config Signed-off-by: Zoey --- Containers/mastercontainer/start.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh index faa725df..5d7ae954 100644 --- a/Containers/mastercontainer/start.sh +++ b/Containers/mastercontainer/start.sh 
@@ -342,6 +342,9 @@ https://your-domain-that-points-to-this-server.tld:8443" # Set the timezone to Etc/UTC export TZ=Etc/UTC +# Remove unused certs +rm -vrf /mnt/docker-aio-config/certs + # Fix caddy startup if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then rm -rf /mnt/docker-aio-config/caddy/locks/*
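Review bot: the supervisord.conf hunk starts two Caddy processes as `www-data` (`caddy-internal` on /internal.Caddyfile and `caddy-acme` on /acme.Caddyfile), and each Caddy instance binds its admin API on localhost:2019 by default, so whichever starts second fails with an address-in-use error unless each Caddyfile sets `admin off` or a distinct admin address; please confirm that in the Caddyfiles or note it in the commit. The removed `[program:apache]` block also set `stdout_logfile=NONE` because of log spam; the new `caddy-internal` block logs to /dev/stdout, so the same concern applies to the 8080 frontend and may warrant a `log` directive in /internal.Caddyfile.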
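Review bot: the php/domain-validator.php hunk is a whitespace-only re-indentation of the `http_response_code(400);` lines, unrelated to the Apache-to-Caddy change; either drop it from this commit or mention it in the message so nobody reading the series looks for a behavioural change in the validator.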
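Review bot: in the Containers/mastercontainer/README.md hunk the 8080 bullet calls the certificate "self-signed", but the listener is now served by Caddy; if /internal.Caddyfile uses `tls internal`, "certificate issued by Caddy's local CA" describes it more accurately and tells the reader why the browser warning differs from the old Apache one. The bullet punctuation is also inconsistent: both new bullets end in a period while the php-fpm bullet above does not.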
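Review bot: `rm -vrf /mnt/docker-aio-config/certs` in the PATCH 7/7 start.sh hunk is a one-off migration that runs unconditionally on every start; wrap it in `if [ -d /mnt/docker-aio-config/certs ]; then ... fi` like the `caddy/locks` cleanup directly below it so the verbose output only appears when there is something to remove. Since it deletes the directory that the earlier `chown root:root -R /mnt/docker-aio-config/certs/` (around line 333) still touches, that `chown` should be removed in the same commit.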