From cdb6a72476f5fa0d855d87053d2518e3aa628ae1 Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Thu, 26 Oct 2023 16:01:54 +0200 Subject: [PATCH 01/16] Migration from Oracle MySQL to MariaDB --- overlay/root/migrations/1.sh | 2 +- .../usr/local/etc/{my.cnf => mysql/conf.d/nextcloud.cnf} | 0 post_install.sh | 8 ++++---- 3 files changed, 5 insertions(+), 5 deletions(-) rename overlay/usr/local/etc/{my.cnf => mysql/conf.d/nextcloud.cnf} (100%) diff --git a/overlay/root/migrations/1.sh b/overlay/root/migrations/1.sh index 0315659..fc7002f 100755 --- a/overlay/root/migrations/1.sh +++ b/overlay/root/migrations/1.sh @@ -10,7 +10,7 @@ sysrc -f /etc/rc.conf redis_enable="YES" sysrc -f /etc/rc.conf fail2ban_enable="YES" service redis start 2>/dev/null service fail2ban start 2>/dev/null -service mysql-server start 2>/dev/null +service mysql-server start > &2 /dev/null # Wait for mysql to be up until mysql --user dbadmin --password="$(cat /root/dbpassword)" --execute "SHOW DATABASES" > /dev/null diff --git a/overlay/usr/local/etc/my.cnf b/overlay/usr/local/etc/mysql/conf.d/nextcloud.cnf similarity index 100% rename from overlay/usr/local/etc/my.cnf rename to overlay/usr/local/etc/mysql/conf.d/nextcloud.cnf diff --git a/post_install.sh b/post_install.sh index a3894e2..65fbf86 100755 --- a/post_install.sh +++ b/post_install.sh @@ -21,7 +21,7 @@ sysrc -f /etc/rc.conf fail2ban_enable="YES" # Start the service service nginx start 2>/dev/null service php-fpm start 2>/dev/null -service mysql-server start 2>/dev/null +service mysql-server start > &2 /dev/null service redis start 2>/dev/null # https://docs.nextcloud.com/server/13/admin_manual/installation/installation_wizard.html do not use the same name for user and db 
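Review bot: `service mysql-server start > &2 /dev/null` in both the migrations/1.sh hunk and the post_install.sh hunk is not a valid redirection — `>` followed by the separate word `&2` is a parse error in sh (`&` is an operator, not a filename), so each script aborts with a syntax error when it reaches that line. The intent is evidently the same stderr suppression as the neighbouring lines: `service mysql-server start 2>/dev/null`. Since post_install.sh runs under `set -eu`, a MariaDB start failure already aborts the install; leaving stderr visible for this one command would make that failure diagnosable from the install log.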
@@ -42,8 +42,8 @@ NCPASS=$(cat /root/ncpassword) # Configure mysql mysqladmin -u root password "${PASS}" mysql -u root -p"${PASS}" --connect-expired-password <<-EOF -ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${PASS}'; -CREATE USER '${USER}'@'localhost' IDENTIFIED WITH mysql_native_password BY '${PASS}'; +ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password USING PASSWORD('${PASS}'); +CREATE USER '${USER}'@'localhost' IDENTIFIED WITH mysql_native_password USING PASSWORD('${PASS}'); GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON ${DB}.* TO '${USER}'@'localhost'; FLUSH PRIVILEGES; @@ -59,7 +59,7 @@ su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install \ --database-name=\"nextcloud\" \ --database-user=\"$USER\" \ --database-pass=\"$PASS\" \ - --database-host=\"localhost\" \ + --database-host=\"127.0.0.1\" \ --admin-user=\"$NCUSER\" \ --admin-pass=\"$NCPASS\" \ --data-dir=\"/usr/local/www/nextcloud/data\"" From 4137a4879ea20d8f5611b9eda1ca9d7ed011bd74 Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Thu, 26 Oct 2023 16:31:42 +0200 Subject: [PATCH 02/16] Fix: mysql service start fail --- post_install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/post_install.sh b/post_install.sh index 65fbf86..6ef6ccb 100755 --- a/post_install.sh +++ b/post_install.sh @@ -21,7 +21,7 @@ sysrc -f /etc/rc.conf fail2ban_enable="YES" # Start the service service nginx start 2>/dev/null service php-fpm start 2>/dev/null -service mysql-server start > &2 /dev/null +service mysql-server start 2> /dev/null service redis start 2>/dev/null # https://docs.nextcloud.com/server/13/admin_manual/installation/installation_wizard.html do not use the same name for user and db From d4fdc8a2328367244f0c3412b13ff2c25a2590f2 Mon Sep 17 00:00:00 2001 
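Review bot: The new `ALTER USER`/`CREATE USER … USING PASSWORD('${PASS}')` lines in the `@@ -42,8` hunk splice the shell variable straight into a single-quoted SQL literal (the heredoc delimiter is unquoted, so expansion happens before MariaDB sees it); a generated password containing `'` or `\` breaks the statement and the install. Either constrain the generator of /root/dbpassword (outside this diff) to a quote-free alphabet and record that in a comment above the heredoc, e.g. `# PASS must not contain ' or \ — it is interpolated into SQL literals below`, or escape it before use. The `--database-host=\"127.0.0.1\"` change in the `@@ -59,7` hunk switches Nextcloud from the socket to TCP; the grants are still for `'${USER}'@'localhost'`, and if the new nextcloud.cnf disables name resolution that account may not match a 127.0.0.1 connection — worth verifying against the MariaDB version in use and noting the dependency.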
From: Tom Olivier Date: Thu, 26 Oct 2023 20:20:41 +0200 Subject: [PATCH 03/16] Changing php.ini according to the new Nextcloud documentation (nextcloud load 2s faster avrg) --- overlay/usr/local/etc/php/php.truenas.ini | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/overlay/usr/local/etc/php/php.truenas.ini b/overlay/usr/local/etc/php/php.truenas.ini index 4377f4f..006e842 100644 --- a/overlay/usr/local/etc/php/php.truenas.ini +++ b/overlay/usr/local/etc/php/php.truenas.ini @@ -11,10 +11,12 @@ upload_max_filesize=513M opcache.enable=1 opcache.enable_cli=1 opcache.memory_consumption=512 -opcache.interned_strings_buffer=8 +opcache.interned_strings_buffer=64 opcache.max_accelerated_files=10000 -opcache.revalidate_freq=1 +opcache.revalidate_freq=0 opcache.save_comments=1 +opcache.jit = 1255 +opcache.jit_buffer_size = 128M [apcu] apc.enable_cli=1 From 2b85007656641e33222295c9fc038282d70f98fd Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Fri, 27 Oct 2023 13:26:57 +0200 Subject: [PATCH 04/16] trusted_domains set to subnet to allow DHCP configuration --- overlay/usr/local/bin/load_env | 1 + post_install.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/overlay/usr/local/bin/load_env b/overlay/usr/local/bin/load_env index 87b4530..fd90c87 100755 --- a/overlay/usr/local/bin/load_env +++ b/overlay/usr/local/bin/load_env @@ -50,3 +50,4 @@ fi IOCAGE_HOST_ADDRESS=$(grep HOST_ADDRESS= /etc/iocage-env | cut -d '=' -f 2) IOCAGE_HOST_ADDRESS_BCAST=$(grep HOST_ADDRESS_BCAST= /etc/iocage-env | cut -d '=' -f 2) +IOCAGE_HOST_SUBNET=$(echo "$IOCAGE_HOST_ADDRESS" | cut -d '.' -f 1-3) diff --git a/post_install.sh b/post_install.sh index 6ef6ccb..5532a94 100755 --- a/post_install.sh +++ b/post_install.sh 
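Review bot: `IOCAGE_HOST_SUBNET=$(echo "$IOCAGE_HOST_ADDRESS" | cut -d '.' -f 1-3)` in the load_env hunk hard-codes a /24: it keeps the first three dotted octets regardless of the jail's real prefix length, produces garbage for an IPv6 address, and is empty when HOST_ADDRESS is missing from /etc/iocage-env. Because this value feeds `trusted_domains` (patch 04's post_install.sh hunk), a wrong prefix either locks users out or trusts a broader range than intended. Derive it from the address/netmask pair if iocage-env exposes one (not visible here), or at least state the assumption: `# assumes a /24 prefix: keeps only the first three octets of HOST_ADDRESS`.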
@@ -66,7 +66,7 @@ su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install \ su -m www -c "php /usr/local/www/nextcloud/occ background:cron" -su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value='${IOCAGE_HOST_ADDRESS}'" +su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value='${IOCAGE_HOST_SUBNET}.*'" su -m www -c "php /usr/local/www/nextcloud/occ app:install contacts" su -m www -c "php /usr/local/www/nextcloud/occ app:install calendar" From b90a9b44113e8fc2aca9797fd97558b84aedb0e0 Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Fri, 27 Oct 2023 15:53:00 +0200 Subject: [PATCH 05/16] Nginx configuration modified to comply with Nextcloud recommendation --- overlay/usr/local/etc/nginx/conf.d/nextcloud.inc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc index ed3655d..21e712f 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc 
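Review bot: `config:system:set trusted_domains 1 --value='${IOCAGE_HOST_SUBNET}.*'` turns Nextcloud's Host-header allow-list from one address into a wildcard over the whole subnet. trusted_domains is what stops requests with an unexpected Host header from being served (and from having that header reflected into generated links), so widening it to `x.y.z.*` trades part of that check for DHCP convenience. If the jail's address genuinely changes, a narrower option is to keep the exact address and re-run this occ command from the load_env-driven startup path, or make the wildcard opt-in via jail_options.env; at minimum add a comment explaining why a wildcard is set, e.g. `# wildcard so a DHCP-assigned jail address stays trusted; narrows to the jail's /24`.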
@@ -15,13 +15,13 @@ gzip_types application/atom+xml application/javascript application/json applicat #pagespeed off; # HTTP response headers borrowed from Nextcloud `.htaccess` -add_header Referrer-Policy "no-referrer" always; -add_header X-Content-Type-Options "nosniff" always; -add_header X-Download-Options "noopen" always; -add_header X-Frame-Options "SAMEORIGIN" always; -add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "none" always; -add_header X-XSS-Protection "1; mode=block" always; +add_header Referrer-Policy "no-referrer" always; +add_header X-Content-Type-Options "nosniff" always; +add_header X-Download-Options "noopen" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header X-Permitted-Cross-Domain-Policies "none" always; +add_header X-Robots-Tag "noindex, nofollow" always; +add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; From 40d9cb34c931b40b98bdfe4b3ab654004a052382 Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Sun, 11 Feb 2024 11:53:04 +0100 Subject: [PATCH 06/16] Fix migration and add mjs, wasm mime type --- overlay/root/migrations/1.sh | 11 +++-------- overlay/usr/local/etc/nginx/nginx.conf | 5 +++++ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/overlay/root/migrations/1.sh b/overlay/root/migrations/1.sh index fc7002f..dbe0738 100755 --- a/overlay/root/migrations/1.sh +++ b/overlay/root/migrations/1.sh @@ -10,7 +10,7 @@ sysrc -f /etc/rc.conf redis_enable="YES" sysrc -f /etc/rc.conf fail2ban_enable="YES" service redis start 2>/dev/null service fail2ban start 2>/dev/null -service mysql-server start > &2 /dev/null +service mysql-server start 2> /dev/null # Wait for mysql to be up until mysql --user dbadmin --password="$(cat /root/dbpassword)" --execute "SHOW DATABASES" > /dev/null 
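Review bot: Six of the seven `add_header` lines removed and re-added in this hunk are textually identical; only `X-Robots-Tag` changes from `"none"` to `"noindex, nofollow"`. That pattern usually means trailing whitespace or a line-ending (CRLF) change rode along — worth checking the file and normalising it in a separate whitespace-only commit so this diff shows just the semantic change.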
@@ -22,10 +22,5 @@ done # Change cron execution method su -m www -c "php /usr/local/www/nextcloud/occ background:cron" -# Install default applications -su -m www -c "php /usr/local/www/nextcloud/occ app:install contacts" -su -m www -c "php /usr/local/www/nextcloud/occ app:install calendar" -su -m www -c "php /usr/local/www/nextcloud/occ app:install notes" -su -m www -c "php /usr/local/www/nextcloud/occ app:install deck" -su -m www -c "php /usr/local/www/nextcloud/occ app:install spreed" -su -m www -c "php /usr/local/www/nextcloud/occ app:install mail" +# Upgrade Nextcloud +su -m www -c "php /usr/local/www/nextcloud/occ upgrade" diff --git a/overlay/usr/local/etc/nginx/nginx.conf b/overlay/usr/local/etc/nginx/nginx.conf index 66bcf11..2126d0b 100644 --- a/overlay/usr/local/etc/nginx/nginx.conf +++ b/overlay/usr/local/etc/nginx/nginx.conf @@ -50,6 +50,11 @@ http { include mime.types; default_type application/octet-stream; + # Set .mjs and .wasm MIME types + types { + text/javascript js mjs; + application/wasm wasm; + } # Logs format # ---------- From e304b13421852456ed13beaa237fa6f7fcf3bdba Mon Sep 17 00:00:00 2001 From: Tom Date: Tue, 30 Jul 2024 13:47:09 +0200 Subject: [PATCH 07/16] Update nextcloud.inc Update nginx config with updated recomandation: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html --- .../usr/local/etc/nginx/conf.d/nextcloud.inc | 67 ++++++++++++++----- 1 file changed, 49 insertions(+), 18 deletions(-) diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc index 21e712f..767399c 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc 
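Review bot: The `@@ -22,10 +22,5` hunk edits the existing migration `1.sh` in place, swapping the app installs for `occ upgrade`; if migrations are numbered one-shot scripts tracked by `run_db_migrations` (added to post_update.sh later in this series), jails that already ran migration 1 will never execute the new upgrade step — a new `2.sh` is the usual way to add a step. The result of `su -m www -c "php /usr/local/www/nextcloud/occ upgrade"` is also unchecked; unless the script header (outside this hunk) sets `set -e`, a failed upgrade is silently ignored while the migration is treated as done, so append `|| exit 1`. The nginx.conf `types` block in the second hunk duplicates the MIME mapping that patch 07 later puts into nextcloud.inc; keep it in one place.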
@@ -1,5 +1,17 @@ -# set max upload size +# Path to the root of your installation +root /usr/local/www/nextcloud/; + +# HSTS settings +# WARNING: Only add the preload option once you read about +# the consequences in https://hstspreload.org/. This option +# will add the domain to a hardcoded list that is shipped +# in all major browsers and getting removed from this list +# could take several months. +#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; + +# set max upload size and increase upload timeout: client_max_body_size 512M; +client_body_timeout 300s; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers 
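Review bot: The HSTS block is added commented out, so an HTTPS deployment built from this include sends no `Strict-Transport-Security` header at all. Because this `.inc` is shared by the http and https templates, the header belongs in the https template's server block rather than here: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;` (without `preload`, as the comment itself warns). Bear in mind that nginx does not inherit `add_header` into a location that declares its own `add_header`, so the static-file location added later in this patch would need it repeated as well.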
@@ -8,26 +20,37 @@ gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; -gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; +gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Pagespeed is not supported by Nextcloud, so if your server is built # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; +# The settings allows you to optimize the HTTP2 bandwidth. 
+# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ +# for tuning hints +client_body_buffer_size 512k; + # HTTP response headers borrowed from Nextcloud `.htaccess` -add_header Referrer-Policy "no-referrer" always; -add_header X-Content-Type-Options "nosniff" always; -add_header X-Download-Options "noopen" always; -add_header X-Frame-Options "SAMEORIGIN" always; -add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "noindex, nofollow" always; -add_header X-XSS-Protection "1; mode=block" always; +add_header Referrer-Policy "no-referrer" always; +add_header X-Content-Type-Options "nosniff" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header X-Permitted-Cross-Domain-Policies "none" always; +add_header X-Robots-Tag "noindex, nofollow" always; +add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; -# Path to the root of your installation -root /usr/local/www/nextcloud/; +# Set .mjs and .wasm MIME types +# Either include it in the default mime.types list +# and include that list explicitly or add the file extension +# only for Nextcloud like below: +include mime.types; +types { + text/javascript mjs; +application/wasm wasm; +} # Specify how to handle directories -- specifying `/index.php$request_uri` # here as the fallback means that Nginx always exhibits the desired behaviour @@ -36,7 +59,7 @@ root /usr/local/www/nextcloud/; # that file is correctly served; if it doesn't, then the request is passed to # the front-end controller. This consistent behaviour means that we don't need # to specify custom rules for certain paths (e.g. images and other assets, -# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus +# `/updater`, `/ocs-provider`), and thus # `try_files $uri $uri/ /index.php$request_uri` # always provides the desired behaviour. index index.php index.html /index.php$request_uri; 
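Review bot: The `include mime.types; types { … }` pair added in the `@@ -8,26` hunk lives at server level (this file is included inside `server {}`), and a `types` block declared in a context replaces the inherited table rather than extending it — which is why `include mime.types;` has to come first; a comment saying so would stop someone removing the "redundant" include. nginx.conf's http block (patch 06) also includes mime.types and defines its own `js mjs`/`wasm` mapping, so the MIME table is now declared twice with different handling of `js`; pick one location and state it. Style: `application/wasm wasm;` sits at column 0 inside the block while the line above is indented (fixed later in the series).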
@@ -62,8 +85,6 @@ location ^~ /.well-known { # The rules in this block are an adaptation of the rules # in `.htaccess` that concern `/.well-known`. - # Needed to prevent including the scheme, domain and port in the Location header. - absolute_redirect off; location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } @@ -85,7 +106,7 @@ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -95,7 +116,7 @@ location ~ \.php(?:$|/) { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; + fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls 
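Review bot: Uncommenting `fastcgi_param HTTPS on;` in this shared include tells PHP that every request is TLS, including those served by the plain-HTTP template, so Nextcloud treats http:// requests as secure (the next commit reverts it, presumably for that reason). Use nginx's own variable, which is empty on plain HTTP and `on` under TLS: `fastcgi_param HTTPS $https;` — that keeps one include correct for both templates. If TLS is terminated by an external proxy instead, Nextcloud's `overwriteprotocol` setting is the right knob, not this parameter.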
@@ -103,11 +124,21 @@ location ~ \.php(?:$|/) { fastcgi_intercept_errors on; fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; } -location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ { +# Serve static files +location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets } From c478b5ad5f824a7574b3c881062b64b485287544 Mon Sep 17 00:00:00 2001 From: Tom Date: Tue, 30 Jul 2024 13:49:55 +0200 Subject: [PATCH 08/16] Remote https --- overlay/usr/local/etc/nginx/conf.d/nextcloud.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc index 767399c..3deeb7c 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc @@ -116,7 +116,7 @@ location ~ \.php(?:$|/) { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; + #fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls From 456a280954cf192b74d0341fe6b33861632c0d6d Mon Sep 17 00:00:00 2001 
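Review bot: The new static-file location uses `$asset_immutable` in `add_header Cache-Control "public, max-age=15778463$asset_immutable";`, but nothing in this commit defines that variable; nginx refuses to load a configuration that references an unknown variable, so this commit breaks the site until the `map $arg_v $asset_immutable` block arrives in patch 10. Move the `map` into this commit (it must sit in the http context, i.e. in the templates, not in this include) or drop the suffix until it exists. The location repeats the server-level security headers because `add_header` in a location suppresses inherited ones; a one-line comment to that effect would stop a later "de-duplication".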
From: Tom Date: Tue, 30 Jul 2024 14:29:24 +0200 Subject: [PATCH 09/16] Update php.truenas.ini https://github.com/nextcloud/all-in-one/blob/7e56c912f742d96311388c9b6d2c9acf0e0f90a1/Containers/nextcloud/Dockerfile --- overlay/usr/local/etc/php/php.truenas.ini | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/overlay/usr/local/etc/php/php.truenas.ini b/overlay/usr/local/etc/php/php.truenas.ini index 006e842..44c49ac 100644 --- a/overlay/usr/local/etc/php/php.truenas.ini +++ b/overlay/usr/local/etc/php/php.truenas.ini @@ -3,18 +3,18 @@ [PHP] ; recommended value of 512MB for php memory limit (avoid warning when running occ) memory_limit=512M -post_max_size=513M -upload_max_filesize=513M +upload_max_filesize=0 +post_max_size=0 +output_buffering=0 [opcache] ; Modify opcache settings in php.ini according to Nextcloud documentation (remove comment and set recommended value) opcache.enable=1 opcache.enable_cli=1 -opcache.memory_consumption=512 +opcache.memory_consumption=256 opcache.interned_strings_buffer=64 -opcache.max_accelerated_files=10000 -opcache.revalidate_freq=0 opcache.save_comments=1 +opcache.revalidate_freq=60 opcache.jit = 1255 opcache.jit_buffer_size = 128M From 7cef9dd668d9d1831117bcb957f92242e9718762 Mon Sep 17 00:00:00 2001 
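Review bot: `upload_max_filesize=0` and `post_max_size=0` remove PHP's own request-size ceiling (PHP treats 0 as "no limit" for post_max_size), so the only remaining cap is nginx's `client_max_body_size 512M` from nextcloud.inc; anything that bypasses nginx — cron/occ via php-cli, or a later edit to that directive — has no upper bound. Record the intent next to the values: `; 0 = unlimited; the effective upload cap is nginx client_max_body_size`. `opcache.revalidate_freq` goes 1→0→60 across three commits with no rationale; 60 means edited PHP files are not picked up for a minute, which is fine for production but deserves a comment. Style: the `opcache.jit = 1255` lines keep spaces around `=` unlike the rest of the file.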
From: Tom Olivier Date: Tue, 30 Jul 2024 17:10:27 +0200 Subject: [PATCH 10/16] Updating script and config to https://github.com/nextcloud/all-in-one/tree/main/Containers/nextcloud, and allow big upload with other things from Nextcloud wiki --- README.md | 2 +- overlay/root/config/aio.config.php | 5 +++++ overlay/root/config/apcu.config.php | 4 ++++ overlay/root/config/redis.config.php | 8 +++++++ overlay/root/config/truenas.config.php | 8 ------- overlay/usr/local/bin/sync_configuration | 2 +- .../nginx/conf.d/nextcloud.http.conf.template | 12 +++++----- .../conf.d/nextcloud.https.conf.template | 17 +++++++------- .../usr/local/etc/nginx/conf.d/nextcloud.inc | 8 ------- .../usr/local/etc/php-fpm.d/nextcloud.conf | 8 ++----- .../usr/local/etc/php/conf.d/nextcloud.ini | 7 ++++++ .../etc/php/conf.d/opcache-recommended.ini | 6 +++++ .../usr/local/etc/php/conf.d/php-ext-apcu.ini | 1 + .../local/etc/php/conf.d/php-ext-igbinary.ini | 2 ++ .../local/etc/php/conf.d/redis-session.ini | 5 +++++ overlay/usr/local/etc/php/php.truenas.ini | 22 ------------------- post_update.sh | 5 +++++ 17 files changed, 61 insertions(+), 61 deletions(-) create mode 100644 overlay/root/config/aio.config.php create mode 100644 overlay/root/config/apcu.config.php create mode 100644 overlay/root/config/redis.config.php create mode 100644 overlay/usr/local/etc/php/conf.d/nextcloud.ini create mode 100644 overlay/usr/local/etc/php/conf.d/opcache-recommended.ini create mode 100644 overlay/usr/local/etc/php/conf.d/php-ext-apcu.ini create mode 100644 overlay/usr/local/etc/php/conf.d/php-ext-igbinary.ini create mode 100644 overlay/usr/local/etc/php/conf.d/redis-session.ini delete mode 100644 overlay/usr/local/etc/php/php.truenas.ini diff --git a/README.md b/README.md index c95ec5d..54028d3 100644 --- a/README.md +++ b/README.md 
@@ -83,7 +83,7 @@ Example of `/root/jail_options.env`: ```shell # Allow insecure access to Nextcloud through HTTP. Useful when TrueNAS is behind an external proxy. -export ALLOW_INSECURE_ACCESS= # default: false +export ALLOW_INSECURE_ACCESS= # default: true ``` - `occ []`: diff --git a/overlay/root/config/aio.config.php b/overlay/root/config/aio.config.php new file mode 100644 index 0000000..65c5ab8 --- /dev/null +++ b/overlay/root/config/aio.config.php @@ -0,0 +1,5 @@ + true, + 'one-click-instance.user-limit' => 100, +); \ No newline at end of file diff --git a/overlay/root/config/apcu.config.php b/overlay/root/config/apcu.config.php new file mode 100644 index 0000000..298fcc3 --- /dev/null +++ b/overlay/root/config/apcu.config.php @@ -0,0 +1,4 @@ + '\OC\Memcache\APCu', +); \ No newline at end of file diff --git a/overlay/root/config/redis.config.php b/overlay/root/config/redis.config.php new file mode 100644 index 0000000..744001f --- /dev/null +++ b/overlay/root/config/redis.config.php @@ -0,0 +1,8 @@ + '\OC\Memcache\Redis', + 'memcache.locking' => '\OC\Memcache\Redis', + 'redis' => array( + 'host' => 'localhost', + ), +); \ No newline at end of file diff --git a/overlay/root/config/truenas.config.php b/overlay/root/config/truenas.config.php index 7dde64c..1b53d62 100644 --- a/overlay/root/config/truenas.config.php +++ b/overlay/root/config/truenas.config.php @@ -1,12 +1,4 @@ true, - 'one-click-instance.user-limit' => 100, - 'memcache.local' => '\\OC\\Memcache\\APCu', - 'memcache.distributed' => '\OC\Memcache\Redis', - 'memcache.locking' => '\OC\Memcache\Redis', - 'redis' => array( - 'host' => 'localhost', - ), 'logfile' => '/var/log/nextcloud/nextcloud.log' ); \ No newline at end of file diff --git a/overlay/usr/local/bin/sync_configuration b/overlay/usr/local/bin/sync_configuration index d26da22..3cb5020 100755 --- a/overlay/usr/local/bin/sync_configuration +++ b/overlay/usr/local/bin/sync_configuration 
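Review bot: The new `redis.config.php` points Nextcloud's distributed/locking cache at `'host' => 'localhost'` with no `'password'` entry, i.e. an unauthenticated TCP connection to the default Redis port; that is acceptable only if the jail's redis.conf binds loopback alone and nothing else runs in the jail, neither of which this series shows. State that dependency in a comment, or use the Unix socket (host set to the socket path, `'port' => 0`) with a restrictive file mode, and do the same in redis-session.ini later in this commit. `'one-click-instance' => true` in aio.config.php is an All-in-One-specific flag; confirm it is wanted in a TrueNAS jail rather than carried over with the rest of the AIO config. The `<?php` / `$CONFIG = array(` opening lines of the new files are not visible in the hunks as rendered here, presumably an extraction artefact rather than missing code.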
@@ -23,6 +23,6 @@ fi envsubst "\${NEXTCLOUD_HTTPS_PORT}" < "/usr/local/etc/nginx/conf.d/nextcloud.$SCHEME.conf.template" > "/usr/local/etc/nginx/conf.d/nextcloud.conf" # Copy Nextcloud custom configuration -cp /root/config/truenas.config.php /usr/local/www/nextcloud/config/truenas.config.php +cp /root/config/*.php /usr/local/www/nextcloud/config/ chown -R www:www /usr/local/www/nextcloud/config chmod -R u+rw /usr/local/www/nextcloud/config diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template b/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template index 19ea621..f39d14c 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template @@ -2,15 +2,15 @@ upstream php-handler { server unix:/var/run/nextcloud-php-fpm.sock; } +# Set the `immutable` cache control options only for assets with a cache busting `v` argument +map $arg_v $asset_immutable { + "" ""; + default ", immutable"; +} + server { listen 80 default_server; listen [::]:80; - location ^~ /.well-known/acme-challenge { - # Path to the root of your installation - root /usr/local/www/nextcloud/; - try_files $uri $uri/ =404; - } - include conf.d/nextcloud.inc; } diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template b/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template index d9b685c..788c7da 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template 
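Review bot: Removing the `location ^~ /.well-known/acme-challenge` block from the port-80 server (here, and in the https template in the next hunk) leaves HTTP-01 challenges to whatever the include does for `/.well-known`, and in the https template the port-80 server becomes a bare redirect, so a certbot webroot challenge never reaches the filesystem. Since `renew_certificates` (patch 12) still drives `certbot`, keep an explicit `location ^~ /.well-known/acme-challenge { root /usr/local/www/nextcloud/; try_files $uri =404; }` ahead of the include/redirect in both templates. If certbot is meant to run in standalone mode instead, say so in a comment where the block was removed. The `cp /root/config/*.php` glob in the sync_configuration hunk now copies anything dropped into /root/config into Nextcloud's auto-loaded config directory; fine while /root stays root-only, but worth a comment.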
@@ -2,20 +2,19 @@ upstream php-handler { server unix:/var/run/nextcloud-php-fpm.sock; } +# Set the `immutable` cache control options only for assets with a cache busting `v` argument +map $arg_v $asset_immutable { + "" ""; + default ", immutable"; +} + # Redirect to HTTPS server { listen 80 default_server; listen [::]:80; - location ^~ /.well-known/acme-challenge { - # Path to the root of your installation - root /usr/local/www/nextcloud/; - try_files $uri $uri/ =404; - } - - location / { - return 301 https://$host:$NEXTCLOUD_HTTPS_PORT$request_uri; - } + # Enforce HTTPS + return 301 https://$server_name$request_uri; } server { diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc index 3deeb7c..0d46064 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc @@ -1,14 +1,6 @@ # Path to the root of your installation root /usr/local/www/nextcloud/; -# HSTS settings -# WARNING: Only add the preload option once you read about -# the consequences in https://hstspreload.org/. This option -# will add the domain to a hardcoded list that is shipped -# in all major browsers and getting removed from this list -# could take several months. -#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; - # set max upload size and increase upload timeout: client_max_body_size 512M; client_body_timeout 300s; diff --git a/overlay/usr/local/etc/php-fpm.d/nextcloud.conf b/overlay/usr/local/etc/php-fpm.d/nextcloud.conf index 23a0094..479ab4f 100644 --- a/overlay/usr/local/etc/php-fpm.d/nextcloud.conf +++ b/overlay/usr/local/etc/php-fpm.d/nextcloud.conf 
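Review bot: `return 301 https://$server_name$request_uri;` loses both the host and the port the old redirect carried: `$server_name` is the *configured* server name, which is the empty string when no `server_name` directive exists (none is visible in this template), so clients receive `Location: https:///…`, and the `$NEXTCLOUD_HTTPS_PORT` substitution that let the HTTPS listener run on a non-443 port (see sync_configuration's envsubst) is dropped. Keep the old form, `return 301 https://$host:$NEXTCLOUD_HTTPS_PORT$request_uri;`, or set `server_name` explicitly and still append the port. Even if a server_name is defined elsewhere, the port regression stands.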
@@ -6,12 +6,8 @@ listen = /var/run/nextcloud-php-fpm.sock listen.owner = www listen.group = www -pm = dynamic -pm.max_children = 100 -pm.start_servers = 25 -pm.min_spare_servers = 25 -pm.max_spare_servers = 75 +pm = ondemand +pm.max_children = 5000 -php_admin_value[session.save_path] = "/usr/local/www/nextcloud-sessions-tmp" ; Nextcloud wants PATH environment variable set. env[PATH] = $PATH diff --git a/overlay/usr/local/etc/php/conf.d/nextcloud.ini b/overlay/usr/local/etc/php/conf.d/nextcloud.ini new file mode 100644 index 0000000..c812190 --- /dev/null +++ b/overlay/usr/local/etc/php/conf.d/nextcloud.ini @@ -0,0 +1,7 @@ +memory_limit=512M +upload_max_filesize=0 +post_max_size=0 +max_execution_time=3600 +max_input_time=3600 +default_socket_timeout=600 +output_buffering=0 \ No newline at end of file diff --git a/overlay/usr/local/etc/php/conf.d/opcache-recommended.ini b/overlay/usr/local/etc/php/conf.d/opcache-recommended.ini new file mode 100644 index 0000000..ad69ce7 --- /dev/null +++ b/overlay/usr/local/etc/php/conf.d/opcache-recommended.ini @@ -0,0 +1,6 @@ +opcache.memory_consumption=256 +opcache.interned_strings_buffer=64 +opcache.save_comments=1 +opcache.revalidate_freq=60 +opcache.jit=1255 +opcache.jit_buffer_size=128M \ No newline at end of file diff --git a/overlay/usr/local/etc/php/conf.d/php-ext-apcu.ini b/overlay/usr/local/etc/php/conf.d/php-ext-apcu.ini new file mode 100644 index 0000000..faca36b --- /dev/null +++ b/overlay/usr/local/etc/php/conf.d/php-ext-apcu.ini @@ -0,0 +1 @@ +apc.enable_cli=1 \ No newline at end of file diff --git a/overlay/usr/local/etc/php/conf.d/php-ext-igbinary.ini b/overlay/usr/local/etc/php/conf.d/php-ext-igbinary.ini new file mode 100644 index 0000000..ad05480 --- /dev/null +++ b/overlay/usr/local/etc/php/conf.d/php-ext-igbinary.ini @@ -0,0 +1,2 @@ +apc.serializer=igbinary +session.serialize_handler=igbinary \ No newline at end of file 
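Review bot: `pm = ondemand` with `pm.max_children = 5000` and no `pm.process_idle_timeout` sets no meaningful ceiling on worker count; together with `memory_limit=512M` in the new nextcloud.ini, a burst of concurrent requests can exhaust the jail's memory instead of queueing — a cheap availability failure. Size `pm.max_children` from the RAM assigned to the jail (available RAM divided by the per-worker footprint) and set `pm.process_idle_timeout` explicitly; if 5000 is copied from the AIO container, note that the container's own memory limit was what made it safe there. Dropping `php_admin_value[session.save_path]` is consistent with redis-session.ini taking over session storage, but a comment pointing to that file would help the next reader.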
diff --git a/overlay/usr/local/etc/php/conf.d/redis-session.ini b/overlay/usr/local/etc/php/conf.d/redis-session.ini new file mode 100644 index 0000000..aa69175 --- /dev/null +++ b/overlay/usr/local/etc/php/conf.d/redis-session.ini @@ -0,0 +1,5 @@ +session.save_handler = redis +session.save_path = "tcp://127.0.0.1:6379" +redis.session.locking_enabled = 1 +redis.session.lock_retries = -1 +redis.session.lock_wait_time = 10000 \ No newline at end of file diff --git a/overlay/usr/local/etc/php/php.truenas.ini b/overlay/usr/local/etc/php/php.truenas.ini deleted file mode 100644 index 44c49ac..0000000 --- a/overlay/usr/local/etc/php/php.truenas.ini +++ /dev/null @@ -1,22 +0,0 @@ -; https://docs.nextcloud.com/server/22/admin_manual/installation/server_tuning.html?highlight=tuning - -[PHP] -; recommended value of 512MB for php memory limit (avoid warning when running occ) -memory_limit=512M -upload_max_filesize=0 -post_max_size=0 -output_buffering=0 - -[opcache] -; Modify opcache settings in php.ini according to Nextcloud documentation (remove comment and set recommended value) -opcache.enable=1 -opcache.enable_cli=1 -opcache.memory_consumption=256 -opcache.interned_strings_buffer=64 -opcache.save_comments=1 -opcache.revalidate_freq=60 -opcache.jit = 1255 -opcache.jit_buffer_size = 128M - -[apcu] -apc.enable_cli=1 diff --git a/post_update.sh b/post_update.sh index a981fc1..ee910db 100644 --- a/post_update.sh +++ b/post_update.sh @@ -25,6 +25,8 @@ do } done +# Remove old files +rm -fv /usr/local/etc/php/php.truenas.ini # Generate some configuration from templates. sync_configuration @@ -32,3 +34,6 @@ sync_configuration chmod -R o-rwx /usr/local/www/nextcloud # Give full ownership of the nextcloud directory to www chown -R www:www /usr/local/www/nextcloud + +# DB migration check +run_db_migrations From e43dc63f0c3f6d1d52105da65e8f8e92f693f29a Mon Sep 17 00:00:00 2001 
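Review bot: `session.save_path = "tcp://127.0.0.1:6379"` moves every PHP session (Nextcloud login state) into Redis over an unauthenticated TCP connection, so any process in the jail that can reach loopback can read or forge sessions; tolerable only if Redis is loopback-bound and the jail runs nothing else — say so in the file, or use the Unix socket with a restrictive mode (`session.save_path = "unix:///<redis-socket-path>"`, path per the jail's redis.conf). `redis.session.lock_retries = -1` retries forever, so a lock left behind by a killed worker blocks that user's requests indefinitely; a bounded value fails loudly instead. In the post_update.sh hunk, `run_db_migrations` is not defined anywhere in this diff — presumably a sourced helper — so confirm it is in scope, since a missing command aborts the script if it runs under `set -e` (its header is outside the hunk).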
From: Tom Olivier Date: Tue, 30 Jul 2024 18:21:06 +0200 Subject: [PATCH 11/16] PHP conf in wrong dir --- overlay/usr/local/etc/php/{conf.d => }/nextcloud.ini | 0 overlay/usr/local/etc/php/{conf.d => }/opcache-recommended.ini | 0 overlay/usr/local/etc/php/{conf.d => }/php-ext-apcu.ini | 0 overlay/usr/local/etc/php/{conf.d => }/php-ext-igbinary.ini | 0 overlay/usr/local/etc/php/{conf.d => }/redis-session.ini | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename overlay/usr/local/etc/php/{conf.d => }/nextcloud.ini (100%) rename overlay/usr/local/etc/php/{conf.d => }/opcache-recommended.ini (100%) rename overlay/usr/local/etc/php/{conf.d => }/php-ext-apcu.ini (100%) rename overlay/usr/local/etc/php/{conf.d => }/php-ext-igbinary.ini (100%) rename overlay/usr/local/etc/php/{conf.d => }/redis-session.ini (100%) diff --git a/overlay/usr/local/etc/php/conf.d/nextcloud.ini b/overlay/usr/local/etc/php/nextcloud.ini similarity index 100% rename from overlay/usr/local/etc/php/conf.d/nextcloud.ini rename to overlay/usr/local/etc/php/nextcloud.ini diff --git a/overlay/usr/local/etc/php/conf.d/opcache-recommended.ini b/overlay/usr/local/etc/php/opcache-recommended.ini similarity index 100% rename from overlay/usr/local/etc/php/conf.d/opcache-recommended.ini rename to overlay/usr/local/etc/php/opcache-recommended.ini diff --git a/overlay/usr/local/etc/php/conf.d/php-ext-apcu.ini b/overlay/usr/local/etc/php/php-ext-apcu.ini similarity index 100% rename from overlay/usr/local/etc/php/conf.d/php-ext-apcu.ini rename to overlay/usr/local/etc/php/php-ext-apcu.ini diff --git a/overlay/usr/local/etc/php/conf.d/php-ext-igbinary.ini b/overlay/usr/local/etc/php/php-ext-igbinary.ini similarity index 100% rename from overlay/usr/local/etc/php/conf.d/php-ext-igbinary.ini rename to overlay/usr/local/etc/php/php-ext-igbinary.ini 
diff --git a/overlay/usr/local/etc/php/conf.d/redis-session.ini b/overlay/usr/local/etc/php/redis-session.ini similarity index 100% rename from overlay/usr/local/etc/php/conf.d/redis-session.ini rename to overlay/usr/local/etc/php/redis-session.ini From 170d09eca34d1b78df24ac0e1aef1163310cdc3c Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Tue, 30 Jul 2024 18:37:33 +0200 Subject: [PATCH 12/16] Remove cert renew if ALLOW_INSECURE_ACCESS = true --- overlay/usr/local/bin/renew_certificates | 7 +++++++ post_install.sh | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/overlay/usr/local/bin/renew_certificates b/overlay/usr/local/bin/renew_certificates index d5bed3b..97fbf05 100755 --- a/overlay/usr/local/bin/renew_certificates +++ b/overlay/usr/local/bin/renew_certificates @@ -2,6 +2,13 @@ set -eu +. load_env + +if [ "${ALLOW_INSECURE_ACCESS:-false}" = "false" ] +then + exit 0 +fi + if certbot certificates | grep 'No certificates found' then # Limit self-signed certificate renewal to on month before expiration diff --git a/post_install.sh b/post_install.sh index 5532a94..cc01df8 100755 --- a/post_install.sh +++ b/post_install.sh @@ -9,7 +9,10 @@ set -eu sync_configuration # Generate self-signed TLS certificates -generate_self_signed_tls_certificates +if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ] +then + generate_self_signed_tls_certificates +fi # Enable the necessary services sysrc -f /etc/rc.conf nginx_enable="YES" From e8042d344447cb06de2af4ed3c4355b166435b92 Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Tue, 30 Jul 2024 18:57:13 +0200 Subject: [PATCH 13/16] Default to ALLOW_INSECURE_ACCESS = true --- overlay/usr/local/bin/renew_certificates | 2 +- overlay/usr/local/bin/sync_configuration | 2 +- post_install.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/overlay/usr/local/bin/renew_certificates b/overlay/usr/local/bin/renew_certificates index 97fbf05..38e1167 100755 --- a/overlay/usr/local/bin/renew_certificates 
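Review bot: Both conditions added by patch 12 are inverted relative to its subject. In renew_certificates, `if [ "${ALLOW_INSECURE_ACCESS:-false}" = "false" ]` followed by `exit 0` skips renewal precisely for the HTTPS-only deployment, and in post_install.sh `if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ]` generates self-signed certificates only for the HTTP case that never uses them. The tests should read `= "true"` in renew_certificates and `= "false"` in post_install.sh; the next commit flips the defaults, which masks rather than fixes this. A one-line comment per branch (`# HTTP-only deployment: nothing to renew`) would make the intended polarity obvious.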
+++ b/overlay/usr/local/bin/renew_certificates @@ -4,7 +4,7 @@ set -eu . load_env -if [ "${ALLOW_INSECURE_ACCESS:-false}" = "false" ] +if [ "${ALLOW_INSECURE_ACCESS:-true}" = "true" ] then exit 0 fi diff --git a/overlay/usr/local/bin/sync_configuration b/overlay/usr/local/bin/sync_configuration index 3cb5020..cd1c460 100755 --- a/overlay/usr/local/bin/sync_configuration +++ b/overlay/usr/local/bin/sync_configuration @@ -15,7 +15,7 @@ fi # Generate nginx configuration from the base template SCHEME=https -if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ] +if [ "${ALLOW_INSECURE_ACCESS:-true}" = "true" ] then SCHEME=http fi diff --git a/post_install.sh b/post_install.sh index cc01df8..1bd2653 100755 --- a/post_install.sh +++ b/post_install.sh @@ -9,7 +9,7 @@ set -eu sync_configuration # Generate self-signed TLS certificates -if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ] +if [ "${ALLOW_INSECURE_ACCESS:-true}" = "false" ] then generate_self_signed_tls_certificates fi From 897e3d34af16b027239fcb924b415b58fe96b806 Mon Sep 17 00:00:00 2001 From: Tom Olivier Date: Tue, 30 Jul 2024 19:31:56 +0200 Subject: [PATCH 14/16] debuging issue (Saving debug log to /var/log/letsencrypt/letsencrypt.log) --- overlay/usr/local/bin/sync_configuration | 8 ++++---- overlay/usr/local/etc/nginx/conf.d/nextcloud.inc | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/overlay/usr/local/bin/sync_configuration b/overlay/usr/local/bin/sync_configuration index cd1c460..010b443 100755 --- a/overlay/usr/local/bin/sync_configuration +++ b/overlay/usr/local/bin/sync_configuration 
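Review bot: Changing the fallback to `${ALLOW_INSECURE_ACCESS:-true}` in all three scripts makes a fresh jail serve Nextcloud over plain HTTP with no self-signed certificate and no renewal unless the operator explicitly sets the variable to `false` — the opposite of a secure-by-default posture, with the default duplicated in three scripts plus the README where it can drift. If HTTP-by-default is genuinely wanted (the README suggests a TLS-terminating proxy in front), define it once in load_env, `: "${ALLOW_INSECURE_ACCESS:=true}"`, and drop the per-script fallbacks. Note also that post_install.sh generates certificates only when the value is exactly `false` while sync_configuration picks the https template for anything other than exactly `true`; a value such as `no` or `0` therefore yields an HTTPS vhost with no certificate.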
@@ -8,10 +8,10 @@ set -eu
 # - Nextcloud is accessed through : use port 443
 # - Nextcloud is accessed through :: use port $IOCAGE_HOST_PORT_HTTPS
 export NEXTCLOUD_HTTPS_PORT=443
-if certbot certificates | grep "No certificates found."
-then
- NEXTCLOUD_HTTPS_PORT=$IOCAGE_HOST_PORT_HTTPS
-fi
+#if certbot certificates | grep "No certificates found."
+#then
+# NEXTCLOUD_HTTPS_PORT=$IOCAGE_HOST_PORT_HTTPS
+#fi
 # Generate nginx configuration from the base template
 SCHEME=https
diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc
index 0d46064..80e43c3 100644
--- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc
+++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc
@@ -41,7 +41,7 @@ fastcgi_hide_header X-Powered-By;
 include mime.types;
 types {
 text/javascript mjs;
-application/wasm wasm;
+ application/wasm wasm;
 }
 # Specify how to handle directories -- specifying `/index.php$request_uri`

From 4bd5135d7982313839ad2718db612e2a74d89e98 Mon Sep 17 00:00:00 2001
From: Tom Olivier
Date: Tue, 30 Jul 2024 20:36:41 +0200
Subject: [PATCH 15/16] verbose for post_install.sh

---
 overlay/usr/local/etc/nginx/nginx.conf | 7 +------
 post_install.sh | 2 +-
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/overlay/usr/local/etc/nginx/nginx.conf b/overlay/usr/local/etc/nginx/nginx.conf
index 2126d0b..69bfba9 100644
--- a/overlay/usr/local/etc/nginx/nginx.conf
+++ b/overlay/usr/local/etc/nginx/nginx.conf
@@ -48,13 +48,8 @@ http {
 proxy_temp_path /var/tmp/nginx/proxy_temp;
- include mime.types;
+ #include mime.types;
 default_type application/octet-stream;
- # Set .mjs and .wasm MIME types
- types {
- text/javascript js mjs;
- application/wasm wasm;
- }
 # Logs format
 # ----------
diff --git a/post_install.sh b/post_install.sh
index 1bd2653..95dad1e 100755
--- a/post_install.sh
+++ b/post_install.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-set -eu
+set -xeu
 # Load environment variable from /etc/iocage-env
 . load_env
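Review bot: The certbot port check is commented out rather than removed, which leaves dead code in sync_configuration and turns the two comment lines above it, which still document the $IOCAGE_HOST_PORT_HTTPS case, into a description of behaviour the script no longer has. With the block disabled NEXTCLOUD_HTTPS_PORT is always 443, so any deployment that previously got the host port when no certbot certificate existed now presumably renders the nginx template with the wrong port. If this is a temporary workaround for the letsencrypt failure named in the subject, mark it as such, `# TODO: re-enable once 'certbot certificates' stops failing here (see letsencrypt.log)`, and amend the explanatory comment above; otherwise delete the four commented lines and the stale comment together. The script continues on both sides of the hunk.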
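Review bot: `include mime.types;` is commented out in the http context instead of deleted, and without it every server or location block that does not include mime.types itself falls back to `default_type application/octet-stream` for all files, a Content-Type that browsers refuse for stylesheets and module scripts. The nextcloud.inc touched in the previous patch carries its own `include mime.types;` plus a `types` block, so this looks like an attempt to silence the duplicate-extension warnings from defining the same types twice; if so, the remedy is to keep the global include and drop the extra `types` entries in one place, not to disable the MIME table. Whatever the intent, remove the dead `#include` line, or replace it with a comment stating where the table now comes from, `# mime.types is included per server in conf.d/nextcloud.inc`. Other server blocks in this file are outside the hunk, so whether they include mime.types cannot be checked here.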
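Review bot: `set -xeu` enables command tracing for the whole of post_install.sh, so every expanded command line, including any credential the script passes as a command argument, is written to stderr and lands wherever the installer's output is captured; the next patch flips the same switch in sync_configuration. The subject says this is for debugging, so it should not ship as the default: either revert to `set -eu` before merging, or gate tracing behind an environment variable, `[ "${POST_INSTALL_DEBUG:-}" = 1 ] && set -x`, and bracket the credential-handling section with `set +x` / `set -x`. `POST_INSTALL_DEBUG` is a constructed name here, not one the scripts define. The script continues outside the hunk.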
From daeee263bed6b9d7aedee06db2d59e5ac6e66b85 Mon Sep 17 00:00:00 2001
From: Tom Olivier
Date: Tue, 30 Jul 2024 20:47:42 +0200
Subject: [PATCH 16/16] i'm confused

---
 overlay/usr/local/bin/sync_configuration | 2 +-
 post_install.sh | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/overlay/usr/local/bin/sync_configuration b/overlay/usr/local/bin/sync_configuration
index 010b443..864668c 100755
--- a/overlay/usr/local/bin/sync_configuration
+++ b/overlay/usr/local/bin/sync_configuration
@@ -1,6 +1,6 @@
 #!/bin/sh
-set -eu
+set -xeu
 . load_env
diff --git a/post_install.sh b/post_install.sh
index 95dad1e..b3c2483 100755
--- a/post_install.sh
+++ b/post_install.sh
@@ -22,10 +22,10 @@ sysrc -f /etc/rc.conf redis_enable="YES"
 sysrc -f /etc/rc.conf fail2ban_enable="YES"
 # Start the service
-service nginx start 2>/dev/null
-service php-fpm start 2>/dev/null
-service mysql-server start 2> /dev/null
-service redis start 2>/dev/null
+service nginx start #2>/dev/null
+service php-fpm start #2>/dev/null
+service mysql-server start #2> /dev/null
+service redis start #2>/dev/null
 # https://docs.nextcloud.com/server/13/admin_manual/installation/installation_wizard.html do not use the same name for user and db
 USER="dbadmin"
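Review bot: Each `service … start` line now ends in a trailing `#2>/dev/null`, the old redirection kept as dead text rather than a decision: if the rc script output belongs in the install log, delete the four comment tails; if it is only wanted while debugging, keep the redirection and make it conditional. The redirection never affected exit status, so under the `set -e` at the top of this script a failing `service mysql-server start` aborted the installer before this change as well; silencing stderr only hid the reason. A comment stating the choice, `# Service output is left visible so rc script failures can be diagnosed`, would stop the next reader from restoring the redirection. The script continues past the hunk.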
