diff --git a/README.md b/README.md index c95ec5d..54028d3 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ Example of `/root/jail_options.env`: ```shell # Allow insecure access to Nextcloud through HTTP. Useful when TrueNAS is behind an external proxy. -export ALLOW_INSECURE_ACCESS= # default: false +export ALLOW_INSECURE_ACCESS= # default: true ``` - `occ []`: diff --git a/overlay/root/config/aio.config.php b/overlay/root/config/aio.config.php new file mode 100644 index 0000000..65c5ab8 --- /dev/null +++ b/overlay/root/config/aio.config.php @@ -0,0 +1,5 @@ + true, + 'one-click-instance.user-limit' => 100, +); \ No newline at end of file diff --git a/overlay/root/config/apcu.config.php b/overlay/root/config/apcu.config.php new file mode 100644 index 0000000..298fcc3 --- /dev/null +++ b/overlay/root/config/apcu.config.php @@ -0,0 +1,4 @@ + '\OC\Memcache\APCu', +); \ No newline at end of file diff --git a/overlay/root/config/redis.config.php b/overlay/root/config/redis.config.php new file mode 100644 index 0000000..744001f --- /dev/null +++ b/overlay/root/config/redis.config.php @@ -0,0 +1,8 @@ + '\OC\Memcache\Redis', + 'memcache.locking' => '\OC\Memcache\Redis', + 'redis' => array( + 'host' => 'localhost', + ), +); \ No newline at end of file diff --git a/overlay/root/config/truenas.config.php b/overlay/root/config/truenas.config.php index 7dde64c..1b53d62 100644 --- a/overlay/root/config/truenas.config.php +++ b/overlay/root/config/truenas.config.php @@ -1,12 +1,4 @@ true, - 'one-click-instance.user-limit' => 100, - 'memcache.local' => '\\OC\\Memcache\\APCu', - 'memcache.distributed' => '\OC\Memcache\Redis', - 'memcache.locking' => '\OC\Memcache\Redis', - 'redis' => array( - 'host' => 'localhost', - ), 'logfile' => '/var/log/nextcloud/nextcloud.log' ); \ No newline at end of file diff --git a/overlay/root/migrations/1.sh b/overlay/root/migrations/1.sh index 0315659..dbe0738 100755 --- a/overlay/root/migrations/1.sh +++ b/overlay/root/migrations/1.sh 
@@ -10,7 +10,7 @@ sysrc -f /etc/rc.conf redis_enable="YES" sysrc -f /etc/rc.conf fail2ban_enable="YES" service redis start 2>/dev/null service fail2ban start 2>/dev/null -service mysql-server start 2>/dev/null +service mysql-server start 2> /dev/null # Wait for mysql to be up until mysql --user dbadmin --password="$(cat /root/dbpassword)" --execute "SHOW DATABASES" > /dev/null @@ -22,10 +22,5 @@ done # Change cron execution method su -m www -c "php /usr/local/www/nextcloud/occ background:cron" -# Install default applications -su -m www -c "php /usr/local/www/nextcloud/occ app:install contacts" -su -m www -c "php /usr/local/www/nextcloud/occ app:install calendar" -su -m www -c "php /usr/local/www/nextcloud/occ app:install notes" -su -m www -c "php /usr/local/www/nextcloud/occ app:install deck" -su -m www -c "php /usr/local/www/nextcloud/occ app:install spreed" -su -m www -c "php /usr/local/www/nextcloud/occ app:install mail" +# Upgrade Nextcloud +su -m www -c "php /usr/local/www/nextcloud/occ upgrade" diff --git a/overlay/usr/local/bin/load_env b/overlay/usr/local/bin/load_env index 87b4530..fd90c87 100755 --- a/overlay/usr/local/bin/load_env +++ b/overlay/usr/local/bin/load_env @@ -50,3 +50,4 @@ fi IOCAGE_HOST_ADDRESS=$(grep HOST_ADDRESS= /etc/iocage-env | cut -d '=' -f 2) IOCAGE_HOST_ADDRESS_BCAST=$(grep HOST_ADDRESS_BCAST= /etc/iocage-env | cut -d '=' -f 2) +IOCAGE_HOST_SUBNET=$(echo "$IOCAGE_HOST_ADDRESS" | cut -d '.' -f 1-3) diff --git a/overlay/usr/local/bin/renew_certificates b/overlay/usr/local/bin/renew_certificates index d5bed3b..38e1167 100755 --- a/overlay/usr/local/bin/renew_certificates +++ b/overlay/usr/local/bin/renew_certificates @@ -2,6 +2,13 @@ set -eu +. load_env + +if [ "${ALLOW_INSECURE_ACCESS:-true}" = "true" ] +then + exit 0 +fi + if certbot certificates | grep 'No certificates found' then # Limit self-signed certificate renewal to on month before expiration 
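Review bot: The new `IOCAGE_HOST_SUBNET` line assumes `IOCAGE_HOST_ADDRESS` is a dotted-quad IPv4 address; for an IPv6 or empty value `cut -d '.' -f 1-3` hands back the whole string, and the /24 prefix length is implied rather than taken from `HOST_ADDRESS_BCAST` or a netmask. Because post_install.sh later in this diff expands the value into a `trusted_domains` wildcard, a wrong result silently widens or breaks that setting. A guard such as `case "$IOCAGE_HOST_ADDRESS" in *.*.*.*) IOCAGE_HOST_SUBNET=${IOCAGE_HOST_ADDRESS%.*} ;; esac` plus a comment stating the IPv4-/24 assumption would make the limitation explicit.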
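Review bot: The `${ALLOW_INSECURE_ACCESS:-true}` default on the new guard makes the unset case skip certificate renewal entirely, and the same flipped default in sync_configuration (previously `:-false`) and post_install switches the generated nginx config to plain HTTP and skips self-signed certificate generation. An existing jail whose jail_options.env predates this variable would therefore lose HTTPS on its next update without any message. If insecure-by-default is intended, the README should say so and the update path should write the variable; otherwise keep `if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ]` in all three scripts. The `if certbot certificates` body that follows continues outside the hunk.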
diff --git a/overlay/usr/local/bin/sync_configuration b/overlay/usr/local/bin/sync_configuration index d26da22..864668c 100755 --- a/overlay/usr/local/bin/sync_configuration +++ b/overlay/usr/local/bin/sync_configuration @@ -1,6 +1,6 @@ #!/bin/sh -set -eu +set -xeu . load_env @@ -8,14 +8,14 @@ set -eu # - Nextcloud is accessed through : use port 443 # - Nextcloud is accessed through :: use port $IOCAGE_HOST_PORT_HTTPS export NEXTCLOUD_HTTPS_PORT=443 -if certbot certificates | grep "No certificates found." -then - NEXTCLOUD_HTTPS_PORT=$IOCAGE_HOST_PORT_HTTPS -fi +#if certbot certificates | grep "No certificates found." +#then +# NEXTCLOUD_HTTPS_PORT=$IOCAGE_HOST_PORT_HTTPS +#fi # Generate nginx configuration from the base template SCHEME=https -if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ] +if [ "${ALLOW_INSECURE_ACCESS:-true}" = "true" ] then SCHEME=http fi @@ -23,6 +23,6 @@ fi envsubst "\${NEXTCLOUD_HTTPS_PORT}" < "/usr/local/etc/nginx/conf.d/nextcloud.$SCHEME.conf.template" > "/usr/local/etc/nginx/conf.d/nextcloud.conf" # Copy Nextcloud custom configuration -cp /root/config/truenas.config.php /usr/local/www/nextcloud/config/truenas.config.php +cp /root/config/*.php /usr/local/www/nextcloud/config/ chown -R www:www /usr/local/www/nextcloud/config chmod -R u+rw /usr/local/www/nextcloud/config diff --git a/overlay/usr/local/etc/my.cnf b/overlay/usr/local/etc/mysql/conf.d/nextcloud.cnf similarity index 100% rename from overlay/usr/local/etc/my.cnf rename to overlay/usr/local/etc/mysql/conf.d/nextcloud.cnf diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template b/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template index 19ea621..f39d14c 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template 
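Review bot: Commenting out the `certbot certificates` check in the second hunk leaves `NEXTCLOUD_HTTPS_PORT=443` unconditional while the comment lines directly above it (`use port $IOCAGE_HOST_PORT_HTTPS`) still describe the removed branch, so the script now documents behaviour it no longer has. Either delete the four `#if … #fi` lines and rewrite that comment, or keep the check; commented-out code in a config generator tends to be resurrected by accident. The first hunk also commits `set -xeu`; tracing belongs behind an opt-in such as `[ -n "${DEBUG:-}" ] && set -x`, since every expanded command is otherwise copied into the caller's log.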
@@ -2,15 +2,15 @@ upstream php-handler { server unix:/var/run/nextcloud-php-fpm.sock; } +# Set the `immutable` cache control options only for assets with a cache busting `v` argument +map $arg_v $asset_immutable { + "" ""; + default ", immutable"; +} + server { listen 80 default_server; listen [::]:80; - location ^~ /.well-known/acme-challenge { - # Path to the root of your installation - root /usr/local/www/nextcloud/; - try_files $uri $uri/ =404; - } - include conf.d/nextcloud.inc; } diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template b/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template index d9b685c..788c7da 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template @@ -2,20 +2,19 @@ upstream php-handler { server unix:/var/run/nextcloud-php-fpm.sock; } +# Set the `immutable` cache control options only for assets with a cache busting `v` argument +map $arg_v $asset_immutable { + "" ""; + default ", immutable"; +} + # Redirect to HTTPS server { listen 80 default_server; listen [::]:80; - location ^~ /.well-known/acme-challenge { - # Path to the root of your installation - root /usr/local/www/nextcloud/; - try_files $uri $uri/ =404; - } - - location / { - return 301 https://$host:$NEXTCLOUD_HTTPS_PORT$request_uri; - } + # Enforce HTTPS + return 301 https://$server_name$request_uri; } server { diff --git a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc index ed3655d..80e43c3 100644 --- a/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc +++ b/overlay/usr/local/etc/nginx/conf.d/nextcloud.inc @@ -1,5 +1,9 @@ -# set max upload size +# Path to the root of your installation +root /usr/local/www/nextcloud/; + +# set max upload size and increase upload timeout: client_max_body_size 512M; +client_body_timeout 300s; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers 
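Review bot: The new `return 301 https://$server_name$request_uri;` in the port-80 server of the HTTPS template builds the redirect from `$server_name`, but no `server_name` directive is visible in that block; nginx's default for `server_name` is the empty string, so the Location header would read `https:///…`. The removed line used `$host:$NEXTCLOUD_HTTPS_PORT`, which also carried a non-443 port. Prefer `return 301 https://$host$request_uri;` (with the port appended if sync_configuration can still choose one). Dropping the `/.well-known/acme-challenge` exception from both templates additionally sends HTTP-01 validation requests through the redirect, which only works if the HTTPS server serves that path.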
@@ -8,26 +12,37 @@ gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; -gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; +gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Pagespeed is not supported by Nextcloud, so if your server is built # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; +# The settings allows you to optimize the HTTP2 bandwidth. 
+# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ +# for tuning hints +client_body_buffer_size 512k; + # HTTP response headers borrowed from Nextcloud `.htaccess` -add_header Referrer-Policy "no-referrer" always; -add_header X-Content-Type-Options "nosniff" always; -add_header X-Download-Options "noopen" always; -add_header X-Frame-Options "SAMEORIGIN" always; -add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "none" always; -add_header X-XSS-Protection "1; mode=block" always; +add_header Referrer-Policy "no-referrer" always; +add_header X-Content-Type-Options "nosniff" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header X-Permitted-Cross-Domain-Policies "none" always; +add_header X-Robots-Tag "noindex, nofollow" always; +add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; -# Path to the root of your installation -root /usr/local/www/nextcloud/; +# Set .mjs and .wasm MIME types +# Either include it in the default mime.types list +# and include that list explicitly or add the file extension +# only for Nextcloud like below: +include mime.types; +types { + text/javascript mjs; + application/wasm wasm; +} # Specify how to handle directories -- specifying `/index.php$request_uri` # here as the fallback means that Nginx always exhibits the desired behaviour @@ -36,7 +51,7 @@ root /usr/local/www/nextcloud/; # that file is correctly served; if it doesn't, then the request is passed to # the front-end controller. This consistent behaviour means that we don't need # to specify custom rules for certain paths (e.g. images and other assets, -# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus +# `/updater`, `/ocs-provider`), and thus # `try_files $uri $uri/ /index.php$request_uri` # always provides the desired behaviour. index index.php index.html /index.php$request_uri; 
@@ -62,8 +77,6 @@ location ^~ /.well-known { # The rules in this block are an adaptation of the rules # in `.htaccess` that concern `/.well-known`. - # Needed to prevent including the scheme, domain and port in the Location header. - absolute_redirect off; location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } @@ -85,7 +98,7 @@ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -95,7 +108,7 @@ location ~ \.php(?:$|/) { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; + #fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls 
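Review bot: Removing `absolute_redirect off;` from the `location ^~ /.well-known` block reverts to nginx's default of expanding the relative `return 301 /remote.php/dav/;` targets into absolute URLs built from the backend's own scheme, host and port. Behind the external proxy the README mentions, and with `ALLOW_INSECURE_ACCESS` now defaulting to HTTP, CalDAV/CardDAV clients would be sent to `http://<backend-host>:<port>/remote.php/dav/` instead of the public URL; the deleted comment stated exactly this. Keep `absolute_redirect off;` unless the removal is deliberate, in which case replace the comment with the reason. The `.well-known` block continues past the end of the hunk.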
@@ -103,11 +116,21 @@ location ~ \.php(?:$|/) { fastcgi_intercept_errors on; fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; } -location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ { +# Serve static files +location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Cache-Control "public, max-age=15778463$asset_immutable"; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; access_log off; # Optional: Don't log access to assets } diff --git a/overlay/usr/local/etc/nginx/nginx.conf b/overlay/usr/local/etc/nginx/nginx.conf index 66bcf11..69bfba9 100644 --- a/overlay/usr/local/etc/nginx/nginx.conf +++ b/overlay/usr/local/etc/nginx/nginx.conf @@ -48,7 +48,7 @@ http { proxy_temp_path /var/tmp/nginx/proxy_temp; - include mime.types; + #include mime.types; default_type application/octet-stream; # Logs format diff --git a/overlay/usr/local/etc/php-fpm.d/nextcloud.conf b/overlay/usr/local/etc/php-fpm.d/nextcloud.conf index 23a0094..479ab4f 100644 --- a/overlay/usr/local/etc/php-fpm.d/nextcloud.conf +++ b/overlay/usr/local/etc/php-fpm.d/nextcloud.conf @@ -6,12 +6,8 @@ listen = /var/run/nextcloud-php-fpm.sock listen.owner = www listen.group = www -pm = dynamic -pm.max_children = 100 -pm.start_servers = 25 -pm.min_spare_servers = 25 -pm.max_spare_servers = 75 +pm = ondemand +pm.max_children = 5000 -php_admin_value[session.save_path] = "/usr/local/www/nextcloud-sessions-tmp" ; Nextcloud wants PATH environment variable set. env[PATH] = $PATH 
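Review bot: Commenting out `include mime.types;` at `http {}` level in nginx.conf makes any server block other than the Nextcloud one fall back to `default_type application/octet-stream`, because the replacement `include mime.types;` lives in nextcloud.inc and is scoped to that server. The http-level include is harmless alongside the server-level one (a `types {}` block declared in a context appears to replace rather than extend the inherited table, which is exactly why nextcloud.inc re-includes the full list before adding `mjs` and `wasm`). Restore `include mime.types;` in nginx.conf and drop the commented line; if there are no other server blocks this is only a tidiness point.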
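Review bot: `pm.max_children = 5000` with `pm = ondemand` is effectively no cap: each worker may grow to the `memory_limit=512M` set in nextcloud.ini elsewhere in this diff, so a burst of requests exhausts the jail's memory long before the limit applies, which is a cheap denial of service against an HTTP-exposed instance. Size it from available RAM instead (roughly `<RAM reserved for PHP> / <typical worker RSS>`) and add `pm.process_idle_timeout` so idle workers are reaped. Removing `php_admin_value[session.save_path]` also hands sessions to the Redis handler in redis-session.ini; that ini must actually be loaded by this pool's PHP, otherwise sessions silently fall back to the default files path.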
diff --git a/overlay/usr/local/etc/php/nextcloud.ini b/overlay/usr/local/etc/php/nextcloud.ini new file mode 100644 index 0000000..c812190 --- /dev/null +++ b/overlay/usr/local/etc/php/nextcloud.ini @@ -0,0 +1,7 @@ +memory_limit=512M +upload_max_filesize=0 +post_max_size=0 +max_execution_time=3600 +max_input_time=3600 +default_socket_timeout=600 +output_buffering=0 \ No newline at end of file diff --git a/overlay/usr/local/etc/php/opcache-recommended.ini b/overlay/usr/local/etc/php/opcache-recommended.ini new file mode 100644 index 0000000..ad69ce7 --- /dev/null +++ b/overlay/usr/local/etc/php/opcache-recommended.ini @@ -0,0 +1,6 @@ +opcache.memory_consumption=256 +opcache.interned_strings_buffer=64 +opcache.save_comments=1 +opcache.revalidate_freq=60 +opcache.jit=1255 +opcache.jit_buffer_size=128M \ No newline at end of file diff --git a/overlay/usr/local/etc/php/php-ext-apcu.ini b/overlay/usr/local/etc/php/php-ext-apcu.ini new file mode 100644 index 0000000..faca36b --- /dev/null +++ b/overlay/usr/local/etc/php/php-ext-apcu.ini @@ -0,0 +1 @@ +apc.enable_cli=1 \ No newline at end of file diff --git a/overlay/usr/local/etc/php/php-ext-igbinary.ini b/overlay/usr/local/etc/php/php-ext-igbinary.ini new file mode 100644 index 0000000..ad05480 --- /dev/null +++ b/overlay/usr/local/etc/php/php-ext-igbinary.ini @@ -0,0 +1,2 @@ +apc.serializer=igbinary +session.serialize_handler=igbinary \ No newline at end of file diff --git a/overlay/usr/local/etc/php/php.truenas.ini b/overlay/usr/local/etc/php/php.truenas.ini deleted file mode 100644 index 4377f4f..0000000 --- a/overlay/usr/local/etc/php/php.truenas.ini +++ /dev/null 
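Review bot: `upload_max_filesize=0` and `post_max_size=0` drop the PHP-side request-body limits, yet nginx still enforces `client_max_body_size 512M` in nextcloud.inc, so the effective ceiling stays 512M and is now enforced only in a place these values obscure. PHP treats 0 as no limit for `post_max_size`; whether `upload_max_filesize` accepts 0 the same way should be confirmed, since if it does not, multipart uploads would be rejected outright. Either set both PHP values to the same 512M so the bound is explicit in both layers, or raise the nginx value to what is intended, and add a comment in nextcloud.ini naming where the bound lives. `max_execution_time=3600` also lets one request hold a worker for an hour, which should be weighed against the php-fpm pool sizing.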
@@ -1,20 +0,0 @@ -; https://docs.nextcloud.com/server/22/admin_manual/installation/server_tuning.html?highlight=tuning - -[PHP] -; recommended value of 512MB for php memory limit (avoid warning when running occ) -memory_limit=512M -post_max_size=513M -upload_max_filesize=513M - -[opcache] -; Modify opcache settings in php.ini according to Nextcloud documentation (remove comment and set recommended value) -opcache.enable=1 -opcache.enable_cli=1 -opcache.memory_consumption=512 -opcache.interned_strings_buffer=8 -opcache.max_accelerated_files=10000 -opcache.revalidate_freq=1 -opcache.save_comments=1 - -[apcu] -apc.enable_cli=1 diff --git a/overlay/usr/local/etc/php/redis-session.ini b/overlay/usr/local/etc/php/redis-session.ini new file mode 100644 index 0000000..aa69175 --- /dev/null +++ b/overlay/usr/local/etc/php/redis-session.ini @@ -0,0 +1,5 @@ +session.save_handler = redis +session.save_path = "tcp://127.0.0.1:6379" +redis.session.locking_enabled = 1 +redis.session.lock_retries = -1 +redis.session.lock_wait_time = 10000 \ No newline at end of file diff --git a/post_install.sh b/post_install.sh index a3894e2..b3c2483 100755 --- a/post_install.sh +++ b/post_install.sh @@ -1,6 +1,6 @@ #!/bin/sh -set -eu +set -xeu # Load environment variable from /etc/iocage-env . load_env @@ -9,7 +9,10 @@ set -eu sync_configuration # Generate self-signed TLS certificates -generate_self_signed_tls_certificates +if [ "${ALLOW_INSECURE_ACCESS:-true}" = "false" ] +then + generate_self_signed_tls_certificates +fi # Enable the necessary services sysrc -f /etc/rc.conf nginx_enable="YES" 
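Review bot: `set -xeu` in post_install.sh traces every expanded command to stderr, and the same file runs `mysqladmin -u root password "${PASS}"`, `mysql -u root -p"${PASS}"` and the `occ maintenance:install … --admin-pass=\"$NCPASS\"` line (visible in the following hunks), so the trace writes the database root password and the Nextcloud admin password into whatever captures the plugin's install output. Revert to `set -eu`, or bracket the credential-handling commands with `set +x` / `set -x` if tracing is genuinely wanted; the `#2>/dev/null` edits to the service starts in the next hunk suggest a debugging session rather than an intended change. The same `set -xeu` was added to sync_configuration.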
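Review bot: The new guard around `generate_self_signed_tls_certificates` compares against `"false"` while sync_configuration and renew_certificates compare against `"true"`, so any other value (`0`, `no`, `False`) makes sync_configuration emit the HTTPS nginx config but post_install skip certificate generation, and nginx then starts against a missing certificate. Invert the test to match the other scripts: `if [ "${ALLOW_INSECURE_ACCESS:-true}" != "true" ]`.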
@@ -19,10 +22,10 @@ sysrc -f /etc/rc.conf redis_enable="YES" sysrc -f /etc/rc.conf fail2ban_enable="YES" # Start the service -service nginx start 2>/dev/null -service php-fpm start 2>/dev/null -service mysql-server start 2>/dev/null -service redis start 2>/dev/null +service nginx start #2>/dev/null +service php-fpm start #2>/dev/null +service mysql-server start #2> /dev/null +service redis start #2>/dev/null # https://docs.nextcloud.com/server/13/admin_manual/installation/installation_wizard.html do not use the same name for user and db USER="dbadmin" @@ -42,8 +45,8 @@ NCPASS=$(cat /root/ncpassword) # Configure mysql mysqladmin -u root password "${PASS}" mysql -u root -p"${PASS}" --connect-expired-password <<-EOF -ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${PASS}'; -CREATE USER '${USER}'@'localhost' IDENTIFIED WITH mysql_native_password BY '${PASS}'; +ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password USING PASSWORD('${PASS}'); +CREATE USER '${USER}'@'localhost' IDENTIFIED WITH mysql_native_password USING PASSWORD('${PASS}'); GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON ${DB}.* TO '${USER}'@'localhost'; FLUSH PRIVILEGES; 
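Review bot: `IDENTIFIED WITH mysql_native_password USING PASSWORD('…')` is MariaDB syntax (MySQL 8 accepts only `IDENTIFIED WITH … BY '…'`), and together with the move to `mysql/conf.d/nextcloud.cnf` this commit appears to switch the jail to MariaDB without saying so; a one-line comment above the heredoc naming the expected server would save the next reader a failed install. `${PASS}` is still interpolated unescaped into the SQL string literal, which is safe only if /root/dbpassword is generated from a quote-free alphabet, and that is not visible here. The heredoc ends at the `FLUSH PRIVILEGES;` line shown, but the surrounding script continues outside the hunk.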
@@ -59,14 +62,14 @@ su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install \ --database-name=\"nextcloud\" \ --database-user=\"$USER\" \ --database-pass=\"$PASS\" \ - --database-host=\"localhost\" \ + --database-host=\"127.0.0.1\" \ --admin-user=\"$NCUSER\" \ --admin-pass=\"$NCPASS\" \ --data-dir=\"/usr/local/www/nextcloud/data\"" su -m www -c "php /usr/local/www/nextcloud/occ background:cron" -su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value='${IOCAGE_HOST_ADDRESS}'" +su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value='${IOCAGE_HOST_SUBNET}.*'" su -m www -c "php /usr/local/www/nextcloud/occ app:install contacts" su -m www -c "php /usr/local/www/nextcloud/occ app:install calendar" diff --git a/post_update.sh b/post_update.sh index a981fc1..ee910db 100644 --- a/post_update.sh +++ b/post_update.sh @@ -25,6 +25,8 @@ do } done +# Remove old files +rm -fv /usr/local/etc/php/php.truenas.ini # Generate some configuration from templates. sync_configuration @@ -32,3 +34,6 @@ sync_configuration chmod -R o-rwx /usr/local/www/nextcloud # Give full ownership of the nextcloud directory to www chown -R www:www /usr/local/www/nextcloud + +# DB migration check +run_db_migrations
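Review bot: `trusted_domains 1 --value='${IOCAGE_HOST_SUBNET}.*'` trusts every Host header in the jail's /24 instead of the jail's own address. `trusted_domains` is the check that stops Host-header poisoning of the absolute URLs Nextcloud generates (password-reset and share links, redirects), so the wildcard lets a request carrying `Host: <any other IP in that /24>` produce links to a host someone else controls on the same LAN. If the goal is surviving an address change, keep the exact address here and document adding a hostname with a further `occ config:system:set trusted_domains 2 --value=...`; the subnet derivation in load_env also assumes IPv4. `--database-host=127.0.0.1` forces TCP, which matches a `'dbadmin'@'localhost'` grant only while the server resolves 127.0.0.1 to localhost (i.e. `skip_name_resolve` is off) — worth a comment.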
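Review bot: `run_db_migrations` is invoked as a bare command with no definition or path anywhere in this diff, and it runs after `chown -R www:www` has already changed ownership; if the helper is missing or fails under whatever `set -e` post_update.sh uses (its header is outside the hunk), the update aborts at its last step with nothing indicating which migration state was reached. A comment such as `# run_db_migrations lives in /usr/local/bin (overlay) and applies /root/migrations/*.sh once each` — adjusted to wherever it actually lives — plus a `command -v run_db_migrations >/dev/null || { echo "run_db_migrations missing" >&2; exit 1; }` guard would make the dependency explicit.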