Nextcloud
Nextcloud + MariaDB
- Nextcloud documentation: https://nextcloud.com/
- Docker images: https://hub.docker.com/_/mariadb and https://hub.docker.com/_/nextcloud
Config - Setup
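# Directory for the compose file and directories for the persistent data
# (-p makes both commands safe to re-run).
mkdir -p /opt/application/nextcloud
mkdir -p /opt/data/mariadb /opt/data/nextcloud/data /opt/data/nextcloud/html
# After docker-compose up -d: the Nextcloud data directory is kept outside the
# default /var/www (NEXTCLOUD_DATA_DIR=/opt/data) for security reasons, so the
# container's web user has to own it.
docker exec -it cloud chown -R www-data /opt/data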
docker-compose.yml
with Traefik options
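---
# Nextcloud + MariaDB, published through an already-running Traefik on the
# external "zabra" network. The database publishes no host port: it is only
# reachable from containers on that network.
# Secrets (MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD) are read from the environment
# or the .env file at `docker-compose up` time; none are stored in this file.
version: "3.3"

networks:
  zabra:
    external: true

services:
  db:
    image: mariadb:10.8.8
    container_name: mariadb
    restart: always
    networks:
      - zabra
    # Isolation level / binlog format per Nextcloud's MariaDB requirements.
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - /opt/data/mariadb:/var/lib/mysql
    # Mapping form on purpose: the YAML parser consumes the quotes, so the
    # container receives the bare value. With the list form (- KEY="${VAR}")
    # the literal double quotes become part of the value.
    # NOTE(review): an instance first initialised with the quoted list form
    # may have stored the DB password *with* the quotes; confirm before switching.
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      # added to avoid error after upgrading to 10.8.8
      # https://mariadb.com/kb/en/incorrect-definition-of-table-mysql-column_stats-after-upgrade-from-10-6-5-/
      MARIADB_AUTO_UPGRADE: "1"

  nextcloud:
    image: nextcloud:29.0.4
    container_name: cloud
    hostname: cloud.enoks.fr
    restart: always
    networks:
      - zabra
    # Legacy: db is already resolvable by service name on the shared network.
    links:
      - db
    volumes:
      - /opt/data/nextcloud/html:/var/www/html
      - /opt/data/nextcloud/data:/opt/data:rw
    environment:
      # security rec: keep user data outside the default /var/www
      NEXTCLOUD_DATA_DIR: /opt/data
      NEXTCLOUD_TRUSTED_DOMAINS: "cloud.enoks.fr localhost"
      # NOTE(review): Nextcloud documents trusted_proxies as IP addresses /
      # CIDR ranges; verify that a service name is honoured here, otherwise
      # X-Forwarded-For is ignored, every client appears to come from the
      # proxy's address and brute-force throttling hits all users at once.
      TRUSTED_PROXIES: traefik
      OVERWRITEPROTOCOL: https
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_HOST: db
    labels:
      # Enable proxy through traefik and https
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.enoks.fr`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # Additional security options
      # Permanent redirect of the CalDAV/CardDAV well-known URLs to the DAV
      # endpoint ($$ escapes compose interpolation so Traefik receives $1).
      - "traefik.http.middlewares.nextcloudredir.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloudredir.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloudredir.redirectregex.replacement=https://$$1/remote.php/dav/"
      # HSTS for one year (31536000 s), subdomains excluded.
      # NOTE(review): the HSTS preload list requires includeSubDomains, so
      # stspreload=true does not make the domain preload-eligible as configured.
      - "traefik.http.middlewares.nextcloudsts.headers.stsincludesubdomains=false"
      - "traefik.http.middlewares.nextcloudsts.headers.stspreload=true"
      - "traefik.http.middlewares.nextcloudsts.headers.stsseconds=31536000"
      - "traefik.http.middlewares.nextcloudsts.headers.isdevelopment=false"
      # Attach both middlewares to the router.
      - "traefik.http.routers.nextcloud.middlewares=nextcloudredir,nextcloudsts"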
old docker-compose.yml
with Traefik options
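---
# Previous revision of the stack (older image tags, no MariaDB auto-upgrade).
# Kept for reference; the layout mirrors the current file.
# Secrets (MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD) are read from the environment
# or the .env file; none are stored in this file.
version: "3.3"

networks:
  zabra:
    external: true

services:
  db:
    image: mariadb:10.5.11
    container_name: mariadb
    restart: always
    networks:
      - zabra
    # Isolation level / binlog format per Nextcloud's MariaDB requirements.
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - /opt/data/mariadb:/var/lib/mysql
    # Mapping form on purpose: the YAML parser consumes the quotes, so the
    # container receives the bare value. With the list form (- KEY="${VAR}")
    # the literal double quotes become part of the value.
    # NOTE(review): an instance first initialised with the quoted list form
    # may have stored the DB password *with* the quotes; confirm before switching.
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud

  nextcloud:
    image: nextcloud:22.2.7
    container_name: cloud
    hostname: nextcloud.example.com
    restart: always
    networks:
      - zabra
    # Legacy: db is already resolvable by service name on the shared network.
    links:
      - db
    volumes:
      - /opt/data/nextcloud/html:/var/www/html
      - /opt/data/nextcloud/data:/opt/data:rw
    environment:
      # security rec: keep user data outside the default /var/www
      NEXTCLOUD_DATA_DIR: /opt/data
      NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.example.com localhost"
      # NOTE(review): Nextcloud documents trusted_proxies as IP addresses /
      # CIDR ranges; verify that a service name is honoured here.
      TRUSTED_PROXIES: traefik
      OVERWRITEPROTOCOL: https
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_HOST: db
    labels:
      # Enable proxy through traefik and https
      - "traefik.enable=true"
      # The Host rule must match the served hostname exactly; the previous
      # value was misspelled ("netxcloud"), so the router never matched.
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.example.com`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # Additional security options
      # Permanent redirect of the CalDAV/CardDAV well-known URLs to the DAV
      # endpoint ($$ escapes compose interpolation so Traefik receives $1).
      - "traefik.http.middlewares.nextcloudredir.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloudredir.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloudredir.redirectregex.replacement=https://$$1/remote.php/dav/"
      # HSTS for one year (31536000 s), subdomains excluded.
      - "traefik.http.middlewares.nextcloudsts.headers.stsincludesubdomains=false"
      - "traefik.http.middlewares.nextcloudsts.headers.stspreload=true"
      - "traefik.http.middlewares.nextcloudsts.headers.stsseconds=31536000"
      - "traefik.http.middlewares.nextcloudsts.headers.isdevelopment=false"
      # Attach both middlewares to the router.
      - "traefik.http.routers.nextcloud.middlewares=nextcloudredir,nextcloudsts"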
Operations
Background jobs configuration
Enable cron jobs: https://docs.nextcloud.com/server/21/admin_manual/configuration_server/background_jobs_configuration.html
This needs to be adapted to the Docker setup:
# Added in root crontab to run docker command
# container name is: cloud
# Runs Nextcloud's background jobs every 5 minutes, as www-data inside the container.
# NOTE(review): cron runs with a minimal PATH; confirm `docker` resolves from it
# (or use its absolute path), otherwise the job fails silently every 5 minutes.
*/5 * * * * docker exec -i -u www-data cloud php -f /var/www/html/cron.php
Upgrade
Nextcloud Upgrade Documentation : https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html
To ensure you can upgrade your current version to the target version (for example 24.0.12):
- Pull the `24.0.12` tag of the image.
- Run a temporary container with the image: `docker run --name upgrade-check --rm -dit nextcloud:24.0.12`
- Check the value of the `$OC_VersionCanBeUpgradedFrom` variable in the `version.php` file: `docker exec -it upgrade-check cat version.php`, then `docker stop upgrade-check`.
version.php content
<?php
// Sample version.php as shipped in the nextcloud:24.0.12 image (output of the
// `docker exec ... cat version.php` check above).
$OC_Version = array(24,0,12,1);
$OC_VersionString = '24.0.12';
$OC_Edition = '';
$OC_Channel = 'stable';
// The versions this build accepts an upgrade from. This is the value to
// compare against the currently running instance before pulling the new tag.
$OC_VersionCanBeUpgradedFrom = array (
'nextcloud' =>
array (
'23.0' => true,
'24.0' => true,
),
'owncloud' =>
array (
'10.5' => true,
),
);
$OC_Build = '2023-04-19T16:04:20+00:00 5b79bb15b510f52ab598fa45e6977857a9d4895a';
$vendor = 'nextcloud';
After the upgrade, check the administrator's dashboard: sometimes additional DB tasks are needed.
- Add missing indices :
docker exec -i -u www-data cloud ./occ db:add-missing-indices
- Convert data type:
docker exec -i -u www-data cloud ./occ db:convert-filecache-bigint
php-imagick SVG support
To remove the php-imagick SVG support warning, install libmagickcore-6.q16-6-extra: `apt install libmagickcore-6.q16-6-extra`
To remove the ISO phone-region warning, add `'default_phone_region' => 'fr'` to config.php.
Traefik v2 enable HSTS for Nextcloud Container
At first, it is not easy to understand how to configure Traefik v2 for Nextcloud to meet the security recommendations: HSTS (HTTP Strict Transport Security), STS (Strict Transport Security) and trusted proxy.
Here is the configuration that makes it work:
# Additional security options
# Permanent redirect of the CalDAV/CardDAV well-known URLs to the DAV endpoint
# ($$ escapes docker-compose interpolation so Traefik receives $1).
- "traefik.http.middlewares.nextcloudredir.redirectregex.permanent=true"
- "traefik.http.middlewares.nextcloudredir.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
- "traefik.http.middlewares.nextcloudredir.redirectregex.replacement=https://$$1/remote.php/dav/"
# HSTS for one year (31536000 s), subdomains excluded.
# NOTE(review): the HSTS preload list requires includeSubDomains, so
# stspreload=true does not make the domain preload-eligible as configured.
- "traefik.http.middlewares.nextcloudsts.headers.stsincludesubdomains=false"
- "traefik.http.middlewares.nextcloudsts.headers.stspreload=true"
- "traefik.http.middlewares.nextcloudsts.headers.stsseconds=31536000"
- "traefik.http.middlewares.nextcloudsts.headers.isdevelopment=false"
# Attach both middlewares to the nextcloud router.
- "traefik.http.routers.nextcloud.middlewares=nextcloudredir,nextcloudsts"