Comment on Getting started with NextCloud?
rtxn@lemmy.world 3 weeks ago
I use Docker Compose to run my Nextcloud server using the community image, which in turn lives inside an unprivileged LXC container.
:::spoiler compose.yaml
volumes: db: services: db: image: mariadb:lts container_name: mariadb restart: always command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW volumes: - db:/var/lib/mysql secrets: - mysql_root_password - mysql_nextcloud_password environment: - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password - MYSQL_PASSWORD_FILE=/run/secrets/mysql_nextcloud_password - MYSQL_DATABASE=nextcloud - MYSQL_USER=nextcloud nextcloud: image: nextcloud:latest container_name: nextcloud restart: always ports: - 8080:80 depends_on: - db volumes: - /var/www/html:/var/www/html - /srv/nextcloud:/srv environment: - MYSQL_PASSWORD_FILE=/run/secrets/mysql_nextcloud_password - MYSQL_DATABASE=nextcloud - MYSQL_USER=nextcloud - MYSQL_HOST=db secrets: mysql_root_password: file: ./secrets/mysql_root_password.txt mysql_nextcloud_password: file: ./secrets/mysql_nextcloud_password.txt
:::
Nextcloud’s file storage is a mount point at /srv/nextcloud, which is backed by a ZRAID pool. The secrets are stored in files with 600 permissions. The web server is initially exposed on port 8080.
When you run the container for the first time, it will show a first time setup dialog. You’ll have to fill it out manually, using mariadb for the database type and db for the database hostname.
If Nextcloud works through HTTP, you can then set up a proxy for HTTPS. I used Nginx running on the same LXC. I can’t guarantee that my config is adequately secure, use it at your own risk.
:::spoiler 10-nextcloud.conf
upstream php-handler { server 127.0.0.1:9000; } server { listen 80; listen [::]:80; server_name nextcloud.your.domain; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name nextcloud.your.domain; keepalive_timeout 70; client_max_body_size 32G; ssl_certificate /etc/nginx/ssl/ssl.crt; ssl_certificate_key /etc/nginx/ssl/ssl.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; fastcgi_hide_header X-Powered-By; location / { proxy_pass http://127.0.0.1:8080/; } }
:::
To allow the web app to work using the DNS name, you’ll have to edit /var/www/html/config/config.php and change/add these values:
:::spoiler config.php (partial)
'trusted_domains' => array( 0 => '127.0.0.1:8080', 1 => 'nextcloud.your.domain', // 2 => whatever other addresses you want to use ), 'overwrite.cli.url' => 'https://nextcloud.your.domain/', 'overwriteprotocol' => 'https', 'overwritehost' => 'nextcloud.ng.local'
:::