From 3c1b6dff055b5463efa9b0d5dc46c1940f46865f Mon Sep 17 00:00:00 2001 
From: Quentin Duchemin <quentinduchemin@tuta.io>
Date: Fri, 7 Aug 2020 15:52:39 +0200
Subject: [PATCH] [NextCloud] Add files for Picasoft and CeT
---
 nextcloud-docker/README.md | 1 -
 .../13.0/Dockerfile | 0
 .../13.0/config/apache-pretty-urls.config.php | 0
 .../13.0/config/apcu.config.php | 0
 .../13.0/config/apps.config.php | 0
 .../13.0/config/autoconfig.php | 0
 .../13.0/cron.sh | 0
 .../13.0/entrypoint.sh | 0
 .../15.0/Dockerfile | 0
 .../15.0/config/apache-pretty-urls.config.php | 0
 .../15.0/config/apcu.config.php | 0
 .../15.0/config/apps.config.php | 0
 .../15.0/config/autoconfig.php | 0
 .../15.0/config/redis.config.php | 0
 .../15.0/cron.sh | 0
 .../15.0/entrypoint.sh | 0
 .../15.0/upgrade.exclude | 0
 pica-nextcloud/README.md | 56 ++++++
 pica-nextcloud/docker-compose-cet.yml | 35 ++++
 pica-nextcloud/docker-compose-pica.yml | 58 +++++++
 pica-nextcloud/nginx.conf | 161 ++++++++++++++++++
 .../secrets/cloudcet.secrets.example | 5 +
 pica-nextcloud/secrets/pica.secrets.example | 4 +
 23 files changed, 319 insertions(+), 1 deletion(-)
 delete mode 100644 nextcloud-docker/README.md
 rename {nextcloud-docker => pica-nextcloud}/13.0/Dockerfile (100%)
 rename {nextcloud-docker => pica-nextcloud}/13.0/config/apache-pretty-urls.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/13.0/config/apcu.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/13.0/config/apps.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/13.0/config/autoconfig.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/13.0/cron.sh (100%)
 rename {nextcloud-docker => pica-nextcloud}/13.0/entrypoint.sh (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/Dockerfile (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/config/apache-pretty-urls.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/config/apcu.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/config/apps.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/config/autoconfig.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/config/redis.config.php (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/cron.sh (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/entrypoint.sh (100%)
 rename {nextcloud-docker => pica-nextcloud}/15.0/upgrade.exclude (100%)
 create mode 100644 pica-nextcloud/README.md
 create mode 100644 pica-nextcloud/docker-compose-cet.yml
 create mode 100644 pica-nextcloud/docker-compose-pica.yml
 create mode 100644 pica-nextcloud/nginx.conf
 create mode 100644 pica-nextcloud/secrets/cloudcet.secrets.example
 create mode 100644 pica-nextcloud/secrets/pica.secrets.example
diff --git a/nextcloud-docker/README.md b/nextcloud-docker/README.md
deleted file mode 100644
index 890d6ff3..00000000
--- a/nextcloud-docker/README.md
+++ /dev/null
@@ -1 +0,0 @@
-**Ajouter le docker-compose et la documentation de mise à jour**
diff --git a/nextcloud-docker/13.0/Dockerfile b/pica-nextcloud/13.0/Dockerfile
similarity index 100%
rename from nextcloud-docker/13.0/Dockerfile
rename to pica-nextcloud/13.0/Dockerfile
diff --git a/nextcloud-docker/13.0/config/apache-pretty-urls.config.php b/pica-nextcloud/13.0/config/apache-pretty-urls.config.php
similarity index 100%
rename from nextcloud-docker/13.0/config/apache-pretty-urls.config.php
rename to pica-nextcloud/13.0/config/apache-pretty-urls.config.php
diff --git a/nextcloud-docker/13.0/config/apcu.config.php b/pica-nextcloud/13.0/config/apcu.config.php
similarity index 100%
rename from nextcloud-docker/13.0/config/apcu.config.php
rename to pica-nextcloud/13.0/config/apcu.config.php
diff --git a/nextcloud-docker/13.0/config/apps.config.php b/pica-nextcloud/13.0/config/apps.config.php
similarity index 100%
rename from nextcloud-docker/13.0/config/apps.config.php
rename to pica-nextcloud/13.0/config/apps.config.php
diff --git a/nextcloud-docker/13.0/config/autoconfig.php b/pica-nextcloud/13.0/config/autoconfig.php
similarity index 100%
rename from nextcloud-docker/13.0/config/autoconfig.php
rename to pica-nextcloud/13.0/config/autoconfig.php
diff --git a/nextcloud-docker/13.0/cron.sh b/pica-nextcloud/13.0/cron.sh
similarity index 100%
rename from nextcloud-docker/13.0/cron.sh
rename to pica-nextcloud/13.0/cron.sh
diff --git a/nextcloud-docker/13.0/entrypoint.sh b/pica-nextcloud/13.0/entrypoint.sh
similarity index 100%
rename from nextcloud-docker/13.0/entrypoint.sh
rename to pica-nextcloud/13.0/entrypoint.sh
diff --git a/nextcloud-docker/15.0/Dockerfile b/pica-nextcloud/15.0/Dockerfile
similarity index 100%
rename from nextcloud-docker/15.0/Dockerfile
rename to pica-nextcloud/15.0/Dockerfile
diff --git a/nextcloud-docker/15.0/config/apache-pretty-urls.config.php b/pica-nextcloud/15.0/config/apache-pretty-urls.config.php
similarity index 100%
rename from nextcloud-docker/15.0/config/apache-pretty-urls.config.php
rename to pica-nextcloud/15.0/config/apache-pretty-urls.config.php
diff --git a/nextcloud-docker/15.0/config/apcu.config.php b/pica-nextcloud/15.0/config/apcu.config.php
similarity index 100%
rename from nextcloud-docker/15.0/config/apcu.config.php
rename to pica-nextcloud/15.0/config/apcu.config.php
diff --git a/nextcloud-docker/15.0/config/apps.config.php b/pica-nextcloud/15.0/config/apps.config.php
similarity index 100%
rename from nextcloud-docker/15.0/config/apps.config.php
rename to pica-nextcloud/15.0/config/apps.config.php
diff --git a/nextcloud-docker/15.0/config/autoconfig.php b/pica-nextcloud/15.0/config/autoconfig.php
similarity index 100%
rename from nextcloud-docker/15.0/config/autoconfig.php
rename to pica-nextcloud/15.0/config/autoconfig.php
diff --git a/nextcloud-docker/15.0/config/redis.config.php b/pica-nextcloud/15.0/config/redis.config.php
similarity index 100%
rename from nextcloud-docker/15.0/config/redis.config.php
rename to pica-nextcloud/15.0/config/redis.config.php
diff --git a/nextcloud-docker/15.0/cron.sh b/pica-nextcloud/15.0/cron.sh
similarity index 100%
rename from nextcloud-docker/15.0/cron.sh
rename to pica-nextcloud/15.0/cron.sh
diff --git a/nextcloud-docker/15.0/entrypoint.sh b/pica-nextcloud/15.0/entrypoint.sh
similarity index 100%
rename from nextcloud-docker/15.0/entrypoint.sh
rename to pica-nextcloud/15.0/entrypoint.sh
diff --git a/nextcloud-docker/15.0/upgrade.exclude b/pica-nextcloud/15.0/upgrade.exclude
similarity index 100%
rename from nextcloud-docker/15.0/upgrade.exclude
rename to pica-nextcloud/15.0/upgrade.exclude
diff --git a/pica-nextcloud/README.md b/pica-nextcloud/README.md
new file mode 100644
index 00000000..a6aecadd
--- /dev/null
+++ b/pica-nextcloud/README.md
@@ -0,0 +1,56 @@
+## NextCloud
+
+Ce dossier contient les ressources nécessaires pour lancer une ou plusieurs instances NextCloud.
+
+Deux instances sont gérées : celle de Picasoft et celle de Compiègne en Transition.
+Celle de Picasoft utilise une image officielle ainsi que MySQL ; celle de CeT utilise une image construite par nos soins et une base PostgreSQL.
+
+### Lancement
+
+Pour l'instance de Compiègne en Transition :
+* Copier `cloudcet.secrets.example` dans `cloudcet.secrets` et remplacer les valeurs
+* Lancer `docker-compose -f docker-compose-cet.yml up -d`.
+
+Pour l'instance de Picasoft :
+* Copier `pica.secrets.example` dans `pica.secrets` et remplacer les valeurs
+* Lancer `docker-compose -f docker-compose-pica.yml up -d`.
+
+### Mise à jour
+
+Pour les prochaines mises à jour du cloud CeT, il est peut être plus pertinent de se baser sur l'image officielle.
+Dans ce cas, supprimer la directive `build` de Compose.
+
+Pour mettre à jour l'instance de Picasoft, il suffit de mettre à jour le tag de l'image de `nextcloud-app`.
+
+Attention : **toutes les mises à jour de version majeure doivent se faire une par une**.
+Exemple :
+* 15 -> 16, puis
+* 16 -> 17, puis
+* 17 -> 18.
+
+Sinon, il y a risque de casse.
+
+### Mise à jour de PostgreSQL (CeT)
+
+Il peut arriver que la version de PostgreSQL ne soit plus supportée par NextCloud.
+Sans en arriver là , il est bon de régulièrement mettre à jour PostgreSQL :
+> While upgrading will always contain some level of risk, PostgreSQL minor releases fix only frequently-encountered bugs, security issues, and data corruption problems to reduce the risk associated with upgrading. For minor releases, the community considers not upgrading to be riskier than upgrading. https://www.postgresql.org/support/versioning/
+
+Les mise à jours mineures (changement du Y de la version X.Y) peuvent se faire sans intervention humaine. On veillera à bien regarder les logs.
+
+En revanche, le passage d'une version majeure à une autre nécessitera une intervention manuelle.
+
+La documentation complète est ici : https://www.postgresql.org/docs/current/upgrading.html
+
+De manière générale, la façon la plus simple est de se rendre dans l'ancien conteneur, de réaliser un `pg_dumpall` et de le copier en lieu sûr (`docker cp`).
+Ensuite, on supprime l'ancien volume de base de données, on relance le nouveau conteneur de base de données (qui sera sans donnée), on monte le fichier de dump, et on lance un `psql -U <user> -d <db> -f <dump_file>` (valeurs de `user` et `db` à matcher avec le fichiers de secrets).
+
+On attend, et **si tout s'est bien passé**, on peut lancer le conteneur applicatif (NextCloud).
+
+### Mise à jour de MariaDB (Picasoft)
+
+[Selon la documentation](https://mariadb.com/kb/en/upgrading-between-major-mariadb-versions/) :
+
+> MariaDB is designed to allow easy upgrades. You should be able to trivially upgrade from ANY earlier MariaDB version to the latest one (for example MariaDB 5.5.x to MariaDB 10.5.x), usually in a few seconds.
+
+L'idée est d'éteindre le conteneur applicatif (NextCloud), puis de lancer la nouvelle version du conteneur, d'entrer dedans, de lancer la commande `mysql_upgrade` et de redémarrer le conteneur.
diff --git a/pica-nextcloud/docker-compose-cet.yml b/pica-nextcloud/docker-compose-cet.yml
new file mode 100644
index 00000000..6edc5ee9
--- /dev/null
+++ b/pica-nextcloud/docker-compose-cet.yml
@@ -0,0 +1,35 @@
+version: '3.7'
+# TODO switch to volumes
+networks:
+ docker_default:
+ name: docker_default:
+ cloud_cet:
+ name: cloud_cet
+
+services:
+ cloudcet:
+ build:
+ dockerfile: ./15.0/Dockerfile
+ container_name: cloudcet
+ image: registry.picasoft.net/nextcloud:15.0
+ labels:
+ - "traefik.frontend.rule=Host:cloudcet.picasoft.net"
+ - "traefik.port=80"
+ - "traefik.enable=true"
+ networks:
+ - docker_default
+ - cloud_cet
+ volumes:
+ - /DATA/docker/cet/nc:/var/www/html
+ depends_on:
+ - cloudcet_db
+ restart: unless-stopped
+
+ cloudcet_db:
+ container_name: cloudcet_db
+ image: postgres:9.6
+ volumes:
+ - /DATA/docker/cet/nc_db:/var/lib/postgresql/data
+ env_file:
+ - ./secrets/cloudcet.secrets
+ restart: unless-stopped
diff --git a/pica-nextcloud/docker-compose-pica.yml b/pica-nextcloud/docker-compose-pica.yml
new file mode 100644
index 00000000..b50386a3
--- /dev/null
+++ b/pica-nextcloud/docker-compose-pica.yml
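Review bot: `name: docker_default:` (fifth line of the hunk) has a trailing colon, so depending on the YAML parser Compose either rejects the file or registers the external network under the literal name `docker_default:` instead of attaching to the existing `docker_default` network the Traefik labels depend on; it should read `name: docker_default`, as the pica compose file in this same commit spells it. A second gap: `./secrets/cloudcet.secrets` is loaded only into `cloudcet_db`, while the example file it is copied from also defines `NEXTCLOUD_ADMIN_USER`/`NEXTCLOUD_ADMIN_PASSWORD`, which the Postgres image ignores, and the `cloudcet` service itself receives no database host or credentials at all. Unless the custom 15.0 image bakes these in (its Dockerfile and autoconfig.php are only renamed by this commit, not shown), the app service needs the same `env_file` plus a host entry such as `POSTGRES_HOST=cloudcet_db` if it honours the official image's variables; a one-line comment above `cloudcet:` stating where the app gets its database settings would settle this for the next reader.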
@@ -0,0 +1,58 @@
+version: '3.7'
+
+volumes:
+ nextcloud-db:
+ nextcloud:
+
+networks:
+ nextcloud:
+ docker_default:
+ name: docker_default
+
+services:
+ nextcloud-app:
+ image: nextcloud:17.0.1-fpm-alpine
+ container_name: nextcloud-app
+ restart: unless-stopped
+ volumes:
+ - nextcloud:/var/www/html
+ environment:
+ - MYSQL_HOST=nextcloud-db
+ env_file:
+ - /DATA/docker/secrets/nextcloud-db.secrets
+ depends_on:
+ - nextcloud-db
+ networks:
+ - nextcloud
+ restart: unless-stopped
+
+ nextcloud-web:
+ image: nginx:alpine
+ container_name: nextcloud-web
+ volumes:
+ - nextcloud:/var/www/html:ro
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ env_file: ./pica.secrets
+ depends_on:
+ - nextcloud-app
+ networks:
+ - nextcloud
+ - docker_default
+ labels:
+ - "traefik.frontend.rule=Host:cloud.picasoft.net"
+ - "traefik.port=80"
+ - "traefik.enable=true"
+ # https://docs.nextcloud.com/server/16/admin_manual/configuration_server/reverse_proxy_configuration.html
+ - "traefik.frontend.redirect.permanent=true"
+ - "traefik.frontend.redirect.regex=https://(.*)/.well-known/(card|cal)dav"
+ - "traefik.frontend.redirect.replacement=https://$$1/remote.php/dav/"
+ restart: unless-stopped
+
+ nextcloud-db:
+ image: mariadb:10.3.17
+ container_name: nextcloud-db
+ volumes:
+ - nextcloud-db:/var/lib/mysql
+ networks:
+ - nextcloud
+ env_file: ./pica.secrets
diff --git a/pica-nextcloud/nginx.conf b/pica-nextcloud/nginx.conf
new file mode 100644
index 00000000..5ec547f7
--- /dev/null
+++ b/pica-nextcloud/nginx.conf
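Review bot: `nextcloud-app` declares `restart: unless-stopped` twice (once right after `container_name`, once after `networks`); a duplicated mapping key is rejected by strict YAML parsers and silently collapsed by lenient ones, so one of the two lines should go. `nextcloud-web` is stock `nginx:alpine` that only serves static files and proxies to PHP-FPM, yet it is handed `env_file: ./pica.secrets`, which places `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` in the environment of the internet-facing container for no purpose; removing that `env_file` keeps the database credentials confined to `nextcloud-db` and `nextcloud-app`. The three services also disagree on where the secrets live: the app reads `/DATA/docker/secrets/nextcloud-db.secrets`, the other two read `./pica.secrets`, and the example file added by this commit sits at `secrets/pica.secrets.example`, so the README's copy instruction does not produce a file that every service loads; one path (for instance `./secrets/pica.secrets`, mirroring the CeT file) should be used throughout. `nextcloud-db` is additionally the only service without a `restart` policy, which looks like an oversight rather than a choice.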
@@ -0,0 +1,161 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ real_ip_header X-Real-IP;
+
+ #gzip on;
+
+ upstream php-handler {
+ server nextcloud-app:9000;
+ }
+
+ server {
+ listen 80;
+
+ # Add headers to serve security related headers
+ # Before enabling Strict-Transport-Security headers please read into this
+ # topic first.
+ add_header Strict-Transport-Security "max-age=15768000;
+ includeSubDomains";
+ #
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ root /var/www/html;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # The following 2 rules are only needed for the user_webfinger app.
+ # Uncomment it if you're planning to use this app.
+ #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
+ # last;
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Uncomment if your server is build with the ngx_pagespeed module
+ # This module is currently not supported.
+ #pagespeed off;
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ # fastcgi_param HTTPS on;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ # Add headers to serve security related headers (It is intended to
+ # have those duplicated to the ones above)
+ # Before enabling Strict-Transport-Security headers please read into
+ # this topic first.
+ add_header Strict-Transport-Security "max-age=15768000;
+ includeSubDomains";
+ #
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+ }
+
+}
diff --git a/pica-nextcloud/secrets/cloudcet.secrets.example b/pica-nextcloud/secrets/cloudcet.secrets.example
new file mode 100644
index 00000000..80481752
--- /dev/null
+++ b/pica-nextcloud/secrets/cloudcet.secrets.example
@@ -0,0 +1,5 @@
+POSTGRES_USER=user
+POSTGRES_PASSWORD=password
+POSTGRES_DB=compi_en_trans
+NEXTCLOUD_ADMIN_USER=admin
+NEXTCLOUD_ADMIN_PASSWORD=password
diff --git a/pica-nextcloud/secrets/pica.secrets.example b/pica-nextcloud/secrets/pica.secrets.example
new file mode 100644
index 00000000..f50e9816
--- /dev/null
+++ b/pica-nextcloud/secrets/pica.secrets.example
@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD=password
+MYSQL_DATABASE=nextcloud
+MYSQL_USER=nextcloud
+MYSQL_PASSWORD=password
--
GitLab
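Review bot: The `Strict-Transport-Security` value is broken across two lines inside its quotes (`"max-age=15768000;` followed by `includeSubDomains";`), once in the `server` block and again in the css/js `location`; the layout looks inherited from the commented-out upstream example, and once uncommented the quoted string spans a newline, so either nginx refuses the config or it emits a header value containing the line break and indentation, which clients treat as a malformed/obsolete-folded header rather than as HSTS. Join it on one line in both places: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";`. Since TLS terminates at Traefik and this server block only listens on port 80 with `# fastcgi_param HTTPS on;` left commented, Nextcloud can only learn that the client used HTTPS from its own `overwriteprotocol`/trusted-proxy settings, which this commit does not show; a comment next to that commented line naming where that is configured would save the next maintainer a redirect-loop investigation. The `set_real_ip_from` entries trust all RFC 1918 space for `X-Real-IP`, which is only sound as long as nothing but Traefik can reach this container on `docker_default`; that assumption deserves a one-line comment above them.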