docker and docker-compose
openssl
pacman -S docker docker-compose pwgen ssl-cert-check
sudo systemctl enable --now docker.service
git clone [email protected]:Lishux/nextcloud.git && cd nextcloud
./build.sh xxx
Substitute xxx with your host’s real IP.
To change config.php for Nextcloud:
docker cp nc_app:/var/www/html/config/config.php config.php
# ... edit the local copy of config.php ...
docker cp config.php nc_app:/var/www/html/config/config.php
docker exec nc_app chown www-data:www-data /var/www/html/config/config.php
To see the detailed configuration of the currently running instance:
docker exec -u www-data nc_app php occ config:system:get trusted_proxies 0
[ -z "$1" ] && host_ip=xxx || host_ip="$1"
# if inside GFW
[ -z "$2" ] && proxy= || proxy="host.docker.internal:$2"
host.docker.internal:$2 is for sharing the host’s proxy with the containers.
Check whether a certificate file expires within 10 days:
expired () {
ssl-cert-check -c "$1" -x 10 | awk '{print $2}' | tail -1 | cut -c-5
}
For a certificate that has expired or will expire within 10 days, the output begins with “Expir”.
Create a self-signed certificate in your private directory (./.private here):
[ -d ./.private ] || mkdir ./.private/
# key_file holds the certificate path; the private key is written next to it as ${host_ip}.key
key_file=./.private/"${host_ip}".crt
# host_ip is an IP address, so the SAN entry uses IP: (DNS: only matches hostnames)
[ -f "$key_file" ] && [ "$(expired "$key_file")" != "Expir" ] || openssl req -x509 -out "./.private/${host_ip}.crt" -keyout "./.private/${host_ip}.key" \
-newkey rsa:4096 -nodes -sha256 -days 90 \
-subj "/CN=${host_ip}" -extensions EXT -config <( \
printf "[dn]\nCN=${host_ip}\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=IP:${host_ip}\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
${host_ip} is your machine’s real IP. For more details see Generate_a_self-signed_certificate_with_private_key_in_a_single_command and making-and-trusting-your-own-certificates.
./.private/db.env should have the following contents.
[ -f ./.private/db.env ] || cat > ./.private/db.env <<EOF
MYSQL_ROOT_PASSWORD=$(pwgen -c -n -y -s -1 -r \$\#\,\&\=)
MYSQL_PASSWORD=$(pwgen -c -n -y -s -1 -r \$\#\,\&\=)
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
REDIS_HOST_PASSWORD=$(pwgen -c -n -y -s -1 -r \$\#\,\&\=)
EOF
Bash Templating: How to build configuration files from templates with Bash? -…
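# Expands $VAR references in a template through eval. Any $(...) or backticks in
# the template are executed as well, so only use it on templates you wrote yourself.
envsub () {
eval "cat <<EOF
$(<"$1")
EOF"
}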
. ./.private/db.env
# FIXME try built in =envsubst=
envsub ./templates/Caddyfile > Caddyfile
envsub ./templates/docker-compose.yaml > docker-compose.yaml
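The FIXME above asks for a replacement for the eval-based envsub. As an added example (not part of this repository), the POSIX sh function below substitutes only an explicit allowlist of ${VAR} placeholders and never evaluates the template; render_template, demo and the sample values are hypothetical names constructed for illustration.

```shell
#!/bin/sh
# render_template FILE VAR...
# Replaces ${VAR} only for the names listed after FILE. Everything else in the
# template ($(...), backticks, unlisted ${...}) is copied through as literal
# text, because the template is never handed to eval.
render_template() (
    tpl=$1; shift
    for v in "$@"; do
        # Accept plain identifiers only, then expose the value to awk.
        case $v in
            ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name: $v" >&2; exit 2 ;;
        esac
        export "$v"
    done
    ALLOW="$*" awk '
    function allowed(x,   k) {
        for (k = 1; k <= n; k++) if (names[k] == x) return 1
        return 0
    }
    BEGIN { n = split(ENVIRON["ALLOW"], names, " ") }
    {
        line = $0; out = ""
        while ((i = index(line, "${")) > 0) {
            rest = substr(line, i + 2)
            j = index(rest, "}")
            if (j == 0) break            # unterminated "${": keep it as-is
            name = substr(rest, 1, j - 1)
            out = out substr(line, 1, i - 1)
            out = out (allowed(name) ? ENVIRON[name] : "${" name "}")
            line = substr(rest, j + 1)
        }
        print out line
    }' "$tpl"
)

# Constructed sample input: a template line carrying a command substitution.
demo() {
    t=$(mktemp)
    printf '%s\n' 'https://${host_ip} {' '  # $(id)' '  pw ${MYSQL_PASSWORD} ${OTHER}' '}' > "$t"
    host_ip=192.0.2.10
    MYSQL_PASSWORD='x`id`"&y'
    render_template "$t" host_ip MYSQL_PASSWORD
    rm -f "$t"
}
demo
```

Inserted values are not rescanned, so a password that itself contains ${...} or backticks lands in the output verbatim.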
Trusting the container named “caddy” by name is not supported with docker-compose, and it is not convenient to change /var/www/html/config/config.php inside the container:
'trusted_proxies' =>
array (
0 => gethostbyname('caddy'),
# 1 => '192.168.1.0/24',
# 2 => '172.18.0.0/12',
),
The trusted proxies should cover the Docker containers’ private IPs:
- TRUSTED_PROXIES=172.16.0.0/12 192.168.0.0/24
Mainly after the upgrade to v29: when trusted_proxies is set via docker-compose but not as a list of IPs, the warning is:
Your “trusted_proxies” setting is not correctly set, it should be an array of IP addresses - optionally with range in CIDR notation.
If it is not set, the warning is:
The reverse proxy header configuration is incorrect.
Local — Nextcloud latest Administration Manual latest documentation
volumes:
- /local/path:/docker/path
Configure Docker to use a proxy server | Docker Docs
But this causes all containers to use the proxy, which then leads to an error with caddy.
For a proxy only inside the nextcloud app, see ./templates/docker-compose.yaml
Caching helps reduce the load on the primary storage and speeds up access to frequently accessed data. While Redis is fast, it is an in-memory data store, meaning it stores all data in RAM.
kb:cert override {Zotero Documentation} GitHub - Osmose/firefox-cert-override: Python library and CLI for reading and…
pipx install firefox-cert-override
~/.local/bin/firefox-cert-override xxx:443=xxx.crt[U] > cert_override.txt