nextcloud docker
old version with gui here
file | variable | description
---|---|---
/scripts/constants | ip_cloud_srv, ip_cloud_psql_srv, ip_cloud_sync_srv | ip addresses of cloud containers
/security/cloud_psql/postgres | | clear text password of postgres db user ( must be 600 mode )
VARIABLES | CLOUD_ADMIN_PWDFILE | path to cloud admin user password file
VARIABLES | CLOUD_SERVER | cloud server hostname
VARIABLES | CLOUD_LOCAL_FOLDER | nas root or other host folder to sync with the remote folder
VARIABLES | CLOUD_REMOTE_FOLDER | cloud remote folder, or empty
example

```sh
CLOUD_SERVER=cloud.searchathing.com
CLOUD_ADMIN_PWDFILE=/security/cloud/admin
CLOUD_LOCAL_FOLDER=/nas/cloud
CLOUD_REMOTE_FOLDER=
```
- To avoid syncing some local folders ( relative to CLOUD_NAS_ROOT ) insert them in sync-exclude.lst
- To avoid starting a sync after a local change in some folders, edit the list in cloud_sync_cmdline/imgdata/wait_changes ( e.g. /nas/SoftCollect, where /nas is the path in the container local filesystem )
- wait_changes waits for changes on the local filesystem using inotify ( may need to increase max_user_watches ) and notifies changes to a /log file
- wait_changes2 waits for changes on the /log file ( changes coming from local ) or coming from remote, detected by comparing /root/res_etag.xml ( generated by update_etag )

Timing variables in wait_changes2:

- remotePollIntervalSec ( default=30 ) : interval at which the etag is compared to detect remote changes
- forceSyncAfterLocalSyncSec ( default=300 ) : when local changes happen a sync starts almost immediately ( 1 sec ) and when it finishes the remote etag is updated too; in some minor cases a remote change may occur during this sync, so to avoid losing sync between local and remote a sync is forced after 5 minutes. A better approach would be to retrieve the etag list from the result of nextcloudcmd, but at present its log contains crowded information about the recursive sync scan.
- forceSyncIntervalSec ( default=7200 1 hr ) : a periodic sync to avoid any issue with detection of local and remote changes.
- install cloud postgres

```sh
cd cloud_psql
./run.sh
cd ..
```

- install cloud

```sh
cd cloud
./run.sh
cd ..
```

- edit your /nas/data/cloud/config/config.php so that it matches the required https ( see info )
- install cloud_sync_cmdline

```sh
cd cloud_sync_cmdline
./build.sh
./run.sh
```
Use an nginx conf so that the real source ip address gets encapsulated into the X-Forwarded-For header; this allows nextcloud, when configured properly ( see below ), to extract the sender ip so that the brute force attack defense mechanism blocks that ip. Note that if an nginx proxy server is in use and nextcloud is not configured to handle X-Forwarded-For, the login mitigation ( slower login ) will hit all users, because nextcloud will classify all non-attacker users as having the same ip address ( the nginx proxy one ).

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/html;
    server_name cloud.mydomain.com;

    location / {
        include /etc/nginx/mime.types;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://cloud.mydomain.com;
        proxy_set_header Host $host;
    }
}
```
To configure nextcloud to work behind the proxy with X-Forwarded-For, ensure the following lines are in config/config.php, then restart the container:

```php
'trusted_proxies' => array('172.19.0.2'),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
```

replacing 172.19.0.2 with your own nginx server ip address ( you can look at the postgres db table oc_bruteforce_attempts to see the ip address that nextcloud records after an authentication failure ):

```sh
dk-exec cloud_psql
su - postgres
psql
\c cloud
select * from oc_bruteforce_attempts;
```
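As an added illustration ( not code from this repository or from nextcloud ), a small Python model of how a proxied request gets attributed to a client ip under the trusted_proxies / forwarded_for_headers setting described above: the header is honoured only when the TCP peer is a trusted proxy, and without the setting every user collapses onto the proxy address. The client addresses are constructed, and CIDR support in trusted_proxies is an assumption of the model.

```python
import ipaddress

# Constructed values: the proxy address from the config example above,
# plus the header name that nextcloud reads by default.
TRUSTED_PROXIES = ["172.19.0.2"]
FORWARDED_FOR_HEADERS = ["HTTP_X_FORWARDED_FOR"]


def _is_trusted_proxy(remote_addr, trusted_proxies):
    """True if remote_addr is listed literally or lies inside a listed CIDR (assumed)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        if "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry == remote_addr:
            return True
    return False


def resolve_client_ip(server, trusted_proxies, forwarded_for_headers=FORWARDED_FOR_HEADERS):
    """Return the address the brute-force throttle should be keyed on.

    `server` mimics PHP's $_SERVER: REMOTE_ADDR is the TCP peer (the nginx
    container when proxied) and HTTP_X_FORWARDED_FOR carries the real client.
    A client connecting directly is not a trusted proxy, so any header it
    sends is ignored and it cannot choose its own identity.
    """
    remote_addr = server.get("REMOTE_ADDR", "")
    if not _is_trusted_proxy(remote_addr, trusted_proxies):
        return remote_addr
    for header in forwarded_for_headers:
        value = server.get(header)
        if not value:
            continue
        # First valid entry wins; brackets around IPv6 literals are stripped.
        for candidate in value.split(","):
            candidate = candidate.strip().strip("[]")
            try:
                ipaddress.ip_address(candidate)
                return candidate
            except ValueError:
                continue
    return remote_addr
```

With an empty trusted_proxies list every proxied login is keyed on 172.19.0.2, which is exactly how one attacker's failures end up throttling everyone.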