Различия

Показаны различия между двумя версиями страницы.

--- application:nextcloud [2025/02/21 01:37] – создано mirocow
+++ application:nextcloud [2025/11/28 07:56] (текущий) – 78.138.161.134
@@ Строка 1: / Строка 1: @@
+{{tag>[server nextcloud office drawio]}}
 ====== Nextcloud ======
+  * /var/www/html - вная папка, необходимая для обновления
+  * /var/www/html/custom_apps - установленные/измененные приложения
+  * /var/www/html/config - локальная конфигурация
+  * /var/www/html/data - фактические данные вашего Nextcloud
+  * /var/www/html/themes/<YOUR_CUSTOM_THEME> - тематизация/брендинг
+====== Сборка ======
+<code bash>
+#!/bin/bash
+export PROD_V=9.04
+##################################################################################
+cd /opt
+git clone https://github.com/thomisus/Docker-DocumentServer.git --branch v$PROD_V
+cd /opt/Docker-DocumentServer
+docker build . -t onlyoffice-documentserver-unlimited:$PROD_V  && \
+docker tag onlyoffice-documentserver-unlimited:$PROD_V ghcr.io/thomisus/onlyoffice-documentserver-unlimited:$PROD_V && \
+docker tag onlyoffice-documentserver-unlimited:$PROD_V thomisus/onlyoffice-documentserver-unlimited:$PROD_V && \
+docker push ghcr.io/thomisus/onlyoffice-documentserver-unlimited:$PROD_V &&
+docker push thomisus/onlyoffice-documentserver-unlimited:$PROD_V && \
+docker tag onlyoffice-documentserver-unlimited:$PROD_V ghcr.io/thomisus/onlyoffice-documentserver-unlimited:latest && \
+docker tag onlyoffice-documentserver-unlimited:$PROD_V thomisus/onlyoffice-documentserver-unlimited:latest && \
+echo "all done" && \
+docker push ghcr.io/thomisus/onlyoffice-documentserver-unlimited:latest &&
+docker push thomisus/onlyoffice-documentserver-unlimited:latest
+</code>
+====== Установка ======
+  * https://github.com/nextcloud/docker
+  * https://hub.docker.com/_/nextcloud
+===== Установка Onlyoffice + Drawio + Drawio Export =====
+nano docker_compose.yml
+<code yaml>
+version: '3'
+services:
+  # http://192.168.1.6
+  nginx:
+    container_name: nextcloud-proxy
+    image: nginx:latest
+    restart: always
+    networks:
+      localnetwork:
+          ipv4_address: "192.168.1.6"
+      nextcloud_network:
+    depends_on:
+      - app
+      - drawio
+      - onlyoffice
+    ports:
+      - 192.168.1.6:80:80
+      # - 192.168.1.6:443:443
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - proxy:/etc/nginx
+      - nextcloud:/var/www/html:r
+    deploy:
+        resources:
+            limits:
+                cpus: '1'
+                memory: 2G
+  # docker exec -u www-data nextcloud-app php occ config:system:set trusted_domains 4 --value=178.140.10.58
+  # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/"
+  # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://onlyoffice-document-server/"
+  # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice jwt_secret --value="secret"
+  # docker exec -u www-data nextcloud-app php occ upgrade
+  app:
+    image: nextcloud:31.0.8-apache
+    container_name: nextcloud-app
+    networks:
+      nextcloud_network:
+    expose:
+      - '80'
+      - '9000'
+    depends_on:
+      - db
+      - redis
+      - cron
+      - es01
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - nextcloud:/var/www/html:rw
+      - crontabs:/cron-scripts:ro
+    environment:
+      - TZ=Europe/Moscow
+      - MYSQL_HOST=db
+      - REDIS_HOST=redis
+      - SKIP_DOMAIN_VALIDATION=true
+    restart: unless-stopped
+    deploy:
+        resources:
+            limits:
+                cpus: '4'
+                memory: 10G
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:80/"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 90s
+  cron:
+    image: rcdailey/nextcloud-cronjob
+    restart: unless-stopped
+    network_mode: none
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - crontabs:/cron-scripts
+    environment:
+      - NEXTCLOUD_CONTAINER_NAME=nextcloud-app
+      - NEXTCLOUD_PROJECT_NAME=
+      - NEXTCLOUD_CRON_MINUTE_INTERVAL=5
+    deploy:
+        resources:
+            limits:
+                cpus: '1'
+                memory: 2G
+  # http://nextcloud-drawio
+  drawio:
+    image: jgraph/drawio:dev
+    container_name: nextcloud-drawio
+    networks:
+      nextcloud_network:
+    expose:
+      - '8080'
+    environment:
+      - DRAWIO_SELF_CONTAINED=1
+      - EXPORT_URL=http://image-export:8000/
+      - PLANTUML_URL=http://plantuml-server:8080/
+      # - PLANTUML_URL=http://plantuml-server:8080/
+      # - DRAWIO_BASE_URL=${DRAWIO_BASE_URL}
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://domain:8080 || exit 1"]
+      interval: 1m30s
+      timeout: 10s
+      retries: 5
+      start_period: 10s
+    deploy:
+        resources:
+            limits:
+                cpus: '2'
+                memory: 2G
+  # http://image-export:8000/
+  image-export:
+    image: jgraph/export-server
+    container_name: nextcloud-drawio-export
+    expose:
+      - "8000"
+    depends_on:
+      - drawio
+    networks:
+      nextcloud_network:
+    # environment:
+    #   - DRAWIO_SERVER_URL=${DRAWIO_BASE_URL}
+    #volumes:
+      #- ./fonts:/usr/share/fonts/drawio
+    restart: unless-stopped
+    # deploy:
+    #     resources:
+    #         limits:
+    #             cpus: '2'
+    #             memory: 2G
+  plantuml-server:
+    image: plantuml/plantuml-server
+    expose:
+      - "8080"
+    networks:
+      nextcloud_network:
+    depends_on:
+      - drawio
+    restart: unless-stopped
+    deploy:
+        resources:
+            limits:
+                cpus: '2'
+                memory: 2G
+  # ONLYOFFICE Docs address: /ds-vpath/
+  # ONLYOFFICE Docs address for internal requests from the server: /nextcloud-onlyoffice/
+  # This build of onlyoffice community edition ( documentserver ) has connections limits increased to 9999 ( instead of default 20 )
+  onlyoffice:
+    container_name: nextcloud-onlyoffice
+    # image: onlyoffice/documentserver:9.0.4
+    image: thomisus/onlyoffice-documentserver-unlimited:9.0.4
+    stdin_open: true
+    tty: true
+    environment:
+      - JWT_SECRET=secret
+    networks:
+      nextcloud_network:
+    restart: unless-stopped
+    expose:
+      - '80'
+    volumes:
+      - document_data:/var/www/onlyoffice/Data
+      - document_log:/var/log/onlyoffice
+    deploy:
+        resources:
+            limits:
+                cpus: '2'
+                memory: 2G
+  db:
+    image: mariadb:11.4.5
+    container_name: nextcloud-mariadb
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    networks:
+      nextcloud_network:
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - db:/var/lib/mysql:rw
+    environment:
+      - TZ=Europe/Moscow
+      - MYSQL_ROOT_PASSWORD=toor
+      - MYSQL_PASSWORD=mysql
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+    ports:
+      - 13306:3306
+    restart: unless-stopped
+    deploy:
+        resources:
+            limits:
+                cpus: '4'
+                memory: 8G
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    volumes:
+      - redis01:/data
+    deploy:
+        resources:
+            limits:
+                cpus: '1'
+                memory: 2G
+    networks:
+      nextcloud_network:
+  es01:
+    image: elasticsearch:8.17.2
+    container_name: nextcloud-es01
+    restart: always
+    environment:
+      node.name: elasticsearch
+      bootstrap.memory_lock: true
+      ES_JAVA_OPTS: -Xms512m -Xmx512m
+      xpack.security.enabled: false
+      # Bootstrap password.
+      # Used to initialize the keystore during the initial startup of
+      # Elasticsearch. Ignored on subsequent runs.
+      # ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-pass}
+      # Use single node discovery in order to disable production mode and avoid bootstrap checks.
+      # see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
+      discovery.type: single-node
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - data01:/usr/share/elasticsearch/data
+    expose:
+      - 9200
+      - 9300
+    networks:
+      nextcloud_network:
+    deploy:
+        resources:
+            limits:
+                cpus: '2'
+                memory: 4G
+volumes:
+  proxy:
+  nextcloud:
+  crontabs:
+  db:
+  document_data:
+  document_log:
+  data01:
+  redis01:
+  screenshoter:
+networks:
+  nextcloud_network:
+  localnetwork:
+    name: localnetwork
+    driver: ipvlan
+    driver_opts:
+      parent: eno1
+      ipvlan_mode: l3
+    ipam:
+      config:
+        - subnet: "192.168.1.0/24"
+          ip_range: "192.168.1.1/24"
+          gateway: "192.168.1.1"
+</code>
+===== Настройка прокси-сервера =====
 nano /etc/nginx/nginx.conf
@@ Строка 19: / Строка 336: @@
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
+              '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
+              '"$http_user_agent" "$http_x_forwarded_for"';
     access_log  /var/log/nginx/access.log  main;
@@ Строка 50: / Строка 367: @@
         server_tokens off;
-        # Add headers to serve security related headers
+        # HSTS settings
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+        # WARNING: Only add the preload option once you read about
-        add_header X-Content-Type-Options nosniff;
+        # the consequences in https://hstspreload.org/. This option
-        add_header X-XSS-Protection "1; mode=block";
+        # will add the domain to a hardcoded list that is shipped
-        add_header X-Robots-Tag none;
+        # in all major browsers and getting removed from this list
-        add_header X-Download-Options noopen;
+        # could take several months.
-        add_header X-Permitted-Cross-Domain-Policies none;
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
-        root /var/www/html;
+        # set max upload size and increase upload timeout:
-        client_max_body_size 10G; # 0=unlimited - set max upload size
+        client_max_body_size 512M;
+        client_body_timeout 300s;
         fastcgi_buffers 64 4K;
-        gzip off;
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+        # Pagespeed is not supported by Nextcloud, so if your server is built
+        # with the `ngx_pagespeed` module, uncomment this line to disable it.
+        #pagespeed off;
+        # The settings allows you to optimize the HTTP2 bandwidth.
+        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+        # for tuning hints
+        client_body_buffer_size 512k;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Referrer-Policy                               "no-referrer"               always;
+        add_header X-Content-Type-Options                        "nosniff"                   always;
+        add_header X-Frame-Options                               "SAMEORIGIN"                always;
+        add_header X-Permitted-Cross-Domain-Policies             "none"                      always;
+        add_header X-Robots-Tag                                  "noindex, nofollow"         always;
+        add_header X-XSS-Protection                              "1; mode=block"             always;
+        # Remove X-Powered-By, which is an information leak
+        fastcgi_hide_header X-Powered-By;
+        # Set .mjs and .wasm MIME types
+        # Either include it in the default mime.types list
+        # and include that list explicitly or add the file extension
+        # only for Nextcloud like below:
+        include mime.types;
+        types {
+                text/javascript mjs;
+                application/wasm wasm;
+        }
+        # Specify how to handle directories -- specifying `/index.php$request_uri`
+        # here as the fallback means that Nginx always exhibits the desired behaviour
+        # when a client requests a path that corresponds to a directory that exists
+        # on the server. In particular, if that directory contains an index.php file,
+        # that file is correctly served; if it doesn't, then the request is passed to
+        # the front-end controller. This consistent behaviour means that we don't need
+        # to specify custom rules for certain paths (e.g. images and other assets,
+        # `/updater`, `/ocs-provider`), and thus
+        # `try_files $uri $uri/ /index.php$request_uri`
+        # always provides the desired behaviour.
+        index index.php index.html /index.php$request_uri;
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        #location = / {
+        #        if ( $http_user_agent ~ ^DavClnt ) {
+        #                return 302 /remote.php/webdav/$is_args$args;
+        #        }
+        #}
+        location = /robots.txt {
+                allow all;
+                log_not_found off;
+                access_log off;
+        }
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+                # The rules in this block are an adaptation of the rules
+                # in `.htaccess` that concern `/.well-known`.
+                location = /.well-known/carddav { return 301 /remote.php/dav/; }
+                location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+                location /.well-known/acme-challenge        { try_files $uri $uri/ =404; }
+                location /.well-known/pki-validation        { try_files $uri $uri/ =404; }
+                # Let Nextcloud's API for `/.well-known` URIs handle all other
+                # requests by passing them to the front-end controller.
+                return 301 /index.php$request_uri;
+        }
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                                { return 404; }
         index index.php;
@@ Строка 76: / Строка 478: @@
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
+                proxy_set_header X-Forwarded-Host $the_host;
                 proxy_set_header X-Forwarded-Proto $the_scheme;
+                # Correct handling of fallbacks for HTTP headers
+                proxy_hide_header X-Permitted-Cross-Domain-Policies;
+                proxy_hide_header  Referrer-Policy;
+                proxy_hide_header  X-Content-Type-Options;
+                proxy_hide_header  X-Frame-Options;
+                proxy_hide_header  X-XSS-Protection;
         }
@@ Строка 93: / Строка 501: @@
                 proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
                 proxy_set_header X-Forwarded-Proto $the_scheme;
+                # Correct handling of fallbacks for HTTP headers
+                proxy_hide_header X-Permitted-Cross-Domain-Policies;
+                proxy_hide_header  Referrer-Policy;
+                proxy_hide_header  X-Content-Type-Options;
+                proxy_hide_header  X-Frame-Options;
+                proxy_hide_header  X-XSS-Protection;
         }
@@ Строка 101: / Строка 515: @@
                 client_max_body_size 100m;
                 proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
+                #proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
+                #proxy_set_header Connection "upgrade";
-                proxy_set_header Host $http_host;
+                #proxy_set_header Host $http_host;
-                proxy_set_header X-Real-IP $remote_addr;
+                #proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
+                #proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
-                proxy_set_header X-Forwarded-Proto $the_scheme;
+                #proxy_set_header X-Forwarded-Proto $the_scheme;
+        }
+        location /service/0 {
+                rewrite /\/service\/0/(.*) /$1  break;
+                proxy_pass http://nextcloud-drawio-export:8000;
+                proxy_redirect     off;
+                client_max_body_size 100m;
+                proxy_http_version 1.1;
+                #proxy_set_header Upgrade $http_upgrade;
+                #proxy_set_header Connection "upgrade";
+                #proxy_set_header Host $http_host;
+                #proxy_set_header X-Real-IP $remote_addr;
+                #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                #proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
+                #proxy_set_header X-Forwarded-Proto $the_scheme;
         }
@@ Строка 113: / Строка 542: @@
 }
 </code>
+===== Продолжение настройки =====
+<code bash>
+$ docker exec nextcloud-app rm /var/spool/cron/crontabs/www-data
+</code>
+===== Установка контейнера и настройка приложения =====
+<code bash>
+$ docker compose up -d
+$ docker exec -u www-data nextcloud-app php occ config:system:set trusted_domains 4 --value=178.140.10.58
+$ docker exec -u www-data nextcloud-app php occ app:install onlyoffice
+$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/"
+$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://nextcloud-onlyoffice/"
+$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice jwt_secret --value="secret"
+</code>
+  * trusted_domains 1 - Индекс в массиве trusted_domains
+===== Fulltextsearch + Elasticsearch =====
+<code bash>
+$ docker exec nextcloud-app curl -XGET 'nextcloud-es01:9200/?pretty'
+$ docker exec -u www-data nextcloud-app php occ fulltextsearch:test
+$ docker exec -u www-data nextcloud-app php occ full:index
+</code>
+===== OCC =====
+<code bash>
+$ docker exec -u www-data nextcloud-app php occ config:app:set calendar publicCalendars --value '[{"name":"My custom calendar","source":"http://example.com/example.ics"}]'
+$ docker exec -u www-data nextcloud-app php occ config:app:set dav calendarSubscriptionRefreshRate --value "PT6H"
+$ docker exec -u www-data nextcloud-app php occ config:app:set dav webcalAllowLocalAccess --value yes
+$ docker exec -u www-data nextcloud-app php occ upgrade
+$ docker exec nextcloud-app php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+$ docker exec nextcloud-app php composer-setup.php
+$ docker exec nextcloud-app mv /var/www/html/composer.phar /usr/local/bin/composer
+$ docker exec nextcloud-app chmod +x /usr/local/bin/composer
+</code>
+===== Maintenance =====
+<code bash>
+$ docker exec -u www-data nextcloud-app php occ maintenance:mode --on
+$ docker exec -u www-data nextcloud-app php occ maintenance:mode --off
+</code>
+===== Logfile =====
+<code bash>
+$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/data && echo "" > nextcloud.log'
+</code>
+===== Composer =====
+==== Install ====
+<code bash>
+$ docker exec nextcloud-app php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \
+docker exec nextcloud-app php composer-setup.php && \
+docker exec nextcloud-app mv composer.phar /usr/local/bin/composer && \
+docker exec nextcloud-app composer -v
+</code>
+==== Использование ====
+<code bash>
+$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html && ls -la'
+$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/custom_apps/backup && composer install'
+</code>
+===== User Data =====
+<code bash>
+$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/data && ls -la'
+</code>
+===== Custom Application =====
+<code bash>
+$ docker exec nextcloud-app chown www-data:www-data -R custom_apps/
+$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/custom_apps && ls -la'
+</code>
+===== Debug =====
+<code bash>
+$ docker exec nextcloud-app pecl install xdebug && \
+docker exec nextcloud-app docker-php-ext-enable xdebug && \
+docker exec nextcloud-app rm -rf /tmp/pear && \
+docker exec nextcloud-app bash -c 'echo "xdebug.mode=debug
+xdebug.start_with_request=yes
+xdebug.client_host=host.docker.internal
+;# 9003 is now the default (set this for old PhpStorm settings).
+xdebug.client_port=9000" >> /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini;'; \
+    php -i|grep xdebug
+</code>