application:nextcloud [2025/02/21 13:34] – [Установка контейнера и настройка приложения] mirocowapplication:nextcloud [2025/03/05 22:22] (текущий) mirocow
Строка 3: Строка 3:
 ====== Nextcloud ====== ====== Nextcloud ======
  
-===== Установка =====+  * /var/www/html - Основная папка, необходимая для обновления 
 +  * /var/www/html/custom_apps - установленные/измененные приложения 
 +  * /var/www/html/config - локальная конфигурация 
 +  * /var/www/html/data - фактические данные вашего Nextcloud 
 +  * /var/www/html/themes/<YOUR_CUSTOM_THEME> - тематизация/брендинг
  
 +====== Установка ======
 +
 +  * https://github.com/nextcloud/docker
 +  * https://hub.docker.com/_/nextcloud
 +
 +===== Установка Onlyoffice + Drawio + Drawio Export =====
  
 nano docker_compose.yml nano docker_compose.yml
Строка 15: Строка 25:
   nginx:   nginx:
     container_name: nextcloud-proxy     container_name: nextcloud-proxy
-    image: nginx+    image: nginx:latest
     restart: always     restart: always
     networks:     networks:
Строка 29: Строка 39:
       # - 192.168.1.6:443:443       # - 192.168.1.6:443:443
     volumes:     volumes:
 +      - /etc/localtime:/etc/localtime:ro
       - proxy:/etc/nginx       - proxy:/etc/nginx
-      - data:/var/www/html+      - nextcloud:/var/www/html:r 
  
   # docker exec -u www-data nextcloud-app php occ config:system:set trusted_domains 4 --value=178.140.10.58   # docker exec -u www-data nextcloud-app php occ config:system:set trusted_domains 4 --value=178.140.10.58
   # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/"   # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/"
   # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://onlyoffice-document-server/"   # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://onlyoffice-document-server/"
 +  # docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice jwt_secret --value="secret"
 +  # docker exec -u www-data nextcloud-app php occ upgrade
   app:   app:
-    image: nextcloud:latest+    image: nextcloud:30.0-apache
     container_name: nextcloud-app     container_name: nextcloud-app
     networks:     networks:
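Review bot: The hint added at the `jwt_secret` line sets the ONLYOFFICE JWT secret to the literal `secret`, and the setup commands further down the page use the same value (`config:system:set onlyoffice jwt_secret --value="secret"`). That shared secret is what lets Nextcloud and the Document Server authenticate each other's requests, so a guessable value removes the protection. Generate one once, e.g. with `openssl rand -hex 32`, pass it as `--value="<GENERATED_SECRET>"`, and configure the same value on the document-server container (its definition is outside this hunk). Separately, the nginx volume on the new side reads `nextcloud:/var/www/html:r`; unless the diff rendering dropped a character, the mode should be `ro`.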
Строка 48: Строка 62:
     volumes:     volumes:
       - /etc/localtime:/etc/localtime:ro       - /etc/localtime:/etc/localtime:ro
-      - data:/var/www/html:z+      - nextcloud:/var/www/html:rw # Основная папка, необходимая для обновления 
 +      #- nextcloud_custom_apps:/var/www/html/custom_apps:rw # установленные/измененные приложения 
 +      #- nextcloud_config:/var/www/html/config:rw # локальная конфигурация 
 +      #- nextcloud_data:/var/www/html/data:rw # фактические данные вашего Nextcloud 
 +      #- nextcloud_themes:/var/www/html/themes:rw # тематизация/брендинг
     environment:     environment:
       - TZ=Europe/Moscow       - TZ=Europe/Moscow
Строка 55: Строка 73:
       - SKIP_DOMAIN_VALIDATION=true       - SKIP_DOMAIN_VALIDATION=true
     restart: unless-stopped     restart: unless-stopped
 +
 +    deploy:
 +        resources:
 +            limits:
 +                cpus: '3'
 +                memory: 7G
 +    healthcheck:
 +      test: ["CMD", "curl", "-f", "http://localhost:80/"]
 +      interval: 10s
 +      timeout: 5s
 +      retries: 3
 +      start_period: 90s
  
   # http://nextcloud-drawio   # http://nextcloud-drawio
Строка 105: Строка 135:
  
   cron:   cron:
-    image: nextcloud:latest+    image: rcdailey/nextcloud-cronjob
     restart: unless-stopped     restart: unless-stopped
 +    network_mode: none
 +    depends_on:
 +    - app
     volumes:     volumes:
-      - /etc/localtime:/etc/localtime:ro +    - /etc/localtime:/etc/localtime:ro 
-      data:/var/www/html:z+    /var/run/docker.sock:/var/run/docker.sock:ro 
 +    - crontabs:/cron-scripts
     environment:     environment:
-      TZ=Europe/Moscow +    NEXTCLOUD_CONTAINER_NAME=nextcloud-app 
-    entrypoint: /cron.sh +    - NEXTCLOUD_PROJECT_NAME= 
-    depends_on: +    - NEXTCLOUD_CRON_MINUTE_INTERVAL=5
-      db +
-      - redis +
-    networks: +
-      nextcloud_network:+
  
   db:   db:
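Review bot: The new `cron` service mounts `/var/run/docker.sock`, and the `:ro` flag only makes the socket file read-only. It does not limit Docker API calls, so this container can control every container on the host, which is equivalent to root on the host. The image is also third-party and untagged (`rcdailey/nextcloud-cronjob`), so whatever is published under the default tag gets that access on the next pull. Pin it, e.g. `image: rcdailey/nextcloud-cronjob:<PINNED_TAG>@sha256:<DIGEST>` (placeholders), and add a comment above the socket mount stating why it is needed; `network_mode: none` is a good containment step and should stay. If socket access is not acceptable, running `php -f /var/www/html/cron.php` from host cron through `docker exec -u www-data nextcloud-app` avoids the mount entirely.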
Строка 134: Строка 164:
       - MYSQL_DATABASE=nextcloud       - MYSQL_DATABASE=nextcloud
       - MYSQL_USER=nextcloud       - MYSQL_USER=nextcloud
 +    ports:
 +      - 13306:3306
     restart: unless-stopped     restart: unless-stopped
 +    deploy:
 +        resources:
 +            limits:
 +                cpus: '2'
 +                memory: 4G
  
   redis:   redis:
     image: redis:alpine     image: redis:alpine
     restart: unless-stopped     restart: unless-stopped
 +    deploy:
 +        resources:
 +            limits:
 +                cpus: '1'
 +                memory: 2G
 +    networks:
 +      nextcloud_network:
 +
 +  es01:
 +    image: elasticsearch:8.17.2
 +    container_name: nextcloud-es01
 +    restart: always
 +    environment:
 +      node.name: elasticsearch
 +      bootstrap.memory_lock: true
 +      ES_JAVA_OPTS: -Xms512m -Xmx512m
 +      xpack.security.enabled: false
 +      # Bootstrap password.
 +      # Used to initialize the keystore during the initial startup of
 +      # Elasticsearch. Ignored on subsequent runs.
 +      # ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-pass}
 +      # Use single node discovery in order to disable production mode and avoid bootstrap checks.
 +      # see: https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
 +      discovery.type: single-node
 +    ulimits:
 +      memlock:
 +        soft: -1
 +        hard: -1
 +    volumes:
 +      - data01:/usr/share/elasticsearch/data
 +    expose:
 +      - 9200
 +      - 9300
     networks:     networks:
       nextcloud_network:       nextcloud_network:
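Review bot: `ports: - 13306:3306` on the `db` service publishes the database on every host interface, and Docker's own port-forwarding rules commonly take effect ahead of a host firewall such as ufw. The other services presumably reach the database over the compose network, so the mapping is only needed for access from the host; bind it to loopback, `- "127.0.0.1:13306:3306"`, or drop it. In the new `es01` service `xpack.security.enabled: false` turns off authentication and TLS, which is tolerable only because the service uses `expose` rather than `ports`; a comment saying so would stop someone from publishing 9200 later. `bootstrap.memory_lock: true` and `xpack.security.enabled: false` are YAML booleans in a mapping-form `environment`, which some Compose versions reject, so quoting them (`"true"`, `"false"`) is safer.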
Строка 144: Строка 214:
 volumes: volumes:
   proxy:   proxy:
-  data:+  nextcloud: 
 +  crontabs:
   db:   db:
   document_data:   document_data:
   document_log:   document_log:
 +  data01:
      
  
Строка 165: Строка 237:
 </code> </code>
  
-===== Установка контейнера и настройка приложения ===== 
  
-<code bash> 
-$ docker compose up -d 
-$ docker exec -u www-data nextcloud-app php occ config:system:set trusted_domains 4 --value=178.140.10.58 
-$ docker exec -u www-data -ti nextcloud-app php occ app:install onlyoffice 
-$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/" 
-$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://nextcloud-onlyoffice/" 
-$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice jwt_secret --value="secret" 
-$ docker exec -u www-data -ti nextcloud-app php occ upgrade 
-</code> 
- 
-  * trusted_domains 1 - Индекс в массиве trusted_domains 
 ===== Настройка прокси-сервера ===== ===== Настройка прокси-сервера =====
  
Строка 198: Строка 258:
  
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer"+              '$status $body_bytes_sent "$http_referer"
-                      '"$http_user_agent" "$http_x_forwarded_for"';+              '"$http_user_agent" "$http_x_forwarded_for"';
  
     access_log  /var/log/nginx/access.log  main;     access_log  /var/log/nginx/access.log  main;
Строка 229: Строка 289:
         server_tokens off;         server_tokens off;
  
-        # Add headers to serve security related headers +        # HSTS settings 
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"+        # WARNING: Only add the preload option once you read about 
-        add_header X-Content-Type-Options nosniff; +        # the consequences in https://hstspreload.org/. This option 
-        add_header X-XSS-Protection "1; mode=block"; +        # will add the domain to a hardcoded list that is shipped 
-        add_header X-Robots-Tag none; +        # in all major browsers and getting removed from this list 
-        add_header X-Download-Options noopen; +        # could take several months. 
-        add_header X-Permitted-Cross-Domain-Policies none;+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
  
-        root /var/www/html; +        # set max upload size and increase upload timeout: 
-        client_max_body_size 10G; 0=unlimited - set max upload size+        client_max_body_size 512M; 
 +        client_body_timeout 300s;
         fastcgi_buffers 64 4K;         fastcgi_buffers 64 4K;
  
-        gzip off;+        # Enable gzip but do not remove ETag headers 
 +        gzip on; 
 +        gzip_vary on; 
 +        gzip_comp_level 4; 
 +        gzip_min_length 256; 
 +        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; 
 +        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; 
 + 
 +        # Pagespeed is not supported by Nextcloud, so if your server is built 
 +        # with the `ngx_pagespeed` module, uncomment this line to disable it. 
 +        #pagespeed off; 
 + 
 +        # The settings allows you to optimize the HTTP2 bandwidth. 
 +        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ 
 +        # for tuning hints 
 +        client_body_buffer_size 512k; 
 + 
 +        # HTTP response headers borrowed from Nextcloud `.htaccess` 
 +        add_header Referrer-Policy                               "no-referrer"               always; 
 +        add_header X-Content-Type-Options                        "nosniff"                   always; 
 +        add_header X-Frame-Options                               "SAMEORIGIN"                always; 
 +        add_header X-Permitted-Cross-Domain-Policies             "none"                      always; 
 +        add_header X-Robots-Tag                                  "noindex, nofollow"         always; 
 +        add_header X-XSS-Protection                              "1; mode=block"             always; 
 + 
 +        # Remove X-Powered-By, which is an information leak 
 +        fastcgi_hide_header X-Powered-By; 
 + 
 +        # Set .mjs and .wasm MIME types 
 +        # Either include it in the default mime.types list 
 +        # and include that list explicitly or add the file extension 
 +        # only for Nextcloud like below: 
 +        include mime.types; 
 +        types { 
 +                text/javascript mjs; 
 +                application/wasm wasm; 
 +        } 
 + 
 +        # Specify how to handle directories -- specifying `/index.php$request_uri` 
 +        # here as the fallback means that Nginx always exhibits the desired behaviour 
 +        # when a client requests a path that corresponds to a directory that exists 
 +        # on the server. In particular, if that directory contains an index.php file, 
 +        # that file is correctly served; if it doesn't, then the request is passed to 
 +        # the front-end controller. This consistent behaviour means that we don't need 
 +        # to specify custom rules for certain paths (e.g. images and other assets, 
 +        # `/updater`, `/ocs-provider`), and thus 
 +        # `try_files $uri $uri/ /index.php$request_uri` 
 +        # always provides the desired behaviour. 
 +        index index.php index.html /index.php$request_uri; 
 + 
 +        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients 
 +        #location = / { 
 +        #        if ( $http_user_agent ~ ^DavClnt ) { 
 +        #                return 302 /remote.php/webdav/$is_args$args; 
 +        #        } 
 +        #} 
 + 
 +        location = /robots.txt { 
 +                allow all; 
 +                log_not_found off; 
 +                access_log off; 
 +        } 
 + 
 +        # Make a regex exception for `/.well-known` so that clients can still 
 +        # access it despite the existence of the regex rule 
 +        # `location ~ /(\.|autotest|...)` which would otherwise handle requests 
 +        # for `/.well-known`. 
 +        location ^~ /.well-known { 
 +                # The rules in this block are an adaptation of the rules 
 +                # in `.htaccess` that concern `/.well-known`. 
 + 
 +                location = /.well-known/carddav { return 301 /remote.php/dav/;
 +                location = /.well-known/caldav  { return 301 /remote.php/dav/;
 + 
 +                location /.well-known/acme-challenge        { try_files $uri $uri/ =404; } 
 +                location /.well-known/pki-validation        { try_files $uri $uri/ =404; } 
 + 
 +                # Let Nextcloud's API for `/.well-known` URIs handle all other 
 +                # requests by passing them to the front-end controller. 
 +                return 301 /index.php$request_uri; 
 +        } 
 + 
 +        # Rules borrowed from `.htaccess` to hide certain paths from clients 
 +        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/ { return 404; } 
 +        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                                { return 404; }
  
         index index.php;         index index.php;
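Review bot: The `Strict-Transport-Security` header is now commented out, so a server that previously sent HSTS no longer does, and browsers will stop enforcing HTTPS once their cached policy expires. The warning in the new comment concerns `preload` only; if this server block terminates TLS (the `listen` lines are outside the hunk), keep the header without that token: `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;`. `fastcgi_hide_header X-Powered-By;` has no effect when the backend is reached through `proxy_pass`, which the `proxy_set_header` locations and the `-apache` app image suggest; `proxy_hide_header X-Powered-By;` is the matching directive. The `carddav`/`caldav` redirects and the first hide-paths regex appear to be missing their closing `}` and `)`. If that is in the wiki text and not a rendering artifact, nginx will refuse to load the file.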
Строка 250: Строка 395:
                 client_max_body_size 100m;                 client_max_body_size 100m;
                 proxy_http_version 1.1;                 proxy_http_version 1.1;
-                #proxy_set_header Upgrade $http_upgrade; +                proxy_set_header Upgrade $http_upgrade; 
-                #proxy_set_header Connection "upgrade";+                proxy_set_header Connection "upgrade";
                 proxy_set_header Host $http_host;                 proxy_set_header Host $http_host;
                 proxy_set_header X-Real-IP $remote_addr;                 proxy_set_header X-Real-IP $remote_addr;
-                #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
-                #proxy_set_header X-Forwarded-Host $the_host/ds-vpath+                proxy_set_header X-Forwarded-Host $the_host; 
-                #proxy_set_header X-Forwarded-Proto $the_scheme;+                proxy_set_header X-Forwarded-Proto $the_scheme
 +                # Correct handling of fallbacks for HTTP headers 
 +                proxy_hide_header X-Permitted-Cross-Domain-Policies; 
 +                proxy_hide_header  Referrer-Policy; 
 +                proxy_hide_header  X-Content-Type-Options; 
 +                proxy_hide_header  X-Frame-Options; 
 +                proxy_hide_header  X-XSS-Protection;
         }         }
  
-        # onlyoffice 
         location ~* ^/ds-vpath/ {         location ~* ^/ds-vpath/ {
                 rewrite /ds-vpath/(.*) /$1  break;                 rewrite /ds-vpath/(.*) /$1  break;
Строка 273: Строка 423:
                 proxy_set_header X-Forwarded-Host $the_host/ds-vpath;                 proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
                 proxy_set_header X-Forwarded-Proto $the_scheme;                 proxy_set_header X-Forwarded-Proto $the_scheme;
 +                # Correct handling of fallbacks for HTTP headers
 +                proxy_hide_header X-Permitted-Cross-Domain-Policies;
 +                proxy_hide_header  Referrer-Policy;
 +                proxy_hide_header  X-Content-Type-Options;
 +                proxy_hide_header  X-Frame-Options;
 +                proxy_hide_header  X-XSS-Protection;
         }         }
  
-        # drawio 
         location ~* ^/drawio/ {         location ~* ^/drawio/ {
                 rewrite /drawio/(.*) /$1  break;                 rewrite /drawio/(.*) /$1  break;
Строка 290: Строка 445:
                 #proxy_set_header X-Forwarded-Proto $the_scheme;                 #proxy_set_header X-Forwarded-Proto $the_scheme;
         }         }
-     +
-        # drawio-export PDF+
         location /service/0 {         location /service/0 {
                 rewrite /\/service\/0/(.*) /$1  break;                 rewrite /\/service\/0/(.*) /$1  break;
Строка 306: Строка 460:
                 #proxy_set_header X-Forwarded-Proto $the_scheme;                 #proxy_set_header X-Forwarded-Proto $the_scheme;
         }         }
- 
  
     }     }
 } }
 </code> </code>
 +
 +===== Продолжение настройки =====
 +
 +<code bash>
 +$ docker exec nextcloud-app rm /var/spool/cron/crontabs/www-data
 +</code>
 +
 +===== Установка контейнера и настройка приложения =====
 +
 +<code bash>
 +$ docker compose up -d
 +$ docker exec -u www-data nextcloud-app php occ config:system:set trusted_domains 4 --value=178.140.10.58
 +$ docker exec -u www-data nextcloud-app php occ app:install onlyoffice
 +$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerUrl --value="/ds-vpath/"
 +$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice DocumentServerInternalUrl --value="http://nextcloud-onlyoffice/"
 +$ docker exec -u www-data nextcloud-app php occ --no-warnings config:system:set onlyoffice jwt_secret --value="secret"
 +</code>
 +
 +  * trusted_domains 1 - Индекс в массиве trusted_domains
 +
 +
 +===== Fulltextsearch + Elasticsearch =====
 +
 +<code bash>
 +$ docker exec nextcloud-app curl -XGET 'nextcloud-es01:9200/?pretty'
 +$ docker exec -u www-data nextcloud-app php occ fulltextsearch:test
 +$ docker exec -u www-data nextcloud-app php occ full:index
 +</code>
 +
 +===== OCC =====
 +
 +<code bash>
 +$ docker exec -u www-data nextcloud-app php occ config:app:set calendar publicCalendars --value '[{"name":"My custom calendar","source":"http://example.com/example.ics"}]'
 +$ docker exec -u www-data nextcloud-app php occ config:app:set dav calendarSubscriptionRefreshRate --value "PT6H"
 +$ docker exec -u www-data nextcloud-app php occ config:app:set dav webcalAllowLocalAccess --value yes
 +$ docker exec -u www-data nextcloud-app php occ upgrade
 +$ docker exec nextcloud-app php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
 +$ docker exec nextcloud-app php composer-setup.php
 +$ docker exec nextcloud-app mv /var/www/html/composer.phar /usr/local/bin/composer
 +$ docker exec nextcloud-app chmod +x /usr/local/bin/composer
 +</code>
 +
 +===== Maintenance =====
 +
 +<code bash>
 +$ docker exec -u www-data nextcloud-app php occ maintenance:mode --on
 +$ docker exec -u www-data nextcloud-app php occ maintenance:mode --off
 +</code>
 +
 +===== Logfile =====
 +
 +<code bash>
 +$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/data && echo "" > nextcloud.log'
 +</code>
 +
 +===== Composer =====
 +
 +==== Install ====
 +
 +<code bash>
 +$ docker exec nextcloud-app php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" && \
 +docker exec nextcloud-app php composer-setup.php && \
 +docker exec nextcloud-app mv composer.phar /usr/local/bin/composer && \
 +docker exec nextcloud-app composer -v
 +</code>
 +
 +==== Использование ====
 +
 +<code bash>
 +$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html && ls -la'
 +$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/custom_apps/backup && composer install'
 +</code>
 +
 +===== User Data =====
 +
 +<code bash>
 +$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/data && ls -la'
 +</code>
 +
 +===== Custom Application =====
 +
 +<code bash>
 +$ docker exec nextcloud-app chown www-data:www-data -R custom_apps/
 +$ docker exec -u www-data nextcloud-app bash -c 'cd /var/www/html/custom_apps && ls -la'
 +</code>
 +
 +===== Debug =====
 +
 +<code bash>
 +$ docker exec nextcloud-app pecl install xdebug && \
 +docker exec nextcloud-app docker-php-ext-enable xdebug && \
 +docker exec nextcloud-app rm -rf /tmp/pear && \
 +docker exec nextcloud-app bash -c 'echo "xdebug.mode=debug
 +xdebug.start_with_request=yes
 +xdebug.client_host=host.docker.internal
 +;# 9003 is now the default (set this for old PhpStorm settings).
 +xdebug.client_port=9000" >> /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini;'; \
 +    php -i|grep xdebug
 +</code>
 +
 +
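Review bot: Both Composer install snippets download `https://getcomposer.org/installer` and run it inside the container as root (no `-u`) without checking the file first. Add a checksum step between the download and the run, with the hash taken from Composer's download page: `docker exec nextcloud-app php -r "if (hash_file('sha384', 'composer-setup.php') !== '<EXPECTED_SHA384>') { unlink('composer-setup.php'); exit(1); }"`. `webcalAllowLocalAccess --value yes` lets calendar subscriptions fetch URLs on local and private addresses, which on this network includes the unauthenticated Elasticsearch node, so it should carry a comment saying when it is needed rather than sit in a list of routine commands. The Debug block enables Xdebug with `start_with_request=yes` in the same `nextcloud-app` container that serves users; a note that it belongs on a development instance only would help, and the trailing `php -i|grep xdebug` runs on the host, not in the container.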