nextcloud: works with sso and has a better setup/install script on first run

Makefile

@@ -5,6 +5,7 @@ MODULES += grafana
 MODULES += prometheus
 MODULES += mastodon
 MODULES += matrix
+MODULES += nextcloud
 #MODULES += pixelfed
 
 include env.production
@@ -41,6 +42,8 @@ matrix-shell:
 	$(DOCKER) exec matrix-synapse bash
 matrix-logs:
 	$(DOCKER) logs -f matrix-synapse
+nextcloud-logs:
+	$(DOCKER) logs -f nextcloud
 nginx-build: data/nginx/secrets
 	$(DOCKER) build nginx
 

env.production

@@ -24,3 +24,4 @@ PROMETHEUS_HOSTNAME=metrics
 AUTH_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/auth
 TOKEN_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/token
 USERINFO_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/userinfo
+LOGOUT_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/logout

nextcloud.yaml

@@ -0,0 +1,48 @@
+version: "3"
+
+services:
+  nextcloud-db:
+    image: postgres:13.4-alpine
+    container_name: nextcloud-db
+    restart: always
+    environment:
+      - POSTGRES_USER=nextcloud
+      - POSTGRES_PASSWORD=nextcloud
+      - POSTGRES_DB=nextcloud
+    volumes:
+      - ./data/nextcloud/database:/var/lib/postgresql/data
+
+  nextcloud:
+    image: nextcloud:25.0.1-apache
+    container_name: nextcloud
+    restart: always
+    env_file:
+      - env.production
+    environment:
+      POSTGRES_HOST: nextcloud-db
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: nextcloud
+      OVERWRITEPROTOCOL: https
+      NEXTCLOUD_ADMIN_USER: admin
+      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
+      NEXTCLOUD_CLIENT_SECRET: ${NEXTCLOUD_CLIENT_SECRET}
+      NEXTCLOUD_TRUSTED_DOMAINS: ${NEXTCLOUD_HOSTNAME}.${DOMAIN_NAME}
+    volumes:
+      - ./data/nextcloud/nextcloud:/var/www/html
+      - ./nextcloud/setup.sh:/setup.sh:ro
+    depends_on:
+      - nextcloud-db
+    entrypoint: ["/setup.sh"]
+
+  # add the nginx configuration into the nginx volume
+  nginx:
+    volumes:
+      - ./nextcloud/nginx.conf:/etc/nginx/templates/nextcloud.conf.template:ro
+
+  # add the grafana client secrets to the keycloak-setup volume
+  keycloak-setup:
+    env_file:
+      - data/nextcloud/secrets
+    volumes:
+      - ./nextcloud/keycloak.sh:/keycloak-setup/nextcloud.sh:ro

nextcloud/docker-compose.yaml

@@ -1,36 +0,0 @@
-version: "3"
-
-services:
-  database:
-    image: postgres:13.4-alpine
-    restart: always
-    environment:
-      - POSTGRES_USER=nextcloud
-      - POSTGRES_PASSWORD=nextcloud
-      - POSTGRES_DB=nextcloud
-    volumes:
-      - ../data/nextcloud/database:/var/lib/postgresql/data
-
-  nextcloud:
-    image: nextcloud:23.0.4
-    restart: always
-    ports:
-      - 9000:80
-    env_file:
-      - ../env.production
-      - env.production
-      - ../data/nextcloud/env.secrets
-    environment:
-      POSTGRES_HOST: database
-      POSTGRES_DB: nextcloud
-      POSTGRES_USER: nextcloud
-      POSTGRES_PASSWORD: nextcloud
-      OVERWRITEPROTOCOL: https
-      NEXTCLOUD_ADMIN_USER: admin
-      # NEXTCLOUD_ADMIN_PASSWORD in env.secrets
-      # NEXTCLOUD_TRUSTED_DOMAINS also set in env.secrets
-    volumes:
-      - ../data/nextcloud/nextcloud:/var/www/html
-    depends_on:
-      - database
-

nextcloud/env.production

@@ -1 +0,0 @@
-# non-secret nextcloud config

nextcloud/keycloak.sh

@@ -0,0 +1,4 @@
+#!/bin/bash -x
+# Setup the OAuth client connection
+
+client-create nextcloud "$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME" "$NEXTCLOUD_CLIENT_SECRET" </dev/null

nextcloud/nginx.conf

@@ -1,5 +1,5 @@
 server {
-	server_name ${NEXTCLOUD_HOSTNAME};
+	server_name ${NEXTCLOUD_HOSTNAME} ${NEXTCLOUD_HOSTNAME}.${DOMAIN_NAME};
 	client_max_body_size 128m;
 
 	sendfile on;
@@ -27,7 +27,7 @@ server {
 	}
 
 	location / {
-		proxy_pass http://host.docker.internal:9000;
+		proxy_pass http://nextcloud;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -42,5 +42,3 @@ server {
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 
 }
-
-

nextcloud/setup

@@ -1,82 +0,0 @@
-#!/bin/bash
-die() { echo >&2 "$@" ; exit 1 ; }
-
-DIRNAME="$(dirname $0)"
-cd "$DIRNAME"
-source ../env.production || die "no top level env?"
-source env.production || die "no local env?"
-
-SECRETS="../data/nextcloud/env.secrets"
-if [ -r "$SECRETS" ]; then
-	docker-compose up -d || die "nextcloud: unable to start"
-	exit 0
-fi
-
-docker-compose down 2>/dev/null
-
-NEXTCLOUD_CLIENT_SECRET="$(openssl rand -hex 32)"
-NEXTCLOUD_ADMIN_PASSWORD="$(openssl rand -hex 6)"
-
-echo "Generating secrets: admin password $NEXTCLOUD_ADMIN_PASSWORD"
-mkdir -p "$(dirname "$SECRETS")"
-cat <<EOF > "$SECRETS"
-# Do not check in!
-NEXTCLOUD_ADMIN_PASSWORD=$NEXTCLOUD_ADMIN_PASSWORD
-NEXTCLOUD_TRUSTED_DOMAINS=$NEXTCLOUD_HOSTNAME
-NEXTCLOUD_CLIENT_SECRET=$NEXTCLOUD_CLIENT_SECRET
-EOF
-
-BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
-PROVIDER="$(jq -c . <<EOF
-{
-	"custom_oidc": [
-		{
-			"name":		"keycloak",
-			"title":	"Keycloak",
-			"clientId":	"nextcloud",
-			"clientSecret":	"$NEXTCLOUD_CLIENT_SECRET",
-			"authorizeUrl":	"$BASE/auth",
-			"tokenUrl":	"$BASE/token",
-			"userInfoUrl":	"$BASE/userinfo",
-			"logoutUrl":	"$BASE/logout",
-			"scope":	"openid",
-			"groupsClaim":	"roles",
-			"style":	"keycloak",
-			"displayNameClaim": "",
-			"defaultGroup":	""
-		}
-	]
-}
-EOF
-)"
-
-
-docker-compose up -d || die "unable to bring up docker"
-
-# wait for the nextcloud instance to be responsive
-# TODO: how to find out if it is ready?
-echo "Sleeping a minute while nextcloud installs"
-sleep 60
-
-
-docker-compose exec -u www-data -T nextcloud bash -x <<EOF || die "unable to configure sociallogin"
-./occ app:install calendar
-./occ app:install sociallogin
-./occ config:app:set sociallogin prevent_create_email_exists --value=1 || exit 1
-./occ config:app:set sociallogin update_profile_on_login --value=1 || exit 1
-./occ config:app:set sociallogin custom_providers --value='$PROVIDER' || exit 1
-EOF
-
-../keycloak/client-delete 'nextcloud' || echo "client did not exist?"
-
-../keycloak/client-create << EOF || die "unable to create client id"
-{
-	"clientId": "nextcloud",
-	"rootUrl": "https://$NEXTCLOUD_HOSTNAME/",
-	"adminUrl": "https://$NEXTCLOUD_HOSTNAME/",
-	"redirectUris": [ "https://$NEXTCLOUD_HOSTNAME/*" ],
-	"webOrigins": [ "https://$NEXTCLOUD_HOSTNAME" ],
-	"clientAuthenticatorType": "client-secret",
-	"secret": "$NEXTCLOUD_CLIENT_SECRET"
-}
-EOF

nextcloud/setup.sh

@@ -0,0 +1,52 @@
+#!/bin/bash -x
+
+SERVER="apache2-foreground"
+CANARY="/var/www/html/.installed"
+if [ -r "$CANARY" ]; then
+	exec "/entrypoint.sh" "$SERVER"
+fi
+
+echo >&2 "**** installing nextcloud"
+NEXTCLOUD_UPDATE=1 bash /entrypoint.sh date || exit 1
+
+echo >&2 "***** Setting up nextcloud for ${DOMAIN_NAME}"
+occ() { su -p www-data -s /bin/sh -c "php /var/www/html/occ $*" ; }
+#occ maintenance:install || exit 1
+
+PROVIDER="$(cat <<EOF
+{
+	"custom_oidc": [
+		{
+			"name":		"keycloak",
+			"title":	"Keycloak",
+			"clientId":	"nextcloud",
+			"clientSecret":	"$NEXTCLOUD_CLIENT_SECRET",
+			"authorizeUrl":	"$AUTH_URL",
+			"tokenUrl":	"$TOKEN_URL",
+			"userInfoUrl":	"$USERINFO_URL",
+			"logoutUrl":	"$LOGOUT_URL",
+			"scope":	"openid",
+			"groupsClaim":	"roles",
+			"style":	"keycloak",
+			"displayNameClaim": "",
+			"defaultGroup":	""
+		}
+	]
+}
+EOF
+)"
+
+for app in calendar sociallogin; do
+	if [ ! -r "$CANARY.$app" ]; then
+		echo >&2 "installing app $app"
+		occ app:install $app || exit 1
+		touch "$CANARY.$app"
+	fi
+done
+
+occ config:app:set sociallogin prevent_create_email_exists --value=1 || exit 1
+occ config:app:set sociallogin update_profile_on_login --value=1 || exit 1
+occ config:app:set sociallogin custom_providers --value=\'$PROVIDER\' || exit 1
+
+touch "$CANARY"
+exec "/entrypoint.sh" "$SERVER"