
Commit e675ccca authored by Arnau Vàzquez

Merge branch 'local-dev' into 'nc-21'

Local dev

See merge request !62
parents 87283043 cb351f04
+50 −0
@@ -10,6 +10,56 @@ Simply build as a standard docker image. Check `gitlab-ci.ym` for the commands w

We suggest you use our [ecloud-selfhosting](https://gitlab.e.foundation/e/infra/ecloud-selfhosting) project instead of this one directly. But if you wish to do so, then check our [releases page](https://gitlab.e.foundation/e/infra/ecloud/nextcloud/-/releases) and pull the latest tag from the container registry.

### To run ecloud locally(Tested on Ubuntu and Manjaro, should work on most linux distributions)

- Install [docker](https://docs.docker.com/engine/install/ubuntu/)(link is for Ubuntu)
- Install [docker-compose](https://docs.docker.com/compose/install/)
- Create a copy of the `ecloud_dev_example` directory locally where you want to install an `ecloud` development environment
- Use `cd` or file manager to enter the above directory
- Add a `.env` file with chosen attributes(example [.env](./ecloud_dev_example/.dev.env) file here, you can rename to `.env` to use same defaults)
- Pull the images and up the containers
  - `docker-compose pull`
  - `docker-compose up -d`

### Things to do on first installation locally

- Set config values, disable integrity check and refresh theme cache:

  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set theme --value='eCloud'`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set datadirectory --value='/var/www/data'`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set logfile --value='/var/www/log/nextcloud.log'`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set loglevel --value='2' --type=integer`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set integrity.check.disabled --value='true' --type=boolean`
  - `docker exec -u www-data ecloud /var/www/html/occ maintenance:theme:update`

- Disable apps:

  - `docker exec -u www-data ecloud /var/www/html/occ app:disable firstrunwizard`
  - `docker exec -u www-data ecloud /var/www/html/occ app:disable theming`
  - `docker exec -u www-data ecloud /var/www/html/occ app:disable files_external`

- Enable\Install apps:

  - `docker exec -u www-data ecloud /var/www/html/occ app:enable ecloud-launcher`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable ecloud-theme-helper`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable notes`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable news`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable quota_warning`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable contacts`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable calendar`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable email-recovery`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable ecloud-accounts`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable integration_google`
  - To install more apps, use `docker exec -u www-data ecloud /var/www/html/occ app:install $app` where `$app` is the name of the app

- Add a new group in your bash shell to make the `html` folder editable(run commands with `sudo` if required):
  - `groupadd ecloud`
  - `usermod -a -G ecloud http`
  - `usermod -a -G ecloud $USER`
  - `chgrp -R ecloud volumes/nextcloud/html`
  - `chmod -R g+w volumes/nextcloud/html`
  - Log out and log back into your system

## Contributing

Anyone can fork a project on our GitLab instance, but to prevent abuse it's disabled by default. Get in touch with us [by e-mail](mailto:join@e.email) or through our support channels and we will let you create a fork and submit MRs.
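
Review bot: In the "Things to do on first installation locally" list, `integrity.check.disabled` is set to `true` without saying that this is meant for the local development environment only. With the check off, Nextcloud no longer reports modified core or app files, so a reader who copies these steps to a reachable instance loses that signal. Suggest a one-line note next to the command stating why it is disabled here (the `html` folder is edited in place) and that it must stay enabled elsewhere. Separately, `usermod -a -G ecloud http` assumes a host account named `http`, which is the Arch/Manjaro convention; on Ubuntu, which the heading lists as tested, the web server account is `www-data`, so that step fails as written. Suggest naming both accounts.
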
+9 −0
MYSQL_ROOT_PASSWORD=iamroot
MYSQL_PASSWORD=iamnotroot
MYSQL_USER=nextcloud
NEXTCLOUD_ADMIN_USER=admin
NEXTCLOUD_ADMIN_PASSWORD=admin1234
NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=abcd1234
ECLOUD_ACCOUNTS_SECRET=1234abcd

ECLOUD_IMAGE_TAG=ecloud-21.0.7.18-privacy
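
Review bot: The password and secret values in this example file are guessable defaults (`iamroot`, `admin1234`, `abcd1234`), and the README hunk tells readers they can rename the file to `.env` "to use same defaults", so every environment created that way shares the same admin login, database passwords and both app secrets. Suggest a comment at the top marking the file as local-development-only, and either leaving the password and secret values empty or documenting how to generate them, so the stack is not started with known credentials by default.
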
+169 −0
worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    upstream php-handler {
        server nextcloud:9000;
    }

    server {
        listen 80;

        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

        # The following rule is only needed for the Social app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

        location = /.well-known/carddav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }

        location = /.well-known/caldav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }

        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;

        location / {
            rewrite ^ /index.php;
        }

        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            # fastcgi_param HTTPS on;

            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;

            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }

        # Adding the cache control header for js, css and map files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;

            # Optional: Don't log access to assets
            access_log off;
        }

        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }
}
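
Review bot: The `/.well-known/carddav` and `/.well-known/caldav` redirects build their target from `$server_port`, which is the port nginx accepted the connection on inside the container (`listen 80`), not the port the client used. The compose file in this commit publishes `8080:80`, so a client on port 8080 is redirected to port 80, which is not published, and DAV service discovery fails. Suggest `return 301 $scheme://$http_host/remote.php/dav;` so the redirect keeps the host and port the client sent.
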
+47 −0
version: "3"

services:
  mariadb:
    image: mariadb:10.3
    container_name: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin --binlog-format=ROW
    volumes:
      - ./volumes/db/data:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=${MYSQL_USER}

  nextcloud:
    image: registry.gitlab.e.foundation:5000/e/infra/ecloud/nextcloud:${ECLOUD_IMAGE_TAG}
    container_name: ecloud
    restart: always
    depends_on:
      - mariadb
    volumes:
      - ./volumes/nextcloud/html:/var/www/html/
      - ./volumes/nextcloud/log:/var/www/log/
      - ./volumes/nextcloud/data:/var/www/data
    environment:
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_HOST=mariadb
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
      - NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET=${NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET}
      - ECLOUD_ACCOUNTS_SECRET=${ECLOUD_ACCOUNTS_SECRET}

  nginx:
    image: nginx:1.20-alpine
    container_name: nginx
    restart: always
    ports:
      - 8080:80
    depends_on:
      - nextcloud
    volumes:
      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./volumes/nextcloud/html:/var/www/html
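
Review bot: The nginx service's `- 8080:80` publishes the port on all host interfaces, so an instance started with the admin credentials from the example env file is reachable from the local network, not just from the developer's machine. For a local development environment suggest `- 127.0.0.1:8080:80`. `restart: always` on all three services also brings the stack back on every Docker daemon start, even after a manual stop; `unless-stopped` or no restart policy would fit a dev setup better.
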
+0 −0

Empty file added.
