
Commit e95a92ff authored by Nicolas Gelot's avatar Nicolas Gelot

Merge branch 'selfhost/dynamic-conf' into 'slim'

Make a slim Murena workspace

See merge request !254
parents 9b34b845 dcc9204b

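--- /dev/null
+++ b/.env.example
@@ -0,0 +1,28 @@
+# docker compose
+COMPOSE_BAKE=true
+
+# Server
+DOMAIN=localhost
+
+# mail
+SMTP_NAME=username
+SMTP_PASSWORD=123456
+SMTP_HOST=smtp.domain.com
+MAIL_FROM_ADDRESS=no-reply
+MAIL_DOMAIN=domain.com
+
+# database
+DB_HOST=db
+DB_USER=nextcloud
+DB_PASSWORD=123456
+DB_NAME=nextcloud
+
+# redis
+REDIS_HOST=redis
+REDIS_HOST_PASSWORD=12456
+
+# nextcloud
+NEXTCLOUD_DOCKERFILE=slim.Dockerfile 
+NEXTCLOUD_DOCKER_IMG=registry.gitlab.e.foundation/e/infra/ecloud/nextcloud/slim
+NEXTCLOUD_ADMIN_USER=admin
+NEXTCLOUD_ADMIN_PASSWORD=@dm1n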
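Review bot: The sample credentials `SMTP_PASSWORD=123456`, `DB_PASSWORD=123456`, `REDIS_HOST_PASSWORD=12456` and `NEXTCLOUD_ADMIN_PASSWORD=@dm1n` become the live secrets of any deployment that follows the README's `cp .env.example .env` step without editing them, and nothing in the file says they must be replaced. Prefer empty or clearly marked placeholder values with a comment above the first one, e.g. `# Replace every password below before starting the stack; these are placeholders, not defaults`, and treat the inconsistent `REDIS_HOST_PASSWORD=12456` as a sign that none of them were meant to be real values. `NEXTCLOUD_DOCKERFILE=slim.Dockerfile ` carries a trailing space; depending on how the env file is parsed that space can end up in the value, so trim it. `DOMAIN=localhost` also feeds the nginx `server_name` added in this same merge, so it is worth a comment saying it must be set per deployment.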
+35 −44
Original line number Diff line number Diff line
# When using dind, it's wise to use the overlayfs driver for
# improved performance.
variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: "/certs"
  
default:
  image: docker:24.0.6

.docker:
  image: docker:28.0
  services:
    - docker:24.0.6-dind
    - docker:28.0-dind
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    - echo $CI_JOB_TOKEN | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  tags:
    - generic_privileged

.build-docker:
.build:
  extends: .docker
  stage: build
  script:
    - echo "TARGET $TARGET, BRANCH $CI_COMMIT_BRANCH, COMMIT_REF_SLUG $CI_COMMIT_REF_SLUG, COMMIT_TAG $CI_COMMIT_TAG"
    - docker build --target $TARGET  --pull -t "$CI_REGISTRY_IMAGE$SUBPATH:$CI_COMMIT_REF_SLUG" .
    - docker push "$CI_REGISTRY_IMAGE$SUBPATH:$CI_COMMIT_REF_SLUG"
    - docker build -t $CI_REGISTRY_IMAGE$REGISTRY_SUBPATH:$CI_COMMIT_REF_SLUG $DOCKER_BUILD_ARGS .
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

build-branch:
  stage: build
.deploy:
  extends: .docker
  stage: deploy
  script:
    - docker build -t $CI_REGISTRY_IMAGE$REGISTRY_SUBPATH:${CI_COMMIT_TAG/v/} $DOCKER_BUILD_ARGS .
    - docker push $CI_REGISTRY_IMAGE$REGISTRY_SUBPATH:${CI_COMMIT_TAG/v/} 
  rules:
    - if: '$CI_COMMIT_TAG'

build-workspace:
  extends: .build
  variables:
    TARGET: ecloud
    SUBPATH: ''
  only:
    - branches
  extends: .build-docker
    DOCKER_BUILD_ARGS: "--target ecloud"
    REGISTRY_SUBPATH: ""

build-branch-selfhost:
  stage: build
build-slim-workspace:
  extends: .build
  variables:
    TARGET: selfhost
    SUBPATH: '/selfhost'
  only:
    - branches
  when: manual
  extends: .build-docker
    DOCKER_BUILD_ARGS: "-f slim.Dockerfile"
    REGISTRY_SUBPATH: "/slim"

build-tag:
  stage: build
publish-workspace:
  extends: .deploy
  variables:
    TARGET: ecloud
    SUBPATH: ''
  only:
    - tags
  extends: .build-docker
    DOCKER_BUILD_ARGS: "--target ecloud"
    REGISTRY_SUBPATH: ""

build-tag-selfhost:
  stage: build
publish-slim-workspace:
  extends: .deploy
  variables:
    TARGET: selfhost
    SUBPATH: '/selfhost'
  only:
    - tags
  extends: .build-docker
    DOCKER_BUILD_ARGS: "-f slim.Dockerfile"
    REGISTRY_SUBPATH: "/slim"
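Review bot: The release tag is derived with `${CI_COMMIT_TAG/v/}` in the `.deploy` script, which strips the first `v` anywhere in the tag rather than only a leading one, and is a bash-style expansion that the `docker:28.0` image's default shell may not provide; the POSIX prefix form is both anchored and portable, so the two lines become `docker build -t "$CI_REGISTRY_IMAGE$REGISTRY_SUBPATH:${CI_COMMIT_TAG#v}" $DOCKER_BUILD_ARGS .` and `docker push "$CI_REGISTRY_IMAGE$REGISTRY_SUBPATH:${CI_COMMIT_TAG#v}"` (`$DOCKER_BUILD_ARGS` stays unquoted on purpose so it word-splits). The same unquoted image reference appears in the `.build` script's `docker build -t $CI_REGISTRY_IMAGE$REGISTRY_SUBPATH:$CI_COMMIT_REF_SLUG`, and the `docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY` line should quote its variables too. Note that `.deploy` rebuilds the image from source at tag time instead of re-tagging the image the merge-request job built, so what is published is not byte-for-byte what was tested; if that matters, push the MR-built image and retag it from the tag pipeline. The rendered page has lost the +/- markers, so which of the duplicated lines is the new side is inferred from the `slim`/`REGISTRY_SUBPATH` naming used elsewhere in this merge.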

COPYING-README

deleted100644 → 0
+0 −16
Original line number Diff line number Diff line
Files in Nextcloud are licensed under the Affero General Public License version 3,
the text of which can be found in LICENSE, or any later version of the AGPL,
unless otherwise noted.

Licensing of components:
* jQuery: MIT / GPL
* HTTP: 3 clause BSD
* MDB2: BSD style custom
* User: AGPL
* XML/RPC: MIT / PHP
* Elementary filetype icons: GPL v3+
* Material UI icons: APACHE LICENSE, VERSION 2.0
All unmodified files from these and other sources retain their original copyright
and license notices: see the relevant individual files.

Attribution information for Nextcloud is contained in the AUTHORS file: https://raw.githubusercontent.com/nextcloud/server/master/AUTHORS
+12 −57
Original line number Diff line number Diff line
# Custom nextcloud image for eCloud
# Murena Workspace

This project builds a custom docker image from the official Nextcloud one, applying workarounds or specific behaviour of interest only for a shared, private-by-default installation such as ecloud.global.
This project builds a custom docker image from the official [Nextcloud](https://nextcloud.com), applying patches to make Murena Workspace.

## Building
2 images are available the `default` and the `slim` ones.

Simply build as a standard docker image. Check `gitlab-ci.ym` for the commands we use.
## Getting started

## Using
You can configure default values from the `.env` file. See [.env.example](./.env.example).
By default, the `slim` Murena Workspace is configured.

We suggest you use our [ecloud-selfhosting](https://gitlab.e.foundation/e/infra/ecloud-selfhosting) project instead of this one directly. But if you wish to do so, then check our [releases page](https://gitlab.e.foundation/e/infra/ecloud/nextcloud/-/releases) and pull the latest tag from the container registry.
`slim` Murena Workspace
```
cp .env.example .env
docker compose up --build -d
```

### To run ecloud locally(Tested on Ubuntu and Manjaro, should work on most linux distributions)

- Install [docker](https://docs.docker.com/engine/install/ubuntu/)(link is for Ubuntu)
- Install [docker-compose](https://docs.docker.com/compose/install/)
- Create a copy of the `ecloud_dev_example` directory locally where you want to install an `ecloud` development environment
- Use `cd` or file manager to enter the above directory
- Add a `.env` file with chosen attributes(example [.env](./ecloud_dev_example/.dev.env) file here, you can rename to `.env` to use same defaults)
- Set correct permissions to volumes:
  - `chown -R '33':'33' volumes/nextcloud/{html,data,log}`
- Pull the images and up the containers
  - `docker-compose pull`
  - `docker-compose up -d`

### Things to do on first installation locally

- Set config values, disable integrity check and refresh theme cache:

  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set theme --value='eCloud'`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set logfile --value='/var/www/log/nextcloud.log'`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set loglevel --value='2' --type=integer`
  - `docker exec -u www-data ecloud /var/www/html/occ config:system:set integrity.check.disabled --value='true' --type=boolean`
  - `docker exec -u www-data ecloud /var/www/html/occ maintenance:theme:update`

- Disable apps:

  - `docker exec -u www-data ecloud /var/www/html/occ app:disable firstrunwizard`
  - `docker exec -u www-data ecloud /var/www/html/occ app:disable theming`
  - `docker exec -u www-data ecloud /var/www/html/occ app:disable files_external`

- Enable\Install apps:

  - `docker exec -u www-data ecloud /var/www/html/occ app:enable murena_launcher`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable ecloud-theme-helper`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable notes`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable news`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable quota_warning`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable contacts`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable calendar`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable email-recovery`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable ecloud-accounts`
  - `docker exec -u www-data ecloud /var/www/html/occ app:enable integration_google`
  - To install more apps, use `docker exec -u www-data ecloud /var/www/html/occ app:install $app` where `$app` is the name of the app

- To make the `html` folder editable to current user(`$USER`)(run commands with `sudo` if required):
  - `usermod -a -G '33' $USER`
  - `chmod -R g+w volumes/nextcloud/html`
  - Log out and log back into your system

## Contributing

Anyone can fork a project on our GitLab instance, but to prevent abuse it's disabled by default. Get in touch with us [by e-mail](mailto:dev@murena.com) or through our support channels and we will let you create a fork and submit MRs.
Go to http://localhost:8000 then use admin credentials provided into `.env` file.
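--- /dev/null
+++ b/<nginx-config-path-not-shown-on-page>
@@ -0,0 +1,183 @@
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
+upstream php-handler {
+    server nextcloud:9000;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${DOMAIN};
+
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # The settings allows you to optimize the HTTP2 bandwidth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Set .mjs and .wasm MIME types
+    # Either include it in the default mime.types list
+    # and include that list explicitly or add the file extension
+    # only for Nextcloud like below:
+    include mime.types;
+    types {
+        text/javascript mjs;
+	application/wasm wasm;
+    }
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        #fastcgi_param HTTPS on;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
+    }
+
+    # Serve static files
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
+        try_files $uri /index.php$request_uri;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.(otf|woff2?)$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+
+    # For the Rainloop admin message saying "data folder accessible"
+    # It is a false positive as seen at https://github.com/pierre-alain-b/rainloop-nextcloud/issues/62
+    location ^~/apps/rainloop/app/data {
+        deny all;
+    }
+}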
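Review bot: The server block listens only on plain-HTTP port 80, with the HSTS header and `fastcgi_param HTTPS on` left commented out, and nothing in the file states that a TLS-terminating reverse proxy is expected in front of it; since the `.env.example` in this same merge defaults `DOMAIN` to `localhost`, a reader may well expose this listener directly. Add a header comment at the top of the `server` block such as `# Plain-HTTP listener: front it with a TLS-terminating proxy for any non-local deployment, then set Nextcloud's overwriteprotocol/trusted_proxies options and re-enable the HSTS line below` so the expectation is explicit. The `types { }` block indents `application/wasm wasm;` with a tab while every other line uses four spaces; convert it to spaces. `server_name ${DOMAIN};` suggests this file is passed through an envsubst-style template at container start, which the file itself does not say; a one-line comment naming the substitution step would help the next maintainer, and it is inferred here rather than visible on the page.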