├── .gitignore ├── LICENSE ├── README.md ├── includes ├── Caddyfile ├── Caddyfile-dns ├── Caddyfile-nossl ├── Caddyfile-selfsigned ├── caddy ├── my-system.cnf ├── my.cnf ├── pgpass ├── php.ini ├── redis.conf ├── remove-staging.sh ├── www-crontab └── www.conf └── nextcloud-jail.sh /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | configs/acme_dns_issue.sh 3 | nextcloud-config 4 | .DS_Store 5 | *.pem 6 | *.log 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # freenas-iocage-nextcloud 2 | Script to create an iocage jail on FreeNAS for the latest Nextcloud 30 release, including Caddy 2.x, MariaDB 10.6/PostgreSQL 13, and Let's Encrypt 3 | 4 | This script will create an iocage jail on TrueNAS CORE 13.3 with the latest release of Nextcloud 28, along with its dependencies. It will obtain a trusted certificate from Let's Encrypt for the system, install it, and configure it to renew automatically. It will create the Nextcloud database and generate a strong root password and user password for the database system. It will configure the jail to store the database and Nextcloud user data outside the jail, so it will not be lost in the event you need to rebuild the jail. 5 | 6 | ## Status 7 | This script will work with TrueNAS CORE 13.3. Due to the EOL status of earlier FreeBSD versions, it is unlikely to work reliably with earlier releases of TrueNAS. It will not work with TrueNAS SCALE; use the Apps ecosystem instead to install Nextcloud there. 8 | 9 | ## Usage 10 | 11 | ### Prerequisites (Let's Encrypt) 12 | This script works best when your installation is able to obtain a certificate from [Let's Encrypt](https://letsencrypt.org/). When you use it this way, Caddy is able to handle all of the TLS-related configuration for you, obtain and renew certificates automatically, etc. In order for this to happen, you must meet the two requirements below: 13 | 14 | * First, you must own or control a real Internet domain name. This script obtains a TLS encryption certificate from Let's Encrypt, who will only issue for public domain names. Thus, domains like `cloud.local`, `mycloud.lan`, or `nextcloud.home` won't work. Domains can be very inexpensive, and in some cases, they can be free. [Freenom](https://www.freenom.com/), for example, provides domains for free if you jump through the right hoops. [EasyDNS](https://easydns.com/) is a fine domain registrar for paid domains, costing roughly US$15 per year (which varies slightly with the top-level domain). 15 | 16 | * Second, one of these two conditions must be met in order for Let's Encrypt to validate your control over the domain name: 17 | 18 | * You must be able and willing to open ports 80 and 443 from the entire Internet to the jail, and leave them open. If this applies, do it **before** running this script. 19 | * DNS hosting for the domain name needs to be with a provider that Caddy supports. At this time, only Cloudflare is supported. 20 | 21 | [Cloudflare](https://www.cloudflare.com/) provides DNS hosting at no cost, and it's well-supported by Caddy. Cloudflare also provides Dynamic DNS service, if your desired Dynamic DNS client supports their API. If it doesn't, [DNS-O-Matic](https://dnsomatic.com/) is a Dynamic DNS provider that will interface with many DNS hosts including Cloudflare, has a much simpler API that's more widely supported, and is also free of charge. 22 | 23 | This document previously had a discussion of using Freenom, Cloudflare, and DNS-O-Matic to give you free dynamic DNS and certificate validation with a free domain. However, due to abuse, Cloudflare has removed the ability to use its API with free domains when using Cloudflare's free plan. For this to work, you'll need to pay either for Cloudflare or for a domain (and the latter is likely less expensive). If you want to use a Freenom domain, you'll need to be able and willing to open ports 80 and 443 to your jail, so you can get your certificate without using DNS validation. 24 | 25 | If you aren't able or willing to obtain a certificate from Let's Encrypt, this script also supports configuring Caddy with a self-signed certificate, or with no certificate (and thus no HTTPS) at all. 26 | 27 | ### Prerequisites (Other) 28 | There are Three options when it comes to datasets and folder structure: 29 | - 1 Dataset with subfolders 30 | - 1 Dataset with 4 sub-datasets 31 | - 4 Datasets 32 | 33 | Although not required, it's recommended to create 1 Dataset with 4 sub-datasets on your main storage pool 34 | - 1 Dataset named `nextcloud` 35 | Under which you create 4 other datasets 36 | - one named `files`, which will store the Nextcloud user data. 37 | - one named `config`, which will store the Nextcloud configuration. 38 | - one named `themes`, which will store the Nextcloud themes. 39 | - one called `db`, which will store the SQL database. For optimal performance, set the record size of the `db` dataset to 16 KB (under Advanced Settings in the FreeNAS web GUI). It's also recommended to cache only metadata on the `db` dataset; you can do this by running `zfs set primarycache=metadata poolname/db`. 40 | 41 | If you use 1 dataset with subfolders it's recomended to use a similar structure. 42 | 43 | If these are not present, a directory `/nextcloud` will be created in `$POOL_PATH`, and subdirectories of `db` (with a subdirectory of either `mariadb` or `pgsql`, depending on which database you chose), `files`, `config`, and `themes` will be created there. But for a variety of reasons, it's preferred to keep these things in their own dataset. 44 | 45 | ### Installation 46 | Download the repository to a convenient directory on your FreeNAS system by changing to that directory and running `git clone https://github.com/danb35/freenas-iocage-nextcloud`. Then change into the new `freenas-iocage-nextcloud` directory and create a file called `nextcloud-config` with your favorite text editor. If you don't have a favorite text editor, `nano` is a good choice, so you'd create the file by running `nano nextcloud-config`. In its minimal form, it would look like this: 47 | ``` 48 | JAIL_IP="192.168.1.199" 49 | DEFAULT_GW_IP="192.168.1.1" 50 | POOL_PATH="/mnt/tank" 51 | TIME_ZONE="America/New_York" 52 | HOST_NAME="YOUR_FQDN" 53 | STANDALONE_CERT=1 54 | CERT_EMAIL="you@yourdomain.com" 55 | ``` 56 | Many of the options are self-explanatory, and all should be adjusted to suit your needs, but only a few are mandatory. The mandatory options are: 57 | 58 | * JAIL_IP is the IP address for your jail. You can optionally add the netmask in CIDR notation (e.g., 192.168.1.199/24). If not specified, the netmask defaults to 24 bits. Values of less than 8 bits or more than 30 bits are invalid. 59 | * DEFAULT_GW_IP is the address for your default gateway 60 | * POOL_PATH is the path for your data pool. 61 | * TIME_ZONE is the time zone of your location, in PHP notation--see the [PHP manual](http://php.net/manual/en/timezones.php) for a list of all valid time zones. 62 | * HOST_NAME is the fully-qualified domain name you want to assign to your installation. If you are planning to get a Let's Encrypt certificate (recommended), you must own (or at least control) this domain, because Let's Encrypt will test that control. If you're using a self-signed cert, or not getting a cert at all, it's only important that this hostname resolve to your jail inside your network. 63 | * DNS_CERT, STANDALONE_CERT, SELFSIGNED_CERT, and NO_CERT determine which method will be used to generate a TLS certificate (or, in the case of NO_CERT, indicate that you don't want to use SSL at all). DNS_CERT and STANDALONE_CERT indicate use of DNS or HTTP validation for Let's Encrypt, respectively. One **and only one** of these must be set to 1. 64 | * DNS_PLUGIN: If DNS_CERT is set, DNS_PLUGIN must contain the name of the DNS validation plugin you'll use with Caddy to validate domain control. At this time, the only valid value is `cloudflare` (but see below). 65 | * DNS_TOKEN: If DNS_CERT is set, this must be set to a properly-scoped Cloudflare API Token. You will need to create an API token through Cloudflare's dashboard, which must have "Zone / Zone / Read" and "Zone / DNS / Edit" permissions on the zone (i.e., the domain) you're using for your installation. See [this documentation](https://github.com/libdns/cloudflare) for further details. 66 | * CERT_EMAIL: If you're obtaining a cert from Let's Encrypt (i.e., either DNS_CERT or STANDALONE_CERT is set to 1), this must be set to a valid email address. You'll only receive mail there if your cert is about to expire (which should never happen), or if there are significant announcements from Let's Encrypt (which is unlikely to result in more than a few emails per year). 67 | 68 | In addition, there are some other options which have sensible defaults, but can be adjusted if needed. These are: 69 | 70 | * NEXTCLOUD_VERSION: You can set this to an earlier or later Nextcloud major release if desired, but be aware that this script is only tested with the default version. Currently defaults to 29. 71 | * COUNTRY_CODE: The two-letter ISO code for your country, which is required to validate phone numbers in profile settings with no country code. Defaults to "US". 72 | * JAIL_NAME: The name of the jail, defaults to "nextcloud" 73 | * JAIL_BASEJAIL: If set to "true", creates a base jail instead of the default 74 | clone jail. It is easier and faster to update the underlying FreeBSD OS in a 75 | base jail, but they might take up more space than clone jails. 76 | * DB_PATH, FILES_PATH, CONFIG_PATH, and THEMES_PATH: These are the paths to your database files, your data files, nextcloud config files, theme files and the FreeBSD Ports collection. They default to $POOL_PATH/nextcloud/db, $POOL_PATH/nextcloud/files, $POOL_PATH/nextcloud/config, and $POOL_PATH/nextcloud/themes, respectively. 77 | * DATABASE: Which database management system to use. Default is "mariadb", but can be set to "pgsql" if you prefer to use PostgreSQL. At this time, PostgreSQL does not seem to be working. 78 | * INTERFACE: The network interface to use for the jail. Defaults to `vnet0`. 79 | * JAIL_INTERFACES: Defaults to `vnet0:bridge0`, but you can use this option to select a different network bridge if desired. This is an advanced option; you're on your own here. 80 | * VNET: Whether to use the iocage virtual network stack. Defaults to `on`. 81 | * CERT_EMAIL is the email address Let's Encrypt will use to notify you of certificate expiration, or for occasional other important matters. This is optional. If you **are** using Let's Encrypt, though, it should be set to a valid address for the system admin. 82 | * PGP_KEYSERVER: Server from which to fetch the Nextcloud Security team signing key, which is used to verify the downloaded Nextcloud setup files. It is used when the key cannot be downloaded directly from nextcloud.com. 83 | * NEXTCLOUD_PGP_KEYID: The fingerprint of the Nextcloud Security team key id. 84 | * MX_WINDOW: This sets the beginning hour of a four-hour daily maintenance window in UTC. Routine maintenance tasks that are not time-sensitive will be run during this time to minimize system load during working hours. Defaults to 5, meaning maintenance tasks will run between 05:00 and 09:00 UTC. For more information, see [the Nextcloud docs](https://docs.nextcloud.com/server/28/admin_manual/configuration_server/background_jobs_configuration.html#maintenance-window-start). 85 | 86 | If you're going to open ports 80 and 443 from the outside world to your jail, do so before running the script, and set STANDALONE_CERT to 1. If not, but you use a DNS provider that's supported by Caddy, set DNS_CERT to 1. If neither of these is true, use either NO_CERT (if you want to run without SSL at all) or SELFSIGNED_CERT (to generate a self-signed certificate--this is also the setting to use if you want to use a certificate from another source). 87 | 88 | Also, HOST_NAME needs to resolve to your jail from **inside** your network. You'll probably need to configure this on your router, or on whatever other device provides DNS for your LAN. If you're unable to do so, you can edit the hosts file on your client computers to achieve this result, but consider installing something like [Pi-Hole](https://pi-hole.net/) to give you control over your DNS. 89 | 90 | ### Execution 91 | Once you've downloaded the script and prepared the configuration file, run this script (`script nextcloud.log ./nextcloud-jail.sh`). The script will run for several minutes. When it finishes, your jail will be created, Nextcloud will be installed and configured, and you'll be shown the randomly-generated password for the default user ("admin"). You can then log in and create users, add data, and generally do whatever else you like. 92 | 93 | ### Obtaining a trusted Let's Encrypt cert 94 | This configuration generated by this script will obtain certs from a non-trusted certificate authority by default. This is to prevent you from exhausting the [Let's Encrypt rate limits](https://letsencrypt.org/docs/rate-limits/) while you're testing things out. Once you're sure things are working, you'll want to get a trusted cert instead. To do this, you can use a simple script that's included. As long as you haven't changed the default jail name, you can do this by running `iocage exec nextcloud /root/remove-staging.sh` (if you have changed the jail name, replace "nextcloud" in that command with the jail name). 95 | 96 | ### DNS Providers 97 | At this writing (22 May 2023), Caddy v2 supports twenty-eight DNS authentication plugins: 98 | 99 | * AliDNS 100 | * Azure 101 | * Cloudflare 102 | * DDNSS 103 | * Desec 104 | * Digital Ocean 105 | * Dinahosting 106 | * DNSPod 107 | * DuckDNS 108 | * Gandi 109 | * GoDaddy 110 | * Google Domains 111 | * Hetzner 112 | * Metaname 113 | * Namecheap 114 | * Namesilo 115 | * Netcup 116 | * Netify 117 | * Njalla 118 | * Openstack-designate 119 | * OVH 120 | * Porkbun 121 | * PowerDNS 122 | * AWS Route53 123 | * Tencentcloud 124 | * Vercel 125 | * Vultr 126 | * `lego_deprecated` 127 | 128 | This script has only been tested with Cloudflare, which works well. Based on the documentation, it appears that DNSPod and Gandi would likely work as well, with no modification to the script or any of the configuration files. Route53 will require modification to the Caddyfile as described further in [its documentation](https://github.com/caddy-dns/route53). 129 | 130 | Visit the [Caddy download page](https://caddyserver.com/download) to see the DNS authentication plugins currently available. To build Caddy with your desired plugin, use the last part of the "Package" on that page as DNS_PLUGIN in your `nextcloud-config` file. E.g., if the package name is `github.com/caddy-dns/cloudflare`, you'd set `DNS_PLUGIN=cloudflare`. From that page, there are also links to the documentation for each plugin, which will describe what credentials are needed. If your provider needs only an API token (as is the case with Cloudflare, and apparently with DNSPod and Gandi), you'll likely be able to set `DNS_TOKEN=long_api_token` in the `nextcloud-config` file and not need to do anything else. If your provider requires different credentials, you'll need to modify the Caddyfile to account for them. 131 | 132 | ### HTTP Strict Transport Security 133 | When you log into your Nextcloud instance as administrator, you may see a configuration warning that HSTS is not enabled. This is intentional. HSTS is a useful security measure, but it can also lock you out of your site if certificate renewal isn't working properly. I recommend you let the system obtain its initial trusted cert, and then renewing at least once, before enabling HSTS, to ensure that automatic renewal works as intended. Ordinarily this will take about 60 days. To enable HSTS, follow these steps: 134 | 135 | * `iocage console nextcloud` 136 | * `nano /usr/local/www/Caddyfile` 137 | * Uncomment (remove the `#`) from the line that begins with `Strict-Transport-Security` 138 | * Save the edited file and exit `nano`. 139 | * `service caddy reload` 140 | 141 | ### Default SNI 142 | If you're going to run Nextcloud behind a reverse proxy, and you've used one of the options to enable TLS on the Nextcloud installation, you may see errors from Caddy indicating that it can't find the appropriate certificate. In this case, you'll need to enable the `default_sni` option in the Caddyfile. To do this, follow these steps: 143 | 144 | * `iocage console nextcloud` 145 | * `nano /usr/local/www/Caddyfile` 146 | * Uncomment (remove the `#`) from the line that begins with `default_sni` 147 | * Save the edited file and exit `nano`. 148 | * `service caddy reload` 149 | 150 | ### To Do 151 | This script has been around for a few years and appears to be pretty stable. If you have problems, either open an issue above, or post to one of the forum threads below: 152 | https://www.truenas.com/community/threads/scripted-installation-of-nextcloud-23-in-iocage-jail.62485/ 153 | https://forum.freenas-community.org/t/scripted-installation-of-nextcloud-23-in-an-iocage-jail/25/6 154 | 155 | -------------------------------------------------------------------------------- /includes/Caddyfile: -------------------------------------------------------------------------------- 1 | { 2 | # debug 3 | acme_ca https://acme-staging-v02.api.letsencrypt.org/directory 4 | email youremailhere 5 | # default_sni yourhostnamehere 6 | } 7 | 8 | yourhostnamehere { 9 | root * /usr/local/www/nextcloud 10 | file_server 11 | log { 12 | output file /var/log/yourhostnamehere.log 13 | } 14 | 15 | php_fastcgi 127.0.0.1:9000 { 16 | env front_controller_active true 17 | } 18 | 19 | header { 20 | # enable HSTS 21 | # Strict-Transport-Security max-age=31536000; 22 | } 23 | 24 | # client support (e.g. os x calendar / contacts) 25 | redir /.well-known/carddav /remote.php/dav/ 301 26 | redir /.well-known/caldav /remote.php/dav/ 301 27 | redir /.well-known/webfinger /index.php/.well-known/webfinger 301 28 | redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 29 | 30 | # Required for legacy 31 | @notlegacy { 32 | path *.php 33 | not path /index* 34 | not path /remote* 35 | not path /public* 36 | not path /cron* 37 | not path /core/ajax/update* 38 | not path /status* 39 | not path /ocs/v1* 40 | not path /ocs/v2* 41 | not path /updater/* 42 | not path /ocs-provider/* 43 | not path */richdocumentscode/proxy* 44 | } 45 | rewrite @notlegacy /index.php{uri} 46 | 47 | # .htaccess / data / config / ... shouldn't be accessible from outside 48 | @forbidden { 49 | path /.htaccess 50 | path /data/* 51 | path /config/* 52 | path /db_structure 53 | path /.xml 54 | path /README 55 | path /3rdparty/* 56 | path /lib/* 57 | path /templates/* 58 | path /occ 59 | path /console.php 60 | } 61 | 62 | respond @forbidden 404 63 | } 64 | -------------------------------------------------------------------------------- /includes/Caddyfile-dns: -------------------------------------------------------------------------------- 1 | { 2 | # debug 3 | acme_ca https://acme-staging-v02.api.letsencrypt.org/directory 4 | email youremailhere 5 | # default_sni yourhostnamehere 6 | } 7 | 8 | yourhostnamehere { 9 | root * /usr/local/www/nextcloud 10 | file_server 11 | log { 12 | output file /var/log/yourhostnamehere.log 13 | } 14 | 15 | php_fastcgi 127.0.0.1:9000 { 16 | env front_controller_active true 17 | } 18 | 19 | tls { 20 | dns dns_plugin api_token 21 | } 22 | 23 | header { 24 | # enable HSTS 25 | # Strict-Transport-Security max-age=31536000; 26 | } 27 | 28 | # client support (e.g. os x calendar / contacts) 29 | redir /.well-known/carddav /remote.php/dav/ 301 30 | redir /.well-known/caldav /remote.php/dav/ 301 31 | redir /.well-known/webfinger /index.php/.well-known/webfinger 301 32 | redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 33 | 34 | # Required for legacy 35 | @notlegacy { 36 | path *.php 37 | not path /index* 38 | not path /remote* 39 | not path /public* 40 | not path /cron* 41 | not path /core/ajax/update* 42 | not path /status* 43 | not path /ocs/v1* 44 | not path /ocs/v2* 45 | not path /updater/* 46 | not path /ocs-provider/* 47 | not path */richdocumentscode/proxy* 48 | } 49 | rewrite @notlegacy /index.php{uri} 50 | 51 | # .htaccess / data / config / ... shouldn't be accessible from outside 52 | @forbidden { 53 | path /.htaccess 54 | path /data/* 55 | path /config/* 56 | path /db_structure 57 | path /.xml 58 | path /README 59 | path /3rdparty/* 60 | path /lib/* 61 | path /templates/* 62 | path /occ 63 | path /console.php 64 | } 65 | 66 | respond @forbidden 404 67 | } 68 | -------------------------------------------------------------------------------- /includes/Caddyfile-nossl: -------------------------------------------------------------------------------- 1 | { 2 | # debug 3 | } 4 | 5 | yourhostnamehere:80, jail_ip:80 { 6 | root * /usr/local/www/nextcloud 7 | file_server 8 | log { 9 | output file /var/log/yourhostnamehere.log 10 | } 11 | 12 | php_fastcgi 127.0.0.1:9000 { 13 | env front_controller_active true 14 | } 15 | 16 | # client support (e.g. os x calendar / contacts) 17 | redir /.well-known/carddav /remote.php/dav/ 301 18 | redir /.well-known/caldav /remote.php/dav/ 301 19 | redir /.well-known/webfinger /index.php/.well-known/webfinger 301 20 | redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 21 | 22 | # Required for legacy 23 | @notlegacy { 24 | path *.php 25 | not path /index* 26 | not path /remote* 27 | not path /public* 28 | not path /cron* 29 | not path /core/ajax/update* 30 | not path /status* 31 | not path /ocs/v1* 32 | not path /ocs/v2* 33 | not path /updater/* 34 | not path /ocs-provider/* 35 | not path */richdocumentscode/proxy* 36 | } 37 | rewrite @notlegacy /index.php{uri} 38 | 39 | # .htaccess / data / config / ... shouldn't be accessible from outside 40 | @forbidden { 41 | path /.htaccess 42 | path /data/* 43 | path /config/* 44 | path /db_structure 45 | path /.xml 46 | path /README 47 | path /3rdparty/* 48 | path /lib/* 49 | path /templates/* 50 | path /occ 51 | path /console.php 52 | } 53 | 54 | respond @forbidden 404 55 | } 56 | -------------------------------------------------------------------------------- /includes/Caddyfile-selfsigned: -------------------------------------------------------------------------------- 1 | { 2 | # debug 3 | # default_sni yourhostnamehere 4 | } 5 | 6 | yourhostnamehere { 7 | root * /usr/local/www/nextcloud 8 | file_server 9 | log { 10 | output file /var/log/yourhostnamehere.log 11 | } 12 | 13 | php_fastcgi 127.0.0.1:9000 { 14 | env front_controller_active true 15 | } 16 | 17 | tls /usr/local/etc/pki/tls/certs/fullchain.pem /usr/local/etc/pki/tls/private/privkey.pem 18 | 19 | # client support (e.g. os x calendar / contacts) 20 | redir /.well-known/carddav /remote.php/dav/ 301 21 | redir /.well-known/caldav /remote.php/dav/ 301 22 | redir /.well-known/webfinger /index.php/.well-known/webfinger 301 23 | redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 24 | 25 | # Required for legacy 26 | @notlegacy { 27 | path *.php 28 | not path /index* 29 | not path /remote* 30 | not path /public* 31 | not path /cron* 32 | not path /core/ajax/update* 33 | not path /status* 34 | not path /ocs/v1* 35 | not path /ocs/v2* 36 | not path /updater/* 37 | not path /ocs-provider/* 38 | not path */richdocumentscode/proxy* 39 | } 40 | rewrite @notlegacy /index.php{uri} 41 | 42 | # .htaccess / data / config / ... shouldn't be accessible from outside 43 | @forbidden { 44 | path /.htaccess 45 | path /data/* 46 | path /config/* 47 | path /db_structure 48 | path /.xml 49 | path /README 50 | path /3rdparty/* 51 | path /lib/* 52 | path /templates/* 53 | path /occ 54 | path /console.php 55 | } 56 | 57 | respond @forbidden 404 58 | } 59 | -------------------------------------------------------------------------------- /includes/caddy: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # PROVIDE: caddy 4 | # REQUIRE: LOGIN DAEMON NETWORKING 5 | # KEYWORD: shutdown 6 | 7 | # To enable caddy, add 'caddy_enable="YES"' to /etc/rc.conf or 8 | # /etc/rc.conf.local 9 | 10 | # Optional settings: 11 | # caddy_config (string): Full path to caddy config file 12 | # (/usr/local/etc/caddy/Caddyfile) 13 | # caddy_adapter (string): Config adapter type (caddyfile) 14 | # caddy_directory (string): Root for caddy storage (ACME certs, etc.) 15 | # (/var/db/caddy) 16 | # caddy_extra_flags (string): Extra flags passed to caddy start 17 | # caddy_logdir (string): Where caddy logs are stored 18 | # (/var/log/caddy) 19 | # caddy_logfile (string): Location of process log (${caddy_logdir}/caddy.log) 20 | # This is for startup/shutdown/error messages. 21 | # To create an access log, see: 22 | # https://caddyserver.com/docs/caddyfile/directives/log 23 | # caddy_user (user): User to run caddy (root) 24 | # caddy_group (group): Group to run caddy (wheel) 25 | # 26 | # This script will honor XDG_CONFIG_HOME/XDG_DATA_HOME. Caddy will create a 27 | # .../caddy subdir in each of those. By default, they are subdirs of /var/db/caddy. 28 | # See https://caddyserver.com/docs/conventions#data-directory 29 | 30 | . /etc/rc.subr 31 | 32 | name=caddy 33 | rcvar=caddy_enable 34 | desc="Powerful, enterprise-ready, open source web server with automatic HTTPS written in Go" 35 | 36 | load_rc_config $name 37 | 38 | # Defaults 39 | : ${caddy_enable:=NO} 40 | : ${caddy_adapter:=caddyfile} 41 | : ${caddy_config:=/usr/local/etc/caddy/Caddyfile} 42 | : ${caddy_directory:=/var/db/caddy} 43 | : ${caddy_extra_flags:=""} 44 | : ${caddy_logdir:="/var/log/${name}"} 45 | : ${caddy_logfile:="${caddy_logdir}/${name}.log"} 46 | : ${caddy_user:="root"} 47 | : ${caddy_group:="wheel"} 48 | 49 | # Config and base directories 50 | : ${XDG_CONFIG_HOME:="${caddy_directory}/config"} 51 | : ${XDG_DATA_HOME:="${caddy_directory}/data"} 52 | export XDG_CONFIG_HOME XDG_DATA_HOME 53 | 54 | command="/usr/local/bin/${name}" 55 | caddy_flags="--config ${caddy_config} --adapter ${caddy_adapter}" 56 | pidfile="/var/run/${name}/${name}.pid" 57 | 58 | required_files="${caddy_config} ${command}" 59 | 60 | start_precmd="caddy_precmd" 61 | start_cmd="caddy_start" 62 | stop_cmd="caddy_stop" 63 | 64 | # Extra Commands 65 | extra_commands="configtest reload" 66 | configtest_cmd="caddy_command validate ${caddy_flags}" 67 | reload_cmd="caddy_command reload ${caddy_flags}" 68 | 69 | caddy_command() 70 | { 71 | /usr/bin/su -m "${caddy_user}" -c "${command} $*" 72 | } 73 | 74 | caddy_precmd() 75 | { 76 | # Create required directories and set permissions 77 | /usr/bin/install -d -m 755 -o "${caddy_user}" -g "${caddy_group}" ${caddy_directory} 78 | /usr/bin/install -d -m 700 -o "${caddy_user}" -g "${caddy_group}" ${caddy_directory}/config 79 | /usr/bin/install -d -m 700 -o "${caddy_user}" -g "${caddy_group}" ${caddy_directory}/data 80 | /usr/bin/install -d -m 755 -o "${caddy_user}" -g "${caddy_group}" ${caddy_logdir} 81 | /usr/bin/install -d -m 700 -o "${caddy_user}" -g "${caddy_group}" /var/run/caddy 82 | } 83 | 84 | caddy_start() 85 | { 86 | echo -n "Starting caddy... " 87 | /usr/bin/su -m ${caddy_user} -c "${command} start ${caddy_flags} \ 88 | ${caddy_extra_flags} --pidfile ${pidfile}" >> ${caddy_logfile} 2>&1 89 | if [ $? -eq 0 ] && ps -ax -o pid | grep -q "$(cat ${pidfile})"; then 90 | echo "done" 91 | echo "Log: ${caddy_logfile}" 92 | else 93 | echo "Error: Caddy failed to start" 94 | echo "Check the caddy log: ${caddy_logfile}" 95 | fi 96 | } 97 | 98 | caddy_stop() 99 | { 100 | echo -n "Stopping caddy... " 101 | if caddy_command stop; then 102 | echo "done" 103 | else 104 | echo "Error: Unable to stop caddy" 105 | echo "Check the caddy log: ${caddy_logfile}" 106 | fi 107 | } 108 | 109 | run_rc_command "$1" -------------------------------------------------------------------------------- /includes/my-system.cnf: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | innodb_file_per_table=1 3 | transaction_isolation = READ-COMMITTED 4 | binlog_format = ROW 5 | -------------------------------------------------------------------------------- /includes/my.cnf: -------------------------------------------------------------------------------- 1 | # MySQL client config file 2 | [client] 3 | password=mypassword 4 | -------------------------------------------------------------------------------- /includes/pgpass: -------------------------------------------------------------------------------- 1 | *:*:*:root:mypassword 2 | *:*:*:postgres:mypassword 3 | -------------------------------------------------------------------------------- /includes/php.ini: -------------------------------------------------------------------------------- 1 | [PHP] 2 | 3 | ;;;;;;;;;;;;;;;;;;; 4 | ; About this file ; 5 | ;;;;;;;;;;;;;;;;;;; 6 | ; This is a customized php.ini with settings appropriate for Nextcloud, 7 | ; installed by a script. It is left fairly verbose, but includes only those 8 | ; settings that are changed from defaults. For more details, see: 9 | ; https://github.com/danb35/freenas-iocage-nextcloud 10 | 11 | 12 | ;;;;;;;;;;;;;;;;;;;; 13 | ; Language Options ; 14 | ;;;;;;;;;;;;;;;;;;;; 15 | 16 | ; Enable the PHP scripting language engine under Apache. 17 | ; http://php.net/engine 18 | engine = On 19 | 20 | ; This directive determines whether or not PHP will recognize code between 21 | ; tags as PHP source which should be processed as such. It is 22 | ; generally recommended that should be used and that this feature 23 | ; should be disabled, as enabling it may result in issues when generating XML 24 | ; documents, however this remains supported for backward compatibility reasons. 25 | ; Note that this directive does not control the is special; if you include them here, the rewriter will 703 | ; add a hidden field with the info which is otherwise appended 704 | ; to URLs.
tag's action attribute URL will not be modified 705 | ; unless it is specified. 706 | ; Note that all valid entries require a "=", even if no value follows. 707 | ; Default Value: "a=href,area=href,frame=src,form=" 708 | ; Development Value: "a=href,area=href,frame=src,form=" 709 | ; Production Value: "a=href,area=href,frame=src,form=" 710 | ; http://php.net/url-rewriter.tags 711 | session.trans_sid_tags = "a=href,area=href,frame=src,form=" 712 | 713 | ; Define how many bits are stored in each character when converting 714 | ; the binary hash data to something readable. 715 | ; Possible values: 716 | ; 4 (4 bits: 0-9, a-f) 717 | ; 5 (5 bits: 0-9, a-v) 718 | ; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") 719 | ; Default Value: 4 720 | ; Development Value: 5 721 | ; Production Value: 5 722 | ; http://php.net/session.hash-bits-per-character 723 | session.sid_bits_per_character = 5 724 | 725 | [Assertion] 726 | ; Switch whether to compile assertions at all (to have no overhead at run-time) 727 | ; -1: Do not compile at all 728 | ; 0: Jump over assertion at run-time 729 | ; 1: Execute assertions 730 | ; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1) 731 | ; Default Value: 1 732 | ; Development Value: 1 733 | ; Production Value: -1 734 | ; http://php.net/zend.assertions 735 | zend.assertions = -1 736 | 737 | [Tidy] 738 | ; Should tidy clean and repair output automatically? 739 | ; WARNING: Do not use this option if you are generating non-html content 740 | ; such as dynamic images 741 | ; http://php.net/tidy.clean-output 742 | tidy.clean_output = Off 743 | 744 | [soap] 745 | ; Enables or disables WSDL caching feature. 746 | ; http://php.net/soap.wsdl-cache-enabled 747 | soap.wsdl_cache_enabled=1 748 | 749 | ; Sets the directory name where SOAP extension will put cache files. 750 | ; http://php.net/soap.wsdl-cache-dir 751 | soap.wsdl_cache_dir="/tmp" 752 | 753 | ; (time to live) Sets the number of second while cached file will be used 754 | ; instead of original one. 755 | ; http://php.net/soap.wsdl-cache-ttl 756 | soap.wsdl_cache_ttl=86400 757 | 758 | ; Sets the size of the cache limit. (Max. number of WSDL files to cache) 759 | soap.wsdl_cache_limit = 5 760 | 761 | [ldap] 762 | ; Sets the maximum number of open links or -1 for unlimited. 763 | ldap.max_links = -1 764 | 765 | [opcache] 766 | ; Determines if Zend OPCache is enabled 767 | opcache.enable=1 768 | 769 | ; Determines if Zend OPCache is enabled for the CLI version of PHP 770 | opcache.enable_cli=1 771 | 772 | ; The OPcache shared memory storage size. 773 | opcache.memory_consumption=128 774 | 775 | ; The amount of memory for interned strings in Mbytes. 776 | opcache.interned_strings_buffer=16 777 | 778 | ; The maximum number of keys (scripts) in the OPcache hash table. 779 | ; Only numbers between 200 and 1000000 are allowed. 780 | opcache.max_accelerated_files=10000 781 | 782 | ; How often (in seconds) to check file timestamps for changes to the shared 783 | ; memory storage allocation. ("1" means validate once per second, but only 784 | ; once per request. "0" means always validate) 785 | opcache.revalidate_freq=1 786 | 787 | ; If disabled, all PHPDoc comments are dropped from the code to reduce the 788 | ; size of the optimized code. 789 | opcache.save_comments=1 790 | 791 | -------------------------------------------------------------------------------- /includes/redis.conf: -------------------------------------------------------------------------------- 1 | # Redis configuration file example. 2 | # 3 | # Note that in order to read the configuration file, Redis must be 4 | # started with the file path as first argument: 5 | # 6 | # ./redis-server /path/to/redis.conf 7 | 8 | # Note on units: when memory size is needed, it is possible to specify 9 | # it in the usual form of 1k 5GB 4M and so forth: 10 | # 11 | # 1k => 1000 bytes 12 | # 1kb => 1024 bytes 13 | # 1m => 1000000 bytes 14 | # 1mb => 1024*1024 bytes 15 | # 1g => 1000000000 bytes 16 | # 1gb => 1024*1024*1024 bytes 17 | # 18 | # units are case insensitive so 1GB 1Gb 1gB are all the same. 19 | 20 | ################################## INCLUDES ################################### 21 | 22 | # Include one or more other config files here. This is useful if you 23 | # have a standard template that goes to all Redis servers but also need 24 | # to customize a few per-server settings. Include files can include 25 | # other files, so use this wisely. 26 | # 27 | # Notice option "include" won't be rewritten by command "CONFIG REWRITE" 28 | # from admin or Redis Sentinel. Since Redis always uses the last processed 29 | # line as value of a configuration directive, you'd better put includes 30 | # at the beginning of this file to avoid overwriting config change at runtime. 31 | # 32 | # If instead you are interested in using includes to override configuration 33 | # options, it is better to use include as the last line. 34 | # 35 | # include /path/to/local.conf 36 | # include /path/to/other.conf 37 | 38 | ################################## NETWORK ##################################### 39 | 40 | # By default, if no "bind" configuration directive is specified, Redis listens 41 | # for connections from all the network interfaces available on the server. 42 | # It is possible to listen to just one or multiple selected interfaces using 43 | # the "bind" configuration directive, followed by one or more IP addresses. 44 | # 45 | # Examples: 46 | # 47 | # bind 192.168.1.100 10.0.0.1 48 | # bind 127.0.0.1 ::1 49 | # 50 | # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the 51 | # internet, binding to all the interfaces is dangerous and will expose the 52 | # instance to everybody on the internet. So by default we uncomment the 53 | # following bind directive, that will force Redis to listen only into 54 | # the IPv4 lookback interface address (this means Redis will be able to 55 | # accept connections only from clients running into the same computer it 56 | # is running). 57 | # 58 | # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES 59 | # JUST COMMENT THE FOLLOWING LINE. 60 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 61 | bind 127.0.0.1 62 | 63 | # Protected mode is a layer of security protection, in order to avoid that 64 | # Redis instances left open on the internet are accessed and exploited. 65 | # 66 | # When protected mode is on and if: 67 | # 68 | # 1) The server is not binding explicitly to a set of addresses using the 69 | # "bind" directive. 70 | # 2) No password is configured. 71 | # 72 | # The server only accepts connections from clients connecting from the 73 | # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain 74 | # sockets. 75 | # 76 | # By default protected mode is enabled. You should disable it only if 77 | # you are sure you want clients from other hosts to connect to Redis 78 | # even if no authentication is configured, nor a specific set of interfaces 79 | # are explicitly listed using the "bind" directive. 80 | protected-mode yes 81 | 82 | # Accept connections on the specified port, default is 6379 (IANA #815344). 83 | # If port 0 is specified Redis will not listen on a TCP socket. 84 | port 0 85 | 86 | # TCP listen() backlog. 87 | # 88 | # In high requests-per-second environments you need an high backlog in order 89 | # to avoid slow clients connections issues. Note that the Linux kernel 90 | # will silently truncate it to the value of /proc/sys/net/core/somaxconn so 91 | # make sure to raise both the value of somaxconn and tcp_max_syn_backlog 92 | # in order to get the desired effect. 93 | tcp-backlog 511 94 | 95 | # Unix socket. 96 | # 97 | # Specify the path for the Unix socket that will be used to listen for 98 | # incoming connections. There is no default, so Redis will not listen 99 | # on a unix socket when not specified. 100 | # 101 | unixsocket /var/run/redis/redis.sock 102 | unixsocketperm 770 103 | 104 | # Close the connection after a client is idle for N seconds (0 to disable) 105 | timeout 0 106 | 107 | # TCP keepalive. 108 | # 109 | # If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence 110 | # of communication. This is useful for two reasons: 111 | # 112 | # 1) Detect dead peers. 113 | # 2) Take the connection alive from the point of view of network 114 | # equipment in the middle. 115 | # 116 | # On Linux, the specified value (in seconds) is the period used to send ACKs. 117 | # Note that to close the connection the double of the time is needed. 118 | # On other kernels the period depends on the kernel configuration. 119 | # 120 | # A reasonable value for this option is 300 seconds, which is the new 121 | # Redis default starting with Redis 3.2.1. 122 | tcp-keepalive 300 123 | 124 | ################################# GENERAL ##################################### 125 | 126 | # By default Redis does not run as a daemon. Use 'yes' if you need it. 127 | # Note that Redis will write a pid file in /var/run/redis.pid when daemonized. 128 | daemonize yes 129 | 130 | # If you run Redis from upstart or systemd, Redis can interact with your 131 | # supervision tree. Options: 132 | # supervised no - no supervision interaction 133 | # supervised upstart - signal upstart by putting Redis into SIGSTOP mode 134 | # supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET 135 | # supervised auto - detect upstart or systemd method based on 136 | # UPSTART_JOB or NOTIFY_SOCKET environment variables 137 | # Note: these supervision methods only signal "process is ready." 138 | # They do not enable continuous liveness pings back to your supervisor. 139 | supervised no 140 | 141 | # If a pid file is specified, Redis writes it where specified at startup 142 | # and removes it at exit. 143 | # 144 | # When the server runs non daemonized, no pid file is created if none is 145 | # specified in the configuration. When the server is daemonized, the pid file 146 | # is used even if not specified, defaulting to "/var/run/redis.pid". 147 | # 148 | # Creating a pid file is best effort: if Redis is not able to create it 149 | # nothing bad happens, the server will start and run normally. 150 | pidfile /var/run/redis/redis.pid 151 | 152 | # Specify the server verbosity level. 153 | # This can be one of: 154 | # debug (a lot of information, useful for development/testing) 155 | # verbose (many rarely useful info, but not a mess like the debug level) 156 | # notice (moderately verbose, what you want in production probably) 157 | # warning (only very important / critical messages are logged) 158 | loglevel notice 159 | 160 | # Specify the log file name. Also the empty string can be used to force 161 | # Redis to log on the standard output. Note that if you use standard 162 | # output for logging but daemonize, logs will be sent to /dev/null 163 | logfile /var/log/redis/redis.log 164 | 165 | # To enable logging to the system logger, just set 'syslog-enabled' to yes, 166 | # and optionally update the other syslog parameters to suit your needs. 167 | # syslog-enabled no 168 | 169 | # Specify the syslog identity. 170 | # syslog-ident redis 171 | 172 | # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. 173 | # syslog-facility local0 174 | 175 | # Set the number of databases. The default database is DB 0, you can select 176 | # a different one on a per-connection basis using SELECT where 177 | # dbid is a number between 0 and 'databases'-1 178 | databases 16 179 | 180 | ################################ SNAPSHOTTING ################################ 181 | # 182 | # Save the DB on disk: 183 | # 184 | # save 185 | # 186 | # Will save the DB if both the given number of seconds and the given 187 | # number of write operations against the DB occurred. 188 | # 189 | # In the example below the behaviour will be to save: 190 | # after 900 sec (15 min) if at least 1 key changed 191 | # after 300 sec (5 min) if at least 10 keys changed 192 | # after 60 sec if at least 10000 keys changed 193 | # 194 | # Note: you can disable saving completely by commenting out all "save" lines. 195 | # 196 | # It is also possible to remove all the previously configured save 197 | # points by adding a save directive with a single empty string argument 198 | # like in the following example: 199 | # 200 | # save "" 201 | 202 | save 900 1 203 | save 300 10 204 | save 60 10000 205 | 206 | # By default Redis will stop accepting writes if RDB snapshots are enabled 207 | # (at least one save point) and the latest background save failed. 208 | # This will make the user aware (in a hard way) that data is not persisting 209 | # on disk properly, otherwise chances are that no one will notice and some 210 | # disaster will happen. 211 | # 212 | # If the background saving process will start working again Redis will 213 | # automatically allow writes again. 214 | # 215 | # However if you have setup your proper monitoring of the Redis server 216 | # and persistence, you may want to disable this feature so that Redis will 217 | # continue to work as usual even if there are problems with disk, 218 | # permissions, and so forth. 219 | stop-writes-on-bgsave-error yes 220 | 221 | # Compress string objects using LZF when dump .rdb databases? 222 | # For default that's set to 'yes' as it's almost always a win. 223 | # If you want to save some CPU in the saving child set it to 'no' but 224 | # the dataset will likely be bigger if you have compressible values or keys. 225 | rdbcompression yes 226 | 227 | # Since version 5 of RDB a CRC64 checksum is placed at the end of the file. 228 | # This makes the format more resistant to corruption but there is a performance 229 | # hit to pay (around 10%) when saving and loading RDB files, so you can disable it 230 | # for maximum performances. 231 | # 232 | # RDB files created with checksum disabled have a checksum of zero that will 233 | # tell the loading code to skip the check. 234 | rdbchecksum yes 235 | 236 | # The filename where to dump the DB 237 | dbfilename dump.rdb 238 | 239 | # The working directory. 240 | # 241 | # The DB will be written inside this directory, with the filename specified 242 | # above using the 'dbfilename' configuration directive. 243 | # 244 | # The Append Only File will also be created inside this directory. 245 | # 246 | # Note that you must specify a directory here, not a file name. 247 | dir /var/db/redis/ 248 | 249 | ################################# REPLICATION ################################# 250 | 251 | # Master-Slave replication. Use slaveof to make a Redis instance a copy of 252 | # another Redis server. A few things to understand ASAP about Redis replication. 253 | # 254 | # 1) Redis replication is asynchronous, but you can configure a master to 255 | # stop accepting writes if it appears to be not connected with at least 256 | # a given number of slaves. 257 | # 2) Redis slaves are able to perform a partial resynchronization with the 258 | # master if the replication link is lost for a relatively small amount of 259 | # time. You may want to configure the replication backlog size (see the next 260 | # sections of this file) with a sensible value depending on your needs. 261 | # 3) Replication is automatic and does not need user intervention. After a 262 | # network partition slaves automatically try to reconnect to masters 263 | # and resynchronize with them. 264 | # 265 | # slaveof 266 | 267 | # If the master is password protected (using the "requirepass" configuration 268 | # directive below) it is possible to tell the slave to authenticate before 269 | # starting the replication synchronization process, otherwise the master will 270 | # refuse the slave request. 271 | # 272 | # masterauth 273 | 274 | # When a slave loses its connection with the master, or when the replication 275 | # is still in progress, the slave can act in two different ways: 276 | # 277 | # 1) if slave-serve-stale-data is set to 'yes' (the default) the slave will 278 | # still reply to client requests, possibly with out of date data, or the 279 | # data set may just be empty if this is the first synchronization. 280 | # 281 | # 2) if slave-serve-stale-data is set to 'no' the slave will reply with 282 | # an error "SYNC with master in progress" to all the kind of commands 283 | # but to INFO and SLAVEOF. 284 | # 285 | slave-serve-stale-data yes 286 | 287 | # You can configure a slave instance to accept writes or not. Writing against 288 | # a slave instance may be useful to store some ephemeral data (because data 289 | # written on a slave will be easily deleted after resync with the master) but 290 | # may also cause problems if clients are writing to it because of a 291 | # misconfiguration. 292 | # 293 | # Since Redis 2.6 by default slaves are read-only. 294 | # 295 | # Note: read only slaves are not designed to be exposed to untrusted clients 296 | # on the internet. It's just a protection layer against misuse of the instance. 297 | # Still a read only slave exports by default all the administrative commands 298 | # such as CONFIG, DEBUG, and so forth. To a limited extent you can improve 299 | # security of read only slaves using 'rename-command' to shadow all the 300 | # administrative / dangerous commands. 301 | slave-read-only yes 302 | 303 | # Replication SYNC strategy: disk or socket. 304 | # 305 | # ------------------------------------------------------- 306 | # WARNING: DISKLESS REPLICATION IS EXPERIMENTAL CURRENTLY 307 | # ------------------------------------------------------- 308 | # 309 | # New slaves and reconnecting slaves that are not able to continue the replication 310 | # process just receiving differences, need to do what is called a "full 311 | # synchronization". An RDB file is transmitted from the master to the slaves. 312 | # The transmission can happen in two different ways: 313 | # 314 | # 1) Disk-backed: The Redis master creates a new process that writes the RDB 315 | # file on disk. Later the file is transferred by the parent 316 | # process to the slaves incrementally. 317 | # 2) Diskless: The Redis master creates a new process that directly writes the 318 | # RDB file to slave sockets, without touching the disk at all. 319 | # 320 | # With disk-backed replication, while the RDB file is generated, more slaves 321 | # can be queued and served with the RDB file as soon as the current child producing 322 | # the RDB file finishes its work. With diskless replication instead once 323 | # the transfer starts, new slaves arriving will be queued and a new transfer 324 | # will start when the current one terminates. 325 | # 326 | # When diskless replication is used, the master waits a configurable amount of 327 | # time (in seconds) before starting the transfer in the hope that multiple slaves 328 | # will arrive and the transfer can be parallelized. 329 | # 330 | # With slow disks and fast (large bandwidth) networks, diskless replication 331 | # works better. 332 | repl-diskless-sync no 333 | 334 | # When diskless replication is enabled, it is possible to configure the delay 335 | # the server waits in order to spawn the child that transfers the RDB via socket 336 | # to the slaves. 337 | # 338 | # This is important since once the transfer starts, it is not possible to serve 339 | # new slaves arriving, that will be queued for the next RDB transfer, so the server 340 | # waits a delay in order to let more slaves arrive. 341 | # 342 | # The delay is specified in seconds, and by default is 5 seconds. To disable 343 | # it entirely just set it to 0 seconds and the transfer will start ASAP. 344 | repl-diskless-sync-delay 5 345 | 346 | # Slaves send PINGs to server in a predefined interval. It's possible to change 347 | # this interval with the repl_ping_slave_period option. The default value is 10 348 | # seconds. 349 | # 350 | # repl-ping-slave-period 10 351 | 352 | # The following option sets the replication timeout for: 353 | # 354 | # 1) Bulk transfer I/O during SYNC, from the point of view of slave. 355 | # 2) Master timeout from the point of view of slaves (data, pings). 356 | # 3) Slave timeout from the point of view of masters (REPLCONF ACK pings). 357 | # 358 | # It is important to make sure that this value is greater than the value 359 | # specified for repl-ping-slave-period otherwise a timeout will be detected 360 | # every time there is low traffic between the master and the slave. 361 | # 362 | # repl-timeout 60 363 | 364 | # Disable TCP_NODELAY on the slave socket after SYNC? 365 | # 366 | # If you select "yes" Redis will use a smaller number of TCP packets and 367 | # less bandwidth to send data to slaves. But this can add a delay for 368 | # the data to appear on the slave side, up to 40 milliseconds with 369 | # Linux kernels using a default configuration. 370 | # 371 | # If you select "no" the delay for data to appear on the slave side will 372 | # be reduced but more bandwidth will be used for replication. 373 | # 374 | # By default we optimize for low latency, but in very high traffic conditions 375 | # or when the master and slaves are many hops away, turning this to "yes" may 376 | # be a good idea. 377 | repl-disable-tcp-nodelay no 378 | 379 | # Set the replication backlog size. The backlog is a buffer that accumulates 380 | # slave data when slaves are disconnected for some time, so that when a slave 381 | # wants to reconnect again, often a full resync is not needed, but a partial 382 | # resync is enough, just passing the portion of data the slave missed while 383 | # disconnected. 384 | # 385 | # The bigger the replication backlog, the longer the time the slave can be 386 | # disconnected and later be able to perform a partial resynchronization. 387 | # 388 | # The backlog is only allocated once there is at least a slave connected. 389 | # 390 | # repl-backlog-size 1mb 391 | 392 | # After a master has no longer connected slaves for some time, the backlog 393 | # will be freed. The following option configures the amount of seconds that 394 | # need to elapse, starting from the time the last slave disconnected, for 395 | # the backlog buffer to be freed. 396 | # 397 | # A value of 0 means to never release the backlog. 398 | # 399 | # repl-backlog-ttl 3600 400 | 401 | # The slave priority is an integer number published by Redis in the INFO output. 402 | # It is used by Redis Sentinel in order to select a slave to promote into a 403 | # master if the master is no longer working correctly. 404 | # 405 | # A slave with a low priority number is considered better for promotion, so 406 | # for instance if there are three slaves with priority 10, 100, 25 Sentinel will 407 | # pick the one with priority 10, that is the lowest. 408 | # 409 | # However a special priority of 0 marks the slave as not able to perform the 410 | # role of master, so a slave with priority of 0 will never be selected by 411 | # Redis Sentinel for promotion. 412 | # 413 | # By default the priority is 100. 414 | slave-priority 100 415 | 416 | # It is possible for a master to stop accepting writes if there are less than 417 | # N slaves connected, having a lag less or equal than M seconds. 418 | # 419 | # The N slaves need to be in "online" state. 420 | # 421 | # The lag in seconds, that must be <= the specified value, is calculated from 422 | # the last ping received from the slave, that is usually sent every second. 423 | # 424 | # This option does not GUARANTEE that N replicas will accept the write, but 425 | # will limit the window of exposure for lost writes in case not enough slaves 426 | # are available, to the specified number of seconds. 427 | # 428 | # For example to require at least 3 slaves with a lag <= 10 seconds use: 429 | # 430 | # min-slaves-to-write 3 431 | # min-slaves-max-lag 10 432 | # 433 | # Setting one or the other to 0 disables the feature. 434 | # 435 | # By default min-slaves-to-write is set to 0 (feature disabled) and 436 | # min-slaves-max-lag is set to 10. 437 | 438 | # A Redis master is able to list the address and port of the attached 439 | # slaves in different ways. For example the "INFO replication" section 440 | # offers this information, which is used, among other tools, by 441 | # Redis Sentinel in order to discover slave instances. 442 | # Another place where this info is available is in the output of the 443 | # "ROLE" command of a masteer. 444 | # 445 | # The listed IP and address normally reported by a slave is obtained 446 | # in the following way: 447 | # 448 | # IP: The address is auto detected by checking the peer address 449 | # of the socket used by the slave to connect with the master. 450 | # 451 | # Port: The port is communicated by the slave during the replication 452 | # handshake, and is normally the port that the slave is using to 453 | # list for connections. 454 | # 455 | # However when port forwarding or Network Address Translation (NAT) is 456 | # used, the slave may be actually reachable via different IP and port 457 | # pairs. The following two options can be used by a slave in order to 458 | # report to its master a specific set of IP and port, so that both INFO 459 | # and ROLE will report those values. 460 | # 461 | # There is no need to use both the options if you need to override just 462 | # the port or the IP address. 463 | # 464 | # slave-announce-ip 5.5.5.5 465 | # slave-announce-port 1234 466 | 467 | ################################## SECURITY ################################### 468 | 469 | # Require clients to issue AUTH before processing any other 470 | # commands. This might be useful in environments in which you do not trust 471 | # others with access to the host running redis-server. 472 | # 473 | # This should stay commented out for backward compatibility and because most 474 | # people do not need auth (e.g. they run their own servers). 475 | # 476 | # Warning: since Redis is pretty fast an outside user can try up to 477 | # 150k passwords per second against a good box. This means that you should 478 | # use a very strong password otherwise it will be very easy to break. 479 | # 480 | # requirepass foobared 481 | 482 | # Command renaming. 483 | # 484 | # It is possible to change the name of dangerous commands in a shared 485 | # environment. For instance the CONFIG command may be renamed into something 486 | # hard to guess so that it will still be available for internal-use tools 487 | # but not available for general clients. 488 | # 489 | # Example: 490 | # 491 | # rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 492 | # 493 | # It is also possible to completely kill a command by renaming it into 494 | # an empty string: 495 | # 496 | # rename-command CONFIG "" 497 | # 498 | # Please note that changing the name of commands that are logged into the 499 | # AOF file or transmitted to slaves may cause problems. 500 | 501 | ################################### LIMITS #################################### 502 | 503 | # Set the max number of connected clients at the same time. By default 504 | # this limit is set to 10000 clients, however if the Redis server is not 505 | # able to configure the process file limit to allow for the specified limit 506 | # the max number of allowed clients is set to the current file limit 507 | # minus 32 (as Redis reserves a few file descriptors for internal uses). 508 | # 509 | # Once the limit is reached Redis will close all the new connections sending 510 | # an error 'max number of clients reached'. 511 | # 512 | # maxclients 10000 513 | 514 | # Don't use more memory than the specified amount of bytes. 515 | # When the memory limit is reached Redis will try to remove keys 516 | # according to the eviction policy selected (see maxmemory-policy). 517 | # 518 | # If Redis can't remove keys according to the policy, or if the policy is 519 | # set to 'noeviction', Redis will start to reply with errors to commands 520 | # that would use more memory, like SET, LPUSH, and so on, and will continue 521 | # to reply to read-only commands like GET. 522 | # 523 | # This option is usually useful when using Redis as an LRU cache, or to set 524 | # a hard memory limit for an instance (using the 'noeviction' policy). 525 | # 526 | # WARNING: If you have slaves attached to an instance with maxmemory on, 527 | # the size of the output buffers needed to feed the slaves are subtracted 528 | # from the used memory count, so that network problems / resyncs will 529 | # not trigger a loop where keys are evicted, and in turn the output 530 | # buffer of slaves is full with DELs of keys evicted triggering the deletion 531 | # of more keys, and so forth until the database is completely emptied. 532 | # 533 | # In short... if you have slaves attached it is suggested that you set a lower 534 | # limit for maxmemory so that there is some free RAM on the system for slave 535 | # output buffers (but this is not needed if the policy is 'noeviction'). 536 | # 537 | # maxmemory 538 | 539 | # MAXMEMORY POLICY: how Redis will select what to remove when maxmemory 540 | # is reached. You can select among five behaviors: 541 | # 542 | # volatile-lru -> remove the key with an expire set using an LRU algorithm 543 | # allkeys-lru -> remove any key according to the LRU algorithm 544 | # volatile-random -> remove a random key with an expire set 545 | # allkeys-random -> remove a random key, any key 546 | # volatile-ttl -> remove the key with the nearest expire time (minor TTL) 547 | # noeviction -> don't expire at all, just return an error on write operations 548 | # 549 | # Note: with any of the above policies, Redis will return an error on write 550 | # operations, when there are no suitable keys for eviction. 551 | # 552 | # At the date of writing these commands are: set setnx setex append 553 | # incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd 554 | # sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby 555 | # zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby 556 | # getset mset msetnx exec sort 557 | # 558 | # The default is: 559 | # 560 | # maxmemory-policy noeviction 561 | 562 | # LRU and minimal TTL algorithms are not precise algorithms but approximated 563 | # algorithms (in order to save memory), so you can tune it for speed or 564 | # accuracy. For default Redis will check five keys and pick the one that was 565 | # used less recently, you can change the sample size using the following 566 | # configuration directive. 567 | # 568 | # The default of 5 produces good enough results. 10 Approximates very closely 569 | # true LRU but costs a bit more CPU. 3 is very fast but not very accurate. 570 | # 571 | # maxmemory-samples 5 572 | 573 | ############################## APPEND ONLY MODE ############################### 574 | 575 | # By default Redis asynchronously dumps the dataset on disk. This mode is 576 | # good enough in many applications, but an issue with the Redis process or 577 | # a power outage may result into a few minutes of writes lost (depending on 578 | # the configured save points). 579 | # 580 | # The Append Only File is an alternative persistence mode that provides 581 | # much better durability. For instance using the default data fsync policy 582 | # (see later in the config file) Redis can lose just one second of writes in a 583 | # dramatic event like a server power outage, or a single write if something 584 | # wrong with the Redis process itself happens, but the operating system is 585 | # still running correctly. 586 | # 587 | # AOF and RDB persistence can be enabled at the same time without problems. 588 | # If the AOF is enabled on startup Redis will load the AOF, that is the file 589 | # with the better durability guarantees. 590 | # 591 | # Please check http://redis.io/topics/persistence for more information. 592 | 593 | appendonly no 594 | 595 | # The name of the append only file (default: "appendonly.aof") 596 | 597 | appendfilename "appendonly.aof" 598 | 599 | # The fsync() call tells the Operating System to actually write data on disk 600 | # instead of waiting for more data in the output buffer. Some OS will really flush 601 | # data on disk, some other OS will just try to do it ASAP. 602 | # 603 | # Redis supports three different modes: 604 | # 605 | # no: don't fsync, just let the OS flush the data when it wants. Faster. 606 | # always: fsync after every write to the append only log. Slow, Safest. 607 | # everysec: fsync only one time every second. Compromise. 608 | # 609 | # The default is "everysec", as that's usually the right compromise between 610 | # speed and data safety. It's up to you to understand if you can relax this to 611 | # "no" that will let the operating system flush the output buffer when 612 | # it wants, for better performances (but if you can live with the idea of 613 | # some data loss consider the default persistence mode that's snapshotting), 614 | # or on the contrary, use "always" that's very slow but a bit safer than 615 | # everysec. 616 | # 617 | # More details please check the following article: 618 | # http://antirez.com/post/redis-persistence-demystified.html 619 | # 620 | # If unsure, use "everysec". 621 | 622 | # appendfsync always 623 | appendfsync everysec 624 | # appendfsync no 625 | 626 | # When the AOF fsync policy is set to always or everysec, and a background 627 | # saving process (a background save or AOF log background rewriting) is 628 | # performing a lot of I/O against the disk, in some Linux configurations 629 | # Redis may block too long on the fsync() call. Note that there is no fix for 630 | # this currently, as even performing fsync in a different thread will block 631 | # our synchronous write(2) call. 632 | # 633 | # In order to mitigate this problem it's possible to use the following option 634 | # that will prevent fsync() from being called in the main process while a 635 | # BGSAVE or BGREWRITEAOF is in progress. 636 | # 637 | # This means that while another child is saving, the durability of Redis is 638 | # the same as "appendfsync none". In practical terms, this means that it is 639 | # possible to lose up to 30 seconds of log in the worst scenario (with the 640 | # default Linux settings). 641 | # 642 | # If you have latency problems turn this to "yes". Otherwise leave it as 643 | # "no" that is the safest pick from the point of view of durability. 644 | 645 | no-appendfsync-on-rewrite no 646 | 647 | # Automatic rewrite of the append only file. 648 | # Redis is able to automatically rewrite the log file implicitly calling 649 | # BGREWRITEAOF when the AOF log size grows by the specified percentage. 650 | # 651 | # This is how it works: Redis remembers the size of the AOF file after the 652 | # latest rewrite (if no rewrite has happened since the restart, the size of 653 | # the AOF at startup is used). 654 | # 655 | # This base size is compared to the current size. If the current size is 656 | # bigger than the specified percentage, the rewrite is triggered. Also 657 | # you need to specify a minimal size for the AOF file to be rewritten, this 658 | # is useful to avoid rewriting the AOF file even if the percentage increase 659 | # is reached but it is still pretty small. 660 | # 661 | # Specify a percentage of zero in order to disable the automatic AOF 662 | # rewrite feature. 663 | 664 | auto-aof-rewrite-percentage 100 665 | auto-aof-rewrite-min-size 64mb 666 | 667 | # An AOF file may be found to be truncated at the end during the Redis 668 | # startup process, when the AOF data gets loaded back into memory. 669 | # This may happen when the system where Redis is running 670 | # crashes, especially when an ext4 filesystem is mounted without the 671 | # data=ordered option (however this can't happen when Redis itself 672 | # crashes or aborts but the operating system still works correctly). 673 | # 674 | # Redis can either exit with an error when this happens, or load as much 675 | # data as possible (the default now) and start if the AOF file is found 676 | # to be truncated at the end. The following option controls this behavior. 677 | # 678 | # If aof-load-truncated is set to yes, a truncated AOF file is loaded and 679 | # the Redis server starts emitting a log to inform the user of the event. 680 | # Otherwise if the option is set to no, the server aborts with an error 681 | # and refuses to start. When the option is set to no, the user requires 682 | # to fix the AOF file using the "redis-check-aof" utility before to restart 683 | # the server. 684 | # 685 | # Note that if the AOF file will be found to be corrupted in the middle 686 | # the server will still exit with an error. This option only applies when 687 | # Redis will try to read more data from the AOF file but not enough bytes 688 | # will be found. 689 | aof-load-truncated yes 690 | 691 | ################################ LUA SCRIPTING ############################### 692 | 693 | # Max execution time of a Lua script in milliseconds. 694 | # 695 | # If the maximum execution time is reached Redis will log that a script is 696 | # still in execution after the maximum allowed time and will start to 697 | # reply to queries with an error. 698 | # 699 | # When a long running script exceeds the maximum execution time only the 700 | # SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be 701 | # used to stop a script that did not yet called write commands. The second 702 | # is the only way to shut down the server in the case a write command was 703 | # already issued by the script but the user doesn't want to wait for the natural 704 | # termination of the script. 705 | # 706 | # Set it to 0 or a negative value for unlimited execution without warnings. 707 | lua-time-limit 5000 708 | 709 | ################################ REDIS CLUSTER ############################### 710 | # 711 | # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 712 | # WARNING EXPERIMENTAL: Redis Cluster is considered to be stable code, however 713 | # in order to mark it as "mature" we need to wait for a non trivial percentage 714 | # of users to deploy it in production. 715 | # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 716 | # 717 | # Normal Redis instances can't be part of a Redis Cluster; only nodes that are 718 | # started as cluster nodes can. In order to start a Redis instance as a 719 | # cluster node enable the cluster support uncommenting the following: 720 | # 721 | # cluster-enabled yes 722 | 723 | # Every cluster node has a cluster configuration file. This file is not 724 | # intended to be edited by hand. It is created and updated by Redis nodes. 725 | # Every Redis Cluster node requires a different cluster configuration file. 726 | # Make sure that instances running in the same system do not have 727 | # overlapping cluster configuration file names. 728 | # 729 | # cluster-config-file nodes-6379.conf 730 | 731 | # Cluster node timeout is the amount of milliseconds a node must be unreachable 732 | # for it to be considered in failure state. 733 | # Most other internal time limits are multiple of the node timeout. 734 | # 735 | # cluster-node-timeout 15000 736 | 737 | # A slave of a failing master will avoid to start a failover if its data 738 | # looks too old. 739 | # 740 | # There is no simple way for a slave to actually have a exact measure of 741 | # its "data age", so the following two checks are performed: 742 | # 743 | # 1) If there are multiple slaves able to failover, they exchange messages 744 | # in order to try to give an advantage to the slave with the best 745 | # replication offset (more data from the master processed). 746 | # Slaves will try to get their rank by offset, and apply to the start 747 | # of the failover a delay proportional to their rank. 748 | # 749 | # 2) Every single slave computes the time of the last interaction with 750 | # its master. This can be the last ping or command received (if the master 751 | # is still in the "connected" state), or the time that elapsed since the 752 | # disconnection with the master (if the replication link is currently down). 753 | # If the last interaction is too old, the slave will not try to failover 754 | # at all. 755 | # 756 | # The point "2" can be tuned by user. Specifically a slave will not perform 757 | # the failover if, since the last interaction with the master, the time 758 | # elapsed is greater than: 759 | # 760 | # (node-timeout * slave-validity-factor) + repl-ping-slave-period 761 | # 762 | # So for example if node-timeout is 30 seconds, and the slave-validity-factor 763 | # is 10, and assuming a default repl-ping-slave-period of 10 seconds, the 764 | # slave will not try to failover if it was not able to talk with the master 765 | # for longer than 310 seconds. 766 | # 767 | # A large slave-validity-factor may allow slaves with too old data to failover 768 | # a master, while a too small value may prevent the cluster from being able to 769 | # elect a slave at all. 770 | # 771 | # For maximum availability, it is possible to set the slave-validity-factor 772 | # to a value of 0, which means, that slaves will always try to failover the 773 | # master regardless of the last time they interacted with the master. 774 | # (However they'll always try to apply a delay proportional to their 775 | # offset rank). 776 | # 777 | # Zero is the only value able to guarantee that when all the partitions heal 778 | # the cluster will always be able to continue. 779 | # 780 | # cluster-slave-validity-factor 10 781 | 782 | # Cluster slaves are able to migrate to orphaned masters, that are masters 783 | # that are left without working slaves. This improves the cluster ability 784 | # to resist to failures as otherwise an orphaned master can't be failed over 785 | # in case of failure if it has no working slaves. 786 | # 787 | # Slaves migrate to orphaned masters only if there are still at least a 788 | # given number of other working slaves for their old master. This number 789 | # is the "migration barrier". A migration barrier of 1 means that a slave 790 | # will migrate only if there is at least 1 other working slave for its master 791 | # and so forth. It usually reflects the number of slaves you want for every 792 | # master in your cluster. 793 | # 794 | # Default is 1 (slaves migrate only if their masters remain with at least 795 | # one slave). To disable migration just set it to a very large value. 796 | # A value of 0 can be set but is useful only for debugging and dangerous 797 | # in production. 798 | # 799 | # cluster-migration-barrier 1 800 | 801 | # By default Redis Cluster nodes stop accepting queries if they detect there 802 | # is at least an hash slot uncovered (no available node is serving it). 803 | # This way if the cluster is partially down (for example a range of hash slots 804 | # are no longer covered) all the cluster becomes, eventually, unavailable. 805 | # It automatically returns available as soon as all the slots are covered again. 806 | # 807 | # However sometimes you want the subset of the cluster which is working, 808 | # to continue to accept queries for the part of the key space that is still 809 | # covered. In order to do so, just set the cluster-require-full-coverage 810 | # option to no. 811 | # 812 | # cluster-require-full-coverage yes 813 | 814 | # In order to setup your cluster make sure to read the documentation 815 | # available at http://redis.io web site. 816 | 817 | ################################## SLOW LOG ################################### 818 | 819 | # The Redis Slow Log is a system to log queries that exceeded a specified 820 | # execution time. The execution time does not include the I/O operations 821 | # like talking with the client, sending the reply and so forth, 822 | # but just the time needed to actually execute the command (this is the only 823 | # stage of command execution where the thread is blocked and can not serve 824 | # other requests in the meantime). 825 | # 826 | # You can configure the slow log with two parameters: one tells Redis 827 | # what is the execution time, in microseconds, to exceed in order for the 828 | # command to get logged, and the other parameter is the length of the 829 | # slow log. When a new command is logged the oldest one is removed from the 830 | # queue of logged commands. 831 | 832 | # The following time is expressed in microseconds, so 1000000 is equivalent 833 | # to one second. Note that a negative number disables the slow log, while 834 | # a value of zero forces the logging of every command. 835 | slowlog-log-slower-than 10000 836 | 837 | # There is no limit to this length. Just be aware that it will consume memory. 838 | # You can reclaim memory used by the slow log with SLOWLOG RESET. 839 | slowlog-max-len 128 840 | 841 | ################################ LATENCY MONITOR ############################## 842 | 843 | # The Redis latency monitoring subsystem samples different operations 844 | # at runtime in order to collect data related to possible sources of 845 | # latency of a Redis instance. 846 | # 847 | # Via the LATENCY command this information is available to the user that can 848 | # print graphs and obtain reports. 849 | # 850 | # The system only logs operations that were performed in a time equal or 851 | # greater than the amount of milliseconds specified via the 852 | # latency-monitor-threshold configuration directive. When its value is set 853 | # to zero, the latency monitor is turned off. 854 | # 855 | # By default latency monitoring is disabled since it is mostly not needed 856 | # if you don't have latency issues, and collecting data has a performance 857 | # impact, that while very small, can be measured under big load. Latency 858 | # monitoring can easily be enabled at runtime using the command 859 | # "CONFIG SET latency-monitor-threshold " if needed. 860 | latency-monitor-threshold 0 861 | 862 | ############################# EVENT NOTIFICATION ############################## 863 | 864 | # Redis can notify Pub/Sub clients about events happening in the key space. 865 | # This feature is documented at http://redis.io/topics/notifications 866 | # 867 | # For instance if keyspace events notification is enabled, and a client 868 | # performs a DEL operation on key "foo" stored in the Database 0, two 869 | # messages will be published via Pub/Sub: 870 | # 871 | # PUBLISH __keyspace@0__:foo del 872 | # PUBLISH __keyevent@0__:del foo 873 | # 874 | # It is possible to select the events that Redis will notify among a set 875 | # of classes. Every class is identified by a single character: 876 | # 877 | # K Keyspace events, published with __keyspace@__ prefix. 878 | # E Keyevent events, published with __keyevent@__ prefix. 879 | # g Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ... 880 | # $ String commands 881 | # l List commands 882 | # s Set commands 883 | # h Hash commands 884 | # z Sorted set commands 885 | # x Expired events (events generated every time a key expires) 886 | # e Evicted events (events generated when a key is evicted for maxmemory) 887 | # A Alias for g$lshzxe, so that the "AKE" string means all the events. 888 | # 889 | # The "notify-keyspace-events" takes as argument a string that is composed 890 | # of zero or multiple characters. The empty string means that notifications 891 | # are disabled. 892 | # 893 | # Example: to enable list and generic events, from the point of view of the 894 | # event name, use: 895 | # 896 | # notify-keyspace-events Elg 897 | # 898 | # Example 2: to get the stream of the expired keys subscribing to channel 899 | # name __keyevent@0__:expired use: 900 | # 901 | # notify-keyspace-events Ex 902 | # 903 | # By default all notifications are disabled because most users don't need 904 | # this feature and the feature has some overhead. Note that if you don't 905 | # specify at least one of K or E, no events will be delivered. 906 | notify-keyspace-events "" 907 | 908 | ############################### ADVANCED CONFIG ############################### 909 | 910 | # Hashes are encoded using a memory efficient data structure when they have a 911 | # small number of entries, and the biggest entry does not exceed a given 912 | # threshold. These thresholds can be configured using the following directives. 913 | hash-max-ziplist-entries 512 914 | hash-max-ziplist-value 64 915 | 916 | # Lists are also encoded in a special way to save a lot of space. 917 | # The number of entries allowed per internal list node can be specified 918 | # as a fixed maximum size or a maximum number of elements. 919 | # For a fixed maximum size, use -5 through -1, meaning: 920 | # -5: max size: 64 Kb <-- not recommended for normal workloads 921 | # -4: max size: 32 Kb <-- not recommended 922 | # -3: max size: 16 Kb <-- probably not recommended 923 | # -2: max size: 8 Kb <-- good 924 | # -1: max size: 4 Kb <-- good 925 | # Positive numbers mean store up to _exactly_ that number of elements 926 | # per list node. 927 | # The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), 928 | # but if your use case is unique, adjust the settings as necessary. 929 | list-max-ziplist-size -2 930 | 931 | # Lists may also be compressed. 932 | # Compress depth is the number of quicklist ziplist nodes from *each* side of 933 | # the list to *exclude* from compression. The head and tail of the list 934 | # are always uncompressed for fast push/pop operations. Settings are: 935 | # 0: disable all list compression 936 | # 1: depth 1 means "don't start compressing until after 1 node into the list, 937 | # going from either the head or tail" 938 | # So: [head]->node->node->...->node->[tail] 939 | # [head], [tail] will always be uncompressed; inner nodes will compress. 940 | # 2: [head]->[next]->node->node->...->node->[prev]->[tail] 941 | # 2 here means: don't compress head or head->next or tail->prev or tail, 942 | # but compress all nodes between them. 943 | # 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail] 944 | # etc. 945 | list-compress-depth 0 946 | 947 | # Sets have a special encoding in just one case: when a set is composed 948 | # of just strings that happen to be integers in radix 10 in the range 949 | # of 64 bit signed integers. 950 | # The following configuration setting sets the limit in the size of the 951 | # set in order to use this special memory saving encoding. 952 | set-max-intset-entries 512 953 | 954 | # Similarly to hashes and lists, sorted sets are also specially encoded in 955 | # order to save a lot of space. This encoding is only used when the length and 956 | # elements of a sorted set are below the following limits: 957 | zset-max-ziplist-entries 128 958 | zset-max-ziplist-value 64 959 | 960 | # HyperLogLog sparse representation bytes limit. The limit includes the 961 | # 16 bytes header. When an HyperLogLog using the sparse representation crosses 962 | # this limit, it is converted into the dense representation. 963 | # 964 | # A value greater than 16000 is totally useless, since at that point the 965 | # dense representation is more memory efficient. 966 | # 967 | # The suggested value is ~ 3000 in order to have the benefits of 968 | # the space efficient encoding without slowing down too much PFADD, 969 | # which is O(N) with the sparse encoding. The value can be raised to 970 | # ~ 10000 when CPU is not a concern, but space is, and the data set is 971 | # composed of many HyperLogLogs with cardinality in the 0 - 15000 range. 972 | hll-sparse-max-bytes 3000 973 | 974 | # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in 975 | # order to help rehashing the main Redis hash table (the one mapping top-level 976 | # keys to values). The hash table implementation Redis uses (see dict.c) 977 | # performs a lazy rehashing: the more operation you run into a hash table 978 | # that is rehashing, the more rehashing "steps" are performed, so if the 979 | # server is idle the rehashing is never complete and some more memory is used 980 | # by the hash table. 981 | # 982 | # The default is to use this millisecond 10 times every second in order to 983 | # actively rehash the main dictionaries, freeing memory when possible. 984 | # 985 | # If unsure: 986 | # use "activerehashing no" if you have hard latency requirements and it is 987 | # not a good thing in your environment that Redis can reply from time to time 988 | # to queries with 2 milliseconds delay. 989 | # 990 | # use "activerehashing yes" if you don't have such hard requirements but 991 | # want to free memory asap when possible. 992 | activerehashing yes 993 | 994 | # The client output buffer limits can be used to force disconnection of clients 995 | # that are not reading data from the server fast enough for some reason (a 996 | # common reason is that a Pub/Sub client can't consume messages as fast as the 997 | # publisher can produce them). 998 | # 999 | # The limit can be set differently for the three different classes of clients: 1000 | # 1001 | # normal -> normal clients including MONITOR clients 1002 | # slave -> slave clients 1003 | # pubsub -> clients subscribed to at least one pubsub channel or pattern 1004 | # 1005 | # The syntax of every client-output-buffer-limit directive is the following: 1006 | # 1007 | # client-output-buffer-limit 1008 | # 1009 | # A client is immediately disconnected once the hard limit is reached, or if 1010 | # the soft limit is reached and remains reached for the specified number of 1011 | # seconds (continuously). 1012 | # So for instance if the hard limit is 32 megabytes and the soft limit is 1013 | # 16 megabytes / 10 seconds, the client will get disconnected immediately 1014 | # if the size of the output buffers reach 32 megabytes, but will also get 1015 | # disconnected if the client reaches 16 megabytes and continuously overcomes 1016 | # the limit for 10 seconds. 1017 | # 1018 | # By default normal clients are not limited because they don't receive data 1019 | # without asking (in a push way), but just after a request, so only 1020 | # asynchronous clients may create a scenario where data is requested faster 1021 | # than it can read. 1022 | # 1023 | # Instead there is a default limit for pubsub and slave clients, since 1024 | # subscribers and slaves receive data in a push fashion. 1025 | # 1026 | # Both the hard or the soft limit can be disabled by setting them to zero. 1027 | client-output-buffer-limit normal 0 0 0 1028 | client-output-buffer-limit slave 256mb 64mb 60 1029 | client-output-buffer-limit pubsub 32mb 8mb 60 1030 | 1031 | # Redis calls an internal function to perform many background tasks, like 1032 | # closing connections of clients in timeout, purging expired keys that are 1033 | # never requested, and so forth. 1034 | # 1035 | # Not all tasks are performed with the same frequency, but Redis checks for 1036 | # tasks to perform according to the specified "hz" value. 1037 | # 1038 | # By default "hz" is set to 10. Raising the value will use more CPU when 1039 | # Redis is idle, but at the same time will make Redis more responsive when 1040 | # there are many keys expiring at the same time, and timeouts may be 1041 | # handled with more precision. 1042 | # 1043 | # The range is between 1 and 500, however a value over 100 is usually not 1044 | # a good idea. Most users should use the default of 10 and raise this up to 1045 | # 100 only in environments where very low latency is required. 1046 | hz 10 1047 | 1048 | # When a child rewrites the AOF file, if the following option is enabled 1049 | # the file will be fsync-ed every 32 MB of data generated. This is useful 1050 | # in order to commit the file to the disk more incrementally and avoid 1051 | # big latency spikes. 1052 | aof-rewrite-incremental-fsync yes 1053 | -------------------------------------------------------------------------------- /includes/remove-staging.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Remove acme-staging CA from Caddyfile, so Caddy gets production certs 3 | 4 | sed -ri.bak 's/acme_ca/#acme_ca/' /usr/local/www/Caddyfile 5 | service caddy reload 6 | -------------------------------------------------------------------------------- /includes/www-crontab: -------------------------------------------------------------------------------- 1 | */5 * * * * /usr/local/bin/php -f /usr/local/www/nextcloud/cron.php 2 | -------------------------------------------------------------------------------- /includes/www.conf: -------------------------------------------------------------------------------- 1 | ; Start a new pool named 'www'. 2 | ; the variable $pool can be used in any directive and will be replaced by the 3 | ; pool name ('www' here) 4 | [www] 5 | 6 | ; Per pool prefix 7 | ; It only applies on the following directives: 8 | ; - 'access.log' 9 | ; - 'slowlog' 10 | ; - 'listen' (unixsocket) 11 | ; - 'chroot' 12 | ; - 'chdir' 13 | ; - 'php_values' 14 | ; - 'php_admin_values' 15 | ; When not set, the global prefix (or /usr/local) applies instead. 16 | ; Note: This directive can also be relative to the global prefix. 17 | ; Default Value: none 18 | ;prefix = /path/to/pools/$pool 19 | 20 | ; Unix user/group of processes 21 | ; Note: The user is mandatory. If the group is not set, the default user's group 22 | ; will be used. 23 | user = www 24 | group = www 25 | 26 | ; The address on which to accept FastCGI requests. 27 | ; Valid syntaxes are: 28 | ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on 29 | ; a specific port; 30 | ; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on 31 | ; a specific port; 32 | ; 'port' - to listen on a TCP socket to all addresses 33 | ; (IPv6 and IPv4-mapped) on a specific port; 34 | ; '/path/to/unix/socket' - to listen on a unix socket. 35 | ; Note: This value is mandatory. 36 | listen = 127.0.0.1:9000 37 | 38 | ; Set listen(2) backlog. 39 | ; Default Value: 511 (-1 on FreeBSD and OpenBSD) 40 | ;listen.backlog = 511 41 | 42 | ; Set permissions for unix socket, if one is used. In Linux, read/write 43 | ; permissions must be set in order to allow connections from a web server. Many 44 | ; BSD-derived systems allow connections regardless of permissions. 45 | ; Default Values: user and group are set as the running user 46 | ; mode is set to 0660 47 | ;listen.owner = www 48 | ;listen.group = www 49 | ;listen.mode = 0660 50 | ; When POSIX Access Control Lists are supported you can set them using 51 | ; these options, value is a comma separated list of user/group names. 52 | ; When set, listen.owner and listen.group are ignored 53 | ;listen.acl_users = 54 | ;listen.acl_groups = 55 | 56 | ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. 57 | ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original 58 | ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address 59 | ; must be separated by a comma. If this value is left blank, connections will be 60 | ; accepted from any ip address. 61 | ; Default Value: any 62 | ;listen.allowed_clients = 127.0.0.1 63 | 64 | ; Specify the nice(2) priority to apply to the pool processes (only if set) 65 | ; The value can vary from -19 (highest priority) to 20 (lower priority) 66 | ; Note: - It will only work if the FPM master process is launched as root 67 | ; - The pool processes will inherit the master process priority 68 | ; unless it specified otherwise 69 | ; Default Value: no set 70 | ; process.priority = -19 71 | 72 | ; Choose how the process manager will control the number of child processes. 73 | ; Possible Values: 74 | ; static - a fixed number (pm.max_children) of child processes; 75 | ; dynamic - the number of child processes are set dynamically based on the 76 | ; following directives. With this process management, there will be 77 | ; always at least 1 children. 78 | ; pm.max_children - the maximum number of children that can 79 | ; be alive at the same time. 80 | ; pm.start_servers - the number of children created on startup. 81 | ; pm.min_spare_servers - the minimum number of children in 'idle' 82 | ; state (waiting to process). If the number 83 | ; of 'idle' processes is less than this 84 | ; number then some children will be created. 85 | ; pm.max_spare_servers - the maximum number of children in 'idle' 86 | ; state (waiting to process). If the number 87 | ; of 'idle' processes is greater than this 88 | ; number then some children will be killed. 89 | ; ondemand - no children are created at startup. Children will be forked when 90 | ; new requests will connect. The following parameter are used: 91 | ; pm.max_children - the maximum number of children that 92 | ; can be alive at the same time. 93 | ; pm.process_idle_timeout - The number of seconds after which 94 | ; an idle process will be killed. 95 | ; Note: This value is mandatory. 96 | pm = dynamic 97 | 98 | ; The number of child processes to be created when pm is set to 'static' and the 99 | ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. 100 | ; This value sets the limit on the number of simultaneous requests that will be 101 | ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. 102 | ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP 103 | ; CGI. The below defaults are based on a server without much resources. Don't 104 | ; forget to tweak pm.* to fit your needs. 105 | ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' 106 | ; Note: This value is mandatory. 107 | pm.max_children = 10 108 | 109 | ; The number of child processes created on startup. 110 | ; Note: Used only when pm is set to 'dynamic' 111 | ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 112 | pm.start_servers = 2 113 | 114 | ; The desired minimum number of idle server processes. 115 | ; Note: Used only when pm is set to 'dynamic' 116 | ; Note: Mandatory when pm is set to 'dynamic' 117 | pm.min_spare_servers = 1 118 | 119 | ; The desired maximum number of idle server processes. 120 | ; Note: Used only when pm is set to 'dynamic' 121 | ; Note: Mandatory when pm is set to 'dynamic' 122 | pm.max_spare_servers = 3 123 | 124 | ; The number of seconds after which an idle process will be killed. 125 | ; Note: Used only when pm is set to 'ondemand' 126 | ; Default Value: 10s 127 | ;pm.process_idle_timeout = 10s; 128 | 129 | ; The number of requests each child process should execute before respawning. 130 | ; This can be useful to work around memory leaks in 3rd party libraries. For 131 | ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. 132 | ; Default Value: 0 133 | ;pm.max_requests = 500 134 | 135 | ; The URI to view the FPM status page. If this value is not set, no URI will be 136 | ; recognized as a status page. It shows the following informations: 137 | ; pool - the name of the pool; 138 | ; process manager - static, dynamic or ondemand; 139 | ; start time - the date and time FPM has started; 140 | ; start since - number of seconds since FPM has started; 141 | ; accepted conn - the number of request accepted by the pool; 142 | ; listen queue - the number of request in the queue of pending 143 | ; connections (see backlog in listen(2)); 144 | ; max listen queue - the maximum number of requests in the queue 145 | ; of pending connections since FPM has started; 146 | ; listen queue len - the size of the socket queue of pending connections; 147 | ; idle processes - the number of idle processes; 148 | ; active processes - the number of active processes; 149 | ; total processes - the number of idle + active processes; 150 | ; max active processes - the maximum number of active processes since FPM 151 | ; has started; 152 | ; max children reached - number of times, the process limit has been reached, 153 | ; when pm tries to start more children (works only for 154 | ; pm 'dynamic' and 'ondemand'); 155 | ; Value are updated in real time. 156 | ; Example output: 157 | ; pool: www 158 | ; process manager: static 159 | ; start time: 01/Jul/2011:17:53:49 +0200 160 | ; start since: 62636 161 | ; accepted conn: 190460 162 | ; listen queue: 0 163 | ; max listen queue: 1 164 | ; listen queue len: 42 165 | ; idle processes: 4 166 | ; active processes: 11 167 | ; total processes: 15 168 | ; max active processes: 12 169 | ; max children reached: 0 170 | ; 171 | ; By default the status page output is formatted as text/plain. Passing either 172 | ; 'html', 'xml' or 'json' in the query string will return the corresponding 173 | ; output syntax. Example: 174 | ; http://www.foo.bar/status 175 | ; http://www.foo.bar/status?json 176 | ; http://www.foo.bar/status?html 177 | ; http://www.foo.bar/status?xml 178 | ; 179 | ; By default the status page only outputs short status. Passing 'full' in the 180 | ; query string will also return status for each pool process. 181 | ; Example: 182 | ; http://www.foo.bar/status?full 183 | ; http://www.foo.bar/status?json&full 184 | ; http://www.foo.bar/status?html&full 185 | ; http://www.foo.bar/status?xml&full 186 | ; The Full status returns for each process: 187 | ; pid - the PID of the process; 188 | ; state - the state of the process (Idle, Running, ...); 189 | ; start time - the date and time the process has started; 190 | ; start since - the number of seconds since the process has started; 191 | ; requests - the number of requests the process has served; 192 | ; request duration - the duration in µs of the requests; 193 | ; request method - the request method (GET, POST, ...); 194 | ; request URI - the request URI with the query string; 195 | ; content length - the content length of the request (only with POST); 196 | ; user - the user (PHP_AUTH_USER) (or '-' if not set); 197 | ; script - the main script called (or '-' if not set); 198 | ; last request cpu - the %cpu the last request consumed 199 | ; it's always 0 if the process is not in Idle state 200 | ; because CPU calculation is done when the request 201 | ; processing has terminated; 202 | ; last request memory - the max amount of memory the last request consumed 203 | ; it's always 0 if the process is not in Idle state 204 | ; because memory calculation is done when the request 205 | ; processing has terminated; 206 | ; If the process is in Idle state, then informations are related to the 207 | ; last request the process has served. Otherwise informations are related to 208 | ; the current request being served. 209 | ; Example output: 210 | ; ************************ 211 | ; pid: 31330 212 | ; state: Running 213 | ; start time: 01/Jul/2011:17:53:49 +0200 214 | ; start since: 63087 215 | ; requests: 12808 216 | ; request duration: 1250261 217 | ; request method: GET 218 | ; request URI: /test_mem.php?N=10000 219 | ; content length: 0 220 | ; user: - 221 | ; script: /home/fat/web/docs/php/test_mem.php 222 | ; last request cpu: 0.00 223 | ; last request memory: 0 224 | ; 225 | ; Note: There is a real-time FPM status monitoring sample web page available 226 | ; It's available in: /usr/local/share/php/fpm/status.html 227 | ; 228 | ; Note: The value must start with a leading slash (/). The value can be 229 | ; anything, but it may not be a good idea to use the .php extension or it 230 | ; may conflict with a real PHP file. 231 | ; Default Value: not set 232 | ;pm.status_path = /status 233 | 234 | ; The ping URI to call the monitoring page of FPM. If this value is not set, no 235 | ; URI will be recognized as a ping page. This could be used to test from outside 236 | ; that FPM is alive and responding, or to 237 | ; - create a graph of FPM availability (rrd or such); 238 | ; - remove a server from a group if it is not responding (load balancing); 239 | ; - trigger alerts for the operating team (24/7). 240 | ; Note: The value must start with a leading slash (/). The value can be 241 | ; anything, but it may not be a good idea to use the .php extension or it 242 | ; may conflict with a real PHP file. 243 | ; Default Value: not set 244 | ;ping.path = /ping 245 | 246 | ; This directive may be used to customize the response of a ping request. The 247 | ; response is formatted as text/plain with a 200 response code. 248 | ; Default Value: pong 249 | ;ping.response = pong 250 | 251 | ; The access log file 252 | ; Default: not set 253 | ;access.log = log/$pool.access.log 254 | 255 | ; The access log format. 256 | ; The following syntax is allowed 257 | ; %%: the '%' character 258 | ; %C: %CPU used by the request 259 | ; it can accept the following format: 260 | ; - %{user}C for user CPU only 261 | ; - %{system}C for system CPU only 262 | ; - %{total}C for user + system CPU (default) 263 | ; %d: time taken to serve the request 264 | ; it can accept the following format: 265 | ; - %{seconds}d (default) 266 | ; - %{miliseconds}d 267 | ; - %{mili}d 268 | ; - %{microseconds}d 269 | ; - %{micro}d 270 | ; %e: an environment variable (same as $_ENV or $_SERVER) 271 | ; it must be associated with embraces to specify the name of the env 272 | ; variable. Some exemples: 273 | ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e 274 | ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e 275 | ; %f: script filename 276 | ; %l: content-length of the request (for POST request only) 277 | ; %m: request method 278 | ; %M: peak of memory allocated by PHP 279 | ; it can accept the following format: 280 | ; - %{bytes}M (default) 281 | ; - %{kilobytes}M 282 | ; - %{kilo}M 283 | ; - %{megabytes}M 284 | ; - %{mega}M 285 | ; %n: pool name 286 | ; %o: output header 287 | ; it must be associated with embraces to specify the name of the header: 288 | ; - %{Content-Type}o 289 | ; - %{X-Powered-By}o 290 | ; - %{Transfert-Encoding}o 291 | ; - .... 292 | ; %p: PID of the child that serviced the request 293 | ; %P: PID of the parent of the child that serviced the request 294 | ; %q: the query string 295 | ; %Q: the '?' character if query string exists 296 | ; %r: the request URI (without the query string, see %q and %Q) 297 | ; %R: remote IP address 298 | ; %s: status (response code) 299 | ; %t: server time the request was received 300 | ; it can accept a strftime(3) format: 301 | ; %d/%b/%Y:%H:%M:%S %z (default) 302 | ; The strftime(3) format must be encapsuled in a %{}t tag 303 | ; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t 304 | ; %T: time the log has been written (the request has finished) 305 | ; it can accept a strftime(3) format: 306 | ; %d/%b/%Y:%H:%M:%S %z (default) 307 | ; The strftime(3) format must be encapsuled in a %{}t tag 308 | ; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t 309 | ; %u: remote user 310 | ; 311 | ; Default: "%R - %u %t \"%m %r\" %s" 312 | ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" 313 | 314 | ; The log file for slow requests 315 | ; Default Value: not set 316 | ; Note: slowlog is mandatory if request_slowlog_timeout is set 317 | ;slowlog = log/$pool.log.slow 318 | 319 | ; The timeout for serving a single request after which a PHP backtrace will be 320 | ; dumped to the 'slowlog' file. A value of '0s' means 'off'. 321 | ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) 322 | ; Default Value: 0 323 | ;request_slowlog_timeout = 0 324 | 325 | ; Depth of slow log stack trace. 326 | ; Default Value: 20 327 | ;request_slowlog_trace_depth = 20 328 | 329 | ; The timeout for serving a single request after which the worker process will 330 | ; be killed. This option should be used when the 'max_execution_time' ini option 331 | ; does not stop script execution for some reason. A value of '0' means 'off'. 332 | ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) 333 | ; Default Value: 0 334 | ;request_terminate_timeout = 0 335 | 336 | ; Set open file descriptor rlimit. 337 | ; Default Value: system defined value 338 | ;rlimit_files = 1024 339 | 340 | ; Set max core size rlimit. 341 | ; Possible Values: 'unlimited' or an integer greater or equal to 0 342 | ; Default Value: system defined value 343 | ;rlimit_core = 0 344 | 345 | ; Chroot to this directory at the start. This value must be defined as an 346 | ; absolute path. When this value is not set, chroot is not used. 347 | ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one 348 | ; of its subdirectories. If the pool prefix is not set, the global prefix 349 | ; will be used instead. 350 | ; Note: chrooting is a great security feature and should be used whenever 351 | ; possible. However, all PHP paths will be relative to the chroot 352 | ; (error_log, sessions.save_path, ...). 353 | ; Default Value: not set 354 | ;chroot = 355 | 356 | ; Chdir to this directory at the start. 357 | ; Note: relative path can be used. 358 | ; Default Value: current directory or / when chroot 359 | ;chdir = /var/www 360 | 361 | ; Redirect worker stdout and stderr into main error log. If not set, stdout and 362 | ; stderr will be redirected to /dev/null according to FastCGI specs. 363 | ; Note: on highloaded environement, this can cause some delay in the page 364 | ; process time (several ms). 365 | ; Default Value: no 366 | ;catch_workers_output = yes 367 | 368 | ; Clear environment in FPM workers 369 | ; Prevents arbitrary environment variables from reaching FPM worker processes 370 | ; by clearing the environment in workers before env vars specified in this 371 | ; pool configuration are added. 372 | ; Setting to "no" will make all environment variables available to PHP code 373 | ; via getenv(), $_ENV and $_SERVER. 374 | ; Default Value: yes 375 | ;clear_env = no 376 | 377 | ; Limits the extensions of the main script FPM will allow to parse. This can 378 | ; prevent configuration mistakes on the web server side. You should only limit 379 | ; FPM to .php extensions to prevent malicious users to use other extensions to 380 | ; execute php code. 381 | ; Note: set an empty value to allow all extensions. 382 | ; Default Value: .php 383 | ;security.limit_extensions = .php .php3 .php4 .php5 .php7 384 | 385 | ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from 386 | ; the current environment. 387 | ; Default Value: clean env 388 | env[HOSTNAME] = $HOSTNAME 389 | env[PATH] = /usr/local/bin:/usr/bin:/bin 390 | env[TMP] = /tmp 391 | env[TMPDIR] = /tmp 392 | env[TEMP] = /tmp 393 | 394 | ; Additional php.ini defines, specific to this pool of workers. These settings 395 | ; overwrite the values previously defined in the php.ini. The directives are the 396 | ; same as the PHP SAPI: 397 | ; php_value/php_flag - you can set classic ini defines which can 398 | ; be overwritten from PHP call 'ini_set'. 399 | ; php_admin_value/php_admin_flag - these directives won't be overwritten by 400 | ; PHP call 'ini_set' 401 | ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. 402 | 403 | ; Defining 'extension' will load the corresponding shared extension from 404 | ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not 405 | ; overwrite previously defined php.ini values, but will append the new value 406 | ; instead. 407 | 408 | ; Note: path INI options can be relative and will be expanded with the prefix 409 | ; (pool, global or /usr/local) 410 | 411 | ; Default Value: nothing is defined by default except the values in php.ini and 412 | ; specified at startup with the -d argument 413 | ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com 414 | ;php_flag[display_errors] = off 415 | ;php_admin_value[error_log] = /var/log/fpm-php.www.log 416 | ;php_admin_flag[log_errors] = on 417 | ;php_admin_value[memory_limit] = 32M 418 | -------------------------------------------------------------------------------- /nextcloud-jail.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Build an iocage jail under FreeNAS 11.3-13.0 using the current release of Nextcloud 26 3 | # https://github.com/danb35/freenas-iocage-nextcloud 4 | 5 | set -x 6 | 7 | # Check for root privileges 8 | if ! [ $(id -u) = 0 ]; then 9 | echo "This script must be run with root privileges" 10 | exit 1 11 | fi 12 | 13 | ##### 14 | # 15 | # General configuration 16 | # 17 | ##### 18 | 19 | # Initialize defaults 20 | JAIL_IP="" 21 | JAIL_INTERFACES="" 22 | DEFAULT_GW_IP="" 23 | INTERFACE="vnet0" 24 | VNET="on" 25 | POOL_PATH="" 26 | JAIL_NAME="nextcloud" 27 | TIME_ZONE="" 28 | HOST_NAME="" 29 | DATABASE="mariadb" 30 | DB_PATH="" 31 | FILES_PATH="" 32 | PORTS_PATH="" 33 | CONFIG_PATH="" 34 | THEMES_PATH="" 35 | STANDALONE_CERT=0 36 | SELFSIGNED_CERT=0 37 | DNS_CERT=0 38 | NO_CERT=0 39 | CERT_EMAIL="" 40 | DL_FLAGS="" 41 | DNS_SETTING="" 42 | CONFIG_NAME="nextcloud-config" 43 | NEXTCLOUD_VERSION="30" 44 | COUNTRY_CODE="US" 45 | JAIL_BASEJAIL="false" 46 | PGP_KEYSERVER="pgpkeys.eu" 47 | # Will not work with keys.openpgp.org because GPG requires keys to have a user ID, however, Nextcloud have not authenticated their key on openpgp. 48 | NEXTCLOUD_PGP_KEYID="28806A878AE423A28372792ED75899B9A724937A" 49 | MX_WINDOW="5" 50 | 51 | # Check for nextcloud-config and set configuration 52 | SCRIPT=$(readlink -f "$0") 53 | SCRIPTPATH=$(dirname "${SCRIPT}") 54 | if ! [ -e "${SCRIPTPATH}"/"${CONFIG_NAME}" ]; then 55 | echo "${SCRIPTPATH}/${CONFIG_NAME} must exist." 56 | exit 1 57 | fi 58 | . "${SCRIPTPATH}"/"${CONFIG_NAME}" 59 | INCLUDES_PATH="${SCRIPTPATH}"/includes 60 | 61 | ADMIN_PASSWORD=$(openssl rand -base64 12) 62 | DB_ROOT_PASSWORD=$(openssl rand -base64 16) 63 | DB_PASSWORD=$(openssl rand -base64 16) 64 | if [ "${DATABASE}" = "mariadb" ]; then 65 | DB_NAME="MariaDB" 66 | elif [ "${DATABASE}" = "pgsql" ]; then 67 | DB_NAME="PostgreSQL" 68 | fi 69 | 70 | RELEASE=$(freebsd-version | cut -d - -f -1)"-RELEASE" 71 | # If release is 13.3-RELEASE, change to 13.4-RELEASE 72 | if [ "${RELEASE}" = "13.3-RELEASE" ]; then 73 | RELEASE="13.4-RELEASE" 74 | fi 75 | JAILS_MOUNT=$(zfs get -H -o value mountpoint $(iocage get -p)/iocage) 76 | 77 | ##### 78 | # 79 | # Input/Config Sanity checks 80 | # 81 | ##### 82 | 83 | # Check that necessary variables were set by nextcloud-config 84 | if [ -z "${JAIL_IP}" ]; then 85 | echo 'Configuration error: JAIL_IP must be set' 86 | exit 1 87 | fi 88 | if [ -z "${JAIL_INTERFACES}" ]; then 89 | echo 'JAIL_INTERFACES not set, defaulting to: vnet0:bridge0' 90 | JAIL_INTERFACES="vnet0:bridge0" 91 | fi 92 | if [ -z "${DEFAULT_GW_IP}" ]; then 93 | echo 'Configuration error: DEFAULT_GW_IP must be set' 94 | exit 1 95 | fi 96 | if [ -z "${POOL_PATH}" ]; then 97 | echo 'Configuration error: POOL_PATH must be set' 98 | exit 1 99 | fi 100 | if [ -z "${TIME_ZONE}" ]; then 101 | echo 'Configuration error: TIME_ZONE must be set' 102 | exit 1 103 | fi 104 | if [ -z "${HOST_NAME}" ]; then 105 | echo 'Configuration error: HOST_NAME must be set' 106 | exit 1 107 | fi 108 | if [ $STANDALONE_CERT -eq 0 ] && [ $DNS_CERT -eq 0 ] && [ $NO_CERT -eq 0 ] && [ $SELFSIGNED_CERT -eq 0 ]; then 109 | echo 'Configuration error: Either STANDALONE_CERT, DNS_CERT, NO_CERT,' 110 | echo 'or SELFSIGNED_CERT must be set to 1.' 111 | exit 1 112 | fi 113 | if [ $STANDALONE_CERT -eq 1 ] && [ $DNS_CERT -eq 1 ] ; then 114 | echo 'Configuration error: Only one of STANDALONE_CERT and DNS_CERT' 115 | echo 'may be set to 1.' 116 | exit 1 117 | fi 118 | 119 | if [ $DNS_CERT -eq 1 ] && [ -z "${DNS_PLUGIN}" ] ; then 120 | echo "DNS_PLUGIN must be set to a supported DNS provider." 121 | echo "See https://caddyserver.com/download for available plugins." 122 | echo "Use only the last part of the name. E.g., for" 123 | echo "\"github.com/caddy-dns/cloudflare\", enter \"coudflare\"." 124 | exit 1 125 | fi 126 | 127 | if [ $DNS_CERT -eq 1 ] && [ "${CERT_EMAIL}" = "" ] ; then 128 | echo "CERT_EMAIL must be set when using Let's Encrypt certs." 129 | exit 1 130 | fi 131 | 132 | if [ $STANDALONE_CERT -eq 1 ] && [ "${CERT_EMAIL}" = "" ] ; then 133 | echo "CERT_EMAIL must be set when using Let's Encrypt certs." 134 | exit 1 135 | fi 136 | 137 | # If DB_PATH, FILES_PATH, CONFIG_PATH and PORTS_PATH weren't set in nextcloud-config, set them 138 | if [ -z "${DB_PATH}" ]; then 139 | DB_PATH="${POOL_PATH}"/nextcloud/db 140 | fi 141 | if [ -z "${FILES_PATH}" ]; then 142 | FILES_PATH="${POOL_PATH}"/nextcloud/files 143 | fi 144 | if [ -z "${CONFIG_PATH}" ]; then 145 | CONFIG_PATH="${POOL_PATH}"/nextcloud/config 146 | fi 147 | if [ -z "${THEMES_PATH}" ]; then 148 | THEMES_PATH="${POOL_PATH}"/nextcloud/themes 149 | fi 150 | if [ -z "${PORTS_PATH}" ]; then 151 | PORTS_PATH="${POOL_PATH}"/portsnap 152 | fi 153 | 154 | # Sanity check DB_PATH, FILES_PATH, and PORTS_PATH -- they all have to be different, 155 | # and can't be the same as POOL_PATH 156 | if [ "${DB_PATH}" = "${FILES_PATH}" ] || [ "${FILES_PATH}" = "${PORTS_PATH}" ] || [ "${PORTS_PATH}" = "${DB_PATH}" ] || [ "${CONFIG_PATH}" = "${FILES_PATH}" ] || [ "${CONFIG_PATH}" = "${PORTS_PATH}" ] || [ "${CONFIG_PATH}" = "${DB_PATH}" ] 157 | then 158 | echo "DB_PATH, FILES_PATH, CONFIG_PATH and PORTS_PATH must all be different!" 159 | exit 1 160 | elif [ "${THEMES_PATH}" = "${PORTS_PATH}" ] || [ "${THEMES_PATH}" = "${DB_PATH}" ] || [ "${THEMES_PATH}" = "${CONFIG_PATH}" ] 161 | then 162 | echo "DB_PATH, FILES_PATH, CONFIG_PATH, THEMES_PATH and PORTS_PATH must all be different!" 163 | exit 1 164 | fi 165 | 166 | if [ "${DB_PATH}" = "${POOL_PATH}" ] || [ "${FILES_PATH}" = "${POOL_PATH}" ] || [ "${PORTS_PATH}" = "${POOL_PATH}" ] || [ "${CONFIG_PATH}" = "${POOL_PATH}" ] || [ "${THEMES_PATH}" = "${POOL_PATH}" ] 167 | then 168 | echo "DB_PATH, FILES_PATH, CONFIG_PATH, THEMES_PATH and PORTS_PATH must all be different from POOL_PATH!" 169 | exit 1 170 | fi 171 | 172 | # Extract IP and netmask, sanity check netmask 173 | IP=$(echo ${JAIL_IP} | cut -f1 -d/) 174 | NETMASK=$(echo ${JAIL_IP} | cut -f2 -d/) 175 | if [ "${NETMASK}" = "${IP}" ] 176 | then 177 | NETMASK="24" 178 | fi 179 | if [ "${NETMASK}" -lt 8 ] || [ "${NETMASK}" -gt 30 ] 180 | then 181 | NETMASK="24" 182 | fi 183 | 184 | # Check for reinstall 185 | if [ "$(ls -A "${CONFIG_PATH}")" ]; then 186 | echo "Existing Nextcloud config detected... Checking Database compatibility for reinstall" 187 | if [ "$(ls -A "${DB_PATH}/${DATABASE}")" ]; then 188 | echo "Database is compatible, continuing..." 189 | REINSTALL="true" 190 | else 191 | echo "ERROR: You can not reinstall without the previous database" 192 | echo "Please try again after removing your config files or using the same database used previously" 193 | exit 1 194 | fi 195 | fi 196 | 197 | ##### 198 | # 199 | # Jail Creation 200 | # 201 | ##### 202 | 203 | # List packages to be auto-installed after jail creation 204 | # PHP Modules listed in order, as seen on "Installation of Linux" in Nextcloud Documentation 205 | # Notes: The php-hash and the php-json modules are part of PHP Core. 206 | # There is no php-libxml module for FreeBSD, instead we install php-xml 207 | # The last three modules (iconv, xsl, opcache) are not listed in the documentation for Nextcloud 23 208 | # Keeping them because original author put them there 209 | cat <<__EOF__ >/tmp/pkg.json 210 | { 211 | "pkgs": [ 212 | "nano", 213 | "sudo", 214 | "vim", 215 | "redis", 216 | "gnupg", 217 | "bash", 218 | "go", 219 | "git", 220 | "ffmpeg", 221 | "perl5", 222 | "p5-Locale-gettext", 223 | "help2man", 224 | "texinfo", 225 | "m4", 226 | "autoconf", 227 | "php83", 228 | "php83-ctype", 229 | "php83-curl", 230 | "php83-dom", 231 | "php83-filter", 232 | "php83-gd", 233 | "php83-xml", 234 | "php83-mbstring", 235 | "php83-posix", 236 | "php83-session", 237 | "php83-simplexml", 238 | "php83-xmlreader", 239 | "php83-xmlwriter", 240 | "php83-zip", 241 | "php83-zlib", 242 | "php83-fileinfo", 243 | "php83-bz2", 244 | "php83-intl", 245 | "php83-ldap", 246 | "php83-pecl-smbclient", 247 | "php83-ftp", 248 | "php83-imap", 249 | "php83-bcmath", 250 | "php83-gmp", 251 | "php83-exif", 252 | "php83-pecl-APCu", 253 | "php83-pecl-memcache", 254 | "php83-pecl-redis", 255 | "php83-pecl-imagick", 256 | "php83-pcntl", 257 | "php83-phar", 258 | "php83-iconv", 259 | "php83-sodium", 260 | "php83-sysvsem", 261 | "php83-xsl", 262 | "php83-opcache" 263 | ] 264 | } 265 | __EOF__ 266 | 267 | # Create the jail and install previously listed packages 268 | if [ "${JAIL_BASEJAIL}" = "true" ]; then 269 | JAIL_TYPE_OPTION="--basejail" 270 | echo "Creating jail ${JAIL_NAME} as a Basejail, this can take a while..." 271 | else 272 | JAIL_TYPE_OPTION="" 273 | echo "Creating jail ${JAIL_NAME} as a normal (clone) jail..." 274 | fi 275 | if ! iocage create --name "${JAIL_NAME}" -p /tmp/pkg.json -r "${RELEASE}" ${JAIL_TYPE_OPTION:+"${JAIL_TYPE_OPTION}"} interfaces="${JAIL_INTERFACES}" ip4_addr="${INTERFACE}|${IP}/${NETMASK}" defaultrouter="${DEFAULT_GW_IP}" boot="on" host_hostname="${JAIL_NAME}" vnet="${VNET}" 276 | then 277 | echo "Failed to create jail" 278 | exit 1 279 | fi 280 | rm /tmp/pkg.json 281 | 282 | ##### 283 | # 284 | # Directory Creation and Mounting 285 | # 286 | ##### 287 | 288 | mkdir -p "${DB_PATH}"/"${DATABASE}" 289 | chown -R 88:88 "${DB_PATH}"/ 290 | mkdir -p "${FILES_PATH}" 291 | chown -R 80:80 "${FILES_PATH}" 292 | mkdir -p "${CONFIG_PATH}" 293 | mkdir -p "${THEMES_PATH}" 294 | # Ports not currently used, Commented out for future use 295 | #mkdir -p "${PORTS_PATH}"/ports 296 | #mkdir -p "${PORTS_PATH}"/db 297 | iocage exec "${JAIL_NAME}" mkdir -p /mnt/files 298 | if [ "${DATABASE}" = "mariadb" ]; then 299 | iocage exec "${JAIL_NAME}" mkdir -p /var/db/mysql 300 | elif [ "${DATABASE}" = "pgsql" ]; then 301 | iocage exec "${JAIL_NAME}" mkdir -p /var/db/postgres 302 | fi 303 | iocage exec "${JAIL_NAME}" mkdir -p /mnt/includes 304 | iocage exec "${JAIL_NAME}" mkdir -p /mnt/files 305 | iocage exec "${JAIL_NAME}" mkdir -p /usr/local/www/nextcloud/config 306 | iocage exec "${JAIL_NAME}" mkdir -p /usr/local/www/nextcloud/themes 307 | 308 | # Ports not currently used, Commented out for future use 309 | #mkdir -p "${JAILS_MOUNT}"/jails/${JAIL_NAME}/root/var/db/portsnap 310 | #mkdir -p "${JAILS_MOUNT}"/jails/${JAIL_NAME}/root/usr/ports 311 | #iocage fstab -a "${JAIL_NAME}" "${PORTS_PATH}"/ports /usr/ports nullfs rw 0 0 312 | #iocage fstab -a "${JAIL_NAME}" "${PORTS_PATH}"/db /var/db/portsnap nullfs rw 0 0 313 | 314 | iocage fstab -a "${JAIL_NAME}" "${FILES_PATH}" /mnt/files nullfs rw 0 0 315 | iocage fstab -a "${JAIL_NAME}" "${CONFIG_PATH}" /usr/local/www/nextcloud/config nullfs rw 0 0 316 | iocage fstab -a "${JAIL_NAME}" "${THEMES_PATH}" /usr/local/www/nextcloud/themes nullfs rw 0 0 317 | if [ "${DATABASE}" = "mariadb" ]; then 318 | mkdir -p "${JAILS_MOUNT}"/jails/${JAIL_NAME}/root/var/db/mysql 319 | iocage fstab -a "${JAIL_NAME}" "${DB_PATH}"/"${DATABASE}" /var/db/mysql nullfs rw 0 0 320 | elif [ "${DATABASE}" = "pgsql" ]; then 321 | mkdir -p "${JAILS_MOUNT}"/jails/${JAIL_NAME}/root/var/db/postgres 322 | iocage fstab -a "${JAIL_NAME}" "${DB_PATH}"/"${DATABASE}" /var/db/postgres nullfs rw 0 0 323 | fi 324 | iocage fstab -a "${JAIL_NAME}" "${INCLUDES_PATH}" /mnt/includes nullfs rw 0 0 325 | iocage exec "${JAIL_NAME}" chown -R www:www /mnt/files 326 | iocage exec "${JAIL_NAME}" chmod -R 770 /mnt/files 327 | 328 | 329 | ##### 330 | # 331 | # Additional Dependency installation 332 | # 333 | ##### 334 | 335 | if [ "${DATABASE}" = "mariadb" ]; then 336 | iocage exec "${JAIL_NAME}" pkg install -y mariadb106-server php83-pdo_mysql php83-mysqli 337 | elif [ "${DATABASE}" = "pgsql" ]; then 338 | iocage exec "${JAIL_NAME}" pkg install -y postgresql13-server php83-pgsql php83-pdo_pgsql 339 | fi 340 | 341 | # Ports not currently used, Commented out for future use 342 | #iocage exec "${JAIL_NAME}" "if [ -z /usr/ports ]; then portsnap fetch extract; else portsnap auto; fi" 343 | 344 | # Build xcaddy, use it to build Caddy 345 | if ! iocage exec "${JAIL_NAME}" "go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest" 346 | then 347 | echo "Failed to get xcaddy, terminating." 348 | exit 1 349 | fi 350 | if ! iocage exec "${JAIL_NAME}" cp /root/go/bin/xcaddy /usr/local/bin/xcaddy 351 | then 352 | echo "Failed to move xcaddy to path, terminating." 353 | exit 1 354 | fi 355 | if [ ${DNS_CERT} -eq 1 ]; then 356 | if ! iocage exec "${JAIL_NAME}" xcaddy build --output /usr/local/bin/caddy --with github.com/caddy-dns/"${DNS_PLUGIN}" 357 | then 358 | echo "Failed to build Caddy with ${DNS_PLUGIN} plugin, terminating." 359 | exit 1 360 | fi 361 | else 362 | if ! iocage exec "${JAIL_NAME}" xcaddy build --output /usr/local/bin/caddy 363 | then 364 | echo "Failed to build Caddy without plugin, terminating." 365 | exit 1 366 | fi 367 | fi 368 | 369 | ##### 370 | # 371 | # Webserver Setup and Nextcloud Download 372 | # 373 | ##### 374 | 375 | FILE="latest-${NEXTCLOUD_VERSION}.tar.bz2" 376 | if ! iocage exec "${JAIL_NAME}" fetch -o /tmp https://download.nextcloud.com/server/releases/"${FILE}" https://download.nextcloud.com/server/releases/"${FILE}".asc 377 | then 378 | echo "Failed to download Nextcloud" 379 | exit 1 380 | fi 381 | if iocage exec "${JAIL_NAME}" fetch -o /tmp https://nextcloud.com/nextcloud.asc 382 | then 383 | iocage exec "${JAIL_NAME}" gpg --import /tmp/nextcloud.asc 384 | else 385 | if ! iocage exec "${JAIL_NAME}" gpg --keyserver "${PGP_KEYSERVER}" --recv-key "${NEXTCLOUD_PGP_KEYID}" 386 | then 387 | echo "Failed to download Nextcloud GPG signing key" 388 | exit 1 389 | fi 390 | fi 391 | if ! iocage exec "${JAIL_NAME}" gpg --verify /tmp/"${FILE}".asc 392 | then 393 | echo "GPG Signature Verification Failed!" 394 | echo "The Nextcloud download is corrupt." 395 | exit 1 396 | fi 397 | iocage exec "${JAIL_NAME}" tar xjf /tmp/"${FILE}" -C /usr/local/www/ 398 | iocage exec "${JAIL_NAME}" chown -R www:www /usr/local/www/nextcloud/ 399 | if [ "${DATABASE}" = "mariadb" ]; then 400 | iocage exec "${JAIL_NAME}" sysrc mysql_enable="YES" 401 | elif [ "${DATABASE}" = "pgsql" ]; then 402 | iocage exec "${JAIL_NAME}" sysrc postgresql_enable="YES" 403 | fi 404 | iocage exec "${JAIL_NAME}" sysrc redis_enable="YES" 405 | iocage exec "${JAIL_NAME}" sysrc php_fpm_enable="YES" 406 | 407 | 408 | # Generate and install self-signed cert, if necessary 409 | if [ $SELFSIGNED_CERT -eq 1 ]; then 410 | iocage exec "${JAIL_NAME}" mkdir -p /usr/local/etc/pki/tls/private 411 | iocage exec "${JAIL_NAME}" mkdir -p /usr/local/etc/pki/tls/certs 412 | openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=${HOST_NAME}" -keyout "${INCLUDES_PATH}"/privkey.pem -out "${INCLUDES_PATH}"/fullchain.pem 413 | iocage exec "${JAIL_NAME}" cp /mnt/includes/privkey.pem /usr/local/etc/pki/tls/private/privkey.pem 414 | iocage exec "${JAIL_NAME}" cp /mnt/includes/fullchain.pem /usr/local/etc/pki/tls/certs/fullchain.pem 415 | fi 416 | 417 | # Copy and edit pre-written config files 418 | if ! iocage exec "${JAIL_NAME}" cp -f /mnt/includes/php.ini /usr/local/etc/php.ini 419 | then 420 | echo "Failed to copy php.ini" 421 | exit 1 422 | fi 423 | iocage exec "${JAIL_NAME}" chown -R www:www /usr/local/etc/php.ini 424 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/redis.conf /usr/local/etc/redis.conf 425 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/www.conf /usr/local/etc/php-fpm.d/ 426 | if [ $STANDALONE_CERT -eq 1 ] || [ $DNS_CERT -eq 1 ]; then 427 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/remove-staging.sh /root/ 428 | fi 429 | if [ $NO_CERT -eq 1 ]; then 430 | echo "Copying Caddyfile for no SSL" 431 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile-nossl /usr/local/www/Caddyfile 432 | elif [ $SELFSIGNED_CERT -eq 1 ]; then 433 | echo "Copying Caddyfile for self-signed cert" 434 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile-selfsigned /usr/local/www/Caddyfile 435 | elif [ $DNS_CERT -eq 1 ]; then 436 | echo "Copying Caddyfile for Let's Encrypt DNS cert" 437 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile-dns /usr/local/www/Caddyfile 438 | else 439 | echo "Copying Caddyfile for Let's Encrypt cert" 440 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/Caddyfile /usr/local/www/ 441 | fi 442 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/caddy /usr/local/etc/rc.d/ 443 | 444 | if [ "${DATABASE}" = "mariadb" ]; then 445 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/my-system.cnf /usr/local/etc/mysql/conf.d/nextcloud.cnf 446 | fi 447 | iocage exec "${JAIL_NAME}" sed -i '' "s/yourhostnamehere/${HOST_NAME}/" /usr/local/www/Caddyfile 448 | #iocage exec "${JAIL_NAME}" sed -i '' "s/DNS-PLACEHOLDER/${DNS_SETTING}/" /usr/local/www/Caddyfile 449 | iocage exec "${JAIL_NAME}" sed -i '' "s/dns_plugin/${DNS_PLUGIN}/" /usr/local/www/Caddyfile 450 | iocage exec "${JAIL_NAME}" sed -i '' "s/api_token/${DNS_TOKEN}/" /usr/local/www/Caddyfile 451 | iocage exec "${JAIL_NAME}" sed -i '' "s/jail_ip/${IP}/" /usr/local/www/Caddyfile 452 | iocage exec "${JAIL_NAME}" sed -i '' "s/youremailhere/${CERT_EMAIL}/" /usr/local/www/Caddyfile 453 | iocage exec "${JAIL_NAME}" sed -i '' "s|mytimezone|${TIME_ZONE}|" /usr/local/etc/php.ini 454 | 455 | iocage exec "${JAIL_NAME}" sysrc caddy_enable="YES" 456 | iocage exec "${JAIL_NAME}" sysrc caddy_config="/usr/local/www/Caddyfile" 457 | 458 | iocage restart "${JAIL_NAME}" 459 | 460 | ##### 461 | # 462 | # Nextcloud Install 463 | # 464 | ##### 465 | 466 | # Add the www user to the redis group to allow it to access the socket 467 | iocage exec "${JAIL_NAME}" pw usermod www -G redis 468 | iocage exec "${JAIL_NAME}" chmod 777 /var/run/redis/redis.sock 469 | 470 | # Skip generation of config and database for reinstall (this already exists when doing a reinstall) 471 | if [ "${REINSTALL}" == "true" ]; then 472 | echo "Reinstall detected, skipping generation of new config and database" 473 | if [ "${DATABASE}" = "mariadb" ]; then 474 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/my.cnf /root/.my.cnf 475 | iocage exec "${JAIL_NAME}" sed -i '' "s|mypassword|${DB_ROOT_PASSWORD}|" /root/.my.cnf 476 | fi 477 | else 478 | 479 | # Secure database, set root password, create Nextcloud DB, user, and password 480 | if [ "${DATABASE}" = "mariadb" ]; then 481 | if ! iocage exec "${JAIL_NAME}" mysql -u root -e "CREATE DATABASE nextcloud;" 482 | then 483 | echo "Failed to create MariaDB database, aborting" 484 | exit 1 485 | fi 486 | iocage exec "${JAIL_NAME}" mysql -u root -e "GRANT ALL ON nextcloud.* TO nextcloud@localhost IDENTIFIED BY '${DB_PASSWORD}';" 487 | iocage exec "${JAIL_NAME}" mysql -u root -e "DELETE FROM mysql.user WHERE User='';" 488 | iocage exec "${JAIL_NAME}" mysql -u root -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');" 489 | iocage exec "${JAIL_NAME}" mysql -u root -e "DROP DATABASE IF EXISTS test;" 490 | iocage exec "${JAIL_NAME}" mysql -u root -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';" 491 | iocage exec "${JAIL_NAME}" mysqladmin --user=root password "${DB_ROOT_PASSWORD}" reload 492 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/my.cnf /root/.my.cnf 493 | iocage exec "${JAIL_NAME}" sed -i '' "s|mypassword|${DB_ROOT_PASSWORD}|" /root/.my.cnf 494 | elif [ "${DATABASE}" = "pgsql" ]; then 495 | iocage exec "${JAIL_NAME}" cp -f /mnt/includes/pgpass /root/.pgpass 496 | iocage exec "${JAIL_NAME}" chmod 600 /root/.pgpass 497 | iocage exec "${JAIL_NAME}" chown postgres /var/db/postgres/ 498 | iocage exec "${JAIL_NAME}" /usr/local/etc/rc.d/postgresql initdb 499 | iocage exec "${JAIL_NAME}" su -m postgres -c '/usr/local/bin/pg_ctl -D /var/db/postgres/data13 start' 500 | iocage exec "${JAIL_NAME}" sed -i '' "s|mypassword|${DB_ROOT_PASSWORD}|" /root/.pgpass 501 | if ! iocage exec "${JAIL_NAME}" psql -U postgres -c "CREATE DATABASE nextcloud;" 502 | then 503 | echo "Failed to create PostgreSQL database, aborting" 504 | exit 1 505 | fi 506 | iocage exec "${JAIL_NAME}" psql -U postgres -c "CREATE USER nextcloud WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';" 507 | iocage exec "${JAIL_NAME}" psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;" 508 | iocage exec "${JAIL_NAME}" psql -U postgres -c "SELECT pg_reload_conf();" 509 | fi 510 | 511 | # Save passwords for later reference 512 | echo "${DB_NAME} root password is ${DB_ROOT_PASSWORD}" > /root/${JAIL_NAME}_db_password.txt 513 | echo "Nextcloud database password is ${DB_PASSWORD}" >> /root/${JAIL_NAME}_db_password.txt 514 | echo "Nextcloud Administrator password is ${ADMIN_PASSWORD}" >> /root/${JAIL_NAME}_db_password.txt 515 | 516 | # Create Nextcloud log directory 517 | iocage exec "${JAIL_NAME}" mkdir -p /var/log/nextcloud/ 518 | iocage exec "${JAIL_NAME}" chown www:www /var/log/nextcloud 519 | 520 | # CLI installation and configuration of Nextcloud 521 | 522 | if [ "${DATABASE}" = "mariadb" ]; then 523 | if ! iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install --database=\"mysql\" --database-name=\"nextcloud\" --database-user=\"nextcloud\" --database-pass=\"${DB_PASSWORD}\" --database-host=\"localhost:/var/run/mysql/mysql.sock\" --admin-user=\"admin\" --admin-pass=\"${ADMIN_PASSWORD}\" --data-dir=\"/mnt/files\"" 524 | then 525 | echo "Failed to install Nextcloud, aborting" 526 | exit 1 527 | fi 528 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set mysql.utf8mb4 --type boolean --value=\"true\"" 529 | elif [ "${DATABASE}" = "pgsql" ]; then 530 | if ! iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install --database=\"pgsql\" --database-name=\"nextcloud\" --database-user=\"nextcloud\" --database-pass=\"${DB_PASSWORD}\" --database-host=\"localhost:/tmp/.s.PGSQL.5432\" --admin-user=\"admin\" --admin-pass=\"${ADMIN_PASSWORD}\" --data-dir=\"/mnt/files\"" 531 | then 532 | echo "Failed to install Nextcloud, aborting" 533 | exit 1 534 | fi 535 | fi 536 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ db:add-missing-indices" 537 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ db:convert-filecache-bigint --no-interaction" 538 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set logtimezone --value=\"${TIME_ZONE}\"" 539 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set default_phone_region --value=\"${COUNTRY_CODE}\"" 540 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set log_type --value="file"' 541 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set logfile --value="/var/log/nextcloud/nextcloud.log"' 542 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set loglevel --value="2"' 543 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set logrotate_size --value="104847600"' 544 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu"' 545 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/var/run/redis/redis.sock"' 546 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer' 547 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.distributed --value="\OC\Memcache\Redis"' 548 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"' 549 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwritehost --value=\"${HOST_NAME}\"" 550 | if [ $NO_CERT -eq 1 ]; then 551 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwrite.cli.url --value=\"http://${HOST_NAME}/\"" 552 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value=\"http\"" 553 | else 554 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwrite.cli.url --value=\"https://${HOST_NAME}/\"" 555 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value=\"https\"" 556 | fi 557 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set htaccess.RewriteBase --value="/"' 558 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ maintenance:update:htaccess' 559 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value=\"${HOST_NAME}\"" 560 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 2 --value=\"${IP}\"" 561 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_proxies 1 --value=\"127.0.0.1\"" 562 | #iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ app:enable encryption' 563 | #iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ encryption:enable' 564 | #iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ encryption:disable' 565 | iocage exec "${JAIL_NAME}" su -m www -c 'php /usr/local/www/nextcloud/occ background:cron' 566 | fi 567 | 568 | iocage exec "${JAIL_NAME}" su -m www -c 'php -f /usr/local/www/nextcloud/cron.php' 569 | iocage exec "${JAIL_NAME}" crontab -u www /mnt/includes/www-crontab 570 | iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set maintenance_window_start --type=integer --value=${MX_WINDOW}" 571 | 572 | # Don't need /mnt/includes any more, so unmount it 573 | iocage fstab -r "${JAIL_NAME}" "${INCLUDES_PATH}" /mnt/includes nullfs rw 0 0 574 | 575 | ##### 576 | # 577 | # Output results to console 578 | # 579 | ##### 580 | 581 | # Done! Turn off debug and print summary information 582 | set +x 583 | 584 | echo "Installation complete!" 585 | if [ $NO_CERT -eq 1 ]; then 586 | echo "Using your web browser, go to http://${HOST_NAME} to log in" 587 | else 588 | echo "Using your web browser, go to https://${HOST_NAME} to log in" 589 | fi 590 | 591 | if [ "${REINSTALL}" == "true" ]; then 592 | echo "You did a reinstall, please use your old database and account credentials" 593 | else 594 | 595 | echo "Default user is admin, password is ${ADMIN_PASSWORD}" 596 | echo "" 597 | echo "Database Information" 598 | echo "--------------------" 599 | echo "Database user = nextcloud" 600 | echo "Database password = ${DB_PASSWORD}" 601 | echo "The ${DB_NAME} root password is ${DB_ROOT_PASSWORD}" 602 | echo "" 603 | echo "All passwords are saved in /root/${JAIL_NAME}_db_password.txt" 604 | fi 605 | 606 | echo "" 607 | if [ $STANDALONE_CERT -eq 1 ] || [ $DNS_CERT -eq 1 ]; then 608 | echo "You have obtained your Let's Encrypt certificate using the staging server." 609 | echo "This certificate will not be trusted by your browser and will cause SSL errors" 610 | echo "when you connect. Once you've verified that everything else is working" 611 | echo "correctly, you should issue a trusted certificate. To do this, run:" 612 | echo " iocage exec ${JAIL_NAME} /root/remove-staging.sh" 613 | echo "" 614 | elif [ $SELFSIGNED_CERT -eq 1 ]; then 615 | echo "You have chosen to create a self-signed TLS certificate for your Nextcloud" 616 | echo "installation. This certificate will not be trusted by your browser and" 617 | echo "will cause SSL errors when you connect. If you wish to replace this certificate" 618 | echo "with one obtained elsewhere, the private key is located at:" 619 | echo "/usr/local/etc/pki/tls/private/privkey.pem" 620 | echo "The full chain (server + intermediate certificates together) is at:" 621 | echo "/usr/local/etc/pki/tls/certs/fullchain.pem" 622 | echo "" 623 | fi 624 | 625 | --------------------------------------------------------------------------------