Add garage and nextcloud configuration

This commit is contained in:
Alex 2020-07-05 22:54:47 +02:00
parent 5e83c8e5fe
commit c344dacb65
10 changed files with 353 additions and 1 deletions

View file

@ -29,3 +29,5 @@
!directory/*/*
!traefik/traefik.toml
!garage/config.toml

View file

@ -22,6 +22,8 @@
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=email,ou=groups,dc=deuxfleurs,dc=fr:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=groups,dc=deuxfleurs,dc=fr:*",
"*:cn=asso_deuxfleurs,ou=groups,dc=deuxfleurs,dc=fr:modifyAdd:cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr:*",
"*,ou=invitations,dc=deuxfleurs,dc=fr::modifyAdd:cn=seafile,ou=nextcloud,dc=deuxfleurs,dc=fr:*",
"cn=admin,dc=deuxfleurs,dc=fr::read add modify delete:*:*",
"*:cn=admin,ou=groups,dc=deuxfleurs,dc=fr:read add modify delete:*:*"

View file

@ -13,7 +13,8 @@
"invited_mail_format": "{}@deuxfleurs.fr",
"invited_auto_groups": [
"cn=email,ou=groups,dc=deuxfleurs,dc=fr",
"cn=seafile,ou=groups,dc=deuxfleurs,dc=fr"
"cn=seafile,ou=groups,dc=deuxfleurs,dc=fr",
"cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr"
],
"web_address": "https://guichet.deuxfleurs.fr",

View file

@ -0,0 +1,49 @@
<?php
$CONFIG = array (
'appstoreenabled' => false,
'instanceid' => '{{ key "secrets/nextcloud/instance_id" | trimSpace }}',
'passwordsalt' => '{{ key "secrets/nextcloud/password_salt" | trimSpace }}',
'secret' => '{{ key "secrets/nextcloud/secret" | trimSpace }}',
'trusted_domains' => array (
0 => 'nextcloud.deuxfleurs.fr',
),
'memcache.local' => '\\OC\\Memcache\\APCu',
'objectstore' => array(
'class' => '\\OC\\Files\\ObjectStore\\S3',
'arguments' => array(
'bucket' => 'nextcloud',
'autocreate' => false,
'key' => '{{ key "secrets/nextcloud/garage_access_key" | trimSpace }}',
'secret' => '{{ key "secrets/nextcloud/garage_secret_key" | trimSpace }}',
'hostname' => 'garage.deuxfleurs.fr',
'port' => 443,
'use_ssl' => true,
'region' => 'garage',
// required for some non Amazon S3 implementations
'use_path_style' => true
),
),
'dbtype' => 'pgsql',
'dbhost' => 'psql-proxy.service.2.cluster.deuxfleurs.fr',
'dbname' => 'nextcloud',
'dbtableprefix' => 'nc_',
'dbuser' => '{{ key "secrets/nextcloud/db_user" | trimSpace }}',
'dbpassword' => '{{ key "secrets/nextcloud/db_pass" | trimSpace }}',
'default_language' => 'fr',
'default_locale' => 'fr_FR',
'mail_domain' => 'deuxfleurs.fr',
'mail_from_address' => 'nextcloud@deuxfleurs.fr',
// TODO SMTP CONFIG
// TODO REDIS CACHE
'version' => '19.0.0.12',
'overwrite.cli.url' => 'https://nextcloud.deuxfleurs.fr',
'installed' => true,
);

View file

@ -0,0 +1,27 @@
FROM debian:10
RUN apt-get update && \
apt-get -qq -y full-upgrade
RUN apt-get install -y apache2 php php-gd php-mbstring php-pgsql php-curl php-dom php-xml php-zip \
php-intl php-ldap php-fileinfo php-exif php-apcu php-redis php-imagick unzip curl wget && \
phpenmod gd && \
phpenmod curl && \
phpenmod mbstring && \
phpenmod pgsql && \
phpenmod dom && \
phpenmod zip && \
phpenmod intl && \
phpenmod ldap && \
phpenmod fileinfo && \
phpenmod exif && \
phpenmod apcu && \
phpenmod redis && \
phpenmod imagick && \
phpenmod xml
COPY container-setup.sh /tmp
RUN /tmp/container-setup.sh
COPY entrypoint.sh /
CMD /entrypoint.sh

View file

@ -0,0 +1,37 @@
#!/bin/sh
set -ex
curl https://download.nextcloud.com/server/releases/nextcloud-19.0.0.zip > /tmp/nextcloud.zip
cd /var/www
unzip /tmp/nextcloud.zip
rm /tmp/nextcloud.zip
mv html html.old
mv nextcloud html
cd html
mkdir data
cd apps
wget https://github.com/nextcloud/tasks/releases/download/v0.13.1/tasks.tar.gz
tar xf tasks.tar.gz
wget https://github.com/nextcloud/maps/releases/download/v0.1.6/maps-0.1.6.tar.gz
tar xf maps-0.1.6.tar.gz
wget https://github.com/nextcloud/calendar/releases/download/v2.0.3/calendar.tar.gz
tar xf calendar.tar.gz
wget https://github.com/nextcloud/news/releases/download/14.1.11/news.tar.gz
tar xf news.tar.gz
wget https://github.com/nextcloud/notes/releases/download/v3.6.0/notes.tar.gz
tar xf notes.tar.gz
wget https://github.com/nextcloud/contacts/releases/download/v3.3.0/contacts.tar.gz
tar xf contacts.tar.gz
wget https://github.com/nextcloud/mail/releases/download/v1.4.0/mail.tar.gz
tar xf mail.tar.gz
wget https://github.com/nextcloud/groupfolders/releases/download/v6.0.6/groupfolders.tar.gz
tar xf groupfolders.tar.gz
rm *.tar.gz
chown -R www-data:www-data /var/www/html
cd /var/www/html
php occ

8
docker/nextcloud/entrypoint.sh Executable file
View file

@ -0,0 +1,8 @@
#!/bin/sh
set -xe
chown www-data:www-data /var/www/html/config/config.php
touch /var/www/html/data/.ocdata
exec apachectl -DFOREGROUND

60
man/nextcloud/README.md Normal file
View file

@ -0,0 +1,60 @@
# How to setup NextCloud
## First setup
It's complicated.
First, create a service user `nextcloud` and a database `nextcloud` it owns. Also create a Garage access key and bucket `nextcloud` it is allowed to use.
Fill in the following Consul keys with actual values:
```
secrets/nextcloud/db_user
secrets/nextcloud/db_pass
secrets/nextcloud/garage_access_key
secrets/nextcloud/garage_secret_key
```
Create the following Consul keys with empty values:
```
secrets/nextcloud/instance_id
secrets/nextcloud/password_salt
secrets/nextcloud/secret
```
Start the nextcloud.hcl nomad service. Enter the container and call `occ maintenance:install` with the correct database parameters as user `www-data`.
A possibility: call the admin user `nextcloud` and give it the same password as the `nextcloud` service user.
Cat the newly generated `config.php` file and copy the instance id, password salt, and secret from there to Consul
(they were generated by the install script and we want to keep them).
Restart the Nextcloud Nomad server.
You should now be able to log in to Nextcloud using the admin user (`nextcloud` if you called it that).
Go to the apps settings and enable desired apps.
## Configure LDAP login
LDAP login has to be configured from the admin interface. First, enable the LDAP authentification application.
Go to settings > LDAP/AD integration. Enter the following parameters:
- ldap server: `bottin2.service.2.cluster.deuxfleurs.fr`
- bind user: `cn=nextcloud,ou=services,ou=users,dc=deuxfleurs,dc=fr`
- bind password: password of the nextcloud service user
- base DN for users: `ou=users,dc=deuxfleurs,dc=fr`
- check "manually enter LDAP filters"
- in the users tab, edit LDAP query and set it to `(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))`
- in the login attributes tab, edit LDAP query and set it to `(&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=nextcloud,ou=groups,dc=deuxfleurs,dc=fr)))(|(|(mailPrimaryAddress=%uid)(mail=%uid))(|(cn=%uid))))`
- in the groups tab, edit the LDAP query and set it to `(|(objectclass=groupOfNames))`
- in the advanced tab, enter the "directory setting" section and check/modify the following:
- user display name field: `displayname`
- base user tree: `ou=users,dc=deuxfleurs,dc=fr`
- user search attribute: `cn`
- groupe display name field: `displayname`
- **base group tree**: `ou=groups,dc=deuxfleurs,dc=fr`
- group search attribute: `cn`
That should be it. Go to the login attributes tab and enter a username (which should have been added to the nextcloud group) to check that nextcloud is able to find it and allows it for login.

99
nomad/garage.hcl Normal file
View file

@ -0,0 +1,99 @@
job "garage" {
datacenters = ["dc1", "belair", "saturne"]
type = "system"
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "garage" {
task "server" {
driver = "docker"
config {
image = "lxpz/garage_amd64:3"
port_map {
rpc_port = 3901
api_port = 3900
}
volumes = [
"/mnt/storage/garage/data:/garage/data",
"/mnt/ssd/garage/meta:/garage/meta",
"secrets/garage.toml:/garage/config.toml",
"secrets/garage-ca.crt:/garage/garage-ca.crt",
"secrets/garage.crt:/garage/garage.crt",
"secrets/garage.key:/garage/garage.key",
]
}
template {
data = "{{ key \"configuration/garage/garage.toml\" }}"
destination = "secrets/garage.toml"
}
template {
data = "{{ key \"secrets/garage/garage-ca.crt\" }}"
destination = "secrets/garage-ca.crt"
}
template {
data = "{{ key \"secrets/garage/garage.crt\" }}"
destination = "secrets/garage.crt"
}
template {
data = "{{ key \"secrets/garage/garage.key\" }}"
destination = "secrets/garage.key"
}
resources {
memory = 500
cpu = 2000
network {
port "rpc_port" {
static = "3901"
}
port "api_port" {}
}
}
service {
tags = [
"garage_api",
"traefik.enable=true",
"traefik.frontend.entryPoints=https,http",
"traefik.frontend.rule=Host:garage.deuxfleurs.fr"
]
port = "api_port"
address_mode = "host"
name = "garage-api"
check {
type = "tcp"
port = "api_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
service {
tags = ["garage-rpc"]
port = "rpc_port"
address_mode = "host"
name = "garage-rpc"
check {
type = "tcp"
port = "rpc_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}

67
nomad/nextcloud.hcl Normal file
View file

@ -0,0 +1,67 @@
job "nextcloud" {
datacenters = ["dc1", "belair"]
type = "service"
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "nextcloud" {
count = 1
task "nextcloud" {
driver = "docker"
config {
image = "lxpz/deuxfleurs_nextcloud_amd64:8"
port_map {
web_port = 80
}
volumes = [
"secrets/config.php:/var/www/html/config/config.php"
]
}
artifact {
source = "http://127.0.0.1:8500/v1/kv/configuration/nextcloud/config.php.tpl?raw"
destination = "secrets/config.php.tpl"
mode = "file"
}
template {
source = "secrets/config.php.tpl"
destination = "secrets/config.php"
}
resources {
memory = 1000
cpu = 2000
network {
port "web_port" {}
}
}
service {
name = "nextcloud"
tags = [
"nextcloud",
"traefik.enable=true",
"traefik.frontend.entryPoints=https,http",
"traefik.frontend.rule=Host:nextcloud.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "tcp"
port = "web_port"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "90s"
ignore_warnings = false
}
}
}
}
}
}