.gitignore

 .env
 data
 mysql
+docker-compose.override.yml

Dockerfile

-FROM nextcloud:13-fpm
-COPY /config/mail.config.php /usr/src/nextcloud/config/

README.md

@@ -2,43 +2,11 @@
 
 A safe home for all your data. Access & share your files, calendars, contacts, mail & more from any device, on your terms.
 
-# How to use this image
 
-The easiest is to use our `docker-compose.yml`.
-
-Make sure you have [docker-compose](http://docs.docker.com/compose/install/) installed. And then:
-
-```bash
-git clone https://github.com/indiehosters/nextcloud.git
-cd nextcloud
-MYSQL_ROOT_PASSWORD=mystrongpassword docker-compose up
-```
-
-You can now access your instance on the port 80 of the IP of your machine (not recommended for production).
-
-## Access it from Internet
-
-We recommend the usage of TLS, so the easiest is to use a TLS capable reverse proxy.
-Here are 2 examples:
-
- - [haproxy](https://github.com/indiehosters/haproxy)
- - [nginx](https://github.com/indiehosters/nginx)
-
-You can also modify manually the nginx configuration file and map the TLS port of the host to the container.
 
 ## Installation
 
-Once started, you'll arrive at the configuration wizard.
-At the `Database Setup` step, please enter the following:
-
-  -  Database Server: `db`
-  -  Login: `root`
-  -  Password: MYSQL_ROOT_PASSWORD
-  -  Database Name: nextcloud (or you can choose)
- 
-And leave the rest as default.
-
-Then you can continue the installation with the super user.
+Once started with libre.sh , You get to the login screen , the password is generated in your env file
 
 ## Backup
 
@@ -48,4 +16,4 @@ In order to backup, just run the `./pre-backup` script. And copy all the data to
 
 Pull requests are very welcome!
 
-We'd love to hear your feedback and suggestions in the issue tracker: [github.com/indiehosters/nextcloud/issues](https://github.com/indiehosters/nextcloud/issues).
+We'd love to hear your feedback and suggestions in the issue tracker: [https://lab.libreho.st/libre.sh/compose/nextcloud/issues](https://lab.libreho.st/libre.sh/compose/nextcloud/issues).

config/mail.config.php

-<?php
-$CONFIG = array (
-  'mail_domain' => getenv('MAIL_DOMAIN'),
-  'mail_from_address' => getenv('MAIL_DOMAIN'),
-  'mail_smtpmode' => 'smtp',
-  'mail_smtphost' => getenv('MAIL_HOST'),
-  'mail_smtpport' => getenv('MAIL_PORT'),
-  'mail_smtpauth' => 1,
-  'mail_smtpauthtype' => 'LOGIN',
-  'mail_smtpname' => getenv('MAIL_DOMAIN'),
-  'mail_smtppassword' => getenv('MAIL_PASS'),
-  'mail_smtpsecure' => 'tls',
-);
-

docker-compose.yml

-version: '2'
+version: '2.4'
 networks:
   lb_web:
     external: true
@@ -23,7 +23,7 @@ services:
     - back
     - lb_web
   app:
-    build: .
+    image: libresh/nextcloud:${NEXTCLOUD_VERSION:-latest}
     links:
       - db
     volumes:
@@ -32,21 +32,25 @@ services:
       - ./data/config:/var/www/html/config
       - ./data/data:/var/www/html/data
     environment:
-      - MAIL_HOST
-      - MAIL_FROM
-      - MAIL_PASS
-      - MAIL_PORT
+      - SMTP_HOST
+      - SMTP_SECURE
+      - SMTP_AUTHTYPE
+      - SMTP_PASSWORD
+      - SMTP_PORT
+      - SMTP_NAME
       - URL
       - MAIL_DOMAIN
-      - SMTP_NAME
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_HOST=db
-      - MYSQL_USER=root
+      - MYSQL_DATABASE
+      - MYSQL_HOST
+      - MYSQL_USER
       - MYSQL_PASSWORD
+      - NEXTCLOUD_ADMIN_USER
+      - NEXTCLOUD_ADMIN_PASSWORD
+      - NEXTCLOUD_TRUSTED_DOMAINS
     networks:
     - back
   db:
-    image: mysql
+    image: mariadb:${MYSQL_VERSION:-5.7}
     volumes:
       - ./mysql/runtime:/var/lib/mysql
     environment:
@@ -54,7 +58,7 @@ services:
     networks:
     - back
   cron:
-    image: nextcloud:13-fpm
+    image: libresh/nextcloud:${NEXTCLOUD_VERSION:-latest}
     links:
       - db
     volumes_from:

env-sample

@@ -9,4 +9,5 @@ MAIL_PORT=
 MAIL_PASS=
 MAIL_FROM=
 SMTP_NAME=
-
+NEXTCLOUD_ADMIN_USER=
+NEXTCLOUD_ADMIN_PASSWORD=

nginx.conf

@@ -12,6 +12,10 @@ http {
   default_type application/octet-stream;
 
   server {
+    set_real_ip_from  10.0.0.0/8;
+    set_real_ip_from  172.16.0.0/12;
+    set_real_ip_from  192.168.0.0/16;
+    real_ip_header  X-Forwarded-For;
     listen 80;
     
     # Add headers to serve security related headers
@@ -20,6 +24,7 @@ http {
     add_header X-Robots-Tag none;
     add_header X-Download-Options noopen;
     add_header X-Permitted-Cross-Domain-Policies none;
+    add_header Referrer-Policy no-referrer;
 
     root /var/www/html;
 
@@ -30,37 +35,36 @@ http {
     }
 
     location = /.well-known/carddav {
-      return 301 $scheme://$host/remote.php/dav;
+      return 301 https://$host/remote.php/dav;
     }
     location = /.well-known/caldav {
-      return 301 $scheme://$host/remote.php/dav;
+      return 301 https://$host/remote.php/dav;
     }
 
-    client_max_body_size 1G;
+    client_max_body_size 16G;
     fastcgi_buffers 64 4K;
 
-    gzip off;
-
-    index index.php;
-    error_page 403 /core/templates/403.php;
-    error_page 404 /core/templates/404.php;
+    gzip off; # handled at haproxy level
  
     location / {
-        rewrite ^ /index.php$uri;
+        rewrite ^ /index.php;
     }
-
-    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+    
+    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
         deny all;
     }
-    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+    
+    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
         deny all;
     }
 
-    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
-        include fastcgi_params;
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
         fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        try_files $fastcgi_script_name =404;
+        set $path_info $fastcgi_path_info;
+        include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param PATH_INFO $path_info;
         fastcgi_param HTTPS on;
         #Avoid sending the security headers twice
         fastcgi_param modHeadersAvailable true;
@@ -70,16 +74,16 @@ http {
         fastcgi_request_buffering off;
     }
 
-    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
         try_files $uri/ =404;
         index index.php;
     }
 
     # Adding the cache control header for js and css files
     # Make sure it is BELOW the PHP block
-    location ~* \.(?:css|js)$ {
-        try_files $uri /index.php$uri$is_args$args;
-        add_header Cache-Control "public, max-age=7200";
+    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        try_files $uri /index.php$request_uri;
+        add_header Cache-Control "public, max-age=15778463";
         # Add headers to serve security related headers (It is intended to
         # have those duplicated to the ones above)
         # Before enabling Strict-Transport-Security headers please read into
@@ -92,12 +96,13 @@ http {
         add_header X-Robots-Tag none;
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy no-referrer;
         # Optional: Don't log access to assets
         access_log off;
     }
 
-    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
-        try_files $uri /index.php$uri$is_args$args;
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        try_files $uri /index.php$request_uri;
         # Optional: Don't log access to other assets
         access_log off;
     }

scripts/install

 #!/bin/bash -eux
 
+source /etc/environment
+
+NEXTCLOUD_VERSION=24-fpm-eki
 MYSQL_ROOT_PASSWORD=`tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 | xargs`
+NEXTCLOUD_ADMIN_PASSWORD=`tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 | xargs`
+
 
-var=$(for folder in `ls /data/domains`; do cat /data/domains/$folder/.env | grep SUBNET | cut -d"=" -f2; done | sort | tail -n1)
+var=$(for folder in `ls /data/domains`; do cat /data/domains/$folder/.env | grep SUBNET | cut -d"=" -f2; done | sort -n | tail -n1)
 SUBNET=$(($var +1))
 
-echo "MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}" > .env
-echo "MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}" >> .env
+
 echo "SUBNET=${SUBNET}" >> .env
-echo "MAIL_DOMAIN=${MAIL_DOMAIN}" >> .env
+
 echo "URL=${URL}" >> .env
-echo "MAIL_HOST=${MAIL_HOST}" >> .env
-echo "MAIL_PORT=${MAIL_PORT}" >> .env
-echo "MAIL_PASS=${MAIL_PASS}" >> .env
-echo "MAIL_FROM=noreply.${URL}" >> .env
-echo "SMTP_NAME=${MAIL_USER} >> .env
+
+#echo "VIRTUAL_HOST=${URL}" >> .env
+
+echo "MAIL_DOMAIN=${MAIL_DOMAIN}" >> .env
+echo "SMTP_HOST=${MAIL_HOST}" >> .env
+echo "SMTP_PORT=${MAIL_PORT}" >> .env
+echo "SMTP_PASSWORD=${MAIL_PASS}" >> .env
+echo "MAIL_FROM_ADDRESS=${MAIL_USER}" >> .env
+echo "SMTP_NAME=${MAIL_USER}" >> .env
+echo "SMTP_SECURE=ssl" >> .env
+
+echo "NEXTCLOUD_ADMIN_USER=admin" >> .env
+echo "NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}" >> .env
+echo "NEXTCLOUD_TRUSTED_DOMAINS=${URL}" >> .env
+echo "NEXTCLOUD_VERSION=${NEXTCLOUD_VERSION}" >> .env
+
+echo "MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}" >> .env
+echo "MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}" >> .env
+echo "MYSQL_USER=root" >> .env
+echo "MYSQL_DATABASE=nextcloud" >> .env
+echo "MYSQL_HOST=db" >> .env
 
 
+echo "MYSQL_VERSION=10.5" >> .env

scripts/pre-backup

 #!/bin/bash -eux
-URL=${PWD##*/}
-db_container_name=`echo ${URL}_db_1 | sed "s/\.//g" | sed "s/-//g"`; \
 
-docker exec $db_container_name bash -c 'mysqldump --all-databases --events -uroot -p$MYSQL_ROOT_PASSWORD' > ./mysql/dump.sql
+docker-compose exec -T db bash -c 'mysqldump --all-databases --events -uroot -p$MYSQL_ROOT_PASSWORD' > ./mysql/dump.sql