Update Nextcloud to the latest security and performance requirements, and switch to MariaDB

README.md

@@ -83,7 +83,7 @@ Example of `/root/jail_options.env`:
 
 ```shell
 # Allow insecure access to Nextcloud through HTTP. Useful when TrueNAS is behind an external proxy.
-export ALLOW_INSECURE_ACCESS=<boolean> # default: false
+export ALLOW_INSECURE_ACCESS=<boolean> # default: true
 ```
 
 - `occ [<occ command>]`:

overlay/root/config/aio.config.php

@@ -0,0 +1,5 @@
+<?php
+$CONFIG = array (
+  'one-click-instance' => true,
+  'one-click-instance.user-limit' => 100,
+);

overlay/root/config/apcu.config.php

@@ -0,0 +1,4 @@
+<?php
+$CONFIG = array (
+  'memcache.local' => '\OC\Memcache\APCu',
+);

overlay/root/config/redis.config.php

@@ -0,0 +1,8 @@
+<?php
+$CONFIG = array(
+  'memcache.distributed' => '\OC\Memcache\Redis',
+  'memcache.locking' => '\OC\Memcache\Redis',
+  'redis' => array(
+    'host' => 'localhost',
+  ),
+);

overlay/root/config/truenas.config.php

@@ -1,12 +1,4 @@
 <?php
 $CONFIG = array(
-  'one-click-instance' => true,
-  'one-click-instance.user-limit' => 100,
-  'memcache.local' => '\\OC\\Memcache\\APCu',
-  'memcache.distributed' => '\OC\Memcache\Redis',
-  'memcache.locking' => '\OC\Memcache\Redis',
-  'redis' => array(
-    'host' => 'localhost',
-  ),
   'logfile' => '/var/log/nextcloud/nextcloud.log'
 );

overlay/root/migrations/1.sh

@@ -10,7 +10,7 @@ sysrc -f /etc/rc.conf redis_enable="YES"
 sysrc -f /etc/rc.conf fail2ban_enable="YES"
 service redis start 2>/dev/null
 service fail2ban start 2>/dev/null
-service mysql-server start 2>/dev/null
+service mysql-server start 2> /dev/null
 
 # Wait for mysql to be up
 until mysql --user dbadmin --password="$(cat /root/dbpassword)" --execute "SHOW DATABASES" > /dev/null
@@ -22,10 +22,5 @@ done
 # Change cron execution method
 su -m www -c "php /usr/local/www/nextcloud/occ background:cron"
 
-# Install default applications
-su -m www -c "php /usr/local/www/nextcloud/occ app:install contacts"
-su -m www -c "php /usr/local/www/nextcloud/occ app:install calendar"
-su -m www -c "php /usr/local/www/nextcloud/occ app:install notes"
-su -m www -c "php /usr/local/www/nextcloud/occ app:install deck"
-su -m www -c "php /usr/local/www/nextcloud/occ app:install spreed"
-su -m www -c "php /usr/local/www/nextcloud/occ app:install mail"
+# Upgrade Nextcloud
+su -m www -c "php /usr/local/www/nextcloud/occ upgrade"

overlay/usr/local/bin/load_env

@@ -50,3 +50,4 @@ fi
 
 IOCAGE_HOST_ADDRESS=$(grep HOST_ADDRESS= /etc/iocage-env | cut -d '=' -f 2)
 IOCAGE_HOST_ADDRESS_BCAST=$(grep HOST_ADDRESS_BCAST= /etc/iocage-env | cut -d '=' -f 2)
+IOCAGE_HOST_SUBNET=$(echo "$IOCAGE_HOST_ADDRESS" | cut -d '.' -f 1-3)

overlay/usr/local/bin/renew_certificates

@@ -2,6 +2,13 @@
 
 set -eu
 
+. load_env
+
+if [ "${ALLOW_INSECURE_ACCESS:-true}" = "true" ]
+then
+	exit 0
+fi
+
 if certbot certificates | grep 'No certificates found'
 then
 	# Limit self-signed certificate renewal to on month before expiration

overlay/usr/local/bin/sync_configuration

@@ -1,28 +1,28 @@
 #!/bin/sh
 
-set -eu
+set -xeu
 
 . load_env
 
 # Two cases:
 # - Nextcloud is accessed through <domain_name>: use port 443
 # - Nextcloud is accessed through <ip>:<port>: use port $IOCAGE_HOST_PORT_HTTPS
 export NEXTCLOUD_HTTPS_PORT=443
-if certbot certificates | grep "No certificates found."
-then
-	NEXTCLOUD_HTTPS_PORT=$IOCAGE_HOST_PORT_HTTPS
-fi
+#if certbot certificates | grep "No certificates found."
+#then
+#	NEXTCLOUD_HTTPS_PORT=$IOCAGE_HOST_PORT_HTTPS
+#fi
 
 # Generate nginx configuration from the base template
 SCHEME=https
-if [ "${ALLOW_INSECURE_ACCESS:-false}" = "true" ]
+if [ "${ALLOW_INSECURE_ACCESS:-true}" = "true" ]
 then
 	SCHEME=http
 fi
 
 envsubst "\${NEXTCLOUD_HTTPS_PORT}" < "/usr/local/etc/nginx/conf.d/nextcloud.$SCHEME.conf.template" > "/usr/local/etc/nginx/conf.d/nextcloud.conf"
 
 # Copy Nextcloud custom configuration
-cp /root/config/truenas.config.php /usr/local/www/nextcloud/config/truenas.config.php
+cp /root/config/*.php /usr/local/www/nextcloud/config/
 chown -R www:www /usr/local/www/nextcloud/config
 chmod -R u+rw /usr/local/www/nextcloud/config

overlay/usr/local/etc/nginx/conf.d/nextcloud.http.conf.template

@@ -2,15 +2,15 @@ upstream php-handler {
     server unix:/var/run/nextcloud-php-fpm.sock;
 }
 
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
 server {
     listen 80 default_server;
     listen [::]:80;
 
-    location ^~ /.well-known/acme-challenge {
-        # Path to the root of your installation
-        root /usr/local/www/nextcloud/;
-        try_files $uri $uri/ =404;
-    }
-
     include conf.d/nextcloud.inc;
 }

overlay/usr/local/etc/nginx/conf.d/nextcloud.https.conf.template

@@ -2,20 +2,19 @@ upstream php-handler {
     server unix:/var/run/nextcloud-php-fpm.sock;
 }
 
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
 # Redirect to HTTPS
 server {
     listen 80 default_server;
     listen [::]:80;
 
-    location ^~ /.well-known/acme-challenge {
-        # Path to the root of your installation
-        root /usr/local/www/nextcloud/;
-        try_files $uri $uri/ =404;
-    }
-
-    location / {
-       return 301 https://$host:$NEXTCLOUD_HTTPS_PORT$request_uri;
-    }
+    # Enforce HTTPS
+    return 301 https://$server_name$request_uri;
 }
 
 server {

overlay/usr/local/etc/nginx/conf.d/nextcloud.inc

@@ -1,5 +1,9 @@
-# set max upload size
+# Path to the root of your installation
+root /usr/local/www/nextcloud/;
+
+# set max upload size and increase upload timeout:
 client_max_body_size 512M;
+client_body_timeout 300s;
 fastcgi_buffers 64 4K;
 
 # Enable gzip but do not remove ETag headers
@@ -8,26 +12,37 @@ gzip_vary on;
 gzip_comp_level 4;
 gzip_min_length 256;
 gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
 # Pagespeed is not supported by Nextcloud, so if your server is built
 # with the `ngx_pagespeed` module, uncomment this line to disable it.
 #pagespeed off;
 
+# The settings allows you to optimize the HTTP2 bandwidth.
+# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+# for tuning hints
+client_body_buffer_size 512k;
+
 # HTTP response headers borrowed from Nextcloud `.htaccess`
-add_header Referrer-Policy                      "no-referrer"   always;
-add_header X-Content-Type-Options               "nosniff"       always;
-add_header X-Download-Options                   "noopen"        always;
-add_header X-Frame-Options                      "SAMEORIGIN"    always;
-add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-add_header X-Robots-Tag                         "none"          always;
-add_header X-XSS-Protection                     "1; mode=block" always;
+add_header Referrer-Policy                   "no-referrer"       always;
+add_header X-Content-Type-Options            "nosniff"           always;
+add_header X-Frame-Options                   "SAMEORIGIN"        always;
+add_header X-Permitted-Cross-Domain-Policies "none"              always;
+add_header X-Robots-Tag                      "noindex, nofollow" always;
+add_header X-XSS-Protection                  "1; mode=block"     always;
 
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
 
-# Path to the root of your installation
-root /usr/local/www/nextcloud/;
+# Set .mjs and .wasm MIME types
+# Either include it in the default mime.types list
+# and include that list explicitly or add the file extension
+# only for Nextcloud like below:
+include mime.types;
+types {
+    text/javascript mjs;
+	application/wasm wasm;
+}
 
 # Specify how to handle directories -- specifying `/index.php$request_uri`
 # here as the fallback means that Nginx always exhibits the desired behaviour
@@ -36,7 +51,7 @@ root /usr/local/www/nextcloud/;
 # that file is correctly served; if it doesn't, then the request is passed to
 # the front-end controller. This consistent behaviour means that we don't need
 # to specify custom rules for certain paths (e.g. images and other assets,
-# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+# `/updater`, `/ocs-provider`), and thus
 # `try_files $uri $uri/ /index.php$request_uri`
 # always provides the desired behaviour.
 index index.php index.html /index.php$request_uri;
@@ -62,8 +77,6 @@ location ^~ /.well-known {
     # The rules in this block are an adaptation of the rules
     # in `.htaccess` that concern `/.well-known`.
 
-    # Needed to prevent including the scheme, domain and port in the Location header.
-    absolute_redirect off;
     location = /.well-known/carddav { return 301 /remote.php/dav/; }
     location = /.well-known/caldav  { return 301 /remote.php/dav/; }
 
@@ -85,7 +98,7 @@ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return
 # to the URI, resulting in a HTTP 500 error response.
 location ~ \.php(?:$|/) {
     # Required for legacy support
-    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
     set $path_info $fastcgi_path_info;
@@ -95,19 +108,29 @@ location ~ \.php(?:$|/) {
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param PATH_INFO $path_info;
-    # fastcgi_param HTTPS on;
+    #fastcgi_param HTTPS on;
 
     fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
     fastcgi_param front_controller_active true;     # Enable pretty urls
     fastcgi_pass php-handler;
 
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
+
+    fastcgi_max_temp_file_size 0;
 }
 
-location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ {
+# Serve static files
+location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
     try_files $uri /index.php$request_uri;
-    expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
     access_log off;     # Optional: Don't log access to assets
 }
 

overlay/usr/local/etc/nginx/nginx.conf

@@ -48,7 +48,7 @@ http {
 
   proxy_temp_path /var/tmp/nginx/proxy_temp;
 
-  include mime.types;
+  #include mime.types;
   default_type application/octet-stream;
 
   # Logs format

overlay/usr/local/etc/php-fpm.d/nextcloud.conf

@@ -6,12 +6,8 @@ listen = /var/run/nextcloud-php-fpm.sock
 listen.owner = www
 listen.group = www
 
-pm = dynamic
-pm.max_children = 100
-pm.start_servers = 25
-pm.min_spare_servers = 25
-pm.max_spare_servers = 75
+pm = ondemand
+pm.max_children = 5000
 
-php_admin_value[session.save_path] = "/usr/local/www/nextcloud-sessions-tmp"
 ; Nextcloud wants PATH environment variable set.
 env[PATH] = $PATH

overlay/usr/local/etc/php/nextcloud.ini

@@ -0,0 +1,7 @@
+memory_limit=512M
+upload_max_filesize=0
+post_max_size=0
+max_execution_time=3600
+max_input_time=3600
+default_socket_timeout=600
+output_buffering=0

overlay/usr/local/etc/php/opcache-recommended.ini

@@ -0,0 +1,6 @@
+opcache.memory_consumption=256
+opcache.interned_strings_buffer=64
+opcache.save_comments=1
+opcache.revalidate_freq=60
+opcache.jit=1255
+opcache.jit_buffer_size=128M

overlay/usr/local/etc/php/php-ext-apcu.ini

@@ -0,0 +1 @@
+apc.enable_cli=1

overlay/usr/local/etc/php/php-ext-igbinary.ini

@@ -0,0 +1,2 @@
+apc.serializer=igbinary
+session.serialize_handler=igbinary

overlay/usr/local/etc/php/redis-session.ini

@@ -0,0 +1,5 @@
+session.save_handler = redis
+session.save_path = "tcp://127.0.0.1:6379"
+redis.session.locking_enabled = 1
+redis.session.lock_retries = -1
+redis.session.lock_wait_time = 10000