- Configuring just php-fpm is easier compared to configuring Apache + mod_php.
There is no need to configure trusted proxies as the requests are made using the
FastCGI protocol.
- There is no need for a full web server as we already run Apache.
- Place nextcloud data in /var/lib/container so that non-PHP files can be served
directly without php-fpm involved. This location is more suitable for switching
to nextcloud based on a .deb file (if ever). This is done by configuring the
volume to serve a bind mounted directory of our choice.
- Update Apache configuration to proxy to php-fpm instead of another web server.
Include the changes needed for Apache configuration to serve non-php files
directly.
- Managed the volume using quadlet podman systemd generator.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This is not ideal and reduces security. However it simplifies quite a bit of
setup.
- Services on the host network are already exposed to the container (however,
they could easily be protected with firewall rules).
- Container has full access to external networks already. So this part does not
change.
- This setup would be at par with how other services run on FreedomBox right
now. We can think of generalized solution for all the apps later.
- FirewallLocalProtection for the single service the runs in the container works
as usual without change.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- See quadlet(5).
- Using 'podman generate systemd' is deprecated. Quadlets are recommended.
- When using the systemd generator, enable/disable is not possible. The
container is automatically started when system is booted or systemd is reloaded
after .container file changes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Also restart the container after restoring the database and its password. This
seems to be required (perhaps to flush caches) for a successful database
connection.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Put dump operation in a try/finally block.
- Create context manager to simplify.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add documentation URL for Nextcloud cron.php.
- Use '-f' flag to php to match what documentation recommends.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- It choose highest security random number automatically.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- While nextcloud has a good prefix for all the keys it stores, flushing the
database (for nextcloud or other apps) is easier if it stores it's keys in a
separate database. Assign DB index at 8 (database number 9). Index 7 is taken by
rspamd on FreedomBox.
- Flush only Nextcloud's DB after restore instead of the entire server.
- Ignore errors during flush if redis server is not running.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Before we can enable this added protection, we need to address a couple of
issues:
- Redis password is restored after a restore. This means that if nextcloud's
backup is restored on a machine where redis server already has a password set,
then the password won't match with the password configured for other apps that
are using redis.
- When email server is already installed before this patch and then nextcloud
is installed. rspamd will fail to connect to redis server. This even with the
changes intended on the email server as the setup version in those changes has
not been incremented.
- Restart redis-server only when needed. This avoids major disruption caused due
un-persisted cache and locks removed.
- Don't use Redis for caching of server-local data as this APCu seems to be
preferred by upstream containers.
- Don't set filelocking.enabled=true as this is already the default.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Eliminate the need for parsing the complex file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Connecting using Unix socket allows us to drop having to make redis listen on
the containers IP address.
- Instead configure redis to listen on unix socket.
- Keep the configuration file separate and include it the main configuration
file. This allows easier configuration changes in the future.
- Ensure that the drop-in configuration is available during setup.
- Ensure that redis is running during setup. This is important when app is
upgraded while it is disabled. Or when setup is re-run.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- GRANT with IDENTIFIED BY is not recommended anymore by MySQL. Use separate
CREATE and GRANT statements.
- Ensure that CREATE USER only runs when the user does not exist.
- Ensure that database password is always updated with a separate ALTER USER
statement.
- Factor out database querying into a separate method.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
It is unlikely that other containers will need the same volume with path for
/var/www/html.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Running ldap:test-config before enabling the 'user_ldap' app lead to bad output.
'app:enable' and 'ldap:set-config' are idempotent. So, re-run them in setup.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Use the status command to retrieve the accurate status of installation instead
of checking for existence of admin user account.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This eliminates the need to reconfigure mysql.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Reduce nesting necessary nesting.
- Add some type annotations.
- Simplify writing command output to a file by passing file handle to
subprocess.run().
- Create a path for volume to eliminate some duplication.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- The network interface will not exist until it is created with podman network.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Configure caching for Nextcloud with Redis running on the host, create static
php file under
/var/lib/containers/storage/volumes/nextcloud-volume-fbx/_data/config. Nextcloud
communicates with Redis via the bridge adapter, which isn't a loopback device.
For this reason, setting a redis password is required. In addition, configure
the email app to accomodate the changes.
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This setting is necessarry to pass the setup warning under
/nextcloud/settings/admin/overview
Note: during testing the field only becomes visible once
the freedombox-develop command is restarted
https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#default-phone-region
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Add missing docstring]
[sunil: Update form label for consistency]
[sunil: Reduce number of success form messages]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Simplify method signature and name for setting maint. mode]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Nextcloud has long been a desired app for FreedomBox, however, due to
difficulties around Debian packaging, it hasn't yet been implemented. This
branch creates an app for Nextcloud with the help of Podman. Podman is a
containarization technology, like Docker, but with some extra features
that make its integration into FreedomBox convenient. If the podman
approach turns out to be favorable, we should consider writing a podman
specific module.
How does this work?
The app installs the podman and default-mysql-server Debian packages.
In other apps, such as MediaWiki, FreedomBox chooses SQLite
which eases maintenance and backup/restore. However, this
would bring a significant performance degrade for Nextcloud, hence the
choice of Mysql. Other apps, like Wordpress already use Mysql, so it is
installed on the host as opposed to installing it in a sepatate
container. A firewalld rich rule is created, so the Nextcloud container
can communicate with the db and OpenLDAP.
The podman package comes with a systemd service and timer for
automatically upgrading containers that are labeled as
"io.containers.autoupdate=registry". podman-auto-update.timer is managed
by FreedomBox. We might add a drop-in file for the timer to make it
more consistent with unattended-upgrades.
Podman natively supports creating systemd services for individual
containers. The generated systemd service is then managed by FreedomBox.
The current container image is based on Debian and runs apache inside the container.
To avoid running apache redundantly (both on the host and inside the
container) it would be preferable to use the nextcloud:stable-fpm image
instead, which seems to require creating a new virtual host.
Configure /.well-known URIs to redirect to /nextcloud. There is a conflict with
Radicale if both apps are running.
Put the podman1 interface into the trusted firewalld zone. This results in the
container gaining Internet access which is necessary to downloading Nextcloud
applications and federating with other Nextcloud instances. After applying the
patches, I opened my instance to the Internet to make sure this configuration
doesn't accidentally expose services. I scanned TCP ports 3306 and 6379 (after
installing and binding redis-server to the bridge interface). After that, I
installed the Tor app and put the default WAN interface to the external zone to
confirm that port 9050/TCP does not get exposed through the bridge interface.
To-do:
* test the fpm image
* test running the container in rootless mode for better security
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Add missing docstrings]
[sunil: Make some methods private to module]
[sunil: Run yapf for formatting]
[sunil: Remove a comment to hide form when app is disabled]
[sunil: Update form labels]
[sunil: I18N for client names]
[sunil: Reduce number success messages in form for easy i18n and consistency]
[sunil: Reorganize patch series, squash fixes]
[sunil: Tweak auto update daemon component's ID]
[sunil: Add blank lines for formatting]
[sunil: Minor refactoring for _run_occ method]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
