Add Hub update script and document hardening changes
Co-Authored-By: Oz <oz-agent@warp.dev>
66
README.md
@ -5,6 +5,7 @@ Exposed ports:
- HTTPS: `8446`
Target hostname:
- `nxt.bhatfamily.in`

## What changed
The stack now includes:
- Fixed Nginx mount path (`nginx/nginx.conf` mapped correctly)
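Review bot: because HTTPS is served on `8446` rather than 443, the port list should warn how that interacts with the HSTS policy this same change turns on (`includeSubDomains; preload`, further down): HSTS is keyed on the host name, not the port, so a browser that has cached the header rewrites `http://nxt.bhatfamily.in:8082/` to `https://nxt.bhatfamily.in:8082/`, keeping the port and changing only the scheme, and that request fails unless the 8082 listener also terminates TLS. Suggest a line under the port list such as "Always use `https://nxt.bhatfamily.in:8446`; the plain-HTTP port stops working in a browser once HSTS has been cached."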
@ -12,11 +13,18 @@ The stack now includes:
- Nginx reverse proxy mode for `nextcloud:apache` (no FastCGI mismatch)
- Production TLS provisioning using Let's Encrypt DNS-01 with Cloudflare
- Automated TLS renewal job support (cron)
- Nextcloud app startup fixes for Apache `ServerName` and writable Fontconfig cache
- Reverse-proxy trust configuration in Nextcloud (`trusted_proxies`, `forwarded_for_headers`)
- Nginx hardening (`server_tokens off`, stronger HSTS, hide `X-Powered-By`, TLS session hardening)
- Brute-force protection explicitly enabled and maintenance window configured
- New scripted Nextcloud Hub upgrade workflow: `scripts/update-nextcloud-hub.sh`

## Prerequisites
- Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
- Domain `nxt.bhatfamily.in` in Cloudflare DNS
- DNS A record for `nxt` pointing to your server public IP (DNS-only)
- Router/firewall forwarding for ports `8082` and `8446`

## Initial setup
1. Create runtime env file:
```bash
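Review bot: the items "Reverse-proxy trust configuration" and "Brute-force protection explicitly enabled" depend on each other and the README should say so: Nextcloud's brute-force throttling keys on the client address it derives via `forwarded_for_headers`, so if `trusted_proxies` does not match the address Nginx connects from, every login attempt is attributed to the proxy's own IP and one attacker's failures throttle all users; if the header were trusted from an untrusted source, a client could instead pick its own address. Suggest adding a verification step after setup, e.g. confirm that failed-login entries in `nextcloud.log` record the real client address rather than the Docker bridge address.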
@ -31,14 +39,47 @@ cp .env.example .env
```bash
./scripts/test.sh
```

## Update Nextcloud Hub (scripted)
Use the upgrade helper script to pull new images, apply the upgrade, run post-upgrade repairs, and validate endpoints.

Run update:
```bash
./scripts/update-nextcloud-hub.sh
```

Optional flags:
- Skip app marketplace updates:
```bash
RUN_APP_UPDATES=0 ./scripts/update-nextcloud-hub.sh
```
- Require strict TLS validation during smoke tests (no `-k`):
```bash
STRICT_TLS=1 ./scripts/update-nextcloud-hub.sh
```

What the script does:
- pulls latest `db`, `app`, and `web` images
- recreates services via Compose
- enables maintenance mode and runs `occ upgrade`
- runs `occ app:update --all` (unless disabled)
- runs schema and repair commands (`db:add-missing-*`, `maintenance:repair`)
- disables maintenance mode
- runs `occ status`, `occ setupchecks`, and `scripts/test.sh`

> Recommendation: take a filesystem/database backup before major Hub upgrades.

## Move Nextcloud data directory to external storage
Use the migration helper to move existing data to a host path and switch the app to a bind mount.

Default target:
- `/media/rbhat/DATA/nextcloud/NextCloudData`

Run migration:
```bash
./scripts/migrate-data-directory.sh /media/rbhat/DATA/nextcloud/NextCloudData
```

What the script does:
- enables maintenance mode
- copies current `/var/www/html/data` content to target directory
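Review bot: the smoke-test default is the wrong way round for a production deployment: `STRICT_TLS=1` is opt-in, which means a plain `./scripts/update-nextcloud-hub.sh` validates endpoints with `curl -k` and reports success against an expired, self-signed or wrong-host certificate, exactly the failure a post-upgrade check on a Let's Encrypt setup should catch. Suggest making strict validation the default with an explicit insecure override for lab use, and stating in the "What the script does" list what happens to maintenance mode when `occ upgrade` fails, since the list reads as if it is always disabled at the end.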
@ -46,6 +87,7 @@ What the script does:
- updates `docker-compose.yml` app volume with `...:/var/www/html/data`
- recreates `app` and `web` services
- disables maintenance mode and verifies mount

Rollback (if needed):
1. Remove the `:/var/www/html/data` bind mount line from `app` volumes in `docker-compose.yml`.
2. `docker compose up -d app web`
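Review bot: the rollback steps are incomplete relative to the migration they undo: the migration copies `/var/www/html/data` to the host path and then repoints the bind mount, so the original named volume still holds the pre-migration snapshot, and removing the bind-mount line and recreating `app`/`web` reverts to that stale copy, silently dropping anything uploaded since. The section should either say the rollback is only valid immediately after migration or add a step that syncs the host directory back before switching. It would also help to state the expected ownership and mode of the target directory (the `www-data` user of the `nextcloud:apache` image, no world access), since a bind mount on removable media is often created world-readable.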
@ -72,6 +114,7 @@ docker compose restart web
```bash
echo | openssl s_client -connect nxt.bhatfamily.in:8446 -servername nxt.bhatfamily.in 2>/dev/null | openssl x509 -noout -subject -issuer -dates
```

## Automated renewal job (cron)
1. Ensure your Cloudflare token export script exists (default path used by renewal wrapper):
- `~/bin/cloudflare-api-usertoken.sh`
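Review bot: the renewal wrapper reads `~/bin/cloudflare-api-usertoken.sh`, a DNS-write credential for the whole zone, yet the README's file-permission advice covers `.env` only. Suggest documenting that the token should be an API token scoped to `Zone > DNS > Edit` on this one zone (not the Global API Key), that the export script is `chmod 600` and owned by the user whose crontab runs the job, and that `~` resolves against that user's home, not the interactive user's. The `openssl s_client ... -dates` check is fine as a manual step; for the cron path an `openssl x509 -checkend` test on the installed certificate would turn a silent renewal failure into an early warning.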
@ -87,6 +130,7 @@ This script will:
```bash
./scripts/renew-production-tls.sh
```

## Admin password reset
List existing users:
```bash
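Review bot: for the cron invocation of `./scripts/renew-production-tls.sh`, the section should say where its output goes and how a failure is noticed: a job that fails with no `MAILTO` or log sink leaves the certificate expiring unnoticed until the `s_client` check above is run by hand. Suggest the crontab example redirect output to a log file (or pipe it through `logger -t tls-renew`) and confirm that the script exits non-zero on failure so cron's exit status means something.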
@ -102,6 +146,26 @@ NEW_NEXTCLOUD_PASSWORD={{NEW_NEXTCLOUD_PASSWORD}} ./scripts/reset-admin-password
```
You can target a different username by passing it as the first argument.

## Operational/security changes applied (Apr 2026)
Applied and validated in this deployment:
- `docker-compose.yml` (`app` service):
- startup command now ensures writable `/var/cache/fontconfig`
- sets Apache `ServerName nxt.bhatfamily.in`
- sets `XDG_CACHE_HOME=/tmp/.cache`
- `nginx/nginx.conf`:
- `server_tokens off`
- HSTS set to `max-age=63072000; includeSubDomains; preload`
- `proxy_hide_header X-Powered-By`
- `ssl_session_cache`, `ssl_session_timeout`, `ssl_session_tickets off`
- Nextcloud `occ` settings:
- `trusted_proxies` configured to Docker network subnet
- `forwarded_for_headers` set to `HTTP_X_FORWARDED_FOR`
- `auth.bruteforce.protection.enabled=true`
- `maintenance_window_start=1`
- `weather_status` app disabled to remove repeated PHP warning noise
- Host security hygiene:
- `.env` permission reduced to `600`

## Useful commands
Start/update containers:
```bash
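Review bot: `preload` in the HSTS value is a commitment rather than a hardening knob and the list should not present it as one: the browser preload list only accepts the registrable domain (`bhatfamily.in`) served with `includeSubDomains`, which would force HTTPS on every host under it, and an entry once shipped cannot be withdrawn quickly; unless that is intended for the whole domain, `max-age=63072000; includeSubDomains` without `preload` gives `nxt` the same protection. Separately, the `NEW_NEXTCLOUD_PASSWORD=... ./scripts/reset-admin-password` context line puts the new admin password on the command line, so it lands in shell history and in the process environment for the script's lifetime; suggest the script prompt for it with `read -rs` or read it from a `600`-mode file instead.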
@ -119,6 +183,8 @@ Stop and remove containers/volumes:
```bash
./scripts/uninstall.sh
```

## Security notes
- `.env`, `.tls-renewal.env`, and runtime cert material under `nginx/ssl` are intentionally ignored by Git.
- Keep `.env` mode restricted (`chmod 600 .env`).
- If secrets were ever committed earlier, rotate them.
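Review bot: the `chmod 600` guidance in "Security notes" covers `.env` only, while the first bullet names two more secret-bearing paths, `.tls-renewal.env` (the Cloudflare token used by renewal) and the private key under `nginx/ssl`; the same mode should be stated for those. "If secrets were ever committed earlier, rotate them" is right but should add that a later `.gitignore` entry does not remove values already in Git history, so once a push has happened rotation is mandatory, not optional.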