nextcloud-docker/README.md
2026-04-17 08:44:28 +05:30

# Nextcloud on Ubuntu via Docker for nxt.bhatfamily.in
This repository deploys Nextcloud behind Nginx using Docker Compose.
Exposed ports:
- HTTP: `8082`
- HTTPS: `8446`
Target hostname:
- `nxt.bhatfamily.in`
## What changed
The stack now includes:
- Fixed Nginx mount path (`nginx/nginx.conf` mapped correctly)
- Fixed MariaDB command (`mariadbd`)
- Nginx reverse proxy mode for `nextcloud:apache` (Nginx proxies plain HTTP to the Apache image instead of using `fastcgi_pass`, which only fits the `nextcloud:fpm` image; this removes the earlier FastCGI mismatch)
- Production TLS provisioning using Let's Encrypt DNS-01 with Cloudflare
- Automated TLS renewal job support (cron)
## Prerequisites
- Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
- Domain `nxt.bhatfamily.in` in Cloudflare DNS
- DNS A record for `nxt` pointing to your server's public IP, set to DNS-only (Cloudflare proxy disabled: the proxy does not forward ports `8082`/`8446`, and clients must reach Nginx directly to be served the Let's Encrypt certificate)
- Router/firewall forwarding for ports `8082` and `8446` (DNS-01 validation needs no inbound port `80`, so nothing else has to be exposed)
## Initial setup
1. Create runtime env file:
```bash
cp .env.example .env
```
2. Edit `.env` and replace every placeholder with strong, unique values (database and admin passwords); keep the file readable only by the deploying user.
3. Start stack with bootstrap TLS:
```bash
./scripts/install.sh
```
4. Validate:
```bash
./scripts/test.sh
```
## Production TLS (Let's Encrypt + Cloudflare DNS-01)
1. Export credentials in the shell, replacing the `{{...}}` placeholders. Use a scoped API token (`Zone:DNS:Edit` on the `bhatfamily.in` zone only), never the Global API Key, and start the `export` lines with a space (with `HISTCONTROL` including `ignorespace`) or source them from a mode-`0600` file so the token does not end up in shell history:
```bash
export CF_DNS_API_TOKEN={{CF_DNS_API_TOKEN}}
export LETSENCRYPT_EMAIL={{LETSENCRYPT_EMAIL}}
```
2. Issue/renew and install production cert:
```bash
./scripts/provision-production-tls.sh
```
3. Reload Nginx container:
```bash
docker compose restart web
```
4. Verify cert:
```bash
echo | openssl s_client -connect nxt.bhatfamily.in:8446 -servername nxt.bhatfamily.in 2>/dev/null | openssl x509 -noout -subject -issuer -dates
```
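A fuller version of the check in step 4, as an added example that is not part of this repository: it verifies the chain against the system trust store, confirms the certificate covers `nxt.bhatfamily.in`, distinguishes a production Let's Encrypt issuer from the staging issuer and from the bootstrap (self-signed or other) certificate, and fails if fewer than `MIN_DAYS` remain. The default host/port, the 14-day threshold and the script name are assumptions; it needs `openssl` and GNU `date`.

```shell
#!/bin/sh
# Added example (not part of the nextcloud-docker repository): post-provisioning
# check for the certificate actually served on nxt.bhatfamily.in:8446.
# Parsing is kept in small functions so it can be exercised without network.
set -eu

# Fetch the leaf certificate served for host:port (SNI set), PEM on stdout.
fetch_leaf_cert() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509
}

# Days until expiry from a "notAfter=..." line (openssl x509 -enddate).
# $2 is an optional epoch used as "now" so the arithmetic is deterministic.
days_until_expiry() {
  local not_after="${1#notAfter=}" now="${2:-$(date -u +%s)}" exp
  exp=$(date -u -d "$not_after" +%s)
  echo $(( (exp - now) / 86400 ))
}

# Classify an "issuer=..." line: production Let's Encrypt, the staging CA
# (untrusted by browsers; its O/CN carry "(STAGING)"), or anything else,
# e.g. the bootstrap certificate installed by ./scripts/install.sh.
classify_issuer() {
  case "$1" in
    *STAGING*)         echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo other ;;
  esac
}

# Full check: chain validity, hostname match, issuer class, remaining lifetime.
check_served_cert() {
  local host="$1" port="$2" min_days="$3" pem issuer not_after days
  # -verify_return_error makes s_client fail when the chain does not verify
  # against the system trust store (a self-signed bootstrap cert fails here).
  echo | openssl s_client -connect "$host:$port" -servername "$host" \
      -verify_return_error >/dev/null 2>&1 \
    || { echo "FAIL: chain does not verify for $host:$port"; return 1; }
  pem=$(fetch_leaf_cert "$host" "$port")
  printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: certificate does not cover $host"; return 1; }
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  not_after=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
  days=$(days_until_expiry "$not_after")
  case "$(classify_issuer "$issuer")" in
    production) ;;
    staging)    echo "FAIL: staging certificate served: $issuer"; return 1 ;;
    other)      echo "FAIL: non-Let's Encrypt issuer (bootstrap cert still active?): $issuer"; return 1 ;;
  esac
  [ "$days" -ge "$min_days" ] \
    || { echo "FAIL: certificate expires in $days days (< $min_days)"; return 1; }
  echo "OK: $issuer, $days days remaining"
}

# The network check runs only when a host is given, e.g.
#   sh check-served-cert.sh nxt.bhatfamily.in 8446 14
if [ $# -gt 0 ]; then
  check_served_cert "$1" "${2:-8446}" "${3:-14}"
fi
```

Run it after every provisioning and from the renewal cron job; a non-zero exit with `FAIL: staging ...` or `FAIL: non-Let's Encrypt issuer` means the Nginx container is still serving the old material and needs the restart from step 3.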
## Automated renewal job (cron)
1. Ensure the script the renewal wrapper sources for the Cloudflare token exists at the default path and is readable only by the cron user (it holds a live API token, so mode `0600`):
- `~/bin/cloudflare-api-usertoken.sh`
2. Install/update renewal cron entry:
```bash
./scripts/setup-renewal-cron.sh
```
This script will:
- create/update `.tls-renewal.env` (local only, not committed)
- install a daily cron job (`03:17` by default)
- write logs to `logs/tls-renew.log`
3. Manual renewal run (same path cron uses):
```bash
./scripts/renew-production-tls.sh
```
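A renewal wrapper in the shape a practitioner would want on the cron path, as an added example that is not the repository's `renew-production-tls.sh`: it refuses to source the token script unless it is readable only by its owner, takes a lock so overlapping cron runs cannot race, delegates issuance to the repository's `./scripts/provision-production-tls.sh` (assumed to be safe to rerun, as its "issue/renew" role suggests), and reloads Nginx gracefully only when the certificate file actually changed. The certificate path `nginx/ssl/fullchain.pem`, the assumption that the token script exports `CF_DNS_API_TOKEN`, and the `nginx -s reload` call inside the `web` container are assumptions; the script needs `flock` (util-linux) and GNU `stat`/`sha256sum`.

```shell
#!/bin/sh
# Added example, not the repository's own renewal script. Assumed: lives in
# scripts/, the token script exports CF_DNS_API_TOKEN, the served cert is
# nginx/ssl/fullchain.pem, and the "web" service runs an nginx image.
set -eu

TOKEN_SCRIPT="${TOKEN_SCRIPT:-${HOME:-/root}/bin/cloudflare-api-usertoken.sh}"
CERT_FILE="${CERT_FILE:-nginx/ssl/fullchain.pem}"   # assumed path
LOCK_FILE="${LOCK_FILE:-/tmp/nxt-tls-renew.lock}"
LOG_FILE="${LOG_FILE:-logs/tls-renew.log}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOG_FILE"; }

# Accept the token script only when group/other have no permission bits
# (0600, 0400, 0700): it holds a live DNS-edit token for the zone.
token_file_ok() {
  [ -f "$1" ] || return 1
  case "$(stat -c '%a' "$1")" in
    [0-7]00) return 0 ;;
    *)       return 1 ;;
  esac
}

file_digest() { sha256sum "$1" | cut -d' ' -f1; }

# True when the file's current digest differs from the recorded one.
cert_changed() { [ "$(file_digest "$1")" != "$2" ]; }

renew() {
  cd "$(dirname "$0")/.."           # scripts/ -> repository root
  mkdir -p "$(dirname "$LOG_FILE")"
  exec 9>"$LOCK_FILE"
  flock -n 9 || { log "skip: another renewal run holds $LOCK_FILE"; return 0; }
  if ! token_file_ok "$TOKEN_SCRIPT"; then
    log "refuse: $TOKEN_SCRIPT must exist and be mode 0600 (it holds a live API token)"
    return 1
  fi
  . "$TOKEN_SCRIPT"
  [ -n "${CF_DNS_API_TOKEN:-}" ] \
    || { log "refuse: $TOKEN_SCRIPT did not export CF_DNS_API_TOKEN"; return 1; }
  if [ -f "$CERT_FILE" ]; then before=$(file_digest "$CERT_FILE"); else before=none; fi
  ./scripts/provision-production-tls.sh >>"$LOG_FILE" 2>&1
  if cert_changed "$CERT_FILE" "$before"; then
    # Graceful reload keeps existing connections; a restart would drop them.
    docker compose exec -T web nginx -s reload
    log "renewed: certificate changed, nginx reloaded"
  else
    log "unchanged: no reload needed"
  fi
}

# Run only when invoked as `... run` so the functions can be sourced/tested:
#   ./scripts/renew-tls-wrapper.sh run
if [ "${1:-}" = run ]; then
  renew
fi
```

The digest comparison is what makes the daily `03:17` job safe to run unconditionally: on the roughly 60 days out of 90 when Let's Encrypt returns nothing new, Nginx is left alone, and the log records one line either way.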
## Useful commands
Start/update containers:
```bash
docker compose up -d
```
Restart all services:
```bash
docker compose restart
```
Restart web only:
```bash
docker compose restart web
```
Stop and remove containers and volumes (this destroys the Nextcloud data and database volumes; back up first):
```bash
./scripts/uninstall.sh
```
## Security notes
- `.env`, `.tls-renewal.env`, and runtime cert material under `nginx/ssl` are intentionally ignored by Git; the private key under `nginx/ssl` and the token script at `~/bin/cloudflare-api-usertoken.sh` should additionally be readable only by the deploying user.
- If secrets were ever committed earlier, rotate them (new Cloudflare API token, new database and admin passwords). Rewriting Git history does not un-leak a value that was already pushed, so rotation is the fix, not history cleanup alone.