102 lines
2.9 KiB
Markdown
102 lines
2.9 KiB
Markdown
# Nextcloud on Ubuntu via Docker for nxt.bhatfamily.in
|
|
This repository deploys Nextcloud behind Nginx using Docker Compose.
|
|
Exposed ports:
|
|
- HTTP: `8082`
|
|
- HTTPS: `8446`
|
|
Target hostname:
|
|
- `nxt.bhatfamily.in`
|
|
## What changed
|
|
The stack now includes:
|
|
- Fixed Nginx mount path (`nginx/nginx.conf` mapped correctly)
|
|
- Fixed MariaDB command (`mariadbd`)
|
|
- Nginx reverse proxy mode for `nextcloud:apache` (no FastCGI mismatch)
|
|
- Production TLS provisioning using Let's Encrypt DNS-01 with Cloudflare
|
|
- Automated TLS renewal job support (cron)
|
|
## Prerequisites
|
|
- Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
|
|
- Domain `nxt.bhatfamily.in` in Cloudflare DNS
|
|
- DNS A record for `nxt` pointing to your server public IP (DNS-only)
|
|
- Router/firewall forwarding for ports `8082` and `8446`
|
|
## Initial setup
|
|
1. Create runtime env file:
|
|
```bash
|
|
cp .env.example .env
|
|
```
|
|
2. Edit `.env` with strong values.
|
|
3. Start stack with bootstrap TLS:
|
|
```bash
|
|
./scripts/install.sh
|
|
```
|
|
4. Validate:
|
|
```bash
|
|
./scripts/test.sh
|
|
```
|
|
## Production TLS (Let's Encrypt + Cloudflare DNS-01)
|
|
1. Export credentials in shell:
|
|
```bash
|
|
export CF_DNS_API_TOKEN={{CF_DNS_API_TOKEN}}
|
|
export LETSENCRYPT_EMAIL={{LETSENCRYPT_EMAIL}}
|
|
```
|
|
2. Issue/renew and install production cert:
|
|
```bash
|
|
./scripts/provision-production-tls.sh
|
|
```
|
|
3. Reload Nginx container:
|
|
```bash
|
|
docker compose restart web
|
|
```
|
|
4. Verify cert:
|
|
```bash
|
|
echo | openssl s_client -connect nxt.bhatfamily.in:8446 -servername nxt.bhatfamily.in 2>/dev/null | openssl x509 -noout -subject -issuer -dates
|
|
```
|
|
## Automated renewal job (cron)
|
|
1. Ensure your Cloudflare token export script exists (default path used by renewal wrapper):
|
|
- `~/bin/cloudflare-api-usertoken.sh`
|
|
2. Install/update renewal cron entry:
|
|
```bash
|
|
./scripts/setup-renewal-cron.sh
|
|
```
|
|
This script will:
|
|
- create/update `.tls-renewal.env` (local only, not committed)
|
|
- install a daily cron job (`03:17` by default)
|
|
- write logs to `logs/tls-renew.log`
|
|
3. Manual renewal run (same path cron uses):
|
|
```bash
|
|
./scripts/renew-production-tls.sh
|
|
```
|
|
## Admin password reset
|
|
List existing users:
|
|
```bash
|
|
docker exec --user www-data nextcloud-app php occ user:list
|
|
```
|
|
Reset password using helper script (interactive prompt):
|
|
```bash
|
|
./scripts/reset-admin-password.sh admin
|
|
```
|
|
Reset password non-interactively (for automation):
|
|
```bash
|
|
NEW_NEXTCLOUD_PASSWORD={{NEW_NEXTCLOUD_PASSWORD}} ./scripts/reset-admin-password.sh admin
|
|
```
|
|
You can target a different username by passing it as the first argument.
|
|
|
|
## Useful commands
|
|
Start/update containers:
|
|
```bash
|
|
docker compose up -d
|
|
```
|
|
Restart all services:
|
|
```bash
|
|
docker compose restart
|
|
```
|
|
Restart web only:
|
|
```bash
|
|
docker compose restart web
|
|
```
|
|
Stop and remove containers/volumes:
|
|
```bash
|
|
./scripts/uninstall.sh
|
|
```
|
|
## Security notes
|
|
- `.env`, `.tls-renewal.env`, and runtime cert material under `nginx/ssl` are intentionally ignored by Git.
|
|
- If secrets were ever committed earlier, rotate them.
|