2025-12-27 16:53:40 +01:00
.env initial commit 2025-12-27 00:36:05 +01:00
docker-compose.yml + changed oo auth header 2025-12-27 16:53:40 +01:00
LICENSE Initial commit 2025-12-26 22:06:02 +00:00
README.md initial commit 2025-12-27 00:36:05 +01:00

knet-cloud

Modern Nextcloud stack with MariaDB, Redis caching, and OnlyOffice Document Server. Authentication is expected to go through your own authentik OIDC provider.

Stack

  • Nextcloud (Apache) + dedicated cron sidecar
  • MariaDB 11
  • Redis 7 (locking/file cache)
  • OnlyOffice Document Server

Quick start (local or generic Compose)

  1. Install Docker Engine + Docker Compose.

  2. Copy .env and edit the copy; keep .env as a reference for variable names. The compose file carries defaults for the non-secret values, but you must set the secrets yourself.

  3. Generate secrets (do not commit them):

    cp .env .env.local
    # Generate one strong random value per secret and put it in .env.local
    openssl rand -hex 32 # set MARIADB_PASSWORD
    openssl rand -hex 32 # set MARIADB_ROOT_PASSWORD
    openssl rand -hex 32 # set NEXTCLOUD_ADMIN_PASSWORD
    openssl rand -hex 32 # set REDIS_PASSWORD
    openssl rand -hex 32 # set ONLYOFFICE_JWT_SECRET
    
  4. Bring the stack up:

    docker compose --env-file .env.local up -d
    
  5. First login at https://<your-domain> with NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD.
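The two manual steps above (generate secrets, then bring the stack up) are easy to get half-right: a value pasted into the wrong key, a placeholder left behind, or a world-readable file holding the root database password. The script below is an added example, not part of this repo: it builds .env.local from .env with fresh 64-hex-character secrets for exactly the five keys listed above, sets the file to mode 0600, and refuses to sign off on any file that still carries an empty or placeholder value. The function names (write_env_local, check_env_local, random_hex) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the knet-cloud repo: create .env.local with fresh
# random secrets and check it before `docker compose --env-file .env.local up -d`.
set -eu

# The secrets the README requires; non-secret values come from .env / compose defaults.
REQUIRED_SECRETS="MARIADB_PASSWORD MARIADB_ROOT_PASSWORD NEXTCLOUD_ADMIN_PASSWORD REDIS_PASSWORD ONLYOFFICE_JWT_SECRET"

# 32 random bytes as 64 hex characters (same strength as `openssl rand -hex 32`).
random_hex() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# write_env_local TEMPLATE OUT
# Copies the non-secret lines of TEMPLATE (the repo's .env) to OUT, drops any
# secret lines it carried, appends fresh values, and keeps OUT readable only by you.
write_env_local() {
  template=$1; out=$2
  umask 077
  pattern="^($(echo "$REQUIRED_SECRETS" | tr ' ' '|'))="
  if [ -f "$template" ]; then
    grep -v -E "$pattern" "$template" > "$out" || true
  else
    : > "$out"
  fi
  for key in $REQUIRED_SECRETS; do
    printf '%s=%s\n' "$key" "$(random_hex)" >> "$out"
  done
  chmod 600 "$out"
}

# check_env_local FILE
# Returns 1 if any required secret is missing, empty, shorter than 32 characters,
# or still a placeholder (changeme, <redis-password>, ...), so a half-edited file
# never reaches docker compose.
check_env_local() {
  file=$1; status=0
  for key in $REQUIRED_SECRETS; do
    value=$(grep -E "^${key}=" "$file" | tail -n 1 | cut -d= -f2-)
    value=${value#\"}; value=${value%\"}      # tolerate quoted values
    case "$value" in
      ""|changeme|CHANGEME|password|secret|*"<"*">"*)
        echo "ERROR: $key is unset or still a placeholder" >&2; status=1; continue ;;
    esac
    if [ "${#value}" -lt 32 ]; then
      echo "ERROR: $key is shorter than 32 characters" >&2; status=1
    fi
  done
  return $status
}

# Usage: sh make-env-local.sh .env .env.local
if [ "$#" -eq 2 ]; then
  write_env_local "$1" "$2"
  check_env_local "$2" && echo "wrote $2"
fi
```

Run it once per deployment (`sh make-env-local.sh .env .env.local`) and then pass the result to `docker compose --env-file .env.local up -d`. The check function is separate on purpose: it is cheap to run in a pre-deploy hook against a file someone edited by hand.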

Required post-deploy hardening

Run these once after the first boot. Replace placeholders where noted.

# Use APCu as the local cache and Redis for locking (the password must equal REDIS_PASSWORD)
docker compose exec nextcloud php occ config:system:set memcache.local --value='\OC\Memcache\APCu'
docker compose exec nextcloud php occ config:system:set memcache.locking --value='\OC\Memcache\Redis'
docker compose exec nextcloud php occ config:system:set redis host --value=redis
docker compose exec nextcloud php occ config:system:set redis port --value=6379 --type=integer
docker compose exec nextcloud php occ config:system:set redis password --value='<redis-password>'

# Force HTTPS and trusted domains
docker compose exec nextcloud php occ config:system:set overwriteprotocol --value=https
docker compose exec nextcloud php occ config:system:set trusted_domains 1 --value='<your-domain>'

# Install core apps we'll need
docker compose exec nextcloud php occ app:install user_oidc
docker compose exec nextcloud php occ app:install onlyoffice

Wire authentik (OIDC)

  1. In authentik create an OIDC Provider + Application:

    • Redirect URI: https://<your-domain>/apps/user_oidc/callback
    • Post-logout redirect: https://<your-domain>/logout
    • Scopes: openid email profile offline_access
    • Algorithm: RS256, with discovery enabled.
  2. Save the client ID and client secret.

  3. Configure the user_oidc app in Nextcloud (CLI example):

        docker compose exec nextcloud php occ config:app:set user_oidc oidc_login_provider_url --value='https://auth.example.com/application/o/<provider-slug>/'
        docker compose exec nextcloud php occ config:app:set user_oidc oidc_login_client_id --value='<client-id>'
        docker compose exec nextcloud php occ config:app:set user_oidc oidc_login_client_secret --value='<client-secret>'
        docker compose exec nextcloud php occ config:app:set user_oidc oidc_login_scope --value='openid email profile offline_access'
        docker compose exec nextcloud php occ config:app:set user_oidc oidc_login_button_text --value='Login with authentik'
        docker compose exec nextcloud php occ config:app:set user_oidc oidc_login_end_session_redirect --value='https://<your-domain>/logout'
    
  4. Test SSO and disable local password login for regular users once confirmed.
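Step 1 asks the provider for a specific combination (RS256 signing, discovery enabled, the offline_access scope, and an end-session endpoint for the logout redirect). Rather than discovering a mismatch at step 4, the added example below (not part of this repo) fetches the provider's discovery document from the oidc_login_provider_url you are about to configure and checks those properties before you touch user_oidc. It assumes curl is available for the fetch and that the issuer in the document equals the provider URL, trailing slash included; the check and helper names are this example's own, and the extraction helpers handle only a flat discovery document, which is all this needs.

```shell
#!/bin/sh
# Added example, not part of the knet-cloud repo: pull the provider's OIDC
# discovery document and confirm it offers what step 1 asks for (RS256,
# offline_access, an end-session endpoint) before configuring user_oidc.
set -eu

# discovery_url PROVIDER_URL -> well-known URL; PROVIDER_URL ends with "/" as in
# oidc_login_provider_url above.
discovery_url() {
  printf '%s.well-known/openid-configuration\n' "$1"
}

# json_string FILE KEY / json_array FILE KEY: minimal extraction for a flat
# discovery document (whitespace stripped first); enough for a preflight,
# not a general JSON parser.
json_string() { tr -d ' \t\r\n' < "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }
json_array()  { tr -d ' \t\r\n' < "$1" | sed -n "s/.*\"$2\":\[\([^]]*\)\].*/\1/p"; }

# check_discovery FILE PROVIDER_URL -> 0 if every check passes, 1 otherwise
check_discovery() {
  doc=$1; provider=$2; rc=0
  issuer=$(json_string "$doc" issuer)
  if [ "$issuer" != "$provider" ]; then
    echo "issuer is '$issuer', expected '$provider' (user_oidc rejects tokens from another issuer)" >&2; rc=1
  fi
  case ",$(json_array "$doc" id_token_signing_alg_values_supported)," in
    *',"RS256",'*) ;; *) echo "RS256 not in id_token_signing_alg_values_supported" >&2; rc=1 ;;
  esac
  case ",$(json_array "$doc" scopes_supported)," in
    *',"offline_access",'*) ;; *) echo "offline_access scope not supported" >&2; rc=1 ;;
  esac
  # every endpoint the login flow and the logout redirect depend on must be present and https
  for key in authorization_endpoint token_endpoint jwks_uri end_session_endpoint; do
    url=$(json_string "$doc" "$key")
    case "$url" in
      https://*) ;; *) echo "$key missing or not https: '$url'" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Usage: sh oidc-preflight.sh 'https://auth.example.com/application/o/<provider-slug>/'
if [ "$#" -eq 1 ]; then
  tmp=$(mktemp)
  curl -fsSL "$(discovery_url "$1")" -o "$tmp"
  check_discovery "$tmp" "$1" && echo "discovery document looks good"
  rm -f "$tmp"
fi
```

A failing issuer check is the one to take seriously: user_oidc validates the `iss` claim of every ID token against the configured provider URL, so a stray or missing trailing slash breaks login for everyone even though the provider itself is healthy.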

Hook up OnlyOffice

  1. In Nextcloud, enable the onlyoffice app (already installed above).

  2. Set URLs and JWT secret (internal URL keeps traffic inside the bridge network):

        docker compose exec nextcloud php occ config:app:set onlyoffice DocumentServerUrl --value='https://<your-domain-for-office>'
        docker compose exec nextcloud php occ config:app:set onlyoffice DocumentServerInternalUrl --value='http://onlyoffice/'
        docker compose exec nextcloud php occ config:app:set onlyoffice StorageUrl --value='http://nextcloud/'
        docker compose exec nextcloud php occ config:app:set onlyoffice jwt_secret --value='<onlyoffice-jwt-secret>'
        docker compose exec nextcloud php occ config:app:set onlyoffice jwt_header --value='Authorization'
    
    • <onlyoffice-jwt-secret> should match ONLYOFFICE_JWT_SECRET in .env.
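The jwt_secret and jwt_header settings above are the whole trust relationship between Nextcloud and the Document Server: every request from the onlyoffice app carries an HS256-signed JWT in the Authorization header, and the Document Server only honours requests whose signature verifies under ONLYOFFICE_JWT_SECRET. The added example below (not code from this repo or from OnlyOffice) mints and verifies such a token with openssl so you can confirm the two secrets are the same string without hunting through editor-load failures. The payload is a constructed probe, not a real Document Server request, and the "Bearer " prefix on the header line reflects the Document Server's default inbox setting, which this example assumes.

```shell
#!/bin/sh
# Added example, not part of the knet-cloud repo: mint and verify an HS256 JWT
# with openssl to confirm that the secret you gave the onlyoffice app
# (jwt_secret) and the one the Document Server was started with
# (ONLYOFFICE_JWT_SECRET) are the same string.
set -eu

# base64url without padding, as the JWT spec requires
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# hmac_sig SECRET DATA -> base64url(HMAC-SHA256(SECRET, DATA))
hmac_sig() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -binary | b64url
}

# jwt_mint SECRET PAYLOAD_JSON -> compact token header.payload.signature
jwt_mint() {
  header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
  payload=$(printf '%s' "$2" | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$(hmac_sig "$1" "$header.$payload")"
}

# jwt_verify SECRET TOKEN -> 0 if the signature checks out under SECRET, 1 otherwise.
# Plain string comparison is acceptable for a local config check; a server-side
# verifier would use a constant-time compare.
jwt_verify() {
  secret=$1; token=$2
  h=${token%%.*}; rest=${token#*.}; p=${rest%%.*}; s=${rest#*.}
  [ "$s" = "$(hmac_sig "$secret" "$h.$p")" ]
}

# auth_header SECRET PAYLOAD_JSON -> the header line the onlyoffice app sends when
# jwt_header is 'Authorization' ("Bearer " prefix assumed from the Document
# Server's default inbox configuration).
auth_header() {
  printf 'Authorization: Bearer %s\n' "$(jwt_mint "$1" "$2")"
}

# Usage: sh jwt-check.sh <secret-from-nextcloud> <secret-from-.env.local>
if [ "$#" -eq 2 ]; then
  tok=$(jwt_mint "$1" '{"constructed":"probe"}')   # constructed payload, not a real request
  if jwt_verify "$2" "$tok"; then echo "secrets match"; else echo "secrets differ" >&2; exit 1; fi
fi
```

Feed it the value Nextcloud holds (`docker compose exec nextcloud php occ config:app:get onlyoffice jwt_secret`) and the value from .env.local; "secrets differ" explains the otherwise opaque "document security token is not correctly formed" error the editor shows when the two sides disagree.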

Operational notes

  • Run behind a TLS reverse proxy (Traefik, Caddy, or NGINX). In Coolify, Traefik is managed for you and no host ports need to be exposed in the compose file.
  • Backups: snapshot nextcloud_data, nextcloud_config, and db_data; also export MariaDB dumps regularly.
  • Updates: bump the version tags in .env, then run docker compose pull && docker compose up -d.
  • Logs: docker compose logs -f nextcloud (and the same for onlyoffice) is the first place to look when debugging.

Deploy with Coolify (step-by-step)

Coolify ignores .env files. Enter every variable in the UI. Use .env as a reference for names and defaults. Secrets must be generated per deployment.

  1. Create or select a Project in Coolify.
  2. Add Resource → Docker Compose → “Import from Git”; point to this repo/branch.
  3. In the Compose Resource settings, add environment variables:
    • Non-secret defaults (override as needed):
      • NEXTCLOUD_VERSION=32-apache
      • MARIADB_VERSION=11.4
      • REDIS_VERSION=7-alpine
      • ONLYOFFICE_VERSION=8.0
      • NEXTCLOUD_DOMAIN=cloud.example.com (set to your actual domain)
      • NEXTCLOUD_ADMIN_USER=ncadmin
      • MARIADB_DATABASE=nextcloud
      • MARIADB_USER=nextcloud
    • Required secrets (must be strong randoms):
      • MARIADB_PASSWORD
      • MARIADB_ROOT_PASSWORD
      • NEXTCLOUD_ADMIN_PASSWORD
      • REDIS_PASSWORD
      • ONLYOFFICE_JWT_SECRET
  4. Volumes: ensure the named volumes (nextcloud_data, nextcloud_apps, nextcloud_config, db_data, redis_data, onlyoffice_data, onlyoffice_logs) are set as persistent in Coolify (they map to Docker named volumes and will persist across deploys).
  5. Domains/ingress: no port mappings required. Assign your domain(s) to the service in Coolify; Traefik handles HTTPS. Keep NEXTCLOUD_DOMAIN matching the public hostname.
  6. Deploy and monitor logs until DB init and healthchecks are healthy.
  7. Run the hardening occ commands (Redis cache, trusted domains/HTTPS, app installs) via the Coolify Console against the nextcloud container.

Quality-of-life ideas

  • Offload primary storage to S3/MinIO using the Nextcloud object store config for simpler scaling.

  • Enable metrics/monitoring (Prometheus exporters for MariaDB/Redis, Traefik dashboard if used) plus alerting on failed healthchecks.

  • Configure TOTP/WebAuthn in authentik and enforce SSO-only login on Nextcloud for consistent access policy.

  • Use a dedicated backup tool (restic or Borg) with encryption and retention against a separate target.

  • Add a content-delivery rule (CDN or edge cache) for static assets if hosting for many remote users.