pkgbase = nextcloud-uwsgi-service | |
pkgdesc = run nextcloud as a DynamicUser=yes, socket activated uwsgi service | |
pkgver = 0.4 | |
pkgrel = 1 | |
url = https://aur.archlinux.org/packages/nextcloud-uwsgi-service/ | |
arch = any | |
license = MIT | |
depends = nextcloud>=17.0.0 | |
depends = uwsgi-plugin-php | |
depends = nginx | |
depends = systemd | |
depends = php-gd | |
depends = php-sqlite | |
depends = php-redis | |
depends = php-xsl | |
depends = php-igbinary | |
optdepends = nextcloud-app-totp: TOTP 2FA support | |
optdepends = nextcloud-app-u2f: U2F 2FA support | |
options = !strip | |
backup = etc/uwsgi/nextcloud.ini | |
backup = etc/nginx/sites/nextcloud.conf | |
backup = etc/php/nextcloud/php.ini | |
source = nextcloud.ini | |
source = nextcloud.conf | |
source = nextcloud.service | |
source = nextcloud.socket | |
source = php.ini | |
sha256sums = a6edafd6aa007a366490225fd18078d0b906678f5293546a66bf9dce1ceb4ccd | |
sha256sums = e85b75c603e591608b8b481b0e166e8beff8648894912e2817e0cc14ebe244be | |
sha256sums = 836af07eaa8ad53f71398677d02ce6670ebd2d39e9f0d8be9d159612898d6b41 | |
sha256sums = 28d9f6e00e5c283f5b479fd12262d0f5d20025681fc454407c6c91138a7a91dd | |
sha256sums = 0779ec8c97508691aafc0b1428881e8160c90d4bf6f9e0378ed028614fad7939 | |
pkgname = nextcloud-uwsgi-service | |
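# nginx vhost for Nextcloud in front of the socket-activated uwsgi service.
# TLS termination and the browser security headers live here; nextcloud.ini
# sets modHeadersAvailable=true so Nextcloud does not warn about them.
server {
    listen 443 ssl http2;
    server_name cloud.example.com;
    ssl_certificate ssl/cloud.example.com.crt;
    ssl_certificate_key ssl/cloud.example.com.key;

    root /usr/share/webapps/nextcloud;
    # Keep in step with post_max_size/upload_max_filesize in php.ini:
    # 1G here is 1024M, while php.ini on this page allows 1000M, so an upload
    # between the two sizes passes nginx and is then rejected by PHP.
    client_max_body_size 1G;

    # NOTE: without the "always" flag nginx emits add_header only on 2xx/3xx
    # responses, so the 403/404 pages below are sent without these headers.
    add_header Strict-Transport-Security max-age=15768000;
    add_header Referrer-Policy "no-referrer";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Download-Options noopen;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Robots-Tag "none";
    add_header X-XSS-Protection "1; mode=block";

    # CardDAV/CalDAV autodiscovery -> DAV endpoint (external redirect).
    rewrite ^/.well-known/carddav $scheme://$host/remote.php/dav/ permanent;
    rewrite ^/.well-known/caldav $scheme://$host/remote.php/dav/ permanent;
    # The following 2 rules are only needed with webfinger
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # Regex locations are evaluated in file order, so these deny rules must
    # stay above the .php location. They cover Nextcloud's internal
    # directories (config/, data/, ...) and dotfiles/CLI entry points that
    # must never be served statically nor executed.
    location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Every *.php request (with or without trailing PATH_INFO) is handed to
    # uwsgi; modifier1 14 selects the uwsgi PHP plugin. The uwsgi side further
    # limits which scripts may run (php-allowed-ext in nextcloud.ini).
    location ~ \.php(?:$|/) {
        include uwsgi_params;
        uwsgi_modifier1 14;
        # Must match ListenStream= in nextcloud.socket, which creates
        # /run/uwsgi/nextcloud.sock (the previous value /run/nextcloud.sock
        # pointed at a path no unit on this page creates).
        uwsgi_pass unix:///run/uwsgi/nextcloud.sock;
    }

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    # Anything else is served as a static file from root; directories and
    # unknown paths fall through to the front controller.
    index index.php;
    location / {
        try_files $uri $uri/ /index.php;
    }
}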
[uwsgi]
; default for local testing run it like "uwsgi --ini nextcloud.ini"
; This section is only the stand-alone/dev entry point: it pulls in the shared
; [nextcloud] section and serves plain HTTP on port 8000. Nothing else on this
; page (service unit, nginx) refers to it.
ini = :nextcloud
http-socket = :8000
; 14 is the modifier1 value handled by the PHP plugin; nginx sets the same
; value with uwsgi_modifier1 in nextcloud.conf.
http-socket-modifier1 = 14
; use uwsgi static file server
static-check = %(nextcloud_dir)
; never hand out PHP sources or includes as static files
static-skip-ext = .php
static-skip-ext = .inc
offload-threads = 2

[service]
; Section started by nextcloud.service (--ini nextcloud.ini:service).
; No socket is configured here; NOTE(review): the listener is presumably the
; one inherited from nextcloud.socket via systemd socket activation -- confirm.
ini = :nextcloud
; exit on SIGTERM instead of reloading, as systemd expects
die-on-term = yes
logger = systemd
logformat = %(addr) (%(user)) (%(proto) %(status)) %(method) %(uri) => generated %(rsize) bytes in %(msecs) msecs %(headers) headers in %(hsize) bytes {%(vars) vars in %(pktsize) bytes} (%(switches) switches on core %(core)) 
# nginx will set security headers
env = modHeadersAvailable=true
# pretty urls
env = front_controller_active=true

[nextcloud]
; Shared PHP application settings included by both sections above.
master = true
processes = 4
plugins = php
nextcloud_dir = /usr/share/webapps/nextcloud
php-docroot = %(nextcloud_dir)
php-index = index.php
# recommended to only allow these php scripts:
# Second line of defence behind the nginx deny rules: nginx forwards every
# *.php under the docroot, this list decides which of them may actually run.
# NOTE(review): php-allowed-ext appears to match on path suffix, so an entry
# like /index.php would also admit e.g. /apps/x/index.php -- confirm against
# the uwsgi PHP plugin before relying on it as an exact allow-list.
php-allowed-ext = /index.php
php-allowed-ext = /cron.php
php-allowed-ext = /status.php
php-allowed-ext = /remote.php
php-allowed-ext = /public.php
php-allowed-ext = /core/templates/403.php
php-allowed-ext = /core/templates/404.php
php-allowed-ext = /core/ajax/update.php
php-allowed-ext = /ocs/v1.php
php-allowed-ext = /ocs/v2.php
# nextcloud.service: runs uwsgi for Nextcloud under a transient (DynamicUser)
# account, listening on the socket provided by nextcloud.socket.
[Unit]
Description=nextcloud uwsgi service
# Cache backend should be up first; nginx (the only client) is ordered after us.
After=network.target redis.service
Before=nginx.service
Requires=nextcloud.socket

[Service]
Type=notify

# Identity and writable paths. With DynamicUser=yes the "nextcloud" user/group
# is allocated at start; StateDirectory gives it a persistent /var/lib/nextcloud
# (used below as working dir and config dir) and RuntimeDirectory a
# /run/nextcloud for the master FIFO.
DynamicUser=yes
User=nextcloud
Group=nextcloud
StateDirectory=nextcloud
RuntimeDirectory=nextcloud
WorkingDirectory=/var/lib/nextcloud/
Environment=NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config
# Leading ":" keeps the system php.ini and adds the package's own php.ini.
Environment=PHP_INI_SCAN_DIR=:/etc/php/nextcloud

# The [service] section of nextcloud.ini is the one started here; reload and
# stop are driven through the uwsgi master FIFO ("w" = reload, "q" = quit).
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/nextcloud.ini:service --master-fifo /run/nextcloud/master-fifo
ExecReload=/bin/bash -c 'echo w > /run/nextcloud/master-fifo'
ExecStop=/bin/bash -c 'echo q > /run/nextcloud/master-fifo'
Restart=always
TimeoutSec=infinity
IPAccounting=yes

# Sandboxing. DynamicUser=yes additionally implies NoNewPrivileges=, PrivateTmp=
# and ProtectSystem=strict per systemd.exec(5), so they are not repeated here.
LockPersonality=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
Also=nextcloud.socket
# nextcloud.socket: the UNIX socket nginx connects to; systemd passes it to
# nextcloud.service on the first connection.
[Unit]
Description=nextcloud socket

[Socket]
# This path is what uwsgi_pass in nextcloud.conf must point at.
ListenStream=/run/uwsgi/nextcloud.sock
# Owner and the "http" group only -- NOTE(review): presumably the group the
# nginx worker processes run as; verify against the nginx unit on the host.
SocketGroup=http
SocketMode=0660

[Install]
WantedBy=sockets.target
; php.ini fragment for the Nextcloud uwsgi service; loaded on top of the
; system php.ini via PHP_INI_SCAN_DIR=:/etc/php/nextcloud (nextcloud.service).

; --- extensions (database, image handling, cache, misc) -------------------
extension=pdo_sqlite.so
extension=gd.so
extension=imagick.so
extension=exif.so
extension=redis.so
extension=igbinary.so
extension=gmp.so
extension=iconv.so
extension=intl
extension=sockets.so
extension=xmlrpc.so
extension=xsl.so
zend_extension=opcache.so

; --- runtime limits ----------------------------------------------------------
memory_limit=512M
; Upload ceiling. nginx's client_max_body_size on this page is 1G (= 1024M),
; slightly above these values, so the effective limit is the PHP one.
post_max_size=1000M
upload_max_filesize=1000M

; --- filesystem / sessions ---------------------------------------------------
; open_basedir is intentionally cleared: path confinement is left to the
; systemd sandbox (DynamicUser, ProtectHome, ...) in nextcloud.service rather
; than enforced in PHP.
open_basedir=
; NOTE(review): under DynamicUser=yes this is presumably the service's private
; /tmp (PrivateTmp is implied per systemd.exec(5)), not the shared one -- confirm.
session.save_path=/tmp

date.timezone=Europe/Berlin
# Maintainer: Damjan Georgievski <gdamjan@gmail.com> | |
# Package metadata. NOTE: the .SRCINFO shown alongside this PKGBUILD does not
# list php-intl, php-imagick or certbot-nginx, so it is stale relative to the
# arrays below and should be regenerated (makepkg --printsrcinfo > .SRCINFO).
pkgname=nextcloud-uwsgi-service
pkgver=0.4
pkgrel=1
pkgdesc="run nextcloud as a DynamicUser=yes, socket activated uwsgi service"
url="https://aur.archlinux.org/packages/nextcloud-uwsgi-service/"
arch=('any')
license=('MIT')

# Runtime stack: the application itself, the uwsgi PHP plugin, nginx as the
# TLS front end, systemd for socket activation, and the PHP extensions that
# php.ini in this package enables.
depends=(
  'nextcloud>=17.0.0'
  'uwsgi-plugin-php'
  'nginx'
  'systemd'
  'php-gd'
  'php-sqlite'
  'php-redis'
  'php-xsl'
  'php-igbinary'
  'php-intl'
  'php-imagick'
)
optdepends=(
  'nextcloud-app-totp: TOTP 2FA support'
  'nextcloud-app-u2f: U2F 2FA support'
  'certbot-nginx: TLS certificates for nginx'
)
makedepends=()
options=('!strip')

# All sources are local files shipped next to the PKGBUILD; sha256sums= below
# pins each of them in the same order.
source=(
  'nextcloud.ini'
  'nextcloud.conf'
  'nextcloud.service'
  'nextcloud.socket'
  'php.ini'
)
# Config files pacman must preserve (as .pacnew) when the package is upgraded.
backup=(
  'etc/uwsgi/nextcloud.ini'
  'etc/nginx/sites/nextcloud.conf'
  'etc/php/nextcloud/php.ini'
)
# Install the five bundled configuration files, all world-readable and not
# executable. The three under /etc are also listed in backup=() so local edits
# survive upgrades; the two units go where pacman-owned unit files belong.
package() {
  local etc="${pkgdir}/etc"
  local units="${pkgdir}/usr/lib/systemd/system"

  install -Dm0644 "${srcdir}/nextcloud.ini"     "${etc}/uwsgi/nextcloud.ini"
  install -Dm0644 "${srcdir}/nextcloud.conf"    "${etc}/nginx/sites/nextcloud.conf"
  install -Dm0644 "${srcdir}/php.ini"           "${etc}/php/nextcloud/php.ini"
  install -Dm0644 "${srcdir}/nextcloud.service" "${units}/nextcloud.service"
  install -Dm0644 "${srcdir}/nextcloud.socket"  "${units}/nextcloud.socket"
}
# One checksum per entry of source=(), in the same order (nextcloud.ini,
# nextcloud.conf, nextcloud.service, nextcloud.socket, php.ini). Because the
# sources are local files, these must be refreshed (e.g. updpkgsums) whenever
# one of them is edited, or makepkg will refuse to build.
sha256sums=('a6edafd6aa007a366490225fd18078d0b906678f5293546a66bf9dce1ceb4ccd'
'e85b75c603e591608b8b481b0e166e8beff8648894912e2817e0cc14ebe244be'
'836af07eaa8ad53f71398677d02ce6670ebd2d39e9f0d8be9d159612898d6b41'
'28d9f6e00e5c283f5b479fd12262d0f5d20025681fc454407c6c91138a7a91dd'
'0779ec8c97508691aafc0b1428881e8160c90d4bf6f9e0378ed028614fad7939')
nginx headers for increased security:
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "origin";
Running occ in the same execution context as the service:
systemd-run --pipe \
--setenv=NEXTCLOUD_CONFIG_DIR=/var/lib/nextcloud/config \
--setenv=PHP_INI_SCAN_DIR=:/etc/php/nextcloud \
--property=DynamicUser=yes \
--property=User=nextcloud \
--property=Group=nextcloud \
--property=RuntimeDirectory=nextcloud \
--property=StateDirectory=nextcloud \
/usr/share/webapps/nextcloud/occ
nginx headers for increased security:
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "origin";
done
TODO: