Merge pull request #345 from nextcloud/add/shallow-server

Add shallow server using --depth 1 in git clone
nextcloud · Jan 10, 2022 · e7eecf2 · e7eecf2
2 parents 1539938 + a0bb49b
commit e7eecf2
Show file tree

Hide file tree

Showing 10 changed files with 226 additions and 0 deletions.
diff --git a/shallow-server/Dockerfile b/shallow-server/Dockerfile
@@ -0,0 +1,47 @@
+FROM debian:stable
+
+# Update repos install packages and cleanup
+# all in one step so we avoid large intermediate layers.
+RUN apt-get update && \ 
+    apt-get install -y wget gnupg2 git libzip4 apt-transport-https lsb-release ca-certificates && \
+    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
+    echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list && \
+    apt-get update && \
+    apt-get install -y php7.3-cli php7.3-common php7.3-mbstring \
+    php7.3-gd php-imagick php7.3-intl php7.3-bz2 php7.3-xml \
+    php7.3-mysql php7.3-zip php7.3-dev curl php7.3-curl \
+    php-dompdf php-apcu redis-server php-redis php-smbclient \
+    php7.3-ldap unzip php7.3-pgsql php7.3-sqlite make apache2 \
+    php7.3-json php7.3-opcache libmagickcore-6.q16-2-extra \
+    libapache2-mod-php7.3 && \
+    apt-get autoremove -y && apt-get autoclean && apt-get clean && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/*
+
+COPY opcache-recommended.ini /usr/local/etc/php/conf.d/
+
+WORKDIR /var/www/html
+
+RUN rm -rf /var/www/html
+RUN mkdir -p /var/www/html
+
+RUN git clone --depth 1 https://github.com/nextcloud/server.git .
+RUN git submodule update --init
+
+RUN chown -R www-data:www-data .
+RUN chsh -s /bin/bash www-data
+
+ADD initnc.sh /usr/local/bin/
+ADD run.sh /usr/local/bin/
+ADD initAndRun.sh /usr/local/bin/
+
+# self signed cert
+ADD ssl/dhparam.pem /etc/ssl/certs/
+ADD ssl/default-ssl.conf /etc/apache2/conf-available/ssl-params.conf
+ADD ssl/nextcloud.crt /etc/ssl/certs/nextcloud.crt
+ADD ssl/nextcloud.key /etc/ssl/private/nextcloud.key
+ADD ssl/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf
+
+RUN chmod +x /usr/local/bin/*
+
+EXPOSE 80
+ENTRYPOINT ["/usr/local/bin/initAndRun.sh"]
diff --git a/shallow-server/initAndRun.sh b/shallow-server/initAndRun.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+/usr/local/bin/initnc.sh
+/usr/local/bin/run.sh
diff --git a/shallow-server/initnc.sh b/shallow-server/initnc.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+export BRANCH=${BRANCH:=master}
+
+# Where we do all the work
+cd /var/www/html/
+
+# Update code
+su www-data -c "
+git fetch origin ${BRANCH} --depth 1
+git checkout origin/$BRANCH -B $BRANCH
+git submodule update
+
+# Creating data
+mkdir -p /var/www/html/data
+
+# Init
+php occ maintenance:install --admin-user=admin --admin-pass=admin
+OC_PASS=test php occ user:add --password-from-env -- test
+
+# Trusted domains
+php occ config:system:set trusted_domains 1 --value=*
+php occ config:system:set loglevel --value='0'
+"
+
+# allow eval script for executing javascript in webview (LoginIT test for Android)
+# it needs EVAL set to true within environment in .drone.yml
+
+if test -z "$EVAL"
+then
+	echo "\$EVAL not set, ignoring..."
+else
+    echo "\$EVAL is set, allowing eval script in ContentSecurityPolicy.php"
+	sed -i s'/protected $evalScriptAllowed = false;/protected $evalScriptAllowed = true;/' lib/public/AppFramework/Http/ContentSecurityPolicy.php
+fi
+
+
+if test -z "$REDIS" 
+then
+	  echo "\$REDIS not set, ignoring..."
+else
+    su www-data -c "
+	php occ config:system:set redis host --value=${REDIS}
+	php occ config:system:set redis port --value=6379 --type=integer
+	php occ config:system:set redis timeout --value=0 --type=integer
+	php occ config:system:set --type string --value '\\OC\\Memcache\\Redis' memcache.local
+	php occ config:system:set --type string --value '\\OC\\Memcache\\Redis' memcache.distributed
+	"
+fi
diff --git a/shallow-server/opcache-recommended.ini b/shallow-server/opcache-recommended.ini
@@ -0,0 +1,7 @@
+opcache.enable=1
+opcache.enable_cli=1
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=128
+opcache.save_comments=1
+opcache.revalidate_freq=1
diff --git a/shallow-server/run.sh b/shallow-server/run.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+cd /var/www/html/
+
+. /etc/apache2/envvars
+
+# allow php and apache2 to create their run socket
+mkdir -p /run/php
+mkdir -p /var/run/apache2
+
+tail -f data/nextcloud.log &
+
+a2enmod ssl
+a2enmod headers
+a2ensite default-ssl
+a2enconf ssl-params
+apache2ctl configtest
+
+apache2 -DFOREGROUND "$@"
diff --git a/shallow-server/ssl/default-ssl.conf b/shallow-server/ssl/default-ssl.conf
@@ -0,0 +1,27 @@
+<IfModule mod_ssl.c>
+        <VirtualHost _default_:443>
+                ServerAdmin webmaster@localhost
+
+                DocumentRoot /var/www/html
+
+                ErrorLog ${APACHE_LOG_DIR}/error.log
+                CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+                SSLEngine on
+
+                SSLCertificateFile      /etc/ssl/certs/nextcloud.crt
+                SSLCertificateKeyFile /etc/ssl/private/nextcloud.key
+
+                <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                                SSLOptions +StdEnvVars
+                </FilesMatch>
+                <Directory /usr/lib/cgi-bin>
+                                SSLOptions +StdEnvVars
+                </Directory>
+
+                BrowserMatch "MSIE [2-6]" \
+                               nokeepalive ssl-unclean-shutdown \
+                               downgrade-1.0 force-response-1.0
+
+        </VirtualHost>
+</IfModule>
diff --git a/shallow-server/ssl/dhparam.pem b/shallow-server/ssl/dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA26d/5lCEkFVOOHNm4BPAcT6XXjkTceBwk+XBBAJb95uUznJwknlu
+RaiH04o6gJb43sSdOzaXKkcehXlk+XFKC4OzSbzcVSatrrnvBbwsPG1t1kwZWWw6
+4HsNRVDFhPk+YGU3pViujS5KNRUU28XGJaGoEv6LkgvkoSDxW4n8w1W3xJgZwfH8
+oy4PiResVejsSpS50f6WmBDzGx1YqBKrQPezFzoOxb2WTASf3GBpW+VqkdcS2t2u
+ALh4r/CqSlQtLeOMVwvzc/shiW4ZJgpM9WIa7qoKJodt0CLn8/+FYjJab5PhfwKH
+Mm85wnMkkUpY4n3NqzTTZ9p9CI9rzAEUIwIBAg==
+-----END DH PARAMETERS-----
diff --git a/shallow-server/ssl/nextcloud.crt b/shallow-server/ssl/nextcloud.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUX0P/knbu3gFXra20pX7t9NNcytIwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAxMjcwODUyMjlaFw0zMDAx
+MjQwODUyMjlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC+UfZFIMu1yWLrdWxH71WusFt832LUi8c28hzfFB0y
+g9q6Lhm/8peCqvldXq0t3/zGpTIwoHpmyQ9niiJXtwZYoYAtN3kfyO9NxRyCBpaM
+Dz3F5uOD2a/Ut0LV/+/RJMHIvjoeZ0FA0dBEZCgP38gTiXZYx+/RuyZ2ZMx81uo3
+jchluojHRUpLNSiQkmbTNe86rqNztKuUkQZhqImj/M1XxbpIQqdRuugh/B2/um3n
+H7Sxj8LoYRvZDIYoCD8GHcDK2ybxjfnboJwyOvr258vazqVAj7yfWFuBjP0qfnON
+InoR1AparLl2vaapHm1NO77vTQkYITWPioWFjKuxfNQ7AgMBAAGjUzBRMB0GA1Ud
+DgQWBBQvlNeRfCuEm1mJeoQVX4oJ78JL3zAfBgNVHSMEGDAWgBQvlNeRfCuEm1mJ
+eoQVX4oJ78JL3zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA+
+MU+rJQH3cACCtHg9pIMfeNVpfix3VpiLBxjjsFvmKmsvZRre+hk2jhykVr2b5r4W
+RWhBhZeCa1s8QXq/YnY4I2oVeK3FTy417XI79okOUylzrqAgMJfvnigjQCz1N64I
+AbFpWqSwLGBezSFvxjkJtk7GuVEXBuD7REqZHfu6ksV9Axhv2pr6YFiGJMgsG3yC
+JI2hfkGjAIdqoguZc/qWJC7Vx8rYi/hoq+U+WHOsGD6C9/AMCGmlVQpdqYdw7g3+
+6+pwIqK1lSIhEP5WzJR3QawVqc9q4Wxnz7BYMo6/qpVpBSzhW4qPy0Gsx8Pa27OD
+4nAEqYAYpUMeLOzmpjyy
+-----END CERTIFICATE-----
diff --git a/shallow-server/ssl/nextcloud.key b/shallow-server/ssl/nextcloud.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+UfZFIMu1yWLr
+dWxH71WusFt832LUi8c28hzfFB0yg9q6Lhm/8peCqvldXq0t3/zGpTIwoHpmyQ9n
+iiJXtwZYoYAtN3kfyO9NxRyCBpaMDz3F5uOD2a/Ut0LV/+/RJMHIvjoeZ0FA0dBE
+ZCgP38gTiXZYx+/RuyZ2ZMx81uo3jchluojHRUpLNSiQkmbTNe86rqNztKuUkQZh
+qImj/M1XxbpIQqdRuugh/B2/um3nH7Sxj8LoYRvZDIYoCD8GHcDK2ybxjfnboJwy
+Ovr258vazqVAj7yfWFuBjP0qfnONInoR1AparLl2vaapHm1NO77vTQkYITWPioWF
+jKuxfNQ7AgMBAAECggEBAKJyjTVWF+rzmVaHJMSF2enAqGZ+ufnX0VPp9pDGt2E9
+wH24CcyYAZDL5Qs4W7NTg4v+x0dQQwnmxhpHgqbCF02hlCmENwPVW8VS4NFvVCL6
+g2yfdkU9kuKLBiZpTcaDjFCPZkY7Nixgqlcl8jgSd9GNPJHtHpszFlJqGUzZmJOP
+HY0dSnhxfqIheHAgixuvcB/WT2RzqpAowpXDWaAXhFFtETgEpT/ckU2FIWsKS7qV
+l7A9vZk9k0WWQCNvVI/pkz2SZrg4R3q2nLk5gnuSz2/qDvt7pPUgK18MA7oK0Sj2
+Wij5z6VYN/rgdxFxsouZ6iF3j59muqEZ2ZKwb0uI8tkCgYEA5WV/aPwYkSZOGqKZ
++6RbkcacG2R41B6YXW0+IlVwk5+nv6U1yURI8/LWJ2r5oVX0Z7XsNtoFfkArPT8j
+uHyPFZuHPLDcWoH89Y9xnq+mXdaX+/AYKMea2rebeDdnUFl9aFZcEUewZ4vKcPDq
+GYZ143THOJElpjD5OWpqUvIB8M0CgYEA1GRWDcAEfwaBazePJ9AFyqCHvwFI2jGZ
+JZYecnBwpWg04rheKV0+sVOyuCHbBeMfQRzNWnYp8zUZG/F+g0FDWETMIauUn4PT
+AEZcOTamqPPo+iwo18asmaDth5zfcjpvESijnYgNCBTb2iHXw8c6eYhO64mVxEhd
+fTxkE+jhuScCgYEAwpRTfJPJquVY/tLJ1l/VpFNZewrASv0gtK7DM5BRi4azXaYf
+d3dKglKLQKhG0oj8ZTQ1B1nrqul3Q95YyFYvcF6aWeqTHtp/3TMtZzMK5THvfS5s
+77pQKhHv+ArWwZsG+we11JqAkXRL5X0UtU4OlT8q9Vp5Gv0TiZYwVecdqkkCgYAb
+dL0LGf96zER+r7f51ZJqF0Z1Ep1wV2kMytM0yARH3ai4hkzl2//2vHMmCnpd0HaB
+3E9Pmmbh4cNVMWrBXPZvurUIxT15QXlNV8skOkRhIubDMGI3Qp+dXIhYN5dLFPK2
+rSI5gxTsLoYdNLLHxEFy5IQPPsH1lcVAI0ZsrHZBkQKBgEyW0iUdIdIZDGR2R+wX
+NOnRfIN8o8Y4YUTLA6bkV6NPSHkz6l5kO27W36CO0+xmQWS4AH/4hpIgZBZZ4J/t
+XRf8zYRVGuAVZnlXMl4N8D8HZigRwCoP2UgrIUuC7aXB2WEu0ZZ2nWngws8vBOFf
+a6aexBOQw4Qgl6Mh3Ecw+7hP
+-----END PRIVATE KEY-----
diff --git a/shallow-server/ssl/ssl-params.conf b/shallow-server/ssl/ssl-params.conf
@@ -0,0 +1,16 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
+
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
+Header always set X-Frame-Options DENY
+Header always set X-Content-Type-Options nosniff
+# Requires Apache >= 2.4
+SSLCompression off 
+SSLSessionTickets Off
+SSLUseStapling on 
+SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+
+SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"