前回nextcloudの移行で試行錯誤していたら、気づいたら数か月経っていた。経っていたに。
おさらい
事前準備
前回の記事参照
nextcloud用のdockerを作成
drwxr-xr-x 2 nextcloud_docker users 4096 6月 29 00:19 cert
drwxr-xr-x 4 200081 200081 4096 3月 25 10:26 data
-rw-r--r-- 1 nextcloud_docker users 107 2月 27 00:32 db.env
-rw-r--r-- 1 nextcloud_docker root 2106 6月 28 06:02 docker-compose.yml
-rw-r--r-- 1 nextcloud_docker users 7797 6月 29 00:21 nginx.conf
db.env
---
MYSQL_ROOT_PASSWORD=********
MYSQL_PASSWORD=********
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
docker-compose.yml
---
version: '3'
services:
db:
image: mariadb:10.5
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
restart: always
volumes:
- ./data/db:/var/lib/mysql
environment:
- MARIADB_AUTO_UPGRADE=1
- MARIADB_DISABLE_UPGRADE_BACKUP=1
env_file:
- db.env
ports:
- 23306:3306
redis:
image: redis:alpine
restart: always
app:
image: nextcloud:fpm-alpine
restart: always
volumes:
- ./data/nextcloud:/var/www/html
environment:
- MYSQL_HOST=db
- REDIS_HOST=redis
- PHP_MEMORY_LIMIT=4096M
- PHP_UPLOAD_LIMIT=4096M
env_file:
- db.env
depends_on:
- db
- redis
web:
image: nginx
restart: always
ports:
- 28080:80
- 20443:443
volumes:
- ./data/nextcloud:/var/www/html:ro
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- ./cert:/etc/letsencrypt/live/******.jp:ro
depends_on:
- app
cron:
image: nextcloud:fpm-alpine
restart: always
volumes:
- ./data/nextcloud:/var/www/html
entrypoint: /cron.sh
depends_on:
- db
- redis
volumes:
db:
nextcloud:
nginx.conf
---
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
# Prevent nginx HTTP Server Detection
server_tokens off;
keepalive_timeout 65;
upstream php-handler {
server app:9000;
}
server {
listen 80;
# SSL configuration
#
listen 443 ssl default_server;
#listen [::]:443 ssl default_server;
#ssl_certificate /etc/nginx/server.crt;
#ssl_certificate_key /etc/nginx/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_certificate /etc/letsencrypt/live/******.jp/nginx.pem;
ssl_certificate_key /etc/letsencrypt/live/******.jp/nginx.key;
server_name ******.jp;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
}
動作確認
docker-compose -H unix:///run/user/1004/docker.sock up
これで初期状態までは行けた
現行nextcloudからデータ引き継ぎ
現行サーバーからバックアップ作成
dbデータ
mysqldump --single-transaction -h localhost -u nextcloud -p nextcloud > nextcloud-sqlbkp.bak
dataファイル
sudo tar zcvf /mnt/4Traid1/nextcloud_data_20230713.tar.gz /mnt/4Traid1/nextcloud/data
バックアップデータを復元してみる
https://docs.nextcloud.com/server/latest/admin_manual/maintenance/index.html
https://docs.nextcloud.com/server/latest/admin_manual/maintenance/migrating.html#
dbデータ
mysql -h localhost --port=23306 -u root -p nextcloud < nextcloud-sqlbkp.bak
dataファイル
tar.gzを展開すると
sudo ls -l /mnt/backuparea/mnt/4Traid1/nextcloud/data/
合計 136064
drwxr-xr-x 7 www-data root 4096 2月 17 2019 admin
-rw-r--r-- 1 www-data root 0 2月 12 2022 index.html
drwxr-xr-x 4 www-data www-data 4096 2月 13 2022 kodi
-rw-r----- 1 www-data www-data 14385806 6月 18 19:18 nextcloud.log
-rw-r----- 1 www-data www-data 124743392 2月 7 2020 nextcloud.log.1
drwxr-xr-x 5 www-data www-data 4096 3月 9 2022 pf
のような感じ。 これを/mnt/backuparea/に上書きする
ls -l /mnt/backuparea/nextcloud_test/data/nextcloud/data/
合計 8
-rw-r--r-- 1 200081 200081 0 7月 13 10:36 index.html
-rw-r----- 1 200081 200081 5563 7月 13 10:36 nextcloud.log
sudo mv /mnt/backuparea/nextcloud_test/data/nextcloud/data /mnt/backuparea/nextcloud_test/data/nextcloud/data.org
/mnt/backuparea/mnt/4Traid1/nextcloud$ sudo mv data /mnt/backuparea/nextcloud_test/data/nextcloud/
$ sudo chown 200081 -R /mnt/backuparea/nextcloud_test/data/nextcloud/data
$ sudo chgrp 200081 -R /mnt/backuparea/nextcloud_test/data/nextcloud/data
起動
インストールウィザード
adminはadmin2にした
アップデートが動くのでしばらく待つ
ダッシュボード
セキュリティ&セットアップ警告
一見動いていそうだけど、チェックかけるとたくさん出てきたOrz
occ db:add-missing-indices
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it nextcloud_test_app_1 sudo -u www-data /bin/php occ db:add-missing-indices
OCI runtime exec failed: exec failed: unable to start container process: exec: "sudo": executable file not found in $PATH: unknown
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it nextcloud_test_app_1 php occ db:add-missing-indices
Console has to be executed with the user that owns the file config/config.php
Current user id: 0
Owner id of config.php: 82
Try adding 'sudo -u #82' to the beginning of the command (without the single quotes)
If running with 'docker exec' try adding the option '-u 82' to the docker command (without the single quotes)
sudoコマンドが使えない
こちらを参考にして実行するユーザーを選択した
https://qiita.com/tabimoba/items/c5467432d1a635f9ce5b
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:add-missing-indices
Check indices of the share table.
Check indices of the filecache table.
Adding additional size index to the filecache table, this can take some time...
Filecache table updated successfully.
Adding additional size index to the filecache table, this can take some time...
Filecache table updated successfully.
Adding additional path index to the filecache table, this can take some time...
Filecache table updated successfully.
Check indices of the twofactor_providers table.
Check indices of the login_flow_v2 table.
Check indices of the whats_new table.
Check indices of the cards table.
Adding cards_abiduri index to the cards table, this can take some time...
cards table updated successfully.
Check indices of the cards_properties table.
Check indices of the calendarobjects_props table.
Adding calendarobject_calid_index index to the calendarobjects_props table, this can take some time...
calendarobjects_props table updated successfully.
Check indices of the schedulingobjects table.
Adding schedulobj_principuri_index index to the schedulingobjects table, this can take some time...
schedulingobjects table updated successfully.
Check indices of the oc_properties table.
Adding properties_path_index index to the oc_properties table, this can take some time...
Adding properties_pathonly_index index to the oc_properties table, this can take some time...
oc_properties table updated successfully.
Check indices of the oc_jobs table.
Adding job_lastcheck_reserved index to the oc_jobs table, this can take some time...
oc_properties table updated successfully.
Check indices of the oc_direct_edit table.
Adding direct_edit_timestamp index to the oc_direct_edit table, this can take some time...
oc_direct_edit table updated successfully.
Check indices of the oc_preferences table.
Adding preferences_app_key index to the oc_preferences table, this can take some time...
oc_properties table updated successfully.
Check indices of the oc_mounts table.
occ db:add-missing-primary-keys
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:add-missing-primary-keys
Check primary keys.
Adding primary key to the federated_reshares table, this can take some time...
federated_reshares table updated successfully.
Adding primary key to the systemtag_object_mapping table, this can take some time...
systemtag_object_mapping table updated successfully.
Adding primary key to the comments_read_markers table, this can take some time...
comments_read_markers table updated successfully.
Adding primary key to the collres_resources table, this can take some time...
collres_resources table updated successfully.
Adding primary key to the collres_accesscache table, this can take some time...
collres_accesscache table updated successfully.
Adding primary key to the filecache_extended table, this can take some time...
filecache_extended table updated successfully.
occ db:add-missing-columns
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:add-missing-columns
Check columns of the comments table.
Adding additional reference_id column to the comments table, this can take some time...
Comments table updated successfully.
occ db:convert-filecache-bigint
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:convert-filecache-bigint
Following columns will be updated:
* federated_reshares.share_id
* filecache.mtime
* filecache.storage_mtime
* filecache_extended.fileid
* files_trash.auto_id
* mounts.storage_id
* mounts.root_id
* mounts.mount_id
* share_external.id
* share_external.parent
This can take up to hours, depending on the number of files in your instance!
Continue with the conversion (y/n)? [n] y
オレオレ証明書からLet’s Encryptへ
今までと同じように、Let’s Encryptを使用させていただく。ありがたや。
80と443を使用するのか・・・。ポート変換もだめ?
https://letsencrypt.org/ja/docs/challenge-types/
https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal&tab=standard
https://snapcraft.io/docs/installing-snap-on-linux-mint
nginxインストール
ここを参考に
https://zenn.dev/hitoshiro/articles/b8170ec36d1f01
sudo apt install nginx
sudo cat /etc/nginx/conf.d/conf.conf
server{
listen 80;
server_name ****.mydns.jp;
root /var/www/html;
}
これで、とりあえずのnginxは用意した。
certbotのインストール
https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal&tab=standard
インストールは上記サイトの通り
sudo certbot --nginx
で、cretbotさんがconfigに追記してくれた
sudo cat /etc/nginx/conf.d/conf.conf
server{
server_name ****.mydns.jp;
root /var/www/html;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/****.mydns.jp/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/****.mydns.jp/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server{
if ($host = ****.mydns.jp) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ****.mydns.jp;
return 404; # managed by Certbot
}
証明書の取得
deno@blackcore:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ****.mydns.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ****.mydns.jp
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/****.mydns.jp/fullchain.pem
Key is saved at: /etc/letsencrypt/live/****.mydns.jp/privkey.pem
This certificate expires on 2023-12-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for ****.mydns.jp to /etc/nginx/conf.d/conf.conf
Congratulations! You have successfully enabled HTTPS on https://****.mydns.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
自動更新のテスト
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/****.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for ****.mydns.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/****.mydns.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
次回更新も自動でやってくれるらしい
deno@blackcore:~$ sudo systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
<略>
Sun 2023-09-24 09:54:00 JST 11h left n/a n/a snap.certbot.renew.timer snap.certbot.renew.service
へー便利。
証明書をdocker上のnginxから参照する
良いやり方が思いつかなかったので、単純に変更があったらコピーして所有者変更・コンテナ再起動を実施
cat chk_cert.sh
#!/bin/bash
#-----------------------------------------------------------------
# certbotが保存するcertの保存先
source_dir="/etc/letsencrypt/live/****.mydns.jp/"
# docker上のnginxの参照先
target_dir="/mnt/backuparea/nextcloud_test/cert/"
# コピー先を参照するユーザー名
target_username="nextcloud_docker"
#-----------------------------------------------------------------
# 更新フラグ
update_required=false
# ファイルの比較と更新
for file in "$source_dir"/*
do
# echo "$file"
# ファイル名を抽出
filename=$(basename "$file")
# 対応するファイルパスをターゲットディレクトリから取得
target_file="$target_dir/$filename"
# ファイルが存在しないか、差分がある場合に更新
if [ ! -e "$target_file" ] || ! cmp -s "$file" "$target_file"
then
cp "$file" "$target_file"
chown "$target_username" "$target_file"
# echo "ファイル $filename を更新しました。"
update_required=true
fi
done
# 更新がある場合にnginxを再起動する
if [ "$update_required" = true ]
then
/mnt/backuparea/nextcloud_test/chk_cert_restart.sh
echo "更新によるリスタートしました。"
else
echo "更新なし"
fi
cat chk_cert_restart.sh
#!/bin/bash
#dockerコンテナの再起動
sudo -u nextcloud_docker /bin/bash -c "cd /mnt/backuparea/nextcloud_test && docker-compose -H unix:///run/user/1004/docker.sock restart"
自動更新(コピー)する
今までcronしか使ったことがなかったので、systemdのtimerを使ってみる
https://gamingpc.one/dev/systemd-timer-cheat/
https://wiki.archlinux.jp/index.php/Systemd/タイマー
$ cat /etc/systemd/system/docker-nextcloud.cert.renew.service
[Unit]
Description=Docker NextCloud Cert Renew
RefuseManualStart=no
RefuseManualStop=yes
[Service]
Type=oneshot
ExecStart=/mnt/backuparea/nextcloud_test/chk_cert.sh
$ cat /etc/systemd/system/docker-nextcloud.cert.renew.timer
[Unit]
Description=Docker NextCloud Cert Renew
[Timer]
OnBootSec=5min
OnUnitActiveSec=1d
[Install]
WantedBy=timers.target
有効にするには
sudo systemctl daemon-reload
sudo systemctl enable docker-nextcloud.cert.renew.timer
sudo systemctl start docker-nextcloud.cert.renew.timer
sudo systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
(略)
Mon 2023-09-25 08:49:01 JST 23h left Sun 2023-09-24 08:49:01 JST 2min 7s ago docker-nextcloud.cert.renew.timer docker-nextcloud.cert.renew.service
これでOKなはず!