2023年9月24日日曜日

ホームサーバーの環境移行(5)

前回nextcloudの移行で試行錯誤していたら、気づいたら数か月経っていた。経っていたに。

おさらい

事前準備

前回の記事参照

nextcloud用のdockerを作成

drwxr-xr-x 2 nextcloud_docker users  4096  6月 29 00:19 cert
drwxr-xr-x 4           200081 200081 4096  3月 25 10:26 data
-rw-r--r-- 1 nextcloud_docker users   107  2月 27 00:32 db.env
-rw-r--r-- 1 nextcloud_docker root   2106  6月 28 06:02 docker-compose.yml
-rw-r--r-- 1 nextcloud_docker users  7797  6月 29 00:21 nginx.conf
db.env 
---
MYSQL_ROOT_PASSWORD=********
MYSQL_PASSWORD=********
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
docker-compose.yml 
---
version: '3'

services:
  db:
    image: mariadb:10.5
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    restart: always
    volumes:
      - ./data/db:/var/lib/mysql
    environment:
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    env_file:
      - db.env
    ports:
      - 23306:3306

  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - ./data/nextcloud:/var/www/html
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - PHP_MEMORY_LIMIT=4096M
      - PHP_UPLOAD_LIMIT=4096M
    env_file:
      - db.env
    depends_on:
      - db
      - redis

  web:
    image: nginx
    restart: always
    ports:
      - 28080:80
      - 20443:443
    volumes:
      - ./data/nextcloud:/var/www/html:ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./cert:/etc/letsencrypt/live/******.jp:ro
    depends_on:
      - app

  cron:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - ./data/nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

volumes:
  db:
  nextcloud:
nginx.conf 
---
worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # Prevent nginx HTTP Server Detection
    server_tokens   off;

    keepalive_timeout  65;

    upstream php-handler {
        server app:9000;
    }

    server {
        listen 80;

	# SSL configuration
	#
	listen 443 ssl default_server;
	#listen [::]:443 ssl default_server;
 	#ssl_certificate /etc/nginx/server.crt;
	#ssl_certificate_key /etc/nginx/server.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers HIGH:!aNULL:!MD5;
	ssl_certificate     /etc/letsencrypt/live/******.jp/nginx.pem;
	ssl_certificate_key /etc/letsencrypt/live/******.jp/nginx.key;
	
	server_name ******.jp;


        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;

        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"   always;
        add_header X-Content-Type-Options               "nosniff"       always;
        add_header X-Download-Options                   "noopen"        always;
        add_header X-Frame-Options                      "SAMEORIGIN"    always;
        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
        add_header X-Robots-Tag                         "none"          always;
        add_header X-XSS-Protection                     "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

動作確認

docker-compose -H unix:///run/user/1004/docker.sock up

これで初期状態までは行けた

現行nextcloudからデータ引き継ぎ

現行サーバーからバックアップ作成

dbデータ

  • mysqldump
mysqldump --single-transaction -h localhost -u nextcloud -p nextcloud > nextcloud-sqlbkp.bak

dataファイル

sudo tar zcvf /mnt/4Traid1/nextcloud_data_20230713.tar.gz /mnt/4Traid1/nextcloud/data

バックアップデータを復元してみる

https://docs.nextcloud.com/server/latest/admin_manual/maintenance/index.html
https://docs.nextcloud.com/server/latest/admin_manual/maintenance/migrating.html#

dbデータ

  • import
mysql -h localhost --port=23306 -u root -p nextcloud < nextcloud-sqlbkp.bak 
  • oc_storagesの変更

dataファイル

tar.gzを展開すると

sudo ls -l  /mnt/backuparea/mnt/4Traid1/nextcloud/data/
合計 136064
drwxr-xr-x  7 www-data root          4096  2月 17  2019 admin
-rw-r--r--  1 www-data root             0  2月 12  2022 index.html
drwxr-xr-x  4 www-data www-data      4096  2月 13  2022 kodi
-rw-r-----  1 www-data www-data  14385806  6月 18 19:18 nextcloud.log
-rw-r-----  1 www-data www-data 124743392  2月  7  2020 nextcloud.log.1
drwxr-xr-x  5 www-data www-data      4096  3月  9  2022 pf

のような感じ。 これを/mnt/backuparea/に上書きする

ls -l /mnt/backuparea/nextcloud_test/data/nextcloud/data/
合計 8
-rw-r--r-- 1 200081 200081    0  7月 13 10:36 index.html
-rw-r----- 1 200081 200081 5563  7月 13 10:36 nextcloud.log
sudo mv /mnt/backuparea/nextcloud_test/data/nextcloud/data /mnt/backuparea/nextcloud_test/data/nextcloud/data.org
/mnt/backuparea/mnt/4Traid1/nextcloud$ sudo mv data /mnt/backuparea/nextcloud_test/data/nextcloud/
$ sudo chown 200081 -R /mnt/backuparea/nextcloud_test/data/nextcloud/data
$ sudo chgrp 200081 -R /mnt/backuparea/nextcloud_test/data/nextcloud/data

起動

インストールウィザード

adminはadmin2にした



アップデートが動くのでしばらく待つ



ダッシュボード



セキュリティ&セットアップ警告

一見動いていそうだけど、チェックかけるとたくさん出てきたOrz



occ db:add-missing-indices
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it nextcloud_test_app_1 sudo -u www-data /bin/php occ db:add-missing-indices
OCI runtime exec failed: exec failed: unable to start container process: exec: "sudo": executable file not found in $PATH: unknown
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it nextcloud_test_app_1 php occ db:add-missing-indices
Console has to be executed with the user that owns the file config/config.php
Current user id: 0
Owner id of config.php: 82
Try adding 'sudo -u #82' to the beginning of the command (without the single quotes)
If running with 'docker exec' try adding the option '-u 82' to the docker command (without the single quotes)

sudoコマンドが使えない
こちらを参考にして実行するユーザーを選択した
https://qiita.com/tabimoba/items/c5467432d1a635f9ce5b

nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:add-missing-indices
Check indices of the share table.
Check indices of the filecache table.
Adding additional size index to the filecache table, this can take some time...
Filecache table updated successfully.
Adding additional size index to the filecache table, this can take some time...
Filecache table updated successfully.
Adding additional path index to the filecache table, this can take some time...
Filecache table updated successfully.
Check indices of the twofactor_providers table.
Check indices of the login_flow_v2 table.
Check indices of the whats_new table.
Check indices of the cards table.
Adding cards_abiduri index to the cards table, this can take some time...
cards table updated successfully.
Check indices of the cards_properties table.
Check indices of the calendarobjects_props table.
Adding calendarobject_calid_index index to the calendarobjects_props table, this can take some time...
calendarobjects_props table updated successfully.
Check indices of the schedulingobjects table.
Adding schedulobj_principuri_index index to the schedulingobjects table, this can take some time...
schedulingobjects table updated successfully.
Check indices of the oc_properties table.
Adding properties_path_index index to the oc_properties table, this can take some time...
Adding properties_pathonly_index index to the oc_properties table, this can take some time...
oc_properties table updated successfully.
Check indices of the oc_jobs table.
Adding job_lastcheck_reserved index to the oc_jobs table, this can take some time...
oc_properties table updated successfully.
Check indices of the oc_direct_edit table.
Adding direct_edit_timestamp index to the oc_direct_edit table, this can take some time...
oc_direct_edit table updated successfully.
Check indices of the oc_preferences table.
Adding preferences_app_key index to the oc_preferences table, this can take some time...
oc_properties table updated successfully.
Check indices of the oc_mounts table.
occ db:add-missing-primary-keys
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:add-missing-primary-keys
Check primary keys.
Adding primary key to the federated_reshares table, this can take some time...
federated_reshares table updated successfully.
Adding primary key to the systemtag_object_mapping table, this can take some time...
systemtag_object_mapping table updated successfully.
Adding primary key to the comments_read_markers table, this can take some time...
comments_read_markers table updated successfully.
Adding primary key to the collres_resources table, this can take some time...
collres_resources table updated successfully.
Adding primary key to the collres_accesscache table, this can take some time...
collres_accesscache table updated successfully.
Adding primary key to the filecache_extended table, this can take some time...
filecache_extended table updated successfully.
occ db:add-missing-columns
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:add-missing-columns
Check columns of the comments table.
Adding additional reference_id column to the comments table, this can take some time...
Comments table updated successfully.
occ db:convert-filecache-bigint
nextcloud_docker@blackcore:/mnt/backuparea/nextcloud_test$ docker -H unix:///run/user/1004/docker.sock exec -it -u 82 nextcloud_test_app_1 php occ db:convert-filecache-bigint
Following columns will be updated:

* federated_reshares.share_id
* filecache.mtime
* filecache.storage_mtime
* filecache_extended.fileid
* files_trash.auto_id
* mounts.storage_id
* mounts.root_id
* mounts.mount_id
* share_external.id
* share_external.parent

This can take up to hours, depending on the number of files in your instance!
Continue with the conversion (y/n)? [n] y

オレオレ証明書からLet’s Encryptへ

今までと同じように、Let’s Encryptを使用させていただく。ありがたや。
80と443を使用するのか・・・。ポート変換もだめ?

https://letsencrypt.org/ja/docs/challenge-types/

https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal&tab=standard

https://snapcraft.io/docs/installing-snap-on-linux-mint

nginxインストール

ここを参考に
https://zenn.dev/hitoshiro/articles/b8170ec36d1f01

sudo apt install nginx
sudo cat /etc/nginx/conf.d/conf.conf

server{

  listen  80;
  server_name ****.mydns.jp;
  root  /var/www/html;

}

これで、とりあえずのnginxは用意した。

certbotのインストール

https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal&tab=standard

インストールは上記サイトの通り

sudo certbot --nginx

で、cretbotさんがconfigに追記してくれた

sudo cat /etc/nginx/conf.d/conf.conf

server{
  server_name ****.mydns.jp;
  root  /var/www/html;

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/****.mydns.jp/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/****.mydns.jp/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server{
    if ($host = ****.mydns.jp) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen  80;
  server_name ****.mydns.jp;
  return 404; # managed by Certbot
}

証明書の取得

deno@blackcore:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ****.mydns.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ****.mydns.jp

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/****.mydns.jp/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/****.mydns.jp/privkey.pem
This certificate expires on 2023-12-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for ****.mydns.jp to /etc/nginx/conf.d/conf.conf
Congratulations! You have successfully enabled HTTPS on https://****.mydns.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

自動更新のテスト

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/****.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for ****.mydns.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/****.mydns.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

次回更新も自動でやってくれるらしい

deno@blackcore:~$ sudo systemctl list-timers
NEXT                        LEFT               LAST                        PASSED             UNIT                         ACTIVATES                     
<略>
Sun 2023-09-24 09:54:00 JST 11h left           n/a                         n/a                snap.certbot.renew.timer     snap.certbot.renew.service

へー便利。

証明書をdocker上のnginxから参照する

良いやり方が思いつかなかったので、単純に変更があったらコピーして所有者変更・コンテナ再起動を実施

cat chk_cert.sh 
#!/bin/bash

#-----------------------------------------------------------------
# certbotが保存するcertの保存先
source_dir="/etc/letsencrypt/live/****.mydns.jp/"

# docker上のnginxの参照先
target_dir="/mnt/backuparea/nextcloud_test/cert/"

# コピー先を参照するユーザー名
target_username="nextcloud_docker"

#-----------------------------------------------------------------


# 更新フラグ
update_required=false

# ファイルの比較と更新
for file in "$source_dir"/*
do
    # echo "$file"
    # ファイル名を抽出
    filename=$(basename "$file")

    # 対応するファイルパスをターゲットディレクトリから取得
    target_file="$target_dir/$filename"

    # ファイルが存在しないか、差分がある場合に更新
    if [ ! -e "$target_file" ] || ! cmp -s "$file" "$target_file"
    then
        cp "$file" "$target_file"
        chown "$target_username" "$target_file"
        # echo "ファイル $filename を更新しました。"
        update_required=true
    fi
done

# 更新がある場合にnginxを再起動する
if [ "$update_required" = true ]
then
    /mnt/backuparea/nextcloud_test/chk_cert_restart.sh
    echo "更新によるリスタートしました。"
else
    echo "更新なし"
fi


cat chk_cert_restart.sh 
#!/bin/bash

#dockerコンテナの再起動
sudo -u nextcloud_docker /bin/bash -c "cd /mnt/backuparea/nextcloud_test && docker-compose -H unix:///run/user/1004/docker.sock restart"

自動更新(コピー)する

今までcronしか使ったことがなかったので、systemdのtimerを使ってみる
https://gamingpc.one/dev/systemd-timer-cheat/
https://wiki.archlinux.jp/index.php/Systemd/タイマー

$ cat /etc/systemd/system/docker-nextcloud.cert.renew.service 
[Unit]
Description=Docker NextCloud Cert Renew
RefuseManualStart=no
RefuseManualStop=yes

[Service]
Type=oneshot
ExecStart=/mnt/backuparea/nextcloud_test/chk_cert.sh
$ cat /etc/systemd/system/docker-nextcloud.cert.renew.timer 
[Unit]
Description=Docker NextCloud Cert Renew

[Timer]
OnBootSec=5min
OnUnitActiveSec=1d

[Install]
WantedBy=timers.target

有効にするには

sudo systemctl daemon-reload
sudo systemctl enable docker-nextcloud.cert.renew.timer
sudo systemctl start docker-nextcloud.cert.renew.timer
sudo systemctl list-timers
NEXT                        LEFT               LAST                        PASSED             UNIT                              ACTIVATES                          
(略)
Mon 2023-09-25 08:49:01 JST 23h left           Sun 2023-09-24 08:49:01 JST 2min 7s ago        docker-nextcloud.cert.renew.timer docker-nextcloud.cert.renew.service

これでOKなはず!

0 件のコメント:

コメントを投稿