selfhosted-apps-docker's Issues

Increase security by adding __Host- prefix hardening

I believe you already mentioned this in your Reddit post, but the only issue with the current configuration is that Nextcloud Security Scan says that "__Host-Prefix" isn't enabled.

A solution to this should ideally be found.

__Host-Prefix

The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of 'normal' same-site cookies.
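The rules behind that scan finding are small enough to check by hand. The following is an added example (not code from this repository or from Nextcloud) that parses Set-Cookie headers and applies the browser-enforced prefix rules: `__Secure-` needs `Secure`; `__Host-` additionally forbids `Domain` and requires `Path=/`. The sample headers are constructed for illustration; the cookie names are not claimed to match what any particular Nextcloud version emits.

```python
"""Check Set-Cookie headers against the __Host- / __Secure- cookie prefix rules.

Added example; not code from the repository or from Nextcloud. The sample
headers below are constructed, not captured from a real instance.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieCheck:
    name: str
    prefix: str | None                      # "__Host-", "__Secure-" or None
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def check_cookie_prefix(header: str) -> CookieCheck:
    """Apply the prefix rules browsers enforce (RFC 6265bis cookie prefixes).

    __Secure-  requires the Secure attribute.
    __Host-    requires Secure, forbids Domain, and requires Path=/.

    A cookie whose name carries a prefix but violates its rule is rejected by
    the browser outright, which is what makes the prefix a guarantee: a
    __Host- cookie the browser accepted is host-only and was set over HTTPS,
    so a sibling subdomain cannot inject or overwrite it.
    """
    name, _value, attrs = parse_set_cookie(header)
    result = CookieCheck(name=name, prefix=None)
    if name.startswith("__Host-"):
        result.prefix = "__Host-"
    elif name.startswith("__Secure-"):
        result.prefix = "__Secure-"
    else:
        # No prefix: any host under the same registrable domain can set a
        # cookie with this name for the parent domain and shadow this one.
        result.problems.append("no __Host- prefix; injectable from sibling subdomains")
        return result

    if "secure" not in attrs:
        result.problems.append("missing Secure")
    if result.prefix == "__Host-":
        if "domain" in attrs:
            result.problems.append("Domain attribute not allowed with __Host-")
        if attrs.get("path") != "/":
            result.problems.append("Path must be exactly '/' with __Host-")
    return result


# Constructed Set-Cookie headers in the style of a PHP app behind a reverse proxy.
SAMPLE_HEADERS = [
    "oc_sessionPassphrase=abc123; Path=/; HttpOnly; SameSite=Lax",
    "__Host-nc_sameSiteCookielax=true; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-bad=1; Path=/; Domain=example.com; HttpOnly",
    "__Secure-ok=1; Path=/; Secure",
]


def audit(headers: list[str]) -> dict[str, list[str]]:
    """Map cookie name -> problems; an empty list means the cookie passes."""
    return {c.name: c.problems for c in map(check_cookie_prefix, headers)}


if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not problems else '; '.join(problems)}")
```

Because `__Host-` implies `Secure`, an application can only add the prefix to cookies it believes it is setting over HTTPS. Behind a TLS-terminating reverse proxy that belief depends on the proxy forwarding the scheme and the application trusting it, which for Nextcloud is what `overwriteprotocol` in config.php controls; run the check above against the headers of a real response (e.g. from `curl -sI`) after changing it.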

Too many requests

Hi! I'm getting "Too many requests" after a fresh install.
I have removed Nextcloud from my phone(s) and also from my PC, but I'm still getting this. How do I change this value?

Typo "meshcrentral" should be "meshcentral"

Hello how are you doing! Glad to see that your repository has been growing since it was first introduced. Don't know if you took some inspiration from my repo, but I'm so glad to have been inspired by you originally! Don't know if you're interested in another wiki but a recent one I tried was this, outline-wiki

Anyways I spotted some typo screenshotted below

image
image

tor hidden service support

I am wondering how one would add support for another domain in the Caddyfile? What do I have to keep in mind with the tor config? The following did not work:

torrc:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

xyz123.onion:80 nextcloud.{$MY_DOMAIN} {
    reverse_proxy nextcloud-web:80
    header Strict-Transport-Security max-age=31536000;
    ...
}

Nextcloud warning for webfinger and nodeinfo

I added the following lines to Caddyfile

redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

'nginx.conf' needs to be written as suggested in Nextcloud manual.

    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$uri;
    }

Security warning "X-Robots-Tag"

Change the line in nginx.conf from
add_header X-Robots-Tag "none" always;
to
add_header X-Robots-Tag "noindex, nofollow" always;

From Nextcloud v26.0, it does not recognize "none" as "noindex, nofollow".
They are equivalent based on Nginx server manual.
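Both this issue and the `.well-known` one above are the kind of thing Nextcloud's setup check reports after the proxy config changes, and both are easy to verify from outside. The following is an added example (not code from this repository or from Nextcloud's own checks) that probes the four `.well-known` redirects the nginx block above is meant to produce, without following them, and evaluates an `X-Robots-Tag` value two ways: the spec reading, where `none` equals `noindex, nofollow`, and the strict reading this issue attributes to Nextcloud 26, which wants the two literal directives. The "fake" responses are constructed; `live_fetcher` does real requests against a base URL you supply.

```python
"""Offline-testable versions of two Nextcloud setup-check style warnings.

Added example; not code from the repository or from Nextcloud's own checks.
Redirect targets come from the nginx/Caddy rules in the posts above; the
"fake" responses are constructed, not captured from a real server.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Path -> redirect target the .well-known rules above are meant to produce.
EXPECTED_REDIRECTS = {
    "/.well-known/carddav": "/remote.php/dav/",
    "/.well-known/caldav": "/remote.php/dav/",
    "/.well-known/webfinger": "/index.php/.well-known/webfinger",
    "/.well-known/nodeinfo": "/index.php/.well-known/nodeinfo",
}

# A fetcher takes a path and returns (status, lower-cased headers) WITHOUT
# following redirects, so the Location the server sent can be inspected.
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # make urllib raise HTTPError for 3xx instead of following


def live_fetcher(base_url: str) -> Fetcher:
    """Build a fetcher that talks to a real instance, e.g. https://cloud.example."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> Tuple[int, Dict[str, str]]:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, {k.lower(): v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:
            return err.code, {k.lower(): v for k, v in err.headers.items()}

    return fetch


def check_well_known(fetch: Fetcher) -> Dict[str, str | None]:
    """Return path -> None when the redirect is correct, else a description.

    Absolute and relative Location values are both accepted, as are all the
    redirect status codes a proxy might use.
    """
    results: Dict[str, str | None] = {}
    for path, target in EXPECTED_REDIRECTS.items():
        status, headers = fetch(path)
        location = headers.get("location", "")
        if status not in (301, 302, 307, 308):
            results[path] = f"expected a redirect, got HTTP {status}"
        elif urlsplit(location).path.rstrip("/") != target.rstrip("/"):
            results[path] = f"redirects to {location!r}, expected {target!r}"
        else:
            results[path] = None
    return results


def x_robots_blocks_indexing(value: str, strict: bool = True) -> bool:
    """Does this X-Robots-Tag value keep the instance out of search indexes?

    The robots directive spec defines "none" as equivalent to
    "noindex, nofollow". With strict=True the function insists on the two
    literal directives (the reading the issue above attributes to Nextcloud
    26), so "none" passes only with strict=False.
    """
    directives = {d.strip().lower() for d in value.split(",") if d.strip()}
    # An optional "botname:" prefix may precede the first directive.
    directives = {d.split(":", 1)[-1].strip() for d in directives}
    if not strict and "none" in directives:
        return True
    return {"noindex", "nofollow"} <= directives


# Constructed responses imitating the nginx rules above, with nodeinfo left
# unconfigured on purpose so one check fails.
_FAKE_RESPONSES = {
    "/.well-known/carddav": (301, {"location": "https://cloud.example/remote.php/dav/"}),
    "/.well-known/caldav": (301, {"location": "/remote.php/dav/"}),
    "/.well-known/webfinger": (301, {"location": "/index.php/.well-known/webfinger"}),
}


def fake_fetcher(path: str) -> Tuple[int, Dict[str, str]]:
    return _FAKE_RESPONSES.get(path, (404, {}))


if __name__ == "__main__":
    for path, problem in check_well_known(fake_fetcher).items():
        print(path, "ok" if problem is None else problem)
    for value in ("none", "noindex, nofollow"):
        print(repr(value), "strict:", x_robots_blocks_indexing(value),
              "lenient:", x_robots_blocks_indexing(value, strict=False))
```

Against a real instance, `check_well_known(live_fetcher("https://nextcloud.example"))` exercises the proxy and nginx layers exactly as the setup check does; keeping the two fetchers separate is what lets the redirect table be tested without a server.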

Problem with Nextcloud Database on Raspberry Pi 4

I'm having an issue where my database container restarts with the following error:

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    911
User gid:    911
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing... 
[cont-init.d] 30-config: exited 0.
[cont-init.d] 40-initialise-db: executing... 
[cont-init.d] 40-initialise-db: exited 0.
[cont-init.d] 99-custom-scripts: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
ifelse: fatal: unable to exec --transaction-isolation=READ-COMMITTED: No such file or directory
[cmd] --transaction-isolation=READ-COMMITTED exited 127
Caught SIGTERM signal!
cat: /var/run/mysqld/mysqld.pid: No such file or directory
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I followed the tutorial quite closely. Here is my docker-compose.yml. The only modification is the different MariaDB image for the Raspberry Pi architecture.

version: '3'
services:

  nextcloud-db:
    image: linuxserver/mariadb:arm32v7-latest
    container_name: nextcloud-db
    hostname: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./nextcloud-data-db:/var/lib/mysql

  nextcloud-redis:
    image: redis:5.0.9-alpine
    container_name: nextcloud-redis
    hostname: nextcloud-redis
    restart: unless-stopped

  nextcloud-app:
    image: nextcloud:fpm-alpine
    container_name: nextcloud-app
    hostname: nextcloud-app
    restart: unless-stopped
    env_file: .env
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    volumes:
      - ./nextcloud-data/:/var/www/html

  nextcloud-web:
    image: nginx:alpine
    container_name: nextcloud-web
    hostname: nextcloud-web
    restart: unless-stopped
    volumes:
      - ./nextcloud-data/:/var/www/html:ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro

  nextcloud-cron:
    image: nextcloud:fpm-alpine
    container_name: nextcloud-cron
    hostname: nextcloud-cron
    restart: unless-stopped
    volumes:
      - ./nextcloud-data/:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - nextcloud-db
      - nextcloud-redis

networks:
  default:
    external:
      name: $DOCKER_MY_NETWORK

My .env file:

# GENERAL
MY_DOMAIN=nextcloud.mydomain.com
DOCKER_MY_NETWORK=master
TZ=America/New_York

# NEXTCLOUD-MARIADB
MYSQL_ROOT_PASSWORD=<big_password>
MYSQL_PASSWORD=<big_password>
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud

# NEXTCLOUD
MYSQL_HOST=nextcloud-db
REDIS_HOST=nextcloud-redis

# USING SENDGRID FOR SENDING EMAILS
#MAIL_DOMAIN=nextcloud.mydomain.com
#MAIL_FROM_ADDRESS=nextcloud
#SMTP_SECURE=ssl
#SMTP_HOST=smtp.sendgrid.net
#SMTP_PORT=465
#SMTP_NAME=apikey
#SMTP_PASSWORD=<sendgrid-api-key-goes-here>

Any ideas? I can get to the Nextcloud "Create admin account" page, but after that I get the error:

Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: Name does not resolve

Collabora Support

I've been working on getting Collabora going with Nextcloud. I'm struggling with the Built-In CODE server and also deploying my own with Docker. Have you worked on this at all?

Nextcloud Talk – High Performance Backend (Signaling Server)

This repository has been such a great help to me building a private Nextcloud server. Its very thought out and extremely well documented. Thanks a lot!

Is there any chance you are going to add the High Performance Backend / standalone signaling server for Nextcloud Talk (Spread) to your setup? It allows for calls with 10-50 participants. Struktur-AG open-sourced it in May and is now also offering instructions for docker use.

Thanks for considering and all the work you put in this repo.

[Feature Request] Cockpit example

So far I figured out it needs extra-hosts in docker-compose :

extra_hosts:
  - "host.docker.internal:host-gateway"

The following config in caddy:

cockpit.example.com {
    reverse_proxy host.docker.internal:9090
}

/etc/cockpit/cockpit.conf:

[WebService]
# Origins must match the scheme and host the browser actually uses
Origins = https://cockpit.example.com wss://cockpit.example.com
AllowUnencrypted = true
ProtocolHeader = X-Forwarded-Proto

As a bonus this will showcase how to expose local non-docker apps.

Maybe also mention ufw / firewall

On Raspberry Pi 4

First of all, thanks for the guide.

I tried to implement this on an rpi4 by changing the image from "mariadb" to "tobi312/rpi-mariadb:latest" since mariadb doesn't support arm natively. Except for that, I touched nothing.

I couldn't create the Nextcloud administrative account and keep getting the following error.

"SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: Try again"

Thanks in advance for any help.

Nextcloud, can it be setup on a different VM, how?

I think a good setup is having a small VM with this system and the small servers too (dnsmasq and so on), then for serious/bigger servers I wish to use different VMs, even on different physical machines.

Nextcloud of course is one of them, how would I need to change the settings to achieve this?

Bitwardenrs LAN Access

Thanks for the walkthrough, easy to follow and I'm able to use Caddy to access the bitwardenrs container from outside the network. Much appreciated. However, I'm not able to connect within the network via LAN.

I can see the homepage when using 192.168.1.8:8023, but receive an error message "This Browser requires HTTPS to use the web vault". So, I tried using https://192.168.1.8:8023, but that results in a Secure Connection Failed PR_END_OF_FILE_ERROR. What settings are needed in Caddy for network access? yml and Caddy files are below. What is needed in Caddy to generate the cert for local access?

Also, using the passwd.mywebsite.com when in network says "The connection has timed out". Can you use the domain address while in network or are you forced to use a local IP?

Both Caddy and Bitwardenrs are on the same machine.

yml File

version: '3.7'
networks:
  default:
    external:
      name: $DEFAULT_NETWORK
services:
  caddy:
    image: caddy/caddy
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8023:8023
    environment:
      - MY_DOMAIN
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./data:/data
      - ./config:/config

  bitwardenrs:
    container_name: bitwarden
    image: bitwardenrs/server:latest
    hostname: bitwarden
    volumes:
      - /share/appdata/bitwarden-data/:/data/
    ports:
      - 8023:80
      - 3012:3012
    env_file: .env
    restart: unless-stopped

.env:

MY_DOMAIN=mywebsite.com
DEFAULT_NETWORK=caddy_net
TZ=America/New_York

# BITWARDEN
ADMIN_TOKEN= randomkey
SIGNUPS_ALLOWED=false
WEBSOCKET_ENABLED=true

Caddyfile:

# Bitwarden via website
passwd.{$MY_DOMAIN} {
    header / {
       X-XSS-Protection "1; mode=block"
       X-Frame-Options "DENY"
       X-Robots-Tag "none"
       -Server
    }
    encode gzip
    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}

# Bitwarden local 
localhost:8023 {
    header / {
       X-XSS-Protection "1; mode=block"
       X-Frame-Options "DENY"
       X-Robots-Tag "none"
       -Server
    }
    encode gzip
    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}
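One thing worth noticing in the compose file above before touching the Caddyfile: both `caddy` and `bitwardenrs` publish host port 8023, and `bitwardenrs` also publishes 80 and 3012 itself. Docker will only allow one container to bind a given host port, and any port a backend publishes directly answers plain HTTP straight into the container, with none of Caddy's TLS or headers in front of it. The following is an added example (not code from this repository) that flags both patterns; the port table is the posted compose file transcribed by hand rather than parsed from YAML.

```python
"""Audit host-port publishing in a compose file fronted by a reverse proxy.

Added example; not code from the repository. The port table below is the
compose file from the post above transcribed by hand, not parsed from YAML.
"""
from __future__ import annotations

from collections import defaultdict


def parse_port(spec: str | int) -> tuple[str, str, str]:
    """Normalise a short-syntax port mapping to (host_ip, host_port, container_port).

    Accepts "80", "8023:80", "127.0.0.1:8023:80" and "3012:3012/tcp".
    A missing host port means Docker chooses a random one.
    """
    text = str(spec).split("/", 1)[0]
    parts = text.split(":")
    if len(parts) == 1:
        return "0.0.0.0", "", parts[0]
    if len(parts) == 2:
        return "0.0.0.0", parts[0], parts[1]
    return parts[0], parts[1], parts[2]


def audit_published_ports(services: dict[str, list[str | int]],
                          proxy: str) -> dict[str, list[str]]:
    """Return findings per service name.

    * the same host ip:port published by two services: Docker refuses the
      second bind ("port is already allocated"), so whichever container
      starts first wins and the other fails to start
    * any service other than the proxy publishing a port: that port answers
      directly, without the proxy's TLS, headers or access rules
    """
    findings: dict[str, list[str]] = defaultdict(list)
    owners: dict[tuple[str, str], list[str]] = defaultdict(list)
    for svc, ports in services.items():
        for spec in ports:
            ip, hport, cport = parse_port(spec)
            if hport:
                owners[(ip, hport)].append(svc)
            if svc != proxy:
                findings[svc].append(
                    f"publishes container port {cport} on {ip}:{hport or '<random>'}, "
                    f"bypassing {proxy}")
    for (ip, hport), svcs in owners.items():
        if len(svcs) > 1:
            for svc in svcs:
                others = ", ".join(s for s in svcs if s != svc)
                findings[svc].append(f"host port {ip}:{hport} also published by {others}")
    return dict(findings)


# Port mappings from the posted docker-compose.yml (constructed table).
POSTED_SERVICES = {
    "caddy": ["80:80", "443:443", "8023:8023"],
    "bitwardenrs": ["8023:80", "3012:3012"],
}

if __name__ == "__main__":
    for svc, notes in audit_published_ports(POSTED_SERVICES, proxy="caddy").items():
        for note in notes:
            print(f"{svc}: {note}")
```

When a container sits on the proxy's Docker network, the proxy reaches it by service name (`bitwarden:80` in the Caddyfile above) and the container needs no `ports:` of its own; the audit comes back empty once only the proxy publishes ports.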

Suggest: Seafile with WebDAV-functionality & Snikketchat

Could you provide dockerfile + caddyfile for Seafile with WebDAV functionality & Snikketchat please?

I've tried a few things now, but it doesn't work that well with Seafile + WebDAV + Caddy. Same with Snikketchat.

I came across this project by chance today while searching for the Seafile problem. It's really great that something like this exists. Perfect for learning. Many thanks for that.

Feature request: LDAP authentication

Hi,

first I'd like to thank you for your effort to share this guide, I find it really helpful to get started with Caddy+docker . Much appreciated.

Is it possible to add support for LDAP authentication? For example I have some accounts created at JumpCloud, and would like to use the username/password from JumpCloud for authentication to protect a service behind Caddy.

Update to Nextcloud+Redis>=6

I've been experimenting with transitioning to Redis>6. Here are the changes I had to make to your setup:

users.acl:

user default on >SOME_STRONG_PASSWORD ~* &* +@all 

redis.conf (note: incomplete; these are just the modifications I found were required):

...
bind nextcloud-redis  # bind to redis container-name
...
aclfile /run/secrets/ACL_SECRET_NAME
...

docker-compose.yml

secrets:
  ACL_SECRET_NAME:
    file: ./users.acl

services:
  nextcloud-redis:
    image: redis:alpine
    container_name: nextcloud-redis
    secrets:
      - ACL_SECRET_NAME
    command: redis-server /usr/local/etc/redis/redis.conf
    volumes:
      - ./redis.conf:/usr/local/etc/redis/redis.conf
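The ACL file above works, but it stores the password in cleartext and leaves the `default` user with every command. Redis's ACL syntax also accepts `#<sha256 hex>` in place of `>cleartext`, and lets you switch a user `off`. The following is an added example (not code from this repository or from Redis) that generates a user line with the hashed form and lints an ACL file for the weak spots. The `nextcloud` user name and the `-@dangerous -@admin` exclusions are assumptions: check the exclusions against the commands your application really issues before relying on them.

```python
"""Generate and lint Redis 6+ ACL file entries.

Added example; not code from the repository. The ACL lines are constructed
for illustration; the -@dangerous/-@admin exclusions are an assumption to be
checked against the commands the application really issues.
"""
from __future__ import annotations

import hashlib
import secrets


def generate_password(nbytes: int = 32) -> str:
    """A random URL-safe password for a Redis user."""
    return secrets.token_urlsafe(nbytes)


def hashed_password_rule(password: str) -> str:
    """ACL token storing the password as its SHA-256 hex digest (#<hex>).

    Redis accepts `>cleartext` or `#<sha256 hex>`; the hashed form keeps the
    cleartext out of users.acl, so the file can be mounted as a secret or
    committed without exposing the credential.
    """
    return "#" + hashlib.sha256(password.encode()).hexdigest()


def make_user_line(user: str, password: str, keys: str = "~*",
                   channels: str = "&*", commands: str = "+@all") -> str:
    """Compose one `user ...` line for an aclfile."""
    return f"user {user} on {hashed_password_rule(password)} {keys} {channels} {commands}"


def lint_acl(text: str) -> dict[str, list[str]]:
    """Flag rules that weaken authentication or hand out full command access.

    Disabled users (`off`) are skipped. Reported: nopass; no password rule at
    all; cleartext `>password`; `+@all`/`allcommands` with no `-...`
    exclusion; and the default user keeping full access instead of being
    turned off in favour of a per-application user.
    """
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        user, rules = parts[1], parts[2:]
        if "off" in rules:
            continue
        problems: list[str] = []
        if "nopass" in rules:
            problems.append("nopass: any password (or none) authenticates")
        elif not any(r.startswith((">", "#")) for r in rules):
            problems.append("no password rule: user cannot AUTH (probably a mistake)")
        if any(r.startswith(">") for r in rules):
            problems.append("cleartext password in ACL file; prefer #<sha256>")
        broad = "allcommands" in rules or "+@all" in rules
        narrowed = any(r.startswith("-") for r in rules)
        if broad and not narrowed:
            problems.append("+@all with no exclusions (e.g. -@dangerous -@admin)")
        if user == "default" and broad:
            problems.append("default user has full access; use a dedicated user and set default off")
        if problems:
            findings[user] = problems
    return findings


# The users.acl line from the post above, and a hardened alternative with a
# constructed password. A user is defined on a single line, so the two
# variants are kept as separate files rather than one.
POSTED_ACL = "user default on >SOME_STRONG_PASSWORD ~* &* +@all"
HARDENED_ACL = "\n".join([
    "user default off",
    make_user_line("nextcloud", "correct-horse-battery-staple",
                   commands="+@all -@dangerous -@admin"),
])

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(label, lint_acl(acl) or "clean")
    print(make_user_line("nextcloud", generate_password()))
```

Turn `default` off only after the application authenticates as the new user; the cleartext password still has to reach the client side (the app's Redis settings), so the hashed form protects the ACL file, not the secret as a whole.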

Bitwarden_rs renamed to vaultwarden image outdated

Hello DoTheEvo Senpai,

It's now best to use image: vaultwarden/server:latest for the latest container image inside the docker-compose.yml since bitwarden_rs got renamed to vaultwarden.

The newer stuff has cool new features such as "emergency access", which is like a dead man's switch!

P.S. I see that you also dove in to jellyfin as well! Welcome to the club!

Basicauth with tls

TLS is not working with basic auth. Do you have any example of how to use basicauth with the TLS challenge?

{"level":"error","ts":1616969230.677829,"logger":"tls","msg":"job failed","error":"domain.com: obtaining certificate: [domain.com] Obtain: [domain.com] solving challenges: [domain.com] context canceled (order=https://acme-v02.api.letsencrypt.org/acme/order/111281218/8727418911) (ca=https://acme-v02.api.letsencrypt.org/directory)"}

Remove outdated WebSocket configuration from Vaultwarden guide

WebSockets are enabled by default from version 1.29.0 wiki, and it's not necessary now to configure them. Caddyfile is changed as well wiki

It'd be helpful to add a guide for proper ADMIN_TOKEN generation from here

Also, #31 could be closed as outdated and irrelevant

P.S.: Thank you for such useful and time-consuming work. It saved me tons of time setting up my home server.

Authentication example

Hi,

Thanks for the guides. It’s been a big help.

Would you consider adding something like Authelia or some type of auth.

Auth these days is a common question.

After backup/restore of the VM running this app, can't make work new domain

Hi, I installed this tool for the first time and it was working great. I created multiple VMs, and all is working fine. I haven't touched it for years, and now I am a bit rusty on how to fix things after a problem occurred while trying to install a home PBX on a new VM.

I use a Cloudflare CNAME pbx.mydomain.com forwarding to my internal Ubuntu VM where I installed caddy (192.169.1.19)

On a different VM (192.168.1.14) I installed a Ubuntu VM with fusionpbx PBX.

In the Caddyfile I added

pbx.{$MY_DOMAIN} {
    reverse_proxy 192.168.1.14
}

But when I point to pbx.adre.group I receive an
Error 525 SSL handshake failed

Any help?

p.s. I ran this

xxx@caddy19:~$ curl -svo /dev/null https://pbx.mydomain --connect-to ::87.xx.xx.xx 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
* Connecting to hostname: 87.xx.xx.xx
*   Trying 87.xx.xx.xx:443...
* TCP_NODELAY set
* Connected to 87.xx.xx.xx (87.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pbx.adre.group
*  start date: Dec 13 14:08:06 2021 GMT
*  expire date: Mar 13 14:08:05 2022 GMT
*  subjectAltName: host "pbx.adre.group" matched cert's "pbx.adre.group"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b700b1e9b0)
> GET / HTTP/2
> Host: pbx.adre.group
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 500
< server: Caddy
< content-length: 0
< date: Mon, 13 Dec 2021 17:01:57 GMT
<
* Connection #0 to host 87.18.222.75 left intact
claudio@caddy19:~$

Caddy version 2.6.2 > 2.7.5 for cloudflare dns challenge

I'm following the caddy_v2 guide, and wanting to add Cloudflare DNS challenge, When I docker compose up it eventually fails with:

126.7 2024/05/15 11:56:37 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/v2@v2.6.2
128.1 go: downloading github.com/caddy-dns/cloudflare v0.0.0-20240405130444-44030f9306f4
132.5 go: github.com/caddy-dns/cloudflare@upgrade (v0.0.0-20240405130444-44030f9306f4) requires github.com/caddyserver/caddy/v2@v2.7.5, not github.com/caddyserver/caddy/v2@v2.6.2
132.5 2024/05/15 11:56:43 [FATAL] exit status 1
------
failed to solve: process "/bin/sh -c xcaddy build     --with github.com/caddy-dns/cloudflare" did not complete successfully: exit code: 1

since it is quite clear in the output:

requires github.com/caddyserver/caddy/v2@v2.7.5, not github.com/caddyserver/caddy/v2@v2.6.2

I was able to fix by altering dockerfile-caddy/Dockerfile, replacing 2.6.2 with 2.7.5, and trying again.

This time it all works.

However, how do I know 2.7.5 is the best/latest/correct version? And also, will I need to continue manually incrementing this every time it gets "old"? Is there a way to simply replace with "latest" or is that ill-advised?

Thanks for all the guides and help!

"No such host" -- Docker DNS resolver cannot find 'nextcloud-web' container

I have the exact config for every file except for...

  • Caddyfile -- The nextcloud entry is the same except the caldav lines are commented out. This file includes other records for functioning apps
  • .env -- I removed the email section (I won't be using it)

I'm receiving this error:

{"level":"error","ts":1617762089.7528145,"logger":"http.log.error","msg":"dial tcp: lookup nextcloud-web on 127.0.0.11:53: no such host","request":{"remote_addr":"172.18.0.1:46694","proto":"HTTP/1.1","method":"GET","host":"nextcloud.domain.xyz","uri":"/status.php","headers":{"Authorization":["Basic dGxvbmdlc3Q6VXMUZPUlN1dUt2TEhuM2NoVXpJcFk2aEY4Vm9wVFVPOVhOcndxekhIYmYyZ29CcjJLNHJmeWxrOVZH"],"User-Agent":["Mozilla/5.0 (Linux) mirall/2.6.4-1 (Nextcloud)"],"Accept":["*/*"],"X-Request-Id":["d9bb0c03-8dbe-4363-ace2-cbfc751bb4b3"],"Connection":["Keep-Alive"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","proto_mutual":true,"server_name":"nextcloud.domain.xyz"}},"duration":0.00652746,"status":502,"err_id":"kschkyri1","err_trace":"reverseproxy.statusError (reverseproxy.go:783)"}

I have been troubleshooting but do not understand what could be causing this issue. Can you provide any suggestions?
