11. Configuration files (full)
Frontend Caddyfile
# Global Options Block
# Applies to every site in this (frontend) Caddyfile.
{
	# General Options
	# Raises the log level to DEBUG for all loggers, so request and TLS details land
	# in the log output. NOTE(review): useful while bringing the setup up; noisy and
	# chatty about internals once it is in service — drop it after that.
	debug
}
# ACME Server
# Private certificate authority for the *.roadrunner backend names. The backend
# Caddyfile points its acme_ca / acme_ca_root global options at this host.
acme.roadrunner {
	# Exposes an ACME directory backed by Caddy's local CA (the backend uses the
	# /acme/local/directory endpoint).
	acme_server
	# This host's own certificate comes from the same local CA, so ACME clients must
	# trust that CA's root — the backend ships it as acme_ca_root.
	tls internal
}
### REVERSE PROXY
## Nextcloud
# Public entry point: terminates TLS for the public name and forwards everything over
# HTTPS to the backend Caddy, whose certificate is issued by acme.roadrunner above.
# NOTE(review): this host must trust the local CA's root for the upstream certificate
# to verify — Caddy installs it into the host trust store when `tls internal` is used;
# confirm that happened here.
nextcloud.example.com {
	reverse_proxy https://nextcloud.roadrunner {
		# The backend site block is keyed on nextcloud.roadrunner, so Host is rewritten
		# to the upstream address instead of being passed through.
		# NOTE(review): Nextcloud therefore sees nextcloud.roadrunner as its host unless it
		# is configured to honour the proxy's forwarded headers (trusted_proxies /
		# overwritehost in config.php) — confirm, otherwise generated links and the
		# trusted_domains check use the backend name.
		header_up Host {upstream_hostport}
	}
}
## Bitwarden
# Public entry point for Bitwarden; same pattern as the Nextcloud block above.
bitwarden.example.com {
	reverse_proxy https://bitwarden.roadrunner {
		header_up Host {upstream_hostport}
	}
	# Hides the admin panel from the public side. Caddy orders `respond` before
	# `reverse_proxy` and `respond` does not fall through, so /admin* never reaches the
	# upstream no matter where this line sits in the block. The panel itself is still
	# enabled on the backend (ADMIN_TOKEN is set in the compose file), so it stays
	# reachable by anything that can talk to bitwarden.roadrunner directly.
	respond /admin* "The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it"
}
Backend Caddyfile
# Global Options Block
# Applies to every site in this (backend) Caddyfile.
{
	# General Options
	# DEBUG-level logging for all loggers; see the note in the frontend Caddyfile.
	debug
	# TLS Options
	# Certificates for the *.roadrunner names are requested from the frontend's
	# private ACME server (the acme.roadrunner site block) rather than a public CA.
	acme_ca https://acme.roadrunner/acme/local/directory
	# Root certificate of that private CA, used to verify the ACME endpoint itself.
	# NOTE(review): must be the exported root of the frontend's local CA and has to be
	# replaced if that CA is ever regenerated — confirm how it is kept in sync.
	acme_ca_root /etc/ssl/certs/root.crt
}
# Nextcloud and Collabora
# Backend site behind the public nextcloud.example.com (the frontend rewrites Host to
# this name). Collabora paths go to the collabora container, a fixed list of internal
# paths is hidden, and everything else is served from the shared web root via PHP-FPM.
nextcloud.roadrunner {
	encode gzip
	# enable HSTS
	# The frontend reverse_proxy passes response headers through, so this reaches
	# browsers of nextcloud.example.com as well. (The trailing ';' ends up in the header
	# value; the HSTS grammar tolerates an empty trailing directive.)
	header Strict-Transport-Security max-age=31536000;
	@collabora {
		path /loleaflet/* # Loleaflet is the client part of LibreOffice Online
		path /hosting/discovery # WOPI discovery URL
		path /hosting/capabilities # Show capabilities as json
		path /lool/* # Main websocket, uploads/downloads, presentations
	}
	handle @collabora {
		# The collabora container publishes 9980 on this host and terminates TLS itself
		# (--o:ssl.enable=true in its compose environment).
		reverse_proxy https://127.0.0.1:9980 {
			# The public name is sent so Collabora builds its discovery/client URLs for the
			# public hostname rather than for this backend name. NOTE(review): inferred —
			# confirm against the `domain` setting in the compose file.
			header_up Host "nextcloud.example.com"
			transport http {
				# Collabora's certificate is self-generated, so verification is disabled for
				# this loopback-only hop. NOTE(review): letting Caddy terminate TLS instead
				# (ssl.termination=true on the Collabora side, plain http upstream here)
				# would remove the need to skip verification.
				tls_insecure_skip_verify
			}
		}
	}
	# .htaccess / data / config / ... shouldn't be accessible from outside
	# Paths inside the web root that must never be served directly: the data directory
	# (which lives under the web root unless NEXTCLOUD_DATA_DIR is set), config.php, and
	# the CLI entry points.
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}
	handle @forbidden {
		# 404 rather than 403 also avoids confirming that these paths exist.
		respond 404
	}
	handle {
		# Same host path that the nextcloud container mounts as its web root
		# (${NEXTCLOUD_ROOT}/html with NEXTCLOUD_ROOT=/var/www), so static files are
		# served straight from disk.
		root * /var/www/html
		# PHP-FPM inside the nextcloud container, published on the host's port 9000.
		php_fastcgi 127.0.0.1:9000 {
			# Tells nextcloud to remove /index.php from URLs in links
			env front_controller_active true
		}
		file_server
	}
}
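# Bitwarden
# Backend site behind the public bitwarden.example.com (the frontend rewrites Host to
# this name and answers /admin* itself before requests get here).
bitwarden.roadrunner {
	header {
		# Enable cross-site filter (XSS) and tell browser to block detected attacks
		# NOTE(review): X-XSS-Protection is deprecated and ignored by current browsers;
		# current guidance (OWASP) is to omit it or set it to "0", because the auditor it
		# enables has caused problems of its own — consider dropping it.
		X-XSS-Protection "1; mode=block"
		# Disallow the site to be rendered within a frame (clickjacking protection)
		X-Frame-Options "DENY"
		# Prevent search engines from indexing (optional)
		X-Robots-Tag "none"
		# HSTS, matching what the nextcloud.roadrunner site already sends. The frontend
		# passes response headers through, so the public name gets it too.
		# NOTE(review): safe to pin for a year as long as the frontend keeps Caddy's
		# automatic HTTP->HTTPS redirect (nothing in its global options disables it).
		Strict-Transport-Security "max-age=31536000"
	}
	# Notifications proxied to the websockets server
	# Exact path match: /notifications/hub/negotiate is not matched here and falls
	# through to the Rocket handler below, which is where it belongs.
	handle /notifications/hub {
		reverse_proxy /notifications/hub 127.0.0.1:3012 {
			header_up Host "bitwarden.example.com"
		}
	}
	# Proxy everything else to Rocket
	handle {
		# Plain HTTP to the container port published on this host.
		reverse_proxy 127.0.0.1:8080 {
			# The application sees the public name — presumably so generated links use
			# the public domain rather than this backend name.
			header_up Host "bitwarden.example.com"
		}
	}
}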
Backend docker-compose files
~/nextcloud/docker-compose.yml
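version: '3.7'
networks:
  nextcloud:
services:
  nextcloud:
    # image: nextcloud:fpm
    # Local build: nextcloud:fpm plus smbclient (see nc_smb_image/Dockerfile).
    build: ./nc_smb_image
    container_name: nextcloud
    restart: unless-stopped
    networks:
      - nextcloud
    ports:
      # PHP-FPM's FastCGI port. Only the host's Caddy uses it (php_fastcgi 127.0.0.1:9000),
      # so bind it to loopback: FastCGI has no authentication of its own and must not be
      # reachable from other hosts.
      - "127.0.0.1:9000:9000"
    volumes:
      # Web root shared with the host so Caddy's file_server can serve static files from
      # the same path (/var/www/html on both sides with NEXTCLOUD_ROOT=/var/www).
      - ${NEXTCLOUD_ROOT}/html:/var/www/html
      # NOTE(review): only meaningful together with NEXTCLOUD_DATA_DIR below; while that
      # stays commented out the data directory remains at /var/www/html/data, which the
      # backend Caddy's @forbidden matcher hides.
      - ${NEXTCLOUD_ROOT}/data:/srv/nextcloud/data
    depends_on:
      - mariadb
    environment:
      # Unquoted on purpose: in list-form `environment` entries compose passes quotes to
      # the container literally, so '${NEXTCLOUD_FQDN}' would have set the domain wrapped
      # in single quotes, which cannot match the Host header.
      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_FQDN}
      # - NEXTCLOUD_DATA_DIR=/srv/nextcloud/data
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_HOST=nextcloud-mariadb
  mariadb:
    # NOTE(review): unpinned tag — pin a major version (or a digest) so a routine pull
    # cannot silently move the database to a new major release.
    image: mariadb
    container_name: nextcloud-mariadb
    restart: unless-stopped
    networks:
      - nextcloud
    volumes:
      - ${NEXTCLOUD_ROOT}/mariadb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
  collabora:
    # NOTE(review): unpinned tag — see the mariadb note.
    image: collabora/code
    container_name: nextcloud-collabora
    restart: unless-stopped
    networks:
      - nextcloud
    ports:
      # Reached only by the host's Caddy (reverse_proxy https://127.0.0.1:9980); keeping
      # it on loopback means Collabora — including its admin console — is only reachable
      # through the proxy.
      - "127.0.0.1:9980:9980"
    volumes:
      # Read-only: nothing in the container needs to write these.
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    environment:
      # Credentials for Collabora's admin console.
      - username=admin
      - password=${COLLABORA_PASSWORD}
      # Allowed WOPI host(s). NOTE(review): Collabora reads this as a regular expression,
      # so unescaped dots match any character — escape them if exact matching is wanted.
      - domain=${NEXTCLOUD_FQDN}
      # NOTE(review): "du" does not look like a language code — "de" (German)?
      - dictionaries=en nl du fr
      # Collabora serves TLS itself with a self-generated certificate, which is why the
      # backend Caddy proxies it with tls_insecure_skip_verify. Since the hop is
      # loopback-only, ssl.enable=false plus ssl.termination=true with a plain-http
      # reverse_proxy would avoid disabling certificate verification.
      - extra_params=--o:ssl.enable=true --o:ssl.termination=false # Set SSL options
    cap_add:
      - MKNOD
    tty: true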
~/nextcloud/nc_smb_image/Dockerfile
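# nextcloud:fpm with smbclient added — presumably for Nextcloud's SMB/CIFS external
# storage support. NOTE(review): the base image is unpinned; pin a version tag so
# rebuilds are reproducible and upgrades are deliberate.
FROM nextcloud:fpm
# --no-install-recommends keeps the added surface to the one package wanted; removing
# the apt lists keeps stale package indexes out of the image layer.
RUN apt-get update -y \
    && apt-get install -y --no-install-recommends smbclient \
    && rm -rf /var/lib/apt/lists/*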
~/nextcloud/.env
# Values substituted into ~/nextcloud/docker-compose.yml. This file holds credentials:
# keep it out of version control and readable only by the account that runs compose.
# Host directory whose html/, data/ and mariadb/ subdirectories are mounted into the containers.
NEXTCLOUD_ROOT=/var/www
# NOTE(review): not referenced by the compose file shown — possibly unused.
NEXTCLOUD_IPADDRESS=nextcloud ip address
# Public name; used for NEXTCLOUD_TRUSTED_DOMAINS and as Collabora's allowed domain.
NEXTCLOUD_FQDN=nextcloud.example.com
# NOTE(review): the compose file uses NEXTCLOUD_FQDN for Collabora's domain, not this one.
COLLABORA_FQDN=nextcloud.example.com
MYSQL_ROOT_PASSWORD=your very difficult password
MYSQL_PASSWORD=your also very difficult password
# Password of Collabora's admin console (username "admin").
COLLABORA_PASSWORD=your yet another difficult password
~/bitwarden_rs/docker-compose.yml
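version: "3"
services:
  bitwardenrs:
    restart: unless-stopped
    # Dani Garcia image https://github.com/dani-garcia/bitwarden_rs
    # NOTE(review): the project has since been renamed to vaultwarden and publishes as
    # vaultwarden/server; verify this image still receives updates, and pin a version
    # tag instead of :latest either way.
    image: "bitwardenrs/server:latest"
    container_name: bitwardenrs
    environment:
      - TZ=Europe/Amsterdam # Timezone settings, important for Fail2ban to work
      - LOG_FILE=/data/bitwarden.log # Logging connection attempts
      # Boolean values are written without quotes: compose passes quotes in list-form
      # `environment` entries to the container literally, so the server would otherwise
      # receive the string 'false' (quotes included) rather than false. For
      # SIGNUPS_ALLOWED and SHOW_PASSWORD_HINT that could mean the hardening silently
      # does not apply, depending on how the server parses such a value.
      - EXTENDED_LOGGING=true
      - LOG_LEVEL=warn
      - ROCKET_WORKERS=20
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false # Hardening a bit
      - DISABLE_ADMIN_TOKEN=false
      # Secret for the admin panel. NOTE(review): the Nextcloud stack keeps its secrets
      # in a .env file; this one should move there too rather than live in the compose file.
      - ADMIN_TOKEN=some very long and complicated super secret password string
      - SHOW_PASSWORD_HINT=false
      - DISABLE_ICON_DOWNLOAD=true
      # NOTE(review): DOMAIN (the public URL) is not set; the server uses it for generated
      # links and some 2FA flows — confirm whether it is needed with this proxy setup.
    networks:
      - bitwarden_net
    ports:
      # Only the host's Caddy connects here (127.0.0.1:8080 and 127.0.0.1:3012), so bind
      # to loopback instead of all interfaces; otherwise the unproxied HTTP service is
      # reachable from the network, bypassing the headers and the /admin* block the
      # Caddy front adds.
      - 127.0.0.1:8080:80
      - 127.0.0.1:3012:3012
    volumes:
      # Persistent data, including the log file named in LOG_FILE.
      - /opt/bitwarden_rs/bw-data:/data
networks:
  bitwarden_net: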