OMV5, Portainer, MariaDB, Nextcloud, Let's encrypt - how do I make it work?

Gozo · 21. Januar 2020

I got all parts - but can't put it together.

I managed so far:
OMV5 - up and running on a small HP proliant Server Gen 1 (!) - 1,2GHZ and 8 GB Ram - 2x250mb HDD and 2x1TB HDD - as Raid
Installed:
Portainer
MariaDB
Nextcloud
Let's engcrypt
A dyndns domain is working too

But - I watched nearly every part of Techno Dad - I see all videos - but nothing matches and I don't understand everything to the last piece.
Of course an video from scratch would be "my" solution - but now I need your help.

How do I make the right connection to get letsencrypt worked in that way, that my dyndns url is called properly on https (green lock in browser) and forwards to my nextcloud docker installation?

Morlan · 21. Januar 2020

Judging from the ports on which your containers are exposed there is a lot of messed up configs.
I suggest you delete the dockers and the corresponding folders and try this guide: https://forum.openmediavault.o…g-OMV-and-docker-compose/

pug_ster · 23. Januar 2020

Agreed. For mariadb, you can map ports: 3306:3306. Letsencrypt is the web server ported outside and should own 443 and 80. For me, I would map something like 2443:443 and 2080:80. Have your router route ports 443:2443 and 80:2080 respectively. That way, you can still use your OMV port server at port 80.

For nextcloud, you can map something like 3443:443 and 3080:443.

Morlan · 23. Januar 2020

if you use letsencrypt docker you don't have to expose any ports of nextcloud or mariadb in the host. The containers communicate via the internal docker network (if they are connected there, which they should)

igonixio · 26. Januar 2020

Hello,

i use follow setup: Portainer > MariaDB > Nextcloud > traefik
HowTo:
Basics:
- My home network has IP 192.168.178.1, Server on 192.168.178.191
- Need a DynDNS Service and a own Domain. I use selfhost.de with my domain and FRITZ!Box.
- Needs a port forwarding in your Router (for me: FRITZ!Box). Map Port 80 and 443 from Router to the server (on FRITZ!Box change the port for "FRITZ!Box https" to 444 or what you want).
- Data store in this example on /home/user
- You need a console (ssh or direct)
- a lot of coffee

First: MariaDB
- on console go to home directory

Spoiler anzeigen

- create the directory you need

Spoiler anzeigen

- create config files for traefik

Spoiler anzeigen

- copy this in traefik.yml

Spoiler anzeigen

Code

api:
  dashboard: true


entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"


providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false


certificatesResolvers:
  http:
    acme:
      email: your@mail.address
      storage: acme.json
      httpChallenge:
        entryPoint: http

Alles anzeigen

change the mail address on line 18
- bring docker to swarm mode

Spoiler anzeigen

- create the networks

Spoiler anzeigen

- go to portainer and click on the left side on "Secrets"
- create a new secret:

Spoiler anzeigen

- go to "Stacks"
- create a new Stack. Name: MariaDB. Copy the following code in Web Editor field:

Code

version: '3.3'


services:
  db:
    image: mariadb
    restart: unless-stopped
    deploy:
      replicas: 1
      placement:
        constraints: [node.role == manager]
    environment:
      MYSQL_USER: nextcloud
      MYSQL_DATABASE: nextcloud
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_PASSWORD_FILE: /run/secrets/db_dba_password
    secrets:
      - db_root_password
      - db_dba_password
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - type: bind
        source: /home/<your_user>/mariadb/database
        target: /var/lib/mysql
      - type: bind
        source: /home/<your_user>/mariadb/config
        target: /etc/mysql/conf.d
      - type: bind
        source: /etc/localtime
        target: /etc/localtime
    ports:
      - 3306:3306
    networks:
      - appnet


  adminer:
    image: adminer
    restart: unless-stopped
    ports:
      - 9001:8080
    networks:
      - appnet


  backup:
    image: dsteinkopf/backup-all-mysql:latest
    restart: unless-stopped
    environment:
      - BACKUP_INTERVAL=86400 #24h
      - BACKUP_FIRSTDELAY=180
      - MYSQL_HOST=192.168.178.191
      - MYSQL_PASSWORD_FILE=/run/secrets/db_root_password
    volumes:
      - type: bind
        source: /home/<your_user>/mariadb/backup
        target: /var/dbdumps
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
    secrets:
      - db_root_password
    networks:
      - appnet


secrets:
  db_root_password:
    external: true
  db_dba_password:
    external: true


networks:
  appnet:
    external: true

Alles anzeigen

under "Actions" click on "Deploy the stack"

After a few minutes MariaDB is ready. Test it in your browser. Go to 192.168.178.191:9001.

Spoiler anzeigen

Second: traefik
- go to console
- install apache2-utils

Spoiler anzeigen

- use this command to creat credentials for traeffic

Spoiler anzeigen

- go to portainer > Stacks > Add Stack
- Name: traefik, this code

Code

version: '3'


services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/<your_user>/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/<your_user>/traefik/data/acme.json:/acme.json
      - /home/<your_user>/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.tld`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.tld`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"


networks:
  proxy:
    external: true

Alles anzeigen

- change the domain on line 22 and 27. Change line 23, copy the credentials from console on USER:PASSWORD. Those credentials must be in htpasswd format.
- "Deploy the stack"
- visit traefik.domain.tld, you see the traefik dashboard

igonixio · 26. Januar 2020

Third: nextcloud
- on console create a database for nextcloud

Code

docker exec -it $(docker ps -f name=MariaDB_db -q) mysql -u root -p
### use your root password for MariaDB "db_root_password" ###


CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER nextcloud@'%' IDENTIFIED BY 'your-password'; # use the db_dba_password
GRANT ALL PRIVILEGES ON nextcloud.* to nextcloud@'%' IDENTIFIED BY 'your-password'; # use the db_dba_password
FLUSH PRIVILEGES;
exit;

- copy this to /home/<your_user>/traefik/nextcloud_conf_files/nginx.conf

Spoiler anzeigen

Code

worker_processes auto;


error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;




events {
    worker_connections  1024;
}




http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;


    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';


    access_log  /var/log/nginx/access.log  main;


    sendfile        on;
    #tcp_nopush     on;


    keepalive_timeout  65;


    #gzip  on;


    upstream php-handler {
        server nextcloud_app:9000;
    }


    server {
        listen 80;


        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;


        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;


        # Path to the root of your installation
        root /var/www/html;


        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }


        # The following 2 rules are only needed for the user_webfinger app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;


        # The following rule is only needed for the Social app.
        # Uncomment it if you're planning to use this app.
        #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;


        location = /.well-known/carddav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }


        location = /.well-known/caldav {
            return 301 $scheme://$host:$server_port/remote.php/dav;
        }


        # set max upload size
        client_max_body_size 10G;
        fastcgi_buffers 64 4K;


        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


        # Uncomment if your server is build with the ngx_pagespeed module
        # This module is currently not supported.
        #pagespeed off;


        location / {
            rewrite ^ /index.php;
        }


        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }


        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            # fastcgi_param HTTPS on;


            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;


            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }


        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }


        # Adding the cache control header for js, css and map files
        # Make sure it is BELOW the PHP block
        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            # Add headers to serve security related headers (It is intended to
            # have those duplicated to the ones above)
            # Before enabling Strict-Transport-Security headers please read into
            # this topic first.
            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;


            # Optional: Don't log access to assets
            access_log off;
        }


        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
            try_files $uri /index.php$request_uri;
            # Optional: Don't log access to other assets
            access_log off;
        }
    }
}

Alles anzeigen

igonixio · 26. Januar 2020

- portainer > Stacks > Add Stack
- Name: nextcloud, this code

Code

version: '3'


services:
  redis:
    image: redis:alpine
    restart: unless-stopped
    labels:
     - traefik.enable=false
    networks:
      - nextcloud


  app:
    image: nextcloud:fpm-alpine
    restart: unless-stopped
    labels:
      - traefik.enable=false
    volumes:
      - /home/<your_user>/nextcloud/html/:/var/www/html
      - /home/<your_user>/nextcloud/data/:/var/www/html/data
      - /home/<your_user>/nextcloud/config/:/var/www/html/config
      - /etc/localtime:/etc/localtime:ro
    user: 33:33
    environment:
      - MYSQL_HOST=192.168.178.191
      - MYSQL_PASSWORD=use the db_dba_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - REDIS_HOST=redis
    depends_on:
      - redis
    networks:
      - nextcloud


  cron:
    image: nextcloud:fpm-alpine
    restart: unless-stopped
    labels:
     - traefik.enable=false
    volumes:
      - /home/<your_user>/nextcloud/html/:/var/www/html
      - /home/<your_user>/nextcloud/data/:/var/www/html/data
      - /home/<your_user>/nextcloud/config/:/var/www/html/config
      - /etc/localtime:/etc/localtime:ro
    entrypoint: /cron.sh
    depends_on:
      - redis
    networks:
      - nextcloud


  web:
    image: nginx:alpine
    restart: unless-stopped
    ports:
      - 8080:80
    volumes:
      - /home/<your_user>/nextcloud/html/:/var/www/html
      - /home/<your_user>/traefik/nextcloud_conf_files/nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud_nginx.entrypoints=http"
      - "traefik.http.routers.nextcloud_nginx.rule=Host(`sub.domain.tld`)"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud_nginx.middlewares=https-redirect"
      - "traefik.http.routers.nextcloud_nginx-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud_nginx-secure.rule=Host(`sub.domain.tld`)"
      - "traefik.http.middlewares.nc-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nc-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
      - "traefik.http.middlewares.nc-rep.redirectregex.permanent=true"
      - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
      - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
      - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
      - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.nextcloud_nginx-secure.middlewares=nc-rep,nc-header"
      - "traefik.http.routers.nextcloud_nginx-secure.tls=true"
      - "traefik.http.routers.nextcloud_nginx-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud_nginx-secure.service=nextcloud_nginx"
      - "traefik.http.services.nextcloud_nginx.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
    depends_on:
      - app
    networks:
      - proxy
      - nextcloud


networks:
  proxy:
    external: true
  nextcloud:
    external: true

Alles anzeigen

- change domain on line 62 and 66. You can use a subdomain like sub.domain.tld or domain.tld. Password on line 25.
- "Deploy the stack"
- Go to your domain and hope it works

Traefik manages the certficates from letsencrypt. You must noting do. The setup writes every 24h a backup of the database in folder backup. Use OMV to make a backup from this folder.

On this setup you can add many other things:
- emby
- Bitwarden
- FreshRSS
- Heimdall
.....

Hope this help.

gderf · 12. Juni 2020

Docker-compose files newer than version 2.x are not directly supported by Portainer for use in Stacks.

Tabletche · 12. Juni 2020

any chance to use it without stacks?

gderf · 12. Juni 2020

Zitat von Tabletche

any chance to use it without stacks?

Sure, read up on Docker-Compose.

gderf · 12. Juni 2020

I can't help you, sorry.

Tabletche · 12. Juni 2020

Zitat von igonixio

- go to portainer > Stacks > Add Stack
- Name: traefik, this code

Code

version: '3'


services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/<your_user>/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/<your_user>/traefik/data/acme.json:/acme.json
      - /home/<your_user>/traefik/data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.tld`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.tld`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"


networks:
  proxy:
    external: true

Alles anzeigen

- change the domain on line 22 and 27. Change line 23, copy the credentials from console on USER:PASSWORD. Those credentials must be in htpasswd format.
- "Deploy the stack"
- visit traefik.domain.tld, you see the traefik dashboard

i manage to do the first one, now can someone tell me what i have to change at line 22 and 27 do i have to fill all domain name and which one have to be,

and what to change in 23. Sorry for those questions, but i just starting with this. Thanks in advance!

tinh_x7 · 12. Juni 2020

Hey,

Traefik is a pain if you’re new to it.

I opened my own thread a few months ago and have some useful links if you want to check it out.

Tabletche · 12. Juni 2020

Zitat von tinh_x7

Hey,

Traefik is a pain if you’re new to it.
I opened my own thread a few months ago and have some useful links if you want to check it out.

I am new to all of this!!!

I found your thread and will see what i can get from there

Thanks!

OMV5, Portainer, MariaDB, Nextcloud, Let's encrypt - how do I make it work?

Jetzt mitmachen!

Tags