Podman_NextCloud_OnlyOffice

安装Podman配置

 sudo pacman -S podman podman-dnsname podman-compose

# 配置Podman使用Docker源
sudo cp /etc/containers/registries.conf /etc/containers/registries.conf.bak
sudo vim /etc/containers/registries.conf

# Add the following: short image names (e.g. "nginx:alpine") resolve to
# docker.io, and docker.io pulls are routed through the USTC mirror first.
unqualified-search-registries = ["docker.io"]

[[registry]]
location = "docker.io"
# Mirrors are tried before the registry itself; if the mirror is unreachable
# the pull falls back to docker.io. The mirror is contacted over TLS because
# `insecure = true` is not set on it.
[[registry.mirror]]
location = "docker.mirrors.ustc.edu.cn"

映射端口的操作使用 -p 宿主机端口:容器端口 来完成
挂载一个主机目录作为数据卷, -v 本地目录:容器内目录 (本地目录必须为绝对路径)

Nginx_OnlyOffice_postgres

拉取镜像

podman pull nextcloud:fpm-alpine nginx:alpine postgres:12-alpine redis:alpine

NextCloud 的 nginx 方式部署与 Onlyoffice 桌面客户端不兼容:通过 Onlyoffice 客户端登录后链接丢失,原因未知,暂用 nextcloud:24-apache。

https://github.com/nextcloud/docker/tree/master/.examples/docker-compose

Nginx_http

命令过程

sudo mkdir -p /opt/NextCloudData/{db,proxy} /opt/NextCloudData/cache/data /opt/NextCloudData/CloudData/{config,data,html} /opt/NextCloudData/OnlyOffice/fonts


sudo chown -R eonun:eonun /opt/NextCloudData

# 创建变量文件
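# Create the env file that --env-file hands to the db and app containers.
# The DB password is taken from the caller's environment instead of being
# written into these notes, and the file is created with mode 0600 (umask 077
# in a subshell) because it holds the credential in clear text.
: "${POSTGRES_PASSWORD:?export POSTGRES_PASSWORD before creating postgres.env}"
(
  umask 077
  cat > /opt/NextCloudData/postgres.env <<EOF
POSTGRES_USER=dbuser
POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
POSTGRES_DB=clouddb

EOF
)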

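# Fetch the stock redis.conf over HTTPS. This file is executed as the server's
# configuration inside the cache container, so a plain-HTTP download that was
# altered in transit would be run as-is; HTTPS removes that path.
wget https://download.redis.io/redis-stable/redis.conf -O /opt/NextCloudData/cache/redis.conf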

# 修改 redis 配置文件内容

requirepass Eonun_redis   # require AUTH with this password; it is stored in clear text in these notes, so change it before real use
#bind 127.0.0.1   # bind line left commented out: listen on all container interfaces so the other CloudNet containers can reach it
protected-mode no   # turns protected mode OFF (the original note said "enable"); only acceptable because the cache container publishes no host port and requirepass is set


# 目录结构
/opt/NextCloudData
├── cache
│   ├── data
│   └── redis.conf
├── CloudData
│   ├── config
│   ├── data
│   └── html
├── db
├── OnlyOffice
│   └── fonts
├── postgres.env
└── proxy
    └── nginx.conf

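# Create the private network. Containers on it resolve each other by name
# (db, cache, app), so container-to-container traffic needs no published port.
podman network create CloudNet

# PostgreSQL. 5432 is bound to loopback only: the original -p 5432:5432
# exposed the database on every host interface although only the CloudNet
# containers (and maybe a local psql) need it. Drop the -p line entirely if
# host access is not needed.
podman run --name db --network CloudNet \
  -p 127.0.0.1:5432:5432 \
  -v /opt/NextCloudData/db:/var/lib/postgresql/data \
  --env-file=/opt/NextCloudData/postgres.env \
  -d postgres:12-alpine

# Redis. No published port on purpose: redis.conf turns protected-mode off,
# so reachability is limited only by CloudNet membership plus requirepass.
podman run --name cache --network CloudNet \
  -v /opt/NextCloudData/cache/data:/data \
  -v /opt/NextCloudData/cache/redis.conf:/etc/redis/redis.conf:ro \
  -d redis:alpine redis-server /etc/redis/redis.conf

# Nextcloud (php-fpm only; nginx below serves it). The same env file supplies
# the DB credentials; POSTGRES_HOST names the db container.
podman run --name app --network CloudNet \
  -v /opt/NextCloudData/CloudData/html:/var/www/html \
  -v /opt/NextCloudData/CloudData/data:/var/www/html/data \
  -v /opt/NextCloudData/CloudData/config:/var/www/html/config \
  --env-file=/opt/NextCloudData/postgres.env \
  -e POSTGRES_HOST=db \
  -d nextcloud:fpm-alpine

# nginx front end: host 8080 -> container 80, which is what nginx.conf listens on.
podman run --name nginx --network CloudNet \
  -p 8080:80 \
  -v /opt/NextCloudData/CloudData/html:/var/www/html \
  -v /opt/NextCloudData/proxy/nginx.conf:/etc/nginx/nginx.conf:ro \
  -d nginx:alpine

# ONLYOFFICE Document Server. JWT_SECRET is the shared secret the Nextcloud
# ONLYOFFICE app is configured with; it is read from the environment so that
# neither these notes nor the shell history carry it (export JWT_SECRET first).
: "${JWT_SECRET:?export JWT_SECRET before starting onlyoffice}"
podman run --name onlyoffice --network CloudNet \
  -p 8111:80 \
  -v /opt/NextCloudData/OnlyOffice/fonts:/usr/share/fonts \
  -e JWT_SECRET="${JWT_SECRET}" \
  -d onlyoffice/documentserver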

# onlyoffice 从 7.2 版本开始,默认启用JWT
# 如果在安装期间未添加自定义密钥,则会自动生成随机密钥。要获取该自动生成的密钥,请运行以下命令
podman exec onlyoffice /var/www/onlyoffice/documentserver/npm/json -f /etc/onlyoffice/documentserver/local.json
# 'services.CoAuthoring.secret.session.string'

# 通过参数设置 JWT 密钥
-e JWT_SECRET=office.secret

# 可通过以下命令获取 JWT 密钥
podman exec onlyoffice /var/www/onlyoffice/documentserver/npm/json -f /etc/onlyoffice/documentserver/local.json 'services.CoAuthoring.secret.session.string'

# 通过参数关闭 JWT
-e JWT_ENABLED=false

# onlyoffice 导入字体
# 将字体文件导入到容器
# podman cp /home/fonts/字体目录 onlyoffice:/usr/share/fonts/
# 刷新字体内容
podman exec onlyoffice bash /usr/bin/documentserver-generate-allfonts.sh

# 启用示例
podman exec onlyoffice sudo supervisorctl start ds:example

Nginx配置文件

worker_processes auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # Prevent nginx HTTP Server Detection
    server_tokens   off;

    keepalive_timeout  65;

    #gzip  on;

    upstream php-handler {
        server app:9000;
    }

    server {
        listen 80;

        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;

        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"   always;
        add_header X-Content-Type-Options               "nosniff"       always;
        add_header X-Download-Options                   "noopen"        always;
        add_header X-Frame-Options                      "SAMEORIGIN"    always;
        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
        add_header X-Robots-Tag                         "none"          always;
        add_header X-XSS-Protection                     "1; mode=block" always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
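        location = / {
            # Microsoft DAV clients (user agent begins with DavClnt) are sent
            # straight to the WebDAV endpoint; the pattern in this copy had been
            # mangled and would not have matched anything.
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }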

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

Nginx_https

命令过程

sudo mkdir -p /opt/NextCloudData/db /opt/NextCloudData/cache/data /opt/NextCloudData/CloudData/{config,data,html} /opt/NextCloudData/proxy/{conf.d,ssl_certs} /opt/NextCloudData/OnlyOffice/{certs,fonts}

sudo chown -R eonun:eonun /opt/NextCloudData

# 创建变量文件
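# Create the env file that --env-file hands to the db and app containers.
# The DB password comes from the caller's environment rather than these
# notes, and the file is created 0600 (umask 077 in a subshell) because it
# holds the credential in clear text.
: "${POSTGRES_PASSWORD:?export POSTGRES_PASSWORD before creating postgres.env}"
(
  umask 077
  cat > /opt/NextCloudData/postgres.env <<EOF
POSTGRES_USER=dbuser
POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
POSTGRES_DB=clouddb

EOF
)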

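# Fetch the stock redis.conf over HTTPS; it is executed as the cache
# container's configuration, so it must not be fetched over plain HTTP.
wget https://download.redis.io/redis-stable/redis.conf -O /opt/NextCloudData/cache/redis.conf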


# 修改 redis 配置文件内容

requirepass Eonun_redis   # require AUTH with this password; it is stored in clear text in these notes, so change it before real use
#bind 127.0.0.1   # bind line left commented out: listen on all container interfaces so the other CloudNet containers can reach it
protected-mode no   # turns protected mode OFF (the original note said "enable"); only acceptable because the cache container publishes no host port and requirepass is set


/opt/NextCloudData
├── cache
│   ├── data
│   └── redis.conf
├── CloudData
│   ├── config
│   ├── data
│   └── html
├── db
├── OnlyOffice
│   ├── certs
│   │   ├── dhparam.pem
│   │   ├── onlyoffice.crt
│   │   ├── onlyoffice.csr
│   │   └── onlyoffice.key
│   └── fonts
├── postgres.env
└── proxy
    ├── conf.d
    │   └── nginx.nextcloud.conf
    └── ssl_certs
        ├── eonun.usercert.nopass.pem
        └── eonun.userkey.nopass.pem.key

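# Create the private network as the same (unprivileged) user that runs every
# container below. Containers resolve each other by name on it.
podman network create CloudNet

# PostgreSQL, bound to loopback only: the original published 5432 on every
# host interface although only the CloudNet containers need it.
podman run --name db --network CloudNet \
  -p 127.0.0.1:5432:5432 \
  -v /opt/NextCloudData/db:/var/lib/postgresql/data \
  --env-file=/opt/NextCloudData/postgres.env \
  -d postgres:12-alpine

# Redis: no published port on purpose (redis.conf turns protected-mode off).
podman run --name cache --network CloudNet \
  -v /opt/NextCloudData/cache/data:/data \
  -v /opt/NextCloudData/cache/redis.conf:/etc/redis/redis.conf:ro \
  -d redis:alpine redis-server /etc/redis/redis.conf

# Nextcloud (php-fpm). The original started this and the next two containers
# with sudo while the network, db and cache were created rootless; rootful and
# rootless podman do not share networks, so "CloudNet" and the name "db" would
# not have resolved for the sudo'd containers. Everything now runs as the
# owner of /opt/NextCloudData. If rootful containers are really required
# (file-ownership reasons), create the network and db/cache with sudo as well.
podman run --name app --network CloudNet \
  -v /opt/NextCloudData/CloudData/html:/var/www/html \
  -v /opt/NextCloudData/CloudData/data:/var/www/html/data \
  -v /opt/NextCloudData/CloudData/config:/var/www/html/config \
  --env-file=/opt/NextCloudData/postgres.env \
  -e POSTGRES_HOST=db \
  -d nextcloud:fpm-alpine

# nginx TLS front end. nginx.nextcloud.conf listens on 4433 inside the
# container, so the host port maps to 4433; the original -p 4433:443 pointed
# at a container port nothing listens on.
podman run --name nginx --network CloudNet \
  -p 4433:4433 \
  -v /opt/NextCloudData/CloudData/html:/var/www/html \
  -v /opt/NextCloudData/proxy/conf.d:/etc/nginx/conf.d:ro \
  -v /opt/NextCloudData/proxy/ssl_certs:/etc/nginx/ssl_certs:ro \
  -d nginx:alpine

# ONLYOFFICE Document Server over TLS (certificates from OnlyOffice/certs).
# JWT_SECRET is shared with the Nextcloud ONLYOFFICE app and is taken from
# the environment instead of being written into these notes.
: "${JWT_SECRET:?export JWT_SECRET before starting onlyoffice}"
podman run --name onlyoffice --network CloudNet \
  -p 9443:443 \
  -v /opt/NextCloudData/OnlyOffice/certs:/var/www/onlyoffice/Data/certs \
  -v /opt/NextCloudData/OnlyOffice/fonts:/usr/share/fonts \
  -e JWT_SECRET="${JWT_SECRET}" \
  -d onlyoffice/documentserver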


# onlyoffice 从 7.2 版本开始,默认启用JWT
# 如果在安装期间未添加自定义密钥,则会自动生成随机密钥。要获取该自动生成的密钥,请运行以下命令
podman exec onlyoffice /var/www/onlyoffice/documentserver/npm/json -f /etc/onlyoffice/documentserver/local.json
# 'services.CoAuthoring.secret.session.string'

# 通过参数设置 JWT 密钥
-e JWT_SECRET=office.secret

# 通过参数关闭 JWT
-e JWT_ENABLED=false

# 关闭 onlyoffice 的证书验证(此后 Document Server 不再校验 Nextcloud 的 TLS 证书,只适用于使用自签名证书的内网测试环境):
/etc/onlyoffice/documentserver/defaults.json
# 修改内容
services.CoAuthoring.requestDefaults.rejectUnauthorized=false
# 重启服务
supervisorctl restart all

# NextCloud 配置白名单
# config/config.php 中的 "trusted_domains" 设置 
'trusted_domains' =>
  array (
   0 => 'localhost',
   1 => 'server1.example.com',
   2 => '192.168.1.50',
   3 => '[fe80::1:50]',
),

Nginx配置文件

upstream php-handler {
    server app:9000;
}

server {
    listen 80;
    listen [::]:80;
    # 这里填写自己的域名
    server_name cloud.eonun.local;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # enforce https
    # return '301 https://$host$request_uri'
    return 301 https://cloud.eonun.local:4433$request_uri;
}

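server {
    listen 4433 ssl http2;
    listen [::]:4433 ssl http2;
    # Put your own domain here.
    # NOTE(review): nginx listens on 4433 *inside* the container, while the
    # podman command in these notes publishes -p 4433:443; one side has to
    # change (e.g. -p 4433:4433) or the host port connects to nothing.
    server_name cloud.eonun.local;

    root /var/www/html;
    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # Certificate and key come from the ssl_certs bind mount.
    #ssl_certificate /etc/nginx/ssl_certs/<certificate file>.pem;
    #ssl_certificate_key /etc/nginx/ssl_certs/<key file>.key;
    ssl_certificate /etc/nginx/ssl_certs/cloud.crt.pem;
    ssl_certificate_key /etc/nginx/ssl_certs/cloud.key;
    # The guidelines above start at TLS 1.2. Nothing was pinned here before,
    # so older nginx builds would also have offered TLS 1.0/1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    proxy_request_buffering off;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # This setting allows you to optimize the HTTP/2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    # HSTS without preload (see the warning above). The previous value was the
    # bare number 15552000; without a "max-age=" directive browsers ignore the header.
    add_header Strict-Transport-Security            "max-age=15552000; includeSubDomains" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    # (user agent begins with DavClnt). The pattern in this copy had been
    # mangled and would not have matched anything.
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        #location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav/; }
        #location = /.well-known/caldav  { return 301 $scheme://$host:4433/remote.php/dav/; }
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }
    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}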

Apache_http

命令过程

sudo mkdir -p /opt/NextCloudData/db /opt/NextCloudData/cache/data /opt/NextCloudData/CloudData/{config,data,html} /opt/NextCloudData/OnlyOffice/fonts


sudo chown -R eonun:eonun /opt/NextCloudData

# 创建变量文件
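# Create the env file that --env-file hands to the db and app containers.
# The DB password comes from the caller's environment rather than these
# notes, and the file is created 0600 (umask 077 in a subshell) because it
# holds the credential in clear text.
: "${POSTGRES_PASSWORD:?export POSTGRES_PASSWORD before creating .postgres.env}"
(
  umask 077
  cat > /opt/NextCloudData/.postgres.env <<EOF
POSTGRES_USER=dbuser
POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
POSTGRES_DB=clouddb

EOF
)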

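# Fetch the stock redis.conf over HTTPS; it is executed as the cache
# container's configuration, so it must not be fetched over plain HTTP.
wget https://download.redis.io/redis-stable/redis.conf -O /opt/NextCloudData/cache/redis.conf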

# 修改 redis 配置文件内容

requirepass Eonun_redis   # require AUTH with this password; it is stored in clear text in these notes, so change it before real use
#bind 127.0.0.1   # bind line left commented out: listen on all container interfaces so the other CloudNet containers can reach it
protected-mode no   # turns protected mode OFF (the original note said "enable"); only acceptable because the cache container publishes no host port and requirepass is set


# 目录结构
/opt/NextCloudData
├── cache
│   ├── data
│   └── redis.conf
├── CloudData
│   ├── config
│   ├── data
│   └── html
├── db
├── OnlyOffice
│   └── fonts
└── .postgres.env


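# Create the private network; containers resolve each other by name on it.
podman network create CloudNet

# PostgreSQL, bound to loopback only: the original published 5432 on every
# host interface although only the CloudNet containers need it.
podman run --name db --network CloudNet \
  -p 127.0.0.1:5432:5432 \
  -v /opt/NextCloudData/db:/var/lib/postgresql/data \
  --env-file=/opt/NextCloudData/.postgres.env \
  -d postgres:12-alpine

# Redis: no published port on purpose (redis.conf turns protected-mode off).
podman run --name cache --network CloudNet \
  -v /opt/NextCloudData/cache/data:/data \
  -v /opt/NextCloudData/cache/redis.conf:/etc/redis/redis.conf:ro \
  -d redis:alpine redis-server /etc/redis/redis.conf

# Nextcloud (Apache image, serves HTTP itself: container 80 -> host 8080).
# Author's note: Nextcloud 25 is incompatible with the ONLYOFFICE desktop
# client; the older nextcloud:24-apache can be used instead of :latest.
podman run --name app --network CloudNet \
  -p 8080:80 \
  -v /opt/NextCloudData/CloudData/html:/var/www/html \
  -v /opt/NextCloudData/CloudData/data:/var/www/html/data \
  -v /opt/NextCloudData/CloudData/config:/var/www/html/config \
  --env-file=/opt/NextCloudData/.postgres.env \
  -e POSTGRES_HOST=db \
  -d nextcloud:latest

# ONLYOFFICE Document Server. JWT_SECRET is shared with the Nextcloud
# ONLYOFFICE app and is taken from the environment instead of these notes.
: "${JWT_SECRET:?export JWT_SECRET before starting onlyoffice}"
podman run --name onlyoffice --network CloudNet \
  -p 8111:80 \
  -v /opt/NextCloudData/OnlyOffice/fonts:/usr/share/fonts \
  -e JWT_SECRET="${JWT_SECRET}" \
  -d onlyoffice/documentserver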

# onlyoffice 从 7.2 版本开始,默认启用JWT
# 如果在安装期间未添加自定义密钥,则会自动生成随机密钥。要获取该自动生成的密钥,请运行以下命令
podman exec onlyoffice /var/www/onlyoffice/documentserver/npm/json -f /etc/onlyoffice/documentserver/local.json
# 'services.CoAuthoring.secret.session.string'

# 通过参数设置 JWT 密钥
-e JWT_SECRET=office.secret

# 通过参数关闭 JWT
-e JWT_ENABLED=false

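# Import extra fonts into ONLYOFFICE.
# Copy the font files into the container first, e.g.
#   podman cp /home/fonts/<font directory> onlyoffice:/usr/share/fonts/truetype/custom
# (or put them under /opt/NextCloudData/OnlyOffice/fonts, which is mounted at /usr/share/fonts).
# Then rebuild the font list. One non-interactive exec with an absolute path,
# as in the Nginx section: the original opened an interactive shell and ran
# ./usr/bin/..., a relative path that only resolves when the shell's cwd is /.
podman exec onlyoffice bash /usr/bin/documentserver-generate-allfonts.sh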

Apache_https

sudo mkdir -p /opt/NextCloudData/db /opt/NextCloudData/cache/data /opt/NextCloudData/CloudData/{config,data,html} /opt/NextCloudData/OnlyOffice/{certs,fonts}


sudo chown -R eonun:eonun /opt/NextCloudData

# 创建变量文件
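# Create the env file that --env-file hands to the db and app containers.
# The DB password comes from the caller's environment rather than these
# notes, and the file is created 0600 (umask 077 in a subshell) because it
# holds the credential in clear text.
: "${POSTGRES_PASSWORD:?export POSTGRES_PASSWORD before creating .postgres.env}"
(
  umask 077
  cat > /opt/NextCloudData/.postgres.env <<EOF
POSTGRES_USER=dbuser
POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
POSTGRES_DB=clouddb

EOF
)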

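# Fetch the stock redis.conf over HTTPS; it is executed as the cache
# container's configuration, so it must not be fetched over plain HTTP.
wget https://download.redis.io/redis-stable/redis.conf -O /opt/NextCloudData/cache/redis.conf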

# 修改 redis 配置文件内容

requirepass Eonun_redis   # require AUTH with this password; it is stored in clear text in these notes, so change it before real use
#bind 127.0.0.1   # bind line left commented out: listen on all container interfaces so the other CloudNet containers can reach it
protected-mode no   # turns protected mode OFF (the original note said "enable"); only acceptable because the cache container publishes no host port and requirepass is set


# 目录结构
/opt/NextCloudData
├── cache
│   ├── data
│   └── redis.conf
├── CloudData
│   ├── config
│   ├── data
│   └── html
├── db
├── OnlyOffice
│   ├── certs
│   │   ├── dhparam.pem
│   │   ├── onlyoffice.crt
│   │   ├── onlyoffice.csr
│   │   └── onlyoffice.key
│   └── fonts
├── .postgres.env
├── eonun.usercert.nopass.pem
└── eonun.userkey.nopass.pem.key


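# Create the private network; containers resolve each other by name on it.
podman network create CloudNet

# PostgreSQL, bound to loopback only: the original published 5432 on every
# host interface although only the CloudNet containers need it.
podman run --name db --network CloudNet \
  -p 127.0.0.1:5432:5432 \
  -v /opt/NextCloudData/db:/var/lib/postgresql/data \
  --env-file=/opt/NextCloudData/.postgres.env \
  -d postgres:12-alpine

# Redis: no published port on purpose (redis.conf turns protected-mode off).
podman run --name cache --network CloudNet \
  -v /opt/NextCloudData/cache/data:/data \
  -v /opt/NextCloudData/cache/redis.conf:/etc/redis/redis.conf:ro \
  -d redis:alpine redis-server /etc/redis/redis.conf

# Nextcloud (Apache image, serves HTTP itself: container 80 -> host 8080).
# NOTE(review): this section is titled Apache_https but neither this nor the
# onlyoffice command mounts the certificates created under OnlyOffice/certs
# or publishes a TLS port - the TLS part is still to be filled in.
podman run --name app --network CloudNet \
  -p 8080:80 \
  -v /opt/NextCloudData/CloudData/html:/var/www/html \
  -v /opt/NextCloudData/CloudData/data:/var/www/html/data \
  -v /opt/NextCloudData/CloudData/config:/var/www/html/config \
  --env-file=/opt/NextCloudData/.postgres.env \
  -e POSTGRES_HOST=db \
  -d nextcloud:latest

# ONLYOFFICE Document Server. JWT_SECRET is shared with the Nextcloud
# ONLYOFFICE app and is taken from the environment instead of these notes.
: "${JWT_SECRET:?export JWT_SECRET before starting onlyoffice}"
podman run --name onlyoffice --network CloudNet \
  -p 8111:80 \
  -v /opt/NextCloudData/OnlyOffice/fonts:/usr/share/fonts \
  -e JWT_SECRET="${JWT_SECRET}" \
  -d onlyoffice/documentserver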

# onlyoffice 从 7.2 版本开始,默认启用JWT
# 如果在安装期间未添加自定义密钥,则会自动生成随机密钥。要获取该自动生成的密钥,请运行以下命令
podman exec onlyoffice /var/www/onlyoffice/documentserver/npm/json -f /etc/onlyoffice/documentserver/local.json
# 'services.CoAuthoring.secret.session.string'

# 通过参数设置 JWT 密钥
-e JWT_SECRET=office.secret

# 通过参数关闭 JWT
-e JWT_ENABLED=false

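# Import extra fonts into ONLYOFFICE.
# Copy the font files into the container first, e.g.
#   podman cp /home/fonts/<font directory> onlyoffice:/usr/share/fonts/truetype/custom
# (or put them under /opt/NextCloudData/OnlyOffice/fonts, which is mounted at /usr/share/fonts).
# Then rebuild the font list. One non-interactive exec with an absolute path,
# as in the Nginx section: the original opened an interactive shell and ran
# ./usr/bin/..., a relative path that only resolves when the shell's cwd is /.
podman exec onlyoffice bash /usr/bin/documentserver-generate-allfonts.sh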

Apache_配置ssl

修改 Tomcat 的配置文件 server.xml

<!-- 找到以下内容,去掉前后的注释,并如下修改(或者直接其后添加以下代码亦可): -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->


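<!-- HTTPS connector. keystoreFile must point at the uploaded keystore (the
     comment that used to sit inside the start tag is not valid XML and has
     been moved here). keystorePass="password" is a placeholder: supply the
     real value at deployment time rather than committing it, as server.xml
     is readable by every administrator of the host.
     NOTE(review): org.apache.coyote.http11.Http11Protocol is the legacy
     blocking connector; Tomcat 8.5+ expects protocol="HTTP/1.1" (which
     selects the NIO implementation) - confirm against the Tomcat version in use. -->
<Connector
port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keystoreFile="conf\yourdomain.jks"
keystorePass="password"
clientAuth="false"
sslProtocol="TLS"
/>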

NextCloud离线安装OnlyOffice应用

https://apps.nextcloud.com/apps/onlyoffice/releases
https://apps.nextcloud.com/apps/richdocuments/releases

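# Install the ONLYOFFICE connector app from source. Run from the Nextcloud
# root (the directory that contains apps/).
cd apps || exit 1
git clone https://github.com/ONLYOFFICE/onlyoffice-nextcloud.git onlyoffice
cd onlyoffice || exit 1
git submodule update --init --recursive
# The app directory must belong to the web server user. The original ran
# `chown ... onlyoffice` from inside the checkout, i.e. on apps/onlyoffice/onlyoffice,
# a path that does not exist; step back out first.
cd .. || exit 1
chown -R www-data:www-data onlyoffice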

redis加速


证书

CA 和证书

CA(Certificate Authority,数字证书认证机构),负责发放和管理数字证书的权威机构,并作为受信任的第三方,承担公钥体系中公钥的合法性检验的责任。
CA 是公钥基础设施的核心,负责签发证书、认证证书、管理已颁发证书的机关。它要制定政策和具体步骤来验证、识别用户身份,并对用户证书进行签名,以确保证书持有者的身份和公钥的拥有权。

证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。
证书的内容包括:电子签证机关的信息、公钥用户信息、公钥、权威机构的签字和有效期等等。目前,证书的格式和验证方法普遍遵循X.509国际标准。

  • 加密:CA认证将文字转换成不能直接阅读的形式(即密文)的过程称为加密。
  • 解密:将密文转换成能够直接阅读的文字(即明文)的过程称为解密。

如打算在电子文档上实现签名的目的,可使用数字签名。RSA公钥体制可实现对数字信息的数字签名,方法如下:
信息发送者用其私钥对从所传报文中提取出的特征数据(或称数字指纹)进行RSA算法操作,以保证发信人无法抵赖曾发过该信息(即不可抵赖性),同时也确保信息报文在传递过程中未被篡改(即完整性)。当信息接收者收到报文后,就可以用发送者的公钥对数字签名进行验证。
在数字签名中有重要作用的数字指纹是通过一类特殊的散列函数(HASH函数)生成的。对这些HASH函数的特殊要求是:

  1. 接受的输入报文数据没有长度限制;
  2. 对任何输入报文数据生成固定长度的摘要(数字指纹)输出;
  3. 从报文能方便地算出摘要;
  4. 难以对指定的摘要生成一个报文,而由该报文可以算出该指定的摘要;
  5. 两个不同的报文难以生成具有相同的摘要。

创建 CA 证书

OpenSSL 默认配置文件 openssl.cnf (/usr/lib/ssl/openssl.cnf 或 /etc/ssl/openssl.cnf)

创建 CA 目录结构

创建相应的目录和文件:

mkdir CA

生成 CA 秘钥和证书

# Self-signed root CA: key pair plus certificate in one step.
# -nodes leaves ./CA/rootCA.key unencrypted on disk, so keep it owner-readable
# only (chmod 600) and off shared storage - whoever holds it can issue
# certificates that every client trusting this CA accepts.
# NOTE(review): -days is 35600 here but 3560 in CAssl.sh below; pick one
# deliberately (3650, ~10 years, is a common choice for a private root).
openssl req -x509 \
            -sha256 -days 35600 \
            -nodes \
            -newkey rsa:2048 \
            -subj "/CN=LOCAL CA_eonun/C=CN/ST=beijing/L=beijing/O=eonun Pty Ltd/OU=eonun" \
            -keyout ./CA/rootCA.key -out ./CA/rootCA.crt.pem
  • -x509 : 说明是要生成自签名证书。
  • -days 35600 : 从生成之时算起,证书时效为 35600 天。
  • -keyout ./CA/rootCA.key : 将生成的秘钥对保存到 ./CA/rootCA.key
  • -out ./CA/rootCA.crt.pem : 将生成的证书请求保存到文件 ./CA/rootCA.crt.pem
  • -subj : 添加 CA 信息
    • CN (Common Name , 通用名,FQDN 或 名称)
    • C (Country , 国家)
    • ST (State or Province ,州或省)
    • L (Locality , 城市)
    • O (Organization , 组织名称)
    • OU (Organizational Unit , 组织部门)

若不添加 -subj 选项,则通过交互方式输入 CA 信息

Enter pass phrase for ./CA/rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN # 国家简写
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Local Certification # 填写 CA 机构名称
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

如果出现以下错误,修改/etc/ssl/openssl.cnf ,将RANDFILE = $ENV::HOME/.rnd 那一行注释

Can't load /home/vagrant/.rnd into RNG

创建用户证书

生成用户秘钥对

# Private key for the server certificate (unencrypted; see the -des3 variant
# below for a passphrase-protected one). This is the file nginx.nextcloud.conf
# refers to as cloud.key, so keep it owner-readable only.
openssl genrsa -out cloud.key 2048

生成带密码的秘钥对 : openssl genrsa -des3 -passout pass:159753 -out cloud.key 2048 (pass: 形式的口令会留在 shell 历史和进程列表中;需要保密时可改用 -passout stdin 或 -passout file:路径)

  • -passout pass:159753 指定秘钥对的密码为 159753

去除秘钥密码: openssl rsa -in cloud.key -out nopass.cloud.key

生成用户证书签名请求(Certificate Signing Request , CSR)

创建请求配置

# CSR configuration. prompt = no takes the DN from [ dn ] without asking.
# NOTE: the SANs under [ alt_names ] only describe the request - the signing
# step (`openssl x509 -req -extfile cloud.cert.conf`) takes its extensions
# from cloud.cert.conf by default, so every name wanted in the issued
# certificate has to be listed there as well.
cat > cloud.csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
# 国家
C = CN
# 州或省
ST = beijing
# 城市名称
L = beijing
# 组织名称
O = eonun Pty Ltd
# 部门名称
OU = eonun
# 通用名
CN = cloud.eonun.local

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
#DNS.1 = demo.mlopshub.com
#DNS.2 = www.demo.mlopshub.com
#IP.1 = 192.168.1.5
#IP.2 = 192.168.1.6
DNS.1 = cloud.eonun.local
DNS.2 = www.cloud.eonun.local

EOF

生成请求

openssl req -new -key cloud.key -out cloud.csr -config cloud.csr.conf

签发证书

创建证书配置文件

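# Extensions for the issued certificate. `openssl x509 -req` reads its
# extensions from this file, not from the CSR, so every SAN that should end
# up in the certificate must be listed here; the www.* name from
# cloud.csr.conf was missing and would have been silently dropped.
cat > cloud.cert.conf <<EOF

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = cloud.eonun.local
DNS.2 = www.cloud.eonun.local

EOF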

生成证书

# Issue the leaf certificate: sign cloud.csr with the local CA for 3650 days.
# -extfile supplies the extensions (SAN, keyUsage, CA:FALSE); the CSR's own
# extensions are not copied by default. -CAcreateserial creates the .srl
# serial file next to the CA certificate on first use and reuses it afterwards.
openssl x509 -req \
    -in cloud.csr \
    -CA ./CA/rootCA.crt.pem -CAkey ./CA/rootCA.key \
    -CAcreateserial -out cloud.crt.pem \
    -days 3650 \
    -sha256 -extfile cloud.cert.conf

查看证书

openssl x509 -in cloud.crt.pem -text -noout
  • -text : 文本输出
  • -noout : 不输出证书本身的编码内容,只显示 -text 的文本解析

Windows 下需将证书重命名为 .crt 后缀的才可被识别

脚本

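# Writes CAssl.sh, a helper that creates a local root CA under ./CA.
# The heredoc delimiter is quoted so the script body is copied literally
# (no backslash-escaping of $ and line continuations at write time).
cat > CAssl.sh <<'CASSL'
#!/bin/bash
# Usage: CAssl.sh <CA name or FQDN>
# Creates ./CA/rootCA.key (private key, unencrypted) and ./CA/rootCA.crt.pem.
set -euo pipefail

if [ "$#" -ne 1 ]; then
  echo "Error: 未提供 PQDN 参数 或 CA 名称"
  echo "使用方法: CAssl.sh demo.mlopshub.com 或 CAssl.sh LOCAL_CA_demo"
  exit 1
fi

DOMAIN=$1

# Never overwrite an existing CA key: every certificate issued with it so far
# would stop chaining to the replacement.
if [ -e ./CA/rootCA.key ]; then
  echo "Error: ./CA/rootCA.key already exists" >&2
  exit 1
fi

# -p: the original mkdir failed when ./CA already existed.
mkdir -p CA
echo "# 创建 CA & CA 私钥"
# -nodes stores the key in clear; umask 077 keeps it owner-readable only.
umask 077
openssl req -x509 \
            -sha256 -days 3560 \
            -nodes \
            -newkey rsa:2048 \
            -subj "/CN=${DOMAIN}/C=CN/ST=beijing/L=beijing" \
            -keyout ./CA/rootCA.key -out ./CA/rootCA.crt.pem
# The certificate is public and gets distributed to clients.
chmod 644 ./CA/rootCA.crt.pem

openssl x509 -in ./CA/rootCA.crt.pem -text -noout
CASSL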
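# Writes USERssl.sh, a helper that issues a server certificate for one domain,
# signed by the CA created by CAssl.sh. The outer delimiter is quoted so the
# body is copied literally; the inner <<EOF heredocs stay unquoted on purpose
# so that ${DOMAIN} expands when the script runs.
cat > USERssl.sh <<'USE'
#!/bin/bash
# Usage: USERssl.sh <domain>
# Writes ./<domain>/<domain>.key, .csr and .crt.pem, signed by ./CA/rootCA.*.
set -euo pipefail

if [ "$#" -ne 1 ]; then
  echo "Error: 未提供域名参数"
  echo "使用方法: USERssl.sh demo.mlopshub.com"
  exit 1
fi

DOMAIN=$1

# The CA must exist first (created by CAssl.sh in this same directory).
if [ ! -f ./CA/rootCA.key ] || [ ! -f ./CA/rootCA.crt.pem ]; then
  echo "Error: ./CA/rootCA.key or ./CA/rootCA.crt.pem not found; run CAssl.sh first" >&2
  exit 1
fi

mkdir -p "$DOMAIN"
# Private key, CSR and config files are created owner-readable only.
umask 077
echo "生成用户私钥"
openssl genrsa -out "./$DOMAIN/${DOMAIN}.key" 2048

echo "创建证书签名请求(Certificate Signing Request , CSR)配置"
cat > "./$DOMAIN/csr.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
# 国家
C = CN
# 州或省
ST = beijing
# 城市名称
L = beijing
# 组织名称
O = eonun Pty Ltd
# 部门名称
OU = eonun
# 通用名
CN = ${DOMAIN}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ${DOMAIN}
DNS.2 = www.${DOMAIN}
#IP.1 = 192.168.1.5 
#IP.2 = 192.168.1.6

EOF

echo "使用请求配置和私钥生成请求"
openssl req -new -key "./$DOMAIN/${DOMAIN}.key" -out "./$DOMAIN/${DOMAIN}.csr" -config "./$DOMAIN/csr.conf"

echo "创建用户证书配置"
# openssl x509 -req takes the extensions from this file, not from the CSR,
# so the SAN list must repeat every name that should end up in the
# certificate (the www.* name was previously lost here).
cat > "./$DOMAIN/cert.conf" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${DOMAIN}
DNS.2 = www.${DOMAIN}

EOF

echo "生成用户证书"
openssl x509 -req \
    -in "./$DOMAIN/${DOMAIN}.csr" \
    -CA ./CA/rootCA.crt.pem -CAkey ./CA/rootCA.key \
    -CAcreateserial -out "./$DOMAIN/${DOMAIN}.crt.pem" \
    -days 3650 \
    -sha256 -extfile "./$DOMAIN/cert.conf"
# The certificate itself is public.
chmod 644 "./$DOMAIN/${DOMAIN}.crt.pem"

openssl x509 -in "./$DOMAIN/${DOMAIN}.crt.pem" -text -noout
USE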

# Make both helpers executable. Run CAssl.sh first: USERssl.sh signs with
# ./CA/rootCA.key and ./CA/rootCA.crt.pem, so both must be run from the same
# directory (the one that will contain CA/).
chmod +x CAssl.sh USERssl.sh

# Example: create the CA, then a leaf certificate for one host.
./CAssl.sh ca.mlopshub.com

./USERssl.sh user.mlopshub.com

全平台证书工具

https://keymanager.org/

https://github.com/FiloSottile/mkcert

参考

openSSL命令、PKI、CA、SSL证书原理 - 郑瀚Andrew.Hann - 博客园

OpenSSL 自建CA及签发证书_scuyxi的博客-CSDN博客

实现局域网https域名访问内网服务 - 掘金