feat: first commit

.gitea/workflows/cd.yaml

@@ -0,0 +1,20 @@
+name: Continuous Delivery
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  build_n_upload:
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
+      - run: make upload
+        env:
+          PKG_TOKEN: ${{ secrets.PKG_TOKEN }}

.gitea/workflows/ci.yaml

@@ -0,0 +1,17 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  lint_n_build:
+    runs-on: self-hosted 
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"

.gitignore

@@ -0,0 +1,3 @@
+*.swp
+*.env
+/.idea

Makefile

@@ -0,0 +1,86 @@
+NAME = netoik-cloud
+VERSION = $(shell git describe --abbrev=0)
+RELEASE = $(shell git rev-parse --short HEAD)
+ARCH = noarch
+OWNER = netoik
+SUMMARY = "Netoïk Cloud Server"
+LICENSE = "MIT"
+URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
+SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
+
+RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
+RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
+RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
+RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
+RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
+
+RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: name
+name:  ## Show project name
+	@echo "$(NAME)"
+
+.PHONY: version
+version:  ## Show current project version
+	@echo "$(VERSION)"
+
+.PHONY: release
+release:  ## Show current project release
+	@echo "$(RELEASE)"
+
+.PHONY: arch
+arch:  ## Show rpm arch target
+	@echo "$(ARCH)"
+
+.PHONY: owner
+owner:  ## Show project owner name
+	@echo "$(OWNER)"
+
+.PHONY: summary
+summary:  ## Show project summary
+	@echo "$(SUMMARY)"
+
+.PHONY: license
+license:  ## Show project license
+	@echo "$(LICENSE)"
+
+.PHONY: url
+url:  ## Show project homepage URL
+	@echo "$(URL)"
+
+.PHONY: source0
+source0:  ## Show rpm source0 file name
+	@echo "$(SOURCE0)"
+
+$(RPM_TARBALL_PATH): *
+	git archive --format=tar.gz \
+	            --output="$@" \
+	            --prefix="$(NAME)-$(VERSION)/" \
+	            --verbose \
+	            HEAD 
+
+.PHONY: tarball
+tarball: $(RPM_TARBALL_PATH)  ## Build rpm tarball
+
+.PHONY: install
+install:  ## Install files into rpm dest (requires env var DESTDIR)
+	@if [ -z "$(DESTDIR)" ]; then \
+		printf "[CRITICAL] Missing env var DESTDIR\n[CRITICAL] This command is designed to be called by rpmbuild only!\n" 1>&2; \
+		exit 1; \
+	fi
+	install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/nextcloud
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/cloud.netoik.io.conf
+	install --mode=640 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nextcloud files/nextcloud/config.php
+
+.PHONY: upload
+upload:  ## Upload rpm package to Gitea repository (requires env var PKG_TOKEN)
+	@if [ -z "$(PKG_TOKEN)" ]; then \
+		printf "[CRITICAL] Missing env var PKG_TOKEN\n[CRITICAL] This command is designed to be called by Gitea Actions only!\n" 1>&2; \
+		exit 1; \
+	fi
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload

README.md

@@ -0,0 +1,79 @@
+# Netoïk Cloud Server ![badge](https://git.netoik.io/netoik/netoik-cloud/actions/workflows/ci.yaml/badge.svg)
+
+Build an RPM package which will install the cloud server called Nextcloud with custom configuration.
+
+- run through php-fpm
+- reversed by nginx
+- rely on postgres for database
+
+
+# Development
+
+A `Makefile` is integrated to let you run some basic commands.
+
+- Display some information about the project
+  ```shell
+  make help
+  make name
+  make version
+  make release
+  make arch
+  ```
+
+- Build a tarball:
+  ```shell
+  make tarball
+  ```
+
+- Build an rpm package:
+  ```shell
+  rpmbuild -ba netoik-cloud.spec
+  ```
+
+- Upload rpm package to Gitea repository (env var `PKG_TOKEN` is required):
+  ```shell
+  make upload
+  ```
+
+
+# CI / CD
+
+Two workflows are set up.
+
+- Continuous Integration:
+  - triggered by each push event on branch `main`
+  - builds tarball
+  - builds rpm package
+
+- Continuous Delivery:
+  - triggered by each tag push event
+  - builds tarball
+  - builds rpm package
+  - uploads rpm package to repository
+
+
+# Deployment
+
+Some commands to deploy the RPM package on server
+
+- Add Gitea repo to your repo list:
+  ```shell
+  dnf config-manager --add-repo https://git.netoik.io/api/packages/netoik/rpm.repo
+  ```
+
+- Show available versions:
+  ```shell
+  dnf --refresh search --showduplicates netoik-cloud
+  ```
+
+- Install or upgrade package:
+  ```shell
+  dnf --nogpgcheck --refresh --assumeyes --best install netoik-cloud
+  ```
+
+
+# Security Notes
+
+For security reasons, act runners does not have sudo privileges and so there is:
+- **no** Continuous Deployment because act runners cannot use `dnf`
+- **no** GPG signing because act runners cannot use `gpg`

files/nextcloud/config.php

@@ -0,0 +1,34 @@
+<?php
+$CONFIG = array (
+  'instanceid' => '',
+  'passwordsalt' => '',
+  'secret' => '',
+  'trusted_domains' => array (
+    0 => 'cloud.netoik.io',
+  ),
+  'datadirectory' => '/var/lib/nextcloud/data',
+  'dbtype' => 'pgsql',
+  'version' => '31.0.7.1',
+  'overwrite.cli.url' => 'https://cloud.netoik.io',
+  'dbname' => 'nextcloud',
+  'dbhost' => '/run/postgresql',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'dbuser' => 'nextcloud',
+  'dbpassword' => '',
+  'installed' => true,
+  'memcache.local' => '\\OC\\Memcache\\Redis',
+  'memcache.distributed' => '\\OC\\Memcache\\Redis',
+  'memcache.locking' => '\\OC\\Memcache\\Redis',
+  'redis' => array (
+    'host' => '/run/valkey/valkey.sock',
+    'port' => 0,
+  ),
+  'default_phone_region' => 'FR',
+  'maintenance' => false,
+  'maintenance_window_start' => 1,
+  'log_type' => 'systemd',
+  'loglevel' => 2,
+  'config_is_read_only' => true,
+);
+?>

files/nginx/cloud.netoik.io.conf

@@ -0,0 +1,139 @@
+upstream php-handler {
+	server unix:/var/run/php-fpm/nextcloud.sock;
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+	"" "";
+	default "immutable";
+}
+
+server {
+	listen 443 ssl;
+	http2 on;
+	server_name cloud.netoik.io;
+
+	# Path to the root of your installation
+	root /var/lib/nextcloud;
+
+	# set max upload size and increase upload timeout:
+	client_max_body_size 512M;
+	client_body_timeout 300s;
+	fastcgi_buffers 64 4K;
+
+	# Enable gzip but do not remove ETag headers
+	gzip on;
+	gzip_vary on;
+	gzip_comp_level 4;
+	gzip_min_length 256;
+	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+	# Pagespeed is not supported by Nextcloud, so if your server is built
+	# with the `ngx_pagespeed` module, uncomment this line to disable it.
+	#pagespeed off;
+
+	# Remove X-Powered-By, which is an information leak
+	fastcgi_hide_header X-Powered-By;
+
+	# Specify how to handle directories -- specifying `/index.php$request_uri`
+	# here as the fallback means that Nginx always exhibits the desired behaviour
+	# when a client requests a path that corresponds to a directory that exists
+	# on the server. In particular, if that directory contains an index.php file,
+	# that file is correctly served; if it doesn't, then the request is passed to
+	# the front-end controller. This consistent behaviour means that we don't need
+	# to specify custom rules for certain paths (e.g. images and other assets,
+	# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+	# `try_files $uri $uri/ /index.php$request_uri`
+	# always provides the desired behaviour.
+	index index.php index.html /index.php$request_uri;
+
+	# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+	location = / {
+		if ( $http_user_agent ~ ^DavClnt ) {
+			return 302 /remote.php/webdav/$is_args$args;
+		}
+	}
+
+	location = /robots.txt {
+		allow all;
+		log_not_found off;
+		access_log off;
+	}
+
+	# Make a regex exception for `/.well-known` so that clients can still
+	# access it despite the existence of the regex rule
+	# `location ~ /(\.|autotest|...)` which would otherwise handle requests
+	# for `/.well-known`.
+	location ^~ /.well-known {
+		# The rules in this block are an adaptation of the rules
+		# in `.htaccess` that concern `/.well-known`.
+
+		location = /.well-known/carddav { return 301 /remote.php/dav/; }
+		location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+		location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+		location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+		# Let Nextcloud's API for `/.well-known` URIs handle all other
+		# requests by passing them to the front-end controller.
+		return 301 /index.php$request_uri;
+	}
+
+	# Rules borrowed from `.htaccess` to hide certain paths from clients
+	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+	# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+	# which handle static assets (as seen below). If this block is not declared first,
+	# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+	# to the URI, resulting in a HTTP 500 error response.
+	location ~ \.php(?:$|/) {
+		# Required for legacy support
+		rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+		set $path_info $fastcgi_path_info;
+
+		try_files $fastcgi_script_name =404;
+
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $path_info;
+		fastcgi_param HTTPS on;
+
+		fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+		fastcgi_param front_controller_active true;     # Enable pretty urls
+		fastcgi_pass php-handler;
+
+		fastcgi_intercept_errors on;
+		fastcgi_request_buffering off;
+
+		fastcgi_max_temp_file_size 0;
+	}
+
+	location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+		try_files $uri /index.php$request_uri;
+		add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+		access_log off;     # Optional: Don't log access to assets
+
+		location ~ \.wasm$ {
+			default_type application/wasm;
+		}
+	}
+
+	location ~ \.woff2?$ {
+		try_files $uri /index.php$request_uri;
+		expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+		access_log off;     # Optional: Don't log access to assets
+	}
+
+	# Rule borrowed from `.htaccess`
+	location /remote {
+		return 301 /remote.php$request_uri;
+	}
+
+	location / {
+		try_files $uri $uri/ /index.php$request_uri;
+	}
+}

netoik-cloud.spec

@@ -0,0 +1,94 @@
+%define debug_package %{nil}
+
+Name:           %(make name)
+Version:        %(make version)
+Release:        %(make release)
+Summary:        %(make summary)
+License:        %(make license)
+URL:            %(make url)
+
+Source0:        %(make source0)
+Buildarch:      %(make arch)
+BuildRequires:  make
+Requires:       netoik-rp netoik-db netoik-cache php php-cli php-gd php-mbstring php-intl php-pecl-apcu php-mysqlnd php-opcache php-json php-zip php-redis php-imagick php-fpm
+
+%description
+Install the cloud server called Nextcloud.
+
+%prep
+%autosetup -v
+
+%install
+%make_install
+
+%post
+# Display commands and exit on error
+set -xe
+
+# Create nextcloud user
+if ! id nextcloud >/dev/null 2>&1; then
+  useradd --no-create-home --shell $SHELL --system nextcloud
+fi
+
+# Add nextcloud to postgres and valkey groups
+usermod --groups postgres,valkey --user nextcloud
+
+# Download nextcloud latest release
+wget --output-document %{_tmppath}/nextcloud-latest.tar.bz2 https://download.nextcloud.com/server/releases/latest.tar.bz2
+wget --output-document %{_tmppath}/nextcloud-latest.tar.bz2.asc https://download.nextcloud.com/server/releases/latest.tar.bz2.asc
+wget --output-document %{_tmppath}/nextcloud.asc https://nextcloud.com/nextcloud.asc
+gpg --import %{_tmppath}/nextcloud.asc
+gpg --verify %{_tmppath}/nextcloud-latest.tar.bz2.asc %{_tmppath}/nextcloud-latest.tar.bz2
+tar --extract --file=%{_tmppath}/nextcloud-latest.tar.bz2 --directory=%{_sharedstatedir}
+
+# Change rights an owner
+chown nextcloud:nextcloud %{_sharedstatedir}/nextcloud
+chmod 700 %{_sharedstatedir}/nextcloud
+
+# Create data dir
+runuser --user=nextcloud -- mkdir %{_sharedstatedir}/nextcloud/data
+
+# Add link to config
+runuser --user=nextcloud -- ln --symbolic --force %{_sysconfdir}/nextcloud/config.php %{_sharedstatedir}/nextcloud/config/config.php
+
+# Create postgres user and db
+if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet nextcloud; then
+  runuser --user=postgres -- createuser nextcloud
+fi
+if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\l' | grep --quiet nextcloud; then
+  runuser --user=postgres -- createdb --owner=nextcloud nextcloud
+fi
+
+# Restart services
+systemctl daemon-reload
+systemctl reenable nginx.service php-fpm.service
+systemctl restart nginx.service php-fpm.service
+
+%postun
+# Display commands and exit on error
+set -xe
+
+# Stop service
+systemctl stop php-fpm
+
+# If uninstalling, then delete user and db
+if [ $1 == 0 ]; then
+  if id nextcloud; then
+    userdel --force --remove nextcloud
+  fi
+  if runuser --user=postgres -- psql --quiet --tuples-only --command='\l' | grep --quiet nextcloud; then
+    runuser --user=postgres -- dropdb nextcloud
+  fi
+  if runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet nextcloud; then
+    runuser --user=postgres -- dropuser nextcloud
+  fi
+fi
+
+%files
+%dir %attr(755, root, root) %{_sysconfdir}/nextcloud
+%attr(640, root, -) %{_sysconfdir}/nextcloud/config.php
+
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/cloud.netoik.io.conf
+
+%changelog
+%autochangelog