Optimized PHP performance

group_vars/all/07_applications.yml

@@ -257,31 +257,36 @@ defaults_applications:
 
   ## Nextcloud
   nextcloud:
-    version:                "production"                                  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+    version:                "production"                                            # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
     ldap:
-      enabled:              True                                          # Enables LDAP by default
+      enabled:              True                                                    # Enables LDAP by default
     oidc:
-      enabled:              "{{ _applications_nextcloud_oidc_enabled }}"  # Activate OIDC for Nextcloud
+      enabled:              "{{ _applications_nextcloud_oidc_enabled }}"            # Activate OIDC for Nextcloud
       # floavor decides which OICD plugin should be used. 
       # Available options: oidc_login, sociallogin
       # @see https://apps.nextcloud.com/apps/oidc_login
       # @see https://apps.nextcloud.com/apps/sociallogin
-      flavor:               "oidc_login"                                  # Keeping on sociallogin because the other option is not implemented yet                                             
-    force_import:           False                                         # Forces the import of the LDIF files
+      flavor:               "oidc_login"                                            # Keeping on sociallogin because the other option is not implemented yet                                             
+    force_import:           False                                                   # Forces the import of the LDIF files
     database:
-      central_storage:      True                                          # Activate Central Database Storage
+      central_storage:      True                                                    # Activate Central Database Storage
     credentials:
-#     database_password:    Null                                          # Needs to be set in inventory file
+#     database_password:    Null                                                    # Needs to be set in inventory file
     users:      
       administrator:
         username:           "{{users.administrator.username}}"
-        initial_password:   "{{users.administrator.initial_password}}"
-    default_quota:          '1000000000'                                  # Quota to assign if no quota is specified in the OIDC response (bytes)
+        initial_password:   "{{users.administrator.initial_password}}"              # Keep in mind to change the password fast after creation and activate 2FA
+    default_quota:          '1000000000'                                            # Quota to assign if no quota is specified in the OIDC response (bytes)
     legacy_login_mask:   
-      enabled:              False                                         # If true, then legacy  login mask is shown. Otherwise just SSO
+      enabled:              False                                                   # If true, then legacy  login mask is shown. Otherwise just SSO
     container:
-      application:          "nextcloud-application"                       # Nextcloud application container name
-      proxy:                "nextcloud-web"                               # Nextcloud Proxy Container Name
+      application:          "nextcloud-application"                                 # Nextcloud application container name
+      proxy:                "nextcloud-web"                                         # Nextcloud Proxy Container Name
+    performance:
+      php:
+        memory_limit:               "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit
+        upload_limit:               "5G"                                            # Set upload limit to 5GB for big media files
+        opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption
     plugins:                                                  
     # List for Nextcloud Plugin Routine
     # Decides if plugins should be activated or deactivated
@@ -434,7 +439,7 @@ defaults_applications:
         enabled: false # Deactivated because it let to bugs
       richdocuments:
         # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments)
-        enabled: true
+        enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before
       sociallogin:
         # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin)
         enabled:    "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}"
@@ -443,7 +448,7 @@ defaults_applications:
           - oidc_login  # Will be disabled
       spreed:
         # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
-        enabled: true
+        enabled: false # @todo to activate it first implement docker-coturn and activate it
       tables:
         # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
         enabled: true

roles/docker-nextcloud/tasks/main.yml

@@ -16,7 +16,8 @@
     owner:  "{{nextcloud_docker_user_id}}"
     group:  "{{nextcloud_docker_user_id}}"
   loop:     "{{ lookup('fileglob', role_path ~ '/templates/config/*.j2', wantlist=True) }}"
-  notify: docker compose restart
+  # Not all type of changes take instantly place. Due to this reason a rebuild is required.
+  notify: docker compose project setup
 
 - name: "include role for {{application_id}} to recieve certs & do modification routines"
   include_role:

roles/docker-nextcloud/templates/config/memcache.config.php.j2

@@ -4,10 +4,11 @@
 return array (
   # For single server setup APCu is recommended, for multi server setup Redis
   'memcache.local' => '\\OC\\Memcache\\{% if deployment_mode == "single" %}APCu{% else %}Redis{% endif %}',
-  'memcache.locking' => '\\OC\\Memcache\\Redis',
-  'redis' =>
-  array (
-    'host' => 'redis',
-    'port' => 6379,
-  )
+  # The following lines are configured via the environment variables
+  # 'memcache.locking' => '\\OC\\Memcache\\Redis',
+  # 'redis' =>
+  # array (
+  #   'host' => 'redis',
+  #   'port' => 6379,
+  # )
 );

roles/docker-nextcloud/templates/config/turnserver.config.php.j2.draft

@@ -1,6 +1,7 @@
 <?php
 # Activates the turn server
 # @see https://nextcloud-talk.readthedocs.io/en/latest/TURN/
+
 return 'turn_servers' => [
     [
         'host' => 'coturn',

roles/docker-nextcloud/templates/env.j2

@@ -2,27 +2,39 @@
 # @See https://github.com/nextcloud/docker/blob/master/README.md
 
 # Database Configuration
-MYSQL_DATABASE=             "{{database_name}}"
-MYSQL_USER=                 "{{database_username}}"
-MYSQL_PASSWORD=             "{{database_password}}"
-MYSQL_HOST=                 "{{database_host}}:{{database_port}}"
+MYSQL_DATABASE=                 "{{database_name}}"
+MYSQL_USER=                     "{{database_username}}"
+MYSQL_PASSWORD=                 "{{database_password}}"
+MYSQL_HOST=                     "{{database_host}}:{{database_port}}"
       
-# Memory
-PHP_MEMORY_LIMIT=           1G # Required for plugin duplicate finder
+# PHP
+PHP_MEMORY_LIMIT=               "{{applications[application_id].perfomance.php.memory_limit}}"
+PHP_UPLOAD_LIMIT=               "{{applications[application_id].perfomance.php.upload_limit}}"
+PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications[application_id].perfomance.php.opcache_memory_consumption}}"
       
 # Email Configuration
-SMTP_HOST=                  {{system_email.host}}
-SMTP_SECURE=                {{ 'ssl' if system_email.tls else '' }}
-SMTP_PORT=                  {{system_email.port}}
-SMTP_NAME=                  {{system_email.username}}
-SMTP_PASSWORD=              {{system_email.password}}
+SMTP_HOST=                      {{system_email.host}}
+SMTP_SECURE=                    {{ 'ssl' if system_email.tls else '' }}
+SMTP_PORT=                      {{system_email.port}}
+SMTP_NAME=                      {{system_email.username}}
+SMTP_PASSWORD=                  {{system_email.password}}
 
 # Email from configuration
-MAIL_FROM_ADDRESS=          "{{system_email.local}}"
-MAIL_DOMAIN=                "{{system_email.domain}}"
+MAIL_FROM_ADDRESS=              "{{system_email.local}}"
+MAIL_DOMAIN=                    "{{system_email.domain}}"
 
 # Initial Admin Data
-NEXTCLOUD_ADMIN_USER=       "{{applications[application_id].users.administrator.username}}"
-NEXTCLOUD_ADMIN_PASSWORD=   "{{applications[application_id].users.administrator.initial_password}}"
+NEXTCLOUD_ADMIN_USER=           "{{applications[application_id].users.administrator.username}}"
+NEXTCLOUD_ADMIN_PASSWORD=       "{{applications[application_id].users.administrator.initial_password}}"
 
-NEXTCLOUD_TRUSTED_DOMAINS=  "{{domains[application_id]}}"
+# Security
+
+NEXTCLOUD_TRUSTED_DOMAINS=      "{{domains[application_id]}}"
+# Whitelist local docker gateway in Nextcloud to prevent brute-force throtteling
+TRUSTED_PROXIES=                "192.168.102.65"
+OVERWRITECLIURL=                "https://{{domains[application_id]}}"
+OVERWRITEPROTOCOL=              "https"
+
+# Redis Configuration
+REDIS_HOST=                     redis
+REDIS_PORT=                     6379

roles/docker-nextcloud/vars/system.yml

@@ -12,12 +12,4 @@ nextcloud_system_config:
     value: "{{ on_calendar_nextcloud }}"
 
   - parameter: "default_phone_region"
-    value: "{{ locale | upper }}"
-
-  # Force https  
-  - parameter: "overwrite.cli.url"
-    value: "https://{{domains[application_id]}}"
-
-  # Force https
-  - parameter: "overwriteprotocol"
-    value: "https"
+    value: "{{ locale | upper }}"

roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2

@@ -9,6 +9,7 @@ location {{location | default("/")}}
   # headers
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header X-Forwarded-Port 443;
   proxy_set_header Accept-Encoding "";