From 93ff9ea575d1620114656cfc95c304dadae6209c Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 28 Feb 2025 15:53:27 +0100
Subject: [PATCH] Optimized PHP performance

---
 group_vars/all/07_applications.yml | 33 ++++++++------
 roles/docker-nextcloud/tasks/main.yml | 3 +-
 .../templates/config/memcache.config.php.j2 | 13 +++---
 .../config/turnserver.config.php.j2.draft | 1 +
 roles/docker-nextcloud/templates/env.j2 | 44 ++++++++++++-------
 roles/docker-nextcloud/vars/system.yml | 10 +----
 .../templates/proxy_pass.conf.j2 | 1 +
 7 files changed, 59 insertions(+), 46 deletions(-)

diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 72cada37..dc3afb02 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -257,31 +257,36 @@ defaults_applications: ## Nextcloud nextcloud: - version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ + version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ ldap: - enabled: True # Enables LDAP by default + enabled: True # Enables LDAP by default oidc: - enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud + enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud # floavor decides which OICD plugin should be used. # Available options: oidc_login, sociallogin # @see https://apps.nextcloud.com/apps/oidc_login # @see https://apps.nextcloud.com/apps/sociallogin - flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet - force_import: False # Forces the import of the LDIF files + flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet + force_import: False # Forces the import of the LDIF files database: - central_storage: True # Activate Central Database Storage + central_storage: True # Activate Central Database Storage credentials: -# database_password: Null # Needs to be set in inventory file +# database_password: Null # Needs to be set in inventory file users: administrator: username: "{{users.administrator.username}}" - initial_password: "{{users.administrator.initial_password}}" - default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) + initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA + default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) legacy_login_mask: - enabled: False # If true, then legacy login mask is shown. Otherwise just SSO + enabled: False # If true, then legacy login mask is shown. 
Otherwise just SSO container: - application: "nextcloud-application" # Nextcloud application container name - proxy: "nextcloud-web" # Nextcloud Proxy Container Name + application: "nextcloud-application" # Nextcloud application container name + proxy: "nextcloud-web" # Nextcloud Proxy Container Name + performance: + php: + memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit + upload_limit: "5G" # Set upload limit to 5GB for big media files + opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption plugins: # List for Nextcloud Plugin Routine # Decides if plugins should be activated or deactivated @@ -434,7 +439,7 @@ defaults_applications: enabled: false # Deactivated because it let to bugs richdocuments: # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments) - enabled: true + enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before sociallogin: # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin) enabled: "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}" @@ -443,7 +448,7 @@ defaults_applications: - oidc_login # Will be disabled spreed: # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed) - enabled: true + enabled: false # @todo to activate it first implement docker-coturn and activate it tables: # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables) enabled: true diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml index ab545a0d..49654293 100644 --- a/roles/docker-nextcloud/tasks/main.yml +++ b/roles/docker-nextcloud/tasks/main.yml 
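Review bot: `memory_limit` and `opcache_memory_consumption` are derived as total RAM / 30, which on a 4 GB host yields `136M` — below the 512 MB that Nextcloud's admin documentation recommends for the PHP memory_limit, and well below the `1G` the previous env.j2 said the duplicate-finder plugin needs. A floor keeps small hosts usable: `memory_limit: "{{ [ (ansible_memtotal_mb | int) // 30, 512 ] | max }}M"`, and the same shape for the opcache value. If I remember the Docker image correctly it passes `PHP_OPCACHE_MEMORY_CONSUMPTION` straight into `opcache.memory_consumption`, which PHP documents as an integer in megabytes; the `M` suffix appears to be dropped rather than parsed, so emitting the bare number there is safer. The `nextcloud:` mapping continues into the two later hunks of this file, which only disable richdocuments and spreed.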
@@ -16,7 +16,8 @@ owner: "{{nextcloud_docker_user_id}}" group: "{{nextcloud_docker_user_id}}" loop: "{{ lookup('fileglob', role_path ~ '/templates/config/*.j2', wantlist=True) }}" - notify: docker compose restart + # Not all type of changes take instantly place. Due to this reason a rebuild is required. + notify: docker compose project setup - name: "include role for {{application_id}} to recieve certs & do modification routines" include_role: diff --git a/roles/docker-nextcloud/templates/config/memcache.config.php.j2 b/roles/docker-nextcloud/templates/config/memcache.config.php.j2 index a5b0cc13..968233cc 100644 --- a/roles/docker-nextcloud/templates/config/memcache.config.php.j2 +++ b/roles/docker-nextcloud/templates/config/memcache.config.php.j2 @@ -4,10 +4,11 @@ return array ( # For single server setup APCu is recommended, for multi server setup Redis 'memcache.local' => '\\OC\\Memcache\\{% if deployment_mode == "single" %}APCu{% else %}Redis{% endif %}', - 'memcache.locking' => '\\OC\\Memcache\\Redis', - 'redis' => - array ( - 'host' => 'redis', - 'port' => 6379, - ) + # The following lines are configured via the environment variables + # 'memcache.locking' => '\\OC\\Memcache\\Redis', + # 'redis' => + # array ( + # 'host' => 'redis', + # 'port' => 6379, + # ) ); diff --git a/roles/docker-nextcloud/templates/config/turnserver.config.php.j2.draft b/roles/docker-nextcloud/templates/config/turnserver.config.php.j2.draft index c01f85d4..5707ae9f 100644 --- a/roles/docker-nextcloud/templates/config/turnserver.config.php.j2.draft +++ b/roles/docker-nextcloud/templates/config/turnserver.config.php.j2.draft @@ -1,6 +1,7 @@ [ [ 'host' => 'coturn', diff --git a/roles/docker-nextcloud/templates/env.j2 b/roles/docker-nextcloud/templates/env.j2 index 1d49cb6e..ed6160f2 100644 --- a/roles/docker-nextcloud/templates/env.j2 +++ b/roles/docker-nextcloud/templates/env.j2 
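Review bot: The new comment above `notify` is hard to parse ("Not all type of changes take instantly place"); suggest `# Not every config template change is picked up by a restart, so trigger the full project setup instead.` The task header and the module line the loop feeds sit above the hunk, so I cannot see whether the copied files are templates or plain copies.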
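Review bot: Commenting out `memcache.locking` and the `redis` block makes transactional file locking depend on the image generating its own Redis config from `REDIS_HOST` in env.j2; if that variable is absent or not honoured, Nextcloud falls back to database locking, as far as I know, with nothing in this file to flag it. The replacement comment should name what the removed lines now rely on, e.g. `# memcache.locking and the redis host/port are generated by the image from REDIS_HOST (and REDIS_HOST_PORT) in env.j2`. The `return array (` that encloses these lines is opened above the hunk.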
@@ -2,27 +2,39 @@ # @See https://github.com/nextcloud/docker/blob/master/README.md # Database Configuration -MYSQL_DATABASE= "{{database_name}}" -MYSQL_USER= "{{database_username}}" -MYSQL_PASSWORD= "{{database_password}}" -MYSQL_HOST= "{{database_host}}:{{database_port}}" +MYSQL_DATABASE= "{{database_name}}" +MYSQL_USER= "{{database_username}}" +MYSQL_PASSWORD= "{{database_password}}" +MYSQL_HOST= "{{database_host}}:{{database_port}}" -# Memory -PHP_MEMORY_LIMIT= 1G # Required for plugin duplicate finder +# PHP +PHP_MEMORY_LIMIT= "{{applications[application_id].perfomance.php.memory_limit}}" +PHP_UPLOAD_LIMIT= "{{applications[application_id].perfomance.php.upload_limit}}" +PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications[application_id].perfomance.php.opcache_memory_consumption}}" # Email Configuration -SMTP_HOST= {{system_email.host}} -SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }} -SMTP_PORT= {{system_email.port}} -SMTP_NAME= {{system_email.username}} -SMTP_PASSWORD= {{system_email.password}} +SMTP_HOST= {{system_email.host}} +SMTP_SECURE= {{ 'ssl' if system_email.tls else '' }} +SMTP_PORT= {{system_email.port}} +SMTP_NAME= {{system_email.username}} +SMTP_PASSWORD= {{system_email.password}} # Email from configuration -MAIL_FROM_ADDRESS= "{{system_email.local}}" -MAIL_DOMAIN= "{{system_email.domain}}" +MAIL_FROM_ADDRESS= "{{system_email.local}}" +MAIL_DOMAIN= "{{system_email.domain}}" # Initial Admin Data -NEXTCLOUD_ADMIN_USER= "{{applications[application_id].users.administrator.username}}" -NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].users.administrator.initial_password}}" +NEXTCLOUD_ADMIN_USER= "{{applications[application_id].users.administrator.username}}" +NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].users.administrator.initial_password}}" -NEXTCLOUD_TRUSTED_DOMAINS= "{{domains[application_id]}}" \ No newline at end of file +# Security + +NEXTCLOUD_TRUSTED_DOMAINS= "{{domains[application_id]}}" +# Whitelist local docker gateway 
in Nextcloud to prevent brute-force throtteling +TRUSTED_PROXIES= "192.168.102.65" +OVERWRITECLIURL= "https://{{domains[application_id]}}" +OVERWRITEPROTOCOL= "https" + +# Redis Configuration +REDIS_HOST= redis +REDIS_PORT= 6379 \ No newline at end of file diff --git a/roles/docker-nextcloud/vars/system.yml b/roles/docker-nextcloud/vars/system.yml index 5f118b79..3b066e6e 100644 --- a/roles/docker-nextcloud/vars/system.yml +++ b/roles/docker-nextcloud/vars/system.yml @@ -12,12 +12,4 @@ nextcloud_system_config: value: "{{ on_calendar_nextcloud }}" - parameter: "default_phone_region" - value: "{{ locale | upper }}" - - # Force https - - parameter: "overwrite.cli.url" - value: "https://{{domains[application_id]}}" - - # Force https - - parameter: "overwriteprotocol" - value: "https" \ No newline at end of file + value: "{{ locale | upper }}" \ No newline at end of file diff --git a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 index 7438a3bc..4c9815e4 100644 --- a/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/proxy_pass.conf.j2 @@ -9,6 +9,7 @@ location {{location | default("/")}} # headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port 443; proxy_set_header Accept-Encoding "";
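Review bot: The three new `PHP_*` lines read `applications[application_id].perfomance.php...`, but the key introduced in group_vars/all/07_applications.yml is spelled `performance`, so the template hits an undefined attribute and the play aborts (or renders empty limits if undefined errors are disabled); the fix is `.performance.php.` in all three. `TRUSTED_PROXIES= "192.168.102.65"` hard-codes one host's Docker gateway: wherever the bridge network gets another address nothing matches, Nextcloud attributes every request to the proxy's own IP, and the per-IP brute-force protection then throttles all users collectively — the opposite of what the comment intends — while logs lose the real client address. Take the value from the network definition instead, `TRUSTED_PROXIES= "{{ <docker gateway variable> }}"`, with the placeholder replaced by the variable that holds the gateway or the network CIDR. As far as I recall the image's README, the Redis port variable it honours is `REDIS_HOST_PORT`, so `REDIS_PORT= 6379` is inert (harmless, since 6379 is the default).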
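Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, and Nextcloud — once `TRUSTED_PROXIES` matches this proxy — takes the first valid address in that list as the client IP for brute-force throttling and logging, so a header supplied by the client ends up accepted as its source address. At an internet-facing edge, set the header from the connection instead: `proxy_set_header X-Forwarded-For $remote_addr;`, and keep `$proxy_add_x_forwarded_for` only where another trusted proxy sits in front of this nginx. The `location` block continues past the hunk.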