Jyzzu08/secure-nextcloud-lab

secure-nextcloud-lab

Self-hosted private cloud lab with Nextcloud, OpenLDAP, Nginx TLS, encrypted backups (Restic), and monitoring (Prometheus + Grafana).

Quick Links

  • Default domain: cloudlab.local
  • Main app: https://cloudlab.local
  • phpLDAPadmin: http://localhost:8080
  • Prometheus: http://localhost:9090
  • Grafana: http://localhost:3000
  • Project documentation (Word-compatible, ES): DOCUMENTACION_PROYECTO.rtf
  • Project documentation (Word-compatible, EN): PROJECT_DOCUMENTATION_EN.rtf

English Guide

Features

  • Docker Compose based deployment.
  • Nextcloud + MariaDB for private file sharing.
  • OpenLDAP centralized identity.
  • Nginx reverse proxy with HTTPS (self-signed cert generated by setup).
  • Encrypted full backups with Restic.
  • Monitoring stack with Prometheus, cAdvisor, Node Exporter, and Grafana.

Requirements

  • Linux or WSL2 recommended.
  • Docker + Docker Compose plugin.
  • Python 3 (python3 or py -3).
  • openssl available in PATH.

Installation

  1. Clone the repository:
       git clone https://github.com/Jyzzu08/secure-nextcloud-lab.git
       cd secure-nextcloud-lab
  2. Bootstrap the project and generate a secure .env:
       python3 setup.py
  3. Add the local DNS mapping to your hosts file:
       127.0.0.1    cloudlab.local
  4. Start services manually (if not started by setup):
       docker compose --env-file .env up -d
  5. Validate the deployment:
       ./script/check_system.sh

Security Notes

  • Do not commit .env, certificates, or generated data.
  • Demo LDAP users are configurable through .env (LDAP_DEMO_*).
  • Rotate generated passwords before production-like usage.
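
The first note above can be enforced mechanically before publishing. The following is an added example, not one of the repository's own scripts: a shell function that flags tracked paths that look like environment files or TLS material. The filename patterns, the `.env.example`/`.env.template` exemption, and the sample paths are assumptions, not the project's real layout.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): pre-publish guard that flags
# tracked paths which look like secrets. All patterns are assumptions.

# Reads one path per line on stdin, prints each sensitive path,
# and returns 1 if any was found (0 otherwise).
find_sensitive_paths() {
    local path base found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}                      # match on the file name only
        case "$base" in
            .env.example|.env.template) continue ;;  # assumed secret-free templates
            .env|.env.*|*.env) ;;                    # environment files with secrets
            *.key|*.pem|*.crt|*.p12|*.pfx) ;;        # TLS keys and certificates
            *) continue ;;
        esac
        printf '%s\n' "$path"
        found=1
    done
    return "$found"
}

# Constructed sample of `git ls-files` output for an offline demo;
# these paths are illustrative, not the repository's real layout.
sample_tracked_files() {
    cat <<'EOF'
README.md
docker-compose.yml
.env
.env.example
nginx/certs/cloudlab.local.key
nginx/certs/cloudlab.local.crt
script/check_system.sh
EOF
}

# Demo run on the constructed sample.
sample_tracked_files | find_sensitive_paths \
    || echo "sensitive files are tracked: do not publish" >&2

# Real use inside a repository (pre-commit hook or CI step):
#   git ls-files | find_sensitive_paths || exit 1
```
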

Operation Scripts

  • script/add_users_ldap.sh: loads the demo LDAP OUs, groups, and users.
  • script/full_backup.sh: full backup (DB + files + LDAP) with Restic.
  • script/restore.sh: restore from a Restic snapshot (requires sudo).
  • script/check_system.sh: health check of the services and the HTTPS endpoint.
  • clean.sh: full cleanup of generated data/secrets before publishing.

Restore note:

  • Linux/WSL: run sudo ./script/restore.sh for full ownership correction.
  • Windows Git Bash test mode: ALLOW_NON_ROOT_RESTORE=1 ./script/restore.sh.
  • If ownership correction cannot be verified in non-root mode, the script exits with warning code 2.

CI

The repository includes a basic GitHub Actions workflow (.github/workflows/ci.yml) for static checks.

Author

  • Name: Jesus Manzanero
  • GitHub: @Jyzzu08
  • Contact: jyzzu08@users.noreply.github.com
