Nextcloud

From Alpine Linux
Revision as of 23:05, 30 September 2021 by Earboxer (nginx is already in the www-data group)

Nextcloud is a WebDAV-based solution for storing and sharing your data online: files, images, video, music, calendars and contacts. Nextcloud is a fork of ownCloud with the enterprise features included.

Installation

nextcloud is available from Alpine 3.5 and greater.

Before you start installing anything, make sure you have the latest packages available. Make sure you are using an 'http' repository in your /etc/apk/repositories file, then:

apk update

Tip: Detailed information is found in this doc.

Database

First you have to decide which database to use. Use one of the databases listed below.

Sqlite

All you need to do is to install the package:

apk add nextcloud-sqlite

PostgreSQL

Install the package:

apk add nextcloud-pgsql postgresql postgresql-client

Next thing is to configure and start the database:

/etc/init.d/postgresql setup
/etc/init.d/postgresql start

Next, you need to create a user and temporarily grant the CREATEDB privilege:

psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q

Note: Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You will need them later when setting up nextcloud.

MariaDB

Install the package:

apk add nextcloud-mysql mariadb mariadb-client

Now configure and start mariadb:

mysql_install_db --user=mysql --datadir=/var/lib/mysql
/etc/init.d/mariadb start
/usr/bin/mysql_secure_installation

Follow the wizard to setup passwords, etc.

Note: Remember the usernames/passwords that you set using the wizard. You will need them later.

Next, you need to create a user and database and set permissions:

mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT

Note: Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You will need them later when setting up nextcloud.

The mariadb-client package was only needed for this setup step. You can remove it again (reinstall it whenever you need to administer the database by hand):

apk del mariadb-client
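The database steps above (PostgreSQL and MariaDB) and the later "Hardening PostgreSQL" step are one procedure: create a role with a strong password, give it only the privilege the installer needs, and take that privilege away afterwards. The script below is an added example, not part of the Alpine wiki or of the Nextcloud project; it replaces the hand-typed 'mycloud'/'test123' with a generated secret stored root-only. The role and database name "nextcloud", the secret file /root/nextcloud-db.secret and the use of CREATE USER IF NOT EXISTS instead of the GRANT ... IDENTIFIED BY form shown above are assumptions of the example.

```shell
#!/bin/sh
# Added example: least-privilege database bootstrap for Nextcloud on Alpine.
# Not from the Alpine wiki or the Nextcloud project. Assumed names: role and
# database "nextcloud", secret stored in /root/nextcloud-db.secret.
set -eu

DB_NAME=${DB_NAME:-nextcloud}
DB_USER=${DB_USER:-nextcloud}
SECRET_FILE=${SECRET_FILE:-/root/nextcloud-db.secret}

# 32 characters from /dev/urandom restricted to [A-Za-z0-9] (about 190 bits),
# deliberately without characters that need quoting in SQL, shell or config.php.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Double single quotes so an arbitrary value can sit inside an SQL string literal.
sql_quote() {
    printf %s "$1" | sed "s/'/''/g"
}

# PostgreSQL: role with a password; CREATEDB is granted only for the web installer.
pg_setup_sql() {
    printf "CREATE USER \"%s\" WITH PASSWORD '%s';\nALTER ROLE \"%s\" CREATEDB;\n" \
        "$1" "$(sql_quote "$2")" "$1"
}

# PostgreSQL, after the installer has created the database: drop CREATEDB again.
pg_harden_sql() {
    printf "ALTER ROLE \"%s\" NOCREATEDB;\n" "$1"
}

# MariaDB: one database and one user that can reach only that database, from localhost only.
maria_setup_sql() {
    printf "CREATE DATABASE IF NOT EXISTS \`%s\`;\nCREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\nGRANT ALL ON \`%s\`.* TO '%s'@'localhost';\nFLUSH PRIVILEGES;\n" \
        "$1" "$2" "$(sql_quote "$3")" "$1" "$2"
}

# Write the secret with owner-only permissions before it is used anywhere.
store_secret() {
    ( umask 077; printf '%s\n' "$2" >"$1" )
}

main() {
    backend=${1:-pgsql}
    secret=$(gen_secret)
    store_secret "$SECRET_FILE" "$secret"
    case $backend in
        pgsql) pg_setup_sql "$DB_USER" "$secret" | psql -U postgres -v ON_ERROR_STOP=1 ;;
        mysql) maria_setup_sql "$DB_NAME" "$DB_USER" "$secret" | mysql -u root -p ;;
        *) echo "usage: $0 pgsql|mysql" >&2; exit 2 ;;
    esac
    echo "database user $DB_USER created; password stored in $SECRET_FILE"
    [ "$backend" = pgsql ] && echo "after the web installer finishes run: pg_harden_sql $DB_USER | psql -U postgres"
}

# Usage: sh nextcloud-db-setup.sh pgsql   (or: mysql). Sourcing the file only defines the helpers.
if [ -n "${1:-}" ]; then
    main "$@"
fi
```

The password is deliberately alphanumeric: Nextcloud writes it verbatim into config.php, and a quoting mistake there is a silent way to lock yourself out. CREATEDB is granted for exactly as long as the installer needs it; once Nextcloud has created its database, the role only needs to own that one database.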

Webserver

Next, choose, install and configure a webserver. This document covers nginx and lighttpd. Nginx is preferred over lighttpd, since the latter consumes a lot of memory when handling large files (see lighty bug #1283). You are free to use any other webserver as long as it supports PHP over FastCGI. Obtaining an SSL certificate for your webserver is outside the scope of this document (a self-signed one is shown further down).

The nextcloud-initscript package provides an OpenRC service that runs a dedicated php-fpm instance for Nextcloud, listening on /run/nextcloud/fastcgi.sock:

apk add nextcloud-initscript

Nginx

Install the needed packages:

apk add nginx php7-fpm

Remove or comment out any section like this in /etc/nginx/nginx.conf:

Contents of /etc/nginx/nginx.conf

server {
    listen ...
}

Include the following directive in the http block of /etc/nginx/nginx.conf:

Contents of /etc/nginx/nginx.conf

http {
    ...
    include /etc/nginx/sites-enabled/*;
    ...
}

Create directories for your websites:

mkdir /etc/nginx/sites-available

mkdir /etc/nginx/sites-enabled

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com:

server {
    #listen      [::]:80; #uncomment for IPv6 support
    listen       80;
    server_name  mysite.mydomain.com;
    # Plain HTTP only redirects to HTTPS; nothing is served in clear text.
    return 301 https://$host$request_uri;
}

server {
    #listen      [::]:443 ssl; #uncomment for IPv6 support
    listen       443 ssl;
    server_name  mysite.mydomain.com;

    root   /usr/share/webapps/nextcloud;
    index  index.php index.html index.htm;
    disable_symlinks off;

    ssl_certificate      /etc/ssl/cert.pem;
    ssl_certificate_key  /etc/ssl/key.pem;
    ssl_session_timeout  5m;

    #Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
    #Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
    #ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
    #ssl_prefer_server_ciphers  on;

    location / {
        # Nextcloud's own documented nginx configuration uses
        # /index.php$request_uri as the fallback so that pretty URLs and
        # WebDAV paths reach the front controller; /index.html relies on the
        # shipped index.html bouncing the browser to index.php.
        try_files $uri $uri/ /index.html;
    }

    # pass PHP scripts to the php-fpm instance started by nextcloud-initscript
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script part does not exist on disk. Without
        # this check a request such as /data/x.jpg/foo.php can get an uploaded
        # file executed as PHP when cgi.fix_pathinfo is enabled.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        #fastcgi_pass 127.0.0.1:9000;
        #fastcgi_pass unix:/run/php-fpm/socket;
        fastcgi_pass unix:/run/nextcloud/fastcgi.sock; # From the nextcloud-initscript package
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

If you are running from RAM and dealing with large files, you might need to move the FastCGI temporary files from /tmp to /var/tmp or to another directory that is backed by disk:

fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;

Large file uploads take some time to be processed by php-fpm, so bump the nginx default read timeout (inside the PHP location block):

fastcgi_read_timeout 300s;

Set user and group for php-fpm in /etc/php7/php-fpm.d/www.conf:

...
user = nginx
group = www-data
...
Note: If you are serving several users, make sure to tune pm.max_children and the other pm.* settings in /etc/php7/php-fpm.d/www.conf.

Also pass $PATH and the temporary-directory variables through to PHP by uncommenting the following lines in /etc/php7/php-fpm.d/www.conf:

...
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
...

Enable your website:

ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com

The stock nginx configuration answers every request with a 404 page, because /etc/nginx/nginx.conf only includes the default site from /etc/nginx/conf.d. Make sure it includes your sites-enabled directory instead:

...
# Includes virtual hosts configs.
# include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
...

Start services:

rc-service php-fpm7 start
rc-service nginx start
rc-service nextcloud start

Enable automatic startup of services:

rc-update add php-fpm7
rc-update add nginx
rc-update add nextcloud

Lighttpd

Install the package:

apk add lighttpd php7-cgi

Make sure you have FastCGI enabled in lighttpd:

Contents of /etc/lighttpd/lighttpd.conf

...
include "mod_fastcgi.conf"
...

Start up the webserver:

/etc/init.d/lighttpd start

Tip: You might want to follow the Lighttpd_Https_access doc in order to configure lighttpd to use https (securing your connections to your nextcloud server).

Link nextcloud installation to web server directory:

ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs

Other settings

Hardening

Consider updating the variable url.access-deny in /etc/lighttpd/lighttpd.conf for additional security. Add "config.php" to the list: that file holds the database credentials and the instance secrets (not the database itself), and lighttpd does not honour the .htaccess that protects it under Apache. The result looks something like this:

Contents of /etc/lighttpd/lighttpd.conf

...
url.access-deny = ("~", ".inc", "config.php")
...

Restart lighttpd to activate the changes:

/etc/init.d/lighttpd restart
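Neither the nginx site configuration above nor the lighttpd url.access-deny line is checked by Nextcloud itself, and both webservers ignore the .htaccess rules that protect config.php, the data directory and the code tree under Apache. The script below is an added example (not from the Alpine wiki or the Nextcloud project) that verifies, from the outside, that those paths are refused after the webserver is up. It assumes curl is installed (apk add curl), that the site is reachable over HTTPS, and that the list of paths matches Nextcloud's layout under /usr/share/webapps/nextcloud; the fetcher is a parameter only so the logic can be exercised without a live server.

```shell
#!/bin/sh
# Added example: post-install exposure check for a Nextcloud webroot.
# Not from the Alpine wiki or the Nextcloud project. Assumes curl is installed.
set -e

# Paths that must never be answered with content. config/ holds config.php with
# the database credentials and instance secrets; data/ holds user files (only
# reachable if the data directory sits inside the webroot); the rest expose
# code or metadata that Nextcloud's shipped .htaccess blocks under Apache.
DENY_PATHS="/config/config.php /config/ /data/ /data/.ocdata /.htaccess /occ /db_structure.xml /lib/base.php /3rdparty/ /templates/"

# Fetch one URL and print only the HTTP status code. -k accepts the self-signed
# certificate from the section below; drop it once you use a trusted one.
fetch_status() {
    curl -k -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || echo 000
}

# check_exposure BASE_URL [FETCHER]
# Prints one line per path; returns 1 if any path is answered with something
# other than 403 or 404 (a 200, a redirect, a 500, or no answer at all).
check_exposure() {
    base=${1%/}
    fetcher=${2:-fetch_status}
    rc=0
    for p in $DENY_PATHS; do
        code=$("$fetcher" "$base$p")
        case $code in
            403|404) printf 'ok         %s %s\n' "$code" "$p" ;;
            000)     printf 'NO ANSWER  %s %s\n' "$code" "$p"; rc=1 ;;
            *)       printf 'NOT DENIED %s %s\n' "$code" "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh nextcloud-exposure-check.sh https://mysite.mydomain.com
if [ -n "${1:-}" ]; then
    check_exposure "$1"
fi
```

If the script reports NOT DENIED for a path under nginx, add explicit deny rules to the site configuration, for example `location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }` and `location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }`, which is what Nextcloud's own documented nginx configuration does; under lighttpd extend url.access-deny. A 500 on /lib/base.php means the file was handed to PHP rather than refused, which is still a NOT DENIED finding: the right answer is 403 or 404.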

Additional packages

Some large apps, such as pdfviewer, texteditor, notifications and videoplayer are in separate packages:

apk add nextcloud-pdfviewer nextcloud-texteditor nextcloud-notifications nextcloud-videoplayer

How To Create a Self-Signed SSL Certificate

Install openssl:

apk add openssl

Generate your self-signed certificate and its private key. Browsers match the hostname against the subjectAltName extension, not the CN, so set both:

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/CN=mysite.mydomain.com" -addext "subjectAltName=DNS:mysite.mydomain.com"

Point the ssl_certificate directives in your site configuration at the new files:

Contents of /etc/nginx/sites-available/mysite.mydomain.com

ssl_certificate      /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key  /etc/ssl/private/nginx-selfsigned.key;

Configure and use Nextcloud

Configure

Point your browser at https://mysite.mydomain.com and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

Hardening PostgreSQL

If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:

psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q

Increase upload size

The default PHP configuration limits uploads to 2 MB. You might want to increase that by editing /etc/php7/php.ini and changing the following values to something that suits you (post_max_size must be at least as large as upload_max_filesize). With nginx, also raise client_max_body_size in the site configuration, since its default of 1 MB would otherwise reject the upload with a 413 before PHP ever sees it:

upload_max_filesize = 2M
post_max_size = 8M

Enable opcache for nginx/php7

To increase performance, install

apk add php7-opcache

Now uncomment/edit lines in /etc/php7/php.ini:

...
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
...

Restart php-fpm7:

rc-service php-fpm7 restart

Clients

There are clients available for many platforms, Android included.

On Alpine, nextcloud-client is currently available in the testing repository.

Video Communication

One of the major features of Nextcloud 11, available on Alpine 3.6 (currently edge), is a WebRTC app that relies on the Spreed WebRTC server, which is packaged in the Alpine testing repository. Everything is still beta, so be aware of that :-). If you want a private video conferencing server, install Nextcloud using nginx and do the following (Apache works as well; follow the Apache configuration instructions at nextcloud.com):

Put the following config in the server section of Nginx:

# Spreed WebRTC
location ^~ /webrtc {
  proxy_pass http://127.0.0.1:8080;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_buffering             on;
  proxy_ignore_client_abort   off;
  proxy_redirect              off;
  proxy_connect_timeout       90;
  proxy_send_timeout          90;
  proxy_read_timeout          90;
  proxy_buffer_size           4k;
  proxy_buffers               4 32k;
  proxy_busy_buffers_size     64k;
  proxy_temp_file_write_size  64k;
  proxy_next_upstream         error timeout invalid_header http_502 http_503 http_504;
}

Put the following section in the http section of Nginx:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

Reload Nginx:

rc-service nginx reload

Install the Spreed WebRTC server (make sure you have the testing repository enabled):

apk add spreed-web-server

Using the configuration file in /etc/spreed-webrtc/spreed-webrtc-server.conf follow the instructions at nextcloud.com to configure Spreed WebRTC server. Then start the server:

rc-service spreed-web-server start

rc-update add spreed-web-server

Install the Spreed video calls app in Nextcloud and enjoy your private video calls.