Nextcloud: Difference between revisions

From Alpine Linux
(typo)
m (added hint on how to use occ)
 
(58 intermediate revisions by 20 users not shown)
Line 1: Line 1:
{{Draft|This is just a fork of OwnCloud AL wiki page. Do not follow these instructions until this notice is removed}}
[https://nextcloud.com/ Nextcloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [https://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of ownCloud with enterprise features included].
 
[http://nextcloud.com/ Next] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [http://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of ownCloud with enterprise features included].


= Installation =
= Installation =
{{pkg|nextcloud}} is available from Alpine 3.5 (currently edge) and greater.
{{pkg|nextcloud}} is available in Alpine 3.5 and greater.


Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
Before you start installing anything, make sure you have the latest packages available. Make sure you are using an 'http' repository in your {{path|/etc/apk/repositories}} file, then:
{{cmd|apk update}}
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}


== Database ==
== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
First you have to decide which database to use. Use one of the databases listed below.
=== sqlite ===
 
All you need to do is to install the package
=== Sqlite ===
All you need to do is to install the package:
{{cmd|apk add nextcloud-sqlite}}
{{cmd|apk add nextcloud-sqlite}}


=== postgresql ===
=== PostgreSQL ===
Install the package
Install the package:
{{cmd|apk add nextcloud-pgsql}}
{{cmd|apk add nextcloud-pgsql postgresql postgresql-client}}


Next thing is to configure and start the database
Next thing is to configure and start the database:
{{cmd|/etc/init.d/postgresql setup
{{cmd|rc-service postgresql setup
/etc/init.d/postgresql start}}
rc-service postgresql start}}


Next you need to create a user, and temporary grant CREATEDB privilege.
Next, you need to create a user and temporarily grant the CREATEDB privilege:
{{cmd|psql -U postgres
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
ALTER ROLE mycloud CREATEDB;
\q}}
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}
{{Note|Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You will need them later when setting up nextcloud.}}


=== mysql ===
Set postgresql to start on boot/:
Install the package
{{cmd|rc-update add postgresql}}
{{cmd|apk add nextcloud-mysql mysql-client}}


Now configure and start {{pkg|mysql}}
=== MariaDB ===
{{cmd|/etc/init.d/mysql setup
Install the package:
/etc/init.d/mysql start
{{cmd|apk add nextcloud-mysql mariadb mariadb-client}}
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}


Next you need to create a user, database and set permissions.
Now configure and start {{pkg|mariadb}}:
{{cmd|<nowiki>mysql_install_db --user=mysql --datadir=/var/lib/mysql</nowiki>
service mariadb start
rc-update add mariadb
mysql_secure_installation}}
Follow the wizard to setup passwords, etc.
{{Note|Remember the usernames/passwords that you set using the wizard. You will need them later.}}
 
Next, you need to create a user and database and set permissions:
{{cmd|mysql -u root -p
{{cmd|mysql -u root -p
CREATE DATABASE nextcloud;
CREATE DATABASE nextcloud;
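Review bot: The lead paragraph kept in the new revision still reads "WedDAV-based" (WebDAV is meant), and the added PostgreSQL line "Set postgresql to start on boot/:" has a stray slash before the colon. Both are worth fixing in the same edit, since this revision is already a wording cleanup of the surrounding lines.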
Line 49: Line 52:
FLUSH PRIVILEGES;
FLUSH PRIVILEGES;
EXIT}}
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}
{{Note|Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You will need them later when setting up nextcloud.}}


{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{pkg|mariadb-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}
{{cmd|apk del mariadb-client}}


== Webserver ==
== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.
Next thing is to choose, install, and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. Generating an SSL certificate for your webserver is outside of the scope of this document.


=== Nginx ===
{{pkg|nextcloud-initscript}} facilitates running the webserver with php-fpm.
Install the needed packages
{{cmd|apk add nginx php-fpm}}


'''Remove/comment''' any section like this in
{{cmd|apk add nextcloud-initscript}}
{{cat|/etc/nginx/nginx.conf|
server {
        listen ...
      }
}}


Include the following directive in
=== Nginx ===
{{cat|/etc/nginx/nginx.conf|
Install the needed packages:
http {
{{cmd|apk add nginx}}
      ...
      include /etc/nginx/sites-enabled/*;
      ...
}}


Create a directory for your websites
Delete the default nginx website configuration:
{{cmd|mkdir /etc/nginx/sites-available}}
{{cmd|rm /etc/nginx/http.d/default.conf}}


Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
Create a configuration file for your site in {{path|/etc/nginx/http.d/mysite.mydomain.com.conf}}:
<pre>
{{Cat|/etc/nginx/http.d/mysite.mydomain.com.conf|server {
server {
         #listen      [::]:80; #uncomment for IPv6 support
         #listen      [::]:80; #uncomment for IPv6 support
         listen      80;
         listen      80;
Line 93: Line 84:
         server_name  mysite.mydomain.com;
         server_name  mysite.mydomain.com;


root /var/www/vhosts/mysite.mydomain.com/www;
root /usr/share/webapps/nextcloud;
         index  index.php index.html index.htm;
         index  index.php index.html index.htm;
disable_symlinks off;
disable_symlinks off;
Line 99: Line 90:
         ssl_certificate      /etc/ssl/cert.pem;
         ssl_certificate      /etc/ssl/cert.pem;
         ssl_certificate_key  /etc/ssl/key.pem;
         ssl_certificate_key  /etc/ssl/key.pem;
        ssl_session_cache    shared:SSL:1m;
         ssl_session_timeout  5m;
         ssl_session_timeout  5m;


Line 114: Line 103:


         # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
         # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
         location ~ [^/]\.php(/|$) {
         location ~ [^/]\.php(/&#124;$) {
                 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                 if (!-f $document_root$fastcgi_script_name) {
                 if (!-f $document_root$fastcgi_script_name) {
                         return 404;
                         return 404;
                 }
                 }
                 fastcgi_pass 127.0.0.1:9000;
                 #fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
#fastcgi_pass unix:/run/php-fpm/socket;
fastcgi_pass unix:/run/nextcloud/fastcgi.sock; # From the nextcloud-initscript package
                 fastcgi_index index.php;
                 fastcgi_index index.php;
                 include fastcgi.conf;
                 include fastcgi.conf;
}
}
        # Help pass nextcloud's configuration checks after install:
        # Per https://docs.nextcloud.com/server/22/admin_manual/issues/general_troubleshooting.html#service-discovery
        location ^~ /.well-known/carddav { return 301 /remote.php/dav/; }
        location ^~ /.well-known/caldav { return 301 /remote.php/dav/; }
        location ^~ /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
        location ^~ /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
}
}
}}
If you plan to enable uploads - and you probably do) - then you need to modify the default:
<pre>
client_max_body_size 1m;'
</pre>
setting in {{path|/etc/nginx/nginx.conf}}. For testing purposes, I disabled the limit by changing it to:
<pre>
client_max_body_size 0;
</pre>
This enabled large file uploads and auto-uploads to work. Note, this is a file-size restriction in addition to the restriction set in {{path|/etc/php81/php-fpm.d/nextcloud.conf}}. That second restriction defaults to:
<pre>
; Maximal size of a file that can be uploaded via web interface.
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 513M
php_admin_value[upload_max_filesize] = 513M
</pre>
Another setting that may limit file-size is in configuration file {{path|/etc/php81/php.ini}}, where I set the restriction to to:
<pre>
upload_max_filesize = 513M
</pre>
</pre>
to match the {{path|/etc/php81/php-fpm.d/nextcloud.conf}} file-size restriction.


If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
If you are running from RAM and you're dealing with large files you might need to move the FastCGI temp file from {{path|/tmp}} to {{path|/var/tmp}} or to a directory that is mounted on hdd:
<pre>
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>
</pre>


Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:
Large file uploads take some time to be processed by php-fpm, so you need to bump the Nginx default read timeout:


<pre>
<pre>
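Review bot: In the added upload paragraph, `client_max_body_size 0;` removes nginx's request-body limit entirely instead of raising it. Suggest setting it to match the 513M shown for `post_max_size` and `upload_max_filesize`, so nginx rejects oversized requests before they reach php-fpm. The same paragraph also has a stray quote after `client_max_body_size 1m;`, an unbalanced parenthesis in "- and you probably do) -", a doubled "to to", and a second `</pre>` after the php.ini snippet.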
Line 138: Line 160:
</pre>
</pre>


Set user and group for php-fpm in /etc/php/php-fpm.conf
{{Note|If you are serving several users make sure to tune the *''pm.max_children'' setting in {{path|/etc/php81/php-fpm.d/nextcloud.conf}}}}
 
{{path|/etc/nginx/nginx.conf}} should already be configured to load your site config from this directory:
<pre>
<pre>
...
...
user = nginx
# Includes virtual hosts configs.
group = www-data
include /etc/nginx/http.d/*;
...
...
</pre>
</pre>


{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}
Start services:
{{cmd|service nginx start
service nextcloud start}}


Make nginx user member of www-data group
Enable automatic startup of services:
{{cmd|addgroup nginx www-data}}
{{cmd|rc-update add nginx
 
rc-update add nextcloud}}
Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}
 
Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}


=== Lighttpd ===
=== Lighttpd ===
Install the package
Install the package:
{{cmd|apk add lighttpd php-cgi}}
{{cmd|apk add lighttpd php5-cgi}}


Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
Line 167: Line 187:
...}}
...}}


Start up the webserver
Start up the webserver:
{{cmd|/etc/init.d/lighttpd start}}
{{cmd|rc-service lighttpd start}}


{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}
{{tip|You might want to follow the [[Lighttpd_Advanced_security#Https_access|Lighttpd_Https_access]] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}


Link {{pkg|nextcloud}} installation to web server directory:
Link {{pkg|nextcloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}
== Firewall ==
Next up, open the desired port for the webserver in the firewall. You can use the following snippet as a reference for an nftable rule in a new file{{path|/etc/nftables.d/50-https.nft}}:
{{Cat|/etc/nftables.d/50-https.nft|
#!/usr/sbin/nft -f
table inet filter {
chain input {
# allow https
tcp dport 443 accept comment "accept HTTPS"
}
}
}}


== Other settings ==
== Other settings ==
Line 181: Line 214:
url.access-deny {{=}} ("~", ".inc", "config.php")
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
...}}
Restart {{pkg|lighttpd}} to activate the changes
Restart {{pkg|lighttpd}} to activate the changes:
{{cmd|/etc/init.d/lighttpd restart}}
{{cmd|rc-service lighttpd restart}}


=== Additional packages ===
=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
Some large apps, such as pdfviewer, texteditor, notifications and videoplayer are in separate packages:
{{cmd|apk add nextcloud-texteditor nextcloud-documents nextcloud-videoviewer}}
{{cmd|apk add nextcloud-files_pdfviewer nextcloud-text nextcloud-notifications nextcloud-files_videoplayer nextcloud-files_external}}
You can also install the {{pkg|nextcloud-default-apps}} meta-package which installs all 30 core Nextcloud apps (listed as dependencies under aforementioned link):
{{cmd|apk add nextcloud-default-apps}}
 
=== How To Create a Self-Signed SSL Certificate ===
Install openssl:
{{cmd|apk add openssl}}
Generate your self signed certificate and its private key:
{{cmd|<nowiki>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl1.1/private/nextcloud-selfsigned.key -out /etc/ssl1.1/certs/nextcloud-selfsigned.crt</nowiki>}}
Edit your nginx configuration:
{{cat|/etc/nginx/http.d/mysite.mydomain.com.conf|
ssl_certificate      /etc/ssl1.1/certs/nextcloud-selfsigned.crt;
ssl_certificate_key  /etc/ssl1.1/private/nextcloud-selfsigned.key;
}}
 
=== How To Install and Set Up Auto-Renewing LetsEncrypt SSL Certificate ===
After first setting up the Nextcloud server using the instructions in the 'Configure and use Nextcloud' section below, I then followed the SSL-setup instructions at: [[https://techjogging.com/create-letsencrypt-certificate-alpine-nginx.html Tech Jogging]].
 
I also had to add my Nextcloud servers Fully Qualified Domain Name (FQDN) to the list of trusted domains in /etc/nextcloud/config.php. In the section labelled: 'trusted_domains':
 
<pre>
'trusted_domains' =>
  array (
    0 => '<machine's local IP address>',
    1 => 'nextcloud.mydomain.com',
  ),
}}
</pre>
 
= Configure and use Nextcloud =


= Configure and use nextcloud =
== Configure ==
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.


== Hardening postgresql ==
== Hardening PostgreSQL ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
{{cmd|psql -U postgres
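Review bot: The added 'trusted_domains' snippet ends with a stray `}}` just before `</pre>`, so it renders as part of the config a reader will copy into /etc/nextcloud/config.php; drop it. The Let's Encrypt link is written as `[[https://techjogging.com/... Tech Jogging]]` with double brackets, which leaves literal brackets around the rendered link; an external link takes single brackets. The self-signed section generates the key with `-nodes` (unencrypted) but says nothing about who may read the resulting file under /etc/ssl1.1/private/, so a sentence on ownership and permissions would help.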
Line 199: Line 260:


== Increase upload size ==
== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
{{path|/etc/php81/php-fpm.d/nextcloud.conf}} has overridden default file sizes, but they can be modified further to suit your needs:
<pre>
; Maximal size of a file that can be uploaded via web interface.
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 513M
php_admin_value[upload_max_filesize] = 513M
</pre>
 
== Enable opcache for nginx/php81 ==
To increase performace install
{{cmd|apk add php81-opcache}}
 
Now uncomment/edit lines in /etc/php81/php.ini:
<pre>
...
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128 //you can reduce this slightly when short on RAM
opcache.save_comments=1
opcache.revalidate_freq=1
...
</pre>
 
Restart php-fpm81
{{cmd|rc-service php-fpm81 restart}}
 
 
== Enable thumbnail for video ==
 
To be able to generate thumbnails for videos, besides [https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/previews_configuration.html configuring] nextcloud, you will need to unlist <code>proc_open</code> from php's disabled functions. PHP relies on that function to call ffmpeg to generate the thumbnails, without that it will fail to do so even if you have it enabled on config.php.
 
Remove <code>proc_open</code> from the disabled function in {{path|/etc/php81/php-fpm.d/nextcloud.conf}}:
 
<pre>
<pre>
upload_max_filesize = 2M
; Disable certain functions for security reasons.
post_max_size = 8M
; http://php.net/disable-functions
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,curl_multi_exec,show_source
</pre>
</pre>
Now add <code>'OC\\Preview\\Movie'</code> to the list of <code>'enabledPreviewProviders'</code> and have ffmpeg installed:
{{cmd|apk add ffmpeg}}
After restarting the fpm service it should start generating thumbnails for videos.


== Clients ==
== Clients ==
There are clients available for many platforms, Android included:
There are clients available for many platforms, Android included:
* http://nextcloud.org/sync-clients/ ''(nextcloud Sync clients)''
* https://nextcloud.org/sync-clients/{{dead link}} ''(nextcloud Sync clients)''
* http://nextcloud.org/support/android/ ''(Android client)''
* https://nextcloud.com/install/ ''(Android client)''
 
{{pkg|nextcloud-client}} is currently available in the community repo.
 
= Video Communication =
One of the major features of Nextcloud 11, available on Alpine 3.6 (currently edge) is a [https://nextcloud.com/webrtc/ WebRTC app], which relies on Spreed WebRTC server, which is available in the Alpine testing repository. Everything is still beta, so be aware of it :-). If you want a private video conferencing server install Nextcloud using Nginx and do the following (you can use Apache as well and follow the ''Apache config'' instructions [https://nextcloud.com/webrtc/ nextcloud.com]):
 
Put the following config in the ''server'' section of Nginx:
<pre>
# Spreed WebRTC
location ^~ /webrtc {
  proxy_pass http://127.0.0.1:8080;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
  proxy_buffering            on;
  proxy_ignore_client_abort  off;
  proxy_redirect              off;
  proxy_connect_timeout      90;
  proxy_send_timeout          90;
  proxy_read_timeout          90;
  proxy_buffer_size          4k;
  proxy_buffers              4 32k;
  proxy_busy_buffers_size    64k;
  proxy_temp_file_write_size  64k;
  proxy_next_upstream        error timeout invalid_header http_502 http_503 http_504;
}
</pre>
 
Put the following section in the ''http'' section of Nginx:
<pre>
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}
</pre>
 
Reload Nginx:
{{cmd|rc-service nginx reload}}
 
Install Spreed WedRTC server (make sure you have the testing [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Packages_and_Repositories repository] enabled):
{{cmd|apk add spreed-web-server}}
 
Using the configuration file in ''/etc/spreed-webrtc/spreed-webrtc-server.conf'' follow the instructions at [https://nextcloud.com/webrtc/ nextcloud.com] to configure Spreed WebRTC server. Then start the server:
{{cmd|rc-service spreed-web-server start}}
{{cmd|rc-update add spreed-web-server}}
 
Install the ''Spreed video calls'' app in Nextcloud and enjoy your private video calls.
 
= Nextcloud CLI occ =
 
Access to nextcloud's CLI tool occ:
 
{{cmd|sudo -u nextcloud php82 /usr/share/webapps/nextcloud/occ}}
 
= Upgrading =
 
If you're using alpine stable, rather than edge, be aware when an upgrade skips a major release version: Nextcloud doesn't support skipping a major release version in its upgrade path. For this reason, alpine also packages the previous nextcloud release as a separate package.
 
== See also ==
* [https://wiki.archlinux.org/title/Nextcloud Nextcloud - Archwiki]


[[Category:Server]]
[[Category:Server]]
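Review bot: In the added opcache block, the remark on `opcache.memory_consumption=128 //you can reduce this slightly when short on RAM` uses `//`, but php.ini comments start with `;`, so the remark becomes part of the value as written; use `;` or move it into the prose. The new occ command calls `php82` while every path added in this revision is under /etc/php81, so the page should say which PHP version the packaged Nextcloud actually uses. The video thumbnail section asks the reader to take `proc_open` off a list the snippet itself labels "for security reasons"; a sentence limiting that change to installs that need video previews would be appropriate.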

Latest revision as of 19:31, 30 September 2024

Nextcloud is a WebDAV-based solution for storing and sharing your data, files, images, video, music, calendars and contacts online. Nextcloud is a fork of ownCloud with enterprise features included.

Installation

nextcloud is available in Alpine 3.5 and greater.

Before you start installing anything, make sure you have the latest packages available. Make sure you are using an 'http' repository in your /etc/apk/repositories file, then:

apk update

Tip: Detailed information is found in this doc.

Database

First you have to decide which database to use. Use one of the databases listed below.

Sqlite

All you need to do is to install the package:

apk add nextcloud-sqlite

PostgreSQL

Install the package:

apk add nextcloud-pgsql postgresql postgresql-client

Next thing is to configure and start the database:

rc-service postgresql setup
rc-service postgresql start

Next, you need to create a user and temporarily grant the CREATEDB privilege:

psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q

Note: Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You will need them later when setting up nextcloud.

Set postgresql to start on boot:

rc-update add postgresql

MariaDB

Install the package:

apk add nextcloud-mysql mariadb mariadb-client

Now configure and start mariadb:

mysql_install_db --user=mysql --datadir=/var/lib/mysql
service mariadb start
rc-update add mariadb
mysql_secure_installation

Follow the wizard to set up passwords, etc.

Note: Remember the usernames/passwords that you set using the wizard. You will need them later.

Next, you need to create a user and database and set permissions:

mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT

Note: Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You will need them later when setting up nextcloud.

mariadb-client is not needed anymore. Let's uninstall it:

apk del mariadb-client

Webserver

Next thing is to choose, install, and configure a webserver. In this example we will install nginx or lighttpd. You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. Generating an SSL certificate for your webserver is outside of the scope of this document.

nextcloud-initscript facilitates running the webserver with php-fpm.

apk add nextcloud-initscript

Nginx

Install the needed packages:

apk add nginx

Delete the default nginx website configuration:

rm /etc/nginx/http.d/default.conf

Create a configuration file for your site in /etc/nginx/http.d/mysite.mydomain.com.conf:

Contents of /etc/nginx/http.d/mysite.mydomain.com.conf

server {
        #listen       [::]:80; #uncomment for IPv6 support
        listen       80;
        return 301 https://$host$request_uri;
        server_name  mysite.mydomain.com;
}

server {
        #listen       [::]:443 ssl; #uncomment for IPv6 support
        listen       443 ssl;
        server_name  mysite.mydomain.com;

        root /usr/share/webapps/nextcloud;
        index  index.php index.html index.htm;
        disable_symlinks off;

        ssl_certificate      /etc/ssl/cert.pem;
        ssl_certificate_key  /etc/ssl/key.pem;
        ssl_session_timeout  5m;

        #Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
        #Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
        #ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
        #ssl_prefer_server_ciphers  on;

        location / {
                try_files $uri $uri/ /index.html;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                }
                #fastcgi_pass 127.0.0.1:9000;
                #fastcgi_pass unix:/run/php-fpm/socket;
                fastcgi_pass unix:/run/nextcloud/fastcgi.sock; # From the nextcloud-initscript package
                fastcgi_index index.php;
                include fastcgi.conf;
        }

        # Help pass nextcloud's configuration checks after install:
        # Per https://docs.nextcloud.com/server/22/admin_manual/issues/general_troubleshooting.html#service-discovery
        location ^~ /.well-known/carddav { return 301 /remote.php/dav/; }
        location ^~ /.well-known/caldav { return 301 /remote.php/dav/; }
        location ^~ /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
        location ^~ /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
}

If you plan to enable uploads (and you probably do), then you need to modify the default:

client_max_body_size 1m;

setting in /etc/nginx/nginx.conf. For testing purposes, I disabled the limit by changing it to:

client_max_body_size 0;

This enabled large file uploads and auto-uploads to work. Note, this is a file-size restriction in addition to the restriction set in /etc/php81/php-fpm.d/nextcloud.conf. That second restriction defaults to:

; Maximal size of a file that can be uploaded via web interface.
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 513M
php_admin_value[upload_max_filesize] = 513M

Another setting that may limit file-size is in configuration file /etc/php81/php.ini, where I set the restriction to:

upload_max_filesize = 513M

to match the /etc/php81/php-fpm.d/nextcloud.conf file-size restriction.
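
The limits described above stack, and the smallest one decides what an upload may be. As an added example (not part of the wiki page or the Alpine package), this POSIX shell sketch parses constructed copies of the three files and reports the effective ceiling in bytes; the function names are hypothetical, and treating 0 as "no limit" for the PHP values is an assumption.

```shell
#!/bin/sh
# Added example: find the effective upload ceiling across the three settings
# the page names. All file contents below are constructed samples.

# Convert an nginx/PHP size (1m, 513M, 2G, 0) to bytes; fail on anything else.
to_bytes() {
    num=${1%[kKmMgG]}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $1 in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Print the value of an nginx directive read from stdin (last one wins).
nginx_value() {
    awk -v key="$1" '
        $1 == key { val = $2; sub(/;.*/, "", val); found = val }
        END { if (found != "") print found }'
}

# Print a PHP setting from stdin, written either as "name = value" (php.ini)
# or as "php_admin_value[name] = value" (php-fpm pool file).
php_value() {
    awk -F= -v key="$1" '
        /^[ \t]*;/ { next }
        {
            name = $1; gsub(/[ \t]/, "", name)
            if (name == key || name == "php_admin_value[" key "]") {
                val = $2; sub(/;.*/, "", val); gsub(/[ \t]/, "", val)
                found = val
            }
        }
        END { if (found != "") print found }'
}

# Smallest non-zero limit in bytes; prints 0 when no layer imposes a limit.
# Treating 0 as "no limit" for the PHP values is an assumption of this sketch.
effective_limit() {
    min=0
    for v in "$@"; do
        b=$(to_bytes "$v") || return 1
        if [ "$b" -ne 0 ] && { [ "$min" -eq 0 ] || [ "$b" -lt "$min" ]; }; then
            min=$b
        fi
    done
    echo "$min"
}

# $1 = nginx.conf text, $2 = php-fpm pool text, $3 = php.ini text
audit_upload_limit() {
    n=$(printf '%s\n' "$1" | nginx_value client_max_body_size)
    p=$(printf '%s\n' "$2" | php_value post_max_size)
    u=$(printf '%s\n' "$2" | php_value upload_max_filesize)
    i=$(printf '%s\n' "$3" | php_value upload_max_filesize)
    # nginx falls back to its 1m default; PHP values that are not set are skipped.
    effective_limit "${n:-1m}" "${p:-0}" "${u:-0}" "${i:-0}"
}

# Constructed samples mirroring the values quoted on the page.
NGINX_DEFAULT='http {
    client_max_body_size 1m;
}'
NGINX_UNLIMITED='http {
    client_max_body_size 0;
}'
FPM_POOL='; Maximal size of a file that can be uploaded via web interface.
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 513M
php_admin_value[upload_max_filesize] = 513M'
PHP_INI='upload_max_filesize = 513M'

echo "stock nginx.conf:       $(audit_upload_limit "$NGINX_DEFAULT" "$FPM_POOL" "$PHP_INI") bytes"
echo "client_max_body_size 0: $(audit_upload_limit "$NGINX_UNLIMITED" "$FPM_POOL" "$PHP_INI") bytes"
```

With the stock nginx.conf the 513M PHP settings never take effect, because nginx refuses any body over 1 MiB first; with the limit set to 0, the PHP values become the only ceiling.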

If you are running from RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd:

fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;

Large file uploads take some time to be processed by php-fpm, so you need to bump the Nginx default read timeout:

fastcgi_read_timeout 300s;

Note: If you are serving several users, make sure to tune the pm.max_children setting in /etc/php81/php-fpm.d/nextcloud.conf

/etc/nginx/nginx.conf should already be configured to load your site config from this directory:

...
# Includes virtual hosts configs.
include /etc/nginx/http.d/*;
...

Start services:

service nginx start
service nextcloud start

Enable automatic startup of services:

rc-update add nginx
rc-update add nextcloud

Lighttpd

Install the package:

apk add lighttpd php5-cgi

Make sure you have FastCGI enabled in lighttpd:

Contents of /etc/lighttpd/lighttpd.conf

...
include "mod_fastcgi.conf"
...

Start up the webserver:

rc-service lighttpd start

Tip: You might want to follow the Lighttpd_Https_access doc in order to configure lighttpd to use https (securing your connections to your nextcloud server).

Link nextcloud installation to web server directory:

ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs

Firewall

Next up, open the desired port for the webserver in the firewall. You can use the following snippet as a reference for an nftables rule in a new file /etc/nftables.d/50-https.nft:

Contents of /etc/nftables.d/50-https.nft

#!/usr/sbin/nft -f
table inet filter {
        chain input {
                # allow https
                tcp dport 443 accept comment "accept HTTPS"
        }
}

Other settings

Hardening

Consider updating the variable url.access-deny in /etc/lighttpd/lighttpd.conf for additional security. Add "config.php" to the variable (that's where the database is stored) so it looks something like this:

Contents of /etc/lighttpd/lighttpd.conf

...
url.access-deny = ("~", ".inc", "config.php")
...

Restart lighttpd to activate the changes:

rc-service lighttpd restart

Additional packages

Some large apps, such as pdfviewer, texteditor, notifications and videoplayer are in separate packages:

apk add nextcloud-files_pdfviewer nextcloud-text nextcloud-notifications nextcloud-files_videoplayer nextcloud-files_external

You can also install the nextcloud-default-apps meta-package which installs all 30 core Nextcloud apps (listed as dependencies under aforementioned link):

apk add nextcloud-default-apps

How To Create a Self-Signed SSL Certificate

Install openssl:

apk add openssl

Generate your self signed certificate and its private key:

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl1.1/private/nextcloud-selfsigned.key -out /etc/ssl1.1/certs/nextcloud-selfsigned.crt

Edit your nginx configuration:

Contents of /etc/nginx/http.d/mysite.mydomain.com.conf

ssl_certificate      /etc/ssl1.1/certs/nextcloud-selfsigned.crt;
ssl_certificate_key  /etc/ssl1.1/private/nextcloud-selfsigned.key;

How To Install and Set Up Auto-Renewing LetsEncrypt SSL Certificate

After first setting up the Nextcloud server using the instructions in the 'Configure and use Nextcloud' section below, I then followed the SSL-setup instructions at: [Tech Jogging].

I also had to add my Nextcloud server's Fully Qualified Domain Name (FQDN) to the list of trusted domains in /etc/nextcloud/config.php, in the section labelled 'trusted_domains':

'trusted_domains' =>
  array (
    0 => '<machine's local IP address>',
    1 => 'nextcloud.mydomain.com',
  ),

Configure and use Nextcloud

Configure

Point your browser at https://mysite.mydomain.com and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

Hardening PostgreSQL

If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:

psql -U postgres ALTER ROLE mycloud NOCREATEDB; \q

Increase upload size

/etc/php81/php-fpm.d/nextcloud.conf has overridden default file sizes, but they can be modified further to suit your needs:

; Maximal size of a file that can be uploaded via web interface.
php_admin_value[memory_limit] = 512M
php_admin_value[post_max_size] = 513M
php_admin_value[upload_max_filesize] = 513M

Enable opcache for nginx/php81

To increase performance, install:

apk add php81-opcache

Now uncomment/edit lines in /etc/php81/php.ini:

...
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128 ; you can reduce this slightly when short on RAM
opcache.save_comments=1
opcache.revalidate_freq=1
...

Restart php-fpm81:

rc-service php-fpm81 restart


Enable thumbnail for video

To be able to generate thumbnails for videos, besides configuring nextcloud, you will need to unlist proc_open from PHP's disabled functions. PHP relies on that function to call ffmpeg to generate the thumbnails; without it, thumbnail generation fails even if you have it enabled in config.php.

Remove proc_open from the disabled functions in /etc/php81/php-fpm.d/nextcloud.conf:

; Disable certain functions for security reasons.
; http://php.net/disable-functions
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,curl_multi_exec,show_source

Now add 'OC\\Preview\\Movie' to the list of 'enabledPreviewProviders' and have ffmpeg installed:

apk add ffmpeg

After restarting the fpm service it should start generating thumbnails for videos.

Clients

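There are clients available for many platforms, Android included:

* https://nextcloud.org/sync-clients/ (nextcloud Sync clients, dead link)
* https://nextcloud.com/install/ (Android client)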

nextcloud-client is currently available in the community repo.

Video Communication

One of the major features of Nextcloud 11, available on Alpine 3.6 (currently edge) is a WebRTC app, which relies on Spreed WebRTC server, which is available in the Alpine testing repository. Everything is still beta, so be aware of it :-). If you want a private video conferencing server install Nextcloud using Nginx and do the following (you can use Apache as well and follow the Apache config instructions nextcloud.com):

Put the following config in the server section of Nginx:

# Spreed WebRTC
location ^~ /webrtc {
  proxy_pass http://127.0.0.1:8080;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $http_host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_buffering             on;
  proxy_ignore_client_abort   off;
  proxy_redirect              off;
  proxy_connect_timeout       90;
  proxy_send_timeout          90;
  proxy_read_timeout          90;
  proxy_buffer_size           4k;
  proxy_buffers               4 32k;
  proxy_busy_buffers_size     64k;
  proxy_temp_file_write_size  64k;
  proxy_next_upstream         error timeout invalid_header http_502 http_503 http_504;
}

Put the following section in the http section of Nginx:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

Reload Nginx:

rc-service nginx reload

Install Spreed WebRTC server (make sure you have the testing repository enabled):

apk add spreed-web-server

Using the configuration file in /etc/spreed-webrtc/spreed-webrtc-server.conf follow the instructions at nextcloud.com to configure Spreed WebRTC server. Then start the server:

rc-service spreed-web-server start

rc-update add spreed-web-server

Install the Spreed video calls app in Nextcloud and enjoy your private video calls.

Nextcloud CLI occ

Access to nextcloud's CLI tool occ:

sudo -u nextcloud php82 /usr/share/webapps/nextcloud/occ

Upgrading

If you're using alpine stable, rather than edge, be aware when an upgrade skips a major release version: Nextcloud doesn't support skipping a major release version in its upgrade path. For this reason, alpine also packages the previous nextcloud release as a separate package.

See also