John Galea's Blog

My blog on Gadgets and the like

Nextcloud VM install (final setup)

I’ve played a lot lately with Nextcloud and Owncloud, it’s been fun. So let’s quickly review. I really like the functionality you can achieve with Nextcloud, and it meets my basic needs once all of the additional functionality like email/calendar etc that I don’t want is removed. I’m looking simply for a self hosted, safe, secure drop box like space where prying eyes like Google are looking into my documents. The Nextcloud iOS app includes iPhone photo sync which was the killer feature that moved me from Owncloud.

There are a number of ways you can install Owncloud/Nextcloud, from a container to a VM. I have not been able to get the container space to correctly map outside the OS drive, or other containers, so there is the risk of users overflowing the available space. This can be managed through quotas at the OS and inside Nextcloud/Owncloud but this isn’t what I wanted. From a VM point of view I found an all in one install script from Nextcloud, but as with anything like this, while it gets you up as painlessly as possible, it also will have a particular preferred method. For me, I didn’t like that they used Postgres (I prefer MySQL/MariaDB), and it used ZFS (instead of LVM) for the data drive. At some point I may need to extend the partition so I want to make that as painless as possible. I also tried the Owncloud VM template and hated that because it used, and exposed, Univention, a container web front end.

And so we have what I hope will be my final setup. So what I am wanting is front end Apache, secured by SSL, Nextcloud with its data on its own drive, running on Ubuntu 20. I will then port forward this to my domain, since I have still been unable to find a way to reverse proxy this using a separate NGINX instance. Here’s how to get there. I will repeat myself a bit in the hope of this article being all inclusive.

First off install Ubuntu 20, and install ONLY SSH. There is an option at install time for Nextcloud but I’m not sure what that selects or does. I made the OS drive 20G which once installed leaves 13G free. I added a second drive which you can make any size and expand it in the future if need be. To do this you do the following from the OS. Partition the new drive using fdisk:

fdisk /dev/sdb

  • select n for new partition
  • select p for primary
  • accept all default for partition starting etc
  • select t to change this to a LVM drive
  • enter 8e to make it an LVM drive
  • select w to write it
  • quit fdisk

pvcreate /dev/sdb1
vgcreate nextclouddata /dev/sdb1
lvcreate -L 49.9G -n data nextclouddata
mkfs -t ext4 /dev/nextclouddata/data

Next up you need a mount point for the new space:

mkdir /nextclouddata (or whatever you want)

Then vi /etc/fstab to add the mount point at boot:

/dev/nextclouddata/data /nextclouddata  ext4 defaults 0 0

You can reboot to see if it maps correctly. 

You’re now ready to start your install. First up you need to install a LAMP (Linux, Apache, MariaDB, PHP) stack. This guide was perfect. At one point it talks about installing Apache for PHP-FPM, you can ignore this part of the guide. Personally, I already have a MySQL instance in the house so I will simply use that, so I don’t need to install MariaDB. Now you’re onto the Nextcloud install itself, which this guide . The configured default space is a little odd in that it mounts as owncloud.example.com. So I manually edited the config file vi /etc/apache2/sites-available/000-default.conf to look like this:

Listen 80
<VirtualHost *:80>
ServerAdmin webmaster@ssl-tutorials.com
DocumentRoot /var/www/nextcloud
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

You’re now ready to change the permissions on the mount point to allow Nextcloud to use this new LVM formatted drive.

chown www-data:root /nextclouddata
chmod 770 /nextclouddata

You’re now ready to configure Nextcloud. Hit http://ipaddress to get started. For me, I wanted to NOT install the standard code, wanted an external MySQL database, and wanted to mount the data to /nextclouddata created earlier. You do not need to do anything manually on the database, just give it your root or DBA account and it will create the database, create the account it will run on, and set everything up for you. It does NOT run as the DBA account you give it, so not to worry. Again remember to tick off the box install standard apps that’s just off this screenshot.

After a little bit of time Nextcloud is up ready for configuration. Logon with your admin account and configure the admin accounts email address by selecting settings. Then configure your email server settings, basic.

Be sure and test it out. Email is how your users are informed their account is set up, informed when something is shared with them, and how they can reset their own account. So this is a pretty important step to get done right up front. Next you’re going to want to go to the apps section and disable anything you don’t know you need. I also disabled the delete box to make sure anything deleted is gone immediately rather than be retained for 180 days or when the end user remembers to empty their deleted folder (sure they will remember ;)). I want the files on the server encrypted at rest so if Apache gets compromised, or SFTP gets hit the files are safe, so enable the default encryption module while you’re here. You’re then ready to go to settings, security to enable server side encryption, read the warnings and move on …

I upload a file like a JPG into the file space, then use SFTP to go in and grab it out from under Nextcloud. If encryption is working correctly then this file will not be readable as a JPG, I like to test to be sure, as they say, trust but verify. Initial basic setup of the Nextcloud is now complete.

For me the next step is to add my own certs, but you could also use a self signed cert. The big issue with a self signed cert is users get an insecure warning and panic. So my own cert it is. You will need to add SSL support to Apache by enabling the ssl module using the command a2enmod ssl and then editing your config file to point at your certs and change your port. You then need to go to your router to open up the port you chose. I know I’ve glossed over this last step but there are lots of guides and whoever you buy your cert from will likely have an Apache config document. I bought mine from Positive SSL.

Update: I tripped over another great addition to my Nextcloud! Using OnlyOffice I can add the ability to create, and modify, spreadsheets, documents and presentations giving me Google Docs like functionality with local storage! Installing it was pretty easy. First off you need to locate and edit your install.php file on your Nextcloud server to increase the timeout, seems OnlyOffice is BIG as called out in this post! Then it’s a simple two step process of installing the OnlyOffice plug in and then installing the document server as called out in this post.

I also discovered that Nextcloud supports WebDAV which can in turn be used to map a Nextcloud logon as a drive letter on a Windows PC, using “add a custom network location” in Windows Explorer. Which makes accessing your Nextcloud even more convenient, no web interface needed. And, anything saved is of course, encrypted at rest!

For a good giggle I took this and loaded it up on a VERY old dual core atom box with 4G of ram, and it ran perfectly fine. Encryption as you would expect was noticeably slower but otherwise …

I’ve been playing around with the right set of settings for properly backing up an iPhone’s pics. What I found is the best is to NOT select the default which is most compatible. That way live photos get left as HEICs. I also prefer to have them in their own folder on Owncloud so that the root doesn’t get cluttered, nor does your photo directory. And that way you can also have say another phone or tablet etc and have them all separate and not get merged. I also turned on maintain original filename to stop this from getting scrunched. With this I have an acceptable iPhone backup, off of iCloud with no limits but my own!

Posted December 25, 2020 | Uncategorized

NextCloud container

OpenSource is a collective of coders that get together for a project. Eventually, a parting of the ways happens and a group of those coders go their own way, sometimes creating a new version of the project they were working on, referred to as a fork. Well, I previously wrote about Owncloud which did exactly what I wanted, provide a safe place for me to drop files for others to come and get without the prying eyes of cloud providers or governments. Not that I’m doing anything untoward, but it’s more about privacy. From the start my friend Lance told me to skip Owncloud and go to Nextcloud. When I first loaded Nextcloud I hated it. Way too much loaded, way too busy, way too complicated to hand to a non technocrat and expect them to be able to know how to drop a file so I went with Owncloud. And then I saw something about mobile sync and discovered Nextcloud iOS (iPhone) app supports photo syncing. I’ve long been irritated by Apple’s ransoming of my photos and the continuous nagging about iCloud being full … buy more or else. Sadly, Owncloud’s iOS app does not support this, and so I decided to have another look at Nextcloud. I have no need of Mail/calendar/chat and all kinds of other clutter Nextcloud loads up so the best place to start is at the install. I’ve decided to go with a container for the initial install, and I chose Ubuntu 20 as the host. I decided on a separate host to play, and to segregate so that someone filling up my space doesn’t bring down my entire container host. While this could have been handled other ways this was how I went forward and why.

To cut to the chase, here is what I found as improvements of Next over Own:

  • two factor authentication support, forced at a system level or at a user level
  • photo sync on iPhone support
  • you can set a default user’s password for them or let them choose their own
  • notifications when something is shared with you

To deploy the container I used: (this container includes Apache, and Nextcloud).

docker run \
--name=nextcloud \
--hostname=nextcloud \
-p 192.168.2.223:8080:8080/tcp \
-p 192.168.2.223:80:80/tcp \
-e VERSION=latest \
-e TZ="America/Montreal" \
-v nextcloud:/var/www/html:rw \
--restart=always \
nextcloud

This exposes both 8080, where I intend to publish an SSL secured site, as well as 80 for initial setup. I decided I’d use my already set up MySQL backend. Nextcloud requires no prep of MySQL, just give it the root or DBA account and it does everything for you. It will create the account it runs on, create the DB etc. For me, one of the keys to tolerating the clutter of Nextcloud is on the opening screen where it says install default apps, um no thanks, it’s a tick box just out of view of the next image.

And with that it’s installed ready to be configured. I recommend an admin account called something other than admin, or administrator, too obvious. The next steps are very similar to Owncloud but I’ll replicate them anyway. First off set your admin’s email account (settings personal info) and set the SMTP server so emails can be sent to users when their accounts are created (settings, basic settings). It also allows them to reset their own passwords. Since Nextcloud allows you to set a user’s password when you’re creating it, this isn’t as critical as it was in Owncloud, but none the less, might as well get it done. Next up was to dramatically simplify the Nextcloud clutter by disabling what I don’t want from the apps. I removed dashboard, weather, status etc and cut it to the minimum. You can always put stuff back if you need to, or ever want it. I even disabled the deleted files so end users’ files are gone right away once deleted. I enabled the default encryption, and then turned on encryption. This ensures that files are encrypted at rest. I double check this by downloading a file using SFTP out from under Nextcloud to ensure it’s unreadable.
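The SFTP spot check described here, and in the VM install post above, can be run over a user's whole folder instead of one file. The script below is an added example, not part of the original post; it assumes the default encryption module writes a header starting with the ASCII marker HBEGIN: at the top of every encrypted file, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: spot-check that files in a Nextcloud user's files directory
# are encrypted at rest. Assumption: the default encryption module prefixes
# each encrypted file with a header that starts with the ASCII text "HBEGIN:".

# first_bytes_hex FILE N -> first N bytes as lowercase hex (binary safe)
first_bytes_hex() {
    head -c "$2" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# classify_file FILE -> prints encrypted, jpeg-plaintext or not-encrypted
classify_file() {
    case "$(first_bytes_hex "$1" 7)" in
        48424547494e3a) echo encrypted ;;        # "HBEGIN:" header present
        ffd8ff*)        echo jpeg-plaintext ;;   # JPEG magic bytes, readable image
        *)              echo not-encrypted ;;    # anything else, including empty files
    esac
}

# audit_dir DIR -> prints "<kind><TAB><path>" for every file without the
# header; returns 0 if every file is encrypted, 1 otherwise.
audit_dir() {
    bad=$(find "$1" -type f | while IFS= read -r f; do
        kind=$(classify_file "$f")
        [ "$kind" = encrypted ] || printf '%s\t%s\n' "$kind" "$f"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Stand-alone use: pass one user's files directory as the only argument.
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

Run it as an account that can read the data drive, pointing it at one user's files directory under /nextclouddata. Files uploaded before encryption was switched on stay in plaintext, and those are exactly what this audit lists.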

With this you have a basic setup, but it isn’t ready to use since there’s no SSL. Fortunately Apache is part of the container so it’s pretty easy to set up. Unfortunately they did not include the SSL module but this is pretty easy to fix. So to get all this done I manually customize the files and then copy them into the container using:

docker exec -i nextcloud a2enmod ssl
docker stop nextcloud
# use docker cp to copy all cert files somewhere in the container you can then reference
docker cp 000-default.conf nextcloud:/etc/apache2/sites-available/000-default.conf
docker start -i nextcloud

And with that you have SSL enabled. I’ve not yet figured out NGINX reverse proxy, so for now I just open 8080 as SSL to the Nextcloud IP. I’ve been using VEEAM to back up my VMs, but I also grab a number of key Apache config files and do a database dump on MySQL using the command:

docker exec mysql mysqldump --user=root --password=password nextcloud > /home/movies/nextcloud.sql

To update nextcloud I use the following commands and then call the create commands I started with. You will need to reconfigure apache as well using docker cp as above:

docker stop nextcloud
docker rm nextcloud
docker rmi nextcloud
./nextcloud-create (shown above)

So with this Nextcloud is now up. There’s really two things I’m not fond of with this setup: updating is a little more complicated, though the above process works, but the biggest concern is that I have not been able to map the container space outside the OS drive, so you could have a situation where the drive fills up and brings the OS drive down or leaves it paralyzed.

Posted December 25, 2020 | Uncategorized