NextCloud
Assumes Ubuntu 20.04, stable20 branch, and installing in /var/www/nextcloud for a cloud.example.com URL (c. December 2020).
Prerequisites
Install some stuff first. This NextCloud recipe uses PostgreSQL, Redis, Apache 2.4, FastCGI with PHP FPM, and Dehydrated for Letsencrypt SSL certificate maangement.
sudo apt install apache2 libapache2-mod-fcgid \ php7.4-{bcmath,bz2,curl,gd,fpm,gmp,intl,json,mbstring,opcache,pgsql,tidy,xmlrpc,xsl,zip} php-{imagick,redis} composer dehydrated postgresql redis-server
- NOTE
- NextCloud works fine under nginx, I just can't be bothered maintaining what goes in .htaccess which NextCloud expects to be writeable to keep itself updated.
Configuring Apache and PHP
- See the PHP page for setting up PHP with Apache, FPM and Event MPM.
Add a virtual host for NextCloud
It should look something like this:
<VirtualHost *:443> ServerName cloud.example.com DocumentRoot /var/www/nextcloud <Directory "/var/www/nexcloud"> Options FollowSymLinks MultiViews AllowOverride All Require all granted Satisfy Any SetEnv HOME /var/www/nextcloud SetEnv HTTP_HOME /var/www/nextcloud <IfModule mod_dav.c> Dav off </IfModule> </Directory> SSLEngine On SSLCertificateFile ... </VirtualHost>
PHP settings
Enable the opcache, increase the memory limit, and increase the maximum POST and file upload size so you can upload large files.
Create a database
Create a database in PostgreSQL:
sudo -u postgres createuser -SDRP <nextcloud-user> sudo -u postgres createdb -E UTF8 -O <nextcloud-user> <nextcloud-dbname>
Install NextCloud
We can just clone it from git:
git clone https://github.com/nextcloud/server.git nextcloud cd nextcloud git checkout stable20 # or whatever the latest stable version is git submodule update --init --recursive chown www-data:www-data config apps .htaccess
Create a directory for the cache and user data, which should not reside under the web root:
mkdir -p /var/lib/nextcloud/data /var/cache/nextcloud chown -R www-data:www-data /var/lib/nextcloud /var/cache/nextcloud
Configure NextCloud
Edit the configuration file in config/config.php and check or consider these settings, and add the database and SMTP connection details:
$config => [ # ... # 'passwordsalt' => "<very long random string>", 'secret' => "<a different very long random string>", 'trusted_domains' => [ 0 => "cloud.example.com", ], 'datadirectory' => '/var/lib/nextcloud/data', 'overwrite.cli.url' => 'https://cloud.example.com/', 'htaccess.RewriteBase' => '/', # Database connection details 'dbtype' => 'pgsql', 'dbhost' => 'localhost', 'dbuser' => "<nextcloud-dbuser>", 'dbpassword' => "<password>", 'dbname' => "<nextcloud-dbname>", 'dbtableprefix' => 'oc_', # Force all URLs to use SSL or it may trip up things like OAuth 'overwriteprotocol' => 'https', # Use Redis and caching to make everything go faster 'memcache.local' => '\\OC\\Memcache\\Redis', 'memcache.locking' => '\\OC\\Memcache\\Redis', 'redis' => [ 'host' => 'localhost', 'port' => 6379, ], 'cache_path' => '/var/cache/nextcloud', # Send email details 'mail_smtpmode' => 'smtp', 'mail_smtpsecure' => 'tls', 'mail_sendmailmode' => 'smtp', 'mail_from_address' => "nexcloud@example.com", 'mail_domain' => "example.com", 'mail_smtpauthtype' => 'PLAIN', 'mail_smtpauth' => 1, 'mail_smtphost' => "mail.example.com", 'mail_smtpport' => 587, 'mail_smtpname' => "<emailuser>", 'mail_smtppassword' => "<emailpassword>",
Then navigate to the URL in the browser to install (or run the NextCloud ./occ tool from the command line).
Clean URLs
For clean URLs, make sure AllowOverride All is set for the parent directory; the /var/www definition is in the main /etc/apache2/apache.conf. Then run the follwing OCC command to enable the rewrite rules:
sudo -u www-data ./occ maintenance:update:htaccess
Previews of other file types
Edit /etc/ImageMagick/policy.xml and remove this line to get PDF previews to work:
<policy domain="coder" rights="none" pattern="PDF" />
Then add the following to config.php to get lots of other useful file previews:
'enabledPreviewProviders' => [ # ... 8 => 'OC\\Preview\\MarkDown', 9 => 'OC\\Preview\\Movie', 10 => 'OC\\Preview\\PDF', 11 => 'OC\\Preview\\OpenDocument', 12 => 'OC\\Preview\\MSOfficeDoc', 13 => 'OC\\Preview\\MSOffice2003', 14 => 'OC\\Preview\\MSOffice2007', ],
Photos
Photos replaces the Gallery app, and is installed separately through the NC store or you can use git to manage it as a submodule. If it doesn't work you might need to build its JavaScript resources by running make in its apps/photos directory. Alternatively you can resuscitate the Gallery app, which stopped working after NextCloud version 17, by updating its JavaScript dompurify library to a newer version and bumping the app max version in apps/galleryappinfo/info.xml as follows (See also pull request #570):
<nextcloud min-version="17" max-version="20"/>
NextCloud Talk
To be at all useful, you need a TURN server. This is easiest achieved by installing and correctly configuring coturn, which also acts as a STUN server. STUN is for clients to figure out their external IP address, and TURN is for relaying UDP packets, e.g. for WebRTC.
sudo apt install coturn
For it to actually do anything (it is disabled by default!) you need to edit /etc/default/coturn and make sure it contains the following, and is not commented out:
TURNSERVER_ENABLED=1
Then in /etc/turnserver.conf you need to configure its IP addresses and ports, SSL certificate, and how it authenticates. See GitHub for a fully documented example turnserver.conf file:
server-name=turn.example.com realm=turn.example.com # When hosted on an internal LAN or DMZ, it might look like this: listening-ip=192.168.1.100 relay-ip=192.168.1.100 external-ip=123.45.67.8 # Or use the short-hand: external-ip=123.45.67.8/192.168.1.100 # Specify listening ports; traditionally 3478 was unencrypted, and 5349 was TLS, # but now TLS is supported on both. It is possible to listen on 443, which will # likely provide connectivity for people behind port-limited firewalls; this will # conflict with any HTTPS web hosting on the same server though, unless you set # up a second IP address for it. listening-port=3478 tls-listening-port=5349 #tls-listening-port=443 # Specify a UDP port range and ensure they are exposed through the firewall/router min-port=53490 max-port=59999 # SSL setup; cert=/path/to/talk.example.com/fullchain.cert pkey=/path/to/talk.example.com/privkey.pem no-tlsv1 no-tlsv1_1 # To use with NextCloud, set a shared secret here. use-auth-secret static-auth-secret=your-shared-secret-string-here stale-nonce=600 # Limit STUN attacks (coturn 4.5.2 no-rfc5780 nl-stun-backward-compatibility
In your NextCloud Administration section, you can now configure Talk to use the STUN/TURN server, using your server URLs, and provide the same shared secret you configured above. For maximum compatibility, use both UDP and TCP, and both turn and turns (TLS) connections:
stun: talk.example.com:5349 turn and turns: talk.example.com:5349
Test your server here. If STUN is working, you should get srflx candidates, and relay candidates if TURN is working.
Sources and further reading:
Maintenance
Keep the git checkout of NextCloud and its submodules up to date with git, and run the OCC upgrade command:
cd /var/www/nextcloud git pull git submodule update --init --recursive sudo -u www-data ./occ upgrade
Cron job
In the administrator settings select cron rather than other methods, and put this in /etc/cron.d/nextcloud
*/5 * * * * www-data /usr/bin/php /var/www/nextcloud/cron.php