Difference between revisions of "NextCloud"

Assumes Ubuntu 20.04, stable20 branch, and installing in /var/www/nextcloud for a cloud.example.com URL (c. December 2020).

Install some stuff first. This NextCloud recipe uses PostgreSQL, Redis, Apache 2.4, FastCGI with PHP FPM, and Dehydrated for Letsencrypt SSL certificate maangement.

sudo apt install apache2 libapache2-mod-fcgid \
   php7.4-{bcmath,bz2,curl,gd,fpm,gmp,intl,json,mbstring,opcache,pgsql,tidy,xmlrpc,xsl,zip}
   php-{imagick,redis} composer dehydrated postgresql redis-server

NOTE

NextCloud works fine under nginx, I just can't be bothered maintaining what goes in .htaccess which NextCloud expects to be writeable to keep itself updated.

See the PHP page for setting up PHP with Apache, FPM and Event MPM.

Add a virtual host for NextCloud

It should look something like this:

<VirtualHost *:443>
  ServerName cloud.example.com
  DocumentRoot /var/www/nextcloud 

  <Directory "/var/www/nexcloud">
    Options FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
    Satisfy Any 
    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>

  SSLEngine On
  SSLCertificateFile ...
</VirtualHost>

PHP settings

Enable the opcache, increase the memory limit, and increase the maximum POST and file upload size so you can upload large files.

Create a database in PostgreSQL:

sudo -u postgres createuser -SDRP <nextcloud-user>
sudo -u postgres createdb -E UTF8 -O <nextcloud-user> <nextcloud-dbname>

We can just clone it from git:

git clone https://github.com/nextcloud/server.git nextcloud
cd nextcloud
git checkout stable20  # or whatever the latest stable version is
git submodule update --init --recursive
chown www-data:www-data config apps .htaccess

Create a directory for the cache and user data, which should not reside under the web root:

mkdir -p /var/lib/nextcloud/data /var/cache/nextcloud
chown -R www-data:www-data /var/lib/nextcloud /var/cache/nextcloud

Edit the configuration file in config/config.php and check or consider these settings, and add the database and SMTP connection details:

$config => [
  # ...
  #
  'passwordsalt' => "<very long random string>",
  'secret' => "<a different very long random string>",
  'trusted_domains' => [
    0 => "cloud.example.com",
  ],
  'datadirectory' => '/var/lib/nextcloud/data',
  'overwrite.cli.url' => 'https://cloud.example.com/',
  'htaccess.RewriteBase' => '/',

  # Database connection details
  'dbtype' => 'pgsql',
  'dbhost' => 'localhost',
  'dbuser' => "<nextcloud-dbuser>",
  'dbpassword' => "<password>",
  'dbname' => "<nextcloud-dbname>",
  'dbtableprefix' => 'oc_',

  # Force all URLs to use SSL or it may trip up things like OAuth
  'overwriteprotocol' => 'https',

  # Use Redis and caching to make everything go faster
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => [
    'host' => 'localhost',
    'port' => 6379,
  ],
  'cache_path' => '/var/cache/nextcloud',

  # Send email details
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => "nexcloud@example.com",
  'mail_domain' => "example.com",
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => "mail.example.com",
  'mail_smtpport' => 587,
  'mail_smtpname' => "<emailuser>",
  'mail_smtppassword' => "<emailpassword>",

Then navigate to the URL in the browser to install (or run the NextCloud ./occ tool from the command line).

Clean URLs

For clean URLs, make sure AllowOverride All is set for the parent directory; the /var/www definition is in the main /etc/apache2/apache.conf. Then run the follwing OCC command to enable the rewrite rules:

sudo -u www-data ./occ maintenance:update:htaccess

Previews of other file types

Edit /etc/ImageMagick/policy.xml and remove this line to get PDF previews to work:

<policy domain="coder" rights="none" pattern="PDF" /> 

Then add the following to config.php to get lots of other useful file previews:

  'enabledPreviewProviders' => [
    # ...
    8 => 'OC\\Preview\\MarkDown',
    9 => 'OC\\Preview\\Movie',
    10 => 'OC\\Preview\\PDF',
    11 => 'OC\\Preview\\OpenDocument',
    12 => 'OC\\Preview\\MSOfficeDoc',
    13 => 'OC\\Preview\\MSOffice2003',
    14 => 'OC\\Preview\\MSOffice2007',
  ],

Photos

Photos replaces the Gallery app, and is installed separately through the NC store or you can use git to manage it as a submodule. If it doesn't work you might need to build its JavaScript resources by running make in its apps/photos directory. Alternatively you can resuscitate the Gallery app, which stopped working after NextCloud version 17, by updating its JavaScript dompurify library to a newer version and bumping the app max version in apps/galleryappinfo/info.xml as follows (See also pull request #570):

<nextcloud min-version="17" max-version="20"/>

NextCloud Talk

To be at all useful, you need a TURN server. This is easiest achieved by installing and correctly configuring coturn, which also acts as a STUN server. STUN is for clients to figure out their external IP address, and TURN is for relaying UDP packets, e.g. for WebRTC.

sudo apt install coturn

For it to actually do anything (it is disabled by default!) you need to edit /etc/default/coturn and make sure it contains the following, and is not commented out:

TURNSERVER_ENABLED=1

Then in /etc/turnserver.conf you need to configure its IP addresses and ports, SSL certificate, and how it authenticates. See GitHub for a fully documented example turnserver.conf file:

server-name=turn.example.com
realm=turn.example.com

# When hosted on an internal LAN or DMZ, it might look like this: 
listening-ip=192.168.1.100
relay-ip=192.168.1.100
external-ip=123.45.67.8

# Or use the short-hand:
external-ip=123.45.67.8/192.168.1.100

# Specify listening ports; traditionally 3478 was unencrypted, and 5349 was TLS,
# but now TLS is supported on both. It is possible to listen on 443, which will
# likely provide connectivity for people behind port-limited firewalls; this will
# conflict with any HTTPS web hosting on the same server though, unless you set
# up a second IP address for it.
listening-port=3478
tls-listening-port=5349
#tls-listening-port=443

# Specify a UDP port range and ensure they are exposed through the firewall/router
min-port=53490
max-port=59999

# SSL setup; 
cert=/path/to/talk.example.com/fullchain.cert
pkey=/path/to/talk.example.com/privkey.pem
no-tlsv1
no-tlsv1_1

# To use with NextCloud, set a shared secret here.
use-auth-secret
static-auth-secret=your-shared-secret-string-here
stale-nonce=600

# Limit STUN amplification/gain attacks (coturn 4.5.2+)
no-stun-backward-compatibility
response-origin-only-with-rfc5780

# RFC-5780 support requires two listening IP addresses and is for serious-cat
# usage, so you can safely disable it for a small home NextCloud instance.
no-rfc5780

In your NextCloud Administration section, you can now configure Talk to use the STUN/TURN server, using your server URLs, and provide the same shared secret you configured above. For maximum compatibility, use both UDP and TCP, and both turn and turns (TLS) connections:

stun: talk.example.com:5349
turn and turns: talk.example.com:5349

Test your server here. If STUN is working, you should get srflx candidates, and relay candidates if TURN is working.

Sources and further reading:

• NextCloud Talk documentation: TURN, coturn
• NextCloud Help, 1 2
• Stack Overflow 1
• Testing STUN/TURN

Keep the git checkout of NextCloud and its submodules up to date with git, and run the OCC upgrade command:

cd /var/www/nextcloud
git pull
git submodule update --init --recursive
sudo -u www-data ./occ upgrade

Cron job

In the administrator settings select cron rather than other methods, and put this in /etc/cron.d/nextcloud

*/5 * * * * www-data /usr/bin/php /var/www/nextcloud/cron.php