NextCloud
Updated 14 April 2021
Contents
Introduction
Nextcloud is a web software for data synchronization, cloud storage and file-sharing.
Preparing a LXC container
We recommend installing Nextcloud in a separate container which you would have configured according to the manual.
Installing and configuring PostgreSQL
Install and configure PostgreSQL according to the manual. Replace the dbtest database from the example with nextcloud, and instead of the test user create nextcloud.
Installing and configuring Nginx
Install and configure the Nginx web server and PHP-FPM according to the manual.
Installing Nextcloud
Below is explained how to install Nextcloud from the source code.
Subsequent updates will be made from the web interface or directly from the command line of the service.
Downloading and extracting Nextcloud
To unpack the Nextcloud archive, you will need an unzip archiver. If the package is not on the system, install it first:
emerge -a app-arch/unzip
Create the necessary paths, then download and unpack the service:
mkdir -p /var/calculate/www/nextcloud/{upload,save}
cd /var/calculate/www/nextcloud
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
mv nextcloud htdocs
rm latest.zip
Edit the privileges:
chown -R nginx. .
Configuring Nginx for NextCloud
Configure Nginx for the ~cloud.example.org~ domain name:
upstream php-handler { server unix:/run/php-fpm.socket; } server { listen 80; server_name cloud.example.org; # Path to the root of your installation root /var/calculate/www/nextcloud/htdocs/; # Logs access_log /var/log/nginx/cloud.example.org.access.log main; error_log /var/log/nginx/cloud.example.org.error.log; # Max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; location = /robots.txt { allow all; log_not_found off; access_log off; } # Для получения сертификата ssl location ~ /.well-known { allow all; } location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host:$server_port/remote.php/dav; } location / { rewrite ^ /index.php$uri; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Enable pretty urls fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^/(?:updater|ocs-provider)(?:$|/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff|woff2?|svg|gif)$ { try_files $uri /index.php$uri$is_args$args; add_header Cache-Control "public, max-age=15778463"; # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { try_files $uri /index.php$uri$is_args$args; # Optional: Don't log access to other assets access_log off; } }
PHP-FPM configuration
Configure PHP-FPM environment variables:
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from ; the current environment. ; Default Value: clean env env[HOSTNAME] = $HOSTNAME env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin env[TMP] = /tmp env[TMPDIR] = /tmp env[TEMP] = /tmp
Configure the PHP-FPM OPcache:
[PHP] ; Maximum amount of memory a script may consume ; http://php.net/memory-limit memory_limit = 512M [opcache] ; Determines if Zend OPCache is enabled for the CLI version of PHP opcache.enable_cli=1 ; How often (in seconds) to check file timestamps for changes to the shared ; memory storage allocation. ("1" means validate once per second, but only ; once per request. "0" means always validate) opcache.revalidate_freq=1
Restart Nginx and PHP-FPM to validate:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx | * Checking nginx configuration ... [ ok ] nginx | * Refreshing nginx configuration ... [ ok ]
php-fpm | * Stopping PHP FastCGI Process Manager ... [ ok ] php-fpm | * Testing PHP FastCGI Process Manager config ... [ ok ] php-fpm | * Starting PHP FastCGI Process Manager ... [ ok ]
Configuring Nextcloud
Add cloud.example.org running on IP ~192.168.0.1~~ to the DNS server on your local network or edit the line:
192.168.0.1 cloud.example.org
Go to ~http://cloud.example.org~~ in your browser and make the final configuration of Nextcloud.
HTTPS configuration
Getting the Let's Encrypt certificate
Get a domain certificate for cloud.example.org for Nginx according to the manual.
Setting up HTTPS support in Nginx
Configure Nginx to support HTTPS according to the manual.
Configuring HTTPS for Nextcloud
Configure Nginx for the ~cloud.example.org~ domain:
upstream php-handler { server unix:/run/php-fpm.socket; } server { listen 80; server_name cloud.example.org; rewrite ^ https://$server_name$request_uri? permanent; } server { listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/cloud.example.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem; include ssl.conf; server_name cloud.example.org; # Path to the root of your installation root /var/calculate/www/nextcloud/htdocs/; # Logs access_log /var/log/nginx/cloud.example.org.access.log main; error_log /var/log/nginx/cloud.example.org.error.log; # Max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; location = /robots.txt { allow all; log_not_found off; access_log off; } # Для получения сертификата ssl location ~ /.well-known { allow all; } location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host:$server_port/remote.php/dav; } location / { rewrite ^ /index.php$uri; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Enable pretty urls fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^/(?:updater|ocs-provider)(?:$|/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff|woff2?|svg|gif)$ { try_files $uri /index.php$uri$is_args$args; add_header Cache-Control "public, max-age=15778463"; # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { try_files $uri /index.php$uri$is_args$args; # Optional: Don't log access to other assets access_log off; } }
Configuring cache
Redis is an in-memory data structure store that can be used for cache management. To use Redis, first install the necessary software:
emerge dev-db/redis dev-php/pecl-redis virtual/pkgconfig
Add Redis to autostart, run it and restart PHP-FPM:
* service redis added to runlevel defaultphp-fpm | * Starting redis ... [ ok ]
php-fpm | * Stopping PHP FastCGI Process Manager ... [ ok ] php-fpm | * Testing PHP FastCGI Process Manager config ... [ ok ] php-fpm | * Starting PHP FastCGI Process Manager ... [ ok ]
Add the Redis settings to Nextcloud:
<?php
$CONFIG = array (
'instanceid' => 'secret',
'passwordsalt' => 'secret',
'secret' => 'secret',
'trusted_domains' =>
array (
0 => 'cloud.example.org',
),
'datadirectory' => '/var/calculate/www/nextcloud/htdocs/data',
'overwrite.cli.url' => 'https://cloud.example.org',
'dbtype' => 'pgsql',
'version' => '13.0.2',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => 'secret',
'installed' => true,
'maintenance' => false,
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),
);
By default, Redis uses 64Mb of RAM. This may not be sufficient for Nextcloud operating normally, causing the OOM command not allowed when used memory > 'maxmemory' error. Set the max size of RAM to be used by Redis:
/etc/redis.conf
... maxmemory 256mb
Conclusion
Nextcloud is up and running! But this is just the first step. You will be discovering the amazing possibilities of your personal Nextcloud cloud. Read [Working_with_nextcloud] (working_with_nextcloud) to learn more.
Note
Subscribe to our group @nextcloud@calculate.social in Mastodon.