Nextcloud

Introduction

Nextcloud is web software for data synchronization, cloud storage and file sharing.

Installing and configuring PostgreSQL

Install and configure PostgreSQL according to the manual. Replace the dbtest database from the example with nextcloud, and instead of the test user create nextcloud.

Installing and configuring Nginx

Install and configure the Nginx web server and PHP-FPM according to the manual.

Installing Nextcloud

This section explains how to install Nextcloud from the source code.
Subsequent updates are made from the web interface or directly from the command line of the service.

Downloading and extracting Nextcloud

To unpack the Nextcloud archive, you need the unzip utility. If the package is not installed on the system, install it first:

emerge -a unzip

Create the necessary paths, then download and unpack the service:

mkdir -p /var/calculate/www/nextcloud/{upload,save}

wget https://download.nextcloud.com/server/releases/latest.zip -P /var/calculate/www/nextcloud

unzip /var/calculate/www/nextcloud/latest.zip -d /var/calculate/www/nextcloud

mv /var/calculate/www/nextcloud/nextcloud /var/calculate/www/nextcloud/htdocs

rm /var/calculate/www/nextcloud/latest.zip
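
The download step above unpacks the archive without checking it. As an added example (not part of the original page), the function below compares the archive with its SHA-256 checksum file before the unzip step. It assumes the release server offers latest.zip.sha256 next to latest.zip and that the file uses the usual "digest, spaces, file name" layout; verify_sha256 is a name invented here.

```sh
# verify_sha256 ARCHIVE CHECKSUM_FILE
# Returns 0 if the digests match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    archive=$1
    sumfile=$2
    [ -r "$archive" ] && [ -r "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # Take the first field of the first non-empty line. The file name recorded
    # in the checksum file is ignored, because it may differ from the local
    # name (a versioned name versus latest.zip).
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")

    # Accept only 64 hex characters, so that an error page or a truncated
    # file saved in place of the checksum is rejected instead of compared.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file" >&2; return 2; }

    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $archive" >&2
    return 1
}

# Intended use between the wget and unzip steps (the .sha256 URL is an assumption):
#   wget https://download.nextcloud.com/server/releases/latest.zip.sha256 \
#        -P /var/calculate/www/nextcloud
#   verify_sha256 /var/calculate/www/nextcloud/latest.zip \
#                 /var/calculate/www/nextcloud/latest.zip.sha256 || exit 1
```

A checksum fetched from the same server catches corrupted or truncated downloads; detecting a tampered archive additionally requires verifying the detached signature against a release key obtained separately.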

Set the ownership:

chown -R nginx: /var/calculate/www/nextcloud

Configuring Nginx for Nextcloud

Configure Nginx for the cloud.example.org domain name:

/etc/nginx/sites-enabled/cloud.example.org.conf
upstream php-handler {
    server unix:/run/php-fpm.socket;
}
server {
    listen 80;
    server_name cloud.example.org;
    # Path to the root of your installation
    root /var/calculate/www/nextcloud/htdocs/;
    # Logs
    access_log /var/log/nginx/cloud.example.org.access.log main;
    error_log /var/log/nginx/cloud.example.org.error.log;
    # Max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # To obtain the SSL certificate
    location ~ /.well-known {
        allow all;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # add_header in a location replaces the headers set at server level,
        # so the security headers are repeated here.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

PHP-FPM configuration

Configure PHP-FPM environment variables:

/etc/php/fpm-php7.2/fpm.d/www.conf
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Configure the PHP-FPM OPcache:

/etc/php/fpm-php7.2/php.ini
[opcache]
; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=1

Reload Nginx and restart PHP-FPM for the changes to take effect:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/init.d/nginx reload
nginx | * Checking nginx configuration ...                                    [ ok ]
nginx | * Refreshing nginx configuration ...                                  [ ok ]


/etc/init.d/php-fpm restart
php-fpm | * Stopping PHP FastCGI Process Manager ...                          [ ok ]
php-fpm | * Testing PHP FastCGI Process Manager config ...                    [ ok ]
php-fpm | * Starting PHP FastCGI Process Manager ...                          [ ok ]


Configuring Nextcloud

Add cloud.example.org as the name of the host with IP address 192.168.0.1 to the DNS server on your local network, or edit /etc/hosts as shown below:

/etc/hosts
192.168.0.1 cloud.example.org

Go to http://cloud.example.org in your browser and complete the final configuration of Nextcloud.

HTTPS configuration

Getting the Let's Encrypt certificate

Get a domain certificate for cloud.example.org for Nginx according to the manual.

Setting up HTTPS support in Nginx

Configure Nginx to support HTTPS according to the manual.

Configuring HTTPS for Nextcloud

Configure Nginx for the cloud.example.org domain name:

/etc/nginx/sites-enabled/cloud.example.org.conf
upstream php-handler {
    server unix:/run/php-fpm.socket;
}

server {
    listen 80;
    server_name cloud.example.org;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/cloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;
    include ssl.conf;
    server_name cloud.example.org;
    # Path to the root of your installation
    root /var/calculate/www/nextcloud/htdocs/;
    # Logs
    access_log /var/log/nginx/cloud.example.org.access.log main;
    error_log /var/log/nginx/cloud.example.org.error.log;
    # Max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # To obtain the SSL certificate
    location ~ /.well-known {
        allow all;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # add_header in a location replaces the headers set at server level,
        # so the security headers, including HSTS, are repeated here.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
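
In the static-asset location above, the add_header lines replace the headers inherited from the server block rather than adding to them. The following added example (not part of the original page) lists location blocks that define their own add_header but omit a header set at server level. It assumes one directive per line and brace placement as in this config; lint_add_header and sample_conf are names invented here, and the sample config is constructed.

```sh
# nginx inherits add_header from the outer level only when the current level
# defines none, so a location with its own add_header drops server-level ones.
# Assumes one directive per line and braces placed as in the config above.
# lint_add_header FILE: print "<location>: missing <Header>" per finding.
lint_add_header() {
    awk '
    { sub(/[ \t]*(#.*)?$/, ""); sub(/^[ \t]+/, "") }   # strip comment, indent
    $1 == "server" && /[{]$/ {                         # server block opens
        sdepth = ++depth; ns = 0; nl = 0; split("", seen); next
    }
    $1 == "location" && /[{]$/ {                       # location block opens
        depth++
        if (loc == "") { loc = $0; sub(/[ \t]*[{]$/, "", loc); ldepth = depth; own = 0 }
        next
    }
    /[{]$/ { depth++; next }                           # any other block
    $1 == "add_header" {
        if (loc != "") { own = 1; seen[nl + 1, tolower($2)] = 1 }
        else if (sdepth && depth == sdepth) srv[++ns] = $2
        next
    }
    $1 == "}" {
        if (loc != "" && depth == ldepth) {            # location closes
            if (own) name[++nl] = loc
            loc = ""
        } else if (sdepth && depth == sdepth) {        # server closes: report
            for (i = 1; i <= nl; i++)
                for (j = 1; j <= ns; j++)
                    if (!((i, tolower(srv[j])) in seen))
                        print name[i] ": missing " srv[j]
            sdepth = 0
        }
        depth--
    }' "$1"
}

# Constructed sample: server-level HSTS, asset location with its own headers.
sample_conf() {
    cat <<'EOF'
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    location ~ \.(?:css|js|woff|svg|gif)$ {
        add_header Cache-Control "public, max-age=15778463";
        add_header X-Content-Type-Options nosniff;
    }
}
EOF
}
```

Run it as lint_add_header /etc/nginx/sites-enabled/cloud.example.org.conf; no output means every such location repeats the server-level headers.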

Configuring cache

Redis is an in-memory data structure store that can be used for cache management. To use Redis, first install the necessary software:

emerge dev-db/redis pecl-redis virtual/pkgconfig

Add Redis to autostart, run it and restart PHP-FPM:

rc-update add redis
 * service redis added to runlevel default


/etc/init.d/redis start
php-fpm | * Starting redis ...                                                [ ok ]


/etc/init.d/php-fpm restart
php-fpm | * Stopping PHP FastCGI Process Manager ...                          [ ok ]
php-fpm | * Testing PHP FastCGI Process Manager config ...                    [ ok ]
php-fpm | * Starting PHP FastCGI Process Manager ...                          [ ok ]


Add the Redis settings to Nextcloud:

/var/calculate/www/nextcloud/htdocs/config/config.php
<?php
$CONFIG = array (
  'instanceid' => 'secret',
  'passwordsalt' => 'secret',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.org',
  ),
  'datadirectory' => '/var/calculate/www/nextcloud/htdocs/data',
  'overwrite.cli.url' => 'https://cloud.example.org',
  'dbtype' => 'pgsql',
  'version' => '13.0.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'secret',
  'installed' => true,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
  ),
);

Conclusion

Nextcloud is configured and ready to use! But this is only the beginning. Ahead lies the discovery of the remarkable capabilities of your personal Nextcloud cloud. The article Working with Nextcloud can partly help you with this.