NextCloud

Introduction

Nextcloud is a web software for data synchronization, cloud storage and file-sharing.

Installing and configuring Nginx

Install and configure your Nginx server according to the manual.

Installing and configuring PostgreSQL

Install and configure PostgreSQL according to the manual. Replace dbtest with the nextcloud database and the test user with nextcloud.

Installing Nextcloud

The installation is from source, in three steps:

  • creating the paths and fetching the source code;
  • creating a Nginx configuration file for your cloud;
  • reconfiguring some services for NextCloud to operate correctly.

Prerequisites

Install the unzip tool for unpacking NextCloud:

emerge -a unzip

Create the necessary paths:

mkdir -p /var/calculate/www/nextcloud/{upload,save}

Download, unpack and rename the directory as necessary. Before downloading, please visit download.nextcloud.com to check the latest version of NextCloud:

wget https://download.nextcloud.com/server/releases/nextcloud-13.0.2.zip -P /var/calculate/www/nextcloud

unzip /var/calculate/www/nextcloud/nextcloud-13.0.2.zip -d /var/calculate/www/nextcloud

mv /var/calculate/www/nextcloud/nextcloud /var/calculate/www/nextcloud/htdocs

Edit the privileges:

chown -R nginx. /var/calculate/www/nextcloud

Configuring Nginx for NextCloud

Create Nginx settings for Nextcloud in cloud.example.org:

/etc/nginx/sites-enabled/cloud.example.org.conf
upstream php-handler {
    server unix:/run/php-fpm.socket;
}
server {
    listen 80;
    server_name cloud.example.org;
    # Path to the root of your installation
    root /var/calculate/www/nextcloud/htdocs/;
    # Logs
    access_log /var/log/nginx/cloud.example.org.access.log main;
    error_log /var/log/nginx/cloud.example.org.error.log;
    # Max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Для получения сертификата ssl
    location ~ /.well-known {
               allow all;
    }
    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Configuring fpm-php

Configure the fpm-php environment variables:

/etc/php/fpm-php7.1/fpm.d/www.conf

; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Configure opcache fpm-php:

/etc/php/fpm-php7.1/php.ini

[opcache]
; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=1

Now restart Nginx and Php-fpm:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/init.d/nginx reload
nginx | * Checking nginx configuration ...                                    [ ok ]
nginx | * Refreshing nginx configuration ...                                  [ ok ]


/etc/init.d/php-fpm restart
php-fpm | * Stopping PHP FastCGI Process Manager ...                          [ ok ]
php-fpm | * Testing PHP FastCGI Process Manager config ...                    [ ok ]
php-fpm | * Starting PHP FastCGI Process Manager ...                          [ ok ]


Launching the installation process

Before installing NextCloud add cloud.example.org, hosted on IP 192.168.0.1, to the local DNS server, or edit manually the configuration file:

/etc/hosts

192.168.0.1 cloud.example.org

Open cloud.example.org and configure NextCloud.

Installing Let's Encrypt

See the Nginx manual on how to get a certificate for cloud.example.org.

Use the following settings with HTTPS support:

/etc/nginx/sites-enabled/cloud.example.org.conf
upstream php-handler {
    server unix:/run/php-fpm.socket;
}

server {
    listen 80;
    server_name cloud.example.org;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/cloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;
    include ssl.conf;
    server_name cloud.example.org;
    # Path to the root of your installation
    root /var/calculate/www/nextcloud/htdocs/;
    # Logs
    access_log /var/log/nginx/cloud.example.org.access.log main;
    error_log /var/log/nginx/cloud.example.org.error.log;
    # Max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Get the ssl certificate
    location ~ /.well-known {
               allow all;
    }
    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Configuring cache

Redis is an in-memory data structure store that can be used for cache management. To use Redis, first install the necessary software:

emerge pecl-redis virtual/pkgconfig

Add Redis to autostart, then start it and restart php-fpm:

rc-update add redis
 * service redis added to runlevel default


/etc/init.d/redis start
php-fpm | * Starting redis ...                                                [ ok ]


/etc/init.d/php-fpm restart
php-fpm | * Stopping PHP FastCGI Process Manager ...                          [ ok ]
php-fpm | * Testing PHP FastCGI Process Manager config ...                    [ ok ]
php-fpm | * Starting PHP FastCGI Process Manager ...                          [ ok ]


Add your Redis configuration to Nextcloud:

/var/calculate/www/nextcloud/htdocs/config/config.php
<?php
$CONFIG = array (
  'instanceid' => 'secret',
  'passwordsalt' => 'secret',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.org',
  ),
  'datadirectory' => '/var/calculate/www/nextcloud/htdocs/data',
  'overwrite.cli.url' => 'https://cloud.example.org',
  'dbtype' => 'pgsql',
  'version' => '13.0.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'secret',
  'installed' => true,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
  ),
);