NextCloud

Updated 14 April 2021

Nextcloud

Introduction

Nextcloud is a web software for data synchronization, cloud storage and file-sharing.

Preparing a LXC container

We recommend installing Nextcloud in a separate container which you would have configured according to the manual.

Installing and configuring PostgreSQL

Install and configure PostgreSQL according to the manual. Replace the dbtest database from the example with nextcloud, and instead of the test user create nextcloud.

Installing and configuring Nginx

Install and configure the Nginx web server and PHP-FPM according to the manual.

Installing Nextcloud

Below is explained how to install Nextcloud from the source code.
Subsequent updates will be made from the web interface or directly from the command line of the service.

Downloading and extracting Nextcloud

To unpack the Nextcloud archive, you will need an unzip archiver. If the package is not on the system, install it first:

emerge -a app-arch/unzip

Create the necessary paths, then download and unpack the service:

mkdir -p /var/calculate/www/nextcloud/{upload,save}

cd /var/calculate/www/nextcloud

wget https://download.nextcloud.com/server/releases/latest.zip

unzip latest.zip

mv nextcloud htdocs

rm latest.zip

Edit the privileges:

chown -R nginx. .

Configuring Nginx for NextCloud

Configure Nginx for the ~cloud.example.org~ domain name:

/etc/nginx/sites-enabled/cloud.example.org.conf
upstream php-handler {
    server unix:/run/php-fpm.socket;
}
server {
    listen 80;
    server_name cloud.example.org;
    # Path to the root of your installation
    root /var/calculate/www/nextcloud/htdocs/;
    # Logs
    access_log /var/log/nginx/cloud.example.org.access.log main;
    error_log /var/log/nginx/cloud.example.org.error.log;
    # Max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Для получения сертификата ssl
    location ~ /.well-known {
               allow all;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|woff2?|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

PHP-FPM configuration

Configure PHP-FPM environment variables:

/etc/php/fpm-php7.4/fpm.d/www.conf
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Configure the PHP-FPM OPcache:

/etc/php/fpm-php7.4/php.ini
[PHP]
; Maximum amount of memory a script may consume
; http://php.net/memory-limit
memory_limit = 512M

[opcache]
; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=1

Restart Nginx and PHP-FPM to validate:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
/etc/init.d/nginx reload
nginx | * Checking nginx configuration ...                                    [ ok ]
nginx | * Refreshing nginx configuration ...                                  [ ok ]
/etc/init.d/php-fpm restart
php-fpm | * Stopping PHP FastCGI Process Manager ...                          [ ok ]
php-fpm | * Testing PHP FastCGI Process Manager config ...                    [ ok ]
php-fpm | * Starting PHP FastCGI Process Manager ...                          [ ok ]

Configuring Nextcloud

Add cloud.example.org running on IP ~192.168.0.1~~ to the DNS server on your local network or edit the line:

/etc/hosts
192.168.0.1 cloud.example.org

Go to ~http://cloud.example.org~~ in your browser and make the final configuration of Nextcloud.

HTTPS configuration

Getting the Let's Encrypt certificate

Get a domain certificate for cloud.example.org for Nginx according to the manual.

Setting up HTTPS support in Nginx

Configure Nginx to support HTTPS according to the manual.

Configuring HTTPS for Nextcloud

Configure Nginx for the ~cloud.example.org~ domain:

/etc/nginx/sites-enabled/cloud.example.org.conf
upstream php-handler {
    server unix:/run/php-fpm.socket;
}

server {
    listen 80;
    server_name cloud.example.org;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/cloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.org/privkey.pem;
    include ssl.conf;
    server_name cloud.example.org;
    # Path to the root of your installation
    root /var/calculate/www/nextcloud/htdocs/;
    # Logs
    access_log /var/log/nginx/cloud.example.org.access.log main;
    error_log /var/log/nginx/cloud.example.org.error.log;
    # Max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Для получения сертификата ssl
    location ~ /.well-known {
               allow all;
    }

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|woff2?|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Configuring cache

Redis is an in-memory data structure store that can be used for cache management. To use Redis, first install the necessary software:

emerge dev-db/redis dev-php/pecl-redis virtual/pkgconfig

Add Redis to autostart, run it and restart PHP-FPM:

rc-update add redis
 * service redis added to runlevel default
/etc/init.d/redis start
php-fpm | * Starting redis ...                                                [ ok ]
/etc/init.d/php-fpm restart
php-fpm | * Stopping PHP FastCGI Process Manager ...                          [ ok ]
php-fpm | * Testing PHP FastCGI Process Manager config ...                    [ ok ]
php-fpm | * Starting PHP FastCGI Process Manager ...                          [ ok ]

Add the Redis settings to Nextcloud:

/var/calculate/www/nextcloud/htdocs/config/config.php
<?php
$CONFIG = array (
  'instanceid' => 'secret',
  'passwordsalt' => 'secret',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.org',
  ),
  'datadirectory' => '/var/calculate/www/nextcloud/htdocs/data',
  'overwrite.cli.url' => 'https://cloud.example.org',
  'dbtype' => 'pgsql',
  'version' => '13.0.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'secret',
  'installed' => true,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
  ),
);

By default, Redis uses 64Mb of RAM. This may not be sufficient for Nextcloud operating normally, causing the OOM command not allowed when used memory > 'maxmemory' error. Set the max size of RAM to be used by Redis:

/etc/redis.conf

...
maxmemory 256mb

Conclusion

Nextcloud is up and running! But this is just the first step. You will be discovering the amazing possibilities of your personal Nextcloud cloud. Read [Working_with_nextcloud] (working_with_nextcloud) to learn more.

Note

Subscribe to our group @nextcloud@calculate.social in Mastodon.