I recently setup Nextcloud 12 inside a FreeBSD jail in order to allow me access to files i might need while at University. I figured this would be a optimal solution for files that I might need access to unexpectedly, on computers where I am not in complete control. My Nextcloud instance is externally accessible, and yet if someone were to get inside my Jail, I could rest easy knowing they still didn’t have access to the rest of my host server. I chronicled the setup process including jail setup using iocage, https with Lets Encrypt, and full setup of the web stack.
Nextcloud has a variety of features such as calendar synchronization, email, collaborative editing, and even video conferencing. I haven’t had time to play with all these different offerings and have only utilized the file synchronization, but even if file sync is not needed, Nextcloud has many offerings that make it worth setting up.
On my latest install I am not making use of the file synchronization at all, I’ve attached external storage over NFS and am synchronizing the files using Syncthing. This lets me use my preferred sync client, but I’m still able to access all my files from the web interface or Nextcloud client. So far this has been the configuration I am most satisfied with.
- jail Management
- Pre Configuration Setup
- Configure Web Server
- Configure Nextcloud
- Post Setup
Given that I wanted my Nextcloud install to be accessible from the internet, security was paramount as a consideration when planning the set up of my ‘cloud’. In order to maintain network security, and at the same time allow my Nextcloud to be open to the internet, I utilized a combination of tools.
My server that houses the install is in my DMZ, where very limited access is given to the rest of my network. I also put Nextloud inside a FreeBSD jail which is incredibly convenient. My Nextcloud instance is externally accessible, and yet if someone were to get inside my Jail, I could rest easy knowing they still didn’t have access to the rest of my host server. While I obviously wouldn’t rely on this fact alone, it does increase security greatly. It also means I can give the jail even less access to my network than my hosting server has.
In regards to configuration I went with the recommended setup for running Nextcloud.
- PHP 7.0 +
- Apache 2.4 with mod_php
I would have liked to use Nginx and Postgres, but the majority of the documentation for setting up Nextcloud is for Apache - with only a small mention of Nginx, and no mention of Postgres. Not being an expert in either of the areas of database or webserver administration I went with the recommended settings.
To manage my jails I’m using iocage. In terms of jail managers it’s a fairly new player in the game of jail management and is being very actively developed. It just had a full rewrite in Python, and while the code in the background might be different, the actual user interface has stayed the same.
Iocage makes use of ZFS clones in order to create “base jails”, which allow for sharing of one set of system packages between multiple jails, reducing the amount of resources necessary. Alternatively, jails can be completely independent from each other; however, using a base jail makes it easier to update multiple jails as well.
A fork of the old version written in shell script, iocell can be installed from the FreeBSD ports tree as
sysutils/iocell, or as a package with
pkg install iocell.
The new version written in Python can be installed from the ports tree as either the Python2.7 version
sysutils/py-iocage, or the Python3 version with
sysutils/py3-iocage. Binary packages only exist for the Python2.7 version so to install the package run
pkg install py27-iocage. As of this moment the Python 2.7 version is fairly old, so if using ports is a possibility, or you’re able to compile your own binary packages, the Python 3.6 version is more up-to-date.
Enable iocage to autostart at boot:
Fetch the freebsd jail template.This will create the following datasets and then fetch and extract the requested release.
Create the jail
With the shared ip set up, create a new jail. In order to make it easier to keep track of different jails, a “tag” can be added. I called mine “stratus”:
This creates a jail with the following properties.
tag=stratus- Set a tag for the jail to make it easier to refer to.
jail_zfs=on- Allow any assigned datasets to be controlled by the jail.
vnet=off- Do not use VIMAGE, a shared IP will be used instead.
ip4_addr="sge0|172.20.0.100/32"- Assign an interface and IP address.
boot=on- Start jail at boot
The properties can be either assigned one by one or all at once during the creation phase They will be explained in the following sections.
To view the Current properties run
iocage get all stratus.
VIMAGE allows a virtualized NIC to be used inside of a jail, but it isn’t quite stable. Since having a virtualized interface isn’t a necessity with Nextcloud, I have turned VIMAGE off and used a shared IP instead.
In order to use a shared ip, add it with ifconfig.
As the man page mentions, a different netmask then what is in use for the existing IP must be used.
alias Establish an additional network address for this interface. This is sometimes useful when changing network numbers, and one wishes to accept packets addressed to the old interface. If the address is on the same subnet as the first network address for this interface, a non-conflicting netmask must be given. Usually 0xffffffff is most appropriate.
So if the original network is /24, a netmask of 255.255.255.255 should be used.
For an interface
sge0, with a target ip 172.20.0.100 run:
Don’t forget to add it to rc.conf so that after reboot the IP is re-enabled.
iocage and ZFS
iocage integrates well with ZFS. You may have noticed the command syntax is very similar to the syntax used by ZFS.
It’s possible to ‘jail’ a dataset which gives the jail control of any jailed datasets.
Start the jail
With the setup out of the way the jail can be used.
Start the jail:
Tell iocage if you want the jail to start at boot:
Drop down to the jail’s console:
Inside the jail the process should now be similar to the setup on a regular server.
I have chosen to provide storage to the Nextcloud Jail by mounting a dataset over NFS on my host box. This means my server can focus on serving Nextcloud and my storage box can focus on housing the data. The Nextcloud Jail is not even aware of this since the NFS Mount is simply mounted by the host server into the jail. The other benefit of this is the Nextcloud jail doesn’t need to be able to see my storage server, nor the ability to mount the NFS share itself.
Using a seperate server for storage isn’t neccesary and if the storage for my Nextcloud server was being stored on the same server I would have created a ZFS dataset on the host and mounted it into the jail. I show how to do this in the next section.
On my NFS server I set up a share and noted the permissions.
The next step was to setup an NFS mount on the Nextcloud jail’s host.
Enable NFS in rc.conf and start the NFS service.
Mount NFS Shares in jail
I’m mounting two shares at
/mnt/sync Will be for nextcloud external storage.
/mnt/data will be for regular Nextcloud storage.
Note: Make sure the www user, or whichever user Nextcloud is being run by, has permission to access the external storage.
Setup the mountpoints in the jail.
Set iocage to mount the shares after boot
Also set it to unmount the shares when the jail is stopped
Next I set up a dataset for the database and delegated it into the jail. Using a separate dataset allows me to specify certain properties that are better for a database, it also makes migration easier in case I ever need to move or backup the database.
Make sure the jail has access to the default jailed dataset.
Set the mountpoint.
Create the dataset in the jail.
Since MySQL uses it’s own cache, it isn’t necessary to cache both metadata and data in the ARC. Set the dataset to only cache metadata.
Inside the jail it is now possible to mount the specified dataset normally with ZFS. Mount it to
Check it’s mounted:
With most of the requirements in place it was time to start setting up Nextcloud. The requirements for Nextcloud include your basic web stack of a web server, database, and PHP.
The recommended setup for Nextcloud is:
- PHP 7.0 +
- Apache 2.4 with mod_php
While my preferred setup would be PostgreSQL, and Nginx, the majority of the documentation is based on the recommended setup. It would be nice to see these options better supported in the future. As of now there is no ‘official’ documentation for Nginx.
Pre Configuration Setup
Install Apache and enable it to start on boot.
Navigate to the jail’s ip and, “It Works!” should be displayed.
With Apache up and running, I configured https using let’s encrypt.
In order to properly automate the renewal of certificates I set up an ‘acme’ user which renews the certificate on a cron job using acme.sh.
Add the ‘acme’ user to a ‘certs’ group.
Lets Encrypt Client
Install acme.sh to the acme user’s home directory.
Alternate configuration is described in the documentation but by default this will install to
~/.acme.sh and do the following.
[Wed May 10 03:10:42 UTC 2017] Installing to /home/acme/.acme.sh [Wed May 10 03:10:42 UTC 2017] Installed to /home/acme/.acme.sh/acme.sh [Wed May 10 03:10:42 UTC 2017] Installing alias to '/home/acme/.profile' [Wed May 10 03:10:42 UTC 2017] OK, Close and reopen your terminal to start using acme.sh [Wed May 10 03:10:42 UTC 2017] Installing alias to '/home/acme/.cshrc' [Wed May 10 03:10:42 UTC 2017] Installing cron job crontab: no crontab for acme crontab: no crontab for acme [Wed May 10 03:10:43 UTC 2017] OK
The default way to acquire a certificate involves creating a challenge in the webroot of a server.
This can be done by specifying the webroot and domain to issue a certificate for.
At the time of setting up my server, it was not exposed to the internet. I had recently configured certificates for unexposed services using dns validation. Due to my familiarity, and the convenience of not needing to have a server accessible from the web, I issued my challenge this way.
To use DNS validation I used cloudflare - which along with a few other DNS providers has an api which supports a DNS challenge. I found my API key on my web dashboard.
I set the necesary environment variables.
And issued a certificate for my domain.
Letsencrypt should give a TXT record to add to your DNS records. Once the record has been added, run renew and your certificates should be issued.
<domain name> In the place of my domain for the remainder of this article.
Along with issuing a certificate, this wrote the required configuration file for future certificates to
~/.acme.sh/<domain name>/<domain name>.conf.
In order to give my acme user access to the location it issues the certificate to, Earlier I created a ‘certs’ group and added the ‘acme’ user, add the ‘www’ user.
Set the proper permissions in the directory the certificate will be located in.
After creating a new certificate, the web server should be reloaded. To give the acme user permission to reload the server, I used visudo.
Edit visudo to allow a reload without a password.:
This will allow the user to run the following in a cron job:
As the ‘acme’ user, add the reload command to the configuration file we used earlier,
~/.acme.sh/<domain name>/<domain name>.conf.
Now add the crontab that will periodically renew the certificate.
To set the location the different certificate files will be deployed to, tell ‘acme.sh’ where they should end up.
This will write the configuration to
~/.acme.sh/<domain name>/<domain name>.conf.
After obtaining the cert, the following PEM-encoded files will be located in
||The domain certificate|
||The Let’s Encrypt chain certificate|
||cert.pem and chain.pem combined|
||The certificate’s private key|
Next to set up the database. Install Mariadb and set it to start on boot.
The different configuration options can be found in
Use the appropriate configuration file for the size of database. I used the small configuration. Copy it to
Set maximum packet size to 32M in
max_allowed_packet = 32M
Start MySQL and run the script to secure the configuration.
Login to the database.
Create user nextcloud_admin and add a password.
With the database configured, it can now be restarted.
Install PHP and all modules you require. I’m using PHP 7.1. Nextcloud recommends using a version 7.0 or newer.
You can check the compiled in modules with:
php -r “phpinfo();”. The following packages are required:
These were not listed as required by Nextcloud, but my setup wouldn’t work without them.
Required for specific apps:
Required for specific apps: (optional):
For enhanced server performance (optional). I used redis. The options are:
- pecl-APCu (broken on FreeBSD)
For preview generation (optional):
For command line processing (optional):
Install Required Modules
I installed the following.
Configure Web Server
Configure Apache and PHP and confirm they are working properly.
Add the location for the certificate we configured earlier.
Make sure the ssl and rewrite modules are uncommented.
Make sure the php7 module is uncommented.
After libphp7.so line add
IFModule mime_module block add:
Add a PHP handler, in
I used the following configuration in
date.timezone = UTC- Set
date.timezoneto your timezone zone, or UTC.
post_max_size = 10240M- This is the maximum size of POST data accepted by PHP. Setting it to zero removes the limit.
upload_max_filesize = 10240M- Maximum allowed size for uploaded files.
memory_limit = 512M- Adjust memory limit, change this based on your server.
It’s also recommended to enable opcache in
/usr/local/etc/php.ini, which caches precompiled bytecode. It’s bundled in with PHP after version 5.5.
Nextcloud recommends these settings:
With PHP configured we can restart the Web server and check if PHP is working properly.
Check if everything is working by checking
phpinfo(). Enable it by adding the following to
Check your domain or ip address in a browser
http://<ip address>/info.php. All of the PHP info should be listed there.
It’s recommended to use some sort of database cache, I used redis.
Install redis and set it to start at boot.
Next we will configure redis in
Change the port to
0 so Redis will not listen on a TCP socket.
Instead we will configure a UNIX socket.
unixsocket /tmp/redis.sock unixsocketperm 777
Redis can now be started.
ls -al /tmp you should see redis.sock and mysql.sock in the list.
Finally we can install nextcloud. Download it and check it’s hash.
If the hash matches, the archive can be extracted.
Nextcloud Server Configuration
Create a file for nextcloud under
/usr/local/etc/apache24/Includes/. I put mine in
If you set https earlier you can use the following virtual host. I used HSTS here which means the server will always expect to use an https certificate, and removing it in the future will be difficult. If you are considering removing one at a later date, make sure you know how HSTS works.
Add the following virtual host replacing the
ServerAdmin email, and
ServerName domain name.
If you didn’t set up https your virtual host would look something like this.
If you setup https, find ‘Listen 80’ and add underneath ‘Listen 443’ in
Ask search engine bots not to index your site
Make sure the permissions are still correct.
Set the permissions more securely.
Nextcloud should now be working, restart the webserver, visit your domain and edit the settings.
Filling the different options with the locations and values we used earlier. The password should be the one that was used when setting up the database.
Enable the Nextcloud crontab which runs periodic tasks.
Verify it’s scheduled with:
All sorts of Nextcloud commands can be set on the command line using the occ tool. These are the providers I set. It is fairly self-explanatory what they do.
That should be the end of the set up. Some things you might want to do now are look through the administrator settings and enable some defaults depending on your use case. You’ll probably also want to create some users and setup email so that the Nextcloud server can contact you. I recommend using SMTP for simplicity.