I configured Nextcloud inside a FreeBSD jail in order to allow me access to files i might need while at University. I figured this would be a optimal solution for files that I might need access to unexpectedly, on computers where I am not in complete control. My Nextcloud instance is externally accessible, and yet if someone were to get inside my Jail, I could rest easy knowing they still didn’t have access to the rest of my host server. I chronicled the setup process including jail setup using iocage, https with Lets Encrypt, and full setup of the web stack.
Updated on Febuary, 23rd, 2018
Nextcloud has a variety of features such as calendar synchronization, email, collaborative editing, and even video conferencing. I haven’t had time to play with all these different offerings and have only utilized the file synchronization, but even if file sync is not needed, Nextcloud has many offerings that make it worth setting up.
On my latest install I am not making use of the file synchronization at all, I’ve attached external storage over NFS and am synchronizing the files using Syncthing. This lets me use my preferred sync client, but I’m still able to access all my files from the web interface or Nextcloud client. So far this has been the configuration I am most satisfied with.
Security Link to heading
Given that I wanted my Nextcloud install to be accessible from the internet, security was paramount as a consideration when planning the set up of my ‘cloud’. In order to maintain network security, and at the same time allow my Nextcloud to be open to the internet, I utilized a combination of tools.
My server that houses the install is in my DMZ, where very limited access is given to the rest of my network. I also put Nextloud inside a FreeBSD jail which is incredibly convenient. My Nextcloud instance is externally accessible, and yet if someone were to get inside my Jail, I could rest easy knowing they still didn’t have access to the rest of my host server. While I obviously wouldn’t rely on this fact alone, it does increase security greatly. It also means I can give the jail even less access to my network than my hosting server has.
Configuration Link to heading
In regards to configuration I went with the recommended setup for running Nextcloud.
- MySQL/MariaDB
- PHP 7.0 +
- Apache 2.4 with mod_php
I would have liked to use Nginx and Postgres, but the majority of the documentation for setting up Nextcloud is for Apache - with only a small mention of Nginx, and no mention of Postgres. Not being an expert in either of the areas of database or webserver administration I went with the recommended settings.
jail Management Link to heading
To manage my jails I’m using iocage. In terms of jail managers it’s a fairly new player in the game of jail management and is being very actively developed. It just had a full rewrite in Python, and while the code in the background might be different, the actual user interface has stayed very similar.
Iocage makes use of ZFS clones in order to create “base jails”, which allow for sharing of one set of system packages between multiple jails, reducing the amount of resources necessary. Alternatively, jails can be completely independent from each other; however, using a base jail makes it easier to update multiple jails as well.
A fork of the old version written in shell script, iocell can be installed from the FreeBSD ports tree as sysutils/iocell, or as a package with pkg install iocell.
The new version written in Python can be installed from the ports tree as either the Python2.7 version sysutils/py-iocage, or the Python3 version with sysutils/py3-iocage. Binary packages only exist for the Python2.7 version so to install the package run pkg install py27-iocage. As of this moment the Python 2.7 version is fairly old, so if using ports is a possibility, or you’re able to compile your own binary packages, the Python 3.6 version is more up-to-date.
NOTE Regarding FreeNAS:
Due to using a different location for the pool mountpoint, i.e./mnt/<zpool> - zfs datasets can’t be delegated into an iocage jail on FreeNAS. I too ran into this issue while trying to use ZFS mounts on FreeNAS with iocage.
The solution I use, which is in fact how FreeNAS mounts datasets into the old style jails, is to use nullfs mounts. They’re fairly simple to use. While I didn’t intend this article for FreeNAS, and I can’t promise it will work since I haven’t tried it myself, it seems like a lot of people are trying to use Nextcloud on it, since it’s been mentioned to me a few times now.
I have added a note at the bottom regarding how this is done, and if you’re using FreeNAS you should probably take a look at it before continuing.
Setup iocage Link to heading
Enable iocage to autostart at boot:
[root]# sysrc iocage_enable=YES
Fetch the freebsd jail template.This will create the following datasets and then fetch and extract the requested release.
[root]# iocage fetch -r 11.0-RELEASE
Creating vault/iocage
Creating vault/iocage/download
Creating vault/iocage/images
Creating vault/iocage/jails
Creating vault/iocage/log
Creating vault/iocage/releases
Creating vault/iocage/templates
Fetching 11.0-RELEASE...
Create the jail Link to heading
With the shared ip set up, create a new jail. In order to make it easier to keep track of different jails, a “tag” can be added. I called mine “stratus”:
[root]# iocage create --name stratus -r 11.0-RELEASE jail_zfs=on vnet=off ip4_addr="sge0|172.20.0.100/32"
This creates a jail with the following properties.
--name stratus- Set a name for the jail to make it easier to refer to.-r 11.0-RELEASE- Specify a release.jail_zfs=on- Allow any assigned datasets to be controlled by the jail.vnet=off- Do not use VIMAGE, a shared IP will be used instead.ip4_addr="sge0|172.20.0.100/32"- Assign an interface and IP address.boot=on- Start jail at boot
The properties can be either assigned one by one or all at once during the creation phase They will be explained in the following sections.
To view the Current properties run iocage get all stratus.
Shared ip Link to heading
VIMAGE allows a virtualized NIC to be used inside of a jail, but it isn’t quite stable. Since having a virtualized interface isn’t a necessity with Nextcloud, I have turned VIMAGE off and used a shared IP instead.
[root]# iocage set vnet=off stratus
In order to use a shared ip, add it with ifconfig.
As the man page mentions, a different netmask then what is in use for the existing IP must be used.
alias Establish an additional network address for this interface. This
is sometimes useful when changing network numbers, and one wishes
to accept packets addressed to the old interface. If the address
is on the same subnet as the first network address for this
interface, a non-conflicting netmask must be given. Usually
0xffffffff is most appropriate.
So if the original network is /24, a netmask of 255.255.255.255 should be used.
For an interface sge0, with a target ip 172.20.0.100 run:
[root]# ifconfig sge0 172.20.0.100 netmask 255.255.255.255 alias
Don’t forget to add it to rc.conf so that after reboot the IP is re-enabled.
ifconfig_sge0_alias0="inet 172.20.0.100 netmask 255.255.255.255"
iocage and ZFS Link to heading
iocage integrates well with ZFS. You may have noticed the command syntax is very similar to the syntax used by ZFS.
It’s possible to ‘jail’ a dataset which gives the jail control of any jailed datasets.
[root]# iocage set jail_zfs=on stratus
Start the jail Link to heading
With the setup out of the way the jail can be used.
Start the jail:
[root]# iocage start stratus
Tell iocage if you want the jail to start at boot:
[root]# iocage set boot=on stratus
Drop down to the jail’s console:
[root]# iocage console stratus
Inside the jail the process should now be similar to the setup on a regular server.
Storage Link to heading
I have chosen to provide storage to the Nextcloud Jail by mounting a dataset over NFS on my host box. This means my server can focus on serving Nextcloud and my storage box can focus on housing the data. The Nextcloud Jail is not even aware of this since the NFS Mount is simply mounted by the host server into the jail. The other benefit of this is the Nextcloud jail doesn’t need to be able to see my storage server, nor the ability to mount the NFS share itself.
Using a seperate server for storage isn’t neccesary and if the storage for my Nextcloud server was being stored on the same server I would have created a ZFS dataset on the host and mounted it into the jail. I show how to do this in the next section.
NFS Server Link to heading
On my NFS server I set up a share and noted the permissions.
| Parameter | Value |
|---|---|
| Server | <nfs server ip> |
| Share | /mnt/tank/data/stratus/data |
| Owner | www:www |
| UID | 80 |
NFS Client Link to heading
The next step was to setup an NFS mount on the Nextcloud jail’s host.
Setup NFS Link to heading
Enable NFS in rc.conf and start the NFS service.
[root]# sysrc nfs_client_enable=YES
[root]# service nfsclient start
Enable locking
[root]# sysrc rpc_lockd_enable=YES rpc_statd_enable=YES
[root]# service lockd start && service statd start
Mount NFS Shares in jail Link to heading
I’m mounting two shares at /mnt/sync and /mnt/data. /mnt/sync Will be for nextcloud external storage. /mnt/data will be for regular Nextcloud storage.
Note: Make sure the www user, or whichever user Nextcloud is being run by, has permission to access the external storage.
Setup the mountpoints in the jail.
[root@stratus]# mkdir -p /mnt/{data,sync}
Create a script to mount the shares after boot.
[root]# nano /iocage/scripts/stratus/nfsmount.sh
#!/bin/sh
SERVER="${1}"
mount ${SERVER}:/mnt/tank/data/stratus/data /iocage/jails/stratus/root/mnt/data
mount ${SERVER}:/mnt/tank/data/syncthing/sync /iocage/jails/stratus/root/mnt/sync
Set it executable.
[root]# chmod +x /iocage/scripts/stratus/nfsmount.sh
And tell iocage to run it post boot.
[root]# iocage set exec_poststart='/iocage/scripts/stratus/nfsmount.sh <nfs server ip>' stratus
Also create one to unmount the shares when the jail is stopped.
[root]# nano /iocage/scripts/stratus/nfsumount.sh
#!/bin/sh
umount /iocage/jails/stratus/root/mnt/data
umount /iocage/jails/stratus/root/mnt/sync
Set it executable.
[root]# chmod +x /iocage/scripts/stratus/nfsumount.sh
And tell iocage to run it post boot.
[root]# iocage set exec_poststop='/iocage/scripts/stratus/nfsumount.sh' stratus
Database Link to heading
Next I set up a dataset for the database and delegated it into the jail. Using a separate dataset allows me to specify certain properties that are better for a database, it also makes migration easier in case I ever need to move or backup the database.
Make sure the jail has access to the jailed dataset.
[root]# iocage set jail_zfs_dataset=data/jails/stratus/data stratus
Set the mountpoint to none, this way it can just be manipulated in the jail.
[root]# iocage set jail_zfs_mountpoint='none' stratus
Create the dataset that will be used in the jail. I keep my different jail’s datasets separate from iocage organized in vault/data/jails/<jail name> so I put my database in vault/data/jails/stratus/data/db.
[root]# zfs create vault/data/jails/stratus/data/db
Since MySQL uses it’s own cache, it isn’t necessary to cache both metadata and data in the ARC. Set the dataset to only cache metadata.
[root]# zfs set primarycache=metadata vault/data/jails/stratus/data/db
Inside the jail it is now possible to mount the specified dataset normally with ZFS. Mount it to /var/db/mysql
[root@stratus]# mkdir -p /var/db/mysql
[root@stratus]# zfs set mountpoint=/var/db/mysql vault/data/jails/stratus/data/db
[root@stratus]# chown mysql:mysql /var/db/mysql
In the jail, tell ZFS to auto-mount datasets.
[root@stratus]# sysrc zfs_enable=YES
In the jail, check it’s mounted:
[root@stratus]# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zfs list
NAME USED AVAIL REFER MOUNTPOINT
vault 63.5G 828G 96K none
vault/data 4.19G 828G 96K none
vault/data/jails 4.19G 828G 96K none
vault/data/jails/stratus 208M 828G 96K none
vault/data/jails/stratus/data 207M 828G 88K none
vault/data/jails/stratus/data/db 207M 828G 108M /var/db/mysql
Separate Datasets Link to heading
If you need more data sets they can be created in the jail under the jailed dataset vault/data/jails/stratus/data.
If you wanted to use a separate dataset for your files in nextcloud, and you’re not storing your data on a separate server like the example above of using the NFS server, you would simply create a new dataset.
[root@stratus]# mkdir -p /mnt/files
[root@stratus]# zfs create -o mountpoint=/mnt/files vault/data/jails/stratus/data/files
[root@stratus]# zfs list
NAME USED AVAIL REFER MOUNTPOINT
vault 63.5G 828G 96K none
vault/data 4.19G 828G 96K none
vault/data/jails 4.19G 828G 96K none
vault/data/jails/stratus 208M 828G 96K none
vault/data/jails/stratus/data 207M 828G 88K none
vault/data/jails/stratus/data/db 207M 828G 108M /var/db/mysql
vault/data/jails/stratus/data/files 88K 828G 88K /mnt/files
Nextcloud Link to heading
With most of the requirements in place it was time to start setting up Nextcloud. The requirements for Nextcloud include your basic web stack of a web server, database, and PHP.
The recommended setup for Nextcloud is:
- MySQL/MariaDB
- PHP 7.0 +
- Apache 2.4 with mod_php
While my preferred setup would be PostgreSQL, and Nginx, the majority of the documentation is based on the recommended setup. It would be nice to see these options better supported in the future. As of now there is no ‘official’ documentation for Nginx.
Pre Configuration Setup Link to heading
Install Apache and enable it to start on boot.
[root@stratus]# pkg install apache24
[root@stratus]# sysrc apache24_enable=YES
[root@stratus]# service apache24 start
Navigate to the jail’s ip and, “It Works!” should be displayed.
TLS Certificate Link to heading
With Apache up and running, I configured https using let’s encrypt.
I used the acme.sh client which can be installed from ports.
[root@stratus]# pkg install acme.sh
acme.sh’s configuration will be located in /var/db/acme/.
I switched to the ‘acme’ user which renews the certificate on a cron job using acme.sh. In order to allow the acme user permissions I created a ‘certs’ group.
Add the ‘acme’ user to the ‘certs’ group.
[root@stratus]# pw groupadd certs
[root@stratus]# pw groupmod certs -m acme
Confgure Challenge Link to heading
The common way to acquire a certificate involves creating a challenge in the webroot of a server.
This can be done by specifying the webroot and domain to issue a certificate for.
[acme@stratus]$ acme.sh --issue -d <domain> -w <webroot>
At the time of setting up my server, it was not exposed to the internet. I had recently configured certificates for unexposed services using dns validation. Due to my familiarity, and the convenience of not needing to have a server accessible from the web, I issued my challenge this way.
To use DNS validation I used cloudflare - which along with a few other DNS providers has an api which supports a DNS challenge. I found my API key on my web dashboard.
I set the necesary environment variables.
[acme@stratus]$ su acme
[acme@stratus]$ export CF_Email="<cloudflare email>"
[acme@stratus]$ export CF_Key="<cloudflare api key>"
And issued a certificate for my domain.
[acme@stratus]$ acme.sh --issue --dns dns_cf -d <domain name>
Letsencrypt should add a TXT record to your DNS records using the api. Once the record has been added, run renew and your certificates should be issued.
I use <domain name> In the place of my domain for the remainder of this article.
Along with issuing a certificate, this wrote the required configuration file for future certificates to ~/.acme.sh/<domain name>/<domain name>.conf.
To renew manually use:
[acme@stratus]$ acme.sh --renew -d <domain name>
Security Link to heading
In order to give my acme user access to the location it issues the certificate to, Earlier I created a ‘certs’ group and added the ‘acme’ user, add the ‘www’ user.
[root@stratus]# pw groupmod certs -M acme,www
Set the proper permissions in the directory the certificate will be located in.
[root@stratus]# chown -R www:certs /usr/local/etc/apache24/ssl
[root@stratus]# chmod -R 770 /usr/local/etc/apache24/ssl
After creating a new certificate, the web server should be reloaded. To give the acme user permission to reload the server, I used visudo.
Edit visudo to allow a reload without a password.:
[root@stratus]# pkg install sudo
[root@stratus]# visudo
acme ALL=(ALL) NOPASSWD: /usr/sbin/service apache24 reload
This will allow the user to run the following in a cron job:
[root@stratus]# sudo /usr/sbin/service apache24 reload
Cron Job Link to heading
As the ‘acme’ user, add the reload command to the configuration file we used earlier, ~/.acme.sh/<domain name>/<domain name>.conf.
Le_ReloadCmd='/usr/local/bin/sudo /usr/sbin/service apache24 reload'
Now add the crontab that will periodically renew the certificate.
[root@stratus]# crontab -u acme -e
36 0 * * * /usr/local/sbin/acme.sh --cron --home "/var/db/acme/.acme.sh"
To set the location the different certificate files will be deployed to, tell ‘acme.sh’ where they should end up.
[acme@stratus]$ acme.sh --installcert -d <domain name> \
--certpath /usr/local/etc/apache24/ssl/<domain name>.cer \
--keypath /usr/local/etc/apache24/ssl/<domain name>.key \
--capath /usr/local/etc/apache24/ssl/ca.cer \
--fullchainpath /usr/local/etc/apache24/ssl/fullchain.cer \
--reloadcmd "sudo /usr/sbin/service apache24 reload"
This will write the configuration to ~/.acme.sh/<domain name>/<domain name>.conf.
After obtaining the cert, the following PEM-encoded files will be located in /usr/local/etc/apache24/ssl/.
[acme@stratus]$ ls -la /usr/local/etc/apache24/ssl/
total 35
drwxrwx--- 2 www certs 6 May 31 02:45 .
drwxr-xr-x 7 root wheel 13 May 31 02:15 ..
-rw-r--r-- 1 www certs 1647 May 31 02:45 ca.cer
-rw-r--r-- 1 www certs 3465 May 31 02:45 fullchain.cer
-rw-r--r-- 1 www certs 1818 May 31 02:45 <domain name>.cer
-rw-r--r-- 1 www certs 1675 May 31 02:45 <domain name>.key
| Certificate | |
|---|---|
<domain name>.cer | The domain certificate |
ca.cer | The Let’s Encrypt chain certificate |
fullchain.cer | cert.pem and chain.pem combined |
<domain name>.key | The certificate’s private key |
MySQL Link to heading
Next to set up the database. Install Mariadb and set it to start on boot.
[root@stratus]# pkg install mariadb102-server
[root@stratus]# sysrc mysql_enable=YES
Setup Link to heading
The different configuration options can be found in /usr/local/share/mysql/
[root@stratus]# ls -l /usr/local/share/mysql/my*.cnf
Use the appropriate configuration file for the size of database. I used the small configuration. Copy it to /usr/local/etc/my.cnf.
[root@stratus]# cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf
Set maximum packet size to 32M in /usr/local/etc/my.cnf
max_allowed_packet = 32M
Start MySQL and run the script to secure the configuration.
[root@stratus]# service mysql-server start && /usr/local/bin/mysql_secure_installation
Prepare Database Link to heading
Login to the database.
[root@stratus]# mysql -u root -p
Create user nextcloud_admin and add a password.
CREATE DATABASE nextcloud;
CREATE USER 'nextcloud_admin'@'localhost' IDENTIFIED BY '<your password here>';
GRANT ALL ON nextcloud.* TO 'nextcloud_admin'@'localhost';
FLUSH PRIVILEGES;
exit
With the database configured, it can now be restarted.
[root@stratus]# service mysql-server restart
PHP Link to heading
Install PHP and all modules you require. I’m using PHP 7.1. Nextcloud recommends using a version 7.0 or newer.
[root@stratus]# pkg install php71 mod_php71
You can check the compiled in modules with: php -r “phpinfo();”. The following packages are required:
- php71-ctype
- php71-dom
- php71-gd
- php71-iconv
- php71-json
- php71-mbstring
- php71-posix
- php71-simplexml
- php71-xmlreader
- php71-xmlwriter
- php71-zip
- php71-zlib
- php71-pdo_mysql
These were not listed as required by Nextcloud, but they seem to be required on FreeBSD.
- php71-hash
- php71-xml
- php71-session
- php71-mysqli
- php71-filter
- php71-xsl
- php71-wddx
Recommended packages:
- php71-curl
- php71-fileinfo
- php71-bz2
- php71-intl
- php71-mcrypt
- php71-openssl
Required for specific apps:
- php71-ldap
- php71-ftp
- php71-imap
Required for specific apps: (optional):
- php71-exif
- php71-gmp
For enhanced server performance (optional). I used redis. The options are:
- pecl-APCu (broken on FreeBSD at the time of writing)
- php71-memcache
- pecl-redis
- php71-opcache
For preview generation (optional):
- pecl-imagick
- ffmpeg
- libreoffice
For command line processing (optional):
- php71-pcntl
Install Required Modules Link to heading
I installed the following.
[root@stratus]# pkg install php71-ctype php71-dom php71-gd php71-iconv php71-json php71-mbstring php71-posix php71-simplexml php71-xmlreader php71-xmlwriter php71-zip php71-zlib php71-pdo_mysql php71-curl php71-fileinfo php71-bz2 php71-intl php71-mcrypt php71-openssl php71-exif pecl-redis pecl-imagick php71-pcntl ffmpeg libreoffice php71-hash php71-xml php71-session php71-mysqli php71-wddx php71-xsl php71-filter php71-opcache
Configure Web Server Link to heading
Configure Apache and PHP and confirm they are working properly.
Apache Link to heading
Uncomment rewrite_module and ssl_module in /usr/local/etc/apache24/httpd.conf.
Add the location for the certificate we configured earlier.
SSLCertificateFile /usr/local/etc/apache24/ssl/fullchain.cer
SSLCertificateKeyFile /usr/local/etc/apache24/ssl/<domain name>.key
Make sure the ssl and rewrite modules are uncommented.
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
Make sure the php7 module is uncommented.
LoadModule php7_module libexec/apache24/libphp7.so
After libphp7.so line add
<IfModule php7_module>
<FilesMatch "\.(php|phps|php7|phtml)$">
SetHandler php7-script
</FilesMatch>
DirectoryIndex index.php
</IfModule>
Inside the IFModule mime_module block add:
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .php
Add a PHP handler, in /usr/local/etc/apache24/modules.d/001_mod_php.conf.
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
Restart apache:
[root@stratus]# service apache24 restart
PHP Link to heading
Grab php.ini
[root@stratus]# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini && rehash
I used the following configuration in /usr/local/etc/php.ini:
cgi.fix_pathinfo=0- Changecgi.fix_pathinfo=1tocgi.fix_pathinfo=0date.timezone = UTC- Setdate.timezoneto your timezone zone, or UTC.post_max_size = 10240M- This is the maximum size of POST data accepted by PHP. Setting it to zero removes the limit.upload_max_filesize = 10240M- Maximum allowed size for uploaded files.memory_limit = 512M- Adjust memory limit, change this based on your server.
Opcache Link to heading
It’s also recommended to enable opcache in /usr/local/etc/php.ini, which caches precompiled bytecode. It’s bundled in with PHP after version 5.5.
Nextcloud recommends these settings:
opcache.enable=1opcache.enable_cli=1opcache.interned_strings_buffer=8opcache.max_accelerated_files=10000opcache.memory_consumption=128opcache.save_comments=1opcache.revalidate_freq=1
Test PHP Link to heading
With PHP configured we can restart the Web server and check if PHP is working properly.
Restart apache
[root@stratus]# service apache24 restart
Check if everything is working by checking phpinfo(). Enable it by adding the following to /usr/local/www/apache24/data/info.php
<?php
phpinfo();
?>
Check your domain or ip address in a browser http://<ip address>/info.php. All of the PHP info should be listed there.
Redis Link to heading
It’s recommended to use some sort of database cache, I used redis.
Install redis and set it to start at boot.
[root@stratus]# pkg install redis
[root@stratus]# sysrc redis_enable=YES
Note: in order to use pecl-redis with php71, pecl-redis needs to be built with php71. It defaults to using php56 which is how it is built in the package. I built a package using poudriere with my required compile options.
Next we will configure redis in /usr/local/etc/redis.conf
Change the port to 0 so Redis will not listen on a TCP socket.
port 0
Instead we will configure a UNIX socket.
unixsocket /tmp/redis.sock
unixsocketperm 777
Redis can now be started.
[root@stratus]# service redis start
Run ls -al /tmp you should see redis.sock and mysql.sock in the list.
[root@stratus]# ls -al /tmp
total 43
srwxrwxrwx 1 mysql wheel 0 May 31 09:29 mysql.sock
srwxrwxrwx 1 redis wheel 0 May 31 09:30 redis.sock
Configure Nextcloud Link to heading
Finally we can install nextcloud. Download it and check it’s hash.
[root@stratus]# cd /usr/local/www/apache24/data/
[root@stratus]# fetch https://download.nextcloud.com/server/releases/nextcloud-12.0.3.tar.bz2
[root@stratus]# fetch https://download.nextcloud.com/server/releases/nextcloud-12.0.3.tar.bz2.md5
[root@stratus]# md5 nextcloud-12.0.3.tar.bz2
[root@stratus]# cat nextcloud-12.0.3.tar.bz2.md5
If the hash matches, the archive can be extracted.
[root@stratus]# tar -xjf nextcloud-12.0.3.tar.bz2
Nextcloud Server Configuration Link to heading
Create a file for nextcloud under /usr/local/etc/apache24/Includes/. I put mine in /usr/local/etc/apache24/Includes/<domain name>.conf
If you set https earlier you can use the following virtual host. I used HSTS here which means the server will always expect to use an https certificate, and removing it in the future will be difficult. If you are considering removing one at a later date, make sure you know how HSTS works.
Add the following virtual host replacing the ServerAdmin email, and ServerName domain name.
<VirtualHost *:443>
ServerAdmin admin@<domain name>
ServerName <domain name>
DirectoryIndex index.php
DocumentRoot /usr/local/www/apache24/data/nextcloud
SSLCertificateFile /usr/local/etc/apache24/ssl/fullchain.cer
SSLCertificateKeyFile /usr/local/etc/apache24/ssl/<domain name>.key
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
<Directory /usr/local/www/apache24/data/nextcloud>
AllowOverride all
</Directory>
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>
If you didn’t set up https your virtual host would look something like this.
<VirtualHost *:80>
DocumentRoot "/usr/local/www/apache24/data/nextcloud"
ServerName <domain name>
RewriteEngine on
RewriteCond %{SERVER_NAME} =<domain name>
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
#ErrorLog ${APACHE_LOG_DIR}/error.log
#CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /usr/local/www/apache24/data/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /usr/local/www/apache24/data/nextcloud
SetEnv HTTP_HOME /usr/local/www/apache24/data/nextcloud
Satisfy Any
</Directory>
</VirtualHost>
If you setup https, find ‘Listen 80’ and add underneath ‘Listen 443’ in/usr/local/etc/apache24/httpd.conf.
Ask search engine bots not to index your site
[root@stratus]# ln -s /usr/local/www/apache24/data/nextcloud/robots.txt /usr/local/www
Make sure the permissions are still correct.
[root@stratus]# chown -R www:www /usr/local/www/apache24/data/nextcloud /mnt/data
Set the permissions more securely.
[root@stratus]# find /usr/local/www/apache24/data/nextcloud/ -type d -exec chmod 750 {} \;
[root@stratus]# find /usr/local/www/apache24/data/nextcloud/ -type f -exec chmod 640 {} \;
WebUI Link to heading
Nextcloud should now be working, restart the webserver, visit your domain and edit the settings.
[root@stratus]# service apache24 restart
Filling the different options with the locations and values we used earlier. The password should be the one that was used when setting up the database.
| Option | Value |
|---|---|
| Data folder | /mnt/data |
| Database user | nextcloud_admin |
| Database password | <your password> |
| Database name | nextcloud |
| Database host | localhost:/tmp/mysql.sock |
cron Link to heading
Enable the Nextcloud crontab which runs periodic tasks.
[root@stratus]# crontab -u www -e
*/15 * * * * /usr/local/bin/php -f /usr/local/www/apache24/data/nextcloud/cron.php
Verify it’s scheduled with:
[root@stratus]# crontab -u www -l
Nextcloud Providers Link to heading
All sorts of Nextcloud commands can be set on the command line using the occ tool. These are the providers I set. It is fairly self-explanatory what they do.
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enable_previews --value=true --type=boolean'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 0 --value="OC\Preview\PNG"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 1 --value="OC\Preview\JPEG"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 2 --value="OC\Preview\GIF"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 3 --value="OC\Preview\BMP"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 4 --value="OC\Preview\XBitmap"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 5 --value="OC\Preview\MarkDown"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 6 --value="OC\Preview\MP3"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 7 --value="OC\Preview\TXT"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 8 --value="OC\Preview\Illustrator"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 9 --value="OC\Preview\Movie"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 10 --value="OC\Preview\MSOffice2003"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 11 --value="OC\Preview\MSOffice2007"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 12 --value="OC\Preview\MSOfficeDoc"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 13 --value="OC\Preview\OpenDocument"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 14 --value="OC\Preview\PDF"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 15 --value="OC\Preview\Photoshop"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 16 --value="OC\Preview\Postscript"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 17 --value="OC\Preview\StarOffice"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 18 --value="OC\Preview\SVG"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 19 --value="OC\Preview\TIFF"'
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ config:system:set enabledPreviewProviders 20 --value="OC\Preview\Font"'
Redis Link to heading
If redis was setup, add the settings manually to the config /usr/local/www/apache24/data/nextcloud/config/config.php. Adding with occ caused problems for me.
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
'host' => '/tmp/redis.sock',
'port' => 0,
),
Post Setup Link to heading
That should be the end of the set up. Some things you might want to do now are look through the administrator settings and enable some defaults depending on your use case. You’ll probably also want to create some users and setup email so that the Nextcloud server can contact you. I recommend using SMTP for simplicity.
{% include centered_caption_image.html url="/images/nextcloud/stratus-interface.png" description=“Nextcloud file browser.” %}
SMTP Email Link to heading
Install msmtp to send email via SMTP. Since SSMTP was depreciated i’ve been using msmtp.
pkg install msmtp
Create a config file for the system in /usr/local/etc/msmtprc, or user in $HOME/.msmtprc.
Here’s an example system config, minus account setup.
# msmtp system wide configuration file
# A system wide configuration file with default account.
defaults
# The SMTP smarthost.
host smtp.fastmail.com
port 465
# Construct envelope-from addresses of the form "user@oursite.example".
#auto_from on
maildomain <your domain>
# Use TLS.
tls on
tls_starttls off
# Activate server certificate verification
tls_trust_file /usr/local/share/certs/ca-root-nss.crt
# Syslog logging with facility LOG_MAIL instead of the default LOG_USER.
syslog LOG_MAIL
aliases /etc/aliases
Lock down the file:
pw groupadd msmtp
chown :msmtp /usr/local/etc/msmtprc
chown :msmtp /usr/local/bin/msmtp
chmod 640 /usr/local/etc/msmtprc
chmod g+s /usr/local/bin/msmtp
pw groupmod msmtp -M root,www
Tell sendmail where msmtp lives. Edit /etc/mail/mailer.conf.
sendmail /usr/local/bin/msmtp
send-mail /usr/local/bin/msmtp
mailq /usr/local/bin/msmtp
newaliases /usr/local/bin/msmtp
hoststat /usr/bin/true
purgestat /usr/bin/true
Manual Upgrade Link to heading
I’ve had problems with the WebUI updater and it has always failed on me. I do the upgrades manually from the commandline, but it doesn’t hurt to try the WebUI updater since it can be completed from the commandline if it fails.
Setup Link to heading
Stop Apache and enter maintenance mode
[root@stratus]# service apache24 stop
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ maintenance:mode --on'
Create a backup directory and enter it.
[root@stratus]# mkdir -p /mnt/ncbup && cd /mnt/ncbup
Backup Database and Nextcloud Directory Link to heading
Just to be safe, dump the database.
[root@stratus]# mysqldump --lock-tables -h localhost -u root -p nextcloud > nextcloud-sqlbkp_`date +"%Y%m%d"`.bak
Make a backup of the old Nextcloud directory. This contains the old configuration, so for now it must be held onto.
[root@stratus]# mv /usr/local/www/apache24/data/nextcloud /mnt/ncbup/nextcloud-old-`date +"%Y%m%d"`.bak
Prepare Upgrade Link to heading
Download source.
[root@stratus]# cd /mnt/ncbup
[root@stratus]# fetch https://download.nextcloud.com/server/releases/nextcloud-12.0.2.tar.bz2
[root@stratus]# fetch https://download.nextcloud.com/server/releases/nextcloud-12.0.2.tar.bz2.md5
check hash of files, they should be the same.
[root@stratus]# md5 nextcloud-12.0.2.tar.bz2
[root@stratus]# cat nextcloud-12.0.2.tar.bz2.md5
If good, extract
[root@stratus]# tar -xjf nextcloud-12.0.2.tar.bz2
Move updated files to nextcloud location.
[root@stratus]# mv nextcloud /usr/local/www/apache24/data/
[root@stratus]# chown -R www:www /usr/local/www/apache24/data/nextcloud
Copy the config.php file from your old Nextcloud directory to your new Nextcloud directory.
[root@stratus]# cp /mnt/ncbup/nextcloud-old-`date +"%Y%m%d"`.bak/config/config.php /usr/local/www/apache24/data/nextcloud/config/config.php
Compare old apps with new ones. If any are missing from the new directory, copy them over from the original.
[root@stratus]# ls /mnt/ncbup/nextcloud-old-`date +"%Y%m%d"`.bak/apps/
[root@stratus]# ls /usr/local/www/apache24/data/nextcloud/apps/
I needed to move:
- bruteforcesettings
- files_markdown
- twofactor_totp
[root@stratus]# cd /mnt/ncbup/nextcloud-old-`date +"%Y%m%d"`.bak/apps
[root@stratus]# cp -r bruteforcesettings files_markdown twofactor_totp /usr/local/www/apache24/data/nextcloud/apps/
Make sure the permissions on the new directory are correct.
[root@stratus]# chown -R www:www /usr/local/www/apache24/data/nextcloud
[root@stratus]# find /usr/local/www/apache24/data/nextcloud/ -type d -exec chmod 750 {} \;
[root@stratus]# find /usr/local/www/apache24/data/nextcloud/ -type f -exec chmod 640 {} \;
Upgrade Link to heading
Start the upgrade.
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ upgrade'
Assuming the upgrade succeeded, disable the maintenance mode and start apache.
[root@stratus]# su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ maintenance:mode --off'
[root@stratus]# service apache24 start
Archive Backup Link to heading
It might be a good idea to hold on to the files in case there are ever needed. I archive my different backups into a tarball.
Create a directory with all the upgrade files.
[root@stratus]# mkdir archive
[root@stratus]# tar -cvzf archive/12.0.0-12.0.2-upgrade-`date +"%Y%m%d"`.tar.gz nextcloud-12.0.2.tar.bz2 nextcloud-old-20170818.bak nextcloud-12.0.2.tar.bz2.md5 nextcloud-sqlbkp_20170818.bak
Now the old files can be removed.
[root@stratus]# rm -rf nextcloud-12.0.2.tar.bz2 nextcloud-old-20170818.bak nextcloud-12.0.2.tar.bz2.md5 nextcloud-sqlbkp_20170818.bak
You probably also want to take ZFS snapshots of your jail and dataset, as it needs for easy rollback and transfer of data.
Iocage ZFS mounts on FreeNAS Link to heading
To set up a nullfs mount for a dataset, you can use the iocage fstab command.
[root]# iocage fstab --add <jail> '<host path> <jail path> nullfs rw 0 0'
For example, the analogous commands to the ones I used earlier to set up the dataset vault/data/jails/stratus/data/db would be:
[root]# iocage fstab --add stratus '/mnt/tank/data/jails/stratus/data/db /var/db/mysql nullfs rw 0 0'
This is assuming the name of your jail is stratus, your zpool name is tank, the path you want to mount is located at /mnt/tank/data/jails/stratus/data/db (it must be mounted here on the host), and the location you want to mount it to inside the jail is /var/db/mysql. You would then not be using any ZFS commands in the jail at all, you would do all the manipulation of datasets on the host, including setting of any properties you want.
Before doing this you’re also going to want to unset jailing of datasets, iocage set jail_zfs=off stratus.
You can repeat the command for any other datasets you want to mount. Use the full path from the host, and the full path you want it to be mounted to inside the jail.
If you get a message about the datasets being jailed if you try to manipulate them, you might just want to destroy all the datasets and then recreate them - assuming you don’t have anything in them.
You can also list nullfs mounts to check they are correct with
[root]# iocage fstab --list <jail>
and remove or edit them with
[root]# iocage fstab --remove <jail> <fstab id>
[root]# iocage fstab --edit <jail>