NextCloud setup on B3, complete How-To

[pompopom]

I just finished setting up NextCloud on my freshly installed B3
see here: https://forum.excito.com/viewtopic.php?f=7&t=6139

I chose NextCloud in favor of OwnCloud, if you prefer OwnCloud you can still use this How-To besides some details as it's basically the same software. I would say read up on NextCloud.

Next to that I used Nginx as my webserver. I did this mostly out of curiosity. I'm quite used to Apache and just wanted to try something else. Also 'they say' Nginx is more lightweight then Apache. With the B3 in mind that would make sense.

As a db backend I went for MariaDB (which is just a renamed MySQL) as you all may be aware of. So nothing fancy here.

I'm going to be posting a few posts here, with as goal to split it up in chapters.

I also tried to add the links to the webpages where I found the info.
1) just for reference
2) to credit the other people

Ok let's do this!

[pompopom]

In addition to the fresh install of my B3 I have chosen to put /home underneath / and no longer in a dedicated partition as my /home will stay rather small, it's not that I'm using my B3 as my desktop.

The "large" partition (originally /home) has been renamed /data
To do so:

Code: Select all

root@b3:~# mkdir /data
root@b3:~# nano /etc/fstab
root@b3:~# cat /etc/fstab
root@b3:~# reboot

Reconnect back to your B3

Code: Select all

root@b3:~# cp -r /data/* /home
root@b3:~# exit

Reconnect back to your B3

These next few steps might be optional if your system is already running for a while.
If you start from a clean setup after completely re-installing your B3,
do a quick crosscheck to see if everything is in place.

Add user + set password:

Code: Select all

root@b3:~# useradd -m newuser
root@b3:~# passwd newuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Change default root password:

Code: Select all

root@b3:~# passwd

edit /etc/passwd + added /bin/bash at the end of the newly created user:

Code: Select all

root@b3:~# nano /etc/passwd
root@b3:~# cat /etc/passwd
**SNIP**
newuser:x:1001:1001::/home/newuser:/bin/bash

Test newly created user login.
Do this before deleting default user excito, as by default you are not able to
login over ssh with user root!! If login over ssh works with the new user, continue

Add b3 into /etc/hosts:

Code: Select all

root@b3:~# nano /etc/hosts
root@b3:~# cat /etc/hosts
127.0.0.1	localhost b3
::1 		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

Delete default user excito:

Code: Select all

root@b3:~# passwd -l excito
passwd: password expiry information changed.
root@b3:~# userdel -r excito
userdel: excito mail spool (/var/mail/excito) not found

Set locales and timezone:

Code: Select all

root@b3:~# dpkg-reconfigure locales
root@b3:~# dpkg-reconfigure tzdata

Get latest updates:

Code: Select all

root@b3:~# apt-get update
Ign:1 http://deb.debian.org/debian stretch InRelease
Get:2 http://deb.debian.org/debian stretch Release [118 kB]
**SNIP**
Get:9 http://deb.debian.org/debian stretch/main Translation-en [5394 kB]
Get:10 http://repo.excito.org stretch/main armel Packages [1702 B]
Fetched 13.0 MB in 25s (511 kB/s)
Reading package lists... Done

And upgrade:

Code: Select all

root@b3:~# apt-get upgrade

Install sudo:

Code: Select all

root@b3:~# apt-get install sudo

Install + config ddclient (for dyndns and the like):
=> If you have a fixed IP, this can off course be skipped

Code: Select all

root@b3:~# apt-get install ddclient

Install ntp:

Code: Select all

root@b3:~# apt-get install ntp

Install net-tools (ifconfig, ...):

Code: Select all

root@b3:~# apt-get install net-tools

Install openssl:

Code: Select all

root@b3:~# apt-get install openssl

Optional: Install tcpdump
I would only do this if in the end, nothing is working and you are out of clues why.

Code: Select all

root@b3:~# apt-get install tcpdump

Reboot:

Code: Select all

root@b3:~# reboot

And off course login...

Cleanup:

Code: Select all

root@b3:~# apt-get autoremove --purge

Ready for config!

[pompopom]

Let's set some fixed IP-addresses.
I prefer to do this one by one. So leave at least one of both interfaces in dhcp mode untill you are sure the config from the second network card is completely functional.

First edit /etc/network/interfaces
Pay special attention to the "source" line, there's an error in the default one.
Basically I commented out the default values and added the correct "source" line

Code: Select all

root@b3:~# nano /etc/network/interfaces
root@b3:~# cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
#source-directory /etc/network/interfaces.d
source /etc/network/interfaces.d/*

#auto lo
#iface lo inet loopback

#allow-hotplug eth0
#iface eth0 inet dhcp

#allow-hotplug eth1
#iface eth1 inet dhcp

Then create 3 files in /etc/network/interfaces.d
Off course make the IP's suite your network.
I added the Google DNS servers:

Code: Select all

root@b3:~# nano /etc/network/interfaces.d/eth0
root@b3:~# cat /etc/network/interfaces.d/eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
root@b3:~# nano /etc/network/interfaces.d/eth1
root@b3:~# cat /etc/network/interfaces.d/eth1
allow-hotplug eth1
iface eth1 inet static
address 192.168.1.55
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
root@b3:~# nano /etc/network/interfaces.d/lo
root@b3:~# cat /etc/network/interfaces.d/lo
auto lo
iface lo inet loopback

Like I said, create this one by one!!
Do a reboot in between each config change, and make sure you can ping the interface you just edited.
Yes a reboot, not a simple network restart.
systemctl restart networking.service does not bring up the interface so you're shooting in your own foot

[pompopom]

The actual installation of everything needed for NextCloud

Install certbot - Let's encrypt (https://letsencrypt.org/)
If you're going to use another CA, or you already have your SSL-certs, you can skip this. Either way it's strongly recommended to use SSL (httpS) nowadays.
Edit sources.list

Code: Select all

root@b3:~# nano /etc/apt/sources.list

Add:

Code: Select all

deb http://ftp.debian.org/debian stretch-backports main

Get a Public DNS name. I always use DynDNS. (https://dyn.com)
See ddclient above to keep your dynamic DNS in sync.

Depending on your setup networkwise:
forward port 443(https) + 80(http) on router/firewall to B3
You can choose to only forward 443.
The webserver config will force SSL (443) anyway.
In short: Make sure your B3 port 80 and/or 443 is visible by 'the internet'

Install LEMP stack (nginx MariaDB php):

Code: Select all

root@b3:~# apt-get install nginx mariadb-server php-fpm php-mysql

Enable nginx after reboot:

Code: Select all

root@b3:~# systemctl enable nginx
root@b3:~# systemctl status nginx

If you see an error about a PID file that can't be read in the status:

Code: Select all

root@b3:~# mkdir /etc/systemd/system/nginx.service.d
root@b3:~# printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
root@b3:~# systemctl daemon-reload
root@b3:~# systemctl restart nginx
root@b3:~# systemctl status nginx

...and error should be gone.
source: https://stackoverflow.com/questions/420 ... d-argument

Start and check PHP:

Code: Select all

root@b3:~# systemctl start php7.0-fpm.service
root@b3:~# systemctl status php7.0-fpm.service

Enable php7.0-fpm after reboot:

Code: Select all

root@b3:~# systemctl enable php7.0-fpm

Add required php modules. I had to add:

Code: Select all

root@b3:~# apt-get install php-dom php-gd php-mbstring php-zip php-curl php-bz2 php-intl php-smbclient php-imap php-apcu php-imagick

But it depends on what you had previously, crosscheck here:
https://docs.nextcloud.com/server/13/ad ... ation.html

Cleanup:

Code: Select all

root@b3:~# apt-get autoremove

Moving on...

[pompopom]

Now that we have everything running, let's do some configuring:

Configure PHP:
You have been adding modules to php in previous post so let's restart (it probably does that automatically, but I want to make sure)

Code: Select all

root@b3:~# systemctl restart php7.0-fpm

source: https://docs.nextcloud.com/server/12/ad ... ion-wizard

Prepare database.
Enable MariaDB after reboot:

Code: Select all

root@b3:~# systemctl enable mariadb

Edit /etc/mysql/mariadb.conf.d/50-server.cnf
add this:

Code: Select all

[mysqld]
innodb_large_prefix=on
innodb_file_format=barracuda
innodb_file_per_table=true

Restart MariaDB

Code: Select all

root@b3:~# systemctl restart mariadb

source: https://docs.nextcloud.com/server/12/ad ... ation.html

Secure MariaDB

Code: Select all

root@b3:~#  mysql_secure_installation

Login to MariaDB:

Code: Select all

root@b3:~# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Create a user for nextcloud:

Code: Select all

MariaDB [(none)]> create user nextcloud@localhost identified by '1234';
Query OK, 0 rows affected (0.01 sec)

Create the database:

Code: Select all

MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
Query OK, 1 row affected (0.01 sec)

You will probably find also find another smaller query than this one on the internet, but this one activates support for emoji's in your database.

Grant privileges:

Code: Select all

MariaDB [(none)]> GRANT ALL PRIVILEGES ON nextcloud.* TO nextcloud@localhost IDENTIFIED BY '1234';
Query OK, 0 rows affected (0.00 sec)

And we're set:

Code: Select all

MariaDB [(none)]> quit
Bye

Test connection:

Code: Select all

root@b3:~# mysql -unextcloud -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like "version";
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| version       | 10.1.26-MariaDB-0+deb9u1 |
+---------------+--------------------------+
1 row in set (0.04 sec)

MariaDB [(none)]> quit
Bye

next chapter here we come!

[pompopom]

Prepare nginx for NextCloud. This was the most difficult part for me, as it was a new frontier.
source: https://docs.nextcloud.com/server/13/ad ... nginx.html
Create your website config:

Code: Select all

root@b3:~#  cd /etc/nginx/sites-available
root@b@:~#  nano cloud.example.com

Off course you can rename cloud.example.com

Paste the below virtualhost config into the file and save + exit:

Code: Select all

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.example.com;

    include snippets/cloud.example.com.conf;
    include snippets/ssl-params.conf;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
		# Added this for countering B3 resource limitations
		fastcgi_read_timeout 600;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Create sym link of this config:

Code: Select all

root@b3:~#  cd /etc/nginx/sites-enabled
root@b3:~#  ln -s ../sites-available/cloud.example.com ../sites-enabled/cloud.example.com
root@b3:~#  ls -l
lrwxrwxrwx 1 root root 36 mrt 28 17:08 cloud.example.com -> ../sites-available/cloud.example.com

Create the following files:
source: https://www.digitalocean.com/community/ ... untu-16-04
Don't mind the fact the above link talks about selfsigned certs fact if you have 'official certs'
It's just to illustrate the way how to adapt nginx config.

Code: Select all

root@b3:~# nano /etc/nginx/snippets/cloud.example.com.conf;
root@b3:~# cat /etc/nginx/snippets/cloud.example.com.conf;
ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;
root@b3:~# nano /etc/nginx/snippets/ssl-params.conf;
root@b3:~# cat /etc/nginx/snippets/ssl-params.conf;
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
# ends here

Create your certificates (you really need to stop nginx):

Code: Select all

root@b3:~# systemctl stop nginx.service
root@b3:~# certbot certonly --standalone -d cloud.example.com

Create a diffie-hellman key:

Code: Select all

root@b3:~# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Go grab some coffee(s)
You can also initiate:

Code: Select all

root@b3:~# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

But then you can go grab some beers in the local pub

Restart webserver (you did stop it earlier, did you?):

Code: Select all

root@b3:~# systemctl start nginx.service

[pompopom]

Still here?? nice

Configure PHP:
Edit /etc/php/7.0/fpm/php.ini

Code: Select all

root@b3:~# nano /etc/php/7.0/fpm/php.ini
replace:
;cgi.fix_pathinfo=1 		with 	cgi.fix_pathinfo=0
max_execution_time = 30 	with	max_execution_time = 300
post_max_size = 8M		with	post_max_size = 128M 		(or more or less, depends on what you need to upload)
upload_max_filesize = 2M	with	upload_max_filesize = 64M 	(or more or less, depends on what you need to upload, but at least less then post_max_size)

add the following lines, at the bottom of the file, right before "; Local Variables:"

Code: Select all

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1 

Edit /etc/php/7.0/fpm/pool.d/www.conf

Code: Select all

root@b3:~# nano /etc/php/7.0/fpm/pool.d/www.conf

uncomment these lines:

Code: Select all

;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

Restart PHP + Nginx

Code: Select all

root@b3:~# systemctl stop nginx.service
root@b3:~# systemctl restart php7.0-fpm.service
root@b3:~# systemctl start nginx.service

Check if you have any errors:

Code: Select all

root@b3:~# systemctl status nginx.service
root@b3:~# systemctl status php7.0-fpm.service
root@b3:~# tail -n 20 /var/log/nginx/error.log
root@b3:~# tail -n 20 /var/log/php7.0-fpm.log

Solve the errors, if any, before continuing!!

[pompopom]

Download NextCloud (check the site for most recent version)
At the writing of this step-by-step it was 13.0.1

Code: Select all

root@b3:~# wget https://download.nextcloud.com/server/releases/nextcloud-13.0.1.tar.bz2

Untar:

Code: Select all

root@b3:~# tar -xf nextcloud-13.0.1.tar.bz2

Following link is for Apache, but it has off course thngs in common with Nginx
source: https://help.nextcloud.com/t/complete-n ... date/21881

Copy the extracted folder to /var/www and change ownership:

Code: Select all

root@b3:~# mv nextcloud /var/www
root@b3:~# chown -R www-data:www-data /var/www/nextcloud/

Install NextCloud via occ
(must be done with sudo -u www-data from within the nextcloud folder)
admin user + password is the user you like to be created as a default administrator within NextCloud
Although we use MariaDB you put "mysql" as database type (they are the same in th end)

Code: Select all

root@b3:~# cd /var/www/nextcloud/
root@b3:~# sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloud"  --database-user "nextcloud" --database-pass "1234" --admin-user "nc_admin" --admin-pass "nc_admin_pass"
Nextcloud is not installed - only a limited number of commands are available
Nextcloud was successfully installed

Move contents of NextCloud data folder to the data folder you prepared in the beginning.
I made a subdir first in /data to keep things separated if I needed to add something else.
It is by the way recommended that you never edit the data folder contents manually.
NextCloud needs to be the ONLY one writing into that folder.
So:

Code: Select all

root@b3:~# mkdir /data/nextcloud/data
root@b3:~# mv /var/www/nextcloud/data /data/nextcloud/data

Configure NextCloud:

Code: Select all

root@b3:~# nano /var/www/nextcloud/config/config.php

Add 'trusted domains'

Code: Select all

array (
0 => 'localhost',
1 => 'cloud.example.com',
)

Change 'datadirectory' to wherever you're going to write your data (/data/nextcloud/data)

Code: Select all

'datadirectory' => '/data/nextcloud/data',

Create the following script, set permissions and execute. It will set permissions left and right,
don't forget to edit the first lines according to your setup.

Code: Select all

root@b3:~# nano setperms.sh
root@b3:~# chmod 750 setperms.sh
root@b3:~# ./setperms.sh

Script:

Code: Select all

#!/bin/bash
ncpath='/var/www/nextcloud'
ncdata='/data/nextcloud/data'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ncpath/data
mkdir -p $ncpath/updater

printf "chmod Files and Directories\n"
find ${ncpath} -type f -print0 | xargs -0 chmod 0640
find ${ncpath} -type d -print0 | xargs -0 chmod 0750
find ${ncdata} -type f -print0 | xargs -0 chmod 0640
find ${ncdata} -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ncpath}
chown -R ${htuser}:${htgroup} ${ncpath}/apps/
chown -R ${htuser}:${htgroup} ${ncpath}/config/
chown -R ${htuser}:${htgroup} ${ncdata}/
chown -R ${htuser}:${htgroup} ${ncpath}/themes/
chown -R ${htuser}:${htgroup} ${ncpath}/updater/

chmod +x ${ncpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ncpath}/.htaccess ]
then
        chmod 0644 ${ncpath}/.htaccess
        chown ${rootuser}:${htgroup} ${ncpath}/.htaccess
fi
if [ -f ${ncdata}/.htaccess ]
then
        chmod 0644 ${ncdata}/.htaccess
        chown ${rootuser}:${htgroup} ${ncdata}/.htaccess
fi
## END SCRIPT

When all is done:

Code: Select all

root@b3:~# systemctl stop nginx.service
root@b3:~# systemctl restart php7.0-fpm.service
root@b3:~# systemctl start nginx.service

[pompopom]

Connect to cloud.example.com and login with the admin account and password.
Setup regular users
Install the desktop/mobile clients
Sync away!

Useful logs:

Code: Select all

/data/nextcloud/data/nextcloud.log
/var/log/ngnix/error.log
/var/log/php7.0-fpm.log

Remark:
- The "fastcgi_read_timeout 600" in your webhost config, can be reduced to 300 (php.ini max_execution_time)
I have put it somewhat higher for initial syncing => 50GB data (higher load). Once the initial is finished,
I'm going to put it back to a lower value also. You'll notice (a lot) fast_cgi timeouts in the logging
otherwise, which makes the sync last 'forever'.
- I do not recommend to use the webinterface on a daily basis. It is sloooow. Remember that after all you are
running this quite resource intensive tool on a small box. Install the sync clients and let it run on it's own
pace in the background. I have used OwnCloud on my B3 previously with 7 desktopclients (win/linux mix) and never had
an issue performance wise. It's the initial sync that matters.
- That said: try not to rename/move/... large folders every 5 minutes
- If you're connecting your box to the internet so you can sync your files from anywhere, I would recommend installing some firewalling, like ufw. As we have 2 interfaces on our B3, I would lock down everything (besides 80 and 443) on the port connected to the
internet, and have ssh opened only on the port connected to the internal network.
https://wiki.debian.org/Uncomplicated%2 ... 0%28ufw%29
and
https://serverfault.com/questions/27071 ... face-basis
- Do a test for security when finished: https://www.ssllabs.com/ssltest/

[pompopom]

That was it.

Hope it can help someone!

Fire away.

[ahoff]

Great How-To. Works perfect for me. Tank you!

The next lab challenge is to integrate a mail server with nextcloud, like this one. But it may be on another B3. I have a few lying around.

[stasheck]

It's been a while since you wrote this guide, huh?

Fortunately, this still works. I used PHP 7.4 (it's the latest currently available for our little ARM), which forced me to use NextCloud 25.0.5, as the latest only works with PHP 8.0. Perhaps I'll set up cross compilation toolchain to build PHP 8.0 from scratch, but it's not my priority ATM.

I also used tips from here: https://che-adrian.medium.com/optimize- ... c0dd2ea67f to improve performance a bit. I think Redis sped things up quite a bit.

Kudos, mate!