Configuring Nextcloud (revision 2.3) – www.pasta.freemyip.com

Introduction

This page describes how Alexis Huxley installed the Nextcloud (a fork of ownCloud) server software on his own systems.

The basic procedure is:

install Apache as a dumb back-end webserver
configure Apache on the front-end webserver as a proxy
install Nextcloud on the back-end webserver
install Nextcloud plugins
review security

Apache installation on the back-end

Run:
```
apt -y install apache2
```

Disable default sites and ports by running:

rm /etc/apache2/sites-available/*
sed -r -i 's/^(Listen 80)/#\1/' /etc/apache2/ports.conf

Set some environment varialbes needed in the rest of the procedure:
```
FQHN=$(hostname -f)
```

Create /etc/apache2/sites-available/$FQHN-ssl.conf, containing:

<VirtualHost *:443>
    ServerName FQHN
    CustomLog ${APACHE_LOG_DIR}/FQHN-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/FQHN-error.log
    LogLevel warn
    ServerSignature Off  

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    DocumentRoot /var/www/html
</VirtualHost>

and substitute the markers by running:

sed -i "s/FQHN/$FQHN/g" /etc/apache2/sites-available/$FQHN-ssl.conf

Run:

a2enmod ssl
a2ensite $FQHN-ssl
systemctl restart apache2

Test by running:

date > /var/www/html/index.html
w3m -dump https://$FQHN/
rm /var/www/html/index.html

Configuring Apache on the front-end as a proxy

See the section ‘Heavyweight web services: proxying to a backend webserver’ of Configuring web services (revision 2).

Nextcloud installation

On the backend webserver run:

PHP_VER=8.2
PKGS=(
    php$PHP_VER
    php$PHP_VER-common # provides php-ctype
    php$PHP_VER-curl
    php$PHP_VER-xml  #   provides php-dom
    php$PHP_VER-gd
    php$PHP_VER-common  # provides php-iconf
    php-json
    php$PHP_VER-xml
    php$PHP_VER-mbstring
    #  php/openssl not identified
    #  php/posix not identified
    #  php/session not identified
    php$PHP_VER-xml # contains SimpleXML
    # php/xmlreader not identified
    # php/xmlwriter not identified
    php$PHP_VER-zip
    php-db php$PHP_VER-mysql
    # php/fileinfo not identified
    php$PHP_VER-bz2
    php$PHP_VER-intl
    php$PHP_VER-ldap
    php-redis
    php-imagick
    ffmpeg
    php$PHP_VER-cli   # provides pcntl
    php-bcmath
    php-gmp
)
apt -y install "${PKGS[@]}"

A few notes regarding that list:

It’s taken from the official documentation.
Don’t be tempted to use APCu instead of Redis; APCu has a bug.

A good command for working out what provides various virtual pages is:

apt-cache showpkg <virt-pkg>    #  e.g. apt-cache showpkg php-ctype

(Still on the back-end webserver) edit /etc/apache2/sites-available/$FQHN-ssl.conf and add:

<VirtualHost *:443>
    ...
    <Directory /var/www/html/>
      Require all granted
      AllowOverride All
      Options FollowSymLinks MultiViews
      <IfModule mod_dav.c>
        Dav off
      </IfModule>
    </Directory>
    ...
</VirtualHost>

Run:

a2enmod rewrite
a2enmod env
a2enmod dir
a2enmod mime
systemctl reload apache2

Go here, open the ‘Community Projects’ area, scroll down to the ‘tar.bz2’ link, copy that link.

On the backend webserver run:

wget <link>
tar xjf ~/*.tar.bz2 --strip-components=1 --directory=/var/www/html

Create /var/www/html/config/config.php containing only:
```
<?php
$CONFIG = array(
);
```

Run:

chown -R www-data:www-data /var/www/html/

Configure pretty URLs within Nextcloud by adding to /var/www/html/config/config.php between the round brackets:
```
'overwrite.cli.url' => 'https://nextcloud.pasta.freemyip.com',
'htaccess.RewriteBase' => '/',
```

Add both the back-end and front-end webserver names to /var/www/html/config/config.php between the round brackets:

'trusted_domains' => array (
    0 => 'nuvole.pasta.net',
    1 => 'nextcloud.pasta.freemyip.com',
  ),
'overwritehost' => 'nextcloud.pasta.freemyip.com',

Also add:

'trusted_proxies' => array (
    0 => '<front-end-web-server-ip-addr>'
 ),

Visit https://$FQHN/ or preferably the front-end webserver, which should prompt for admin account details and database details. Don’t fill anything in yet; we’ll do that in a moment.

Create a database as follows:

apt -y install mariadb-server
mariadb
create database nextcloud;
create user 'nextcloud'@localhost identified by '<set-a-password>';
grant all on nextcloud.* to 'nextcloud'@localhost;
\q

Go to https://<nextcloud-server>/.
Set the admin’s login to admin.
Set the admin’s password.
Expand the ‘Storage & database’ section.
Leave the default data folder.
There is probably no option except to use MariaDB/Mysql, but if there is then set the database type to MySQL/MariaDB.
Set the database user to ‘nextcloud’.
Set the database user’s password as set above.
Set the database name to ‘nextcloud’.
Click ‘Install’ and wait.
At the ‘Recommended apps’, click ‘Skip’.
At the introduction pages, click the X to close.
If you have a dedicated filesystem for Nextcloud data then:
1. Edit config.php and set:
```
'datadirectory' => '<path-to-that-location>',
```
  (Do not be tempted to just replace /var/www/html/data with a symlink as that will trigger a security warning ‘Your data directory and files are probably accessible from the internet.’)
2. Run:
```
chown -R www-data:www-data <path-to-that-location>
chown root:root <path-to-that-location>/lost+found/
```
If you have data to migrate then DO NOT DO IT YET! (the procedure is not straightforward).
Login as admin and delete all of admin’s (example) files.
Configure mail as follows:
1. On the mail server, edit /etc/aliases and add an entry like:
```
nextcloud: root
```
  and then run:
```
newaliases
```
2. Navigate to Menu–>Personal settings.
3. Set the admin’s email address to a real human’s email address (e.g. alexis@pasta.net); a test mail will be sent to this address in a moment.
4. Navigate to Administration Settings–>Basic Settings.
5. In the Email Server section set:
  - Send mode: sendmail
  - Sendmail mode: smtp (-bs)
  - From address: nextcloud@pasta.net
  and then send a test mail.
Configure cron as follows:
1. Navigate to Menu–>Administration Settings–>Basic Settings.
2. In Background Jobs section, select ‘Cron’.
3. Run:
```
apt -y install cron
```
4. Run the following command but don’t panic if it fails:
```
su - www-data -s /bin/bash -c "echo '*/5 * * * * /usr/bin/php -f /var/www/html/cron.php' | crontab -"
```
  (The environment under which www-data’s cron jobs run is very restricted; hence the full path to the php command.)
5. If it failed with:
```
/var/spool/cron/: mkstemp: Permission denied
```
  then run:
```
apt-get install --reinstall cron
```
  and then retry.
6. I had some problems with the cronjob consuming 100% CPU and never exiting, so that several were running in parallel. I googled but found no recent reports of the same issue. I disabled the cronjob, left it overnight, then ran php -f /var/www/html/cron.php manually, which was quick and then re-enabled cron.

Disable Flows (I don’t need them) as follows:

Run:

su - www-data -s /bin/bash
cd html
php occ config:app:set workflowengine user_scope_disabled --value yes

(See here for more details.)

Install plugins

Navigate to Menu–>Apps –> Active apps.
Disable the following apps:
1. Activity (pointless)
2. Collaborative tags (just not useful for me)
3. Comments (just not useful for me)
4. Dashboard (just not useful for me)
5. Federation
6. File reminders
7. File download limit
8. Monitoring
9. Recommendations
10. Related resources
11. Teams
12. Usage survey
13. Weather status
Install the following apps:
1. Customization->App Order
2. Customization->Custom Menu
3. Office & Text ->Calendar
4. Office & Text–>Carnet
5. Office & Text–>Deck
6. Multimedia–>News
7. Organization–>Cookbook
8. Tools–>User Migration

Dealing with installation warnings and errors

Navigate to Menu–>Administration Settings; several alerts will be displayed.
“Your data directory and files are probably accessible from the internet”:
1. Ignore this message, which is caused by a bug.
“Your webserver does not serve `.mjs` files”:
1. From another machine run:
```
curl -s -I https://nextcloud.pasta.freemyip.com/apps/settings/js/esm-test.mjs | grep Content-Type
```
2. If that returned text/javascript then ignore the error, which is probably due to the same bug mentioned above.
“The PHP memory limit is below the recommended value …”:
1. Edit /etc/php/8.2/apache2/php.ini and set:
```
memory_limit = 512M
```
  (Without this the download of the beta version will fail integrity checks.)
2. Run:
```
systemctl restart apache2
```
“Server has no maintenance window start time configured”:
1. Edit /var/www/html/config/config.php and add:
```
'maintenance_window_start' => 1,
```
“The database is used for transactional file locking. To enhance performance, please configure memcache, if available”:
1. Install redis-server.
2. Edit /etc/redis/redis.conf and change:
```
port 0
unixsocket /run/redis/redis-server.sock
unixsocketperm 770
```
  (port 0 disables redis listening on TCP; unixsocketperm 770 allows those users in group redis to communicate with the redis server over the Unix socket.)
3. Edit /var/www/html/config/config.php and add:
```
'memcache.local' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'filelocking.enabled' => 'true',
'redis' => array (
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
),
```
4. Edit /etc/group and modify:
```
redis:...:www-data
```
5. Reboot.
“No memory cache has been configured. To enhance performance, please configure a memcache, if available”:
1. This should have been fixed by the previous step.
“Your installation has no default phone region set”:
1. Edit/var/www/html/config/config.php and add:
```
'default_phone_region' => '49'
```

“Some headers … Strict-Transport-Security … 15552000 …”:

Edit /etc/apache2/sites-available/$FQHN-ssl.conf and add:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

Run:

a2enmod headers
systemctl restart apache2

“The database is missing some indexes” or “Detected some missing optional indices.”
1. Run:
```
su - www-data -s /bin/bash
cd html
php occ db:add-missing-indices
```
“… errors in the logs since …”:
1. Navigate to Menu–>Administration Settings–>Administration–>Logging
2. Review the logs.
3. Unfortunately, they cannot be cleared (more details here) and, given the nature of some of them (e.g. use of deprecated APIs) are likely to continue.
“The PHP OPcache module is not properly configured. The OPcache interned strings buffer is nearly full.”:
1. Edit /etc/php/8.2/apache2/php.ini and apply the following setting:
```
opcache.interned_strings_buffer=32
```
“One or more mimetype migrations are available …”:
1. Run:
```
su - www-data -s /bin/bash
cd html
php occ maintenance:repair --include-expensive
```
2. If that fails to fix it then this may be due to bug 47359, which was submitted in August 2024; the bug has been fixed but has not been included in a release yet.

Migrating users

There is a user migration app but it seems to have some bugs. This is the approach I used.

Connect to the old Nextcloud web interface, log in as admin, ensure that the User Migration app (see above) is installed.
For each user to be migrated, do the following:
1. Log in to the old Nextcloud web interface as the user and:
  1. export the news feeds to an .opml file
  2. note what calendars you have
  3. note the calendar colours
2. Log in to the new Nextcloud web interface as admin, ensure that the to-be-migrated user does not exist.
3. Log in to the old Nextcloud host as root and run:
```
su - www-data -s /bin/bash
LOGIN=<account-name>
cd html
php occ user:export --types=account,calendar $LOGIN /tmp/
```
4. Copy the resulting zip file from the old Nextcloud server to the new Nextcloud server; ensure that the file belongs to www-data:www-data on the new Nextcloud server.
5. Log in to the new Nextcloud host as root and run:
```
su - www-data -s /bin/bash
LOGIN=<account-name>
cd html
php occ user:import /tmp/$LOGIN*.zip
```
6. Log in to the new Nextcloud web interface and reset the user’s password.
7. Copy the contents of user’s subdirectory in the data directory (e.g. /var/www/html/data/alexis, /srv/nextcloud/alexis) from the old Nextcloud server to the new Nextcloud server; ensure that the files belongs to www-data:www-data on the new Nextcloud server.
8. On the new Nextcloud host, still under the su - www-data shell, run:
```
php occ files:scan $LOGIN
```
9. If it complains about mkdir failing then just rerun it.
10. Log in to the new Nextcloud web interface as the user and:
  1. import the news feeds from the .opml file
  2. fix missing calendars, e.g.:
    - https://onlinekalender.info/feiertage/slowakei/ics
    - https://onlinekalender.info/feiertage/deutschland/ics
  3. set the calendar colours
11. Fix recipes – wasn’t needed.
12. Fix photo – wasn’t needed.
13. Special:
  1. Alexis should regenerate share link for Poprad calendar

The particular problems I had the migration app were:

1. when --types=account used then the password on the target system did not match the password on the source system
2. if that option is not given and the account is pre-created then the import tool complains that the user already exists
3. While the calendars stored in nextcloud were present, those that had been imported from other sources were missing.
4. Nextcloud Cookbook recipes were not automatically detected (though the recipes themselves are just files so all is not lost)
5. Nextcloud News RSS feeds were not saved
6. when the export was done via the web interface then a notification appeared say that the export had failed even though it seemed to have worked (not confidence inspiring!)

Epilogue

Configure the logging of client IPs.
Go to https://scan.nextcloud.com/ and enter the server URL.

Notes from installation of earlier versions that I might still need

To Fix the warning ‘The database is missing some indexes’:

Run:

su - www-data -s /bin/bash
cd html
php occ db:add-missing-indices
exit

Although I did not do it, I note it here for next time: The trash expiry needs to be set to something otherwise files hang around forever. See here for instructions on configuring.

Introduction

Apache installation on the back-end

Configuring Apache on the front-end as a proxy

Nextcloud installation

Install plugins

Dealing with installation warnings and errors

Migrating users

Epilogue

Notes from installation of earlier versions that I might still need

See also