====== NextCloud 14 Install on Ubuntu 16.04.5 with NGINX ======
Prerequisite packages for NextCloud
$ sudo apt install nginx mariadb-server
$ sudo apt install php7.0-gd php7.0-json php7.0-mysql php7.0-curl php7.0-mbstring php7.0-fpm
$ sudo apt install php7.0-intl php7.0-mcrypt php-imagick php7.0-xml php7.0-zip
$ sudo apt install php7.0-gmp ffmpeg libreoffice ufw
$ sudo apt install php-apcu php-redis redis-server
Download the Nextcloud server tarball and the matching sha256 file from the official website.
$ wget https://download.nextcloud.com/server/releases/latest-14.tar.bz2
$ wget https://download.nextcloud.com/server/releases/latest-14.tar.bz2.sha256
Verify the sha256
$ sha256sum -c latest-14.tar.bz2.sha256
Extract the tarball after verifying the file is valid
$ tar -xjf latest-14.tar.bz2
Copy the nextcloud folder to the webroot, in this case /var/www.
$ sudo cp -r nextcloud /var/www
===== Create the Database =====
To start the MySQL command line mode use:
$ sudo mysql -uroot -p
Then a mysql> or MariaDB [root]> prompt will appear. Now enter the following lines and confirm each with the enter key. **''username'' can be whatever you like, but be sure to replace ''password'' with a good password.** These will be used later when initially configuring NextCloud from the browser.
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'username'@'localhost' IDENTIFIED BY 'password';
===== Let's Encrypt =====
For SSL use the EFF's PPA for the Let's Encrypt certbot.
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update; sudo apt upgrade
$ sudo apt install python-certbot-nginx
$ sudo certbot --nginx certonly
Cert and Key locations:
''/etc/letsencrypt/live/sub.domain.tld/fullchain.pem''
''/etc/letsencrypt/live/sub.domain.tld/privkey.pem''
By default, a generic set of DH parameters is used, which weakens the key exchange. Generate your own Diffie-Hellman parameters with OpenSSL; the ''ssl_dhparam'' line that points at them has already been added in the Nginx config below.
$ sudo openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096
===== NGINX =====
Create the nginx config, and fill with a base config.
$ sudo nano /etc/nginx/sites-available/nextcloud.conf
upstream php-handler {
    # Ubuntu's php7.0-fpm listens on the unix socket by default
    # (listen = /run/php/php7.0-fpm.sock in pool.d/www.conf). Only enable
    # the TCP line if you change that; with both active nginx logs a refused
    # connection on every request before falling back to the socket.
    #server 127.0.0.1:9000;
    server unix:/var/run/php/php7.0-fpm.sock;
}
server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.tld;
    # enforce https
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domain.tld;
    ssl_certificate /etc/letsencrypt/live/sub.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.tld/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ecdh_curve prime256v1;
    ssl_session_tickets off;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!aNULL';
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/ssl/dhparam.pem;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    # Path to the root of your installation
    root /var/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment them if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location / {
        rewrite ^ /index.php$request_uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above: add_header inside a
        # location replaces, not extends, the headers set in the server block)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
Remove the default nginx config.
$ sudo rm /etc/nginx/sites-enabled/default
Allow access to web root for nginx.
$ sudo chown -R www-data:www-data /var/www/nextcloud
Enable the configuration.
$ sudo ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/nextcloud.conf
===== UFW =====
You will need to reboot to start ufw and enable the rules.
$ sudo ufw allow "Nginx Full"
$ sudo ufw allow OpenSSH
$ sudo ufw enable
===== php-fpm configuration =====
When you are using php-fpm, system environment variables like PATH, TMP or others are not automatically populated in the same way as when using php-cli. A PHP call like getenv('PATH'); can therefore return an empty result. So you may need to manually configure environment variables in the appropriate php-fpm ini/config file. I found this necessary to make NextCloud stop complaining, although I did not see any bugs or issues as a result of not having changed anything here.
In the file ''/etc/php/7.0/fpm/pool.d/www.conf'' uncomment the line
'';env[PATH] = /usr/local/bin:/usr/bin:/bin'' by removing the semicolon.
===== PHP OPcache =====
PHP has a built-in opcode cache called OPcache. The php.ini file is massively verbose, so just skip to the ''[opcache]'' section and copy in this config from the official documentation.
[''/etc/php/7.0/fpm/php.ini'']
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
===== Startup =====
To start NextCloud, start nginx and php-fpm.
$ sudo systemctl start nginx php7.0-fpm
$ sudo systemctl enable php7.0-fpm
Navigate to the FQDN (sub.domain.tld) in a browser and enter the necessary details. Afterwards, we can set up the caching server.
===== MemCache: APCu and Redis =====
Using a memory cache should improve the performance of the server. Following the [[https://docs.nextcloud.com/server/13/admin_manual/configuration_server/caching_configuration.html|official documentation]] as a guide: for a single, small organization server it recommends APCu for the local cache and Redis for file locking.
All we need to do to get everything working is add a few lines inside the ''$CONFIG'' array in Nextcloud's config.php.
[''/var/www/nextcloud/config/config.php'']
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),
===== Email Server =====
Install the mailutils package by typing:
$ sudo apt install mailutils
Near the end of the installation process, you will be presented with a dialog window with options on how to configure Postfix. Select the default option which is **Internet Site**.
After that, you'll get another dialog window requesting to enter the **System mail name** enter the same domain name as the server.
Now you will edit the main Postfix configuration file:
$ sudo nano /etc/postfix/main.cf
With the file open, scroll down until you see the entries shown in this code block.
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
Change the line that reads ''inet_interfaces = all'' to ''inet_interfaces = localhost''. When you're done, that same section of the file should now read:
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = localhost
After that, restart Postfix by typing:
$ sudo service postfix restart
To send a test email, type the following (''mail'' needs a recipient, so replace user@example.com with an address you can read):
$ echo "This is the body of the email" | mail -s "This is the subject line" user@example.com
If everything is working correctly you should receive an email from the server.
Source [[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-14-04|How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 14.04]]
====== Collabora ======
Install Docker, then pull and run the Collabora image (bound to localhost only, so nginx is the only way in):
$ sudo apt install docker.io
$ sudo systemctl enable docker
$ sudo docker pull collabora/code
$ sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=sub\\.domain\\.tld' --restart always --cap-add MKNOD collabora/code
Add this to the bottom of the main nextcloud server block ''/etc/nginx/sites-available/nextcloud.conf''
    # Collabora Config
    # static files
    location ^~ /loleaflet {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }
    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }
    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }
    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
In the Nextcloud web interface, logged in as the admin account, go to Settings > Collabora Online and enter the domain name of the server, e.g. **https://sub.domain.tld**. Wait a bit for Nextcloud to sort itself out and you should be able to edit documents in Nextcloud from the web browser.
====== Talk ======
To allow Talk sessions across firewalls, a TURN server needs to be installed on a separate server. It serves as a mid point for connecting two WebRTC sessions in NextCloud Talk when the P2P and STUN connections have failed beforehand (that is what the documentation says?).
Install coturn, an open source TURN server.
$ sudo apt install coturn
A firewall rule needs to be added to allow coturn to function.
$ sudo ufw allow Turnserver
Edit **''/etc/default/coturn''** so that coturn starts at boot as system daemon.
#
# Uncomment it if you want to have the turnserver running as
# an automatic system service daemon
#
TURNSERVER_ENABLED=1
Now we are going to write the turnserver config in **''/etc/turnserver.conf''**. There is a lot of commenting in the default file; you can ignore that and just paste the following lines, then edit them to your needs. Filled out correctly, these will result in a working TURN server.
listening-ip=
relay-ip=
listening-port=3478
tls-listening-port=5349
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=
realm=sub.domain.tld
total-quota=100
bps-capacity=0
stale-nonce
cert=/etc/letsencrypt/live/sub.domain.tld/fullchain.pem
pkey=/etc/letsencrypt/live/sub.domain.tld/privkey.pem
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
no-stun
no-loopback-peers
no-multicast-peers
Restart coturn
$ sudo systemctl restart coturn
Once you are done, install the Talk app in the web client, then in the admin settings, add the **server URL** and the **secret** that you generated earlier.
Source: [[https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794|HowTo: Setup Nextcloud Talk with TURN server]]
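The ''use-auth-secret'' / ''static-auth-secret'' lines switch coturn to the TURN REST API credential scheme: the secret itself never reaches a browser; Talk derives short-lived credentials from it, and anyone holding the secret can mint relay credentials for your server (which is why ''total-quota'' and ''bps-capacity'' are worth setting). The following is an added example, not code from this page, coturn or Nextcloud, that computes those credentials the way the Nextcloud side does and checks them the way coturn does; the secret value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: use the value you put in static-auth-secret
# (and in the Talk admin settings) instead.
EXAMPLE_SECRET = "replace-with-your-static-auth-secret"
DEFAULT_TTL = 86400  # credentials are handed out with a 24 hour lifetime


def turn_password(secret, username):
    """TURN REST API password: base64(HMAC-SHA1(secret, username)).

    This is what coturn recomputes when use-auth-secret is set."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def turn_credentials(secret, user, ttl=DEFAULT_TTL, now=None):
    """Client side: a username carrying its expiry plus the matching password."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user}"
    return username, turn_password(secret, username)


def verify_turn_credentials(secret, username, password, now=None):
    """Server side: reject expired or malformed usernames, then compare the
    HMAC in constant time. Mirrors coturn's check; not its code."""
    now = int(time.time()) if now is None else int(now)
    expiry, sep, _user = username.partition(":")
    if not sep or not expiry.isdigit() or int(expiry) < now:
        return False
    return hmac.compare_digest(turn_password(secret, username), password)


if __name__ == "__main__":
    user, pw = turn_credentials(EXAMPLE_SECRET, "alice")
    print(user, pw, verify_turn_credentials(EXAMPLE_SECRET, user, pw))
```

Because the password is a pure function of secret and username, rotating ''static-auth-secret'' invalidates every credential issued so far, so change it in coturn and in the Talk settings at the same time.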
===== Linux Desktop Sharing =====
You can share the desktop right away on any OS with the tool built into the browser, but in order to share the desktop at greater than 2fps, you need to implement a hack.
On Arch:
$ yaourt -S v4l2loopback-dkms-git
I think that the AUR package enables the kernel module automatically, so...
# rmmod v4l2loopback
Then reload it with the ''exclusive_caps=1'' option, which makes it work better in Chromium:
# modprobe v4l2loopback exclusive_caps=1
Now stream the desktop or a video to /dev/video0, where ''-r 24'' is the frame rate in frames per second and ''-s 1920x1080'' is the size to capture.
$ ffmpeg -f x11grab -r 24 -s 1920x1080 -i :0.0+0,0 -vcodec rawvideo -pix_fmt yuv420p -threads 0 -f v4l2 /dev/video0
====== Keeweb ======
Keeweb is a webapp that allows you to use KeePass databases from the browser. It is no longer being developed, so it does not work out of the box with the latest version of Nextcloud.
Download and extract the last release of keeweb.
$ wget https://github.com/jhass/nextcloud-keeweb/releases/download/v0.4.0/keeweb-0.4.0.tar.gz
$ tar xvf keeweb-0.4.0.tar.gz
Before you add this to Nextcloud some modifications need to be done. The ''**info.xml**'' needs a minor tweak to allow keeweb to run on the newer versions of Nextcloud, just changing 12 to 14.
**''[keeweb/appinfo/info.xml]''**
In ''**styles.css**'' another small change makes the app use the full screen width; just replace the entire contents of the file with:
#app {
    overflow-y: hidden;
    width: 100%;
}
#app > iframe {
    width: 100%;
    height: 100%;
}
Copy the inner folder named keeweb to Nextcloud's app directory, then change ownership to the www-data user.
$ sudo cp -R nextcloud-keeweb/keeweb /var/www/nextcloud/apps
$ sudo chown www-data:www-data -R /var/www/nextcloud/apps/keeweb
FIXME
Mimetype detection
Unfortunately, apps can't declare new mimetypes on the fly. To make Keeweb work properly, you need to add a new mimetype in the **''mimetypemapping.json''** file (at Nextcloud level).
To proceed, just copy **''/resources/config/mimetypemapping.dist.json''** to ''/config/mimetypemapping.json'':
$ sudo cp /var/www/nextcloud/resources/config/mimetypemapping.dist.json /var/www/nextcloud/config/mimetypemapping.json
Afterwards add the following line to **''/var/www/nextcloud/config/mimetypemapping.json''**. You should see a large list of other mime definitions in this file, if you do not, you did something wrong.
"kdbx": ["x-application/kdbx"],
After that, run the following command:
$ sudo -u www-data php occ files:scan --all
Source: [[https://github.com/jhass/nextcloud-keeweb/pull/81/files|Compatibility with NC13 and documentation about mimetype mapping for Keeweb]]
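Hand-editing a JSON file that Nextcloud parses on every request is an easy place to break the install with a stray comma. The following is an added example, not from this page or the Keeweb project, that does the copy and the insert programmatically, checks that the file really is the large extension-to-mimetype mapping described above, and refuses to overwrite a conflicting ''kdbx'' entry; the paths are the ones used on this page.

```python
import json
from pathlib import Path

# Paths from this page; the functions take them as parameters so the
# logic can be exercised on other files or plain dicts.
DIST_MAPPING = Path("/var/www/nextcloud/resources/config/mimetypemapping.dist.json")
LOCAL_MAPPING = Path("/var/www/nextcloud/config/mimetypemapping.json")
# The single entry Keeweb needs, as given on this page.
KEEWEB_MAPPING = {"kdbx": ["x-application/kdbx"]}


def check_mapping(mapping):
    """Sanity-check that a loaded file is Nextcloud's extension -> [mimetypes] map."""
    if not isinstance(mapping, dict) or len(mapping) < 50:
        # The dist file carries hundreds of entries; a tiny or non-dict result
        # means the wrong file was copied (the page's "you did something wrong").
        raise ValueError("not a Nextcloud mimetype mapping (too few entries)")
    for ext, types in mapping.items():
        if not isinstance(types, list) or not all("/" in t for t in types):
            raise ValueError(f"bad entry for {ext!r}: {types!r}")
    return mapping


def merge_mimetypes(mapping, extra=KEEWEB_MAPPING):
    """Return a new mapping with `extra` added; never silently change an
    extension that is already mapped to something else."""
    merged = dict(check_mapping(mapping))
    for ext, types in extra.items():
        if ext in merged and merged[ext] != list(types):
            raise ValueError(f"{ext!r} already maps to {merged[ext]}; not overwriting")
        merged[ext] = list(types)
    return merged


def install_mapping(dist=DIST_MAPPING, local=LOCAL_MAPPING, extra=KEEWEB_MAPPING):
    """Start from an existing local mapping if there is one (so earlier
    customisations survive), otherwise from the dist file, then add `extra`."""
    source = local if local.exists() else dist
    with open(source) as f:
        merged = merge_mimetypes(json.load(f), extra)
    local.write_text(json.dumps(merged, indent=4, sort_keys=True) + "\n")
    return merged


if __name__ == "__main__":
    install_mapping()  # then run: sudo -u www-data php occ files:scan --all
```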