61.1 Nextcloud Installation

20221227

We will set up our illustrative Nextcloud server on the imaginary example.com, with a reverse proxy for cloud.example.com. This cloud.example.com domain could alternatively be a dedicated server with an external reference (A record) set up through your DNS provider, using the IP address of the server. If you have only an IP address and no domain name for your server, have a look at Section 60.18 to access your server remotely by the IP address.

Connect to the server and prepare it for running Nextcloud:

ssh kayon@example.com

Install Nextcloud as a snap package:

sudo snap install nextcloud

The Nextcloud configuration is contained in /var/snap/nextcloud/current/nextcloud/config/config.php and we will come back to editing this file shortly, if needed.

Configure a user as the administrator of the Nextcloud server, using the command line. This also avoids a small risk with the web-based setup mechanism, whereby someone could visit the web site before you have set up the user.

sudo nextcloud.manual-install kayon <password>

For a reverse proxy setup using Caddy (see Section 94.3), we’ll set the Nextcloud server to listen on port 81:

sudo snap set nextcloud ports.http=81

The Caddy configuration file /etc/caddy/Caddyfile should then have the following appended to it so that anything sent to cloud.example.com is proxied to the localhost’s port 81. The Strict-Transport-Security setting is suggested by the security & setup warnings message: The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds.

cloud.example.com {
    rewrite /.well-known/carddav /remote.php/dav
    rewrite /.well-known/caldav /remote.php/dav

    reverse_proxy localhost:81

    header {
        Strict-Transport-Security max-age=15552000;
    }
}

After making this update, reload the configuration into the Caddy server:

sudo systemctl reload caddy

Next ensure the subdomain is a trusted domain and ensure Nextcloud can redirect correctly by overriding automatic hostname detection. The trusted_proxies setting is suggested by the security & setup warnings message: “The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.” Use ip a to find the IP address of the server. See the reverse proxy configuration documentation for details. Each trusted_proxies entry is set by its array index and takes a plain address or CIDR range as its value, not a JSON array.

sudo nextcloud.occ config:system:set trusted_domains 0 --value=cloud.example.com
sudo nextcloud.occ config:system:set trusted_proxies 0 --value='172.103.117.71/24'

Also set up the overwrite settings as suggested by the security & setup warnings message: “You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly.” See the reverse proxy configuration documentation for details.

Another symptom of not having the overwriteprotocol setting is the following message on attempting to connect to the server from a desktop or mobile client: “The polling url does not start with https despite the login url started with https. Login will not be possible because this might be a security issue.”

sudo nextcloud.occ config:system:set overwrite.cli.url --value='https://cloud.example.com'
sudo nextcloud.occ config:system:set overwritehost --value='cloud.example.com'
sudo nextcloud.occ config:system:set overwriteprotocol --value='https'

Install the recommended Nextcloud apps and two extra ones that I find useful:

sudo nextcloud.occ app:install calendar
sudo nextcloud.occ app:install richdocumentscode
sudo nextcloud.occ app:install contacts
sudo nextcloud.occ app:install mail
sudo nextcloud.occ app:install richdocuments
sudo nextcloud.occ app:install spreed
sudo nextcloud.occ app:install groupfolders
sudo nextcloud.occ app:install maps

This basic Nextcloud server is now set up and will use the server’s local volume for storage. You can visit https://cloud.example.com, log in as the admin user and visit the Settings Overview for a review of any security and setup warnings. It is also good to visit https://scan.nextcloud.com and enter your server URL to check for any security issues with your server. You should see an A+ rating.
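As an added example, not part of the original guide, the following shell functions check two of the settings made above: that the proxy's Strict-Transport-Security header meets the 15552000-second minimum, and that each trusted_proxies entry is a plain address or CIDR range. The function names are this example's own; the live mode at the end assumes curl is installed and that occ prints one array entry per line.

```shell
#!/bin/sh
# Added example: offline-testable checks for two settings from this section.
MIN_HSTS=15552000   # seconds, the minimum named in the Nextcloud warning

# Read HTTP response headers on stdin; print the HSTS max-age, or nothing.
hsts_max_age() {
    tr -d '\r' | awk -F: 'tolower($1) == "strict-transport-security" {
        n = split(tolower($2), part, ";")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t"]/, "", part[i])
            if (part[i] ~ /^max-age=[0-9]+$/) {
                sub(/^max-age=/, "", part[i]); print part[i]; exit
            }
        }
    }'
}

# Succeed only if the headers on stdin carry max-age >= MIN_HSTS.
hsts_ok() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS" ]
}

# Succeed only for a bare IPv4 address or IPv4 CIDR range (IPv6 not handled).
# A JSON-looking string such as '["a.b.c.d/24"]' is rejected.
valid_proxy_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# Live use: pass the host name as the first argument, e.g. cloud.example.com
if [ -n "${1:-}" ]; then
    if curl -sI "https://$1/" | hsts_ok; then echo "HSTS ok"
    else echo "HSTS missing or below $MIN_HSTS"; fi
    sudo nextcloud.occ config:system:get trusted_proxies |
    while read -r entry; do
        valid_proxy_entry "$entry" || echo "bad trusted_proxies entry: $entry"
    done
fi
```

Run with no argument the script only defines the functions; run with the host name it queries the live server and the snap's configuration.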

Note that the theming app requires the PHP imagick module, which is not shipped with the Nextcloud snap due to security concerns. The theming app cannot be disabled, and so we can only ignore the security and setup warning: The PHP module “imagick” is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.

To migrate to using an object store (cheaper and larger data store) see Section 61.13.



Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0