Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

[RedPull]

here is what my caddyfile looks like.

Code:

{
        # debug
        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        email name@domain.com
        # default_sni cloud.domain.com
}

cloud.domain.com {
        root * /usr/local/www/nextcloud
        file_server
        log {
                output file /var/log/cloud.domain.com.log
        }

        php_fastcgi 127.0.0.1:9000 {
                env front_controller_active true
        }

        tls {
                dns ******my_new_api_token******
        }

        header {
                enable HSTS
                Strict-Transport-Security max-age=31536000;
        }

        # client support (e.g. os x calendar / contacts)
        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
        redir /.well-known/webfinger /index.php/.well-known/webfinger 301
        redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
                path /README
                path /3rdparty/*
                path /lib/*
                path /templates/*
                path /occ
                path /console.php
        }

        respond @forbidden 404
}

Shouldn't Cloudflare be mentioned somewhere?

I changed it back to

Code:

tls {
                dns cloudflare ******my_new_api_token******
        }

and now it works ;-)
(Probably been a bit too enthusiastic with the backspace.)
Yet another reminder for myself to always make a backup of a configuration file before making any changes to it.

 

[danb35]

Shouldn't Cloudflare be mentioned somewhere?

Yes, it should. You should have:

Code:

        tls {
                dns cloudflare (token)
        }

 

[danb35]

The script now installs Nextcloud 28 by default.

 

[ChrisChros]

@danb35 thanks for the script.
I would like to use nextcloud only internally within my network, what are the recommended configurations for the nextcloud-config file?
At the moment I have the following settings:

Code:

JAIL_IP="192.168.1.18"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/VirtualMachine"
TIME_ZONE="Europe/Berlin"
HOST_NAME="192.168.1.18"
SELFSIGNED_CERT=1
COUNTRY_CODE=DE
JAIL_BASEJAIL=true

I would like to use https to access nextcloud to get ride of some error messages, so I decided to use a self signed certificate. Are my choices correct or is something missing?

Got it running with the above presets.
But I run into a small issue, I figured out the following Error-Messages within the Log of nextcloud:

How can I get rid of this?

Thanks for your support.

 

[RedPull]

@danb35 thanks for the script.
I would like to use nextcloud only internally within my network, what are the recommended configurations for the nextcloud-config file?
At the moment I have the following settings:

Code:

JAIL_IP="192.168.1.18"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/VirtualMachine"
TIME_ZONE="Europe/Berlin"
HOST_NAME="192.168.1.18"
SELFSIGNED_CERT=1
COUNTRY_CODE=DE
JAIL_BASEJAIL=true

I would like to use https to access nextcloud to get ride of some error messages, so I decided to use a self signed certificate. Are my choices correct or is something missing?

Got it running with the above presets.
But I run into a small issue, I figured out the following Error-Messages within the Log of nextcloud:
View attachment 73911
How can I get rid of this?

Thanks for your support.

I have a 'Host override' and 'DNS resolver' enabled on my pfSense router to get rid of that problem. I just followed the installation step by step with the DNS_PLUGIN='cloudflare' option, and after a successful install, I disabled the forwarded ports 80 and 443 to the Nextcloud LAN IP, and it works like a charm.

 

[ChrisChros]

I have a 'Host override' and 'DNS resolver' enabled on my pfSense router to get rid of that problem. I just followed the installation step by step with the DNS_PLUGIN='cloudflare' option, and after a successful install, I disabled the forwarded ports 80 and 443 to the Nextcloud LAN IP, and it works like a charm.

I renamed the old nextcloud logfile so it is forced to create a new one. Since then no new entry has been created.

 

[danb35]

DNS_PLUGIN='cloudflare' option, and after a successful install, I disabled the forwarded ports 80 and 443

If you're getting the cert using DNS validation, you shouldn't have needed the forwarded ports. But regardless, good that it's working.

 

[RedPull]

If you're getting the cert using DNS validation, you shouldn't have needed the forwarded ports. But regardless, good that it's working.

True that! But I like having the option if it is needed in the future.

 

[Aephir]

Hi, I have noticed a couple of new things in my "Security and setup warnings":

Code:

5264 errors in the logs since 15. januar 2024
This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them: sodium. For more details see the documentation ↗.

If I go the the logs, I get an "Could not load log entries". I'm not sure the two are connected, but I noticed them at the same time.

I found your old suggestions in this thread about pkg install php73-bcmath (changed to pkg install php81-bcmath to reflect php version). But this didn't change anything.

Any idea what else I could try? And any idea whether the two are in fact related?

 

[victort]

Hi, I have noticed a couple of new things in my "Security and setup warnings":

Code:

5264 errors in the logs since 15. januar 2024
This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them: sodium. For more details see the documentation ↗.

If I go the the logs, I get an "Could not load log entries". I'm not sure the two are connected, but I noticed them at the same time.

I found your old suggestions in this thread about pkg install php73-bcmath (changed to pkg install php81-bcmath to reflect php version). But this didn't change anything.

Any idea what else I could try? And any idea whether the two are in fact related?

Depending on which version of php you installed as, you will have to remove them, and install the up to date versions.

 

[Aephir]

... you will have to remove them

You mean remove all the ones listed here one by one? Or just remove php (v8.1 is installed) and install php?

 

[victort]

Good question. I usually just rename my nextcloud jail to nextcloud1 or something, then I run the script overtop of my existing data. That way I get the updated php versions.

@Patrick M. Hausen What is the recommended way to update php?

 

[NASNEWBY]

Hi everyone,

I'm a bit new to all of this, but I've been slowly hacking away at it.
I do think I've reached the point where I need some help.

Unfortunately, I get to the point below and Caddy fails to install:

2024/01/29 04:48:15 [INFO] Initializing Go module
2024/01/29 04:48:15 [INFO] exec (timeout=0s): /usr/local/bin/go mod init caddy
go: creating new go.mod: module caddy
go: to add module requirements and sums:
go mod tidy
2024/01/29 04:48:15 [INFO] Pinning versions
2024/01/29 04:48:15 [INFO] exec (timeout=0s): /usr/local/bin/go get -d -v github.com/caddyserver/caddy/v2
go: module github.com/caddyserver/caddy/v2: Get "https://proxy.golang.org/github.com/caddyserver/caddy/v2/@v/list": dial tcp [2404:6800:4015:800::2011]:443: connect: no route to host
2024/01/29 04:48:15 [FATAL] exit status 1
Command: xcaddy build --output /usr/local/bin/caddy failed!
+ echo 'Failed to build Caddy without plugin, terminating.'
Failed to build Caddy without plugin, terminating.
+ exit 1

Could anyone point me in the right direction?

Feel free to treat me like an idiot.

Kind Regards,

 

[Mugiwara]

Hey all,

First of all, thanks for the script, it ran super smoothly and I am able to access the service inside of my network. Outside of my network, unfortunately, I am running into some challenges.

I am unable to use port 443 as it is blocked upstream, so I am using port 8443. I have a redirection in my firewall to translate 8443 to 443, and that seems to be working fine. However, once I hit the service externally, I get redirected from https://example.com:443 to https://example.com/login, and since the port has been stripped off, I can no longer get to the server.

Sorry if this has been answered before, but I couldn't seem to find an answer in the thread and have been struggling a bit to understand the caddy configuration options, but if you have any tips for me I would appreciate it! I would prefer to leave caddy listening on 443 and just not strip out the port designator on the redirects.

 

[Gblenn]

Hi all,

I have tried installing, reinstalling and modifying my settings so many times now that I'm about to give up. I just can't seem to get this to work as expected, or at all even.

I already have Nextcloud running since two years back (using the official plugin) and I am using Nginx Proxy Manager to access it and some other servers from the outside. Setting it up back then was a breeze, including getting it to work through Nginx reverse proxy. Same thing with the other servers I am using. No matter if they use HTTPS or HTTP between them and Nginx Proxy Manager, it just works...

So I thought this would be an easy ride, especially with everyone else seemingly being able to make it work without a hitch.

My current setup with the plugin:
TrueNAS : IP 192.168.1.38
Nextcloud : NATed on truenas with port 8283 for HTTPS towards Nginx.
Nginx Proxy Manager (IP 192.168.1.18) - Host setup with myddns.example.com, 192.168.1.38 and port 8283
Nextcloud config.php has trusted proxies (Nginx internal IP).

I'm perfectly fine having the new install running with an IP separate from TrueNAS. I'd prefer DHCP but I suppose that is possible to change later by editing the jail once it's up. I have made myddns2.example.com available and set it up in Nginx towards Host Nextcloud2 being set up with the script, using IP 192.168.1.37.

I would also like to be able to select which ports to use for accessing nextcloud, is that possible using the script??

I have tried installing with SELFSIGNED_CERT and I have tried installing with NO_CERT. I have tried installing with HOST_NAME="192.168.1.37" as well as "myddns2.example.com".
The closest I have come to making it work was with NO_CERT and the internal IP as HOST_NAME. This way I was able to login and use Nextcloud from the LAN. But trying to access it via myddns2.example.com gave me a completely empty white page (nothing). Tried from multiple browsers and via VPN as well from the phone (not connected to wifi), with the same result. Setting any other port than 80 in Nginx renders the "502 Bad gateway" error.
Rerunning the script again changing to SELFSIGNED_CERT made it possible to access via HTTPS internally but now Nginx gave "502 Bad gateway" no matter which port I chose.
Installing from scratch with HOST_NAME="myddns2.example.com" won't allow me to access nextcloud at all, from anywhere, regardless of how I try.

I have been fiddling with trusted domains and trusted proxies and added pretty much everything I can think of (for both), including my PC's IP, Nginx internal IP as well as myddns2.example.com.

The Caddyfile seems to allow adding multiple "domains" and just now as I'm writing this, I tried adding some more, including adding the port to the domain listing:

myddns.example.com, 192.168.1.37, 192.168.1.37:443, 192.168.1.18:8283 {
root * /usr/local/www/nextcloud
file_server
.... etc etc

Now I'm able to select port 443 OR 8283 in Nginx and it "works" but not completely.

If I enter 192.168.1.37/login, I get an unsecure connection https://192.168.1.37/login and the nextcloud login page, completely internal.

If I enter 192.168.1.37 it changes to myddns2.example.com/login . Clearly there is communication going on, since it adds the /login extension to the URL and it does show a secure connection (through Nginx with letsencrypt certificate as expected), but there is literally nothing on the page (verified using dev tool in browser).

Entering only myddns2.example.com also gives me the empty page but it stays like that without the /login extension.

Clearly this must have something to do with Caddy? Or am I missing something in the nextcloud configuration?

nextcloud-config for install has nothing more than the following: (current install with ddns and selfsigned cert).

JAIL_IP="192.168.1.37"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/TruePool"
TIME_ZONE="Europe/Stockholm"
HOST_NAME="internal IP" OR "myddns2.example.com"
NO_CERT=0 OR SELFSIGNED_CERT=1
COUNTRY_CODE=SE
CERT_EMAIL="mymail@gmail.com"

 

[Gblenn]

Hi all,

I have tried installing, reinstalling and modifying my settings so many times now that I'm about to give up. I just can't seem to get this to work as expected, or at all even.

The Caddyfile seems to allow adding multiple "domains" and just now as I'm writing this, I tried adding some more, including adding the port to the domain listing:

myddns.example.com, 192.168.1.37, 192.168.1.37:443, 192.168.1.18:8283 {
root * /usr/local/www/nextcloud
file_server
.... etc etc

Now I'm able to select port 443 OR 8283 in Nginx and it "works" but not completely.

If I enter 192.168.1.37/login, I get an unsecure connection https://192.168.1.37/login and the nextcloud login page, completely internal.

If I enter 192.168.1.37 it changes to myddns2.example.com/login . Clearly there is communication going on, since it adds the /login extension to the URL and it does show a secure connection (through Nginx with letsencrypt certificate as expected), but there is literally nothing on the page (verified using dev tool in browser).

Entering only myddns2.example.com also gives me the empty page but it stays like that without the /login extension.

Clearly this must have something to do with Caddy? Or am I missing something in the nextcloud configuration?

Replying to my own post since I got it to work...

The only thing I changed was to add the port (8283) to the FQDN in the Caddyfile, and now it just works...

myddns.example.com:8283, 192.168.1.37, 192.168.1.37:443 {
root * /usr/local/www/nextcloud
file_server
.... etc etc

 

[danb35]

I'd prefer DHCP

Services should always be run on static IPs, so the script does not and will not support DHCP. As you say, you can edit the jail after installation if you like.

I would also like to be able to select which ports to use for accessing nextcloud, is that possible using the script??

No. Why on earth would you care? Nextcloud is running on its own IP with the standard ports for HTTP (and ordinarily HTTPS). It can't possibly have a port conflict with anything else, so it makes zero sense to have it use any other ports. But if you want to for some reason, you can do so by editing the Caddyfile after installation.

Clearly this must have something to do with Caddy? Or am I missing something in the nextcloud configuration?

I think it is something in the Nextcloud configuration. And I know it's documented in this thread, but at almost 3000 posts that's a lot to read through. I'll see if I can find more detail (or if someone else responds with more detail), but I'd start with (1) putting a single IP (and port, if you insist) in the Caddyfile, and (2) changing your Nextcloud config following their docs:

Reverse proxy — Nextcloud latest Administration Manual latest documentation

 

[Gblenn]

Thanks for your reply danb35!!

Services should always be run on static IPs, so the script does not and will not support DHCP. As you say, you can edit the jail after installation if you like.

Yes, I always use static IP's for such things, but I prefer to set that in pfsense...

No. Why on earth would you care? Nextcloud is running on its own IP with the standard ports for HTTP (and ordinarily HTTPS). It can't possibly have a port conflict with anything else, so it makes zero sense to have it use any other ports. But if you want to for some reason, you can do so by editing the Caddyfile after installation.

I run backups for some servers in separate subnets. And the only way I have found that allows me to automagically shift to backup if master is down is using HAProxy. Keepalived which I also have been using works fine but not across different subnets. HAProxy uses ports to identify which server is being "requested". I suppose there may another way (?) but that's how I have it set up. So unless I can use unique ports, I can't go that route. It is a bit moot when nextcloud is concerned, as I have no way of running a backup server towards the same data, but nevertheless I chose to passed via HA (getting notifications in case things are down).

I think it is something in the Nextcloud configuration. And I know it's documented in this thread, but at almost 3000 posts that's a lot to read through. I'll see if I can find more detail (or if someone else responds with more detail), but I'd start with (1) putting a single IP (and port, if you insist) in the Caddyfile, and (2) changing your Nextcloud config following their docs:

Reverse proxy — Nextcloud latest Administration Manual latest documentation

As I am new to the forum, and it takes a little while for my posts to appear, i suppose... So you answered before my post after getting it to work...
Still interesting to learn how it should have been done from the beginning...

 

[danb35]

So you answered before my post after getting it to work

Indeed--they'll take off the delay for you after a few posts, but I don't recall exactly what the threshold is.

I didn't write this script with any thought toward being behind a reverse proxy--I wasn't using one at the time, and the guide I used as a starting point didn't really account for it either. But it's coming up frequently enough that I should at least document how to do it.

 

[Gblenn]

I didn't write this script with any thought toward being behind a reverse proxy--I wasn't using one at the time, and the guide I used as a starting point didn't really account for it either. But it's coming up frequently enough that I should at least document how to do it.

That would be quite useful. I don't know how common it is to run reverse proxies, but there are plenty of instructions out there. And Nginx is rather easy to set up.

I actually went back and completely reinstalled everything to figure out the minimal changes I would need. And it turns out the only thing needed to work behind Nginx in my case (selfsigned cert) was to add the port (443 for standard installation).

So my Caddyfile now reads:

myddns.example.com:443, localhost {
root * /usr/local/www/nextcloud
file_server
.... etc etc

To access it locally using the LAN IP, I added that as well.

As I'm using your script to create a new installation, to which I'm hoping I will be able to move all my data from the existing one. I noticed that the database user and the admin users are different from what you get with the plugin. Would this create a problem when moving data? I'm thinking it might be worth it to modify your script to use the same for everything?
Not super worried about this, as it's the actual users that are important. I use admin (or ncadmin) only to manage the accounts.

I noticed that in my existing user folder I have, besides files there is files_versions and files_trashbin with lot's of data. Do I need to run some command to get this synced up once I have copied everthing over to the new setup?