Blog Nextcloud and TrueNAS Collaborate to Help You Build Your Private Cloud

[Basil Hendroff]

Scenario 2: NC plugin using DHCP

Choosing DHCP for the NC plugin network setting:



The plugin installs with the following install notes:

Code:

Install Notes:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.
Generating a RSA private key
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
................+++++
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
.+++++
writing new private key to '/usr/local/etc/letsencrypt/live/truenas/root.key'
No certificates found.
-----
No certificates found.
Generating a RSA private key
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
...........................................................................+++++
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
No certificates found.
.....................................................+++++
No certificates found.
writing new private key to '/usr/local/etc/letsencrypt/live/truenas/server.key'
-----
No certificates found.
Signature ok
subject=O = TrueNAS (Nextcloud), CN = localhost
No certificates found.
Getting CA Private Key
You can install the following CA on your devices to trust the TLS certificate: /usr/local/etc/letsencrypt/live/truenas/root.cer
Getting CA Private Key
nginx_enable: -> YES
Getting CA Private Key
mysql_enable: -> YES
Getting CA Private Key
php_fpm_enable: -> YES
Getting CA Private Key
redis_enable: -> YES
Getting CA Private Key
fail2ban_enable: -> YES
Getting CA Private Key
Performing sanity check on nginx configuration:
Getting CA Private Key
Starting nginx.
Getting CA Private Key
Performing sanity check on php-fpm configuration:
Getting CA Private Key
Starting php_fpm.
Getting CA Private Key
Starting mysql.
Getting CA Private Key
Starting redis.
Getting CA Private Key
Starting redis.
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
Warning: Since password will be sent to server in plain text, use ssl connection to ensure password safety.
Starting redis.
Starting redis.
mysql: [Warning] Using a password on the command line interface can be insecure.
Nextcloud was successfully installed
[Warning] Using a password on the command line interface can be insecure.
Set mode for background jobs to 'cron'
[Warning] Using a password on the command line interface can be insecure.
System config value trusted_domains => 1 set to string 10.1.1.14
[Warning] Using a password on the command line interface can be insecure.
contacts 4.0.3 installed
[Warning] Using a password on the command line interface can be insecure.
contacts enabled
[Warning] Using a password on the command line interface can be insecure.
calendar 2.3.4 installed
[Warning] Using a password on the command line interface can be insecure.
calendar enabled
[Warning] Using a password on the command line interface can be insecure.
notes 4.1.1 installed
[Warning] Using a password on the command line interface can be insecure.
notes enabled
[Warning] Using a password on the command line interface can be insecure.
deck 1.5.3 installed
[Warning] Using a password on the command line interface can be insecure.
deck enabled
[Warning] Using a password on the command line interface can be insecure.
spreed 12.1.2 installed
[Warning] Using a password on the command line interface can be insecure.
spreed enabled
[Warning] Using a password on the command line interface can be insecure.
mail 1.10.5 installed
[Warning] Using a password on the command line interface can be insecure.
mail enabled
[Warning] Using a password on the command line interface can be insecure.
Server ready
[Warning] Using a password on the command line interface can be insecure.
Admin Portal:
http://10.1.1.129

There's a problem here. From the install notes, you can see that the trusted domain has been set to the IP of the TN server rather than the NC jail. Accessing the jail at http://10.1.1.129 results in the following:



Examining and correcting trusted domains in the NC config.php:

Code:

root@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:get trusted_domains'
localhost
10.1.1.14
root@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value="10.1.1.129"'
System config value trusted_domains => 1 set to string 10.1.1.129
root@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:get trusted_domains'
localhost
10.1.1.129

This time, accessing the jail at http://10.1.1.129 gives the correct behaviour:



Injecting other parameters in the NC config.php required for the RP:

Code:

root@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_domains 2 --value="ncdhcp.udance.com.au"'
System config value trusted_domains => 2 set to string ncdhcp.udance.com.au
root@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value="https"'
System config value overwriteprotocol set to string https
root@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set overwritehost --value="ncdhcp.udance.com.au"'
Systemroot@ncdhcp:~ # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set overwrite.cli.url --value="http://ncdhcp.udance.com.au/"'
System config value overwrite.cli.url set to string http://ncdhcp.udance.com.au/ config value overwritehost set to string ncdhcp.udance.com.au

In the Caddyfile for the Caddy RP, I map ncdhcp.udance.com.au to 10.1.1.129. Attempting to connect to the NC instance, I'm greeted with the following:



Clearing cookies doesn't help.

Scenario 2: Test result: FAIL

Scenario 3 testing to follow.

 

[Basil Hendroff]

Scenario 3: NC app on SCALE



The startup log:

Code:

2021-10-16 00:15:10.536426+00:00Initializing nextcloud 22.2.0.2 ...
2021-10-16 00:15:16.887079+00:00Initializing finished
2021-10-16 00:15:16.887169+00:00New nextcloud instance
2021-10-16 00:15:16.916119+00:00Installing with PostgreSQL database
2021-10-16 00:15:16.916166+00:00starting nextcloud installation
2021-10-16 00:16:16.632869+00:00Nextcloud was successfully installed
2021-10-16 00:16:16.641479+00:00setting trusted domains…
2021-10-16 00:16:16.934874+00:00System config value trusted_domains => 1 set to string 10.1.1.12
2021-10-16 00:16:17.108729+00:00AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.16.0.30. Set the 'ServerName' directive globally to suppress this message
2021-10-16 00:16:17.129290+00:00AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.16.0.30. Set the 'ServerName' directive globally to suppress this message
2021-10-16 00:16:17.159065+00:00[Sat Oct 16 00:16:17.158905 2021] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.51 (Debian) PHP/8.0.11 configured -- resuming normal operations
2021-10-16 00:16:17.159156+00:00[Sat Oct 16 00:16:17.158943 2021] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
2021-10-16 00:16:37.397117+00:0010.1.1.222 - - [16/Oct/2021:00:16:37 +0000] "GET / HTTP/1.1" 302 1329 "http://10.1.1.12/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"
2021-10-16 00:16:39.529728+00:0010.1.1.222 - - [16/Oct/2021:00:16:37 +0000] "GET /login HTTP/1.1" 200 6758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"
2021-10-16 00:16:40.370558+00:0010.1.1.222 - - [16/Oct/2021:00:16:40 +0000] "GET /cron.php HTTP/1.1" 200 931 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"
2021-10-16 00:17:28.495643+00:0010.1.1.222 - - [16/Oct/2021:00:17:28 +0000] "-" 408 0 "-" "-"

Accessing NC via the portal:



I have found the NC config.php under the pod shell, and it's missing RP parameters. What editors are available to me under the shell? I've tried nano and vi, but neither appears to be available.

I'll have to pick this up later as I'm running out of time. In the meantime, I have a couple of other observations:

Plugin version under CORE and SCALE

What's presented is the version of NC, but plugin revision status is absent. I'm wondering whether it should be included as well?

NC database + webserver

NC under SCALE uses PostgreSQL as the db and Apache as the webserver. NC under CORE uses MySQL as the db and nginx as the webserver. While I'm all for choice and diversity, I'm just wondering if there's an opportunity to streamline at all? There may be support benefits in doing so.

Side note: Others (e.g. @danb35's NC script) use MariaDB as the default db and/or Caddy as the webserver.

Catch you all later this evening local time.

 

[morganL]

Lets focus on getting the new CORE plugin so that it is set-up well. THen we can discuss what changes should be made to the SCALE App.

 

[Basil Hendroff]

Continuing with the testing of scenario 3...

Injecting other parameters in the NC config.php required for the RP:

Code:

root@ncscale-nextcloud-576b8fb777-lts7n:~# su -m www-data -c 'php /var/www/html/occ config:system:set trusted_domains 2 --value="ncscale.udance.com.au"'
System config value trusted_domains => 2 set to string ncscale.udance.com.au
root@ncscale-nextcloud-576b8fb777-lts7n:~# su -m www-data -c 'php /var/www/html/occ config:system:set overwriteprotocol --value="https"'
System config value overwriteprotocol set to string https
root@ncscale-nextcloud-576b8fb777-lts7n:~# su -m www-data -c 'php /var/www/html/occ config:system:set overwritehost --value="ncscale.udance.com.au"'
System config value overwritehost set to string ncscale.udance.com.au
root@ncscale-nextcloud-576b8fb777-lts7n:~# su -m www-data -c 'php /var/www/html/occ config:system:set overwrite.cli.url --value="http://ncscale.udance.com.au/"'
System config value overwrite.cli.url set to string http://ncscale.udance.com.au/

In the Caddyfile for the Caddy RP, I map ncscale.udance.com.au to 10.1.1.12:9001. Attempting to connect to the NC instance, I'm greeted with the following:



Scenario 3: Test result: PASS

This is a really good outcome as it reveals a lot about the test environment and the CORE NC plugin. It tells us that:

1. The Caddy RP is working as it should.
2. The correct parameters required for operating NC behind an RP have been injected into the NC config.php.
3. The SCALE NC app has, in @morganL's words, 'adopted the middle ground' and works behind an RP.
4. There's some work required on the CORE NC plugin to normalise it to work behind an RP.

 

[morganL]

@Basil Hendroff OK, So SCALE app works fine behind Caddy reverse Proxy.
CORE plugin does not...
Should we focus on Scenario 1 first?
Suggest we report it as a bug and get it an Id, with the information you collected.
Any suggestions on how to fix the baug are alse welcome from you and @danb35

 

[Basil Hendroff]

OK, So SCALE app works fine behind Caddy reverse Proxy.
CORE plugin does not...

There's a reason why this is the case. SCALE NC is designed to work behind an RP. Here's an extract from the Nextcloud Quick reference under Docker Hub:

HTTPS - SSL encryption
There are many different possibilities to introduce encryption depending on your setup.

We recommend using a reverse proxy in front of our Nextcloud installation. Your Nextcloud will only be reachable through the proxy, which encrypts all traffic to the clients. You can mount your manually generated certificates to the proxy or use a fully automated solution which generates and renews the certificates for you.

The CORE NC plugin implements TLS in the jail and this conflicts with the RP, as @danb35 suggested might occur.

Should we focus on Scenario 1 first?
Suggest we report it as a bug

I don't believe it's a bug as such. I think what we're talking about here is a change in the scope of the plugin. Should the NC plugin continue to implement TLS? If the answer is 'Yes', then no change is required to the plugin. If the intention is to have the NC plugin work behind an RP, then the answer is probably 'No'. That decision may need to be formally sanctioned within iXsystems.

Still require encrypted communication between the plugin and the RP? This can be implemented later, if required. Current thinking separates internal PKI and web PKI; TLS is used on the public-facing side and mTLS replaces TLS/SSL on private infrastructure.

Assuming a scope change is approved, should I report it as a bug or an improvement?

Any suggestions on how to fix the baug are alse welcome from you and @danb35

The easiest approach would probably be to rework the nginx webserver so it continues to serve NC PHP files, but doesn't implement TLS. Of course, selfishly, both @danb35 and I would prefer to see Caddy replace nginx.

 

[adrianwi]

Good to see this collaboration, although there are lots of moving parts and getting them all to work from the click of a few buttons sounds challenging. Any reason why Collabora would be used for the Office integration and not ONLYOFFICE, which from my experience is actually more compatible with the Office Daddy?

 

[morganL]

Still require encrypted communication between the plugin and the RP? This can be implemented later, if required. Current thinking separates internal PKI and web PKI; TLS is used on the public-facing side and mTLS replaces TLS/SSL on private infrastructure.

Assuming a scope change is approved, should I report it as a bug or an improvement?

The easiest approach would probably be to rework the nginx webserver so it continues to serve NC PHP files, but doesn't implement TLS. Of course, selfishly, both @danb35 and I would prefer to see Caddy replace nginx.

Let's treat it as an improvement. We'll need the engineering teams to discuss.
Is it possible to make the use of TLS an option?

 

[morganL]

Good to see this collaboration, although there are lots of moving parts and getting them all to work from the click of a few buttons sounds challenging. Any reason why Collabora would be used for the Office integration and not ONLYOFFICE, which from my experience is actually more compatible with the Office Daddy?

We had to pick one combination that could be supported both for Community and with Enterprise support. Collabora were willing participants and recommended by Nextcloud.

 

[Basil Hendroff]

Any reason why Collabora would be used for the Office integration and not ONLYOFFICE, which from my experience is actually more compatible with the Office Daddy?

It's a good question. OnlyOffice was bundled in NC Hub with NC18. Since NC19 (I think?), Collabora was bundled in NC Hub instead of OnlyOffice. Why the switch? I think the reason has to do with clustering and scalability. Collabora scales well with NC. OnlyOffice isn't yet scalable. For smaller NC deployments, you can install both Collabora and OnlyOffice. For very large NC deployments, Collabora is the only Office option.

 

[Basil Hendroff]

Let's treat it as an improvement. We'll need the engineering teams to discuss.
Is it possible to make the use of TLS an option?

I don't use plugins so I don't know whether it's possible to have TLS a selectable option. This is one for the engineering team to advise.

JIRA ticket NAS-112894

I've had to raise the ticket as a suggestion rather than an improvement...

 

[kiriak]

Just wait until you see the updated plugin. ;)

Having a brand new TrueNAS,
I'm split between waiting for the new plugin, using the current one right now, using the @danb35 's script or setting up a separate Linux machine with docker compose.

 

[danb35]

Does this mean that the Nextcloud plugin is going to start to, well, not suck?

Looks like the answer is "no", or at least, "not yet":

Nextcloud won't install

I am trying to install nextcloud on my truenas but every time I try to install it it gives me an error. I can install all the other plugins on it just not nextcloud. I tried to fortmat the drives and reinstall truenas. I tried to install it on a pool made out of two 500gb ssd's that are...

www.truenas.com