NextCloud plugin vs NextCloud on a linux server

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
I had a 1U Supermicro box with 4x500GB drives lying around and I installed ESXi 6.7U2 on it. I created 3 VMs on it, -- one to serve as a PCOIP so that I can connect to a desktop linux and make use of the CPU and RAM on the server to perform tasks instead of having my measly Chromebook do it, another VM is only to test various distros etc and for general tinkering and the third to possibly host a linux VM and install NextCloud along with a LAMP stack. This third VM has 600GB of disk space available to it from the 930GB total(after accounting for RAID6 for ESXi)

My question is how is NextCloud plugin on FreeNAS different than on a standalone OS with Apache and PHP stack? I tried finding some articles on this, but I found a lot of howtos, but nothing that really laid out the differences. Is it just slower to update to the latest?

Secondly, I intend to provide my family members login accounts to this self-hosted cloud. So it will have about 5 accounts in total. Each member will have 100GB of data that they can store. These users will connect from different countries. Would installing a plugin on FreeNAS require me to expose my freenas box to the world? I don't want to do this particularly because I don't want to share everything I have on my local NAS.

However, even if I go the standalone OS route, I'd still like a way to move the data from the cloud to my NAS. I was thinking of using the cloud to instantly delta backup my phones when I get home and then at a later time (possibly in the dead of the night) to copy or move that data to my NAS. It should also allow my family to share some data between each other.

I know this is the FreeNAS forums and I might not get all the details here, but I just wanted to know mainly the difference between the plugin and installing it on a standalone VM. And whether the plugin would be able to support my use-case.

Thank you,
 

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
So, I chose to install Nextcloud in a jail rather than spinning up a linux vm, though they achieve similar things. Jails are the native route for FreeNAS, though. The FreeNAS Nextcloud plugin is designed predominantly to remove a lot of the configuration headaches involved with setting up a FAMP/LAMP stack, and configuring everything appropriately. It automates a lot of this for you in a jail, with the exception that it uses Nginx instead of Apache as the web server.

The limitations that you get in exchange for this convenience is that you rely on the plugin maintainer to update the plugin, which seems to not be too much of an issue right now, though historically the plugin has fallen a number of major releases behind. Additionally, it's less convenient to make changes to the environment in the jail as it's configured to use a specific iocage-plugin repository to pull packages from.

I chose to configure it manually because:
1. It was a good learning process to get comfortable with the CLI and application configuration
2. It allowed me to apply further hardening configuration to the jail, which was important to me because I was making the web server face publicly
3. Moved the onus of package update to the FreeBSD repo maintainer rather than iocage-plugin maintainer (You could also install directly from nextcloud if you didn't want to use pkg or ports)

The guide I wrote is in my signature. Alternatively, @danb35 wrote a scripted installation minus the hardening configurations
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

Here, I chose the best of both worlds: I use the Docker version of Nextcloud. In my ESXi, I have a few Docker hosts and one I use for Nextcloud. The storage is mapped from FreeNAS over NFS by the Docker host and the mount is remapped inside the container. Thanks to this, the Nextcloud container sees local storage even though it is remote.

Not exposing the FreeNAS server to the Internet is one of the reasons why I do it this way. Updating easily and quickly is another plus. Having the storage directly in the FreeNAS is the third plus.

Have fun with your own setup,
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Would installing a plugin on FreeNAS require me to expose my freenas box to the world?
If remote users are going to be accessing your Nextcloud installation, that installation (whether the jail it's in on FreeNAS, or the Linux server that's running it) needs to be accessible to them. The ideal situation would probably be that it's on a VPN of some sort, if your users are tech-savvy enough to use one. Failing that, the installation would need to be exposed to the world. In no case, however, should the FreeNAS box itself be exposed to the world, and it also wouldn't need to be.

I wouldn't recommend the plugin, though--if you're going to put it in a jail, do either a manual or a scripted installation in a jail. Last I heard, the plugin still doesn't give you a complete installation.

As to whether to do it in a jail or elsewhere, I'd think the main deciding factor would be if you want to run it on your FreeNAS box in the first place. If you do, use a jail--there's just no reason to spin up a Linux VM to run software that runs perfectly well under FreeBSD. The decision is really going to be based on external factors that will be different for everyone.

Alternatively, @danb35 wrote a scripted installation minus the hardening configurations
Well, minus some of the hardening configurations. My script does the SSL configuration (minus HSTS, which is a deliberate decision for reasons I explain), but doesn't include some of the OS-level stuff. And, of course, there are some differences in approach--I prefer acme.sh to certbot, for example.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
Thanks. I guess I wasn't clear in my first post, but I was always going to spin up a Linux VM separate from FreeNAS. I don't like using VMs under FreeNAS for some reason. I created an Archlinux VM under ESXi for this. In any case, everything is set up as I would like it.

I am now exploring whether my family can use VPN or if I should expose the server to the world after I create a DMZ in my pfSense router and add the server to the DMZ instead of my LAN.

Thanks.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
I have a follow up question regarding setting up the SSL certs.

I found this video from Jim Pingle regarding setting up Let's Encrypt certs on pfSense. Should I be doing a network wide cert on pfSense or should I be getting a cert individually for my NextCloud server. Are there any benefits or pitfalls for either option?

If my users are willing to use VPN to connect to my network, would the cert work across a VPN and if so, would that cert need to be installed in the pfSense (which hosts my personal VPN server)
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
I am now exploring whether my family can use VPN or if I should expose the server to the world after I create a DMZ in my pfSense router and add the server to the DMZ instead of my LAN.

Thanks.

You shouldn't expose your entire server using DMZ. This is a bad idea as this will expose all ports on your server to the internet. Just port forward the ports used for Nextcloud.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
You shouldn't expose your entire server using DMZ. This is a bad idea as this will expose all ports on your server to the internet. Just port forward the ports used for Nextcloud.
Wait, so you are saying that exposing ports on your LAN is safer than putting a public server on a DMZ?? If the public facing server does get compromised, they could theoretically access the LAN that way.

The whole point of a DMZ is to separate the public facing servers and the internal servers. If I have NextCloud installed on a Linux server, and nothing else, it's better to put that on a DMZ than to blast holes in your existing LAN firewall. Being on the DMZ prevents access to your LAN provided it has been configured properly -- that is no access from LAN to DMZ or vice-versa & physically separated as much as possible including using different ethernet ports and a completely separate switch etc..
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Why wouldn't you want your LAN to communicate with your server? If you really want to be safe about it, create a VLAN with just your server and port forward only the needed ports to it. You can set up rules about it accessing your LAN however you want.
Edit: The way my old router does DMZ is not what you're talking about, which is what I was referring to. I just looked up the proper DMZ networking definition.
Yes, I guess using DMZ on your server is secure, but if you use VLAN, you could have more control, plus it effectively creates a DMZ, right?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
VLAN vs DMZ are orthogonal questions. A DMZ is a mostly-isolated network. A VLAN is one possible way of creating it, though it has plenty of other applications as well.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
Why wouldn't you want your LAN to communicate with your server?
Because public facing servers have a higher probability of getting compromised. No point in having that as an entryway into your local network.
Edit: The way my old router does DMZ is not what you're talking about, which is what I was referring to. I just looked up the proper DMZ networking definition.
Yes, I guess using DMZ on your server is secure, but if you use VLAN, you could have more control, plus it effectively creates a DMZ, right?
Correct. Usually off the shelf routers just port forward depending on what ports you want and call it a DMZ. But it's not really a DMZ. It's just a misappropriation of the term.
 

Inxsible

Guru
Joined
Aug 14, 2017
Messages
1,123
In any case, the whole DMZ question might be moot for me anyway. Two of the 4 non-local users have successfully tested the vpn and can get into it via the VPN -- which is even more secure than setting up a DMZ.

This allows me to access my Nextcloud server from within the LAN. The other 2 users-- I might have to hand hold a bit more.
 

Hellrazorx

Dabbler
Joined
Apr 30, 2021
Messages
29
This topic forked to Network management philosophical questions.
My concerns are:
-is the Nextcloud Plugin as reliable as deploying a VM outside Truenas?
-In the eventuality that plugin configuration breaks, is it possible to have a replication on a separate VM?

Plugins seem the most ''secure way'' for making sure all your eggs are under a resilient storage. But how can we safely affirm that a future plugin update will not cause problems to users database eventually?

Is waiting for updates a couple of months after a new release, to check in the forums whether problems occur, the way to go?

Thanks
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,739
@Hellrazorx Install Nextcloud like you would in a Linux VM but use a standard jail. No breakage due to plugin issues. A lot less overhead compared to a VM and resilient storage. Nextcloud does run on FreeBSD without any OS related issues. I have customer instances with as much as 3 TB of data.
 

Hellrazorx

Dabbler
Joined
Apr 30, 2021
Messages
29
@Hellrazorx Install Nextcloud like you would in a Linux VM but use a standard jail. No breakage due to plugin issues. A lot less overhead compared to a VM and resilient storage. Nextcloud does run on FreeBSD without any OS related issues. I have customer instances with as much as 3 TB of data.
Hi Patrick, thanks for the reply.
If I understand correctly, your recommendation is to create an empty jail and install Nextcloud on it, just like a vm?

In my case, the ZFS2 array will be of 24Tb of disk space (6x6tb) and will hold more than 8tb of data at first. Your last answer makes me anxious. It's a bit off topic for this one, but should I worry about something?

Finally, assuming I got you right:
The whole system will be backed up onto a portable storage with decrypted files in case the whole system crashed.
If ever this happens, I will rely on this unit to give back access to users to their files. Is it doable to replicate the nextcloud ''jail'' installation into a full VM in order to deploy it to access this backup storage?

Thank you
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
The advice to create this in a TrueNAS jail is spot on. You don't have enough control with the plugin, and while @danb35 script is a great way to simplify the process, I'd strongly encourage you to have a go at building it from one of the excellent guides you'll find from a quick Google search.

Getting an understanding of how it's set up and configured will prove invaluable when it comes to maintaining it assuming you expect to use it for some time. I've been running Nextcloud (and Owncloud before that) in a FreeBSD jail for several years, and without gaining some of that knowledge it would have been much more difficult to keep up and running. My preference is for a FEMP stack, but you could use Apache and whatever your preferred MySQL is (don't use sqlite)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,739
Adding to @adrianwi:

Essentially it is as simple as pkg install nextcloud-php74. This installs Nextcloud and all runtime dependencies except the web and database server. I use Nginx and MySQL, so that would be pkg install nginx mysql80-server.

The Nginx configuration - which needs to be modified a bit, of course - can be found here:

It is all rather simple, really - come back if there is a particular step that you cannot find out yourself. Although I regularly point out that this is not the Nextcloud support forum, there are many regulars here running Nextcloud, so we will probably be able to help.

I really think the "plugins" were a mistake. And I think this way because the existence of a plugin raises expectations:
  • There's a plugin, so it's an official part of TrueNAS features - no, it's not.
  • There's a plugin, so it's supported by iXsystems - no, it's not.
  • There's a plugin, so Nextcloud is just a simple one-click-install application - no, it's not. It's a modern 3-tier web application with a codebase at least as large and complex as the entire TrueNAS system and it demands familiarity with system administration, database administration, DNS, SSL certificates (if you want to publish to the Internet), ...
  • There's a plugin, so it will receive regular updates and they will "just work" - er ... no.
The plugin is just a convenient way to get another open source product up and running in a jail with all dependencies and versions at the time the plugin was last updated. I have not seen any official commitment to regular security or feature updates for plugins. The updates frequently break things, because the plugin mechanism is great for bootstrapping something, but not really well suited for regular updates of existing installations without a lot of work.

With a little bit of knowledge it's much more reliable to use a jail:
  • Update the jail to the latest FreeBSD patch release: iocage update <jail>
  • Update all packages in the jail to their latest version: iocage console <jail>; pkg update; pkg upgrade; pkg autoremove
  • Update the database tables as per the MySQL documentation: mysql_upgrade -p
  • Update the Nextcloud installation as per the Nextcloud documentation: su -m www -c "php /usr/local/www/nextcloud/occ upgrade"
  • Restart the jail: exit; iocage stop <jail>; iocage start <jail>
See? None of the mandatory additional steps regarding MySQL or Nextcloud is mentioned in "plugin documentation" and this is all really not a TrueNAS topic. If you want to run Nextcloud on your own system, you are expected to know these things, e.g. that after every update of a MySQL database server, you must run mysql_upgrade. It's in the MySQL docs, not in TrueNAS'.


As for the question about backup: you can use a snapshot and replication task to recursively backup the entire jail dataset structure and the data in your Nextcloud, database with users and everything. In case of a system failure, restore by ZFS means to a suitable system, start the jail, run a mysqlcheck --all-databases --auto-repair (see? another one of these things you are supposed to know when running your own MySQL) - and you should be good to go.


HTH, kind regards,
Patrick
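
Patrick's five update steps above, collected into one host-side script as an added example (not part of his post or of any TrueNAS tooling). It assumes `iocage exec` in place of the interactive `iocage console` session, `-y` on the pkg commands, and the hypothetical function names `nc_update_plan` and `nc_update`; it stops at the first failing step so that `occ upgrade` never runs against a half-upgraded database.

```shell
#!/bin/sh
# Added example: ordered update of a Nextcloud jail, run from the TrueNAS host.
# Usage after sourcing this file:  nc_update <jail>     (DRY_RUN=1 only prints)

NC_OCC="/usr/local/www/nextcloud/occ"   # occ path as given in the post

# Print the update commands, one per line, in the order given in the post.
nc_update_plan() {
    jail="$1"
    # Reject empty names and anything that could inject shell metacharacters.
    case "$jail" in
        ""|*[!A-Za-z0-9_.-]*)
            echo "invalid jail name: '$jail'" >&2
            return 2 ;;
    esac
    # Assumption: `iocage exec` replaces the interactive `iocage console` steps.
    cat <<EOF
iocage update $jail
iocage exec $jail pkg update
iocage exec $jail pkg upgrade -y
iocage exec $jail pkg autoremove -y
iocage exec $jail mysql_upgrade -p
iocage exec $jail su -m www -c "php $NC_OCC upgrade"
iocage stop $jail
iocage start $jail
EOF
}

# Run the plan step by step; abort on the first failure.
nc_update() {
    plan=$(nc_update_plan "$1") || return 2
    step=0
    # The plan is read on fd 3 so each command keeps the caller's stdin
    # (mysql_upgrade -p prompts for the MySQL password).
    while IFS= read -r cmd <&3; do
        step=$((step + 1))
        echo "[$step] $cmd"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            continue
        fi
        if ! sh -c "$cmd"; then
            echo "step $step failed, not continuing" >&2
            return 1
        fi
    done 3<<EOF
$plan
EOF
    return 0
}
```

Run it once with `DRY_RUN=1` to review the exact commands before letting it touch the jail.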
 

Hellrazorx

Dabbler
Joined
Apr 30, 2021
Messages
29
Thanks a lot for these precisions. Are you active on NC community?

Yes I've been playing with NC for evaluations and went through the whole setup a couple of times.
Even with TN's plugin, still had to recoat some of the configs to test it out. (I wanted to use WEBDAV on windows.. Until they ''kinda implement'' it directly with the client ''sort of'')

We agree and share the same opinion about the uncertainty of how the plugin is managed.

The information you shared is very valuable thanks a lot.
 

jayecin

Explorer
Joined
Oct 12, 2020
Messages
79
The nextcloud plugin is utter rubbish, it doesn't even work with the current build of TrueNAS
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,739
Are you active on NC community?
Not actively. But my company offers Nextcloud hosting. We use jails for that - so I probably know how to set up and run it. :wink:

Kind regards,
Patrick
 