Nextcloud: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
← Older edit
Content deleted Content added
VisualWikitext
S23adhik (talk | contribs)
65 edits
mNo edit summary
Migration and debian 13 upgrade
 
Line 1: Line 1:
== Installation Details ==
<span id="general-administration-notes"></span>
=== Container setup ===
= General Administration Notes =

* To use the admin account, use https://files.csclub.uwaterloo.ca/login?direct=1&noredir=1 with the admin credentials found in syscom machine.

<span id="storage-setup"></span>
= Storage setup =

NFS mount. Add this to <code>/etc/fstab</code>.

<pre>fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0
</pre>
<span id="container-setup"></span>
= Container setup =

See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .
See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .


<span id="inside-the-container"></span>
=== Inside the container ===
= Inside the container =

Use <code>machinectl shell nextcloud</code> to obtain a root shell inside the container.
Use <code>machinectl shell nextcloud</code> to obtain a root shell inside the container.


<span id="network-configuration"></span>
=== Network configuration ===
== Network configuration ==

Add IPv4 and IPv6 address to <code>/etc/network/interfaces</code> as usual.
Add IPv4 and IPv6 address to <code>/etc/network/interfaces</code> as usual.


<span id="install-server-software"></span>
=== Install server software ===
== Install server software ==

Grab the essentials first.
Grab the essentials first.


<syntaxhighlight lang="bash">apt install apt-transport-https curl unzip
<syntaxhighlight lang="bash">apt install apt-transport-https curl unzip
</syntaxhighlight>
</syntaxhighlight>
Nextcloud recommends PHP 8.0 (have JIT support, performance go brrr), but debian bullseye doesn't have it in official repository. So add a thrid-party repository.


We use PHP 8.4 from the upstream debian trixie (13) repository.
Create <code>/etc/apt/sources.list.d/sury-php.list</code>.
<x>

apt install nginx php8.4-fpm php8.4-curl php8.4-gd php8.4-mbstring php8.4-zip php8.4-mysql php8.4-bz2 php8.4-intl php8.4-redis php8.4-imagick ffmpeg php8.4-bcmath php8.4-ldap php8.4-apcu php8.4-xml php8.4-gmp
<pre>deb https://packages.sury.org/php/ bullseye main
</pre>
</x>
And obtain the repository signing key.

<syntaxhighlight lang="bash">curl -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
</syntaxhighlight>
Finally we can install server software packages.

<syntaxhighlight lang="bash">apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable
</syntaxhighlight>
<span id="setup-nginx"></span>
== Setup Nginx ==


=== Setup Nginx ===
See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:
See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:


<syntaxhighlight lang="nginx">upstream php-handler {
<syntaxhighlight lang="nginx">upstream php-handler {
server unix:/var/run/php/php8.0-fpm.sock;
server unix:/var/run/php/php8.4-fpm.sock;
}
}
</syntaxhighlight>
</syntaxhighlight>
Line 60: Line 31:
We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As of SSL certificate, we will use our wildcard <code>csclub.uwaterloo.ca</code> certificate. Copy them from xylitol.
We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As of SSL certificate, we will use our wildcard <code>csclub.uwaterloo.ca</code> certificate. Copy them from xylitol.


=== Database setup ===
<span id="database-setup"></span>
== Database setup ==

We'll use the MariaDB instance at coffee. Create a db user and database for nextcloud there. Make sure it will allow connection from ip address of the nextcloud container.
We'll use the MariaDB instance at coffee. Create a db user and database for nextcloud there. Make sure it will allow connection from ip address of the nextcloud container.


=== Install Nextcloud ===
<span id="install-nextcloud"></span>
== Install Nextcloud ==

Download zip from https://nextcloud.com/install/ (find the Archive version). Extract to <code>/var/www/nextcloud</code>. Change owner of the folder to <code>www-data:www-data</code>.
Download zip from https://nextcloud.com/install/ (find the Archive version). Extract to <code>/var/www/nextcloud</code>. Change owner of the folder to <code>www-data:www-data</code>.


The DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. Installation page should be up. Fill in the details to finish the installation.
The DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. Installation page should be up. Fill in the details to finish the installation.


<span id="setup-cron-job"></span>
=== Setup cron job ===
We goes the <code>systemd</code> approach. See https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/background_jobs_configuration.html#systemd.
== Setup cron job ==

We goes the <code>systemd</code> approach. See https://docs.nextcloud.com/server/24/admin_manual/configuration_server/background_jobs_configuration.html#systemd.


Basically, setup a service and a timer. Enable the timer.
Basically, setup a service and a timer. Enable the timer.


<span id="ldap-and-oidc-setup"></span>
=== LDAP and OIDC setup ===
= LDAP and OIDC setup =

In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures user can sign in with their WatIM credential (just like Quest and Learn), and their group information is correctly assigned in Nextcloud.
In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures user can sign in with their WatIM credential (just like Quest and Learn), and their group information is correctly assigned in Nextcloud.


Line 106: Line 69:
If things goes okay, csc users should appear in Nextcloud's user list.
If things goes okay, csc users should appear in Nextcloud's user list.


For OIDC, we use [https://github.com/nextcloud/user_oidc user_oidc] plugin maintained by Nextcloud. First, make sure OIDC won't create any user account (we use LDAP for that) by adding this line to <code>config.php</code>:
<span id="oidc-setup"></span>
== OIDC setup ==


<pre>
We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with KeyCloak.
'user_oidc' => [
'auto_provision' => false,
]
</pre>


First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.
Then, create an app in Keycloak (see https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak and [[Keycloak]]) and navigate to "OpenID Connect" tab on the admin panel and add a registered provider. You should only need to fill in "Client ID", "Client secret" and "Discovery endpoint" taken from Keycloak.


=== ''Speed'' ===
Then install this plugin in Nextcloud. Then, edit Nextcloud's config file at <code>/var/www/nextcloud/config/config.php</code>. Here're some highlights.

<syntaxhighlight lang="php">'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
'id' => 'preferred_username',
'mail' => 'email',
'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,
</syntaxhighlight>
<span id="speed"></span>
= ''Speed'' =


<span id="memory-caching"></span>
==== Memory caching ====
== Memory caching ==


<code>redis</code> and <code>APCu</code> are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.
<code>redis</code> and <code>APCu</code> are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.


<span id="dedicated-push-notification-server"></span>
<span id="dedicated-push-notification-server"></span>
== Dedicated push notification server ==
==== Dedicated push notification server ====


There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.
There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.
Line 154: Line 99:


<span id="miscellaneous"></span>
<span id="miscellaneous"></span>
= Miscellaneous =
=== Miscellaneous ===


* Email setup
* Email setup
Line 161: Line 106:
** We use https://github.com/mwalbeck/nextcloud-breeze-dark for some KDE vibe. Oh, change the icon too.
** We use https://github.com/mwalbeck/nextcloud-breeze-dark for some KDE vibe. Oh, change the icon too.


=== Common Issues ===
== Common Issues ==


==== 409: Resource in conflict, when auto-uploading ====
=== 409: Resource in conflict, when auto-uploading ===
Normally caused by Nextcloud not being able to create a folder for whatever, you can just manually create the folder
Normally caused by Nextcloud not being able to create a folder for whatever, you can just manually create the folder

== Historical ==
No-longer-valid information under here.

=== General Administration Notes (2022) ===
* To use the admin account, use https://files.csclub.uwaterloo.ca/login?direct=1&noredir=1 with the admin credentials found in syscom machine.

=== Storage setup (2022) ===
NFS mount. Add this to <code>/etc/fstab</code>.

<pre>fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0
</pre>
<span id="container-setup"></span>

=== Installing PHP (2022) ===
Nextcloud recommends PHP 8.0 (have JIT support, performance go brrr), but debian bullseye doesn't have it in official repository. So add a thrid-party repository.

Create <code>/etc/apt/sources.list.d/sury-php.list</code>.

<pre>deb https://packages.sury.org/php/ bullseye main
</pre>
And obtain the repository signing key.

<syntaxhighlight lang="bash">curl -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
</syntaxhighlight>
Finally we can install server software packages.

<syntaxhighlight lang="bash">apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable
</syntaxhighlight>
<span id="setup-nginx"></span>

=== OIDC setup (2022) ===
We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with KeyCloak.

First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.

Then install this plugin in Nextcloud. Then, edit Nextcloud's config file at <code>/var/www/nextcloud/config/config.php</code>. Here're some highlights.

<syntaxhighlight lang="php">'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
'id' => 'preferred_username',
'mail' => 'email',
'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,
</syntaxhighlight>

Latest revision as of 14:21, 21 November 2025

Installation Details

Container setup

See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .

Inside the container

Use machinectl shell nextcloud to obtain a root shell inside the container.

Network configuration

Add IPv4 and IPv6 address to /etc/network/interfaces as usual.

Install server software

Grab the essentials first. 

apt install apt-transport-https curl unzip

We use PHP 8.4 from the upstream debian trixie (13) repository. <x> apt install nginx php8.4-fpm php8.4-curl php8.4-gd php8.4-mbstring php8.4-zip php8.4-mysql php8.4-bz2 php8.4-intl php8.4-redis php8.4-imagick ffmpeg php8.4-bcmath php8.4-ldap php8.4-apcu php8.4-xml php8.4-gmp </x>

Setup Nginx

See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this: 

upstream php-handler {
    server unix:/var/run/php/php8.4-fpm.sock;
}

Also change root to /var/www/nextcloud.

We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As of SSL certificate, we will use our wildcard csclub.uwaterloo.ca certificate. Copy them from xylitol.

Database setup

We'll use the MariaDB instance at coffee. Create a db user and database for nextcloud there. Make sure it will allow connection from ip address of the nextcloud container.

Install Nextcloud

Download zip from https://nextcloud.com/install/ (find the Archive version). Extract to /var/www/nextcloud. Change owner of the folder to www-data:www-data.

The DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. Installation page should be up. Fill in the details to finish the installation.

Setup cron job

We goes the systemd approach. See https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/background_jobs_configuration.html#systemd.

Basically, setup a service and a timer. Enable the timer.

LDAP and OIDC setup

In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures user can sign in with their WatIM credential (just like Quest and Learn), and their group information is correctly assigned in Nextcloud.

First setup LDAP plugin. Enable LDAP/AD integration in Apps, then navigate to Settings-Administration-LDAP/AD integration (must be admin). Fill in the information as follows:

  • Server
    • ldaps://ldap1.csclub.uwaterloo.ca 636
    • User DN && Password: blank
    • Base DN: dc=csclub,dc=uwaterloo,dc=ca
  • User
    • LDAP Query: (&(objectClass=member)(!(shadowExpire=1)))
  • Login attributes
    • LDAP Query: (&(|(objectclass=member))(uid=%uid))
  • Group
    • LDAP Query: (&(objectClass=posixGroup)(uniqueMember=*))
  • Advanced
    • Backup (Replica) Host: ldaps://ldap2.csclub.uwaterloo.ca
    • Base User Tree: ou=People,dc=csclub,dc=uwaterloo,dc=ca
    • Base Group Tree: ou=Group,dc=csclub,dc=uwaterloo,dc=ca
    • Group-Member association: uniqueMember
    • Special Attributes: mailLocalAddress
    • Internal Username: uid

If things goes okay, csc users should appear in Nextcloud's user list.

For OIDC, we use user_oidc plugin maintained by Nextcloud. First, make sure OIDC won't create any user account (we use LDAP for that) by adding this line to config.php: 

  'user_oidc' => [
    'auto_provision' => false,
  ]

Then, create an app in Keycloak (see https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak and Keycloak) and navigate to "OpenID Connect" tab on the admin panel and add a registered provider. You should only need to fill in "Client ID", "Client secret" and "Discovery endpoint" taken from Keycloak.

Speed

Memory caching

redis and APCu are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.

Dedicated push notification server

There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.

See https://github.com/nextcloud/notify_push. To set it up:

  1. Install "Client Push" app from Nextcloud app store
  2. Create and enable a systemd service
  3. Add reverse proxy configuration to nextcloud's Nginx config file

You should test the setup, use https://github.com/nextcloud/notify_push/tree/main/test_client. To those who are unfamiliar with Rust, just clone it and run cargo build --release. You'll find the binary at target/release.

Miscellaneous

Common Issues

409: Resource in conflict, when auto-uploading

Normally caused by Nextcloud not being able to create a folder for whatever, you can just manually create the folder

Historical

No-longer-valid information under here.

General Administration Notes (2022)

Storage setup (2022)

NFS mount. Add this to /etc/fstab. 

fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0

Installing PHP (2022)

Nextcloud recommends PHP 8.0 (have JIT support, performance go brrr), but debian bullseye doesn't have it in official repository. So add a thrid-party repository.

Create /etc/apt/sources.list.d/sury-php.list. 

deb https://packages.sury.org/php/ bullseye main

And obtain the repository signing key. 

curl -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg

Finally we can install server software packages. 

apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable

OIDC setup (2022)

We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with KeyCloak.

First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.

Then install this plugin in Nextcloud. Then, edit Nextcloud's config file at /var/www/nextcloud/config/config.php. Here're some highlights. 

'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
  'id' => 'preferred_username',
  'mail' => 'email',
  'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,
Retrieved from "https://wiki.csclub.uwaterloo.ca/index.php?title=Nextcloud&oldid=5478"