Nextcloud

From CSCWiki
Revision as of 17:38, 30 August 2022 by Y266shen

General Administration Notes

Storage setup

NFS mount. Add this to /etc/fstab.

fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0

Container setup

Create the container config at /etc/systemd/nspawn/nextcloud.nspawn. The host machine should have br0 set up already.

[Exec]
Boot=yes
Hostname=nextcloud
PrivateUsers=no

[Network]
Bridge=br0

Create a minimal Debian installation.

debootstrap bullseye /var/lib/machines/nextcloud http://mirror.csclub.uwaterloo.ca/debian

Start the container with systemctl enable --now systemd-nspawn@nextcloud.

Inside the container

Use machinectl shell nextcloud to obtain a root shell inside the container.

Network configuration

Add the IPv4 and IPv6 addresses to /etc/network/interfaces as usual.

Install server software

Grab the essentials first.

apt install apt-transport-https curl unzip

Nextcloud recommends PHP 8.0 (has JIT support, performance go brrr), but Debian bullseye doesn't have it in the official repository, so add a third-party repository.

Create /etc/apt/sources.list.d/sury-php.list.

deb https://packages.sury.org/php/ bullseye main

And obtain the repository signing key.

curl -o /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
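A key dropped into /etc/apt/trusted.gpg.d is trusted for every apt source on the machine. The following is an added example (not from this wiki page) that instead stores the Sury key in its own keyring, checks the key's fingerprint before installing it, and scopes it to this one repository with signed-by; EXPECTED_FPR is a placeholder that must be replaced with the fingerprint Sury publishes.

```shell
#!/bin/sh
# Added example: fetch the Sury signing key into a dedicated keyring, verify
# its fingerprint, and reference it with signed-by so it can only sign this
# repository instead of every apt source on the host.
set -eu

KEYRING=/usr/share/keyrings/deb.sury.org-php.gpg
# Placeholder: replace with the fingerprint published by packages.sury.org.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Build the sources.list entry that pins the repository to its own keyring.
sury_sources_line() {
    printf 'deb [signed-by=%s] https://packages.sury.org/php/ bullseye main\n' "$1"
}

# Normalise two fingerprints (drop spaces, upper-case) and compare them;
# an empty fingerprint never matches.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of the first key in a keyring file (binary or armored).
keyring_fingerprint() {
    gpg --show-keys --with-fingerprint --with-colons "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Download, verify, and only then install the key and the sources entry.
install_sury_repo() {
    tmp=$(mktemp)
    curl -fsSL -o "$tmp" https://packages.sury.org/php/apt.gpg
    got=$(keyring_fingerprint "$tmp")
    if ! fpr_matches "$got" "$EXPECTED_FPR"; then
        echo "refusing to trust key with fingerprint '$got'" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp"
    sury_sources_line "$KEYRING" > /etc/apt/sources.list.d/sury-php.list
    apt update
}
```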

Finally we can install server software packages.

apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable

Setup Nginx

See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:

upstream php-handler {
    server unix:/var/run/php/php8.0-fpm.sock;
}

Also change root to /var/www/nextcloud.

We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As for the SSL certificate, we will use our wildcard csclub.uwaterloo.ca certificate. Copy the files from xylitol.

Database setup

We'll use the MariaDB instance on coffee. Create a DB user and database for Nextcloud there. Make sure it allows connections from the IP address of the nextcloud container.

Install Nextcloud

Download the zip from https://nextcloud.com/install/ (find the Archive version). Extract it to /var/www/nextcloud. Change the owner of the folder to www-data:www-data.

DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. The installation page should be up. Fill in the details to finish the installation.

Setup cron job

We go with the systemd approach. See https://docs.nextcloud.com/server/24/admin_manual/configuration_server/background_jobs_configuration.html#systemd.

Basically, set up a service and a timer, then enable the timer.
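The service and timer pair the Nextcloud documentation describes, as an added example rather than the page's own units; the paths match the /var/www/nextcloud web root used above, and UNIT_DIR is a hypothetical override so the writer can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: systemd service + timer that run Nextcloud's cron.php every
# five minutes, then switch Nextcloud's background-job mode to cron.
set -eu

NEXTCLOUD_DIR=/var/www/nextcloud            # web root used on this page
UNIT_DIR=${UNIT_DIR:-/etc/systemd/system}   # override for a dry run

# Write both units. Running as www-data (owner of the web root) keeps the
# job from ever creating root-owned files under the Nextcloud tree.
write_cron_units() {
    dir=$1
    cat > "$dir/nextcloudcron.service" <<EOF
[Unit]
Description=Nextcloud cron.php job

[Service]
User=www-data
ExecStart=/usr/bin/php -f $NEXTCLOUD_DIR/cron.php
KillMode=process
EOF
    cat > "$dir/nextcloudcron.timer" <<EOF
[Unit]
Description=Run Nextcloud cron.php every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target
EOF
}

# Print the value of one key in a unit file, so settings can be checked.
unit_value() {
    sed -n "s/^$2=//p" "$1"
}

enable_cron_units() {
    write_cron_units "$UNIT_DIR"
    systemctl daemon-reload
    systemctl enable --now nextcloudcron.timer
    # Tell Nextcloud that background jobs now come from cron, not AJAX.
    sudo -u www-data php "$NEXTCLOUD_DIR/occ" background:cron
}
```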

LDAP and OIDC setup

In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures users can sign in with their WatIAM credentials (just like Quest and Learn), and that their group information is correctly assigned in Nextcloud.

First set up the LDAP plugin. Enable LDAP/AD integration in Apps, then navigate to Settings-Administration-LDAP/AD integration (must be admin). Fill in the information as follows:

  • Server
    • ldaps://ldap1.csclub.uwaterloo.ca 636
    • User DN && Password: blank
    • Base DN: dc=csclub,dc=uwaterloo,dc=ca
  • User
    • LDAP Query: (&(objectClass=bruh)(!(shadowExpire=1)))
  • Login attributes
    • LDAP Query: (&(|(objectclass=member))(uid=%uid))
  • Group
    • LDAP Query: (&(objectClass=posixGroup)(uniqueMember=*))
  • Advanced
    • Backup (Replica) Host: ldaps://ldap2.csclub.uwaterloo.ca
    • Base User Tree: ou=People,dc=csclub,dc=uwaterloo,dc=ca
    • Base Group Tree: ou=Group,dc=csclub,dc=uwaterloo,dc=ca
    • Group-Member association: uniqueMember
    • Special Attributes: mailLocalAddress
    • Internal Username: uid

If things go okay, CSC users should appear in Nextcloud's user list.
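Before trusting the plugin's user list, the same filters can be checked with an anonymous ldapsearch against the server above (the settings use a blank User DN, so an anonymous bind is exactly what Nextcloud will do). This is an added example, not part of the wiki page; the filters and base DNs are copied from the settings list.

```shell
#!/bin/sh
# Added example: run the user and group filters from the Nextcloud LDAP
# settings with an anonymous bind, so an empty or over-broad result is
# noticed before the plugin is relied on.
set -eu

LDAP_URI=ldaps://ldap1.csclub.uwaterloo.ca
PEOPLE_BASE='ou=People,dc=csclub,dc=uwaterloo,dc=ca'
GROUP_BASE='ou=Group,dc=csclub,dc=uwaterloo,dc=ca'
USER_FILTER='(&(objectClass=bruh)(!(shadowExpire=1)))'
GROUP_FILTER='(&(objectClass=posixGroup)(uniqueMember=*))'

# Count entries in LDIF on stdin: one unindented "dn:" line per entry
# (ldapsearch wraps long values onto lines that start with a space).
count_entries() {
    grep -c '^dn:' || true
}

# Print the values of one attribute from LDIF on stdin.
attr_values() {
    sed -n "s/^$1: //p"
}

# Anonymous simple bind (-x with no -D/-w), matching the blank User DN.
ldap_query() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$1" "$2" "$3"
}

check_filters() {
    users=$(ldap_query "$PEOPLE_BASE" "$USER_FILTER" uid | count_entries)
    groups=$(ldap_query "$GROUP_BASE" "$GROUP_FILTER" cn | count_entries)
    echo "active users: $users, groups with members: $groups"
    [ "$users" -gt 0 ] && [ "$groups" -gt 0 ]
}
```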

OIDC setup

We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with Keycloak.

First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.

Then install the plugin in Nextcloud and edit Nextcloud's config file at /var/www/nextcloud/config/config.php. Here are some highlights.

'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
  'id' => 'preferred_username',
  'mail' => 'email',
  'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,

Speed

Memory caching

Redis and APCu are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.
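The occ commands that set the caches described above and a check that the web server user can actually reach the Redis socket, as an added example that is not part of this page. It assumes the Debian default socket path /var/run/redis/redis-server.sock and redis group.

```shell
#!/bin/sh
# Added example: configure APCu + Redis-over-socket via occ, and verify
# that www-data is in the group that owns the socket. Socket path and
# group are the Debian defaults (assumption); adjust if yours differ.
set -eu

NEXTCLOUD_DIR=/var/www/nextcloud
REDIS_SOCK=/var/run/redis/redis-server.sock

occ() {
    sudo -u www-data php "$NEXTCLOUD_DIR/occ" "$@"
}

# APCu for the local cache, Redis for the distributed cache and file locking.
# Port 0 tells the Redis client that "host" is a UNIX socket path.
configure_caching() {
    occ config:system:set memcache.local --value '\OC\Memcache\APCu'
    occ config:system:set memcache.distributed --value '\OC\Memcache\Redis'
    occ config:system:set memcache.locking --value '\OC\Memcache\Redis'
    occ config:system:set redis host --value "$REDIS_SOCK"
    occ config:system:set redis port --value 0 --type integer
}

# A socket mode such as 770 (no "other" bits) keeps unrelated local users
# away from the cache; the last octal digit must therefore be 0.
mode_excludes_others() {
    case $1 in *0) return 0 ;; *) return 1 ;; esac
}

# Check that $2 is a member of the group owning socket $1.
socket_access_ok() {
    sock=$1; user=$2
    [ -S "$sock" ] || { echo "$sock is not a socket" >&2; return 1; }
    group=$(stat -c %G "$sock")
    id -nG "$user" | tr ' ' '\n' | grep -qx "$group"
}

# Redis side, in /etc/redis/redis.conf:
#   unixsocket /var/run/redis/redis-server.sock
#   unixsocketperm 770
# and add the web server user to the socket's group:
#   usermod -aG redis www-data
```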

Dedicated push notification server

There's a dedicated Nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.

See https://github.com/nextcloud/notify_push. To set it up:

  1. Install "Client Push" app from Nextcloud app store
  2. Create and enable a systemd service
  3. Add reverse proxy configuration to nextcloud's Nginx config file

You should test the setup using https://github.com/nextcloud/notify_push/tree/main/test_client. For those unfamiliar with Rust, just clone it and run cargo build --release. You'll find the binary in target/release.

Miscellaneous