Nextcloud
General Administration Notes
- To use the admin account, use https://files.csclub.uwaterloo.ca/login?direct=1&noredir=1 with the admin credentials found on the syscom machine.
Storage setup
NFS mount. Add this to /etc/fstab:
fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0
Container setup
Create the container config at /etc/systemd/nspawn/nextcloud.nspawn. The host machine should have br0 set up already.
[Exec]
Boot=yes
Hostname=nextcloud
PrivateUsers=no

[Network]
Bridge=br0
Create minimal debian installation.
debootstrap bullseye /var/lib/machines/nextcloud http://mirror.csclub.uwaterloo.ca/debian
Start the container with systemctl enable --now systemd-nspawn@nextcloud.
Inside the container
Use machinectl shell nextcloud to obtain a root shell inside the container.
Network configuration
Add IPv4 and IPv6 addresses to /etc/network/interfaces as usual.
Install server software
Grab the essentials first.
apt install apt-transport-https curl unzip
Nextcloud recommends PHP 8.0 (has JIT support, performance go brrr), but Debian bullseye doesn't have it in the official repository, so add a third-party repository.
Create /etc/apt/sources.list.d/sury-php.list with:
deb https://packages.sury.org/php/ bullseye main
And obtain the repository signing key.
curl -o /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
apt update
Finally we can install the server software packages.
apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable
Setup Nginx
See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:
upstream php-handler {
    server unix:/var/run/php/php8.0-fpm.sock;
}
Also change root to /var/www/nextcloud.
We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As for the SSL certificate, we will use our wildcard csclub.uwaterloo.ca certificate. Copy them from xylitol.
Database setup
We'll use the MariaDB instance on coffee. Create a DB user and database for Nextcloud there. Make sure it allows connections from the IP address of the nextcloud container.
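The database step above, as an added example that is not part of the wiki page: a small script that produces the MariaDB statements for a Nextcloud database whose user is only allowed to connect from the container's address and only has rights on its own schema, then feeds them to the server on coffee. It assumes the container IP and a password file are passed in, that you have an admin account on coffee (root with a password prompt here), and that the schema uses utf8mb4, which Nextcloud expects.

```shell
#!/bin/sh
# Added example for the database step; not from the wiki page. Assumptions:
# container IP and password are supplied by the caller, the admin account on
# coffee is root (prompted for its password), utf8mb4 character set.

nextcloud_db_sql() {
    container_ip="$1"
    password="$2"
    # A quote or backslash in the password would escape the string literal and
    # break the statement, so refuse it instead of interpolating blindly.
    case "$password" in
        *\'*|*\\*) echo "password must not contain ' or \\" >&2; return 1 ;;
    esac
    # The host part of the account is the container IP, not '%': another host
    # on the network that learns the password still cannot log in.
    printf '%s\n' \
        "CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;" \
        "CREATE USER IF NOT EXISTS 'nextcloud'@'${container_ip}' IDENTIFIED BY '${password}';" \
        "GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'${container_ip}';" \
        "FLUSH PRIVILEGES;"
}

# Apply it. The password is read from a root-only file so it never appears on a
# command line or in shell history; mysql prompts for the admin password.
create_nextcloud_db() {
    container_ip="$1"
    password_file="$2"
    nextcloud_db_sql "$container_ip" "$(cat "$password_file")" | mysql -h coffee -u root -p
}

# Usage: sh nextcloud-db.sh apply 10.15.0.42 /root/nextcloud-db.pw
# (the address is a constructed placeholder, use the container's real one)
if [ "${1:-}" = apply ]; then
    create_nextcloud_db "$2" "$3"
fi
```

Restricting the account to one address is only half of "allow connections from the container": MariaDB on coffee must also listen on a non-loopback address (bind-address in its server config), and any host firewall there has to let the container's address reach port 3306.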
Install Nextcloud
Download the zip from https://nextcloud.com/install/ (find the Archive version). Extract it to /var/www/nextcloud. Change the owner of the folder to www-data:www-data.
DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca; the installation page should be up. Fill in the details to finish the installation.
Setup cron job
We go with the systemd approach. See https://docs.nextcloud.com/server/24/admin_manual/configuration_server/background_jobs_configuration.html#systemd.
Basically, set up a service and a timer, then enable the timer.
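The service and timer pair described above, as an added example (not the wiki's files, though the unit contents follow the Nextcloud docs page linked). It assumes Nextcloud at /var/www/nextcloud running as www-data, as stated on this page, and php at /usr/bin/php; the unit directory is a parameter so the function can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example for the cron job section; not the wiki page's own files.
# Assumptions: Nextcloud at /var/www/nextcloud, runs as www-data, php at
# /usr/bin/php, systemd units go in /etc/systemd/system unless told otherwise.

write_nextcloud_cron_units() {
    unitdir="${1:-/etc/systemd/system}"
    cat > "$unitdir/nextcloudcron.service" <<'EOF'
[Unit]
Description=Nextcloud cron.php job

[Service]
User=www-data
ExecStart=/usr/bin/php -f /var/www/nextcloud/cron.php
KillMode=process
# Light hardening (assumption: cron.php needs nothing beyond www-data's rights)
NoNewPrivileges=yes
PrivateTmp=yes
EOF
    cat > "$unitdir/nextcloudcron.timer" <<'EOF'
[Unit]
Description=Run Nextcloud cron.php every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
Unit=nextcloudcron.service

[Install]
WantedBy=timers.target
EOF
}

# Enable only the timer; the service is started by it, never on its own.
enable_nextcloud_cron() {
    systemctl daemon-reload
    systemctl enable --now nextcloudcron.timer
}

# Tell Nextcloud that cron (not AJAX/webcron) drives background jobs, so the
# admin overview stops warning about it; occ must run as www-data.
set_cron_mode() {
    sudo -u www-data php /var/www/nextcloud/occ background:cron
}

# Usage (as root inside the container): sh nextcloud-cron.sh install
if [ "${1:-}" = install ]; then
    write_nextcloud_cron_units
    enable_nextcloud_cron
    set_cron_mode
fi
```

Check it with systemctl list-timers nextcloudcron.timer after enabling; the admin overview should report the last job run within the last few minutes.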
LDAP and OIDC setup
In our setup, OIDC is used for SSO (Single Sign-On) only. User and group information is then handled via the LDAP plugin. This ensures users can sign in with their WatIAM credentials (just like Quest and Learn) and that their group memberships are correctly assigned in Nextcloud.
First set up the LDAP plugin. Enable LDAP/AD integration in Apps, then navigate to Settings > Administration > LDAP/AD integration (must be admin). Fill in the information as follows:
- Server
  - ldaps://ldap1.csclub.uwaterloo.ca 636
  - User DN and Password: blank
  - Base DN: dc=csclub,dc=uwaterloo,dc=ca
- User
  - LDAP Query: (&(objectClass=bruh)(!(shadowExpire=1)))
- Login attributes
  - LDAP Query: (&(|(objectclass=member))(uid=%uid))
- Group
  - LDAP Query: (&(objectClass=posixGroup)(uniqueMember=*))
- Advanced
  - Backup (Replica) Host: ldaps://ldap2.csclub.uwaterloo.ca
  - Base User Tree: ou=People,dc=csclub,dc=uwaterloo,dc=ca
  - Base Group Tree: ou=Group,dc=csclub,dc=uwaterloo,dc=ca
  - Group-Member association: uniqueMember
  - Special Attributes: mailLocalAddress
  - Internal Username: uid
If things go okay, CSC users should appear in Nextcloud's user list.
OIDC setup
We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with Keycloak.
First set up Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.
Then install the plugin in Nextcloud and edit Nextcloud's config file at /var/www/nextcloud/config/config.php. Here are some highlights.
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' => array (
    'id' => 'preferred_username',
    'mail' => 'email',
    'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,
Speed
Memory caching
Redis and APCu are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.
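The caching setup above, as an added example that is not the wiki page's or Nextcloud's own code: a drop-in config/*.config.php (Nextcloud merges every such file into config.php, so config.php itself stays untouched) selecting APCu for the local cache and Redis over a UNIX socket for the distributed and file-locking caches, plus the Redis-side settings that make the socket usable. It assumes Nextcloud at /var/www/nextcloud running as www-data (from this page), Debian's redis-server with its socket at /var/run/redis/redis-server.sock, and PHP 8.0's CLI ini directory.

```shell
#!/bin/sh
# Added example for the memory caching section; not from the wiki page or from
# Nextcloud. Assumptions: Nextcloud at /var/www/nextcloud as www-data, Debian
# redis-server with socket /var/run/redis/redis-server.sock, PHP 8.0 CLI.

write_caching_config() {
    confdir="${1:-/var/www/nextcloud/config}"
    cat > "$confdir/caching.config.php" <<'EOF'
<?php
$CONFIG = array (
  // APCu: in-process cache, fastest, only meaningful on this host
  'memcache.local' => '\OC\Memcache\APCu',
  // Redis: shared cache and transactional file locking
  'memcache.distributed' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => array (
    // A socket path as host together with port 0 selects the UNIX socket
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 1.5,
  ),
);
EOF
    # Same tight mode as the rest of the config directory
    chmod 640 "$confdir/caching.config.php"
    if id www-data >/dev/null 2>&1; then
        chown www-data:www-data "$confdir/caching.config.php"
    fi
}

# Redis side: serve the socket, drop the TCP listener entirely (nothing else on
# this host needs it), and restrict the socket to the redis group.
configure_redis_socket() {
    conf="${1:-/etc/redis/redis.conf}"
    cat >> "$conf" <<'EOF'

# Added for Nextcloud: UNIX socket only, no TCP listener
port 0
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770
EOF
}

# occ runs under the PHP CLI, where APCu is off by default; without this every
# occ call fails with "Memcache \OC\Memcache\APCu not available for local cache".
enable_apcu_for_cli() {
    ini="${1:-/etc/php/8.0/cli/conf.d/20-apcu.ini}"
    grep -q '^apc.enable_cli=1' "$ini" 2>/dev/null || echo 'apc.enable_cli=1' >> "$ini"
}

# Usage (as root inside the container): sh caching.sh install
if [ "${1:-}" = install ]; then
    write_caching_config
    configure_redis_socket
    enable_apcu_for_cli
    usermod -a -G redis www-data   # lets php-fpm open the mode-770 socket
    systemctl restart redis-server php8.0-fpm
fi
```

After the restart, occ status and the admin overview page should both come up without cache errors; if php-fpm cannot open the socket, the redis group membership or unixsocketperm is the first thing to check.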
Dedicated push notification server
There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.
See https://github.com/nextcloud/notify_push. To set it up:
- Install "Client Push" app from Nextcloud app store
- Create and enable a systemd service
- Add reverse proxy configuration to nextcloud's Nginx config file
You should test the setup using https://github.com/nextcloud/notify_push/tree/main/test_client. For those unfamiliar with Rust, just clone it and run cargo build --release. You'll find the binary at target/release.
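The three setup steps listed above (app, systemd service, reverse proxy), as one added example; these are neither the wiki's files nor notify_push's own, though the unit and the location block follow the values in the notify_push README (the daemon reads config.php to find the database and Redis, listens on PORT, 7867 by default, and is published under /push/ by the proxy). It assumes Nextcloud at /var/www/nextcloud as www-data, the x86_64 binary shipped inside the app directory, and the site URL https://files.csclub.uwaterloo.ca.

```shell
#!/bin/sh
# Added example for the push notification server; not the wiki page's files
# and not notify_push's own. Assumptions: Nextcloud at /var/www/nextcloud as
# www-data, binary at apps/notify_push/bin/x86_64/notify_push, site URL
# https://files.csclub.uwaterloo.ca.

write_notify_push_service() {
    unitdir="${1:-/etc/systemd/system}"
    cat > "$unitdir/notify_push.service" <<'EOF'
[Unit]
Description=Push daemon for Nextcloud clients
After=network-online.target redis-server.service

[Service]
Environment=PORT=7867
ExecStart=/var/www/nextcloud/apps/notify_push/bin/x86_64/notify_push /var/www/nextcloud/config/config.php
User=www-data
Restart=on-failure
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Nginx snippet: include it inside the server { } block for the site. Clients
# only ever reach the daemon through this proxy; X-Forwarded-For is what lets
# it see the real client address (subject to Nextcloud's trusted_proxies).
write_push_nginx_location() {
    out="${1:-/etc/nginx/snippets/notify_push.conf}"
    cat > "$out" <<'EOF'
location ^~ /push/ {
    proxy_pass http://127.0.0.1:7867/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
EOF
}

# Bring it up and let occ run its self-test against the public push URL.
setup_notify_push() {
    systemctl daemon-reload
    systemctl enable --now notify_push
    nginx -t && systemctl reload nginx
    # The proxy sits on loopback, so Nextcloud must trust 127.0.0.1 for X-Forwarded-For
    sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_proxies 0 --value 127.0.0.1
    sudo -u www-data php /var/www/nextcloud/occ notify_push:setup https://files.csclub.uwaterloo.ca/push
}

# Usage (as root inside the container, after adding
# "include snippets/notify_push.conf;" to the site's server block):
#   sh notify-push.sh install
if [ "${1:-}" = install ]; then
    write_notify_push_service
    write_push_nginx_location
    setup_notify_push
fi
```

occ notify_push:setup performs its own checks (that the daemon is reachable, that it sees the forwarded headers and that Redis delivers events); once it passes, the test_client build mentioned above is the end-to-end check from a real client's point of view.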
Miscellaneous
- Email setup
  - Just fill it in in the admin panel.
- Theme
  - We use https://github.com/mwalbeck/nextcloud-breeze-dark for some KDE vibe. Oh, change the icon too.