Nextcloud: Difference between revisions

(Created page with "<span id="general-administration-notes"></span> = General Administration Notes = * To use the admin account, use https://files.csclub.uwaterloo.ca/login?direct=1&noredir=1 wi...")
 
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 14: Line 14:
= Container setup =
= Container setup =


See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .
Create container config at <code>/etc/systemd/nspawn/nextcloud.nspawn</code>. The host machine should have <code>br0</code> set-up already.

<pre class="config">[Exec]
Boot=yes
Hostname=nextcloud
PrivateUsers=no

[Network]
Bridge=br0
</pre>
Create minimal debian installation.

<syntaxhighlight lang="shell">debootstrap bullseye /var/lib/machines/nextcloud http://mirror.csclub.uwaterloo.ca/debian
</syntaxhighlight>
Start container with <code>systemctl enable --now systemd-nspawn@nextcloud</code>.


<span id="inside-the-container"></span>
<span id="inside-the-container"></span>
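Review bot: dropping the nspawn unit and the debootstrap/systemctl lines from Container setup in favour of the Systemd-nspawn link (the latest revision further down keeps only that link) loses the two settings that matter for isolation, `PrivateUsers=no` and `Bridge=br0`, as well as the unit name `systemd-nspawn@nextcloud`; confirm the linked page records that this container runs without user namespaces and sits directly on br0, or keep the [Exec]/[Network] fragment here so a rebuild does not have to guess.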
Line 66: Line 52:
See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:
See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:


<pre class="config">upstream php-handler {
<syntaxhighlight lang="nginx">upstream php-handler {
server unix:/var/run/php/php8.0-fpm.sock;
server unix:/var/run/php/php8.0-fpm.sock;
}
}
</syntaxhighlight>
</pre>
Also change <code>root</code> to <code>/var/www/nextcloud</code>.
Also change <code>root</code> to <code>/var/www/nextcloud</code>.


Line 105: Line 91:
** Base DN: dc=csclub,dc=uwaterloo,dc=ca
** Base DN: dc=csclub,dc=uwaterloo,dc=ca
* User
* User
** LDAP Query: (&amp;(objectClass=bruh)(!(shadowExpire=1)))
** LDAP Query: (&amp;(objectClass=member)(!(shadowExpire=1)))
* Login attributes
* Login attributes
** LDAP Query: (&amp;(|(objectclass=member))(uid=%uid))
** LDAP Query: (&amp;(|(objectclass=member))(uid=%uid))
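Review bot: the user filter now uses `objectClass=member` instead of `bruh`, matching `(objectclass=member)` in the login filter two lines down, but the `(!(shadowExpire=1))` exclusion is still only in the user filter; if the login filter is ever evaluated on its own, an account with shadowExpire=1 would still resolve, so consider mirroring it: `(&(objectclass=member)(!(shadowExpire=1))(uid=%uid))`. The `&amp;` in both lines is an HTML entity for `&` and should be a plain ampersand in the actual setting.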

Latest revision as of 22:29, 30 August 2022

General Administration Notes

Storage setup

NFS mount. Add this to /etc/fstab.

fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0

Container setup

See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .

Inside the container

Use machinectl shell nextcloud to obtain a root shell inside the container.

Network configuration

Add IPv4 and IPv6 address to /etc/network/interfaces as usual.

Install server software

Grab the essentials first.

apt install apt-transport-https curl unzip

Nextcloud recommends PHP 8.0 (it has JIT support, performance go brrr), but Debian bullseye doesn't have it in the official repository, so add a third-party repository.

Create /etc/apt/sources.list.d/sury-php.list.

deb https://packages.sury.org/php/ bullseye main

And obtain the repository signing key.

curl -o /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg

Finally we can install server software packages.

apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable
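A key dropped into /etc/apt/trusted.gpg.d is trusted for every configured source, not just the one it was downloaded for, so the third-party PHP repository's key could validate a Release file for any other source as well. The check below is an added example, not part of the CSC wiki page: it parses one-line apt source entries, flags any entry that does not pin its own keyring with signed-by, and rewrites an entry into the scoped form. The sample entries are constructed, and the keyring paths used are assumed locations, not paths taken from the wiki.

```python
"""Audit one-line apt source entries for keys that are not scoped with signed-by.

Added example, not from the CSC wiki page. Sample entries are constructed;
the keyring paths are assumed locations.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# deb|deb-src  [opt=val ...]  uri  suite  component...
_ENTRY = re.compile(
    r"^(?P<kind>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$"
)


@dataclass
class SourceEntry:
    kind: str
    uri: str
    suite: str
    components: List[str]
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def scoped(self) -> bool:
        """True when the entry pins its own keyring via signed-by."""
        return "signed-by" in self.options


def parse_entry(line: str) -> Optional[SourceEntry]:
    """Parse one sources.list line; blank lines and comments yield None."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    m = _ENTRY.match(stripped)
    if m is None:
        raise ValueError(f"unrecognised apt source line: {line!r}")
    options: Dict[str, str] = {}
    for token in (m.group("opts") or "").split():
        key, _, value = token.partition("=")
        options[key] = value
    return SourceEntry(m.group("kind"), m.group("uri"), m.group("suite"),
                       m.group("comps").split(), options)


def audit_sources(text: str) -> List[str]:
    """Return one finding per entry that relies on the global trusted keyring."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is not None and not entry.scoped:
            findings.append(
                f"line {lineno}: {entry.uri} {entry.suite} has no signed-by; "
                "its key is trusted for all sources")
    return findings


def scope_entry(line: str, keyring: str) -> str:
    """Rewrite an entry so apt only accepts Release files signed by `keyring`."""
    entry = parse_entry(line)
    if entry is None:
        raise ValueError("not an apt source entry")
    options = dict(entry.options)
    options["signed-by"] = keyring
    opts = " ".join(f"{k}={v}" if v else k for k, v in options.items())
    comps = " ".join(entry.components)
    return f"{entry.kind} [{opts}] {entry.uri} {entry.suite} {comps}".rstrip()


# Constructed sample: the wiki's sury entry as written, a comment, and an
# already-scoped entry for a made-up host.
SAMPLE_SOURCES = """\
deb https://packages.sury.org/php/ bullseye main
# main mirror entries would be audited the same way
deb [signed-by=/usr/share/keyrings/example.gpg arch=amd64] https://example.invalid/debian bullseye main
"""

if __name__ == "__main__":
    for finding in audit_sources(SAMPLE_SOURCES):
        print(finding)
    print(scope_entry("deb https://packages.sury.org/php/ bullseye main",
                      "/usr/share/keyrings/sury-php.gpg"))
```

To apply the scoped form, the downloaded key goes somewhere apt does not treat as globally trusted (for instance /usr/share/keyrings, an assumed path) and the rewritten line replaces the one in sury-php.list; apt then refuses Release files for that source signed by any other key, and that key cannot vouch for any other source.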

Setup Nginx

See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:

upstream php-handler {
    server unix:/var/run/php/php8.0-fpm.sock;
}

Also change root to /var/www/nextcloud.

We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As for the SSL certificate, we will use our wildcard csclub.uwaterloo.ca certificate. Copy the certificate files from xylitol.

Database setup

We'll use the MariaDB instance at coffee. Create a database user and a database for Nextcloud there. Make sure it allows connections from the IP address of the nextcloud container.

Install Nextcloud

Download zip from https://nextcloud.com/install/ (find the Archive version). Extract to /var/www/nextcloud. Change owner of the folder to www-data:www-data.

The DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. The installation page should be up. Fill in the details to finish the installation.

Setup cron job

We go with the systemd approach. See https://docs.nextcloud.com/server/24/admin_manual/configuration_server/background_jobs_configuration.html#systemd.

Basically, set up a service and a timer, then enable the timer.

LDAP and OIDC setup

In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures users can sign in with their WatIAM credentials (just like Quest and Learn) and that their group information is correctly assigned in Nextcloud.

First set up the LDAP plugin. Enable LDAP/AD integration in Apps, then navigate to Settings-Administration-LDAP/AD integration (must be admin). Fill in the information as follows:

  • Server
    • ldaps://ldap1.csclub.uwaterloo.ca 636
    • User DN && Password: blank
    • Base DN: dc=csclub,dc=uwaterloo,dc=ca
  • User
    • LDAP Query: (&(objectClass=member)(!(shadowExpire=1)))
  • Login attributes
    • LDAP Query: (&(|(objectclass=member))(uid=%uid))
  • Group
    • LDAP Query: (&(objectClass=posixGroup)(uniqueMember=*))
  • Advanced
    • Backup (Replica) Host: ldaps://ldap2.csclub.uwaterloo.ca
    • Base User Tree: ou=People,dc=csclub,dc=uwaterloo,dc=ca
    • Base Group Tree: ou=Group,dc=csclub,dc=uwaterloo,dc=ca
    • Group-Member association: uniqueMember
    • Special Attributes: mailLocalAddress
    • Internal Username: uid

If things go okay, CSC users should appear in Nextcloud's user list.
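The filters above decide who Nextcloud sees as a user, who can log in, and which groups it imports, so it is worth checking what each one actually matches. The following is an added example, not code from the CSC wiki page or from Nextcloud's user_ldap app: a small evaluator for the RFC 4515 subset these filters use (and, or, not, equality, presence) run against constructed directory entries. Only the three filter strings are taken from the page; the entries, their attribute values and the uid values are made up. It shows that the user filter rejects an account with shadowExpire=1 while the login filter, evaluated on its own, does not, and it substitutes %uid with RFC 4515 escaping so a supplied login name can never change the filter's structure.

```python
"""Evaluate the wiki's LDAP filters against constructed directory entries.

Added example, not from the CSC wiki page or Nextcloud's user_ldap app.
Only the filter strings come from the page; entries are constructed.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Node = Tuple  # ('&'|'|', [Node]) | ('!', Node) | ('present', attr) | ('eq', attr, value)

USER_FILTER = "(&(objectClass=member)(!(shadowExpire=1)))"
LOGIN_FILTER = "(&(|(objectclass=member))(uid=%uid))"
GROUP_FILTER = "(&(objectClass=posixGroup)(uniqueMember=*))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter (e.g. the %uid placeholder)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FilterParser:
    """Recursive-descent parser for the &, |, !, attr=value and attr=* forms."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self) -> Node:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing characters after filter")
        return node

    def _expect(self, ch: str) -> None:
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self) -> Node:
        self._expect("(")
        c = self.s[self.i] if self.i < len(self.s) else ""
        if c in ("&", "|"):
            self.i += 1
            kids = []
            while self.i < len(self.s) and self.s[self.i] == "(":
                kids.append(self._filter())
            self._expect(")")
            return (c, kids)
        if c == "!":
            self.i += 1
            kid = self._filter()
            self._expect(")")
            return ("!", kid)
        end = self.s.find(")", self.i)  # a raw ')' never occurs inside an escaped value
        if end < 0:
            raise ValueError("unterminated filter item")
        item = self.s[self.i:end]
        self.i = end + 1
        attr, sep, value = item.partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {item!r}")
        if value == "*":
            return ("present", attr.lower())
        return ("eq", attr.lower(), _unescape(value).lower())


def _eval(node: Node, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    if kind == "!":
        return not _eval(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    return node[2] in values


def evaluate(filter_text: str, entry: Entry) -> bool:
    """Match with case-insensitive attribute names and values (caseIgnoreMatch)."""
    normalised = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    return _eval(FilterParser(filter_text).parse(), normalised)


def login_filter_for(uid: str, template: str = LOGIN_FILTER) -> str:
    """Fill the %uid placeholder the way a backend must: escaped, never raw."""
    return template.replace("%uid", escape_filter_value(uid))


# Constructed entries; attribute values are illustrative, not real CSC data.
ACTIVE = {"objectClass": ["top", "posixAccount", "member"], "uid": ["alice"], "shadowExpire": ["-1"]}
EXPIRED = {"objectClass": ["top", "posixAccount", "member"], "uid": ["mallory"], "shadowExpire": ["1"]}
NON_MEMBER = {"objectClass": ["top", "posixAccount"], "uid": ["bob"]}
GROUP = {"objectClass": ["posixGroup"], "cn": ["syscom"],
         "uniqueMember": ["uid=alice,ou=People,dc=csclub,dc=uwaterloo,dc=ca"]}

if __name__ == "__main__":
    for name, entry in (("alice", ACTIVE), ("mallory", EXPIRED), ("bob", NON_MEMBER)):
        print(name, "user filter:", evaluate(USER_FILTER, entry),
              "login filter:", evaluate(login_filter_for(name), entry))
```

The expired entry is the one to watch: it fails the user filter but passes its own login filter, so the exclusion only holds if the backend combines both filters at login. Adding `(!(shadowExpire=1))` to the login filter as well removes the dependency on that behaviour.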

OIDC setup

We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with Keycloak.

First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.

Then install the plugin in Nextcloud and edit Nextcloud's config file at /var/www/nextcloud/config/config.php. Here are some highlights.

'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
  'id' => 'preferred_username',
  'mail' => 'email',
  'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,

Speed

Memory caching

redis and APCu are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.

Dedicated push notification server

There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.

See https://github.com/nextcloud/notify_push. To set it up:

  1. Install "Client Push" app from Nextcloud app store
  2. Create and enable a systemd service
  3. Add reverse proxy configuration to nextcloud's Nginx config file

You should test the setup using https://github.com/nextcloud/notify_push/tree/main/test_client. For those unfamiliar with Rust: clone it and run cargo build --release; the binary will be at target/release.

Miscellaneous