Nextcloud

From Michael's Information Zone

Purpose

Installation

Amazon Linux

Amazon Linux ARM64

PHP 8.0
#!/bin/bash
timedatectl set-timezone America/New_York
yum upgrade -y
dd if=/dev/zero of=/SWAP bs=1024M count=2
chmod 0600 /SWAP
mkswap /SWAP
swapon /SWAP
amazon-linux-extras install -y php8.0 libreoffice
yum install -y httpd yum-cron autofs php-bcmath php-gd php-intl php-ldap php-process php-gmp php-sodium php-xml php-mbstring php-opcache php-pecl-imagick php-devel gcc libsmbclient-devel
sed -i 's/update_cmd\ \=\ default/update_cmd\ \=\ security/; s/apply_updates\ \=\ no/apply_updates\ \=\ yes/' /etc/yum/yum-cron.conf
wget https://pecl.php.net/get/redis-5.3.7.tgz
tar -xf redis-5.3.7.tgz && cd redis-5.3.7
phpize && ./configure && make && make install
cd ~
wget https://pecl.php.net/get/apcu-5.1.21.tgz
tar -xf apcu-5.1.21.tgz && cd apcu-5.1.21
phpize && ./configure && make && make install
cd ~
wget https://pecl.php.net/get/smbclient-1.0.6.tgz
tar -xf smbclient-1.0.6.tgz && cd smbclient-1.0.6
phpize && ./configure && make && make install
cd ~
echo -e '/var/www /etc/auto1.mnt\n/mnt    /etc/auto2.mnt' >> /etc/auto.master
echo -e 'html    nfs.yourdomain.com:/mnt/nfs/nextcloud/webdir' >> /etc/auto1.mnt
echo -e 'conf    nfs.yourdomain.com:/mnt/nfs/nextcloud/conf/2022' >> /etc/auto2.mnt
systemctl enable --now autofs
cp /mnt/conf/nextcloud.conf /etc/httpd/conf.d/nextcloud.conf
cp /mnt/conf/www.conf /etc/php-fpm.d/www.conf
cp /mnt/conf/php.ini /etc/php.ini
echo 'LoadModule mpm_event_module modules/mod_mpm_event.so' > /etc/httpd/conf.modules.d/00-mpm.conf
echo 'extension=redis.so' > /etc/php.d/10-redis.ini
echo 'extension=apcu.so' > /etc/php.d/10-apcu.ini
echo 'extension=smbclient.so' > /etc/php.d/40-smbclient.ini 
systemctl enable --now php-fpm
systemctl enable --now httpd
systemctl enable --now yum-cron
Notes

  • These are notes from a production environment. They assume the files are stored on an NFS server and copy the config files from that server, so use this only as a general reference.
  • NOTE: Both the PHP 7.3 and PHP 7.4 setups were created for Amazon Linux ARM based instances. That is why I am downloading some of the PHP modules from pecl.php.net.

General Setup Pre PHP

yum install -y yum-cron autofs
sed -i 's/update_cmd\ \=\ default/update_cmd\ \=\ security/; s/apply_updates\ \=\ no/apply_updates\ \=\ yes/' /etc/yum/yum-cron.conf
echo -e '/var/www /etc/auto.mnt\n/mnt    /etc/auto.mnt' >> /etc/auto.master
echo -e 'html    nfs.your.domain:/mnt/nfs/nextcloud/webdir\nconf    nfs.your.domain:/mnt/nfs/nextcloud/conf' >> /etc/auto.mnt
systemctl enable --now autofs

PHP 7.3 Specific

yum upgrade -y
amazon-linux-extras install php7.3 libreoffice -y
yum install -y httpd mod_ssl php-fpm php-gd php-pecl-zip php-mysqlnd php-intl php-ldap libsmbclient-devel php-devel php-pecl-imagick php-process php-gmp php-bcmath php-pecl-apcu php-xml php-mbstring php-opcache php-pecl-redis
wget https://pecl.php.net/get/smbclient-1.0.6.tgz
tar -xf smbclient-1.0.6.tgz
cd smbclient-1.0.6
phpize
./configure
make
make install
#echo 'extension="smbclient.so"'>> /etc/php.ini

PHP 7.4 Specific

amazon-linux-extras install php7.4 libreoffice -y
yum install -y httpd mod_ssl php-fpm php-gd php-pecl-zip php-mysqlnd php-intl php-ldap libsmbclient-devel php-devel *** php-process php-gmp php-bcmath php-pecl-apcu php-xml php-mbstring php-opcache php-pecl-redis yum-cron autofs gcc ImageMagick-devel
wget https://pecl.php.net/get/imagick-3.4.4.tgz
wget https://pecl.php.net/get/smbclient-1.0.6.tgz
tar -xf imagick-3.4.4.tgz; cd imagick-3.4.4
phpize
./configure
make
make test
make install
cd ../
tar -xf smbclient-1.0.6.tgz
cd smbclient-1.0.6
phpize
./configure
make
make install

General Steps Post PHP

echo -e '#!/bin/bash\ncp /mnt/conf/php.ini /etc/php.ini\ncp /mnt/conf/nextcloud.conf /etc/httpd/conf.d/nextcloud.conf\ncp /mnt/conf/www.conf /etc/php-fpm.d/www.conf\ncp /mnt/conf/php.conf /etc/httpd/conf.d/php.conf' > /root/conf.sh
chmod +x /root/conf.sh
/root/conf.sh
echo '@daily /root/conf.sh' >> /var/spool/cron/root

echo 'LoadModule mpm_event_module modules/mod_mpm_event.so' > /etc/httpd/conf.modules.d/00-mpm.conf
sed -i 's/LoadModule\ mpm_prefork_module\ modules\/mod_mpm_prefork.so/#&/' /etc/httpd/conf.modules.d/00-mpm.conf
sed -i 's|listen\ =\ 127\.0\.0\.1\:9000|listen\ =\ /run/www.sock|; s|^\;listen\.group\ =\ nobody|listen\.group\ =\ apache|; s|^\;listen\.mode\ =\ 0660|listen\.mode\ =\ 0660|' /etc/php-fpm.d/www.conf

systemctl enable --now php-fpm
systemctl enable --now httpd
systemctl enable --now yum-cron

Amazon Linux x86

This is from production on a single on-prem instance. The database will be held on the same server for the time being as this is more a PoC for a client.

Mariadb 10.5 / PHP 8.0
sudo amazon-linux-extras install mariadb10.5
sudo amazon-linux-extras install php8.0
sudo yum install httpd
sudo yum install -y php-fpm php-gd php-pecl-zip php-mysqlnd php-intl php-ldap php-process php-gmp php-bcmath php-pecl-apcu php-xml php-mbstring php-opcache
wget https://download.nextcloud.com/server/releases/nextcloud-22.2.0.zip
unzip nextcloud-22.2.0.zip
sudo rsync -a nextcloud/* /var/www/html/ && sudo chown -R apache:apache /var/www/html
sudo systemctl enable --now httpd
sudo systemctl enable --now mariadb
sudo mysql_secure_installation

CentOS

WIP

CentOS 7

[1][2]

yum upgrade -y
yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum -y install wget httpd mod_ssl php74-php-fpm php74-php-gd php74-php-pecl-zip php74-php-mysqlnd php74-php-intl php74-php-ldap php74-php-smbclient php74-php-pecl-imagick php74-php-process php74-php-gmp php74-php-bcmath php74-php-pecl-apcu php74-php-xml php74-php-mbstring php74-php-opcache php74-php-pecl-redis5 libreoffice-writer libreoffice-calc libreoffice-impress yum-cron autofs
sed -i 's/update_cmd\ \=\ default/update_cmd\ \=\ security/; s/apply_updates\ \=\ no/apply_updates\ \=\ yes/' /etc/yum/yum-cron.conf

***************
This is a holder as I am using autofs in my environment.
Just put your web files here. I will come back with more details.
***************

***************
Holder for php-fpm config
***************

echo 'LoadModule mpm_event_module modules/mod_mpm_event.so' > /etc/httpd/conf.modules.d/00-mpm.conf
sed -i 's/LoadModule\ mpm_prefork_module\ modules\/mod_mpm_prefork.so/#&/' /etc/httpd/conf.modules.d/00-mpm.conf
sed -i 's|listen\ =\ 127\.0\.0\.1\:9000|listen\ =\ /run/www.sock|; s|^\;listen\.group\ =\ nobody|listen\.group\ =\ apache|; s|^\;listen\.mode\ =\ 0660|listen\.mode\ =\ 0660|' /etc/opt/remi/php74/php-fpm.d/www.conf
setsebool -P httpd_can_network_connect_db on
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_sendmail on
setsebool -P httpd_use_cifs on
setsebool -P httpd_use_nfs on
systemctl enable --now php74-php-fpm
systemctl enable --now httpd
systemctl enable --now yum-cron

CentOS 8

For CentOS 7, change the remi-release package and the update commands accordingly.

mkswap -U a507cc29-e07c-46ee-8486-350111e8edf9 /dev/nvme1n1
swapon UUID=a507cc29-e07c-46ee-8486-350111e8edf9
bash -c "echo 'UUID=a507cc29-e07c-46ee-8486-350111e8edf9 swap swap defaults' >> /etc/fstab"
dnf upgrade -y
dnf -y install http://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y install wget php74-php php74-php-gd php74-php-pecl-zip php74-php-mysqlnd php74-php-intl php74-php-ldap php74-php-smbclient php74-php-pecl-imagick php74-php-process php74-php-gmp php74-php-bcmath php74-php-pecl-apcu libreoffice-writer libreoffice-calc libreoffice-impress redis

wget https://download.nextcloud.com/server/releases/nextcloud-19.0.0.zip
unzip nextcloud-19.0.0.zip
mv nextcloud /var/www/html/
mkdir /var/www/html/nextcloud/data
chown -R apache:apache /var/www/html/nextcloud
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
restorecon -R '/var/www/html/nextcloud/'

CentOS 8

sed -i 's|#\ maxmemory\ <bytes>|maxmemory 1g|; s|#\ maxmemory-policy\ noeviction|maxmemory-policy\ allkeys-lfu|' /etc/redis.conf

CentOS 7

sed -i 's|#\ maxmemory\ <bytes>|maxmemory 1g|; s|#\ maxmemory-policy\ noeviction|maxmemory-policy\ allkeys-lru|' /etc/redis.conf
setsebool -P httpd_can_network_connect_db on
setsebool -P httpd_can_connect_ldap on
setsebool -P httpd_can_network_connect on
setsebool -P httpd_can_sendmail on
setsebool -P httpd_use_cifs on
systemctl enable --now redis
systemctl enable --now php74-php-fpm
systemctl enable --now httpd

General

FPM Tweaking

Not for CentOS 7.
Taken from the Nextcloud documentation.[3] Edit /etc/opt/remi/php74/php-fpm.d/www.conf to match the values below.

pm = dynamic
pm.max_children = 120
pm.start_servers = 12
pm.min_spare_servers = 6
pm.max_spare_servers = 18

Troubleshooting

caldav not rewriting

To fix the CalDAV issues, I had to change the rewrite rules in the .htaccess file[4][5] from

RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]

to

RewriteRule ^\.well-known/carddav https://server.com/remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav https://server.com/remote.php/dav/ [R=301,L]

HSTS

Basic httpd conf file example.

<VirtualHost *:80>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  DocumentRoot /var/www/html/nextcloud
  ServerName  server.com

  <Directory /var/www/html/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
</VirtualHost>

LDAPS Server Error

When trying to enable LDAPS lookup I would run into server errors. I needed to disable the config:[6]

sudo -u apache php74 /var/www/html/nextcloud/occ ldap:show-config
sudo -u apache php74 /var/www/html/nextcloud/occ ldap:set-config s01 ldapConfigurationActive 0

Stuck Updates

  • Update was stuck at step 5 because of memory limits. I ran the following[7] to clear it.
sudo -u www-data php occ maintenance:repair

config.php modifications

caching

Use this if everything is installed on a single instance.

'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
     'host' => 'localhost',
     'port' => 6379,
],

Behind TLS Proxy

'overwriteprotocol' => 'https',
  • Under the standard config array
'trusted_proxies'   => ['192.168.20.0/24', '192.168.18.0/24'],
'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
  • Edit the Apache vhost file for the site and add the following:[8]
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" combined env=!forwarded
CustomLog "logs/access_log" proxy env=forwarded
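A worked illustration of the trusted_proxies rule above, added here as an example and not taken from this wiki or from Nextcloud's code: the forwarded header is only believed when the TCP peer (REMOTE_ADDR) falls inside one of the listed proxy ranges, otherwise the peer address itself is the client, which is what stops a host outside the proxy ranges from forging the address that brute-force throttling and the access log record. The two CIDR ranges are the ones from the config.php fragment; the function names and sample addresses are constructed, and the header walk (first entry that parses as an address wins, IPv4 only) is a simplification I assume rather than Nextcloud's exact code.

```shell
#!/bin/sh
# Added example (not from this wiki page or from Nextcloud): how the
# 'trusted_proxies' list gates X-Forwarded-For. Only when the TCP peer
# (REMOTE_ADDR) is inside a trusted range is the header consulted; any
# other peer is logged and rate-limited by its own address, so it cannot
# forge the client IP by sending the header itself.

# Trusted proxy ranges, copied from the config.php fragment above.
TRUSTED_PROXIES="192.168.20.0/24 192.168.18.0/24"

# ip2int A.B.C.D -> the address as a 32-bit integer (IPv4 only).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 when ADDR lies inside the range.
in_cidr() {
    local addr=$1 net=${2%/*} prefix=${2#*/} mask
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_trusted_proxy ADDR -> exit 0 when ADDR matches any trusted range.
is_trusted_proxy() {
    local range
    for range in $TRUSTED_PROXIES; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# client_ip PEER [XFF] -> prints the address to log and throttle on.
# XFF is the raw header value (comma-separated chain); the first entry
# that parses as an IPv4 address is taken as the originating client
# (assumed simplification of the left-to-right reading of the header).
client_ip() {
    local peer=$1 xff=$2 hop
    if [ -n "$xff" ] && is_trusted_proxy "$peer"; then
        for hop in $(printf '%s' "$xff" | tr ',' ' '); do
            if printf '%s' "$hop" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                printf '%s\n' "$hop"
                return 0
            fi
        done
    fi
    printf '%s\n' "$peer"   # untrusted peer, or no usable header entry
}
```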

Remove Default Directory Listing

'skeletondirectory' => '',

OCC Options

Disable Signup Link

[9]

sudo -u apache php74 /var/www/html/nextcloud/occ config:system:set --type=bool --value=false simpleSignUpLink.shown

Update

Using CLI

sudo -u apache php74 /var/www/nextcloud/updater/updater.phar --no-interaction

Custom Mail Template

There should be a better way to do this; I just haven't spent enough time looking for it. For now I edit the following file directly.

/var/www/html/nextcloud/apps/activity/lib/MailQueueHandler.php

For basic string changes I change

                 $template->addBodyText(
                         $l->t('There was some activity at %s', [$homeLink]),
                         $l->t('There was some activity at %s', [$this->urlGenerator->getAbsoluteURL('/')])
                 );

to

                 $template->addBodyText(
                         $l->t('New files have been received in the external file upload folder under G:\CSPFX. Please retrieve and remove the files and notify the appropriate staff in your office. The files in this folder will be automatically deleted after 10 days.'),