Summary
NextCloud, a fork of OwnCloud, is a file sharing application. It’s open source and suitable for self-hosting. I will show how to install it on OpenBSD, which is well known for its ongoing efforts to achieve proactive security.
The table of contents is:
- Create database
- Prepare the application
- Configure PHP and PHP-FPM
- Build web server
- Install NextCloud
Environment
- OS: OpenBSD 6.6
- Database: MariaDB 10.3
- Application Engine: PHP 7.3 and PHP-FPM
- File Sharing Application: NextCloud 16/17
- Web server: OpenBSD httpd
Tutorial
1. Create database
In my case, the database is MariaDB.
What I did was to run mysql so as to connect to the DB server and execute:
CREATE DATABASE <db-name> DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON <db-name>.* TO <db-user> IDENTIFIED BY '<db-pass>';
FLUSH PRIVILEGES;
\q
Alternatively, you can use SQLite.
2. Prepare the application
There are two ways:
- One is to build it from source code.
- The other is to use pkg_add and get the official package from OpenBSD Package Management System.
2-1. Case: Build from source code
I chose this way because it makes it possible to build multiple services on a single computer. 16.0.6 is the version its stable channel recommends.
$ ftp https://download.nextcloud.com/server/releases/nextcloud-16.0.6.tar.bz2
$ tar xvjf nextcloud-16.0.6.tar.bz2
$ mv nextcloud <some-dir>/nextcloud
Be careful not to copy nextcloud/config/config.sample.php to nextcloud/config/config.php here. config.php will be made by the web installer afterwards.
2-2. Case: OpenBSD Package Management System
Just run:
# pkg_add nextcloud
It will be installed in /var/www/nextcloud.
The version may be 17.0.0.
A useful document about the package will be available at /usr/local/share/doc/pkg-readmes/nextcloud.
The good point of using the package is the default configuration provided by the great maintainers. The bad point is that it’s installed in an OS-specific path instead of a user- or site-specific one, so it’s difficult to have multiple services.
3. (Optional) Configure PHP and PHP-FPM
Edit /etc/php-7.3.ini:
- opcache.memory_consumption=128
+ opcache.memory_consumption=512
Also edit /etc/php-fpm.conf:
- ;env[PATH] = /usr/local/bin:/usr/bin:/bin
+ env[PATH] = /usr/local/bin:/usr/bin:/bin
4. Build web server
Edit /etc/httpd.conf to add the definitions for your service:
server "<domain.tld>" {
    listen on $ext_addr port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "<domain.tld>" {
    listen on egress tls port 443
    root "<some-dir-after-chroot>/nextcloud"
    directory index index.php
    hsts max-age 15768000
    tls {
        certificate "/etc/ssl/<domain.tld>_fullchain.pem"
        key "/etc/ssl/private/<domain.tld>_private.pem"
    }
    # deny access to confidential data/programs first
    location "/.ht*" { block }
    location "/.user*" { block }
    location "/3rdparty*" { block }
    location "/README" { block }
    location "/autotest*" { block }
    location "/build*" { block }
    location "/config*" { block }
    location "/console*" { block }
    location "/data*" { block }
    location "/db_*" { block }
    location "/indie*" { block }
    location "/issue*" { block }
    location "/lib*" { block }
    location "/occ*" { block }
    location "/templates*" { block }
    location "/tests*" { block }
    location "/*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/*.php[/?]*" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/.well-known/host-meta" {
        block return 301 "/public.php?service=host-meta"
    }
    location "/.well-known/host-meta.json" {
        block return 301 "/public.php?service=host-meta-json"
    }
    location "/.well-known/webfinger" {
        block return 301 "/public.php?service=webfinger"
    }
    location "/.well-known/carddav" {
        block return 301 "/remote.php/dav/"
    }
    location "/.well-known/caldav" {
        block return 301 "/remote.php/dav/"
    }
}
Then run:
# rcctl restart httpd
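httpd applies the first location that matches a request, which is why the block entries in the configuration above come before the FastCGI ones. The following shell sketch is an added example, not part of the original tutorial: it replays the location patterns in file order against constructed request paths, so you can check that files such as config.php and the data directory are blocked before the "/*.php" rule is reached. The action labels (block, fastcgi, redirect, static) and the sample paths are constructed, and it assumes shell glob matching (case-sensitive, with * matching "/") is close enough to httpd's matching for these paths.

```shell
# Constructed copy of the location patterns from the httpd.conf above,
# in file order, one "<glob> <action>" pair per line.
RULES='/.ht* block
/.user* block
/3rdparty* block
/README block
/autotest* block
/build* block
/config* block
/console* block
/data* block
/db_* block
/indie* block
/issue* block
/lib* block
/occ* block
/templates* block
/tests* block
/*.php fastcgi
/*.php[/?]* fastcgi
/.well-known/host-meta redirect
/.well-known/host-meta.json redirect
/.well-known/webfinger redirect
/.well-known/carddav redirect
/.well-known/caldav redirect'

# Print the action of the first rule whose glob matches $1, or "static"
# when no rule matches (the file is then served from the server root).
first_match() {
    while read -r pat action; do
        # Unquoted $pat is treated as a glob by `case`; * also matches "/"
        # (assumed here to mirror httpd's matching).
        case "$1" in
            $pat) echo "$action"; return 0 ;;
        esac
    done <<EOF
$RULES
EOF
    echo static
}

# Constructed request paths to audit.
for p in /index.php /remote.php/dav/ /config/config.php /data/nextcloud.log \
         /occ /core/img/logo.svg /.well-known/caldav; do
    printf '%-24s %s\n' "$p" "$(first_match "$p")"
done
```

If you reorder or add location entries, update RULES to match and rerun the check: a sensitive path that reports fastcgi or static is no longer covered by a block rule.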
5. Install NextCloud
Access the service with your web browser. The web installer will start. Fill in the form and click “Finish setup”.
If the installation is successful, you will see the login page.
Again, nextcloud/config/config.php is created by the web installer.
Remember that the “datadirectory” setting in it is affected by chroot.
This means that the value is /nextcloud/data when the real data directory is /var/www/nextcloud/data, because chroot strips “/var/www” from the path.
Conclusion
Thank you for reading :) I hope you enjoy your secure file sharing.