NextCloud 16/17 on OpenBSD 6.6

@nabbisen

Summary

NextCloud, a fork of OwnCloud, is a file-sharing application. It’s open source and suitable for self-hosting. I will show how to install it on OpenBSD, which is well known for its ongoing efforts to achieve proactive security.

The table of contents is:

  1. Create database
  2. Prepare the application
  3. Configure PHP and PHP-FPM
  4. Build web server
  5. Install NextCloud

Environment

  • OS: OpenBSD 6.6
  • Database: MariaDB 10.3
  • Application Engine: PHP 7.3 and PHP-FPM
  • File Sharing Application: NextCloud 16/17
  • Web server: OpenBSD httpd

Tutorial

1. Create database

In my case, the database is MariaDB. I ran mysql to connect to the DB server and executed:

CREATE DATABASE <db-name> DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON <db-name>.* TO <db-user> IDENTIFIED BY '<db-pass>';
FLUSH PRIVILEGES;
\q

Alternatively, you can use SQLite.

2. Prepare the application

There are two ways:

  • One is to build it from source code.
  • The other is to use pkg_add and get the official package from the OpenBSD package management system.

2-1. Case: Build from source code

I chose this way because it makes it possible to run multiple services on a single computer. 16.0.6 is the version the stable channel recommends.

$ ftp https://download.nextcloud.com/server/releases/nextcloud-16.0.6.tar.bz2
$ tar xvjf nextcloud-16.0.6.tar.bz2
$ mv nextcloud-16.0.6 <some-dir>/nextcloud

Be careful not to copy nextcloud/config/config.sample.php to nextcloud/config/config.php here. config.php will be made by the web installer afterwards.

2-2. Case: OpenBSD Package Management System

Just run:

# pkg_add nextcloud

It will be installed in /var/www/nextcloud. The version may be 17.0.0. A useful document about the package is installed at /usr/local/share/doc/pkg-readmes/nextcloud.

The advantage of the package is its default configuration, prepared by the great maintainers. The disadvantage is that it is installed in an OS-specific path instead of a user- or site-specific one, which makes it difficult to run multiple services.

3. (Optional) Configure PHP and PHP-FPM

Edit /etc/php-7.3.ini:

- opcache.memory_consumption=128
+ opcache.memory_consumption=512

Also edit /etc/php-fpm.conf:

- ;env[PATH] = /usr/local/bin:/usr/bin:/bin
+ env[PATH] = /usr/local/bin:/usr/bin:/bin

4. Build web server

Edit /etc/httpd.conf to add the definitions for your service:

server "<domain.tld>" {
    # $ext_addr is a macro; it must be defined earlier in httpd.conf
    listen on $ext_addr port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "<domain.tld>" {
    listen on egress tls port 443

    root "<some-dir-after-chroot>/nextcloud"
    directory index index.php

    hsts max-age 15768000

    tls {
        certificate "/etc/ssl/<domain.tld>_fullchain.pem"
        key         "/etc/ssl/private/<domain.tld>_private.pem"
    }

    # deny access to confidential data/programs first
    location "/.ht*"        { block }
    location "/.user*"      { block }
    location "/3rdparty*"   { block }
    location "/README"      { block }
    location "/autotest*"   { block }
    location "/build*"      { block }
    location "/config*"     { block }
    location "/console*"    { block }
    location "/data*"       { block }
    location "/db_*"        { block }
    location "/indie*"      { block }
    location "/issue*"      { block }
    location "/lib*"        { block }
    location "/occ*"        { block }
    location "/templates*"  { block }
    location "/tests*"      { block }

    location "/*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/*.php[/?]*" {
        fastcgi socket "/run/php-fpm.sock"
    }

    location "/.well-known/host-meta" {
        block return 301 "/public.php?service=host-meta"
    }
    location "/.well-known/host-meta.json" {
        block return 301 "/public.php?service=host-meta-json"
    }
    location "/.well-known/webfinger" {
        block return 301 "/public.php?service=webfinger"
    }
    location "/.well-known/carddav" {
        block return 301 "/remote.php/dav/"
    }
    location "/.well-known/caldav" {
        block return 301 "/remote.php/dav/"
    }
}

Then run:

# rcctl restart httpd
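
Why the deny rules sit above the PHP handlers, as an added example that is not part of the original post: httpd applies only the first matching location, so the script below replays a subset of the rules in both orders against constructed request paths. It assumes location globs behave like sh case patterns in which * also matches /; decide, RULES_AS_WRITTEN and RULES_PHP_FIRST are hypothetical names.

```shell
#!/bin/sh
# Added example: models httpd's first-match location lookup for a subset of
# the rules above. Assumption: location globs behave like sh "case" patterns
# in which "*" also matches "/"; case-insensitive matching is not modelled.

# Rules in file order, one per line: "<glob> <action>".
RULES_AS_WRITTEN='/.ht* block
/config* block
/data* block
/lib* block
/occ* block
/*.php fastcgi
/*.php[/?]* fastcgi
/.well-known/carddav redirect'

# Constructed bad ordering: the same rules with the PHP handlers moved first.
RULES_PHP_FIRST='/*.php fastcgi
/*.php[/?]* fastcgi
/.ht* block
/config* block
/data* block
/lib* block
/occ* block
/.well-known/carddav redirect'

# decide <rules> <request-path>
# Prints the action of the first rule whose glob matches the path, or
# "static" when no location matches and httpd serves the file from root.
decide() {
    rules=$1
    path=$2
    while read -r glob action; do
        case $path in
            $glob) echo "$action"; return 0 ;;
        esac
    done <<EOF
$rules
EOF
    echo static
}

# Constructed sample request paths.
for p in /index.php /remote.php/dav/files/alice/ /config/config.php \
         /lib/base.php /data/nextcloud.log /occ /core/img/logo.svg; do
    printf '%-30s as-written=%-9s php-first=%s\n' "$p" \
        "$(decide "$RULES_AS_WRITTEN" "$p")" "$(decide "$RULES_PHP_FIRST" "$p")"
done
```

With the PHP handlers listed first, /config/config.php and /lib/base.php are handed to PHP-FPM instead of being blocked.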

5. Install NextCloud

Open the service in your web browser. The web installer will start. Fill in the form and click “Finish setup”:

web installer

If the installation is successful, you will see the login page:

login

Again, nextcloud/config/config.php is created by the web installer. Remember that the “datadirectory” setting in it is affected by chroot: the value is /nextcloud/data when the real data directory is /var/www/nextcloud/data, because chroot strips “/var/www” from the path.

Conclusion

Thank you for reading :) I hope you enjoy your secure file sharing.
