nextcloud

Our nextcloud installation is running on lucius, which is currently running Debian jessie. The nextcloud application is installed from source.

Important details

  • The application runs as the www-data user
  • Directories:
    • The code is in /var/www/nextcloud.
    • The data (files) are in /var/lib/nextcloud/data.
    • Our configuration is in /etc/nextcloud (symlinked from /var/www/nextcloud/config)
  • We're using the postgres package, not the mysql package. If you want to muck around in the database: su - www-data and then psql nextcloud
  • We're authenticating using the login-service (web api).
  • The admin username (mfpl-admin) and password are in keyringer. However, try to avoid logging in as mfpl-admin: if you change any configuration options, /etc/nextcloud/config.php will get overwritten.
  • A 5GB per user quota is set. This is configured by logging in as mfpl-admin and then clicking to administer users. Quotas can be changed on a per user basis.
  • To fix #8125, we've added our own custom theme called "mayfirst", which is in lucius.mayfirst.org:/var/lib/nextcloud/themes and it is activated via the theme => "mayfirst" line in lucius.mayfirst.org:/etc/nextcloud/config.php. Currently, it only adds a style sheet that simply hides the password change form.
  • We have committed to maintaining the following extra apps, which are installed in /var/lib/nextcloud/apps-local:

Upgrading

Steps to upgrade from source:

  • Visit https://nextcloud.com/changelog/, download the appropriate version to /root using wget, and unpack it
  • Create symlinks that mirror the symlinks in /var/www/nextcloud
  • If upgrading a major version, backup /var/lib/nextcloud/apps-local and download new versions of all apps in /var/lib/nextcloud/apps-local, replacing the existing apps with the new ones.
  • Copy /etc/nextcloud/config.php to /etc/nextcloud/config.php.bak
  • Enter maintenance mode (by editing /etc/nextcloud/config.php)
  • Backup the database with:
    su -c "pg_dump nextcloud" -s /bin/bash www-data | gzip -c > nextcloud.pre.$(date +%Y.%m.%d).backup.sql.gz
    
  • Make a backup of the current nextcloud installation:
    mv /var/www/nextcloud /var/www/nextcloud.version.n.n.n
    
  • Move the new copy in:
    mv /root/nextcloud /var/www/
    
  • Ensure all database updates have been run. Switch to the www-data user and run the upgrade:
    su - -s /bin/bash www-data
    cd /var/www/nextcloud
    php occ upgrade
    
  • Clear out the brute force log:
    su - -s /bin/bash www-data
    psql nextcloud
    DELETE FROM oc_bruteforce_attempts;
    
  • Fix the libre office template language selection (see #13626):
    /root/fix-nextcloud-templates /var/www/nextcloud/core/templates/filetemplates/template.odp
    /root/fix-nextcloud-templates /var/www/nextcloud/core/templates/filetemplates/template.odt
    /root/fix-nextcloud-templates /var/www/nextcloud/core/templates/filetemplates/template.ods
    

Only Office

We are using Only Office for web-based editing of documents, spreadsheets and presentations.

Nginx and php fpm

A working nginx configuration file for nextcloud is available.

In addition, php5-fpm should work mostly out of the box but requires these tweaks:

  • /etc/php/7.3/fpm/pool.d/www.conf:
    • Uncomment the lines starting with env (so environment variables are available to nextcloud)
    • Change:
      pm.max_children = 50
      pm.start_servers = 10
      pm.min_spare_servers = 10
      pm.max_spare_servers = 15
      
  • Add the file /etc/php5/fpm/conf.d/100-nextcloud.ini with the contents:
    always_populate_raw_post_data = -1
    

Brute force rate limits

See how to unblock an IP for more information. In short, if an IP is wrongly blocked:

su - www-data
psql nextcloud
DELETE FROM oc_bruteforce_attempts WHERE ip = 'aaa.bbb.ccc.ddd';

Resetting an e2e passphrase

This seems to be a flaw in the e2e model, but it is possible for an administrator to reset a user's e2e key if they lose the passphrase. Check out this issue for the latest.

At the time of this writing, the following works:

  • Enter the end_to_end_encryption folder in your appdata folder. Your appdata folder is a folder inside your data folder (the folder containing all your nextcloud files). It has a randomly generated name that starts with appdata like appdata_487461775a51. The end_to_end_encryption folder has three folders: meta-data, private-keys and public-keys.
  • If your username is joe, then remove meta-data/joe, private-keys/joe.private.key, public-keys/joe.public.key
  • In the database (replace joe with your username):
    DELETE FROM oc_filecache WHERE path LIKE 'appdata_%/end_to_end_encryption/meta-data/joe%';
    DELETE FROM oc_filecache WHERE path LIKE 'appdata_%/end_to_end_encryption/%-keys/joe.%.key';
    
  • Launch the maintenance crontab manually as the www-data user (/usr/bin/php -f /var/www/nextcloud/cron.php)
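
A dry-run helper for the reset steps above, added here as an example and not part of our own tooling. It lists the key files for one user and prints filecache statements anchored to that exact username, because the LIKE patterns joe% and joe.%.key also match users such as joey or joe.smith. The function names are hypothetical, and the SQL assumes PostgreSQL's default backslash LIKE escape.

```shell
#!/bin/sh
# Added example: dry run for the e2e reset. It prints what would be removed
# and deletes nothing. Function names are hypothetical; the folder layout is
# the one described in the steps above.

# Refuse usernames that are empty or could step outside the key folders.
valid_user() {
  case "$1" in
    ''|.|..|*/*) return 1 ;;
  esac
}

# Quote a username for a LIKE pattern: escape the wildcards % and _ (and the
# escape character \), and double any single quote.
# Assumes PostgreSQL defaults (backslash LIKE escape, standard_conforming_strings on).
like_escape() {
  printf '%s' "$1" | sed -e 's/[%_\\]/\\&/g' -e "s/'/''/g"
}

# List the existing metadata folder and key files of user $2 under data dir $1.
e2e_paths() {
  valid_user "$2" || return 1
  for base in "$1"/appdata_*/end_to_end_encryption; do
    [ -d "$base" ] || continue
    for p in "$base/meta-data/$2" \
             "$base/private-keys/$2.private.key" \
             "$base/public-keys/$2.public.key"; do
      [ -e "$p" ] && printf '%s\n' "$p"
    done
  done
  return 0
}

# Emit the oc_filecache cleanup for user $1, anchored to that exact name so
# "joe" does not also match "joey" or "joe.smith".
e2e_sql() {
  valid_user "$1" || return 1
  u=$(like_escape "$1")
  pre='appdata_%/end_to_end_encryption'
  printf "DELETE FROM oc_filecache WHERE path LIKE '%s/meta-data/%s'\n" "$pre" "$u"
  printf "   OR path LIKE '%s/meta-data/%s/%%';\n" "$pre" "$u"
  printf "DELETE FROM oc_filecache WHERE path LIKE '%s/private-keys/%s.private.key'\n" "$pre" "$u"
  printf "   OR path LIKE '%s/public-keys/%s.public.key';\n" "$pre" "$u"
}

# Usage: sh e2e-dry-run.sh /var/lib/nextcloud/data joe
if [ "$#" -eq 2 ]; then e2e_paths "$1" "$2" && e2e_sql "$2"; fi
```

Review the printed paths and statements before removing anything or running the SQL in psql.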

Last modified on Oct 17, 2019, 8:23:13 AM