nextcloud
Our nextcloud installation is running on lucius, which is currently running Debian jessie. The nextcloud application is installed from source.
Important details
- The application runs as the www-data user
- Directories:
- The code is in /var/www/nextcloud.
- The data (files) are in /var/lib/nextcloud/data.
- Our configuration is in /etc/nextcloud (symlinked from /var/www/nextcloud/config)
- We're using the postgres package, not the mysql package. If you want to muck around in the database:
su - www-data
and then:
psql nextcloud
- We're authenticating using the login-service (web api).
- That happens via our own mfplauth app, which depends on the external user auth app
- The admin username (mfpl-admin) and password are in keyringer. However, try to avoid logging in as mfpl-admin: if you change any configuration options, /etc/nextcloud/config.php will get overwritten.
- A 5GB per user quota is set. This is configured by logging in as mfpl-admin and then clicking to administer users. Quotas can be changed on a per user basis.
- To fix #8125, we've added our own custom theme called "mayfirst", which is in lucius.mayfirst.org:/var/lib/nextcloud/themes and it is activated via the theme => "mayfirst" line in lucius.mayfirst.org:/etc/nextcloud/config.php. Currently, it only adds a style sheet that simply hides the password change form.
- We have committed to maintaining the following extra apps, which are installed in /var/lib/nextcloud/apps-local:
- Calendar - allows users to create, share and sync calendars
- Contacts - allows users to create, share and sync contacts
- markdown friendly text editor - provides a useful WYSIWYG markdown editor that supports collaborative editing
- circles - allows users to create "circles" of people to share documents, calendars, etc. with.
- Bookmarks (see #10696) - save, sync and share bookmarks
- External user authentication - The base application allowing us to write our own external auth plugin (see below). The full nextcloud apps repository is checked out in /srv/nextcloud-apps. The user_external app is copied from /srv/nextcloud-apps/user_external to /var/lib/nextcloud/apps-local.
- MF/PL custom auth app (git://git.mayfirst.org/mfpl/mfplauth) - Allows users to log in using their own May First/People Link username and password. This module is checked out via git directly in /var/lib/nextcloud/apps-local/mfplauth.
- https://apps.nextcloud.com/apps/onlyoffice - web editing of word and spreadsheet files using Only Office.
- end to end encryption.
- Notes
- tasks
- news - woops! Not yet enabled. See #13737
Upgrading
Steps to upgrade from source:
- Visit https://nextcloud.com/changelog/ and download the appropriate version to /root using wget and unpack
- Create symlinks that mirror the symlinks in /var/www/nextcloud
- If upgrading a major version, make a backup of the local apps directory /var/lib/nextcloud/local-apps and then download new versions of all apps to a temporary location (e.g. /root/nextclout/apps).
- Copy /etc/nextcloud/config.php to /etc/nextcloud/config.php.bak
- Enter maintenance mode (edit /etc/nextcloud/config.php)
- Backup the database with:
su -c "pg_dump nextcloud" -s /bin/bash www-data | gzip -c > nextcloud.pre.$(date +%Y.%m.%d).backup.sql.gz
- Make a backup of the current nextcloud installation:
mv /var/www/nextcloud /var/www/nextcloud.version.n.n.n
- Move the new copy in:
mv /root/nextcloud /var/www/
- If major upgrade, delete the contents of /var/lib/nextcloud/local-apps and move in the new versions.
- Ensure all database updates have been run. su to the www-data user and then:
su - -s /bin/bash www-data
cd /var/www/nextcloud
php occ upgrade
- Clear out the brute force log:
su - -s /bin/bash www-data
psql nextcloud
DELETE FROM oc_bruteforce_attempts;
- Fix the libre office template language selection (see #13626):
/root/fix-nextcloud-templates /var/www/nextcloud/core/templates/filetemplates/template.odp
/root/fix-nextcloud-templates /var/www/nextcloud/core/templates/filetemplates/template.odt
/root/fix-nextcloud-templates /var/www/nextcloud/core/templates/filetemplates/template.ods
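The database backup pipeline in the steps above returns gzip's exit status, so a pg_dump that fails or is cut short still leaves a valid .gz file behind. The check below is an added example, not part of the original page; check_dump is a hypothetical helper and the sample dumps are constructed.

```shell
#!/usr/bin/env bash
# Added example: check_dump is a hypothetical helper, not part of the page.
# Exit codes: 0 ok, 1 missing/empty, 2 bad gzip, 3 not a pg_dump, 4 truncated.
check_dump() {
    local f="$1"
    if [ ! -s "$f" ]; then echo "missing or empty: $f" >&2; return 1; fi
    if ! gzip -t "$f" 2>/dev/null; then echo "corrupt gzip: $f" >&2; return 2; fi
    # Plain-format pg_dump output opens and closes with fixed comment lines.
    if ! gzip -dc "$f" | head -n 5 | grep -q -e '-- PostgreSQL database dump'; then
        echo "no pg_dump header (did pg_dump fail?): $f" >&2; return 3
    fi
    if ! gzip -dc "$f" | tail -n 10 | grep -q -e '-- PostgreSQL database dump complete'; then
        echo "dump ends early: $f" >&2; return 4
    fi
    return 0
}

# Constructed samples: a complete dump, one cut off mid-stream, and the empty
# archive left behind when the command feeding gzip writes nothing.
tmp=$(mktemp -d)
printf '%s\n' '--' '-- PostgreSQL database dump' '--' '' 'CREATE TABLE t (id int);' \
    '' '--' '-- PostgreSQL database dump complete' '--' | gzip -c > "$tmp/good.sql.gz"
printf '%s\n' '--' '-- PostgreSQL database dump' '--' '' 'CREATE TAB' \
    | gzip -c > "$tmp/cut.sql.gz"
: | gzip -c > "$tmp/empty.sql.gz"
for name in good cut empty; do
    rc=0; check_dump "$tmp/$name.sql.gz" 2>/dev/null || rc=$?
    echo "$name: rc=$rc"
done
```

Run it against the nextcloud.pre.*.backup.sql.gz file before moving /var/www/nextcloud aside.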
Only Office
We are using Only Office for web-based editing of documents, spreadsheets and presentations.
Nginx and php fpm
A working nginx configuration file for nextcloud is available.
In addition, php5-fpm should work mostly out of the box but requires these tweaks:
- /etc/php/7.3/fpm/pool.d/www.conf:
- Uncomment the lines starting with env (so environment variables are available to nextcloud)
- Change:
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 15
- Add the file /etc/php5/fpm/conf.d/100-nextcloud.ini with the contents:
always_populate_raw_post_data = -1
Brute force rate limits
See how to unblock an IP for more information. In short, if an IP is wrongly blocked:
su - www-data
psql nextcloud
DELETE FROM oc_bruteforce_attempts WHERE ip = 'aaa.bbb.ccc.ddd';
Resetting an e2e passphrase
This seems to be a flaw in the e2e model, but it is possible for an administrator to reset a user's e2e key if they lose the passphrase. Check out this issue for the latest.
At the time of this writing, the following works:
- Enter the end_to_end_encryption folder in your appdata folder. Your appdata folder is a folder inside your data folder (the folder containing all your nextcloud files). It has a randomly generated name that starts with appdata like appdata_487461775a51. The end_to_end_encryption folder has three folders: meta-data, private-keys and public-keys.
- If your username is joe, then remove meta-data/joe, private-keys/joe.private.key, public-keys/joe.public.key
- In the database (replace joe with your username):
DELETE FROM oc_filecache WHERE path LIKE 'appdata_%/end_to_end_encryption/meta-data/joe%';
DELETE FROM oc_filecache WHERE path LIKE 'appdata_%/end_to_end_encryption/%-keys/joe.%.key';
- Launch the maintenance crontab manually as the www-data user (/usr/bin/php -f /var/www/nextcloud/cron.php)
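The LIKE patterns in the reset steps are prefix matches: `meta-data/joe%` also matches a user named joel, and `%-keys/joe.%.key` also matches joe.smith. The dry run below is an added example, not part of the original page; e2e_reset_plan is a hypothetical helper and the directory tree is constructed. It prints the exact paths for one user and flags other users' entries that the same patterns would catch.

```shell
#!/usr/bin/env bash
# Added example: e2e_reset_plan is a hypothetical helper, not part of the page.
# $1 = path to the end_to_end_encryption folder, $2 = username. Deletes nothing.
e2e_reset_plan() {
    local e2e="$1" user="$2" p name
    # Refuse names that are empty or could step outside the key folders.
    case "$user" in ''|.|..|*/*) echo "bad username: $user" >&2; return 2;; esac
    for p in "meta-data/$user" "private-keys/$user.private.key" \
             "public-keys/$user.public.key"; do
        if [ -e "$e2e/$p" ]; then echo "remove $p"; fi
    done
    # Same prefix match as LIKE '.../meta-data/USER%'.
    for p in "$e2e"/meta-data/"$user"*; do
        name=${p##*/}
        if [ -e "$p" ] && [ "$name" != "$user" ]; then
            echo "collateral meta-data/$name"
        fi
    done
    # Same match as LIKE '.../%-keys/USER.%.key'.
    for p in "$e2e"/*-keys/"$user".*.key; do
        name=${p##*/}
        case "$name" in "$user.private.key"|"$user.public.key") continue;; esac
        if [ -e "$p" ]; then echo "collateral ${p#"$e2e"/}"; fi
    done
    return 0
}

# Constructed tree with three users: joe, joel and joe.smith.
demo=$(mktemp -d)
mkdir -p "$demo/meta-data/joe" "$demo/meta-data/joel" \
         "$demo/private-keys" "$demo/public-keys"
for k in joe.private.key joe.smith.private.key; do : > "$demo/private-keys/$k"; done
: > "$demo/public-keys/joe.public.key"
e2e_reset_plan "$demo" joe
```

Any "collateral" line means the filecache DELETE statements need a tighter pattern for that username before they are run.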