Nextcloud on OpenBSD
Intro
Want to run your own Nextcloud server on OpenBSD? Give it a try! It's quite trivial, as you can see. Just fire up an empty machine, assign a hostname / DNS record, and follow the examples below. This setup was done on the current version, OpenBSD 6.9. Have fun!
Inspired by: https://dev.to/nabbisen/nextcloud-on-openbsd-installation-15d6
Packages
Install some packages. I use SQLite as the DB because I don't expect a lot of users/traffic/files; the php-pdo_* dependency chosen below is what selects the database backend.
$ doas pkg_add nextcloud
quirks-3.633 signed on 2021-09-27T19:58:00Z
Ambiguous: choose package for nextcloud
a 0: <None>
1: nextcloud-20.0.12
2: nextcloud-21.0.4
Your choice: 2
Ambiguous: choose dependency for nextcloud-21.0.4:
a 0: php-pdo_mysql-7.4.23
1: php-pdo_pgsql-7.4.23
2: php-pdo_sqlite-7.4.23
Your choice: 2
nextcloud-21.0.4:argon2-20190702: ok
nextcloud-21.0.4:libsodium-1.0.18p1: ok
nextcloud-21.0.4:libxml-2.9.10p3: ok
nextcloud-21.0.4:oniguruma-6.9.6: ok
...
nextcloud-21.0.4: ok
Running tags: ok
The following new rcscripts were installed: /etc/rc.d/php74_fpm
See rcctl(8) for details.
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/femail-chroot
/usr/local/share/doc/pkg-readmes/nextcloud
/usr/local/share/doc/pkg-readmes/php-7.4
Prepare Chroot
Create the folders and files httpd and php-fpm need inside the chrooted environment (/var/www)
# /etc for the chroot and /run for the php-fpm socket
doas mkdir -p /var/www/{etc,run}
# name resolution inside the chroot
doas cp /etc/resolv.conf /var/www/etc
# same /nextcloud path inside and outside the chroot (httpd root, occ, cron)
doas ln -sf /var/www/nextcloud /nextcloud
httpd
Configure and start httpd. This first server block only answers the ACME challenge over plain HTTP and redirects everything else to HTTPS.
cat << 'EOF' |doas tee /etc/httpd.conf
# http
server "box-amsterdam.puffy.work" {
listen on * port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location * {
block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
}
EOF
doas rcctl enable httpd
doas rcctl restart httpd
SSL Cert
Get a Let's Encrypt TLS certificate. The challenge is answered through the /acme location above; the certificate is valid for 90 days, so run acme-client again from cron and reload httpd once it has renewed.
cat << 'EOF' |doas tee -a /etc/acme-client.conf
domain box-amsterdam.puffy.work {
domain key "/etc/ssl/private/box-amsterdam.puffy.work.key"
domain full chain certificate "/etc/ssl/box-amsterdam.puffy.work.fullchain.pem"
sign with letsencrypt
}
EOF
doas acme-client -v box-amsterdam.puffy.work
https
Add the HTTPS config to /etc/httpd.conf. The server-level block drop plus the two locations for /nextcloud/config/ and /nextcloud/data/ are what keep config.php (secrets, DB location) and user files from being served directly; after the restart, check with a browser or curl that those paths do not return 200.
cat << 'EOF' |doas tee -a /etc/httpd.conf
# https
server "box-amsterdam.puffy.work" {
listen on * tls port 443
hsts max-age 15768000
tls {
certificate "/etc/ssl/box-amsterdam.puffy.work.fullchain.pem"
key "/etc/ssl/private/box-amsterdam.puffy.work.key"
}
# Set max upload size to 513M (in bytes)
connection max request body 537919488
connection max requests 1000
connection request timeout 3600
connection timeout 3600
block drop
# Ensure that no '*.php*' files can be fetched from these directories
location "/nextcloud/config/*" {
block drop
}
location "/nextcloud/data/*" {
block drop
}
# Note that this matches "*.php*" anywhere in the request path.
location "/nextcloud/*.php*" {
root "/nextcloud"
request strip 1
fastcgi socket "/run/php-fpm.sock"
pass
}
location "/nextcloud/apps/*" {
root "/nextcloud"
request strip 1
pass
}
location "/nextcloud/core/*" {
root "/nextcloud"
request strip 1
pass
}
location "/nextcloud" {
block return 301 "$DOCUMENT_URI/index.php"
}
location "/nextcloud/" {
block return 301 "$DOCUMENT_URI/index.php"
}
location "/.well-known/carddav" {
block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
}
location "/.well-known/caldav" {
block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
}
location "/.well-known/webfinger" {
block return 301 "https://$SERVER_NAME/nextcloud/index.php/.well-known/webfinger"
}
location "/.well-known/nodeinfo" {
block return 301 "https://$SERVER_NAME/nextcloud/index.php/.well-known/nodeinfo"
}
location match "/nextcloud/oc[ms]%-provider/*" {
directory index index.php
pass
}
}
EOF
doas rcctl restart httpd
PHP
Some tuning and other PHP configs. The opcache settings are appended to /etc/php-7.4.ini; the symlink loop enables every extension shipped in /etc/php-7.4.sample, which is more than Nextcloud needs; cert.pem is copied into the chroot so PHP can verify TLS connections (app store, federation).
cat << 'EOF' |doas tee -a /etc/php-7.4.ini
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
EOF
# Enable Modules
cd /etc/php-7.4.sample
for i in *; do doas ln -sf ../php-7.4.sample/$i ../php-7.4/; done
# Create Folders and install ssl stuff
doas mkdir -p /var/www/etc/ssl
doas install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/
# Enable and Start Service
doas rcctl enable php74_fpm
doas rcctl restart php74_fpm
PF
Nothing special: allow TCP/80 and TCP/443 from anywhere (port 80 is needed for the Let's Encrypt challenge; the redirect from 80 to 443 is done by httpd above). An IP filter list based on ASN / country would make sense. Have to think about it.
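As an added example of the ruleset this section describes (not the author's own pf.conf), assuming the external interface is in the "egress" group, ssh stays on its default port, and a hypothetical /etc/pf.blocked holds the addresses of a hand-maintained ASN/country list:

```pf
# /etc/pf.conf - added example, not from the original post.
# Assumptions: external interface is in the "egress" group, ssh on port 22,
# /etc/pf.blocked is a hypothetical file with one address or CIDR per line
# (the hook for an ASN/country based list).
ext_if = "egress"
table <bruteforce> persist
table <blocked> persist file "/etc/pf.blocked"

set skip on lo
block return log all
block in quick on $ext_if from <blocked>
block in quick on $ext_if from <bruteforce>
pass out quick

# ssh, rate-limited: more than 5 new connections per minute from one source
# puts that source into <bruteforce> and drops its existing states
pass in on $ext_if proto tcp to port ssh \
    keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# TCP/80 must stay open for the Let's Encrypt challenge; httpd redirects
# everything else to 443
pass in on $ext_if proto tcp to port { www, https }
```

Check the syntax with `doas pfctl -nf /etc/pf.conf` before loading it with `doas pfctl -f /etc/pf.conf`; `doas pfctl -t bruteforce -T show` lists what the rate limit has caught.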
Nextcloud Setup
doas touch /var/www/nextcloud/config/CAN_INSTALL
open https://box-amsterdam.puffy.work/nextcloud/ and start configuration
-> do not install the recommended apps
open https://box-amsterdam.puffy.work/nextcloud/index.php/apps/files/ and finish configuration
Crontab
Do some regular maintenance. This goes into root's crontab; set the background jobs mode to "Cron" in the admin settings so Nextcloud stops relying on AJAX calls.
*/15 * * * * su -m www -c "/usr/local/bin/php-7.4 -f /var/www/nextcloud/cron.php"
Backup
A DB export and a file-system backup make sense. I normally use borgbackup for this kind of stuff.
Cron job for a daily DB backup. The dump contains password hashes and app tokens, so /backup must not be world-readable, and config/config.php (secret, passwordsalt, instanceid) has to be saved alongside it, otherwise the dump cannot be restored into a working instance.
5 1 * * * /usr/local/bin/sqlite3 /var/www/nextcloud/data/owncloud.db ".dump" |gzip -c > /backup/nextcloud.db.gz
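An added example (not part of the original post) of a more careful version of that cron job: a script that puts Nextcloud into maintenance mode, takes an online snapshot of the SQLite database with sqlite3's .backup command, saves config/ next to it with owner-only permissions, and prunes old dumps. It assumes the paths used on this page (/var/www/nextcloud, /usr/local/bin/sqlite3, /backup) and that occ runs as user www via su -m, all overridable through the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: a consistent Nextcloud backup
# for the SQLite layout used above, meant to replace the .dump cron line.
# Assumptions (adjustable through the environment): Nextcloud lives in
# /var/www/nextcloud, occ runs as user www via su -m, sqlite3 is in
# /usr/local/bin, and dumps go to /backup.
set -eu

NC_DIR="${NC_DIR:-/var/www/nextcloud}"
NC_DB="${NC_DB:-$NC_DIR/data/owncloud.db}"
BACKUP_DIR="${BACKUP_DIR:-/backup}"
KEEP="${KEEP:-14}"      # dumps to keep per kind

# Run an occ command as the web user, like the upgrade steps on this page.
occ() { (cd "$NC_DIR" && su -m www -c "./occ $*"); }

# Online snapshot with sqlite3's .backup (page-consistent even while the db is
# open, unlike cp/tar of the file), then gzip with owner-only permissions,
# because the dump contains password hashes and app tokens.
backup_db() {
    out="$1"; tmp="$out.tmp"
    umask 077
    /usr/local/bin/sqlite3 "$NC_DB" ".backup '$tmp'"
    gzip -c "$tmp" > "$out"
    rm -f "$tmp"
}

# Delete all but the newest $keep files named "$prefix-*" in $dir and print
# how many were removed (the names this script creates contain no spaces).
prune_backups() {
    dir="$1"; prefix="$2"; keep="$3"; n=0
    for f in $(ls -1t "$dir/$prefix"-* 2>/dev/null | tail -n "+$((keep + 1))"); do
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

main() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    # Maintenance mode keeps the db dump and the config copy in step; the trap
    # switches it off again even if a step below fails.
    occ maintenance:mode --on
    trap 'occ maintenance:mode --off' EXIT
    backup_db "$BACKUP_DIR/nextcloud-db-$stamp.gz"
    # config.php carries secret, passwordsalt and instanceid; without it the
    # database dump alone cannot be restored.
    umask 077
    tar -czf "$BACKUP_DIR/nextcloud-config-$stamp.tgz" -C "$NC_DIR" config
    prune_backups "$BACKUP_DIR" nextcloud-db "$KEEP" >/dev/null
    prune_backups "$BACKUP_DIR" nextcloud-config "$KEEP" >/dev/null
}

# Only act when called as "sh nc-backup.sh run", so the functions can be sourced.
case "${1:-}" in run) main ;; esac
```

Call it from root's crontab as `5 1 * * * /usr/local/sbin/nc-backup.sh run` (path assumed) in place of the .dump line; the resulting /backup directory is then what borgbackup should pick up together with the data directory.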
Upgrade to 21.0.5
After the package upgrade (pkg_add -Vu) there was a new version of Nextcloud (21.0.5). The following step is needed, either via the web interface or from the CLI:
doas su -
cd /var/www/nextcloud; su -m www -c "./occ upgrade"
Upgrade to 23.0.5
After the package upgrade (pkg_add -Vu) to v23.0.5 the same command was required:
doas su -
cd /var/www/nextcloud; su -m www -c "./occ upgrade"
Upgrade to 23.0.9
After the package upgrade (pkg_add -Vu) to v23.0.9 the same command was required:
doas su -
cd /var/www/nextcloud; su -m www -c "./occ upgrade"
Upgrade to 23.0.12
After the package upgrade (pkg_add -Vu) to v23.0.12 the same command was required:
doas su -
cd /var/www/nextcloud; su -m www -c "./occ upgrade"
Open Topics
- Redis ? Needed ?
- Upgrade Procedure, for OpenBSD 7.0 ?
Any Comments ?