# Nextcloud

# Nextcloud @Nginx @Oracle Linux v9.5 with self-signed cert (for virtualization)

# Preparations

Disable IPv6

```bash
# TODO: sysctl ipv6...

```

```bash
dnf update
dnf install \
    mariadb \
    wget \
    unzip

```

# Create database

Connect to the database server and create the database and the application user from wherever that is possible. If the secure post-installation script has been executed, remote root access is most probably not permitted; in that case, log in locally to create the new database and user.

```bash
ssh anton@lt58ncp1dbn1
sudo su
mariadb -u maxscale -p -h 10.120.12.xxx

```

```sql
CREATE DATABASE ncp1 CHARACTER SET utf8mb4;
CREATE USER 'ncp1rw'@'%' IDENTIFIED BY 'superpass';
GRANT ALL ON ncp1.* TO 'ncp1rw'@'%';
FLUSH PRIVILEGES;
SHOW GRANTS FOR ncp1rw;

```

```
+-------------------------------------------------------------------------------------------------------+
| Grants for ncp1rw@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `ncp1rw`@`%` IDENTIFIED BY PASSWORD '*BD9925F1D4C650B93F105762F0FC7F494AD66AC8' |
| GRANT ALL PRIVILEGES ON `ncp1`.* TO `ncp1rw`@`%`                                                      |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.009 sec)

```

Check connectivity to database server from application server

```bash
[root@lt58ncp1app1 anton]# mariadb -h lt58ncp1dbn1 -u ncp1rw -p

```

# Generate certificates (self-signed)

Prepare storage

```bash
export fqdn="host"
export dir="/data/certs/"
mkdir -p ${dir}/CA
mkdir -p ${dir}/${fqdn}
cd ${dir}/CA
pwd

```

Create CSR and certificate

```bash
# TODO: add echoing pass to file and from ${fqdn}.pass

```

create key for CA, give it a passphrase of at least four (4) characters (you want a more complicated one for stronger setups)

```bash
# -aes256 encrypts the key, so genrsa prompts for the passphrase
openssl genrsa -aes256 -out ca.key 2048

```

create request for CA certificate

```bash
openssl req -new -sha256 -key ca.key -out ca.csr

```

create a CA certificate

```bash
openssl x509 -req -days 3600 -in ca.csr -out ca.crt -signkey ca.key

```

generate a key for the new server certificate (modern systems accept a minimum key size of 2048)

```bash
openssl genrsa -out server.key 2048

```

create request for the new certificate

```bash
openssl req -new -sha256 -key server.key -out server.csr

```

sign request for new certificate with the CA

```bash
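# sign with the CA key; -signkey server.key would instead produce a certificate
# signed by the server's own key, with no link to ca.crt
openssl x509 -req -sha256 -days 3600 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt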

```

Now that we have a certificate and key pair, we can rename them

```bash
ls -la

mv ${dir}/CA/server.* ${dir}/${fqdn}/
cd ${dir}/${fqdn}/
mv server.csr ${fqdn}.csr
mv server.crt ${fqdn}.crt
mv server.key ${fqdn}.key

```
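The CA and server-certificate steps above as one non-interactive script, added here as an example (not part of the original page): it signs the server certificate with the CA key, adds a subjectAltName (current browsers and clients match the host name against it rather than the CN), and checks the result. The CN `Lab CA`, the FQDN `nextcloud.lab.example`, the temporary output directory and the unencrypted keys are assumptions made so the script runs unattended.

```bash
#!/usr/bin/env bash
# Added example: CA-signed server certificate with a subjectAltName.
# The CN "Lab CA", the FQDN and the output directory are assumptions.
set -eu

make_chain() (   # usage: make_chain <fqdn> <output-dir>; runs in a subshell
    fqdn="$1"; out="$2"
    ca="${out}/CA"; srv="${out}/${fqdn}"
    umask 077    # directories, keys and working files readable by the owner only
    mkdir -p "${ca}" "${srv}"

    # CA: key, request, then a self-signed certificate marked as a CA.
    openssl genrsa -out "${ca}/ca.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "${ca}/ca.key" -subj "/CN=Lab CA" -out "${ca}/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "${ca}/ca.ext"
    openssl x509 -req -sha256 -days 3600 -in "${ca}/ca.csr" \
        -signkey "${ca}/ca.key" -extfile "${ca}/ca.ext" -out "${ca}/ca.crt" 2>/dev/null

    # Server: key, request, then a certificate signed by the CA key.
    openssl genrsa -out "${srv}/${fqdn}.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "${srv}/${fqdn}.key" -subj "/CN=${fqdn}" -out "${srv}/${fqdn}.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "${fqdn}" > "${srv}/san.ext"
    openssl x509 -req -sha256 -days 3600 -in "${srv}/${fqdn}.csr" \
        -CA "${ca}/ca.crt" -CAkey "${ca}/ca.key" -CAcreateserial \
        -extfile "${srv}/san.ext" -out "${srv}/${fqdn}.crt" 2>/dev/null
)

check_chain() {  # usage: check_chain <fqdn> <output-dir>
    crt="$2/$1/$1.crt"; key="$2/$1/$1.key"
    # 1 = not signed by the CA, 2 = SAN missing, 3 = certificate and key do not pair
    openssl verify -CAfile "$2/CA/ca.crt" "${crt}" >/dev/null 2>&1 || return 1
    openssl x509 -in "${crt}" -noout -text | grep -q "DNS:$1" || return 2
    [ "$(openssl x509 -in "${crt}" -noout -pubkey)" = \
      "$(openssl pkey -in "${key}" -pubout)" ] || return 3
}

demo_dir="$(mktemp -d)"
make_chain nextcloud.lab.example "${demo_dir}"
check_chain nextcloud.lab.example "${demo_dir}" && echo "chain, SAN and key match"
```

Clients trust the server certificate only after `ca.crt` has been imported into their trust store; the CA key itself never needs to leave the machine that signs.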

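Fix SELinux contexts for certificates. Note that `setenforce 0` does not relabel any files: it switches SELinux to permissive mode (denials are logged but not enforced) until the next reboot.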

```bash
setenforce 0

```

# Install Nginx webserver

```bash
dnf install nginx
systemctl enable nginx
systemctl start nginx
systemctl status nginx
ss -ntap | grep nginx

```

```bash
LISTEN 0      511           0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=3459,fd=6),("nginx",pid=3457,fd=6))
LISTEN 0      511              [::]:80             [::]:*     users:(("nginx",pid=3459,fd=7),("nginx",pid=3457,fd=7))

```

Create firewall rules for webserver

```bash
firewall-cmd --remove-service=http  --permanent
firewall-cmd    --add-service=https --permanent
systemctl restart firewalld
firewall-cmd --list-all

```

Prepare local storage for application (not for data)

```bash
sudo su
export dir="/var/www/"
mkdir -p ${dir}
cd $dir
pwd

```

Download Nextcloud and check its integrity. Decide which version is going to be deployed; a rule of thumb is to go with the current major version minus one.

```bash
# export v=21
export v=29
wget https://download.nextcloud.com/server/releases/latest-$v.zip
# the published digest (curl) and the local digest (sha256sum) must be identical
curl https://download.nextcloud.com/server/releases/latest-$v.zip.sha256
sha256sum latest-$v.zip
unzip latest-$v.zip

```
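The comparison above is done by eye; the following added example (not part of the original page) turns it into a check that can gate the `unzip`. The function name `verify_release` and the sample files are assumptions, and the sample data is constructed so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example: compare the published SHA-256 with the downloaded archive.
set -eu

# verify_release <archive> <checksum-file>
#   0 = digest matches, 1 = mismatch, 2 = checksum file holds no SHA-256 digest
verify_release() {
    # The first field of the first line is the digest; a file name column is ignored.
    want="$(awk 'NR==1 {print tolower($1)}' "$2")"
    case "${want}" in ""|*[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 64 ] || return 2
    have="$(sha256sum "$1" | awk '{print $1}')"
    [ "${want}" = "${have}" ] || return 1
}

# Constructed sample data: a stand-in archive, its checksum file, a modified
# copy, and an HTML error page saved under a .sha256 name.
sample="$(mktemp -d)"
printf 'stand-in for latest-29.zip\n' > "${sample}/latest-29.zip"
( cd "${sample}" && sha256sum latest-29.zip > latest-29.zip.sha256 )
cp "${sample}/latest-29.zip" "${sample}/modified.zip"
printf 'extra bytes' >> "${sample}/modified.zip"
printf '<html>404 Not Found</html>\n' > "${sample}/error.sha256"

for f in latest-29.zip modified.zip; do
    if verify_release "${sample}/${f}" "${sample}/latest-29.zip.sha256"; then
        echo "${f}: digest matches, safe to unzip"
    else
        echo "${f}: digest mismatch, do not unzip"
    fi
done
```

In the real procedure this becomes `verify_release latest-$v.zip latest-$v.zip.sha256 && unzip latest-$v.zip`, with the `.sha256` file saved by `curl -o`. A digest fetched from the same host as the archive detects a corrupted or truncated download, not a release that was replaced on the server itself.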

Change ownership of the application's data, config and apps directories to the user nginx runs as

```bash
cat /etc/nginx/nginx.conf  | grep user
mkdir -p ${dir}/nextcloud/data/
chown -R nginx:nginx ${dir}/nextcloud/data/
chown -R nginx:nginx ${dir}/nextcloud/config/
chown -R nginx:nginx ${dir}/nextcloud/apps/
namei -mo ${dir}/nextcloud/config

```

Disable default config by commenting or deleting the lines

```bash
vi /etc/nginx/nginx.conf

```

[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/uSNqrQbv2V3Hmc0p-image-1753070889284.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/uSNqrQbv2V3Hmc0p-image-1753070889284.png)

Create nginx configuration file

```bash
vi /etc/nginx/conf.d/server.conf

```

Use the reference configuration from the Nextcloud documentation as the starting point:

```
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

```

Change the certificate paths to point to the created ones

```nginx
    ssl_certificate     /data/certs/lt58nct1app21/lt58nct1app21.crt;
    ssl_certificate_key /data/certs/lt58nct1app21/lt58nct1app21.key;

```

Check and reload config

```bash
nginx -t
nginx -s reload

```

[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/43SCBnHCV36AQ9gg-image-1753071001517.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/43SCBnHCV36AQ9gg-image-1753071001517.png)

Enable latest supported PHP module:

```bash
dnf module list php
dnf module enable php:8.3

```

[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/yuHLuSSjCksOFM9s-image-1753071074526.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/yuHLuSSjCksOFM9s-image-1753071074526.png)

Install prerequisites

```bash
dnf install \
  php \
  php-fpm \
  php-mysqlnd \
  php-zip \
  php-xml \
  php-mbstring \
  php-curl \
  php-gd

```

Enable php-fpm service

```bash
systemctl enable php-fpm
systemctl start php-fpm
systemctl status php-fpm

```

Modify the webserver config to forward requests to the correct socket. A config file comes with the php-fpm package, but check and adjust it:

```bash
cat /etc/nginx/conf.d/php-fpm.conf

```

Determine where PHP socket is listening

```bash
fgrep -irn www.sock /etc/php-fpm.d/

```

```bash
/etc/php-fpm.d/www.conf:38:listen = /run/php-fpm/www.sock

```

Adjust the upstream in the webserver config

```bash
vi /etc/nginx/conf.d/host.conf

```

```nginx
upstream php-handler {
    # server 127.0.0.1:9000;
    # server unix:/run/php/php8.2-fpm.sock;
    server unix:/run/php-fpm/www.sock;
}

```

[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/aCN7pxxB7FNvPmyX-image-1753071378807.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/aCN7pxxB7FNvPmyX-image-1753071378807.png)

Enable logging: check that the log file is created after reloading the Nextcloud page and that it can be followed with `tail`

```bash
mkdir -p /var/www/nextcloud/log
chown -R www-data:www-data /var/www/nextcloud/log/
vi /var/www/nextcloud/config/config.php
ls -la /var/www/nextcloud/log/

tail -f /var/www/nextcloud/log/nextcloud.log

```

# Big-Files upload

To enable big-file management, several components need to be fine-tuned.

Good practice is to back up a configuration file by copying it and adding a timestamp to the name. Also, duplicate the line to be modified and add a timestamped and signed comment.

# Prepare location for temporary storage

Ensure the disk used has enough space to allocate for temporary files: if the big-file limit is 16GB, 16GB must be available per upload process (if two users upload two files, it should be double).

```bash
export host="$(hostname)"
export dir="/mnt/${host}-data/ncp1/tmp/"
mkdir -p ${dir}/php-fpm/
mkdir -p ${dir}/nginx/
df -h ${dir}
chmod 775 ${dir}/php-fpm/
chmod 775 ${dir}/nginx/
chown -R www-data:www-data ${dir}

ls -latr ${dir}

```

First, let's look at the current settings that will be modified: note them, adjust the values and extract them again. By doing so, we ensure that the new values are applied. This facilitates troubleshooting.

# PHP (php-fpm)

Initially, it is important to understand that 'php' and 'php-fpm' are two different packages AND their configuration files are different as well.

To show PHP-related information, enable the "Show phpinfo()" button on the admin page. The reason to use it is that it shows PHP modules and versions exactly as they are seen from the application's perspective. The system might have packages installed that, for some reason, are not seen by the application. But..

```bash
root@(host):/var/www/nextcloud# sudo -u www-data php ./occ config:app:set --value=yes serverinfo phpinfo

```

```
Config value 'phpinfo' for app 'serverinfo' is now set to 'yes', stored as mixed in fast cache

```

The PHP info will be displayed on admin page, navigate to:

```
https://(nextcloud)/settings/admin/serverinfo

```

Click on "Show phpinfo()". Search for (CTRL+F or CMD+F in Firefox) "configuration file", which will indicate which file to modify. In my case, it is

```
Configuration File (php.ini) Path  /etc/php/8.3/fpm
Loaded Configuration File          /etc/php/8.3/fpm/php.ini 

```

We are interested in the values defining the maximum file size and the timeouts (in seconds).

Let's modify these values. Back up first, then open the editor

```bash
file="/etc/php/8.3/fpm/php.ini"
cp ${file} ${file}.$(date +"%Y-%m-%d.%H%M")
ls -latr ${file}*

vi ${file}

```

Duplicate the line, modify it, add the comment and save the file. The final result and documenting style should be as below

```ini
; php.ini comments start with ';' ('#' comments are not supported since PHP 7.0)
; max_execution_time = 30
; 2025-03-23  * for big files /A
max_execution_time = 3600

; max_input_time = 60
; 2025-03-23  * for big files /A
max_input_time = 60

; memory_limit = 128M
; 2025-03-23  * for big files /A
memory_limit = 1G

; post_max_size = 8M
; 2025-03-23  * for big files /A
post_max_size = 16G

; ;upload_tmp_dir =
; 2025-03-23  * for big files /A
upload_tmp_dir = /mnt/gcp1ncp1app1-data/ncp1/tmp/php-fpm/

; upload_max_filesize = 2M
; 2025-03-23  * for big files /A
upload_max_filesize = 16G

```

Restart php-fpm

```bash
systemctl restart php8.3-fpm

```

# Webserver (nginx):

```bash
root@(host):/home/anton# vi /etc/nginx/sites-enabled/(host).conf

```

```nginx
    # 2025-03-23  * for big files /A
    # client_max_body_size 512M;
    client_max_body_size 16G;
    # client_body_timeout 300s;
    client_body_timeout 3600s;

    # 2025-03-23  * for big files /A
    client_body_temp_path /mnt/gcp1ncp1app1-data/ncp1/tmp/nginx/;

```
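The PHP and nginx limits have to agree, because a request passes nginx first, then PHP's POST limit, then the per-file limit. The following added example (not part of the original page) reads the values back from both files and reports the layer that is too small; the function names and the sample files are assumptions, with the sample content constructed from the values on this page.

```bash
#!/usr/bin/env bash
# Added example: cross-check the big-file limits between php.ini and nginx.
set -eu

to_bytes() {    # 16G / 512M / 20k / plain number -> bytes (1024-based)
    n="${1%[KkMmGg]}"
    case "$1" in
        *[Kk]) echo $(( n * 1024 )) ;;
        *[Mm]) echo $(( n * 1024 * 1024 )) ;;
        *[Gg]) echo $(( n * 1024 * 1024 * 1024 )) ;;
        *)     echo "${n}" ;;
    esac
}
php_value() {   # last uncommented "key = value" in a php.ini-style file
    awk -F= -v k="$2" '/^[[:space:]]*[;#]/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { v = $2; gsub(/[[:space:]]/, "", v) }
        END { print v }' "$1"
}
nginx_value() { # first uncommented "directive value;" in an nginx file
    awk -v k="$2" '$1 == k { sub(/;$/, "", $2); print $2; exit }' "$1"
}
check_upload_limits() {   # 0 = consistent, 1 = a layer is too small, 2 = directive missing
    upload="$(php_value "$1" upload_max_filesize)"
    post="$(php_value "$1" post_max_size)"
    body="$(nginx_value "$2" client_max_body_size)"
    [ -n "${upload}" ] && [ -n "${post}" ] && [ -n "${body}" ] || return 2
    upload="$(to_bytes "${upload}")"; post="$(to_bytes "${post}")"; body="$(to_bytes "${body}")"
    rc=0
    [ "${post}" -ge "${upload}" ] || { echo "post_max_size < upload_max_filesize"; rc=1; }
    # client_max_body_size 0 disables the nginx check entirely.
    [ "${body}" -eq 0 ] || [ "${body}" -ge "${post}" ] || { echo "client_max_body_size < post_max_size"; rc=1; }
    return "${rc}"
}

# Constructed sample files using the values from this page.
cfg="$(mktemp -d)"
printf '; post_max_size = 8M\npost_max_size = 16G\nupload_max_filesize = 16G\n' > "${cfg}/php.ini"
printf '    # client_max_body_size 512M;\n    client_max_body_size 16G;\n' > "${cfg}/good.conf"
printf '    client_max_body_size 512M;\n' > "${cfg}/stale.conf"

check_upload_limits "${cfg}/php.ini" "${cfg}/good.conf" && echo "good.conf: limits consistent"
check_upload_limits "${cfg}/php.ini" "${cfg}/stale.conf" || echo "stale.conf: nginx rejects uploads above 512M"
```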

# Application

Adjust the chunk size (use smaller chunks for higher bandwidth). In this example it is set to 20 MB; the default is 100 MB. Use `--value 0` for no chunking.

```bash
cd /var/www/nextcloud/
sudo -u www-data php occ config:system:get files.chunked_upload.max_size
sudo -u www-data php occ config:system:set --type int --value 20971520 files.chunked_upload.max_size

```

```
System config value files.chunked_upload.max_size set to integer 20971520

```

```bash
sudo -u www-data php occ config:system:get files.chunked_upload.max_size

```

```
20971520

```

ref.

```
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configuration.html

```

# Replicate Nextcloud instance to another server

## Destination:

Prepare

```bash
export user="user"
export src="(source host)"
export dst="(destination host)"
export path="/home/${user}/delme/${src}--${dst}/"
mkdir -p ${path}
chown -R ${user}:${user} /home/${user}/delme/
ls -la ${path}
namei -mo ${path}

```

Clean before bringing new stuff here (carefully here)

```bash
echo ${path}
ls -la ${path}
read -p "Correct path to clean?"
rm -i ${path}/*
ls -la ${path}

```

## Source

Prepare

```bash
sudo su
export user="user"
export src="(source host)"
export dst="(destination host)"
export path="/home/${user}/delme/${src}--${dst}/"
export file="nextcloud.tgz.$(date +"%Y-%m-%d.%H%M")"
mkdir -p ${path}
ls -lahtr ${path}

```

Compress the application directory (takes a little time, coffee time)

```bash
tar -czvf ${path}/${file} /var/www/nextcloud/
ls -lahtr ${path}

```

Transfer file to the second instance

```bash
scp -v ${path}/${file} ${user}@${dst}:delme/${src}--${dst}/

```

## Destination (continues):

Check that the file has been transferred correctly

```bash
ls -lahtr ${path}

```

Move the current Nextcloud application instance aside before bringing in the new one.

```bash
export dir_current="nextcloud.$(date +"%Y-%m-%d.%H%M")"
echo ${dir_current}
mv /var/www/nextcloud /var/www/${dir_current}
ls -latr /var/www

```

Extract it

```bash
# that is number one, not L letter
export file=$(ls -1 ${path}/nextcloud*)
echo ${file}
tar -xzvf ${file} -C /

```

After successful testing, remove the old versions, as they occupy disk space.

```bash
ls -dlr /var/www/nextcloud*
du -h --max-depth=1 /var/www

```

# Encryption

Enable encryption app (functionality)

```bash
sudo -u www-data php /var/www/nextcloud/occ app:enable encryption

```

Enable encryption

```bash
sudo -u www-data php /var/www/nextcloud/occ encryption:enable

```

Enable master key mode

```bash
sudo -u www-data php /var/www/nextcloud/occ encryption:enable-master-key

```

Initialize encryption

```bash
sudo -u www-data php /var/www/nextcloud/occ encryption:init

```

Verify status

```bash
sudo -u www-data php /var/www/nextcloud/occ encryption:status

```

Enable a recovery key

```bash
sudo -u www-data php /var/www/nextcloud/occ encryption:enable-recovery

```

Enable encryption for group folders

By default, group folders are excluded from server-side encryption. To enable encryption for group folders, execute the command

```bash
./occ config:app:set groupfolders enable_encryption --value='true'

```

Restart scheduled jobs

```bash
systemctl restart nextcloud-cron
systemctl restart cron

```

Verify (the file content on disk should not be readable as plain text)

```bash
ls -lh /var/www/nextcloud/data/<username>/files/
cat /var/www/nextcloud/data/<username>/files/<file>

```