# Nextcloud @Nginx @Oracle Linux v9.5 with self-signed cert (for virtualization)

# preparations

disable IPv6
```bash
TODO: sysclt ipv6...
```

```bash
dnf update
dnf install \
    mariadb \
    wget \
    unzip
```

# Create database

Connect to database server, create database and user for application from wherever it is possible. When safe post-script installation been executed, most probably remote root access is not permitted. Login locally to create new database and user.

```bash
ssh anton@lt58ncp1dbn1
sudo su
mariadb -u maxscale -p -h 10.120.12.xxx
```
```sql
CREATE DATABASE ncp1 CHARACTER SET utf8mb4;
CREATE USER 'ncp1rw'@'%' IDENTIFIED BY 'superpass';
GRANT ALL ON ncp1.* TO 'ncp1rw'@'%';
FLUSH PRIVILEGES;
SHOW GRANTS FOR ncp1rw;
```
```
+-------------------------------------------------------------------------------------------------------+
| Grants for ncp1rw@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `ncp1rw`@`%` IDENTIFIED BY PASSWORD '*BD9925F1D4C650B93F105762F0FC7F494AD66AC8' |
| GRANT ALL PRIVILEGES ON `ncp1`.* TO `ncp1rw`@`%`                                                      |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.009 sec)
```

Check connectivity to database server from application server

```bash
[root@lt58ncp1app1 anton]#
mariadb -h lt58ncp1dbn1 -u ncp1rw -p
```




# Generate certificates (self-signed)

Prepare storage
```bash
export fqdn="host"
export dir="/data/certs/"
mkdir -p ${dir}/CA
mkdir -p ${dir}/${fqdn}
cd ${dir}/CA
pwd
```

Create CSR and certificate
```bash
TODO: add echoing pass to file and from ${fqdn}.pass
```

create key for CA, give passpharase minimum of four(4) symbols (you want complicated for stronger setups)
```bash
openssl genrsa -out ca.key 2048
```

create request for CA certificate
```bash
openssl req -new -sha256 -key ca.key -out ca.csr
```

create a CA certificate
```bash
openssl x509 -req -days 3600 -in ca.csr -out ca.crt -signkey ca.key
```

generate a key for new certicate for server (modern systems accept key size minimum 2048)
```bash
openssl genrsa -out server.key 2048
```

create request for the new certificate
```bash
openssl req -new -sha256 -key server.key -out server.csr
```

sign request for new certificate with the CA
```bash
openssl x509 -req -sha256 -days 3600 -in server.csr -signkey server.key -out server.crt
```

Now we have pair of certificate and key, we can rename them
```bash
ls -la

mv ${dir}/CA/server.* ${dir}/${fqdn}/
cd ${dir}/${fqdn}/
mv server.csr ${fqdn}.csr
mv server.crt ${fqdn}.crt
mv server.key ${fqdn}.key
```

Fix SElinux contexts for certificates
```bash
setenforce 0
```





# Install Nginx webserver
```bash
dnf install nginx
systemctl enable nginx
systemctl start nginx
systemctl status nginx
ss -ntap | grep nginx
```
```bash
LISTEN 0      511           0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=3459,fd=6),("nginx",pid=3457,fd=6))
LISTEN 0      511              [::]:80             [::]:*     users:(("nginx",pid=3459,fd=7),("nginx",pid=3457,fd=7))
```


Create firewall rules for webserver
```bash
firewall-cmd --remove-service=http  --permanent
firewall-cmd    --add-service=https --permanent
systemctl restart firewalld
firewall-cmd --list-all
```

Prepare local storage for application (not for data)
```bash
sudo su
export dir="/var/www/"
mkdir -p ${dir}
cd $dir
pwd
```

Download nextcloud and check integrity. Decide which version is going to be deployed. Rule of thumb is to go current major version minus one.
```bash
# export v=21
export v=29
wget https://download.nextcloud.com/server/releases/latest-$v.zip
curl https://download.nextcloud.com/server/releases/latest-$v.zip.sha256
sha256sum latest-$v.zip
unzip latest-$v.zip
```

Change permission to nginx's configuration and applications directories
```bash
cat /etc/nginx/nginx.conf  | grep user
mkdir -p ${dir}/nextcloud/data/
chown -R nginx:nginx ${dir}/nextcloud/data/
chown -R nginx:nginx ${dir}/nextcloud/config/
chown -R nginx:nginx ${dir}/nextcloud/apps/
namei -mo ${dir}/nextcloud/config
```

Disable default config by commenting or deleting the lines
```bash
vi /etc/nginx/nginx.conf
```
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/uSNqrQbv2V3Hmc0p-image-1753070889284.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/uSNqrQbv2V3Hmc0p-image-1753070889284.png)

Create nginx configuration file
```bash
vi /etc/nginx/conf.d/server.conf
```
```ini
https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
```

Change certificates pointing to the created ones
```ini
    ssl_certificate     /data/certs/lt58nct1app21/lt58nct1app21.crt;
    ssl_certificate_key /data/certs/lt58nct1app21/lt58nct1app21.key;
```

Check and reload config
```bash
nginx -t
nginx -s reload
```

[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/43SCBnHCV36AQ9gg-image-1753071001517.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/43SCBnHCV36AQ9gg-image-1753071001517.png)


Enable latest supported PHP module:
```bash
dnf module list php
dnf module enable php:8.3
```
[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/yuHLuSSjCksOFM9s-image-1753071074526.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/yuHLuSSjCksOFM9s-image-1753071074526.png)

Install prerequsitives
```bash
dnf install \
  php \
  php-fpm \
  php-mysqlnd \
  php-zip \
  php-xml \
  php-mbstring \
  php-curl \
  php-gd
```

Enable php-fpm service
```bash
systemctl enable php-fpm
systemctl start php-fpm
systemctl status php-fpm
```

Modify webserver config to forward requests to correct socket. Config file comes with php-fpm package, but check and adjust configs:
```bash
cat /etc/nginx/conf.d/php-fpm.conf
```

Determine where PHP socket is listening
```bash
fgrep -irn www.sock /etc/php-fpm.d/
```
```bash
/etc/php-fpm.d/www.conf:38:listen = /run/php-fpm/www.sock
```


Reconfigure config
```bash
vi /etc/nginx/conf.d/host.conf
```
```bash
upstream php-handler {
    # server 127.0.0.1:9000;
    # server unix:/run/php/php8.2-fpm.sock;
    server unix:/run/php-fpm/www.sock;
}
```


[![](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/scaled-1680-/aCN7pxxB7FNvPmyX-image-1753071378807.png)](https://storage.googleapis.com/iau-data-dox/uploads/images/gallery/2025-07/aCN7pxxB7FNvPmyX-image-1753071378807.png)


Enable logging:
check log file is created after reloading nextcloud page and it can be tail'ed
```bash
mkdir -p /var/www/nextcloud/log
chown -R www-data:www-data /var/www/nextcloud/log/
vi /var/www/nextcloud/config/config.php
ls -la /var/www/nextcloud/log/

tail -f /var/www/nextcloud/log/nextcloud.log
```