Nextcloud, properly
I’ve been running a Nextcloud instance privately for years. I set it up back then because I personally don’t get on with paper calendars and notebooks. I find it more useful to have a device that is able to remind me of appointments, tasks and the like. And because it is practical to have such digital notes available across devices, a server platform in the background is a good idea.
The easiest way to do this is certainly to use the services of Google, Apple or similar providers, but I personally avoid such platforms out of concern for the protection of my privacy. And if you are able to manage servers yourself thanks to your studies, it can only be interesting to use a self-hosted alternative such as Nextcloud. And it’s actually a very sophisticated product that is amazingly easy to install.
So I rented a virtual server with Ubuntu as the operating system from a hoster and installed Nextcloud on it. For the sake of simplicity, I used the snap package at the time. Snaps are a software package format that is mainly developed by Canonical, the company behind the Linux distribution Ubuntu. This snap package had the advantage that you didn’t even have to install the web server separately: the command “snap install nextcloud” installed the web server, PHP modules etc. completely. In addition, snap packages update themselves automatically. This is good for security, especially for software that is accessible from the network. Basically, I only had to take care of securing the Nextcloud instance with a Let’s Encrypt certificate; the rest was done via the Nextcloud web interface.
This Nextcloud instance has served me faithfully over the last few years. It manages my calendars so that I can access them from all my devices. Selected documents and images are also synchronized across all devices. I can even create and manage Kanban boards via the browser interface or an app.
Recently, unfortunately, I’ve noticed that my old Nextcloud server is starting to act up. It is repeatedly unavailable. And since I’ve been wanting to move the Nextcloud instance to another hoster for a while anyway and just have time to spare, the time had come for a migration. And this time I didn’t want to cheat. No snap package, no ready-made scripts. Instead: Set up the web server, configure the database and, ideally, learn something from it. I’m not claiming that this would be smarter or better than using the snap package - I basically just wanted to implement the installation differently this time for the sake of curiosity.
So I set up a server with the latest Ubuntu at the new hoster - as with the other hoster, this was done in seconds - and looked at the official Nextcloud documentation. The installation according to the official procedure is also pleasingly simple.
I’ve gotten into the habit of documenting complex processes that I’m learning. This is simply because I don’t like having to research things twice. Accordingly, I have also made a note of this Nextcloud installation on the side. I’m adding to this transcript here - perhaps a reader can benefit from it? Please note, however, that I am not a professional administrator. Accordingly, I strongly recommend taking a look at the official documentation. This applies in particular to software versions that are newer than those listed below.
Installation: Nextcloud 18.0.4 on Ubuntu 20.04
Initial Server Security
For the sake of completeness, I will start this documentation directly after the initial setup of the virtualized Ubuntu server. There are some common steps you can take to secure remote access to a Linux server after the initial connection via SSH. The usual first step is to add a non-root user with sudo privileges.
Server> sudo adduser username
Server> sudo adduser username sudo
It is also advisable not to log in via SSH using a password, but to generate a key pair on the accessing computer that is used for this purpose. With key-based login, no password is transmitted to the server at all, so there is nothing for a man-in-the-middle to capture and nothing for a brute-force attack to guess. The first step is therefore to generate a secure key pair on the accessing client.
Client> ssh-keygen -b 4096
After entering the command, you are asked what the key file should be called and where it should be stored. Two files are created there, a private key and a public key, which can be recognized by the file extension .pub. The content of this .pub file must now be transferred to the server so that the key pair can be used to log in to the server. There are several ways to do this, although I personally generally prefer copy-and-paste from the .pub file into a text editor on the server. To do this, the appropriate folder must first be created in which a file with the authorized keys is stored.
Server> mkdir ~/.ssh # Create the folder
Server> touch ~/.ssh/authorized_keys # Create the file
Server> nano ~/.ssh/authorized_keys # Open the file
The content of the .pub file on the client is inserted into this file. The session is then closed as root and a login with the identity of the new sudo user follows.
Client> ssh prieblinger@<ip>
Now the SSH configuration on the server is secured by deactivating the SSH login as root, as well as the login with a password.
Server> sudo nano /etc/ssh/sshd_config
The following two options are set in this file:
PermitRootLogin no
PasswordAuthentication no
The SSH service is then restarted:
Server> sudo service ssh restart
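An added check, not part of the original write-up: sshd uses the first value it finds for each keyword, and the stock sshd_config on Ubuntu 20.04 starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there can override the two options set above. The helper below resolves the effective value the same way; the function name and the sample files are constructed for illustration, and it assumes absolute Include paths and plain "Keyword value" lines.

```bash
#!/bin/sh
# effective_sshd_option FILE KEYWORD
# Prints the value sshd would use for KEYWORD in the global section of FILE:
# first occurrence wins, Include files are read in place, and the global
# section ends at the first Match line.
effective_sshd_option() (
    file=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while read -r key value rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) continue ;;               # blank line or comment
            match)   exit 1 ;;                 # global section is over
            include)
                for inc in $value $rest; do    # unquoted so the glob expands
                    [ -f "$inc" ] || continue
                    if found=$(effective_sshd_option "$inc" "$want"); then
                        printf '%s\n' "$found"; exit 0
                    fi
                done ;;
            "$want") printf '%s\n' "$value"; exit 0 ;;
        esac
    done < "$file"
    exit 1                                     # keyword not set explicitly
)

# Constructed sample: the main file sets both options to "no", but a
# drop-in that is included first re-enables password logins.
dir=$(mktemp -d)
mkdir "$dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-sample.conf"
printf '%s\n' "Include $dir/sshd_config.d/*.conf" \
    '#PermitRootLogin prohibit-password' \
    'PermitRootLogin no' \
    'PasswordAuthentication no' > "$dir/sshd_config"

echo "PermitRootLogin: $(effective_sshd_option "$dir/sshd_config" PermitRootLogin)"
echo "PasswordAuthentication: $(effective_sshd_option "$dir/sshd_config" PasswordAuthentication)"
```

On the real server, "sudo sshd -T" prints the configuration sshd actually loads and can be used to confirm the same two values.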
Preparing to install Nextcloud
Like much web-server-based software, Nextcloud requires the usual LAMP stack (Linux, Apache2 web server, MySQL/MariaDB, PHP). The “unzip” package is also required for later unpacking of the Nextcloud software.
Server> sudo apt-get install apache2 mariadb-server libapache2-mod-php7.4
Server> sudo apt-get install php7.4-gd php7.4-json php7.4-mysql php7.4-curl php7.4-mbstring
Server> sudo apt-get install php7.4-intl php-imagick php7.4-xml php7.4-zip
Server> sudo apt-get install unzip
For the MariaDB database, it is advisable to run the first of the following commands, which interactively secures the installation. You should make a note of the MariaDB root password, for example in a password manager. A database and a user for Nextcloud are then created in MariaDB.
Server> sudo mysql_secure_installation
Server> sudo mysql -u root -p
Server> CREATE DATABASE nextcloudDB;
Server> CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY '<sicheres Passwort eingeben>';
Server> GRANT ALL PRIVILEGES ON nextcloudDB.* TO 'nextcloud'@'localhost';
Server> FLUSH PRIVILEGES;
Server> exit
Installation of Nextcloud
Nextcloud itself can be downloaded as a zip archive from the Nextcloud website. This can be done by accessing the website on the client, copying the download link and inserting it into the SSH terminal to the server in a wget command. This will download the file behind the link to the server. The downloaded zip archive is then decompressed and the unzipped nextcloud folder is moved to the /var/www/html/nextcloud directory on the Apache web server. Finally, the access rights are adjusted.
Server> cd ~
Server> wget https://download.nextcloud.com/server/releases/nextcloud-18.0.4.zip
Server> unzip nextcloud-18.0.4.zip
Server> sudo mv ~/nextcloud /var/www/html/nextcloud
Server> sudo chown -R www-data:www-data /var/www/html/nextcloud/
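An added example, not part of the original write-up: before unpacking, the archive can be compared against the SHA-256 checksum file that the project publishes next to each release. The function name, file names and sample data below are constructed for illustration; the checksum file is assumed to use the usual "hash  filename" format written by sha256sum.

```bash
#!/bin/sh
# verify_download ARCHIVE CHECKSUM_FILE
# Returns 0 only if CHECKSUM_FILE lists ARCHIVE's file name and the listed
# hash equals the SHA-256 of the local file.
# Returns 2 if no entry for that name exists, 1 on a hash mismatch.
verify_download() (
    archive=$1
    sums=$2
    name=$(basename "$archive")
    expected=''
    while read -r hash entry || [ -n "$hash" ]; do
        entry=${entry#\*}              # sha256sum marks binary mode with '*'
        if [ "$entry" = "$name" ]; then
            expected=$hash
        fi
    done < "$sums"
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        exit 2
    fi
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        exit 1
    fi
)

# Constructed demo: a stand-in archive and a matching checksum file,
# then the same archive after it has been modified.
tmp=$(mktemp -d)
printf 'constructed archive bytes\n' > "$tmp/nextcloud-sample.zip"
( cd "$tmp" && sha256sum nextcloud-sample.zip > nextcloud-sample.zip.sha256 )

verify_download "$tmp/nextcloud-sample.zip" "$tmp/nextcloud-sample.zip.sha256" \
    && echo "checksum OK, safe to unzip"
printf 'tampered\n' >> "$tmp/nextcloud-sample.zip"
verify_download "$tmp/nextcloud-sample.zip" "$tmp/nextcloud-sample.zip.sha256" \
    || echo "archive rejected"
```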
The next step is to create a configuration file for Nextcloud in relation to the web server.
Server> sudo nano /etc/apache2/sites-available/nextcloud.conf
The following lines are entered there:
Alias / "/var/www/html/nextcloud/"
<Directory /var/www/html/nextcloud/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews
  <IfModule mod_dav.c>
    Dav off
  </IfModule>
</Directory>
The Nextcloud configuration is now activated, as are a number of Apache2 modules. The Apache2 service is then restarted to make the changes effective.
Server> sudo a2ensite nextcloud.conf
Server> sudo a2enmod rewrite headers env dir mime
Server> sudo service apache2 restart
From here, there are various ways to complete the installation of Nextcloud. One option is the wizard in the web interface. However, entering usernames and passwords on a website that is not yet encrypted is insecure, so you should avoid this method until https has been set up. Alternatively, the setup can be done in advance on the command line. Bear in mind that passwords passed as arguments in this way end up in the shell history.
Server> cd /var/www/html/nextcloud/
Server> sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloudDB" --database-user "nextcloud" --database-pass "password_of_database" --admin-user "adminprieblinger" --admin-pass "password_of_nextcloud_admin"
Nextcloud is now almost ready for use. All that remains is to enter the IP address and domain of the server in a configuration file:
Server> sudo nano /var/www/html/nextcloud/config/config.php
The trusted_domains entry in this file is adapted as follows, with the IP address and the purchased domain being entered under 1 and 2:
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'ip_addr_des_servers',
    2 => 'www.meineclouddomain.de',
  ),
The login screen of the Nextcloud instance can now be accessed via the IP address of the server in the browser. It can also be accessed via the domain you have just entered as soon as this is entered in a DNS server, for example with the provider from whom you have rented the server.
Before logging in for the first time, however, the login page should be secured via https so that access data cannot be intercepted in the first place. Fortunately, thanks to Certbot, published by the Electronic Frontier Foundation (EFF), this can be done easily and free of charge; exact details can be found on the Certbot page.
If required, there are various additional security measures that can be applied to the system, but these are beyond the scope of this entry.