servers:nextcloud

https://www.howtoforge.com/tutorial/ubuntu-nginx-nextcloud/#step-install-and-configure-phpfpm

How to Install Nextcloud with Nginx on Ubuntu 20.04 LTS

Prerequisites

What we will do

  1. Step 1 - Install Nginx Web server
  2. Step 2 - Install and Configure PHP7.4-FPM
  3. Step 3 - Install and Configure MySQL Server
  4. Step 4 - Generate SSL Letsencrypt
  5. Step 5 - Download Nextcloud
  6. Step 6 - Configure Nginx Virtual Host for Nextcloud
  7. Step 7 - Configure UFW Firewall
  8. Step 8 - Nextcloud Post-Installation
  9. Reference

Ubuntu Server 18.04 LTS
Root privileges

You can have a look at the official documentation on how to install Nextcloud with Nginx from the compressed archive. It is more or less what is explained in this document, except that we will detail the MySQL installation. It is strongly recommended to install MySQL, PostgreSQL or MariaDB instead of the SQLite database to manage the data.

https://docs.nextcloud.com/server/15/admin_manual/installation/nginx.html

  1. Install Nginx Web server
  2. Install and Configure PHP7.2-FPM
  3. Install and Configure MySQL Server
  4. Generate SSL Letsencrypt
  5. Download Nextcloud 15
  6. Configure Nginx Virtual Host for Nextcloud
  7. UFW Firewall Configuration
  8. Nextcloud Post-Installation

We will use Nginx instead of Apache because we think that Nginx is simpler to configure with multiple instances of web apps, and when you have more than one web site on your server.

To install nginx :

sudo apt-get install nginx

Nothing more to do, everything starts up automatically. At the end we will configure the server configuration file. It is located in /etc/nginx/sites-available. You should create a file there, for example named nextcloud, and a symlink to it in /etc/nginx/sites-enabled.

We will install PHP-7.4

sudo apt-get install php7.4

You can add several packages like:

php -m

bcmath
bz2
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
intl
json
ldap
libxml
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
readline
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
sqlite3
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xdebug
xml
xmlreader
xmlrpc
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Xdebug
Zend OPcache

It is a quite complete list, enabling the installation of a lot of Nextcloud plugins. You can probably install fewer modules on your server if you do not want plugins such as thumbnails, calendar, sync with a foreign directory, etc.

You have to adjust parameters in php.ini for optimal usage:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configuration.html?highlight=php%20timeout#configuring-your-web-server

sudo apt-get install mysql-server mysql-client

After installing the server you need to create an admin user in the DB and the DB dedicated to Nextcloud.

Configuration of the DB : setting up the root password

sudo mysql_secure_installation

With this MySQL version (5.8) there is a security improvement in the MySQL password policy. You need to choose the password policy: 0 for the LOW policy, 1 for the MEDIUM policy, and 2 for the STRONG password policy.

For this guide, we will be using the 'MEDIUM' password policy, and it's recommended to use the 'STRONG' password policy on the production server.

Choose number '1' and press Enter, then type your new MySQL 'root' password.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y

Next, we will create a new database for the Nextcloud installation. We will create a new database named 'nextcloud' with the user 'nextclouduser' and password 'Nextclouduser421@'. The user name and the password are free, this is an example, it is up to you to change it!

mysql -u root -p

CREATE DATABASE nextcloud_db;
-- One dedicated account, restricted to localhost and to the nextcloud_db schema only
CREATE USER 'nextclouduser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON nextcloud_db.* TO 'nextclouduser'@'localhost';
FLUSH PRIVILEGES;

postgres@tabasco:/home/stephane$ psql
psql (10.10 (Ubuntu 10.10-0ubuntu0.18.04.1))
Type "help" for help.

postgres=# CREATE USER clearcloud WITH password 'password';
CREATE ROLE
postgres=# CREATE DATABASE clearcloud_db WITH owner clearcloud template template0 encoding 'UTF8';
CREATE DATABASE
postgres=# END
postgres-# ;
WARNING:  there is no transaction in progress
COMMIT
postgres=# \q

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.hakase-labs.pw;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.hakase-labs.pw;

    ssl_certificate /etc/letsencrypt/live/nextcloud.hakase-labs.pw/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.hakase-labs.pw/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15552000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
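The vhost above carries a handful of directives that do the real hardening work: the HTTP to HTTPS redirect, the security headers, the two `deny all` locations that keep `config/`, `data/`, `occ` and dot-files off the web, and `fastcgi_param HTTPS on` so PHP knows it is behind TLS. The following script is an added example, not code from the wiki page or from Nextcloud: it audits a vhost file for those directives and reports what is missing. The two sample vhosts are constructed in temp files so it runs offline; point `nginx_missing_directives` at /etc/nginx/sites-available/nextcloud for a real check.

```shell
#!/bin/sh
# Added example: audit an Nginx vhost for the Nextcloud hardening directives
# shown in the configuration above. Not part of the wiki page or of Nextcloud.

# One required directive per line, as it appears in the vhost above.
REQUIRED_DIRECTIVES='return 301 https://
add_header X-Content-Type-Options nosniff
add_header X-Robots-Tag none
add_header X-Permitted-Cross-Domain-Policies none
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)
fastcgi_param HTTPS on'

# nginx_missing_directives FILE
# Prints "MISSING: <directive>" for each required directive not active in FILE.
nginx_missing_directives() {
  # Drop comments first so a commented-out directive does not pass the check.
  active=$(sed 's/#.*$//' "$1")
  printf '%s\n' "$REQUIRED_DIRECTIVES" | while IFS= read -r directive; do
    if ! printf '%s\n' "$active" | grep -qF -- "$directive"; then
      printf 'MISSING: %s\n' "$directive"
    fi
  done
}

# nginx_missing_count FILE
# Prints the number of missing directives (0 means the vhost passes).
nginx_missing_count() {
  nginx_missing_directives "$1" | grep -c '^MISSING:'
}

GOOD_CONF=$(mktemp) && BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Constructed vhost with every hardening directive (trimmed from the config above).
cat > "$GOOD_CONF" <<'EOF'
server {
    listen 80;
    server_name cloud.example.test;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name cloud.example.test;
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag none;
    add_header X-Permitted-Cross-Domain-Policies none;
    root /var/www/nextcloud/;
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }
    location ~ ^/(?:index|remote|public|cron)\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_param HTTPS on;
        fastcgi_pass php-handler;
    }
}
EOF

# Constructed vhost as seen after a partial copy: redirect and nosniff header
# kept, X-Robots-Tag commented out, deny rules and HTTPS=on forgotten.
cat > "$BAD_CONF" <<'EOF'
server {
    listen 80;
    server_name cloud.example.test;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name cloud.example.test;
    add_header X-Content-Type-Options nosniff;
    # add_header X-Robots-Tag none;
    root /var/www/nextcloud/;
    location / { rewrite ^ /index.php$uri; }
    location ~ \.php(?:$|/) {
        include fastcgi_params;
        fastcgi_pass php-handler;
    }
}
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
  printf '%s: %s missing\n' "$f" "$(nginx_missing_count "$f")"
  nginx_missing_directives "$f"
done
```

The check is deliberately a substring match on the active (uncommented) text, so it catches the common failure of copying the vhost and leaving a header commented out; it does not parse Nginx syntax, so a directive placed in the wrong `location` block will still pass.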

('http://tabasco') Then you have to check the NextCloud config file in /var/www/nextcloud/config/config.php:

<?php
$CONFIG = array (
  'instanceid' => 'oco1xrbofsp9',
  'passwordsalt' => 'MBTnbj+U*************t1GgMQce8pAC',
  'secret' => 'xMuYHol*************************lio12niLSZMp43nK7g',
  'trusted_domains' =>
  array (
    0 => 'tabasco',
    1 => 'clearcloud',
    2 => '192.168.70.96',
    3 => 'localhost',
    4 => 'tabasco.c2n.u-psud.fr',
    5 => 'clearcloud.c2n.u-psud.fr',
    6 => 'clearoffice',
    7 => 'clearoffice.c2n.u-psud.fr',
  ),
  'datadirectory' => '/data',
  'dbtype' => 'pgsql',
  'version' => '16.0.6.1',
  'dbname' => 'clearcloud_db',
  'dbhost' => '127.0.0.1',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'clearcloud',
  'dbpassword' => '**********',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'stephane.guilet',
  'mail_domain' => 'u-psud.fr',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'smtp.u-psud.fr',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'stephane.guilet',
  'mail_smtppassword' => '************',
  'mail_smtpsecure' => 'tls',
  'app_install_overwrite' =>
  array (
    0 => 'user_cas',
    1 => 'calendar',
  ),
  'updater.release.channel' => 'production',
  'overwrite.cli.url' => 'https://clearcloud.c2n.u-psud.fr',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'updater.secret' => '$2y$10$QYv96PHPlsBkYSMdxs6hMOsrS7YhuMMhjma4K30cmHRMTZxz8RApC',
);

To install CAS, you have to choose the user_cas module, install it and activate it.

The simplest way is to do it through the NextCloud app store.

In the configuration menu, and specifically for the u-psud SSO:

  1. CAS server version: 2.0
  2. Server Host: sso.u-psud.fr
  3. Server Port: 443
  4. Server Path: /cas
  5. Service URL: http://$HOSTNAME.c2n.u-psud.fr/apps/user_cas/login
  6. You can enable forcing the login through CAS, but do not forget to specify a few IP addresses so that you can still log in as the local admin.
  7. Activate: Autocreate user after first CAS login?
  8. Activate the automatic update at each login…
  9. In the Mapping tab, select Groups and write: departmentNumber;
  10. In the Groups tab: select a default group for new users (e.g. users)
  11. Select the authorized groups: 9022 for C2N (works with the code below)
  12. Set a 10GB quota for new users

In the latest version of user_cas the mapping works, so the code modification below is unnecessary.

In the file /var/www/nextcloud/apps/user_cas/lib/Service/UserService.php the following code had to be installed:

# Test for standard 'groups' attribute
else if (array_key_exists('departmentNumber', $casAttributes)) {
    // u-psud publishes the group numbers as a JSON list in departmentNumber
    $casGroups = json_decode($casAttributes['departmentNumber']);
}

Indeed, in CAS servers the attributes are free-form, and in the u-psud one there is no attribute named groups.

The structure is:

'phpCAS' =>
    array (size=2)
      'user' => string 'stephane.guilet' (length=15)
      'attributes' =>
        array (size=11)
          'mail' => string 'stephane.guilet@u-psud.fr' (length=25)
          'eduPersonAffiliation' => string '[member, staff]' (length=15)
          'sn' => string 'Guilet' (length=6)
          'supannEtablissement' => string '{CNRS}C2N' (length=9)
          'eduPersonPrimaryAffiliation' => string 'staff' (length=5)
          'supannEntiteAffectation' => string '9260' (length=4)
          'ou' => string 'Centre de Nanosciences et de Nanotechnologies' (length=45)
          'supannEntiteAffectationPrincipale' => string '9260' (length=4)
          'departmentNumber' => string '[9260, 9253, 9145, 9022, 2211]' (length=30)
          'cn' => string 'Guilet Stephane' (length=15)
          'givenName' => string 'Stephane' (length=8)

We can therefore see that the group numbers are in the departmentNumber attribute.
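The access decision this mapping implies (parse departmentNumber, accept the login only if one of its group numbers is in the authorized list, 9022 for C2N) is small enough to show end to end. The script below is an added example, not code from the wiki page or from the user_cas app; the attribute values are constructed in the shape of the phpCAS dump above. The one design choice worth noting: a value that is not a bracketed list of integers (or a single integer) yields no groups at all rather than a guess, which is the safe failure mode for an authorization check.

```shell
#!/bin/sh
# Added example: group extraction and authorization decision for the CAS
# departmentNumber attribute. Not part of the wiki page or of user_cas.

# cas_groups_from_department_number VALUE
# Prints one group number per line; prints nothing for a malformed value.
cas_groups_from_department_number() {
  # Accept '[n, n, n]' or a bare 'n'; anything else is treated as no groups.
  if printf '%s' "$1" | grep -Eq '^(\[[0-9]+( *, *[0-9]+)*\]|[0-9]+)$'; then
    printf '%s\n' "$1" | tr -d '[] ' | tr ',' '\n'
  fi
}

# cas_user_allowed VALUE AUTHORIZED_GROUPS
# AUTHORIZED_GROUPS is space-separated. Returns 0 when allowed, 1 when denied.
cas_user_allowed() {
  user_groups=$(cas_groups_from_department_number "$1")
  for allowed in $2; do
    for g in $user_groups; do
      [ "$g" = "$allowed" ] && return 0
    done
  done
  return 1
}

# Constructed attribute values in the shape of the phpCAS dump above.
AUTHORIZED_GROUPS='9022'
for attr in '[9260, 9253, 9145, 9022, 2211]' '[9260, 9253]' '9022' 'staff' ''; do
  if cas_user_allowed "$attr" "$AUTHORIZED_GROUPS"; then v=allowed; else v=denied; fi
  printf "departmentNumber=%-34s -> %s\n" "'$attr'" "$v"
done
```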

https://clearcloud.c2n.u-psud.fr/

The main server of clearcloud is tabasco. So log in to tabasco and mount the remote directory for saving data, if it is not already mounted:

sshfs stephane@paprika.c2n.u-psud.fr:/clearcloud /paprika/

You should find the directory /paprika already mounted on tabasco. The file /etc/fstab should contain:

# safe data on DigiCleaR/Tabasco
192.168.70.95:/clearcloud		/paprika	nfs	auto	0	0

Then do the synchronization for data transfer

rsync -rlDxv /data/ /paprika/data/
rsync -rlDxv /var/www/ /paprika/backup/
rsync -rlDxv /etc/ /paprika/etc/

A script has been created: /usr/local/bin/synchro_with_paprika
Use it as a simple user; I do not understand why it doesn't work with sudo!

original article

Let's assume you have already installed PostgreSQL by typing the “sudo apt install postgresql postgresql-contrib”-command and the database is running on port 5432. Now let's head to the prompt and create a new database “nextcloud”. Additionally, we create a user, assign him a password and grant all permissions of the new database to this account. User as well as database are entitled “nextcloud” in this example. Switch to the “postgres”-user from the prompt. Now you can either look which databases are already present (just a hint) or change straight into the “postgresql”-database.

su - postgres
psql -l
psql postgres

Here we create a new database:

CREATE DATABASE nextcloud;

sudo -u www-data php occ files:scan --all

After exiting, we enter the newly created database:

psql nextcloud

Now we create a user (remember: “nextcloud” as well), assign a password (“test_password” - please change with your preferred, ultra-secret password!) and grant him all privileges on the “nextcloud”-database:

CREATE USER nextcloud WITH PASSWORD 'test_password';
GRANT ALL PRIVILEGES ON DATABASE "nextcloud" TO nextcloud;

Remember to finish the whole thing by typing \q at the psql prompt.

DO NOT forget to allow the connection to database using MD5 instead of peer unix socket by changing the file /etc/postgresql/10/main/pg_hba.conf

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     md5
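Editing pg_hba.conf by hand is where PostgreSQL access control is most often loosened by accident, so it is worth being able to read back what is actually active. The script below is an added example, not from the wiki page: it lists the authentication method of every active rule and flags the weak ones. `trust` admits any client that can reach the socket or port with no password at all, and `password` sends the password in clear text; `md5` (used above) and `scram-sha-256` are password methods that do not. The sample file is constructed in a temp path so the functions run offline; point `audit_pg_hba` at /etc/postgresql/10/main/pg_hba.conf to audit the real one.

```shell
#!/bin/sh
# Added example: audit the active rules of a pg_hba.conf file.
# Not part of the wiki page.

# audit_pg_hba FILE
# Prints one line per active rule: "OK|WEAK type database user address method".
audit_pg_hba() {
  # Strip comments and blank lines, then split the columns. 'local' rules
  # have no ADDRESS column, so their METHOD is the 4th field; for host,
  # hostssl and hostnossl rules it is the 5th.
  sed 's/#.*$//' "$1" | grep -v '^[[:space:]]*$' |
  while read -r type db user f4 f5 rest; do
    case "$type" in
      local) address="-";   method="$f4" ;;
      *)     address="$f4"; method="$f5" ;;
    esac
    case "$method" in
      trust|password) verdict="WEAK" ;;
      *)              verdict="OK" ;;
    esac
    printf '%-4s %-9s %-14s %-10s %-16s %s\n' \
      "$verdict" "$type" "$db" "$user" "$address" "$method"
  done
}

# pg_hba_weak_count FILE
# Prints the number of WEAK rules (0 means nothing to fix).
pg_hba_weak_count() {
  audit_pg_hba "$1" | grep -c '^WEAK'
}

# Constructed sample in the layout of the pg_hba.conf excerpt above.
PG_HBA_SAMPLE=$(mktemp)
trap 'rm -f "$PG_HBA_SAMPLE"' EXIT
cat > "$PG_HBA_SAMPLE" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     md5
host    all             all             127.0.0.1/32            trust
host    all             all             0.0.0.0/0               password
hostssl clearcloud_db   clearcloud      192.168.70.0/24         scram-sha-256
EOF

audit_pg_hba "$PG_HBA_SAMPLE"
printf 'weak rules: %s\n' "$(pg_hba_weak_count "$PG_HBA_SAMPLE")"
```

Rules are matched top-down by PostgreSQL, so after fixing a WEAK line also check that no earlier, broader rule already captures the same connections.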

After we have made all pre-arrangements, Nextcloud's task is now to transfer everything from database engine A (MySQL/MariaDB) to B (PostgreSQL). Like we already know from Nextcloud, the “occ”-command is a pretty nice Swiss knife-tool belonging to each Nextcloud-installation. In my example, the command

sudo -u www-data php occ db:convert-type --all-apps pgsql clearcloud_db 127.0.0.1 clearcloud

sudo -u www-data php /var/www/nextcloud/occ maintenance:repair

https://doc.owncloud.org/server/admin_manual/configuration/database/db_conversion.html

php occ db:convert-type [options] type username hostname database

takes care that the migration process starts (the “occ”-file should be executable - if you haven't used it before, a “chmod +x occ” should change this state). Nextcloud's “occ” asks for the PostgreSQL-database password now:

Just enter it and you are ready to go - after doing some magic, everything's ready. Quite ordinary, but effective!

The status at the end of the migration should tell you that your Nextcloud-instance is now running on PostgreSQL. Now enter your browser and check the availability of your installation - if everything went well, you should be able to log in without problems.

As a proof that the database is now really based on PostgreSQL, just check your config.php-file. It is available in the “config”-folder located within your Nextcloud-webroot.

The “dbtype” should now be “pgsql” instead of “mysql” - a good sign that the magic we conjured with a single command finally worked without problems! You may now drop your MySQL-/MariaDB user and database after - of course - having backed up the old database credentials and contents. As always I recommend to backup anyway, no matter what you are doing on a system in production. Have fun once you ever should need this, too - and don't forget to leave your comments in case of any questions!

If you want to find the original help from nextcloud: here you go

Upgrading NextCloud

If you can't access the web version of your administration account on Nextcloud, you can do the upgrade on the command line. Instead of clicking buttons you can invoke the command line based updater by going into the updater/ directory in the Nextcloud directory and executing updater.phar as the web server user, i.e.:

sudo -u www-data php updater.phar

For more help : https://docs.nextcloud.com/server/18/admin_manual/maintenance/update.html#using-the-command-line-based-updater

Most of the time, for minor versions, you can use the online web upgrade: as an administrator you go to the settings and then proceed to upgrade the version of your Nextcloud. But for major versions (from 16 to 17, for example) it can happen that Nextcloud gets stuck in an upgrade if the web based upgrade process is used. This is usually due to the process taking too long and hitting a PHP time-out.

Then you will need the following commands, run in console mode. Go to /var/www/nextcloud on tabasco.c2n.u-psud.fr.

sudo -u www-data php occ maintenance:mode --off
sudo -u www-data php occ upgrade
sudo -u www-data php occ maintenance:repair

How to admin NextCloud/CleaRCloud with occ command

occ is the command line executable for Nextcloud configuration and control operations.
It is really useful if you have remote access to the server hosting NextCloud but not to the graphical admin interface, for security reasons.
occ is located in the root directory of NextCloud, for example /var/www/nextcloud.

The settings of the users can be accessed via the following command line:

sudo -u www-data php occ user:setting stephane.guilet [...]

sudo -u www-data php occ user:setting stephane.guilet files quota 50GB

sudo -u www-data php occ files:scan --all

cd /var/www/nextcloud/
sudo -u www-data php ./updater/updater.phar

#!/bin/bash

# This script should be executed after the sudo su command.
# You should be in the data directory of NextCloud.
# It must run as the web server user, for example:
#   su -s /bin/bash www-data -c 'create_users <option> <list-file>'

echo "***************************************************"
echo "* script to create users in NextCloud from a list *"
echo "*  1 - move existing (folder to folder.1)         *"
echo "*  2 - create user using occ command line         *"
echo "*  3 - delete user folder                         *"
echo "*  4 - move folder.1 to folder                    *"
echo "*  5 - execute an update of the data base         *"
echo "***************************************************"

option="0"

# Read the user list (one user name per line) into the array Liste.
# Prints a message and returns 1 when no list file was given.
read_list() {
   if [ -z "$1" ]; then
      echo " No list provided "
      return 1
   fi
   mapfile -t Liste < "$1"
}

if [ "$1" = "1" ]; then
   echo "Moving folders"
   option="1"
   if read_list "$2"; then
      for i in "${Liste[@]}"; do
         echo "move from $i to $i.1"
         mv -- "$i" "$i.1"
      done
   fi
fi

if [ "$1" = "2" ]; then
   echo "Creating users from a list : ${2}"
   option="1"
   if read_list "$2"; then
      # Initial password handed to occ through the environment (--password-from-env)
      export OC_PASS=3csBu5PFqNCM9Md
      for i in "${Liste[@]}"; do
         echo "create user : $i"
         php /var/www/nextcloud/occ user:add --password-from-env --display-name="${i}" --group="users" "${i}"
      done
   fi
fi

if [ "$1" = "4" ]; then
   echo "Moving folders (delete the current user empty folder)"
   option="1"
   if read_list "$2"; then
      for i in "${Liste[@]}"; do
         echo "move from $i.1 to $i"
         rm -R -- "$i"
         mv -- "$i.1" "$i"
      done
   fi
fi

if [ "$1" = "5" ]; then
   echo "Updating database in NextCloud for new files for all users"
   option="1"
   php /var/www/nextcloud/occ files:scan --all
fi

if [ "$option" = "0" ]; then
   echo "Bad option : ${1}"
fi

if [ "$1" = "" ]; then
    echo "Undefined option"
fi

# Other ways to create a user, kept for reference:
# sudo -u www-data php occ user:add --display-name="$_name" --group="9022" $_user --password="3csBu5PFqNCM9Md"
# export OC_PASS=3csBu5PFqNCM9Md
# su -s /bin/sh www-data -c 'php occ user:add --password-from-env  --display-name="Fred Jones" --group="users" fred'
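The script above gives every new account the same initial password, written into the script itself. The variant below is an added example, not the wiki's script: it generates a random initial password per user, passes it to occ only through the OC_PASS environment variable (the same `--password-from-env` mechanism as above, so the password is never on the command line or in shell history), and prints the login/password pair once so it can be handed to the user out of band. `OCC_CMD` is an assumption of this example: it defaults to `echo` (a dry run that only prints the occ command) and must be set to `php /var/www/nextcloud/occ` to create users for real. Logins that look like options or paths are rejected before occ is called.

```shell
#!/bin/sh
# Added example: create NextCloud users with a random initial password each.
# Not the wiki's script. OCC_CMD (assumed name) defaults to a dry run; set
# OCC_CMD="php /var/www/nextcloud/occ" to really create the accounts.

OCC_CMD="${OCC_CMD:-echo}"

# gen_initial_password
# 24 random bytes -> base64 (32 chars) with URL-unfriendly characters removed.
gen_initial_password() {
  head -c 24 /dev/urandom | base64 | tr -d '/+=\n'
}

# create_nextcloud_user LOGIN DISPLAY_NAME [GROUP]
# Prints "LOGIN PASSWORD" on stdout after occ has accepted the user;
# the password itself never appears on the occ command line.
create_nextcloud_user() {
  login="$1"; display="$2"; group="${3:-users}"
  # Reject logins that could be read as options or paths by occ.
  case "$login" in
    ''|-*|*/*|*' '*) printf 'invalid login: %s\n' "$login" >&2; return 1 ;;
  esac
  OC_PASS=$(gen_initial_password)
  export OC_PASS
  $OCC_CMD user:add --password-from-env --display-name="$display" --group="$group" "$login" || return 1
  printf '%s %s\n' "$login" "$OC_PASS"
  unset OC_PASS
}

# create_users_from_list FILE  (one login per line, as the script above expects)
create_users_from_list() {
  while IFS= read -r login; do
    [ -n "$login" ] || continue
    create_nextcloud_user "$login" "$login"
  done < "$1"
}

# Demo on a constructed list; with the default OCC_CMD=echo nothing is created.
USER_LIST=$(mktemp)
trap 'rm -f "$USER_LIST"' EXIT
printf 'alice\nbob\n' > "$USER_LIST"
create_users_from_list "$USER_LIST"
```

To run it for real as the web server user: `OCC_CMD="php /var/www/nextcloud/occ" su -s /bin/sh www-data -c 'sh create_users_random.sh'`, then deliver each printed pair to its user and have them change the password at first login.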

  • servers/nextcloud.txt
  • Last modified: 2023/04/24 08:20
  • by stephane