Nextcloud on OpenBSD

Page content

Intro

Wanna run your own Nextcloud Server on OpenBSD … ? Give a Try ! It’s quite trivial as you can see. Just fireup an empty machine, assign an Hostname / DNS Record, and follow the Examples below. This Setup is done on the current Version, 6.9. Have Fun !

Inspired by: https://dev.to/nabbisen/nextcloud-on-openbsd-installation-15d6

Packages

install some packages. i use sqlite as db because i don’t expect a lot of users/traffic/files.

$ doas pkg_add nextcloud
quirks-3.633 signed on 2021-09-27T19:58:00Z
Ambiguous: choose package for nextcloud
a 0: <None>
  1: nextcloud-20.0.12
  2: nextcloud-21.0.4
Your choice: 2
Ambiguous: choose dependency for nextcloud-21.0.4:
a 0: php-pdo_mysql-7.4.23
  1: php-pdo_pgsql-7.4.23
  2: php-pdo_sqlite-7.4.23
Your choice: 2
nextcloud-21.0.4:argon2-20190702: ok
nextcloud-21.0.4:libsodium-1.0.18p1: ok
nextcloud-21.0.4:libxml-2.9.10p3: ok
nextcloud-21.0.4:oniguruma-6.9.6: ok
...
nextcloud-21.0.4: ok
Running tags: ok
The following new rcscripts were installed: /etc/rc.d/php74_fpm
See rcctl(8) for details.
New and changed readme(s):
  /usr/local/share/doc/pkg-readmes/femail-chroot
  /usr/local/share/doc/pkg-readmes/nextcloud
  /usr/local/share/doc/pkg-readmes/php-7.4

Stuff

Create some Folders and stuff in the Chrooted Environement

doas mkdir -p /var/www/{etc,run}
doas cp /etc/resolv.conf /var/www/etc
doas ln -sf /var/www/nextcloud /nextcloud

httpd

configure and start httpd

cat << 'EOF' |doas tee /etc/httpd.conf

# http
server "box-amsterdam.puffy.work" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location * {
    block return 302 "https://$HTTP_HOST$REQUEST_URI"
  }
}
EOF

doas rcctl enable httpd
doas rcctl restart httpd

SSL Cert

get let’s encrypt ssl cert

cat << 'EOF' |doas tee -a /etc/acme-client.conf

domain box-amsterdam.puffy.work {
  domain key "/etc/ssl/private/box-amsterdam.puffy.work.key"
  domain full chain certificate "/etc/ssl/box-amsterdam.puffy.work.fullchain.pem"
  sign with letsencrypt
}
EOF

doas acme-client -v box-amsterdam.puffy.work

https

add https config to /etc/httpd.conf

cat << 'EOF' |doas tee -a /etc/httpd.conf

# https
server "box-amsterdam.puffy.work" {
  listen on * tls port 443
  tls {
    certificate "/etc/ssl/box-amsterdam.puffy.work.fullchain.pem"
    key "/etc/ssl/private/box-amsterdam.puffy.work.key"
  }

  # Set max upload size to 513M (in bytes)
  connection max request body 537919488
  connection max requests 1000
  connection request timeout 3600
  connection timeout 3600

  block drop

  # Ensure that no '*.php*' files can be fetched from these directories
  location "/nextcloud/config/*" {
    block drop
  }

  location "/nextcloud/data/*" {
    block drop
  }

  # Note that this matches "*.php*" anywhere in the request path.
  location "/nextcloud/*.php*" {
    root "/nextcloud"
    request strip 1
    fastcgi socket "/run/php-fpm.sock"
    pass
  }

  location "/nextcloud/apps/*" {
    root "/nextcloud"
    request strip 1
    pass
  }

  location "/nextcloud/core/*" {
    root "/nextcloud"
    request strip 1
    pass
  }

  location "/nextcloud" {
    block return 301 "$DOCUMENT_URI/index.php"
  }

  location "/nextcloud/" {
    block return 301 "$DOCUMENT_URI/index.php"
  }

  location "/.well-known/carddav" {
    block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
  }

  location "/.well-known/caldav" {
    block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav"
  }

  location "/.well-known/webfinger" {
    block return 301 "https://$SERVER_NAME/nextcloud/public.php?service=webfinger"
  }

  location match "/nextcloud/oc[ms]%-provider/*" {
    directory index index.php
    pass
  }

}
EOF

doas rcctl restart httpd

PHP

some tuning and other php configs

cat << 'EOF' |doas tee -a /etc/php-7.4.ini
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
EOF

# Enable Modules
cd /etc/php-7.4.sample
for i in *; do doas ln -sf ../php-7.4.sample/$i ../php-7.4/; done

# Create Folders and install ssl stuff
doas mkdir -p /var/www/etc/ssl
doas install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/

# Enable and Start Service
doas rcctl enable php74_fpm
doas rcctl restart php74_fpm

PF

nothing special. allow TCP/80 for World (-> Let’s Encrypt …) and redirect Port 80 to 443. IP Filerlist, based on ASN / Country would make sense. Have to think about it.

Nextcloud Setup

doas touch /var/www/nextcloud/config/CAN_INSTALL

open https://box-amsterdam.puffy.work/nextcloud/ and start configuration

-> Empfohlene Apps nicht installieren

open https://box-amsterdam.puffy.work/nextcloud/index.php/apps/files/ and finish configuration

Crontab

do some regular maintenance

*/15 * * * * su -m www -c "/usr/local/bin/php-7.4 -f /var/www/nextcloud/cron.php"

Backup

db export and file system backup make sense. i normally use borgbackup for this kind of stuff

Cronjob for Daily DB Backup

5 1 * * * /usr/local/bin/sqlite3 /var/www/nextcloud/data/owncloud.db ".dump" |gzip -c > /backup/nextcloud.db.gz

Upgrade to 21.0.5

after upgrade (pkg_add -VU), there was a new Version of NextCloud (21.0.5). The follwing Step is needed, either from via Webinterface or from the CLI.

/var/www/nextcloud# su -m www -c "./occ upgrade"

Open Topics

  • Redis ? Needed ?
  • Upgrade Procedure, for OpenBSD 7.0 ?

sha256: 43a0192259fd2cd3ceb2cc6d6fe5e4a286f887c9c24a6501cd30c07c4ddc8ef9