How to manually install Nextcloud on FreeNAS in an iocage jail with hardened security

How to manually install Nextcloud on FreeNAS in an iocage jail with hardened security v2.0.1

G8One2

Patron
Joined
Jan 2, 2017
Messages
248
I originally ended up attempting the DNS verification following your guide, but I couldn't get that working either because I couldn't figure out AWS, and php install-dns-route53 command didn't work. Which is why I used pkg install py36-certbot. It was the only way I could get it to work. I'm not skilled so it could have very well been something I was doing wrong. I was just going step by step through your guide.

Bashern

Dabbler
Joined
Sep 1, 2015
Messages
26
Looks like php 7.3 is now required for the passwords app, can we get a guide update for installing with php 7.3 or migrating to 7.3?

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
Looks like php 7.3 is now required for the passwords app, can we get a guide update for installing with php 7.3 or migrating to 7.3?
This should be as simple as selecting nextcloud-php73 when you install. There doesn't appear to be a good way to migrate from one version to another at this point; the easiest thing would probably be to nuke your jail, rebuild it with php73 and restore your previous data, which should be straight forward if you've followed the instructions to store the important data outside of the jail.

My plan is to update this guide at some stage soon; will depend on how busy I get with upcoming studies though.

G8One2

Patron
Joined
Jan 2, 2017
Messages
248

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
Might be beneficial to add sudo to the build, because many of the nextcloud help articles you find through searches, show commands using sudo. Unless doing so could potentially break the nextcloud install. For me, specifically this https://docs.nextcloud.com/server/17/admin_manual/configuration_database/bigint_identifiers.html
Interesting idea. Installing sudo is functionally pointless as all of the commands I give are run as the root user, so no privilege escalation is necessary. Additionally, this guide isn't meant to just provide you with a list of commands to run; it's also supposed to give you some understanding about what's happening when you execute those commands. That is to say, ideally at the end of this guide you aren't going and copying commands willy-nilly hoping it will solve your issue. To use the link you provided as an example, one of the commands provided is:
Code:
sudo -u www-data php occ db:convert-filecache-bigint

Here, sudo is simply being used to switch user to the www-data user (sudo -u). Aside from the fact that the sudo package isn't installed, this command won't work. In FreeBSD, the user that runs the web server is www, not www-data. My guide already provides some exemplars of how to issue commands like this, as an example:

Code:
su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/tmp/redis.sock"'

The equivalent command from your link would be:
Code:
su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'

Both commands use the same program, occ; the only difference is that I provide the full path so that it can be called from any current working directory. I guess my point is that by the end of the guide, if the user has read and understood it and not just copied the commands, they should be at a point where they are able to draw parallels between the instructions my guide provides and other documentation with slight variations on commands. I would also expect users to be able to install the packages they need if they want to go beyond the guide; pkg install sudo is all you would need to achieve this; I'm not sure that needs specific direction.

G8One2

Patron
Joined
Jan 2, 2017
Messages
248
You're right. It's probably not needed, but I did read and follow your guide step by step; I did understand what was going on and why it was being done, to an extent. Even so, my lack of knowledge in script makes it difficult to know how to manage certain things such as the bigint command. I did not know how to properly issue that command because it was different from a FreeBSD command, and I didn't want to willy-nilly issue commands that could break the install. I was only suggesting a sudo install, so that some of the easier things to manage wouldn't require an inquiry to you or one of your threads to apply a command to simply manage things that are in Nextcloud's documentation. I understand your guide was not meant to just be copied and pasted, but to those who are inexperienced in script, some of that guide, even though you go to lengths to explain, doesn't actually teach everything you need to know about script. However, I am very thankful for the effort you put into this, and the active responses you give to all who inquire.

NASbox

Guru
Joined
May 8, 2012
Messages
650
I hope I'm not posting in the wrong place; if so, apologies in advance. @danb35 I just saw your NextCloud setup script, and I was wondering if it is possible to easily modify your script to use self-signed certificates INSIDE the firewall. I don't really want (or need) the server to be exposed to the internet at large. If I need access, I'll use a VPN.

Before I waste a lot of time on the project, I wanted to get an idea if this was going to be easy or a lot of work. This is the first I've heard of Caddy, but it looks way lighter/easier to set up/less resource intensive than Nginx or Apache!

Any input/suggestions would be much appreciated.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I Hope I'm not posting in the wrong place
Since you seem to be asking about my script, I'd think your question would be better posted in the thread about that script than here, which is dealing with a completely different guide.
I was wondering if it is possible to easily modify your script to use self signed certificates
No modification is necessary; this is a supported configuration option.

fahadshery

Contributor
Joined
Sep 29, 2017
Messages
179
You need to run inside the jail:

su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ maintenance:mode --on'
su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ db:convert-filecache-bigint'
su -m www -c 'php /usr/local/www/apache24/data/nextcloud/occ maintenance:mode --off'

my occ file was located here: /usr/local/www/nextcloud/occ
but other than that it worked beautifully so thanks :)
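A small POSIX sh helper, added here as an example and not taken from the guide or from any post in this thread, that does mechanically what samuel-emrys describes above: it rewrites a Debian-style "sudo -u www-data php occ ..." line from the Nextcloud docs into the FreeBSD jail form "su -m www -c 'php /usr/local/www/nextcloud/occ ...'", and brackets a schema conversion with maintenance mode the way fahadshery's three commands do. It assumes the guide's occ path and the www user; OCC_PATH and OCC_USER override them (for instance for the apache24 path above), and OCC_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the guide or the thread. Assumed defaults (from the
# guide): occ lives at /usr/local/www/nextcloud/occ and the web server runs
# as "www". Override with OCC_PATH / OCC_USER for other layouts, e.g. the
# /usr/local/www/apache24/data/nextcloud/occ path used in one post above.
OCC_PATH="${OCC_PATH:-/usr/local/www/nextcloud/occ}"
OCC_USER="${OCC_USER:-www}"

# occ_translate 'sudo -u www-data php occ db:convert-filecache-bigint'
# prints: su -m www -c 'php /usr/local/www/nextcloud/occ db:convert-filecache-bigint'
# The optional "sudo -u <user>" prefix and the bare "occ" / "./occ" are dropped
# and replaced by the FreeBSD user and the full occ path.
occ_translate() {
    # The whole occ argument list goes inside single quotes for su -c, so a
    # single quote in the input would break out of them; refuse it instead.
    case "$1" in *\'*) printf 'refusing input containing a single quote\n' >&2; return 1 ;; esac
    args=$(printf '%s' "$1" |
        sed -E 's/^[[:space:]]*(sudo[[:space:]]+-u[[:space:]]+[^[:space:]]+[[:space:]]+)?php[[:space:]]+(\.\/)?occ[[:space:]]*//')
    if [ -n "$args" ]; then
        printf "su -m %s -c 'php %s %s'" "$OCC_USER" "$OCC_PATH" "$args"
    else
        printf "su -m %s -c 'php %s'" "$OCC_USER" "$OCC_PATH"
    fi
}

# Run one occ subcommand as the web-server user. With OCC_DRY_RUN=1 the
# translated command is printed instead of executed.
occ_run() {
    if [ "${OCC_DRY_RUN:-0}" = 1 ]; then
        occ_translate "php occ $*" || return 1
        printf '\n'
        return 0
    fi
    su -m "$OCC_USER" -c "php $OCC_PATH $*"
}

# Schema changes such as db:convert-filecache-bigint should not race live
# writes, so switch maintenance mode on first and back off afterwards, even
# when the conversion itself fails.
occ_with_maintenance() {
    occ_run maintenance:mode --on || return 1
    occ_run "$@"; rc=$?
    occ_run maintenance:mode --off
    return $rc
}
```

Source the file in the jail and call, for example, occ_with_maintenance db:convert-filecache-bigint; run it once with OCC_DRY_RUN=1 first to see exactly what will be executed.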

G8One2

Patron
Joined
Jan 2, 2017
Messages
248
The website actually has a plug-in app for the OCC commands. I just use that. It's called OCC web. You can search for it in the apps tab and install it.

baztardo.snow

Dabbler
Joined
May 8, 2020
Messages
38
Hi all,

Not sure if this is the right spot for this, but recently I went through the process of standing up a NextCloud instance, and found that there were a number of points of difficulty not addressed in the current guides. Specifically, this includes how to properly secure the web server, including proper SSL configuration, php handling and tamper detection. Additionally, I found that many of the current guides on the matter were essentially a list of steps with little to no explanation of what was happening at each stage, so I've put together a guide on the installation and configuration of Nextcloud with the aim of being as complete as possible to make this guide accessible as a learning resource for complete beginners.

I'm by no means an expert, and wrote this in the process of learning it, so if you find any inaccurate information, or you have feedback/suggestions, or questions, just leave a comment below!

The Guide: https://www.samueldowling.com/2018/...n-freenas-iocage-jail-with-hardened-security/

18/12/2018: The latest branch of the FreeBSD repository now ships with Nextcloud 15. I've run through the installation process and made a couple of minor caching modifications to ensure compatibility. My brief test showed everything working as expected.

I tried to follow your guide, but as of today and version FreeNAS-11.3-U2.1 I get this error and can't proceed <sigh>

There's a lot in FreeNAS that has changed, and it makes following the guide difficult. This isn't your fault, but FreeNAS keeps changing so much stuff that it breaks a lot of guides out there; it's very frustrating...

root@freenas[/mnt/NAS1/steve]# iocage fstab -a nextcloud /mnt/NAS1/cloud /mnt/data nullfs rw 0 0
Destination: /mnt/SSD/iocage/jails/nextcloud/root/mnt/data does not exist or is not a directory.
root@freenas[/mnt/NAS1/steve]#

Is there a way to fix this? Did I miss something in trying to make it work? I would greatly appreciate any help.

fahadshery

Contributor
Joined
Sep 29, 2017
Messages
179
If you look closely, the error is (or should be) easy to fix.
root@freenas[/mnt/NAS1/steve]# iocage fstab -a nextcloud /mnt/NAS1/cloud /mnt/data nullfs rw 0 0
Destination: /mnt/SSD/iocage/jails/nextcloud/root/mnt/data does not exist or is not a directory.

If you were following my guide, then this address, /mnt/SSD/iocage/jails/nextcloud/root/mnt/data, is my local mounted storage address. Yours will be different. Make sure you check your storage path and it should be OK afterwards.
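A short POSIX sh pre-flight check, added as an example (it is not from the guide or from anyone in this thread), that makes the failure above reproducible: iocage resolves the destination of an fstab entry relative to the jail's root filesystem, so with an iocage root of /mnt/SSD/iocage (the path in the quoted error) and a destination of /mnt/data it must find /mnt/SSD/iocage/jails/nextcloud/root/mnt/data on the host before the entry can be added. The helper computes that host path, checks that both sides exist, and only then calls iocage fstab -a. The iocage root is passed in explicitly rather than discovered, which is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the guide or the thread. iocage requires
# <iocage root>/jails/<jail>/root<destination> to exist before it adds a
# nullfs mount; when it does not, you get the "does not exist or is not a
# directory" error quoted in this thread. The iocage root (e.g. /mnt/SSD/iocage)
# is an input here; adjust it to your own pool.

# jail_mount_dest /mnt/SSD/iocage nextcloud /mnt/data
#   -> /mnt/SSD/iocage/jails/nextcloud/root/mnt/data
jail_mount_dest() {
    iocage_root=${1%/}; jail=$2; dest=$3
    case "$dest" in
        /*) ;;
        *) printf 'destination %s must be an absolute path inside the jail\n' "$dest" >&2; return 1 ;;
    esac
    printf '%s/jails/%s/root%s' "$iocage_root" "$jail" "$dest"
}

# Return 0 only when the host source and the in-jail destination both exist
# as directories; otherwise say which one is missing and how to create it.
# Arguments: <source> <iocage root> <jail> <destination>
fstab_preflight() {
    src=$1; jail=$3; dest=$4
    hostdest=$(jail_mount_dest "$2" "$jail" "$dest") || return 1
    ok=0
    if [ ! -d "$src" ]; then
        printf 'source %s is not a directory\n' "$src" >&2; ok=1
    fi
    if [ ! -d "$hostdest" ]; then
        printf 'destination %s is missing; create it first, e.g. mkdir -p %s\n' \
            "$hostdest" "$hostdest" >&2
        ok=1
    fi
    return $ok
}

# Same argument order as fstab_preflight; runs the thread's iocage command
# (nullfs, read-write) only after the check passes.
fstab_add() {
    fstab_preflight "$1" "$2" "$3" "$4" || return 1
    iocage fstab -a "$3" "$1" "$4" nullfs rw 0 0
}
```

On the FreeNAS host the call matching the thread would be fstab_add /mnt/NAS1/cloud /mnt/SSD/iocage nextcloud /mnt/data.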

fahadshery

Contributor
Joined
Sep 29, 2017
Messages
179
For you, the path /mnt/SSD/iocage/jails/nextcloud/root/mnt/data simply doesn't exist....

baztardo.snow

Dabbler
Joined
May 8, 2020
Messages
38
This part does exist: /mnt/SSD/iocage/jails/nextcloud/root. I posted a picture of my drive pool.

Attachment: freenas-nextcloud.png

baztardo.snow

Dabbler
Joined
May 8, 2020
Messages
38
If I try to add /mnt/SSD/iocage/jails/nextcloud/root/mnt to ROOT it says it already exists and I get an error..

fahadshery

Contributor
Joined
Sep 29, 2017
Messages
179
But your error status is: Destination: /mnt/SSD/iocage/jails/nextcloud/root/mnt/data
Do you have root/mnt/data? How have you mapped your external storage to jail storage?

baztardo.snow

Dabbler
Joined
May 8, 2020
Messages
38
Here's a pic

Attachment: nexcloud1.png

baztardo.snow

Dabbler
Joined
May 8, 2020
Messages
38
It says /ROOT/mnt is there even though the pool doesn't show it.