Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
mkdir -p "${POOL_PATH}"/iocage/jails/${JAIL_NAME}/root/var/db/portsnap
There's been some inconsistency in how iocage presents its path to the filesystem, and in at least some cases it has used /mnt/iocage/... I recall some discussion of how to determine that mountpoint programmatically, and I thought I'd implemented it in one of my scripts, but I'm not finding it at the moment. I don't like this fix because it will fail if the jails are on a different pool than the main storage pool (as they are in my main system). I'll have to see if I can find that discussion.

Edit: Found it:

This change should be pushed out to the repo now.
 

danb35

@InGenetic, I don't do support by PM, I haven't made a video, and I don't intend to. But if you have questions about this script, this is the place to post them.
 

ykhodo

Explorer
Joined
Oct 19, 2017
Messages
52
@danb35 I'm on 11.2-RELEASE-p15 and nextcloud 16/postgres 10. Is there a recommended upgrade process or post you can direct me to? Last time I tried to upgrade via `pkg upgrade` my jail was DOA.
 

beltet

Dabbler
Joined
Sep 24, 2013
Messages
26
Hi!
I'm trying to run the script, but have some problem with assigning an IP address. I want to use DHCP from my router and set a static IP from there. Because when the clients set their own IP the router blocks the traffic somehow. What shall I set in the config file to get IP from the DHCP server?
 

danb35

At this time, the script doesn't support using DHCP for the jail. It should be a pretty straightforward change to make, but right now you'd need to edit the script itself. Though if your router can't handle devices with static IP addresses, it sounds like that's the problem you need to be tracking down.
 

beltet

> At this time, the script doesn't support using DHCP for the jail. It should be a pretty straightforward change to make, but right now you'd need to edit the script itself. Though if your router can't handle devices with static IP addresses, it sounds like that's the problem you need to be tracking down.

Yeah I know. But I like to configure all my clients through the router. I will check out that later on. But it worked when I edited the JAIL_IP to "DHCP". So now it gets the IP from DHCP on the router.

But I have another problem now. I tested to connect to Nextcloud through internal IP (checked in jail with ifconfig). But can't connect to it?
I had to restart the jail after the script ran. Do you need to start some services after a jail restart?
And is Caddy the package that updates the Cloudflare DNS? Because that does not seem to work either.

EDIT: Thanks for the fast reply!!!
 

danb35

> I tested to connect to Nextcloud through internal IP (checked in jail with ifconfig). But can't connect to it?

That's to be expected; this isn't supported. You need to connect using the hostname.

> Do you need to start some services after a jail restart?

That shouldn't be necessary.

> And is Caddy the package that updates the Cloudflare DNS?

Caddy only updates the TXT records necessary to issue a certificate from Let's Encrypt. Any other updates would need to be done by a different method.
 

Pctravel

Dabbler
Joined
Aug 11, 2018
Messages
26
First thanks so much for this script, it made this very simple. I am not skilled clearly in coding but have learned a lot. I never would have gotten to this point without the script. I have an issue with the final step but let me summarize. I upgraded to 11.3 and decided to rerun a brand new install script to create my new jail with the updated DB, jail version, etc. The script ran perfectly, I can access my Nextcloud, login as admin, set my users and save files with the browser "not secure" message.

The last step "iocage exec nextcloud /root/remove-staging.sh" fails with "/bin/sh: /root/remove-staging.sh: Permission denied" I have this option in my Config: STANDALONE_CERT=1. I assume this may be causing an issue as well, I am using my same domain I used previously where I used an earlier script and that install worked fine. I'm assuming that because of that cert it prevented or blocked this install??? I appreciate any assistance. I have my old files from the previous install in a different folder if I need to move some certs??
 

danb35

> "/bin/sh: /root/remove-staging.sh: Permission denied"

It looks like I didn't set that script to executable--I thought I'd done that long ago, but maybe I missed it, or maybe something's happened since then to change it. In any event, you can get a trusted cert by running the following commands:
Code:
iocage console nextcloud
nano /usr/local/www/Caddyfile

The top of that file will look like this:
Code:
yourhostnamehere JAIL-IP {

    root   /usr/local/www/nextcloud
    log    /var/log/nextcloud_access.log
    errors /var/log/nextcloud_errors.log

    tls {
        ca https://acme-staging-v02.api.letsencrypt.org/directory
    }

    fastcgi / 127.0.0.1:9000 php {
        env PATH /bin
        env modHeadersAvailable true
        env front_controller_active true


In the tls{ } block, remove -staging from the ca line, so it looks like this:
Code:
        ca https://acme-v02.api.letsencrypt.org/directory

Then save the file, and run `service caddy restart`.
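
The edit described in the post above, as an added shell example that is not part of the original post and is not the project's remove-staging.sh. The function name `switch_to_production_ca`, the `.bak` backup and the sample hostname and IP are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the project's remove-staging.sh): point a Caddyfile's
# "ca" directive at Let's Encrypt production instead of staging.
STAGING_CA="https://acme-staging-v02.api.letsencrypt.org/directory"
PROD_CA="https://acme-v02.api.letsencrypt.org/directory"

# Hypothetical helper. Returns 0 = rewritten (original kept as <file>.bak),
# 1 = file unreadable or write failed, 2 = no staging "ca" line, file untouched.
switch_to_production_ca() {
    caddyfile="$1"
    [ -r "$caddyfile" ] || return 1
    tmp="${caddyfile}.new.$$"
    rc=0
    # Rewrite only lines whose directive is exactly "ca <staging URL>",
    # keeping the original indentation; awk exits 2 if nothing matched.
    awk -v old="$STAGING_CA" -v new="$PROD_CA" '
        $1 == "ca" && $2 == old {
            i = index($0, old)
            $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
            changed = 1
        }
        { print }
        END { exit (changed ? 0 : 2) }
    ' "$caddyfile" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # cat into the existing file so its owner and mode are preserved.
        { cp -p "$caddyfile" "${caddyfile}.bak" && cat "$tmp" > "$caddyfile"; } || rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample input, modelled on the excerpt in the post above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Caddyfile" <<'EOF'
example.invalid 192.0.2.10 {
    tls {
        ca https://acme-staging-v02.api.letsencrypt.org/directory
    }
}
EOF
switch_to_production_ca "$demo_dir/Caddyfile" && grep -n 'ca ' "$demo_dir/Caddyfile"
```

Inside the jail the argument would be /usr/local/www/Caddyfile, followed by `service caddy restart` as in the post.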
 

beltet

> That's to be expected; this isn't supported. You need to connect using the hostname.

Aaah Ok! Isn't it supported because of firewall rules? Then I maybe can dive in later and try to change them? Or is it something else? I skimmed the firewall rules very fast and could not see something that would hinder it.
Would it not be faster to just transfer files through your own network than routing the traffic over the internet? I'm sorry if these are n00b questions. But I'm totally new to nextcloud.

> That shouldn't be necessary.

Ok. Great, thanks!

> Caddy only updates the TXT records necessary to issue a certificate from Let's Encrypt. Any other updates would need to be done by a different method.

OK. Seems that my router does not support Cloudflare with the built in functions of it. Saw that ddclient was a method to use. Do you have any recommendation? Otherwise I find my own way.

And again! Thanks for the support! And the time you spend on this!
 

danb35

> Isn't it supported because of firewall rules?

No, it isn't supported for two different reasons:
  • You'll always have a certificate error if you're browsing to an IP address, because that IP address isn't on your certificate
  • Caddy is configured to serve the site based on its FQDN, not its IP address
The preferred way to do this is for the jail's FQDN to resolve to the internal IP address of your jail. If your router doesn't suck, you can configure this there.

> Saw that ddclient was a method to use. Do you have any recommendation?

I'm afraid not--I have a static IP address, so haven't needed to mess with dynamic DNS for several years. But it looks like pfSense can handle this, and will also make short work of the local DNS issue I raised above:
 
Joined
Jan 4, 2014
Messages
1,644

danb35

> DNS-O-Matic worked well for me.

...and is supported by the DDNS service in FreeNAS, IIRC.

Edit: but IMO, this is something that should be handled by the edge device--like pfSense.
 

beltet

> No, it isn't supported for two different reasons:
>   • You'll always have a certificate error if you're browsing to an IP address, because that IP address isn't on your certificate
>   • Caddy is configured to serve the site based on its FQDN, not its IP address
> The preferred way to do this is for the jail's FQDN to resolve to the internal IP address of your jail. If your router doesn't suck, you can configure this there.

Great. Thanks for the explanation. I don't really care about the certificate problem in my own network. But I found out that you could link your datasets to the jail and import them through an application in Nextcloud. So I did that instead. Much better solution for me, did not know that before.

And if I wanted to add another host to my nextcloud server (my provider had a sale and I grabbed another one, for the "good to have"). I would do that in Caddy right? Can you point me in some direction where to read up on it? I'm not afraid to learn myself, but I'm not certain in what direction I should go... Or maybe you made a script for that as well?

> I'm afraid not--I have a static IP address, so haven't needed to mess with dynamic DNS for several years. But it looks like pfSense can handle this, and will also make short work of the local DNS issue I raised above:

Great! Thanks. I have now found out that my router also supports DNS-o-Matic but the DNS recording have been a real hassle to set up for me. Maybe I will later on also opt out for a static IP. But I haven't looked up that option yet. It seems to be working atm so that's great.

And if you could point me out how to add another host I would really appreciate it. That's the negative thing about using a script. You are not aware how it is built as you did not do it yourself.

And again! Thanks for this wonderful script! And thank you for the support! You are a hero!
 

danb35

> And if I wanted to add another host to my nextcloud server, I would do that in Caddy right?

I'm not quite sure what you're wanting to do here--could you explain a bit more?
 

profzelonka

Explorer
Joined
Mar 29, 2020
Messages
67
What do I do if I change the nextcloud domain? Should I be rerunning something? How about SSL certification?
 

danb35

> What do I do if I change the nextcloud domain?

You'd need to change the hostname in the Caddyfile and restart Caddy, which would take care of the certificates. You'd also need to change the "trusted domains" setting in Nextcloud's config, which you can do either by editing config.php directly, or using the occ command--the script demonstrates the latter near the end.
 

norskman

Contributor
Joined
Sep 28, 2012
Messages
149
I used your script - brilliant.

I now want to add my SSL certificates.
I have created my ssl certs and received back signed files from my ssl certificate provider.

Where do I add them? Which files need editing? I can't seem to find notes on which files are in use based on your script.
 

danb35

> I now want to add my SSL certificates.

Was there a reason you didn't just use the built-in Let's Encrypt support? And given that you didn't, did you install using the NO_CERT or SELFSIGNED_CERT option?
 