Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

[NasKar]

My setup is using DNS-o-Matic on my pfsense router, cloudflare for DNS and freenom domain in a Virtual box for testing. FN 11.3U1

Ran the script and got these errors with fstab

Code:

Destination: /mnt/v1/iocage/jails/nextcloudDNS/root/usr/ports does not exist or is not a directory.
 Successfully added mount to nextcloudDNS's fstab
 Successfully added mount to nextcloudDNS's fstab
 Malformed fstab at line 0: '\t/mnt/v1/iocage/jails/nextcloudDNS/root/usr/local/www/nextcloud/config\tnullfs\trw\t0\t0'
 Successfully added mount to nextcloudDNS's fstab
 Successfully added mount to nextcloudDNS's fstab

My config file

Code:

JAIL_IP="192.168.5.81"
DEFAULT_GW_IP="192.168.5.1"
POOL_PATH="/mnt/v1"
TIME_ZONE="America/New_York"
HOST_NAME="mydomain.ml"
DNS_CERT=1
CERT_EMAIL="******@gmail.com"
DNS_PLUGIN="cloudflare"
DNS_ENV="CLOUDFLARE_EMAIL=******@gmail.com CLOUDFLARE_API_KEY=*****************"
JAIL_NAME="nextcloudDNS"
DB=db
FILES=files
PORTS=portsnap
DATABASE="mariadb"
INTERFACE="vnet0"
VNET="on"

When I run https://mydomain.ml/nextcloud on my cell network I get a nextcloud screen with the Access through untrusted domain error and https://myjailip/nextcloud on my computer I get this site can't be reached.

 

[Basil Hendroff]

DB=db
FILES=files
PORTS=portsnap

These lines look a bit strange to me. This is what I have in my config file.

DB_PATH="/mnt/tank/nextcloud/db"
FILES_PATH="/mnt/tank/nextcloud/files"
PORTS_PATH="/mnt/tank/nextcloud/portsnap"

 

[Basil Hendroff]

(though he inexplicably included a link to the FreeNAS docs, when the "local hosts file" you need to edit is on the computer you're using to (try to) access your jail)

I'll be the first to admit I don't fully understand this stuff. It's possible I led @mistermanko and @ornias astray by suggesting that the local hosts file on the FreeNAS server with the Nextcloud jail, rather than the computer being used, needed to be edited. Apologies to both.

I can't speak for Fritzbox, but this link (https://en.avm.de/service/fritzbox/...63_No-DNS-resolution-of-private-IP-addresses/) indicates there may be a way to do it there as well.

In my humble opinion, the issue for the Fritz!Box is that I don't believe it's possible to configure it to make the association between the domain name and the IP address in the first place. The DNS rebind protection article you've referred to is about suppressing that association in a DNS response. To get around this limitation on the Fritz!Box, I use DNSMasq for local DNS queries so I don't have to edit the local hosts file.

 

[mistermanko]

I led @mistermanko and @ornias astray by suggesting that the local hosts file on the FreeNAS server with the Nextcloud jail, rather than the computer being used, needed to be edited. Apologies to both.

Hey @Basil Hendroff , no worries, we're all still learning this stuff. Besides, you pointed me to the crucial part of my setup: my Fritz!Box. After further investigation, AVM and many more forum users across the internet are suggesting to use the myfritz.net DynDNS service to forward to local HTTP sites.

As for the DNS Rebind Protection suggested by @danb35, this also is mandatory for hosting behind a Fritz!Box, as I found out. And I already added mydomain.de there.

I see 0 enabled, are you sure the forward is enabled?

I rechecked the forwarding in my router, and yes it is enabled. Any way to confirm that over the jail shell? pinging and nslookup and stuff is working inside the jail shell.
Just like in Basils screenshot, this is exactly how the port forwarding looks in my router.

0 enabled refers to a function inside the Fritz!Box which opens all ports to the internet, totally not recommend for obvious reasons.

All thought in simple terms: I instructed cloudflare to direct mydomain.de to my public IP adress given to me by my ISP. Now I need to instruct my IAD (Fritz!Box) to direct traffic over ports 80 and 443 via my public IP to my local IP of the nextcloud jail. Unfortunately this not possible with Fritz!Box it seems. As mentioned before, I'm now investigating a way to get the jail working together with the myfritz.net DDNS service provided with my Fritz!Box.

 

[dimitrow]

Anybody?

Hello ,

First of all -Thanks to @danb35 for the script!

I did everything as described in the description, but encountered a strange problem.

After the installation was successful, I tried to open NextCloud, but instead of the NC interface page - its loading the Freenas login page.

This is the content of the nextcloud-config file:

Code:

JAIL_IP="10.10.1.12"
DEFAULT_GW_IP="10.10.1.1"
POOL_PATH="/mnt/tank"
TIME_ZONE="Europe/Sofia"
HOST_NAME="cloud.betaone.eu"
STANDALONE_CERT=1
CERT_EMAIL="v.dimitrow@gmail.com"
INTERFACE="em0"
VNET="off"

No matter if I try to open the domain or the local IP of the jail where the NC is located - the result is the same :( Any suggestions?

View attachment 36545

 

[danb35]

instead of the NC interface page - its loading the Freenas login page.

That's a pretty common result when you aren't using VNET--why aren't you?

 

[dimitrow]

That's a pretty common result when you aren't using VNET--why aren't you?

Thanks for reply.
I don't use VNET since I have two NICs that are in two different subnets (10.10.0.1 - LAN and 10.10.1.1 - DMZ). I chose a specific interface (em0) to which the cable to the DMZ subnet is attached.

 

[ornias]

He hasn't even addressed your point, and you've completely misunderstood Basil's recommendation (though he inexplicably included a link to the FreeNAS docs, when the "local hosts file" you need to edit is on the computer you're using to (try to) access your jail).

Which is completely not needed at all for this type of config to work.

The recommendation is odd too, if the DNS request returns the router WAN IP, just reroutes within LAN anyway... Just it does so via the router, but shouldn;t be much of an issue.

You should have read my guide more carefully; this has been in there since day 1. Not as a "requirement", it's true, but as a strong recommendation.

Why a personal attack when you yourself admit it's not a requirement for letsencrypt to work?

He hasn't even addressed your point...

Indeed I didn't... At least it wasn't meant to make his point indeed...

Anyway:
The pointI was trying to make was:
It is not NEEDED (aka a REQUIREMENT) to do this for letsencrypt to work. Like "Not needed at all", I myself do reroute internal traffic internally using DNS, but it has nothing to do at all with Letsencrypt issues.

 

[danb35]

Which is completely not needed at all for this type of config to work.

The FQDN needs to go to the jail, and the jail needs to be accessed by the FQDN. The simplest way, in my experience, to make this happen is on the DNS side.

if the DNS request returns the router WAN IP, just reroutes within LAN anyway... Just it does so via the router, but shouldn;t be much of an issue.

...as long as the router supports hairpin NAT, which is its own set of issues, and means a lot more things need to work in order to access the jail from your LAN. It also means that you'll be unable to access the jail at all unless you open it to the world, which many people won't want to do--which is the whole reason I've spent so much energy on DNS validation.

Why a personal attack

In what way was that a personal attack? I've always recommended this configuration (though as I review it, I don't think that recommendation is as clear as it should be). Your apparent surprise at that, combined with your demonstrably-false statement that "that's not how DNS works", made it look like, well, you hadn't read my guide very carefully.

It is not NEEDED (aka a REQUIREMENT) to do this for letsencrypt to work.

Fair enough. What is required is that the FQDN you assign to the jail actually point to the jail. What I recommend is that you do this by way of name resolution (a DNS host override in your router, or the local hosts file on your client computer if your router is too brain-dead to do this) to point that FQDN to the LAN IP of your jail.

 

[ornias]

Considering you seem to have the time/energy to have this negative attitude towards me, but do not seem to care enough about your projects to even evaluate my submitted PR's and the recent significant bugs. I'm out and I suggest others reevaluate their options.

 

[dimitrow]

Guys, you don't have to argue about such things.
Can any of those who understand here pay attention to me, I really need help.
Thanks in advance :)

 

[danb35]

I'm out

Make your own decisions; I'll leave to other readers to decide whether I've shown a negative attitude toward you.

even evaluate my submitted PR's

Clearly the only possible reason that I haven't addressed your most recent PR (despite having reviewed and merged your others) is apathy or some imagined negative attitude toward you. Heaven forbid that I have other things going on in my life.

 

[tebra]

Hi all,
thanks again for this installation script.
I want to make a backup of db files and portsnap directories before upgrade my nextcloud jail. But these directoies ends in my main/root pool and not to a sub-pool. Is it possible to move these directories to a sub-pool without breaking nextcloud ?

 

[dimitrow]

Can I modify the network settings, after install the NextCloud by this script?

 

[Basil Hendroff]

db files and portsnap directories

You do mean db, files and portsnap datasets?

But these directoies ends in my main/root pool and not to a sub-pool. Is it possible to move these directories to a sub-pool without breaking nextcloud ?

Sub-pool? You mean parent dataset? eg. instead of pool/db, you would like something like pool/nextcloud/db?

I want to make a backup of db files and portsnap directories before upgrade my nextcloud jail.

Ideally, you should have a backup already of these datasets before considering moving them.

 

[tebra]

Sub-pool? You mean parent dataset? eg. instead of pool/db, you would like something like pool/nextcloud/db?

Yes exactly

 

[rio236]

I installed the script on 11.3-U1
and I'm getting the following error after realizing that nextcloud was not started:

[root@fn ~]# iocage exec nextcloud service nextcloud start
nextcloud does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
Command: service nextcloud start failed!

What does this mean and how do I get nextcloud working?

Thanks for your help!

 

[Basil Hendroff]

@rio236 Please show us your config file (see post #1201 above for an example).

 

[Basil Hendroff]

@tebra Relatively easy to do, but if you proceed without a backup, you do so at your own risk.

Outline of the steps:

1. Create the parent dataset.
2. Stop the Nextcloud jail.
3. From the CLI, use zfs rename to move the db, files and portsnap datasets under the parent dataset (This thread will be helpful).
4. Alter the mount points for the Nextcloud jail to reflect the change to nested datasets.
5. Restart the Nextcloud jail.

Apart from step #3, all other steps can be accomplished using the GUI.

 

[danb35]

realizing that nextcloud was not started:

What made you "realize" this?

service nextcloud start

There is no service called nextcloud, so this wouldn't be expected to work.