
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Pretty much. I'm working on getting it working with Caddy v2, which is what you're going to need to get a DNS cert. As an interim measure, you could use a self-signed cert instead. Otherwise, you can join in trying to track down and fix the issues with the caddyv2 branch of the script.

I just pushed a commit that will make it "work" with DNS validation, though right now only with Cloudflare. "Work" is in quotes because there's something in the Caddyfile that keeps caddy from starting automatically when the jail starts--but you can start it manually from the command line, and from there it seems to work. There's still more to be done, and I remain less than happy with just including the compiled binary in my repo, but I'm making progress.

Edit: If you want to play with this branch, run git clone -b caddyv2 https://github.com/danb35/freenas-iocage-nextcloud.

Edit 2: Looks like it's actually in the rc script. Basil has tracked it down, now it seems it's just a matter of adding logging to that script.

Edit 3: Logging is added, and the rc script is working for me.

Edit 4: I've updated the script to build Caddy from source and include the specified DNS plugin. At this point, the only DNS host I've tested is Cloudflare. But it seems to be working so far.
Joined
Jan 4, 2014
Messages
1,644
Extract from the current README.md:
DB_PATH, FILES_PATH, CONFIG_PATH, THEMES_PATH and PORTS_PATH: These are the paths to your database files, your data files, Nextcloud config files, theme files and the FreeBSD Ports collection. They default to $POOL_PATH/nextcloud/db, $POOL_PATH/nextcloud/files, $POOL_PATH/nextcloud/config, $POOL_PATH/nextcloud/themes and $POOL_PATH/portsnap, respectively.

I'm curious to understand your rationale for not having portsnap as a nested directory of the nextcloud root by default?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I'm curious to understand your rationale for not having portsnap as a nested directory of the nextcloud root by default?
Well, first, at the moment, the script doesn't use ports at all. But second, the ports tree can easily be shared among multiple jails, so it made more sense to leave it separate.

xames

Patron
Joined
Jun 1, 2020
Messages
235
How could I resolve that?

RELEASE: 12.1-RELEASE not found!
Failed to create jail

thanks.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
How could I resolve that?
You could start by telling me which version of FreeNAS or TrueNAS you're using, which version of the script you're using, and at least a few lines of context surrounding that message. I just tested the master branch to install fine on TrueNAS 12.0-BETA1; the caddyv2 branch works fine for me and others under 11.3-U3.2, and I'm installing it now under 12.0-BETA1 without apparent problems so far.

Edit: As expected, the caddyv2 branch installed fine under 12.0-BETA1 as well. Strongly suspect a problem in your FreeNAS network configuration, in particular its ability to reach the Internet.

xames

Patron
Joined
Jun 1, 2020
Messages
235
I run TrueNAS-12.0-BETA, and I downloaded the script 3 days ago and put some things in the config with the same settings as my last good config, but without DNS Cloudflare because it's not implemented in the default GitHub script, but it shows this release message after running the script. My TrueNAS is resolving pings on the internet, but I'll check that; perhaps I'll find something, thanks.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
without dns because no implemented yet,
Well, that's going to be a problem. Your FreeNAS server (and the jail you'll be creating) need to be able to access the Internet, including DNS resolution, in order for this script to work.

xames

Patron
Joined
Jun 1, 2020
Messages
235
Sorry, I resolved it only by deleting the previously downloaded RELEASE 12.1 dataset; it could have been corrupted, I don't know why. Thanks.

Is caddyv2 in the script, or is it a separate command?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
caddyv2 is a different branch of the script which I haven't yet merged into the master branch--it's in testing. But it's looking pretty much ready to release; I'll probably do that in a day or two.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
OK, "in a day or two" was now--this is now released as master. Some of the more-significant changes:
  • Obviously, it's using Caddy v2 rather than v1. To make that work, the script compiles Caddy for you in the jail.
  • A number of miscellaneous bugs have been fixed.
  • DNS validation support has changed significantly. At this time, the only "supported" DNS host (in that I know much of anything about using it) is Cloudflare. Caddy also has a plugin for DNSpod (which I believe is used in China) and AWS Route53. I suspect, but can't test, that DNSpod will work in the same way as Cloudflare. Route53 will require manual edits to the Caddyfile. Other DNS provider plugins will no doubt be added over time; I may update the README to discuss them. There's also a "lego_deprecated" plugin which incorporates all the previous DNS validation plugins. It depends on environment variables to work, and right now I'm not seeing a way to pass those to Caddy.
  • This installation of Nextcloud should work behind a reverse proxy with or without TLS. My own testing has been limited, but behind HAProxy on a OPNsense router, it worked as expected.
  • Updates to the README describe enabling HSTS, DNS validation, and use behind a reverse proxy.
  • And though this isn't directly tied to Caddy v2, I've recently learned of the "script" command, which will let you log all the output of the script. It's now documented in the README, but to invoke the script, run script nextcloud.log ./nextcloud-jail.sh. On completion, the nextcloud.log file will contain all the script output.
Joined
Jan 4, 2014
Messages
1,644
Well, a major milestone reached. It's great to see the NextCloud resource fully active again and one of the first, if not the first, real example of Caddy V2 in action, and available on a community level, in the FreeNAS/FreeBSD environments. Congratulations!

IronRobi

Explorer
Joined
Apr 15, 2016
Messages
52
@danb35 I'm having what appears to be a certificate issue while trying to get this setup.

I'm using a subdomain setup on cloudflare with dnsomatic updating the IP. I've already got port 443 opened to another system in my router so I'm trying to set this up using forwarding from an external port of 8443 to port 443 of my nextcloud jail.

When trying to access nextcloud through the web address I get the following error:


And when I try browsing to the IP address of the jail I get:


I'm noticing, browsing back through the setup script output, that I'm getting this message


I'm not sure if it's related, but everything else looks like it completes fine.

Here's what my nextcloud-config file looks like


EDIT: Here's the output from caddy.log


When I do a test through ssllabs.com all tests return "Failed to communicate with the secure server"

Any thoughts?
Just gave the new version a try. Install completes, but still can't reach nextcloud.

Trying with the domain I get:
SSL_ERROR_NO_CYPHER_OVERLAP.

Using internal IP I just get an unable to connect error.

SSLlabs fails with a "failed to communicate with the secure server".

EDIT: service caddy status returns "caddy is not running". service caddy start does nothing.

Port forwarding on the router is set to forward port 8443 to the nextcloud server port 443

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
OK, "in a day or two" was now--this is now released as master
Very impressive. Will you update the caddy reverse proxy thread with new directions as well? Is there an advantage to using PFSense as my reverse proxy instead? If so I will look into it.

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
Very impressive. Will you update the caddy reverse proxy thread with new directions as well? Is there an advantage to using PFSense as my reverse proxy instead? If so I will look into it.

If you have a pfSense box you might want to use it. The ACME wildcard cert in conjunction with SSL termination in HAProxy is great security at your firewall that allows you to have a backend for every single jail or server you can imagine. So it solves the entire issue for everything, not just Nextcloud. This solution with Caddy v2, for now, is for people not so lucky to have this option, in my view. pfSense is designed for this. I also will not even waste time on Caddy any more after this last go-around and endless time spent not getting results that are easily done on a larger scale with pfSense, which is supported and stable. Check out the YouTube video at the bottom and another link that goes over this solution. It will get this done in minutes if you just watch and follow: https://www.ixsystems.com/community/threads/secure-my-nextcloud-server-with-https.84975/#post-599792.


danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
EDIT: service caddy status returns "caddy is not running". service caddy start does nothing.
What's in /var/log/caddy.log?
Will you update the caddy reverse proxy thread with new directions as well?
That's going to need a complete rewrite too--fortunately Basil has done most of the work of putting it into a script
Is there an advantage to using PFSense as my reverse proxy instead? If so I will look into it.
If you're using pfSense or OPNsense as your router, putting the reverse proxy there makes more sense, IMO, than forwarding ports to a jail on your FreeNAS box where you'd run other reverse proxy software. This really seems like a job for the edge device.
This solution with caddy v2 for now , is for people not so lucky to have this option in my view
Your view is significantly misinformed.
Pfsense is designed for this.
pfSense is designed to be a general purpose web server? That's news to me.

IronRobi

Explorer
Joined
Apr 15, 2016
Messages
52
What's in /var/log/caddy.log?
{"level":"info","ts":1596234070.145848,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /usr/local/www/Caddyfile:21 - Error during parsing: missing API token
start: caddy process exited with error: exit status 1

My config file does have CLOUDFLARE_API_KEY=MYKEYHERE

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
My config file does have CLOUDFLARE_API_KEY=MYKEYHERE
That's your problem; review the README again. Caddy v2 uses API tokens, not the global API key.
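As an added example (not code from danb35's script or its README), here is a sh pre-flight check that would have caught the config error above before the jail was built: it rejects a legacy CLOUDFLARE_API_KEY (a full-account credential, which the Caddy v2 Cloudflare plugin also refuses with "missing API token"), an empty token, and a value shaped like a global key pasted into the token slot. It assumes the token variable is named DNS_TOKEN; that is a placeholder, and the README names the real one.

```shell
#!/bin/sh
# Added example, not code from danb35's freenas-iocage-nextcloud script.
# Pre-flight check of a nextcloud-config file for the Cloudflare credential
# that Caddy v2's DNS validation needs. Assumptions: the script reads the
# scoped token from a variable named DNS_TOKEN (placeholder name; the README
# is authoritative) and the legacy key from CLOUDFLARE_API_KEY as in the post.

# check_cloudflare_cred <config-file>
# Returns 0 if a plausible scoped token is set, 1 if the legacy global key
# is present, 2 if the token is missing or empty, 3 if the token value looks
# like a global key pasted into the token slot.
check_cloudflare_cred() {
    cfg="$1"
    # The global API key grants access to the whole account; a scoped token
    # only needs DNS edit rights on one zone, and it is what the plugin wants.
    if grep -q '^CLOUDFLARE_API_KEY=' "$cfg"; then
        echo "reject: CLOUDFLARE_API_KEY set in $cfg; Caddy v2 needs a scoped API token" >&2
        return 1
    fi
    # Take the last DNS_TOKEN assignment and strip optional double quotes.
    token=$(sed -n 's/^DNS_TOKEN=//p' "$cfg" | tail -n 1 | sed 's/^"\(.*\)"$/\1/')
    if [ -z "$token" ]; then
        echo "reject: DNS_TOKEN missing or empty in $cfg" >&2
        return 2
    fi
    # Heuristic (assumption): a global key is 37 hex characters, a scoped
    # token is 40 characters from [A-Za-z0-9_-].
    if printf '%s\n' "$token" | grep -Eq '^[0-9a-f]{37}$'; then
        echo "reject: DNS_TOKEN looks like a global API key, not a scoped token" >&2
        return 3
    fi
    return 0
}

# Constructed sample configs with fake values, one per outcome.
SAMPLE_DIR=$(mktemp -d)
printf 'JAIL_NAME="nextcloud"\nCLOUDFLARE_API_KEY=MYKEYHERE\n' > "$SAMPLE_DIR/legacy"
printf 'JAIL_NAME="nextcloud"\nDNS_TOKEN=""\n' > "$SAMPLE_DIR/empty"
printf 'DNS_TOKEN="0123456789abcdef0123456789abcdef01234"\n' > "$SAMPLE_DIR/keyish"
printf 'DNS_TOKEN="ExampleScopedToken_0123456789-abcdefghij"\n' > "$SAMPLE_DIR/good"

for f in legacy empty keyish good; do
    if check_cloudflare_cred "$SAMPLE_DIR/$f"; then
        echo "$f: accepted"
    else
        echo "$f: rejected with status $?"
    fi
done
```

Run it against the real nextcloud-config before invoking nextcloud-jail.sh; a non-zero status means Caddy would fail at "tls" parsing exactly as in the caddy.log above.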

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
What's in /var/log/caddy.log?

That's going to need a complete rewrite too--fortunately Basil has done most of the work of putting it into a script

If you're using pfSense or OPNsense as your router, putting the reverse proxy there makes more sense, IMO, than forwarding ports to a jail on your FreeNAS box where you'd run other reverse proxy software. This really seems like a job for the edge device.

Your view is significantly misinformed.

pfSense is designed to be a general purpose web server? That's news to me.
I know you have an affinity for Caddy and something against nginx or Apache. But you basically agree with me above that it makes more sense to do this in pfSense. So not sure what you're on about. pfSense makes more sense than opening ports etc. or whatever you want to do. And sorry, your push for Caddy is not going to work for everyone. And why would I want to test anything with them after what just happened to Caddy v1? That is your choice, but there is another option that works for people that do have pfSense. If you have it, the packages available that are supported handle this well. Best of luck in your Caddy testing.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
I know you have an affinity for Caddy and something against nginx or Apache.
Once again you demonstrate your ignorance--I have nothing against nginx or apache (or HAProxy or Traefik). But if I can replace a 500+-line config file with one of less than 50 lines, that's pretty nice. If that automatically implements a modern, rational TLS policy, obtains and manages certs, even better.
But you basically agree with me above that it makes more sense to do this in pfsense.
It makes no sense at all to serve Nextcloud (which is what this thread's about) in pfSense. If you're going to point a reverse proxy at your Nextcloud installation (which is, at best, only tangentially related to what this thread's about), and you have a pfSense or OPNsense box, it makes more sense to do that on the router than to spin up a separate Caddy instance to be a reverse proxy. If the only reason for that reverse proxy is to handle TLS termination for one service (Nextcloud) behind it, IMO it makes more sense to dispense with the reverse proxy entirely, forward 80/443 to the jail, and run non-brain-dead software in the jail. Did you confuse this for the "Caddy as a reverse proxy" thread?
And sorry your push for caddy is not going to work for everyone.
It isn't intended to "work for everyone" (and it isn't a "push for Caddy", really--it's what I've decided to do for a couple of guides I've written. Don't like it? Write your own guide, or follow a different one), but I haven't yet seen an example (nor have you) of someone for whom it won't work--though since it's barely been 24 hours since I pushed this to master, I doubt many have tried yet. I can say that I've used Nextcloud, as installed by this script, successfully behind a HAProxy reverse proxy, so I know it can work.
And why would I want to test anythign with them after what just happened to caddyv1.
A valid concern. The transition was managed badly, and at this point it's pure speculation what might happen with Caddy v3, whenever that might be released. One can hope Matt has learned a bit from the experience, and he's certainly got no reason to be changing config syntax willy-nilly.