NextCloud

A quick start guide for setting up a NextCloud server on a Gentoo or Artix Linux server.

For installing NextCloud on Arch Linux you really can't beat the Arch Linux reference. I recommend you follow that instead of what is below.

NextCloud docs

My suggested server minimum specs:

RAM: 8GB
CPU: 4
O/S disk: 30GB
Data disk: As appropriate
Web server: Apache 2.x
PHP: PHP 8.1 (official docs say PHP 8.2 is recommended, but as of 20-03-2024 I can only get 8.1 to work in Gentoo)
Database: PostgreSQL 16 (or the latest supported release)

Gentoo Portage config

Put the following into /etc/portage/make.conf.

USE, FEATURES, CONFIG_PROTECT, etc.
USE="apache apache2 bcmath calendar curl exif fpm freetype ftp gd gmp imap
     intl lvm mysql mysqli odbc opcache pdo postgres soap sockets sodium
     sqlite sysvipc threads truetype xmlreader xmlwriter zip -X"

FEATURES="parallel-fetch strict" 
MAKEOPTS="-j4"
CONFIG_PROTECT="/etc/fstab /etc/bash /etc/conf.d/consolefont /etc/conf.d/hostname /etc/conf.d/domainname"
CURL_SSL="openssl"
LINGUAS="en en_GB"
L10N="en-GB"

Apache modules
APACHE2_MODULES="access_compat \
	actions \
	alias \
	auth_basic \
	authn_core \
	authn_dbm \
	authn_file \
	authz_core \
	authz_dbm \
	authz_host \
	authz_user \
	autoindex \
	cgi \
	cgid \
	dav \
	dav_fs \
	dav_lock \
	dbd \
	deflate \
	dir \
	env \
	expires \
	ext_filter \
	filter \
	headers \
	http2 \
	include \
	info \
	log_config \
	log_forensic \
	logio \
	mime \
	mime_magic \
	negotiation \
	proxy \
	proxy_balancer \
	proxy_connect \
	proxy_fcgi \
	proxy_ftp \
	proxy_html \
	proxy_http \
	proxy_http2 \
	proxy_wstunnel \
	ratelimit \
	remoteip \
	rewrite \
	session \
	session_cookie \
	setenvif \
	slotmem_shm \
	socache_shmcb \
	speling \
	status \
	unique_id \
	unixd \
	userdir \
	vhost_alias \
	xml2enc"

ACCT_USER_APACHE_GROUPS="http"

Install packages

The next commands assume you have a fresh VM with just the base O/S installed. If much of the software is already installed you can re-install it or remove it from the list, as you prefer.

Gentoo

Many of the necessary packages will be installed as dependencies, so I've tried to focus on the main ones that need to be specified.

emerge -va apache apache-tools apr apr-util awk bash bc bind-tools binutils binutils-config binutils-libs bison bzip2 ca-certificates chrony clamav coreutils cpio cronie curl dhcp diffutils e2fsprogs expat file findutils gawk gcc gcc-config gd gdb gdbm gentoolkit gentoo-sources geoip gettext git glib glibc gmp gnupg gnutls grep grub gzip htop hwdata icu iftop imagemagick ipcalc iproute2 iptables iputils logrotate lsof lvm2 mailx make man-db mandoc man-pages mariadb mariadb-connector-c mariadb-connector-odbc memcached mlocate ncurses netkit-fingerd netkit-telnetd net-tools nfs-utils openssh openssl patch pciutils pecl-apcu pecl-imagick pecl-memcached perl perl-cleaner php portage-utils postfix postgresql procmail procps psmisc psutils qemu-guest-agent readline rpcbind rsync sed sqlite subversion app-admin/sudo sysvinit tar tcpdump tmux traceroute ufed unzip util-linux vim wget which whois xz-utils zlib

Artix

The nextcloud-git package in AUR is quite old—version 19.0.0 as of this writing, versus the latest release 27.0.1—so I have steps here to install the package from nextcloud.org.

As your non-root user:

sudo pacman -Sy apache-openrc certbot-apache php-fpm php-gd postgresql-openrc php-pgsql wget libiconv
yay -Sy php82-imagick
sudo cp -av /
sudo mkdir -m 775 -p /var/www/nextcloud
sudo chown http:$(id -g) /var/www/nextcloud
cd /var/www/nextcloud
wget https://download.nextcloud.com/server/installer/setup-nextcloud.php

Edit /etc/php/php.ini and make sure you have extension=iconv active (i.e., the comment symbol removed in column 1).

Configure a web site to point to that directory so you can run that file.

PostgreSQL

Before starting the server you need to establish the directories it needs.

Gentoo

emerge --config dev-db/postgresql:16

Artix

(anything needed?)

Now start Postgres:

Gentoo

/etc/init.d/postgresql-16 start

Artix

/etc/init.d/postgresql start

If it is a new installation then set up the initial configuration:

su - postgres -c "initdb --locale en_GB.UTF-8 -D '/var/lib/postgres/data'"

Then configure the database for NextCloud:

sudo -u postgres psql -hlocalhost -Upostgres
CREATE USER nextcloud WITH PASSWORD '<password>' CREATEDB;
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UTF8';
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
GRANT ALL PRIVILEGES ON SCHEMA public TO nextcloud;

Next create pg_hba.conf with these lines to set the DB access to trust. You will likely find all of these settings already exist as shown below.

Gentoo

# TYPE  DATABASE    USER      ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                        trust
# IPv4 local connections:
host    all         all       127.0.0.1/32     trust
# IPv6 local connections:
host    all         all       ::1/128          trust
# Allow replication connections from localhost
# by a user with the replication privilege.
local   replication all                        trust
host    replication all       127.0.0.1/32     trust
host    replication all       ::1/128          trust

Arch / Artix

# TYPE  DATABASE    USER      ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                        trust
# IPv4 local connections:
host    all         all       127.0.0.1/32     trust
# IPv6 local connections:
host    all         all       ::1/128          trust
# Allow replication connections from localhost
# by a user with the replication privilege.
local   replication all                        trust
host    replication all       127.0.0.1/32     trust
host    replication all       ::1/128          trust
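
With trust, PostgreSQL accepts any connection that matches the rule without asking for a password, so every local account on the server can connect as any role, including postgres. The script below is an added example (not part of the original guide) that lists the trust rules in a pg_hba.conf. The hardened sample it is compared against, using peer and scram-sha-256, is an assumption about a single-server NextCloud setup, and the file names are constructed.

```shell
#!/bin/sh
# Added example: report pg_hba.conf rules that use the "trust" method.

# audit_pg_hba FILE: print each active trust rule as "LINE: RULE".
# Returns 1 if any trust rule was found, 0 otherwise.
audit_pg_hba() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            # METHOD is field 4 for "local" records, field 5 for host
            # records with a CIDR address, and field 6 when address and
            # netmask are written as two separate fields.
            if ($1 == "local") m = 4
            else if ($5 ~ /^[0-9.]+$|:/) m = 6
            else m = 5
            if ($m == "trust") { found = 1; print NR ": " $0 }
        }
        END { exit found + 0 }
    ' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the rules as shown on this page.
cat > "$tmp/page.conf" <<'EOF'
# TYPE  DATABASE    USER      ADDRESS          METHOD
local   all         all                        trust
host    all         all       127.0.0.1/32     trust
host    all         all       ::1/128          trust
local   replication all                        trust
host    replication all       127.0.0.1/32     trust
host    replication all       ::1/128          trust
EOF

# Constructed sample 2 (an assumption, not from the page): the postgres
# superuser is limited to the postgres OS account via peer, and the
# nextcloud role must present its password. peer is not used for
# nextcloud because the web server runs as apache/http, not "nextcloud".
# Replication rules are dropped on the assumption that none is in use.
cat > "$tmp/hardened.conf" <<'EOF'
local   all         postgres                   peer
local   nextcloud   nextcloud                  scram-sha-256
host    nextcloud   nextcloud 127.0.0.1/32     scram-sha-256
host    nextcloud   nextcloud ::1/128          scram-sha-256
EOF

for f in "$tmp/page.conf" "$tmp/hardened.conf"; do
    if audit_pg_hba "$f"; then
        echo "${f##*/}: no trust rules"
    else
        echo "${f##*/}: trust rules found (listed above)"
    fi
done
```
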

If you are running NextCloud and PostgreSQL on the same server, then you can disable listening on a TCP socket by editing /etc/postgresql-15/postgresql.conf (Gentoo) or /var/lib/postgres/data/postgresql.conf (Arch/Artix) and setting the listen_addresses directive to be blank, i.e.:

listen_addresses = ''

Restart Postgres to read your new settings:

Gentoo

/etc/init.d/postgresql-16 restart

Artix

/etc/init.d/postgresql restart

Create the NextCloud Database

As of version 27 I notice that PostgreSQL is no longer an installation option. My server that is using PostgreSQL is still working, so operation with PostgreSQL still appears to be supported, just not with their installation script.

Now configure the NextCloud database schema. Change the e-mail and passwords below for your Postgres installation. Set the following to your preferred admin e-mail address then copy and paste the occ command following.

ADMAIL=<your desired tech support e-mail address>
cd /var/www/nextcloud
…in your shell and then paste one of the below commands.

For Gentoo

sudo -u apache php -f occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --admin-email="$ADMAIL" \
    --data-dir=/var/lib/postgresql/16/data

For Artix/Arch Linux

sudo -u http php -f occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --admin-email="$ADMAIL" \
    --data-dir=/var/lib/nextcloud/data

You will be prompted for the database password that you set above and a password for the admin user. It may then take a couple of minutes to create everything (it took 90 seconds on a 4-core VM).

MariaDB (MySQL)

As of version 27 things seem to have changed. The NextCloud docs say:
Supported databases are:

- sqlite (SQLite3 - Nextcloud Community edition only)
- mysql (MySQL/MariaDB)
- pgsql (PostgreSQL)
- oci (Oracle - Nextcloud Enterprise edition only)

However, if you follow their instructions to install with PostgreSQL, the occ script will tell you it is not supported:

In Install.php line 126:

  Database <pgsql> is not supported. sqlite, mysql are supported.

The admin manual also mentions nothing about creating the MySQL admin user. Instead they show an example of using 'root' for database access (a bad idea, right?). So it seems their documentation and underlying code are currently in flux and that they appear to be dropping support for PostgreSQL.

Installation with MariaDB, then, can be done like so:

# mariadb
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 47
Server version: 11.1.2-MariaDB-log Artix Linux

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(server) 1| create database nextcloud;
(server) 2| grant all privileges on nextcloud.* to nextcloud@localhost identified by 'secret pass phrase';
(server) 3| \q

# sudo -u http php occ  maintenance:install \
--database='mysql' --database-name='nextcloud' \
--database-user='nextcloud' --database-pass='secret pass phrase' \
--admin-user='admin user name' --admin-pass='admin pass phrase'

Nextcloud was successfully installed

Create the NextCloud Database

Now configure the NextCloud database schema. Change the user name and pass phrases below for your MariaDB installation. Set the following variables then copy and paste the occ command following.

NCPASS=<nextcloud database pass phrase>
ADUSER=<admin user name>
ADPASS=<admin user pass phrase>
cd /var/www/nextcloud
…in your shell and then paste one of the below commands.

For Gentoo

sudo -u apache php -f occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-user=nextcloud \
    --database-pass="$NCPASS" \
    --admin-user="$ADUSER" \
    --admin-pass="$ADPASS"

For Artix/Arch Linux

sudo -u http php -f occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-user=nextcloud \
    --database-pass="$NCPASS" \
    --admin-user="$ADUSER" \
    --admin-pass="$ADPASS"

PHP FPM

Unlike other Linux variants that use loadable modules, Gentoo builds the modules into the PHP binaries (except for external PECL ones). So you don't need to enable any extensions in the php.ini file. You can see the extensions available with php -m.

www.conf

These are the settings I enable and/or change in /etc/php/fpm-php8.1/fpm.d/www.conf, choosing to call my pool “vault” rather than the default “www” (modify to suit yourself):

[vault]
prefix = /var/log/php-fpm
user = apache
group = apache
listen = /run/php-fpm/vault.sock
listen.owner = apache
listen.group = apache
pm = static
pm.max_children = 10
pm.max_requests = 500
pm.status_path = /status
pm.status_listen = 127.0.0.1:9001
access.log = $pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}dms %{kilo}MkB %C%%"
slowlog = $pool.slow.log
request_slowlog_timeout = 5
php_admin_value[error_log] = /var/log/php-fpm/error.log
php_admin_flag[log_errors] = on

In /etc/php/fpm-php8.1/php-fpm.conf I changed the error log location to group it with the other FPM logs:

error_log = log/php-fpm/php-fpm.log

/etc/php/fpm-php8.1/php.ini

Increase the memory limit and max upload to allow for large files:

memory_limit = 512M
upload_max_filesize = 128M
post_max_size = 128M

CLI setting for APCU / Memcache

You need to add a line to enable apc, or running occ from the command line will not work.

extension=apcu.so
apc.enable_cli=1

Finish

Now you can start PHP FPM to see if it works.

/etc/init.d/php-fpm start
tail /var/log/php-fpm/error.log

Apache

Assuming that you will be putting the NextCloud code in /var/www/nextcloud (see footnote 1), make a file in /etc/apache2/vhosts.d/ for the NextCloud site that is roughly like this:

Gentoo config example
# vim: ts=4 filetype=apache                       
<Directory /var/www/nextcloud>
	Require all granted
	AllowOverride All
	Options FollowSymLinks MultiViews
	<IfModule mod_dav.c>
		Dav off
		# From docs.nextcloud.com:  You don’t need the WebDAV module for your
		# Web server (i.e. Apache’s mod_webdav), as Nextcloud has a built-in
		# WebDAV server of its own, SabreDAV. If mod_webdav is enabled you must
		# disable it for Nextcloud.
	</IfModule>
	SetEnv HOME /var/www/nextcloud
	SetEnv HTTP_HOME /var/www/nextcloud
</Directory>

<VirtualHost *:80>
	ServerName cloud.mydomain.ca
	DocumentRoot /var/www/nextcloud
	CustomLog /var/log/apache2/nc-access.log combined
	ErrorLog /var/log/apache2/nc-error.log
	RewriteEngine on
	# If you are using NextCloud behind a proxy and the proxy will be the one requesting SSL certificates, then you can remove the following RewriteCond and RewriteRule.
	# Let through the .well-known directory for Let's Encrypt, redirect the rest to https
	RewriteCond %{REQUEST_FILENAME} !^(.*\.well-known/.+)$ [nocase]
	# Use temporary redirection R=302 rather than permanent R=301 because
	# using 301 causes the browser to NEVER send HTTP requests to the server
	# after the first time, which prevents testing using port 80 later.
	RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [redirect=302,last]
	#
	# If you are using NextCloud behind an Nginx proxy then you need these extra lines
	# or authentication will fail.
	RewriteEngine On
	RewriteCond %{HTTP:Authorization} ^(.*)
	RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
	#
	<Files "*">
		<RequireAll>
			Require all granted
			# Block countries and hosters from which come armies of robots to break our site
			Include /etc/apache2/block-lists
		</RequireAll>
	</Files>
</VirtualHost>

<IfModule ssl_module>
	<VirtualHost *:443>
		ServerName cloud.<DOMAIN>
		# Modify /var/www/nextcloud for your installation.
		DocumentRoot /var/www/nextcloud
		<IfModule log_config_module>
			CustomLog /var/log/apache2/cloud-access.log combined
			ErrorLog /var/log/apache2/cloud-error.log
		</IfModule>
		# Modify /var/www/nextcloud for your installation. The unix: socket path
		# must match the "listen" setting of your PHP-FPM pool.
		ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/www.sock|fcgi://cloud.<DOMAIN>/var/www/nextcloud/
		#
		# If you are using NextCloud behind an Nginx proxy then you need these extra lines
		# or authentication will fail.
		RewriteEngine On
		RewriteCond %{HTTP:Authorization} ^(.*)
		RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
		#
		SSLEngine on
		SSLCertificateFile      /etc/letsencrypt/live/<DOMAIN>/cert.pem
		SSLCertificateChainFile /etc/letsencrypt/live/<DOMAIN>/fullchain.pem
		SSLCertificateKeyFile   /etc/letsencrypt/live/<DOMAIN>/privkey.pem
		# SSLVerifyClient causes browser to request user authentication unless set to "none"
		# Possible settings:  require, optional, none.
		SSLVerifyClient none
		SSLVerifyDepth  10
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>
		<IfModule setenvif_module>
			BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
			BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
		</IfModule>
		<IfModule mod_headers.c>
			Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
		</IfModule>
		<Files "*">
			<RequireAll>
				Require all granted
				# Block countries and hosters from which come armies of robots to break our site
				Include /etc/apache2/block-lists/
			</RequireAll>
		</Files>
	</VirtualHost>
</IfModule>

Arch config example
# vim: ts=4 filetype=apache
<Directory /usr/share/webapps/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
        Dav off
        # From docs.nextcloud.com:  You don’t need the WebDAV module for your
        # Web server (i.e. Apache’s mod_webdav), as Nextcloud has a built-in
        # WebDAV server of its own, SabreDAV. If mod_webdav is enabled you must
        # disable it for Nextcloud.
    </IfModule>
    SetEnv HOME /usr/share/webapps/nextcloud
    SetEnv HTTP_HOME /usr/share/webapps/nextcloud
</Directory>
 
<VirtualHost *:80>
    ServerName cloud.<DOMAIN>
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/httpd/cloud-access.log combined
    ErrorLog /var/log/httpd/cloud-error.log
    RewriteEngine on
    # Let through the .well-known directory for Let's Encrypt, redirect the rest to https
    RewriteCond %{REQUEST_FILENAME} !^(.*\.well-known/.+)$ [nocase]
    # Use temporary redirection R=302 rather than permanent R=301 because
    # using 301 causes the browser to NEVER send HTTP requests to the server
    # after the first time, which prevents testing using port 80 later.
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [redirect=302,last]
    <Files "*">
        <RequireAll>
            Require all granted
            # Block countries and hosters from which come armies of robots to break our site
            Include /etc/httpd/block-lists
        </RequireAll>
    </Files>
</VirtualHost>
 
<IfDefine SSL>
    <IfModule ssl_module>
        <VirtualHost *:443>
            ServerName cloud.<DOMAIN>
            DocumentRoot /var/www/nextcloud
            ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm-legacy/nextcloud.sock|fcgi://localhost/usr/share/webapps/nextcloud/
            <IfModule log_config_module>
                CustomLog /var/log/httpd/cloud-access.log combined
                ErrorLog /var/log/httpd/cloud-error.log
            </IfModule>
            SSLEngine on
            SSLCertificateFile      /etc/letsencrypt/live/<DOMAIN>/cert.pem
            SSLCertificateChainFile /etc/letsencrypt/live/<DOMAIN>/fullchain.pem
            SSLCertificateKeyFile   /etc/letsencrypt/live/<DOMAIN>/privkey.pem
            # SSLVerifyClient causes browser to request user authentication unless set to "none"
            # Possible settings:  require, optional, none.
            SSLVerifyClient none
            SSLVerifyDepth  10
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <IfModule setenvif_module>
                BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
            </IfModule>
            <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
            </IfModule>
            <Files "*">
                <RequireAll>
                    Require all granted
                    # Block countries and hosters from which come armies of robots to break our site
                    Include /etc/httpd/block-lists
                </RequireAll>
            </Files>
        </VirtualHost>
    </IfModule>
</IfDefine>

Start Apache and see if it works:

/etc/init.d/apache2 start
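
If PHP pages fail after Apache starts, check that the unix: socket in ProxyPassMatch is the one the PHP-FPM pool listens on: the pool above listens on /run/php-fpm/vault.sock while the Gentoo vhost example proxies to /run/php-fpm/www.sock. The following check is an added example, not part of the original guide; the function names are hypothetical and the sample files are constructed from the settings on this page.

```shell
#!/bin/sh
# Added example: does Apache proxy to the socket PHP-FPM listens on?

# fpm_listen POOL_CONF: print the value of the pool "listen" directive.
fpm_listen() {
    awk -F= '$1 ~ /^[ \t]*listen[ \t]*$/ {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# vhost_sockets VHOST_CONF: print every socket path used in an active
# "unix:/path|fcgi://..." proxy target (commented-out lines are skipped).
vhost_sockets() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /unix:[^|]+\|fcgi:/) {
            print substr($0, RSTART + 5, RLENGTH - 11)
        }
    ' "$1"
}

# check_fpm_socket POOL_CONF VHOST_CONF: print OK or MISMATCH per proxy
# target; return 1 on any mismatch or when no target is found.
check_fpm_socket() {
    cfs_want=$(fpm_listen "$1")
    cfs_seen=0 cfs_bad=0
    for cfs_got in $(vhost_sockets "$2"); do
        cfs_seen=1
        if [ "$cfs_got" = "$cfs_want" ]; then
            echo "OK       $cfs_got"
        else
            echo "MISMATCH vhost=$cfs_got pool=$cfs_want"
            cfs_bad=1
        fi
    done
    [ "$cfs_seen" -eq 1 ] && [ "$cfs_bad" -eq 0 ]
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the "vault" pool settings from this page.
cat > "$tmp/pool.conf" <<'EOF'
[vault]
user = apache
listen = /run/php-fpm/vault.sock
listen.owner = apache
EOF

# Constructed samples: the proxy line as shown on this page, and the
# same line pointed at the pool socket.
cat > "$tmp/vhost_page.conf" <<'EOF'
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/www.sock|fcgi://cloud.<DOMAIN>/var/www/nextcloud/
EOF
sed 's/www\.sock/vault.sock/' "$tmp/vhost_page.conf" > "$tmp/vhost_fixed.conf"

check_fpm_socket "$tmp/pool.conf" "$tmp/vhost_page.conf" ||
    echo "vhost and pool disagree: fix one of them before starting Apache"
check_fpm_socket "$tmp/pool.conf" "$tmp/vhost_fixed.conf"
```
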

1) Using Arch Linux and installing with pacman, nextcloud is installed in /usr/share/webapps/nextcloud/ and the configuration is in /etc/webapps/nextcloud/