NextCloud
A quick start guide for setting up a NextCloud server on a Gentoo or Artix Linux server.
For installing NextCloud on Arch Linux you really can't beat the Arch Linux reference. I recommend you follow that instead of what is below.
My suggested server minimum specs:
Component | Minimum |
---|---|
RAM | 8GB |
CPU | 4 |
O/S disk | 30GB |
Data disk | As appropriate |
Web server | Apache 2.x |
PHP | PHP 8.1 (official docs say PHP 8.2 is recommended, but as of 20-03-2024 I can only get 8.1 to work in Gentoo) |
Database | PostgreSQL 16 (or the latest supported release) |
Gentoo Portage config
Put the following into /etc/portage/make.conf.
- USE, FEATURES, CONFIG_PROTECT, etc.
USE="apache apache2 bcmath calendar curl exif fpm freetype ftp gd gmp imap intl lvm mysql mysqli odbc opcache pdo postgres soap sockets sodium sqlite sysvipc threads truetype xmlreader xmlwriter zip -X"
FEATURES="parallel-fetch strict"
MAKEOPTS="-j4"
CONFIG_PROTECT="/etc/fstab /etc/bash /etc/conf.d/consolefont /etc/conf.d/hostname /etc/conf.d/domainname"
CURL_SSL="openssl"
LINGUAS="en en_GB"
L10N="en-GB"
- Apache modules
APACHE2_MODULES="access_compat \
    actions \
    alias \
    auth_basic \
    authn_core \
    authn_dbm \
    authn_file \
    authz_core \
    authz_dbm \
    authz_host \
    authz_user \
    autoindex \
    cgi \
    cgid \
    dav \
    dav_fs \
    dav_lock \
    dbd \
    deflate \
    dir \
    env \
    expires \
    ext_filter \
    filter \
    headers \
    http2 \
    include \
    info \
    log_config \
    log_forensic \
    logio \
    mime \
    mime_magic \
    negotiation \
    proxy \
    proxy_balancer \
    proxy_connect \
    proxy_fcgi \
    proxy_ftp \
    proxy_html \
    proxy_http \
    proxy_http2 \
    proxy_wstunnel \
    ratelimit \
    remoteip \
    rewrite \
    session \
    session_cookie \
    setenvif \
    slotmem_shm \
    socache_shmcb \
    speling \
    status \
    unique_id \
    unixd \
    userdir \
    vhost_alias \
    xml2enc"
ACCT_USER_APACHE_GROUPS="http"
Install packages
The next commands assume you have a fresh VM with just the base O/S installed. If much of the software is already installed you can re-install it or remove it from the list, as you prefer.
Gentoo
Many of the necessary packages will be installed as dependencies, so I've tried to focus on the main ones that need to be specified.
emerge -va apache apache-tools apr apr-util awk bash bc bind-tools binutils binutils-config binutils-libs bison bzip2 ca-certificates chrony clamav coreutils cpio cronie curl dhcp diffutils e2fsprogs expat file findutils gawk gcc gcc-config gd gdb gdbm gentoolkit gentoo-sources geoip gettext git glib glibc gmp gnupg gnutls grep grub gzip htop hwdata icu iftop imagemagick ipcalc iproute2 iptables iputils logrotate lsof lvm2 mailx make man-db mandoc man-pages mariadb mariadb-connector-c mariadb-connector-odbc memcached mlocate ncurses netkit-fingerd netkit-telnetd net-tools nfs-utils openssh openssl patch pciutils pecl-apcu pecl-imagick pecl-memcached perl perl-cleaner php portage-utils postfix postgresql procmail procps psmisc psutils qemu-guest-agent readline rpcbind rsync sed sqlite subversion app-admin/sudo sysvinit tar tcpdump tmux traceroute ufed unzip util-linux vim wget which whois xz-utils zlib
Artix
The nextcloud-git package in AUR is quite old—version 19.0.0 as of this writing, versus the latest release 27.0.1—so I have steps here to install the package from nextcloud.org.
As your non-root user:
sudo pacman -Sy apache-openrc certbot-apache php-fpm php-gd postgresql-openrc php-pgsql wget libiconv
yay -Sy php82-imagick
sudo cp -av /
sudo mkdir -m 775 -p /var/www/nextcloud
sudo chown http:$(id -g) /var/www/nextcloud
cd /var/www/nextcloud
wget https://download.nextcloud.com/server/installer/setup-nextcloud.php

Edit /etc/php/php.ini and make sure you have extension=iconv active (i.e., the comment symbol removed in column 1).
Configure a web site to point to that directory so you can run that file.
PostgreSQL
Before starting the server you need to establish the directories it needs.
Gentoo
emerge --config dev-db/postgresql:16
Artix
(anything needed?)
Now start Postgres:
If it is a new installation then set up the initial configuration:
su - postgres -c "initdb --locale en_GB.UTF-8 -D '/var/lib/postgres/data'"
Then configure the database for NextCloud:
sudo -u postgres psql -hlocalhost -Upostgres
CREATE USER nextcloud WITH PASSWORD '<password>' CREATEDB;
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UTF8';
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
GRANT ALL PRIVILEGES ON SCHEMA public TO nextcloud;
Next create pg_hba.conf with these lines to set the DB access to trust. You will likely find all of these settings already exist as shown below.

Gentoo
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost
# by a user with the replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
Arch / Artix
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost
# by a user with the replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
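
With `trust`, PostgreSQL accepts any matching connection as whatever role it names without asking for a password, so every local account on the server can connect as `postgres`. The script below is an added example, not part of the original guide: it flags `trust` rules in a pg_hba.conf file and runs against a constructed copy of the rules above and a constructed alternative that uses `peer` and `scram-sha-256`. The function name `audit_hba` and the alternative rules are assumptions; the `nextcloud` role and database names come from this page.

```shell
#!/bin/sh
# Added example (not from the original page): list pg_hba.conf rules that
# use the "trust" method. Prints one line per rule; returns 1 if any exist.
audit_hba() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            sub(/[ \t]*#.*$/, "")             # drop a trailing comment
            if ($1 == "local") {              # local DATABASE USER METHOD
                addr = "unix-socket"; method = $4
            } else if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $5 ~ /:/) {
                addr = $4 "/" $5; method = $6 # ADDRESS and NETMASK columns
            } else {                          # ADDRESS in CIDR or name form
                addr = $4; method = $5
            }
            if (method == "trust") {
                printf "line %d: %s db=%s user=%s from=%s uses trust\n",
                       NR, $1, $2, $3, addr
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT

cat > "$weak" <<'EOF'
# constructed sample: the rules shown on this page
local   all          all                       trust
host    all          all        127.0.0.1/32   trust
host    all          all        ::1/128        trust
local   replication  all                       trust
host    replication  all        127.0.0.1/32   trust
host    replication  all        ::1/128        trust
EOF

cat > "$hardened" <<'EOF'
# constructed sample: peer for the superuser, password for the app role
local   all          postgres                  peer
local   nextcloud    nextcloud                 scram-sha-256
host    nextcloud    nextcloud  127.0.0.1/32   scram-sha-256
EOF

if audit_hba "$weak"; then echo "weak: clean"; else echo "weak: trust rules found"; fi
audit_hba "$hardened" && echo "hardened: clean"
```

With the alternative rules, administrative access is `sudo -u postgres psql` over the Unix socket, and the `nextcloud` role authenticates with the password set in CREATE USER.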
If you are running NextCloud and PostgreSQL on the same server, then you can disable listening on a TCP socket by editing /etc/postgresql-15/postgresql.conf (Gentoo) or /var/lib/postgres/data/postgresql.conf (Arch/Artix) and setting the listen_addresses directive to be blank, i.e.:
listen_addresses = ''
Restart Postgres to read your new settings:
Gentoo
/etc/init.d/postgresql-16 restart
Artix
/etc/init.d/postgresql restart
Create the NextCloud Database
As of version 27 I notice that PostgreSQL is no longer an installation option. My server that is using PostgreSQL is still working, so operation with PostgreSQL still appears to be supported, just not with their installation script.

Now configure the NextCloud database schema. Change the e-mail and passwords below for your Postgres installation. Set ADMAIL to your preferred admin e-mail address and change to the NextCloud directory in your shell:

ADMAIL=<your desired tech support e-mail address>
cd /var/www/nextcloud

Then paste one of the commands below.

For Gentoo
sudo -u apache php -f occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --admin-email=$ADMAIL \
    --data-dir=/var/lib/postgresql/16/data

For Artix/Arch Linux
sudo -u http php -f occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --admin-email=$ADMAIL \
    --data-dir=/var/lib/nextcloud/data
You will be prompted for the database password that you set above and a password for the admin user. It may then take a couple of minutes to create everything (it took 90 seconds on a 4-core VM).
MariaDB (MySQL)
As of version 27 things seem to have changed. The NextCloud docs say:
Supported databases are:
- sqlite (SQLite3 - Nextcloud Community edition only)
- mysql (MySQL/MariaDB)
- pgsql (PostgreSQL)
- oci (Oracle - Nextcloud Enterprise edition only)

However, if you try to follow their instructions to install with PostgreSQL the occ script will tell you it is not supported:

In Install.php line 126:
  Database <pgsql> is not supported. sqlite, mysql are supported.

The admin manual also mentions nothing about creating the MySQL admin user. Instead they show an example of using 'root' for database access (a bad idea, right?). So it seems their documentation and underlying code are currently in flux and that they appear to be dropping support for PostgreSQL.
Installation with MariaDB, then, can be done like so:
# mariadb
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 47
Server version: 11.1.2-MariaDB-log Artix Linux

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

(server) 1| create database nextcloud;
(server) 2| grant all privileges on nextcloud.* to nextcloud@localhost identified by 'secret pass phrase';
(server) 3| \q
# sudo -u http php occ maintenance:install \
    --database='mysql' --database-name='nextcloud' \
    --database-user='nextcloud' --database-pass='secret pass phrase' \
    --admin-user='admin user name' --admin-pass='admin pass phrase'
Nextcloud was successfully installed
Create the NextCloud Database
Now configure the NextCloud database schema. Change the user name and pass phrases below for your MariaDB installation. Set the following variables and change to the NextCloud directory in your shell:

NCPASS=<nextcloud database pass phrase>
ADUSER=<admin user name>
ADPASS=<admin user pass phrase>
cd /var/www/nextcloud

Then paste one of the commands below.

For Gentoo
sudo -u apache php -f occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-user=nextcloud \
    --database-pass="$NCPASS" \
    --admin-user="$ADUSER" \
    --admin-pass="$ADPASS"

For Artix/Arch Linux
sudo -u http php -f occ maintenance:install \
    --database=mysql \
    --database-name=nextcloud \
    --database-user=nextcloud \
    --database-pass="$NCPASS" \
    --admin-user="$ADUSER" \
    --admin-pass="$ADPASS"
PHP FPM
Unlike other Linux variants that use loadable modules, Gentoo builds the modules into the PHP binaries (except for external PECL ones). So you don't need to enable any extensions in the php.ini file. You can see the extensions available with php -m.
www.conf
These are the settings I enable and/or change in /etc/php/fpm-php8.1/fpm.d/www.conf, choosing to call my pool “vault” rather than the default “www” (modify to suit yourself):

[vault]
prefix = /var/log/php-fpm
user = apache
group = apache
listen = /run/php-fpm/vault.sock
listen.owner = apache
listen.group = apache
pm = static
pm.max_children = 10
pm.max_requests = 500
pm.status_path = /status
pm.status_listen = 127.0.0.1:9001
access.log = $pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}dms %{kilo}MkB %C%%"
slowlog = $pool.slow.log
request_slowlog_timeout = 5
php_admin_value[error_log] = /var/log/php-fpm/error.log
php_admin_flag[log_errors] = on
In /etc/php/fpm-php8.1/php-fpm.conf I changed the error log location to group it with the other FPM logs:

error_log = log/php-fpm/php-fpm.log
/etc/php/fpm-php8.1/php.ini
Increase the memory limit and max upload to allow for large files:
memory_limit = 512M
upload_max_filesize = 128M
post_max_size = 128M
CLI setting for APCU / Memcache
You need to add a line to enable apc or running occ from the command line will not work.

extension=apcu.so
apc.enable_cli=1
Finish
Now you can start PHP FPM to see if it works.
/etc/init.d/php-fpm start
tail /var/log/php-fpm/error.log
Apache
Assuming that you will be putting the NextCloud code in /var/www/nextcloud, then in /etc/apache2/vhosts.d/ make a file for the NextCloud site that is roughly like this:
Gentoo config example

# vim: ts=4 filetype=apache
<Directory /var/www/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
        Dav off
        # From docs.nextcloud.com: You don’t need the WebDAV module for your
        # Web server (i.e. Apache’s mod_webdav), as Nextcloud has a built-in
        # WebDAV server of its own, SabreDAV. If mod_webdav is enabled you must
        # disable it for Nextcloud.
    </IfModule>
    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
</Directory>

<VirtualHost *:80>
    ServerName cloud.mydomain.ca
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog /var/log/apache2/nc-error.log
    RewriteEngine on
    # If you are using NextCloud behind a proxy and the proxy will be the one
    # requesting SSL certificates, then you can remove the following
    # RewriteCond and RewriteRule.
    # Let through the .well-known directory for Let's Encrypt, redirect the rest to https
    RewriteCond %{REQUEST_FILENAME} !^(.*\.well-known/.+)$ [nocase]
    # Use temporary redirection R=302 rather than permanent R=301 because
    # using 301 causes the browser to NEVER send HTTP requests to the server
    # after the first time, which prevents testing using port 80 later.
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [redirect=302,last]
    #
    # If you are using NextCloud behind an Nginx proxy then you need these extra lines
    # or authentication will fail.
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    #
    <Files "*">
        <RequireAll>
            Require all granted
            # Block countries and hosters from which come armies of robots to break our site
            Include /etc/apache2/block-lists
        </RequireAll>
    </Files>
</VirtualHost>

<IfModule ssl_module>
<VirtualHost *:443>
    ServerName cloud.<DOMAIN>
    # Modify /var/www/nextcloud for your installation.
    DocumentRoot /var/www/nextcloud
    <IfModule log_config_module>
        CustomLog /var/log/apache2/cloud-access.log combined
        ErrorLog /var/log/apache2/cloud-error.log
    </IfModule>
    # Modify /var/www/nextcloud for your installation.
    # The unix: socket path must match the "listen" setting of your PHP-FPM pool.
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/www.sock|fcgi://cloud.<DOMAIN>/var/www/nextcloud/
    #
    # If you are using NextCloud behind an Nginx proxy then you need these extra lines
    # or authentication will fail.
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    #
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/<DOMAIN>/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/<DOMAIN>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/<DOMAIN>/privkey.pem
    # SSLVerifyClient causes browser to request user authentication unless set to "none"
    # Possible settings: require, optional, none.
    SSLVerifyClient none
    SSLVerifyDepth 10
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <IfModule setenvif_module>
        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </IfModule>
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
    <Files "*">
        <RequireAll>
            Require all granted
            # Block countries and hosters from which come armies of robots to break our site
            Include /etc/apache2/block-lists/
        </RequireAll>
    </Files>
</VirtualHost>
</IfModule>
Arch config example

# vim: ts=4 filetype=apache
<Directory /usr/share/webapps/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
        Dav off
        # From docs.nextcloud.com: You don’t need the WebDAV module for your
        # Web server (i.e. Apache’s mod_webdav), as Nextcloud has a built-in
        # WebDAV server of its own, SabreDAV. If mod_webdav is enabled you must
        # disable it for Nextcloud.
    </IfModule>
    SetEnv HOME /usr/share/webapps/nextcloud
    SetEnv HTTP_HOME /usr/share/webapps/nextcloud
</Directory>

<VirtualHost *:80>
    ServerName cloud.<DOMAIN>
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/httpd/cloud-access.log combined
    ErrorLog /var/log/httpd/cloud-error.log
    RewriteEngine on
    # Let through the .well-known directory for Let's Encrypt, redirect the rest to https
    RewriteCond %{REQUEST_FILENAME} !^(.*\.well-known/.+)$ [nocase]
    # Use temporary redirection R=302 rather than permanent R=301 because
    # using 301 causes the browser to NEVER send HTTP requests to the server
    # after the first time, which prevents testing using port 80 later.
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [redirect=302,last]
    <Files "*">
        <RequireAll>
            Require all granted
            # Block countries and hosters from which come armies of robots to break our site
            Include /etc/httpd/block-lists
        </RequireAll>
    </Files>
</VirtualHost>

<IfDefine SSL>
<IfModule ssl_module>
<VirtualHost *:443>
    ServerName cloud.<DOMAIN>
    DocumentRoot /var/www/nextcloud
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm-legacy/nextcloud.sock|fcgi://localhost/usr/share/webapps/nextcloud/
    <IfModule log_config_module>
        CustomLog /var/log/httpd/cloud-access.log combined
        ErrorLog /var/log/httpd/cloud-error.log
    </IfModule>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/<DOMAIN>/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/<DOMAIN>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/<DOMAIN>/privkey.pem
    # SSLVerifyClient causes browser to request user authentication unless set to "none"
    # Possible settings: require, optional, none.
    SSLVerifyClient none
    SSLVerifyDepth 10
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <IfModule setenvif_module>
        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </IfModule>
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
    <Files "*">
        <RequireAll>
            Require all granted
            # Block countries and hosters from which come armies of robots to break our site
            Include /etc/apache2/block-lists/
        </RequireAll>
    </Files>
</VirtualHost>
</IfModule>
</IfDefine>
Start Apache and see if it works:
/etc/init.d/apache2 start