@caos30
Last active April 9, 2022 13:57
Install Nextcloud on DreamCompute (DreamHost non-administrated VPS)

Install Nextcloud on DreamCompute

These are the steps and commands I used to install Nextcloud on DreamCompute, DreamHost's cloud VPS hosting, which I recommend. For personal use, at least, a VPS with 1 GB of RAM is enough. I also share how to enable and install other interesting add-ons, for example OnlyOffice server (community edition, now limited to 20 users, which is enough for personal use).

It also covers how to install a Let's Encrypt certificate, so I think it gives us a really functional and complete NC-Office server. I avoided using snap and docker whenever possible. With manual installations you have better control. That's my personal opinion.

Please feel free to add your suggestions/fixes if you spot something wrong. Before arriving at this guide, I had to try installing NC at least 3 times. For example, the first time I tried with a 512 MB RAM VPS and it didn't run, generating all kinds of odd errors.

Another thing I realized during this process is that every X months we probably need to UPDATE ANY INSTALLATION GUIDE, because there is probably a new version of Ubuntu, NC, Apache, Let's Encrypt-certbot, etc. So don't despair if you run into problems applying this guide. Find the error and share your solution here with others.

Note: I use Ubuntu (GNU/Linux) on my local machine and on the VPS, but you can probably follow the guide with minor changes on other operating systems.

guides included in this gist:

After installing Nextcloud

These are some of the things you should probably do once Nextcloud is installed.


Enable Redis caching

From your local terminal, connect to the VPS:

ssh ubuntu@nextcloud.mydomain.com

Edit Nextcloud config file:

sudo nano /var/www/html/config/config.php

And add this:

'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => [
   'host' => 'localhost',
   'port' => 6379,
],

Save & exit with CTRL+X.

Restart server with:

sudo service apache2 restart
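The `redis` entry above carries no password, so it is only safe while Redis listens on the loopback interface alone. The following check is an added example, not part of the original gist; the function name `redis_exposure` is hypothetical, and the path `/etc/redis/redis.conf` is assumed to be where the Ubuntu `redis-server` package keeps its configuration. It reads only the `bind` and `requirepass` directives and does not model Redis protected mode.

```sh
#!/bin/sh
# Added example: classify how a redis.conf exposes the server.
# redis_exposure CONF prints one of:
#   loopback-only          every address of the effective bind line is local
#   network-with-password  reachable from the network, requirepass is set
#   network-no-password    reachable from the network, no requirepass
redis_exposure() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == "bind" {
            net = 0                             # a later bind line replaces earlier ones
            for (i = 2; i <= NF; i++) {
                a = $i
                sub(/^-/, "", a)                # "-::1" marks an optional address
                if (a !~ /^127\./ && a != "::1" && a != "localhost") net = 1
            }
            seen = 1
        }
        tolower($1) == "requirepass" { auth = (NF >= 2 && $2 != "\"\"") }
        END {
            if (!seen) net = 1                  # no bind line: all interfaces
            if (!net) { print "loopback-only" }
            else if (auth) { print "network-with-password" }
            else { print "network-no-password" }
        }' "$1"
}

# On the VPS (assumed path):
#   redis_exposure /etc/redis/redis.conf
```

Anything other than `loopback-only` means the security group is the only thing between the network and the cache; if a password is set in Redis, the same value goes into a `'password'` key of the `redis` array in config.php.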

Basic & required/recommended settings as administrator

Log in to Nextcloud as administrator using the browser, and configure the following:

Apps > install some usual ones:

  • AppOrder, Mind Map, QOwnNotesAPI, News, Talk
  • Calendar, Contacts, Deck, Markdown editor
  • Social sharing via email, Social sharing via Facebook

Settings > Basic settings > Email server (SMTP)

Obviously, fill in the SMTP settings of one of your own email accounts.

Settings > Basic settings > Background jobs

  • check the third option: [] CRON
  • then run this in the terminal:
sudo chmod +x /var/www/html/cron.php
echo "*/15 * * * * php -f /var/www/html/cron.php" > cron.tmp
# note: this replaces any existing crontab of the www-data user
sudo crontab -u www-data cron.tmp
rm cron.tmp
  • to check the latest CRON executions, run this in the shell:
grep CRON /var/log/syslog

Settings > Sharing

  • check Enforce password protection wherever it appears
  • uncheck all on "Federated Cloud Sharing" (if you do not use it)
  • on Share by email uncheck Send password by email and check Enforce password protection

Settings > Security > Password policy

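  • Set "Minimal length" to 4 (to be able to share files protected with only a 4-digit password, which is friendlier to third parties who don't use our Nextcloud)
  • uncheck "Forbid common passwords" (for the same reason as above: to let us use simple passwords such as 4 numeric digits when sharing files, instead of being forced to use symbols, upper/lower case letters, bla bla bla)

Keep in mind that this policy is not limited to share links: it also governs user account passwords, so with these values the accounts themselves have to be kept strong by other means.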

Installing OnlyOffice on a second VPS DreamCompute

For now, for testing purposes, I decided to create a second VPS on DreamCompute, also with 1 GB of RAM, and install OnlyOffice there for online editing of text/spreadsheet documents from Nextcloud.

I suppose it could run on the same VPS where I installed NC, but I preferred to test it first on a separate instance. This way, I can also use this office instance for other projects of mine, such as some instances of the HumHub social networking project.

Source: https://www.linuxbabe.com/ubuntu/integrate-nextcloud-onlyoffice


On DreamCompute panel

You have probably already created the security group (when installing NC), but if not, then:

  • on Network > Security Groups
  • name it for example: nextcloud-sgrp

Create an instance for the OnlyOffice server: onlyoffice -> 107.XXX.YYY.ZZZ (different from the NC instance IP)

  • 20Gb storage, from image Ubuntu 18.04, gp1.subsonic (1 core 1Gb RAM)
  • security group: nextcloud-sgrp
  • key pair for SSH: take it from ~/.ssh/id_rsa.pub and name it mymachine-name or you can use a previous one already imported, if you created other instances before

On domain name panel

Add a new DNS record for the subdomain that we want to use to access the OnlyOffice server, for example "onlyoffice.mydomain.com":

A | onlyoffice | 107.XXX.YYY.ZZZ

Note: I recommend using the literal word "onlyoffice", because this suite sometimes uses this name as a default for a lot of things (database name, I think, etc.), so it's more prudent to use "onlyoffice" everywhere. Yeah, I would have preferred to use "office" instead.


Install postgresql, nodejs, redis & OnlyOffice

Connect to the new instance with:

ssh ubuntu@107.XXX.YYY.ZZZ

Install Postgresql database and create db & user for OO:

sudo su
apt update
apt install postgresql
service postgresql status

sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password '********';"
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"

Install NodeJS from official repository:

curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
apt install -y nodejs
node -v

Install Redis server and Rabbitmq:

apt install redis-server rabbitmq-server

Check their status:

service redis-server status
service rabbitmq-server status

Add OnlyOffice repository with the following command.

echo "deb http://download.onlyoffice.com/repo/debian squeeze main" | sudo tee /etc/apt/sources.list.d/onlyoffice.list

Import OnlyOffice public key:

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5

Install OnlyOffice:

apt install onlyoffice-documentserver

Note: you will be asked for the password of the onlyoffice database user.


Enabling HTTPS

nano /etc/nginx/conf.d/ds.conf

Put inside (replace mydomain.com):

include /etc/nginx/includes/http-common.conf;

server {
  listen 0.0.0.0:80;
  listen [::]:80 default_server;
  server_name onlyoffice.mydomain.com;
  server_tokens off;

  include /etc/nginx/includes/ds-*.conf;

  location ~ /.well-known/acme-challenge {
      root /var/www/onlyoffice/;
      allow all;
  }
}

Save and close the file with CTRL+X.

Reload Nginx for the changes to take effect:

service nginx reload

Then install certbot (Let’s Encrypt) client:

apt install letsencrypt

Get & install SSL certificate from Let's Encrypt (replace email & mydomain.com):

letsencrypt certonly --webroot --agree-tos --email your@email.com -d onlyoffice.mydomain.com -w /var/www/onlyoffice/

Edit the ds.conf file again:

nano /etc/nginx/conf.d/ds.conf

Delete everything in that file and paste the following text into the file. Replace onlyoffice.mydomain.com accordingly:

include /etc/nginx/includes/http-common.conf;

## Normal HTTP host
server {
  listen 0.0.0.0:80;
  listen [::]:80 default_server;
  server_name onlyoffice.mydomain.com;
  server_tokens off;
  ## Redirects all traffic to the HTTPS host
  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
  rewrite ^ https://$host$request_uri? permanent;
}

##HTTP host for internal services
server {
  listen 127.0.0.1:80;
  listen [::1]:80;
  server_name localhost;
  server_tokens off;
  include /etc/nginx/includes/ds-*.conf;
}

## HTTPS host
server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ssl default_server;
  server_name onlyoffice.mydomain.com;
  server_tokens off;
  root /usr/share/nginx/html;
  
  ssl_certificate /etc/letsencrypt/live/onlyoffice.mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/onlyoffice.mydomain.com/privkey.pem;

  # modern configuration. tweak to your needs.
  ssl_protocols TLSv1.2;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

  ssl_session_cache builtin:1000 shared:SSL:10m;
  # add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;
 
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 10s;
  ## [Optional] Generate a stronger DHE parameter:
  ##   cd /etc/ssl/certs
  ##   sudo openssl dhparam -out dhparam.pem 4096
  ##
  #ssl_dhparam {{SSL_DHPARAM_PATH}};

  location ~ /.well-known/acme-challenge {
     root /var/www/onlyoffice/;
     allow all;
  }

  include /etc/nginx/includes/ds-*.conf;

}

Save and close the file: CTRL+X

Then test Nginx configuration and reload:

nginx -t
service nginx reload

Installing Nextcloud OnlyOffice Integration App

Connect to the Nextcloud server using SSH, and then change to the Nextcloud apps directory (Nextcloud lives in /var/www/html in this guide):

sudo su
cd /var/www/html/apps/

Next, download Nextcloud OnlyOffice integration app using the following command.

git clone https://github.com/ONLYOFFICE/onlyoffice-owncloud.git onlyoffice

Log in to Nextcloud through the browser as administrator, go to Settings > ONLYOFFICE and fill in the box Document Editing Service address with the https address of the subdomain where you installed OnlyOffice, something like this:

https://onlyoffice.mydomain.com

You should also take a look at the other options available on the same settings page ;-)

That's all. Enjoy it!

Renew SSL Let's Encrypt certificate on the VPS

It's not as easy as running certbot renew, so I share here a detailed list of steps to perform the renewal. We need tmux installed to be able to split the terminal into 2 panes on the server side (not on the client side as with terminator, hehehe).

We become the root user:

sudo su -

We run tmux:

tmux

then create a second horizontal pane using this keyboard shortcut:

CTRL+b "

Other shortcuts for tmux here. We will move between panes using the shortcut CTRL+b (vertical arrow).

Call the certbot script (you should have installed it since you installed the first certificate):

/opt/certbot/certbot-auto --manual -d "nextcloud.mydomain.com" --server https://acme-v02.api.letsencrypt.org/directory certonly

It will detect that you already have a certificate installed and will proceed with the renewal. When it shows you a long hash string that must be reachable from a URL, switch to the other tmux pane (CTRL+b arrow).

Create the requested file, something like:

nano /var/www/html/.well-known/acme-challenge/irV9o4bkgjmpk-_8Ww6RBqFvYZrzYu8IX9N-kj3HN1U

Copy the hash from the other pane and paste it into the nano editor.

Then we need to "silence" the .htaccess file of Nextcloud to make the new file accessible:

mv /var/www/html/.htaccess /var/www/html/htaccess

So, now you must move to the other pane (CTRL+b arrow) and press RETURN to continue with the certificate renewal.

Once the certbot renewal process has finished, we re-enable the .htaccess of Nextcloud:

mv /var/www/html/htaccess /var/www/html/.htaccess

We restart apache:

service apache2 restart

And finally close tmux panes with shortcut CTRL+b x.

Install Nextcloud on Ubuntu VPS


On DreamCompute panel

Create a Security Group:

  • on Network > Security Groups
  • name it for example: nextcloud-sgrp

Create instance for Nextcloud server: nextcloud -> 64.XXX.YYY.ZZZ

  • 30Gb storage, from image Ubuntu 18.04, gp1.subsonic (1 core 1Gb RAM)
  • security group: nextcloud-sgrp
  • key pair for SSH: take it from ~/.ssh/id_rsa.pub from your local machine and name it mymachine-name or you can use a previous one already imported, if you created other VPS before

On domain name panel

Go to the panel where your domain is hosted and add a new DNS record for the subdomain that we want to use to access the Nextcloud server, for example nextcloud.mydomain.com, because we will access Nextcloud through a subdomain:

A | nextcloud | 64.XXX.YYY.ZZZ

It is convenient to do this now, before continuing with the installation, because this gives the DNS propagation more time, and the subdomain will probably be active by the time we finish this installation guide. Indeed, we will need it to install the Let's Encrypt certificate.


First SSH to create MariaDB & Apache

Connect from terminal to the new VPS instance with user ubuntu:

ssh ubuntu@64.XXX.YYY.ZZZ

Install MariaDB:

sudo su -
apt update
apt install mariadb-server mariadb-client

Set config for mariadb:

nano /etc/mysql/my.cnf

It must end up like this:

[server]
skip-name-resolve
innodb_buffer_pool_size = 128M
innodb_buffer_pool_instances = 1
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 32M
innodb_max_dirty_pages_pct = 90
query_cache_type = 1
query_cache_limit = 2M
query_cache_min_res_unit = 2k
query_cache_size = 64M
tmp_table_size= 64M
max_heap_table_size= 64M
slow-query-log = 1
slow-query-log-file = /var/log/mysql/slow.log
long_query_time = 1

[client-server]
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

[client]
default-character-set = utf8mb4

[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
transaction_isolation = READ-COMMITTED
binlog_format = ROW
innodb_large_prefix=on
innodb_file_format=barracuda
innodb_file_per_table=1

Restart mariadb:

service mariadb restart

Create the database and a user for Nextcloud:

mysql -u root
> CREATE DATABASE nextcloud CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
> GRANT ALL ON nextcloud.* TO 'nc'@'localhost' IDENTIFIED BY '********';
> select user from mysql.db where db='nextcloud'; 
> flush privileges;
> quit;
service mysql restart

Install Apache, PHP and the extra modules:

sudo su -
apt install apache2 libapache2-mod-php7.2 unzip
apt install php7.2-gd php7.2-json php7.2-mysql php7.2-curl php7.2-mbstring php7.2-intl php-imagick php7.2-xml php7.2-zip
apt install redis-server php-redis

a2enmod rewrite
a2enmod ssl
a2enmod headers
service apache2 restart

Apply recommended settings to php.ini (it's not strictly required):

nano /etc/php/7.2/apache2/php.ini

Modify these lines (you choose your own limits):

max_execution_time = 60
max_input_time = 120
memory_limit = 256M    ; recommended by the Nextcloud team: min. 512M

post_max_size = 100M

upload_max_filesize = 100M
max_file_uploads = 50

Apply the same to this other file (used by the PHP that the server cron runs):

nano /etc/php/7.2/cli/php.ini

Enable OPcache:

nano /etc/php/7.2/apache2/conf.d/10-opcache.ini

Add this:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

We log out from SSH:

exit;

Automated install of the Let's Encrypt certificate (not yet tested)

While the DB was being installed, the DNS update has probably finished, letting us use the new subdomain. Check it with a ping:

ping nextcloud.mydomain.com

When you see that the answer returns the assigned IP then begin a new SSH connection to the VPS.

sudo apt install python-certbot-apache
sudo certbot --apache

Fill in the requested info: email, agree, yes/no, (server hostname)


Alternative manual install of Let's Encrypt certificate

These are the steps I actually followed to install the certificate, so I know that they work (July 2019). I have read that the process above (using python-certbot-apache) is fully functional and better, but I have not tested it yet.

ssh ubuntu@nextcloud.mydomain.com

We will need to have tmux installed to work with more than one terminal at the same time. Install it with:

apt install tmux

Then start it with 2 windows:

tmux
CTRL+b "

To get a Let's Encrypt certificate:

sudo su -
cd /opt
git clone https://github.com/certbot/certbot

/opt/certbot/certbot-auto --manual -d "nextcloud.mydomain.com" --server https://acme-v02.api.letsencrypt.org/directory certonly

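But if you need a "multi-subdomain" (wildcard) certificate, use this alternative command instead. Let's Encrypt validates wildcard names only through the DNS-01 challenge, so for the wildcard name the wizard asks for a DNS TXT record rather than the file described below: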

/opt/certbot/certbot-auto --manual -d "example.com" -d "*.example.com" --server https://acme-v02.api.letsencrypt.org/directory certonly

When running the command above you must answer:

1) 'y' (continue with the installation)
2) [email address] (one you have access to)
3) 'A' (agree terms of service)
4) 'y'/'n' (choose to share your email with EFF)
5) 'y' (agree your IP will be logged)
6) when "Press Enter to Continue" appears...
*** DON'T PRESS ENTER YET !!! ***

Go to the other tmux window with:

CTRL+b (up arrow)

Create a file with the content shown by the wizard in its last output:

mkdir -p /var/www/html/.well-known/acme-challenge/
nano /var/www/html/.well-known/acme-challenge/hcqA0ajIr0tsCSJ5yZAqD7z8LcvOJuMHb2qVPGtt9Yk

Note: replace hcqA0ajIr0tsCSJ5yZAqD7z8LcvOJuMHb2qVPGtt9Yk with the name of the file requested by the installation wizard.

Then put in it the long string shown in the wizard's output (Tzx6Gae....), and press CTRL+X to save and close. Something like this:

ZwnpFzZt0BoD7lIgdk4ZAy1Zz1CzoJASv8de9ZaMRKk.FqlplqmtcJ5UT_y8LAuYwueovHphmmdi3U7rN8__lCE

Return again to the other tmux window with:

CTRL+b (down arrow)

And press ENTER. Wait a couple of seconds and you should see a confirmation text like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem
   Your cert will expire on 2019-09-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can close tmux by closing each of the window sessions:

exit;
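The manual file handling above, and the same steps in the renewal section (challenge file, parking Nextcloud's .htaccess, putting it back), can be handed to certbot itself through its `--manual-auth-hook` and `--manual-cleanup-hook` options, which removes the window in which .htaccess stays renamed because a step was forgotten. This is an added example, not part of the original gist; the script name and the function names are hypothetical, and it assumes the web root `/var/www/html` used throughout this guide.

```sh
#!/bin/sh
# certbot-webroot-hook.sh (hypothetical name), added example.
# certbot exports CERTBOT_TOKEN (challenge file name) and CERTBOT_VALIDATION
# (challenge file content) to the commands given as
#   --manual-auth-hook    "/path/to/certbot-webroot-hook.sh auth"
#   --manual-cleanup-hook "/path/to/certbot-webroot-hook.sh cleanup"

WEBROOT="${WEBROOT:-/var/www/html}"   # document root used in this guide

# Write the challenge file and park the .htaccess of Nextcloud.
acme_auth() {
    webroot=$1 token=$2 validation=$3
    # The token becomes a file name: accept base64url characters only.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "refusing token: $token" >&2; return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$validation" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
    # Same rename as the manual steps; skipped when Nextcloud is not there yet.
    if [ -f "$webroot/.htaccess" ]; then
        mv "$webroot/.htaccess" "$webroot/htaccess"
    fi
}

# Undo acme_auth: delete the challenge file and restore .htaccess.
acme_cleanup() {
    webroot=$1 token=$2
    case $token in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    rm -f "$webroot/.well-known/acme-challenge/$token"
    if [ -f "$webroot/htaccess" ] && [ ! -e "$webroot/.htaccess" ]; then
        mv "$webroot/htaccess" "$webroot/.htaccess"
    fi
}

# Succeeds only when .htaccess is back and no parked copy is left behind.
htaccess_in_place() {
    [ -f "$1/.htaccess" ] && [ ! -e "$1/htaccess" ]
}

# Dispatch when called by certbot; with no argument only the functions load.
case "${1:-}" in
    auth)    acme_auth "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) acme_cleanup "$WEBROOT" "$CERTBOT_TOKEN" ;;
esac
```

After any renewal, manual or hooked, `htaccess_in_place /var/www/html` is the check to run on an installed Nextcloud before walking away from the terminal.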

Create the virtualhost on Apache

We edit the default vhost on this VPS:

nano /etc/apache2/sites-available/default-ssl.conf

and replace this:

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

with this copied from above instructions from certbot (replace mydomain.com):

SSLCertificateFile /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem

In the nano text editor, add this:

<Directory /var/www/html/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/html
 SetEnv HTTP_HOME /var/www/html

</Directory>

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

Activate the SSL virtualhost:

a2ensite default-ssl

Then, having saved and exited nano with CTRL+X, reload Apache:

sudo service apache2 reload

Voilà!!! We have the Apache server installed and the nextcloud. subdomain correctly set up, and we're ready to download the latest Nextcloud release and install it.


Download NC release and install from browser

Download and unzip:

sudo su -
cd /var/www/html/
rm -f *.*
wget https://download.nextcloud.com/server/releases/nextcloud-16.0.1.zip
unzip nextcloud-16.0.1.zip
cp -r nextcloud/. .
rm -rf next*
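The download above is unpacked into the web root without any integrity check. The following is an added example, not part of the original gist, that verifies the archive against a SHA-256 digest before unzipping; the function names are hypothetical, and it assumes that a `.sha256` file is published next to the archive under the same URL and that its first field is the hex digest.

```sh
#!/bin/sh
# Added example: refuse to unpack a release whose digest does not match.

# verify_release ARCHIVE SUMFILE
#   returns 0 = digest matches, 1 = mismatch, 2 = input missing or malformed
verify_release() {
    archive=$1 sumfile=$2
    [ -f "$archive" ] || return 2
    [ -f "$sumfile" ] || return 2
    # First field of the first line is the digest; the file name column is ignored.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;           # not a hex string
    esac
    [ "${#expected}" -eq 64 ] || return 2      # SHA-256 is 64 hex characters
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# fetch_release VERSION DESTDIR: download, verify, and only then unzip.
# The .sha256 URL is an assumption (same location as the archive).
fetch_release() {
    version=$1 dest=$2
    url="https://download.nextcloud.com/server/releases/nextcloud-$version.zip"
    wget -q -O "$dest/nextcloud.zip" "$url" &&
    wget -q -O "$dest/nextcloud.zip.sha256" "$url.sha256" &&
    verify_release "$dest/nextcloud.zip" "$dest/nextcloud.zip.sha256" &&
    unzip -q "$dest/nextcloud.zip" -d "$dest"
}

# Usage on the VPS, into a staging directory rather than the web root:
#   mkdir /root/nc-stage && fetch_release 16.0.1 /root/nc-stage
```

A digest fetched from the same host catches truncated or corrupted downloads; it does not replace checking the project's detached signature with gpg when the concern is a tampered server.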

Create directory for data & set permissions:

mkdir /var/www/html/data
chown -R www-data:www-data /var/www/html
# only www-data needs access to the data directory; do not make it world-writable
chmod 770 /var/www/html/data

Visit Nextcloud on web browser, but *** DON'T POPULATE THE FORM ***

https://nextcloud.mydomain.com

Once the web form has loaded (administrator user & database connection), go to the SSH terminal and edit the recently created (almost empty) config file:

sudo nano /var/www/html/config/config.php

And populate with this:

'mysql.utf8mb4' => true,
'dbtype' => 'mysql',

Once saved the config file, reload the URL on web browser and continue.

Note: regarding utf8mb4, also make sure your backup strategy still works: if you use mysqldump, be sure to add the --default-character-set=utf8mb4 option.

With a little luck you will then have Nextcloud installed and running!


LOGS for debugging

Remember that if you have any problem during installation of NC or later installations of apps, you can check these 3 log files:

sudo tail -n 100 /var/log/syslog
sudo tail -n 100 /var/log/apache2/error.log
sudo tail -n 100 /var/www/html/data/nextcloud.log
@cederom
cederom commented Apr 9, 2022

awesome :-)
