Nextcloud Notes

-nextcloud

install nextcloud on AWS AMI Instance

backup-import.md

Importing Backup Data to New Server

• Follow instructions in create-server.md to create empty nextcloud server (don't install new instance though)
• Copy backup user data directory into new nextcloud instance data directory:
  • rsync --rsync-path="sudo rsync" -avxe "ssh -i /Users/djunker/.ssh/aws-key.pem" /Users/djunker/nextcloud/recent/dirbkp/ ec2-user@18.216.33.123:/var/www/html/nextcloud/;
  • Update permissions: sudo chown -R apache:ec2-user /var/www/html/nextcloud
• Create new mysql database
• mysql -u admin -p -e "CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci
• Import mysql into new nextcloud database:
  • mysql -u admin -p nextcloud < nextcloud-sql.bak
• Create user from config file and grant permissions
  • CREATE USER <user_name>@'%' IDENTIFIED BY '<password>'
  • GRANT ALL PRIVILEGES ON nextcloud.* TO '<username>'@'%';
• Update some properties in config/config.php
  • Comment out memcache.local
  • Comment out htaccess.RewriteBase
  • Add IP address to trusted_domains
• Reset account password
  • sudo -u apache php ./occ user:resetpassword djunker

backup.md

Backing Up Data

Create Backup

• Put in maintenance mode: sudo -u apache php /var/www/html/nextcloud/occ maintenance:mode --on
• Create backup and then archive:

rsync -Aavx /var/www/html/nextcloud/ /home/ec2-user/bak/nextcloud-dirbkp_`date +"%Y%m%d"`/;
tar -czvf nextcloud-dirbkp_20211130.tar.gz nextcloud-dirbkp_2021113;

• Above doesn't backup ..nextcloud/data/ dir

sudo rsync -Aavx /var/www/html/nextcloud/ /home/ec2-user/bak/nextcloud-databkp_`date +"%Y%m%d"`/;
tar -czvf nextcloud-databkp_20211130.tar.gz nextcloud-databkp_2021113;

• Create mysql backup:

sudo mysqldump --single-transaction --default-character-set=utf8mb4 -h localhost -u root -pmichelle nextcloud > bak/nextcloud-sqlbkp_`date +"%Y%m%d"`.bak

Restoring Backups:

https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html

Adding Larger HD

• On AWS Volumes section of AWS Panel
• Modify Volume
• Reboot Instance
  • Check httpd running
  • check mysql running
  • check coolwsd running (collabora)
• Needed to Update OS Level Firewall after reboot

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

backup.sh

#! /bin/bash

# Enable Exit on Error
set -e

# Definitions
AWS_KEY=/Users/djunker/.ssh/aws-key.pem
BACKUP_DIR=/Users/djunker/nextcloud
BACKUP_DATE=$(date +"%Y%m%d")


# Create Compressed Archive of last backup
tar -cvzf new.tar.gz "$BACKUP_DIR"/recent

# delete older archives
find . -name 'nextcloud-*.tar.gz' -delete

# rename new archive with date
mv new.tar.gz nextcloud-"$BACKUP_DATE".tar.gz


# Backup nextcloud directory
rsync --rsync-path="sudo rsync" -avxe "ssh -i $AWS_KEY" ec2-user@dev-junk.com:/var/www/html/nextcloud/ "$BACKUP_DIR"/recent/dirbkp/;

# Backup SQL
ssh -i $AWS_KEY ec2-user@dev-junk.com 'sudo mysqldump --single-transaction --default-character-set=utf8mb4 -h localhost -u root -pmichelle nextcloud > nextcloud-sql.bak'

## Copy SQL to local
rsync --rsync-path="sudo rsync" -avxe "ssh -i $AWS_KEY" ec2-user@dev-junk.com:/home/ec2-user/nextcloud-sql.bak "$BACKUP_DIR"/recent/sql.bak;

## TODO
### - save on server somewhere to be read in nextcloud
### - script to send notification in nextcloud? https://github.com/nextcloud/notifications/blob/master/docs/notification-workflow.md
##### curl -H "OCS-APIREQUEST: true" -X POST https://<user>:<app_password>@dev-junk.com/cloud/ocs/v2.php/apps/notifications/api/v2/admin_notifications/djunker   -d "shortMessage=test" -d "longMessage=testing test"
### - email? https://vitux.com/how-to-use-gmail-from-the-ubuntu-terminal-to-send-emails/

bookmarks-app.md

Enabling Bookmarks app

• Error when enabling: The library intl is not available, remained disabled
• Installed php-intl module for php7.4
  • sudo yum install php74-php-intl.x86_64
  • added to php.ini file: extension=/opt/remi/php74/root/usr/lib64/php/modules/intl.so
• Restarted apache (sudo service httpd restart)

cache.md

Adding Caching Settings for Performance

Add PHP OpCache

• Install opcache sudo yum install php74-php-opcache
• Update php.ini zend_extension=/opt/remi/php74/root/usr/lib64/php/modules/opcache.so

Add APCu

• Install apcu sudo yum install php74-php-apcu
• Update php.ini

extension=/opt/remi/php74/root/usr/lib64/php/modules/apcu.so
[apcu]
apc.enabled=1
apc.enable_cli=1

collabora.md

Setting up Collabora CODE

• Installed Collabora CODE App via Nextcloud App Store UI
• Failed to connect to Collabora Instance though
• Enabled debug_logs inside of apps/richdocumentscode/proxy.php
• Saw error in /etc/httpd/ssl_error_log Loolwsd server is not running

From: https://community.nethserver.org/t/how-to-install-collabora-online-development-edition-code/10319

• Attempted to install loolwsd on my own.. but this required a lot more space than is available on server

cd ~; wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/repodata/repomd.xml.key && sudo rpm --import repomd.xml.key
sudo yum-config-manager --add-repo https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7
sudo yum install loolwsd CODE-brand

• cleaned up hard disk space
• need to create /bin/jails/ dir and chown root:cool /bin/jails and chmod g+w /bin/jails
• run as cool user: sudo -u cool loolwsd

Still not working though....

• Seem to now be able to run sudo service start coolwsd
• Probably needed to configure /etc/coolwsd/coolwsd.xml

 <ssl desc="SSL settings">
        <!-- switches from https:// + wss:// to http:// + ws:// -->
<enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
        <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
        <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
        <cert_file_path desc="Path to the cert file" relative="false">/etc/letsencrypt/live/docs.dev-junk.com/cert.pem</cert_file_path>
        <key_file_path desc="Path to the key file" relative="false">/etc/letsencrypt/live/docs.dev-junk.com/privkey.pem</key_file_path>
        <ca_file_path desc="Path to the ca file" relative="false">/etc/letsencrypt/live/docs.dev-junk.com/fullchain.pem</ca_file_path
        ..more settings..
 </ssl>

• Add Virtual Host and new subdomain to dev-junk.com
  • docs.dev-junk.com
  • add to ssl.conf (SSL termination: https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-settings-in-apache2-config-ssl-termination)

<VirtualHost *:443>
 ServerName docs.dev-junk.com

 SSLStrictSNIVHostCheck off

 AllowEncodedSlashes NoDecode
 ProxyPreserveHost On

 ErrorLog logs/proxy_error_log
 TransferLog logs/proxy_access_log

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser http://127.0.0.1:9980/browser retry=0
 ProxyPassReverse    /browser http://127.0.0.1:9980/browser
 # WOPI discovery URL
 ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery


 # Capabilities
 ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities


 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon


 # Admin Console websocket
 ProxyPass           /cool/adminws ws://127.0.0.1:9980/cool/adminws


 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool http://127.0.0.1:9980/cool
 ProxyPassReverse    /cool http://127.0.0.1:9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool http://127.0.0.1:9980/cool
 ProxyPassReverse    /lool http://127.0.0.1:9980/cool

SSLCertificateFile /etc/letsencrypt/live/docs.dev-junk.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/docs.dev-junk.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

• On httpd restart
  • can access https://docs.dev-junk.com/browser/dist/admin/adminLog.html
  • errors on attempting to access https://docs.dev-junk.com/browser/dist/cool.html?file_path=file:///var/www/html/nextcloud/data/djunker/files/test2.odt&host=ws://docs.dev-junk.com/
  • Also able to update settings in collabora nextcloud app
    • https://dev-junk.com/cloud/settings/admin/richdocuments
    • Use your own server set port to https://docs.dev-junk.com
  • tried accessing files from nextcloud, but error still
    • Saw in Admin Log: No acceptable WOPI hosts found matching the target host [dev-junk.com] in config.
    • added dev-junk.com to /etc/coolwsd/coolwsd.xml WOPI Hosts
    • restarted coolwsd sudo service coolwsd restart
    • IT WORKS!!
  • Failed a couple of weeks later, saw error message in /var/log/coolwsd.log:

[ websrv_poll ] WRN  convert-to: Requesting address is denied: 3.16.248.66| wsd/COOLWSD.cpp:2631

 - Added WOPI host in `/etc/coolwsd/coolwsd.xml` WOPI Hosts

<host desc="Regex pattern of hostname to allow or deny." allow="true">3.16.248.66</host>

create-server.md

Creating a Server from Scratch

• Start up AWS Amazon Linux Box (Amazon Linux 2023, 100GB, td.micro)
• ssh to box: ssh -i <PATH_TO_KEY> ec2-user@<IP_ADDRESS>
• sudo yum install httpd
  • Started httpd with sudo service httpd start
• sudo yum install php8.1
• Download archive from Nextcloud wget https://download.nextcloud.com/server/releases/latest.tar.bz2
  • Extract tar file
  • Move to /var/www/html
  • Update ownership to nextcloud and nextcloud with sudo chown -R apache /var/www/html/nextcloud
• Says missing gd and zip PHP extensions
  • Installed gd with sudo yum install php8.1-gd
  • No zip extension available with yum though...
    • followed instructions from amazonlinux/amazon-linux-2023#320
    • sudo yum install php8.1-devel php-pear libzip libzip-devel
    • sudo pecl install zip
    • echo "extension=zip.so" | sudo tee /etc/php.d/20-zip.ini
    • Also needed:
      • sudo service php-fpm restart
      • sudo chmod a+x /usr/lib64/php/modules/zip.so (unsure if this was necessary)
  • Also looks like php mysql extension is not installed
    • sudo yum install php8.1-mysqlnd
• Installed mariadb 10.5 sudo yum install mariadb105-server
  • Started with sudo service mariadb start
  • Login to database with sudo mysql -uroot -p
  • Create Admin User in DB
    • CREATE USER 'admin'@'%' IDENTIFIED BY '<PASSWORD>';
    • GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
  • Create Nextcloud DB:
    • CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
• Opened browser to webpage http://<IP_ADDRESS>/nextcloud
  • Entered nextcloud admin username/password
  • Selected MariaDB
  • Left Data Directory as default
  • Entered SQL admin username password
  • Entered DB name nextcloud
  • Entered host/port: localhost:3306

enable-talk-app.md

Talk app

• Was throwing error when attempting to enable in Web UI: Syntax error or access violation: 1071 Specified key was too long; max key length is 767 bytes
• Followed instructions here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/mysql_4byte_support.html
• Add to /etc/my.conf:

  [mysqld]
  innodb_large_prefix=true
  innodb_file_format=barracuda
  innodb_file_per_table=1
  

• Update DB Settings: ALTER DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
• Set nextcloud config value: sudo -u apache php occ config:system:set mysql.utf8mb4 --type boolean --value="true"
• Run occ repair: sudo -u apache php occ maintenance:repair

fix-setup-checks.md

Setup checks were failing due to missing /.well-known/nodeinfo and /.well-known/webfinger

Made some changes to the apps/settings/js/admin.js file:

var setupChecks = function () {
    var checks = [
    // run setup checks then gather error messages
            OC.SetupChecks.checkWebDAV(),
            OC.SetupChecks.checkWellKnownUrl('PROPFIND', '/.well-known/caldav', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
            OC.SetupChecks.checkWellKnownUrl('PROPFIND', '/.well-known/carddav', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
            OC.SetupChecks.checkProviderUrl(OC.getRootPath() + '/ocm-provider/', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
            OC.SetupChecks.checkProviderUrl(OC.getRootPath() + '/ocs-provider/', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
            OC.SetupChecks.checkSetup(),
            OC.SetupChecks.checkGeneric(),
            OC.SetupChecks.checkWOFF2Loading(OC.filePath('core', '', 'fonts/NotoSans-Regular-latin.woff2'), OC.theme.docPlaceholderUrl),
            OC.SetupChecks.checkDataProtected()
    ];

    $.getJSON(OC.linkToOCS('core/navigation', 2) + 'apps?format=json').done(function(response){
            var apps = response.ocs.data;
            for (var i = 0; i < apps.length; i++) {
                    if(apps[i].id === 'social') {
                            checks.push(OC.SetupChecks.checkWellKnownUrl('GET', '/.well-known/webfinger', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true, [200, 404], true));
                            checks.push(OC.SetupChecks.checkWellKnownUrl('GET', '/.well-known/nodeinfo', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true, [200, 404], true));
                    }
            }

            $.when(...checks
            )

mail.md

Adding mail app on Nextcloud

• Enable Nextcloud Mail app
• Manual configuration of settings from https://support.google.com/mail/answer/7126229?#zippy=%2Cstep-change-smtp-other-settings-in-your-email-client
• Enable less secure apps on google account: https://myaccount.google.com/lesssecureapps
• Navigate to https://accounts.google.com/b/1/DisplayUnlockCaptcha in browser to enable authentication from external app
• Submit in mail app to create account

Set up SMTP for Nextcloud Emails (reset passwords)

Settings at https://dev-junk.com/cloud/settings/admin

• use settings from https://support.google.com/mail/answer/7126229?#zippy=%2Cstep-change-smtp-other-settings-in-your-email-client
• Encryption STARTTLS
• Authentication: Login
• smtp.gmail.com:587

nextcloud-aws.md

Setting Up Nextcloud on AWS

• Download archive from Nextcloud Server
  • wget ...tar.bz2
  • extract tar file
• move extracted to /var/www/html/
  • Update ownership to apache with chown
• Add to http config

Alias "/cloud/" "/var/www/html/nextcloud/"


<Directory /var/www/html/nextcloud/>
 Require all granted
 AllowOverride All
 Options FollowSymLinks MultiViews

 <IfModule mod_dav.c>
   Dav off
 </IfModule>
</Directory>

• Missing Zip PHP Module
  • tried to install php zip module sudo yum install php74-php-zip
  • Error due to missing dependencies Error: Package: libzip5-1.8.0-2.el7.remi.x86_64 (remi-safe) Requires: libzstd(x86-64) >= 1.3.6 Available: libzstd-1.3.3-1.amzn2.x86_64 (amzn2-core)
    • fixed with sudo yum remove libzip.x86_64; sudo yum install php74-php-zip --disablerepo=amzn2-core
    • Installed in /opt/remi/php74/root/usr/lib64/php/modules/
  • Added extension to /etc/php.ini: extension=/opt/remi/php74/root/usr/lib64/php/modules/zip.so
• Also needed to add Posix Module
• sudo yum install php72-php-process
• add to /etc/php.ini: extension=/opt/remi/php74/root/usr/lib64/php/modules/posix.so

Setting up App

• Create Admin Account
• Set Mysql/MariaDB settings in Wizard
• Create Mysql DB: CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

Cron Jobs

• sudo crontab -u apache -e
• Added */5 * * * * php -f /var/www/html/nextcloud/cron.php

nextcloud-local.md

Install Nextcloud on Macbook Pro

PHP 8

• Install PHP 8 apache module (installs php 8):
  • sudo port install php81-apache2handler
• Enable PHP Module
  • cd /opt/local/lib/apache2/modules
  • sudo /opt/local/bin/apxs -a -e -n php mod_php81.so
  • Edit /opt/local/etc/apache2/httpd.conf
    • Add Line: Include etc/apache2/extra/mod_php81.conf
    • Enable Modules:
      • LoadModule session_module lib/apache2/modules/mod_session.so
      • LoadModule session_cookie_module lib/apache2/modules/mod_session_cookie.so
• Enable Apache2 (Startup Item and Server): sudo port load apache2
  • Test with test.php: <?php phpinfo() ?> at /opt/local/www/apache2/html/test.php
  • Open http://localhost/test.php
• Install mariadb-server: sudo port install mariadb-10.11-server
  • sudo port load mariadb-10.11-server
  • sudo -u _mysql /opt/local/lib/mariadb/bin/mysql_install_db
• Create nextcloud_admin user:
  • sudo /opt/local/lib/mariadb-10.11/bin/mysql -uroot
  • CREATE USER 'nextcloud_admin'@'localhost' IDENTIFIED BY '<PASSWORD>';
  • GRANT ALL PRIVILEGES ON *.* TO 'nextcloud_admin'@'%' WITH GRANT OPTION;
• Download nextcloud and extracted to unzip ~/Downloads/latest.zip /opt/local/www/apache2/html/nextcloud
• Set permissions for nextcloud/ dir
  • sudo chown -R devlinjunker:_www nextcloud
  • sudo chmod -R g+w nextcloud/config
  • sudo chmod -R g+w nextcloud/apps
• Create missing directory
  • sudo mkdir nextcloud/data
  • sudo chown devlinjunker:_www nextcloud/data
  • sudo chmod o-rx nextcloud/data
  • Important for running setup: sudo chmod g+w nextcloud/data
• Add missing php8 extensions
  • sudo port install php81-zip php81-mbstring php81-curl php81-openssl php81-gd php81-mysql
  • Create php.ini: sudo cp /opt/local/etc/php81/php.ini-development /opt/local/etc/php81/php.ini
  • Add Line: `extension_dir = "/opt/local/lib/php81/extensions/no-debug-non-zts-20210902/"
• Reload apache: sudo port reload apache2
• Create Nextcloud DB:
  • sudo /opt/local/lib/mariadb-10.11/bin/mysql -uroot
  • CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
• Enable Network Connections for MariaDB:
  • Open /opt/local/etc/mariadb-10.11/my.cnf
  • Add:

[mysqld] 
skip-networking=0

• Run Nextcloud Web UI Installer: http://localhost/nextcloud

For Nextcloud News Development

• Clone news repo
  • cd nextcloud/apps
  • sudo git clone git@github.com:devlinjunker/news.git
  • sudo chown -R devlinjunker:_www news
• Install iconv php extension:
  • sudo port install php81-iconv
  • restart apache: sudo port load apache2
• Checkout and build:
  • cd news
  • git checkout <branch>
  • npm install -D
  • npm run build
• Enable App in Nextcloud > Admin > Apps
• Open http://localhost/nextcloud/index.php/apps/news/

PHP 7

• Configure httpd (apache2) on Macbook
  • edit /etc/apache2/httpd.conf
    • enable php (uncomment LoadModule php7_module libexec/apache2/libphp7.so)
    • Set ServerName: ServerName localhost:80
    • Enable session: LoadModule session_module libexec/apache2/mod_session.so
    • and session cookie: LoadModule session_cookie_module libexec/apache2/mod_session_cookie.so
• Start httpd (apache2) with sudo httpd -k start
• Install mariadb with Macports: sudo port install mariadb (was this necessary?)
  • config file at: /opt/local/etc/mariadb/my.cnf
• Install mariadb-server with MacPorts: sudo port install mariadb-server
• Started daemon with sudo port load mariadb-server
• Run initial setup: sudo -u _mysql /opt/local/lib/mariadb/bin/mysql_install_db
• Downloaded phpMyAdmin and extracted to /Library/WebServer/Documents/phpmyadmin
• Copied phpmyadmin/config.sample.inc.php to phpmyadmin/config.inc.php
  • Added line cfg['Servers'][$i]['socket'] = '/opt/local/var/run/mariadb/mysqld.sock'; (location based on output of starting mariadb daemon)
• Downlaoded nextcloud and extracted to /Library/WebServer/Documents/nextcloud
• Copy
• Set permissions for nextcloud/ dir
  • sudo chown -R devlinjunker:_www nextcloud
  • sudo chmod -R g+x nextcloud
  • sudo chmod -R g+w nextcloud/config
  • sudo chmod -R g+w nextcloud/apps
• Created Missing Dirs
  • sudo mkdir nextcloud/data
  • sudo chown devlinjunker:_www nextcloud/data
• Installed php-zip
  • sudo port install php73-zip
  • Added to /etc/php.ini: extension=/opt/local/lib/php73/extensions/no-debug-non-zts-20180731/zip.so
• Ran Nextcloud Web UI Installer
  • Mysql settings: 127.0.0.1:3306 (important: 12.0.0.1 vs localhost)

pretty-url.md

Pretty URLs

For hosted endpoint (e.g. www.dev-junk.com/cloud)

• Added to end of .htaccess

<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/tasks/settings/initialRoute$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^settings/ajax/.* index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/user_status/heartbeat$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^heartbeat$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^login$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/news/feeds(/.+)? index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/news/folders(/.+)? index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/news/items(/.+)? index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^login/confirm$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^logout$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^settings/apps/enable index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/apporder/p.+ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/richdocumentscode/proxy.php apps/richdocumentscode/proxy.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/richdocuments/index index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/text/.+ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/notes/notes/.+ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/theming/ajax/.+ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME}  \.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule /cloud/. index.php [PT,E=PATH_INFO:$1,L]
  RewriteBase /cloud
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

reduce-volume.md

Reduce EBS Volume

• from: https://medium.com/@m.yunan.helmy/decrease-the-size-of-ebs-volume-in-your-ec2-instance-ea326e951bce
• tips: https://fateslayer.medium.com/i-used-this-process-with-my-amazon-linux-2-instance-and-xfs-volume-f36a312dcaff

Steps

• Create & Attach Volume in AWS
• Mount Volume on Machine: sudo mount /dev/xvdf /mnt/reduced-volume
• Copy Files from Old Volume to New: sudo rsync -axv --exclude '/mnt' / /mnt/reduced-volume/ > sync.out &
• Install Grub: sudo grub2-install --root-directory=/mnt/reduced-volume/ --force /dev/xvdf
• Copy Old Volume Block ID: sudo blkid
• Find Old Volume Label: sudo lsblk -o name,mountpoint,label,size,uuid
• Set Block ID to Match on New Volume: sudo tune2fs -U COPIED_UUID /dev/xvdf
• Set Label to Match on New Volume: sudo e2label /dev/xvdf <NEW_LABEL>
• Turn Off Instance
• Detach Volumes
• Attach New Volume as /dev/xvda
• Start Instance

Problems:

• Collabora Not Working...
  • Started coolwsd sudo service coolwsd start
  • 502 Proxy Error accessing https://docs.dev-junk.com/browser/dist/admin/adminLog.html
  • Checked Service Logs sudo journalctl -f -n100 -u coolwsd

Dec 14 16:51:31 dev-junk.com systemd[1]: coolwsd.service: main process exited, code=exited, status=70/n/a
Dec 14 16:51:31 dev-junk.com systemd[1]: Unit coolwsd.service entered failed state.
Dec 14 16:51:31 dev-junk.com systemd[1]: coolwsd.service failed.

• Checked coolwsd logs in /var/log/coolwsd.log

frk-09137-09137 2022-12-14 17:00:00.845361 +0000 [ coolforkit ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845375 +0000 [ coolforkit ] ERR  Capability cap_mknod is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845393 +0000 [ coolforkit ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845403 +0000 [ coolforkit ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845711 +0000 [ coolforkit ] FTL  Capabilities are not set for the coolforkit program.| kit/ForKit.cpp:696
frk-09137-09137 2022-12-14 17:00:00.846010 +0000 [ coolforkit ] FTL  Please make sure that the current partition was *not* mounted with the 'nosuid' option.| kit/ForKit.cpp:697
frk-09137-09137 2022-12-14 17:00:00.846290 +0000 [ coolforkit ] FTL  If you are on SLES11, please set 'file_caps=1' as kernel boot option.| kit/ForKit.cpp:698

• Updated coolwsd config: /etc/coolwsd/coolwsd.xml

<security>
...
<capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">false</capabilities>
...

• This worked!!! TODO: Figure out how to re-enable

security.md

Improving Security on Nextcloud on AWS

Antivirus

Followed instructions from https://devopsmyway.com/install-clamav-on-amazon-linuxec2/

• Already had EPEL repo installed in package manager (sudo amazon-linux-extras install epel)
• Installed clamav and clamd (sudo yum install clamav clamd)
• Removed example lines in conf files
  • /etc/freshclam.conf
  • /etc/clamd.d/scan.conf
• Also uncommented line in /etc/clamd.d/scan.: #LocalSocket /var/run/clamd.scan/clamd.sock
• Start clamd and restart on fail: sudo systemctl start clamd@scan; sudo systemctl enable clamd@scan
• Not Needed: Modify SELinux to enable command: sudo setsebool -P antivirus_can_scan_system 1; sudo setsebool -P clamd_use_jit 1
• Add to crontab crontab -e

33 3 * * * /usr/bin/freshclam > /var/log/clamav/freshclam.log
40 3 * * * /usr/bin/clamscan -ir / -l /var/log/clamav/clamd.log –copy=/usr/local/src/virusdetectiondirectory

• Add directories to server: sudo mkdir /var/log/clamav/; sudo mkdir /usr/local/src/virusdetectiondirectory

Tried to enable socket based Antivirus connection Error: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13)

• Need to set permissions on new directories:

sudo chown clamscan:virusgroup -R /var/log/clamav;
sudo chown clamscan:virusgroup /usr/local/src/virusdetectiondirectory

Saw error: ERROR: Malformed database

• Deleted databases: sudo rm /var/lib/clamav/*.cvd
• Re-downloaded: sudo freshclam

Now see memory error on t2.small (2gb) with httpd, coolwsd and now clamscan running

LibClamAV Error: mpool_malloc(): Can't allocate memory (262144 bytes).

NOTE: Stopped for now until I decided this is necessary and bump up ec2 instance size

sudo service clamd@scan stop;
sudo systemctl disable clamd@scan

• Noticed that clamscan was still running in top the next day
• killed this by finding parent process with ps -o ppid <PID_OF_CLAMSCAN> then kill -9 <PARENT_ID>
• restarted clamd service

sudo service clamd@scan start;
sudo systemctl enable clamd@scan

This also maxed out memory and killed the server, so seems like I need more memory to do this properly

Fail2Ban

Followed instructions from https://docs.nextcloud.com/server/22/admin_manual/installation/harden_server.html#setup-fail2ban

• Installed fail2ban sudo yum install fail2ban
• Added fail2ban filter config in /etc/fail2ban/filter.d/nextcloud.conf:

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

• Add to vim /etc/fail2ban/jail.d/nextcloud.local

[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /var/www/html/nextcloud/data/nextcloud.log

• Start fail2ban service sudo service fail2ban start
• Check status of jail with fail2ban-client status nextcloud

video-previews.md

Preview images for movies/videos

from https://gist.github.com/willmasters/382fe6caba44a4345a3de95d98d3aae5

old releases of ffmpeg at: https://www.johnvansickle.com/ffmpeg/old-releases/

sudo mkdir -v -p /usr/local/bin/ffmpeg
cd /usr/local/bin/ffmpeg
sudo wget https://www.johnvansickle.com/ffmpeg/old-releases/ffmpeg-4.4-amd64-static.tar.xz
sudo tar xvf ffmpeg-4.4-amd64-static.tar.xz
sudo mv ffmpeg-4.4-amd64-static/ffmpeg .
sudo ln -s /usr/local/bin/ffmpeg/ffmpeg /usr/bin/ffmpeg

TODO: Convert any uploaded .mov files to .mp4