- Follow instructions in `create-server.md` to create an empty nextcloud server (don't install a new instance though)
- Copy backup user data directory into new nextcloud instance data directory:
```sh
rsync --rsync-path="sudo rsync" -avxe "ssh -i /Users/djunker/.ssh/aws-key.pem" /Users/djunker/nextcloud/recent/dirbkp/ ec2-user@18.216.33.123:/var/www/html/nextcloud/
```
- Update permissions:
```sh
sudo chown -R apache:ec2-user /var/www/html/nextcloud
```
- Create new mysql database:
```sh
mysql -u admin -p -e "CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"
```
- Import mysql backup into new nextcloud database:
```sh
mysql -u admin -p nextcloud < nextcloud-sql.bak
```
- Create user from config file and grant permissions:
```sql
CREATE USER '<user_name>'@'%' IDENTIFIED BY '<password>';
GRANT ALL PRIVILEGES ON nextcloud.* TO '<user_name>'@'%';
```
- Update some properties in `config/config.php`:
  - Comment out `memcache.local`
  - Comment out `htaccess.RewriteBase`
  - Add IP address to `trusted_domains`
- Reset account password:
```sh
sudo -u apache php ./occ user:resetpassword djunker
```
install nextcloud on AWS AMI Instance
- Put in maintenance mode:
```sh
sudo -u apache php /var/www/html/nextcloud/occ maintenance:mode --on
```
- Create backup and then archive:
```sh
rsync -Aavx /var/www/html/nextcloud/ /home/ec2-user/bak/nextcloud-dirbkp_`date +"%Y%m%d"`/
tar -czvf nextcloud-dirbkp_20211130.tar.gz nextcloud-dirbkp_20211130
```
- Above doesn't back up the `nextcloud/data/` dir; run with sudo:
```sh
sudo rsync -Aavx /var/www/html/nextcloud/ /home/ec2-user/bak/nextcloud-databkp_`date +"%Y%m%d"`/
tar -czvf nextcloud-databkp_20211130.tar.gz nextcloud-databkp_20211130
```
- Create mysql backup:
```sh
sudo mysqldump --single-transaction --default-character-set=utf8mb4 -h localhost -u root -pmichelle nextcloud > bak/nextcloud-sqlbkp_`date +"%Y%m%d"`.bak
```
- Restore docs: https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html
- On AWS: in the Volumes section of the AWS panel, Modify Volume
- Reboot instance
- Check httpd running
- Check mysql running
- Check coolwsd running (collabora)
- Needed to update OS level firewall after reboot:
```sh
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
```
```sh
#!/bin/bash
# Enable Exit on Error
set -e

# Definitions
AWS_KEY=/Users/djunker/.ssh/aws-key.pem
BACKUP_DIR=/Users/djunker/nextcloud
BACKUP_DATE=$(date +"%Y%m%d")

# Create Compressed Archive of last backup
tar -cvzf new.tar.gz "$BACKUP_DIR"/recent

# delete older archives
find . -name 'nextcloud-*.tar.gz' -delete

# rename new archive with date
mv new.tar.gz nextcloud-"$BACKUP_DATE".tar.gz

# Backup nextcloud directory
rsync --rsync-path="sudo rsync" -avxe "ssh -i $AWS_KEY" ec2-user@dev-junk.com:/var/www/html/nextcloud/ "$BACKUP_DIR"/recent/dirbkp/

# Backup SQL
ssh -i "$AWS_KEY" ec2-user@dev-junk.com 'sudo mysqldump --single-transaction --default-character-set=utf8mb4 -h localhost -u root -pmichelle nextcloud > nextcloud-sql.bak'

## Copy SQL to local
rsync --rsync-path="sudo rsync" -avxe "ssh -i $AWS_KEY" ec2-user@dev-junk.com:/home/ec2-user/nextcloud-sql.bak "$BACKUP_DIR"/recent/sql.bak

## TODO
### - save on server somewhere to be read in nextcloud
### - script to send notification in nextcloud? https://github.com/nextcloud/notifications/blob/master/docs/notification-workflow.md
##### curl -H "OCS-APIREQUEST: true" -X POST https://<user>:<app_password>@dev-junk.com/cloud/ocs/v2.php/apps/notifications/api/v2/admin_notifications/djunker -d "shortMessage=test" -d "longMessage=testing test"
### - email? https://vitux.com/how-to-use-gmail-from-the-ubuntu-terminal-to-send-emails/
```
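The backup notes and the script above both pass the MySQL root password to mysqldump on the command line and never check the archive they just wrote. What follows is an added example of my own, not code from the gist: it writes the credentials to a mode-0600 defaults file that mysqldump reads with `--defaults-extra-file` (so the password is not visible in `ps` output or shell history), and builds the dated archive with a list-back check before older archives are rotated out. The file names, the `nextcloud-DATE.tar.gz` naming and the KEEP count are assumptions; `mysqldump_cmd` only prints the command so it can be checked without a database.

```shell
#!/bin/bash
# Added example, not part of the gist: a testable version of the backup
# steps (dated archive, rotation, mysqldump credentials). Paths, the KEEP
# count and the nextcloud-DATE.tar.gz naming are assumptions.

# write_mysql_defaults FILE USER PASSWORD
# Creates FILE, readable only by the owner, in the [client] format that
# mysqldump --defaults-extra-file=FILE reads.
write_mysql_defaults() {
    local file=$1 user=$2 pass=$3
    # subshell so the umask change does not leak into the caller
    ( umask 077 && printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"   # also tighten a pre-existing file
}

# mysqldump_cmd DEFAULTS_FILE DB
# Prints the dump command the notes use, minus the inline password.
# --defaults-extra-file must be the first option or mysqldump rejects it.
mysqldump_cmd() {
    printf 'mysqldump --defaults-extra-file=%s --single-transaction --default-character-set=utf8mb4 -h localhost %s\n' "$1" "$2"
}

# archive_and_rotate SRC_DIR OUT_DIR DATE [KEEP]
# Archives SRC_DIR to OUT_DIR/nextcloud-DATE.tar.gz, fails (and removes the
# file) if the archive cannot be listed back, then deletes all but the newest
# KEEP archives (default 3). Prints the archive path on success.
archive_and_rotate() {
    local src=$1 out=$2 date=$3 keep=${4:-3}
    local archive="$out/nextcloud-$date.tar.gz" count
    mkdir -p "$out"
    # -C so the archive holds a relative path, not the absolute source path
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # integrity check: a truncated or corrupt gzip/tar fails to list
    tar -tzf "$archive" > /dev/null || { rm -f "$archive"; return 1; }
    # rotation: the YYYYMMDD date in the name sorts lexically, newest last
    count=$(ls "$out"/nextcloud-*.tar.gz | wc -l | tr -d ' ')
    if [ "$count" -gt "$keep" ]; then
        ls "$out"/nextcloud-*.tar.gz | sort | head -n "$((count - keep))" |
            while read -r old; do rm -f "$old"; done
    fi
    echo "$archive"
}
```

Usage on the server would be `write_mysql_defaults ~/.nextcloud-backup.cnf root '<PASSWORD>'` once, then `$(mysqldump_cmd ~/.nextcloud-backup.cnf nextcloud) > bak/nextcloud-sqlbkp_$(date +%Y%m%d).bak` and `archive_and_rotate /home/ec2-user/bak/nextcloud-dirbkp_$(date +%Y%m%d) /home/ec2-user/bak "$(date +%Y%m%d)"` in place of the tar/find/mv sequence; the functions print nothing but the archive path, so they drop into a `set -e` script unchanged.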
- Error when enabling: `The library intl is not available`, remained disabled
- Installed php-intl module for php7.4:
```sh
sudo yum install php74-php-intl.x86_64
```
- Added to `php.ini` file:
```ini
extension=/opt/remi/php74/root/usr/lib64/php/modules/intl.so
```
- Restarted apache (`sudo service httpd restart`)
- Install opcache:
```sh
sudo yum install php74-php-opcache
```
- Update php.ini:
```ini
zend_extension=/opt/remi/php74/root/usr/lib64/php/modules/opcache.so
```
- Install apcu:
```sh
sudo yum install php74-php-apcu
```
- Update php.ini:
```ini
extension=/opt/remi/php74/root/usr/lib64/php/modules/apcu.so
[apcu]
apc.enabled=1
apc.enable_cli=1
```
- Installed Collabora CODE app via Nextcloud App Store UI
- Failed to connect to Collabora instance though
- Enabled debug_logs inside of `apps/richdocumentscode/proxy.php`
- Saw error in /etc/httpd/ssl_error_log: `Loolwsd server is not running`
- From: https://community.nethserver.org/t/how-to-install-collabora-online-development-edition-code/10319
- Attempted to install loolwsd on my own... but this required a lot more space than is available on server:
```sh
cd ~; wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/repodata/repomd.xml.key && sudo rpm --import repomd.xml.key
sudo yum-config-manager --add-repo https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7
sudo yum install loolwsd CODE-brand
```
- Cleaned up hard disk space
- Need to create `/bin/jails/` dir and `chown root:cool /bin/jails` and `chmod g+w /bin/jails`
- Run as `cool` user: `sudo -u cool loolwsd`
- Still not working though....
- Seem to now be able to run `sudo service coolwsd start`
- Probably needed to configure `/etc/coolwsd/coolwsd.xml`:
```xml
<ssl desc="SSL settings">
    <!-- switches from https:// + wss:// to http:// + ws:// -->
    <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
    <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
    <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
    <cert_file_path desc="Path to the cert file" relative="false">/etc/letsencrypt/live/docs.dev-junk.com/cert.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/letsencrypt/live/docs.dev-junk.com/privkey.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/letsencrypt/live/docs.dev-junk.com/fullchain.pem</ca_file_path>
    <!-- ..more settings.. -->
</ssl>
```
- Add Virtual Host and new subdomain to dev-junk.com: `docs.dev-junk.com`
- Add to ssl.conf (SSL termination: https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-settings-in-apache2-config-ssl-termination):
```apache
<VirtualHost *:443>
    ServerName docs.dev-junk.com
    SSLStrictSNIVHostCheck off
    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ErrorLog logs/proxy_error_log
    TransferLog logs/proxy_access_log

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of Collabora Online
    ProxyPass /browser http://127.0.0.1:9980/browser retry=0
    ProxyPassReverse /browser http://127.0.0.1:9980/browser

    # WOPI discovery URL
    ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery

    # Capabilities
    ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

    # Main websocket
    ProxyPassMatch "/cool/(.*)/ws$" ws://127.0.0.1:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass /cool/adminws ws://127.0.0.1:9980/cool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /cool http://127.0.0.1:9980/cool
    ProxyPassReverse /cool http://127.0.0.1:9980/cool

    # Compatibility with integrations that use the /lool/convert-to endpoint
    ProxyPass /lool http://127.0.0.1:9980/cool
    ProxyPassReverse /lool http://127.0.0.1:9980/cool

    SSLCertificateFile /etc/letsencrypt/live/docs.dev-junk.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/docs.dev-junk.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```
- On httpd restart:
  - Can access https://docs.dev-junk.com/browser/dist/admin/adminLog.html
  - Errors on attempting to access https://docs.dev-junk.com/browser/dist/cool.html?file_path=file:///var/www/html/nextcloud/data/djunker/files/test2.odt&host=ws://docs.dev-junk.com/
- Also able to update settings in collabora nextcloud app at https://dev-junk.com/cloud/settings/admin/richdocuments: "Use your own server", set it to `https://docs.dev-junk.com`
- Tried accessing files from nextcloud, but error still
- Saw in Admin Log: `No acceptable WOPI hosts found matching the target host [dev-junk.com] in config.`
- Added dev-junk.com to `/etc/coolwsd/coolwsd.xml` WOPI Hosts, restarted coolwsd:
```sh
sudo service coolwsd restart
```
- IT WORKS!!
- Failed a couple of weeks later, saw error message in `/var/log/coolwsd.log`:
```
[ websrv_poll ] WRN convert-to: Requesting address is denied: 3.16.248.66| wsd/COOLWSD.cpp:2631
```
- Added WOPI host in `/etc/coolwsd/coolwsd.xml` WOPI Hosts:
```xml
<host desc="Regex pattern of hostname to allow or deny." allow="true">3.16.248.66</host>
```
- Start up AWS Amazon Linux box (Amazon Linux 2023, 100GB, td.micro)
- ssh to box:
```sh
ssh -i <PATH_TO_KEY> ec2-user@<IP_ADDRESS>
```
- Install httpd:
```sh
sudo yum install httpd
```
- Started httpd with
```sh
sudo service httpd start
```
- Install php 8.1:
```sh
sudo yum install php8.1
```
- Download archive from Nextcloud:
```sh
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
```
- Extract tar file
- Move to `/var/www/html`
- Update ownership of the `nextcloud` dir with `sudo chown -R apache /var/www/html/nextcloud`
- Says missing `gd` and `zip` PHP extensions
- Installed gd with
```sh
sudo yum install php8.1-gd
```
- No zip extension available with yum though...
- Followed instructions from amazonlinux/amazon-linux-2023#320:
```sh
sudo yum install php8.1-devel php-pear libzip libzip-devel
sudo pecl install zip
echo "extension=zip.so" | sudo tee /etc/php.d/20-zip.ini
```
- Also needed:
```sh
sudo service php-fpm restart
sudo chmod a+x /usr/lib64/php/modules/zip.so
```
  (unsure if the chmod was necessary)
- Also looks like php mysql extension is not installed:
```sh
sudo yum install php8.1-mysqlnd
```
- Installed mariadb 10.5:
```sh
sudo yum install mariadb105-server
```
- Started with
```sh
sudo service mariadb start
```
- Login to database with
```sh
sudo mysql -uroot -p
```
- Create admin user in DB:
```sql
CREATE USER 'admin'@'%' IDENTIFIED BY '<PASSWORD>';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
```
- Create Nextcloud DB:
```sql
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
```
- Opened browser to webpage http://<IP_ADDRESS>/nextcloud
- Entered nextcloud admin username/password
- Selected MariaDB
- Left Data Directory as default
- Entered SQL admin username/password
- Entered DB name `nextcloud`
- Entered host/port: `localhost:3306`
https://nextcloud.com/blog/how-to-install-the-nextcloud-all-in-one-on-linux/
- Started new EC2 instance
- Installed Docker:
```sh
sudo yum install docker
```
- Started Docker:
```sh
sudo systemctl start docker
```
- Created directory on host to store data:
```sh
mkdir /home/ec2-user/nextcloud/
```
- Start Docker container:
```sh
sudo docker run --init --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always --publish 80:80 --publish 8080:8080 --publish 8443:8443 --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config --volume /var/run/docker.sock:/var/run/docker.sock:ro --env NEXTCLOUD_DATADIR="/home/ec2-user/nextcloud" nextcloud/all-in-one:latest
```
- Made sure AWS Security Group allowed port 8080 inbound
- Open https://<IP_ADDRESS>:8080/
- MAKE SURE TO COPY PASSWORD, or you can retrieve it with
```sh
sudo docker exec nextcloud-aio-mastercontainer grep password /mnt/docker-aio-config/data/configuration.json
```
- Set up subdomain to point at IP address
- Run setup on server with browser
https://actualbudget.org/docs/install/docker/
- Make directory: `mkdir ~/actual`
- Start Docker container:
```sh
sudo docker run --pull=always --restart=unless-stopped -d -p 5006:5006 -v ~/actual:/data --name my_actual_budget actualbudget/actual-server:latest
```
- Add Actual Budget container to nextcloud-aio network:
```sh
sudo docker network connect nextcloud-aio my_actual_budget
```
- Create caddyfile import directive for path on nextcloud host (cloud.dev-junk.com/budget):
```sh
sudo vim /var/lib/docker/volumes/nextcloud_aio_apache/_data/caddy-imports/actual
```
- Add lines (NOTE: this only allows cloud.dev-junk.com/budget to work... would be better with budget.dev-junk.com but needs better caddy file config):
```
route /budget* {
    reverse_proxy my_actual_budget:5006
}
route /static/js/* {
    reverse_proxy my_actual_budget:5006
}
route /static/css/* {
    reverse_proxy my_actual_budget:5006
}
@actual header_regexp Referer (/budget/|static/js/)
handle @actual {
    reverse_proxy my_actual_budget:5006
}
```
- Login to docker to restart caddy:
```sh
sudo docker exec -u 0 -it nextcloud-aio-apache /bin/bash
```
- Restart caddy:
```sh
cd /tmp; caddy reload
```
https://github.com/zadam/trilium/wiki/Docker-server-installation
- Make directory:
```sh
mkdir ~/trilium
```
- Start docker container (`--name` goes before the image, otherwise it is passed to the container as an argument):
```sh
sudo docker run -d -p 0.0.0.0:8888:8080 -v ~/trilium:/home/node/trilium-data --name trilium zadam/trilium:0.62.6
```
- Add Trilium container to nextcloud-aio network:
```sh
sudo docker network connect nextcloud-aio trilium
```
- Create caddyfile:
```sh
sudo vim /var/lib/docker/volumes/nextcloud_aio_apache/_data/caddy-imports/trilium
```
- Add lines:
```
route /notes* {
    reverse_proxy trilium:8080
}
```
- Login to docker to restart caddy:
```sh
sudo docker exec -u 0 -it nextcloud-aio-apache /bin/bash
```
- Restart caddy:
```sh
cd /tmp; caddy reload
```
- [ ] TODO....
- [ ] Need to install caddy on host and use reverse proxy to all of the containers?
  - What about certificates though?
- Was throwing error when attempting to enable in Web UI: `Syntax error or access violation: 1071 Specified key was too long; max key length is 767 bytes`
- Followed instructions here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/mysql_4byte_support.html
- Add to `/etc/my.conf`:
```ini
[mysqld]
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table=1
```
- Update DB settings:
```sql
ALTER DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
```
- Set nextcloud config value:
```sh
sudo -u apache php occ config:system:set mysql.utf8mb4 --type boolean --value="true"
```
- Run occ repair:
```sh
sudo -u apache php occ maintenance:repair
```
Setup checks were failing due to missing `/.well-known/nodeinfo` and `/.well-known/webfinger`.
Made some changes to the `apps/settings/js/admin.js` file:
```javascript
var setupChecks = function () {
	var checks = [
		// run setup checks then gather error messages
		OC.SetupChecks.checkWebDAV(),
		OC.SetupChecks.checkWellKnownUrl('PROPFIND', '/.well-known/caldav', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
		OC.SetupChecks.checkWellKnownUrl('PROPFIND', '/.well-known/carddav', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
		OC.SetupChecks.checkProviderUrl(OC.getRootPath() + '/ocm-provider/', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
		OC.SetupChecks.checkProviderUrl(OC.getRootPath() + '/ocs-provider/', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
		OC.SetupChecks.checkSetup(),
		OC.SetupChecks.checkGeneric(),
		OC.SetupChecks.checkWOFF2Loading(OC.filePath('core', '', 'fonts/NotoSans-Regular-latin.woff2'), OC.theme.docPlaceholderUrl),
		OC.SetupChecks.checkDataProtected()
	];
	$.getJSON(OC.linkToOCS('core/navigation', 2) + 'apps?format=json').done(function(response){
		var apps = response.ocs.data;
		for (var i = 0; i < apps.length; i++) {
			if(apps[i].id === 'social') {
				checks.push(OC.SetupChecks.checkWellKnownUrl('GET', '/.well-known/webfinger', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true, [200, 404], true));
				checks.push(OC.SetupChecks.checkWellKnownUrl('GET', '/.well-known/nodeinfo', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true, [200, 404], true));
			}
		}
		$.when(...checks)
```
- Enable Nextcloud Mail app
- Manual configuration of settings from https://support.google.com/mail/answer/7126229?#zippy=%2Cstep-change-smtp-other-settings-in-your-email-client
- Enable less secure apps on google account: https://myaccount.google.com/lesssecureapps
- Navigate to https://accounts.google.com/b/1/DisplayUnlockCaptcha in browser to enable authentication from external app
- Submit in mail app to create account

Settings at https://dev-junk.com/cloud/settings/admin
- Use settings from https://support.google.com/mail/answer/7126229?#zippy=%2Cstep-change-smtp-other-settings-in-your-email-client
  - Encryption: STARTTLS
  - Authentication: Login
  - smtp.gmail.com:587
- Download archive from Nextcloud Server:
```sh
wget ...tar.bz2
```
- Extract tar file
- Move extracted to `/var/www/html/`
- Update ownership to `apache` with `chown`
- Add to http config:
```apache
Alias "/cloud/" "/var/www/html/nextcloud/"
<Directory /var/www/html/nextcloud/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
</Directory>
```
- Missing Zip PHP module
- Tried to install php zip module:
```sh
sudo yum install php74-php-zip
```
- Error due to missing dependencies:
```
Error: Package: libzip5-1.8.0-2.el7.remi.x86_64 (remi-safe) Requires: libzstd(x86-64) >= 1.3.6 Available: libzstd-1.3.3-1.amzn2.x86_64 (amzn2-core)
```
- Fixed with
```sh
sudo yum remove libzip.x86_64; sudo yum install php74-php-zip --disablerepo=amzn2-core
```
- Installed in /opt/remi/php74/root/usr/lib64/php/modules/
- Added extension to `/etc/php.ini`:
```ini
extension=/opt/remi/php74/root/usr/lib64/php/modules/zip.so
```
- Also needed to add Posix module:
```sh
sudo yum install php72-php-process
```
- Add to `/etc/php.ini`:
```ini
extension=/opt/remi/php74/root/usr/lib64/php/modules/posix.so
```
- Create Admin Account
- Set Mysql/MariaDB settings in wizard
- Create Mysql DB:
```sql
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
```
- `sudo crontab -u apache -e`
- Added:
```
*/5 * * * * php -f /var/www/html/nextcloud/cron.php
```
- Install PHP 8 apache module (installs php 8):
```sh
sudo port install php81-apache2handler
```
- Enable PHP module:
```sh
cd /opt/local/lib/apache2/modules
sudo /opt/local/bin/apxs -a -e -n php mod_php81.so
```
- Edit `/opt/local/etc/apache2/httpd.conf`
  - Add line:
```apache
Include etc/apache2/extra/mod_php81.conf
```
  - Enable modules:
```apache
LoadModule session_module lib/apache2/modules/mod_session.so
LoadModule session_cookie_module lib/apache2/modules/mod_session_cookie.so
```
- Enable Apache2 (startup item and server):
```sh
sudo port load apache2
```
- Test with test.php at `/opt/local/www/apache2/html/test.php`:
```php
<?php phpinfo() ?>
```
- Open http://localhost/test.php
- Install mariadb-server:
```sh
sudo port install mariadb-10.11-server
sudo port load mariadb-10.11-server
sudo -u _mysql /opt/local/lib/mariadb/bin/mysql_install_db
```
- Create `nextcloud_admin` user: `sudo /opt/local/lib/mariadb-10.11/bin/mysql -uroot`
```sql
CREATE USER 'nextcloud_admin'@'localhost' IDENTIFIED BY '<PASSWORD>';
GRANT ALL PRIVILEGES ON *.* TO 'nextcloud_admin'@'%' WITH GRANT OPTION;
```
- Download nextcloud and extract to `/opt/local/www/apache2/html/nextcloud`:
```sh
unzip ~/Downloads/latest.zip -d /opt/local/www/apache2/html
```
- Set permissions for `nextcloud/` dir:
```sh
sudo chown -R devlinjunker:_www nextcloud
sudo chmod -R g+w nextcloud/config
sudo chmod -R g+w nextcloud/apps
```
- Create missing directory:
```sh
sudo mkdir nextcloud/data
sudo chown devlinjunker:_www nextcloud/data
sudo chmod o-rx nextcloud/data
```
- Important for running setup:
```sh
sudo chmod g+w nextcloud/data
```
- Add missing php8 extensions:
```sh
sudo port install php81-zip php81-mbstring php81-curl php81-openssl php81-gd php81-mysql
```
- Create `php.ini`:
```sh
sudo cp /opt/local/etc/php81/php.ini-development /opt/local/etc/php81/php.ini
```
- Add line: `extension_dir = "/opt/local/lib/php81/extensions/no-debug-non-zts-20210902/"`
- Reload apache:
```sh
sudo port reload apache2
```
- Create Nextcloud DB: `sudo /opt/local/lib/mariadb-10.11/bin/mysql -uroot`
```sql
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
```
- Enable network connections for MariaDB:
  - Open `/opt/local/etc/mariadb-10.11/my.cnf`
  - Add:
```ini
[mysqld]
skip-networking=0
```
- Run Nextcloud Web UI installer: http://localhost/nextcloud
- Clone news repo:
```sh
cd nextcloud/apps
sudo git clone git@github.com:devlinjunker/news.git
sudo chown -R devlinjunker:_www news
```
- Install iconv php extension:
```sh
sudo port install php81-iconv
```
- Restart apache:
```sh
sudo port load apache2
```
- Checkout and build:
```sh
cd news
git checkout <branch>
npm install -D
npm run build
```
- Enable app in Nextcloud > Admin > Apps
- Open http://localhost/nextcloud/index.php/apps/news/
- Configure httpd (apache2) on Macbook
- Edit `/etc/apache2/httpd.conf`:
  - Enable php (uncomment `LoadModule php7_module libexec/apache2/libphp7.so`)
  - Set ServerName: `ServerName localhost:80`
  - Enable session: `LoadModule session_module libexec/apache2/mod_session.so`
  - and session cookie: `LoadModule session_cookie_module libexec/apache2/mod_session_cookie.so`
- Start httpd (apache2) with
```sh
sudo httpd -k start
```
- Install mariadb with MacPorts (was this necessary?):
```sh
sudo port install mariadb
```
  - config file at: `/opt/local/etc/mariadb/my.cnf`
- Install mariadb-server with MacPorts:
```sh
sudo port install mariadb-server
```
- Started daemon with
```sh
sudo port load mariadb-server
```
- Run initial setup:
```sh
sudo -u _mysql /opt/local/lib/mariadb/bin/mysql_install_db
```
- Downloaded phpMyAdmin and extracted to `/Library/WebServer/Documents/phpmyadmin`
- Copied `phpmyadmin/config.sample.inc.php` to `phpmyadmin/config.inc.php`
- Added line (socket location based on output of starting mariadb daemon):
```php
$cfg['Servers'][$i]['socket'] = '/opt/local/var/run/mariadb/mysqld.sock';
```
- Downloaded nextcloud and extracted to `/Library/WebServer/Documents/nextcloud`
- Set permissions for `nextcloud/` dir:
```sh
sudo chown -R devlinjunker:_www nextcloud
sudo chmod -R g+x nextcloud
sudo chmod -R g+w nextcloud/config
sudo chmod -R g+w nextcloud/apps
```
- Created missing dirs:
```sh
sudo mkdir nextcloud/data
sudo chown devlinjunker:_www nextcloud/data
```
- Installed php-zip:
```sh
sudo port install php73-zip
```
- Added to `/etc/php.ini`:
```ini
extension=/opt/local/lib/php73/extensions/no-debug-non-zts-20180731/zip.so
```
- Ran Nextcloud Web UI installer
- Mysql settings: 127.0.0.1:3306 (important: 127.0.0.1 vs localhost)
For hosted endpoint (e.g. www.dev-junk.com/cloud)
- Added to end of `.htaccess`:
```apache
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/tasks/settings/initialRoute$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^settings/ajax/.* index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/user_status/heartbeat$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^heartbeat$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^login$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/news/feeds(/.+)? index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/news/folders(/.+)? index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/news/items(/.+)? index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^login/confirm$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^logout$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^settings/apps/enable index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/apporder/p.+ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/richdocumentscode/proxy.php apps/richdocumentscode/proxy.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/richdocuments/index index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/text/.+ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/notes/notes/.+ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^apps/theming/ajax/.+ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} \.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$
  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
  RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
  RewriteCond %{REQUEST_FILENAME} !/remote.php
  RewriteCond %{REQUEST_FILENAME} !/public.php
  RewriteCond %{REQUEST_FILENAME} !/cron.php
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
  RewriteCond %{REQUEST_FILENAME} !/status.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
  RewriteCond %{REQUEST_FILENAME} !/robots.txt
  RewriteCond %{REQUEST_FILENAME} !/updater/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule /cloud/. index.php [PT,E=PATH_INFO:$1,L]
  RewriteBase /cloud
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>
```
- From: https://medium.com/@m.yunan.helmy/decrease-the-size-of-ebs-volume-in-your-ec2-instance-ea326e951bce
- Tips: https://fateslayer.medium.com/i-used-this-process-with-my-amazon-linux-2-instance-and-xfs-volume-f36a312dcaff
- Create & attach volume in AWS
- Mount volume on machine:
```sh
sudo mount /dev/xvdf /mnt/reduced-volume
```
- Copy files from old volume to new:
```sh
sudo rsync -axv --exclude '/mnt' / /mnt/reduced-volume/ > sync.out &
```
- Install grub:
```sh
sudo grub2-install --root-directory=/mnt/reduced-volume/ --force /dev/xvdf
```
- Copy old volume block ID:
```sh
sudo blkid
```
- Find old volume label:
```sh
sudo lsblk -o name,mountpoint,label,size,uuid
```
- Set block ID to match on new volume:
```sh
sudo tune2fs -U COPIED_UUID /dev/xvdf
```
- Set label to match on new volume:
```sh
sudo e2label /dev/xvdf <NEW_LABEL>
```
- Turn off instance
- Detach volumes
- Attach new volume as `/dev/xvda`
- Start instance
- Collabora not working...
- Started coolwsd:
```sh
sudo service coolwsd start
```
- 502 Proxy Error accessing https://docs.dev-junk.com/browser/dist/admin/adminLog.html
- Checked service logs:
```sh
sudo journalctl -f -n100 -u coolwsd
```
```
Dec 14 16:51:31 dev-junk.com systemd[1]: coolwsd.service: main process exited, code=exited, status=70/n/a
Dec 14 16:51:31 dev-junk.com systemd[1]: Unit coolwsd.service entered failed state.
Dec 14 16:51:31 dev-junk.com systemd[1]: coolwsd.service failed.
```
- Checked coolwsd logs in /var/log/coolwsd.log:
```
frk-09137-09137 2022-12-14 17:00:00.845361 +0000 [ coolforkit ] ERR Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845375 +0000 [ coolforkit ] ERR Capability cap_mknod is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845393 +0000 [ coolforkit ] ERR Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845403 +0000 [ coolforkit ] ERR Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:234
frk-09137-09137 2022-12-14 17:00:00.845711 +0000 [ coolforkit ] FTL Capabilities are not set for the coolforkit program.| kit/ForKit.cpp:696
frk-09137-09137 2022-12-14 17:00:00.846010 +0000 [ coolforkit ] FTL Please make sure that the current partition was *not* mounted with the 'nosuid' option.| kit/ForKit.cpp:697
frk-09137-09137 2022-12-14 17:00:00.846290 +0000 [ coolforkit ] FTL If you are on SLES11, please set 'file_caps=1' as kernel boot option.| kit/ForKit.cpp:698
```
- Updated coolwsd config `/etc/coolwsd/coolwsd.xml`:
```xml
<security>
    ...
    <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">false</capabilities>
    ...
</security>
```
- This worked!!! TODO: Figure out how to re-enable
Followed instructions from https://devopsmyway.com/install-clamav-on-amazon-linuxec2/
- Already had EPEL repo installed in package manager (`sudo amazon-linux-extras install epel`)
- Installed clamav and clamd (`sudo yum install clamav clamd`)
- Removed example lines in conf files:
  - `/etc/freshclam.conf`
  - `/etc/clamd.d/scan.conf`
- Also uncommented line in `/etc/clamd.d/scan.conf`: `#LocalSocket /var/run/clamd.scan/clamd.sock`
- Start clamd and restart on fail:
```sh
sudo systemctl start clamd@scan; sudo systemctl enable clamd@scan
```
- Not needed: modify SELinux to enable command:
```sh
sudo setsebool -P antivirus_can_scan_system 1; sudo setsebool -P clamd_use_jit 1
```
- Add to crontab (`crontab -e`):
```
33 3 * * * /usr/bin/freshclam > /var/log/clamav/freshclam.log
40 3 * * * /usr/bin/clamscan -ir / -l /var/log/clamav/clamd.log --copy=/usr/local/src/virusdetectiondirectory
```
- Add directories to server:
```sh
sudo mkdir /var/log/clamav/; sudo mkdir /usr/local/src/virusdetectiondirectory
```
- Tried to enable socket based antivirus connection
  - Error: `Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13)`
- Need to set permissions on new directories:
```sh
sudo chown clamscan:virusgroup -R /var/log/clamav
sudo chown clamscan:virusgroup /usr/local/src/virusdetectiondirectory
```
- Saw error: `ERROR: Malformed database`
- Deleted databases:
```sh
sudo rm /var/lib/clamav/*.cvd
```
- Re-downloaded:
```sh
sudo freshclam
```
- Now see memory error on t2.small (2gb) with httpd, coolwsd and now clamscan running:
```
LibClamAV Error: mpool_malloc(): Can't allocate memory (262144 bytes).
```
- NOTE: Stopped for now until I decide this is necessary and bump up ec2 instance size:
```sh
sudo service clamd@scan stop
sudo systemctl disable clamd@scan
```
- Noticed that `clamscan` was still running in `top` the next day; killed this by finding the parent process with `ps -o ppid <PID_OF_CLAMSCAN>` then `kill -9 <PARENT_ID>`
- Restarted clamd service:
```sh
sudo service clamd@scan start
sudo systemctl enable clamd@scan
```
- This also maxed out memory and killed the server, so seems like I need more memory to do this properly
Followed instructions from https://docs.nextcloud.com/server/22/admin_manual/installation/harden_server.html#setup-fail2ban
- Installed fail2ban:
```sh
sudo yum install fail2ban
```
- Added fail2ban filter config in `/etc/fail2ban/filter.d/nextcloud.conf`:
```ini
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
```
- Add jail in `/etc/fail2ban/jail.d/nextcloud.local` (`vim /etc/fail2ban/jail.d/nextcloud.local`):
```ini
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /var/www/html/nextcloud/data/nextcloud.log
```
- Start fail2ban service:
```sh
sudo service fail2ban start
```
- Check status of jail with
```sh
fail2ban-client status nextcloud
```
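Before the jail goes live it is worth confirming that the filter matches the JSON lines Nextcloud actually writes, and nothing else, since a filter that silently matches nothing leaves the login page unprotected while `fail2ban-client status` looks healthy. The following is an added example of my own (not from the gist or the Nextcloud docs): it reproduces the filter's `%(_groupsre)s` and `<HOST>` expansion by hand in POSIX ERE and runs it over constructed `nextcloud.log` lines. The `203.0.113.x` addresses, reqIds and messages are constructed for the test, and `count_failures_by_host` is my helper, not a fail2ban tool; on the real box the equivalent check is `fail2ban-regex /var/www/html/nextcloud/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf`.

```shell
#!/bin/bash
# Added example, not from the gist: replay the fail2ban "nextcloud" filter
# against constructed nextcloud.log lines. fail2ban's %(_groupsre)s / <HOST>
# expansion is reproduced here in POSIX ERE; the log lines and 203.0.113.x
# addresses are constructed for the test.

# fail2ban's _groupsre: zero or more  ,"key":"value"  or  ,"key":123  pairs
GROUPSRE='(,?[[:space:]]*"[[:alnum:]_]+":("[^"]+"|[[:alnum:]_]+))*'
# what fail2ban substitutes for <HOST> (an IPv4 or IPv6 literal)
HOSTRE='([0-9a-fA-F.:]+)'

# nextcloud_fail2ban_hosts LOGFILE
# Prints, one per line, the remoteAddr of every line the filter would count
# as a failure: first all "Login failed:" hits, then "Trusted domain error" hits.
nextcloud_fail2ban_hosts() {
    local logfile=$1 msg re
    for msg in 'Login failed:' 'Trusted domain error'; do
        # \3 is HOSTRE: groups 1 and 2 belong to the first GROUPSRE
        re="^[{]${GROUPSRE},?[[:space:]]*\"remoteAddr\":\"${HOSTRE}\"${GROUPSRE},?[[:space:]]*\"message\":\"${msg}"
        grep -E "$re" "$logfile" | sed -E "s/${re}.*/\\3/"
    done
}

# write_sample_log LOGFILE
# Writes four constructed nextcloud.log entries: two failed logins from one
# address, one trusted-domain error, and a normal request that must NOT match.
write_sample_log() {
    cat > "$1" <<'EOF'
{"reqId":"a1","level":2,"time":"2024-05-01T10:00:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/cloud/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"22.2.0.0"}
{"reqId":"b2","level":1,"time":"2024-05-01T10:01:00+00:00","remoteAddr":"203.0.113.9","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. Host: example.invalid","userAgent":"curl/8.0","version":"22.2.0.0"}
{"reqId":"c3","level":1,"time":"2024-05-01T10:02:00+00:00","remoteAddr":"203.0.113.7","user":"djunker","app":"core","method":"GET","url":"/cloud/apps/files","message":"Session created","userAgent":"curl/8.0","version":"22.2.0.0"}
{"reqId":"d4","level":2,"time":"2024-05-01T10:03:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/cloud/login","message":"Login failed: 'root' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"22.2.0.0"}
EOF
}

# count_failures_by_host LOGFILE
# Aggregates hits per address ("2 203.0.113.5"), most frequent first, so the
# jail's maxretry can be sanity-checked against real log volume.
count_failures_by_host() {
    nextcloud_fail2ban_hosts "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone run: write the sample log, print matching hosts and the counts.
tmp=$(mktemp)
write_sample_log "$tmp"
nextcloud_fail2ban_hosts "$tmp"
count_failures_by_host "$tmp"
rm -f "$tmp"
```

Run against the real log (`nextcloud_fail2ban_hosts /var/www/html/nextcloud/data/nextcloud.log`) the output should be non-empty on a box that has seen failed logins; if it is empty while the Nextcloud log clearly contains `Login failed:` lines, the JSON key order or quoting has changed and the filter in `filter.d/nextcloud.conf` needs adjusting before relying on the jail.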
From https://gist.github.com/willmasters/382fe6caba44a4345a3de95d98d3aae5

Old releases of ffmpeg at: https://www.johnvansickle.com/ffmpeg/old-releases/
```sh
sudo mkdir -v -p /usr/local/bin/ffmpeg
cd /usr/local/bin/ffmpeg
sudo wget https://www.johnvansickle.com/ffmpeg/old-releases/ffmpeg-4.4-amd64-static.tar.xz
sudo tar xvf ffmpeg-4.4-amd64-static.tar.xz
sudo mv ffmpeg-4.4-amd64-static/ffmpeg .
sudo ln -s /usr/local/bin/ffmpeg/ffmpeg /usr/bin/ffmpeg
```