General knowledge
Resources, apps, tutorials and several knowledge sources are mentioned in the Nebuchadnezzar page.
Docker
Please refer to Docker to see how I re-deployed everything on my server through Docker.
Good practices
update Ubuntu (-y parameter is used to accept by default any question)
sudo apt update -y && sudo apt upgrade -yremove debris
sudo apt autoremove -y && sudo apt autoclean -yLimited user
It is always better not to work and setup stuff straight from root user, it’s easy to mess everything up and very risky if you’re not 100% sure of what you’re doing (for me, most of the time).
add user
adduser tommi # “tommi”, in this case, is the usernamegrant that user sudo permissions
adduser -aG tommi sudoFirewall
Enable default configuration
ufw allow OpenSSHenable firewall
ufw enablecheck if everything is working
ufw statusfirst things firts:
sudo ufw allow 'Apache'SSH keys
create SSH folder to store allowed keys
ssh-keygen -t ed -a 100 -c 'tommi@tommi.space'on local client:
ssh-copy-id tommi@100.100.010.1 -p 5002Alternatively:
scp -P 5002 ~/.ssh/id_rsa.pub tommi@100.100.010.1:~/.ssh/authorized_keysSubstitute 100.100.010.1 with the server’s IP address, tommi with the wanted username, and 5002 with your port
More information
- SSH keys explained, a comprehensive yet simple guide to understand how SSH keys management should be done
- Linode’s tutorial on the topic
SSH port
Enable the new SSH port from the firewall. In this case, the process I will be following configures port 5522
sudo ufw allow 5522/tcpOpen the SSH configuration file /etc/ssh/sshd_config
sudo vim /etc/ssh/sshd_configIn this file, replace #Port 22 with Port 5522
after this, disable connections from port 22
sudo ufw deny 22restart ssh
sudo systemctl restart sshDisable root access
PermitRootLoogin no # was: yesInstall git
install git
apt install gitInstall zsh
install zsh
apt install zshset zsh as default shell
chsh -s /usr/bin/zsh rootinstall zsh syntax highlighting
apt install zsh-syntax-highlightinginstall oh-my-zsh
sh -c '$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)'enable zsh syntax highlighting
echo 'source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh' >> ~/.zshrcNextcloud
Nextcloud installation, configuration and troubleshooting.
Resources
- official installation documentation
- complete installation tutorial for Ubuntu 20.04, in dutch
- in-depth guide for Nextcloud 15
- check vulnerabilities with Nextcloud Scan
Permissions
Firstly, it’s necessary to create the folder where Nextcloud interface, thus public application files, will be stored.
In this case, I configured a directory which is named exactly as the domain where the content it’s hosting will be found, for simplicity.
sudo mkdir /var/www/cloud.tommi.spacethen, permissions can be changed, such that Nextcloud itself can handle this data, once installed. As you can see, these permissions must be set -R recursively.
sudo chown -R $USER:$USER /var/www/cloud.tommi.space
sudo chmod -R 755 /var/www/cloud.tommi.spacemake the (private) directory where all of Nextcloud data will be stored, and change its permissions, too
mkdir /home/tommi/nextcloud-data
sudo chown -R www-data:www-data /home/tommi/nextcloud-data/Apache
This is the essential content of an Apache configuration fil for nextcloud. It should be placed in /etc/apache2/sites-available/
create the configuration file by running
sudo vim /etc/apache2/sites-available/cloud.tommi.space.confthen, add this content:
<VirtualHost *:80>
ServerAdmin tommiboom@protonmail.com
ServerName cloud.tommi.space
ServerAlias www.cloud.tommi.space
DocumentRoot /var/www/cloud.tommi.space/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>Install MariaDB
sudo apt install mariadb-serverBasic database configuration
sudo mysql_secure_installation
log into MariaDB
sudo mariadb
Create a new database for Nextcloud (in MariaDB):
mysql> CREATE DATABASE nextcloud;Create a new Nextcloud user
mysql> GRANT ALL ON nextcloud.* TO 'user_name'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;Install PHP
Install PHP modules
sudo apt install php libapache2-mod-php php-mysqlinstall Nextcloud dependencies
sudo apt install php-curl php-dom php-gd php-json php-xml php-mbstring php-zipadjust PHP.ini
sudo vim /etc/php/7.4/apache2/php.iniedits:
memory_limit = 1024M # based on how much RAM the server has
upload_max_filesize = 16G # max size of uploaded files
post_max_size = 16G # something similar to the above
date.timezone = Europe/Rome # or your timezoneInstall Nextcloud
download Nextcloud and place it in the virtual host directory
sudo cd /var/www/cloud.tommi.space/public_html && sudo wget https://download.nextcloud.com/server/releases/nextcloud-18.0.4.zipextract the downloaded package
unzip nextcloud-18.0.4.zipInstall Let’s Encrypt
Certbot will be use to establish a secure connection to the instance. To make things simple, it’s the one which makes an unencrypted http:// connection magically become an encrypted https:// connection
sudo apt install certbot python3-certbot-apacheEnable port 443 instead of port 80
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'Generate TLS certificate
sudo certbot --apache -d cloud.tommi.space -d www.cloud.tommi.spaceEnable HTTP/2, and rewrite module
sudo apt install php7.4-fpm
sudo a2enmod proxy_fcgi
sudo a2enconf php7.4-fpm
sudo a2dismod php7.4
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo service apache2 restart
sudo a2enmod http2
sudo service apache2 restartEnable HSTS
In cloud.tommi.space-le-ssl.conf add
<IfModule mod_headers.c>
Header always set Strict-Transport-Security 'max-age=15552000; includeSubDomains'
</IfModule>to enable what has just been inserted, headers must be enabled
sudo a2enmod headersthen, enable .htaccess
sudo vim /etc/apache2/sites-available/cloud.tommi.space/cloud.tommi.space-le-ssl.confpaste in <VirtualHost *:443>
<Directory '/var/www/cloud.tommi.space/public_html'>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>restart Apache
systemctl restart apache2Domain linking
- point the chosen domain and subdomain to the server IP address
- wait for the domain to propagate (it could take up to 48 hours)
- go to
cloud.example.com, where you should get this page:
https://. To obtain a SSL Certificate, thus an encrypted connection, follow the next step.Final adjustments
Final adjustments are to be performed from the Nextcloud GUI.
There are a lot of very useful Nextcloud apps which are trivial to install.
fixes
- fix this encryption error
Nextcloud Cheat Sheet
Using OCC
sudo -u nextcloud php8.0 --define apc.enable_cli=1 /var/www/nextcloud/occ
Manually install applications
move to the Nextcloud apps folder
cd /var/www/nextcloud/appsdownload the application package from Nextcloud apps website
wget https://github.com/nextcloud/documentserver_community/releases/download/v0.1.5/documentserver_community.tar.gz # url to the packageextract it (by substituting package_name with the name of the app package)
tar -xvzf package_name.tar.gzremove compressed package
rm -rf package_name.tar.gzchange permissions for the app’s directory
chown -R www-data:www-data /var/www/nextcloud/apps/app_name
chmod -R 755 /var/www/nextcloud/apps/app-nameMaintenance mode
Toggle maintenance mode
sudo -u nextcloud php8.0 --define apc.enable_cli=1 /var/www/nextcloud/occ --on # or --offDockerized commands
Using the occ command in a dockerized instance
docker-compose exec --user www-data app php occMore information on the Nextcloud Docker Hub page
Jitsi Meet
allow firewall for ports 100000 to 200000
sudo ufw allow in 10000:20000/udpJitsi requires the Java Runtime Environment. Install OpenJDK JRE 8.
sudo apt install -y openjdk-8-jre-headlesscheck if installation went the right way and if the right version is installed
java -versionsetup Java Runtime
sudo echo 'JAVA_HOME=$(readlink -f /usr/bin/java | sed 's:bin/java::')' | sudo tee -a /etc/profile
sudo source /etc/profiledownload Jitsi Meet and add it to apt downloadable list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
echo 'deb https://download.jitsi.org stable/' | sudo tee -a /etc/apt/sources.list.d/jitsi-stable.listinstall Jitsi Meet
sudo apt install -y jitsi-meetrun and enable Certbot
sudo sed -i 's/\.\/certbot-auto/certbot/g' /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
sudo ln -s /usr/bin/certbot /usr/sbin/certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.shlast tweaks should be done in here
sudo vim /etc/apache2/conf-enabled/security.confThere are a few very nice things, such as hiding the “Jitsi” watermark from calls, which can be improved by editing Jitsi’s css file. Here’s a customizations guide.
OpenVPN
To install OpenVPN, I followed exactly this super simple and quick guide. It actualy took me 15 minutes to make everything work perfectly, and it still does after several months.
Installation
I chose to deploy RSS-Bridge through Docker. The process is not thoroughly and simply explained for a dumb newbie like me, nevertheless I somehow figured out how to deploy the app.
My version of the default Docker build:
sudo docker create \
--name=rss-bridge \
--volume /home/tommi/whitelist.txt:/app/whitelist.txt \
--publish 3001:80 \
rssbridge/rss-bridge:latestMy whitelist.txt file:
*
Customization
What’s the real issue, to my surprise, wasn’t get RSS-Bridge up and running as much as making it actually work.
Below I collected some articles useful to sort thing out.