Nextcloud 13 on FreeBSD

Today I would like to share a setup of Nextcloud 13 running on a FreeBSD system. To make things more interesting it will run inside a FreeBSD Jail. I will not describe the Nextcloud setup itself here, as it is large enough for several blog posts.

The official Nextcloud 13 documentation recommends the following setup:

  • MySQL/MariaDB
  • PHP 7.0 (or newer)
  • Apache 2.4 (with mod_php)

I prefer the PostgreSQL database to MySQL/MariaDB and the fast and lean Nginx web server to Apache, so my setup is based on these components:

  • PostgreSQL 10.3
  • PHP 7.2.4
  • Nginx 1.12.2 (with php-fpm)
  • Memcached 1.5.7

The Memcached subsystem is the least important; it can easily be replaced with something more modern such as Redis. I prefer not to use any third party tools for FreeBSD Jails management. Not because they are bad or something like that. There are just many good choices for FreeBSD Jails management and I want to provide a GENERIC example for Nextcloud 13 in a Jail, not one tied to a specific management tool.

Host

Let's start with preparing the FreeBSD Host with the needed settings. We need to allow using raw sockets in Jails. For future optional upgrades of the Jail we will also allow using chflags(1) in Jails.

host # cat >> /etc/sysctl.conf << __EOF

# ALLOW JAIL RAW SOCKETS
security.jail.allow_raw_sockets=1

# ALLOW UPGRADES IN JAIL 
security.jail.chflags_allowed=1
__EOF

host # sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1

host # sysctl security.jail.chflags_allowed=1
security.jail.chflags_allowed: 0 -> 1

I would also enable rctl(8) limits for convenient resource limitations on the host system.

host # cat >> /boot/loader.conf << __EOF

# RACCT/RCTL RESOURCE LIMITS
kern.racct.enable=1
__EOF

The complete Jail takes less than 800 MB after installation if You remove the parts that are no longer needed. With the complete FreeBSD Ports tree and current portsnap(8) information it takes about 1.6 GB of space.

  MB PATH                            DESC
1670 /jail/nextcloud                 (complete Nextcloud 13 Jail)
 726 /jail/nextcloud/usr/ports       (can be removed after install)
 178 /jail/nextcloud/var/db/portsnap (can be removed after install)

I have used my laptop as the Jail host. This is why the Jail will be configured to use the wireless wlan0 interface and the 192.168.43.100 address.

To distinguish the commands I type on the host system from those I type in the nextcloud.local Jail I use two different prompts; this way it should be obvious what command to execute and where.

Command on the host system.

host # command

Command on the nextcloud.local Jail.

root@nextcloud:/ # command

Here is the running Jail and its processes.

host # jls
   JID  IP Address      Hostname                      Path
    10  192.168.43.100  nextcloud.local               /jail/nextcloud
host # ps axwww -o %cpu,rss,time,command -J nextcloud
%CPU   RSS    TIME COMMAND
 0.0  2032 0:00.01 /usr/sbin/syslogd -s -s
 0.0  5504 0:00.00 /usr/sbin/sshd
 0.0  2056 0:00.01 /usr/sbin/cron -s
 0.0 24196 0:00.04 postgres: checkpointer process    (postgres)
 0.0 23040 0:00.04 postgres: writer process    (postgres)
 0.0 23036 0:00.07 postgres: wal writer process    (postgres)
 0.0 23328 0:00.06 postgres: autovacuum launcher process    (postgres)
 0.0 12764 0:00.24 postgres: stats collector process    (postgres)
 0.0 23204 0:00.00 postgres: bgworker: logical replication launcher    (postgres)
 0.0 23036 0:00.23 /usr/local/bin/postgres -D /var/db/postgres/data
 0.0  6072 0:00.00 nginx: master process /usr/local/sbin/nginx
 0.0  6548 0:00.00 nginx: worker process (nginx)
 0.0  7604 0:00.15 nginx: worker process (nginx)
 0.0  6548 0:00.00 nginx: worker process (nginx)
 0.0  6544 0:00.00 nginx: worker process (nginx)
 0.0 17600 0:01.25 /usr/local/bin/memcached -l 192.168.43.100 -d -P /var/run/memcached/memcached.pid
 0.0 31372 0:00.01 php-fpm: master process (/usr/local/etc/php-fpm.conf) (php-fpm)
 0.0 31388 0:00.00 php-fpm: pool www (php-fpm)
 0.0 31388 0:00.00 php-fpm: pool www (php-fpm)
 0.0 31388 0:00.00 php-fpm: pool www (php-fpm)
 0.0 31388 0:00.00 php-fpm: pool www (php-fpm)

Jail

First we will prepare the Jail for our Nextcloud 13 installation. Let's create some ZFS datasets for that purpose. I will use my local ZFS pool. I will also create the ZFS dataset for PostgreSQL data with 8k record size.

host # zfs create -o mountpoint=/jail                                                 local/jail
host # zfs create -o mountpoint=/jail/nextcloud                                       local/jail/nextcloud
host # zfs create -o mountpoint=/jail/nextcloud/var/db/postgres/data -o recordsize=8k local/jail/nextcloud/pgsql
host # zfs get -r recordsize local/jail
NAME                        PROPERTY    VALUE    SOURCE
local/jail                  recordsize  128K     default
local/jail/nextcloud        recordsize  128K     default
local/jail/nextcloud/pgsql  recordsize  8K       local

Now let's fetch the FreeBSD base into the /jail/nextcloud path.

host # cd /jail/nextcloud
host # fetch -o - http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.1-RELEASE/base.txz | tar --unlink -xpJf - -C /jail/nextcloud
-                                             100% of   99 MB  689 kBps 02m28s
host # ls /jail/nextcloud
.cshrc     bin/       COPYRIGHT  etc/       libexec/   mnt/       proc/      root/      sys        usr/
.profile   boot/      dev/       lib/       media/     net/       rescue/    sbin/      tmp/       var/
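
The fetch above pipes base.txz from a plain-HTTP mirror straight into tar, so nothing checks the archive before it becomes the Jail root. As an added example (not part of the original post), the script below downloads the set to a file and compares it with the SHA-256 recorded in the release MANIFEST before extracting. The function names are made up for illustration, the sample files are constructed, and the MANIFEST layout (tab-separated, file name first, digest second) is an assumption of this example.

```shell
#!/bin/sh
# Added example: verify a FreeBSD distribution set against the release
# MANIFEST before it is unpacked into the Jail root.

# sha256_of FILE: print the hex SHA-256 of FILE with whichever tool exists.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                              # FreeBSD sha256(1)
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1            # GNU coreutils
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# manifest_digest MANIFEST NAME: print the digest recorded for NAME.
# Assumed layout: tab-separated fields, file name first, SHA-256 second.
manifest_digest() {
    awk -F '\t' -v name="$2" '
        $1 == name { print $2; hit = 1; exit }
        END { exit !hit }
    ' "$1"
}

# verify_dist MANIFEST FILE
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed, 3 on hash error.
verify_dist() {
    want=$(manifest_digest "$1" "$(basename "$2")") || return 2
    have=$(sha256_of "$2") || return 3
    [ "$want" = "$have" ] || return 1
}

# install_base URL_DIR DEST: download, verify, and only then extract.
# A MANIFEST taken from the same mirror only catches corruption in transit;
# to detect a tampered archive it has to come over a channel you trust.
install_base() {
    tmp=$(mktemp -d) || return 1
    fetch -o "$tmp/MANIFEST" "$1/MANIFEST" &&
    fetch -o "$tmp/base.txz" "$1/base.txz" &&
    verify_dist "$tmp/MANIFEST" "$tmp/base.txz" &&
    tar --unlink -xpJf "$tmp/base.txz" -C "$2"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# make_sample DIR: constructed stand-in files, not a real release.
make_sample() {
    printf 'constructed stand-in for base.txz\n' > "$1/base.txz"
    printf 'base.txz\t%s\t1\tbase\t"Base system"\ton\n' \
        "$(sha256_of "$1/base.txz")" > "$1/MANIFEST"
}

# Stand-alone run on the constructed files.
d=$(mktemp -d) && make_sample "$d" &&
    verify_dist "$d/MANIFEST" "$d/base.txz" &&
    echo "base.txz matches MANIFEST"
rm -rf "$d"
```

On the host this would be called as install_base with the release directory URL used above and /jail/nextcloud as the destination.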

We have the base FreeBSD Jail fetched into the /jail/nextcloud path, let's configure the host for that Jail.

We will only have one Jail configured (for simplicity), the nextcloud.local Jail.

host # cat >> /etc/jail.conf << __EOF
nextcloud {
  host.hostname = nextcloud.local;
  ip4.addr = 192.168.43.100;
  interface = wlan0;
  path = /jail/nextcloud;
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  mount.devfs;
  allow.raw_sockets;
  allow.sysvipc;
}
__EOF

After creating/modifying the /etc/jail.conf file there should not be any running Jails.

host # jls
   JID  IP Address      Hostname                      Path

Let's enable Jails on the host system.

host # cat >> /etc/rc.conf << __EOF
# JAILS
  jail_enable=YES
__EOF

We can now start our nextcloud.local Jail for the first time.

host # service jail start nextcloud
Starting jails: nextcloud.
host # jls
   JID  IP Address      Hostname                      Path
     1  192.168.43.100  nextcloud.local               /jail/nextcloud

Now let's configure the nextcloud.local name on both host and Jail.

host # cat >> /etc/hosts << __EOF

# NEXTCLOUD
192.168.43.100 nextcloud.local nextcloud
__EOF
host # jexec 1 /bin/csh

root@nextcloud:/ # cat >> /etc/hosts << __EOF

# NEXTCLOUD
192.168.43.100 nextcloud.local nextcloud
__EOF

One has to remember that there is no localhost (127.0.0.1) in the FreeBSD Jail. The Jail only has its own configured IP address for listening purposes (192.168.43.100 in our example). This is important because services configured on the host to listen on localhost (127.0.0.1) work as usual, but when You do the same in a FreeBSD Jail you will not be able to connect to them (even from this very Jail).

Let's make some basic configuration of the Nextcloud Jail.

host # jexec 1 /bin/csh

root@nextcloud:/ # newaliases -v
WARNING: local host name (nextcloud) is not qualified; see cf/README: WHO AM I?
/etc/mail/aliases: 29 aliases, longest 10 bytes, 297 bytes total

root@nextcloud:/ # cp /usr/share/zoneinfo/Europe/Warsaw /etc/localtime

Let's create a basic /etc/rc.conf file for our Jail. I will leave some services commented out as they are not yet configured to run; we do not want to imitate Debian here and start services with default configs 🙂

root@nextcloud:/ # cat >> /etc/rc.conf << __EOF
# DAEMONS | yes
  syslogd_flags="-s -s"
  sshd_enable=YES
# php_fpm_enable=YES
# postgresql_enable=YES
# postgresql_class=postgres
# postgresql_data=/var/db/postgres/data
# memcached_enable=YES
# memcached_flags="-l 192.168.43.100"
# nginx_enable=YES

# DAEMONS | no
  sendmail_enable=NONE
  sendmail_submit_enable=NO
  sendmail_outbound_enable=NO
  sendmail_msp_queue_enable=NO

# OTHER
  clear_tmp_enable=YES
  clear_tmp_X=YES
  extra_netfs_types=NFS
  dumpdev=NO
  update_motd=NO
  keyrate=fast
__EOF

As we will disable sendmail(8) we need to make sure that /var/spool/clientmqueue does not fill up over time. Let's configure a simple cron job for that.

root@nextcloud:/ # cat > /etc/cron.d/sendmail-clean-clientmqueue << __EOF
# CLEAN SENDMAIL
0 * * * * root /bin/rm -r -f /var/spool/clientmqueue/*
__EOF

As we have some basic configuration let's restart our Jail.

root@nextcloud:/ # exit

host # service jail restart nextcloud
Stopping jails: nextcloud.
Starting jails: nextcloud.

host # jls
   JID  IP Address      Hostname                      Path
     2  192.168.43.100  nextcloud.local               /jail/nextcloud

host # jexec nextcloud /bin/csh

After the restart we only have the sshd(8) daemon listening for connections.

root@nextcloud:/ # sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       97823 3  tcp4   192.168.43.100:22         *:*

Packages

Let's configure network connectivity in the Jail, as it will be needed to get the packages from the Internet.

root@nextcloud:/ # echo nameserver 1.1.1.1 > /etc/resolv.conf

root@nextcloud:/ # ping -c 3 -t 3 freebsd.org
PING freebsd.org (8.8.178.110): 56 data bytes
64 bytes from 8.8.178.110: icmp_seq=0 ttl=52 time=180.860 ms
64 bytes from 8.8.178.110: icmp_seq=1 ttl=52 time=180.373 ms
64 bytes from 8.8.178.110: icmp_seq=2 ttl=52 time=181.363 ms

--- freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 180.373/180.865/181.363/0.404 ms

As we want the latest packages let's set that in the pkg(8) repository config file.

root@nextcloud:/ # grep quarterly /etc/pkg/FreeBSD.conf
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",

root@nextcloud:/ # sed -i '' s/quarterly/latest/g /etc/pkg/FreeBSD.conf

root@nextcloud:/ # grep latest /etc/pkg/FreeBSD.conf
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

Now let's set up pkg(8) and fetch the latest repository metadata.

root@nextcloud:/ # pkg update -f
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[nextcloud] Installing pkg-1.10.5...
[nextcloud] Extracting pkg-1.10.5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[nextcloud] Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
[nextcloud] Fetching packagesite.txz: 100%    6 MiB 530.8kB/s    00:12
Processing entries: 100%
FreeBSD repository update completed. 31134 packages processed.
All repositories are up to date.

… and an up to date FreeBSD Ports tree.

root@nextcloud:/ # portsnap fetch extract
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching public key from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Mon Apr  2 02:06:03 CEST 2018:
7cd019f9e1af8a9d637a56ba3d2bbc2025f54d9931cd8b100% of   79 MB  624 kBps 02m10s
Extracting snapshot... done.
Verifying snapshot integrity...
(...)
Building new INDEX files... done.

root@nextcloud:/ # portsnap fetch update
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Ports tree hasn't changed since last snapshot.
No updates needed.
Ports tree is already up to date.

By default the Nextcloud 13 package in the repository is built with MySQL 5.6 and the older PHP 5.6, thus we cannot use packages for everything; some (automated) compilation is unavoidable.

root@nextcloud:/ # cd /usr/ports/www/nextcloud

root@nextcloud:/usr/ports/www/nextcloud # make run-depends-list | grep -m 1 php
/usr/ports/lang/php56

root@nextcloud:/usr/ports/www/nextcloud # make run-depends-list | grep -m 1 database
/usr/ports/databases/mysql56-client

Let's check the FreeBSD Ports default package versions.

root@nextcloud:/ # grep -E '^[A-Z]+_DEFAULT' /usr/ports/Mk/bsd.default-versions.mk | column -t
APACHE_DEFAULT?=       2.4
BDB_DEFAULT?=          5
FIREBIRD_DEFAULT?=     2.5
FORTRAN_DEFAULT?=      gfortran
FPC_DEFAULT?=          3.0.4
GCC_DEFAULT?=          6
GHOSTSCRIPT_DEFAULT?=  agpl
LAZARUS_DEFAULT?=      1.8.2
LINUX_DEFAULT?=        c6_64
LINUX_DEFAULT?=        c6
LUA_DEFAULT?=          5.2
MYSQL_DEFAULT?=        5.6
PGSQL_DEFAULT?=        9.5
PHP_DEFAULT?=          5.6
PYTHON_DEFAULT?=       2.7
RUBY_DEFAULT?=         2.4
SAMBA_DEFAULT?=        4.6
SSL_DEFAULT=           base
SSL_DEFAULT:=          ${OPENSSL_INSTALLED:T}
SSL_DEFAULT?=          base
TCLTK_DEFAULT?=        8.6
VARNISH_DEFAULT?=      4

It's PostgreSQL 9.5 and PHP 5.6. We will override that in the /etc/make.conf file with the following settings. We will also force the PGSQL option and disable the MYSQL option for all Ports.

root@nextcloud:/ # cat >> /etc/make.conf << __EOF
WRKDIRPREFIX=\${PORTSDIR}/obj
DEFAULT_VERSIONS+= php=7.2
DEFAULT_VERSIONS+= pgsql=10
OPTIONS_UNSET+=    MYSQL
OPTIONS_SET+=      PGSQL
__EOF

Now, let's display the default Nextcloud port configuration.

root@nextcloud:/usr/ports/www/nextcloud # make showconfig
===> The following configuration options are available for nextcloud-13.0.0:
     EXIF=on: Image rotation support
     LDAP=on: LDAP protocol support
     SMB=on: SMB network protocol support
     SSL=on: SSL protocol support
====> Database backend(s): you have to choose at least one of them
     MYSQL=on: MySQL database support
     PGSQL=off: PostgreSQL database support
     SQLITE=off: SQLite database support
===> Use 'make config' to modify these settings

PostgreSQL support is not even enabled. Let's configure the Nextcloud port to our needs.

root@nextcloud:/usr/ports/www/nextcloud # make config

Let's check the current port configuration.

root@nextcloud:/usr/ports/www/nextcloud # make showconfig
===> The following configuration options are available for nextcloud-13.0.0:
     EXIF=on: Image rotation support
     LDAP=on: LDAP protocol support
     SMB=on: SMB network protocol support
     SSL=on: SSL protocol support
====> Database backend(s): you have to choose at least one of them
     MYSQL=off: MySQL database support
     PGSQL=on: PostgreSQL database support
     SQLITE=off: SQLite database support
===> Use 'make config' to modify these settings

Good. In case You wondered where these settings are stored, the answer is below. Yes, if you delete the /var/db/ports/www_nextcloud directory, they will be brought back to the defaults without PostgreSQL and with MySQL.

root@nextcloud:/ # cat /var/db/ports/www_nextcloud/options
# This file is auto-generated by 'make config'.
# Options for nextcloud-13.0.0
_OPTIONS_READ=nextcloud-13.0.0
_FILE_COMPLETE_OPTIONS_LIST=EXIF LDAP SMB SSL MYSQL PGSQL SQLITE
OPTIONS_FILE_SET+=EXIF
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_SET+=SMB
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_SET+=PGSQL
OPTIONS_FILE_UNSET+=SQLITE

Now let's check the run-depends-list again after our configuration.

root@nextcloud:/ # make -C /usr/ports/www/nextcloud run-depends-list | grep -m 1 php
/usr/ports/lang/php72

root@nextcloud:/ # make -C /usr/ports/www/nextcloud run-depends-list | grep -m 1 sql
/usr/ports/databases/postgresql10-client

Better.

To make things a little faster and to not build everything from FreeBSD Ports we may add most of the needed software from packages. We will have to switch to the /bin/sh shell for that purpose.

root@nextcloud:/usr/ports/www/nextcloud # exit

host # jexec nextcloud /bin/sh

root@nextcloud:/ # make -C /usr/ports/www/nextcloud run-depends-list | while read I; do echo pkg install -y $( basename $I );done
pkg install -y gettext-runtime
pkg install -y postgresql10-client
pkg install -y pecl-smbclient
pkg install -y php72
pkg install -y php72-bz2
pkg install -y php72-ctype
pkg install -y php72-curl
pkg install -y php72-dom
pkg install -y php72-fileinfo
pkg install -y php72-filter
pkg install -y php72-gd
pkg install -y php72-hash
pkg install -y php72-iconv
pkg install -y php72-json
pkg install -y php72-mbstring
pkg install -y php72-pdo
pkg install -y php72-posix
pkg install -y php72-session
pkg install -y php72-simplexml
pkg install -y php72-xml
pkg install -y php72-xmlreader
pkg install -y php72-xmlwriter
pkg install -y php72-xsl
pkg install -y php72-wddx
pkg install -y php72-zip
pkg install -y php72-zlib
pkg install -y php72-exif
pkg install -y php72-ldap
pkg install -y php72-openssl
pkg install -y php72-pdo_pgsql
pkg install -y php72-pgsql

So we have our list of commands to install most packages, let's paste them one by one into the nextcloud.local prompt. As packages are built, they sometimes get a prefix for the version of the ‘upstream’ port they have been built against; the ‘pecl-smbclient’ port is a good example here:

root@nextcloud:/ # pkg install -y pecl-smbclient
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'pecl-smbclient' have been found in the repositories

root@nextcloud:/ # pkg search pecl-smbclient
php56-pecl-smbclient-0.9.0_3   Smbclient wrapper extension
php70-pecl-smbclient-0.9.0_3   Smbclient wrapper extension
php71-pecl-smbclient-0.9.0_3   Smbclient wrapper extension
php72-pecl-smbclient-0.9.0_3   Smbclient wrapper extension

Here is the complete list of packages that we need to install.

root@nextcloud:/ # pkg install -y gettext-runtime
root@nextcloud:/ # pkg install -y postgresql10-client
root@nextcloud:/ # pkg install -y pecl-smbclient
root@nextcloud:/ # pkg install -y php72
root@nextcloud:/ # pkg install -y php72-bz2
root@nextcloud:/ # pkg install -y php72-ctype
root@nextcloud:/ # pkg install -y php72-curl
root@nextcloud:/ # pkg install -y php72-dom
root@nextcloud:/ # pkg install -y php72-fileinfo
root@nextcloud:/ # pkg install -y php72-filter
root@nextcloud:/ # pkg install -y php72-gd
root@nextcloud:/ # pkg install -y php72-hash
root@nextcloud:/ # pkg install -y php72-iconv
root@nextcloud:/ # pkg install -y php72-json
root@nextcloud:/ # pkg install -y php72-mbstring
root@nextcloud:/ # pkg install -y php72-pdo
root@nextcloud:/ # pkg install -y php72-posix
root@nextcloud:/ # pkg install -y php72-session
root@nextcloud:/ # pkg install -y php72-simplexml
root@nextcloud:/ # pkg install -y php72-xml
root@nextcloud:/ # pkg install -y php72-xmlreader
root@nextcloud:/ # pkg install -y php72-xmlwriter
root@nextcloud:/ # pkg install -y php72-xsl
root@nextcloud:/ # pkg install -y php72-wddx
root@nextcloud:/ # pkg install -y php72-zip
root@nextcloud:/ # pkg install -y php72-zlib
root@nextcloud:/ # pkg install -y php72-exif
root@nextcloud:/ # pkg install -y php72-ldap
root@nextcloud:/ # pkg install -y php72-openssl
root@nextcloud:/ # pkg install -y php72-pdo_pgsql
root@nextcloud:/ # pkg install -y php72-pgsql
root@nextcloud:/ # pkg install -y php72-pecl-smbclient
root@nextcloud:/ # pkg install -y nginx
root@nextcloud:/ # pkg install -y memcached
root@nextcloud:/ # pkg install -y portmaster
root@nextcloud:/ # pkg install -y sudo
root@nextcloud:/ # pkg install -y php72-pecl-memcached
root@nextcloud:/ # pkg install -y php72-pcntl
root@nextcloud:/ # pkg install -y postgresql10-server

Some packages like postgresql10-server will remove packages built against the PostgreSQL 9.5 version, as shown below.

root@nextcloud:/ # pkg install postgresql10-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (2 conflicting)
  - postgresql10-client-10.3 conflicts with postgresql95-client-9.5.12 on /usr/local/bin/clusterdb
  - postgresql10-client-10.3 conflicts with postgresql95-client-9.5.12 on /usr/local/bin/clusterdb
Checking integrity... done (0 conflicting)
The following 5 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
        postgresql95-client-9.5.12
        php72-pdo_pgsql-7.2.4
        php72-pgsql-7.2.4

New packages to be INSTALLED:
        postgresql10-server: 10.3
        postgresql10-client: 10.3

Number of packages to be removed: 3
Number of packages to be installed: 2

The process will require 21 MiB more space.

Proceed with this action? [y/N]: y

Now we need to build the rest.

root@nextcloud:/ # portmaster databases/php72-pgsql databases/php72-pdo_pgsql www/nextcloud www/php72-opcache devel/php72-intl mail/cclient mail/php72-imap math/php72-gmp ftp/php72-ftp
(...)
===>>> The following actions were performed:
        Installation of devel/gmake (gmake-4.2.1_2)
        Installation of devel/gettext-tools (gettext-tools-0.19.8.1)
        Installation of devel/p5-Locale-gettext (p5-Locale-gettext-1.07)
        Installation of misc/help2man (help2man-1.47.6)
        Installation of print/texinfo (texinfo-6.5,1)
        Installation of devel/m4 (m4-1.4.18,1)
        Installation of devel/autoconf-wrapper (autoconf-wrapper-20131203)
        Installation of devel/autoconf (autoconf-2.69_1)
        Installation of databases/php72-pgsql (php72-pgsql-7.2.4)
        Installation of databases/php72-pdo_pgsql (php72-pdo_pgsql-7.2.4)
        Installation of www/nextcloud (nextcloud-13.0.0)
        Installation of www/php72-opcache (php72-opcache-7.2.4)
        Installation of devel/php72-intl (php72-intl-7.2.4)
        Installation of mail/cclient (cclient-2007f_3,1)
        Installation of mail/php72-imap (php72-imap-7.2.4)
        Installation of math/php72-gmp (php72-gmp-7.2.4)
        Installation of ftp/php72-ftp (php72-ftp-7.2.4)

Alternatively, to not juggle between packages and ports, you may build everything from the FreeBSD Ports tree with the command below.

root@nextcloud:/ # portmaster -y www/nextcloud www/nginx databases/memcached security/sudo databases/postgresql10-server www/php72-opcache devel/php72-intl mail/cclient mail/php72-imap math/php72-gmp ftp/php72-ftp

Whichever method you choose, You must end up with these packages installed. This list does not contain dependencies.

root@nextcloud:/ # pkg info | grep -E 'php|nginx|memcached|postgresql|sudo|nextcloud|portmaster'
libmemcached-1.0.18_6          C and C++ client library to the memcached server
memcached-1.5.7                High-performance distributed memory object cache system
nextcloud-13.0.0               Personal cloud which runs on your own server
nginx-1.12.2_11,2              Robust and small WWW server
php72-7.2.4                    PHP Scripting Language
php72-bz2-7.2.4                The bz2 shared extension for php
php72-ctype-7.2.4              The ctype shared extension for php
php72-curl-7.2.4               The curl shared extension for php
php72-dom-7.2.4                The dom shared extension for php
php72-exif-7.2.4               The exif shared extension for php
php72-fileinfo-7.2.4           The fileinfo shared extension for php
php72-filter-7.2.4             The filter shared extension for php
php72-ftp-7.2.4                The ftp shared extension for php
php72-gd-7.2.4                 The gd shared extension for php
php72-gmp-7.2.4                The gmp shared extension for php
php72-hash-7.2.4               The hash shared extension for php
php72-iconv-7.2.4              The iconv shared extension for php
php72-imap-7.2.4               The imap shared extension for php
php72-intl-7.2.4               The intl shared extension for php
php72-json-7.2.4               The json shared extension for php
php72-ldap-7.2.4               The ldap shared extension for php
php72-mbstring-7.2.4           The mbstring shared extension for php
php72-opcache-7.2.4            The opcache shared extension for php
php72-openssl-7.2.4            The openssl shared extension for php
php72-pcntl-7.2.4              The pcntl shared extension for php
php72-pdo-7.2.4                The pdo shared extension for php
php72-pdo_pgsql-7.2.4          The pdo_pgsql shared extension for php
php72-pecl-memcached-3.0.4     PHP extension for interfacing with memcached via libmemcached library
php72-pecl-smbclient-0.9.0_3   Smbclient wrapper extension
php72-pgsql-7.2.4              The pgsql shared extension for php
php72-posix-7.2.4              The posix shared extension for php
php72-session-7.2.4            The session shared extension for php
php72-simplexml-7.2.4          The simplexml shared extension for php
php72-wddx-7.2.4               The wddx shared extension for php
php72-xml-7.2.4                The xml shared extension for php
php72-xmlreader-7.2.4          The xmlreader shared extension for php
php72-xmlwriter-7.2.4          The xmlwriter shared extension for php
php72-xsl-7.2.4                The xsl shared extension for php
php72-zip-7.2.4                The zip shared extension for php
php72-zlib-7.2.4               The zlib shared extension for php
portmaster-3.19_7              Manage your ports without external databases or languages
postgresql10-client-10.3       PostgreSQL database (client)
postgresql10-server-10.3       PostgreSQL is the most advanced open-source database available anywhere
sudo-1.8.22                    Allow others to run commands as root

PostgreSQL Database

Now we have to configure the PostgreSQL database. First let's start with the FreeBSD login class.

root@nextcloud:/ # cat >> /etc/login.conf << '__EOF'
postgres:\
        :lang=en_US.UTF-8:\
        :setenv=LC_COLLATE=C:\
        :tc=default:
__EOF

root@nextcloud:/ # grep -A 4 postgres /etc/login.conf
postgres:\
        :lang=en_US.UTF-8:\
        :setenv=LC_COLLATE=C:\
        :tc=default:

root@nextcloud:/ # cap_mkdb /etc/login.conf

Let's make sure that the PostgreSQL data directory belongs to the postgres user.

root@nextcloud:/ # chown postgres:postgres /var/db/postgres/data

Let's enable the PostgreSQL service in the /etc/rc.conf file. It will look like this for now.

root@nextcloud:/ # cat /etc/rc.conf
# DAEMONS | yes
  syslogd_flags="-s -s"
  sshd_enable=YES
  postgresql_enable=YES
  postgresql_class=postgres
  postgresql_data=/var/db/postgres/data
# php_fpm_enable=YES
# memcached_enable=YES
# memcached_flags="-l 192.168.43.100"
# nginx_enable=YES

# DAEMONS | no
  sendmail_enable=NONE
  sendmail_submit_enable=NO
  sendmail_outbound_enable=NO
  sendmail_msp_queue_enable=NO

# OTHER
  clear_tmp_enable=YES
  clear_tmp_X=YES
  extra_netfs_types=NFS
  dumpdev=NO
  update_motd=NO
  keyrate=fast

Now we may initialize and start the database.

root@nextcloud:/ # /usr/local/etc/rc.d/postgresql initdb
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locales
  COLLATE:  C
  CTYPE:    en_US.UTF-8
  MESSAGES: en_US.UTF-8
  MONETARY: en_US.UTF-8
  NUMERIC:  en_US.UTF-8
  TIME:     en_US.UTF-8
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/db/postgres/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    /usr/local/bin/pg_ctl -D /var/db/postgres/data -l logfile start

Now let's start it.

root@nextcloud:/ # /usr/local/etc/rc.d/postgresql start
2018-04-03 13:41:49.289 CEST [14522] LOG:  could not create IPv6 socket for address "::1": Protocol not supported
2018-04-03 13:41:49.291 CEST [14522] LOG:  listening on IPv4 address "127.0.0.1", port 5432
2018-04-03 13:41:49.297 CEST [14522] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
2018-04-03 13:41:49.328 CEST [14522] LOG:  ending log output to stderr
2018-04-03 13:41:49.328 CEST [14522] HINT:  Future log output will go to log destination "syslog".

root@nextcloud:/ # sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
postgres postgres   14522 4  tcp4   192.168.43.100:5432   *:*
root     sshd       14178 3  tcp4   192.168.43.100:22     *:*

OK, it's working and listening for connections.

Next we have to connect to create the user and database for the Nextcloud server.

root@nextcloud:/ # psql -h nextcloud.local -U postgres
psql: FATAL:  no pg_hba.conf entry for host "192.168.43.100", user "postgres", database "postgres", SSL off

Remember the rule about localhost in a Jail? There is no localhost in a Jail. We have to add the 192.168.43.100/32 address to the /var/db/postgres/data/pg_hba.conf file as shown below.

root@nextcloud:/ # grep -C 1 192.168.43.100 /var/db/postgres/data/pg_hba.conf
# IPv4 local connections:
host    all             all             192.168.43.100/32       trust
host    all             all             127.0.0.1/32            trust

Now let's restart the PostgreSQL database.

root@nextcloud:/ # /usr/local/etc/rc.d/postgresql restart
2018-04-03 13:44:01.264 CEST [14692] LOG:  could not create IPv6 socket for address "::1": Protocol not supported
2018-04-03 13:44:01.266 CEST [14692] LOG:  listening on IPv4 address "127.0.0.1", port 5432
2018-04-03 13:44:01.271 CEST [14692] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
2018-04-03 13:44:01.296 CEST [14692] LOG:  ending log output to stderr
2018-04-03 13:44:01.296 CEST [14692] HINT:  Future log output will go to log destination "syslog".

Now we can connect and create needed user and database for Nextcloud 13 installation.

root@nextcloud:/ # psql -h nextcloud.local -U postgres
psql (10.3)
Type "help" for help.

postgres=# CREATE USER nextcloud WITH PASSWORD '{NEXTCLOUD_DB_PASSWORD}';
CREATE ROLE
postgres=# CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
CREATE DATABASE
postgres=# ALTER DATABASE nextcloud OWNER TO nextcloud;
ALTER DATABASE
postgres-# \q
root@nextcloud:/ #
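
The trust entries in the pg_hba.conf above let any client connecting from the listed address log in as any role, postgres included, without a password. As an added example (not part of the original post), the script below lists the active trust records and prints a copy of the file with a password method on the TCP records; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a pg_hba.conf for "trust" records and print a copy
# with a password method on the TCP (host*) records.

# hba_trust_lines FILE
# Prints "LINE TYPE ADDRESS" for every active record whose method is trust.
# Exit status is 1 if any were found, 0 otherwise.
hba_trust_lines() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        {
            if ($1 == "local") {
                addr = "socket"; m = 4              # local db user method
            } else if ($1 ~ /^host/) {
                addr = $4
                # "IP MASK" form has the method in field 6,
                # CIDR or keyword addresses have it in field 5
                m = ($4 ~ /^[0-9.]+$/ || ($4 ~ /:/ && $4 !~ /\//)) ? 6 : 5
            } else {
                next
            }
            if ($m == "trust") { print NR, $1, addr; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# hba_replace_trust FILE METHOD
# Prints FILE with trust replaced by METHOD on host/hostssl/hostnossl records.
# Comments, blank lines and local records pass through unchanged; a rewritten
# record comes out with single spaces between its fields.
hba_replace_trust() {
    awk -v method="$2" '
        /^[ \t]*#/ || NF == 0 || $1 !~ /^host/ { print; next }
        {
            m = ($4 ~ /^[0-9.]+$/ || ($4 ~ /:/ && $4 !~ /\//)) ? 6 : 5
            if ($m == "trust") $m = method
            print
        }
    ' "$1"
}

# hba_sample: constructed sample modelled on the entries shown in the post.
hba_sample() {
    cat <<'EOF'
# constructed sample, not the real file from the Jail
local   all             all                                     trust
# IPv4 local connections:
host    all             all             192.168.43.100/32       trust
host    all             all             127.0.0.1/32            trust
host    nextcloud       nextcloud       192.168.43.100  255.255.255.255  md5
EOF
}

# Stand-alone run on the constructed sample.
f=$(mktemp) && hba_sample > "$f" && {
    echo "trust records:"
    hba_trust_lines "$f" || true
    echo "rewritten:"
    hba_replace_trust "$f" scram-sha-256
}
rm -f "$f"
```

scram-sha-256 is available from PostgreSQL 10 on; set password_encryption and give every role that connects over TCP (postgres included) a password before installing the rewritten file, otherwise those logins fail.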

I will also create a ‘daily maintenance’ script for the PostgreSQL database.

root@nextcloud:/ # cat >> /var/db/postgres/data/vacuum.sh << __EOF
#!/bin/sh
/usr/local/bin/reindexdb -a 1> /dev/null 2> /dev/null
/usr/local/bin/reindexdb -s 1> /dev/null 2> /dev/null
__EOF

root@nextcloud:/ # chmod +x /var/db/postgres/data/vacuum.sh
root@nextcloud:/ # chown postgres:postgres /var/db/postgres/data/vacuum.sh

Let's add it as a cron job for the postgres user.

root@nextcloud:/ # su - postgres -c 'crontab -e'
/tmp/crontab.ruG73E5ivZ: 1 lines, 42 characters.
crontab: installing new crontab

root@nextcloud:/ # su - postgres -c 'crontab -l'
0 0 * * * /var/db/postgres/data/vacuum.sh

Nginx Webserver

Now we have to configure Nginx; let's start by creating the self signed certificate. If You do not want to see warnings that this certificate is not signed then You may want to use a service such as letsencrypt.org.

root@nextcloud:/ # mkdir -p /usr/local/etc/nginx/ssl
root@nextcloud:/ # cd /usr/local/etc/nginx/ssl
root@nextcloud:/usr/local/etc/nginx/ssl # openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout nginx.key -out nginx.crt
Enter pass phrase for server.key: {NEXTCLOUD_SERVER_PASSWORD}
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:lodzkie
Locality Name (eg, city) []:Lodz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Vermaden Enterprises Ltd.
Organizational Unit Name (eg, section) []:Nextcloud Departament
Common Name (e.g. server FQDN or YOUR name) []:nextcloud.local
Email Address []:vermaden@nextcloud.com

root@nextcloud:/ # chmod 400 /usr/local/etc/nginx/ssl/nginx.key
root@nextcloud:/ # ls -l /usr/local/etc/nginx/ssl
total 14
-rw-r--r--  1 root  wheel  2220 Apr  3 14:43 nginx.crt
-rw-------  1 root  wheel  3272 Apr  3 14:43 nginx.key

Let's take care of the permissions for the Nginx log files.

root@nextcloud:/ # ls -l /var/log | grep nginx
drwxr-xr-x  2 root  wheel        2 Apr  3 01:10 nginx

root@nextcloud:/ # chown -R www:www /var/log/nginx

root@nextcloud:/ # ls -l /var/log/ | grep nginx
drwxr-xr-x  2 www   www          2 Apr  3 01:10 nginx

… and last but not least, the Nginx main configuration file.

root@nextcloud:/ # cat /usr/local/etc/nginx/nginx.conf
user                 www;
worker_processes     4;
worker_rlimit_nofile 51200;
error_log            /var/log/nginx/error.log;

events {
  worker_connections 1024;
}

http {
  include           mime.types;
  default_type      application/octet-stream;
  log_format        main  '$remote_addr - $remote_user [$time_local] "$request" ';
  access_log        /var/log/nginx/access.log main;
  sendfile          on;
  keepalive_timeout 65;

  upstream php-handler {
    server unix:/var/run/php-fpm.sock;
  }

  server {
    # ENFORCE HTTPS
    listen      80;
    server_name nextcloud.local;
    return      301 https://$server_name$request_uri;
  }

  server {
    listen              443 ssl http2;
    server_name         nextcloud.local;
    ssl_certificate     /usr/local/etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/nginx.key;

    # HEADERS SECURITY RELATED
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    # HEADERS
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # PATH TO THE ROOT OF YOUR INSTALLATION
    root /usr/local/www/nextcloud/;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # BUFFERS TIMEOUTS UPLOAD SIZES
    client_max_body_size    16400M;
    client_body_buffer_size 1048576k;
    send_timeout            3000;

    # ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
      rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param HTTPS on;
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
      fastcgi_keep_conn       off;
      fastcgi_buffers         16 256K;
      fastcgi_buffer_size     256k;
      fastcgi_busy_buffers_size 256k;
      fastcgi_temp_file_write_size 256k;
      fastcgi_send_timeout    3000s;
      fastcgi_read_timeout    3000s;
      fastcgi_connect_timeout 3000s;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
      try_files $uri/ =404;
      index index.php;
    }

    # ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
    # MAKE SURE IT IS BELOW PHP BLOCK
    location ~ \.(?:css|js|woff|svg|gif)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=15778463";
      # HEADERS SECURITY RELATED
      # IT IS INTENDED TO HAVE THOSE DUPLICATED TO ONES ABOVE
      add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
      # HEADERS
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      # OPTIONAL: DONT LOG ACCESS TO ASSETS
      access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
      access_log off;
    }
  }
}
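
The security headers are repeated inside the css/js location above because Nginx inherits add_header directives from the server level only when a location defines none of its own. The check below is an added example, not part of the original configuration; the function name and the sample config are made up for illustration, and it assumes one directive per line, braces placed as in the file above, and no nested locations.

```shell
#!/bin/sh
# Added example, not part of the article's configuration.
# check_add_header_inheritance reads an nginx.conf (stdin or file arguments) and prints
# "<location>: missing <Header>" for each location that has its own add_header lines
# but does not repeat a header set at the enclosing server level.
check_add_header_inheritance() {
  awk '
    # Report and reset once a server block is complete.
    function flush_server(   i, j) {
      for (i = 1; i <= nloc; i++) {
        if (!(i in lochas)) { continue }   # no add_header here: server headers are inherited
        for (j = 1; j <= nsrv; j++) {
          if (!((i, srvkey[j]) in lochdr)) { print locname[i] ": missing " srv[j] }
        }
      }
      nloc = 0; nsrv = 0
      split("", lochas); split("", lochdr)
    }
    /^[ \t]*#/ { next }                    # skip comment lines
    {
      line = $0
      opens  = gsub(/[{]/, "&", line)      # count braces to track block depth
      closes = gsub(/[}]/, "&", line)
      if ($1 == "server" && $2 == "{") {
        in_server = 1; sdepth = depth
      } else if ($1 == "location" && in_server) {
        in_loc = 1; ldepth = depth
        name = $0
        sub(/^[ \t]*location[ \t]+/, "", name)
        sub(/[ \t]*[{].*$/, "", name)
        locname[++nloc] = name
      } else if ($1 == "add_header" && in_server) {
        if (in_loc) { lochas[nloc] = 1; lochdr[nloc, tolower($2)] = 1 }
        else        { srv[++nsrv] = $2; srvkey[nsrv] = tolower($2) }
      }
      depth += opens - closes
      if (in_loc && depth <= ldepth) { in_loc = 0 }
      if (in_server && depth <= sdepth) { flush_server(); in_server = 0 }
    }
  ' "$@"
}

# Constructed sample: a cut-down server block in the article's layout in which the
# asset location does not repeat Strict-Transport-Security.
sample_conf() {
  cat << 'EOF'
http {
  upstream php-handler {
    server unix:/var/run/php-fpm.sock;
  }
  server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    location / {
      rewrite ^ /index.php$uri;
    }
    location ~ \.(?:css|js|woff|svg|gif)$ {
      add_header Cache-Control "public, max-age=15778463";
      add_header X-Content-Type-Options nosniff;
    }
  }
}
EOF
}

sample_conf | check_add_header_inheritance
```

Run against the real file with check_add_header_inheritance /usr/local/etc/nginx/nginx.conf; no output means every location that sets headers also repeats the server-level ones.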

If at any point later You get the following error in the browser, then there is a problem between the Nginx and PHP (php-fpm) configuration.

502 Bad Gateway
---------------
nginx/1.12.2

PHP

Now we have to configure PHP for our needs. First PostgreSQL related settings.

root@nextcloud:/ # cat /usr/local/etc/php/ext-20-pgsql.ini
extension=pgsql.so

root@nextcloud:/ # cat >> /usr/local/etc/php/ext-20-pgsql.ini << __EOF

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
__EOF

root@nextcloud:/ # cat /usr/local/etc/php/ext-20-pgsql.ini
extension=pgsql.so

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
root@nextcloud:/ # cat /usr/local/etc/php/ext-30-pdo_pgsql.ini
extension=pdo_pgsql.so


root@nextcloud:/ # cat >> /usr/local/etc/php/ext-30-pdo_pgsql.ini << __EOF

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
__EOF

root@nextcloud:/ # cat /usr/local/etc/php/ext-30-pdo_pgsql.ini
extension=pdo_pgsql.so

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

Let's make sure the php-fpm log file exists and has the right owner.

root@nextcloud:/ # :> /var/log/php-fpm.log
root@nextcloud:/ # chown www:www /var/log/php-fpm.log

No modifications needed to the /usr/local/etc/php-fpm.conf file.

root@nextcloud:/ # grep '^[^;]' /usr/local/etc/php-fpm.conf
[global]
pid = run/php-fpm.pid
include=/usr/local/etc/php-fpm.d/*.conf

Let's create the www profile for the php-fpm daemon.

root@nextcloud:/ # cat /usr/local/etc/php-fpm.d/www.conf
[www]
user = www
group = www
listen = /var/run/php-fpm.sock
listen.backlog = -1
listen.owner = www
listen.group = www
listen.mode=0660
pm = static
pm.max_children = 4
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 4
pm.process_idle_timeout = 1000s;
pm.max_requests = 500
request_terminate_timeout = 0
rlimit_files = 51200
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

… and the main PHP /usr/local/etc/php.ini configuration file.

root@nextcloud:/ # cat /usr/local/etc/php.ini
[PHP]
max_input_time=3600
engine = On
short_open_tag = On
precision = 14
output_buffering = OFF
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
disable_functions =
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 3600
max_input_time = 30000
memory_limit = 1024M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
error_log = /var/log/php.log
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 16400M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 16400M
max_file_uploads = 64
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 300
[CLI Server]
cli_server.color = On
[Date]
date.timezone = Europe/Warsaw
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.save_path = "/tmp"
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
[curl]
[openssl]
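
A listing this long is easy to misread: max_input_time is set twice above (PHP keeps the last value it reads), and a few security-relevant directives are left at permissive values. The audit below is an added example, not part of the original article; the function names are made up, and the baseline it compares against is this example's assumption of common hardening values, not a Nextcloud requirement.

```shell
#!/bin/sh
# Added example, not part of the original article.
# audit_php_ini reads a php.ini (stdin or file arguments) and reports
#   DUPLICATE  a directive set more than once with different values
#   WEAK       a directive that differs from the baseline below
#   UNSET      a baseline directive that is absent from the file
# The baseline is an assumption of this example (common hardening advice).
audit_php_ini() {
  awk '
    function trim(s) { sub(/^[ \t"]+/, "", s); sub(/[ \t"]+$/, "", s); return s }
    # Map PHP boolean spellings to 1/0; an empty value counts as off.
    function norm(v) {
      v = tolower(v)
      if (v == "on" || v == "yes" || v == "true") { return "1" }
      if (v == "off" || v == "no" || v == "false" || v == "") { return "0" }
      return v
    }
    BEGIN {
      n = split("expose_php display_errors allow_url_include session.cookie_httponly session.use_strict_mode", keys, " ")
      split("Off Off Off 1 1", base, " ")
    }
    /^[ \t]*;/ || /^[ \t]*\[/ || /^[ \t]*$/ { next }   # comments, sections, blanks
    {
      eq = index($0, "=")
      if (eq == 0) { next }
      key = trim(substr($0, 1, eq - 1))
      val = trim(substr($0, eq + 1))
      if ((key in seen) && seen[key] != val) {
        print "DUPLICATE " key ": " seen[key] " is overridden by " val
      }
      seen[key] = val
    }
    END {
      for (i = 1; i <= n; i++) {
        if (!(keys[i] in seen)) { print "UNSET " keys[i] " (baseline " base[i] ")"; continue }
        shown = (seen[keys[i]] == "" ? "(empty)" : seen[keys[i]])
        if (norm(seen[keys[i]]) != norm(base[i])) {
          print "WEAK " keys[i] " = " shown " (baseline " base[i] ")"
        }
      }
    }
  ' "$@"
}

# Constructed sample: directives copied from the php.ini listing above, in the same order.
sample_php_ini() {
  cat << 'EOF'
[PHP]
max_input_time=3600
expose_php = On
max_input_time = 30000
display_errors = Off
allow_url_include = Off
[Session]
session.use_strict_mode = 0
session.cookie_httponly =
EOF
}

sample_php_ini | audit_php_ini
```

Run against the real file with audit_php_ini /usr/local/etc/php.ini.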

Daemons

Now, we should enable all daemons and start them, here is the final /etc/rc.conf file.

root@nextcloud:/ # cat /etc/rc.conf
# DAEMONS | yes
  syslogd_flags="-s -s"
  sshd_enable=YES
  postgresql_enable=YES
  postgresql_class=postgres
  postgresql_data=/var/db/postgres/data
  php_fpm_enable=YES 
  memcached_enable=YES
  memcached_flags="-l 192.168.43.100"
  nginx_enable=YES

# DAEMONS | no
  sendmail_enable=NONE
  sendmail_submit_enable=NO
  sendmail_outbound_enable=NO
  sendmail_msp_queue_enable=NO

# OTHER
  clear_tmp_enable=YES
  clear_tmp_X=YES
  extra_netfs_types=NFS
  dumpdev=NO
  update_motd=NO
  keyrate=fast

Let's start the services then.

Memcached.

root@nextcloud:/ # /usr/local/etc/rc.d/memcached start
Starting memcached.

The PHP php-fpm daemon.

root@nextcloud:/ # /usr/local/etc/rc.d/php-fpm start
Performing sanity check on php-fpm configuration:
[03-Apr-2018 14:28:22] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Starting php_fpm.

The PostgreSQL database should be running already.

root@nextcloud:/ # /usr/local/etc/rc.d/postgresql status
pg_ctl: server is running (PID: 17751)
/usr/local/bin/postgres "-D" "/var/db/postgres/data"

… and the Nginx webserver.

root@nextcloud:/ # /usr/local/etc/rc.d/nginx start
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.

Let's see which daemon is listening on which port.

root@nextcloud:/ # sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      28583 6  tcp4   192.168.43.100:80     *:*
www      nginx      28583 7  tcp4   192.168.43.100:443    *:*
www      nginx      28582 6  tcp4   192.168.43.100:80     *:*
www      nginx      28582 7  tcp4   192.168.43.100:443    *:*
www      nginx      28581 6  tcp4   192.168.43.100:80     *:*
www      nginx      28581 7  tcp4   192.168.43.100:443    *:*
www      nginx      28580 6  tcp4   192.168.43.100:80     *:*
www      nginx      28580 7  tcp4   192.168.43.100:443    *:*
root     nginx      28579 6  tcp4   192.168.43.100:80     *:*
root     nginx      28579 7  tcp4   192.168.43.100:443    *:*
nobody   memcached  28239 16 tcp4   192.168.43.100:11211  *:*
postgres postgres   28211 4  tcp4   192.168.43.100:5432   *:*
root     sshd       28205 3  tcp4   192.168.43.100:22     *:*

Remember that php-fpm daemon uses /var/run/php-fpm.sock socket.

root@nextcloud:/ # ls -l /var/run/php-fpm.sock
srw-rw----  1 www  www  0 Apr  3 18:27 /var/run/php-fpm.sock

Nextcloud

Now let's prepare the directory for Nextcloud data.

root@nextcloud:/ # mkdir -p /var/db/nextcloud/data
root@nextcloud:/ # chown -R www:www /var/db/nextcloud

We also need to make sure that whole Nextcloud installation directory is owned by www user.

root@nextcloud:/ # chown -R www:www /usr/local/www/nextcloud

Now we should be able to access Nextcloud 13 using a browser. Let's type https://nextcloud.local/ on the host in the browser of your choice.

nextcloud-00

Voila! It's alive.

Here are the last configuration bits entered directly in the browser.

   ADMIN USER: admin
   ADMIN PASS: {NEXTCLOUD_ADMIN_PASSWORD}
  DATA FOLDER: /var/db/nextcloud/data
DATABASE USER: nextcloud
DATABASE PASS: {NEXTCLOUD_DB_PASSWORD} 
DATABASE NAME: nextcloud
DATABASE HOST: nextcloud.local

Here is how it looks in the browser.

nextcloud-01-setup

After we click the Finish setup button we should see the Nextcloud welcome message as shown below.

nextcloud-02-welcome

We may close this message and we will see our files.

nextcloud-03-files

The Nextcloud settings page yells about the lack of a cache daemon.

nextcloud-04-nocache

Let's configure our memcached daemon in the Nextcloud configuration file.

nextcloud-05-cache

Here are the lines added to the /usr/local/www/nextcloud/config/config.php file.

root@nextcloud:/usr/local/www/nextcloud/config # diff -u config.php.ORG config.php
--- config.php.ORG      2018-04-03 16:39:04.531258000 +0200
+++ config.php  2018-04-03 16:40:01.509956000 +0200
@@ -18,4 +18,14 @@
   'dbuser' => 'nextcloud',
   'dbpassword' => '',
   'installed' => true,
+  'memcache.local' => '\\OC\\Memcache\\Memcached',
+  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
+  'memcached_servers' =>
+  array (
+    0 =>
+    array (
+      0 => 'nextcloud.local',
+      1 => 11211,
+    ),
+  ),
 );
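
Review bot: the new 'memcached_servers' entry points Nextcloud at 'nextcloud.local' port 11211 over TCP, and memcached does not authenticate clients by default, so anything that can reach that address and port can read or change cached data. Bind memcached to an address that is reachable only from inside the jail, or filter port 11211 on the host, and say which was done in a comment next to this entry.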

Here is the complete Nextcloud 13 main configuration file /usr/local/www/nextcloud/config/config.php after the changes.

root@nextcloud:/ # cat /usr/local/www/nextcloud/config/config.php
<?php
$CONFIG = array (
  'instanceid' => 'oc70jc009i5e',
  'passwordsalt' => 'anVkM4F5kJwhInurq0N6eq65JmL3xZ',
  'secret' => '2RjnOfiMfrdW6rJEcpxORL39+E1gvS38+sys+G0uI6vZOOSc',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.local',
  ),
  'datadirectory' => '/var/db/nextcloud/data',
  'overwrite.cli.url' => 'https://nextcloud.local',
  'dbtype' => 'pgsql',
  'version' => '13.0.0.14',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud.local',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => '',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Memcached',
  'memcache.distributed' => '\\OC\\Memcache\\Memcached',
  'memcached_servers' =>
  array (
    0 =>
    array (
      0 => 'nextcloud.local',
      1 => 11211,
    ),
  )
);

Alternatively You may want to get that config directly from the Nextcloud application using the occ command.

root@nextcloud:/ # sudo -u www php /usr/local/www/nextcloud/occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.local"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nextcloud.local",
        "dbtype": "pgsql",
        "version": "13.0.0.14",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\Memcached",
        "memcache.distributed": "\\OC\\Memcache\\Memcached",
        "memcached_servers": [
            [
                "nextcloud.local",
                11211
            ]
        ]
    }
}

Logs

To avoid filling the /var/log directory with tons of logs we need to configure their rotation.

Here are the lines added to the /etc/newsyslog.conf file.

root@nextcloud:/ # cat >> /etc/newsyslog.conf << __EOF
/var/db/nextcloud/data/nextcloud.log     www:www     640  7     *    @T00  JC
/var/log/php-fpm.log                     www:www     640  7     *    @T00  JC
/var/log/nginx/error.log                 www:www     640  7     *    @T00  JC
/var/log/nginx/access.log                www:www     640  7     *    @T00  JC
__EOF

Let's verify the rotation.

root@nextcloud:/ # newsyslog -v | tail -4
/var/db/nextcloud/data/nextcloud.log : --> will trim at Fri Jul 21 00:00:00 2017
/var/log/php-fpm.log : --> will trim at Fri Jul 21 00:00:00 2017
/var/log/nginx/error.log : --> will trim at Fri Jul 21 00:00:00 2017
/var/log/nginx/access.log : --> will trim at Fri Jul 21 00:00:00 2017

Yep. Works like a charm.

Cleanup (Optional)

We may now remove the unneeded parts of the Jail, for example downloaded packages and distfiles.

root@nextcloud:/ # rm -rf /var/cache/pkg

root@nextcloud:/ # rm -rf /usr/ports/obj

root@nextcloud:/ # rm -rf /usr/ports/distfiles

root@nextcloud:/ # pkg autoremove
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 8 packages:

Installed packages to be REMOVED:
        autoconf-2.69_1
        autoconf-wrapper-20131203
        gettext-tools-0.19.8.1
        gmake-4.2.1_2
        help2man-1.47.6
        m4-1.4.18,1
        p5-Locale-gettext-1.07
        texinfo-6.5,1

Number of packages to be removed: 8

The operation will free 26 MiB.

Proceed with deinstalling packages? [y/N]: y

You have reached the end, good luck with Your Nextcloud setup 😉

UPDATE 1 – SysV IPC in Jails

Since FreeBSD 11.0-RELEASE and FreeBSD 10.4-RELEASE the allow.sysvipc Jail parameter in /etc/jail.conf has been deprecated in favor of sysvmsg/sysvsem/sysvshm parameters. This information is available in man 8 jail manual page for example.

host # man 8 jail
(...)
             allow.sysvipc
                     A process within the jail has access to System V IPC
                     primitives.  This is deprecated in favor of the per-
                     module parameters (see below).  When this parameter is
                     set, it is equivalent to setting sysvmsg, sysvsem, and
                     sysvshm all to “inherit”.

(...)

Before this change there was a problem with SysV IPC calls, because the PostgreSQL server user postgres needed to have a different UID in each Jail running on that host. Now You can have 100 Jails, each with the postgres user at UID 500, and everything works like a charm.

It is described broadly in this blog post – Postgres in FreeBSD Jails: https://planet.freebsd.org/brd/2017/11/07/postgres-in-freebsd-jails/.

Using newer approach these are the changes in the configuration in the /etc/jail.conf file.

host # diff -u /etc/jail.conf.OLD /etc/jail.conf
--- /etc/jail.conf.OLD  2018-04-05 13:04:18.556904000 +0200
+++ /etc/jail.conf      2018-04-05 13:04:10.828127000 +0200
@@ -8,5 +8,7 @@
   exec.clean;
   mount.devfs;
   allow.raw_sockets;
-  allow.sysvipc;
+  sysvsem = new;
+  sysvshm = new;
+  sysvmsg = new;
 }
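
Review bot: of the three added lines, 'sysvmsg = new;' looks unnecessary for this jail. PostgreSQL uses System V shared memory and, depending on the build, semaphores, but not System V message queues, so unless another service in the jail needs them, drop that line and keep only sysvsem and sysvshm. A short comment that the remaining parameters are there for PostgreSQL would help the next reader.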

… and the whole /etc/jail.conf file after modification.

host # cat /etc/jail.conf
nextcloud {
  host.hostname = nextcloud.local;
  ip4.addr = 192.168.43.100;
  interface = wlan0;
  path = /jail/nextcloud;
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  mount.devfs;
  allow.raw_sockets;
  sysvsem = new;
  sysvshm = new;
  sysvmsg = new;
}

UPDATE 2 – Setup without Sockets

To run this setup without UNIX sockets You may want to configure the PHP php-fpm daemon to listen on an IPv4 address instead of using the /var/run/php-fpm.sock socket for communication. These are the changes in the /usr/local/etc/php-fpm.d/www.conf php-fpm profile and in the Nginx webserver main configuration file /usr/local/etc/nginx/nginx.conf.

root@nextcloud:/ # diff -u /usr/local/etc/php-fpm.d/www.conf.SOCKET /usr/local/etc/php-fpm.d/www.conf
--- /usr/local/etc/php-fpm.d/www.conf.SOCKET    2018-04-05 12:46:06.351550000 +0200
+++ /usr/local/etc/php-fpm.d/www.conf   2018-04-05 12:46:09.324277000 +0200
@@ -1,7 +1,8 @@
 [www]
 user = www
 group = www
-listen = /var/run/php-fpm.sock
+listen = 192.168.43.100:9000
+listen.allowed_clients = 192.168.43.100
 listen.backlog = -1
 listen.owner = www
 listen.group = www
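
Review bot: with 'listen' now a TCP address, the unchanged 'listen.owner' and 'listen.group' lines below it no longer restrict anything, because they apply only to UNIX sockets; access control rests entirely on the new 'listen.allowed_clients' line. FastCGI has no authentication of its own, so add a comment that only the local Nginx is expected to connect and filter port 9000 on the host as a second layer.
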
root@nextcloud:/ # diff -u /usr/local/etc/nginx/nginx.conf.SOCKET /usr/local/etc/nginx/nginx.conf
--- /usr/local/etc/nginx/nginx.conf.SOCKET      2018-04-05 12:42:09.051583000 +0200
+++ /usr/local/etc/nginx/nginx.conf     2018-04-05 12:42:30.491819000 +0200
@@ -16,7 +16,7 @@
   keepalive_timeout 65;
 
   upstream php-handler {
-    server unix:/var/run/php-fpm.sock;
+    server 192.168.43.100:9000;
   }
 
   server {

UPDATE 3 – Nextcloud 13.0.1 Update

After update to latest Nextcloud 13.0.1 the setup is broken. The symptom is that after the login page it keeps redirecting. The fix has been described in the /usr/ports/UPDATING file, here is the message with the fix itself.

20180404:
  AFFECTS: users of www/nextcloud
  AUTHOR: brnrd@FreeBSD.org

  With the 13.0.1 update the path for Apps bundled with the package has
  changed from "apps" to "apps-pkg". You must add an entry to the
  "apps_paths" array in config/config.php of your nextcloud installation,
  a patch for the default installation can be applied with:

  # cd /usr/local/www/nextcloud
  # su -m www -c "php ./occ config:import < /usr/local/share/nextcloud/fix-apps_paths.json"

So to fix the installation after eventual upgrade to 13.0.1 these instructions need to be executed in the Jail.

root@nextcloud:/ # su -m www -c "php /usr/local/www/nextcloud/occ config:import < /usr/local/share/nextcloud/fix-apps_paths.json"

Hope that helps to resolve the issue.

UPDATE 4

The Nextcloud 13 on FreeBSD article was featured in the BSD Now 245 – ZFS User Conf 2018 episode.

Thanks for mentioning!

EOF

38 thoughts on “Nextcloud 13 on FreeBSD”

  7. Daniel Hansson

    Hey, great guide.

    Just one thing: Nginx is good at serving *static* content. That’s why Nextcloud feels snappy in the GUI because you are loading static php files. Nextcloud isn’t a website though, it’s a filesync software (and more), so Apache is better suited for that.

  10. Josh

    Good guide, thanks for sharing.

    Have you tried setting up a reverse proxy with this config? Any idea how to adjust the nginx.conf in your guide to accommodate this incoming traffic? I keep hitting too many redirects on SSL and I’m probably doing something embarrassingly badly 🙂

    The traffic is coming from another nginx server with a proxy_set_header Host $host;
    and proxy_pass https://local.network.ip;

    1. vermaden Post author

      Thank You.

      I haven't tried that, and as I like Nginx very much it's sometimes ‘non-obvious’ to configure it properly.

      From my experience with Nginx it is sometimes that one single option or parameter that changes everything, but till you find it, it's a mystery.

      These are some quick searches that may or may not be relevant for your case, but I would focus on search for that one little parameter/option that would fix the situation.

      https://stackoverflow.com/questions/41583088/http-to-https-nginx-too-many-redirects
      https://www.digitalocean.com/community/questions/error-too-many-redirect-on-nginx
      https://serverfault.com/questions/779920/nginx-too-many-redirects

      Regards

    2. vermaden Post author

      Figured it out (…)

      Seems this was covered in the UPDATE 3 – Nextcloud 13.0.1 Update at the bottom of the article, but these problems are often not that obvious, glad you have it worked out 😉

  11. Michiel

    Hey, thanks for the guide. Did you get CalDav to work? I am seriously stuck, neither Calendar nor Tasks works. In my nextcloud log it says Undefined table: 7 ERROR: relation \\\”oc_calendars\\\” does not exist. My firefox console says a whole bunch of stuff:
    Source map error: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data
    Resource URL: https://cloud.favier.pw/core/vendor/core.js?v=cf7ce964-0
    Source Map URL: purify.min.js.map[Learn More]
    Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: ondrop attribute on INPUT element.
    tasks
    uncaught exception: CalDAV client could not be initialized – Querying calendars failed

    I would provide the PostgreSQL logs if I knew where to find them.
    Thanks in advance

    1. vermaden Post author

      Thanks.

      I was able to successfully connect Nextcloud with LDAP’s Active Directory to get users and permissions from there but I haven’t tried to sync with Outlook calendar, so no experience here.

      Create an ISSUE here – https://github.com/nextcloud – they are very helpful and reply fast.

      Regards.

    2. Bjoern

      Hi Michiel,

      same problem here. Apps like Calendar are not working. Did you already find a solution or open an ISSUE? The PostgreSQL logs are in /var/log/messages and it’s something like:

      ERROR: relation “oc_addressbooks” does not exist at character 84
      STATEMENT: SELECT “id”, “uri”, “displayname”, “principaluri”, “description”, “synctoken” FROM “oc_addressbooks” WHERE “principaluri” = $1

      Does anyone else have an idea how to fix this?
      Thanks in advance

      BTW: This guide is great! Thanks vermaden

      1. Bjoern

        Ok, the following command fixed it for me:
        sudo -u www php /usr/local/www/nextcloud/occ app:enable dav

  12. Charly

    Hello and thank you for the guide although it is supposed to be useful for very experienced users only.

    My issues: Following the guide, a jail.conf has to be created and the rc.conf has to be updated. These changes are lost after rebooting the image. (as mentioned in the CLI). A jail “nextcloud” will not start (message: no such jail). So the jail creation fails. Creating the jail from the UI leads to a mismatch problem since 11.0 is downloaded instead of the requested 11.1. Configuring with a DHCP is not foreseen. If a zfs pool is created, it will be mounted on /mnt/local rather than /local. The jail will be found on /mnt/jail/… which causes problems in the UI again.

    The howto seems to be the most sophisticated all around but due to a mismatch between the writer and my poor knowledge not successful (yet).

    Some further hints would be highly appreciated. (such as initial prerequisites for freenas)

    1. Charly

      Well, I know the reason for my issues are solely in the fact that I try to set it up on freenas instead of a plain FreeBSD… (just to have that cleared.)

    2. vermaden Post author

      I would start to follow the guide using plain FreeBSD (maybe in VirtualBox for example) to not mess with FreeNAS here.

      They (FreeNAS) do a lot of things by themselves and they use IOCAGE instead of using the ‘plain’ Jails subsystem, so first You would have to ‘learn’ IOCAGE to use it properly and then try to implement such a Jail on FreeNAS using IOCAGE – which is different than using the ‘plain’ Jails mechanism.

      As FreeNAS (at least recent ones) support Bhyve for the virtual machines you may as well create new FreeBSD VM there and follow the guide with Nextcloud.

  14. daniel katz

    So I have followed your guide and I cannot get connectivity from inside the jail. Turns out routing tables are screwed:

    netstat -r
    Routing tables

    Internet:
    Destination Gateway Flags Netif Expire
    default 192.168.0.1 UGS bridge0
    localhost link#6 UH lo0
    192.168.0.0/24 link#7 U bridge0
    192.168.0.100 link#7 UHS lo0
    192.168.0.150 link#7 UHS lo0
    192.168.0.150/32 link#7 U bridge0

    cat /etc/jail.conf
    nextcloud {
    host.hostname = nextcloud.local;
    ip4.addr = 192.168.0.150;
    interface = bridge0;
    path = /jail/nextcloud;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    allow.raw_sockets;
    allow.sysvipc;
    }

    ifconfig bridge0
    bridge0: flags=8843 metric 0 mtu 1500
    ether 02:24:48:05:0e:00
    inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.150 netmask 0xffffffff broadcast 192.168.0.150
    nd6 options=9
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: re0 flags=143
    ifmaxaddr 0 port 5 priority 128 path cost 55
    member: igb3 flags=143
    ifmaxaddr 0 port 4 priority 128 path cost 2000000
    member: igb2 flags=143
    ifmaxaddr 0 port 3 priority 128 path cost 2000000
    member: igb1 flags=143
    ifmaxaddr 0 port 2 priority 128 path cost 2000000
    member: igb0 flags=143
    ifmaxaddr 0 port 1 priority 128 path cost 2000000

  16. gromp43

    Thanks for this post! I was able to follow it and got it working on my Freenas server in an IOCAGE jail. Could you possibly show us what steps you take to update Nextcloud and whatever else you typically update with it?

    1. vermaden Post author

      Welcome 😉

      Every time I needed to update Nextcloud I just followed Nextcloud update instructions, so I will be only copy-pasting them 🙂

  17. Alex

    Hello,
    Thanks for sharing this wonderful howto. The nextcloud security check showed a warning that the Referrer-Policy is not set to “no-referrer”. Might be a security problem. I added it to nginx.conf.

    add_header Referrer-Policy "no-referrer";

    Best regards
    Alex
