Benutzer-Werkzeuge

Webseiten-Werkzeuge


server:nextcloud:installation:start

Dies ist eine alte Version des Dokuments!


Installation

Nachfolgend werden die Schritte beschrieben, die nötig sind, um Nextcloud unter Ubuntu 26.04 LTS zu installieren.

Software-Konfiguration

Übersicht über Shortcuts des Editors “nano”: https://www.nano-editor.org/dist/latest/cheatsheet.html

nginx

Sicherung der Standard-Konfiguration:

cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

Allgemeine Einstellungen nginx:

nano /etc/nginx/nginx.conf

Folgende Einstellungen sollten hier gesetzt bzw. kontrolliert werden:

• user www-data;
• worker_processes auto;
• server_tokens off;

Komplette nginx.conf:

user  www-data;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
 
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    server_tokens off;
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
}

Deaktivierung der “Dummy-Webseite”:

mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled

“Selbsttest” der Konfiguration:

nginx -t

nginx neu starten:

service nginx restart

MariaDB

mysql_secure_installation für MariaDB nachinstallieren, weil in der aktuellen Version nicht mehr enthalten:

apt install mariadb-client-compat

Absicherung des Datenbanksystems:

mysql_secure_installation

Kopieren der Original-Einstellungen:

cp /etc/mysql/mariadb.conf.d/50-server.cnf /etc/mysql/mariadb.conf.d/50-server.cnf.bak

Öffnen der allgemeinen Konfiguration von MariaDB:

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Fügen Sie folgende Zeilen direkt nach der Definition der Sektion [mysqld] ein:

innodb_read_only_compressed=OFF
slave_connections_needed_for_purge=0
Die komplette Datei 50-server.cnf:
#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
# this is read by the standalone daemon and embedded servers
[server]
# this is only for the mysqld standalone daemon
[mysqld]
# Allow write access to tables with format 'compressed'
innodb_read_only_compressed=OFF
slave_connections_needed_for_purge=0
#
# * Basic Settings
#
#user                    = mysql
pid-file                = /run/mysqld/mysqld.pid
basedir                 = /usr
#datadir                 = /var/lib/mysql
#tmpdir                  = /tmp
# Broken reverse DNS slows down connections considerably and name resolve is
# safe to skip if there are no "host by domain name" access grants
#skip-name-resolve
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1
#
# * Fine Tuning
#
#key_buffer_size        = 128M
#max_allowed_packet     = 1G
#thread_stack           = 192K
#thread_cache_size      = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
#myisam_recover_options = BACKUP
#max_connections        = 100
#table_cache            = 64
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# Recommend only changing this at runtime for short testing periods if needed!
#general_log_file       = /var/log/mysql/mysql.log
#general_log            = 1
# When running under systemd, error logging goes via stdout/stderr to journald
# and when running legacy init error logging goes to syslog due to
# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
# Enable this if you want to have error logging into a separate file
#log_error = /var/log/mysql/error.log
# Enable the slow query log to see queries with especially long duration
#slow_query_log_file    = /var/log/mysql/mariadb-slow.log
#long_query_time        = 10
#log_slow_verbosity     = query_plan,explain
#log-queries-not-using-indexes
#min_examined_row_limit = 1000
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id              = 1
#log_bin                = /var/log/mysql/mysql-bin.log
expire_logs_days        = 10
#max_binlog_size        = 100M
#
# * SSL/TLS
#
# For documentation, please read
# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
#ssl-ca = /etc/mysql/cacert.pem
#ssl-cert = /etc/mysql/server-cert.pem
#ssl-key = /etc/mysql/server-key.pem
#require-secure-transport = on
#
# * Character sets
#
# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
# utf8 4-byte character set. See also client.cnf
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# Most important is to give InnoDB 80 % of the system RAM for buffer use:
# https://mariadb.com/kb/en/innodb-system-variables/#innodb_buffer_pool_size
#innodb_buffer_pool_size = 8G
# this is only for embedded server
[embedded]
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# This group is only read by MariaDB-10.6 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-11.8]

Neustarten des Datenbank-Dienstes:

service mariadb restart

PHP

Sichern der originalen Konfigurationsdateien:

cp /etc/php/8.5/fpm/pool.d/www.conf /etc/php/8.5/fpm/pool.d/www.conf.bak
cp /etc/php/8.5/cli/php.ini /etc/php/8.5/cli/php.ini.bak
cp /etc/php/8.5/fpm/php.ini /etc/php/8.5/fpm/php.ini.bak
cp /etc/php/8.5/fpm/php-fpm.conf /etc/php/8.5/fpm/php-fpm.conf.bak

Anpassen der Konfiguration des PHP-Thread-Pools mittels sed:

sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/8.5/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/8.5/fpm/pool.d/www.conf

Anpassen der FPM-Konfiguration:

sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/fpm/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=32/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=60/" /etc/php/8.5/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/8.5/fpm/php.ini

Anpassen der CLI-Konfiguration:

sed -i "s/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/" /etc/php/8.5/cli/php.ini
sed -i '$aapc.enable_cli=1' /etc/php/8.5/cli/php.ini

Neustarten des PHP-Dienstes:

service php8.5-fpm restart

acme.sh

Wechseln in den Kontext des Users “letsencrypt”:

su - letsencrypt

Let’s Encrypt als Default-Provider für TLS-Zertifikate definieren:

acme.sh --set-default-ca --server letsencrypt

Wechsel auf den normalen User:

exit

Redis

Sichern der originalen Konfiguration:

cp /etc/redis/redis.conf /etc/redis/redis.conf.bak

Öffnen der Redis-Konfiguration:

nano /etc/redis/redis.conf

Konfigurations-Einträge, damit Redis über einen Socket anstatt eines Ports erreichbar ist:

port 0 
unixsocket /var/run/redis/redis-server.sock 
unixsocketperm 770

Hinzufügen des Users “www-data” zur Gruppe “redis”:

usermod -a -G redis www-data

Neustart des Redis-Dienstes:

service redis-server restart

ufw

Firewall-Regeln festlegen:

ufw default deny
ufw allow 22 comment "SSH"
ufw allow 80 comment "HTTP"
ufw allow 443 comment "HTTPS"

Firewall aktivieren:

ufw enable

Regeln der Firewall anzeigen:

ufw status numbered

Generierung der TLS-Zertifikate für Nextcloud

Verzeichnisse für die Zertifikate anlegen

Bei der Anlage bitte Ihre echte Domain angeben, da diese Teil der Verzeichnisstruktur ist.

mkdir -p /etc/letsencrypt/nextcloud.hoeglinger.name/rsa
mkdir -p /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa
chown -R www-data:www-data /etc/letsencrypt
chmod -R 775 /etc/letsencrypt

Den ersten virtuellen Host für nginx erstellen

Erstellen des Verzeichnisses für die Let’s Encrypt Challenge:

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
chown -R www-data:www-data /var/www/letsencrypt
chmod -R 775 /var/www/letsencrypt

Anlegen des virtuellen Hosts:

nano /etc/nginx/conf.d/HttpGateway.conf

Inhalt des “HTTP-Gateways”:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name nextcloud.hoeglinger.name;
 
    root /var/www;
 
    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }
 
    location / {
        return 301 https://$host$request_uri;
    }
}

nginx Selbsttest und Service neu starten:

nginx -t
service nginx restart

Funktion des Webservers zur Zertifikats-Generierung überprüfen

Anlegen einer Text-Datei mit beliebigem Inhalt:

echo "Test" >> /var/www/letsencrypt/.well-known/acme-challenge/test.txt

Test-Datei im Browser abrufen: http://nextcloud.hoeglinger.name/.well-known/acme-challenge/test.txt Test-Datei nach erfolgreichem Test löschen:

rm -f /var/www/letsencrypt/.well-known/acme-challenge/test.txt

TLS-Zertifikate für Nextcloud generieren

In den Kontext des Users ’letsencrypt’´wechseln:

su - letsencrypt

Ausstellen des RSA-Zertifikats:

acme.sh --issue -d nextcloud.hoeglinger.name --keylength 4096 -w /var/www/letsencrypt --key-file /etc/letsencrypt/nextcloud.hoeglinger.name/rsa/key.pem --ca-file /etc/letsencrypt/nextcloud.hoeglinger.name/rsa/ca.pem --cert-file /etc/letsencrypt/nextcloud.hoeglinger.name/rsa/cert.pem --fullchain-file /etc/letsencrypt/nextcloud.hoeglinger.name/rsa/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"

Ausstellen des ECDSA-Zertifikats:

acme.sh --issue -d nextcloud.hoeglinger.name --keylength ec-384 -w /var/www/letsencrypt --key-file /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/key.pem --ca-file /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/ca.pem --cert-file /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/cert.pem --fullchain-file /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"

Abmelden des Benutzers ’letsencrypt'

exit

Diffie-Hellman-Parameter generieren

Das kann schon mal einige Zeit dauern. Nur Geduld.

mkdir -p /etc/nginx/dhparams 
openssl dhparam -out /etc/nginx/dhparams/dhparams.pem 4096

Den Webserver für Nextcloud vorbereiten

SSL konfigurieren

Anlegen der allgemeinen SSL-Konfiguration:

mkdir -p /etc/nginx/snippets
nano /etc/nginx/snippets/ssl.conf

Inhalt der Datei:

#
# SSL Configuration
#
ssl_protocols TLSv1.2 TLSv1.3;
# SSL ciphers: RSA + ECDSA
# Two certificate types (ECDSA, RSA) are needed.
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
ssl_dhparam /etc/nginx/dhparams/dhparams.pem;
# Use multiple curves.
ssl_ecdh_curve secp521r1:secp384r1;
# Server should determine the ciphers, not the client
ssl_prefer_server_ciphers on;
# SSL session handling
ssl_session_timeout 1d; 
ssl_session_cache shared:SSL:50m; 
ssl_session_tickets off;
# See https://letsencrypt.org/2024/12/05/ending-ocsp/
#ssl_stapling on;
#ssl_stapling_verify on;
# DNS resolver
resolver 192.168.178.1;

Header-Konfiguration vornehmen

Anlegen einer allgemeinen Konfiguration für die vom Webserver auszuliefernden Header:

nano /etc/nginx/snippets/headers.conf

Inhalt der Datei:

#
# Header configuration
#  
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always; 
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;
add_header Referrer-Policy no-referrer always;
add_header X-Frame-Options "SAMEORIGIN" always;
fastcgi_hide_header X-Powered-By;

Einen virtuellen Host für Nextcloud anlegen

Virtuellen Host anlegen:

nano /etc/nginx/conf.d/nextcloud.hoeglinger.name.conf

Inhalt des virtuellen Hosts:

upstream php-handler {
    server unix:/run/php/php8.5-fpm.sock;
}
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name nextcloud.hoeglinger.name 192.168.178.55;
# Path to the root of your installation
    root /var/www/nextcloud;
 
    # SSL configuration
    # RSA certificates
    ssl_certificate /etc/letsencrypt/nextcloud.hoeglinger.name/rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/nextcloud.hoeglinger.name/rsa/key.pem;
    # ECC certificates
    ssl_certificate /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/key.pem;
 
    # This should be ca.pem (certificate with the additional intermediate certificate)
    # See here: https://certbot.eff.org/docs/using.html
    # ECC
    ssl_trusted_certificate /etc/letsencrypt/nextcloud.hoeglinger.name/ecdsa/ca.pem;
 
    # Include SSL configuration
    include /etc/nginx/snippets/ssl.conf;
 
    # Include headers
    include /etc/nginx/snippets/headers.conf;
 
	# The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;
 
    include mime.types;
    types {
        text/javascript mjs;
    }
# set max upload size and increase upload timeout:
    client_max_body_size 10G;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;
# Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }
location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
# Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }
# Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;
fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
 
    	fastcgi_read_timeout 600;
		fastcgi_send_timeout 600;
		fastcgi_connect_timeout 600;
fastcgi_param PHP_VALUE "upload_max_filesize = 10G
			post_max_size = 10G
			max_execution_time = 3600
			output_buffering = off";
    }
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets
location ~ \.wasm$ {
            default_type application/wasm;
        }
    }
location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }
# Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }
location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

Test der nginx-Konfiguration:

nginx -t

Neustart des Webservers:

service nginx restart

Installation Nextcloud

Nextcloud herunterladen

Download der aktuellsten Nextcloud-Version, Entpacken und anschließendes Löschen des Archivs:

cd
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
tar -xjf latest.tar.bz2 -C /var/www
rm latest.tar.bz2

Verzeichnisrechte setzen:

chown -R www-data:www-data /var/www/nextcloud

Anlegen des Datenverzeichnisses

Datenverzeichnis außerhalb des Web-Roots anlegen und entsprechende Verzeichnis-Rechte setzen.

mkdir -p /var/nextcloud_data 
chown -R www-data:www-data /var/nextcloud_data
mkdir -p /mnt/dataSSD/nextcloud/data/
chown -R www-data:www-data /mnt/dataSSD/nextcloud/data/

Eine Datenbank für Nextcloud erstellen

Anmeldung an die Datenbank:

mysql -u root -p

Nach erfolgreicher Anmeldung stehen Sie dann im Prompt von MariaDB:

MariaDB [(none)]>

Anlegen eines Datenbank-Benutzers für die Nextcloud:

CREATE USER nextclouduser@localhost IDENTIFIED BY 'pfmipLkHGKoBlE23';

Anlegen einer Datenbank für Nextcloud:

CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

Berechtigungen des Nextcloud-Datenbank-Benutzers für die Datenbank setzen:

GRANT ALL PRIVILEGES on nextcloud.* to nextclouduser@localhost;

Berechtigungen der Datenbank neu laden:

FLUSH privileges;

MariaDB-Kommandozeile beenden:

exit;

Das Setup von Nextcloud ausführen # Aufruf der Nextcloud-URL im Browser (nextcloudfuerdummies.decatec.de ist durch eigenen Domain zu ersetzen): https://nextcloudfuerdummies.decatec.de Daten für das Setup für Nextcloud:

• **Anmelden**: beliebiger Benutzername (automatisch Benutzer mit Admin-Rechten in der Cloud)
• **Passwort**: Ein beliebiges, sicheres Passwort
• **Datenverzeichnis**: ///var/nextcloud/data//
• **Datenbank einrichten**: MySQL/MariaDB (falls hier eine Auswahl angeboten wird)
• **Datenbankkonto**: Der Datenbank-Benutzer für Nextcloud (//nextclouduser//)
• **Datenbank-Passwort**: Das Passwort des Datenbank-Benutzers für Nextcloud
• **Datenbank-Name**: Name der Datenbank, welche für Nextcloud angelegt wurde (//nextcloud//)
• **Datenbank-Host**: Maschine, auf der die Datenbank zu finden ist (//localhost//)

Weiter mit einem Klick auf “Installieren” Die Installation der “Empfohlenen Apps sollte” mit “Überspringen” abgelehnt werden.

Die Nextcloud-Installation optimieren

Sichern der config.php von Nextcloud. Den Benutzernamen ‘jan’ müssen Sie natürlich durch Ihren eigenen Benutzernamen unter Linux ersetzen. Diese Datei enthält sensible Informationen, daher die Datei an einem Ort speichern, auf den nur Sie Zugriff haben.

cp /var/www/nextcloud/config/config.php /home/eugen/config.php

Festlegen einer Startzeit für das Wartungsfenster

Öffnen der Konfigurationsdatei von Nextcloud:

nano /var/www/nextcloud/config/config.php

Angabe der Startzeit des Wartungszeitfensters am Ende der Datei, aber noch vor der schließenden Klammer:

'maintenance_window_start' => 1,

Hinweis: Angabe erfolgt hier in UTC. Ein Wert von ‘1’ bedeutet hier also 01:00 UTC und dementsprechend 02:00 MEZ/03:00 MESZ.

Redis für transaktionale Dateisperren nutzen

config.php öffnen:

nano /var/www/nextcloud/config/config.php

Folgende Zeilen am Ende der Datei (aber vor der letzten schließenden Klammer) einfügen:

'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
),

Die Änderungen werden mit dem Speichern der config.php aktiv.

Konfiguration eines Speichercaches

config.php öffnen:

nano /var/www/nextcloud/config/config.php

Am Ende (aber wieder vor der letzten schließenden Klammer) folgende Zeile einfügen:

'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',

Standard-Telefonregion festlegen

Öffnen der Konfigurationsdatei von Nextcloud:

nano /var/www/nextcloud/config/config.php

Angabe der Standard-Telefonregion am Ende der Datei, aber noch vor der schließenden Klammer:

'default_phone_region' => 'AT',

Einstellungen zum E-Mail-Server

Tragen Sie zunächst in den persönlichen Einstellungen Ihre private Mail-Adresse unter “E-Mail-Adresse” ein. Anschließend legen Sie ein neues E-Mail-Postfach an, welches nur für den Versand von Mail über die Nextcloud dient. Dazu können Sie auch einen beliebigen Freemail-Service nutzen. In den Admin-Einstellungen unter “Grundeinstellungen” muss anschließend der SMTP-Zugang konfiguriert werden. Hier eine Auswahl an SMTP-Einstellungen einiger Freemail-Anbieter:

• Google Mail:  https://support.google.com/mail/answer/7126229?hl=de#zippy=%2Cschritt-smtp--und-andere-einstellungen-im-e-mail-client-%C3%A4ndern
• GMX:  https://hilfe.gmx.net/pop-imap/pop3/serverdaten.html
• web.de:  https://hilfe.web.de/pop-imap/imap/imap-serverdaten.html

Einen Cronjob für Nextcloud einrichten

Crontab des Users www-data bearbeiten:

crontab -u www-data -e

Fügen Sie folgende Zeile ein:

*/5 * * * * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1

In den Admin-Einstellungen unter ‘Grundeinstellungen’ sollte in der Nextcloud nun automatisch der Eintrag ‘Cron (Empfohlen)’

Die Nextcloud-Installation anpassen, wenn am Server auch andere Programme laufen sollen

Die Configuration von Nextcloud verschieben

mv /etc/nginx/conf.d/nextcloudfuerdummies.decatec.de.conf /etc/nginx/sites-available/nextcloud.conf

Oder wenn die nicht existiert, dann

mv /etc/nginx/conf.d/nextcloud.conf /etc/nginx/sites-available/nextcloud.conf

Symlink setzen

ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/nextcloud.conf

Nginx testen und neu laden

nginx -t
systemctl reload nginx

Fehlende Include‑Zeile einfügen

Datei öffnen

nano /etc/nginx/nginx.conf

Und füge innerhalb des http { … }‑Blocks, direkt unter der Zeile:

include /etc/nginx/conf.d/*.conf;

diese Zeile ein:

include /etc/nginx/sites-enabled/*.conf;

Der Block muss danach so aussehen:

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
access_log  /var/log/nginx/access.log  main;
sendfile        on;
    keepalive_timeout  65;
    server_tokens off;
include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

Speichern: CTRL+O Enter Beenden: CTRL+X Nginx testen

nginx -t

Muss „successful“ melden. Nginx neu laden

systemctl reload nginx

Port 443 testen

openssl s_client -connect wiki.hoeglinger.name:443 -servername wiki.hoeglinger.name | grep subject=
server/nextcloud/installation/start.1780007353.txt.gz · Zuletzt geändert: von 91.115.82.214