• nextcloud

nextcloud

About

• https://nextcloud.com/

• NextCloud Docs latest

• github.com nextcloud

• Compare Nextcloud with competitors

Resources

Minimum

• 4 Cores
• 4 GiB RAM
• Fast Storage
• 1x 1Gbit/s NIC

Installation

I chose installation via snap

   1 apt install snap
   2 snap install nextcloud

snap

snap logs

This is an important feature to get info about the internal state of the application

   1 snap logs nextcloud

There are more logs at
/var/snap/nextcloud/current/logs

   1 ll /var/snap/nextcloud/current/logs/*.log
   2 -rw-r----- 1 root root 5054656 Okt  1 10:27 /var/snap/nextcloud/current/logs/apache_access.log
   3 -rw-r----- 1 root root    3800 Sep 28 11:42 /var/snap/nextcloud/current/logs/apache_errors.log
   4 -rw-r----- 1 root root       0 Sep 26 00:03 /var/snap/nextcloud/current/logs/mysql_errors.log
   5 -rw-r----- 1 root root      56 Sep 26 00:03 /var/snap/nextcloud/current/logs/php-fpm_errors.log
   6 -rw-r----- 1 root root       0 Jun 13 00:04 /var/snap/nextcloud/current/logs/php_errors.log
   7 -rw-r----- 1 root root  541447 Okt  1 10:25 /var/snap/nextcloud/current/logs/redis.log

snap get and set

There are some tuneables from the cli that can be queried with snap get

   1 # snap get nextcloud 
   2 Key        Value
   3 mode       production
   4 nextcloud  {...}
   5 php        {...}
   6 ports      {...}
   7 private    {...}
   8 # snap get nextcloud nextcloud
   9 Key                      Value
  10 nextcloud.cron-interval  5m
  11 # snap get nextcloud php      
  12 Key               Value
  13 php.memory-limit  512M
  14 # snap get nextcloud ports
  15 Key          Value
  16 ports.http   80
  17 ports.https  443
  18 Key                Value
  19 private.mode       production
  20 private.nextcloud  {...}
  21 private.php        {...}
  22 private.ports      {...}
  23 private.snap       {...}
  24 # …
  25 

They can also be set like this

   1 snap set nextcloud mode=production
   2 snap set nextcloud php.memory-limit=512M

Access MySQL-Database

Write the access tokens to your users client configuration.

   1 cat /var/snap/nextcloud/20498/mysql/root.ini >> ~root/.my.cnf
   2 
   3 ### NOW CALL YOUR CLIENT
   4 mysql
   5 mysqltuner

Login on Android App

The login on the Android App is probably case sensitive.

Nextcloud Client

Debian has a version in the repo

   1 apt install nextcloud-desktop

There is also an AppImage (pkg, msi, … ) that may be used when you need another version than the one in the repository.

• https://github.com/nextcloud/desktop/releases

• https://github.com/nextcloud/desktop/releases/tag/v3.3.6

The man-page show the configuration directory.

   1        On Linux distributions:
   2               $HOME/.config/Nextcloud/nextcloud.cfg
   3 
   4        On Microsoft Windows systems:
   5               %APPDATA%\Nextcloud\nextcloud.cfg
   6 
   7        On macOS systems:
   8               $HOME/Library/Preferences/Nextcloud/nextcloud.cfg

When the client is not running, you may change the configuration file. This is useful, if you want to disable synchronization before startup.

nextcloud.cfg

   1 [Accounts]
   2 0\Folders\1\paused=false
   3 1\Folders\2\paused=true

To get some log output you may start the client like this

   1 nextcloud --logflush --logdir /tmp/Nextcloud-logdir
   2 ls -drt1 /tmp/Nextcloud-logdir/* |tail -n1 |xargs tail -f

No Reboot After Installation on Windows

The Nextcloud client schedules a reboot on upgrade, which is totally annoying.
help.nextcloud.com - Why does the Nextcloud Windows client require a restart each update?

I guess this is motivated by the alternative locking mechanisms in Windows.

But there is a workaround
Nextcloud Client Manual - No Reboot After Installation

The Nextcloud Client schedules a reboot after installation to make sure the Explorer extension is correctly (un)loaded. If you’re taking care of the reboot yourself, you can set the REBOOT property:

   1 msiexec /i Nextcloud-x.y.z-x64.msi REBOOT=ReallySuppress

This will make msiexec exit with error ERROR_SUCCESS_REBOOT_REQUIRED (3010). If your deployment tooling interprets this as an actual error and you want to avoid that, you may want to set the DO_NOT_SCHEDULE_REBOOT instead:

   1 msiexec /i Nextcloud-x.y.z-x64.msi DO_NOT_SCHEDULE_REBOOT="1"

NextCloud Apps

Bruteforce Settings App

Install the "Bruteforce Settings App" to configure a whitelist of IPs which is not blocked by the bruteforce protection.

NextCloud Talk

• Github nextcloud/spreed

WebRTC

WebRTC (Web Real-Time Communication)

• https://www.html5rocks.com/en/tutorials/webrtc/infrastructure/

• https://webrtc.org

• https://www.w3.org/TR/webrtc/

• https://www.w3.org/TR/webrtc-identity/

• https://tools.ietf.org/wg/rtcweb/

Stun and Turn Server

Please refer to this howto matrix#TURN_Server

Signaling Server

Candidates

The only supported signaling server is: Nextcloud Spreed Signaling

There are other unsupported systems in the ecosystem (just for the sake of completeness)

• SaltyRTC

• SaltyRTC Protocols

• EasyRTC

• Sigver

Deprecations

• SimpleWebRTC (frozen)
• webRTC.io (no commit since May 2013)

Nextcloud Spreed Signaling

Clone and build

   1 cd /opt
   2 git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
   3 cd nextcloud-spreed-signaling
   4 aptitude install golang-go make curl
   5 make build
   6 ln -s /opt/nextcloud-spreed-signaling/bin/signaling \
   7         /usr/bin/signaling

Create group and user

   1 adduser --system --group \
   2         --home /var/lib/signaling \
   3         --shell /usr/sbin/nologin \
   4         --gecos "Standalone signaling server for Nextcloud Talk.,,," \
   5         signaling
   6 adduser signaling ssl-cert

Create config

   1 install -o root -g signaling -m 0750 -d /etc/signaling
   2 install -o root -g signaling -m 0640 \
   3         /opt/nextcloud-spreed-signaling/server.conf.in \
   4         /etc/signaling/server.conf

Adjust config

• uncomment listen

• sessions.blockkey

• sessions.hashkey

• https.certificate

• https.key

• clients.internalsecret

• backend.allowed

• backend.secret

• nats.url !!!

Old version of the
/etc/signaling/server.conf

   1 [http]
   2 # IP and port to listen on for HTTP requests.
   3 # Comment line to disable the listener.
   4 listen = 127.0.0.1:8080
   5 
   6 # HTTP socket read timeout in seconds.
   7 #readtimeout = 15
   8 
   9 # HTTP socket write timeout in seconds.
  10 #writetimeout = 15
  11 
  12 [https]
  13 # IP and port to listen on for HTTPS requests.
  14 # Comment line to disable the listener.
  15 #listen = 127.0.0.1:8443
  16 
  17 # HTTPS socket read timeout in seconds.
  18 #readtimeout = 15
  19 
  20 # HTTPS socket write timeout in seconds.
  21 #writetimeout = 15
  22 
  23 # Certificate / private key to use for the HTTPS server.
  24 #certificate = /etc/nginx/ssl/server.crt
  25 certificate = /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
  26 #key = /etc/nginx/ssl/server.key
  27 key = /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem
  28 
  29 [app]
  30 # Set to "true" to install pprof debug handlers.
  31 # See "https://golang.org/pkg/net/http/pprof/" for further information.
  32 debug = false
  33 
  34 [sessions]
  35 # Secret value used to generate checksums of sessions. This should be a random
  36 # string of 32 or 64 bytes.
  37 hashkey = the-secret-for-session-checksums
  38 
  39 # Optional key for encrypting data in the sessions. Must be either 16, 24 or
  40 # 32 bytes.
  41 # If no key is specified, data will not be encrypted (not recommended).
  42 blockkey = -encryption-key-
  43 
  44 [clients]
  45 # Shared secret for connections from internal clients. This must be the same
  46 # value as configured in the respective internal services.
  47 internalsecret = the-shared-secret-for-internal-clients
  48 
  49 
  50 [backend]
  51 # Comma-separated list of hostnames that are allowed to be used as backend
  52 # endpoints.
  53 allowed = cloud.rockstable.it,nextcloud1.rockstable.it
  54 
  55 # Allow any hostname as backend endpoint. This is extremely insecure and should
  56 # only be used while running the benchmark client against the server.
  57 allowall = false
  58 
  59 # Shared secret for requests from and to the backend servers. This must be the
  60 # same value as configured in the Nextcloud admin ui.
  61 secret = the-shared-secret
  62 
  63 # Timeout in seconds for requests to the backend.
  64 timeout = 10
  65 
  66 # Maximum number of concurrent backend connections per host.
  67 #connectionsperhost = 8
  68 connectionsperhost = 16
  69 
  70 # If set to "true", certificate validation of backend endpoints will be skipped.
  71 # This should only be enabled during development, e.g. to work with self-signed
  72 # certificates.
  73 #skipverify = false
  74 
  75 [nats]
  76 # Url of NATS backend to use. This can also be a list of URLs to connect to
  77 # multiple backends. For local development, this can be set to ":loopback:"
  78 # to process NATS messages internally instead of sending them through an
  79 # external NATS backend.
  80 #url = nats://localhost:4222
  81 url = :loopback:
  82 
  83 [mcu]
  84 # The type of the MCU to use. Currently only "janus" is supported.
  85 type = janus
  86 
  87 # The URL to the websocket endpoint of the MCU server. Leave empty to disable
  88 # MCU functionality.
  89 url =
  90 
  91 # The maximum bitrate per publishing stream (in bits per second).
  92 # Defaults to 1 mbit/sec.
  93 #maxstreambitrate = 1048576
  94 
  95 # The maximum bitrate per screensharing stream (in bits per second).
  96 # Default is 2 mbit/sec.
  97 #maxscreenbitrate = 2097152
  98 
  99 [turn]
 100 # API key that the MCU will need to send when requesting TURN credentials.
 101 #apikey = the-api-key-for-the-rest-service
 102 
 103 # The shared secret to use for generating TURN credentials. This must be the
 104 # same as on the TURN server.
 105 #secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
 106 
 107 # A comma-separated list of TURN servers to use. Leave empty to disable the
 108 # TURN REST API.
 109 #servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
 110 
 111 [geoip]
 112 # License key to use when downloading the MaxMind GeoIP database. You can
 113 # register an account at "https://www.maxmind.com/en/geolite2/signup" for
 114 # free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/"" for further
 115 # information.
 116 # Leave empty to disable GeoIP lookups.
 117 #license =

Newer versions need a different backend configuration. Instead of allow servers and a common shared secret. They define backends with their own configuration and enable them individually. Newer version of the
/etc/signaling/server.conf

   1 [http]
   2 # IP and port to listen on for HTTP requests.
   3 # Comment line to disable the listener.
   4 listen = 127.0.0.1:8080
   5 
   6 # HTTP socket read timeout in seconds.
   7 #readtimeout = 15
   8 
   9 # HTTP socket write timeout in seconds.
  10 #writetimeout = 15
  11 
  12 [https]
  13 # IP and port to listen on for HTTPS requests.
  14 # Comment line to disable the listener.
  15 #listen = 127.0.0.1:8443
  16 
  17 # HTTPS socket read timeout in seconds.
  18 #readtimeout = 15
  19 
  20 # HTTPS socket write timeout in seconds.
  21 #writetimeout = 15
  22 
  23 # Certificate / private key to use for the HTTPS server.
  24 #certificate = /etc/nginx/ssl/server.crt
  25 certificate = /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem
  26 #key = /etc/nginx/ssl/server.key
  27 key = /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem
  28 
  29 
  30 [app]
  31 # Set to "true" to install pprof debug handlers.
  32 # See "https://golang.org/pkg/net/http/pprof/" for further information.
  33 #debug = false
  34 #debug = true
  35 
  36 [sessions]
  37 # Secret value used to generate checksums of sessions. This should be a random
  38 # string of 32 or 64 bytes.
  39 hashkey = the-secret-for-session-checksums
  40 
  41 # Optional key for encrypting data in the sessions. Must be either 16, 24 or
  42 # 32 bytes.
  43 # If no key is specified, data will not be encrypted (not recommended).
  44 blockkey = -encryption-key-
  45 
  46 [clients]
  47 # Shared secret for connections from internal clients. This must be the same
  48 # value as configured in the respective internal services.
  49 internalsecret = the-shared-secret-for-internal-clients
  50 
  51 [backend]
  52 # Comma-separated list of backend ids from which clients are allowed to connect
  53 # from. Each backend will have isolated rooms, i.e. clients connecting to room
  54 # "abc12345" on backend 1 will be in a different room than clients connected to
  55 # a room with the same name on backend 2. Also sessions connected from different
  56 # backends will not be able to communicate with each other.
  57 #backends = backend-id, another-backend
  58 backends = rockstable_nextcloud1, rockstable_cloud
  59 
  60 ### OLD STYLE
  61 # Comma-separated list of hostnames that are allowed to be used as backend
  62 # endpoints.
  63 #allowed = cloud.rockstable.it,nextcloud1.rockstable.it
  64 
  65 # Allow any hostname as backend endpoint. This is extremely insecure and should
  66 # only be used while running the benchmark client against the server.
  67 allowall = false
  68 
  69 # Common shared secret for requests from and to the backend servers if
  70 # "allowall" is enabled. This must be the same value as configured in the
  71 # Nextcloud admin ui.
  72 #secret = the-shared-secret
  73 
  74 # Timeout in seconds for requests to the backend.
  75 timeout = 10
  76 
  77 # Maximum number of concurrent backend connections per host.
  78 #connectionsperhost = 8
  79 connectionsperhost = 16
  80 
  81 # If set to "true", certificate validation of backend endpoints will be skipped.
  82 # This should only be enabled during development, e.g. to work with self-signed
  83 # certificates.
  84 #skipverify = false
  85 
  86 # Backend configurations as defined in the "[backend]" section above. The
  87 # section names must match the ids used in "backends" above.
  88 [rockstable_nextcloud1]
  89 # URL of the Nextcloud instance
  90 url = https://nextcloud1.rockstable.it/
  91 
  92 # Shared secret for requests from and to the backend servers. This must be the
  93 # same value as configured in the Nextcloud admin ui.
  94 secret = the-shared-secret
  95 
  96 [rockstable_cloud]
  97 # URL of the Nextcloud instance
  98 url = https://cloud.rockstable.it/
  99 
 100 # Shared secret for requests from and to the backend servers. This must be the
 101 # same value as configured in the Nextcloud admin ui.
 102 secret = the-shared-secret
 103 
 104 [nats]
 105 # Url of NATS backend to use. This can also be a list of URLs to connect to
 106 # multiple backends. For local development, this can be set to ":loopback:"
 107 # to process NATS messages internally instead of sending them through an
 108 # external NATS backend.
 109 #url = nats://localhost:4222
 110 url = :loopback:
 111 
 112 [mcu]
 113 # The type of the MCU to use. Currently only "janus" and "proxy" are supported.
 114 # Leave empty to disable MCU functionality.
 115 #type = janus
 116 type =
 117 
 118 # The URL to the websocket endpoint of the MCU server. Leave empty to disable
 119 # MCU functionality.
 120 # For type "janus": the URL to the websocket endpoint of the MCU server.
 121 # For type "proxy": a space-separated list of proxy URLs to connect to.
 122 url =
 123 
 124 # The maximum bitrate per publishing stream (in bits per second).
 125 # Defaults to 1 mbit/sec.
 126 #maxstreambitrate = 1048576
 127 
 128 # For type "janus": the maximum bitrate per screensharing stream (in bits per
 129 # second).
 130 # Default is 2 mbit/sec.
 131 #maxscreenbitrate = 2097152
 132 
 133 # For type "proxy": timeout in seconds for requests to the proxy server.
 134 #proxytimeout = 2
 135 
 136 # For type "proxy": type of URL configuration for proxy servers.
 137 # Defaults to "static".
 138 #
 139 # Possible values:
 140 # - static: A space-separated list of proxy URLs is given in the "url" option.
 141 # - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
 142 #urltype = static
 143 
 144 # For type "proxy": the id of the token to use when connecting to proxy servers.
 145 #token_id = server1
 146 
 147 # For type "proxy": the private key for the configured token id to use when
 148 # connecting to proxy servers.
 149 #token_key = privkey.pem
 150 
 151 # For url type "etcd": Comma-separated list of static etcd endpoints to
 152 # connect to.
 153 #endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
 154 
 155 # For url type "etcd": Options to perform endpoint discovery through DNS SRV.
 156 # Only used if no endpoints are configured manually.
 157 #discoverysrv = example.com
 158 #discoveryservice = foo
 159 
 160 # For url type "etcd": Path to private key, client certificate and CA
 161 # certificate if TLS authentication should be used.
 162 #clientkey = /path/to/etcd-client.key
 163 #clientcert = /path/to/etcd-client.crt
 164 #cacert = /path/to/etcd-ca.crt
 165 
 166 # For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
 167 # watched and assumed to contain a JSON document. The entry "address" from this
 168 # document will be used as proxy URL, other contents in the document will be
 169 # ignored.
 170 #
 171 # Example:
 172 # "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
 173 # "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
 174 #keyprefix = /signaling/proxy/server
 175 
 176 [turn]
 177 # API key that the MCU will need to send when requesting TURN credentials.
 178 #apikey = the-api-key-for-the-rest-service
 179 
 180 # The shared secret to use for generating TURN credentials. This must be the
 181 # same as on the TURN server.
 182 #secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
 183 
 184 # A comma-separated list of TURN servers to use. Leave empty to disable the
 185 # TURN REST API.
 186 #servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
 187 #servers = turn:178.63.149.236:5349?transport=udp,turn:178.63.149.236:5349?transport=tcp
 188 
 189 [geoip]
 190 # License key to use when downloading the MaxMind GeoIP database. You can
 191 # register an account at "https://www.maxmind.com/en/geolite2/signup" for
 192 # free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
 193 # information.
 194 # Leave empty to disable GeoIP lookups.
 195 #license =

Create, enable and start systemd service

   1 install -o root -g signaling -m 0644 \
   2         /opt/nextcloud-spreed-signaling/dist/init/systemd/signaling.service \
   3         /etc/systemd/system/signaling.service
   4 systemctl enable signaling.service
   5 systemctl start signaling.service

Install nginx-light as reverse proxy

   1 aptitude install nginx-light
   2 unlink /etc/nginx/sites-enabled/default

Configure reverse proxy /etc/nginx/sites-available/signaling

   1 server {
   2         # SSL configuration
   3         #
   4         listen 443 ssl default_server;
   5         listen [::]:443 ssl default_server;
   6 
   7         ssl_certificate         /etc/letsencrypt/live/coturn.rockstable.it/fullchain.pem;
   8         ssl_certificate_key     /etc/letsencrypt/live/coturn.rockstable.it/privkey.pem;
   9 
  10         root /var/www/html;
  11 
  12         # Add index.php to the list if you are using PHP
  13         index index.html index.htm index.nginx-debian.html;
  14 
  15         server_name _;
  16 
  17         location / {
  18                 # First attempt to serve request as file, then
  19                 # as directory, then fall back to displaying a 404.
  20                 try_files $uri $uri/ =404;
  21         }
  22 
  23         # deny access to .htaccess files, if Apache's document root
  24         # concurs with nginx's one
  25         #
  26         location ~ /\.ht {
  27                 deny all;
  28         }
  29 
  30         location /standalone-signaling/ {
  31                 proxy_pass http://signaling/;
  32                 proxy_http_version 1.1;
  33                 proxy_set_header Host $host;
  34                 proxy_set_header X-Real-IP $remote_addr;
  35                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  36         }
  37 
  38         location /standalone-signaling/spreed {
  39                 proxy_pass http://signaling/spreed;
  40                 proxy_http_version 1.1;
  41                 proxy_set_header Upgrade $http_upgrade;
  42                 proxy_set_header Connection "Upgrade";
  43                 proxy_set_header Host $host;
  44                 proxy_set_header X-Real-IP $remote_addr;
  45                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  46         }
  47 }

Trouble Shooting Nextcloud Talk

Follow the log

   1 #su - www-data
   2 cd /var/www/html
   3 ./occ log:tail -f |tee /tmp/nc.log

Internal server error after upgrade

After NC Upgrade from 20.0.7 to 20.0.8 "Internal Server Error" and SQL Error "'oc_talk_participants' doesn't exist" · Issue #5324 · nextcloud/spreed - GitHub

Nextcloud shows a HTTP 500 page an the log states

   1 SQLSTATE[42P01]: Undefined table: 7 FEHLER:  Relation »oc_talk_participants« doesn't exist

There is a problem with the migation of the database schema especially table oc_talk_participants to oc_talk_attendees. This did not work out with v10.0.6 and has been fixed in v10.1.3, which cannot be aquired on the usual way with the webinterface. You need to doenload and install the app manually.

Fix it by upgrading the talk app manually.
Nextcloud is installed in /var/www/html in this case (docker).

   1 su www-data
   2 ./occ app:disable spreed
   3 cd /tmp
   4 wget -O https://github.com/nextcloud/spreed/releases/download/v10.1.3/spreed-10.1.3.tar.gz
   5 tar -xzf spreed-10.1.3.tar.gz
   6 mv /var/www/html/spreed/ /tmp/spreed_old; \
   7 mv /tmp/spreed /var/www/html/apps/
   8 ./occ app:enable spreed

Default phone region

If you are getting the message, that no default phone region has been set, just add the Wiki EN ISO 3166-1 country code to your configuration.

/var/snap/nextcloud/current/nextcloud/config/config.php

   1 $CONFIG = array (
   2   // DETAILS SKIPPED …
   3   'default_phone_region' => 'DE',
   4 );

A restart/reload should not be necessary.

Collabora Online

About

• Collabora Online is a powerful online office suite, which you can integrate into your own infrastructure. We take digital sovereignty seriously and provide you with all the tools to keep your data secure, without compromising on features.

  -- https://www.collaboraoffice.com/

Links

• NextCloud Collabora Online

• CODE - Collabora Online Development Edition

• Enterprise Collabora Office subscriptions

• Collabora Online Development Edition (CODE)

• Collabora Online SDK - Installation Guide CODE Docker image

• Collabora Online SDK - Installation Guide Proxy settings

• hub.docker.com collabora/code

• github.com CollaboraOnline/online

• github.com CollaboraOnline/online - Compile a working docker container with Collabora Online

Web-interface

Find the webinterface at
https://your-office-domain.example.com/browser/dist/admin/admin.html

Installation and Configuration

1. Setup DNS names

   • label office.rockstable.it with CNAME cloud.rockstable.it

2. Request certificate with LetsEncrypt on reverse proxy

3. Install docker

4. Pull collabora/CODE.

   (If you don't want to bind it to the loopback interface
   omit 127.0.0.1.)

      1 docker pull collabora/code:latest
   

5. Start collabora/CODE.
   • CODE 6 (deprecated)

        1 docker run -t -d \
        2         -p 127.0.0.1:9980:9980 \
        3         -e 'domain=cloud\\.rockstable\\.it' \
        4         --restart always \
        5         --cap-add MKNOD \
        6         collabora/code:latest
     

   • CODE 7+

        1 read -r ADMIN_USERNAME
        2 read -r ADMIN_PASSWORD
        3 docker run -t -d \
        4         -p 9980:9980 \
        5         -e "aliasgroup1=https://cloud\\.rockstable\\.it" \
        6         -e "username=$ADMIN_USERNAME" \
        7         -e "password=$ADMIN_PASSWORD" \
        8         --restart always \
        9         collabora/code
     

6. Setup reverse proxy

   • CODE 6.4 (deprecated)
     /etc/nginx/sites-available/proxy_office_6

        1 ##
        2 # You should look at the following URL's in order to grasp a solid understanding
        3 # of Nginx configuration files in order to fully unleash the power of Nginx.
        4 # https://www.nginx.com/resources/wiki/start/
        5 # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
        6 # https://wiki.debian.org/Nginx/DirectoryStructure
        7 #
        8 # In most cases, administrators will remove this file from sites-enabled/ and
        9 # leave it as reference inside of sites-available where it will continue to be
       10 # updated by the nginx packaging team.
       11 #
       12 # This file will automatically load configuration files provided by other
       13 # applications, such as Drupal or Wordpress. These applications will be made
       14 # available underneath a path with that package name, such as /drupal8.
       15 #
       16 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
       17 ##
       18 
       19 
       20 upstream office1.1a.rockstable.it {
       21     server office1.1a.rockstable.it:9980;
       22 }
       23 
       24 ## Redirects all HTTP traffic to the HTTPS host
       25 server {
       26   ## Either remove "default_server" from the listen line below,
       27   ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
       28   ## to be served if you visit any address that your server responds to, eg.
       29   ## the ip address of the server (http://x.x.x.x/)
       30   listen        0.0.0.0:80;
       31   listen        [::]:80;
       32   server_name   office.rockstable.it; ## Replace this with something like gitlab.example.com
       33   server_tokens off; ## Don't show the nginx version number, a security best practice
       34   # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
       35   return 301    https://$server_name$request_uri;
       36   access_log    /var/log/nginx/proxy_office_access.log;
       37   error_log     /var/log/nginx/proxy_office_error.log;
       38 }
       39 
       40 
       41 # HTTPS host
       42 server {
       43         listen          443 http2 ssl;
       44         #listen         [::]:443 ipv6only=on http2 ssl;
       45 
       46         server_name     office.rockstable.it;
       47         server_tokens   off; ## Don't show the nginx version number, a security best practice
       48 
       49         ## Strong SSL Security
       50         ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
       51         ssl on;
       52         ssl_certificate                 /etc/letsencrypt/live/office.rockstable.it/fullchain.pem;
       53         ssl_certificate_key             /etc/letsencrypt/live/office.rockstable.it/privkey.pem;
       54         #ssl_trusted_certificate        /etc/ssl/CAcert/certs/.pem;
       55 
       56         # Backwards compatible ciphers to retain compatibility with Java IDEs
       57         ssl_ciphers                     "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
       58         ssl_protocols                   TLSv1.3 TLSv1.2;
       59         ssl_prefer_server_ciphers       on;
       60         ssl_session_cache               shared:SSL:10m;
       61         ssl_session_timeout             1d;
       62 
       63         ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
       64         ## Replace with your ssl_trusted_certificate. For more info see:
       65         ## - https://medium.com/devops-programming/4445f4862461
       66         ## - https://www.ruby-forum.com/topic/4419319
       67         ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
       68         ssl_stapling on;
       69         ssl_stapling_verify on;
       70         # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
       71         # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
       72         # resolver_timeout 5s;
       73 
       74         ## [Optional] Generate a stronger DHE parameter:
       75         ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
       76         ##
       77         ssl_dhparam /etc/ssl/private/dhparam.pem;
       78 
       79         # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       80         add_header Strict-Transport-Security "max-age=63072000" always;
       81 
       82         ## Individual nginx logs for this GitLab vhost
       83         access_log  /var/log/nginx/proxy_office_access.log;
       84         error_log   /var/log/nginx/proxy_office_error.log;
       85 
       86         #proxy_set_header        Host               $host;
       87         proxy_set_header         Host               $http_host;
       88         proxy_set_header         X-Real-IP          $remote_addr;
       89         proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;
       90         proxy_set_header         X-Forwarded-Proto  $scheme;
       91         proxy_set_header         X-Forwarded-Ssl    on;
       92 
       93         proxy_set_header         Upgrade            $http_upgrade;
       94         proxy_set_header         Connection         "Upgrade";
       95         proxy_set_header         Host               $http_host;
       96 
       97         #
       98         #proxy_ssl_certificate          /etc/nginx/client.pem;
       99         #proxy_ssl_certificate_key      /etc/nginx/client.key;
      100         #proxy_ssl_trusted_certificate  /etc/nginx/trusted_ca_cert.crt;
      101         #proxy_ssl_verify               on;
      102         #proxy_ssl_verify_depth         2;
      103         proxy_ssl_session_reuse        on;
      104         proxy_ssl_protocols            TLSv1.3 TLSv1.2;
      105         proxy_ssl_ciphers              "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
      106 
      107         client_max_body_size 0;
      108         #gzip off;
      109 
      110         ## Some requests take more than 30 seconds.
      111         proxy_read_timeout      300;
      112         proxy_connect_timeout   300;
      113         proxy_redirect          off;
      114 
      115         #proxy_http_version 1.1;
      116 
      117         # static files
      118         location ^~ /loleaflet {
      119                 proxy_pass https://office1.1a.rockstable.it;
      120         }
      121 
      122         # WOPI discovery URL
      123         location ^~ /hosting {
      124                 proxy_pass https://office1.1a.rockstable.it;
      125         }
      126 
      127         # main websocket
      128         location ~ ^/lool/(.*)/ws$ {
      129                 proxy_pass https://office1.1a.rockstable.it;
      130                 proxy_read_timeout 36000s;
      131         }
      132 
      133         # download, presentation and image upload
      134         location ~ ^/lool {
      135                 proxy_pass https://office1.1a.rockstable.it;
      136         }
      137 
      138         # Admin Console websocket
      139         location ^~ /lool/adminws {
      140                 proxy_pass https://office1.1a.rockstable.it;
      141                 proxy_read_timeout 36000s;
      142         }
      143 
      144         # Capabilities
      145         location ^~ /hosting/capabilities {
      146                 proxy_pass https://office1.1a.rockstable.it;
      147         }
      148 }
     

   • CODE 7.0+ 21.11
     /etc/nginx/sites-available/proxy_office_7

        1 ##
        2 # You should look at the following URL's in order to grasp a solid understanding
        3 # of Nginx configuration files in order to fully unleash the power of Nginx.
        4 # https://www.nginx.com/resources/wiki/start/
        5 # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
        6 # https://wiki.debian.org/Nginx/DirectoryStructure
        7 #
        8 # In most cases, administrators will remove this file from sites-enabled/ and
        9 # leave it as reference inside of sites-available where it will continue to be
       10 # updated by the nginx packaging team.
       11 #
       12 # This file will automatically load configuration files provided by other
       13 # applications, such as Drupal or Wordpress. These applications will be made
       14 # available underneath a path with that package name, such as /drupal8.
       15 #
       16 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
       17 ##
       18 
       19 
       20 upstream office1.1a.rockstable.it {
       21     server office1.1a.rockstable.it:9980;
       22 }
       23 
       24 ## Redirects all HTTP traffic to the HTTPS host
       25 server {
       26   ## Either remove "default_server" from the listen line below,
       27   ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
       28   ## to be served if you visit any address that your server responds to, eg.
       29   ## the ip address of the server (http://x.x.x.x/)
       30   listen        0.0.0.0:80;
       31   listen        [::]:80;
       32   server_name   office.rockstable.it;
       33   server_tokens off; ## Don't show the nginx version number, a security best practice
       34   # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
       35   return 301    https://$server_name$request_uri;
       36   access_log    /var/log/nginx/proxy_office_access.log;
       37   error_log     /var/log/nginx/proxy_office_error.log;
       38 }
       39 
       40 
       41 # HTTPS host
       42 server {
       43         listen          443 http2 ssl;
       44         #listen         [::]:443 ipv6only=on http2 ssl;
       45 
       46         server_name     office.rockstable.it;
       47         server_tokens   off; ## Don't show the nginx version number, a security best practice
       48 
       49         ## Strong SSL Security
       50         ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
       51 
       52         ssl_certificate                 /etc/letsencrypt/live/office.rockstable.it/fullchain.pem;
       53         ssl_certificate_key             /etc/letsencrypt/live/office.rockstable.it/privkey.pem;
       54         #ssl_trusted_certificate        /etc/ssl/CAcert/certs/.pem;
       55 
       56         # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
       57         ssl_ciphers                     "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
       58         ssl_protocols                   TLSv1.3 TLSv1.2;
       59         ssl_prefer_server_ciphers       on;
       60         ssl_session_cache               shared:SSL:10m;
       61         ssl_session_timeout             1d;
       62 
       63         ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
       64         ## Replace with your ssl_trusted_certificate. For more info see:
       65         ## - https://medium.com/devops-programming/4445f4862461
       66         ## - https://www.ruby-forum.com/topic/4419319
       67         ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
       68         ssl_stapling on;
       69         ssl_stapling_verify on;
       70         # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
       71         # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
       72         # resolver_timeout 5s;
       73 
       74         ## [Optional] Generate a stronger DHE parameter:
       75         ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
       76         ##
       77         ssl_dhparam /etc/ssl/private/dhparam.pem;
       78 
       79         # HSTS (ngx_http_headers_module is required) (63072000 seconds)
       80         add_header Strict-Transport-Security "max-age=63072000" always;
       81 
       82         ## Individual nginx logs for this GitLab vhost
       83         access_log  /var/log/nginx/proxy_office_access.log;
       84         error_log   /var/log/nginx/proxy_office_error.log;
       85 
       86         #proxy_set_header        Host               $host;
       87         proxy_set_header         Host               $http_host;
       88         proxy_set_header         X-Real-IP          $remote_addr;
       89         proxy_set_header         X-Forwarded-For    $proxy_add_x_forwarded_for;
       90         proxy_set_header         X-Forwarded-Proto  $scheme;
       91         proxy_set_header         X-Forwarded-Ssl    on;
       92 
       93         proxy_set_header         Upgrade            $http_upgrade;
       94         proxy_set_header         Connection         "Upgrade";
       95         proxy_set_header         Host               $http_host;
       96 
       97         #
       98         #proxy_ssl_certificate          /etc/nginx/client.pem;
       99         #proxy_ssl_certificate_key      /etc/nginx/client.key;
      100         #proxy_ssl_trusted_certificate  /etc/nginx/trusted_ca_cert.crt;
      101         #proxy_ssl_verify               on;
      102         #proxy_ssl_verify_depth         2;
      103         proxy_ssl_session_reuse        on;
      104         proxy_ssl_protocols            TLSv1.3 TLSv1.2;
      105         proxy_ssl_ciphers              "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
      106 
      107         client_max_body_size 0;
      108         #gzip off;
      109 
      110         ## Some requests take more than 30 seconds.
      111         proxy_read_timeout      300;
      112         proxy_connect_timeout   300;
      113         proxy_redirect          off;
      114 
      115         #proxy_http_version 1.1;
      116 
      117         # static files
      118         location ^~ /browser {
      119                 proxy_pass https://office1.1a.rockstable.it;
      120                 proxy_set_header Host $http_host;
      121         }
      122 
      123         # WOPI discovery URL
      124         location ^~ /hosting/discovery {
      125                 proxy_pass https://office1.1a.rockstable.it;
      126                 proxy_set_header Host $http_host;
      127         }
      128 
      129         # Capabilities
      130         location ^~ /hosting/capabilities {
      131                 proxy_pass https://office1.1a.rockstable.it;
      132                 proxy_set_header Host $http_host;
      133         }
      134 
      135         # main websocket
      136         location ~ ^/cool/(.*)/ws$ {
      137                 proxy_pass https://office1.1a.rockstable.it;
      138                 proxy_set_header Upgrade $http_upgrade;
      139                 proxy_set_header Connection "Upgrade";
      140                 proxy_set_header Host $http_host;
      141                 proxy_read_timeout 36000s;
      142         }
      143 
      144         # download, presentation and image upload
      145         location ~ ^/(c|l)ool {
      146                 proxy_pass https://office1.1a.rockstable.it;
      147                 proxy_set_header Host $http_host;
      148         }
      149 
      150         # Admin Console websocket
      151         location ^~ /cool/adminws {
      152                 proxy_pass https://office1.1a.rockstable.it;
      153                 proxy_set_header Upgrade $http_upgrade;
      154                 proxy_set_header Connection "Upgrade";
      155                 proxy_set_header Host $http_host;
      156                 proxy_read_timeout 36000s;
      157         }
      158 }
     

7. Download and configure CollaboraOnline App in NextCloud

8. Done

Update Colabora Online

1. Load updated image

      1 docker pull collabora/code:latest
   

2. Identify and stop old container

      1 docker container ls \
      2         --filter ancestor=collabora/code \          
      3         --no-trunc
      4 docker container stop __your_container_name
   

3. Start new container

      1 read -r ADMIN_USERNAME
      2 read -r ADMIN_PASSWORD
      3 docker run -t -d \
      4         -p 9980:9980 \
      5         -e "aliasgroup1=https://cloud\\.rockstable\\.it" \
      6         -e "username=$ADMIN_USERNAME" \
      7         -e "password=$ADMIN_PASSWORD" \
      8         --restart always \
      9         collabora/code
   

4. Delete old containers

      1 docker container ls \
      2         --filter status=exited \
      3         --filter ancestor=collabora/code \
      4         --no-trunc
      5 docker container ls \
      6         --filter status=exited \
      7         --filter ancestor=collabora/code \
      8         --format "{{.ID}}" \
      9         |xargs docker container rm
   

Have fun!

Trouble Shooting

Cannot sync due to invalid modification time

In German:
"Synchronisierung wegen ungültiger Änderungszeit nicht möglich"

• github.com nextcloud/desktop Wiki - How to fix the error invalid or negative modification date

For usage with the nextcloud "snap"

   1 data_dir="/var/snap/nextcloud/common/nextcloud/data"
   2 db_type="mysql"
   3 db_host="localhost"
   4 db_user="root"
   5 read db_pwd
   6 db_name="nextcloud"
   7 #action="${7:-list}"
   8 #scan_action="${8:-noscan}"
   9 #use_birthday="${9:-dont_use_birthday}"
  10 #verbose="${10:-noverbose}"
  11 
  12 # Usage: ./solvable_files.sh <data_dir> \
  13 #               <mysql|pgsql> <db_host> <db_user> <db_pwd> <db_name> \
  14 #               <fix,list> <scan,noscan> <use_birthday,dont_use_birthday>
  15 
  16 ### LIST FILES WITH INVALID TIME
  17 ./solvable_files.sh \
  18         "$data_dir" \
  19         "$db_type" "$db_host" \
  20         "$db_user" "$db_pwd" \
  21         "$db_name" \
  22         list
  23 
  24 ### FIX FILES WITH INVALID TIME (TODAY)
  25 ./solvable_files.sh \
  26         "$data_dir" \
  27         "$db_type" "$db_host" \
  28         "$db_user" "$db_pwd" \
  29         "$db_name" \
  30         fix
  31 ### TRIGGER A SCAN OF THE FIXED FILES
  32 ./solvable_files.sh \
  33         "$data_dir" \
  34         "$db_type" "$db_host" \
  35         "$db_user" "$db_pwd" \
  36         "$db_name" \
  37         scan
  38 
  39 ### THE SCAN DID NOT WORK OUT IN MY CASE
  40 ### SO I TRIGGERED THE SCAN WITH
  41 snap run nextcloud.occ files:scan --all

Problem fixed.

nextcloud desktop client hangs

Disable upload bandwidth limit.
[Bug]: setting speed limit causes client hang. #5242

Nextcloud emails are not sent

Nextcloud emails send duriong polls never arrive.

The following error is shown in
/var/log/mail.log

   1 Jul  5 09:43:51 nextcloud1 postfix/smtpd[589111]: connect from localhost[::1]                                                                          
   2 Jul  5 09:43:51 nextcloud1 postfix/smtpd[589111]: lost connection after STARTTLS from localhost[::1]                                                                                                                                                                                                           
   3 Jul  5 09:43:51 nextcloud1 postfix/smtpd[589111]: disconnect from localhost[::1] ehlo=1 starttls=1 commands=2                                                                                                                                                                                                  

Workaround

Nextcloud is configured to relay emails via localhost:25. So this introduces no security issue.

Disable opportunistic TLS in
/etc/postfix/main.cf

   1 #smtpd_use_tls = yes
   2 smtpd_tls_security_level = none

Reload postfix

   1 postfix reload

Try again - works.

I haven't figured out the Nextcloud bug, yet.

Import and sync contacts and calenders to your mobile

DAVx5

On Android install DAVx⁵ from F-Droid.

If you just click on the link the appointments will imported to a existing calender and no synchronization will happen.

With public links

1. Open DAVx⁵

2. Add a new account
   1. Chose "Extended Login"
   2. Paste the public link to the URL field
   3. Leave Username/Password and client certificate unchecked
3. Withing the new account select caldav and the calender to be be imported.

With a nextcloud account

1. Open DAVx⁵

2. Add a new account
   1. Chose "Login with URL and Username"
   2. Paste the baselink link to the URL field
   3. Enter Username and Password
3. Withing the new account select caldav and the calender to be be imported.

Using Google

The Google Calender App has no Button "Add a new calender". But the web-version has an integrated CalDAV client, which can import and sync the calender with its source and publish it via the Google services to your smartphone.

Well than we also could have used a native Google Calender, right. Privacy aspects are not honored anymore.