nextcloud-installieren/README.md

# NextCloud installieren

Ordner erstellen

```
mkdir -p /opt/nextcloud/{database,app,daten}
```

Docker-Datei anlegen (`/opt/nextcloud/Dockerfile`)

```
FROM nextcloud
USER root
RUN apt update && apt install -y libmagickcore-6.q16-6-extra
```

Docker-Compose-Datei anlegen

`/opt/nextcloud/docker-compose.yml`

```
version: '3.3'

services:
  nextcloud-db:
    image: mariadb
    container_name: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /opt/nextcloud/database:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<SQL_root_Passwort>
      - MYSQL_PASSWORD=<SQL_Benutzer_Passwort>
      - MYSQL_DATABASE=nextcloud #Datenbank Name
      - MYSQL_USER=nextcloud #SQL Nutzername
      - MYSQL_INITDB_SKIP_TZINFO=1 
    networks:
      - default

  nextcloud-redis:
    image: redis:alpine
    container_name: nextcloud-redis
    hostname: nextcloud-redis
    networks:
        - default
    restart: unless-stopped
    command: redis-server --requirepass <Redis_Passwort>

  nextcloud-app:
    build: .
    container_name: nextcloud-app
    ports:
	  - 127.0.0.1:8080:80
    restart: unless-stopped
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    environment:
        REDIS_HOST: nextcloud-redis
        REDIS_HOST_PASSWORD: <Redis_Passwort>
    volumes:
      - /opt/nextcloud/app:/var/www/html
      - /opt/nextcloud/daten:/var/www/html/data

    networks:
      - default

  collabora:
    image: collabora/code
    container_name: nextcloud-collabora
    restart: unless-stopped
    networks:
      - default
    ports:
      - 127.0.0.1:9980:9980
    environment:
      - "domain=cloud\\.domain\\.tld"
      - "dictionaries=de en"
      - "username=<benutzername>"
      - "password=<passwort>"
```

NC starten

```
cd /opt/nextcloud
docker-compose up -d
```

Seite aufrufen `<ip-adresse>:8080` und Setup abschließen.

## reverse Proxy anlegen

Zertifikat erstellen

```
certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d cloud.domain.tld
```

Datei `/etc/apache2/sites-available/cloud.domain.tld.conf`

```
<VirtualHost *:80>
    
    ServerName cloud.domain.tld

    SSLEngine off

    DocumentRoot /var/www/html/

    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

<VirtualHost *:443>

    ServerName cloud.domain.tld

    DocumentRoot /var/www/html/

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.tld/privkey.pem

    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://cloud.domain.tld/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://cloud.domain.tld/remote.php/dav/ [R=301,L]

    ProxyRequests Off
    ProxyPreserveHost On

    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    <Location "/">

        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/

    </Location>

    <Location "/.well-known/acme-challenge">
        ProxyPass "!"
    </Location>

    CustomLog /var/log/apache2/cloud.domain.tld.log combined
    ErrorLog /var/log/apache2/cloud.domain.tld.error.log

</VirtualHost>
```

Konfiguration aktivieren

```
a2ensite cloud.domain.tld.conf
systemctl reload apache2
```

## Konfiguration anpassen

Datei `/opt/nextcloud/app/config/config.php`

```
...
  'trusted_domains' =>.
  array (
    0 => '10.4.0.1:8080',
    1 => 'cloud.domain.tld',
  ),
...
  'overwrite.cli.url' => 'https://cloud.domain.tld',
...
  'trusted_proxies' => '<IP-Adresse des Servers>',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.domain.tld',
  'default_phone_region' => 'DE',
  'app.mail.verify-tls-peer' => false,
...
```

Container neu starten

```
docker-compose restart
```

Wenn beim Sicherheitscheck angezeigt wird, dass der Header `X-Content-Type-Options` nicht konfiguriert ist, kann das daran liegen, dass er doppelt gesetzt ist und muss in der NC-Konfiguration entfernt werden.

Datei `/opt/nextcloud/app/.htaccess`

```
...
    #Header onsuccess unset X-Content-Type-Options
    #Header always set X-Content-Type-Options "nosniff"
...
```

## Cron Dienst anpassen

NC kennt mehrere Möglichkeiten, Hintergrund-Aufgaben zu erledigen. Da in einem Kontainer kein Dienst läuft, wird der cron-Dienst des Host-Servers verwendet.

In der ssh-Konsole als Benutzer root:

```
crontab -e
```

Befehl eintragen:

```
*/5 * * * * docker exec -t -u www-data nextcloud-app php -f /var/www/html/cron.php
```

NC-Einstellungen anpassen:

![](bilder/nc_004.png)

## Colabora Office

Eigene Domain in Apache als Reverse Proxy anlegen

```
certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d office.domain.tld
```

Datei `/etc/apache2/sites-available/office.domain.tld.conf`

```
<VirtualHost *:80>

    ServerName office.domain.tld

    SSLEngine off

    DocumentRoot /var/www/html/

    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

<VirtualHost *:443>

    ServerName office.domain.tld

    # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/srv3.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/srv3.domain.tld/privkey.pem
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder     on

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /lool https://127.0.0.1:9980/lool
    ProxyPassReverse    /lool https://127.0.0.1:9980/lool

    # Endpoint with information about availability of various features
    ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

    CustomLog /var/log/apache2/office.domain.tld.log combined
    ErrorLog /var/log/apache2/office.domain.tld.error.log

</VirtualHost>
```

Konfiguration aktivieren

```
a2ensite office.domain.tld.conf
a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers
systemctl restart apache2
```

In NC den eigenen Server eintragen:

![https://office.jgz.energie.net](bilder/nc_001.png)

## NextCloud Talk mit Signaling-Server

### Turn-Server installieren

```
apt install coturn
```

In `/etc/default/coturn` aktivieren

```
TURNSERVER_ENABLED=1
```

Datei `/etc/turnserver.conf` anpassen

```
listening-port=3478
listening-ip=<IPv4-Adresse des Servers>
listening-ip=<IPv6-Adresse des Servers>
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=<Secret>
realm=<FQDN des Servers>
total-quota=0
bps-capacity=0
no-tls
no-dtls
stale-nonce
no-loopback-peers
no-multicast-peers
proc-user=turnserver
proc-group=turnserver
```

Coturn-Server (neu) starten:

```
service coturn restart
```

Firewall anpassen

```
iptables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
netfilter-persistent save
```

NC-Einstellungen anpassen

![](bilder/nc_002.png)

### Janus installieren

```
add-apt-repository ppa:fancycode/janus
apt update
apt install janus
```

Konfiguration anpassen:

Datei `/etc/janus/janus.jcfg`

```
nat: {
        stun_server = "<server>"
        stun_port = 3478
        nice_debug = false
        full_trickle = true
# ...
        turn_rest_api_key = "<key>"
# ...
}
```

Mit dem Befehl `openssl rand -hex 16` kann der `<key>` erzeugt werden.

Datei `/etc/janus/janus.transport.http.jcfg`

```
general: {
# ...
        base_path = "/janus"
        http = true
        port = 8088
        ip = 127.0.0.1
        https = false
# ...
}
```

Datei `/etc/janus/janus.transport.websockets.jcfg`

```
general: {
# ...
        ws = true
        ws_port = 8188
        ws_ip = 127.0.0.1
        wss = false
# ...
}
```

Dienst (neu) starten:

```
systemctl restart janus
```

### NATS einrichten

```
docker pull nats:latest
docker run --name=natsserver -d -p 127.0.0.1:4222:4222 -ti --restart=always nats:latest
```

### Signaling-Server einrichten

```
apt install golang-go
cd /etc/
git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
cd /etc/nextcloud-spreed-signaling
make build
```

Lokale Konfiguration erzeugen:

```
cd /etc/nextcloud-spreed-signaling
cp server.conf.in server.conf
```

Datei `/etc/nextcloud-spreed-signaling/server.conf`:

```
[http]
listen = 127.0.0.1:8086

[sessions]
hashkey = <session-hashkey>
blockkey = <session-blockkey>

[backend]
backends = backend1

[backend1]
url = <URL des Nextcloud-Servers>
secret = <Nextcloud-Secret>

[nats]
url = nats://localhost:4222

[mcu]
type = janus
url = ws://127.0.0.1:8188

[turn]
apikey = <API-Key von Janus (turn_rest_api_key)>
secret = <Secret von Coturn (static-auth-secret)>
```

Für `<session-hashkey>` kann `openssl rand -hex 32` verwendet werden, `<session-blockkey>` darf nur 32 bytes haben und kann mit `openssl rand -hex 16` gebildet werden. 

Der Schlüssel `<Nextcloud-Secret>` kann ebenfalls mit `openssl rand -hex 32` erzeugt werden und wird dann in NC eingetragen.

Benutzer und Dienst anlegen:

```
groupadd signaling
useradd --system --gid signaling --shell /bin/false --comment "Nextcloud Signaling" signaling
```

Datei `/etc/systemd/system/nextcloud-signaling.service` anlegen

```
[Unit]
Description=Nextcloud Talk signaling server

[Service]
ExecStart=/etc/nextcloud-spreed-signaling/bin/signaling --config /etc/nextcloud-spreed-signaling/server.conf
User=signaling
Group=signaling
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Dienst aktivieren und starten:

```
systemctl daemon-reload
systemctl enable nextcloud-signaling
systemctl start nextcloud-signaling
```

Dienste überprüfen:

Janus:

```
journalctl -u janus
```

Signaling-Server:

```
journalctl -u nextcloud-signaling
```

### Apache-Proxy konfigurieren

Entweder als eigene Subdomain, oder in die NC-Konfiguration integrieren:

```
RewriteEngine On
RewriteRule ^/standalone-signaling/spreed$ - [L]
RewriteRule ^/standalone-signaling/api/(.*) http://127.0.0.1:8086/api/$1 [L,P]
ProxyPass "/standalone-signaling/" "ws://127.0.0.1:8086/"
```

NC-Konfiguration anpassen:

Die URL wird mit `https://<servername>/standalone-signaling` angegeben, als "Gemeinsames Geheimnis" trägt man `<Nextcloud-Secret>` aus der Konfiguration des Signaling-Servers ein.

![](bilder/nc_003.png)
erster commit 2021-03-17 23:12:59 +01:00			`# NextCloud installieren`
Initial commit 2021-03-17 23:01:23 +01:00
erster commit 2021-03-17 23:12:59 +01:00			`Ordner erstellen`

			```
			`mkdir -p /opt/nextcloud/{database,app,daten}`
			```

			Docker-Datei anlegen (`/opt/nextcloud/Dockerfile`)

			```
			`FROM nextcloud`
			`USER root`
			`RUN apt update && apt install -y libmagickcore-6.q16-6-extra`
			```

			`Docker-Compose-Datei anlegen`

			`/opt/nextcloud/docker-compose.yml`

			```
			`version: '3.3'`

			`services:`
			`nextcloud-db:`
			`image: mariadb`
			`container_name: nextcloud-db`
			`command: --transaction-isolation=READ-COMMITTED --log-bin=ROW`
			`restart: unless-stopped`
			`volumes:`
			`- /etc/localtime:/etc/localtime:ro`
			`- /etc/timezone:/etc/timezone:ro`
			`- /opt/nextcloud/database:/var/lib/mysql`
			`environment:`
			`- MYSQL_ROOT_PASSWORD=<SQL_root_Passwort>`
			`- MYSQL_PASSWORD=<SQL_Benutzer_Passwort>`
			`- MYSQL_DATABASE=nextcloud #Datenbank Name`
			`- MYSQL_USER=nextcloud #SQL Nutzername`
			`- MYSQL_INITDB_SKIP_TZINFO=1`
			`networks:`
			`- default`

			`nextcloud-redis:`
			`image: redis:alpine`
			`container_name: nextcloud-redis`
			`hostname: nextcloud-redis`
			`networks:`
			`- default`
			`restart: unless-stopped`
			`command: redis-server --requirepass <Redis_Passwort>`

			`nextcloud-app:`
			`build: .`
			`container_name: nextcloud-app`
			`ports:`
			`- 127.0.0.1:8080:80`
			`restart: unless-stopped`
			`depends_on:`
			`- nextcloud-db`
			`- nextcloud-redis`
			`environment:`
			`REDIS_HOST: nextcloud-redis`
			`REDIS_HOST_PASSWORD: <Redis_Passwort>`
			`volumes:`
			`- /opt/nextcloud/app:/var/www/html`
			`- /opt/nextcloud/daten:/var/www/html/data`

			`networks:`
			`- default`

			`collabora:`
			`image: collabora/code`
			`container_name: nextcloud-collabora`
			`restart: unless-stopped`
			`networks:`
			`- default`
			`ports:`
			`- 127.0.0.1:9980:9980`
			`environment:`
			`- "domain=cloud\\.domain\\.tld"`
			`- "dictionaries=de en"`
			`- "username=<benutzername>"`
			`- "password=<passwort>"`
			```

			`NC starten`

			```
			`cd /opt/nextcloud`
			`docker-compose up -d`
			```

			Seite aufrufen `<ip-adresse>:8080` und Setup abschließen.

			`## reverse Proxy anlegen`

			`Zertifikat erstellen`

			```
			`certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d cloud.domain.tld`
			```

			Datei `/etc/apache2/sites-available/cloud.domain.tld.conf`

			```
			`<VirtualHost *:80>`

			`ServerName cloud.domain.tld`

			`SSLEngine off`

			`DocumentRoot /var/www/html/`

			`RewriteEngine on`
			`RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}`

			`</VirtualHost>`

			`<VirtualHost *:443>`

			`ServerName cloud.domain.tld`

			`DocumentRoot /var/www/html/`

			`SSLEngine on`
			`SSLCertificateFile /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem`
			`SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.tld/privkey.pem`

			`Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"`

			`RewriteEngine On`
			`RewriteRule ^/\.well-known/carddav https://cloud.domain.tld/remote.php/dav/ [R=301,L]`
			`RewriteRule ^/\.well-known/caldav https://cloud.domain.tld/remote.php/dav/ [R=301,L]`

			`ProxyRequests Off`
			`ProxyPreserveHost On`

			`SSLProxyCheckPeerCN off`
			`SSLProxyCheckPeerName off`

			`<Location "/">`

			`ProxyPass http://127.0.0.1:8080/`
			`ProxyPassReverse http://127.0.0.1:8080/`

			`</Location>`

			`<Location "/.well-known/acme-challenge">`
			`ProxyPass "!"`
			`</Location>`

			`CustomLog /var/log/apache2/cloud.domain.tld.log combined`
			`ErrorLog /var/log/apache2/cloud.domain.tld.error.log`

			`</VirtualHost>`
			```

			`Konfiguration aktivieren`

			```
			`a2ensite cloud.domain.tld.conf`
			`systemctl reload apache2`
			```

			`## Konfiguration anpassen`

			Datei `/opt/nextcloud/app/config/config.php`

			```
			`...`
			`'trusted_domains' =>.`
			`array (`
			`0 => '10.4.0.1:8080',`
			`1 => 'cloud.domain.tld',`
			`),`
			`...`
			`'overwrite.cli.url' => 'https://cloud.domain.tld',`
			`...`
			`'trusted_proxies' => '<IP-Adresse des Servers>',`
			`'overwriteprotocol' => 'https',`
			`'overwritehost' => 'cloud.domain.tld',`
			`'default_phone_region' => 'DE',`
			`'app.mail.verify-tls-peer' => false,`
			`...`
			```

			`Container neu starten`

			```
			`docker-compose restart`
			```

			Wenn beim Sicherheitscheck angezeigt wird, dass der Header `X-Content-Type-Options` nicht konfiguriert ist, kann das daran liegen, dass er doppelt gesetzt ist und muss in der NC-Konfiguration entfernt werden.

			Datei `/opt/nextcloud/app/.htaccess`

			```
			`...`
			`#Header onsuccess unset X-Content-Type-Options`
			`#Header always set X-Content-Type-Options "nosniff"`
			`...`
			```

			`## Cron Dienst anpassen`

			`NC kennt mehrere Möglichkeiten, Hintergrund-Aufgaben zu erledigen. Da in einem Kontainer kein Dienst läuft, wird der cron-Dienst des Host-Servers verwendet.`

			`In der ssh-Konsole als Benutzer root:`

			```
			`crontab -e`
			```

			`Befehl eintragen:`

			```
			`/5 * * * docker exec -t -u www-data nextcloud-app php -f /var/www/html/cron.php`
			```

			`NC-Einstellungen anpassen:`

			`![](bilder/nc_004.png)`

			`## Colabora Office`

			`Eigene Domain in Apache als Reverse Proxy anlegen`

			```
			`certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d office.domain.tld`
			```

			Datei `/etc/apache2/sites-available/office.domain.tld.conf`

			```
			`<VirtualHost *:80>`

			`ServerName office.domain.tld`

			`SSLEngine off`

			`DocumentRoot /var/www/html/`

			`RewriteEngine on`
			`RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}`

			`</VirtualHost>`

			`<VirtualHost *:443>`

			`ServerName office.domain.tld`

			`# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!`
			`SSLEngine on`
			`SSLCertificateFile /etc/letsencrypt/live/srv3.domain.tld/fullchain.pem`
			`SSLCertificateKeyFile /etc/letsencrypt/live/srv3.domain.tld/privkey.pem`
			`SSLProtocol all -SSLv2 -SSLv3`
			SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
			`SSLHonorCipherOrder on`

			`# Encoded slashes need to be allowed`
			`AllowEncodedSlashes NoDecode`

			`# Container uses a unique non-signed certificate`
			`SSLProxyEngine On`
			`SSLProxyVerify None`
			`SSLProxyCheckPeerCN Off`
			`SSLProxyCheckPeerName Off`

			`# keep the host`
			`ProxyPreserveHost On`

			`# static html, js, images, etc. served from loolwsd`
			`# loleaflet is the client part of LibreOffice Online`
			`ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0`
			`ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet`

			`# WOPI discovery URL`
			`ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0`
			`ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery`

			`# Main websocket`
			`ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon`

			`# Admin Console websocket`
			`ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws`

			`# Download as, Fullscreen presentation and Image upload operations`
			`ProxyPass /lool https://127.0.0.1:9980/lool`
			`ProxyPassReverse /lool https://127.0.0.1:9980/lool`

			`# Endpoint with information about availability of various features`
			`ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0`
			`ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities`

			`CustomLog /var/log/apache2/office.domain.tld.log combined`
			`ErrorLog /var/log/apache2/office.domain.tld.error.log`

			`</VirtualHost>`
			```

			`Konfiguration aktivieren`

			```
			`a2ensite office.domain.tld.conf`
			`a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers`
			`systemctl restart apache2`
			```

			`In NC den eigenen Server eintragen:`

			`![https://office.jgz.energie.net](bilder/nc_001.png)`

			`## NextCloud Talk mit Signaling-Server`

			`### Turn-Server installieren`

			```
			`apt install coturn`
			```

			In `/etc/default/coturn` aktivieren

			```
			`TURNSERVER_ENABLED=1`
			```

			Datei `/etc/turnserver.conf` anpassen

			```
			`listening-port=3478`
			`listening-ip=<IPv4-Adresse des Servers>`
			`listening-ip=<IPv6-Adresse des Servers>`
			`fingerprint`
			`lt-cred-mech`
			`use-auth-secret`
			`static-auth-secret=<Secret>`
			`realm=<FQDN des Servers>`
			`total-quota=0`
			`bps-capacity=0`
			`no-tls`
			`no-dtls`
			`stale-nonce`
			`no-loopback-peers`
			`no-multicast-peers`
			`proc-user=turnserver`
			`proc-group=turnserver`
			```

			`Coturn-Server (neu) starten:`

			```
			`service coturn restart`
			```

			`Firewall anpassen`

			```
			`iptables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT`
			`iptables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT`
			`ip6tables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT`
			`ip6tables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT`
			`netfilter-persistent save`
			```

			`NC-Einstellungen anpassen`

			`![](bilder/nc_002.png)`

			`### Janus installieren`

			```
			`add-apt-repository ppa:fancycode/janus`
			`apt update`
			`apt install janus`
			```

			`Konfiguration anpassen:`

			Datei `/etc/janus/janus.jcfg`

			```
			`nat: {`
			`stun_server = "<server>"`
			`stun_port = 3478`
			`nice_debug = false`
			`full_trickle = true`
			`# ...`
			`turn_rest_api_key = "<key>"`
			`# ...`
			`}`
			```

Änderungen 2021-03-17 23:15:39 +01:00			Mit dem Befehl `openssl rand -hex 16` kann der `<key>` erzeugt werden.
erster commit 2021-03-17 23:12:59 +01:00
			Datei `/etc/janus/janus.transport.http.jcfg`

			```
			`general: {`
			`# ...`
			`base_path = "/janus"`
			`http = true`
			`port = 8088`
			`ip = 127.0.0.1`
			`https = false`
			`# ...`
			`}`
			```

			Datei `/etc/janus/janus.transport.websockets.jcfg`

			```
			`general: {`
			`# ...`
			`ws = true`
			`ws_port = 8188`
			`ws_ip = 127.0.0.1`
			`wss = false`
			`# ...`
			`}`
			```

			`Dienst (neu) starten:`

			```
			`systemctl restart janus`
			```

			`### NATS einrichten`

			```
			`docker pull nats:latest`
			`docker run --name=natsserver -d -p 127.0.0.1:4222:4222 -ti --restart=always nats:latest`
			```

			`### Signaling-Server einrichten`

			```
			`apt install golang-go`
			`cd /etc/`
			`git clone https://github.com/strukturag/nextcloud-spreed-signaling.git`
			`cd /etc/nextcloud-spreed-signaling`
			`make build`
			```

			`Lokale Konfiguration erzeugen:`

			```
			`cd /etc/nextcloud-spreed-signaling`
			`cp server.conf.in server.conf`
			```

			Datei `/etc/nextcloud-spreed-signaling/server.conf`:

			```
			`[http]`
			`listen = 127.0.0.1:8086`

			`[sessions]`
			`hashkey = <session-hashkey>`
			`blockkey = <session-blockkey>`

			`[backend]`
			`backends = backend1`

			`[backend1]`
			`url = <URL des Nextcloud-Servers>`
			`secret = <Nextcloud-Secret>`

			`[nats]`
			`url = nats://localhost:4222`

			`[mcu]`
			`type = janus`
			`url = ws://127.0.0.1:8188`

			`[turn]`
			`apikey = <API-Key von Janus (turn_rest_api_key)>`
			`secret = <Secret von Coturn (static-auth-secret)>`
			```

Änderungen 2021-03-17 23:15:39 +01:00			Für `<session-hashkey>` kann `openssl rand -hex 32` verwendet werden, `<session-blockkey>` darf nur 32 bytes haben und kann mit `openssl rand -hex 16` gebildet werden.
erster commit 2021-03-17 23:12:59 +01:00
Korrekturen 2021-03-18 08:47:23 +01:00			Der Schlüssel `<Nextcloud-Secret>` kann ebenfalls mit `openssl rand -hex 32` erzeugt werden und wird dann in NC eingetragen.
erster commit 2021-03-17 23:12:59 +01:00
			`Benutzer und Dienst anlegen:`

			```
			`groupadd signaling`
			`useradd --system --gid signaling --shell /bin/false --comment "Nextcloud Signaling" signaling`
			```

			Datei `/etc/systemd/system/nextcloud-signaling.service` anlegen

			```
			`[Unit]`
			`Description=Nextcloud Talk signaling server`

			`[Service]`
			`ExecStart=/etc/nextcloud-spreed-signaling/bin/signaling --config /etc/nextcloud-spreed-signaling/server.conf`
			`User=signaling`
			`Group=signaling`
			`Restart=on-failure`

			`[Install]`
			`WantedBy=multi-user.target`
			```

			`Dienst aktivieren und starten:`

			```
			`systemctl daemon-reload`
			`systemctl enable nextcloud-signaling`
			`systemctl start nextcloud-signaling`
			```

			`Dienste überprüfen:`

			`Janus:`

			```
			`journalctl -u janus`
			```

			`Signaling-Server:`

			```
			`journalctl -u nextcloud-signaling`
			```

			`### Apache-Proxy konfigurieren`

			`Entweder als eigene Subdomain, oder in die NC-Konfiguration integrieren:`

			```
			`RewriteEngine On`
			`RewriteRule ^/standalone-signaling/spreed$ - [L]`
			`RewriteRule ^/standalone-signaling/api/(.*) http://127.0.0.1:8086/api/$1 [L,P]`
			`ProxyPass "/standalone-signaling/" "ws://127.0.0.1:8086/"`
			```

			`NC-Konfiguration anpassen:`

Änderungen 2021-03-17 23:15:39 +01:00			Die URL wird mit `https://<servername>/standalone-signaling` angegeben, als "Gemeinsames Geheimnis" trägt man `<Nextcloud-Secret>` aus der Konfiguration des Signaling-Servers ein.
erster commit 2021-03-17 23:12:59 +01:00
			`![](bilder/nc_003.png)`