diff --git a/README.md b/README.md
index 8ac8555..20c89b7 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,545 @@
-# nextcloud-installieren
+# NextCloud installieren
+Ordner erstellen
+
+```
+mkdir -p /opt/nextcloud/{database,app,daten}
+```
+
+Docker-Datei anlegen (`/opt/nextcloud/Dockerfile`)
+
+```
+FROM nextcloud
+USER root
+RUN apt update && apt install -y libmagickcore-6.q16-6-extra
+```
+
+Docker-Compose-Datei anlegen
+
+`/opt/nextcloud/docker-compose.yml`
+
+```
+version: '3.3'
+
+services:
+ nextcloud-db:
+ image: mariadb
+ container_name: nextcloud-db
+ command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
+ restart: unless-stopped
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/timezone:/etc/timezone:ro
+ - /opt/nextcloud/database:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=
+ - MYSQL_PASSWORD=
+ - MYSQL_DATABASE=nextcloud #Datenbank Name
+ - MYSQL_USER=nextcloud #SQL Nutzername
+ - MYSQL_INITDB_SKIP_TZINFO=1
+ networks:
+ - default
+
+ nextcloud-redis:
+ image: redis:alpine
+ container_name: nextcloud-redis
+ hostname: nextcloud-redis
+ networks:
+ - default
+ restart: unless-stopped
+ command: redis-server --requirepass
+
+ nextcloud-app:
+ build: .
+ container_name: nextcloud-app
+ ports:
+ - 127.0.0.1:8080:80
+ restart: unless-stopped
+ depends_on:
+ - nextcloud-db
+ - nextcloud-redis
+ environment:
+ REDIS_HOST: nextcloud-redis
+ REDIS_HOST_PASSWORD:
+ volumes:
+ - /opt/nextcloud/app:/var/www/html
+ - /opt/nextcloud/daten:/var/www/html/data
+
+ networks:
+ - default
+
+ collabora:
+ image: collabora/code
+ container_name: nextcloud-collabora
+ restart: unless-stopped
+ networks:
+ - default
+ ports:
+ - 127.0.0.1:9980:9980
+ environment:
+ - "domain=cloud\\.domain\\.tld"
+ - "dictionaries=de en"
+ - "username="
+ - "password="
+```
+
+NC starten
+
+```
+cd /opt/nextcloud
+docker-compose up -d
+```
+
+Seite aufrufen `:8080` und Setup abschließen.
+
+## reverse Proxy anlegen
+
+Zertifikat erstellen
+
+```
+certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d cloud.domain.tld
+```
+
+Datei `/etc/apache2/sites-available/cloud.domain.tld.conf`
+
+```
+
+
+ ServerName cloud.domain.tld
+
+ SSLEngine off
+
+ DocumentRoot /var/www/html/
+
+ RewriteEngine on
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+
+
+
+
+
+ ServerName cloud.domain.tld
+
+ DocumentRoot /var/www/html/
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.tld/privkey.pem
+
+ Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+
+ RewriteEngine On
+ RewriteRule ^/\.well-known/carddav https://cloud.domain.tld/remote.php/dav/ [R=301,L]
+ RewriteRule ^/\.well-known/caldav https://cloud.domain.tld/remote.php/dav/ [R=301,L]
+
+ ProxyRequests Off
+ ProxyPreserveHost On
+
+ SSLProxyCheckPeerCN off
+ SSLProxyCheckPeerName off
+
+
+
+ ProxyPass http://127.0.0.1:8080/
+ ProxyPassReverse http://127.0.0.1:8080/
+
+
+
+
+ ProxyPass "!"
+
+
+ CustomLog /var/log/apache2/cloud.domain.tld.log combined
+ ErrorLog /var/log/apache2/cloud.domain.tld.error.log
+
+
+```
+
+Konfiguration aktivieren
+
+```
+a2ensite cloud.domain.tld.conf
+systemctl reload apache2
+```
+
+## Konfiguration anpassen
+
+Datei `/opt/nextcloud/app/config/config.php`
+
+```
+...
+ 'trusted_domains' =>.
+ array (
+ 0 => '10.4.0.1:8080',
+ 1 => 'cloud.domain.tld',
+ ),
+...
+ 'overwrite.cli.url' => 'https://cloud.domain.tld',
+...
+ 'trusted_proxies' => '',
+ 'overwriteprotocol' => 'https',
+ 'overwritehost' => 'cloud.domain.tld',
+ 'default_phone_region' => 'DE',
+ 'app.mail.verify-tls-peer' => false,
+...
+```
+
+Container neu starten
+
+```
+docker-compose restart
+```
+
+Wenn beim Sicherheitscheck angezeigt wird, dass der Header `X-Content-Type-Options` nicht konfiguriert ist, kann das daran liegen, dass er doppelt gesetzt ist und muss in der NC-Konfiguration entfernt werden.
+
+Datei `/opt/nextcloud/app/.htaccess`
+
+```
+...
+ #Header onsuccess unset X-Content-Type-Options
+ #Header always set X-Content-Type-Options "nosniff"
+...
+```
+
+## Cron Dienst anpassen
+
+NC kennt mehrere Möglichkeiten, Hintergrund-Aufgaben zu erledigen. Da in einem Kontainer kein Dienst läuft, wird der cron-Dienst des Host-Servers verwendet.
+
+In der ssh-Konsole als Benutzer root:
+
+```
+crontab -e
+```
+
+Befehl eintragen:
+
+```
+*/5 * * * * docker exec -t -u www-data nextcloud-app php -f /var/www/html/cron.php
+```
+
+NC-Einstellungen anpassen:
+
+![](bilder/nc_004.png)
+
+## Colabora Office
+
+Eigene Domain in Apache als Reverse Proxy anlegen
+
+```
+certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d office.domain.tld
+```
+
+Datei `/etc/apache2/sites-available/office.domain.tld.conf`
+
+```
+
+
+ ServerName office.domain.tld
+
+ SSLEngine off
+
+ DocumentRoot /var/www/html/
+
+ RewriteEngine on
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+
+
+
+
+
+ ServerName office.domain.tld
+
+ # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/srv3.domain.tld/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/srv3.domain.tld/privkey.pem
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ SSLHonorCipherOrder on
+
+ # Encoded slashes need to be allowed
+ AllowEncodedSlashes NoDecode
+
+ # Container uses a unique non-signed certificate
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+
+ # keep the host
+ ProxyPreserveHost On
+
+ # static html, js, images, etc.
served from loolwsd
+ # loleaflet is the client part of LibreOffice Online
+ ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
+ ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
+
+ # WOPI discovery URL
+ ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
+ ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
+
+ # Main websocket
+ ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
+
+ # Admin Console websocket
+ ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
+
+ # Download as, Fullscreen presentation and Image upload operations
+ ProxyPass /lool https://127.0.0.1:9980/lool
+ ProxyPassReverse /lool https://127.0.0.1:9980/lool
+
+ # Endpoint with information about availability of various features
+ ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
+ ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
+
+ CustomLog /var/log/apache2/office.domain.tld.log combined
+ ErrorLog /var/log/apache2/office.domain.tld.error.log
+
+
+```
+
+Konfiguration aktivieren
+
+```
+a2ensite office.domain.tld.conf
+a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers
+systemctl restart apache2
+```
+
+In NC den eigenen Server eintragen:
+
+![https://office.jgz.energie.net](bilder/nc_001.png)
+
+## NextCloud Talk mit Signaling-Server
+
+### Turn-Server installieren
+
+```
+apt install coturn
+```
+
+In `/etc/default/coturn` aktivieren
+
+```
+TURNSERVER_ENABLED=1
+```
+
+Datei `/etc/turnserver.conf` anpassen
+
+```
+listening-port=3478
+listening-ip=
+listening-ip=
+fingerprint
+lt-cred-mech
+use-auth-secret
+static-auth-secret=
+realm=
+total-quota=0
+bps-capacity=0
+no-tls
+no-dtls
+stale-nonce
+no-loopback-peers
+no-multicast-peers
+proc-user=turnserver
+proc-group=turnserver
+```
+
+Coturn-Server (neu) starten:
+
+```
+service coturn restart
+```
+
+Firewall anpassen
+
+```
+iptables -A INPUT -p tcp -m tcp
--dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
+ip6tables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
+ip6tables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
+netfilter-persistent save
+```
+
+NC-Einstellungen anpassen
+
+![](bilder/nc_002.png)
+
+### Janus installieren
+
+```
+add-apt-repository ppa:fancycode/janus
+apt update
+apt install janus
+```
+
+Konfiguration anpassen:
+
+Datei `/etc/janus/janus.jcfg`
+
+```
+nat: {
+ stun_server = ""
+ stun_port = 3478
+ nice_debug = false
+ full_trickle = true
+# ...
+ turn_rest_api_key = ""
+# ...
+}
+```
+
+Mit dem Befehl `openssl rand -hex 16` kann der erzeugt werden.
+
+Datei `/etc/janus/janus.transport.http.jcfg`
+
+```
+general: {
+# ...
+ base_path = "/janus"
+ http = true
+ port = 8088
+ ip = 127.0.0.1
+ https = false
+# ...
+}
+```
+
+Datei `/etc/janus/janus.transport.websockets.jcfg`
+
+```
+general: {
+# ...
+ ws = true
+ ws_port = 8188
+ ws_ip = 127.0.0.1
+ wss = false
+# ...
+}
+```
+
+Dienst (neu) starten:
+
+```
+systemctl restart janus
+```
+
+### NATS einrichten
+
+```
+docker pull nats:latest
+docker run --name=natsserver -d -p 127.0.0.1:4222:4222 -ti --restart=always nats:latest
+```
+
+### Signaling-Server einrichten
+
+```
+apt install golang-go
+cd /etc/
+git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
+cd /etc/nextcloud-spreed-signaling
+make build
+```
+
+Lokale Konfiguration erzeugen:
+
+```
+cd /etc/nextcloud-spreed-signaling
+cp server.conf.in server.conf
+```
+
+Datei `/etc/nextcloud-spreed-signaling/server.conf`:
+
+```
+[http]
+listen = 127.0.0.1:8086
+
+[sessions]
+hashkey =
+blockkey =
+
+[backend]
+backends = backend1
+
+[backend1]
+url =
+secret =
+
+[nats]
+url = nats://localhost:4222
+
+[mcu]
+type = janus
+url = ws://127.0.0.1:8188
+
+[turn]
+apikey =
+secret =
+```
+
+Für kann `openssl rand -hex 32` verwendet werden, darf nur 32 bytes haben und kann mit `openssl rand -hex 16` gebildet werden.
+
+Der Schlüssel kann ebenfalls mit `openssl rand -hex 32` erzeugt werden und wird dann in NC eingetragen.
+
+Benutzer und Dienst anlegen:
+
+```
+groupadd signaling
+useradd --system --gid signaling --shell /bin/false --comment "Nextcloud Signaling" signaling
+```
+
+Datei `/etc/systemd/system/nextcloud-signaling.service` anlegen
+
+```
+[Unit]
+Description=Nextcloud Talk signaling server
+
+[Service]
+ExecStart=/etc/nextcloud-spreed-signaling/bin/signaling --config /etc/nextcloud-spreed-signaling/server.conf
+User=signaling
+Group=signaling
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Dienst aktivieren und starten:
+
+```
+systemctl daemon-reload
+systemctl enable nextcloud-signaling
+systemctl start nextcloud-signaling
+```
+
+Dienste überprüfen:
+
+Janus:
+
+```
+journalctl -u janus
+```
+
+Signaling-Server:
+
+```
+journalctl -u nextcloud-signaling
+```
+
+### Apache-Proxy konfigurieren
+
+Entweder als eigene Subdomain, oder in die NC-Konfiguration integrieren:
+
+```
+RewriteEngine On
+RewriteRule ^/standalone-signaling/spreed$ - [L]
+RewriteRule ^/standalone-signaling/api/(.*) http://127.0.0.1:8086/api/$1 [L,P]
+ProxyPass "/standalone-signaling/" "ws://127.0.0.1:8086/"
+```
+
+NC-Konfiguration anpassen:
+
+Die URL wird mit `https:///standalone-signaling` angegeben, als "Gemeinsames Geheimnis" trägt man aus der Konfiguration des Signaling-Servers ein.
+
+![](bilder/nc_003.png)
\ No newline at end of file
diff --git a/bilder/nc_001.png b/bilder/nc_001.png
new file mode 100644
index 0000000..3f9cb88
Binary files /dev/null and b/bilder/nc_001.png differ
diff --git a/bilder/nc_002.png b/bilder/nc_002.png
new file mode 100644
index 0000000..7486147
Binary files /dev/null and b/bilder/nc_002.png differ
diff --git a/bilder/nc_003.png b/bilder/nc_003.png
new file mode 100644
index 0000000..320f455
Binary files /dev/null and b/bilder/nc_003.png differ
diff --git a/bilder/nc_004.png b/bilder/nc_004.png
new file mode 100644
index 0000000..6d31115
Binary files /dev/null and b/bilder/nc_004.png differ