NextCloud installieren

Ordner erstellen

mkdir -p /opt/nextcloud/{database,app,daten}

Docker-Datei anlegen (/opt/nextcloud/Dockerfile)

FROM nextcloud
USER root
RUN apt update && apt install -y libmagickcore-6.q16-6-extra

Docker-Compose-Datei anlegen

/opt/nextcloud/docker-compose.yml

version: '3.3'

services:
  nextcloud-db:
    image: mariadb
    container_name: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /opt/nextcloud/database:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<SQL_root_Passwort>
      - MYSQL_PASSWORD=<SQL_Benutzer_Passwort>
      - MYSQL_DATABASE=nextcloud #Datenbank Name
      - MYSQL_USER=nextcloud #SQL Nutzername
      - MYSQL_INITDB_SKIP_TZINFO=1 
    networks:
      - default

  nextcloud-redis:
    image: redis:alpine
    container_name: nextcloud-redis
    hostname: nextcloud-redis
    networks:
        - default
    restart: unless-stopped
    command: redis-server --requirepass <Redis_Passwort>

  nextcloud-app:
    build: .
    container_name: nextcloud-app
    ports:
	  - 127.0.0.1:8080:80
    restart: unless-stopped
    depends_on:
      - nextcloud-db
      - nextcloud-redis
    environment:
        REDIS_HOST: nextcloud-redis
        REDIS_HOST_PASSWORD: <Redis_Passwort>
    volumes:
      - /opt/nextcloud/app:/var/www/html
      - /opt/nextcloud/daten:/var/www/html/data

    networks:
      - default

  collabora:
    image: collabora/code
    container_name: nextcloud-collabora
    restart: unless-stopped
    networks:
      - default
    ports:
      - 127.0.0.1:9980:9980
    environment:
      - "domain=cloud\\.domain\\.tld"
      - "dictionaries=de en"
      - "username=<benutzername>"
      - "password=<passwort>"

NC starten

cd /opt/nextcloud
docker-compose up -d

Seite aufrufen <ip-adresse>:8080 und Setup abschließen.

reverse Proxy anlegen

Zertifikat erstellen

certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d cloud.domain.tld

Datei /etc/apache2/sites-available/cloud.domain.tld.conf

<VirtualHost *:80>
    
    ServerName cloud.domain.tld

    SSLEngine off

    DocumentRoot /var/www/html/

    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

<VirtualHost *:443>

    ServerName cloud.domain.tld

    DocumentRoot /var/www/html/

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.domain.tld/privkey.pem

    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://cloud.domain.tld/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://cloud.domain.tld/remote.php/dav/ [R=301,L]

    ProxyRequests Off
    ProxyPreserveHost On

    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    <Location "/">

        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/

    </Location>

    <Location "/.well-known/acme-challenge">
        ProxyPass "!"
    </Location>

    CustomLog /var/log/apache2/cloud.domain.tld.log combined
    ErrorLog /var/log/apache2/cloud.domain.tld.error.log

</VirtualHost>

Konfiguration aktivieren

a2ensite cloud.domain.tld.conf
systemctl reload apache2

Konfiguration anpassen

Datei /opt/nextcloud/app/config/config.php

...
  'trusted_domains' =>.
  array (
    0 => '10.4.0.1:8080',
    1 => 'cloud.domain.tld',
  ),
...
  'overwrite.cli.url' => 'https://cloud.domain.tld',
...
  'trusted_proxies' => '<IP-Adresse des Servers>',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.domain.tld',
  'default_phone_region' => 'DE',
  'app.mail.verify-tls-peer' => false,
...

Container neu starten

docker-compose restart

Wenn beim Sicherheitscheck angezeigt wird, dass der Header X-Content-Type-Options nicht konfiguriert ist, kann das daran liegen, dass er doppelt gesetzt ist und muss in der NC-Konfiguration entfernt werden.

Datei /opt/nextcloud/app/.htaccess

...
    #Header onsuccess unset X-Content-Type-Options
    #Header always set X-Content-Type-Options "nosniff"
...

Cron Dienst anpassen

NC kennt mehrere Möglichkeiten, Hintergrund-Aufgaben zu erledigen. Da in einem Kontainer kein Dienst läuft, wird der cron-Dienst des Host-Servers verwendet.

In der ssh-Konsole als Benutzer root:

crontab -e

Befehl eintragen:

*/5 * * * * docker exec -t -u www-data nextcloud-app php -f /var/www/html/cron.php

NC-Einstellungen anpassen:

Colabora Office

Eigene Domain in Apache als Reverse Proxy anlegen

certbot certonly --agree-tos --email admin@domain.tld --webroot -w /var/lib/letsencrypt/ -d office.domain.tld

Datei /etc/apache2/sites-available/office.domain.tld.conf

<VirtualHost *:80>

    ServerName office.domain.tld

    SSLEngine off

    DocumentRoot /var/www/html/

    RewriteEngine on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

</VirtualHost>

<VirtualHost *:443>

    ServerName office.domain.tld

    # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/srv3.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/srv3.domain.tld/privkey.pem
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder     on

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /lool https://127.0.0.1:9980/lool
    ProxyPassReverse    /lool https://127.0.0.1:9980/lool

    # Endpoint with information about availability of various features
    ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

    CustomLog /var/log/apache2/office.domain.tld.log combined
    ErrorLog /var/log/apache2/office.domain.tld.error.log

</VirtualHost>

Konfiguration aktivieren

a2ensite office.domain.tld.conf
a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers
systemctl restart apache2

In NC den eigenen Server eintragen:

NextCloud Talk mit Signaling-Server

Turn-Server installieren

apt install coturn

In /etc/default/coturn aktivieren

TURNSERVER_ENABLED=1

Datei /etc/turnserver.conf anpassen

listening-port=3478
listening-ip=<IPv4-Adresse des Servers>
listening-ip=<IPv6-Adresse des Servers>
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=<Secret>
realm=<FQDN des Servers>
total-quota=0
bps-capacity=0
no-tls
no-dtls
stale-nonce
no-loopback-peers
no-multicast-peers
proc-user=turnserver
proc-group=turnserver

Coturn-Server (neu) starten:

service coturn restart

Firewall anpassen

iptables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 3478 -m state --state NEW,ESTABLISHED -j ACCEPT
netfilter-persistent save

NC-Einstellungen anpassen

Janus installieren

add-apt-repository ppa:fancycode/janus
apt update
apt install janus

Konfiguration anpassen:

Datei /etc/janus/janus.jcfg

nat: {
        stun_server = "<server>"
        stun_port = 3478
        nice_debug = false
        full_trickle = true
# ...
        turn_rest_api_key = "<key>"
# ...
}

Mit dem Befehl openssl rand -hex 16 kann der erzeugt werden.

Datei /etc/janus/janus.transport.http.jcfg

general: {
# ...
        base_path = "/janus"
        http = true
        port = 8088
        ip = 127.0.0.1
        https = false
# ...
}

Datei /etc/janus/janus.transport.websockets.jcfg

general: {
# ...
        ws = true
        ws_port = 8188
        ws_ip = 127.0.0.1
        wss = false
# ...
}

Dienst (neu) starten:

systemctl restart janus

NATS einrichten

docker pull nats:latest
docker run --name=natsserver -d -p 127.0.0.1:4222:4222 -ti --restart=always nats:latest

Signaling-Server einrichten

apt install golang-go
cd /etc/
git clone https://github.com/strukturag/nextcloud-spreed-signaling.git
cd /etc/nextcloud-spreed-signaling
make build

Lokale Konfiguration erzeugen:

cd /etc/nextcloud-spreed-signaling
cp server.conf.in server.conf

Datei /etc/nextcloud-spreed-signaling/server.conf:

[http]
listen = 127.0.0.1:8086

[sessions]
hashkey = <session-hashkey>
blockkey = <session-blockkey>

[backend]
backends = backend1

[backend1]
url = <URL des Nextcloud-Servers>
secret = <Nextcloud-Secret>

[nats]
url = nats://localhost:4222

[mcu]
type = janus
url = ws://127.0.0.1:8188

[turn]
apikey = <API-Key von Janus (turn_rest_api_key)>
secret = <Secret von Coturn (static-auth-secret)>

Für kann openssl rand -hex 32 verwendet werden, darf nur 32 bytes haben und kann mit openssl rand -hex 16 gebildet werden.

Der Schlüssel kann ebenfalls mit openssl rand -hex 32 erzeugt werden und wird dann in NC eingetragen.

Benutzer und Dienst anlegen:

groupadd signaling
useradd --system --gid signaling --shell /bin/false --comment "Nextcloud Signaling" signaling

Datei /etc/systemd/system/nextcloud-signaling.service anlegen

[Unit]
Description=Nextcloud Talk signaling server

[Service]
ExecStart=/etc/nextcloud-spreed-signaling/bin/signaling --config /etc/nextcloud-spreed-signaling/server.conf
User=signaling
Group=signaling
Restart=on-failure

[Install]
WantedBy=multi-user.target

Dienst aktivieren und starten:

systemctl daemon-reload
systemctl enable nextcloud-signaling
systemctl start nextcloud-signaling

Dienste überprüfen:

Janus:

journalctl -u janus

Signaling-Server:

journalctl -u nextcloud-signaling

Apache-Proxy konfigurieren

Entweder als eigene Subdomain, oder in die NC-Konfiguration integrieren:

RewriteEngine On
RewriteRule ^/standalone-signaling/spreed$ - [L]
RewriteRule ^/standalone-signaling/api/(.*) http://127.0.0.1:8086/api/$1 [L,P]
ProxyPass "/standalone-signaling/" "ws://127.0.0.1:8086/"

NC-Konfiguration anpassen:

Die URL wird mit https://<servername>/standalone-signaling angegeben, als "Gemeinsames Geheimnis" trägt man aus der Konfiguration des Signaling-Servers ein.