Why Nextcloud?
Nextcloud is an amazingly powerful cloud file system that lets you sync folders from your client machines. The system is built to meet enterprise-level needs, but it is free to download and host on your own server. You can set up user permissions to share specific files only with specific users. Many apps extend Nextcloud's functions, such as document version control and collaborative editing with Collabora (the home version is free for 20 users). Nextcloud can also be used as a mail client and for video chat.
Nextcloud is much like the business versions of Google Drive or Dropbox, but if you host your own Nextcloud server you do not have to pay for each member's license. Great for tech-savvy start-ups without much cash.
It's Open Source
If you are not familiar with the open source business model: the code is free and downloadable by everyone on GitHub. You can change the code to make improvements, but as part of the open source license you are required to post your improvements to the original developer's GitHub page. Nextcloud makes its money by offering white-glove support and guaranteed stability. You can read more about the open source business model here.
Easy With DigitalOcean Docs
I used DigitalOcean's Nextcloud guide, which uses Snap. It was really easy to get Nextcloud up and running with their docs. But it does not come with apps such as Collabora, Bitwarden, or the many other apps that the VM below installs from the start. You can read more about installing Collabora here if you would like to install Collabora home edition on your Droplet.
Nextcloud VM - With Apps
The remainder of this article follows Daniel Hansson's video for setting up a Nextcloud file server on DigitalOcean. Daniel has documentation for this install. You can find a link to Daniel's video in the README.md on Nextcloud's GitHub page.
Official Nextcloud documentation is found here.
I was initially interested in this VM because it installs Collabora, a platform that teams can use to collaborate on documents, spreadsheets, and presentations. Collabora also includes version control, which is of course very important for any company.
Later I found that there are many apps included in this VM, such as:
- Bitwarden – a password management app
- Many others
Getting Started
The first thing to do is set up a Droplet on DigitalOcean. Do not use DigitalOcean's automated bash script to configure a user; the VM will set up the ncadmin user for you.
Simply set up a standard Droplet using the standard options available on the create droplet page.
Note: Daniel recommends using a CPU-optimized droplet if that is available to you, but it is not required – if you would like this option made available to you, open a ticket with DigitalOcean to request it.
Configure Droplet
- Create a standard droplet
- Choose droplet size (See minimum requirements)
- Enable Block Storage – choose at least 50 GB, and select Manually Format And Mount
- Choose a data center that is close to you (or your users)
- Add any SSH keys you will be using
- Choose a unique name that describes the use of your file server
Minimum Requirements
- Nextcloud recommends at least 2 GB of RAM (some of the VM apps need 4 GB)
- The package requires a secondary volume; set this up during initial setup, and manually format and mount it
Collabora Needs More
- 2 CPUs are required to run Collabora
If you want to run the newer document editing app, use a system with 4 GB of RAM
Minimum For All Included Apps
Of the apps I have found, you will need 3 GB of RAM for Bitwarden and 4 GB of RAM for the newer document collaboration app.
Run The Install Script
In Nextcloud's GitHub repository, click on the nextcloud_install_production.sh file.
Click raw, then copy the URL text.
sudo -i
Daniel runs this command to log in as the root user on his local machine. See the sudo manual for more about its flags. He then uses SSH to connect to his remote server. If you are on a Mac, you will need to include the username, such as ssh root@your-external-ip-address. On Daniel's Linux machine he does not have to specify a user.
The install script should be run as the root user. The install script will prompt you to set up a user soon.
Use wget to retrieve the script at the copied GitHub URL. Once the file has downloaded, use the bash command below to run the shell script. A file with the .sh extension is a shell script.
wget https://raw.githubusercontent.com/nextcloud/vm/master/nextcloud_install_production.sh
bash nextcloud_install_production.sh
We then follow the directions. The software has been updated since Daniel made this video, so some parts will look different and you may be asked different questions.
Set Up A User - ncadmin
You will be prompted about the current user. After the colon you will see nothing at all.
This blank means you are in the root user. Hit OK and you will be prompted to set up a new user. Read through everything carefully and set up a user named: ncadmin
If You Run Into Trouble
Read through the installation’s terminal output. It will tell you what failed.
Remember, you can always scroll up. As you read the terminal output you will see which parts of the installation were successful. Perhaps more importantly, you will see what part of the installation failed.
If you like, you can save the terminal output as a text file. This way you can share the installation log with someone that can help you.
Sometimes errors are way up in the terminal output, so just keep scrolling. Reading through the terminal output will also help you track your progress along with Daniel's video.
Setting Up DNS
The install script will take a while to run. You can set up the DNS records in the meantime.
Daniel Hansson sets up his DNS in Cloudflare. This is a great choice because Cloudflare sells domain names at wholesale price and has its own Content Delivery Network (CDN). Your DNS record updates happen at lightning speed with Cloudflare, even compared to SiteGround, which is a Cloudflare partner.
Daniel starts by adding an A record named cloud pointing at the IP address of his DigitalOcean Droplet. He sets Automatic TTL and clicks the cloud icon so the hostname does not pass through Cloudflare (grey cloud).
He repeats these steps to set up an A Record for:
- cloud
- office
- collabora
After a few minutes, check that the DNS records have propagated correctly using whatsmydns.net
DNS Troubleshooting
If you are installing this on a remote server, you do not need to set up port forwarding. All ports are open by default on a DigitalOcean droplet.
If you are installing Nextcloud on a server that sits behind your router on your private network, you will need to forward ports from your router's external IP to your local server.
To get the SSL certificate, you will need to allow both incoming and outgoing traffic on ports 80 and 443.
If you are having trouble, double-check that you are not making a simple mistake, such as forgetting to update your DNS records when you start a new droplet. A new droplet will have a new IP.
Also, see our guide for more DNS troubleshooting tools.
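The mistakes this section describes (records still pointing at an old droplet's IP, or a name accidentally left on Cloudflare's orange-cloud proxy so it resolves to Cloudflare's edge rather than your server) can be caught from your own machine before you wait on the installer. The following script is an added example written for this article; it is not part of the Nextcloud VM project. The droplet IP, domain and the three hostnames are placeholders that you replace with your own values, and the resolver it uses is whatever your local machine is configured with.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed placeholders: substitute your droplet's public IP and your own domain.
DROPLET_IP = "203.0.113.10"                  # TEST-NET-3 address, not a real server
DOMAIN = "example.com"
HOSTNAMES = ["cloud", "office", "collabora"]  # the three A records created in the DNS section


def resolve_ipv4(name: str) -> str:
    """Ask the local resolver for the name's IPv4 address; raises OSError if it does not resolve."""
    return socket.gethostbyname(name)


def check_dns(droplet_ip: str, domain: str, hosts: Iterable[str],
              resolve: Callable[[str], str] = resolve_ipv4) -> List[Tuple[str, str]]:
    """Return (fqdn, problem) pairs for every record that does not point at droplet_ip.

    A record that resolves to a different address usually means one of two things:
    it still points at an old droplet (a new droplet gets a new IP), or the Cloudflare
    proxy (orange cloud) is on, so the name resolves to Cloudflare's edge instead of
    your server, which also breaks the Let's Encrypt step later in the install.
    """
    problems = []
    for host in hosts:
        fqdn = f"{host}.{domain}"
        try:
            got = resolve(fqdn)
        except OSError as exc:            # socket.gaierror is a subclass of OSError
            problems.append((fqdn, f"does not resolve ({exc})"))
            continue
        if got != droplet_ip:
            problems.append((fqdn, f"resolves to {got}, expected {droplet_ip}"))
    return problems


def dns_ok(droplet_ip: str, domain: str, hosts: Iterable[str],
           resolve: Callable[[str], str] = resolve_ipv4) -> bool:
    """True only when every record points at the droplet."""
    return not check_dns(droplet_ip, domain, hosts, resolve)


if __name__ == "__main__":
    issues = check_dns(DROPLET_IP, DOMAIN, HOSTNAMES)
    for fqdn, why in issues:
        print(f"{fqdn}: {why}")
    print("all records point at the droplet" if not issues
          else f"{len(issues)} record(s) need attention")
```

This only asks the resolver your machine is using, which may still be serving a cached answer for the old IP until the record's TTL runs out; whatsmydns.net asks many resolvers around the world, so use both. A name that resolves to an address in Cloudflare's range instead of the droplet is the grey-cloud/orange-cloud mistake described above.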
More About Installation
Most of the time, if you select the defaults in an installation script, you will have a successful installation. The packages are designed to work, so if you are not sure about something, the best bet is to choose the default setting.
Auto-select Data Disk
You will be asked if you want to choose which disk should be used to run the OS and which disk to hold the data. Let the script choose the data disk.
Formatting your DigitalOcean secondary volume (/dev/sda) when you hit OK.

*** WARNING: ALL YOUR DATA WILL BE ERASED! ***
It chooses /dev/sda.
/mnt/ncdata mounted successfully as a ZFS volume.

Automatic scrubbing is done monthly via a cronjob that you can find here:
/etc/cron.d/zfsutils-linux

Automatic snapshots are taken with 'zfs-auto-snapshot'. You can list current snapshots with:
'sudo zfs list -t snapshot'.
Manpage is here:
http://manpages.ubuntu.com/manpages/bionic/man8/zfs-auto-snapshot.8.html

CURRENT STATUS:
pool: ncdata
state: ONLINE
scan: none requested
config:
Again, Read The Terminal Output
There is good information in the terminal output. If you are planning on using this file server, there is a good chance you will want to refer back to this information in the future.
It is good practice to copy and paste important-looking sections into a text file and save that file on your local machine somewhere you will remember, such as:
~/installation logs/nextcloud/
Or, maybe even back it up in your soon to be Nextcloud file server.
Installing Apps - Part 1
Daniel only recommends installing Webmin if you are an expert at setting up Webmin.
I was not able to install IssueTemplate. More on this below.
Install apps or software
Automatically configure and install selected apps or software
Deselect by pressing the spacebar

[*] Calendar
[*] Contacts
[ ] IssueTemplate
[*] PDFViewer
[ ] Webmin
IssueTemplate
The installation prompted that IssueTemplate may not be compatible with Nextcloud 15 and I could install it later.
The issuetemplate app could not be installed.
Probably it's not compatible with Nextcloud 15.0.5.

You can try to install the app manually after the script has finished,
or when a new version of the app is released with the following command:

'sudo -u www-data php /var/www/nextcloud/occ app:install issuetemplate'
Package Configuration
I also saw many cases where a newer version of a package's configuration file was available than the one installed locally. Again, if you are not sure what to choose, in most cases it is best to choose the default action. This is one of those cases: select "keep the local version currently installed".
The files the installation refers to are files that DigitalOcean has previously modified to run on DigitalOcean's system.
Configuring openssh-server
A new version (/tmp/file52Kx9g) of configuration file /etc/ssh/sshd_config is available,
but the version installed currently has been locally modified.

What do you want to do about modified configuration file sshd_config?

  install the package maintainer's version
* keep the local version currently installed
  show the differences between the versions
  show a side-by-side difference between the versions
  show a 3-way difference between available versions
  do a 3-way merge between available versions
  start a new shell to examine the situation
A new version of /boot/grub/menu.lst is available, but the version
installed currently has been locally modified.

What would you like to do about menu.lst?

  install the package maintainer's version
* keep the local version currently installed
  show the differences between the versions
  show a side-by-side difference between the versions
  show a 3-way difference between available versions
  do a 3-way merge between available versions (experimental)
  start a new shell to examine the situation
Port Forwarding
Again, when installing the SSL certificate, the installation recommends forwarding ports 80 and 443. But keep in mind that you only need to forward ports 80 and 443 if you are running the server on your local machine.
The DigitalOcean droplet does not need your ports to be forwarded because the droplet has a public IP, and that IP is linked to your domain via an A record. Remember setting that up in Cloudflare in the DNS records section? So despite the installer's warnings, there is no need to worry about port forwarding.
Daniel provides this documentation for port forwarding.
Router Firewall - Open Ports
Important! Please read this:

This script will install SSL from Let's Encrypt.
It's free of charge, and very easy to maintain.

Before we begin the installation you need to have
a domain that the SSL certs will be valid for.
If you don't have a domain yet, get one before
you run this script!

You also have to open port 80+443 against this VMs
IP address: 139.65.211.111 - do this in your router/FW.
Here is a guide: https://goo.gl/Uyuf65

You can find the script here: /var/scripts/activate-ssl.sh
and you can run it after you got a domain.
It took me a couple of tries to get past this section. As it turned out I had port 80 blocked on my router’s firewall. Once I had that sorted (and I stopped trying to port forward from my local machine) I was able to successfully install the VM.
You need to open ports 80 & 443 for both incoming and outgoing traffic in your router's firewall.
Your local router's firewall should have a section called IPv4 Firewall or something similar. You will need to set up the firewall so Let's Encrypt can come in through port 80 and port 443 via your local machine's terminal and set up the SSL certificate on your remote server.
You may also want to check if your local machine’s OS has another firewall that might block these ports. Open those ports up too.
Here is the installation’s prompt about ports and firewalls.
System Admin Email
An e-mail address needs to be provided. The system will send various items to this address, such as user password resets.
You can choose whether to share that e-mail address with the Electronic Frontier Foundation. Daniel chooses not to share his e-mail in the video.
Installation Note:
The first time installing the SSL certificate, the VM was not able to connect. It said it would try two more times, then gave me a TXT record to add to Cloudflare. I waited until I saw the TXT record had propagated, by checking this record in whatsmydns.net
_acme-challenge.cloud.yadafaber.com
While I was waiting, I also refreshed my router’s firewall. I regret this because it is hard to know what solved it – the router refresh or the new TXT record.
Either way, the SSL certificate installed successfully. I’ll update this section when I install another VM.
SSL Activated
New settings works! SSL is now activated and OK!

This cert will expire in 90 days if you don't renew it.
There are several ways of renewing this cert and here are some tips and tricks:
https://goo.gl/c1JHR0

To do your job a little bit easier we have added a autorenew script as a cronjob.
If you need to edit the crontab please type: crontab -u root -e
If you need to edit the script itself, please check: /var/scripts/letsencryptrenew.sh

Feel free to contribute to this project: https://goo.gl/3fQD65
Part 2 - Startup Script
Once the installation script finishes your server will reboot. This will log you out of your SSH session.
SSH back into your DigitalOcean droplet using ssh root@your-ip-address
Daniel notes in his video: the startup script should be run as the user that was set up during the configuration of your server. In our case, that is ncadmin.
Running The Startup Script
sudo -u ncadmin sudo bash /var/scripts/nextcloud-startup-script.sh
This command uses super-user privileges to run nextcloud-startup-script.sh, located at /var/scripts/, as the user ncadmin.
The -u flag runs the command as a user other than the default. In this case the default user is root, and the -u flag runs the script as the user ncadmin. See the sudo manual for more information about its flags.
Read Installation Prompts Carefully
Thanks for downloading this Nextcloud VM by the Nextcloud Community!

To run the startup script type the sudoer password. This will either
be the default ('nextcloud') or the one chosen during installation.

If you have never done this before you can follow the complete
installation instructions here: https://bit.ly/2S8eGfS

You can schedule the Nextcloud update process using a cron job.
This is done using a script built into this VM that automatically
updates Nextcloud, sets secure permissions, and logs the successful
update to /var/log/cronjobs_success.log
Detailed instructions for setting this up can be found here:
https://www.techandme.se/nextcloud-update-is-now-fully-automated/

##################### T&M Hansson IT - 2019 #######################
Again, copy and paste important sections into a text file so you can refer to them later. (If you prefer, you can save your installation notes as a blog, like I am doing now.)
One of the first notices provided by the startup script is a link to the complete installation instructions.
Configuring Apps
This section is not finished yet, but it is here for reference. For most items you will just need to follow the prompts.
Information about each app needs to be added. Some apps have higher minimum requirements than the minimum requirements for Nextcloud itself.
Collabora instructions need to be added. To access Collabora, use the + sign and open a spreadsheet. It will not be accessible through collabora.yourdomain.com
Netdata Installed
Netdata is now installed and can be accessed from this address:

http://192.333.22.111:19999

If you want to reach it from the internet you need to open port 19999 in your firewall.
If you don't know how to open ports, please follow this guide:
https://www.techandme.se/open-port-80-443/

After you have opened the correct port, then you can visit Netdata from your domain:

http://cloud.yadafaber.com:19999 and or http://yourdomanin.com:19999

You can find more configuration options in their WIKI:
https://github.com/firehol/netdata/wiki/Configuration
imagick - Worth It?
Please note that this will put your server at risk as it will install a package called
'imagick' which is known to have several flaws.

You can check this issue to understand why: https://github.com/nextcloud/vm/issues/743

You can choose to cancel installing this in the next step.
There are some security flaws with imagick, so I decided not to install it.
Nextcloud - Talk
The default port for Talk used in this script is port 5349. You can read more about that port here. You will need to open port 5349 for both TCP and UDP in your router's firewall. For more information about Nextcloud Talk, click here.
You have to open 5349 TCP/UDP in your firewall or your TURN/STUN server won't work!
After you hit OK the script will check for the firewall and eventually exit on failure.

To run again the setup, after fixing your firewall:
sudo wget https://raw.githubusercontent.com/nextcloud/vm/master/apps/talk.sh
sudo bash talk.sh
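The Port Forwarding, Router Firewall, Netdata and Talk sections above all come down to the same question: which ports on the server are actually reachable from the internet, and are any reachable that you did not intend to expose? The script below is an added example written for this article, not code from the Nextcloud VM project. It probes TCP from the machine you run it on, so run it from your laptop, not from the droplet itself; the server address is a placeholder you replace with your droplet's public IP. Port 19999 (Netdata) is listed as one that should stay closed unless you opened it on purpose.

```python
import socket
from typing import Callable, Dict, Iterable

SERVER_IP = "203.0.113.10"   # placeholder (TEST-NET-3); use your droplet's public IP


def tcp_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes.

    A port blocked by a firewall usually times out; a port that is open in the
    firewall but has nothing listening yet is refused. Both count as "not open".
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(ip: str, expect_open: Iterable[int], expect_closed: Iterable[int],
                probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, str]:
    """Return {port: problem} for every port whose reachability differs from what you intend.

    Only TCP is probed: the UDP half of Talk's 5349 cannot be confirmed with a
    connect(), so rely on the talk.sh firewall check for that part.
    """
    problems: Dict[int, str] = {}
    for port in expect_open:
        if not probe(ip, port):
            problems[port] = "not reachable from outside"
    for port in expect_closed:
        if probe(ip, port):
            problems[port] = "reachable from outside; close it unless you meant to expose it"
    return problems


def preflight(ip: str, probe: Callable[[str, int], bool] = tcp_open) -> Dict[int, str]:
    """The set of ports this guide cares about:
    80/443 for Let's Encrypt validation and normal HTTPS access,
    5349 (TCP side) for Talk's TURN/STUN server,
    19999 for Netdata, which should not be public unless you opened it on purpose."""
    return check_ports(ip, expect_open=[80, 443, 5349], expect_closed=[19999], probe=probe)


if __name__ == "__main__":
    report = preflight(SERVER_IP)
    for port, why in sorted(report.items()):
        print(f"port {port}: {why}")
    print("ports look right" if not report else f"{len(report)} port(s) need attention")
```

Remember that 80 and 443 only show as open once Apache is installed and listening, so a failed probe during the early part of the install does not necessarily mean the firewall is wrong; re-run it after the install script finishes. Conversely, 5349 only becomes meaningful after you have run the Talk setup.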
Extra Configuration
All of the extra configurations are rather complex. I would only install these if you know what you are doing.
- Extra security, information here.
- ModSecurity for Apache2
- DigitalOcean already gives you a static IP address, so you will not need to worry about setting that up with netplan.io
Solve Man In The Middle "Attack"
After the reboot you may get a "man in the middle" error from SSH. Use this to ……
- Run as root.
ssh-keygen -f "/root/.ssh/known_hosts" -R <your server's IP address>
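The warning appears because the rebuilt droplet generated a fresh SSH host key that no longer matches the one saved in known_hosts for that IP, which is exactly the condition the warning exists to catch; the ssh-keygen -R command above simply forgets the old key. Before accepting the new one it is worth comparing its fingerprint with one read out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub in the DigitalOcean web console on the droplet. The helper below is an added example written for this article, not part of the Nextcloud VM project: it computes fingerprints the way ssh-keygen prints them and replaces the stale known_hosts entry only when the offered key matches the trusted fingerprint. The server IP, the known_hosts content and the key blobs are all constructed placeholders, not real keys.

```python
import base64
import hashlib
from typing import List, Tuple

SERVER_IP = "203.0.113.10"   # placeholder address (TEST-NET-3), not a real server


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed blob in ssh-ed25519 wire format: NOT a real key, just a valid shape."""
    raw = (b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
           + bytes((seed + i) % 256 for i in range(32)))
    return base64.b64encode(raw).decode()


# Constructed known_hosts content: a comment, the stale entry for the old droplet, an unrelated host.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    f"{SERVER_IP} ssh-ed25519 {_fake_ed25519_blob(1)}",
    f"git.example.org ssh-ed25519 {_fake_ed25519_blob(2)}",
]) + "\n"
# What 'ssh-keyscan -t ed25519 203.0.113.10' would print for the rebuilt droplet (constructed).
NEW_SCAN_LINE = f"{SERVER_IP} ssh-ed25519 {_fake_ed25519_blob(3)}"


def sha256_fingerprint(line: str) -> str:
    """Fingerprint in the form 'ssh-keygen -lf' prints: 'SHA256:' + unpadded base64 of SHA-256(blob).
    Accepts a known_hosts line ('host type blob') or a public key line ('type blob [comment]')."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key in line")


def entries_for_host(known_hosts: str, host: str) -> List[str]:
    """Plain-text lines whose host field lists host. Hashed entries (|1|...) cannot be matched this way."""
    matches = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith(("#", "|1|")):
            continue
        if host in line.split()[0].split(","):
            matches.append(line)
    return matches


def remove_host(known_hosts: str, host: str) -> str:
    """What 'ssh-keygen -R host' does for plain entries: drop the lines that list host, keep the rest."""
    stale = set(entries_for_host(known_hosts, host))
    return "".join(l + "\n" for l in known_hosts.splitlines() if l not in stale)


def replace_host_key(known_hosts: str, host: str, offered_line: str,
                     trusted_fp: str) -> Tuple[bool, str]:
    """Swap in the offered key only if its fingerprint equals the one verified out of band.
    Returns (accepted, new_known_hosts); on a mismatch the content is returned unchanged."""
    if sha256_fingerprint(offered_line) != trusted_fp:
        return False, known_hosts
    return True, remove_host(known_hosts, host) + offered_line + "\n"


if __name__ == "__main__":
    for old in entries_for_host(SAMPLE_KNOWN_HOSTS, SERVER_IP):
        print("stale entry:", sha256_fingerprint(old))
    console_fp = sha256_fingerprint(NEW_SCAN_LINE)   # in practice: pasted from the server console
    accepted, updated = replace_host_key(SAMPLE_KNOWN_HOSTS, SERVER_IP, NEW_SCAN_LINE, console_fp)
    print("accepted" if accepted else "REFUSED", "new key", console_fp)
```

In real use, `trusted_fp` is the string you read from the console and `offered_line` is the line from ssh-keyscan; if they disagree, do not run ssh-keygen -R and reconnect blindly, because at that point the warning is doing its job. The helper deliberately skips hashed known_hosts entries, which ssh-keygen -R handles itself.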
Further Support
Congrats! That should be it! If you need any assistance, here are a few options:
- For personal support, you can check out Daniel’s Premium Support.
- There are also help forums available from Nextcloud.
- Nextcloud subscriptions are also available – be sure to refer to @enoch85
- Information for publishing your server online can be found here.
To login to PostgreSQL just type:
sudo -u postgres psql nextcloud_db
Please Comment Below
If you found this article useful or if you have found errors or omissions, please comment below. Yadafaber is dedicated to improving based on customer and user feedback.
Wow! It's when reading stuff like this that keeps me motivated to continue maintaining the VM.
Great writeup! Thanks!
Thanks Daniel! It was great talking with you through your support channel. So much help! I will be updating the blog with your recommendations and advice. Great job on the VM!