Nextcloud

From Organic Design wiki
Revision as of 16:10, 19 February 2018 by Nad (talk | contribs)

This is our procedure for installing NextCloud and LibreOffice Online on a Debian-based server. LibreOffice has included a component that allows it to be served over HTTP since version 5.3, but to use it you need to integrate it with a cloud file system that supports it. NextCloud, which is a brilliant groupware suite in its own right, supports LibreOffice Online and integrates perfectly with it.

I'm following the instructions created by Collabora and NextCloud from here, and more specifically the Nginx variation here. I'm documenting my specific configuration here, including the LetsEncrypt set-up and other aspects that are outside the scope of those instructions, so that we have a more easily reproducible procedure.

I'm using two domains here, which you'll need to change for your own purposes: office.organicdesign.host for the main LibreOffice Online entry point, and files.organicdesign.host for NextCloud.

Set up the server

Bring the machine up to date and install the following dependencies.

apt install git net-tools apt-transport-https locales-all \
            nginx php7.0-fpm php7.0-mysqlnd php7.0-zip php7.0-gd php7.0-curl php7.0-simplexml php7.0-mbstring

Set up MariaDB from their repositories here, and create a database and user ready for NextCloud.

Run through the Docker installation.

Configure the web-server and SSL certificates

In the Nginx configuration for this site, add a basic block for handling non-HTTPS (plain HTTP) requests as follows. This allows the LetsEncrypt domain validation requests to pass, while all other requests are redirected to their respective HTTPS counterparts.

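server {
	listen 80;
	listen [::]:80;
	# Regex that matches any host name, so this block catches every plain-HTTP request
	server_name ~^;
	# Let LetsEncrypt challenge requests through instead of redirecting them
	rewrite ^/\.well-known $uri last;
	# $host, not $server_name: $server_name is the first configured name, here the regex itself
	return 301 https://$host$request_uri;
}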


We can now install LetsEncrypt.

cd /var/www
git clone https://github.com/certbot/certbot.git letsencrypt


Then run it to create our certificates. After it has successfully created them, add the command to crontab so that it is called daily.

letsencrypt/letsencrypt-auto certonly -q --keep --renew-with-new-domains --expand --webroot -w /var/www --agree-tos \
    --email "admin@organicdesign.host" -d office.organicdesign.host -d files.organicdesign.host


Now create /var/www/nginx.ssl.conf with the following content, which will be included from all SSL blocks. You'll need to replace the certificate paths with the ones that LetsEncrypt created for you. This block uses a set of secure ciphers suggested by SSL Labs; see SSL for more details.

ssl on; # obsolete since nginx 1.15.0; newer versions use the ssl parameter of listen instead
# SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) are left out
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # SSLlabs
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /var/www/dhparams.pem;
ssl_certificate /etc/letsencrypt/live/office.organicdesign.host/fullchain.pem;
# Trust store for client-certificate and OCSP checks; the chain sent to browsers comes from fullchain.pem
ssl_client_certificate /etc/letsencrypt/live/office.organicdesign.host/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/office.organicdesign.host/privkey.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;


Don't forget to create the strong Diffie-Hellman parameters which we referred to in nginx.ssl.conf.

openssl dhparam -out /var/www/dhparams.pem 2048
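
An offline check for the nginx.ssl.conf include, as an added example that is not part of the original procedure: it flags legacy protocol versions on the ssl_protocols line and a missing HSTS header. The function name audit_tls_conf and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_tls_conf FILE: print one finding per line for an nginx TLS include.
# Returns 0 when nothing is flagged, 1 otherwise. (Hypothetical helper.)
audit_tls_conf() {
    findings=0
    # Drop comments so a commented-out directive is not counted.
    body=$(sed 's/#.*//' "$1")

    # Everything between "ssl_protocols" and the closing semicolon.
    protos=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p')
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set: the nginx built-in default applies"
        findings=1
    fi
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "legacy protocol enabled: $p"
                findings=1 ;;
        esac
    done

    if ! printf '%s\n' "$body" |
        grep -q 'add_header[[:space:]]\{1,\}Strict-Transport-Security'; then
        echo "HSTS header missing"
        findings=1
    fi
    return "$findings"
}

# Constructed samples: one include that enables legacy protocols, one that does not.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
cat > "$tmp/strict.conf" <<'EOF'
ssl_protocols TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
audit_tls_conf "$tmp/weak.conf" || true
audit_tls_conf "$tmp/strict.conf" && echo "strict.conf: no findings"
```

Run it against /var/www/nginx.ssl.conf before reloading Nginx; a non-zero exit status means at least one finding was printed.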

Install and configure NextCloud

NextCloud is a "drop-box" style web-application which is completely open-source so you can install it on your own server, and it has built-in integration for working with LibreOffice Online. NextCloud is written in PHP, so first download the source and unpack it into /var/www/nextcloud, ensure it's accessible by www-data, and then add the Nginx configuration recommended here. In this configuration we need to adjust the domain names and delete the port 80 block, since we already have the one described above to handle LetsEncrypt domain validation requests. Also remove the SSL lines and replace them with an include of the nginx.ssl.conf we made above.

A database and user will need to be created and then you can run through the install by going to the files.organicdesign.host domain. After you've successfully installed NextCloud, go to the admin updater to check for any problems or optimisations and upgrade to the latest stable version.

  • I changed the URL in config/config.php to https
  • I noticed the install had used the wrong DB user once, so it may need editing in config.php
  • I removed the upstream block and used unix:/run/php/php7.0-fpm.sock directly for the fastcgi_pass parameter

Install LibreOffice Online

From the Docker image

docker pull collabora/code
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=files\\.organicdesign\\.host' --restart always --cap-add MKNOD collabora/code

Using the Debian package

The Docker image is the simplest method, but Docker is heavy and you may prefer to install loolwsd from the native package.

echo "deb https://collaboraoffice.com/repos/CollaboraOnline/CODE /" >> /etc/apt/sources.list.d/collabora.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 6CCEA47B2281732DF5D504D00C54D189F4BA284D
apt update
apt install loolwsd code-brand


If you want to add dictionaries for various languages:

apt install 'collaboraoffice5.3-dict*' 'collaboraofficebasis5.3*'
mkdir -p /usr/share/hunspell
mkdir -p /usr/share/hyphen
mkdir -p /usr/share/mythes
mkdir -p /opt/lool/systemplate/usr/share/hyphen
# Patterns are quoted so the shell passes them on unexpanded
find /opt/collaboraoffice5.3/share/extensions/ -name 'hyph*.dic' -exec cp {} /opt/lool/systemplate/usr/share/hyphen \;
find /opt/collaboraoffice5.3/share/extensions/ -name 'hyph*.dic' -exec cp {} /usr/share/hyphen \;
cp /opt/collaboraoffice5.3/share/extensions/dict-en/en_US.* /usr/share/hunspell
cp /opt/collaboraoffice5.3/share/extensions/dict-en/en_GB.* /usr/share/hunspell
cp /opt/collaboraoffice5.3/share/extensions/dict-pt-BR/pt_BR.* /usr/share/hunspell
apt remove --purge 'collaboraoffice5.3-dict*'
rm -rf /var/lib/apt/lists/*


This is needed to fix a domain resolving bug:

rm /opt/lool/systemplate/etc/resolv.conf
ln -s /etc/resolv.conf /opt/lool/systemplate/etc/resolv.conf


Copy the LetsEncrypt certs (replace with your own cert path):

cp /etc/letsencrypt/live/office.organicdesign.host/privkey.pem /etc/loolwsd/key.pem
cp /etc/letsencrypt/live/office.organicdesign.host/cert.pem /etc/loolwsd/cert.pem
cp /etc/letsencrypt/live/office.organicdesign.host/chain.pem /etc/loolwsd/ca-chain.cert.pem
chown lool:lool /etc/loolwsd/*.pem
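
The copies in /etc/loolwsd are taken once, while the certificates under /etc/letsencrypt/live are renewed from crontab, so the copies need refreshing after each renewal. One way to do that, as an added example that is not part of the original procedure (the function name sync_loolwsd_certs and the demo files are constructed):

```shell
#!/bin/sh
# sync_loolwsd_certs LIVE_DIR DEST_DIR   (hypothetical helper)
# Copies privkey/cert/chain from a LetsEncrypt live directory into DEST_DIR
# under the file names loolwsd expects, but only when the content differs.
# Prints "updated" or "unchanged"; returns 2 if a source file is missing.
sync_loolwsd_certs() {
    live=$1
    dest=$2
    changed=0
    for pair in privkey.pem:key.pem cert.pem:cert.pem chain.pem:ca-chain.cert.pem; do
        src=$live/${pair%%:*}
        dst=$dest/${pair#*:}
        [ -r "$src" ] || { echo "missing $src" >&2; return 2; }
        if ! cmp -s "$src" "$dst"; then
            # install creates the file with its final mode, so the key is
            # never readable by other users, not even briefly.
            install -m 0600 "$src" "$dst"
            changed=1
        fi
    done
    if [ "$changed" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# Constructed demo in a temp dir: placeholder files, no real key material.
demo=$(mktemp -d)
mkdir "$demo/live" "$demo/loolwsd"
for f in privkey.pem cert.pem chain.pem; do
    echo "constructed $f v1" > "$demo/live/$f"
done
sync_loolwsd_certs "$demo/live" "$demo/loolwsd"         # first run copies all three
sync_loolwsd_certs "$demo/live" "$demo/loolwsd"         # nothing changed since
echo "constructed cert.pem v2" > "$demo/live/cert.pem"  # simulate a renewal
sync_loolwsd_certs "$demo/live" "$demo/loolwsd"
```

On the server this would be called with /etc/letsencrypt/live/office.organicdesign.host and /etc/loolwsd after the daily renewal command, followed by the chown above and a restart of loolwsd whenever it prints "updated".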


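Change the host configuration settings from localhost to your NextCloud domain (you can just edit loolwsd.xml directly if you prefer). The host entries in loolwsd.xml are regular expressions, so the dots in the domain are escaped here, as in the Docker variant above:

perl -pi -e 's/localhost<\/host>/files\\.organicdesign\\.host<\/host>/g' /etc/loolwsd/loolwsd.xml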


Then finally run the daemon as the lool user in the background (you may also like to make a @reboot crontab entry for it).

sudo -u lool loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:lo_template_path=/opt/collaboraoffice5.3 \
    --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd &

Finishing up

Now you can enable the Collabora Online application in your NextCloud from settings/apps, then go to Collabora Online in the administration section of settings and set the URL of your application to https://office.organicdesign.host. You should now be ready to test out creating and editing some office documents in our files!
