Changelog

2021-07-12

  • changed all uses of service commands to systemctl

2021-07-11

Fix Permissions of localhost Folder

The folder /var/www/localhost was created with the wrong permissions. Was 640, is now 750. The www-data user could not enter the folder to run user scripts. This was not an issue for phppgadmin, because it's files were included from another path which www-data had read access to.

To apply this change to an existing installation:

# chmod 750 /var/www/localhost

Enable APCu for CLI

Nextlcoud 21 seems to require APCu to be enabled for occ commands. It is not enabled by default for the command line interface, i.e. Bash. To enable it, add in /etc/php/7.3/mods-available/apcu.ini

apc.enable_cli=1

2021-06-08

Remove Auto Mail Accounts App

Auto Mail Accounts Nextcloud app is no longer used to provision accounts for the Nextcloud mail app. A test of the Mail app 1.9.5 yielded that all desired functionality is now included in the Mail app.

To apply this change to an existing installation:

  1. remove Auto Mail Accounts from the installed Apps in Nextcloud
  2. in database nextcloud, empty table oc_mail_accounts (this will of course also delete any mail accounts settings users created manually, which is maybe not what you want)
  3. set up the automatic provisioning of the Mail app as described in the Webmail section and be sure to use the Apply and create/update for all users button afterwards
  4. check oc_mail_accounts to verify that mail account settings have been created for all users

Nextcloud 19 -> 21

Updated instructions to use Nextcloud 21 instead of 19.

Phone Country Code

Nextcloud 21 requires a setting of the default phone country code to be able to deduce telephone numbers that do not include this country code. See new section in tutorial.

To apply this change to an existing installation add to /var/www/nextcloud/config/config.php the setting 'default_phone_region' => 'DE', if you live in Germany or whatever ISO 3166-1 alpha-2 code you wish to use.

2020-10-15

  • No longer use syslog for Nextcloud logs
    • Nextcloud logs in JSON which is already hard to read for humans, but syslog escapes many non-letters with a backslash and makes the log virtually unreadable.
    • I recommend using jq to parse the log file, see the new tip above Nextcloud's Setup Database section for an example. Please shoot me an e-mail if you know a better way to read JSON logs in a terminal.
    • to apply this change on an existing installation edit /var/www/nextcloud/config/config.php and remove

      'log_type' => 'syslog',
      'syslog_tag' => 'nextcloud',
      

      The Nextcloud log will now be written to /var/www/nextcloud/data/nextcloud.log. With syslog it was at /var/log/nextcloud.log.

2020-10-06

  • Fixed Nextcloud links to use Nextcloud 19 instead of 18.

2020-09-28

  • Updated Nextcloud from 18 to 19
    • Nextcloud 19 requires two new PHP modules for passwordless login. In an existing installation, add them using
      # apt install php-bcmath php-gmp
      
    • the Nextcloud update script still sucks and can't create missing db elements. Add them as usual
      # cd /var/www/nextcloud
      # su -s /bin/bash -c 'php occ db:add-missing-indices' www-data
      # su -s /bin/bash -c 'php occ db:add-missing-columns' www-data
      

Changes since the Debian 9 (Stretch) Tutorial - 2020-05-09

  • Due to newer packages in Debian 10:
    • Postfix: 3.1 → 3.4
    • PostgreSQL: 9.6 → 11
    • Dovecot: 2.2.x → 2.3.4.x
  • Rspamd has now an official Debian package and installed like a normal package instead through a 3d party repository.
  • apt used instead of apt-get
  • Using Nextcloud 18
  • everything but PostgreSQL uses state-of-the-art ARGON2ID password hashing
    • UPGRADE CAVEAT: Dovecot can not dynamically detect the password hash mechanism during a password check (as opposed to Nextcloud which can) and only works with the one you set in the configuration statically. Therefore updating an existing installation is hard. You can just stay with SHA512-CRYPT if you followed the previous tutorial. It is secure enough.
  • several simplifications of the Apache configuration due to the use of Certbot instead of acme.sh
  • Nextcloud cron job (cron.php) now runs every 5 minutes, instead of every 15 minutes.
  • Installation of Libreoffice and ffmpeg is not suggested anymore because preview feature is unsupported by Nextcloud.
  • Fixed the order of tags in the DMARC record. According to RFC7489 v= must be first , directly followed by p=.

    v=DMARC1; p=reject; rua=mailto:postmaster@example.com; adkim=s; aspf=s; pct=100;

  • Only one (used to be ~7) PHP opcache option is changed in php.ini, because all all the other options have the desired values by default already.

  • Enforce modern TLS as much as possible:
    • TLS 1.3 for Postfix (SMTP submission 587) but remain lenient for SMTP 25
    • TLS 1.2 for Dovecot (IMAP). Unfortunately Dovecot does not support TLS 1.3 yet.
    • TLS 1.3 for Apache (HTTP)
  • Many small improvements in explanation
  • Grammar corrections

Comments