From 4692fa64be86f0525aebe304547fa4e054e25f28 Mon Sep 17 00:00:00 2001 From: nihilist Date: Sun, 23 Mar 2025 22:19:02 +0100 Subject: [PATCH] fix nextcloud --- opsec/nextcloud/arch.html | 703 ------------------ .../{WIP.html => dontreadthisthx.html} | 0 opsec/nextcloud/index.html | 169 +---- opsec/nextcloud/nextcloud.conf | 23 - opsec/nextcloud/nextcloud_http.conf | 121 --- opsec/nextcloud/nginx.conf | 182 ----- opsec/nextcloud/nginx2.conf | 182 ----- opsec/nextcloud/notes.sh | 106 --- 8 files changed, 25 insertions(+), 1461 deletions(-) delete mode 100644 opsec/nextcloud/arch.html rename opsec/nextcloud/{WIP.html => dontreadthisthx.html} (100%) delete mode 100644 opsec/nextcloud/nextcloud.conf delete mode 100644 opsec/nextcloud/nextcloud_http.conf delete mode 100644 opsec/nextcloud/nginx.conf delete mode 100644 opsec/nextcloud/nginx2.conf delete mode 100644 opsec/nextcloud/notes.sh diff --git a/opsec/nextcloud/arch.html b/opsec/nextcloud/arch.html deleted file mode 100644 index 0bacab4..0000000 --- a/opsec/nextcloud/arch.html +++ /dev/null @@ -1,703 +0,0 @@ - - - - - - - - - - - NGINX Nextcloud Server Setup - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
-
- Previous Page

nihilist - 07 / 11 / 2022

-

Nginx Nextcloud Server Setup (on arch linux)

- -

Rent a VPS with debian 10+ (or just run it yourself, but make sure it is correctly port forwarded so that public ip points to the machine like a vps).

-

click here for the debian version

-

Once you have ssh'd into your debian server, we can start:

- -
-
-
-
- - -
-
-
-
-

Setting up php7.3 and pgsql



-

First we get every package we need:

-

-[ nihilism ] [ /dev/pts/12 ] [~]
-→ pacman -Syy
-:: Synchronizing package databases...
- core                                                                                                                                                                                           157.4 KiB   283 KiB/s 00:01 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
- extra                                                                                                                                                                                         1720.9 KiB  2.45 MiB/s 00:01 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
- community                                                                                                                                                                                        6.7 MiB  7.82 MiB/s 00:01 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
- multilib                                                                                                                                                                                       172.6 KiB   528 KiB/s 00:00 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ pacman -S nextcloud
-resolving dependencies...
-:: There are 2 providers available for php-interpreter 8.2:
-:: Repository extra
-   1) php  2) php7
-
-Enter a number (default=1):
-looking for conflicting packages...
-
-Package (9)          New Version       Net Change  Download Size
-
-extra/gd             2.3.3-4             0.67 MiB       0.15 MiB
-community/libavif    0.10.1-2            0.32 MiB       0.11 MiB
-extra/libde265       1.0.8-2             1.06 MiB       0.34 MiB
-extra/libheif        1.12.0-3            0.77 MiB       0.24 MiB
-extra/libxpm         3.5.13-3            0.14 MiB       0.05 MiB
-community/libyuv     r2322+3aebf69d-1    1.65 MiB       0.26 MiB
-extra/php            8.1.8-1            24.04 MiB       4.21 MiB
-extra/php-gd         8.1.8-1             0.10 MiB       0.03 MiB
-community/nextcloud  24.0.2-1          345.65 MiB      98.34 MiB
-
-Total Download Size:   103.73 MiB
-Total Installed Size:  374.39 MiB
-
-:: Proceed with installation? [Y/n] y
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ pacman -S php-imagick php-intl
-
-resolving dependencies...
-:: There are 8 providers available for ttf-font:
-:: Repository extra
-   1) gnu-free-fonts  2) noto-fonts  3) ttf-bitstream-vera  4) ttf-croscore
-:: Repository community
-   5) ttf-dejavu  6) ttf-droid  7) ttf-ibm-plex  8) ttf-liberation
-
-Enter a number (default=1):
-looking for conflicting packages...
-
-Package (6)            New Version  Net Change  Download Size
-
-extra/gnu-free-fonts   20120503-8     6.65 MiB       3.23 MiB
-extra/imagemagick      7.1.0.43-1    10.89 MiB       2.84 MiB
-extra/liblqr           0.4.2-3        0.09 MiB       0.03 MiB
-extra/libraqm          0.9.0-1        0.15 MiB       0.03 MiB
-community/php-imagick  3.7.0-2        0.51 MiB       0.12 MiB
-extra/php-intl         8.1.8-1        0.47 MiB       0.14 MiB
-
-Total Download Size:    6.39 MiB
-Total Installed Size:  18.75 MiB
-
-
-

-

-[ nihilism ] [ /dev/pts/12 ] [~]
-→ vim /etc/php/php.ini
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ cat /etc/php/php.ini
-
-[...]
-
-memory_limit = 512M
-
-[...]
-
-extension=pdo_mysql
-extension=bcmath
-extension=bz2
-extension=exif
-extension=gd
-extension=iconv
-; in case you installed php-imagick (as recommended)
-extension=imagick
-; in case you also installed php-intl (as recommended)
-extension=intl
-
-[...]
-
-[Date]
-date.timezone = America/New_York
-
-:wq
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→  cp /etc/php/php.ini /etc/webapps/nextcloud/php.ini
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ echo 'export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini' >> ~/.zshrc
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ install --owner=nextcloud --group=nextcloud --mode=700 -d /var/lib/nextcloud/sessions
-
-
-
-

Then we setup the database:

-

-[ nihilism ] [ /dev/pts/12 ] [~]
-→ mysql -u root -p
-Enter password:
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
-Your MariaDB connection id is 632
-Server version: 10.8.3-MariaDB Arch Linux
-
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
-
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
-
-MariaDB [(none)]> CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'xxxxxxxx';
-Query OK, 0 rows affected (0.257 sec)
-
-MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
-Query OK, 1 row affected (0.012 sec)
-
-MariaDB [(none)]> GRANT ALL PRIVILEGES on nextcloud.* to 'nextcloud'@'localhost';
-Query OK, 0 rows affected (0.039 sec)
-
-MariaDB [(none)]> FLUSH privileges;
-Query OK, 0 rows affected (0.051 sec)
-
-MariaDB [(none)]> exit
-Bye
-
-
-

Now to configure php-fpm:

-

-[ nihilism ] [ /dev/pts/12 ] [~]
-→ pacman -S php-fpm
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ cp /etc/php/php.ini /etc/php/php-fpm.ini
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ vim /etc/php/php-fpm.ini
-
-[...]
-
-zend_extension=opcache
-
-[...]
-
-[opcache]
-opcache.enable = 1
-opcache.interned_strings_buffer = 8
-opcache.max_accelerated_files = 10000
-opcache.memory_consumption = 128
-opcache.save_comments = 1
-opcache.revalidate_freq = 1
-
-[...]
-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ cat /etc/php/php-fpm.d/nextcloud.conf
-[nextcloud]
-
-user = nextcloud
-group = nextcloud
-
-listen = /run/php/nextcloud.sock
-
-listen.owner = nextcloud
-listen.group = http
-listen.mode = 0660
-pm = dynamic
-
-pm.max_children = 5
-
-pm.start_servers = 2
-
-pm.min_spare_servers = 1
-
-pm.max_spare_servers = 3
-
-;pm.max_spawn_rate = 32
-
-;pm.process_idle_timeout = 10s;
-
-access.log = /var/log/php-fpm/access/$pool.log
-
-access.format = "%{%Y-%m-%dT%H:%M:%S%z}t %R: \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
-
-chdir = /usr/share/webapps/$pool
-
-env[HOSTNAME] = $HOSTNAME
-env[PATH] = /usr/local/bin:/usr/bin
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
-
-php_value[date.timezone] = Europe/Berlin
-
-php_value[open_basedir] = /var/lib/$pool:/tmp:/usr/share/webapps/$pool:/etc/webapps/$pool:/dev/urandom:/usr/lib/php/modules:/var/log/$pool:/proc/meminfo
-
-php_value[session.save_path] = /var/lib/$pool/sessions
-php_value[session.gc_maxlifetime] = 21600
-php_value[session.gc_divisor] = 500
-php_value[session.gc_probability] = 1
-
-php_flag[expose_php] = false
-php_value[post_max_size] = 1000M
-php_value[upload_max_filesize] = 1000M
-
-php_flag[output_buffering] = off
-php_value[max_input_time] = 120
-php_value[max_execution_time] = 60
-
-php_value[memory_limit] = 768M
-
-php_value[apc.ttl] = 7200
-php_flag[apc.enable_cli] = 1
-
-php_value[extension] = bcmath
-php_value[extension] = bz2
-php_value[extension] = exif
-php_value[extension] = gd
-php_value[extension] = gmp
-; uncomment if php-imagick is installed and used
-php_value[extension] = imagick
-; uncomment if php-imap is installed and used
-; php_value[extension] = imap
-; recommended to enable
-php_value[extension] = intl
-php_value[extension] = iconv
-; uncomment if php-memcached is installed and used
-; php_value[extension] = memcached
-; uncomment exactly one of the pdo extensions
-php_value[extension] = pdo_mysql
-; php_value[extension] = pdo_pgsql
-; php_value[extension] = pdo_sqlite
-; uncomment if php-igbinary is installed and used
-; php_value[extension] = igbinary
-; uncomment if php-redis is installed and used (requires php-igbinary)
-; php_value[extension] = redis
-; uncomment if php-xsl is installed and used
-; php_value[extension] = xsl
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ mkdir -p /etc/systemd/system/php-fpm.service.d/
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ vim /etc/systemd/system/php-fpm.service.d/override.conf
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ cat /etc/systemd/system/php-fpm.service.d/override.conf
-[Service]
-ExecStart=
-ExecStart=/usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/php-fpm.conf --php-ini /etc/php/php-fpm.ini
-ReadWritePaths=/var/lib/nextcloud
-ReadWritePaths=/etc/webapps/nextcloud/config
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ mkdir /var/log/php-fpm/access/ -p
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ systemctl enable --now php-fpm
-
-[ nihilism ] [ /dev/pts/12 ] [~]
-→ systemctl status php-fpm
-● php-fpm.service - The PHP FastCGI Process Manager
-     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled)
-    Drop-In: /etc/systemd/system/php-fpm.service.d
-             └─override.conf
-     Active: active (running) since Mon 2022-07-11 16:01:22 UTC; 6s ago
-   Main PID: 3396418 (php-fpm)
-     Status: "Ready to handle connections"
-      Tasks: 5 (limit: 11902)
-     Memory: 13.1M
-        CPU: 713ms
-     CGroup: /system.slice/php-fpm.service
-             ├─3396418 "php-fpm: master process (/etc/php/php-fpm.conf)"
-             ├─3396435 "php-fpm: pool nextcloud"
-             ├─3396436 "php-fpm: pool nextcloud"
-             ├─3396437 "php-fpm: pool www"
-             └─3396438 "php-fpm: pool www"
-
-Jul 11 16:01:15 nihilism systemd[1]: Starting The PHP FastCGI Process Manager...
-Jul 11 16:01:22 nihilism php-fpm[3396418]: [NOTICE] fpm is running, pid 3396418
-Jul 11 16:01:22 nihilism php-fpm[3396418]: [NOTICE] ready to handle connections
-Jul 11 16:01:22 nihilism systemd[1]: Started The PHP FastCGI Process Manager.
-Jul 11 16:01:22 nihilism php-fpm[3396418]: [NOTICE] systemd monitor interval set to 10000ms
-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ chown nextcloud:www-data /run/php/nextcloud.sock
-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ vim config/config.php
-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ cat config/config.php
-<?php
-$CONFIG = array (
-  'datadirectory' => '/var/lib/nextcloud/data',
-  'logfile' => '/var/log/nextcloud/nextcloud.log',
-  'apps_paths' =>
-
-[...]
-
-  'trusted_domains' =>
-  array (
-    0 => 'localhost',
-    1 => 'cloud.nowhere.moe',
-  ),
-  'dbtype' => 'mysql',
-
-[...]
-
-
-
-

-

-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ occ
-Nextcloud is not installed - only a limited number of commands are available
-Nextcloud 24.0.2
-
-Usage:
-  command [options] [arguments]
-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ occ maintenance:install \
-    --database=mysql \
-    --database-name=nextcloud \
-    --database-host=localhost:/run/mysqld/mysqld.sock \
-    --database-user=nextcloud \
->   --database-pass=xxxxx \
->   --admin-pass=xxxxx \
->   --admin-email=nihilist@nowhere.moe \
->   --data-dir=/var/lib/nextcloud/data
-
-Nextcloud was successfully installed
-
-[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
-→ systemctl restart nginx php-fpm mysql
-
-
-

Then just login with the admin credentials you specified above

- -

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-
-
-
-
- -
-
-
-
-

Certbot Certificate and Nginx Configuration



-

From here we need to install our letsencrypt certificate. If you don't have a domain name yet, go get one, or just go for the free alternative DuckDNS -and get one, mine currently is ech2.duckdns.org

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-

-
-
-

-
-
-
-
- - - -
-
-
-
-

Post-Installation



-

Now from here you can make backups just in case if the server goes down or harddrive gets corrupted, etc. You could use a script like this:

-

-#!/bin/bash
-#this must run as root !
-if [ "$EUID" -ne 0 ]
-then
-        echo 'MUST RUN AS ROOT!'
-        exit
-fi
-
-cd /var/www/nextcloud/data/nothing/files/
-#make sure the path to your  user is correct!
-
-#run it at 3AM
-cooldate=$(date --iso-8601)
-echo $cooldate
-
-rm backup*.zip
-rm backup-$cooldate.zip
-zip -r backup-$cooldate.zip /var/www/nextcloud/data/nothing/files/
-
-#rsync backup-$cooldate.zip nothing@10.0.0.10:/home/nothing/backup/
-rsync backup-$cooldate.zip nothing@mainpc:/home/nothing/backup/
-
-rm backup*.zip
-
-#crontab -e
-#0 3 * * * /bin/bash /var/www/nextcloud/data/nothing/files/backup.sh
-
-#chmod u+x backup.shg
-
-#BACKUP_SERVER (here its 10.0.0.10)
-#https://git.void.yt/nothing/serverside/blob/master/ssh/ssh.sh
-#use this script to setup the key based ssh authentication, and then make sure your nextcloud server's root user has the private ssh key.
-
-
-

Here i can make rsync login via ssh to my mainpc host thanks to the private key ssh authentication specified in ~/.ssh/config:

-

-root@home:/var/www/nextcloud/data/nothing/files# apt install rsync -y
-root@home:/var/www/nextcloud/data/nothing/files# cat ~/.ssh/config
-Host mainpc
-        Hostname 10.0.0.10
-        IdentityFile ~/.ssh/mainpc-10.pkey
-        User nothing
-
-
-

of course you would have created the ssh keys on your remote host (in this case : 192.168.0.18) and placed the private key in the server's /root/.ssh/ folder. - as comments at the end of the script imply, you can setup the cronjob to run backup.sh every day at 3 AM.g -

- -

Now in order to mount your files as a webdav share on linux you can do the following:

-

-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ apt-get install davfs2
-
- [ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo mkdir /mnt/cloud.void.yt
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo chown -R nothing:nothing /mnt/cloud.void.yt
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo mount -t davfs -o noexec https://cloud.void.yt/remote.php/webdav/ /mnt/cloud.void.yt/
-Please enter the username to authenticate with server
-https://cloud.void.yt/remote.php/webdav/ or hit enter for none.
-  Username: nothing
-Please enter the password to authenticate user nothing with server
-https://cloud.void.yt/remote.php/webdav/ or hit enter for none.
-  Password:
-/usr/bin/mount.davfs: warning: the server does not support locks
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ cd /mnt/cloud.void.yt
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [/mnt/cloud.void.yt]
-→ ls
- backup.sh   Caldera   Certs   Cours   Crypto   Documents   id_ed25519   KEEPASS.txt   lost+found   Notes   nothing.ovpn   Passwords.kdbx   Photos   Random_Files   Readme.md   SSH   Templates  'void.yt setup'
-
-
- -

Now in order to make it persistant accross reboots, you need to make a fstab entry:

-

-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo vim /etc/fstab
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ cat /etc/fstab
-
-#webdav entry
-https://cloud.void.yt/remote.php/webdav/ /mnt/cloud.void.yt davfs _netdev,noauto,user,uid=nothing,gid=nothing 0 0
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo vim /etc/davfs2/secrets
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo cat /etc/davfs2/secrets | tail -n2
-# personal webdav, nextcloud application password
-/mnt/cloud.void.yt nothing "mypassword"
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ sudo mount /mnt/cloud.void.yt/
-/usr/bin/mount.davfs: warning: the server does not support locks
-
-
-

And that's it ! your nextcloud files have been mounted on a linux host.

-

-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
-→ cd /mnt/cloud.void.yt
-
-[ 10.55.55.2/32 ] [ /dev/pts/42 ] [/mnt/cloud.void.yt]
-→ ls -l
-total 46
--rw-r--r-- 1 nothing nothing   859 Apr  7  2021  backup.sh
-drwxr-xr-x 3 nothing nothing     0 Feb 16 13:14  Caldera
-drwxr-xr-x 9 nothing nothing     0 Jan 20 20:54  Certs
-drwxr-xr-x 8 nothing nothing     0 Mar 21 20:34  Cours
-drwxr-xr-x 2 nothing nothing     0 Oct 27 09:05  Crypto
-drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Documents
--rw-r--r-- 1 nothing nothing   411 Apr  7  2021  id_ed25519
--rw-r--r-- 1 nothing nothing    55 Apr  7  2021  KEEPASS.txt
-drwx------ 2 nothing nothing     0 Mar 27 14:07  lost+found
-drwxr-xr-x 2 nothing nothing     0 Aug 23  2021  Notes
--rw-r--r-- 1 nothing nothing  2914 Apr  7  2021  nothing.ovpn
--rw-r--r-- 1 nothing nothing 40510 Mar 26 21:40  Passwords.kdbx
-drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Photos
-drwxr-xr-x 9 nothing nothing     0 Mar 25 09:42  Random_Files
--rw-r--r-- 1 nothing nothing     1 May 27  2021  Readme.md
-drwxr-xr-x 7 nothing nothing     0 Jul  1  2021  SSH
-drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Templates
-drwxr-xr-x 2 nothing nothing     0 Jun  6  2021 'void.yt setup'
-
- -

Special thanks to skid9000 from the anjara.eu staff for helping me update this tutorial. (23/09/2020)

-
-
-
-
- - - -
-
-
-
-

Nihilism

-

- Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
- -

-
- -
-

My Links

-

- - RSS Feed
SimpleX Chat
- -

-
- -
-

About nihilist

-

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)

-
- -
- -
-
- - - - - - -
diff --git a/opsec/nextcloud/WIP.html b/opsec/nextcloud/dontreadthisthx.html
similarity index 100%
rename from opsec/nextcloud/WIP.html
rename to opsec/nextcloud/dontreadthisthx.html
diff --git a/opsec/nextcloud/index.html b/opsec/nextcloud/index.html
index 8d93771..20968d0 100644
--- a/opsec/nextcloud/index.html
+++ b/opsec/nextcloud/index.html
@@ -63,7 +63,7 @@
Previous Page

Optimist - 23 / 03 / 2025

Nextcloud .onion server

- +

In this tutorial we're going to cover how you can install an .onion only Nextcloud instance, it is a FOSS software meant to replace popular websites like google drive, which can be ideal to make sure that your files are backed up somewhere, all while preserving anonymity.

@@ -77,76 +77,10 @@

Serverside Setup

- -

So for this tutorial we're going to go with a Debian server to install nextcloud via snap:

-

-su -
-apt update -y
-
-apt install snapd sudo curl mlocate nginx -y
-/sbin/usermod -aG sudo [NAME OF THE NON-PRIVILEGED USER]
-/sbin/ufw enable
-snap install core
-
-
- -

Using snap, installing nextcloud is fairly simple:

-

-snap install nextcloud
-
-ip a | grep inet
-curl ifconfig.me
-
-
-

you can verify that the nextcloud server works by going at the ip adress of the server http://server_ip/ where you'll create the administrator account.

+

follow the other tutorial that talks about how to setup a .onion domain here: http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/opsec/torwebsite/index.html

+

Then just install nextcloud... wait a bit, and then check if it worked

-

Once that's done you should have access to your nextcloud instance, but instead of accessing it through the ip address, we'll set it up in such a way that we can access it through an .onion domain name.

-

So we follow this tutorial to have our own custom .domain name:

-

-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ cat /etc/tor/torrc
-
-HiddenServiceDir /var/lib/tor/onions/nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/
-HiddenServicePort 80 127.0.0.1:4443
-SocksPort 127.0.0.1:9050
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ systemctl restart tor@default
-
-
-

Then we setup a reverse nginx proxy to make sure that the onion requests get redirected to the correct IP:

-

-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ rm /etc/nginx/sites-*/default
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ cat /etc/nginx/sites-available/cloud.conf
-upstream cloudbackend {
-        server 192.168.100.130:80;
-}
-
-server {
-        ######## TOR WEBSITE ########
-        listen 4443;
-        listen [::]:4443;
-        server_name cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion;
-
-        location / {
-                proxy_pass http://cloudbackend;
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-                client_max_body_size 20G;
-        }
-}
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ ln -s /etc/nginx/sites-available/cloud.conf /etc/nginx/sites-enabled/
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ nginx -s reload
- 
-
+

Boom that worked!

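Review bot: The serverside section now jumps from "follow the other tutorial" to "Then just install nextcloud... wait a bit" with no install command and without the `HiddenServicePort 80 127.0.0.1:4443` torrc line or the nginx listener on 4443 it pointed at, so nothing on the new side ties the onion address to the Nextcloud backend. The removed nginx block also had `listen 4443;` on all interfaces in front of a plain-HTTP upstream (`192.168.100.130:80`), which is worth mentioning if that block is ever reinstated: bind it as `listen 127.0.0.1:4443;` so the unencrypted hop is only reachable from the Tor daemon on the same host. I would keep at least a one-line summary of the two settings here (the torrc `HiddenServicePort` line and the `proxy_pass` target) rather than deferring entirely to the other tutorial, since the rest of this page assumes they exist.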
@@ -158,35 +92,18 @@ server {

Configuring Nextcloud



-

Now that we have the domain name pointing to the public ip address of the nextcloud server, we can setup the https certificate using let'sencrypt, just - ssh into your server once more and run the following commands:

+

Now that we have the domain name pointing to the public ip address of the nextcloud server,just + ssh into your server once more and run the following commands: do some stuff to make it work, idk man


 [ Wonderland ] [ /dev/pts/3 ] [~]
 → /var/snap/nextcloud/common/nextcloud/data# PATH=$PATH:/snap/bin/
 
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ /var/snap/nextcloud/common/nextcloud/data# which nextcloud.occ
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ /snap/bin/nextcloud.occ
-
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ /snap/bin/nextcloud.disable-https
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ /snap/bin/nextcloud.occ config:system:set trusted_domains 1 --value=cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ /snap/bin/nextcloud.occ config:system:set overwritehost --value="cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion"
-
-[ Wonderland ] [ /dev/pts/3 ] [~]
-→ /snap/bin/nextcloud.occ config:system:set overwriteprotocol --value="http"
+derland ] [ /dev/pts/3 ] [~]
+r/snap/nextcloud/common/nextcloud/data# which ne
+derland ] [ /dev/pts/3 ] [~]
+ap/bin/nextcloud.occ config:system:set overwritep"
 
 
-

And once that's done, you can access your nextcloud instance from your onion domain:

- -

In order to upgrade your nextcloud, you can run the following, and also add it to cron to run automatically every day at midnight:


 root@cloud:~# sudo snap refresh nextcloud
 snap "nextcloud" has no updates available
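Review bot: The replacement command lines in this section are truncated fragments (`derland ] [ /dev/pts/3 ] [~]`, `r/snap/nextcloud/common/nextcloud/data# which ne`, `ap/bin/nextcloud.occ config:system:set overwritep"`) that cannot be run, while the removed lines were the only place the .onion hostname was added to `trusted_domains` and set as `overwritehost`/`overwriteprotocol`; without them the onion name is presumably rejected by Nextcloud's trusted-domain check. The lead-in still says "Now that we have the domain name pointing to the public ip address" although the Let's Encrypt step it introduced is gone, and "do some stuff to make it work, idk man" gives the reader nothing to act on. I would restore the three occ lines verbatim (`config:system:set trusted_domains 1 --value=<onion>`, `config:system:set overwritehost --value="<onion>"`, `config:system:set overwriteprotocol --value="http"`) and reword the lead-in to say the instance is reached only through the hidden service. If `nextcloud.disable-https` stays out, add one sentence explaining that plain HTTP is acceptable here only because the onion service already encrypts end to end, so a reader does not expose that listener on a clearnet interface.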
@@ -204,12 +121,12 @@ root@cloud:~# crontab -e
 Resolving github.com (github.com)... 140.82.121.3
 Connecting to github.com (github.com)|140.82.121.3|:443... connected.
 HTTP request sent, awaiting response... 302 Found
-Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
---2022-12-17 20:34:07--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream
-Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
-Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
-HTTP request sent, awaiting response... 200 OK
-Length: 6326130 (6.0M) [application/octet-stream]
+Location: https://objects.githu1217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
+--2022-12-17 20:34:07--  https:CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream
+Resolving objects.githubusercon
+Connecting to objects.githubuse
+HTTP request sent, awaiting res
+Length: 6326130 (6.0M) [applica
 Saving to: ‘linux_amd64.tar.gz’
 
 linux_amd64.tar.gz                                           100%[===========================================================================================================================================>]   6.03M  6.47MB/s    in 0.9s
@@ -222,36 +139,17 @@ root@cloud:~# sudo cronitor configure --api-key 1234567890
 
 Configuration File:
 /etc/cronitor/cronitor.json
-
-Version:
-28.8
-
-API Key:
-1234567890
-
-Ping API Key:
-Not Set
-
-Environment:
-Not Set
-
-Hostname:
-cloud
-
-Timezone Location:
-{Europe/Paris}
-
-Debug Log:
 Off
 root@cloud:~# cronitor select
 
 ✔ /usr/bin/snap refresh nextcloud
-----► Running command: /usr/bin/snap refresh nextcloud
+extcloud
 
-snap "nextcloud" has no updates available
 
-----► ✔ Command successful    Elapsed time 0.451s
+
+51s
 
+BLAM no need ot check, i know it worked.
@@ -266,26 +164,9 @@ snap "nextcloud" has no updates available

Clientside Setup



Now you can install the official nextcloud client here

-

-[ cloud ] [ /dev/pts/1 ] [/snap/bin]
-→ apt install tor nextcloud-desktop -y
-
-
- -

Here as you try to login you'll first see that it can't resolve the .onion domain, which is normal as you need to tell nextcloud to use the local tor socks5 proxy, available on 127.0.01:9050

- -

Afterward, you need to copy the authorization link into the tor browser to validate the request:

- - - -

Once you have granted access, you can start to sync your nextcloud instance files locally:

- - -

Once logged in you can check the progress in the system tray:

- -

Then let it sync, it can take a while due to the low bandwidth of Tor.

- +

And that's it ! You now have a local folder that is synchronized with your nextcloud instance.

+

cya next time

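Review bot: The client section still tells the reader to point the desktop client at the local Tor SOCKS proxy on 127.0.01:9050 (an unchanged context line, with a typo for 127.0.0.1), but the only line that installed `tor` and `nextcloud-desktop` was removed, so as far as this hunk shows nothing on the page now provides a running Tor daemon for that proxy setting to reach. I would keep `apt install tor nextcloud-desktop -y` or add a sentence saying the client machine needs a tor service listening on 9050 before the login step. The later step that copies the authorization link into Tor Browser is unchanged and still depends on that setup.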
@@ -297,9 +178,9 @@ snap "nextcloud" has no updates available
-

Nihilism

+

Optimism

- Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
+ Until there is something more.



COPYRIGHT ALL RIGHTS RESERVED I AINT WORKING FOR FREE!

@@ -314,7 +195,7 @@ snap "nextcloud" has no updates available
-

About nihilist

+

About optimist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)

diff --git a/opsec/nextcloud/nextcloud.conf b/opsec/nextcloud/nextcloud.conf
deleted file mode 100644
index 6dbdbbd..0000000
--- a/opsec/nextcloud/nextcloud.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-[nextcloud]
-
-listen = /run/php/nextcloud.sock
-listen.owner = www-data
-listen.group = www-data
-listen.mode = 0660
-
-user = nextcloud
-group = www-data
-
-pm = dynamic
-pm.max_children = 120
-pm.start_servers = 12
-pm.min_spare_servers = 6
-pm.max_spare_servers = 18
-
-chdir = /
-
-pm.status_path = /status
-
-env[HOSTNAME] = $HOSTNAME
-env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
diff --git a/opsec/nextcloud/nextcloud_http.conf b/opsec/nextcloud/nextcloud_http.conf
deleted file mode 100644
index a4f59f8..0000000
--- a/opsec/nextcloud/nextcloud_http.conf
+++ /dev/null
@@ -1,121 +0,0 @@
-
-upstream php-handler {
- server unix:/run/php/nextcloud.sock;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name ech1.duckdns.org
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root /var/www/nextcloud;
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
- # The following rule is only needed for the Social app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
- location = /.well-known/carddav {
- return 301 $scheme://$host:$server_port/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host:$server_port/remote.php/dav;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
- location / {
- rewrite ^ /index.php;
- }
-
- location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
- deny all;
- }
- location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
- fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
- set $path_info $fastcgi_path_info;
- try_files $fastcgi_script_name =404;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $path_info;
- #fastcgi_param HTTPS on;
- # Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- # Enable pretty urls
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js, css and map files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- # have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
diff --git a/opsec/nextcloud/nginx.conf b/opsec/nextcloud/nginx.conf
deleted file mode 100644
index aeadb95..0000000
--- a/opsec/nextcloud/nginx.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-upstream php-handler {
- server unix:/run/php/nextcloud.sock;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name cloud.void.yt;
- # enforce https
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name cloud.void.yt;
-
- # Use Mozilla's guidelines for SSL/TLS settings
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/
- # NOTE: some settings below might be redundant
- ssl_certificate /root/.acme.sh/cloud.void.yt/fullchain.cer;
- ssl_trusted_certificate /root/.acme.sh/cloud.void.yt/cloud.void.yt.cer;
- ssl_certificate_key /root/.acme.sh/cloud.void.yt/cloud.void.yt.key;
-
- # Add headers to serve security related headers
- # Before enabling Strict-Transport-Security headers please read into this
- # topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
-
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_session_tickets off;
- ssl_ecdh_curve auto;
- ssl_stapling on;
- ssl_stapling_verify on;
- resolver 80.67.188.188 80.67.169.40 valid=300s;
- resolver_timeout 10s;
-
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root /var/www/nextcloud;
-
- location ^~ /.well-known {
- # The following 6 rules are borrowed from `.htaccess`
-
- location = /.well-known/carddav { return 301 /remote.php/dav/; }
- location = /.well-known/caldav { return 301 /remote.php/dav/; }
- # Anything else is dynamically handled by Nextcloud
- location ^~ /.well-known { return 301 /index.php$uri; }
-
- try_files $uri $uri/ =404;
- }
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
- # The following rule is only needed for the Social app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
- location = /.well-known/carddav {
- return 301 $scheme://$host:$server_port/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host:$server_port/remote.php/dav;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
- location / {
- rewrite ^ /index.php;
- }
-
- location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
- deny all;
- }
- location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
- fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
- set $path_info $fastcgi_path_info;
- try_files $fastcgi_script_name =404;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $path_info;
- fastcgi_param HTTPS on;
- # Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- # Enable pretty urls
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js, css and map files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
-
-
-
-
diff --git a/opsec/nextcloud/nginx2.conf b/opsec/nextcloud/nginx2.conf
deleted file mode 100644
index 69b90da..0000000
--- a/opsec/nextcloud/nginx2.conf
+++ /dev/null
@@ -1,182 +0,0 @@
-stream php-handler {
- server unix:/run/php/nextcloud.sock;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name cloud.void.yt;
- # enforce https
- return 301 https://$server_name$request_uri;
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name cloud.void.yt;
-
- # Use Mozilla's guidelines for SSL/TLS settings
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/
- # NOTE: some settings below might be redundant
- ssl_certificate /root/.acme.sh/cloud.void.yt/fullchain.cer;
- ssl_trusted_certificate /root/.acme.sh/cloud.void.yt/cloud.void.yt.cer;
- ssl_certificate_key /root/.acme.sh/cloud.void.yt/cloud.void.yt.key;
-
- # Add headers to serve security related headers
- # Before enabling Strict-Transport-Security headers please read into this
- # topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
-
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_session_tickets off;
- ssl_ecdh_curve auto;
- ssl_stapling on;
- ssl_stapling_verify on;
- resolver 80.67.188.188 80.67.169.40 valid=300s;
- resolver_timeout 10s;
-
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root /var/www/nextcloud;
-
- location ^~ /.well-known {
- # The following 6 rules are borrowed from `.htaccess`
-
- location = /.well-known/carddav { return 301 /remote.php/dav/; }
- location = /.well-known/caldav { return 301 /remote.php/dav/; }
- # Anything else is dynamically handled by Nextcloud
- location ^~ /.well-known { return 301 /index.php$uri; }
-
- try_files $uri $uri/ =404;
- }
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
- # The following rule is only needed for the Social app.
- # Uncomment it if you're planning to use this app.
- #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-
- location = /.well-known/carddav {
- return 301 $scheme://$host:$server_port/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host:$server_port/remote.php/dav;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
- location / {
- rewrite ^ /index.php;
- }
-
- location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
- deny all;
- }
- location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
- fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
- set $path_info $fastcgi_path_info;
- try_files $fastcgi_script_name =404;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $path_info;
- fastcgi_param HTTPS on;
- # Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- # Enable pretty urls
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js, css and map files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
-
-
-
-
diff --git a/opsec/nextcloud/notes.sh b/opsec/nextcloud/notes.sh
deleted file mode 100644
index 2b7a305..0000000
--- a/opsec/nextcloud/notes.sh
+++ /dev/null
@@ -1,106 +0,0 @@ -#!/bin/bash - -if [ "$(whoami)" != "root" ]; then -SUDO=sudo -fi - - -apt-get -y install apt-transport-https lsb-release ca-certificates curl -y -wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg -sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' -apt-get update -y - -sudo apt install php7.4-fpm php7.4-curl php7.4-cli php7.4-mysql php7.4-gd php7.4-common php7.4-xml php7.4-json php7.4-intl php7.4-dev php7.4-common php7.4-mbstring php7.4-zip php7.4-soap php7.4-bz2 -y - - -sudo apt update -sudo apt install nginx -y - -systemctl start nginx -systemctl enable nginx -systemctl status nginx - -cd /etc/php/7.4/ - -echo 'date.timezone = Europe/Paris' >> fpm/php.ini -echo 'date.timezone = Europe/Paris' >> cli/php.ini - -echo 'cgi.fix_pathinfo=0' >> fpm/php.ini -echo 'cgi.fix_pathinfo=0' >> cli/php.ini - -echo 'env[HOSTNAME] = $HOSTNAME' >> fpm/pool.d/www.conf -echo 'env[PATH] = /usr/local/bin:/usr/bin:/bin' >> fpm/pool.d/www.conf -echo 'env[TMP] = /tmp' >> fpm/pool.d/www.conf -echo 'env[TMPDIR] = /tmp' >> fpm/pool.d/www.conf -echo 'env[TEMP] = /tmp' >> fpm/pool.d/www.conf - -systemctl restart php7.4-fpm -systemctl enable php7.4-fpm - -ss -xa | grep php -systemctl status php7.4-fpm - -sudo apt install mariadb-server -y -systemctl start mariadb -systemctl enable mariadb -systemctl status mariadb - - -mysql_secure_installation -#Enter current password for root (enter for none): Press Enter -#Set root password? [Y/n] Y -#Remove anonymous users? [Y/n] Y -#Disallow root login remotely? [Y/n] Y -#Remove test database and access to it? [Y/n] Y -#Reload privilege tables now? 
[Y/n] Y - -mysql -u root -p -#TYPE THE MYSQL ROOT PASSWORD - -#create database nextcloud_db; -#create user nextclouduser@localhost identified by 'P@SSW0RD'; -#grant all privileges on nextcloud_db.* to nextclouduser@localhost identified by 'P@SSW0RD'; -#flush privileges; - -#CREDENTIALS FOR NEXTCLOUD_DB : nextclouduser:P@SSW0RD (needed for later) - -apt install certbot -y -systemctl stop nginx - -#sign in with github to https://www.duckdns.org/ -certbot certonly --standalone -d ech2.duckdns.org - -sudo apt install wget unzip zip -y - -cd /var/www/ -wget -q https://download.nextcloud.com/server/releases/latest.zip - -unzip -qq latest.zip -sudo chown -R www-data:www-data /var/www/nextcloud - -cd /etc/nginx/sites-available/ -wget https://ech1.netlify.app/servers/nextcloud/nginx.conf -O nextcloud -nano nextcloud -#edit the ech2 to something else (CTRL+W ech2 then enter) -#once ur done do ctrl+X to quit - -ln -s /etc/nginx/sites-available/nextcloud /etc/nginx/sites-enabled/ -nginx -t - -systemctl restart nginx -systemctl restart php7.4-fpm - -apt install ufw - -ufw allow ssh -ufw allow http -ufw allow https - -ufw enable -ufw status numbered - - -#https://ech2.duckdns.org - -#new creds for admin user -#then the mysql creds (nextclouduser:P@SSW0RD) \ No newline at end of file