diff --git a/graphs/.$Blog Maintainers.drawio.bkp b/graphs/.$Blog Maintainers.drawio.bkp index 8615490..78f950c 100644 --- a/graphs/.$Blog Maintainers.drawio.bkp +++ b/graphs/.$Blog Maintainers.drawio.bkp @@ -1,6 +1,6 @@ - + diff --git a/graphs/Blog Maintainers.drawio b/graphs/Blog Maintainers.drawio index 0165238..8615490 100644 --- a/graphs/Blog Maintainers.drawio +++ b/graphs/Blog Maintainers.drawio @@ -1,6 +1,6 @@ - + diff --git a/opsec/contribute/14.png b/opsec/contribute/14.png index fd34d40..8827e9c 100644 Binary files a/opsec/contribute/14.png and b/opsec/contribute/14.png differ diff --git a/opsec/contribute/15.png b/opsec/contribute/15.png index fdef7ee..a9f40d0 100644 Binary files a/opsec/contribute/15.png and b/opsec/contribute/15.png differ diff --git a/opsec/maintainers/10.png b/opsec/maintainers/10.png new file mode 100644 index 0000000..34202a9 Binary files /dev/null and b/opsec/maintainers/10.png differ diff --git a/opsec/maintainers/11.png b/opsec/maintainers/11.png new file mode 100644 index 0000000..a51bf3b Binary files /dev/null and b/opsec/maintainers/11.png differ diff --git a/opsec/maintainers/2.png b/opsec/maintainers/2.png index 85e18c2..c3bc805 100644 Binary files a/opsec/maintainers/2.png and b/opsec/maintainers/2.png differ diff --git a/opsec/maintainers/7.png b/opsec/maintainers/7.png new file mode 100644 index 0000000..08b2cf9 Binary files /dev/null and b/opsec/maintainers/7.png differ diff --git a/opsec/maintainers/8.png b/opsec/maintainers/8.png new file mode 100644 index 0000000..60a3f2b Binary files /dev/null and b/opsec/maintainers/8.png differ diff --git a/opsec/maintainers/9.png b/opsec/maintainers/9.png new file mode 100644 index 0000000..37b9abc Binary files /dev/null and b/opsec/maintainers/9.png differ diff --git a/opsec/maintainers/index.html b/opsec/maintainers/index.html index 6cad73d..67ea09f 100644 --- a/opsec/maintainers/index.html +++ b/opsec/maintainers/index.html @@ -63,7 +63,7 @@ Previous Page

nihilist@Mainpc-PrivateVM-Debian12 - 2025-03-21

How to become a Maintainer

-

Becoming a Maintainer is the next step to contribute to the Opsec blog and Darknet Lantern projects, where you get to assist the other contributors contribute just like you did.

+

Becoming a Maintainer is the next step to contribute to the Opsec blog and Darknet Lantern projects, where you get to assist the other contributors contribute just like you did. The requirement is simple: You should have contributed at least 3 times, having submitted contributions that were already nearly finished (95%) in one go. If you are still submitting contributions that are 75% finished in one go, you are not ready to become a maintainer yet, maintainers are supposed to know the quality standard perfectly, therefore i expect that they show that they understand it.

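Review bot: the new requirement sentence is a run-on with two comma splices and a lowercase "i" ("...you are not ready to become a maintainer yet, maintainers are supposed to know the quality standard perfectly, therefore i expect that they show that they understand it."); split it, e.g. "...you are not ready to become a maintainer yet. Maintainers are supposed to know the quality standard perfectly, so I expect them to show that they understand it." The "95%" and "75%" figures are also not something a contributor can measure on their own, so say what they mean in practice (for instance, how many review rounds a contribution needed before it was accepted). Separately, the first line of this patch also tracks 'graphs/.$Blog Maintainers.drawio.bkp', which is a draw.io autosave backup rather than a source file; add '.$*' to the repository's .gitignore instead of committing it.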
@@ -82,8 +82,13 @@

In the Contributors chatroom, the contributors will be able to communicate with maintainers directly:

-

For example, to brainstorm and adjust todolists:

+

For example, to brainstorm with the contributors and adjust todolists:

+

As a maintainer, you are getting rewarded 2 euros per todolist that you correctly write for each git issue, so if you edit one, please make sure that you save the link to the todolists you wrote so that you get to recieve payment at the end of the month for them.

+ +

If there are any valid criticisms to tutorials that are supposed to be finished, write the todolist on the issue (in the completed column), and move it back to the "to be assigned" column

+ +

Make sure that you also take part in the criticisms and debates in the public OPSEC chatroom, as this is the place where you'll see the most criticism coming from, so if there are any valid criticisms coming from there, make sure that the criticism is at least saved somewhere (ideally on the targeted git issue, or on a new one that you created yourself.)

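Review bot: the payment line is ambiguous about what earns the reward: it says "2 euros per todolist that you correctly write" and then "so if you edit one, please make sure that you save the link"; state whether editing an existing todolist counts, and who decides that a todolist was written "correctly" (the administrator who pays, presumably). Same line: "recieve" should be "receive". The next line should read "valid criticisms of tutorials" rather than "criticisms to tutorials", and it is missing its closing period after "to be assigned" column. In the last added line, "the place where you'll see the most criticism coming from" reads better as "the place most criticism comes from".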
@@ -96,13 +101,12 @@

Assigning contributors onto todolists

-

Or to assign people to work on todolists:

+

As a maintainer you also get to assign people to work on todolists:

-

As a maintainer, you get to have authority on what todolists get to contain, you can validate them or edit them however you wish. In fact as it takes time to convert valid criticism into todolist, there is also incentive to write them as a maintainer (at the end of each month you'll get rewarded 2 euros per todolist that you correctly write)

+

You get to have authority on deciding what todolists get to contain (with only the other maintainers and administrators being able to overrule your decisions), you can validate them or edit them however you wish, only if they are not yet assigned (do not change a todolist if there's already someone working on it).

(don't forget to move the issue into the "assigned" column on the project board aswell:

-
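Review bot: the parenthesis opened in "(don't forget to move the issue into the "assigned" column on the project board aswell:" is never closed, and "aswell" should be "as well". The authority sentence above it is one long run-on; split it into the three rules it actually states: "You have authority over what todolists contain; only other maintainers and administrators can overrule you. You can validate or edit them as you wish, but only while they are unassigned. Do not change a todolist once someone is working on it." The replaced "Or to assign people" wording was a fragment, so the new "As a maintainer you also get to assign people to work on todolists:" is an improvement; keep it.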
@@ -114,94 +118,72 @@

Reviewing Contributions

-

And lastly, the maintainer's role is to review contributions whenever a contributor submits one.

-

As you are most likely already aware since you are supposed to already be a contributor, whenever someone submits a contribution, they need to follow the quality standard.

-

-

-

-

-

-

-

-

- -

-	
-
+

And lastly, the maintainer's role is to review contributions whenever a contributor submits one, That's probably the most time consumming part. For example, we have the following contributor that's assigned on this issue:

+ +

As you are most likely already aware since you are supposed to already be a contributor, whenever someone submits a contribution, they need to follow the quality standard, as a maintainer, you are supposed to make sure that they follow it whenever they try to contribute new content.

-

- +

Here for example, the contributor "optimist" submits a contribution after having followed the "how to contribute" guide, and lets you know in the contributors chatroom:

+ +

Going there you see that the contributor correctly made a PR, but you need to git clone it to review the changes:

+

-	
-
+[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~] +→ cd Documents -

- +[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents] +→ torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/optimist/blog-contributions blog-contributions.optimist +Cloning into 'blog-contributions'... +remote: Enumerating objects: 6608, done. +remote: Counting objects: 100% (6608/6608), done. +remote: Compressing objects: 100% (5362/5362), done. +remote: Total 6608 (delta 3302), reused 3611 (delta 1133), pack-reused 0 (from 0) +Receiving objects: 100% (6608/6608), 342.55 MiB | 522.00 KiB/s, done. +Resolving deltas: 100% (3302/3302), done. + +[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents] +→ cd blog-contributions.optimist + + +

If they wrote their changes in a separate git branch, switch to the correct branch like so:


-	
-
+ + +[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud] +→ git switch branchname + +

+
+[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents/blog-contributions.optimist]
+→ cd opsec/nextcloud
+
+[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud]
+→ pwd
+/home/nihilist/Documents/blog-contributions.optimist/opsec/nextcloud
+
+
+

And in there from your local browser you can assess if the contribution is completed, and if it follows the quality standard:

+ +

Here as you can see, this is clearly garbage, so you can make the following assessment:

+

Then they push some more commits to fix their mistakes and ask for a second review, so since you already git cloned their repository you just need to do a git clone to pull their new commits:

+

+[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [blog-contributions.optimist/opsec/nextcloud]
+→ cd ../..
+
+[ Mainpc-PrivateVM-Debian12 ] [ /dev/pts/11 ] [~/Documents/blog-contributions.optimist]
+→ torsocks git pull
+
+
+ +

Then, locally you can do a git pull to review their updates:

+

From there, there are still a few minor mistakes that they can improve on:

+

And lastly they fixed the remaining issues and now upon reviewing that's now an OK contribution:

+

So on the issue you mark it as good to go, and you add the label "good to merge" so that the administrators knows that it's good to be merged.

+

Then the administrator issues payment for both the contributor and to you the maintainer, for correctly reviewing a contribution.

-
-
-
-
-

How to become a m



-

- -

-	
-
- -

- -

-	
-
- -

- -

-	
-
- -
-
-
-
- - - -
-
-
-
-

Setup



-

-

-	
-
- -

-

-	
-
- -

-

-	
-
- -
-
-
-
- - -
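Review bot: the sentence "since you already git cloned their repository you just need to do a git clone to pull their new commits" is wrong; the command shown right after it is 'torsocks git pull', and the following line ("Then, locally you can do a git pull to review their updates") repeats the same step, so change the first to "git pull" and drop one of the two. The clone transcript also contradicts its own command line: 'git clone ... blog-contributions blog-contributions.optimist' would print "Cloning into 'blog-contributions.optimist'...", not "blog-contributions", and the 'git switch branchname' example is shown with the prompt already in '[blog-contributions.optimist/opsec/nextcloud]' even though the 'cd opsec/nextcloud' only comes in the next block; re-capture or reorder so a reader can follow the sequence. Since the step "from your local browser you can assess if the contribution is completed" means opening HTML from an untrusted fork, a one-line reminder to do that only inside the review VM (as the 'Mainpc-PrivateVM' prompt suggests) or with scripts disabled would be a useful addition. Typos: "consumming" -> "consuming", ", That's probably the most" -> ". That is probably the most", "administrators knows" -> "administrators know".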
diff --git a/opsec/nextcloud/0.png b/opsec/nextcloud/0.png new file mode 100644 index 0000000..4fed8e1 Binary files /dev/null and b/opsec/nextcloud/0.png differ diff --git a/opsec/nextcloud/1.png b/opsec/nextcloud/1.png new file mode 100644 index 0000000..38a5bc6 Binary files /dev/null and b/opsec/nextcloud/1.png differ diff --git a/opsec/nextcloud/10.png b/opsec/nextcloud/10.png new file mode 100644 index 0000000..4e2a40a Binary files /dev/null and b/opsec/nextcloud/10.png differ diff --git a/opsec/nextcloud/2.png b/opsec/nextcloud/2.png new file mode 100644 index 0000000..05a8233 Binary files /dev/null and b/opsec/nextcloud/2.png differ diff --git a/opsec/nextcloud/20.png b/opsec/nextcloud/20.png new file mode 100644 index 0000000..5c58464 Binary files /dev/null and b/opsec/nextcloud/20.png differ diff --git a/opsec/nextcloud/21.png b/opsec/nextcloud/21.png new file mode 100644 index 0000000..673abb4 Binary files /dev/null and b/opsec/nextcloud/21.png differ diff --git a/opsec/nextcloud/22.png b/opsec/nextcloud/22.png new file mode 100644 index 0000000..fcf81d5 Binary files /dev/null and b/opsec/nextcloud/22.png differ diff --git a/opsec/nextcloud/23.png b/opsec/nextcloud/23.png new file mode 100644 index 0000000..da3381b Binary files /dev/null and b/opsec/nextcloud/23.png differ diff --git a/opsec/nextcloud/25.png b/opsec/nextcloud/25.png new file mode 100644 index 0000000..046aaf9 Binary files /dev/null and b/opsec/nextcloud/25.png differ diff --git a/opsec/nextcloud/26.png b/opsec/nextcloud/26.png new file mode 100644 index 0000000..dd137ea Binary files /dev/null and b/opsec/nextcloud/26.png differ diff --git a/opsec/nextcloud/27.png b/opsec/nextcloud/27.png new file mode 100644 index 0000000..fa96332 Binary files /dev/null and b/opsec/nextcloud/27.png differ diff --git a/opsec/nextcloud/28.png b/opsec/nextcloud/28.png new file mode 100644 index 0000000..298e79e Binary files /dev/null and b/opsec/nextcloud/28.png differ 
diff --git a/opsec/nextcloud/29.png b/opsec/nextcloud/29.png new file mode 100644 index 0000000..1802922 Binary files /dev/null and b/opsec/nextcloud/29.png differ diff --git a/opsec/nextcloud/3.png b/opsec/nextcloud/3.png new file mode 100644 index 0000000..3e45a76 Binary files /dev/null and b/opsec/nextcloud/3.png differ diff --git a/opsec/nextcloud/30.png b/opsec/nextcloud/30.png new file mode 100644 index 0000000..5c80530 Binary files /dev/null and b/opsec/nextcloud/30.png differ diff --git a/opsec/nextcloud/31.png b/opsec/nextcloud/31.png new file mode 100644 index 0000000..5c0918c Binary files /dev/null and b/opsec/nextcloud/31.png differ diff --git a/opsec/nextcloud/32.png b/opsec/nextcloud/32.png new file mode 100644 index 0000000..a190ad1 Binary files /dev/null and b/opsec/nextcloud/32.png differ diff --git a/opsec/nextcloud/4.png b/opsec/nextcloud/4.png new file mode 100644 index 0000000..560134e Binary files /dev/null and b/opsec/nextcloud/4.png differ diff --git a/opsec/nextcloud/41.png b/opsec/nextcloud/41.png new file mode 100644 index 0000000..bfbd13f Binary files /dev/null and b/opsec/nextcloud/41.png differ diff --git a/opsec/nextcloud/42.png b/opsec/nextcloud/42.png new file mode 100644 index 0000000..97c1a1c Binary files /dev/null and b/opsec/nextcloud/42.png differ diff --git a/opsec/nextcloud/43.png b/opsec/nextcloud/43.png new file mode 100644 index 0000000..1ce18a5 Binary files /dev/null and b/opsec/nextcloud/43.png differ diff --git a/opsec/nextcloud/44.png b/opsec/nextcloud/44.png new file mode 100644 index 0000000..dabfc73 Binary files /dev/null and b/opsec/nextcloud/44.png differ diff --git a/opsec/nextcloud/45.png b/opsec/nextcloud/45.png new file mode 100644 index 0000000..587d5eb Binary files /dev/null and b/opsec/nextcloud/45.png differ diff --git a/opsec/nextcloud/46.png b/opsec/nextcloud/46.png new file mode 100644 index 0000000..87dd9a8 Binary files /dev/null and b/opsec/nextcloud/46.png differ 
diff --git a/opsec/nextcloud/47.png b/opsec/nextcloud/47.png new file mode 100644 index 0000000..70404e3 Binary files /dev/null and b/opsec/nextcloud/47.png differ diff --git a/opsec/nextcloud/5.png b/opsec/nextcloud/5.png new file mode 100644 index 0000000..f63e5bd Binary files /dev/null and b/opsec/nextcloud/5.png differ diff --git a/opsec/nextcloud/6.png b/opsec/nextcloud/6.png new file mode 100644 index 0000000..b53f18f Binary files /dev/null and b/opsec/nextcloud/6.png differ diff --git a/opsec/nextcloud/7.png b/opsec/nextcloud/7.png new file mode 100644 index 0000000..4a03057 Binary files /dev/null and b/opsec/nextcloud/7.png differ diff --git a/opsec/nextcloud/8.png b/opsec/nextcloud/8.png new file mode 100644 index 0000000..8e03c6d Binary files /dev/null and b/opsec/nextcloud/8.png differ diff --git a/opsec/nextcloud/9.png b/opsec/nextcloud/9.png new file mode 100644 index 0000000..60d7f87 Binary files /dev/null and b/opsec/nextcloud/9.png differ diff --git a/opsec/nextcloud/WIP.html b/opsec/nextcloud/WIP.html new file mode 100644 index 0000000..8d93771 --- /dev/null +++ b/opsec/nextcloud/WIP.html @@ -0,0 +1,332 @@ + + + + + + + + + + + Nextcloud .onion server + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

Optimist - 23 / 03 / 2025

+

Nextcloud .onion server

+ +

In this tutorial we're going to cover how you can install an .onion only Nextcloud instance, it is a FOSS software meant to replace popular websites like google drive, which can be ideal to make sure that your files are backed up somewhere, all while preserving anonymity.

+ +
+
+
+
+ + +
+
+
+
+

Serverside Setup

+ +

So for this tutorial we're going to go with a Debian server to install nextcloud via snap:

+

+su -
+apt update -y
+
+apt install snapd sudo curl mlocate nginx -y
+/sbin/usermod -aG sudo [NAME OF THE NON-PRIVILEGED USER]
+/sbin/ufw enable
+snap install core
+
+
+ +

Using snap, installing nextcloud is fairly simple:

+

+snap install nextcloud
+
+ip a | grep inet
+curl ifconfig.me
+
+
+

you can verify that the nextcloud server works by going at the ip adress of the server http://server_ip/ where you'll create the administrator account.

+ +

Once that's done you should have access to your nextcloud instance, but instead of accessing it through the ip address, we'll set it up in such a way that we can access it through an .onion domain name.

+

So we follow this tutorial to have our own custom .domain name:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/tor/torrc
+
+HiddenServiceDir /var/lib/tor/onions/nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/
+HiddenServicePort 80 127.0.0.1:4443
+SocksPort 127.0.0.1:9050
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ systemctl restart tor@default
+
+
+

Then we setup a reverse nginx proxy to make sure that the onion requests get redirected to the correct IP:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ rm /etc/nginx/sites-*/default
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nginx/sites-available/cloud.conf
+upstream cloudbackend {
+        server 192.168.100.130:80;
+}
+
+server {
+        ######## TOR WEBSITE ########
+        listen 4443;
+        listen [::]:4443;
+        server_name cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion;
+
+        location / {
+                proxy_pass http://cloudbackend;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                client_max_body_size 20G;
+        }
+}
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ ln -s /etc/nginx/sites-available/cloud.conf /etc/nginx/sites-enabled/
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ nginx -s reload
+ 
+
+ +
+
+
+
+ +
+
+
+
+

Configuring Nextcloud



+

Now that we have the domain name pointing to the public ip address of the nextcloud server, we can setup the https certificate using let'sencrypt, just + ssh into your server once more and run the following commands:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /var/snap/nextcloud/common/nextcloud/data# PATH=$PATH:/snap/bin/
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /var/snap/nextcloud/common/nextcloud/data# which nextcloud.occ
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ
+
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.disable-https
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ config:system:set trusted_domains 1 --value=cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ config:system:set overwritehost --value="cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion"
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ config:system:set overwriteprotocol --value="http"
+
+
+

And once that's done, you can access your nextcloud instance from your onion domain:

+ +

In order to upgrade your nextcloud, you can run the following, and also add it to cron to run automatically every day at midnight:

+

+root@cloud:~# sudo snap refresh nextcloud
+snap "nextcloud" has no updates available
+
+root@cloud:~# crontab -e
+
+[...]
+
+0 0 * * * /usr/bin/snap refresh nextcloud
+
+:wq
+
+
+--2022-12-17 20:34:07--  https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz
+Resolving github.com (github.com)... 140.82.121.3
+Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
+--2022-12-17 20:34:07--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream
+Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
+Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 6326130 (6.0M) [application/octet-stream]
+Saving to: ‘linux_amd64.tar.gz’
+
+linux_amd64.tar.gz                                           100%[===========================================================================================================================================>]   6.03M  6.47MB/s    in 0.9s
+
+2022-12-17 20:34:09 (6.47 MB/s) - ‘linux_amd64.tar.gz’ saved [6326130/6326130]
+
+root@cloud:~# sudo tar xvf linux_amd64.tar.gz -C /usr/bin/
+cronitor
+root@cloud:~# sudo cronitor configure --api-key 1234567890
+
+Configuration File:
+/etc/cronitor/cronitor.json
+
+Version:
+28.8
+
+API Key:
+1234567890
+
+Ping API Key:
+Not Set
+
+Environment:
+Not Set
+
+Hostname:
+cloud
+
+Timezone Location:
+{Europe/Paris}
+
+Debug Log:
+Off
+root@cloud:~# cronitor select
+
+✔ /usr/bin/snap refresh nextcloud
+----► Running command: /usr/bin/snap refresh nextcloud
+
+snap "nextcloud" has no updates available
+
+----► ✔ Command successful    Elapsed time 0.451s
+
+
+
+
+
+ + + +
+
+
+
+

Clientside Setup



+ +

Now you can install the official nextcloud client here

+

+[ cloud ] [ /dev/pts/1 ] [/snap/bin]
+→ apt install tor nextcloud-desktop -y
+
+
+ +

Here as you try to login you'll first see that it can't resolve the .onion domain, which is normal as you need to tell nextcloud to use the local tor socks5 proxy, available on 127.0.01:9050

+ +

Afterward, you need to copy the authorization link into the tor browser to validate the request:

+ + + +

Once you have granted access, you can start to sync your nextcloud instance files locally:

+ + +

Once logged in you can check the progress in the system tray:

+ +

Then let it sync, it can take a while due to the low bandwidth of Tor.

+ +

And that's it ! You now have a local folder that is synchronized with your nextcloud instance.

+
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
+ +

+
+ +
+

My Links

+

+ + RSS Feed
SimpleX Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)

+
+ +
+ +
+
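Review bot: the nginx server block binds every interface ('listen 4443;' and 'listen [::]:4443;') while torrc only forwards 'HiddenServicePort 80 127.0.0.1:4443', so the ".onion only" instance is also reachable directly on port 4443 of the proxy host, and the Nextcloud backend still answers on 192.168.100.130:80; change both listen lines to 'listen 127.0.0.1:4443;' and restrict the backend so that only the proxy can reach it. The server setup block runs '/sbin/ufw enable' although ufw is not in the preceding 'apt install snapd sudo curl mlocate nginx -y' and no 'ufw allow' rule is added for SSH; with ufw's default deny-incoming policy that blocks any new SSH connection to a remote server, so install ufw and allow the SSH port before enabling it. The "Configuring Nextcloud" intro ("Now that we have the domain name pointing to the public ip address ... we can setup the https certificate using let'sencrypt") is left over from a clearnet write-up and contradicts the commands under it ('nextcloud.disable-https', 'overwriteprotocol --value="http"'); rewrite it for the onion case. The same applies to the cronitor transcript dated 2022-12-17, which fetches a binary from GitHub and registers an API key with a third-party service, and to 'curl ifconfig.me', none of which an onion-only deployment needs; snapd also refreshes installed snaps on its own, so the '0 0 * * * /usr/bin/snap refresh nextcloud' crontab entry is redundant. The text never says there are two hosts (the '[ Wonderland ]' prompt runs Tor and nginx, 'root@cloud' runs the snap), so state the topology up front. Minor: the lines '→ /var/snap/nextcloud/common/nextcloud/data# PATH=$PATH:/snap/bin/' and the 'which nextcloud.occ' one are a pasted root prompt, not commands; "127.0.01:9050" should be "127.0.0.1:9050"; the client-side 'apt install tor nextcloud-desktop -y' is shown under the server's '[ cloud ]' prompt; "ip adress" -> "IP address", "custom .domain name" -> "custom .onion domain name".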
+ + + + + + + diff --git a/opsec/nextcloud/arch.html b/opsec/nextcloud/arch.html new file mode 100644 index 0000000..0bacab4 --- /dev/null +++ b/opsec/nextcloud/arch.html @@ -0,0 +1,703 @@ + + + + + + + + + + + NGINX Nextcloud Server Setup + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 07 / 11 / 2022

+

Nginx Nextcloud Server Setup (on arch linux)

+ +

Rent a VPS with debian 10+ (or just run it yourself, but make sure it is correctly port forwarded so that public ip points to the machine like a vps).

+

click here for the debian version

+

Once you have ssh'd into your debian server, we can start:

+ +
+
+
+
+ + +
+
+
+
+

Setting up php7.3 and pgsql



+

First we get every package we need:

+

+[ nihilism ] [ /dev/pts/12 ] [~]
+→ pacman -Syy
+:: Synchronizing package databases...
+ core                                                                                                                                                                                           157.4 KiB   283 KiB/s 00:01 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
+ extra                                                                                                                                                                                         1720.9 KiB  2.45 MiB/s 00:01 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
+ community                                                                                                                                                                                        6.7 MiB  7.82 MiB/s 00:01 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
+ multilib                                                                                                                                                                                       172.6 KiB   528 KiB/s 00:00 [------------------------------------------------------------------------------------------------------------------------------------------] 100%
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ pacman -S nextcloud
+resolving dependencies...
+:: There are 2 providers available for php-interpreter 8.2:
+:: Repository extra
+   1) php  2) php7
+
+Enter a number (default=1):
+looking for conflicting packages...
+
+Package (9)          New Version       Net Change  Download Size
+
+extra/gd             2.3.3-4             0.67 MiB       0.15 MiB
+community/libavif    0.10.1-2            0.32 MiB       0.11 MiB
+extra/libde265       1.0.8-2             1.06 MiB       0.34 MiB
+extra/libheif        1.12.0-3            0.77 MiB       0.24 MiB
+extra/libxpm         3.5.13-3            0.14 MiB       0.05 MiB
+community/libyuv     r2322+3aebf69d-1    1.65 MiB       0.26 MiB
+extra/php            8.1.8-1            24.04 MiB       4.21 MiB
+extra/php-gd         8.1.8-1             0.10 MiB       0.03 MiB
+community/nextcloud  24.0.2-1          345.65 MiB      98.34 MiB
+
+Total Download Size:   103.73 MiB
+Total Installed Size:  374.39 MiB
+
+:: Proceed with installation? [Y/n] y
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ pacman -S php-imagick php-intl
+
+resolving dependencies...
+:: There are 8 providers available for ttf-font:
+:: Repository extra
+   1) gnu-free-fonts  2) noto-fonts  3) ttf-bitstream-vera  4) ttf-croscore
+:: Repository community
+   5) ttf-dejavu  6) ttf-droid  7) ttf-ibm-plex  8) ttf-liberation
+
+Enter a number (default=1):
+looking for conflicting packages...
+
+Package (6)            New Version  Net Change  Download Size
+
+extra/gnu-free-fonts   20120503-8     6.65 MiB       3.23 MiB
+extra/imagemagick      7.1.0.43-1    10.89 MiB       2.84 MiB
+extra/liblqr           0.4.2-3        0.09 MiB       0.03 MiB
+extra/libraqm          0.9.0-1        0.15 MiB       0.03 MiB
+community/php-imagick  3.7.0-2        0.51 MiB       0.12 MiB
+extra/php-intl         8.1.8-1        0.47 MiB       0.14 MiB
+
+Total Download Size:    6.39 MiB
+Total Installed Size:  18.75 MiB
+
+
+

+

+[ nihilism ] [ /dev/pts/12 ] [~]
+→ vim /etc/php/php.ini
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ cat /etc/php/php.ini
+
+[...]
+
+memory_limit = 512M
+
+[...]
+
+extension=pdo_mysql
+extension=bcmath
+extension=bz2
+extension=exif
+extension=gd
+extension=iconv
+; in case you installed php-imagick (as recommended)
+extension=imagick
+; in case you also installed php-intl (as recommended)
+extension=intl
+
+[...]
+
+[Date]
+date.timezone = America/New_York
+
+:wq
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→  cp /etc/php/php.ini /etc/webapps/nextcloud/php.ini
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ echo 'export NEXTCLOUD_PHP_CONFIG=/etc/webapps/nextcloud/php.ini' >> ~/.zshrc
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ install --owner=nextcloud --group=nextcloud --mode=700 -d /var/lib/nextcloud/sessions
+
+
+
+

Then we setup the database:

+

+[ nihilism ] [ /dev/pts/12 ] [~]
+→ mysql -u root -p
+Enter password:
+Welcome to the MariaDB monitor.  Commands end with ; or \g.
+Your MariaDB connection id is 632
+Server version: 10.8.3-MariaDB Arch Linux
+
+Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+MariaDB [(none)]> CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'xxxxxxxx';
+Query OK, 0 rows affected (0.257 sec)
+
+MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
+Query OK, 1 row affected (0.012 sec)
+
+MariaDB [(none)]> GRANT ALL PRIVILEGES on nextcloud.* to 'nextcloud'@'localhost';
+Query OK, 0 rows affected (0.039 sec)
+
+MariaDB [(none)]> FLUSH privileges;
+Query OK, 0 rows affected (0.051 sec)
+
+MariaDB [(none)]> exit
+Bye
+
+
+

Now to configure php-fpm:

+

+[ nihilism ] [ /dev/pts/12 ] [~]
+→ pacman -S php-fpm
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ cp /etc/php/php.ini /etc/php/php-fpm.ini
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ vim /etc/php/php-fpm.ini
+
+[...]
+
+zend_extension=opcache
+
+[...]
+
+[opcache]
+opcache.enable = 1
+opcache.interned_strings_buffer = 8
+opcache.max_accelerated_files = 10000
+opcache.memory_consumption = 128
+opcache.save_comments = 1
+opcache.revalidate_freq = 1
+
+[...]
+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ cat /etc/php/php-fpm.d/nextcloud.conf
+[nextcloud]
+
+user = nextcloud
+group = nextcloud
+
+listen = /run/php/nextcloud.sock
+
+listen.owner = nextcloud
+listen.group = http
+listen.mode = 0660
+pm = dynamic
+
+pm.max_children = 5
+
+pm.start_servers = 2
+
+pm.min_spare_servers = 1
+
+pm.max_spare_servers = 3
+
+;pm.max_spawn_rate = 32
+
+;pm.process_idle_timeout = 10s;
+
+access.log = /var/log/php-fpm/access/$pool.log
+
+access.format = "%{%Y-%m-%dT%H:%M:%S%z}t %R: \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+chdir = /usr/share/webapps/$pool
+
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+
+php_value[date.timezone] = Europe/Berlin
+
+php_value[open_basedir] = /var/lib/$pool:/tmp:/usr/share/webapps/$pool:/etc/webapps/$pool:/dev/urandom:/usr/lib/php/modules:/var/log/$pool:/proc/meminfo
+
+php_value[session.save_path] = /var/lib/$pool/sessions
+php_value[session.gc_maxlifetime] = 21600
+php_value[session.gc_divisor] = 500
+php_value[session.gc_probability] = 1
+
+php_flag[expose_php] = false
+php_value[post_max_size] = 1000M
+php_value[upload_max_filesize] = 1000M
+
+php_flag[output_buffering] = off
+php_value[max_input_time] = 120
+php_value[max_execution_time] = 60
+
+php_value[memory_limit] = 768M
+
+php_value[apc.ttl] = 7200
+php_flag[apc.enable_cli] = 1
+
+php_value[extension] = bcmath
+php_value[extension] = bz2
+php_value[extension] = exif
+php_value[extension] = gd
+php_value[extension] = gmp
+; uncomment if php-imagick is installed and used
+php_value[extension] = imagick
+; uncomment if php-imap is installed and used
+; php_value[extension] = imap
+; recommended to enable
+php_value[extension] = intl
+php_value[extension] = iconv
+; uncomment if php-memcached is installed and used
+; php_value[extension] = memcached
+; uncomment exactly one of the pdo extensions
+php_value[extension] = pdo_mysql
+; php_value[extension] = pdo_pgsql
+; php_value[extension] = pdo_sqlite
+; uncomment if php-igbinary is installed and used
+; php_value[extension] = igbinary
+; uncomment if php-redis is installed and used (requires php-igbinary)
+; php_value[extension] = redis
+; uncomment if php-xsl is installed and used
+; php_value[extension] = xsl
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ mkdir -p /etc/systemd/system/php-fpm.service.d/
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ vim /etc/systemd/system/php-fpm.service.d/override.conf
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ cat /etc/systemd/system/php-fpm.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=/usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/php-fpm.conf --php-ini /etc/php/php-fpm.ini
+ReadWritePaths=/var/lib/nextcloud
+ReadWritePaths=/etc/webapps/nextcloud/config
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ mkdir /var/log/php-fpm/access/ -p
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ systemctl enable --now php-fpm
+
+[ nihilism ] [ /dev/pts/12 ] [~]
+→ systemctl status php-fpm
+● php-fpm.service - The PHP FastCGI Process Manager
+     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; vendor preset: disabled)
+    Drop-In: /etc/systemd/system/php-fpm.service.d
+             └─override.conf
+     Active: active (running) since Mon 2022-07-11 16:01:22 UTC; 6s ago
+   Main PID: 3396418 (php-fpm)
+     Status: "Ready to handle connections"
+      Tasks: 5 (limit: 11902)
+     Memory: 13.1M
+        CPU: 713ms
+     CGroup: /system.slice/php-fpm.service
+             ├─3396418 "php-fpm: master process (/etc/php/php-fpm.conf)"
+             ├─3396435 "php-fpm: pool nextcloud"
+             ├─3396436 "php-fpm: pool nextcloud"
+             ├─3396437 "php-fpm: pool www"
+             └─3396438 "php-fpm: pool www"
+
+Jul 11 16:01:15 nihilism systemd[1]: Starting The PHP FastCGI Process Manager...
+Jul 11 16:01:22 nihilism php-fpm[3396418]: [NOTICE] fpm is running, pid 3396418
+Jul 11 16:01:22 nihilism php-fpm[3396418]: [NOTICE] ready to handle connections
+Jul 11 16:01:22 nihilism systemd[1]: Started The PHP FastCGI Process Manager.
+Jul 11 16:01:22 nihilism php-fpm[3396418]: [NOTICE] systemd monitor interval set to 10000ms
+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ chown nextcloud:www-data /run/php/nextcloud.sock
+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ vim config/config.php
+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ cat config/config.php
+<?php
+$CONFIG = array (
+  'datadirectory' => '/var/lib/nextcloud/data',
+  'logfile' => '/var/log/nextcloud/nextcloud.log',
+  'apps_paths' =>
+
+[...]
+
+  'trusted_domains' =>
+  array (
+    0 => 'localhost',
+    1 => 'cloud.nowhere.moe',
+  ),
+  'dbtype' => 'mysql',
+
+[...]
+
+
+
+

+

+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ occ
+Nextcloud is not installed - only a limited number of commands are available
+Nextcloud 24.0.2
+
+Usage:
+  command [options] [arguments]
+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ occ maintenance:install \
+    --database=mysql \
+    --database-name=nextcloud \
+    --database-host=localhost:/run/mysqld/mysqld.sock \
+    --database-user=nextcloud \
+>   --database-pass=xxxxx \
+>   --admin-pass=xxxxx \
+>   --admin-email=nihilist@nowhere.moe \
+>   --data-dir=/var/lib/nextcloud/data
+
+Nextcloud was successfully installed
+
+[ nihilism ] [ /dev/pts/12 ] [share/webapps/nextcloud]
+→ systemctl restart nginx php-fpm mysql
+
+
+

Then just login with the admin credentials you specified above

+ +

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+
+
+
+
+ +
+
+
+
+

Certbot Certificate and Nginx Configuration



+

From here we need to install our letsencrypt certificate. If you don't have a domain name yet, go get one, or just go for the free alternative DuckDNS +and get one, mine currently is ech2.duckdns.org

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+

+
+
+

+
+
+
+
+ + + +
+
+
+
+

Post-Installation



+

Now from here you can make backups just in case if the server goes down or harddrive gets corrupted, etc. You could use a script like this:

+

+#!/bin/bash
+#this must run as root !
+if [ "$EUID" -ne 0 ]
+then
+        echo 'MUST RUN AS ROOT!'
+        exit
+fi
+
+cd /var/www/nextcloud/data/nothing/files/
+#make sure the path to your  user is correct!
+
+#run it at 3AM
+cooldate=$(date --iso-8601)
+echo $cooldate
+
+rm backup*.zip
+rm backup-$cooldate.zip
+zip -r backup-$cooldate.zip /var/www/nextcloud/data/nothing/files/
+
+#rsync backup-$cooldate.zip nothing@10.0.0.10:/home/nothing/backup/
+rsync backup-$cooldate.zip nothing@mainpc:/home/nothing/backup/
+
+rm backup*.zip
+
+#crontab -e
+#0 3 * * * /bin/bash /var/www/nextcloud/data/nothing/files/backup.sh
+
+#chmod u+x backup.shg
+
+#BACKUP_SERVER (here its 10.0.0.10)
+#https://git.void.yt/nothing/serverside/blob/master/ssh/ssh.sh
+#use this script to setup the key based ssh authentication, and then make sure your nextcloud server's root user has the private ssh key.
+
+
+

Here i can make rsync login via ssh to my mainpc host thanks to the private key ssh authentication specified in ~/.ssh/config:

+

+root@home:/var/www/nextcloud/data/nothing/files# apt install rsync -y
+root@home:/var/www/nextcloud/data/nothing/files# cat ~/.ssh/config
+Host mainpc
+        Hostname 10.0.0.10
+        IdentityFile ~/.ssh/mainpc-10.pkey
+        User nothing
+
+
+

of course you would have created the ssh keys on your remote host (in this case : 192.168.0.18) and placed the private key in the server's /root/.ssh/ folder. + as comments at the end of the script imply, you can setup the cronjob to run backup.sh every day at 3 AM.g +

+ +

Now in order to mount your files as a webdav share on linux you can do the following:

+

+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ apt-get install davfs2
+
+ [ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo mkdir /mnt/cloud.void.yt
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo chown -R nothing:nothing /mnt/cloud.void.yt
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo mount -t davfs -o noexec https://cloud.void.yt/remote.php/webdav/ /mnt/cloud.void.yt/
+Please enter the username to authenticate with server
+https://cloud.void.yt/remote.php/webdav/ or hit enter for none.
+  Username: nothing
+Please enter the password to authenticate user nothing with server
+https://cloud.void.yt/remote.php/webdav/ or hit enter for none.
+  Password:
+/usr/bin/mount.davfs: warning: the server does not support locks
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ cd /mnt/cloud.void.yt
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [/mnt/cloud.void.yt]
+→ ls
+ backup.sh   Caldera   Certs   Cours   Crypto   Documents   id_ed25519   KEEPASS.txt   lost+found   Notes   nothing.ovpn   Passwords.kdbx   Photos   Random_Files   Readme.md   SSH   Templates  'void.yt setup'
+
+
+ +

Now in order to make it persistant accross reboots, you need to make a fstab entry:

+

+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo vim /etc/fstab
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ cat /etc/fstab
+
+#webdav entry
+https://cloud.void.yt/remote.php/webdav/ /mnt/cloud.void.yt davfs _netdev,noauto,user,uid=nothing,gid=nothing 0 0
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo vim /etc/davfs2/secrets
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo cat /etc/davfs2/secrets | tail -n2
+# personal webdav, nextcloud application password
+/mnt/cloud.void.yt nothing "mypassword"
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ sudo mount /mnt/cloud.void.yt/
+/usr/bin/mount.davfs: warning: the server does not support locks
+
+
+

And that's it ! your nextcloud files have been mounted on a linux host.

+

+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [~]
+→ cd /mnt/cloud.void.yt
+
+[ 10.55.55.2/32 ] [ /dev/pts/42 ] [/mnt/cloud.void.yt]
+→ ls -l
+total 46
+-rw-r--r-- 1 nothing nothing   859 Apr  7  2021  backup.sh
+drwxr-xr-x 3 nothing nothing     0 Feb 16 13:14  Caldera
+drwxr-xr-x 9 nothing nothing     0 Jan 20 20:54  Certs
+drwxr-xr-x 8 nothing nothing     0 Mar 21 20:34  Cours
+drwxr-xr-x 2 nothing nothing     0 Oct 27 09:05  Crypto
+drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Documents
+-rw-r--r-- 1 nothing nothing   411 Apr  7  2021  id_ed25519
+-rw-r--r-- 1 nothing nothing    55 Apr  7  2021  KEEPASS.txt
+drwx------ 2 nothing nothing     0 Mar 27 14:07  lost+found
+drwxr-xr-x 2 nothing nothing     0 Aug 23  2021  Notes
+-rw-r--r-- 1 nothing nothing  2914 Apr  7  2021  nothing.ovpn
+-rw-r--r-- 1 nothing nothing 40510 Mar 26 21:40  Passwords.kdbx
+drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Photos
+drwxr-xr-x 9 nothing nothing     0 Mar 25 09:42  Random_Files
+-rw-r--r-- 1 nothing nothing     1 May 27  2021  Readme.md
+drwxr-xr-x 7 nothing nothing     0 Jul  1  2021  SSH
+drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Templates
+drwxr-xr-x 2 nothing nothing     0 Jun  6  2021 'void.yt setup'
+
+ +

Special thanks to skid9000 from the anjara.eu staff for helping me update this tutorial. (23/09/2020)

+
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
+ +

+
+ +
+

My Links

+

+ + RSS Feed
SimpleX Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)

+
+ +
+ +
+
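Review bot: the backup script in the Post-Installation section of the `opsec/maintainers/index.html` hunk (`#!/bin/bash` through the `#BACKUP_SERVER` comments) only archives one user's `files/` directory, so a restore from it cannot bring the instance back; Nextcloud needs the database and `config/config.php` alongside the data directory, so the script should at least add a `mysqldump` of the `nextcloud` database to the archive, and the ordering of `cd`, `rm backup*.zip`, `zip -r ...` writes the archive inside the very tree that Nextcloud serves and syncs. Two small defects in the same block: the root check exits with status 0 (`exit` should be `exit 1`, otherwise cron records a successful run), and `rm backup-$cooldate.zip` is redundant after `rm backup*.zip`; the comment `#chmod u+x backup.shg` has a stray `g`, as does the prose sentence "every day at 3 AM.g". The rsync step authenticates with root's private key to the `mainpc` host, so that key should be a dedicated one restricted on the backup host (`command=` in `authorized_keys`, for example via rrsync) rather than a general-purpose login key. The text also disagrees with itself about that host: the script and `~/.ssh/config` use 10.0.0.10, the paragraph after it says 192.168.0.18. Earlier in the hunk, `chown nextcloud:www-data /run/php/nextcloud.sock` is lost every time php-fpm recreates the socket; the pool file is the persistent place for this (`listen.owner`, `listen.group`, `listen.mode`, as the `nextcloud.conf` added in this same commit already does), so the manual chown should go.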
+ + + + + + + diff --git a/opsec/nextcloud/index.html b/opsec/nextcloud/index.html new file mode 100644 index 0000000..8d93771 --- /dev/null +++ b/opsec/nextcloud/index.html @@ -0,0 +1,332 @@ + + + + + + + + + + + Nextcloud .onion server + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

Optimist - 23 / 03 / 2025

+

Nextcloud .onion server

+ +

In this tutorial we're going to cover how you can install an .onion only Nextcloud instance, it is a FOSS software meant to replace popular websites like google drive, which can be ideal to make sure that your files are backed up somewhere, all while preserving anonymity.

+ +
+
+
+
+ + +
+
+
+
+

Serverside Setup

+ +

So for this tutorial we're going to go with a Debian server to install nextcloud via snap:

+

+su -
+apt update -y
+
+apt install snapd sudo curl mlocate nginx -y
+/sbin/usermod -aG sudo [NAME OF THE NON-PRIVILEGED USER]
+/sbin/ufw enable
+snap install core
+
+
+ +

Using snap, installing nextcloud is fairly simple:

+

+snap install nextcloud
+
+ip a | grep inet
+curl ifconfig.me
+
+
+

you can verify that the nextcloud server works by going at the ip adress of the server http://server_ip/ where you'll create the administrator account.

+ +

Once that's done you should have access to your nextcloud instance, but instead of accessing it through the ip address, we'll set it up in such a way that we can access it through an .onion domain name.

+

So we follow this tutorial to have our own custom .domain name:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/tor/torrc
+
+HiddenServiceDir /var/lib/tor/onions/nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/
+HiddenServicePort 80 127.0.0.1:4443
+SocksPort 127.0.0.1:9050
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ systemctl restart tor@default
+
+
+

Then we setup a reverse nginx proxy to make sure that the onion requests get redirected to the correct IP:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ rm /etc/nginx/sites-*/default
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nginx/sites-available/cloud.conf
+upstream cloudbackend {
+        server 192.168.100.130:80;
+}
+
+server {
+        ######## TOR WEBSITE ########
+        listen 4443;
+        listen [::]:4443;
+        server_name cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion;
+
+        location / {
+                proxy_pass http://cloudbackend;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                client_max_body_size 20G;
+        }
+}
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ ln -s /etc/nginx/sites-available/cloud.conf /etc/nginx/sites-enabled/
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ nginx -s reload
+ 
+
+ +
+
+
+
+ +
+
+
+
+

Configuring Nextcloud



+

Now that we have the domain name pointing to the public ip address of the nextcloud server, we can setup the https certificate using let'sencrypt, just + ssh into your server once more and run the following commands:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /var/snap/nextcloud/common/nextcloud/data# PATH=$PATH:/snap/bin/
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /var/snap/nextcloud/common/nextcloud/data# which nextcloud.occ
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ
+
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.disable-https
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ config:system:set trusted_domains 1 --value=cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ config:system:set overwritehost --value="cloud.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion"
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ /snap/bin/nextcloud.occ config:system:set overwriteprotocol --value="http"
+
+
+

And once that's done, you can access your nextcloud instance from your onion domain:

+ +

In order to upgrade your nextcloud, you can run the following, and also add it to cron to run automatically every day at midnight:

+

+root@cloud:~# sudo snap refresh nextcloud
+snap "nextcloud" has no updates available
+
+root@cloud:~# crontab -e
+
+[...]
+
+0 0 * * * /usr/bin/snap refresh nextcloud
+
+:wq
+
+
+--2022-12-17 20:34:07--  https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz
+Resolving github.com (github.com)... 140.82.121.3
+Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
+--2022-12-17 20:34:07--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221217T193407Z&X-Amz-Expires=300&X-Amz-Signature=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=274548350&response-content-disposition=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type=application%2Foctet-stream
+Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
+Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 6326130 (6.0M) [application/octet-stream]
+Saving to: ‘linux_amd64.tar.gz’
+
+linux_amd64.tar.gz                                           100%[===========================================================================================================================================>]   6.03M  6.47MB/s    in 0.9s
+
+2022-12-17 20:34:09 (6.47 MB/s) - ‘linux_amd64.tar.gz’ saved [6326130/6326130]
+
+root@cloud:~# sudo tar xvf linux_amd64.tar.gz -C /usr/bin/
+cronitor
+root@cloud:~# sudo cronitor configure --api-key 1234567890
+
+Configuration File:
+/etc/cronitor/cronitor.json
+
+Version:
+28.8
+
+API Key:
+1234567890
+
+Ping API Key:
+Not Set
+
+Environment:
+Not Set
+
+Hostname:
+cloud
+
+Timezone Location:
+{Europe/Paris}
+
+Debug Log:
+Off
+root@cloud:~# cronitor select
+
+✔ /usr/bin/snap refresh nextcloud
+----► Running command: /usr/bin/snap refresh nextcloud
+
+snap "nextcloud" has no updates available
+
+----► ✔ Command successful    Elapsed time 0.451s
+
+
+
+
+
+ + + +
+
+
+
+

Clientside Setup



+ +

Now you can install the official nextcloud client here

+

+[ cloud ] [ /dev/pts/1 ] [/snap/bin]
+→ apt install tor nextcloud-desktop -y
+
+
+ +

Here as you try to login you'll first see that it can't resolve the .onion domain, which is normal as you need to tell nextcloud to use the local tor socks5 proxy, available on 127.0.01:9050

+ +

Afterward, you need to copy the authorization link into the tor browser to validate the request:

+ + + +

Once you have granted access, you can start to sync your nextcloud instance files locally:

+ + +

Once logged in you can check the progress in the system tray:

+ +

Then let it sync, it can take a while due to the low bandwidth of Tor.

+ +

And that's it ! You now have a local folder that is synchronized with your nextcloud instance.

+
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left.



Creative Commons Zero: No Rights Reserved
+ +

+
+ +
+

My Links

+

+ + RSS Feed
SimpleX Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)

+
+ +
+ +
+
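Review bot: in the Serverside Setup part of the `opsec/nextcloud/index.html` hunk, the Tor vhost in `cloud.conf` is bound to every interface (`listen 4443;` and `listen [::]:4443;`), so the "onion only" instance is also reachable by anyone who can reach the proxy host on TCP 4443, bypassing Tor; `HiddenServicePort 80 127.0.0.1:4443` only needs loopback, so use `listen 127.0.0.1:4443;` and drop the `[::]` line. The same applies to the snap backend at 192.168.100.130:80, which the snap exposes on all interfaces by default and which should be firewalled to the proxy host. That firewall step is also the wrong way round in the first block: `/sbin/ufw enable` runs before any `ufw allow` rule, and `ufw` is not in the preceding `apt install snapd sudo curl mlocate nginx -y` line; on a box administered over SSH this locks the admin out, so install ufw and allow SSH (and the proxy port) before enabling it. The `proxy_pass http://cloudbackend` location sets no `proxy_set_header Host $host;`, so the backend receives `Host: cloudbackend`; confirm the trusted-domain check still passes with `overwritehost` set, otherwise add that header. The "Configuring Nextcloud" paragraph still says "setup the https certificate using let'sencrypt" while the commands that follow run `nextcloud.disable-https` and set `overwriteprotocol` to `http`, which is the right choice for an onion service but the sentence contradicts it. The cronitor section unpacks a downloaded release tarball straight into `/usr/bin/` with no checksum or signature verification, and `--api-key 1234567890` should be marked as a placeholder. In Clientside Setup, the SOCKS proxy address reads `127.0.01:9050`; it should be `127.0.0.1:9050`.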
+ + + + + + + diff --git a/opsec/nextcloud/logo.png b/opsec/nextcloud/logo.png new file mode 100644 index 0000000..8791e44 Binary files /dev/null and b/opsec/nextcloud/logo.png differ diff --git a/opsec/nextcloud/nextcloud.conf b/opsec/nextcloud/nextcloud.conf new file mode 100644 index 0000000..6dbdbbd --- /dev/null +++ b/opsec/nextcloud/nextcloud.conf @@ -0,0 +1,23 @@ +[nextcloud] + +listen = /run/php/nextcloud.sock +listen.owner = www-data +listen.group = www-data +listen.mode = 0660 + +user = nextcloud +group = www-data + +pm = dynamic +pm.max_children = 120 +pm.start_servers = 12 +pm.min_spare_servers = 6 +pm.max_spare_servers = 18 + +chdir = / + +pm.status_path = /status + +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + diff --git a/opsec/nextcloud/nextcloud_http.conf b/opsec/nextcloud/nextcloud_http.conf new file mode 100644 index 0000000..a4f59f8 --- /dev/null +++ b/opsec/nextcloud/nextcloud_http.conf 
@@ -0,0 +1,121 @@ + +upstream php-handler { + server unix:/run/php/nextcloud.sock; +} + +server { + listen 80; + listen [::]:80; + server_name ech1.duckdns.org + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + #fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} diff --git a/opsec/nextcloud/nginx.conf b/opsec/nextcloud/nginx.conf new file mode 100644 index 0000000..aeadb95 --- /dev/null +++ b/opsec/nextcloud/nginx.conf 
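Review bot: `server_name ech1.duckdns.org` in the `nextcloud_http.conf` hunk is missing its terminating semicolon, so nginx reads the next two tokens, `fastcgi_hide_header` and `X-Powered-By`, as additional server names and the `X-Powered-By` header is never hidden; `nginx -t` will not catch this, so add the `;`. Second, `fastcgi_param modHeadersAvailable true;` tells Nextcloud that the web server is emitting the security headers, but in this file `add_header Referrer-Policy`, `X-Content-Type-Options`, `X-Frame-Options` and the rest appear only inside the static-asset `location ~ \.(?:css|js|woff2?|svg|gif|map)$` block, so every PHP response (the actual application pages) goes out without them; either move those `add_header ... always;` lines to server level, as the `nginx.conf` in this commit does, or drop `modHeadersAvailable` so Nextcloud sets them itself.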
@@ -0,0 +1,182 @@ +upstream php-handler { + server unix:/run/php/nextcloud.sock; +} + +server { + listen 80; + listen [::]:80; + server_name cloud.void.yt; + # enforce https + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name cloud.void.yt; + + # Use Mozilla's guidelines for SSL/TLS settings + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # NOTE: some settings below might be redundant + ssl_certificate /root/.acme.sh/cloud.void.yt/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/cloud.void.yt/cloud.void.yt.cer; + ssl_certificate_key /root/.acme.sh/cloud.void.yt/cloud.void.yt.key; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + # Anything else is dynamically handled by Nextcloud + location ^~ /.well-known { return 301 /index.php$uri; } + + try_files $uri $uri/ =404; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} + + + + diff --git a/opsec/nextcloud/nginx2.conf b/opsec/nextcloud/nginx2.conf new file mode 100644 index 0000000..69b90da --- /dev/null +++ b/opsec/nextcloud/nginx2.conf 
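Review bot: `ssl_trusted_certificate /root/.acme.sh/cloud.void.yt/cloud.void.yt.cer;` in the `nginx.conf` hunk points at the leaf certificate, but with `ssl_stapling_verify on` that directive must hold the issuing CA chain (acme.sh writes it as `ca.cer` beside the leaf, or `fullchain.cer` works), otherwise nginx cannot validate the OCSP response and stapling is silently skipped; the error log will show a stapling warning. Second, the server block adds `Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` while the comment directly above it warns not to add `preload` before reading hstspreload.org; either drop `preload` or drop the warning, and add `always` so the header is also sent on error responses. Third, nginx does not inherit `add_header` into a location that defines its own: the static-asset `location ~ \.(?:css|js|woff2?|svg|gif|map)$` repeats the security headers but omits HSTS, so assets are served without it. The `.well-known` redirects are also defined twice (nested `location = /.well-known/carddav` inside `location ^~ /.well-known`, and again at server level with `$scheme://$host:$server_port`); keep one set. Lastly, the `TLS13-*` entries in `ssl_ciphers` are not OpenSSL cipher names (on OpenSSL 1.1.1+ the TLS 1.3 suites are configured via `ssl_conf_command Ciphersuites`); OpenSSL ignores the unknown tokens, so the line loads, but those entries do nothing.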
@@ -0,0 +1,182 @@ +stream php-handler { + server unix:/run/php/nextcloud.sock; +} + +server { + listen 80; + listen [::]:80; + server_name cloud.void.yt; + # enforce https + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name cloud.void.yt; + + # Use Mozilla's guidelines for SSL/TLS settings + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + # NOTE: some settings below might be redundant + ssl_certificate /root/.acme.sh/cloud.void.yt/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/cloud.void.yt/cloud.void.yt.cer; + ssl_certificate_key /root/.acme.sh/cloud.void.yt/cloud.void.yt.key; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud; + + location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + # Anything else is dynamically handled by Nextcloud + location ^~ /.well-known { return 301 /index.php$uri; } + + try_files $uri $uri/ =404; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } +} + + + + diff --git a/opsec/nextcloud/notes.sh b/opsec/nextcloud/notes.sh new file mode 100644 index 0000000..2b7a305 --- /dev/null +++ b/opsec/nextcloud/notes.sh 
@@ -0,0 +1,106 @@ +#!/bin/bash + +if [ "$(whoami)" != "root" ]; then +SUDO=sudo +fi + + +apt-get -y install apt-transport-https lsb-release ca-certificates curl -y +wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg +sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list' +apt-get update -y + +sudo apt install php7.4-fpm php7.4-curl php7.4-cli php7.4-mysql php7.4-gd php7.4-common php7.4-xml php7.4-json php7.4-intl php7.4-dev php7.4-common php7.4-mbstring php7.4-zip php7.4-soap php7.4-bz2 -y + + +sudo apt update +sudo apt install nginx -y + +systemctl start nginx +systemctl enable nginx +systemctl status nginx + +cd /etc/php/7.4/ + +echo 'date.timezone = Europe/Paris' >> fpm/php.ini +echo 'date.timezone = Europe/Paris' >> cli/php.ini + +echo 'cgi.fix_pathinfo=0' >> fpm/php.ini +echo 'cgi.fix_pathinfo=0' >> cli/php.ini + +echo 'env[HOSTNAME] = $HOSTNAME' >> fpm/pool.d/www.conf +echo 'env[PATH] = /usr/local/bin:/usr/bin:/bin' >> fpm/pool.d/www.conf +echo 'env[TMP] = /tmp' >> fpm/pool.d/www.conf +echo 'env[TMPDIR] = /tmp' >> fpm/pool.d/www.conf +echo 'env[TEMP] = /tmp' >> fpm/pool.d/www.conf + +systemctl restart php7.4-fpm +systemctl enable php7.4-fpm + +ss -xa | grep php +systemctl status php7.4-fpm + +sudo apt install mariadb-server -y +systemctl start mariadb +systemctl enable mariadb +systemctl status mariadb + + +mysql_secure_installation +#Enter current password for root (enter for none): Press Enter +#Set root password? [Y/n] Y +#Remove anonymous users? [Y/n] Y +#Disallow root login remotely? [Y/n] Y +#Remove test database and access to it? [Y/n] Y +#Reload privilege tables now? 
[Y/n] Y + +mysql -u root -p +#TYPE THE MYSQL ROOT PASSWORD + +#create database nextcloud_db; +#create user nextclouduser@localhost identified by 'P@SSW0RD'; +#grant all privileges on nextcloud_db.* to nextclouduser@localhost identified by 'P@SSW0RD'; +#flush privileges; + +#CREDENTIALS FOR NEXTCLOUD_DB : nextclouduser:P@SSW0RD (needed for later) + +apt install certbot -y +systemctl stop nginx + +#sign in with github to https://www.duckdns.org/ +certbot certonly --standalone -d ech2.duckdns.org + +sudo apt install wget unzip zip -y + +cd /var/www/ +wget -q https://download.nextcloud.com/server/releases/latest.zip + +unzip -qq latest.zip +sudo chown -R www-data:www-data /var/www/nextcloud + +cd /etc/nginx/sites-available/ +wget https://ech1.netlify.app/servers/nextcloud/nginx.conf -O nextcloud +nano nextcloud +#edit the ech2 to something else (CTRL+W ech2 then enter) +#once ur done do ctrl+X to quit + +ln -s /etc/nginx/sites-available/nextcloud /etc/nginx/sites-enabled/ +nginx -t + +systemctl restart nginx +systemctl restart php7.4-fpm + +apt install ufw + +ufw allow ssh +ufw allow http +ufw allow https + +ufw enable +ufw status numbered + + +#https://ech2.duckdns.org + +#new creds for admin user +#then the mysql creds (nextclouduser:P@SSW0RD) \ No newline at end of file
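Review bot: In the nginx.conf hunk the `Strict-Transport-Security` header is the only `add_header` at server level without `always`, so it is omitted from 4xx/5xx responses, and it already carries `preload` even though the comment further down in the same file warns to add that option only after reading hstspreload.org. The css/js/woff2 location also defines its own `add_header` directives, which means it does not inherit the server-level set, and since its HSTS line is commented out those assets are served without HSTS at all. Suggest `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` at server level, the same line (uncommented) in the asset block, and `preload` only once the consequences are accepted. Minor: the `/.well-known/carddav` and `/.well-known/caldav` redirects appear twice (nested inside `location ^~ /.well-known` and again at top level); the top-level `=` locations win, so keep one form.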
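Review bot: In notes.sh the Sury key is written to `/etc/apt/trusted.gpg.d/php.gpg`, which makes that key trusted for every apt source on the system rather than only the PHP repository; store it under `/usr/share/keyrings/` instead and scope it with `deb [signed-by=/usr/share/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main`. The `SUDO=sudo` variable is set at the top but never used, so the unprefixed `apt-get`, `wget -O /etc/apt/...`, `sh -c '... > /etc/apt/sources.list.d/php.list'` and `systemctl` lines only work when the script is already run as root; either prefix those commands with `$SUDO` or drop the check. Also worth a comment: the script pins `php7.4-*` packages but fetches `latest.zip` of Nextcloud, and the nginx config is downloaded at run time from `https://ech1.netlify.app/...` and then edited interactively with `nano`, so the install is neither version-matched nor reproducible; pinning both the Nextcloud release and the config file in the repo would fix that.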