DIY

Private Cloud Storage

Posted ulysses

Nowadays, cloud file storage and sharing services are common. However, almost all cloud service providers
store your data in their file servers which are outside your private home network. To obey our principle that data generated in the smart home system are accessible to only smart home system users, by using Nextcloud we can build a private cloud storage service that can be accessed anywhere. In what follows, we assume

  • An always-online server (in the form of a laptop/desktop/server/Raspberry Pi) runing an Ubuntu/Debian/Raspbian OS.
  • A port forward rule has been set up in the home router with
    • Internal host: the local IP address of the server
    • Internal port number: 443
    • External port number: 443
    • Protocal: TCP

For Raspberry Pi, we recommend to use an external harddrive to reduce wearing the microSD card.

Installation via Snap

The simplest way to install Nextcloud is via snap.

sudo snap install nextcloud

# set up user and password
# replace smartopia with your username
# replace 123456 with your password
sudo nextcloud.manual-install smartopia 123456

# set trusted_domain, replace IP address and domain with yours
sudo nextcloud.occ config:system:set trusted_domains 1 --value=192.168.1.2
sudo nextcloud.occ config:system:set trusted_domains 2 --value=smartopia.duckdns.org

# now Nextcloud can be visited by http://192.168.1.2
# but we shall configure it to use https
sudo nextcloud.enable-https self-signed

# configure firewall if needed
sudo ufw allow 80,443/tcp

Finally, we are able to access the Nextcloud web interface via https://192.168.1.2. The Web browser
likely will complain that the certi cate is not trusted. This is because the certi cate we generated is self-
signed. If your server has a public domain, you can also obtain a certi cate from Let’s Encrypt. Nevertheless,
we know that the server is trusty, so we can safely proceed to connect to our own server. To log in the server,
you need to provide the user name and password that you set during installation, e.g., smartopia and 123456 in the above. This user is also by default an admin of the cloud. You can then configure the Nextcloud service, e.g., adding more users, turning on server-side encryption, etc.

Installation with Apache Server

This method allows one to install Nextcloud side by side with other Apache-based services, as either a subdirectory (e.g., https://www.smartopia.ai/nextcloud) or a subdomain (e.g., https://nextcloud.smartopia.ai).

First, we install required packages and prepare a database.

# at the time of writing, the nextcloud require php7.4
sudo apt update
sudo apt install -y apache2 mariadb-server libapache2-mod-php7.4 php7.4-gd php7.4-mysql php7.4-curl php7.4-mbstring php7.4-intl php7.4-gmp php7.4-bcmath php-imagick php7.4-xml php7.4-zip

# MariaDB is assumed
# run sudo mysql_secure_installation to make db more secure if not done yet
sudo mysql -uroot -p

# in the prompt, provide the following, with username/password replaced properly
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE
 utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON nextcloud .* TO 'username'@'localhost';
FLUSH PRIVILEGES;
quit;

Next, we download and install Nextcloud.

# you might check the nextcloud website for newer version
wget https://download.nextcloud.com/server/releases/nextcloud-21.0.1.tar.bz2
tar -xjvf nextcloud-21.0.1.tar.bz2
cp -r nextcloud /var/www

# grant access permissions
sudo chmod -R ugo+rw /var/www/nextcloud
sudo chown -R www-data:www-data /var/www/nextcloud

# enable required modules
sudo a2enmod rewrite
sudo a2enmod headers
sudo a2enmod env
sudo a2enmod dir
sudo a2enmod mime

Now Nextcloud is installed. We shall configure Apache2 to make it accessible. To make it accessible by https://xxx.xxx.xxx/nextcloud, create a new file nextcloud.conf in the folder /etc/apache2/sites-available with 

Alias / nextcloud "/ var / www / nextcloud /"

<Directory /var/www/nextcloud/>
   Require all granted
   AllowOverride All
   Options FollowSymLinks MultiViews
   
   <IfModule mod_dav.c>
      Dav off
   </IfModule>
</Directory>

Alternatively, to make it accessible by for example https://cloud.smartopia.ai, the content of nextcloud.conf shall be replaced with

<VirtualHost *:443>
   DocumentRoot /var/www/nextcloud/
   ServerName  cloud.smartopia.ai

   SSLEngine on
   SSLCertificateFile  /etc/letsencrypt/live/cloud.smartopia.ai/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/cloud.smartopia.ai/privkey.pem
   
   <Directory /var/www/nextcloud/>
       Require all granted
       AllowOverride All
       Options FollowSymLinks MultiViews
   
       <IfModule mod_dav.c>
          Dav off
       </IfModule>
   </Directory>
</VirtualHost>

where we shall use the command sudo certbot certonly --apache to generate the certificates; see here for more details. Now we can start the nextcloud service.

cd /etc/apache2/sites-avaiable
sudo a2ensite nextcloud.conf

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo service apache2 reload

To login Nextcloud, navigate the web browser to https://cloud.xxx.xx/nextcloud or https://xxx.xxx.xxx/nextcloud and provide the username/password that you created for MariaDB; the port is 3306.

Self-signed Certificate

If you do not want to use DDNS but still want to use https for your nextcloud service, a self-signed certificate can be used. In this case, nextcloud shall be installed as a subdirectory of Apache2 and accessed by https://localhost/nextcloud or https://local-ip/nextcloud, where local-ip is the IP address of your server. Note that the nextcloud service can be still accessed globally via VPN. Below we generate the certificate and configure nextcloud.conf properly.

# generate certificate
openssl req -x509 -newkey rsa:2048 -keyout nextcloud.key -out nextcloud.pem -days 365 -nodes

sudp cp nextcloud.key/etc/ssl/private/
sudo cp nextcloud.pem /etc/ssl/certs/

# in nextcloud.conf, replace 
# SSLCertificateFile  /etc/letsencrypt/live/cloud.smartopia.ai/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/cloud.smartopia.ai/privkey.pem
# with 
# SSLCertificateFile  /etc/ssl/certs/nextcloud.pem
# SSLCertificateKeyFile /etc/ssl/private/nextcloud.key

sudo service apache2 restart

Now If we can access the nextcloud for example by https://local-ip/nextcloud. The browser might complain that the certificate is untrusted. We can simply manually trust the certificate (since it is the one we generated!).