Migration and new network schema

Hello,

I want to migrate my current standalone NextCloud server to a 3-VM schema with pfSense, which has the HAProxy package.
3 VMs:

  • Nextcloud frontend
  • mariadb (image is wrong)
  • NFS Storage with Samba (any other ideas for the storage will be more than welcome)

A general concept is to have a frontend network with NextCloud and then 2 servers in another network, to which NextCloud will only have access on certain ports.

With this in mind, I have questions that I didn't find answered anywhere, so I'm hoping that someone can shed some light on this.

Will the NextCloud frontend always need a web server, or can HAProxy manage that?

If there is a need for a web server, let's say nginx, can I change the default 443 to something else, or is Docker a better choice for this scenario?

From the Docker perspective, how is the upgrade done? (OS and app)

I know that it is possible to have a connection from the Docker container to 2 normal servers without Docker.
Has anyone used this concept? Does it have constraints or known issues at all, and does it work as expected?

As far as security goes, from the NextCloud front end do only ports 3306 for the database and 139 for SMB need to be open? Are there any other ports between front end and back end?

From a migration standpoint, since I'm starting fresh, what is the best way to migrate it?

Looking forward to your input.

Do you mean primary or external storage? With regard to primary storage, you can also look at object storage.

Maybe for the beginning you would like Nextcloud All-in-One.

Thank you for the feedback. I forgot to mention that this is a migration; I thought that I could move the NextCloud to a new environment without depending on the old one.

According to the migration KB article I actually have to use the previous instance, since it has some hardcoded IDs (e.g. instanceid); I can't simply grab the DB and data folder and pass them to a new server. I actually need to copy the www/nextcloud directory, /data and the DB dump, or nothing is going to work.

As for the storage, yes, it is primary, but all on VMs. I don't believe that delays would be problematic.

Honestly, at the moment I’m copying all the data to another server just to keep things safe, but there is no good option.

To provide a solution on this topic, the database and storage systems are placed in a DMZ with no internet access. The web server is located in a LAN with public IP NAT. All hosts are running Ubuntu 22.04.5. The front end uses Apache, the database is MariaDB, and the storage is SMB.

Additionally, I use HAProxy to serve multiple applications. Instead of nginx or Apache, I chose HAProxy because of its extensive documentation and the package embedded in pfSense, which simplifies management.

For configuration, I set up SMB on the data server. Below are the relevant entries in the /etc/samba/smb.conf file:

[data]
    comment = data storage for NextCloud
    path = /data
    writable = yes
    browsable = no
    create mask = 0770
    directory mask = 0770
    force create mode = 0770
    force directory mode = 0770

I also created a user for SMB access:

sudo adduser nextcloud_data
sudo smbpasswd -a nextcloud_data

For the database, I modified the /etc/mysql/mariadb.conf.d/50-server.cnf file to listen on all interfaces by commenting out the line with 127.0.0.1 and adding one with 0.0.0.0:

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address            = 127.0.0.1
bind-address            = 0.0.0.0

On the front end, I installed Apache, created a credentials file for the SMB login with the user created earlier on the storage node, and edited the /etc/fstab file.

Credentials file:

username=nextcloud_data
password=xxxxxxx

In the fstab file, I referenced the credentials file and set the permissions for storage:

//storage_ip/data     /data   cifs    seal,rw,credentials=/home/user/.smbcredentials,uid=www-data,gid=www-data,file_mode=0770,dir_mode=0770         0       0

For port configurations, I opened ports 139 and 445 for SMB and port 3306 for MySQL/MariaDB from the front end to the back end.

In the Nextcloud config.php file, I specified the database and storage remote IP addresses.

I haven’t included details about Apache virtual hosts, the full Nextcloud config.php, or .htaccess configurations, as my focus was on storage and the necessity of having the different services divided.
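As an added example (not code from the thread), the script below audits offline copies of the three fragments the post shows: the cifs line from /etc/fstab, the mode of the credentials file it references, and the active bind-address in the MariaDB server config. The sample inputs are constructed; storage_ip is kept as the post's placeholder and the credentials file mode is passed in as an assumption.

```python
"""Offline hardening audit of the fstab cifs entry, credentials file mode and
MariaDB bind-address from the setup above (constructed copies, not a live host)."""
import re

# Constructed sample inputs mirroring the post; storage_ip is a placeholder.
FSTAB_LINE = ("//storage_ip/data /data cifs seal,rw,credentials=/home/user/.smbcredentials,"
              "uid=www-data,gid=www-data,file_mode=0770,dir_mode=0770 0 0")
MARIADB_CNF = "[mysqld]\n#bind-address = 127.0.0.1\nbind-address = 0.0.0.0\n"


def parse_fstab_entry(line):
    """Split one fstab line into (source, mountpoint, fstype, {option: value})."""
    src, mnt, fstype, opts = line.split()[:4]
    options = {}
    for opt in opts.split(","):
        key, _, value = opt.partition("=")
        options[key] = value or True  # flag options such as 'seal' map to True
    return src, mnt, fstype, options


def cifs_findings(line, cred_mode):
    """Return findings for a cifs mount; cred_mode is the assumed permission
    bits of the file named by credentials= (for example 0o600)."""
    src, mnt, fstype, opts = parse_fstab_entry(line)
    if fstype != "cifs":
        return ["%s: not a cifs entry" % mnt]
    findings = []
    if "seal" not in opts:
        findings.append("seal missing: SMB traffic to the DMZ is not encrypted")
    if "credentials" not in opts:
        findings.append("credentials= missing: password would sit in world-readable fstab")
    elif cred_mode & 0o077:
        findings.append("credentials file readable by group/others; use mode 0600")
    for key in ("file_mode", "dir_mode"):
        if int(opts.get(key, "0777"), 8) & 0o007:
            findings.append("%s grants access to 'other'; use 0770 or tighter" % key)
    if opts.get("uid") != "www-data" or opts.get("gid") != "www-data":
        findings.append("mount not owned by www-data; Nextcloud cannot write safely")
    return findings


def mariadb_findings(cnf_text):
    """Check the active (uncommented) bind-address in a MariaDB server config."""
    match = re.search(r"^\s*bind-address\s*=\s*(\S+)", cnf_text, re.MULTILINE)
    if not match:
        return ["no explicit bind-address; server falls back to its compiled default"]
    addr = match.group(1)
    if addr in ("0.0.0.0", "::"):
        return ["bind-address %s listens on every interface; bind the DMZ-facing "
                "address and restrict 3306 to the front end on pfSense" % addr]
    return []


if __name__ == "__main__":
    print(cifs_findings(FSTAB_LINE, 0o600), mariadb_findings(MARIADB_CNF))
```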