Totally baffled how to get started *newbie alert*

ā„¹ļø Support šŸ“¦ Appliances (Docker, Snappy, VM, NCP, AIO)
14

No because:
1: Only discovered SSH is a module not installed
2: Chrome won;t allow access to my URL
3: FF won;t allow it to be indtalled as it doesn;t have java
This couldnā€™t get more difficult

15

Do you maybe have physical access to your server? Then you could try to log in directly in the consoleā€¦

16

No just URL

17

So then I am out of ideas. Without SSH and physical access there is nothing you can do.

18

Although it seems like webmin is installed. Maybe you can use that to enable SSH?

19

hi @digitalgerry if you mind clean start I could share docker-compose.yml running fine on Qnap TS-453ā€¦ (given Container Station app is installed). I didnā€™t try it from UI but starting it from console is pretty easy. the only issue you need to start it manually on each NAS restartā€¦

1 Like
20

Yes, Iā€™d also suggest to use a different solution or to start all over again with the NcVM.

1 Like
21

A clean strart is where I was heading to. I assume I delete the images and the folders nothing else to do?

22

HI thanks
if the instructions are logical and no assumption on any linx coding then I should be fine

23

Yes, this should do it :+1:

24

@digitalgerry donā€™t expect too much here. hosting your own service enforces the admin to understand what happens under the hood. engaged people will help you but you have to follow the guides and understand what you do.

My personal recommendation and disclaimer: never ever just copy&paste something to your system until you are safe this will cause no harm. this applies to commands, scripts, programs and apps.

The setup I share here is Nextcloud with MariaDB, Redis behind Traefik Reverse proxy ready to be used from Internet with Letsencrypt certificates. I skipped additional functionality like Collabora and Turn server for the sake of simplicity.

I had slightly different setup on my Qnap so I tried to build simple possible Docker Compose file - if it doesnā€™t work just follow the logs maybe there is some typo or other mistakeā€¦

  • First you need to login with ssh to your Qnap NAS (putty, powershell) using admin credentials. Newer version have menu which you simply quit by ā€œQā€ > ā€œYā€ keys.
  • once reached command line proceed to the Container Station root (cd /share/Container)
  • here you can create a folder for your application and persistent docker volumes
mkdir nextcloud
mkdir nextcloud/db
mkdir nextcloud/apps
mkdir nextcloud/config
mkdir nextcloud/files
mkdir nextcloud/traefik
mkdir nextcloud/traefik/config
cd nextcloud

  • Qnap has special Docker network which allow you to connect container directly to your LAN - just provide free fixed IP address - this is useful for Nextcloud WebServer as ports 80/443 may be used by Qnap itself
    ā€“ identify this network be command docker network ls this is called like qnap-static-[part of the MAC address] if it doesnā€™t exist review this article to create it
    ā€“ you need the name to adjust traefik container networks section

  • in your /share/Container/nextcloud folder you can create the
    ā€“ docker-compose.yaml and
    ā€“ .env and
    ā€“ traefik/config/tls.yaml
    files (you may copy the files with file manager your are familiar with - the Container folder is exposed with SMB)

  • adjust the files with your values
    ā€“ use secure passwords
    ā€“ provide public fqdn for your Nextcloud instance (dynDNS)
    ā€“ provide fixed IP for traefik (reverse proxy)
    ā€“ adjust container image version (I prefer to use fixed version for better control)
    ā€“ adjust the Qnap network you noted before

Hint: docker-compose file uses variables from .env file almost everywhere (if some value is used multiple times you can reuse it). Once you are ready run docker-compose config and this will display the config with all value replaced by values from .env (and complain about syntax errors).

  • setup public FQDN (like dynDNS/your own domain)
  • activate port forwarding to the IP you defined in traefik service (for TLS certificates)
  • start your application with docker-compose up - this is an interactive start showing all the logs from build and start of the containers to command output. you can access the IP/FQDN you provided and setup Nextcloud. Once itā€™s starts successfull just Ctrl+Z (or Ctrl+C which stops everything and start with docker-compose up -d)

/share/Container/nextcloud/docker-compose.yaml

    ---
    version: '3.3'

    services:
      reverse-proxy:
        image: traefik:v2.3
        container_name: traefik
        hostname: traefik
        restart: always
        command:
          - "--api=true"
          - "--api.insecure=true"
          - "--api.dashboard=true"
          - "--log.level=WARNING"
          - "--log.filePath=/etc/traefik/traefik.log"
          - "--providers.docker.endpoint=unix:///var/run/docker.sock"
          - "--providers.docker.exposedbydefault=false"
          - "--providers.docker.network=lan"
          - "--providers.docker.network=traefik_proxy"
          - "--providers.file.filename=/etc/traefik/config/tls.yaml"
          - "--providers.file.watch=true"
          - "--entrypoints.web.address=:80"
          - "--entrypoints.web-secure.address=:443"
          # Let's Encrypt
          - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge.entrypoint=web"
          - "--certificatesresolvers.letsencryptresolver.acme.httpchallenge=true"
          - "--certificatesresolvers.letsencryptresolver.acme.email=<your@email>"
          - "--certificatesresolvers.letsencryptresolver.acme.storage=/etc/traefik/acme.json"
          # Logging options, what to log
          - "--accesslog=true"
          - "--accesslog.format=json"
          - "--accessLog.filters.statusCodes=400-499"      
        volumes:
          - ./traefik:/etc/traefik
          - /var/run/docker.sock:/var/run/docker.sock:ro
        networks:
          qnet-static-eth0-24b018:
            #static IP address
            ipv4_address: 192.168.1.199
          traefik_proxy:
        labels:
            - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
            - "traefik.http.routers.http-catchall.entrypoints=web"
            - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
            - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      nextcloud-db:
        image: mariadb
        container_name: nextcloud-db
        command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
        restart: always
        volumes:
          - ./db:/var/lib/mysql
        environment:
          - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
          - MYSQL_PASSWORD=${MYSQL_PASSWORD}
          - MYSQL_DATABASE=nextcloud
          - MYSQL_USER=nextcloud
          - MYSQL_INITDB_SKIP_TZINFO=1 # Behebt die bekannten Startprobleme der Datenbank
          
      nextcloud-redis:
        image: redis:alpine
        container_name: nextcloud-redis
        hostname: nextcloud-redis
        command: redis-server --requirepass ${REDIS_HOST_PASSWORD}
        networks:
            - default
        restart: always
        
      nextcloud-app:
        image: nextcloud:19.0.8
        container_name: nextcloud-app
        restart: always
        depends_on:
          - nextcloud-db
          - nextcloud-redis
        environment:
          - REDIS_HOST=nextcloud-redis
          - REDIS_HOST_PASSWORD=${REDIS_HOST_PASSWORD}
          - OVERWRITEHOST=${NEXTCLOUD_FQDN}
          - OVERWRITEPROTOCOL=https
          - overwrite.cli.url=https://${NEXTCLOUD_FQDN}
          - NEXTCLOUD_TRUSTED_DOMAINS='${NEXTCLOUD_FQDN}'
        volumes: 
          - ./app:/var/www/html
          - ./config:/var/www/config
          - ./files:/var/www/html/data 
        labels:
          - "traefik.enable=true"
          - "traefik.http.middlewares.nextcloud-https.redirectscheme.scheme=https"
          - "traefik.http.routers.nextcloud-http.entrypoints=web"
          - "traefik.http.routers.nextcloud-http.rule=Host(`<NEXTCLOUD_FQDN>`)" #Domain anpassen
          - "traefik.http.routers.nextcloud-http.middlewares=nextcloud-https@docker"
          - "traefik.http.routers.nextcloud.entrypoints=web-secure"
          - "traefik.http.routers.nextcloud.rule=Host(`<NEXTCLOUD_FQDN>`)" #Domain anpassen
          - "traefik.http.routers.nextcloud.tls=true"
          - "traefik.http.routers.nextcloud.tls.certresolver=letsencryptresolver"
          - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav,secHeaders@file"
          - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
          - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=https://(.*)/.well-known/(card|cal)dav"
          - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=https://$${1}/remote.php/dav/"
        networks:
          - traefik_proxy
          - default
         
      nextcloud-cron:
        image: nextcloud:19.0.8
        container_name: nextcloud-cron
        restart: unless-stopped
        volumes:
          - ./app:/var/www/html
          - ./config:/var/www/config
          - ./files:/var/www/html/data 
        entrypoint: /cron.sh
        depends_on:
          - nextcloud-db
          - nextcloud-redis
            
    networks:
      traefik_proxy:
        external:
          name: traefik_proxy
      default:
        driver: bridge
      lan:
        external:
          name: qnet-static-eth0-24b018

/share/Container/nextcloud/.env

NEXTCLOUD_FQDN=<your public fqdn>
MYSQL_HOST=nextcloud-db
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
MYSQL_PASSWORD=<your mysql nextcloud user pwd>
MYSQL_ROOT_PASSWORD=<mysql root user pwd>
REDIS_HOST=nextcloud-redis
REDIS_HOST_PASSWORD=<redis pwd>

/share/Container/nextcloud/traefik/config/tls.yaml

tls:
  options:
    TLSv13:
      minVersion: VersionTLS13
      cipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
        
    default:
      minVersion: VersionTLS12
      cipherSuites:
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true

http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15768000
    secHeaders2:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        customFrameOptionsValue: SAMEORIGIN
        referrerPolicy: same-origin
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15768000
        forceSTSHeader: true
        sslForceHost: true
        browserXssFilter: true
        customResponseHeaders:
          server: "" # removes "Server" header
          X-Powered-By: "" # Removes X-Powered-By
          # for some reason NC doesn't like additiona directives
          #X-Robots-Tag: "none, noarchive, nosnippet, notranslate, noimageindex"
          X-Robots-Tag: "none"
          #https://securityheaders.com/ is camera+mic enough?
          Permissions-Policy:	camera=('self'), microphone=('self'), autoplay=('self'), payment=(), screen-wake-lock=('self'), geolocation=()
          Feature-Policy:	"camera 'self'; microphone 'self'; payment 'none'; screen-wake-lock 'self'; geolocation 'none'; usb 'none'; vr 'none';"
1 Like
25

@wwe Kudos to that extensive guide. Itā€™s rare to see.

@digitalgerry Even though being one of the Nextcloud VM developers, Iā€™d say go with Docker if you find that to be easier.

Basically, running the VM on a QNAP though is like 1, 2, 3:

  1. Download the VM from here
  2. Mount the VM in Virtualization station on QNAP
  3. Start it and follow the instructions on screen.

For a more detailed instruction, check this out.

1 Like
26

Thank you, I definately did 1.

Iā€™m not sure how to do 2, and started to follow 3, but got lost!

The instructions asusme some knowledge of linx I suspect, which I donā€™t have so donā€™t understand some of the ā€˜askā€™.

The reason I wanted to install your package it seemed painlessā€¦ but Iā€™ve gone wrong somewhere

27

I see from earlier you were willing to start from scratch so if thatā€™s the case would you not install ubuntu server with snap install of Nextcloud during the server install onto your QNAP system. A much easier install.

28

Maybe easier but also much more restricted. But might be very suitable here.

1 Like
29

This is how I installed it, I am not seeing any restriction - what restrictions do you see?

30

e.g.:

1 Like
31

OK - got you :slight_smile:
I donā€™t use Nextcloud for photoā€™s or videos, instead I created another site using Lychee but I havenā€™t considered using face recognition.
With this I just installed and enabled external site that pointed to my external site - EG: my site is cloud.site.tld and it points to albums.site.tld

This maybe also an option for you. :neutral_face:

32

Got lost there tooā€¦ hence why I like @enoch85 approach. I shall try again :slight_smile:

33

@Mark_F @enoch85 @szaimen @wwe - I got there in the end.
I don;t know what the issue was, but I followed @enoch85 solution, I didn;t do anything different than last time, but I could tell by the way it was installing it was giving me the right result.

It gave me a couple of errors like: document erver collobara integration didnā€™t install. I want it to host everything rather than on dropbox etc.

Thanks to all, and any general get started tips appreciated.

Thank you Gerry

2 Likes