Install NextCloud 11 on Fedora 25 with SaltStack


  • Service Provider

    This is a single Salt state file approach (with two ancillary configuration files) to building a complete, fully functional NextCloud 11.0.2 server on Fedora 25 with MariaDB configured, Redis used for locking, a local memcache to speed deployments, the data directory moved to /data and more. All needed packages are handled by the state file, as is the installation. The file is idempotent, so it can safely be run over and over again; once installed, it will not attempt to install NextCloud again. The setup here also creates a swapfile as part of the setup.

    To use nextcloud.sls you will need to copy all three files to your /srv/salt/ directory as it will pull the two configuration files from there to put them on the server.

    /srv/salt/nextcloud.sls

    # Packages for the web, database, cache and SELinux tooling, then the
    # NextCloud release itself, unpacked once into /var/www/html/nextcloud.
    install_network_packages:
      pkg.installed:
        - pkgs:
          - wget
          - unzip
          - firewalld
          - net-tools
          - php
          - mariadb
          - mariadb-server
          - mod_ssl
          - php-pecl-apcu
          - httpd
          - php-xml
          - php-gd
          - php-pecl-zip
          - php-mbstring
          - redis
          - php-pecl-redis
          - php-process
          - php-pdo
          - certbot
          - php-mysqlnd
          - policycoreutils
          - policycoreutils-python
          - policycoreutils-python-utils
          - dnf-automatic
          - python2-certbot-apache
          - sysstat
          - php-ldap
      # Download is checked against the MD5 published for the release and
      # only extracted if the target directory does not exist yet.
      archive.extracted:
        - name: /var/www/html/
        - source: https://download.nextcloud.com/server/releases/nextcloud-11.0.2.zip
        - source_hash: md5=720cb50f98a94f2888f2d07d5d4e91b4
        - archive_format: zip
        - if_missing: /var/www/html/nextcloud
    
    # Swapfile sized at twice RAM (the mem_total grain is in MB); the whole
    # step is skipped once the file already carries a swap signature.
    /swapfile:
      cmd.run:
        - name: |
            [ -f /swapfile ] || dd if=/dev/zero of=/swapfile bs=1M count={{ grains["mem_total"] * 2 }}
            chmod 0600 /swapfile
            mkswap /swapfile
            swapon -a
        - unless:
          - file /swapfile 2>&1 | grep -q "Linux/i386 swap"
      mount.swap:
        - persist: true
    
    configure_swappiness:
      file.append:
        - name: /etc/sysctl.conf
        - text: vm.swappiness = 10
    
    /var/www/html/:
      file.directory:
        - user: apache
        - group: apache
        - recurse:
          - user
          - group
    
    /etc/httpd/conf.d/ssl.conf:
      file.managed:
        - source: 
          - salt://ssl.conf
        - user: root
        - group: root
        - mode: 644
    
    /data:
      file.directory:
        - user: apache
        - group: apache
    
    /var/run/redis:
      file.directory:
        - user: redis
        - group: redis
    
    /etc/redis.conf:
      file.managed:
        - source:
          - salt://redis.conf
        - user: root
        - group: root
        - mode: 644
    
    httpd:
      pkg.installed: []
      service.running:
        - enable: True
        - require:
          - pkg: httpd
    
    mariadb:
      pkg.installed: []
      service.running:
        - enable: True
        - require:
          - pkg: mariadb
    
    redis:
      pkg.installed: []
      service.running:
        - enable: True
        - require:
          - pkg: redis
    
    FedoraServer:
      firewalld.present:
        - name: FedoraServer
        - block_icmp:
          - echo-reply
          - echo-request
        - default: False
        - masquerade: True
        - ports:
          - 443/tcp
    
    permissive:
      selinux.mode: []
    
    # One-shot install, skipped once the install_complete marker exists.
    # The admin password and the (empty) MariaDB root password are embedded
    # here in clear text, so keep this file readable by root only.
    install-foo:
      cmd.run:
        - name: |
            cd /var/www/html/nextcloud
            setenforce 0
            sudo -u apache php occ maintenance:install --database="mysql" --database-name "nextcloud" --database-user "root" --database-pass "" --admin-user "admin" --admin-pass "superdupercrazysecretepasswordthatnooneknows" --data-dir "/data"
            sed -i "/0 => 'localhost',/a \ \ \ \ 1 => '*'," config/config.php
            sed -i "/'installed' => true,/a \ \ 'memcache.local' => '\\\OC\\\Memcache\\\APCu',\n\ \ 'filelocking.enabled' => true,\n\ \ 'memcache.locking' => '\\\OC\\\Memcache\\\Redis',\n\ \ 'redis' => array(\n\ \ \ \ \ \ \ 'host' => '/var/run/redis/redis.sock',\n\ \ \ \ \ \ \ 'port' => 0,\n\ \ \ \ \ \ \ 'timeout' => 0.0,\n\ \ \ \ \ \ \ \ )," config/config.php
            semanage fcontext -a -t httpd_sys_rw_content_t '/data'
            restorecon '/data'
            semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
            semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
            semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/assets(/.*)?'
            semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
            semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
            restorecon -Rv '/var/www/html/nextcloud/' > /dev/null
            systemctl restart httpd
            touch install_complete
        - cwd: /var/www/html/nextcloud
        - shell: /bin/bash
        - timeout: 300
        - creates: /var/www/html/nextcloud/install_complete
    
    

    /srv/salt/ssl.conf

    #
    # When we also provide SSL we have to listen to the 
    # the HTTPS port in addition.
    #
    Listen 443 https
    
    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##
    
    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is an internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
    
    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism 
    #   to use and second the expiring timeout (in seconds).
    SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout  300
    
    SSLRandomSeed startup file:/dev/urandom  256
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random  512
    #SSLRandomSeed connect file:/dev/random  512
    #SSLRandomSeed connect file:/dev/urandom 512
    
    #
    # Use "SSLCryptoDevice" to enable any supported hardware
    # accelerators. Use "openssl engine -v" to list supported
    # engine names.  NOTE: If you enable an accelerator and the
    # server does not start, consult the error logs and ensure
    # your accelerator is functioning properly. 
    #
    SSLCryptoDevice builtin
    #SSLCryptoDevice ubsec
    
    ##
    ## SSL Virtual Host Context
    ##
    
    <VirtualHost _default_:443>
    
    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/html/nextcloud"
    #ServerName www.example.com:443
    
      <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
      </IfModule>
    
    # Use separate log files for the SSL virtual host; note that LogLevel
    # is not inherited from httpd.conf.
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    
    #   List the protocol versions which clients are allowed to connect with.
    #   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
    #   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
    #   protocol or later should remain in use.
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    
    #   User agents such as web browsers are not configured for the user's
    #   own preference of either security or performance, therefore this
    #   must be the prerogative of the web server administrator who manages
    #   cpu load versus confidentiality, so enforce the server's cipher order.
    SSLHonorCipherOrder on
    
    #   SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # The OpenSSL system profile is configured by default.  See
    # update-crypto-policies(8) for more details.
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    
    #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    
    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    
    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    
    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth  10
    
    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives.  The syntax is a
    #   mixture between C and Perl.  See the mod_ssl documentation
    #   for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>
    
    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context. 
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    
    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </VirtualHost>
    

    /srv/salt/redis.conf

    bind 127.0.0.1
    protected-mode yes
    port 0
    tcp-backlog 511
    unixsocket /var/run/redis/redis.sock
    # 777 lets every local account open the socket; 770 with apache in the redis group is the tighter setting
    unixsocketperm 777
    timeout 0
    tcp-keepalive 0
    daemonize no
    supervised no
    pidfile /var/run/redis_6379.pid
    loglevel notice
    logfile /var/log/redis/redis.log
    databases 16
    save 900 1
    save 300 10
    save 60 10000
    stop-writes-on-bgsave-error yes
    rdbcompression yes
    rdbchecksum yes
    dbfilename dump.rdb
    dir /var/lib/redis
    slave-serve-stale-data yes
    slave-read-only yes
    repl-diskless-sync no
    repl-diskless-sync-delay 5
    repl-disable-tcp-nodelay no
    slave-priority 100
    

    To apply from your Salt Master, just run...

    salt 'servername' state.apply nextcloud
    

    It's that simple. Once done, simply navigate to your IP address with a web browser and you should see your fully installed and configured Nextcloud 11 system.
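    One way to get the credentials out of the state file, as an added example that is not part of the original post or of the nextcloud.sls above: the install-foo step rewritten to use a dedicated MariaDB account and to read both passwords from Salt Pillar, plus the group change that lets redis.conf use unixsocketperm 770 instead of 777. It assumes a pillar file (for instance /srv/pillar/nextcloud.sls with a matching top file; both names are hypothetical) that defines nextcloud:admin_pass and nextcloud:db_pass, that the minion has the MySQL Python bindings Salt's mysql_* states need, that MariaDB root still logs in over the local socket without a password (as in the post above), and that the mariadb and redis state IDs from the file above are in the same run. The sed and SELinux lines from the original block are unchanged and left out here.

```yaml
# Added example (not the original post's state): credentials from pillar and
# a dedicated database account. Drop-in replacement for the "install-foo" ID
# in nextcloud.sls; the pillar key names are assumptions.
{% set nc = salt['pillar.get']('nextcloud', {}) %}
{% set db_pass = nc.get('db_pass', '') %}
{% set admin_pass = nc.get('admin_pass', '') %}

nextcloud_db:
  mysql_database.present:
    - name: nextcloud
    - require:
      - service: mariadb

# Application account limited to its own schema instead of root with no password.
nextcloud_db_user:
  mysql_user.present:
    - name: nextcloud
    - host: localhost
    - password: '{{ db_pass }}'
    - require:
      - mysql_database: nextcloud_db

nextcloud_db_grants:
  mysql_grants.present:
    - grant: all privileges
    - database: nextcloud.*
    - user: nextcloud
    - host: localhost
    - require:
      - mysql_user: nextcloud_db_user

# httpd reaches the Redis unix socket as a member of the redis group, so
# redis.conf can carry "unixsocketperm 770" rather than 777.
apache_in_redis_group:
  group.present:
    - name: redis
    - addusers:
      - apache
    - require:
      - pkg: redis

install_nextcloud:
  cmd.run:
    - name: >-
        sudo -u apache php occ maintenance:install
        --database "mysql" --database-name "nextcloud"
        --database-user "nextcloud" --database-pass "{{ db_pass }}"
        --admin-user "admin" --admin-pass "{{ admin_pass }}"
        --data-dir "/data"
    - cwd: /var/www/html/nextcloud
    - shell: /bin/bash
    - timeout: 300
    # maintenance:install writes config/config.php; its presence makes the
    # state idempotent without a separate marker file.
    - creates: /var/www/html/nextcloud/config/config.php
    # the command line carries both passwords, so keep it out of the minion log
    - output_loglevel: quiet
    - require:
      - mysql_grants: nextcloud_db_grants
      - group: apache_in_redis_group
```

    Pillar data is rendered on the master and sent only to the targeted minion, so the passwords never sit in /srv/salt; keep /srv/pillar readable by the master's user only. Passwords containing double quotes or dollar signs need extra escaping on the occ command line, so choose them accordingly or pass them through an environment variable instead.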


  • Service Provider

    To Do: There is an issue with Redis sockets and Apache with SELinux, so that is permissive currently. The state file is ready for that to be adjusted, though. Most SELinux settings are there.


  • Service Provider

    Why Fedora 25?

    Fedora 25 gives us PHP 7.1 for the latest in features and performance with NextCloud 11. We also get the latest MariaDB and Redis platforms. This helps to speed the overall platform and makes for a snappy experience that gets maximum benefits from a singularly tested and integrated base. The only package that we download and add onto the tested Fedora system here is NextCloud itself. Everything else is fully integrated by the Fedora team.


  • Service Provider

    In the default configuration that I have provided here, neither port 22 nor port 80 is left open. Port 443 for HTTPS is the sole access to the outside world. This makes our NextCloud system easier to secure and reduces the attack surface. We can improve memory by stopping the OpenSSH process, if we feel that it is warranted.



  • Hey Scott, Drew here (CrimsonKidA) from SW. I think there might be something wrong with my Salt Master install. The salt-master service doesn't auto start at boot, so I manually start it. Also, it didn't seem to make /var/cache/salt/master either, so I manually created it. When I try to run your last command here, this is what I get:
    [[email protected] /srv/salt]# salt 'NextCloud.ourdomain.com' state.apply nextcloud
    No minions matched the target. No command was sent, no jid was assigned.
    ERROR: No return received

    Any ideas? Thanks.


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    Hey Scott, Drew here (CrimsonKidA) from SW. I think there might be something wrong with my Salt Master install. The salt-master service doesn't auto start at boot, so I manually start it. Also, it didn't seem to make /var/cache/salt/master either, so I manually created it. When I try to run your last command here, this is what I get:
    [[email protected] /srv/salt]# salt 'NextCloud.ourdomain.com' state.apply nextcloud
    No minions matched the target. No command was sent, no jid was assigned.
    ERROR: No return received

    Any ideas? Thanks.

    So that error means that the key has not been accepted for that host. Start with this...

    salt-key --list-all


  • @scottalanmiller [[email protected] salt]# salt-key --list-all
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller [[email protected] salt]# salt-key --list-all
    Accepted Keys:
    Denied Keys:
    Unaccepted Keys:
    Rejected Keys:

    There we go. Your minion has not reached out to your master yet. Nothing will work until those two are talking to each other. Is Salt definitely running on the minion and pointing to the master?



  • @scottalanmiller Sorry, I don't follow. I only have one VM and it's the Fedora 25 Server. It's running everything.


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Sorry, I don't follow. I only have one VM and it's the Fedora 25 Server. It's running everything.

    That's no problem. You just have to configure both sides on one machine. That's standard actually.

    Look at /etc/salt/minion

    add the line:

    master: localhost



  • @scottalanmiller Thanks, I just appended it on to the end of /etc/salt/minion via Nano and restarted salt-minion service. No change though...?


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Thanks, I just appended it on to the end of /etc/salt/minion via Nano and restarted salt-minion service. No change though...?

    The salt-key --list-all didn't list it?



  • @scottalanmiller Afraid not. I did find where to change the salt master in the /etc/salt/minion file (line 16), so I un-commented it out and changed that to master:localhost and restarted the salt-minion service again, but no change. Also tried restarting salt-master service.


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Afraid not. I did find where to change the salt master in the /etc/salt/minion file (line 16), so I un-commented it out and changed that to master:localhost and restarted the salt-minion service again, but no change. Also tried restarting salt-master service.

    Make sure that there is a space after the colon.

    You can go in /var/log and look in the salt minion logs to see what it is complaining about.



  • @scottalanmiller Thanks, I have DNS lookup failures for 'salt' and master hostname 'salt' not found as a result.


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Thanks, I have DNS lookup failures for 'salt' and master hostname 'salt' not found as a result.

    Something is wrong with your minion file. That means that the minion is looking for a machine named salt rather than for localhost.

    In /etc/hosts you can just name the local machine "salt" to resolve that, too.


  • Service Provider

    "salt" is the default, so that's why that specific one shows up.



  • @scottalanmiller Perfect, thanks. I just added '127.0.0.0 salt' to my /etc/hosts file and that got the DNS issue cleared up. But then the key was still not accepted. Got that sorted by running:
    salt-key -A
    from directory /etc/salt



  • ...just CD'd back to /srv/salt and your scripts are working now!! 😃



  • The script seemed to run fine, but I still have no NextCloud installation. 😞 I thought it was just the firewall getting enabled in Fedora, but I turned it off and still nothing is there on 443 at the IP (other than Cockpit at 9090 of course).


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    The script seemed to run fine, but I still have no NextCloud installation. 😞 I thought it was just the firewall getting enabled in Fedora, but I turned it off and still nothing is there on 443 at the IP (other than Cockpit at 9090 of course).

    What was the feedback from the state.apply? Any errors should be there.



  • @scottalanmiller Thanks, Scott. I ran your final command again and it worked this time: Succeeded: 19 (changed=5)! The firewall seems to be too aggressive, so I just turned it off since this will be LAN-use only (at least for now).


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Thanks, Scott. I ran your final command again and it worked this time: Succeeded: 19 (changed=5)! The firewall seems to be too aggressive, so I just turned it off since this will be LAN-use only (at least for now).

    Should be "just aggressive enough"... shutting off Cockpit and SSH. 🙂


  • Service Provider

    One of the great things about a state machine system like this is that running it over and over again isn't a problem. You can run this on a live system safely.



  • Thanks again, Scott! Just one last question: how do I get this to "stick" after a reboot? It seems to be reverting back to having nothing installed after I reboot the Fedora Svr VM...


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    Thanks again, Scott! Just one last question: how do I get this to "stick" after a reboot? It seems to be reverting back to having nothing installed after I reboot the Fedora Svr VM...

    What? The packages VANISH? Or just the configuration?



  • @scottalanmiller Well, it doesn't lose my NextCloud config (I changed the admin PW) but Apache2.4, Salt (master and minion) and NextCloud are just not auto starting up. I've set the salt services to auto-start up, so I'll see if that's all it needs...


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Well, it doesn't lose my NextCloud config (I changed the admin PW) but Apache2.4, Salt (master and minion) and NextCloud are just not auto starting up. I've set the salt services to auto-start up, so I'll see if that's all it needs...

    Ah okay, at one point I had that issue but I thought that I fixed it in the state file. They were set to start when it runs, but not to start on their own. Which is actually a legitimate way to use a system like this, but not how I intended this one. If you set it that way, then you want the state file to run on start up. That's not uncommon, to have the state file determine what to run when the system fires up. But I didn't intend it here. In a pinch, though, you can just re-run it and it will take care of that for you.



  • @scottalanmiller Thanks, I'll look at making a cron job for it to run at boot. I'm having to manually disable the firewall at each boot too, so that will need to be added. Salt master and minion are starting up on their own now, so that's good.


  • Service Provider

    @CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:

    @scottalanmiller Thanks, I'll look at making a cron job for it to run at boot. I'm having to manually disable the firewall at each boot too, so that will need to be added. Salt master and minion are starting up on their own now, so that's good.

    Let's fix the issue. That will be better than that anyway.


