Build your own personal cloud

Introduction

Hardware setup

Hardware
Processor: Intel i3
Memory: 8 GB
SSD: 256 GB

Software setup

Diagram

Red Hat Enterprise Linux

System requirements.

Cockpit

Cockpit is a web-based graphical interface for managing servers and virtual machines.

Nextcloud

Registration

Get a Red Hat account

The first step is to create a free Red Hat account.

  1. Go to redhat.com
  2. Click on Log in
  3. Click on Register now
  4. Fill in the form and click on Create my account

Get the No-Cost Red Hat Developer Subscription

To download Red Hat Enterprise Linux you need a No-Cost Red Hat Developer Subscription. You get this No-Cost Red Hat Developer Subscription when you join the Red Hat Developer Program.

  1. Go to developers.redhat.com/register
  2. Use the same e-mail address as in the previous step.
  3. You are now asked to log in, instead of filling in the complete form.
  4. Confirm when asked.

After joining the Red Hat Developer Program, the No-Cost Red Hat Developer Subscription is added automatically to your account. This No-Cost subscription gives you the right to install Red Hat Enterprise Linux on 16 machines.

Create installation disk

Download Red Hat Enterprise Linux

  1. Go to Red Hat Customer Portal
  2. Click on Products & Services
  3. Click on Red Hat Enterprise Linux
  4. Click on Download Latest - Red Hat Enterprise Linux 8
  5. Download Red Hat Enterprise Linux 8.4 Binary DVD (9.43 GB)

You can download Red Hat Enterprise Linux from multiple locations on the Red Hat website, but the advantage of this location is that it also shows the checksums of the ISO files.

The ISO file is so big (9.43 GB) because it contains all the versions of Red Hat Enterprise Linux (server, workstation, etc.) and all kinds of development tools.

Verify the download

It's important to know that the ISO file that we downloaded hasn't been corrupted during the download. To verify that the ISO file hasn't been corrupted, follow the steps below.

1. Go to the location where you saved the ISO image.

2. Run the following command.

sha256sum rhel-8.4-x86_64-dvd.iso

3. Check if the output is the same as the checksum on the website.

Create a bootable USB

To create a bootable USB drive with Red Hat Enterprise Linux you need a USB drive with at least 8 GB (the image of Red Hat Enterprise Linux on the USB drive is 4.7 GB).

1. Insert the USB drive into your computer or laptop.

2. Find the device name of the USB drive:

a. Install the command lsscsi.

On Fedora:

sudo dnf install lsscsi

Or on Ubuntu:

sudo apt install lsscsi

b. Run the following command.

lsscsi

Example output:

[0:0:0:0]    disk    Kingston DataTraveler 3.0       /dev/sda 
[N:0:4:1]    disk    PM981 NVMe Samsung 512GB__1     /dev/nvme0n1

In the output above you can read that the USB drive with the name Kingston DataTraveler 3.0 is attached to device sda in the directory dev.

3. Use the command dd to write the ISO file to the USB drive.

Structure

sudo dd if=[absolute path to the ISO file] of=[absolute path to the device]

Example

sudo dd if=/var/home/verhoeckx/Downloads/rhel-8.4-x86_64-dvd.iso of=/dev/sda

On my system it took 15 minutes to write the ISO file to the USB drive.

4. Unmount the USB drive:

a. Find the mount point.

lsblk

Example output

NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda           8:0    1  28.8G  0 disk 
└─sda1        8:1    1  28.8G  0 part /run/media/verhoeckx/KINGSTON
zram0       252:0    0     8G  0 disk [SWAP]
nvme0n1     259:0    0 476.9G  0 disk 
├─nvme0n1p1 259:1    0   600M  0 part /boot/efi
├─nvme0n1p2 259:2    0     1G  0 part /boot
└─nvme0n1p3 259:3    0 475.4G  0 part /var/home

Here you can see that the main partition on the USB drive (sda1) is mounted ('connected') to the location /run/media/verhoeckx/KINGSTON

b. Unmount the USB drive.

umount /run/media/verhoeckx/KINGSTON

5. Keep the RHEL ISO file.

You will need the RHEL ISO image to install it in a virtual machine.
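
A pre-flight check for step 3, as an added example that is not part of the original tutorial: dd overwrites whatever of= points to, so the function below (hypothetical name check_dd_target) reads the output of lsblk -rno NAME,RM,TYPE,MOUNTPOINT and accepts only a whole, removable disk with nothing mounted. The sample input is constructed from the lsblk output shown above.

```bash
#!/usr/bin/env bash
# Added example: decide whether a device is a sane target for "dd of=/dev/<name>".
# Real use:  lsblk -rno NAME,RM,TYPE,MOUNTPOINT | check_dd_target sda
# Exit codes: 0 = safe to write, 1 = refuse, 2 = unmount first.

check_dd_target() {
    awk -v dev="$1" '
        # The line describing the device itself.
        $1 == dev { found = 1; rm = $2; type = $3 }

        # The device or one of its partitions (sda1, nvme0n1p1, ...).
        # In raw mode an empty MOUNTPOINT leaves only three fields.
        $1 == dev || $1 ~ ("^" dev "p?[0-9]+$") {
            if (NF >= 4) mounted = mounted " " $4
        }

        END {
            if (!found)         { print "REFUSE " dev ": no such block device"; exit 1 }
            if (type != "disk") { print "REFUSE " dev ": is a " type ", pass the whole disk"; exit 1 }
            if (rm != 1)        { print "REFUSE " dev ": not a removable drive"; exit 1 }
            if (mounted != "")  { print "UNMOUNT FIRST:" mounted; exit 2 }
            print "OK /dev/" dev
        }
    '
}

# Constructed sample: the lsblk table from this page in raw format.
LSBLK_SAMPLE='sda 1 disk
sda1 1 part /run/media/verhoeckx/KINGSTON
zram0 0 disk [SWAP]
nvme0n1 0 disk
nvme0n1p1 0 part /boot/efi
nvme0n1p2 0 part /boot
nvme0n1p3 0 part /var/home'

# Demo on the sample: the USB drive is still mounted, the NVMe disk is refused.
printf '%s\n' "$LSBLK_SAMPLE" | check_dd_target sda     || true
printf '%s\n' "$LSBLK_SAMPLE" | check_dd_target nvme0n1 || true
```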

Install Red Hat Enterprise Linux

Pre-installation

  1. Connect the Intel NUC with a network cable to the router.
  2. Connect the Intel NUC with a HDMI cable to a monitor.
  3. Connect a mouse and a keyboard to the Intel NUC.
  4. Connect the adapter and power cable to a power outlet.
  5. Insert the USB drive in a free USB port.

The actual installation

Warning: it's only possible to enable the ethernet connection in step 12 if there is a network cable connected to the Intel NUC. The ethernet connection must be enabled because otherwise you won't have a network connection after the installation!

Don't use the automatic storage configuration. It creates multiple maximised XFS partitions (one for the normal user and one for root) which can't be shrunk!

  1. Press the power button;-)
    If the Intel NUC doesn't boot from the USB device, you can press F10 to get into the boot menu.
  2. Select Test this media & install Red Hat Enterprise Linux 8.4
  3. Select the language for the installation.
  4. Keyboard: change if necessary.
  5. Language Support: change if necessary.
  6. Time & Date: select a city to set the time and date.
  7. Connect to Red Hat: keep it on Not Registered
  8. Installation Source: keep it on Local media
  9. Software Selection: select the base environment Minimal Install
  10. Installation Destination:

    Select Custom Storage Configuration and click on Done

    To add a partition click on the plus sign (+).

    a. Add a partition with the mount point /boot/efi and a capacity of 600 MiB
    b. Add a partition with the mount point /boot and a capacity of 1 GiB
    c. Add a partition with the mount point swap (without the / ) and a capacity of 8 GiB
    d. Add a partition with the mount point / and leave the capacity empty
        (When you leave the capacity empty all available space will be used.)

    For setting up the above partition scheme, I used the documentation below.
    RHEL 8: Appendix B. Partitioning reference
    What is the recommended swap size for Red Hat platforms? 

    Click on Done
    Click Accept Changes

  11. KDUMP: keep it on enabled.
  12. Network & Host name: enable the ethernet connection.
    Disable the WIFI connection if there is one.
    Here you can also change the host name of the Intel NUC.
  13. Security Policy: set the switch Apply security policy on OFF
  14. Root Password: set a root password.
  15. User Creation: create at least one user.
    Make this user administrator (or in other words: give it sudo / root rights).
  16. Calmly review all the settings ;-)
  17. Start the Installation by clicking on Begin Installation
    On my system the installation took around 3 minutes.
  18. Reboot the system by clicking on Reboot system
  19. Log in and power-off the system with the command poweroff

Connect the Intel NUC to the network

Now that you have installed Red Hat Enterprise Linux, it's time to place the Intel NUC at the location that you want and connect the Intel NUC with an ethernet cable to the router or switch. After you have done so, press the power button on the Intel NUC to power on the device.

To log back in to the system we need to know the IP address it got from the router. The only way to know this is to log in to the router and see which IP address was assigned to the device.

  1. Open a browser and go to the IP address 192.168.1.1
    It's possible that your router can be found on another IP address. In that case, consult the documentation of your router.
  2. Log in the router with the username and password.
    If you don't know the username and password, consult the documentation of your router.
  3. Look up the IP address in the network table
    On my router (Netgear) this table is called 'Attached Devices' but the manufacturer of your router may have given it another name. Try to find something similar. Look for the device name to find its IP address.
  4. Write down the IP address.
    We need this IP address to log into the system with SSH.

Log in to the system with SSH

Now that we have the IP address of the Intel NUC, we can log in to the system with SSH.

1. Open a terminal.

2. Run the command below.

ssh [username]@[IP address]

3. Enter your password.

Yes, we are back in!

Register the system

Get the username of your Red Hat account

To register the system with Red Hat you need to know the username (Red Hat login) of your Red Hat account. Follow the steps below to find your Red Hat username.

  1. Go to redhat.com
  2. Click on Log in and log in with your e-mail address and password.
  3. Click on Account Details
  4. Click on Login & password
  5. Your Red Hat username is your Red Hat login
  6. Write it down somewhere.

The actual registration

1.  Register your No-Cost Red Hat Developer Subscription.

sudo subscription-manager register --username [username Red Hat account] --password [password Red Hat account]

2. Set the role of the system to Red Hat Enterprise Linux Server

sudo subscription-manager role --set="Red Hat Enterprise Linux Server"

3. Set the service level of the system to Self-Support

sudo subscription-manager service-level --set="Self-Support"

4. Set the usage of the system to Development/Test

sudo subscription-manager usage --set="Development/Test"

5. Attach the Intel NUC to your No-Cost Red Hat Developer Subscription.

sudo subscription-manager attach

The No-Cost Red Hat developer subscription gives you the right to install Red Hat Enterprise Linux on 16 (virtual) machines. When you attach the Intel NUC to your subscription it is counted as one of those 16 machines / installations.

When you go to the Red Hat Customer Portal you will see that you have one "Red Hat Developer Subscription for Individuals" and that 1 of 16 installations (6%) is being used (see Entitlement Usage).

Update the system

Run the following command.

sudo dnf upgrade

Enable auto update

1. Install the package dnf-automatic

sudo dnf install dnf-automatic

2. Install the command line text editor vim

sudo dnf install vim

3. Open the file /etc/dnf/automatic.conf

sudo vim /etc/dnf/automatic.conf

4. Press i to get into insert mode.

5. Set apply_updates to yes

6. Press Esc to exit insert mode.

7. Type :wq and press enter to save and exit vim.

8. Enable and start the service.

sudo systemctl enable --now dnf-automatic.timer

9. Check if the service is running (exit with CTRL + C).

sudo systemctl list-timers '*dnf-*'

The system will now check every day at 06:00 for available updates. If there is an update the packages will be downloaded and installed.

You can check the default schedule here:

cat /usr/lib/systemd/system/dnf-automatic.timer

Install Cockpit

Now that we finished the installation of Red Hat Enterprise Linux we can start installing Cockpit on the server.

1. Log in to your server.

ssh [username]@[IP address]

2. Install Cockpit.

sudo dnf install cockpit

3. Enable Cockpit in systemd

sudo systemctl enable cockpit.socket

4. Start the application Cockpit.

sudo systemctl start cockpit.socket

5. Open Cockpit in a browser.

Open a browser and go to the address below.

[IP address Intel NUC]:9090

When you visit the address you probably get a warning that the website can't be trusted. Ignore this message and add a security exception to the website. After you have added the security exception you get the login page of Cockpit.

You can now log in with the user account that you created during the installation of Red Hat Enterprise Linux.

Securing the system

Securing SSH

Enable public-key authentication

By default, SSH uses a username and password to log in to the system. While this is a safe way to log in to the system, it doesn't protect your machine from a brute force SSH attack. If we configure the system to use public-key authentication, a brute force SSH attack becomes impossible (because of the length of the public key) and we can configure the server in such a way that logging in with a password isn't necessary anymore.

After you configured the server with public-key encryption, you will only be able to log in to the server with the laptop or computer on which you configured the key-pair (the public and private key).

How public-key encryption exactly works is out of the scope of this installation but you can find many great articles on the internet!

   

1. Go back to the laptop or computer that you used to log in to the server.

2. Log in with your normal user account.

3. Open a terminal.

4. Generate the public and private key pair utilising the RSA-algorithm.

ssh-keygen -t rsa

When you are asked to enter a passphrase, just press Enter. This way you don't configure a passphrase and you will be able to log in to the Intel NUC without a password.

The private key can be found here:

~/.ssh/id_rsa

And the public key can be found here: 

~/.ssh/id_rsa.pub

5. Copy the public key to the user account on your Intel NUC.

ssh-copy-id -i ~/.ssh/id_rsa.pub [username]@[IP address]

After you have installed the public key on the server, you can log in to the Intel NUC without a password. This may seem insecure but remember that you now use public-key authentication in the background!

Disable all password authentication

While we have enabled public-key authentication for one user on the server for one account on your laptop, it's still possible to log in to the server with just a password from another account or from another computer! In other words: we are, by far, not protected from a brute force SSH attack!

To finish our protection against a brute force SSH attack we have to disable all password authentication on the server. This has the advantage that the root account is now also blocked.

1. Open the file /etc/ssh/sshd_config

sudo vim /etc/ssh/sshd_config

2. Find the line with the text PasswordAuthentication

Enter:

/PasswordAuthentication

With the forward slash (/) you can search for a word in the document.

3. Change yes into no

  • Press i
  • Change yes into no
  • Press Esc
  • Type :wq

4. Reload the SSH daemon.

sudo systemctl reload sshd

Now that we have enabled public-key authentication and disabled all password authentication, there is only one way to log in to the server and that's from your user account on your laptop to the user account on the server. Save the usernames and passwords of both user accounts (otherwise you won't be able to log in to the server anymore)!
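
One way to confirm that the change took effect, as an added example that is not part of the original tutorial: the function below (hypothetical name audit_sshd) reads the effective configuration in the format printed by sudo sshd -T and reports every setting that still allows a password-style login. Both sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: check that no password-style SSH login is left.
# On the server:  sudo sshd -T | audit_sshd
# "sshd -T" prints the effective settings, one lower-case "keyword value" per line.
# Exit codes: 0 = only key-based logins are possible, 1 = at least one FAIL.

audit_sshd() {
    awk '
        { key = tolower($1); val = tolower($2) }

        # Plain password logins: the setting changed in the steps above.
        key == "passwordauthentication" && val != "no" {
            print "FAIL " key "=" val; bad++
        }
        # Keyboard-interactive logins are normally backed by PAM and prompt for
        # the same account password, so they have to be off as well. The
        # keyword depends on the OpenSSH version.
        (key == "challengeresponseauthentication" ||
         key == "kbdinteractiveauthentication") && val != "no" {
            print "FAIL " key "=" val; bad++
        }
        key == "permitemptypasswords" && val != "no" {
            print "FAIL " key "=" val; bad++
        }
        key == "pubkeyauthentication" { pubkey = val }

        # Not a failure: root cannot use a password any more, but could still
        # log in with a key if one is ever added to /root/.ssh/authorized_keys.
        key == "permitrootlogin" && val == "yes" {
            print "NOTE " key "=" val " (root can still log in with a key)"
        }

        END {
            if (pubkey != "yes") { print "FAIL pubkeyauthentication=" pubkey; bad++ }
            if (bad == 0) print "OK no password-style login is enabled"
            exit (bad > 0)
        }
    '
}

# Constructed sample: key installed, password authentication not yet disabled.
SAMPLE_BEFORE='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no
permitemptypasswords no'

# Constructed sample: after "PasswordAuthentication no" and a reload of sshd.
SAMPLE_AFTER='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
permitemptypasswords no'

printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd || true
printf '%s\n' "$SAMPLE_AFTER"  | audit_sshd || true
```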

Secure Cockpit

Block the root account

  1. Log in to Cockpit
  2. Open the tab Accounts
  3. Check Lock account

It's now not possible anymore to log in to Cockpit with the root account.

Connect to the internet

Now that we have secured SSH and Cockpit we can safely connect the Intel NUC to the internet. The first step is to enable port forwarding on the router so that internet traffic that arrives at the router can reach the Intel NUC.

Enable port forwarding

Port forwarding has to be enabled for the following ports: 22 (SSH), 80 (HTTP), 443 (HTTPS) and 9090 (Cockpit).

  1. Open a browser and go to the IP address 192.168.1.1
    It's possible that your router can be found on another IP address. In that case, consult the documentation of your router.
  2. Log in to the router with the username and password.
    If you don't know the username and password, consult the documentation of your router.
  3. Enable port forwarding on the router.

    How you have to do this, is different on every router. On my Netgear router I had to follow the following steps:

    a. Click on the tab Advanced
    b. Click on Advanced Setup
    c. Click on Port Forwarding / Port Triggering

    For every service / port:

    d. Click on Add Custom Service
    e. Give the service a name (SSH / HTTP / HTTPS /Cockpit).
    f.  External Starting Port and External Ending Port: the port number (22 / 80 / 443 / 9090)
    g. Internal Starting Port and Internal Ending Port: the port number (22 / 80 / 443 / 9090)
    h. Internal IP address: the local IP-address of the Intel NUC.
    i.  Click on Apply

You can now reach the Intel NUC using the public IP address of your router. 

You can find the public IP address of your router with the following command:

host myip.opendns.com resolver1.opendns.com

Try to log in to the server with SSH and the public IP address:

ssh [username]@[Public IP address router]

And try to log in to Cockpit with the public IP address:

[Public IP address router]:9090

Configuring DNS

To be able to reach the server with a domain name, you have to add a domain name to a DNS server on the internet.

Here you have a few options:

  1. If you already have a registered domain you can add a subdomain and point it to the public IP address of the router. The advantage is that you can add the DNS entry yourself and you don't have to pay for an extra service. The disadvantage is that the IP address can change and if it does, you lose the connection with the server. If this happens, the only solution is to edit the DNS entry manually again.
  2. You register a new domain name and make it point to the public IP address of the router. This has the same disadvantage as the first solution.
  3. You register a domain name with a Dynamic DNS service provider (for example NoIP.com) and make it point to the public IP address of your router.
    The advantage of using a Dynamic DNS service provider is that they actively monitor your router and that they change the DNS entry automatically if they see that the public IP address of your router has changed. The disadvantage of such a service is that you have to rely on a third-party service and that it costs you money.

Whatever solution you choose, make sure that at the end of this step you have a registered domain (or subdomain) name pointing to your router. If necessary, call your web hosting provider for more information. 

Check if DNS works correctly by entering the domain name followed by the port number of Cockpit (:9090). If successful, you get the login screen of Cockpit.

Install Apache 

For our installation we have to install Apache twice: once on the host and once in a virtual machine. The installation on the host is only used to forward requests to the virtual machine. We are going to install Apache on the host now and we will install Apache later on the virtual machine.

1. Log in to the server.

ssh [username]@[local or public IP address]

2. Install the Apache web server.

sudo dnf install httpd

3. Enable the Apache web server in systemd

sudo systemctl enable httpd

4. Start the Apache web server.

sudo systemctl start httpd

5. Open port 80 and 443 in the firewall.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

6. Add a new configuration file.

a. Go to the directory /etc/httpd/conf.d

cd /etc/httpd/conf.d

b. Create a new configuration file. 

Give it the name virtualhosts.conf

sudo vim virtualhosts.conf

c. Add the following code.

ServerName localhost
DocumentRoot /var/www/html/

Use i to get into insert mode, copy and paste the code, press Esc to exit insert mode and type :wq to save and close the file.

7. Enable HTTP connections in SELinux

sudo setsebool -P httpd_can_network_connect on

8. Restart Apache.

sudo systemctl restart httpd

9. Check if the connection works.

If you now enter the domain name you should see the Red Hat Enterprise Linux Test Page. If you see this page it means that Apache is installed and configured correctly on the server!

Install a virtual machine

Log in to the server with SSH.

ssh [username]@[IP address server]

Install the Cockpit-app Virtual Machines

1. Install the package cockpit-machines

sudo dnf install cockpit-machines

2. Start the libvirtd service. 

sudo systemctl start libvirtd.service

Install a virtual network

1. Install the package libvirt-daemon-config-network

sudo dnf install libvirt-daemon-config-network

2. Start the virtual network with the name default

sudo virsh net-start default

Create a new storage pool

1. First create a new directory on the root file system

sudo mkdir /storage

2. Log in to Cockpit
3. Open the tab Virtual Machines
     (If you don't see this tab, press F5 to refresh the interface.)
4. Click on Storage pools
5. Click on Create storage pool

    Settings
    Connection: System
    Name: Give the storage pool a distinctive name.
    Type: Filesystem directory
    Target path: select /storage
    Startup: Start pool when host boots.

6. Click on Create
7. Click on the just created storage pool and click Activate

Create a new volume for Nextcloud

  1. Go to Storage pools
  2. Click on the storage pool you just created.
  3. Click on tab Storage volumes
  4. Click on Create volume

    Settings
    Name: Give the volume a distinctive name.
    Size: Set the size of the virtual volume (e.g. 100 GB).

  5. Format: keep qcow2
  6. Click on Create

Copy the ISO image to the server

1. Go to the location where you saved the RHEL ISO image.

2. Run the command below to copy the RHEL ISO image to the server.

   We use root because we copy the file to a directory on the root file system.

scp rhel-8.4-x86_64-dvd.iso root@[IP address server]:/var/lib/libvirt/images/

3. Wait until the system has finished copying the file (on my system it took 12 minutes).

Create the virtual machine

  1. Log into Cockpit
  2. Go to tab Virtual Machines
  3. Click on Create VM
  4. Name: give the virtual machine a distinctive name (e.g. Nextcloud).
  5. Connection: choose System
  6. Installation type: choose Local install media
  7. Installation source: select /var/lib/libvirt/images/rhel-8.4-x86_64-dvd.iso
  8. Operating system: Red Hat Enterprise Linux 8.4 (Ootpa)
  9. Storage: select the storage pool that you created earlier.
  10. Volume: select the volume you created earlier.
  11. Memory: Nextcloud needs at least 4 GB
  12. Keep Run unattended installation unchecked.
  13. Deselect Immediately start VM
  14. Click on Create

Install RHEL in the VM

Install RHEL

  1. Go to tab Virtual Machines
  2. Click on the just created virtual machine.
  3. Click on Install
  4. Click in the VNC console
  5. Select Test this media & install Red Hat Enterprise Linux 8.4
  6. Select the language you want to use during the installation.
  7. Keyboard: change if necessary.
  8. Language Support: change if necessary.
  9. Time & Date: select a city to set the time and the date.
  10. Connect to Red Hat: keep it on Not Registered
  11. Installation Source: keep it on Local media
  12. Software Selection: select the base environment Minimal Install
  13. Installation Destination:

    Select Custom Storage Configuration and click on Done

    To add a partition click on the plus sign (+).

    a. Add a partition with the mount point biosboot (without the / ) and a capacity of 1 MiB
    b. Add a partition with the mount point /boot and a capacity of 1 GiB
    c. Add a partition with the mount point swap (without the / ) and a capacity of 4 GiB
    d. Add a partition with the mount point / and leave the capacity empty.
        (When you leave the capacity empty all available space will be used.)

    Click on Done
    Click on Accept Changes

  14. KDUMP: keep it on enabled.
  15. Network & Host name: enable the ethernet connection.
    Here you can also change the host name of the virtual machine.
  16. Security Policy: set the switch Apply security policy on OFF
  17. Root Password: set a root password.
  18. User Creation: create at least one user.
    Make this user administrator (or in other words: give it sudo / root rights).
  19. Calmly review all the settings ;-).
  20. Start the Installation by clicking on Begin Installation
    On my system the installation took around 3 minutes.
  21. Reboot the system by clicking on Reboot system
  22. Keep the system running.

Registering

We are going to use a standard terminal instead of the VNC console because the VNC console doesn't support copy and paste.

1. Log in to your Intel NUC

ssh [username]@[IP address Intel NUC]

2. Log in to the virtual machine

ssh [username]@[IP address virtual machine]

You can find the IP address of the virtual machine in Cockpit:

  1. Go to the tab Virtual Machines
  2. Click on the just created virtual machine.
  3. You can find the IP address in the section Networks

3. Register the virtual machine.

You can find the username (Red Hat login) of your Red Hat account here:

Redhat.com >> Account Details >> Login & password >> Red Hat login

sudo subscription-manager register --username [username Red Hat account] --password [password Red Hat account]
sudo subscription-manager role --set="Red Hat Enterprise Linux Server"
sudo subscription-manager service-level --set="Self-Support"
sudo subscription-manager usage --set="Development/Test"
sudo subscription-manager attach

Update the virtual machine

sudo dnf upgrade

Enable auto update in the virtual machine

1. Install the package dnf-automatic

sudo dnf install dnf-automatic

2. Install the command line text editor vim.

sudo dnf install vim

3. Open the file /etc/dnf/automatic.conf

sudo vim /etc/dnf/automatic.conf

4. Press i to get into insert mode.

5. Set apply_updates to yes

6. Press Esc to exit insert mode.

7. Type :wq and press enter to save and exit vim.

8. Enable and start the service.

sudo systemctl enable --now dnf-automatic.timer

9. Check if the service is running (exit with CTRL + C).

sudo systemctl list-timers '*dnf-*'

The system will now check every day at 06:00 for available updates. If there is an update the packages will be downloaded and installed.

Enable autostart on reboot

Make sure the virtual machine starts when the host machine starts.

  1. Go to the tab Virtual Machines
  2. Click on the just created virtual machine.
  3. Autostart: check Run when the host boots

Install Nextcloud

Log in the virtual machine

a. Log in to the server.

ssh [username]@[IP address Intel NUC]

b. Log in to the virtual machine

ssh [username]@[IP address virtual machine]

Install Apache

1. Install the Apache web server.

sudo dnf install httpd

2. Enable the Apache web server in systemd

sudo systemctl enable httpd

3. Start the Apache web server.

sudo systemctl start httpd

4. Open port 80 and 443 of the firewall.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

5. Enable HTTP connections in SELinux

sudo setsebool -P httpd_can_network_connect on

Add a virtual host file

1. Go to the directory /etc/httpd/conf.d

cd /etc/httpd/conf.d

2. Create a new virtual host file.

sudo vim nextcloud.conf

3. Add the following code.

ServerName localhost

<VirtualHost *:80 >
  DocumentRoot /var/www/html/
  ServerName  [your.domain.com]

  <Directory /var/www/html/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

  </Directory>
</VirtualHost>

Use i to get into insert mode, copy and paste the code (but change the domain name), press Esc to exit insert mode and type :wq to save and close the file.

4. Restart Apache.

sudo systemctl restart httpd

Add a reverse proxy

Now that we have installed Apache in the virtual machine, we need to add a reverse proxy to the Apache configuration file on the host.

1. Exit the virtual machine.

exit

Make sure that you are on the host

2. Go to the directory /etc/httpd/conf.d

cd /etc/httpd/conf.d

3. Open the file virtualhosts.conf

sudo vim virtualhosts.conf

4. Add the virtual host that will act as the reverse proxy.

ServerName localhost
DocumentRoot /var/www/html/

<VirtualHost *:80 >
    ServerName [your.domain.com]
    ProxyPreserveHost On
    ProxyPass / http://[IP address virtual machine]/
    ProxyPassReverse / http://[IP address virtual machine]/
</VirtualHost>

Use i to get into insert mode, copy and paste the code (but change the domain name and the IP addresses), press Esc to exit insert mode and type :wq to save and close the file.

5. Check the configuration file for syntax errors.

apachectl configtest

6. Restart Apache.

sudo systemctl restart httpd

7. Check the connection.

a. Log in to the virtual machine

ssh [username]@[IP address virtual machine]

b. Go to the document root directory of Apache.

cd /var/www/html

c. Create the file index.html

sudo vim index.html

d. Add the following HTML.

<html>
        <head>
                <title>Test page for the back-end server</title>
        </head>
        <body>
                This is a simple test page hosted on the back-end server.
        </body>
</html>

Use i to get into insert mode, copy and paste the code, press Esc to exit insert mode and type :wq to save and close the file.

e. Open a browser and go to your domain name. 

If you have done everything correctly, you should see the web page with the text This is a simple test page hosted on the back-end server

Congratulations: you have successfully configured the reverse proxy!

After this test, you can remove the file index.html because you won't need it anymore.

Install MariaDB

1. Install the MariaDB database client and server.

sudo dnf install mariadb mariadb-server

2. Enable the MariaDB database server in systemd

sudo systemctl enable mariadb

3. Start the MariaDB database server.

sudo systemctl start mariadb

4. Secure the MariaDB installation.

sudo mysql_secure_installation

5. Create the Nextcloud database and database user.

a. Log in to MariaDB.

mysql -u root -p

b. Create a new database.

create database nextcloud;

c. Create a new database user.

CREATE USER '[username]'@'localhost' IDENTIFIED BY '[password]';

d. Give the user the right to access the nextcloud database.

GRANT ALL PRIVILEGES on nextcloud.* to '[username]'@'localhost';

e. Reload the MariaDB grant tables that are responsible for the user privileges.

flush privileges;

f. Log out of MariaDB.

exit;

Install PHP

1. Enable PHP version 7.3.

sudo dnf module enable php:7.3

2. Install PHP and all the needed modules.

sudo dnf install php php-gd php-mbstring php-intl php-pecl-apcu php-mysqlnd php-opcache php-json php-zip php-dom php-posix

Install Nextcloud

1. Go to the DocumentRoot directory of Apache.

cd /var/www/html

2. Install wget and unzip

sudo dnf install wget unzip

3. Download Nextcloud 22

sudo wget https://download.nextcloud.com/server/releases/nextcloud-22.1.0.zip

4. Optional: check the integrity of the zip file.

a. Download the MD5 or SHA256 checksum (hash).

sudo wget https://download.nextcloud.com/server/releases/nextcloud-22.1.0.zip.md5
sudo wget https://download.nextcloud.com/server/releases/nextcloud-22.1.0.zip.sha256

b. Compare the Nextcloud zip file with the checksum.

md5sum -c nextcloud-22.1.0.zip.md5
sha256sum -c nextcloud-22.1.0.zip.sha256

6. Optional: check the authenticity of the zip file.

a. Download the digital signature (encrypted hash) of the zip file.

sudo wget https://download.nextcloud.com/server/releases/nextcloud-22.1.0.zip.asc

b. Download the public key of Nextcloud.

sudo wget https://nextcloud.com/nextcloud.asc

c. Add the public key to GNU Privacy Guard (gpg).

gpg --import nextcloud.asc

d. Verify the signature (check if the hashes match).

gpg --verify nextcloud-22.1.0.zip.asc nextcloud-22.1.0.zip

7. Optional: remove the digital signature, public key and checksum files.

sudo rm nextcloud-22.1.0.zip.asc nextcloud.asc nextcloud-22.1.0.zip.md5 nextcloud-22.1.0.zip.sha256

8. Unpack the zip file.

sudo unzip nextcloud-22.1.0.zip

9. Remove the zip file.

sudo rm nextcloud-22.1.0.zip

10. Move the content of the folder nextcloud (including hidden files) to the folder html

sudo mv nextcloud/* nextcloud/.[!.]* .

11. Remove the, now empty, folder nextcloud

sudo rmdir nextcloud

12. Add the folder data

sudo mkdir data

13. Set Apache as the owner of all the files in the DocumentRoot

sudo chown -R apache:apache .
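The optional checks from steps 4 and 6, combined into one script that stops on any failure. This is an added example, not part of the original guide or of Nextcloud's own tooling. It pins the signing key because a checksum fetched from the same server only detects corruption, and gpg --verify accepts a good signature from any key in the keyring. The function names and the EXPECTED_FPR placeholder are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed check of a downloaded release archive.
# EXPECTED_FPR is a placeholder. Obtain the real fingerprint (40 hex digits,
# uppercase, no spaces) from a source other than the download server.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_PINNED_FINGERPRINT}"

# Integrity: compare the archive with the hash in its .sha256 file.
sha256_ok() {   # $1 = archive, $2 = checksum file
    want=$(awk '{ print $1; exit }' "$2")
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Read `gpg --status-fd 1` output on stdin. Succeed only when gpg reported
# GOODSIG (key neither expired nor revoked) and a VALIDSIG line that names
# the pinned fingerprint as signing key (field 3) or primary key (last field).
pinned_sig_ok() {   # $1 = expected fingerprint
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Authenticity: verify in a throw-away keyring, so that only the key file
# passed in can satisfy the check. The body runs in a subshell.
verify_release() (   # $1 = archive, $2 = public key file
    sha256_ok "$1" "$1.sha256" || { echo "checksum mismatch" >&2; exit 1; }
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME"' EXIT
    gpg --quiet --import "$2" 2>/dev/null || exit 1
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        pinned_sig_ok "$EXPECTED_FPR" ||
        { echo "no good signature from the pinned key" >&2; exit 1; }
    echo "OK: $1"
)

# Usage: ./verify.sh nextcloud-22.1.0.zip nextcloud.asc
if [ "$#" -eq 2 ]; then verify_release "$@"; fi
```

Run it in the directory that holds the zip file, the .sha256 file and the .asc file, before unpacking the archive.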

Configure SELinux

1. Install the package policycoreutils-python-utils

sudo dnf install policycoreutils-python-utils

2. Give Nextcloud read and write access to several internal files and directories.

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/data(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/config(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/apps(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/.htaccess'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/.user.ini'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'

3. Apply the above security contexts to the existing files.

sudo restorecon -R '/var/www/html/'

Nextcloud installation wizard

Open a browser and go to your domain name. If you have configured everything correctly, you see the Nextcloud installation wizard.

  1. Create an admin account.
    Enter a username and a password
  2. Click on Storage & databases.
  3. Keep the data folder as it is (/var/www/html/data).
  4. Select MySQL/MariaDB as the database back-end.
  5. Enter the database settings (see Install MariaDB, step 5).
    Enter the name of the database user.
    Enter the password of the database user.
    Enter the name of the database (nextcloud).
    Keep the server name on localhost.
  6. Unselect Install recommended apps.
  7. Click on Finish setup.

    If Nextcloud doesn't redirect correctly to the dashboard, enter the address manually:
    [your domain name]/index.php

Enable HTTPS

Add a second virtual host

The SSL certificate needs to be installed on the host, so make sure that you are on the host.

1. Exit the virtual machine.

exit

Make sure that you are on the host

2. Install the Apache module mod_ssl

sudo dnf install mod_ssl

3. Go to the directory /etc/httpd/conf.d

cd /etc/httpd/conf.d

4. Open the file virtualhosts.conf

sudo vim virtualhosts.conf

5. Add a second virtual host.

<VirtualHost *:443 >
    ServerName [your.domain.com]
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass / http://[IP address virtual machine]/
    ProxyPassReverse / http://[IP address virtual machine]/
</VirtualHost>

Use i to get into insert mode, copy and paste the code (but change the domain name and the IP addresses), press Esc to exit insert mode and type :wq to save and close the file.

So the complete code is:

ServerName localhost
DocumentRoot /var/www/html/

<VirtualHost *:80 >
    ServerName [your.domain.com]
    ProxyPreserveHost On
    ProxyPass / http://[IP address virtual machine]/
    ProxyPassReverse / http://[IP address virtual machine]/
</VirtualHost>

<VirtualHost *:443 >
    ServerName [your.domain.com]
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass / http://[IP address virtual machine]/
    ProxyPassReverse / http://[IP address virtual machine]/
</VirtualHost>

6. Check the configuration file for syntax errors.

apachectl configtest

7. Restart Apache.

sudo systemctl restart httpd

Get an SSL certificate

To request the SSL certificate we are going to use the application certbot from the Electronic Frontier Foundation (EFF). With this tool you get an SSL certificate from the certificate authority Let's Encrypt.

Make sure that you are on the host

1. Install the application certbot

a. Add the Extra Packages for Enterprise Linux (EPEL) repository.

sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

b. Install snapd

sudo dnf install snapd

c. Enable the snap daemon in systemd

sudo systemctl enable snapd

d. Start the snap daemon.

sudo systemctl start snapd

e. Enable "classic" snap support (give snaps the same permissions as RPM packages).

sudo ln -s /var/lib/snapd/snap /snap

f. Reboot the server to finalise the installation of snapd

sudo reboot

g. Log back in.

ssh [username]@[IP address server]

h. Install the latest version of snap core

sudo snap install core

i. Install the snap certbot with "classic" permissions.

sudo snap install --classic certbot

j. Make sure that the command certbot can be run.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

2. Get a Let's Encrypt certificate and configure Apache.

sudo certbot --apache
  1. Enter your e-mail address
  2. Agree to the Terms of Service
  3. Agree or disagree to share your e-mail address with the Electronic Frontier Foundation (EFF).
  4. Select the domain name for which you want to request the SSL certificate.

    Wait until the certificate is deployed successfully.

3. Restart Apache.

sudo systemctl restart httpd

4. Test if the renewal of the certificates works fine.

sudo certbot renew --dry-run

5. Test if your website can be reached with HTTPS.

Open a browser and type https:// followed by your domain name.

When you now open the virtual host file again (/etc/httpd/conf.d/virtualhosts.conf) you will see that certbot has added all the necessary directives to configure the SSL certificate!

ServerName localhost
DocumentRoot /var/www/html/

<VirtualHost *:80 >
    ServerName [your.domain.com]
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =[your.domain.com]
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443 >
    ServerName [your.domain.com]
    ProxyPreserveHost On
    ProxyPass / http://[IP address virtual machine]/
    ProxyPassReverse / http://[IP address virtual machine]/
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/[your.domain.com]/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/[your.domain.com]/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Post installation

Force Nextcloud to always use HTTPS

1. Log in on the virtual machine.

ssh [username]@[IP address virtual machine]

2. Go to the configuration folder of Nextcloud.

cd /var/www/html/config/

3. Open the configuration file config.php

sudo vim config.php

4. Add the following two lines to the PHP array.

  'overwrite.cli.url' => 'https://[your.domain.com]',
  'overwriteprotocol' => 'https',

Use i to get into insert mode, copy and paste the code (but change the domain name), press Esc to exit insert mode and type :wq to save and close the file.

Increase the PHP memory limit to 512MB

1. Open the file /etc/php.ini

sudo vim /etc/php.ini

2. Search for directive memory_limit

/memory_limit

3. Change the value from 128MB to 512MB

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 512M

Use i to get into insert mode, change 128 into 512, press Esc to exit insert mode and type :wq to save and close the file.

4. Restart Apache.

sudo systemctl restart httpd

5. If the restart of Apache didn't work, reboot the virtual machine.

sudo reboot

Add the host as a trusted proxy

1. Open the configuration file of Nextcloud.

sudo vim /var/www/html/config/config.php

2. Add the following line to the PHP array.

'trusted_proxies'   => ['Internal IP address host'],

Use i to get into insert mode, add the internal IP address of the host, press Esc to exit insert mode and type :wq to save and close the file.

You can get the IP address of the host on the internal/virtual network by logging out of the virtual machine and running the command hostname -I on the host.

3. Restart Apache.

sudo systemctl restart httpd

Enable HTTP Strict Transport Security

1. Log in on the host (or exit the virtual machine with exit).

ssh [username]@[IP address server]

2. Open the virtual host file.

sudo vim /etc/httpd/conf.d/virtualhosts.conf

3. Add the following three lines to the virtual host with port 443.

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

4. Restart Apache.

sudo systemctl restart httpd
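An added example (not from the original guide or from the Apache project) that audits a virtual host file for the HTTPS settings configured above: the permanent redirect on port 80, the certificate directives on port 443 and the HSTS header on port 443. The function names and the sample configuration, with cloud.example.com and 192.0.2.10, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache virtual host file for the HTTPS settings
# configured in this guide. Prints one finding per line, nothing when clean.
audit_vhosts() {   # reads the configuration on stdin
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<virtualhost/ {
            port = line; sub(/^.*:/, "", port); sub(/[^0-9].*$/, "", port)
            seen[port] = 1; next
        }
        line ~ /^[ \t]*<\/virtualhost/ { port = ""; next }
        port == "" || line ~ /^[ \t]*#/ { next }
        line ~ /rewriterule.*https:\/\/.*r=(permanent|301)/ { redirect[port] = 1 }
        line ~ /^[ \t]*sslengine[ \t]+on/ { tls[port] = 1 }
        line ~ /^[ \t]*sslcertificatefile/ { cert[port] = 1 }
        line ~ /strict-transport-security/ {
            age = line; sub(/^.*max-age=/, "", age); sub(/[^0-9].*$/, "", age)
            hsts[port] = 1; maxage[port] = age + 0
        }
        END {
            if (!redirect[80]) print "port 80: no permanent redirect to https"
            if (hsts[80]) print "port 80: HSTS header on plain HTTP is ignored by browsers"
            if (!tls[443] || !cert[443]) print "port 443: SSLEngine on or SSLCertificateFile missing"
            if (!hsts[443]) print "port 443: Strict-Transport-Security header missing"
            else if (maxage[443] < 15552000) print "port 443: HSTS max-age below 15552000"
        }'
}

# Constructed sample: HSTS was pasted into the port 80 host by mistake.
sample_vhosts() {
    cat <<'EOF'
<VirtualHost *:80 >
    ServerName cloud.example.com
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443 >
    ServerName cloud.example.com
    ProxyPass / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cloud.example.com/fullchain.pem
</VirtualHost>
EOF
}

# Audit the file given as argument, otherwise the constructed sample.
if [ "$#" -ge 1 ]; then audit_vhosts < "$1"; else sample_vhosts | audit_vhosts; fi
```

Called with /etc/httpd/conf.d/virtualhosts.conf as its argument, the script audits the real file on the host.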

Enable PHP OPcache

1. Open the configuration file of OPcache

sudo vim /etc/php.d/10-opcache.ini

2. Check the following values and change or enable (removing the ;) accordingly.

opcache.enable = 1
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.memory_consumption = 128
opcache.save_comments = 1
opcache.revalidate_freq = 1

3. Restart Apache.

sudo systemctl restart httpd

4. If the restart of Apache didn't work, reboot the virtual machine.

sudo reboot

Redirect CalDAV and CardDAV correctly

1. Log in on the host

2. Open the virtual host file.

sudo vim /etc/httpd/conf.d/virtualhosts.conf

3. Add the following three lines to the virtual host with port 443

RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

4. Restart Apache

sudo systemctl restart httpd

Add the default phone region

1. Open the configuration file of Nextcloud.

sudo vim /var/www/html/config/config.php

2. Add the following line to the PHP array.

'default_phone_region' => '[country code]',

Replace [country code] with the country code of your country.
You can find all the country codes here.

3. Close and save the file.

Update Nextcloud

A. Enable the SELinux boolean httpd_unified

sudo setsebool httpd_unified on

B. Start the update process.

  1. Log in to the Nextcloud web interface.
  2. Go to Settings
  3. Click on Overview
  4. Check if there is an update.
  5. Click on Open updater
  6. Click on Start update
  7. Click on Disable maintenance mode and continue in the web based updater
  8. Click on Start update

C. Disable the SELinux boolean httpd_unified

sudo setsebool -P httpd_unified off

Install the Nextcloud client

The recommended way to install an app on Linux is to use either the Flatpak version or the Snap version of the program. Both package formats use container technologies to isolate the application from the rest of the system. Another advantage of these technologies is that when there is an update, the update is installed immediately.

When you use a Linux distribution with either Flatpak or Snap enabled, use the application GNOME Software or KDE Discover to install the Nextcloud client.

Note: make sure that you install the Flatpak or Snap version and not the rpm or deb version.

If you can't find the Nextcloud client in GNOME Software or KDE Discover, install the application from the website Flathub (for Flatpak apps) or Snapcraft (for Snap packages). Below you can find the official addresses.

Flatpak

https://flathub.org/apps/details/com.nextcloud.desktopclient.nextcloud

Snap

https://snapcraft.io/nextcloud

Synchronise your files

Clean up files

  1. Log in to your Nextcloud installation.
  2. Go to Files
  3. Click on All files
  4. Select all the default files and templates.
  5. Click on ...Actions and choose Delete
  6. Go to Deleted files
  7. Select all files.
  8. Click on ...Actions and choose Delete permanently

Configure settings

  1. Launch the application Nextcloud Desktop
  2. Close the window Add Nextcloud account
    Reason: we have to configure the settings first.
  3. Click on the icon in the system tray of your desktop environment.
    Install the extension AppIndicator and KStatusNotifierItem Support if you use the GNOME desktop.
  4. Select Settings
  5. Increase the size of the setting Ask for confirmation before synchronizing folders larger than to a value that is higher than any directory in your home directory. This way you will never be asked to confirm the synchronisation of a directory. Tip: use the application Disk Usage Analyzer to find the size of your local directories.
  6. Click on Edit Ignored Files
  7. Deselect Sync hidden files
  8. Click on OK
  9. Close the window.

In version 3.3.3 of the Nextcloud Desktop app the unselecting of the option Sync hidden files isn't saved and you have to add the expression .* (all hidden files) manually.

1. Open the window Edit Ignored Files
2. Click on Add
3. Type .*
4. Click on OK
5. Click again on OK

Synchronise files

  1. Click on the icon in the system tray of your desktop environment.
  2. Click on Add account
  3. Click on Log in to your Nextcloud
  4. Enter the address of the Nextcloud server.

    After you have entered the address of your Nextcloud installation and clicked on Next, you are redirected to a web page on your Nextcloud installation and asked to log in. This is needed to grant the desktop application access to the Nextcloud installation.

    1. Click on Log in
    2. Log in with your username and password.
    3. Click on Grant access
    4. Close the browser window and go back to the Desktop application.

  5. Select the folder (or complete home directory) that you want to synchronise.
  6. Keep Synchronize everything from server selected.
  7. Keep Keep local data selected in order to preserve all files on your computer/laptop.
  8. Click on Connect
  9. Wait until all files and directories are synced. 

    Depending on the number and size of your files this can take many hours! On my system the synchronisation of 33 GB of data took more than two hours.

Install Nextcloud Apps

Install Nextcloud Groupware

  1. Log in to the Nextcloud web interface.
  2. Go to Apps
  3. Click on App bundles
  4. Go to Groupware bundle
  5. Click on Enable all
  6. Reload the interface with F5

Install Collabora Online

  1. Log in to the Nextcloud web interface.
  2. Go to Apps
  3. Click on App bundles
  4. Go to HUB bundle
  5. Click on Enable all

Version 6.4.1004 of Collabora Online - Built-in CODE Server has a bug that prevents Collabora Online from running correctly (Exception: Could not find urlsrc in WOPI). When WOPI is enabled, the error Column "oc_wopi_wopi"."canwrite" is type Bool and also NotNull, so it can not store "false" is shown.

Install Nextcloud Talk