Easy Nextcloud Server Snap Setup for Cloud Storage, Chat, Documents, and More
This tutorial will walk you through the phenomenally easy setup of Nextcloud with Snapd on Ubuntu 20.04 LTS. Why give your data to Google or Microsoft when you can store your own data for free? You can install this snap on any snapd-capable Linux machine, but the recommended OS by Nextcloud is Ubuntu 20.04 LTS. At the end of this tutorial, you'll have a fully functional cloud collaboration server with HTTPS enabled and antivirus running.
You have many options for what kind of server you want to host on, and where the server will be hosted. The most cost effective and secure way to host this server is at home on an old computer that's collecting dust in your closet. That way, you literally don't have to pay for anything (besides maybe some external hard drives) and you do not have to trust a third party company with your data at all. Here's how to turn your old Windows or Mac computer into a Ubuntu server.
In addition, setting up your Nextcloud server on a virtual machine will make scaling your RAM, CPU, and storage, and managing backups infinitely easier. I personally use KVM with libvirt on CentOS, but VMWare and VirtualBox are also great.
Step 1: Install Nextcloud
a. Update your packages:
sudo apt update && apt upgrade -y
b. Install the snap:
sudo snap install nextcloud
c. (For home-hosted servers) Forward HTTPS and HTTP traffic to your Nextcloud server.
The example in this tutorial uses a public IP from a VPS for easy demonstration. If you are hosting at home, you will be working with a private IP on your home LAN. In order for traffic to get to your public IP and then reach your Nextcloud server, you need to setup port forwarding on your router.
The exact steps to do this will depend on your router, but the main thing you need to look for is your "Port Forwarding" configurations. Then forward traffic from external TCP ports 443 (HTTPS) and 80 (HTTP) to your local IP for your Nextcloud server. Here is an example of my router with Asuswrt-Merlin firmware:
d. Navigate to your server IP in your browser and setup your admin account.
If you are hosting this at home, this will be the local IP of your server. If you are hosting this on a VPS, this will be the public IP. In my example, I'm using a VPS. As you can see, this site is marked as "Not secure".
At this screen, type in a username and password to create your admin account. If you're only using this server for cloud storage, you can uncheck "Install recommended apps"; if you're not sure, leave it checked. You can remove the apps later. Then click Finish setup. You'll see an installation progress screen, then it will take you to a welcome splash screen.
Step 2: Configure Nextcloud
a. Update your trusted domains in your config.php file:
sudo nano /var/snap/nextcloud/current/nextcloud/config/config.php
'trusted_domains' => array ( 0 => 'XX.XX.XX.XX', ),
"XX.XX.XX.XX" represents your current IP, the IP you just navigated to your server with. Add your public domain to this array. This array dictates what website you can login from; right now, you can only login by navigating to 'XX.XX.XX.XX' in your address bar; if you try navigating to another domain or IP pointing to the same server, you'll get an "Access through untrusted domain" error.
Add your public domain. Here's an example of mine:
'trusted_domains' => array ( 0 => '220.127.116.11', 1 => 'hannahscloud.ddns.net', ),
Save and exit.
b. Generate and install your SSL certificate:
sudo nextcloud.enable-https lets-encrypt
Follow the prompts and provide your public domain, and that's it. This script will generate you a Let's-Encrypt certificate (now accepted by most browsers and services) and auto-renew your certificate every three months. As long as you don't change your domain, you won't have to worry about your SSL certificate ever again.
NOTE: If you already have an SSL certificate that you want to install, or if you want to generate a self-signed certificate, check out the help page:
c. Navigate to your public domain in your browser to ensure your trusted domains were updated and your SSL certificate was applied properly.
Step 3: Install Antivirus
Since any machine can get infected with malware, I always put antivirus on every server. However, it is especially important here when you have multiple users logging into your server and uploading various files you have little control of. ClamAV will scan all files before they are uploaded to ensure they do not contain malware.
a. Login to your root account on your server.
b. Install ClamAV:
apt-get install clamav clamav-daemon
c. Update your antivirus signatures:
d. Verify clamscan works:
clamscan -r /home
e. Edit clamd.conf:
Comment out or delete the following:
LocalSocket /var/run/clamav/clamd.ctl LocalSocketGroup clamav LocalSocketMode 666
Add the following:
TCPSocket 3310 TCPAddr 127.0.0.1
Save and exit.
f. Restart clamd:
systemctl restart clamav-daemon
g. Update your firewall:
sudo ufw allow from 127.0.0.1 to 127.0.0.1 port 3310 proto tcp
h. Login to your admin account on the web interface and navigate to Apps.
i. Navigate to Security on the left bar and find the Antivirus for files app.
Click Download and enable.
j. Navigate to Settings.
k. Navigate to Security on the left bar and scroll down to Antivirus for Files.
Configure the following:
Mode: ClamAV Daemon
l. Upload the EICAR test file to ensure your antivirus is working.
From another machine, go to the EICAR website and save a test text file. This string triggers all antivirus software to test if your antivirus software is working (you may have to disable your machine's antivirus software temporarily to even download it). Login to your Nextcloud account and attempt to upload this file. Your upload should be rejected and you should get a virus detection notice:
m. Setup routine cron jobs for scans:
NOTE: Although you might not feel like this is necessary since you all scanning all of your users' uploaded files, this is recommended if your system can support it. You never know how malware can make its way into your server, and, remember, new antivirus signatures are being added everyday. However, remember that snap instances are immutable, so you will have to remove any found infected files from an admin account on the web interface. You can add the Impersonate app to login to anyone's account as an admin, but if the files are encrypted, you will have to change the user's password and login normally as the user to remove a user's infected file.
Add these lines:
# Updates all packages weekly 1 1 * * 1 apt update && apt -y upgrade; echo "$(date) UPDATED" >> /var/log/update.log # Scans entire root directory of the host machine, to include # all of the snap directories, every day at 2:01 AM. # THIS JOB DOES NOT TAKE ACTION ON INFECTED FILES. Add --remove if you # want files marked "infected" auto-removed. Add --move=DIRECTORY to # move files marked infected for review. Or just run "grep FOUND" on log. # Add "--exclude=/snap/nextcloud" to only scan files outside of # snap instance. # NOTE: Any remove or move actions # taken by clamscan will only be applied to the host machine outside of # the Nextcloud instance. 1 2 * * * clamscan -r / >> /var/log/clamav/clamscan/$(date +"\%b-\%d-\%y-\%H-\%M").log # Removes all logs older than 30 days 30 3 * * * find /var/log/clamav/clamscan -type f -mtime +30 -delete
You can change these times as you see fit. You can reference crontab.guru if you're like me and get confused with the times.
n. Create log directory:
Step 4: Explore Nextcloud and Backup!
I won't go into detail of all the things you can do from here, e.g. add accounts, add applications, features, settings, etc. Check out the administration manual for all that. It's a pretty intuitive interface, so you will be able to figure out a lot yourself by clicking around.
One important thing I didn't cover here is BACKUPS. If you're telling your friends and family that they can use your free cloud drive instead of paying Google for storage above 15 GB, you better make sure you don't lose everything if your hard drive crashes! Nextcloud has documentation on how to backup your snap here, but you will have to figure out how to export this to another location external to your default storage location. How you do this is highly dependent on what kind of server you're hosting on, so I'm going to leave this one up to you for now.