h3artbl33d

Security and privacy activist

Nextcloud on OpenBSD

NextCloud on OpenBSD

NextCloud and OpenBSD are complimentary to one another. NextCloud is an awesome, secure and private alternative for propietary platforms, whereas OpenBSD forms the most secure and solid foundation to serve it on. Setting it up in the best way isn’t hard, especially using this step by step tutorial.

Preface

Back when this tutorial was initially written, things were different. The OpenBSD port relied on PHP 5.6 and there were no package updates. But the port improved (hats off, Gonzalo!) and package updates were introduced to the -stable branch (hats off, Solene!).

A rewrite of this tutorial was long overdue. Right now, it is written for 6.6 -stable and will be updated once 6.7 is released. If you have any questions or desire some help, feel free to reach out.

Installing the system

1. OpenBSD

Install OpenBSD using the install wizard.

  1. If you desire full disk encryption, follow the official FAQ to set it up.
  2. You might want to swap the /home and /var partitions during the partitioning.

After the initial boot, apply syspatch to get the latest errata fixes. Apply two options to the filesystem:

# sed -i 's/rw/rw,noatime,softdep/g' /etc/fstab

Install the edited sysctl.confand pf.conf:

# ftp https://h3artbl33d.nl/examples/{sysctl.conf,pf.conf,pf.conf.anchor.block,pf.conf.anchor.icmp,pf.conf.table.ban,pf.conf.table.martians}
# install -o root -g wheel -m 0600 -b pf.conf* /etc/
# install -o root -g wheel -m 0644 -b sysctl.conf /etc/

2. Packages

Install the packages:

# pkg_add nextcloud postgresql-server php-pdo_pgsql pecl73-redis redis
Ambiguous: choose package for php-pdo_pgsql
	0: <None>
	1: php-pdo_pgsql-7.1.33
	2: php-pdo_pgsql-7.2.29
	3: php-pdo_pgsql-7.3.16
Your choice: 3 

Link PHP:

# ln -sf /usr/local/bin/php-7.3 /usr/local/bin/php
# ln -sf /usr/local/bin/php-config-7.3 /usr/local/bin/php-config
# ln -sf /usr/local/bin/phpize-7.3 /usr/local/bin/phpize

3. Database

Initialize the database:

# su - _postgresql
$ mkdir /var/postgresql/data
$ initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -E UTF8 -W

After initialization, start PostgreSQL:

# rcctl enable postgresql
# rcctl start postgresql

Create the user and database:

# psql -U postgres
Password for user postgres:
postgres=# create database nextcloud;
postgres=# create user nextcloud with encrypted password 'topsecret';
postgres=# grant all privileges on database nextcloud to nextcloud;
postgres=# \q

4. PHP

Enable the extensions:

# cd /etc/php-7.3.sample
# for i in *; do ln -sf ../php-7.3.sample/$i ../php-7.3/; done

Open the configuration for editing:

# vi /etc/php-7.3.ini

Edit the following lines:

371: expose_php = Off
380: max_execution_time = 90
401: memory_limit = 512M
1786: opcache.enable=1
1789: opcache.enable_cli=1
1817: opcache.revalidate_freq=1

Save and exit. Enable and start php-fpm:

rcctl enable php73_fpm
rcctl start php73_fpm

Enable and start Redis too, which we’ll use for caching and locking:

rcctl enable redis
rcctl start redis

5. Webserver

Since OpenBSD’s httpd is chrooted, we need to make sure that hostnames can be resolved and tls certificates can be verified from within the chroot:

# mkdir -p /var/www/etc/ssl
# install -m 444 -o root -g bin /etc/resolv.conf /var/www/etc
# install -m 444 -o root -g bin /etc/ssl/cert.pem /etc/ssl/openssl.cnf /var/www/etc/ssl/

Use acme-client to obtain a certificate for your domain. There is an example configuration in /etc/examples and futher documentation can be found in the manpages.

Once done, download the sample configuration for your host:

# ftp -o /etc/httpd.conf https://h3artbl33d.nl/examples/nc-httpd.conf

Open the configuration and change the hostname from thereisno.cloud to your own hostname.

Enable and start httpd:

rcctl enable httpd
rcctl start httpd

6. Nextcloud

Allow the installation of Nextcloud:

# touch /var/www/nextcloud/config/CAN_INSTALL

Next, accessing https:///nextcloud with a web browser allows finishing the installation. Having it setup, open `/var/www/nextcloud/config/config.php` with your favorite text editor and append the following config:

  'filelocking.enabled' => true,
  'memcache.local' => '\OC\Memcache\Redis',
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => array(
    'host' => 'localhost',
    'port' => 6379,
    'timeout' => 0.0,
    'password' => '', // Optional, if not defined no password will be used.
  ),

On OpenBSD, Nextcloud runs from a chroot. That only applies to php-fpm, the cli version of php runs outside that chroot. So, a little adjustment needs to be made in order to prevent the cronjob from failing miserably:

# touch /var/www/nextcloud/custom.config.php

Throw the following lines in (where /data is the directory that holds your Nextcloud storage, within /var/www):

<?php
$CONFIG = array (
  'datadirectory' => ((php_sapi_name() == 'cli') ? '/var/www' : '') . '/data',
);

And remove the datadirectory line from /var/www/nextcloud/config/config.php. This change prevents Nextcloud from overwriting this custom workaround.

7. Finishing up

Add the following cronjob for the root user:

*/15	*	*	*	*	su -m www -c "/usr/local/bin/php-7.3 -f /var/www/nextcloud/cron.php"

Next, set the cronjob method from the default “AJAX” to cron in the settings.

8. Done

Now, you have a fully functional Nextcloud server on OpenBSD! Congratulations.