Install NextCloud 11 on Fedora 25 with SaltStack
-
This is a single Salt state file approach (with two ancillary configuration files) to building a complete, fully functional Nextcloud 11.0.2 server on Fedora 25: MariaDB configured, Redis used for file locking, APCu as the local memcache, the data directory moved to /data and more. All needed packages are installed by the state file, as is Nextcloud itself. The state is idempotent, so it can safely be run over and over again; once Nextcloud is installed it will not attempt to install it again. The setup also creates a swapfile. Two things to be aware of before using it as-is: the credentials are hard-coded in the state (the installer connects as the MariaDB root user with an empty password, the admin password is in the file in plain text, and the trusted_domains list gets a '*' wildcard entry so that the server answers by IP), and the install step switches SELinux to permissive (see the To Do at the bottom).
To use nextcloud.sls you will need to copy all three files to your /srv/salt/ directory, as the state pulls the two configuration files from there (salt://ssl.conf and salt://redis.conf) to put them on the server.
/srv/salt/nextcloud.sls
install_network_packages:
  pkg.installed:
    - pkgs:
      - wget
      - unzip
      - firewalld
      - net-tools
      - php
      - mariadb
      - mariadb-server
      - mod_ssl
      - php-pecl-apcu
      - httpd
      - php-xml
      - php-gd
      - php-pecl-zip
      - php-mbstring
      - redis
      - php-pecl-redis
      - php-process
      - php-pdo
      - certbot
      - php-mysqlnd
      - policycoreutils
      - policycoreutils-python
      - policycoreutils-python-utils
      - dnf-automatic
      - python2-certbot-apache
      - sysstat
      - php-ldap
  # Pinned release with its checksum; the zip unpacks to /var/www/html/nextcloud
  # and is skipped on later runs because of if_missing.
  archive.extracted:
    - name: /var/www/html/
    - source: https://download.nextcloud.com/server/releases/nextcloud-11.0.2.zip
    - source_hash: md5=720cb50f98a94f2888f2d07d5d4e91b4
    - archive_format: zip
    - if_missing: /var/www/html/nextcloud

# Swapfile sized to twice RAM (mem_total grain is in MB, dd block size is 1M).
/swapfile:
  cmd.run:
    - name: |
        [ -f /swapfile ] || dd if=/dev/zero of=/swapfile bs=1M count={{ grains["mem_total"] * 2 }}
        chmod 0600 /swapfile
        mkswap /swapfile
        swapon -a
    - unless:
      - file /swapfile 2>&1 | grep -q "Linux/i386 swap"
  mount.swap:
    - persist: true

configure_swappiness:
  file.append:
    - name: /etc/sysctl.conf
    - text: vm.swappiness = 10

/var/www/html/:
  file.directory:
    - user: apache
    - group: apache
    - recurse:
      - user
      - group

/etc/httpd/conf.d/ssl.conf:
  file.managed:
    - source:
      - salt://ssl.conf
    - user: root
    - group: root
    - mode: 644

/data:
  file.directory:
    - user: apache
    - group: apache

/var/run/redis:
  file.directory:
    - user: redis
    - group: redis

/etc/redis.conf:
  file.managed:
    - source:
      - salt://redis.conf
    - user: root
    - group: root
    - mode: 644

httpd:
  pkg.installed: []
  service.running:
    - enable: True
    - require:
      - pkg: httpd

mariadb:
  pkg.installed: []
  service.running:
    - enable: True
    - require:
      - pkg: mariadb

redis:
  pkg.installed: []
  service.running:
    - enable: True
    - require:
      - pkg: redis

# Only 443/tcp is opened; ssh (22) and http (80) are not in the list.
FedoraServer:
  firewalld.present:
    - name: FedoraServer
    - block_icmp:
      - echo-reply
      - echo-request
    - default: False
    - masquerade: True
    - ports:
      - 443/tcp

permissive:
  selinux.mode

# One-shot installer, guarded by the install_complete marker file.
# NOTE: this connects as the MariaDB root user with an empty password and
# carries the admin password in plain text, and the '*' trusted_domains entry
# makes Nextcloud accept any Host header. Change these for anything beyond a lab.
install-foo:
  cmd.run:
    - name: |
        cd /var/www/html/nextcloud
        setenforce 0
        sudo -u apache php occ maintenance:install --database="mysql" --database-name "nextcloud" \
          --database-user "root" --database-pass "" \
          --admin-user "admin" --admin-pass "superdupercrazysecretepasswordthatnooneknows" --data-dir "/data"
        sed -i "/0 => 'localhost',/a \ \ \ \ 1 => '*'," config/config.php
        sed -i "/'installed' => true,/a \ \ 'memcache.local' => '\\\OC\\\Memcache\\\APCu',\n\ \ 'filelocking.enabled' => true,\n\ \ 'memcache.locking' => '\\\OC\\\Memcache\\\Redis',\n\ \ 'redis' => array(\n\ \ \ \ \ \ \ 'host' => '/var/run/redis/redis.sock',\n\ \ \ \ \ \ \ 'port' => 0,\n\ \ \ \ \ \ \ 'timeout' => 0.0,\n\ \ \ \ \ \ \ \ )," config/config.php
        semanage fcontext -a -t httpd_sys_rw_content_t '/data'
        restorecon '/data'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/assets(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
        restorecon -Rv '/var/www/html/nextcloud/' > /dev/null
        systemctl restart httpd
        touch install_complete
    - cwd: /var/www/html/nextcloud
    - shell: /bin/bash
    - timeout: 300
    - creates: /var/www/html/nextcloud/install_complete
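As an added example (this is not part of the original post or its state file), here is the install-foo step rewritten so that no credential lives in the state and the database is not accessed as root. It assumes a pillar key named nextcloud with fqdn, db_pass and admin_pass values (those names are assumptions, and the passwords are assumed not to contain single quotes), MariaDB 10.1 or later for CREATE USER IF NOT EXISTS, and a Salt release that knows the runas and stdin arguments of cmd.run. It references the mariadb, /data and redis state IDs from the state file above, so it is meant to replace install-foo inside that same file. Secrets stay out of the state text and out of the state output (Salt echoes the command name, which only shows the variable names); they are still visible to root on the box for the instant the installer runs.

```yaml
# Added example, not the original state. Assumed pillar layout, e.g. in
# /srv/pillar/nextcloud.sls, targeted at this minion from /srv/pillar/top.sls:
#   nextcloud:
#     fqdn: cloud.example.com
#     db_pass: <long random string>
#     admin_pass: <long random string>
{% set nc = pillar['nextcloud'] %}

# Dedicated database and least-privilege user. The MariaDB root account is only
# touched here, over the local socket, and the SQL arrives on stdin so the
# password is not on the mysql command line.
nextcloud_db:
  cmd.run:
    - name: mysql --protocol=socket
    - stdin: |
        CREATE DATABASE IF NOT EXISTS nextcloud;
        CREATE USER IF NOT EXISTS 'nextcloud'@'localhost' IDENTIFIED BY '{{ nc["db_pass"] }}';
        GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
        FLUSH PRIVILEGES;
    - unless: mysql --protocol=socket -e "SHOW DATABASES LIKE 'nextcloud'" | grep -q nextcloud
    - require:
      - service: mariadb

# The installer runs as apache via runas (no sudo needed) and reads the secrets
# from its environment. config/config.php only exists after a successful
# install, so it is the idempotence marker instead of a touched file.
nextcloud_install:
  cmd.run:
    - name: |
        php occ maintenance:install --database="mysql" --database-name "nextcloud" \
          --database-user "nextcloud" --database-pass "$NC_DB_PASS" \
          --admin-user "admin" --admin-pass "$NC_ADMIN_PASS" --data-dir "/data"
    - cwd: /var/www/html/nextcloud
    - runas: apache
    - shell: /bin/bash
    - env:
      - NC_DB_PASS: '{{ nc["db_pass"] }}'
      - NC_ADMIN_PASS: '{{ nc["admin_pass"] }}'
    - creates: /var/www/html/nextcloud/config/config.php
    - require:
      - cmd: nextcloud_db
      - file: /data
      - service: redis

# config.php settings through occ instead of sed, with the real host name as
# trusted domain rather than the '*' wildcard.
nextcloud_config:
  cmd.run:
    - name: |
        php occ config:system:set trusted_domains 1 --value='{{ nc["fqdn"] }}'
        php occ config:system:set memcache.local --value='\OC\Memcache\APCu'
        php occ config:system:set filelocking.enabled --value=true --type=boolean
        php occ config:system:set memcache.locking --value='\OC\Memcache\Redis'
        php occ config:system:set redis host --value=/var/run/redis/redis.sock
        php occ config:system:set redis port --value=0 --type=integer
    - cwd: /var/www/html/nextcloud
    - runas: apache
    - onchanges:
      - cmd: nextcloud_install

# Root-only follow-up: the SELinux contexts from the original state plus the
# httpd restart, run once, only when an install actually happened.
nextcloud_post_install:
  cmd.run:
    - name: |
        semanage fcontext -a -t httpd_sys_rw_content_t '/data(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/assets(/.*)?'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
        semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
        restorecon -R /data /var/www/html/nextcloud
        systemctl restart httpd
    - onchanges:
      - cmd: nextcloud_config
```

Pillar data is rendered on the master and delivered only to the targeted minion over the encrypted channel, which is what makes this an improvement over literals in an sls under /srv/salt that every minion can fetch. The split into apache-run and root-run states also means the occ invocations never run as root, so nothing in the Nextcloud tree ends up root-owned.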
/srv/salt/ssl.conf
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/nextcloud"
#ServerName www.example.com:443

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   List the protocol versions which clients are allowed to connect with.
#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
#   protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   The OpenSSL system profile is configured by default.  See
#   update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
/srv/salt/redis.conf
bind 127.0.0.1
protected-mode yes
# TCP is switched off entirely; Redis only listens on the unix socket below.
port 0
tcp-backlog 511
unixsocket /var/run/redis/redis.sock
# NOTE: 777 makes the socket connectable by every local user, not just apache;
# 770 with apache added to the redis group is the tighter setting.
unixsocketperm 777
timeout 0
tcp-keepalive 0
daemonize no
supervised no
pidfile /var/run/redis_6379.pid
loglevel notice
logfile /var/log/redis/redis.log
databases 16
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /var/lib/redis
slave-serve-stale-data yes
slave-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
slave-priority 100
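As an added example (not part of the original post), two states that tighten the socket permission from the redis.conf above without breaking PHP's access to it: apache becomes a member of the redis group and the socket goes from 777 to 770. They assume they are appended to the same nextcloud.sls, since they reference its /etc/redis.conf, redis and httpd state IDs, and a Salt release whose user.present knows remove_groups.

```yaml
# Added example, not the original state. Weak setting as deployed above:
#   unixsocketperm 777     (any local user can talk to Redis)
# Corrected setting written by the file.replace below:
#   unixsocketperm 770     (owner redis and group redis only)

# apache joins the redis group; remove_groups: False keeps whatever
# supplementary groups the apache user already has.
apache_in_redis_group:
  user.present:
    - name: apache
    - groups:
      - redis
    - remove_groups: False
    - require:
      - pkg: redis
      - pkg: httpd

# Rewrite the single directive in the managed redis.conf and let the
# existing redis service state pick up the change.
redis_socket_group_only:
  file.replace:
    - name: /etc/redis.conf
    - pattern: '^unixsocketperm\s+\d+'
    - repl: 'unixsocketperm 770'
    - require:
      - file: /etc/redis.conf
    - watch_in:
      - service: redis
```

The /var/run/redis directory stays at its default 0755 from the file.directory state, which is all apache needs to reach the socket inside it; the group membership only takes effect for httpd worker processes after httpd is restarted, which the install step already does.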
To apply from your Salt Master, just run...
salt 'servername' state.apply nextcloud
It's that simple. Once done, simply navigate to https://your-ip-address with a web browser (only port 443 is open, so plain http will not answer) and you should see your fully installed and configured Nextcloud 11 system. Expect a certificate warning on the first visit: ssl.conf points at the self-signed localhost.crt that the mod_ssl package generates, until you replace it with a real certificate, for example via the certbot packages the state installs.
-
To Do: There is an issue with the Redis unix socket, Apache and SELinux, so SELinux is currently set to permissive. The state file is ready for that to be adjusted, though; most of the SELinux file contexts are already in place.
-
Why Fedora 25?
Fedora 25 gives us PHP 7 for the latest in features and performance with Nextcloud 11. We also get current MariaDB and Redis releases. This speeds up the overall platform and makes for a snappy experience that gets the maximum benefit from a single tested and integrated base. The only package that we download and add onto the tested Fedora system here is Nextcloud itself; everything else comes from the Fedora repositories.
-
In the default configuration provided here, neither port 22 nor port 80 is left open; port 443 for HTTPS is the sole access from the outside world. This makes our Nextcloud system easier to secure and reduces the attack surface. Note that sshd itself still runs, it is only blocked by firewalld, so if you need remote shell access add 22/tcp to the ports list of the FedoraServer zone; if you do not, the OpenSSH service can be stopped to free a little memory, if we feel that is warranted.
-
Hey Scott, Drew here (CrimsonKidA) from SW. I think there might be something wrong with my Salt Master install. The salt-master service doesn't auto start at boot, so I manually start it. Also, it didn't seem to make /var/cache/salt/master either, so I manually created it. When I try to run your last command here, this is what I get:
[root@NextCloud /srv/salt]# salt 'NextCloud.ourdomain.com' state.apply nextcloud
No minions matched the target. No command was sent, no jid was assigned.
ERROR: No return received
Any ideas? Thanks.
-
@CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:
Hey Scott, Drew here (CrimsonKidA) from SW. I think something might be wrong with my Salt Master install. The salt-master service doesn't auto start at boot, so I manually start it. Also, it didn't seem to make /var/cache/salt/master either, so I manually created it. When I try to run your last command here, this is what I get:
[root@NextCloud /srv/salt]# salt 'NextCloud.ourdomain.com' state.apply nextcloud
No minions matched the target. No command was sent, no jid was assigned.
ERROR: No return received
Any ideas? Thanks.
So that error means that the key has not been accepted for that host. Start with this...
salt-key --list-all
-
@scottalanmiller [root@NextCloud salt]# salt-key --list-all
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:
-
@CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:
@scottalanmiller [root@NextCloud salt]# salt-key --list-all
Accepted Keys:
Denied Keys:
Unaccepted Keys:
Rejected Keys:
There we go. Your minion has not reached out to your master yet. Nothing will work until those two are talking to each other. Is Salt definitely running on the minion and pointing to the master?
-
@scottalanmiller Sorry, I don't follow. I only have one VM and it's the Fedora 25 Server. It's running everything.
-
@CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:
@scottalanmiller Sorry, I don't follow. I only have one VM and it's the Fedora 25 Server. It's running everything.
That's no problem. You just have to configure both sides on one machine. That's standard actually.
Look at /etc/salt/minion
add the line:
master: localhost
-
@scottalanmiller Thanks, I just appended it on to the end of /etc/salt/minion via Nano and restarted salt-minion service. No change though...?
-
@CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:
@scottalanmiller Thanks, I just appended it on to the end of /etc/salt/minion via Nano and restarted salt-minion service. No change though...?
The salt-key --list-all didn't list it?
-
@scottalanmiller Afraid not. I did find where to change the salt master in the /etc/salt/minion file (line 16), so I uncommented it and changed it to master:localhost and restarted the salt-minion service again, but no change. Also tried restarting the salt-master service.
-
@CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:
@scottalanmiller Afraid not. I did find where to change the salt master in the /etc/salt/minion file (line 16), so I un-commented it out and changed that to master:localhost and restarted the salt-minion service again, but no change. Also tried restarting salt-master service.
Make sure that there is a space after the colon.
You can go in /var/log and look in the salt minion logs to see what it is complaining about.
-
@scottalanmiller Thanks, I have DNS lookup failures for 'salt' and master hostname 'salt' not found as a result.
-
@CrimsonKidA said in Install NextCloud 11 on Fedora 25 with SaltStack:
@scottalanmiller Thanks, I have DNS lookup failures for 'salt' and master hostname 'salt' not found as a result.
Something is wrong with your minion file. That means that the minion is looking for a machine named salt rather than for localhost.
In /etc/hosts you can just name the local machine "salt" to resolve that, too.
-
"salt" is the default. so that's why that specific one shows up.
-
@scottalanmiller Perfect, thanks. I just added '127.0.0.0 salt' to my /etc/hosts file and that got the DNS issue cleared up. But then the key was still not accepted. Got that sorted by running:
salt-key -A
from directory /etc/salt
-
...just CD'd back to /srv/salt and your scripts are working now!!
-
The script seemed to run fine, but I still have no NextCloud installation. I thought it was just the firewall getting enabled in Fedora, but I turned it off and still nothing is there on 443 at the IP (other than Cockpit at 9090 of course).