26. Install Nextcloud

by Cover Tower - Updated October 15, 2021

Nextcloud is a file sync and share application offering a variety of online collaboration tools. It allows syncing files from desktop/laptop/tablet/phone with a remote server, sharing them with other Nextcloud users or giving public access to them, editing office documents online, managing calendars, tasks, conducting surveys, creating forms, mounting external directories, sharing files with other Nextcloud instances through ‘federation sharing’, etc.

We recommend that you install only the apps described in this guide and only with the settings that we specify, as a starting point. When you will have a functional, well-configured Nextcloud installation, you can try adding other Nextcloud apps and experiment with different settings, if you need to. Nextcloud is very useful but it is difficult to install properly. You have to know in advance which ‘recommended’ settings should be applied and which shouldn’t, what apps deserve to be installed and what apps don’t.

To download the latest stable verstion of Nextcloud, navigate to the official download page. Here right-click on the ‘Download Nextcloud’ button and choose ‘Copy Link Location’ to copy the download link to clipboard. Then use the copied link to download the latest version of Nextcloud as shown below:

cd /tmp
wget https://download.nextcloud.com/server/releases/nextcloud-20.0.0.zip
unzip nextcloud-20.0.0.zip
rm nextcloud-20.0.0.zip
mv nextcloud /var/www/cloud.example.com

Replace example.com with the main domain hosted on your server. Please note that the /var/www/cloud.example.com directory will be created by the mv command. Basically, the mv command will move the nextcloud directory to /var/www and will change its name to cloud.example.com, so, you shouldn’t create the cloud.example.com directory manually in advance. If you create it in advance, the mv command will place the nextcloud directory inside the /var/www/cloud.example.com directory, which is not what we want.

Set the right ownership and permissions for the cloud.example.com directory and all its subdirectories, replacing example.com with the main domain hosted on your server:

chown -R www-data:www-data /var/www/cloud.example.com
find /var/www/cloud.example.com -type d -exec chmod 750 {} +
find /var/www/cloud.example.com -type f -exec chmod 640 {} +

26.1. Obtain a Let’s Encrypt SSL certificate

Please note that when you have configured Asterisk, you had to specify in /etc/asterisk/http.conf the path to the certificate file and private key file used to encrypt the connection to the domain where the browser phone resided. The two paths were looking like this:

tlscertfile=/etc/asterisk/keys/cert.pem
tlsprivatekey=/etc/asterisk/keys/privkey.pem

Since Asterisk only supports one certificate file in the tlscertfile parameter and one private key file in the tlsprivatekey parameter, it is expected that you have only one browser phone, on one domain, that you intend to connect to Asterisk. But what if you have two browser phones, on different domains, that you want to connect simultaneously to Asterisk ? For example: SIP Trip Phone on cloud.example.com, and Roundpin on roundpin.example.com ? Whose domain’s certificate and private key should you enter in the tlscertfile and tlsprivatekey parameters ? To overcome this problem and be able to connect both SIP Trip Phone and Roundpin simultaneously to Asterisk, you can obtain a Let’s Encrypt certificate for both cloud.example.com and roundpin.example.com and then mention the certificate file and private key file of that SSL certificate in the tlscertfile and tlsprivatekey parameters. There is no need for a wild card certificate, you just get one SSL certificate for the two different domains (they are in fact two different subdomains of the same domain, but they can be two entirely different domains).

First edit the Nginx server blocks configuration file:

nano /etc/nginx/sites-enabled/0-conf

Add the following temporary server blocks for cloud.example.com and roundpin.example.com at the end of the file:

server {
   listen 80;
   listen [::]:80;
   server_name cloud.example.com;

   location /.well-known/acme-challenge {
        root /var/www;
   }
}

server {
   listen 80;
   listen [::]:80;
   server_name roundpin.example.com;

   location /.well-known/acme-challenge {
        root /var/www;
   }
}

Replace example.com with the main domain hosted on your server. Restart Nginx:

systemctl restart nginx

Edit your DNS settings. Add an A entry and an AAAA entry for cloud.example.com and for roundpin.example.com . These entries will be similar to the entries you already have for doli.example.com. It’s just that instead of doli, you will enter cloud and roundpin respectively. Wait a few minutes until the DNS changes propagate.

Then, get one Let’s Encrypt SSL certificate for both cloud.example.com and roundpin.example.com by running:

certbot certonly --agree-tos --webroot -w /var/www/ -d cloud.example.com -d roundpin.example.com

Now is the moment to run the script created as explained in the Build and install Asterisk chapter, to copy the two files (/etc/letsencrypt/live/cloud.example.com/cert.pem and /etc/letsencrypt/live/cloud.example.com/privkey.pem) to the intended destination (/etc/asterisk/keys). So run:

/srv/scripts/copy-asterisk-cert

From now on, Asterisk can connect to the browser phones residing on cloud.example.com and roundpin.example.com . Of course, you will have to install SIP Trip Phone and Roundpin, as explained further down below, in order to be able to connect them to Asterisk and use them.

26.2. Configure Nginx for Nextcloud

Next, edit the /etc/nginx/sites-enabled/0-conf file again:

nano /etc/nginx/sites-enabled/0-conf

Replace the temporary server blocks for cloud.example.com (and roundpin.example.com) added earlier, with the following blocks:

server {
    listen  80;
    listen [::]:80;
    server_name cloud.example.com;
    return  301 https://cloud.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.example.com;
    root /var/www/cloud.example.com;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/cloud.example.com/chain.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_session_timeout 4h;
    ssl_session_cache shared:SSL:40m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    fastcgi_hide_header X-Powered-By;

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location ^~ /.well-known/acme-challenge {
        root /var/www;
    }

    location = /robots.txt {
        allow all;
    }

    location ^~ /webrtc {
         proxy_pass http://127.0.0.1:8090;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         proxy_buffering             on;
         proxy_ignore_client_abort   off;
         proxy_redirect              off;
         proxy_connect_timeout       90;
         proxy_send_timeout          90;
         proxy_read_timeout          90;
         proxy_buffer_size           4k;
         proxy_buffers               4 32k;
         proxy_busy_buffers_size     64k;
         proxy_temp_file_write_size  64k;
         proxy_next_upstream         error timeout invalid_header http_502 http_503 http_504;
    }

    # set max upload size
    client_max_body_size 1G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        add_header Strict-Transport-Security 'max-age=31536000';
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }

    location /apps/sip_trip_phone/phone {
        try_files $uri /index.html;
    }

    location /apps/sip_trip_phone/lib {

        # prevents 502 bad gateway error
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;

        proxy_pass http://0.0.0.0:8088/ws;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # enables WS support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    access_log /var/log/sites/cloud.example.com/access.log;
    error_log  /var/log/nginx/cloud.example.com.error.log notice;
}

Create the access log directory:

mkdir /var/log/sites/cloud.example.com

Create the /var/log/nextcloud logs directory and change ownership:

mkdir /var/log/nextcloud
chown -R www-data:root /var/log/nextcloud

Please note that Nextcloud will log data in 3 different logs: the errors in /var/log/nginx/cloud.example.com.error.log, the access data in /var/log/sites/cloud.example.com/access.log, and the detailed warning and errors in /var/log/nextcloud/nextcloud.log. The latter is very important, because it will be automatically analyzed by ‘System Health and Security Probe’, to identify the viruses detected in the files uploaded to Nextcloud.

Restart Nginx:

systemctl restart nginx

26.3. Configure logrotate to rotate Nextcloud logs

nano /etc/logrotate.d/nginx

Add the following section at the bottom of this file:

/var/log/sites/cloud.example.com/access.log {
        missingok
        rotate 10
        compress
        delaycompress
        notifempty
        create 0640 www-data adm
        size 2M
        sharedscripts
        prerotate
                if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                        run-parts /etc/logrotate.d/httpd-prerotate; \
                fi; \
        endscript
        postrotate
                [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
        endscript
}

Replace example.com with the main domain hosted on your server.

Next, create a new configuration file necessary to rotate the logs that will be stored in the /var/log/nextcloud directory:

nano /etc/logrotate.d/nextcloud

Add the following content inside this file:

/var/log/nextcloud/nextcloud.log {
        missingok
        rotate 5
        size 2M
        compress
        delaycompress
        notifempty
        create 0640 www-data adm
        sharedscripts
}

26.4. Configure PHP for Nextcloud

Next open the /etc/php/7.3/fpm/pool.d/www.conf file for editing:

nano /etc/php/7.3/fpm/pool.d/www.conf

Uncomment the following lines to make them look like this:

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

26.5. Run the installation using the web interface

Use phpMyAdmin to create a new database and database user for Nextcloud. You can call the database nextcloud and the database user ncuser . Give ncuser all the rights over the nextcloud database, except GRANT, which is not necessary. Write down the name of the database, the database user and the password, because you will need them later.

To begin the installation, navigate to:

https://cloud.example.com

You will see the following screen:

In the two fields under ‘Create an admin account’ enter a username that you choose for the administrator account and a strong password. Avoid using the highly unsafe ‘admin’, ‘administrator’, ‘nextcloudadmin’, etc. usernames.

The content of the ‘Data folder’ field should be /var/www/cloud.example.com/data .

In the ‘Database user’ field enter the name of the user created earlier, ncuser in our example, in the ‘Database password’ field enter the user’s password, in the ‘Database name’ field enter the name of the database created earlier, nextcloud in our example, and in the ‘Database host’ field enter localhost, without specifying the port, which is not necessary.

Uncheck the ‘Install recommended apps’ checkbox, because we will install only the best apps from inside Nextcloud, so we don’t need any ‘recommended’ app to be installed automatically along with Nextcloud.

Click on the ‘Finish setup’ button.

After the installation you will see the ‘First run wizard’ popup window displaying general information about Nextcloud and when you will close it, the first screen will look like this:

The first thing to do is to click on ‘Settings’ in the lower left corner, then uncheck ‘Show rich workspaces’ and ‘Show recommendations’. Generally, these two options are not needed and they clutter the workspace, confusing the user.

You can also disable the ‘Dashboard’ app, which is also not needed and confuses the user, since it’s opened by default after logging in. To disable it, click on the user icon in the upper right corner, then click on ‘Apps’, then search for the ‘Dashboard’ app and click on ‘Disable’ on its row.

Also, you can click on the user icon in the upper right corner, then click on ‘Settings’, then in the ‘Personal info’ section you can add your email address in the ‘Email’ field and set a picture from Nextcloud or from your computer, as ‘Profile picture’.

If you ever want to see the content of the Nextcloud log, click on the user icon in the upper right corner, then click on ‘Settings’, then under ‘Administration ‘click on ‘Logging’. In the upper left corner of the logging window click on ‘Level’ and uncheck ‘Debug’ and ‘Info’ to make Nextcloud display only the most important information. Otherwise the log will become almost unreadable.

Next, open the /var/www/cloud.example.com/config/config.php file:

nano /var/www/cloud.example.com/config/config.php

Add the following lines just before the last ); :

  'auth.bruteforce.protection.enabled' => false,
  'app.mail.verify-tls-peer' => false,
  'mail_smtpmode' => 'sendmail',
  'mail_smtpsecure' => 'tls',
  'mail_from_address' => 'admin',
  'mail_domain' => 'example.com',
  'mail_smtpauth' => true,
  'mail_smtpport' => '587',
  'mail_smtphost' => 'mail.example.com',
  'mail_smtpname' => 'admin@example.com',
  'mail_smtppassword' => 'strongpassword',
  'maintenance' => false,
  'logtimezone' => 'Europe/Berlin',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'theme' => '',

Replace example.com with the main domain hosted on your server, strongpassword with the password for the admin@example.com email account, and Europe/Berlin with your own timezone, that you can find on the list of timezones supported by PHP.

Please note that the app.mail.verify-tls-peer parameter and the parameters starting with mail_ are only needed if you want to install the Mail app inside Nextcloud, to access your admin@example.com account in Nextcloud. The Mail app had some bugs in the past and installing it it’s not necessarily a good idea, but if you ever install it, the app.mail.verify-tls-peer parameter and the mail_ parameters shown above should be present in the configuration file.

Also, you can notice that we didn’t include any cahing parameters in the configuration file, although the official Nextcloud documentation suggests to add APCu/Redis/Memcached caching to Nextcloud. The reality is that using APCu and Redis caching doesn’t improve performance at all, as our tests showed, and using Memcached for object caching via UNIX sockets is not supported for the moment. So, for the time being, the best way to handle Nextcloud caching is by not adding any caching at all, even if you will see a warning related to the absence of caching when you go to Settings > Administration > Overview (“No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.”).

Restart Nginx:

systemctl restart nginx

26.6. Move the configuration file outside the web root

To increase security, first copy the /var/www/cloud.example.com/config/config.php file outside the web root, to the /srv/scripts directory. Replace example.com with the main domain hosted on your server:

cp /var/www/cloud.example.com/config/config.php /srv/scripts/nextcloud.php

Then empty the /var/www/cloud.example.com/config/config.php file:

cat /dev/null > /var/www/cloud.example.com/config/config.php

Then open it:

nano /var/www/cloud.example.com/config/config.php

Add the following line inside it:

<?php include('/srv/scripts/nextcloud.php'); ?>

Change ownership amd permissions for the /srv/scripts/nextcloud.php file:

cd /srv/scripts
chown www-data:root nextcloud.php
chmod 400 nextcloud.php

26.7. Install Nextcloud apps

The apps available in Nextcloud App Store add a lot of new functionalities to Nextcloud. It’s just that you have to know in advance what apps deserve to be installed and with what configurations.

First we’ll describe how to install LibreOffice Online.

26.7.1. Install LibreOffice Online

LibreOffice Online is a free and open source program derived from LibreOffice, that allows accessing and editing office documents in a browser. It’s similar to Google Docs Editors, with the significant difference that if you install it on a server that you control, you can own it and you can own the documents that you edit with it. Using a self-hosted installation of LibreOffice Online, you can open and edit office documents with any device connected to the Internet, from anywhere in the world, using just a browser. It also allows multiple users to view and edit the same documents simultaneously. This is called ‘collaborative editing’ and is important for web-based teamwork.

Some releases of LibreOffice Online are branded as Collabora Online and Collabora Online Development Edition (CODE), since Collabora Ltd is the main contributor to the LibreOffice Online project.

If you want to install LibreOffice Online on your own server and integrate it with Nextcloud, you have three main options:

  • install the Docker version of it, which implies installing and using Docker, which is not ideal when you try to spare your server’s resources as much as possible. The Docker version also displays a popup warning whenever more than 10 documents or more then 20 connections are in use simultaneously. Indeed, in spite of that warning, you can still open more than 10 documents simultaneously and have more then 20 concurrent connections, if your hardware allows it. Yet, it’s not pleasant to see that popup warning.
  • install the ‘Collabora Online – Built-in CODE Server’ Nextcloud application. In this case, the ‘Collabora Online Developer Edition’ server gets installed like any Nextcloud application. However, if you choose this method you will still see the 10 documents/20 connections warning and the program will be so slow that you won’t be able to actually use it to do real work.
  • build LibreOffice Online by yourself and install it on your server without using Docker. You can pass the maximum number of concurrent opened documents and connections at compile time as we’ll show below and in this way you can avoid seeing the popup warning. With this method, LibreOffice Online won’t have speed problems either. The key point here is that the licenses under which different parts of the project are released (GPL v3, LGPL v3, MPL v2, Apache License v2.0, BSL v1, etc.) give any user the right to modify the software, compile it and use it for commercial or personal purposes. Here ‘The Document Foundation’, which supervises the development of the LibreOffice project, warns users that if they make substantial changes to the code of LibreOffice Online, they will have to also change the name of the program (from LibreOffice Online to something else), in order to comply with their trademark policy presented here. However, passing the maximum number of concurrent opened documents and connections at compile time cannot be considered by any means a substantial change of the software, especially if you consider that the warning is not removed from the code. It’s just that the upper limit which triggers the warning is increased. Thus, you can leave the name of the project as it is. If you don’t want to build LibreOffice Online from source by yourself, you can download an already built version from here.

Needless to say that we recommend the third option.

If you want to build LibreOffice Online by yourself, please note that for efficient compiling you will need the following:

  • a VPS, dedicated server or virtual machine (created with VirtualBox) with at least 4 CPU cores, 4 GB RAM, and 32 GB of storage space. Even with this specifications, the building process will take about 6 hours.
  • a minimal Debian 10 64-bit installation.
  • the build-libreoffice-online script (which is a modified version of the build-lool script).

To compile LibreOffice Online from source, you will need to compile three packages: libreoffice core, libreoffice online and poco. POCO (Portable Components) is a collection of C++ libraries focued on network-centric applications. By compiling from source using the mentioned script, you can adjust the maximum number of concurrent connections and opened documents as you wish, as well as the version of ‘libreoffice core’, ‘libreoffice online’ and ‘poco’ to be used. Please note that not all the versions of ‘libreoffice core’, ‘libreoffice online’ and ‘poco’ are compatible with each other. Before choosing the versions of the three components and starting the building process, you should make sure you know which versions are compatible, so as to avoid loosing time and computing resources with failed building attempts. We explain below which are the latest versions of the three programs known to be compatible with each other, and how to build and install LibreOffice Online.

The most ‘cost-effective’ method to compile LibreOffice Online is by installing Debian 10 in a virtual machine created on your own laptop/desktop with VirtualBox. We’ll describe this method below. However, if you don’t want to overload your laptop/desktop for long hours, or if your hardware doesn’t meet the minimal requirements specified above, you may want to rent a VPS from Linode, OVH, or other similar companies. The advantage in this case is that you will receive a server with Debian 10 64-bit already installed and ready to use.

26.7.1.1. Build LibreOffice Online with a virtual machine created with VirtualBox

26.7.1.1.1. Install Debian 10 on a virtual machine

To install Debian 10 64-bit on a virtual machine, first download Oracle VM VirtualBox, released under the GPL licence, from the official website. After you install VirtualBox on your computer first create a folder in the /root directory, called virtualboxes, then start VirtualBox and click on ‘New’ > enter ‘Debian_10’ as the name of the new virtual machine > in ‘Machine Folder:’ enter /root/virtualboxes > from the ‘Version’ drop-down select ‘Debian (64-bit)’ > ‘Next’ > alocate at least 4096 MB of RAM > ‘Next’ > ‘Create a virtual hard disk now’ > ‘Create’ > select ‘VDI (VirtualBox Disk Image)’ > ‘Next’ > ‘Fixed size’ > ‘Next’ > alocate at least 40 GB > ‘Create’ > then, in the upper bar click on ‘Settings’ > ‘System’ > ‘Processor’ > alocate 4 CPU cores and an ‘Execution Cap’ of 100% > click on ‘Storage’ > under ‘Storage Devices’ , ‘Controler: IDE’ click on the ‘Empty’ optical drive > under ‘Attributes’ click on the optical drive icon > ‘Choose a disk file’ > select the Debian 10 netinst iso image (debian-10.10.0-amd64-netinst.iso) downloaded from here > click ‘OK’ > Click ‘OK’ again. Next start the Debian virtual machine by selecting it in the left panel of VirtualBox and then clicking on ‘Start’ on the upper bar. When you see the prompt “Please select a virtual optical disk file or a physical optical drive containing a disk to start your new virtual machine from. …” just click ‘Cancel’ and the installation of Debian will start from the iso image that you have already selected in ‘Storage Devices’. Follow the prompts to install Debian. On the ‘Partition disks’ screen, you can choose to install everything on one single partition by first selecting ‘Guided – use entire disk’ and then ‘All files in one partition’. On the ‘Software selection’ screen check only ‘SSH server’. Don’t select a desktop environment (Gnome, Xfce, KDE, Mate, etc.).

When the installation finishes, the virtual machine will be restarted. A message will ask you to ‘remove the installation medium, then press Enter’; the Debian iso image is removed automatically, so just press Enter. When the boot up finishes, you can log in using the regular user’s username and password set up during the installation process.

Add the user that you are logged in with (let’s say bernard) to the list of sudoers, so as to allow it to perform all the needed actions while building the necessary packages:

Change the current user to root:

su -

(enter the root password)

Then run:

nano /etc/sudoers

Search for the line:

root ALL=(ALL:ALL) ALL

below it add the following line:

bernard ALL=(ALL:ALL) ALL

replace bernard with your own username.

Next, install unzip by running:

apt-get update
apt-get install unzip

Now, log in as a normal user:

su bernard
26.7.1.1.2. Build LibreOffice Online

Since the build-libreoffice-online script is just a modified version of the build-lool script, you will have to run it as a regular user and not as root. While logged in as a regular user, create a directory to download the script, download it and uncompress it as follows:

cd ~/
mkdir tools
cd tools
wget --content-disposition  https://git.covertower.com/build-libreoffice-online/zipball/master
unzip -d build-lool-master build_libreoffice_online_master.zip
cd build-lool-master/config

Copy lool-config.sh.example to lool-config.sh:

cp lool-config.sh.example lool-config.sh

Open lool-config.sh:

nano lool-config.sh

If some text uses colors that make it impossible to read, go to the upper bar of the terminal, click on ‘Edit’ > ‘Profile Preferences’ > ‘Colors’, then in the ‘Palette’ section, under ‘Color palette:’ click on the color that is impossible to read, select a new color (black is usually the best for a white background) > ‘Select’ > ‘Close’.

Edit the script as follows:

POCO_VERSION="1.10.1"
LOC_VERSION="cp-6.4-10"
LOOL_VERSION="cp-4.2.9-1"
LOOL_PREFIX="/opt/lool"
LOOL_MAX_CON="10000000"
LOOL_MAX_DOC="10000000"
POCO_PREFIX=""

Then go to the parent directory:

cd ..

Run the build-lool.sh script to build all the packages:

./build-lool.sh

The script will ask if you want to proceed, then it will download and install all the additional packages needed for building LibreOffice Online, then it will automatically reboot the system. After the reboot, you’ll have to log in again with the same user as before and open the terminal again. Once you open the terminal, the script will ask again if you want to continue, so type y , then press Enter. The script will download the three packages (‘Poco’, ‘LibreOffice Core’ and ‘LibreOffice Online’), then it will compile them one by one by itself. During the building process you’ll be asked for your password 3 times, so it’s recommended to minimize the terminal but come back to it from time to time, to see if the process stopped, waiting for the password. As mentioned before, the building process will last about 6 hours on a machine with a 4 cores CPU, 4 GB of RAM and 32 GB of storage space.

After the building process finishes you will find 4 archives in /home/bernard/tools/build-lool-master/packages . There are three archives with the compiled version of LibreOffice Online, LibreOffice core and Poco respectively, and a fourth archive containing all the three compiled applications. All you need to install LibreOffice online is this fourth archive. As you used Poco (1.10.1), LibreOffice core (cp-6.4-10) and LibreOffice online (cp-4.2.9-1), the general archive will be called lool-poco-1.10.1-core-cp-6.4-10-online-cp-4.2.9-1.tar.xz . This archive must be transferred to the production Debian server. In the same directory, ~/tools/build-lool-master/packages, there is also a txt file that lists all the packages that need to be installed on the host server for LibreOffice Online to work (lool-poco-1.10.1-core-cp-6.4-10-online-cp-4.2.9-1-required-packages.txt).

You can transfer the archive and txt file to the /srv directory on the remote server using the scp command, like this:

scp -P 6283 /path/to/local/file gerald@123.123.123.123:/path/to/destination

The -P option is used to specify the SSH port , when it’s different from the default 22. Here, 6283 is the custom SSH port. gerald is the username that you use to log in via SSH to the remote server, 123.123.123.123 is the public IP address of the remote server, /path/to/destination is the remote directory where you want to transfer the file.

To transfer the LibreOffice archive to the /home/gerald directory on the remote server run:

scp -P 6283 /home/bernard/tools/build-lool-master/packages/lool-poco-1.10.1-core-cp-6.4-10-online-cp-4.2.9-1.tar.xz gerald@123.123.123.123:/home/gerald

Replace 6283 with your custom SSH port, replace bernard with the username from the virtual machine that you used to build LibreOffice, replace gerald with the username that you use to log in via SSH to your remote Debian server, and replace 123.123.123.123 with the public IP address of the remote server.

You will be asked if you accept the connection to the remote host and then to enter gerald‘s password.

To transfer the txt file run:

scp -P 6283 /home/bernard/tools/build-lool-master/packages/lool-poco-1.10.1-core-cp-6.4-10-online-cp-4.2.9-1-required-packages.txt gerald@123.123.123.123:/home/gerald

26.7.1.2. Install LibreOffice Online

Log in to your remote Debian server and install LibreOffice Online following the steps described below.

If you open the lool-poco-1.10.1-core-cp-6.4-10-online-cp-4.2.9-1-required-packages.txt file, you will see a list of packages that LibreOffice depends upon. To install all the required packages listed in the txt file run:

apt-get install libaudit1 libblkid1 libc6 libcap2 libcap-ng0 libcom-err2 libdbus-1-3 libexpat1 libgcc1 libgcrypt20 libgpg-error0 libkeyutils1 liblzma5 libmount1 libpam0g libpcre3 libselinux1 libsystemd0 libuuid1 zlib1g libcap2-bin libcunit1 libiodbc2 python-polib python3-polib python-lxml python3-lxml

The output of the command from above will inform you that some of the packages are already installed. Yet, it’s important to run the installation command with all the above packages, so that the packages which are already isntalled get marked as “manually installed”. In this way, since they are ‘manually installed’ and not ‘automatically installed’ (by other packages), they won’t be uninstalled together with the packages that automatically triggered their installation.

Then create the lool user (and group) and add the lool user to the www-data group:

useradd -r -s /bin/false lool
adduser lool www-data

Then run:

mkdir /opt/lool
tar -C /opt/lool -xf /home/gerald/lool-poco-1.10.1-core-cp-6.4-10-online-cp-4.2.9-1.tar.xz

Replace gerald with your own username. Next, set the capabilities for loolforkit to allow it to create and mount the jails:

/sbin/setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /opt/lool/bin/loolforkit

Then create the sytem template for the jails:

/opt/lool/bin/loolwsd-systemplate-setup /opt/lool/var/systemplate /opt/lool/lib/collaboraoffice

Create the missing directories and adjust the ownership for the /opt/lool directory:

mkdir -p /opt/lool/{var/tmp,var/log/loolwsd,var/jails,var/cache/loolwsd}
chown -R lool:lool /opt/lool

‘loolwsd’ stands for ‘LibreOffice Online WebSocket Daemon’. First make a copy of the /opt/lool/etc/loolwsd/loolwsd.xml file:

cp /opt/lool/etc/loolwsd/loolwsd.xml /opt/lool/etc/loolwsd/loolwsd.xml_orig

Then open the /opt/lool/etc/loolwsd/loolwsd.xml file for editing:

nano /opt/lool/etc/loolwsd/loolwsd.xml

Edit the following lines to make them look like below. Please pay attention to the settings in blue:

<sys_template_path desc="Path to a template tree with shared libraries etc to be used as source for chroot jails for child processes." type="path" relative="true" default="systemplate">../var/systemplate</sys_template_path>

<child_root_path desc="Path to the directory under which the chroot jails for the child processes will be created. Should be on the same file system as systemplate and lotemplate. Must be an empty directory." type="path" relative="true" default="jails">../var/jails</child_root_path>

<file_server_root_path desc="Path to the directory that should be considered root for the file server. This should be the directory containing loleaflet." type="path" relative="true" default="loleaflet/../">../var/www/loleaflet/..</file_server_root_path>

In the <logging> section change the <file enable="false"> parameter from false to true like this:

<file enable="true">

Also, in the <trace section edit the path line to make it look like this:

<path desc="Output path to hold trace file and docs. Use '%' for timestamp to avoid overwriting." compress="true" snapshot="false">/opt/lool/var/tmp/looltrace.gz</path>

Also edit the following lines to make them look like so:

<cert_file_path desc="Path to the cert file" relative="false">/opt/lool/etc/loolwsd/cert.pem</cert_file_path>

<key_file_path desc="Path to the key file" relative="false">/opt/lool/etc/loolwsd/key.pem</key_file_path>

<ca_file_path desc="Path to the ca file" relative="false">/opt/lool/etc/loolwsd/ca-chain.cert.pem</ca_file_path>

In the <wopi section, right below this line:

<host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>

add the following two lines:

            <host desc="Regex pattern of hostname to allow or deny." allow="true">cloud\.example\.com</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">123.123.123.123</host>

Replace example.com with the main domain hosted on your server and 123.123.123.123 with the public IP address of your server.

Inside the storage section there is another ssl section that should look like this:

           <ssl desc="SSL settings">
	    <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and loolwsd. When empty this defaults to following the ssl.enable setting"></enable>
            <cert_file_path desc="Path to the cert file" relative="false">/opt/lool/etc/loolwsd/cert.pem</cert_file_path>
            <key_file_path desc="Path to the key file" relative="false">/opt/lool/etc/loolwsd/key.pem</key_file_path>
            <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false">/opt/lool/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
            <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overriden only if absolutely needed."></cipher_list>
        </ssl>

Then enter the admin username and password for the administration console of loolwsd:

<username desc="The username of the admin console. Ignored if PAM is enabled.">adminname</username>

<password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or loolconfig to set up a secure password.">adminnamepassword</password>

Change permissions for this file:

chown lool:lool /opt/lool/etc/loolwsd/loolwsd.xml

Next, create a self-signed SSL certificate. This is sufficient because the communication is done via a reverse proxy, which we’ll provide with a Let’s Encrypt certificate.

Generate a new 4096 bits RSA private key, a Certificate Signing Request and a SSL certificate:

openssl genrsa -out /opt/lool/etc/loolwsd/key.pem 4096

chown root:lool /opt/lool/etc/loolwsd/key.pem

chmod 640 /opt/lool/etc/loolwsd/key.pem

openssl req -out /opt/lool/etc/loolwsd/cert.csr -key /opt/lool/etc/loolwsd/key.pem -new -sha256 -nodes -subj "/C=DE/OU=office.example.com/CN=office.example.com/emailAddress=admin@example.com"

Replace example.com with the main domain hosted on your server. office.example.com is the domain that is used to proxy all the requests to the loolwsd service, and not the domain where Nextcloud resides, which is cloud.example.com. Then run:

openssl x509 -req -days 73000 -in /opt/lool/etc/loolwsd/cert.csr -signkey /opt/lool/etc/loolwsd/key.pem -out /opt/lool/etc/loolwsd/cert.pem

openssl x509 -req -days 73000 -in /opt/lool/etc/loolwsd/cert.csr -signkey /opt/lool/etc/loolwsd/key.pem -out /opt/lool/etc/loolwsd/ca-chain.cert.pem

cd /opt/lool/etc/loolwsd

chown root:lool cert.csr cert.pem ca-chain.cert.pem

chmod 644 cert.csr cert.pem ca-chain.cert.pem

Next, create a service file for systemd, so that the loolwsd service can start automatically at system startup:

nano /etc/systemd/system/loolwsd.service

Add the following content in this file:

[Unit]
Description=LibreOffice Online WebSocket Daemon
After=network.target

[Service]
Type=simple
User=lool
ExecStart=/opt/lool/bin/loolwsd --o:security.capabilities=false
KillMode=control-group
Restart=always

[Install]
WantedBy=multi-user.target

Then reload the systemctl daemon and enable the loolwsd service:

systemctl daemon-reload
systemctl enable loolwsd

Then start the loolwsd service:

systemctl start loolwsd

You can check the status of the loolwsd.service with:

systemctl status loolwsd

You can see data related to loolwsd‘s state in its log:

/opt/lool/var/log/loolwsd/loolwsd.log

You can also see the data logged by loolwsd by running:

journalctl -u loolwsd

26.7.1.3. Disable the automatic opening of the sidebar

By default, when you open any document with LibreOffice Online inside Nextcloud, the sidebar will open automatically:

If you want to remove this annoying behavior and have the sidebar disabled when opening documents, so that you can enable it manually only when you need it, you will have to edit the /opt/lool/var/www/loleaflet/dist/bundle.js file. First make a copy of the original file:

cp /opt/lool/var/www/loleaflet/dist/bundle.js /opt/lool/var/www/loleaflet/dist/bundle.js_orig

Then open the file for editing:

nano /opt/lool/var/www/loleaflet/dist/bundle.js

Search for the following code fragment:

if(window.mode.isDesktop()&&!window.ThisIsAMobileApp){map._socket.sendMessage("uno .uno:SidebarShow")}

Replace SidebarShow with SidebarHide. So, the fragment from above will become:

if(window.mode.isDesktop()&&!window.ThisIsAMobileApp){map._socket.sendMessage("uno .uno:SidebarHide")}

Change permissions for this file:

chown lool:lool /opt/lool/var/www/loleaflet/dist/bundle.js

Restart the loolwsd service:

systemctl restart loolwsd

26.7.1.4. Obtain a Let’s Encrypt SSL certificate

Edit the Nginx server blocks configuration file:

nano /etc/nginx/sites-enabled/0-conf

Create a temporary server block for office.example.com, by adding the following lines:

server {
    listen 80;
    listen [::]:80;
    server_name office.example.com;

    location /.well-known/acme-challenge {
        root /var/www;
    }
}

Restart Nginx:

systemctl restart nginx

Now edit your DNS settings. Add an A entry and an AAAA entry for office.example.com. These entries are similar with the entries for cloud.example.com . It’s just that instead of cloud you use office. Wait a few minutes until the DNS changes propagate.

Next, you can obtain a Let’s Encrypt certificate for office.example.com by running:

certbot certonly --agree-tos --webroot -w /var/www/ -d office.example.com

26.7.1.5. Configure Nginx for LibreOffice Online

Then open the /etc/nginx/sites-enabled/0-conf file:

nano /etc/nginx/sites-enabled/0-conf

Replace the temporary server block for office.example.com with the following server block, in order to allow Nginx to serve the site over SSL:

server {
    listen  80;
    listen [::]:80;
    server_name office.example.com;
    return  301 https://office.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name office.example.com;

    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/office.example.com/chain.pem;
    ssl_dhparam     /etc/nginx/ssl/dhparam.pem;

    ssl_session_timeout 4h;
    ssl_session_cache shared:SSL:40m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security 'max-age=31536000';
    add_header X-Content-Type-Options nosniff;

    add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    location /.well-known/acme-challenge {
        root /var/www;
    }

    # static files
    location ^~ /loleaflet {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
   }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

   access_log /var/log/sites/office.example.com/access.log;
   error_log  /var/log/nginx/office.example.com.error.log notice;
}

Create the access log directory:

mkdir /var/log/sites/office.example.com

26.7.1.6. Configure logrotate to rotate LibreOffice Online logs

Configure logrotate to rotate the LibreOffice Online access logs and the loolwsd logs:

nano /etc/logrotate.d/nginx

Add the following section at the bottom of the file:

/var/log/sites/office.example.com/access.log /opt/lool/var/log/loolwsd/loolwsd.log {
	missingok
	rotate 10
	compress
	delaycompress
	notifempty
	create 0640 www-data adm
	size 2M
	sharedscripts
	prerotate        
		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
			run-parts /etc/logrotate.d/httpd-prerotate; \
		fi; \
	endscript

        postrotate
                [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
        endscript 
}

Restart Nginx:

systemctl restart nginx

26.7.1.7. Install the ‘Collabora Online’ app in Nextcloud

Once you have LibreOffice Online properly installed on your server, to properly connect it to Nextcloud, you will have to install the ‘Collabora Online’ app in Nextcloud. Click on the user icon in the upper right corner of Nexcloud, click on ‘Apps’, then use the search box in the upper bar to search for ‘Collabora Online’ and install it. Then go to ‘Admin’ > ‘Collabora Online’ > specify the server you have setup, namely: https://office.example.com, then click ‘Save’.

The administration console which provides information about the number of documents opened, the number of users connected, memory usage, etc., can be accessed at the following URL:

https://office.example.com/loleaflet/dist/admin/admin.html

You’ll have to enter the username and password set up earlier in the /opt/lool/etc/loolwsd/loolwsd.xml file.

26.7.1.8. Configure Fail2ban to protect the LibreOffice Online administration console against brute-force attacks

Navigate to the /etc/fail2ban/filter.d directory:

cd /etc/fail2ban/filter.d

Create a file called looladmin.conf:

nano looladmin.conf

Add the following content in this file:

[Definition]

failregex =  ^<HOST> .* "GET /loleaflet/dist/admin/admin.html HTTP/2.0" 401
ignoreregex =

Now open the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Add the following block somewhere below the [wordpress] block:

[looladmin]
enabled  = true
filter   = looladmin
logpath  = /var/log/sites/office.example.com/access.log
port     = 80,443
maxretry = 3
bantime = 259200

Restart Fail2ban:

systemctl restart fail2ban

26.7.1.9. Upgrading LibreOffice Online

Before upgrading LibreOffice Online to a new version, it’s recommended to check if the new version has been tested and confirmed to function well within the suite by visiting this page.

Once you have LibreOffice Online installed and working on your server, you can upgrade it to a new version by following again all the steps in the compilation and installation process described above.

When you set the new versions of ‘poco’, ‘libreoffice core’ and ‘libreoffice online’ in the ~/tools/build-lool-master/config/lool-config.sh script, and start compiling, you have to be aware that in many cases, the versions of the three packages are not compatible with each other and won’t work together. This also happens with older versions. The safest approach is to compile the versions that we recommend in this guide.

26.7.2. Install SIP Trip Phone

SIP Trip Phone is a browser phone that connects to an Asterisk server to make and receive VoIP phone calls. It uses SIP over WebSocket and WebRTC. For calls to and from PSTN phone numbers, a ‘telnyx.com’ or ‘localphone.com’ account is needed and a real phone number acquired from one of the two providers. SIP Trip Phone allows making and receiving phone calls to/from any mobile or landline phone, at lower rates than with regular phones. It allows making cheap international phone calls from phone numbers located in the same country as the receivers. The receivers will also be able to call those numbers and pay as for local calls. It can be used to make free calls over the Internet between extensions configured on the underlying Asterisk server. It logs recent phone calls and their duration and allows pausing, muting and transferring phone calls. On the underlying Asterisk server you can implement an IVR (Interactive Voice Response) and many advanced PBX features such as voicemail, queue management, music on hold, number blacklisting, call recording, audio conference calls, etc.

SIP Trip Phone can be installed like any other Nextcloud application: click on the profile picture from the upper right corner > Apps > search for ‘SIP Trip Phone’ using the search box in the upper bar > click ‘Download and install’. Next enter your credentials by clicking on the profile picture > Settings > under ‘Personal’ click ‘SIP Trip Phone’ > in the ‘Display Name’ field enter your name or a nickname; in the ‘SIP user’ field enter the extension configured on the Asterisk server that you want to use (601, 602 etc.); in the ‘SIP User Password’ enter the password for that Asterisk extension (set up in the /etc/asterisk/pjsip.conf file); in the ‘WSS URL’ field enter wss://cloud.example.com:8089/ws; in the ‘SIP Realm’ field enter the public IPv4 IP of your server, eg. 123.123.123.123; in the ‘STUN Server domain or IPv4 address, and port number’ field enter 123.123.123.123:8443, where 123.123.123.123 is the IP of your server, then click ‘Save’.

If the Asterisk server is configured properly, to start ‘SIP Trip Phone’ all you have to do is to click on its icon on the upper bar. The browser will warn you about opening a pop-up window. Accept opening the pop-up window and then you will be asked for permission to allow the application to access your microphone. Click ‘Allow’. (When you log in to Nextcloud, you also see a message on the upper bar asking if you allow notifications from the domain of your Nextcloud installation. You should click ‘Allow’ in order to see on-screen notifications when you receive new calls.) The phone’s pop-up window will look like this:

If you click on the ‘Show Keypad’ button in the upper left corner, the keypad will show up:

26.7.2.1. Making calls with SIP Trip Phone

To make a call, use the keypad to enter the number and press ‘Call’, or use the keyboard of your computer to enter the number in the number field, then press Enter.

If you want to make a call to one of the extensions of your own company/organization, just call that extension (601, 602, 603, etc.). As explained before, the number of an internal extension can be of any length, although, for simplicity, they are in general made up of 3 digits.

If you want to call a number outside your company/organization, don’t forget to place a 9 in front of the phone number if you want to make calls using Telnyx, or an 8 if you want to make calls using Localphone (as per the settings made in Asterisk explained earlier). Also, the 9 or 8 have to be followed by the country calling code, and only afterwards by the recipient’s number. For example, if you want to call the German number 1212121212 using Telnyx, you’ll have to call:

9491212121212

where 49 is the country calling code for Germany.

26.7.2.2. Receiving calls with SIP Trip Phone

To receive calls with SIP Trip Phone just leave the phone’s window open, maybe minimized. Any incoming calls will be announced in 3 ways:

1) SIP Trip Phone will generate the classic intermittent ringing sound. You can hear it in your headphones, earphones or computer speakers.

2) System notifications will appear in the upper right or lower right corner of the screen, with the message: ‘New incoming call !’

3) The title of the window will blink, showing the message: ‘New call !!!’.

In this way, even if you don’t have your headphones close to your ears to hear the ringing, you can still notice the system notifications or the blinking title. The three signals make new calls hard to miss. Even if you miss a call, you’ll see the number of the caller in the recent calls log in the application’s window (if you haven’t closed the window).

Please note that even if you log out of Nextcloud, if you leave the phone’s window open (and minimized), the phone will still remain connected to Asterisk and will be perfectly functional, allowing you to receive and make phone calls.

26.7.2.3. SIP Trip Phone workflow

Please note that any individual user will have to enter their own credentials on the settings page: by clicking on the profile picture from the upper right corner > ‘Settings’ > then in the left panel, under ‘Personal’, by clicking ‘SIP Trip Phone’. They can’t use the phone if they don’t have their own extension configured in Asterisk and if they don’t enter their credentials in SIP Trip Phone’s settings.

The admin can restrict the use of the application to certain user groups by clicking on the profile picture in the upper right corner > Apps, then by clicking on ‘SIP Trip Phone’ in the list of apps, then by checking the ‘Limit to groups’ checkbox, then entering the name of the group whose members will be allowed to use the application.

26.7.2.4. Disable the microphone indicator in Firefox

By default, when a web page requests access to the computer’s microphone or webcam and the user grants access, a microphone/webcam indicator icon is displayed at the top of the screen until that web page is closed. If you want to disable this microphone/webcam indicator when using SIP Trip Phone and in other similar cases, follow these steps:

– In Firefox, go to ‘Help’ > ‘Troubleshooting Information’ and find the directory listed in ‘Profile Directory’. For Debian 10, this is /root/.mozilla/firefox/oikqae27.default-esr

– In the ‘Profile Directory’ create the chrome directory (/root/.mozilla/firefox/oikqae27.default-esr/chrome)

– In the chrome directory create the file userChrome.css file with the following content:

#webrtcIndicator {
  display: none;
}

– Type about:config in the address bar of Firefox, press Enter, click ‘I accept the risk’, then search for:

toolkit.legacyUserProfileCustomizations.stylesheets

Double-click it to change its value from false to true.

Restart Firefox.

26.7.2.5. Upgrading SIP Trip Phone

SIP Trip Phone can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that SIP Trip Phone has an active ‘Update’ button, click on it and the new version will be installed.

26.7.3. Install SMS Relentless

SMS Relentless connects to a ‘telnyx.com’ or ‘plivo.com’ account to send and receive SMS messages. It needs at least an SMS enabled phone number acquired from Telnyx or Plivo. It allows sending and receiving SMS messages from a browser, using one or multiple phone numbers located in a country chosen by the admin. The numbers can be acquired from Telnyx or Plivo or from both. Users can send individual SMS messages to any SMS enabled phone numbers in the world, they can send SMS messages to multiple recipients by uploading ‘csv’ or ‘txt’ files containig the target phone numbers, they receive delivery receipts for sent SMS messages, they receive Nextcloud notifications and can also receive email notifications when new SMS messages arrive, they can list all the sent and received messages in paginated tables, filter all the messages by any table column, archive messages older then a specified time interval before deleting them, so that they become available for future viewing and analysis, list current balance and current phone numbers, set alphanumeric sequences as Sender IDs for sent SMS messages, etc.

You can install SMS Relentless like any other Nextcloud application. Click on the profile picture from the upper right corner > Apps > search for ‘SMS Relentless’ using the search box in the upper bar > click ‘Download and install’. Next, configure SMS Relentless by clicking on the profile picture > Settings > then, on the left panel under ‘Personal’ click ‘SMS Relentless’. In the settings fields, you can fill in your credentials from Telnyx if you want to use Telnyx as SMS service provider, or you can fill in your credentials from Plivo if you want to use Plivo. Of course, if you have acquired phone numbers from both providers and you want to use both, fill in the credentials for both. Fill in the settings fields as follows:

Telnyx Settings

– in the Telnyx API Secret Key field enter your Telnyx API Key: log in to Telnyx, click on ‘API Keys’ on the left panel, click ‘Create API Key’, then copy the Key and enter it in the Telnyx API Secret Key field.

– in the Telnyx Account Public Key field enter the public key necessary to verify the signature of the incoming SMS messages: while logged in to Telnyx, click on ‘API Keys’ on the left panel, click on ‘Public Key’ on the upper bar, then copy the public key from the ‘Key’ field and enter it in the Telnyx Account Public Key field.

– in the Messaging Profile ID enter the messaging profile ID that you will be using (you can have multiple phone numbers associated with the same messaging profile ID): while logged in to Telnyx, click on ‘Messaging’ on the left panel, click on the name of the messaging profile that you want to use, then under ‘Profile ID’ you will find the messaging profile ID. Copy it and enter it in the Messaging Profile ID field.

– in the Telnyx webhook URL for incoming SMS field enter the webhook URL for incoming messages. You have to first generate and then copy this URL into your Telnyx account, so that Telnyx knows where to deliver the SMS messages received by your Telnyx phone number(s). First generate the URL by pressing the ‘Generate new webhook URL for incoming SMS’ button, copy it, then, in your Telnyx account click on ‘Messaging’ on the left panel, click on the name of the messaging profile that you associated with your phone number(s), then, under ‘Inbound Settings’, enter the webhook URL generated here in the field ‘Send a webhook to this URL’ and click ‘Save’.

– in the Telnyx webhook URL for delivery receipts field enter the webhook URL for the delivery receipts that you will receive for sent messages. This URL will be included by SMS Relentless in SMS message sending requests, so that Telnyx will know where to send the delivery receipts. Just generate it by pressing the ‘Generate new webhook URL for delivery receipts’ button. You don’t have to enter this URL into your Telnyx account.

– in the Telnyx alphanumeric Sender ID field enter an alphanumeric sequence of up to 11 characters in the range of a-z, A-Z, 0-9 and space. In certain countries there are regulations that accept only shorter alphanumeric Sender IDs, such as up to 6 characters. You cannot send SMS messages with alphanumeric Sender IDs to USA or Canada. There are even countries that require preregistration of alphanumeric Sender IDs. Before sending SMS messages to a country please read the country specific features and restrictions. Some carriers won’t accept messages with an alphanumeric Sender ID

Plivo Settings

– in the PlivoAuth ID field, enter the auth ID obtained as follows: log in to Plivo; on the first page which is the Overview page, under Account, copy the ‘Auth ID’.

– in the PlivoAuth Token field, enter the auth token obtained like this: while logged in to Plivo; on the Overview page, under Account, copy the ‘Auth Token’.

– in the Plivo webhook URL for incoming SMS field enter the webhook URL for incoming messages. You have to first generate and then copy this URL into your Plivo account, so that Plivo knows where to deliver the SMS messages received by your Plivo phone number(s). First generate the URL by pressing the Generate new webhook URL for incoming SMS button, copy it, then, in your Plivo account click on ‘Messaging’ on the left vertical bar, click on ‘Applications’, then, under ‘Application name’ click on ‘Inbound SMS Messages’, next, under ‘Message’, enter the webhook URL generated earlier in the field ‘Message URL’ and select ‘POST’ next to it, then click the ‘Update Application’ button.

– in the Plivo webhook URL for delivery receipts field enter the webhook URL for the delivery receipts that you will receive for sent messages. This URL will be included by SMS Relentless in SMS message sending requests, so that Plivo will know where to send the delivery receipts. Just generate it by pressing the ‘Generate new webhook URL for delivery receipts’ button. You don’t have to enter this URL into your Plivo account.

– in the Plivo alphanumeric Sender ID field enter an alphanumeric sequence of up to 11 characters in the range of a-z, A-Z, 0-9 and space. In certain countries there are regulations that accept only shorter alphanumeric Sender IDs, such as up to 6 characters. You cannot send SMS messages with alphanumeric Sender IDs to USA or Canada. There are even countries that require preregistration of alphanumeric Sender IDs. Before sending SMS messages to a country please read the country specific features and restrictions. Some carriers won’t accept messages with an alphanumeric Sender ID.

– in the Number of messages per page field enter the number of messages to be displayed on one page of the received and sent messages tables. If you don’t enter anything in this field, the default of 100 messages per page will be used.

– check the I want to see a notification in Nextcloud when a new SMS is received checkbox if you want to see Nextcloud notifications when new SMS messages arrive.

– if you want to enable email notifications enter your email address in the I want to receive a notification to the email address from below, when a new SMS is received field.

– if you want the SMS message to be included in the email notification, check the Include the SMS message in the email notification itself checkbox.

Click ‘Save’ to save all the settings to the database.

26.7.3.1. Using SMS Relentless

To use SMS Relentless just click on its icon in the upper bar, inspect the Telnyx/Plivo available balance by selecting the name of the provider from the Balance drop-down list, then click on the refresh button on the Set ID line to refresh the list of available sender IDs, then choose one of the phone numbers or alphanumeric IDs from the drop-down list, then enter the phone number of the receiver preceded by the country code in the phone number field (Eg.: 491212121212, where 49 is the country calling code), then enter the text of the message in the message text area, then press the ‘Send SMS’ button.

Please note that you can send the same message to multiple receivers by writing their phone numbers in the number field one after the other separated by coma, or if you have a large number of receivers, like hundreds or thousands, you can upload a txt or csv file by checking the ‘Upload file with phone numbers’ checkbox. In this case you should also specify the time interval in milliseconds between two consecutive send message requests. You will find information about different restrictions regarding the frequency of sending messages in the information tooltip text. In general 1000 milliseconds is ok.

If your message contains special characters that don’t exist in the GSM 7-bit default alphabet table, you should encode your message in Unicode by checking the ‘Send SMS in Unicode’ checkbox.

You can see the received SMS messages by clicking the ‘Received SMS Messages’ button and the sent messages by clicking the ‘Sent SMS messages’ button. Both tables have a row of filters at the top, that you can use to filter the messages by the content of one or multiple columns. The row of filters shows up when you click on the arrow from the top left corner of the application content area. You can also permanently delete messages by selecting them and then clicking on the ‘Permanently delete’ icon located on the left end of the filter row.

You can also remove old messages to keep the database small by checking the ‘Remove old messages’ checkbox (located below the ‘Sent SMS Messages’ button). You can remove all the messages that are older than the number of days that you specify in the appropriate fields. This can be done for both sent and received messages. If you delete old messages in this way, they won’t be really lost, because before deleting them, the application saves the messages in csv files that you can later find in the SMS_Relentless/removed_received_messages, and SMS_Relentless/removed_sent_messages folders. The csv files have names that include the date of message removal.

26.7.3.2. SMS Relentless workflow

Please note that in order to be able to use the application, any individual user has to have the credentials entered on the settings page of SMS Relentless, under ‘Personal’, in their own Nextcloud account (in Nextcloud ‘Settings’, on the left panel, under ‘Personal’, ‘SMS Relentless’).

In general, the admin, who creates the Nextcloud account for each regular user, will enter his own credentials on the SMS Relentless settings page of each regular user account, with the exception of the webhook URL used for delivery receipts, which should be generated for each individual user by pressing the ‘Generate new webhook URL for delivery receipts’ button. In this way, they will be different from one user to the other, and this will ensure that users will get only the delivery receipts for the messages that they will send. The keys, tokens and IDs are invisible to the regular users, because they are replaced with placeholders once they are saved to the database (encrypted).

However, users of SMS Relentless can have different Telnyx/Plivo accounts with different phone numbers. In this case, each user will enter her/his own credentials on the Settings page and use her/his own phone number(s) when sending and receiving SMS messages.

In the Sent Messages table, each message record will show the user who sent the message and from what phone number. If all the users have different Telnyx/Plivo accounts, in the Received Messages table, each message record will show the specific user who received the message.

When a user clicks the ‘Sent SMS Messages’ button, (s)he will see only the messages sent by her/him. Also, when clicking the ‘Received SMS Messages’ button, the user will see only the messages received by her/him.

The admin can restrict the use of the application to certain user groups by clicking on the profile picture in the upper right corner > Apps, then by clicking on ‘SMS Relentless’ in the list of apps, then by checking the ‘Limit to groups’ checkbox, then entering the name of the group whose members will be allowed to use the application.

26.7.3.3. Upgrading SMS Relentless

SMS Relentless can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that SMS Relentless has an active ‘Update’ button, click on it and the new version will be installed.

26.7.4. Install Pax Fax

Pax Fax allows sending and receiving faxes in Nextcloud by connecting to a ‘phaxio.com’ account. A real fax number acquired from Phaxio is needed. Users can send up to 20 documents in one fax call (supported file formats are: pdf, doc, docx, odt, jpg, png, tif, txt, html), they can send faxes to 10 different fax numbers simultaneously, they can receive faxes as pdf documents in Nextcloud, they receive notifications in Nextcloud and can receive email notifications when new faxes arrive. All the sent and received faxes are stored in specific Nextcloud folders. Users can search for faxes by caller/callee phone number or date; they can see the current Phaxio balance; they can set their fax number as caller ID for sent faxes. When they want to send a fax, they can upload files from their computer or choose them directly from Nextcloud.

Like with any other Nextcloud application, to install Pax Fax click on the profile picture from the upper right corner > ‘Apps’ > search for ‘Pax Fax’ using the search box in the upper bar > click ‘Download and install’. Next, configure Pax Fax by clicking on the profile picture > ‘Settings’ > then, on the left panel, under ‘Personal’ click ‘Pax Fax’.

pax_fax_settings

– in the Phaxio API Key and Phaxio API Secret fields enter the key and secret that you can find by logging in to Phaxio and clicking ‘API Keys’ on the left panel; then, under ‘Live Keys’ you will find the ‘API Key’ and the ‘API Secret’.

– in the Phaxio Webhook Token field enter your webhook token that you can find in your Phaxio account, by clicking ‘Webhooks’ on the left panel, then scrolling down to ‘Webhook Token’.

– in the Phaxio callback URL for incoming faxes field enter the callback URL that Phaxio will use to send incoming faxes to. This URL must have the form: https://username:6VTGs-c36j4-qK2wm-RgJcl-9pjUD@cloud.example.com/apps/pax_fax/api/recfaxphaxio , where username is the Nextcloud user who has a Phaxio phone number in her/his Phaxio account (callback URLs can only be configured one per Phaxio phone number), 6VTGs-c36j4-qK2wm-RgJcl-9pjUD is the ‘application password’ created for this purpose as explained below, and cloud.example.com is your Nextcloud domain. To create the Nextcloud ‘application password’ click on the profile picture in the upper right corner, then click ‘Settings’, then, on the left panel, under ‘Personal’ click ‘Security’, then under ‘Devices & sessions’, in the ‘App name’ field enter Pax_Fax, then click the ‘Create new app password’ button. The password will be displayed only when created. Copy the password, click the ‘Done’ button, enter the password in the constructed callback URL between ‘:’ and ‘@’ as shown above, copy the entire callback URL to a safe location, then enter the callback URL in the field Phaxio callback URL for incoming faxes. The next step is to enter the callback URL that you have just created in your Phaxio account: log in to Phaxio, click ‘Phone Numbers’ on the left panel, click the settings wheel on the row of the phone number for which you want to set up the callback URL, enter the URL in the ‘Callback URL’ field, then click ‘Save’.

– check the ‘I want to see a notification in Nextcloud when a new fax is received‘ checkbox if you want to receive Nextcloud notifications when new faxes arrive.

– in the ‘I want to receive a notification to the email address from below, when a new fax is received‘ field enter your email address if you want to receive an email notification when new faxes arrive.

Click the ‘Save’ button at the bottom of the page to save all the settings to the database.

26.7.4.1. Using Pax Fax

To use Pax Fax, click on its icon in the upper bar. You can see the current Phaxio balance by clicking the ‘Phaxio balance’ refresh button. Then, on the ‘Set ID’ line, you can first refresh the list of the available IDs, then choose from the drop-down list one of your Phaxio fax numbers, or the blank space if you want to send a fax with no Sender ID.

Next, in the phone number field enter the reveiver’s fax number preceded by the country calling code. For example, a German fax number would look like this:

491212121212

where 49 is the country calling of Germany. You can enter up to 10 fax numbers separated by comma in this field, if you want to send the fax simultaneously to multiple recipients.

Next, upload a file from your computer to send as fax, or choose a file from Nextcloud. Allowed formats are: pdf, odt, jpg, png, txt, tif, html, doc, docx. You can upload or choose from Nextcloud multiple files to be sent in the same fax call, one after the other; you can send up to 20 files in one fax call, with a cumulative size of up to 20 MB, and up to 200 pages. If you have more pages to send, you can split them in two or more groups and send them in multiple fax calls.

Then click ‘Send Fax’. You can see the sent faxes by clicking on the ‘Sent Faxes’ button and the received faxes by clicking on the ‘Received Faxes’ button. If sending a fax fails because the fax number was wrong, or the connection dropped, or the receiving fax machine had a problem, etc., you will find the failed fax in the Pax_Fax/faxes_sent_failed folder or by clicking on the ‘Failed Sent Faxes’ button. Similarly, if for some reason an incoming fax fails, you will find a failed fax file in the Pax_Fax/faxes_received_failed folder, or by clicking on the ‘Failed Received Faxes’ button. The faild faxes files will be empty but they will have a name that will include the date of the received fax.

All the received faxes will be pdf files and all the sent and received faxes will have the date of sending/receiving included in their names, as well as the to/from fax numbers, so that they can be easily found by their destination/origin fax number or by their date, by using the search function of Nextcloud. To use the Nextcloud search function to filter the sent/received faxes navigate to Pax_Fax/faxes_sent or Pax_Fax/faxes_received and enter a fax number or a date in the search box located on the upper bar.

26.7.4.2. Pax Fax workflow

Please note that any individual user will have to have the Pax Fax credentials on the settings page of Pax Fax, under ‘Personal’, in their own Nextcloud account in order to be able to use the application. In general, the admin, who creates the Nextcloud account for each regular user, enters his own API Key and API Secret on the Pax Fax settings page of each regular user account. The API Key and Secret, as well as the webhook token and the callback URL are invisible to the regular users, because they are replaced with placeholders once they are saved to the database (encrypted). In this way, all the received faxes will be saved in the Pax_Fax/faxes_received directory of the admin Nextcloud account and not in the regular users’ Pax_Fax/faxes_received respective directories. If the admin wants any other users apart from himself to see the received faxes, he has to share the Pax_Fax/faxes_received folder with those users. With sent faxes, the situation is different: if a Nextcloud user sends a fax, the sent fax will be saved in the Pax_Fax/faxes_sent folder of that respective user, regardless if he is a regular user or the admin. If the admin wants to see what faxes were sent by what users, he can ask the users to share their Pax_Fax/faxes_sent directories with him, or he can inspect/download the sent faxes of any user directly via FTP, by connecting to the server and navigating to /var/www/cloud.example.com/data/username/files/Pax_Fax/faxes_sent directory, where example.com is the Nextcloud domain and username is the name of the user.

Like with other Nextcloud applications, the admin can restrict the use of Pax Fax to certain user groups by clicking on the profile picture in the upper right corner > Apps, then by clicking on ‘Pax Fax’ in the list of apps, then by checking the ‘Limit to groups’ checkbox, then entering the name of the group whose members will be alllowed to use the application.

However, if a Phaxio account has multiple fax numbers associated with it, different users of Pax Fax can use different fax numbers of the same Phaxio account, each number having a different webhook for receiving faxes. In this situation, if a fax is received on one fax number, it will be saved only in the Pax_Fax/faxes_received directory of the user whose fax number received the fax. Also, different users of Pax Fax can have different Phaxio accounts, each with its own associated fax number(s). In this situation again, if a fax is received, it will be saved only in the Pax_Fax/faxes_received directory of the user whose fax number received the fax.

It’s good to know that Phaxio gives its users the ability to receive all incoming faxes as email attachments. If you don’t want your faxes to be received by Pax Fax and you want to receive them as email attachments, log in to Phaxio, click on ‘Phone Numbers’ on the left panel, click on the wheel next to the fax number(s), delete the webhook URL associated with the number(s) for receiving faxes, click ‘Save’, then click on ‘Webhooks’ on the left panel and in the ‘Sent Handler’ and ‘Received Handler’ fields enter mailto:admin@example.com where admin@example.com is the email address where you want to receive your faxes, then click ‘Update’. On the same page, in the ‘Webhook Version’ field, make sure it’s Version 2 selected.

For increased privacy it’s recommended that you configure your Phaxio account so that the sent/received faxes are not stored on Phaxio’s servers. To do this click on ‘Fax’ on the left panel, then scroll down and uncheck ‘Store sent fax files on Phaxio server?’ and ‘Store received fax files on Phaxio server?’, then click ‘Update’.

On the same page, there are two other checkboxes: ‘Receive faxes that only partially completed’ and ‘Include caller name for received faxes’. It’s recommended to check this checkboxes and leave all the other settings as they are, then click ‘Update’.

26.7.4.3. Upgrading Pax Fax

Pax Fax can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that Pax Fax has an active ‘Update’ button, click on it and the new version will be installed.

26.7.5. Install the Calendar app

To install the Calendar app click on the upper right corner user icon > click on ‘Apps’ > click on the ‘Search’ icon on the Nextcloud upper bar, search for ‘Calendar’ > when the app is found click on ‘Download and enable’.

To open the Calendar app click on its shortcut on the Nextcloud upper bar.

To create a new calendar, click on the plus sign next to ‘New calendar’ on the left panel and choose ‘New calendar’. Enter a name for the new calendar then click the arrow to create the calendar. You can create multiple calendars. To toggle the visibility of a calendar just click on its name. On the left panel you can choose the month to view, you can switch between Day/Week/Month/List view for the selected calendar(s) and you can create a new event by clicking on the ‘New event’ button. Yet, the best way to create events is by clicking on the rectangle of the day of the month in which you want to place the event.

While a calendar is displayed in ‘month view’, if you click on a day of the month, the ‘New event’ panel will open at the right end of the screen. There you can enter a suggestive name for the new event, you can choose the name of the calendar to which the event will belong, if you have multiple calendars, you can choose the moment when the event will start and the moment when it will end or whether it will last all day.

On the ‘Details’ tab you can add a location for the new event, a description, whether the event is confirmed or not, the visibility of the event in shared calendars, whether the time interval of the event will count as busy or free time, you can add a category and a specific color to the event.

On the ‘Attendees’ tab you can search for other Nextcloud users to add as attendees to the newly created event. You can also enter the email addresses of attendees that are not Nextcloud users. After you add each attendee, you can click on the three dots next to their email address to assign them a role: ‘Chairperson’/’Required participant’/’Optional participant’/’Non-participant’. If you leave the ‘Send e-mail’ checkbox checked, the attendee will receive the invitation to the event by email, the moment you save the event.

On the ‘Reminders’ tab you can add a reminder for the event. You can choose the moment when the reminder will be sent (a day before the event starts, 30 minutes before the event starts, etc.). After the reminder is added, you can click on the three dots next to it to choose whether the reminder will be a notification or an email. If you choose ‘Notification’, the attendees will see a Nextcloud notification when they will log in to Nextcloud. If you choose ‘Email’, the attendees will receive an email on the moment of the reminder. However, Nextcloud can send emails at specific times only if its cron script is run at those specific times. So, to enable email notifications, you will need to set up a cron job on the server, that will run the cron script inside Nextcloud with a specific frequency. So, on your server run:

crontab -e

At the bottom of the file enter the following lines:

# Run the Nextcloud cron script every 15 minutes
*/15 * * * * sudo -u www-data php -f /var/www/cloud.example.com/cron.php

Replace example.com with your main domain. Of course, you can run the Nextcloud cron script with a higher or lower frequency, like once every 10 or 5 minutes, or once every hour, etc. After setting up this cron job, make sure that in Nextcloud Settings, under ‘Administration’ > ‘Basic settings’ > ‘Background jobs’, the ‘Cron’ option is selected.

On the ‘Repeat’ tab, you can choose if the new event should be repeated, and with what frequency (once every day/several days, once or multiple times per week, month, year).

You may find useful the fact that you can share a calendar with persons that don’t have a Nextcloud account. To create the public share link for a calendar, click on the share sign next to the calendar name, on the left panel, then click on the plus sign. You can then copy the public access link to clipboard by clicking on the ‘Copy public link’ icon. If you send the public access link by email to somebody, they can open it in a browser and have read-only access to the calendar, without being logged in to Nextcloud.

26.7.5.1. Add Nextcloud calendars as remote calendars in Thunderbird

First click on the Calendar app icon. If you click on the three dots next to the name of each calendar, and then on ‘Copy private link’, you can get the URL of that respective calendar that you can use to add it to Thunderbird. Next open Thunderbird, go to File > New > Calendar > Check ‘On the Network’ > Next > check CalDAV, enter your Nextcloud username and the calendar’s URL copied earlier, leave ‘Offline Support’ checked > Next > enter a name for the new calendar, leave ‘Show Reminders’ checked, select the email you want to associate with this calendar > Next > Finish. To see the new calendar, go to ‘Events and Tasks’ > Calendar (or click on the ‘Switch to the calendar tab’ icon located in the upper right corner). The name of all the calendars will be listed on the left panel.

26.7.5.2. Upgrading the Calendar app

The Calendar app can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that Calendar has an active ‘Update’ button, click on it and the new version will be installed.

26.7.6. Install the Tasks app

To install the Tasks app click on the upper right corner user icon > click on ‘Apps’ > click on the ‘Search’ icon on the Nextcloud upper bar, search for ‘Tasks’ > when the app is found click on ‘Download and enable’.

To open the Tasks app click on its shortcut on the Nextcloud upper bar.

Tasks are grouped in tasks lists. To create a new tasks list, on the left panel click on ‘Add List…’, enter a name for the new list, choose a color, then click on the tick sign to save the new list. Then on the right panel, in the ‘Add a task’ text box enter a short suggestive name for the new task and press Enter to save it. In order to edit the task and set its description, due date, etc., click on its name. When you click on a task’s name, a new vertical panel will open at the right end of the screen. There you can set a start date for the task, a due date, the way it will be shown when shared, the priority, the degree of completeness, the category associated with it, a description, etc. If you click on the three dots next to the task name, you can see a menu with an option to add a subtask. If you want to add a subtask click on the ‘Add subtask’ option, enter a name for the new subtask, then click on its name to enter its details like you did for the parent task. You can even add subtasks to subtasks in this way.

If you want to share a list of tasks with other Nextcloud users, on the left panel, click on the name of the tasks list to select it, then click on the share button, then enter the name of the Nextcloud user whom you want to share the tasks list with, then click on its name.

When you click on a tasks list on the left panel and all its tasks are displayed on the right panel, you can click on the ‘Change sort order’ button next to the ‘Add a task’ text box, to order the tasks by various criteria: start date, due date, last modified, priority, alphabetically, etc.

26.7.6.1. Upgrading the Tasks app

The Tasks app can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that Tasks has an active ‘Update’ button, click on it and the new version will be installed.

26.7.7. Install the Forms app

To install the Forms app click on the upper right corner user icon > click on ‘Apps’ > click on the ‘Search’ icon on the Nextcloud upper bar, search for ‘Forms’ > when the app is found click on ‘Download and enable’.

To open the Forms app click on its shortcut on the Nextcloud upper bar. To create a new form click on the ‘Create a form’ button, enter the name of the form and a short description in the respective text boxes. Then click the ‘Add a question’ button to add a question to the newly created form. You will see a menu with multiple types of answer for the new question: Checkboxes, Multiple choice, Dropdown, Short answer, Long text, Date, Datetime. Choose the type of answer which best suits your question and click on it. Next enter the text of the question and the tags for the checkboxes/multiple choice radio buttons, dropdown menu, etc. If you click the three dots next to the question, you can check the ‘Required’ checkbox, so as to make the question mandatory. To add a new question click again on the ‘Add a question’ button and repeat the process.

In the upper right corner of the screen you will see the ‘Toggle settings’ icon. If you click on it, you will see a new vertical panel, in which you can choose how you want to share the form. If you click on the ‘Copy share link’ button, the URL of the form will be copied to the clipboard and you can send it by email or by other means to any person whom you want to get answers from. That person can have direct access to the form using that URL. The default method for sharing is ‘Share via link’ but there are other two options: ‘Show to all users of this instance’ and ‘Choose users to share with’. Under ‘Settings’ you can check ‘Anonymous responses’ to allow anonymous users to fill in the form and send it; you can check ‘Allow multiple reponses per person’ and you can also set up an expiration date by checking the ‘Set expiration date’ checkbox and entering a date after which the form will be inaccessible.

To see the responses sent by various users click on the ‘Response’ button located in the upper right corner of the form. You will see a screen similar to this:

On the ‘Summary’ tab you will see a summary of all the answers, while on the ‘Responses’ tab you will see the actual answers of all users. If you click on the three dots next to the ‘Responses’ tab, you will see the ‘Export to CSV’ option, which you can use if you want to export the answers to the form’s questions in csv format.

26.7.7.1. Upgrading the Forms app

The Forms app can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that Forms has an active ‘Update’ button, click on it and the new version will be installed.

26.7.8. Install the Polls app

To install the Polls app click on the upper right corner user icon > click on ‘Apps’ > click on the ‘Search’ icon on the Nextcloud upper bar, search for ‘Polls’ > when the app is found click on ‘Download and enable’.

To open the Polls app click on its shortcut on the Nextcloud upper bar. To create a new poll click the ‘Add new Poll’ button, enter a name for the new poll, choose its type (‘Date poll’ or ‘Text poll’) and click ‘Apply’. To add a new option to the poll click the ‘Add some!’ button. The ‘Details’ panel will open. Here, in the ‘Add a new text/date option’ text box you can enter the name of the option and click the arrow to save it. In this manner you can enter as many options as you need. All the options will show up on the middle panel, like below:

Below the options there is the ‘Receive notification email on activity’ checkbox that you can check if you want to receive an email notification each time a user takes the poll. However, to properly enable the Polls app to send email notifications on new activity, you will need to set up a cron job to regularly run the cron script included in Nextcloud, like we explained for the Calendar app. To run the cron script every 15 minutes you will need a cron job like this:

# Run the Nextcloud cron script every 15 minutes
*/15 * * * * sudo -u www-data php -f /var/www/cloud.example.com/cron.php

Where example.com is your main domain. After setting up this cron job, make sure that in Nextcloud Settings, under ‘Administration’ > ‘Basic settings’ > ‘Background jobs’, the ‘Cron’ option is selected.

On the ‘Configuration’ tab of the Details panel you can enter a description, you can check options to allow admins to edit the poll, to allow ‘maybe’ votes, to allow anonymous users to take the poll, to close the poll or set up a closing date, to give access to the poll to all users or only to invited users, to display the results at all times, only after the poll is closed or never, etc.

On the ‘Shares’ tab, under ‘Effective shares’ you can search for Nextcloud users and select them in order to share the poll with them, or you can enter the email address of external users, that don’t have a Nextcloud account. After you add a user under ‘Effective shares’, its name or email address will show up under ‘Unsent invitations’, at the bottom of the panel. You can send users emails to invite them to take the poll, by clicking on the right arrow next to their name or email address.

Under ‘Public shares’, if you click the ‘Add a public link’ button, you create a URL which you can copy to the clipboard by clicking the ‘Copy link to clipboard’ button. Then you can send that URL by email or by other means to any person, so that they can access the poll without having a Nextcloud account.

On the ‘Comments’ tab, in the ‘New comment’ text box you can enter various comments related to the poll.

Once the poll results begin to arrive, if you selected ‘Always show results’ on the ‘Configuration’ tab, when you click on the ‘Switch to desktop view’ button located in the upper right corner of the middle panel, you will see the detailed results of the poll in a table, like below:

26.7.8.1. Upgrading the Polls app

The Polls app can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that Polls has an active ‘Update’ button, click on it and the new version will be installed.

26.7.9. Install the ‘External storage support’ app

Using the ‘External storage support’ app, you can mount in Nextcloud any directory that is outside the /var/www/cloud.example.com/data directory of Nextcloud. To prevent errors during future upgrades, it’s recommended to mount a directory that is outside the /var/www/cloud.example.com directory. It should be also readable and writable by the HTTP server user, www-data. Thus, you’ll have to set the following permissions for the directory that you want to mount in Nextcloud:

chown -R www-data:root /path/to/folder
chmod 700 /path/to/folder

A directory that you will want to mount in Nextcloud is /var/bm_archives, where Backup Manager stores the archives of all the important directories and which can also be used to store the archives of applications that you will make manually before upgrading those applications, as we described earlier. Once /var/bm_archives is mounted, you can use Nextcloud to download all the archives in that directory to your computer, when you need to.

To enable the ‘External storage support’ app click on the upper right corner user icon > click on ‘Apps’ > click on the ‘Search’ icon on the Nextcloud upper bar, search for ‘External storage support’ > when the app is found click on ‘Enable’.

We’ll exemplify how to mount an external directory in Nextcloud, using the /var/bm_archives directory.

Click on the upper right corner user icon > Settings > on the left panel, under ‘Administration’, click on ‘External storages’. Next, in the ‘Folder name’ textbox enter the folder name that you want to appear on the ‘Files’ page, for example, Server_Backups; in the ‘External storage’ field choose ‘Local’, in the ‘Authentication’ field choose ‘None’, in the ‘Configuration’ field enter the full path of the folder you want to mount, which in this case is /var/bm_archives, in the ‘Available for’ box choose the users or user groups that will have access to the mounted folder. Next click on ‘Save’. That’s it.

We’ll show later how to configure Backup Manager to save all the backups to /var/bm_archives. In this way, you will be able to download all the backups to your desktop/laptop, with the click of a button, like you would do with any other Nextcloud files or folders. For the moment, set the right ownership and permissions for /var/bm_archives, so that all the archives stored in it could be accessed using Nextcloud’s web interface:

chown -R www-data:root /var/bm_archives
chmod 700 /var/bm_archives

26.7.9.1. Upgrading the ‘External storage support’ app

The ‘External storage support’ app can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that ‘External storage support’ has an active ‘Update’ button, click on it and the new version will be installed.

26.7.10. Install the ‘Antivirus for files’ app

To install the ‘Antivirus for files’ app click on the upper right corner user icon > click on ‘Apps’ > click on the ‘Search’ icon on the Nextcloud upper bar, search for ‘Antivirus for files’ > when the app is found click on ‘Download and enable’. Then go to Settings > Administration > Security > scroll down to the ‘Antivirus for Files’ section, set ‘Mode’ to ‘ClamAV Daemon (Socket)’; in the ‘Socket’ field enter /var/run/clamav/clamd.ctl . You can leave the ‘Stream Length’ set to ‘26214400’ (this value sets the number of bytes read in one pass); you can also leave the ‘File size limit for periodic background scans’ set to ‘-1’, which means no limit of file size; in the ‘When infected files are found during a background scan’ field select ‘Delete file’, to have the infected files deleted right when they reach the server, then click ‘Save’.

To test if ClamAV scans, detects and deletes an infected file, save the following string, in a txt file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This will create a standard antivirus test file. Then put that file in a folder, archive the folder as zip or other archive format, then try to upload the archive to Nextcloud. The upload will begin but then you will see the message: “Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.” and Nextcloud will refuse the upload, so nothing will be saved on the server. Then, the /var/log/clamav/clamav.log file will also mention the detection:

instream(local): Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND

26.7.10.1. Configure ClamAV to periodically scan Nextcloud directories and mail directories

Once Nextcloud and all the important apps are installed, you can configure ClamAV to periodically scan the Nextcloud directories. We’ll also configure ClamAV to scan the mail directories periodically, since they are also very sensitive. This is a reasonable thing to do, because although ClamAV scans files the moment they are uploaded to Nextcloud or the moment emails arrive, at a later date, when the virus signatures get updated, ClamAV can detect viruses that it didn’t detect before, on real-time scanning.

First create a directory to store the scan reports:

mkdir /srv/scripts/detections

Create the cron job:

crontab -e

Enter the following lines:

# Scan the '/var/www/cloud.example.com/data' directory and the '/var/vmail' directory with ClamAV once every three days
20 4 */3 * * cat /dev/null > /srv/scripts/detections/clamav_nextcloud_report && clamdscan --fdpass --quiet /var/www/cloud.example.com/data -l /srv/scripts/detections/clamav_nextcloud_report
40 4 */3 * * cat /dev/null > /srv/scripts/detections/clamav_mail_report && clamdscan --fdpass --quiet /var/vmail -l /srv/scripts/detections/clamav_mail_report

Replace example.com with the main domain on your server.

The results of the periodic scan will be read by ‘System Health and Security Probe’, which we’ll present later, and will be included in the periodic email reports sent to the admin. The results will be displayed also on the dashboard of ‘RED Scarf Suite Panel’, which we’ll also describe later.

26.7.10.2. Upgrading the ‘Antivirus for files’ app

The ‘Antivirus for files’ app can be upgraded like any other Nextcloud application. If you click on the profile picture, then on Apps, and you see that ‘Antivirus for files’ has an active ‘Update’ button, click on it and the new version will be installed.

26.8. Note about the ‘Talk’ and ‘Mail’ apps

The ‘Talk’ app seems very attractive because it promises to allow Nextcloud users to have text, audio and video conversations and even video conference calls. Its main advantage is that it allows quick one-to-one audio/video calls to other users of the same Nextcloud instance or to external users. However, it has a big structural problem: it doesn’t include a signaling server for the WebRTC based audio/video calls. All these calls rely exclusively on peer-to-peer, browser-to-browser data traffic. So, if a user tries to initiate a video conference with more than 4 participants, the bandwidth of each participant will become saturated, and the video conference will stop working. Not to mention that ‘Talk’ doesn’t include a WebRTC-to-SIP gateway, to allow Nextcloud users to call real phone numbers. For these reasons, we didn’t include ‘Talk’ in RED SCARF Suite. Of course, if you think you will only need to have one-to-one audio/video calls or video conferences with 4 participants or less, or that you won’t need to call and receive calls from real phone numbers, you can try installing and using it.

If, on the contrary, you want to use an application that allows good quality text/audio/video conversations with other users, as well as video conferences with an unlimited number of users, which includes a central server (Asterisk, installed on your own server) and also allows calls to/from real phone numbers on the Public Switched Telephone Network (PSTN), then you may want to use Roundpin, an application that we built in order to offer precisely what Nextcloud ‘Talk’ doesn’t offer. Roundpin can be installed independently of Nextcloud and it aims to be a FOSS self-hosted alternative to Zoom, under your full control. Roundpin is part of RED SCARF Suite and further down below we’ll describe how to install and use it.

The ‘Mail’ app can also seem attractive to many Nextcloud users. However, if you install it, you will see that it lacks important features. If you try to use it, you may understand why we didn’t include it in RED SCARF Suite and why Roundcube is the only web based IMAP client that you will need.

26.9. Use Fail2ban to protect Nextcloud against brute-force attacks

First create a Fail2ban configuration file for Nextcloud:

nano /etc/fail2ban/filter.d/nextcloud.conf

Add the following content inside:

[Definition]
failregex = ^{"reqId":".*Login failed: .*\(Remote IP: <HOST>\)".*}$
ignoreregex =

Then edit the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Add the following block under the [phpmyadmin] block:

[nextcloud]
enabled = true
port = 80,443
filter = nextcloud
logpath = /var/log/nextcloud/nextcloud.log
maxretry = 3
bantime = 259200

Restart Fail2ban:

systemctl restart fail2ban

26.10. Installing the Nextcloud Desktop Synchronization Client

Nextcloud can be used without installing a desktop synchronization client. You just upload any files that you want to your Nextcloud server while also keeping the files on your local computer. However, if you want to synchronize a folder (or multiple folders) from your desktop/laptop with your Nextcloud server, so that any file that you save in that folder gets automatically uploaded to Nextcloud, you can install the Nextcloud Desktop Synchronization Client.

To install the Nextcloud Desktop Synchronization Client on Debian 11 run:

apt-get update
apt-get install nextcloud-desktop

Then, you can install the package that integrates the Nextcloud Desktop Synchronization Client with your file manager, as follows:

If your desktop environment is Mate, run:

apt-get install caja-nextcloud

If you are using Gnome run:

apt-get install nautilus-nextcloud

If you are using Plasma run:

apt-get install dolphin-nextcloud

If you are using Cinnamon run:

apt-get install nemo-nextcloud

Please note that even if you install the client while logged in as root, you will not be able to start it as root. To be able to start the Nextcloud Desktop Synchronization Client and connect it to your Nextcloud server, you have to log in to your desktop/laptop as a regular user (we’ll show below how you can actually use the client even logged in as root, but to connect it to your remote server, you have to log in as a regular user).

While logged in as a non-privileged user, create a folder that you want to synchronize with your Nextcloud server, preferably in /home/nameofuser. Give this folder a suggestive name, such as synchronized_with_nextcloud, so, the path of the new folder will be /home/nameofuser/synchronized_with_nextcloud. Then go to the Main Menu > ‘Accessories’ > ‘Nextcloud desktop sync client’. You will see the following screen:

Click ‘Log in’. The next screen will let you enter the URL of your Nextcloud server:

Click ‘Next’.

Click ‘Log in’.

Enter your username and password and click ‘Log in’.

Click ‘Grant access’.

In the next screen, under ‘Server’ select ‘Choose what to sync’ and click the ‘Choose what to sync’ button to choose the remote folder from your Nextcloud server that you want to sync with your local folder. Under ‘Local Folder’ click the button and choose the local folder that you want to sync with the remote Nextcloud folder, namely the folder that you have created earlier, /home/nameofuser/synchronized_with_nextcloud. Then click ‘Connect…’. The two folders will be synchronized automatically and you will see a green tick sign with the name of the remote folder, with the specification: ‘Synchronized with local folder’. Please note that the synchronization process is bi-directional, in the sense that when you add a file in the local folder it will be automatically uploaded to the remote folder and when you add a file to the remote folder, it will be automatically added in the local folder. The same thing will happen when you modify an existing file.

You can sync additional local folders with remote folders. To add a local folder to the sync client, click on the ‘Add Folder Sync Connection’ button on the client’s main screen. You will be able to select a new local folder that you want to sync, then, after you click ‘Next’, you will be able to choose a remote folder to sync with.

Next, click on the ‘General’ tab of the client and under ‘General Settings’ you can check ‘Launch on System Startup’, if you want the sync client to start at system startup.

If you want to use the Nextcloud Desktop Synchronization Client while logged in as root, you will have to start it in command line, under the regular user. To make things simpler, you can create a small script in a directory like /srv/scripts:

mkdir /srv/scripts
cd /srv/scripts
nano nextcloud-sync-client

Add the following lines inside this file:

#!/bin/bash
xhost si:localuser:nameofuser
sudo -u nameofuser /usr/bin/nextcloud

where nameofuser is the username of the regular user that you used to connect the client to your Nextcloud server. Change permissions:

chmod 700 nextcloud-sync-client

Then, when you want to start the client run:

/srv/scripts/nextcloud-sync-client

Before starting, Nextcloud Desktop Synchronization Client will ask you to enter your root password.

In the client’s main screen, if you click on the three dots next to the name of the synchronized remote folder and choose ‘Open folder’, you will open the local synchronized folder.

Please note that if you implement basic HTTP authentication for the login page of Nextcloud (https://cloud.example.com), the sync client will fail to connect to the remote server because it doesn’t have a mechanism to specify the username and password required by basic HTTP authentication. This is the only reason why we didn’t show how to implement basic HTTP authentication when we described how to configure Nginx for Nextcloud. If you are confident that you won’t need Nextcloud Desktop Synchronization Client in the future, you can implement basic HTTP authentication for the Nextcloud login page in the same way as we showed for other applications, such as Dolibarr, to add an extra layer of security to Nextcloud.

Nextcloud also offers a desktop synchronization client for Windows and macOS (https://nextcloud.com/install/#install-clients). However, since we strongly discourage the use of these operating systems, because of their contempt for digital freedom and privacy, we won’t describe how to install and use the sync clients for them.

There are also Nextcloud synchronization clients in the form of mobile apps for Android and iOS (https://nextcloud.com/install/#install-clients). Since we also discourage the use of both Android and iOS because of their digital freedom restrictions and privacy issues, we won’t present how to install and use these apps. The only setup that would be acceptable would be that in which you use a Pinephone and try to install the Nextcloud sync client from F-Droid.

26.11. Upgrading Nextcloud

Before upgrading Nextcloud to a new version, it’s recommended to check if the new version has been tested and confirmed to function well within the suite by visiting this page.

Before upgrading Nextcloud, make sure you backup the Nextcloud database (using phpMyAdmin) and the /var/www/cloud.example.com directory (with the tar czf command). Don’t forget to include the date in the name of the backup files. The built-in updater makes some backups, but it doesn’t backup the Nextcloud database or the /var/www/cloud.example.com/data directory.

You can upgrade Nextcloud by using either the web based updater, or the command line.

It’s easier to use the web based updater.

Before upgrading Nextcloud you should temporarily disable the ‘External storage support’ app, so as to avoid errors during the upgrade process.

To prevent errors caused by Nginx denying access to some directories, you should comment out the deny all; directive in the following paragraphs inside the Nginx block dedicated to cloud.example.com from /etc/nginx/sites-enabled/0-conf, like this:

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
#        deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
#        deny all;
    }

Then reload Nginx:

systemctl reload nginx

To upgrade Nextcloud using the web based method, follow these steps:

  1. When there is a new update available, Nextcloud will display a notification when you log in. Click on the upper right corner user icon > ‘Settings’ > under ‘Administration’ click on ‘Overview’ > under ‘Version’ you will see the ‘Open updater’ button. This button as well as the update notification will only be available if the ‘Update notication’ app is enabled.
  2. Click the ‘Open updater’ button.
  3. Verify the information that is shown and click the button “Start update” to start the update.
  4. In case an error happens or a check fails, the updater will stop and will show a message. You can try to solve the problem and then click the “Retry update” button. This will start the update and re-run the failed step. It will not re-run the previous steps that succeeded.
  5. In case you close the updater before it finished, you can open the updater page again and proceed from the last succeeded step. Closing the web page will still execute the running step but will not continue with the next step, because this is triggered by the open updater page.
  6. Once all steps are executed, the updater will ask you a final question: “Keep maintenance mode active?”. This allows you to use either the web based upgrade page or the command line based upgrade procedure (by running sudo -u www-data php ./occ upgrade from the installation directory, /var/www/cloud.example.com). So, click on ‘No (to use the web based updater)’.
  7. You will see a button with the text: ‘Go back to your Nextcloud instance to finish the update’. Click on it.
  8. You will see a screen with the message:

    “This apps will be updated

    Please make sure that the database, the config folder and the data folder have been backed up before proceeding”

    Click on the ‘Start update’ button.
    That’s it.

After update, undo the changes mentioned earlier to the location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ block and the location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) block in the Nginx server blocks configuration file, reload Nginx, then log in to Nextcloud, go to Settings > Overview. You may see the following warnings:

“No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the documentation.”

This warning should be ignored. The memory cache options recommended by the official Nextcloud documentation for a single server (APCu and Redis) will make no difference at all or will slow down Nextcloud, as our experiments showed. Until we’ll find a way to implement Memcached over Unix sockets as local cache, the best caching solution for Nextcloud is no caching at all.

“The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running “occ db:add-missing-indices” those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.”

Update the indexes manually by running:

cd /var/www/cloud.example.com
sudo -u www-data php ./occ db:add-missing-indices

“The database is missing some primary keys. Due to the fact that adding primary keys on big tables could take some time they were not added automatically. By running “occ db:add-missing-primary-keys” those missing primary keys could be added manually while the instance keeps running.”

Add the missing primary keys by running:

cd /var/www/cloud.example.com
sudo -u www-data php ./occ db:add-missing-primary-keys

“Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running ‘occ db:convert-filecache-bigint’ those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read thedocumentation page about this.”

Make the necessary changes manually by running:

cd /var/www/cloud.example.com
sudo -u www-data php ./occ db:convert-filecache-bigint

If you also see a warning about tha fact that PHP doesn’t have read access to /dev/urandom, just log out, restart Nginx, then log in again.

If after upgrade you experience problems receiving faxes with Pax Fax, go to Settings > Personal > Security > scroll to the bottom of the page, revoke the old Pax Fax app password by clicking on the three dots next to its name, then choosing Revoke. Then enter pax_fax in the box next to the ‘Create new app password’ button, then press the button to create a new password for Pax Fax. Then take the username and the newly created password, log in to your Phaxio account, go to ‘Phone Numbers’, click on the little wheel to the right of your phone number, then enter the new callback URL, containing the username and the new password, like this:

https://username:sJyq3-eflGB-46H2qj-SpZ50-4T7lr@cloud.example.com/apps/pax_fax/api/recfax

where username is your Nextcloud username, sJyq3-eflGB-46H2qj-SpZ50-4T7lr is the newly created app password and cloud.example.com is your Nextcloud domain.

26.11.1. Copy the configuration file outside the web root


Please note that after upgrade, the /var/www/cloud.example.com/config/config.php file is overwritten by Nextcloud, therefore, to increase security, you should copy it outside the web root by running:

cp /var/www/cloud.example.com/config/config.php /srv/scripts/nextcloud.php

Then change ownership and permissions:

cd /srv/scripts
chown www-data:root nextcloud.php
chmod 400 nextcloud.php

Then replace the content of the /var/www/cloud.example.com/config/config.php file with:

<?php include('/srv/scripts/nextcloud.php'); ?>
You can send your questions and comments to: