Setting up Nextcloud on Amazon Lightsail with an S3 Backend

This post will explain how to set up a Nextcloud server on Amazon Web Services with the following features:

  • based on a virtual Linux server in the Cloud (AWS Lightsail)
    AWS Lightsail is an easy-to-use service from Amazon that lets you spin up a virtual server in less than a minute; the cheapest one is 5 USD/month
  • uses AWS S3 as a storage backend
    AWS S3 is Amazon’s object storage solution; I use it here due to its low cost (100 GB is just 2.45 USD/month)
  • is reachable via the internet at a subdomain of your choosing (e.g. mycloud.example.com)
  • supports HTTPS with CA-signed certificates from Let’s Encrypt
    Let’s Encrypt provides free CA-signed certificates for the average person; they are sponsored by Mozilla, Google and others

This post is split into several parts – here is an outline:

  • Part 1: create a virtual Linux server on AWS Lightsail
  • Part 2: generate credentials for AWS S3
  • Part 3: install and configure Nextcloud
  • Part 4: point your subdomain to the virtual server
  • Part 5: enable HTTPS and create certificates

 

Part 1: Create the virtual server

First, we need to create a server. We will be using a small virtual Linux server which runs Ubuntu.

    1. Log in to AWS Lightsail; create an account if you don’t have one.
    2. Create a new Linux instance running Ubuntu





    3. Your instance should be up and running after a minute or so. To verify this, you can log in to the instance via SSH using the console-button in Lightsail:





    4. Before we start playing with the instance though, there are two more things to do: In the web console, go to manage -> networking to see the network settings for your instance:


    5. Add HTTPS (port 443) to the list of open ports; this will allow incoming connections via HTTPS
    6. Click the button “Create static IP” to get a public IP address that never changes. If you skip this step, Amazon might change your instance’s public IP address during a restart. This would mess up the DNS settings we will put in place later.
    7. Note down the static IP address; we will need it later.

    Part 2: Create a user for AWS S3

    Since we want to use AWS S3 as a storage backend, we need to give your new instance access to the S3 service. We will do this by creating a new user and getting the so-called API-Access Key. This key will then later be used to configure Nextcloud.
    To get your API access key, do the following:

    1. In the Lightsail web page, go to Account -> Advanced; click the link Go to the IAM console



    2. In the IAM console, go to the Users-section and click Add User



    3. Create a new user with the following settings:
      • Username: nextcloud (you can also pick something else if you like)
      • Access type: Programmatic access
    4. Click “Next: Permissions”


    5. Select “Attach existing policies directly”
    6. Filter for “S3” and select AmazonS3FullAccess
    7. Click “Next: Review” and then “Create user”
    8. The new user will be created and Amazon shows you the security credentials. Copy the access key ID and the secret access key – we will need those later.



      Make sure to copy those NOW. Amazon will not show you the secret access key again.
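
The AmazonS3FullAccess policy selected in step 6 allows every S3 action on every bucket in the account, so a key leaked from config.php exposes more than the Nextcloud bucket. As an added example (not part of the original post), this Python script builds a policy limited to the one bucket and flags wildcard S3 grants. The action lists are an assumption about what Nextcloud's object store needs, and the bucket name and FULL_ACCESS sample are constructed.

```python
import json

# Assumption (not from the post): the S3 actions Nextcloud's object store needs.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation",
                  "s3:ListBucketMultipartUploads", "s3:CreateBucket"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]

def scoped_policy(bucket):
    """Build an IAM policy limited to one bucket; CreateBucket covers 'autocreate'."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "NextcloudBucket", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": arn},
            {"Sid": "NextcloudObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": f"{arn}/*"},
        ],
    }

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def overbroad_statements(policy):
    """Return the Sids of Allow statements with wildcard S3 actions or resources."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        touches_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        wild_action = any(a in ("*", "s3:*") for a in actions)
        wild_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if touches_s3 and (wild_action or wild_resource):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample with the shape of a full-access grant: s3:* on every resource.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Sid": "AllS3", "Effect": "Allow",
                              "Action": ["s3:*"], "Resource": "*"}]}

if __name__ == "__main__":
    # Constructed bucket name following the naming pattern suggested in Part 3.
    print(json.dumps(scoped_policy("mycloud.example.com-20240101"), indent=2))
    print("over-broad statements:", overbroad_statements(FULL_ACCESS))
```

The printed JSON can be attached to the nextcloud user as its own policy in place of the managed one; use the same bucket name you later put into config.php.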

    Part 3: Install Snap, Nextcloud and configure S3 access

    In Part 3, we will install Nextcloud and configure it for access to S3. For installing Nextcloud, we will use the pre-packaged Nextcloud Snap. This already comes pre-configured and brings all its dependencies. Plus, it contains an easy-to-use script to add certificates  for HTTPS later.

    1. In the AWS Lightsail web console, click the console-button to log in via SSH.
    2. First, we need to install Snap; Snap is a kind of container/package manager that runs software bundles including all their dependencies; it also keeps those bundles up-to-date automatically. To install snap, simply type:
      sudo apt update
      sudo apt install snapd
    3. Once snap is installed, we can install the Nextcloud Snap:
      sudo snap install nextcloud
    4. Before doing anything else, we need to configure Nextcloud to use S3 as primary storage. To do this, add the following section to /var/snap/nextcloud/current/nextcloud/config/config.php:
      'objectstore' => array(
        'class' => 'OC\\Files\\ObjectStore\\S3',
        'arguments' => array(
          'bucket' => '<choose a bucket name>',
          'region' => '<region where your instance resides, e.g. eu-central-1 for Frankfurt>',
          'autocreate' => true,
          'key' => '<your API key from part 2>',
          'secret' => '<your API key secret from part 2>',
          'use_ssl' => true
        ),
      ),

      A couple of notes on this:

      • Nextcloud will automatically create the S3 bucket you specify in the region that you specify
        Make sure that the S3 bucket and the instance are in the same region to avoid paying cross-region data transfer cost
      • The so-called bucket name is S3-terminology for a folder.
        This name needs to be unique (like an e-mail address). So just using “nextcloud” is not going to work.
        I recommend something like <mycloud.example.com-currentdate>.
      • To edit the config file, you need root-permissions
      • It is important to make this setting BEFORE setting up the admin account for Nextcloud. The reason is that changing the primary storage breaks all user profiles in Nextcloud – this includes the admin profile (see this Issue in Nextcloud’s GitHub for more details).
    5. Now we are ready to set up the Nextcloud admin account and make Nextcloud ready-to-run: In the SSH console type:
      sudo nextcloud.manual-install admin <admin password of your choosing>
    6. Finally, let us add the domains from which Nextcloud will be served. Open config.php for editing again (it looks different this time due to the installation in the previous step).
    7. In config.php, find the section for trusted_domains. Add the IP address of your instance and also the domain:
      'trusted_domains' => array (0 => 'localhost', 1 => '111.122.133.144', 2 => 'mycloud.example.com',),
    8. Restart the Nextcloud snap with
      sudo snap restart nextcloud
    9. Open a browser and visit your IP address: http://111.122.133.144. You should see the login page for Nextcloud. You should be able to log in with your admin password.

    Part 4: Set up Subdomain

    In this chapter, we will point your subdomain (e.g. mycloud.example.com) to the virtual instance’s static IP address. I assume here that you already have a domain registered (e.g. example.com). How exactly this works highly depends on the provider you used for registering the domain. Hence I can only provide an abstract description here:

    1. Go to your domain registrar website (the company where you got the domain) and log in
    2. Open the DNS settings for your domain (example.com)
    3. Create a new A-record that points the subdomain (mycloud.example.com) to the static IP address (111.122.133.144) of your instance, i.e. the A-record should have the following properties:
      • Type: A
      • Name: mycloud
      • Data: 111.122.133.144
    4. It might take a while until this new information has propagated through DNS servers. You can check whether it works by visiting https://www.dnswatch.info/. If you type in your subdomain, and hit the resolve button, it should come up with your instance’s static IP address.
    5. Try to visit your subdomain with a browser; you should see the Nextcloud login page.
      Make sure that this works before attempting to set up HTTPS, otherwise the HTTPS setup will fail.

    Part 5: Set up HTTPS

    Setting up HTTPS involves two steps: configuring Nextcloud to listen on the HTTPS port (i.e. 443) and creating a CA-signed certificate for your domain. Luckily the Nextcloud snap comes with a script for this:

    1. Log in to your instance via SSH (through the Lightsail web page).
    2. In the console, type the following command and follow the instructions
      sudo nextcloud.enable-https lets-encrypt
    3. To confirm that HTTPS works correctly, point your browser to https://<your subdomain>. You should see the Nextcloud login page.

    Aaaand that’s it. Now you can install the Nextcloud client and point it to your subdomain to sync files and folders directly to your hard-drive.

    Additional Info

    Keeping Ubuntu and Nextcloud up-to-date

    Actually, you should not have to worry about updating your machine:

    • the Ubuntu installation comes with a package named unattended-upgrades, that automatically installs security patches
    • Snap should automatically keep Nextcloud updated as well

    Starting/stopping Nextcloud (and related services like MySQL)

    sudo snap stop nextcloud
    sudo snap start nextcloud

    For a complete list of snap commands, type snap help.

     
