{"id":48,"date":"2017-12-31T14:10:48","date_gmt":"2017-12-31T12:10:48","guid":{"rendered":"http:\/\/tom.paschenda.org\/blog\/?p=48"},"modified":"2018-01-03T09:12:13","modified_gmt":"2018-01-03T07:12:13","slug":"setting-up-nextcloud-on-amazon-lightsail-with-an-s3-backend","status":"publish","type":"post","link":"https:\/\/tom.paschenda.org\/blog\/?p=48","title":{"rendered":"Setting up Nextcloud on Amazon Lightsail with an S3 Backend"},"content":{"rendered":"<p><a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_loggedin.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-78 size-full\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_loggedin.png\" alt=\"\" width=\"999\" height=\"439\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_loggedin.png 999w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_loggedin-300x132.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_loggedin-768x337.png 768w\" sizes=\"auto, (max-width: 999px) 100vw, 999px\" \/><\/a><\/p>\n<p>This post will explain how to set up a Nextcloud server on Amazon Web Services with the following features:<\/p>\n<ul>\n<li>based on a virtual Linux server in the Cloud (<a href=\"https:\/\/aws.amazon.com\/lightsail\/\">AWS Lightsail<\/a>)<br \/>\nAWS Lightsail is an easy-to-use service from Amazon that lets you spin up a virtual server in less than a minute; the cheapest one is 5 USD\/month<\/li>\n<li>uses\u00a0<a href=\"https:\/\/aws.amazon.com\/s3\/\">AWS S3<\/a> as a storage backend<br \/>\nAWS S3 is Amazon&#8217;s object storage solution; I use it here due to its low cost (100 GB is just 2.45 USD\/month)<\/li>\n<li>is reachable via the internet at a subdomain of your choosing (e.g. 
mycloud.example.com)<\/li>\n<li>supports HTTPS with CA-signed certificates from\u00a0<a href=\"https:\/\/letsencrypt.org\">Let&#8217;s Encrypt<\/a><br \/>\nLet&#8217;s Encrypt provides free CA-signed certificates for the average person; they are sponsored by Mozilla, Google and others<\/li>\n<\/ul>\n<p>This post is split into several parts &#8211; here is an outline:<\/p>\n<ul>\n<li>Part 1: create a virtual Linux server on AWS Lightsail<\/li>\n<li>Part 2: generate credentials for AWS S3<\/li>\n<li>Part 3: install and configure Nextcloud<\/li>\n<li>Part 4: point your subdomain to the virtual server<\/li>\n<li>Part 5: enable HTTPS and create certificates<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Part 1: Create the virtual server<\/h2>\n<p>First, we need to create a server. We will be using a small virtual Linux server which runs Ubuntu.<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Log in to\u00a0<a href=\"https:\/\/lightsail.aws.amazon.com\/\">AWS Lightsail<\/a>; create an account if you don&#8217;t have one.<\/li>\n<li>Create a new Linux instance running Ubuntu<br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_1.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-52\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_1.png\" alt=\"\" width=\"400\" height=\"241\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_1.png 628w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_1-300x181.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><br \/>\n<\/a><br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_2.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-53 \" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_2.png\" alt=\"\" width=\"437\" 
height=\"264\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_2.png 604w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/create_instance_2-300x181.png 300w\" sizes=\"auto, (max-width: 437px) 100vw, 437px\" \/><br \/>\n<\/a><\/li>\n<li>Your instance should be up and running after a minute or so. To verify this, you can log in to the instance via SSH using the console button in Lightsail:<br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/connect_to_instance-1.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-55\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/connect_to_instance-1-300x91.png\" alt=\"\" width=\"300\" height=\"91\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/connect_to_instance-1-300x91.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/connect_to_instance-1.png 592w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/a><br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/console.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-56\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/console-300x159.png\" alt=\"\" width=\"401\" height=\"213\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/console-300x159.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/console-768x408.png 768w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/console.png 888w\" sizes=\"auto, (max-width: 401px) 100vw, 401px\" \/><br \/>\n<\/a><\/li>\n<li>Before we start playing with the instance though, there are two more things to do: In the web console,\u00a0go to <em>manage -&gt; networking<\/em> to see the network settings for your instance:<br \/>\n<a 
href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/network-settings.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-58\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/network-settings-300x255.png\" alt=\"\" width=\"300\" height=\"255\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/network-settings-300x255.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/network-settings-768x653.png 768w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/network-settings-1024x870.png 1024w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/network-settings.png 1087w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/a><\/li>\n<li>Add HTTPS (port 443) to the list of open ports; this will allow incoming connections via HTTPS<\/li>\n<li>Click the button &#8220;Create static IP&#8221; to get a public IP address that never changes. If you skip this step, Amazon might change your instance&#8217;s public IP address during a restart. This would mess up the DNS settings we will put in place later.<\/li>\n<li>Note down the static IP address; we will need it later.<\/li>\n<\/ol>\n<h2>Part 2: Create a user for AWS S3<\/h2>\n<p>Since we want to use AWS S3 as a storage backend, we need to give your new instance access to the S3 service. We will do this by creating a new user and getting the so-called API-Access Key. 
This key will then later be used to configure Nextcloud.<br \/>\nTo get your API access key, do the following:<\/p>\n<ol>\n<li>In the Lightsail web page, go to<em> Account -&gt; Advanced<\/em>; click the link\u00a0<em>Go to the IAM console<br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/lightsail_account_advanced.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-61\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/lightsail_account_advanced-300x166.png\" alt=\"\" width=\"300\" height=\"166\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/lightsail_account_advanced-300x166.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/lightsail_account_advanced-768x425.png 768w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/lightsail_account_advanced.png 935w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/a><br \/>\n<\/em><\/li>\n<li>In the IAM console, go to the Users-section and click\u00a0<em>Add User<br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/iam_console.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-62\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/iam_console-300x279.png\" alt=\"\" width=\"300\" height=\"279\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/iam_console-300x279.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/iam_console.png 533w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/a><br \/>\n<\/em><\/li>\n<li>Create a new user with the following settings:\n<ul>\n<li>Username: nextcloud (you can also pick something else if you like)<\/li>\n<li>Access type: Programmatic access<\/li>\n<\/ul>\n<\/li>\n<li>Click &#8220;Next: Permissions&#8221;<br \/>\n<a 
href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/add_user_permissions.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-63\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/add_user_permissions-300x276.png\" alt=\"\" width=\"300\" height=\"276\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/add_user_permissions-300x276.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/add_user_permissions-768x708.png 768w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/add_user_permissions.png 828w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/a><\/li>\n<li>Select &#8220;Attach existing policies directly&#8221;<\/li>\n<li>Filter for &#8220;S3&#8221; and select AmazonS3FullAccess<\/li>\n<li>Click &#8220;Next: Review&#8221; and then &#8220;Create user&#8221;<\/li>\n<li>The new user will be created and Amazon shows you the security credentials. Copy the access key ID and the secret access key &#8211; we will need those later.<br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/download_api_key.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-64\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/download_api_key-300x99.png\" alt=\"\" width=\"300\" height=\"99\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/download_api_key-300x99.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/download_api_key-768x253.png 768w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/download_api_key-1024x338.png 1024w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/download_api_key.png 1586w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><br \/>\n<\/a><br \/>\n<strong>Make sure to copy those NOW. 
Amazon will not show you the secret access key again.<\/strong><\/li>\n<\/ol>\n<h2>Part 3: Install Snap, Nextcloud and configure S3 access<\/h2>\n<p>In Part 3, we will install Nextcloud and configure it for access to S3. For installing Nextcloud, we will use the pre-packaged\u00a0<a href=\"https:\/\/github.com\/nextcloud\/nextcloud-snap\">Nextcloud Snap<\/a>. This already comes pre-configured and brings all its dependencies. Plus, it contains an easy-to-use script to add certificates for HTTPS later.<\/p>\n<ol>\n<li>In the AWS Lightsail web console, click the console-button to log in via SSH.<\/li>\n<li>First, we need to install\u00a0<a href=\"https:\/\/snapcraft.io\/\">Snap<\/a>; Snap is a kind of container\/package manager that runs software bundles including all their dependencies; it also keeps those bundles up-to-date automatically. To install snap, simply type:\n<pre>sudo apt update\r\nsudo apt install snapd<\/pre>\n<\/li>\n<li>Once snap is installed, we can install the Nextcloud Snap:\n<pre>sudo snap install nextcloud<\/pre>\n<\/li>\n<li>Before doing anything else, we need to configure\u00a0<a href=\"https:\/\/docs.nextcloud.com\/server\/12\/admin_manual\/configuration_files\/primary_storage.html#amazon-s3\">Nextcloud to use S3 as primary storage<\/a>. To do this, add the following section to\u00a0<em>\/var\/snap\/nextcloud\/current\/nextcloud\/config\/config.php<\/em>:\n<pre>'objectstore' =&gt; array(\r\n  'class' =&gt; 'OC\\\\Files\\\\ObjectStore\\\\S3',\r\n  'arguments' =&gt; array(\r\n    'bucket' =&gt; '&lt;choose a bucket name&gt;',\r\n    'region' =&gt; '&lt;region where your instance resides, e.g. 
eu-central-1 for Frankfurt&gt;',\r\n    'autocreate' =&gt; true,\r\n    'key' =&gt; '&lt;your API key from part 2&gt;',\r\n    'secret' =&gt; '&lt;your API key secret from part 2&gt;',\r\n    'use_ssl' =&gt; true\r\n  ),\r\n),<\/pre>\n<p>A couple of notes on this:<\/p>\n<ul>\n<li>Nextcloud will automatically create the S3 bucket you specify in the region that you specify<br \/>\n<strong>Make sure that the S3 bucket and the instance are in the same region to avoid paying cross-region data transfer cost<\/strong><\/li>\n<li>The so-called bucket name is S3-terminology for a folder.<br \/>\n<a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/BucketRestrictions.html\">This name needs to be unique (like an e-mail address)<\/a>. So just using &#8220;nextcloud&#8221; is not going to work.<br \/>\nI recommend something like &lt;mycloud.example.com-currentdate&gt;.<\/li>\n<li>To edit the config file, you need root-permissions<\/li>\n<li>It is important to make this setting BEFORE setting up the admin account for Nextcloud. The reason is that changing the primary storage breaks all user profiles in Nextcloud &#8211; this includes the admin profile (see <a href=\"https:\/\/github.com\/nextcloud\/server\/issues\/5516\"> this issue in Nextcloud&#8217;s GitHub<\/a> for more details).<\/li>\n<\/ul>\n<\/li>\n<li>Now we are ready to set up the Nextcloud admin account and make Nextcloud ready-to-run: In the SSH console type:\n<pre>sudo nextcloud.manual-install admin &lt;admin password of your choosing&gt;<\/pre>\n<\/li>\n<li>Finally, let us add the domains from which Nextcloud will be served. Open config.php for editing again (it looks different this time due to the installation in the previous step).<\/li>\n<li>In config.php, find the section for <em>trusted_domains<\/em>. 
Add the IP address of your instance and also the domain:\n<pre>'trusted_domains' =&gt; array (0 =&gt; 'localhost', 1 =&gt; '111.122.133.144', 2 =&gt; 'mycloud.example.com',),<\/pre>\n<\/li>\n<li>Restart the Nextcloud snap with\n<pre>sudo snap restart nextcloud<\/pre>\n<\/li>\n<li>Open a browser and visit your IP address: http:\/\/111.122.133.144. You should see the login page for Nextcloud. You should be able to log in with your admin password.<br \/>\n<a href=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_login.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-79\" src=\"http:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_login-300x176.png\" alt=\"\" width=\"300\" height=\"176\" srcset=\"https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_login-300x176.png 300w, https:\/\/tom.paschenda.org\/blog\/wp-content\/uploads\/2017\/12\/nextcloud_login.png 751w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<\/ol>\n<h2>Part 4: Setup Subdomain<\/h2>\n<p>In this chapter, we will point your subdomain (e.g. mycloud.example.com) to the virtual instance&#8217;s static IP address. I assume here that you already have a domain registered (e.g. example.com). How exactly this works highly depends on the provider you used for registering the domain. Hence I can only provide an abstract description here:<\/p>\n<ol>\n<li>Go to your domain registrar website (the company where you got the domain) and log in<\/li>\n<li>Open the DNS settings for your domain (example.com)<\/li>\n<li>Create a new A-record that points the subdomain (mycloud.example.com) to the static IP address (111.122.133.144) of your instance, i.e. the A-record should have the following properties:\n<ul>\n<li>Type: A<\/li>\n<li>Name: mycloud<\/li>\n<li>Data:\u00a0111.122.133.144<\/li>\n<\/ul>\n<\/li>\n<li>It might take a while until this new information has propagated through DNS servers. 
You can check whether it works by visiting <a href=\"https:\/\/www.dnswatch.info\/\">https:\/\/www.dnswatch.info\/<\/a>. If you type in your subdomain and hit the resolve button, it should come up with your instance&#8217;s static IP address.<\/li>\n<li>Try to visit your subdomain with a browser; you should see the Nextcloud login page.<br \/>\n<strong>Make sure that this works before attempting to set up HTTPS, otherwise the HTTPS setup will fail.<\/strong><\/li>\n<\/ol>\n<h2>Part 5: Setup HTTPS<\/h2>\n<p>Setting up HTTPS involves two steps: configuring Nextcloud to listen on the HTTPS port (i.e. 443) and creating a CA-signed certificate for your domain. Luckily the Nextcloud snap comes with a script for this:<\/p>\n<ol>\n<li>Log in to your instance via SSH (through the Lightsail web page).<\/li>\n<li>In the console, type the following command and follow the instructions\n<pre>sudo nextcloud.enable-https lets-encrypt<\/pre>\n<\/li>\n<li>To confirm that HTTPS works correctly, point your browser to https:\/\/&lt;your subdomain&gt;. You should see the Nextcloud login page.<\/li>\n<\/ol>\n<p>Aaaand that&#8217;s it. 
Now you can install the Nextcloud client and point it to your subdomain to sync files and folders directly to your hard drive.<\/p>\n<h2>Additional Info<\/h2>\n<h4>Keeping Ubuntu and Nextcloud up-to-date<\/h4>\n<p>Actually, you should not have to worry about updating your machine:<\/p>\n<ul>\n<li>the Ubuntu installation comes with a package named <a href=\"https:\/\/help.ubuntu.com\/lts\/serverguide\/automatic-updates.html\">unattended-upgrades<\/a> that automatically installs security patches<\/li>\n<li>Snap should automatically keep Nextcloud updated as well<\/li>\n<\/ul>\n<h4>Starting\/stopping Nextcloud (and related services like MySQL)<\/h4>\n<pre>sudo snap stop nextcloud\r\nsudo snap start nextcloud<\/pre>\n<p>For a complete list of snap commands, type <em>snap help<\/em>.<\/p>\n<p>&nbsp;<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>This post will explain how to set up a Nextcloud server on Amazon Web Services with the following features: based on a virtual Linux server in the Cloud (AWS Lightsail) AWS Lightsail is an easy-to-use service from Amazon that lets you spin up a virtual server in less than a minute; the cheapest one is 5 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,3],"tags":[],"class_list":["post-48","post","type-post","status-publish","format-standard","hentry","category-amazon-web-services","category-software-development"],"_links":{"self":[{"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/48","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48"}],"version-history":[{"count":21,"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions"}],"predecessor-version":[{"id":87,"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions\/87"}],"wp:attachment":[{"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tom.paschenda.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}