Migrating to Nextcloud from ownCloud

Once again ownCloud has become inoperative after a package update (OpenSuSE Tumbleweed dist-upgrade) that included a minor version update for ownCloud. This happens every year or two and is very annoying. I've decided to take drastic action: to change to a different file sharing service.

Table of Contents

• Goals
• Overview of Nextcloud
• Installation Details from the Admin Manual
• Executing the Installation, Part 1
• Setup Activities as the Administrator
• Installing Infrastructure Apps
• Installing and Setting Up Clients
• More Apps to Install
• Apps Related to Mail, Etc.

Goals

A file synchronization or file sharing service manages a designated directory (or several) on a collection of hosts. If one host creates, changes or removes a file in that directory (recursively), the change is propagated to all the other hosts. An extension is collaborative editing: multiple users have (instances of) the same file open at the same time in the service's augmented editor, and they edit the file coordinately without trashing it.

Major goals, beyond what a file sharing service normally does:

• The types of data that jimc currently shares are contact lists, calendars, web pages (see Pico CMS), and generic flat files.
• Possible future shared data types include web browser bookmarks and streaming media.
• The text, voice and video chat features should also be investigated, since on my net, generic XMPP seems to be having support problems.
• For keeping the package up to date, these are my preferences for getting the software:
  • RPMs from OpenSuSE Tumbleweed official repo (when pigs fly).
  • SuSE Open Build Service experimental or community repo.
  • Non-SuSE repo.
  • Tarballs. (See below for finger of blame.)
• I'm making a new rule about backup: all content must be recoverable after a total loss and reinstallation of the file sharing service, as recently happened. The backups shall be in their native formats. Particularly, contacts and calendars shall be in a form (VCF) that can be imported into the new file sharing service instance; a database backup isn't good enough (but will still be done).

Why not just resurrect ownCloud? I'm pretty sure that a disagreement between the ownCloud tarball and directory ownership by a SuSE package killed my ownCloud installation. In addition, ownCloud seems to have picked up some political issues, referring to its style of support:

• They seem to be emphasizing enterprise deployments with paid support, with residence either on the customer's I.T. infrastructure (the original paradigm) or on ownCloud's servers.
• I see few recently added apps in the app store.
• A lot of the non-corporate developers have forked the project into a new one called Nextcloud.
• A large and raucous user base have followed them over, who claim a larger market share than ownCloud, probably referring to a lot of small installations, versus a few installations with a lot of users on each.
• Oooo, Nextcloud has been deployed for GDPR compliance by:
  • French Ministry of the Interior
  • Dutch Ministry of Education
  • German federal government
  • Swedish federal government
• Your legal and security situation is a lot more sanitary if you host your customers' data on your own servers, vs. a commercial service, particularly if you are subject to GDPR in the European Union.

This category of software is referred to as a file synchronization service (Wikipedia list). What is available? The Wikipedia list has been filtered to meet these requirements: must be hosted on the user's net, not a commercial service; server must run locally on Linux; must have a generic web interface; must have native clients for desktop Linux, Android, and iOS. (Other people will want Windows and macOS too.)

• Nextcloud: well liked by the raucous user base.
• ownCloud (community edition): what I'm trying to get away from.
• Seafile (community edition): I hadn't heard about it before, but it's mentioned frequently in research results as another alternative.

A big advantage of Nextcloud is that it's very similar technically, if not culturally, to ownCloud, so my work in learning to manage it will be less than for a new package like Seafile.

Preliminary investigation gives me some confidence that Nextcloud is the way of the future, and so I'm going to resurrect my file sharing service by migrating to Nextcloud. Of course ownCloud will not be de-installed until Nextcloud has proven itself operational.

Overview of Nextcloud

Web resources:

• ownCloud project site
• Nextcloud project site
• Wikipedia article about Nextcloud
• Software repo for Nextcloud

Features of Nextcloud, emphasizing those that Jimc is already using (U) or should investigate (I). This list is summarized from the Wikipedia article.

• Shared use of files by multiple clients. (U)
• Includes Linux desktop, Android and iOS clients, as well as a generic web browser interface. (U) There are also clients for Microsoft Windows, macOS and FreeBSD, but I don't use them.
• Generic WebDAV API (Sabre/DAV) to be used by ad-hoc clients like the contacts and calendar connector. (U)
• There is a backup app in the app store. (I)
• Kerberos authentication (coming someday).
• CalDAV and CardDAV plugins, interoperates with contact and calendar apps on mobile devices, plus viewing and editing cards on the generic web interface. (U)
• Streaming media (Ampache). (I)
• Flat file (and/or Markdown?) editor in Javascript.
• Bookmark server. (I)
• Plugin for Pico CMS, a Content Management System (website content organizer). (U)
• Office suite: OnlyOffice and/or Collabora Online. (I)
• Text, voice and video chat extension, similar features as commercial competitors (but not interoperable). (I)

The office suites, per Wikipedia:

OnlyOffice

Wikipedia article about it. It is allegedly FOSS, also available as SaaS (presumably paid). Included features:

• Document management and sharing. Includes audio and video player. Includes editors for text, spreadsheets, presentation, forms. Can handle collaborative editing.
• Project management: team management, Gantt charts, etc.
• Client Relationship Management. With billing and sales reports.
• Mail client.
• Calendar client inluding making meetings.
• Community or corporate soclal network functions.

Collabora Online

Wikipedia article about it. Built upon LibreOffice (with a formal partnership/sponsorship) but enhanced to handle collaborative realtime editing. Included features:

• Objects that can be edited: text documents, spreadsheets, presentations, vector graphics.
• Revision history and control.
• Integrated text, voice or video chat (while editing) .
• Normally used with the generic web browser interface, but there are native apps (for Collabora, not the Nextcloud native app) for Andoid, ChromeOS, iOS, desktop Linux, Windows, macOS.
• It can work with no Internet connection (airplane mode). (How does this jive with the philosophy that the document never leaves the server?)

Overall strategy to install Nextcloud:

• Relevant data in ownCloud has been backed up properly or has been recovered from the database by cowboy programming.
• The ownCloud installation (damaged) will be left in place until Nextcloud is confirmed working.
• Nextcloud will be installed from scratch. It has extensive features to help migration from other services, particularly ownCloud, but absent a working ownCloud instance, the migration tools will not be feasible to use.
• Then the saved content will be restored and client apps (e.g. contacts on Android) will be reconfigured to use it.
• Finally, when everything seems to be working, ownCloud can be removed.

The package to be installed is nextcloud-24.0.5-2.1.noarch in the Factory/standard repo (Tumbleweed main repo) (not for Leap). 102Mb compressed, noarch implies that it's all in PHP. It has a few dependencies (PHP modules), under 1Mb. php7-bcmath php7-gmp are recommended; they need to be listed explicitly in extra.sel. 338Mb installed, 22954 files, almost all of them are in /srv/www/htdocs/nextcloud/ .

Product hype says it is currently available on the repos of OpenSuSE Tumbleweed, Arch Linux, Fedora, Debian and Ubuntu, and Alpine Linux has a special repo for it. It's all in PHP, so no architecture limitations. It does require a database (see later for which ones are supported). Hardware that people run it on ranges from Raspberry Pi to Intel NUC to enterprise servers.

Glossary and User Interface for Nextcloud:

• Avatar: A picture of you, uploaded to your profile page. 128x128px should be plenty; a giant photo wastes space and time. Keep in mind that it will be cropped to an inscribed circle. If no photo is set, they use the initial letters of your name. The avatar is always(?) visible at the right of the top border. When clicked on, it produces a menu of the most important actions including Logout and Settings (your profile page and more).
• Hamburger: an icon of three horizontal lines, which (at least to Microsoft UI devs) looks a little like an edible hamburger. In the Nextcloud UI it generally is at the upper left of the page. It opens a toplevel navigation menu, including Settings, generally at or near the bottom if existing. To close the navigation pane, either click on the relocated hamburger again, or drag the main page to the left.

Installation Details from the Admin Manual

OK, how do you install it? RPM installation was uneventful but obviously there's a lot more to be done. But the project page doesn't have an obvious link to their installation guide and/or product manual.

• On the front page, scroll down to Use Cases, and at the bottom of the section there's a button titled Get Nextcloud at Home.
• This page gives you an overview of Nextcloud features (product hype), and at the end is a link titled How to Get Started.
• This page turns out to be a set of three links:
  • Commercial providers who host Nextcloud.
  • Nextcloud Install which is the real download page (or root of a set of download pages) for clients, server, documentation, and source code.
  • Dedicated hardware (e.g. NAS boxes) that you can install Nextcloud on.
• The resulting page has a subtle nested list design, and what you want is the Download Server major section, Community Projects, and then under either the Web Installer or Archive paragraphs, find the link to the Nextcloud Admin Manual (which includes installation and server configuration).

Now that the treasure hunt is complete, I'm going to read through most of the document and take notes.

• System requirements for the server:
  • A 64bit CPU and 64bit OS is required for Nextcloud to run well. Implying that you could run it on an old i586 but it will be a slug.
  • Operating system: Linux, OpenSuSE Leap 42.1 (ancient) or later. Similarly for other Linux distros, Nextcloud will tolerate somewhat old OS versions. Since it's all in PHP, if you can get a supported PHP version onto the OS, there should be no problem executing Nextcloud.
  • You can actually run the Nextcloud server on Windows. A virtual machine is recommended and several VM images are available.
  • Database: MySQL 8.0+, MariaDB 10.2 to 10.5, PostgreSQL 10 to 13, SQLite (only for testing and micro instances), Oracle 11g (only with paid enterprise subscription).
  • Webserver: Apache 2.4 with mod_php or php-fpm, or nginx with php-fpm.
  • PHP version: 7.4, 8.0 (recommended), 8.1
  • See Installation on Linux for required PHP modules and additional software possibilities.
• Recommended web browsers: Microsoft Edge, Mozilla Firefox, Google Chrome or Chromium, Apple Safari. Or other browsers based on these.
• Nextcloud deployment recommendations: with a support subscription, you can get detailed recommendations for three size examples: 150 users and 1e10 bytes data; 1000 users and 2e14 bytes data; 1e5 users and 1e15 bytes data. See Nextcloud Global Scale for up to 1e8 users.
• Installation on Linux: You can install their tarball, or distro provided packages, or a Snap Package, or a VM image. They list required and optional PHP modules (investigate php-gmp). A persistent memory cache is recommended such as redis (which I have). You don't need mod_webdav because Sabre/DAV is included (but presence is OK).
• Webserver details: It needs an Apache conf file (provided). You can put Nextcloud as a subdirectory of your webroot, or directly at the root (normally for a vhost). See also the list of required Apache modules. SSL is strongly recommended.
• Using the Installation Wizard: Once you have everything installed, navigate to the magic URL, give the admin loginID and password (to create the admin account), and answer the questions. Specific items:
  • Location of data directory (under Storage and Database). It is hard to change after installation. It should be outside of your DocumentRoot (web page storage). It must already exist and be owned and writable by the HTTP user (wwwrun on SuSE).
  • Choose the database. It will want the loginID and password of the database root user (or an administrator authorized to create databases and users, and to give permission to the newly created admin user). It will create a special database role (with the admin's name prefixed by 'oc_') and will never use the global admin's login again.
  • Finally hit Finish Setup and you're ready to begin setting up Nextcloud.
  • The wizard will install recommended apps like Calendar and Contacts.
  • Before logging in as the admin user, you need to edit config.php listing the trusted_domains. These are hostnames or IP addresses. Clients must use a URL whose host part is one of these hostnames. (These are the hostnames or IPs of the server, not the client.)
• The next step is to install more apps. Here's a list of officially supported apps (vs. 3rd party apps). See below for which ones I installed and how well they worked out.
• User management:
  • You can use LDAP for authentication, if you installed the LDAP app, which I did. Other authentication and single sign-on services are available also.
  • Lacking LDAP, the admin needs to create all the users, with loginID, password, full name and group membership. And e-mail address. Or let the user fill in the full name and the password.
  • The admin group is special: to give admin rights to a user, put them in the admin group. It is possible to delegate portions of admin rights to particular groups. Group admins can control membership of the group.
  • If you forget your password: There is a link on the login screen; if your e-mail address is in your profile, a password reset link can be sent. Or you can ask your admin to reset it. Or use the occ user:resetpassword command (useful if you're the only admin). See the admin manual for the actual command line.

Executing the Installation, Part 1

• Checking required PHP modules:
  • Missing: php7-libxml, php7-session, php7-SimpleXML; these are not explicitly required by the Nextcloud package whereas most or all of the other required ones are listed in the RPM. Nextcloud is running fine without them.
  • Installed with another spelling: php7-XMLReader → php7-xmlreader, php7-XMLWriter → php7-xmlwriter .
  • Required modules installed on Jacinth: php7-7.4.30-1.3.x86_64, php7-ctype, php7-curl, php7-dom, php7-gd, php7-json, php7-mbstring, php7-openssl, php7-posix, php7-zip, php7-zlib
  • Recommended but not installed: (none)
  • Recommended and is installed: php7-fileinfo, php7-intl, php7-bz2
  • Required for specific apps, and installed: php7-ldap, php7-imagick, php7-imap, php7-exif, php7-pcntl, php7-bcmath, php7-gmp
  • Other modules: we have libxml2-2-2.10.1, minimum is 2.7.0. We have php7-redis .
  • Database connector: php-pdo_pgsql is provided by php7-pgsql, installed.
  • For preview generation: php7-imagick, ffmpeg, LibreOffice (have all 3).
  • All needed modules were already installed or otherwise provided, except for the missing set, which are nowhere to be found on OBS. Nextcloud seems to run OK without them.

• Apache setup:

  • Base URL will be https://www.jfcarter.net:1445/nextcloud . The nextcloud RPM package installs into /srv/www/htdocs/nextcloud .
  • Nextcloud uses an Apache conf file or snippet that aliases the base URL. (For ownCloud I just used a symlink, but Nextcloud needs some more tweaking.) The package provides this file in /etc/apache2/conf.d/nextcloud.conf. I moved it into vhosts.d/nextcloud.incl and made a dummy file under the original name so package upgrades won't resurrect it. The 1445 and 1446 vhosts will include it. [Done]
  • The above conf file provides RewriteRules that create aliases in /.well-known/ for carddav, caldav, and several others. Clients use these aliases to autodetect DAV services.
  • Nextcloud requires mod_rewrite and recommends mod_headers, mod_env, mod_dir and mod_mime. mod_dav is not required (presence is OK); Nextcloud instead uses Sabre/DAV.
  • Restart Apache after making these changes.

• By default they put the data dir in /srv/www/htdocs/nextcloud/data . Pre-create a data directory in a place that my backup scheme will accept, owned and writable by the HTTP user. For many people, /home is a lot better place than in the software installation directory.

  • mkdir /home/nextcloud .
  • chmod 750 /home/nextcloud
  • chown wwwrun:www /home/nextcloud #The HTTP user in SuSE

• Instructions for database configuration from the admin manual.

  • I'm using PostgreSQL for my database. The procedure for MariaDB (MySQL) is generally similar. You need to do some configuration in PostgreSQL before you run the Setup Wizard (or manual equivalent).
  • Decide whether you want PEERCRED authentication, in which the Nextcloud administrator is a UNIX user, or password authentication. PEERCRED is better in that the client connects to the PostgreSQL socket, and the engine knows authoritatively the UID that the client is executing as. But that would be wwwrun (Apache user), which therefore would have to do su to the admin (or some equivalent) and would give a password to do su. Better to just do password auth, like with MySQL. The notes below are for password auth.
  • Edit /etc/php7/conf.d/pgsql.ini with the configuration they give you.
    • [PostgresSQL]
    • pgsql.allow_persistent = On
    • pgsql.auto_reset_persistent = Off
    • pgsql.max_persistent = -1
    • pgsql.max_links = -1
    • pgsql.ignore_notice = 0
    • pgsql.log_notice = 0
  • pdo_pgsql.ini is in the same directory; it contains extension=pdo_pgsql.so and is correct as installed.
  • Edit ~/pgsql/data//pg_hba.conf letting in oc_nextcloud_admin. Nextcloud prepends oc_ to the admin's name that you give. The first matching row is the only one used, so these additions should be early.

    (Type)	(Database)	(DB Role)	(From Host)	(Mechanism)
    local	nextcloud	oc_nextcloud_admin		md5
    host	nextcloud	oc_nextcloud_admin	samehost	md5

  • Now you're ready to run the Setup Wizard. Or to create the database by hand.

• Do one or the other of these instruction sets; this one is for the Setup Wizard.

  • Navigate to the base URL. Lacking configuration, it will run the Setup Wizard.
  • Create an admin account. Fill in the new loginID and password. For me the loginID is nextcloud_admin (without oc_ prepended); password is (wouldn't you like to know; it's in Bitwarden). Leave them filled in and continue to…
  • Into the Data Folder box, fill in /home/nextcloud which you just created and re-owned.
  • Click on Storage & Database.
  • For the database engine, I prefer PostgreSQL (click on it).
  • A form appears; fill it out:
    • Database user: postgres
    • Database password: Find it in ~postgres/.pgpass
    • Database name: nextcloud (without oc_)
    • Hostname: localhost:5432
  • Hit Install. It circulated for 5 to 10 mins, and finally came up with a page of recommended apps that it wanted to install!
  • When finished installing, in config.php it adds 'installed' => true, I'm not sure when or how this happens on a manual installation.

• These instructions are for creating the database by hand.

  • Start a session as the postgres master user. (Or another user who has permission to create users and databases.) Normally the connect string (with password) is saved in ~postgres/.pgpass . Beware, check in /etc/passwd if the postgres user has a shell, and if not, either fix it or provide -s /bin/bash to the su command.
    su postgres -s /bin/bash -c "psql"
  • Issue these commands via psql; this is for password auth. Mind the ending semicolons. Pick or generate a decent password.
    create user oc_nextcloud_admin with password 'qwerty';
    create database nextcloud encoding 'UNICODE' owner oc_nextcloud_admin;
    grant all privileges on database nextcloud to oc_nextcloud_admin;
    \q (to quit)
  • To check your work, su to wwwrun and give this command:
    su wwwrun -s /bin/bash -c "psql nextcloud oc_nextcloud_admin"
    (It will ask for the admin password.)
    \l nextcloud
    (Should describe the nextcloud database with arcane permissions for oc_nextcloud_admin.)
    \q (to quit)

• For both the Setup Wizard or hand creation, review and/or fix up /srv/www/htdocs/nextcloud/config/config.php .

  • Database type: PostgreSQL
  • Database user: oc_nextcloud_admin (not postgres, needs oc_)
  • Database PW: The one specified when this user was created by hand, or the admin password given to the Setup Wizard
  • Database name: nextcloud (without oc_)
  • Database host: localhost:5432 (is the default; maybe '' is better)
  • trusted_domains -- Add the rest of them, see below.

• The trusted domains started out with just 'www.jfcarter.net:1445' which is the official base URL. The complete list is:
  'jfcarter.net:1445',
  'www.jfcarter.net:1445',
  'www.cft.ca.us:1445',
  'jacinth.jfcarter.net:1445',
  'jacinth.cft.ca.us:1445',
  'jfcarter.net:1446',
  'www.jfcarter.net:1446',
  'www.cft.ca.us:1446',
  'jacinth.jfcarter.net:1446',
  'jacinth.cft.ca.us:1446',
  'localhost',
  '127.0,0,1',
  '192.9.200.193',

Setup Activities as the Administrator

• This is what happens at the end of the Setup Wizard. I didn't do a total manual installation so I'm only guessing that all these steps need to be done by hand. The wizard auto logs you in as the admin user; on the manual installation the login would be manual too.

  • First it installs the recommended apps, which are:
    • Calendar
    • Contacts
    • Collabora Online
    • Collabora Online Builtin CODE Server (dependency) (which failed, not much error info, fix later)
    • Mail (later I de-installed it)
    • Talk
  • Then it opens up the admin user's dashboard, taking a while to init everything. You end with a big white rectangle and a right arrow; action icons along the top are not active, except X(close). This is a product hype intro slideshow for Nextcloud Hub II, but the first frame did not auto start. Hitting the right arrow showed frame 2, and the left arrow brought back frame 1 with animated content. On about frame 4 there are links to native apps on your favorite download sites, plus links to connect calendar, contacts, etc. The next frame has links to the admin manual, forums, etc.
  • Cute frog picture. The dashboard seems to be reasonable.

• How to log out from the web interface: click on your avatar (picture or initials at upper right), and in the resulting menu, log out is the bottom item. If you don't log out your cookie will remain valid (I'm not sure how long) and when you navigate to Nextcloud again your session will resume.

• I added to Bitwarden the userID and password for nextcloud_admin.

• Anyone in the admin group can do administrative things. To find admin settings, click on nextcloud_admin's avatar (upper right corner). Pick Settings. The Personal Info page will open by default. Click on the hamburger at the upper left corner. Scroll past the Personal categories and find Administration, then choose from there. The sections below are all the Administration activities.

Overview

Security and setup warnings (quite a lot of them since I haven't set up anything):

• The PHP memory_limit is below recommended 512M. Find it in /etc/php7/apache2/php.ini (we're using mod_php). As installed it's 128M (megabytes). [Raised it.]
• You aren't resolving some URLs in /.well-known/ . I fixed up the RewriteRules for this in /etc/apache2/conf.d/nextcloud.conf and got rid of all the setup warnings, but some of the URLs seem not too functional. /.well-known/$service (where service is host-meta, host-meta.json, nodeinfo, webfinger) returns JSON saying message: $service not supported. But /.well-known/caldav and carddav are functioning OK.
• Verify your e-mail server configuration under Basic Settings, then hit the button to send a test message. [Set up.] This is how the admin gets problem reports.
• In config.php, insert 'default_phone_region' => 'US'. [Done]
• You need a memory cache.
  • Yes we do have redis running, but it's an instance: redis@owncloud. Copy /etc/redis/owncloud.conf to nextcloud.conf, and it needs mode 640 root:redis because it contains a password. Change owncloud to nextcloud wherever occurring: unixsocket, pidfile, logfile, dir. Create the dir directory. Start the redis instance now and enable to start at boot:
    systemctl enable --now redis@nextcloud
  • Oops, permission denied on /run/redis/nextcloud.sock. nextcloud.conf needs unixsocketperm 770, and wwwrun to be in group redis. (And reload apache2 to get the new group.)
  • Yes we do have package php7-redis.
  • See the admin manual for the php7-redis parameters to add to /etc/php7/apache2/php.ini .
  • But the overview still thinks the cache is not configured. Reasons why this message is bogus:
    • strace on the redis process says something was using the cache.
    • /var/log/redis/nextcloud.log says something was using the cache.
    • The Nextcloud log GUI shows no log messages when the overview is reloaded.
    • Forum posters mention that this message sometimes won't go away despite troubleshooting.
• The PHP OPcache needs configuration, and the default sized buffer is nearly full. This message self healed, and apparently correct config items were already present in /etc/php7/apache2/php.ini and also cli and fastcgi. Values are equal to those recommended in forum posts. I didn't do it; I assume it's the default from PHP7.
• This is Nextcloud-24.0.5 which is up to date. Stable update channel.

Basic settings

• Background job(s) aren't getting run. Default is AJAX, but they want you to use cron [doing it] to execute (by wwwrun) cron.php every 5 mins. cron.php is in the Nextcloud installation root. A forum post had one person's list of background jobs and I'm judging that once an hour is plenty for me.
• Background jobs cont'd: Calendar event notifications are sent via background jobs, so they must be run frequently enough. Reverting to every 5 minutes.
• More on background jobs: The frequent job execution caused cronj to fail its functional test (though other cronj jobs seemed to run even so). Rather than diverting to debug cronj, I made a systemd timer/service unit. Now cron.php gets run and other cronj jobs also get run on schedule.
• Profile (for new users): Enabled (is the default)
• Email server: is set up and tested.
• Collaborative Tags: None have been set up.

Sharing

Taking all defaults, which are:

• Allow apps to use the Share API.
• Allow users to share via links and emails; allow public uploads.
• Allow username autocompletion in share dialog.
• Default share permissions: Create, Change, Delete, Reshare (i.e all permissions).
• Federated Cloud Sharing: Allow foreign shares in and out, search public global address book, allow users to publish data in a public global address book.
• No trusted servers have been configured. You can still federate to arbitrary servers, but trusted servers get more privileges.
• User can share by mailing a link that contains (?) a password. More likely it contais an encrypted field saying what is shared plus a HMAC to reveal fraudulent alteration. Reply to initiator is enabled.

Security settings

Taking all defaults.

• Two factor authentication: Allowed but not required.
• Server-side encryption: Off. Mind the performance penalty if you turn this on. It refers to encrypting everything in the data directory (data at rest) and decrypting it when sent out.
• Password policies:
  • Minimum length 10, no history, no expiry, don't block after N failed logins.
  • Blacklist common passwords.
  • Rules about password complexity: all are disabled.
  • Check on haveibeenpwned.com (list of stolen passwords).
  • Note: Since I'm using LDAP for authentication, except for nextcloud_admin, no users will ever change their password through Nextcloud and these rules will never be consulted.
• Brute force attack resistance: no addresses are whitelisted.
• OAuth 2.0 Clients: None configured.

Theming

Taking all defaults.

Groupware

Taking all defaults. No email provisioning is configured.

Administration privileges

You can delegate to particular group(s) write access to admin setting sections. None are delegated.

Activity

Users could be notified of certain events by email (once an hour, batched?) or push to an app. Events include file/folder modification, sharing, access to a share, PIM object modified, various miscellaneous.

Flows

I assume this is a workflow framework. None are configured; find some in the app store or create your own.

Talk

Taking all defaults. They provide their own STUN server which tells the originator its own wild-side address. A TURN server is a proxy to get through the participant's firewall; it's not configured. For high traffic sites a separate high performance signaling server should be used (vs. the internal one, in PHP, wimpy). This is required for SIP. They have a partner who can sell you this service. See below for an actual test of Talk.

Nextcloud Office

The local CODE (Collabora Online Development Edition) server didn't get installed. Retry loading it from the app store. Or exec:
php -d memory_limit=512M occ app:install richdocumentscode
Later I got this installed and working; see below.

Usage Survey

Not sent by default, but they want to hear from you.

Logging

This is a display of the server's log messages (most recent first). It's in the data directory, /home/nextcloud/nextcloud.log. The format is ugly and prolix (489kb); if feasible you should read it on this logging page.

I created a file in /etc/logrotate.d/nextcloud.J . I have a lot of defaults preset; other users may need more commands. Here it is:
/home/nextcloud/nextcloud.log {
size 200k
su wwwrun www
create 644 wwwrun www
}

System

It has a fairly comprehensive system status display. Sections: OS version; load (stripchart); memory usage (stripchart); disc usage by partition (torus graph); net interfaces status; active users; shares; PHP version; database type and version; external monitoring tool endpoint URL. Running this page runs the load on Jacinth up to 2.5.

Installing Infrastructure Apps

So the settings accessible to the admin user have been reviewed and adjusted where appropriate. The next step is to install infrastructure apps to support this workflow:

• A new user logs in using Kerberos (GSSAPI), X.509 certificate, or a password.
• A small amount of provisioning happens automatically.
• The user can use the various payload apps.

Infrastructure apps to be installed from the app store for these goals:

LDAP user and group backend

Most apps are enabled when installed, but not this one, because it requires site-specific configuration. Generic procedure to enable an app:

• Log in as nextcloud_admin.
• Click on your avatar (upper right corner).
• In the resulting menu pick Apps. You get a list of installed apps.
• Apps that need updates are listed first. Do any necessary paranoid research, then hit the Update button.
• Scroll down and find your app (LDAP backend). Hit Enable. If it's already enabled the button will be labeled Disable, so leave it alone. The other 4 apps installed in this phase were already enabled.
• Click on your avatar again. Pick Settings. You get your profile page.
• Click on the hamburger (3 lines, upper left corner). A list of activities appears, divided into Personal and Administration sections. But focus is still in the profile page. Click on the hamburger to close the activity list. Click on the hamburger again to bring back the activity list. Now focus is on the list and you can scroll it. Watch out for behavior changes in this area due to bug fixes.
• Scroll down and find your app (LDAP backend). Some apps like Pico CMS have two line items, one under Personal for your personal use of the app, and another under Administration for system-wide settings.

Specific settings for LDAP: Nextcloud runs on the same host as one of the LDAP servers, so localhost is used and TLS/SSL is not needed.

• Server: name is localhost, port 389. Credential is not used, leave blank. Base DN could not be auto detected; for me it's the realm with each component prefixed by dc=: dc=cft,dc=ca,dc=us (and test it: OK). Filters: leave blank, mine is a small directory.
• Users: object class posixAccount (was autodetected). No group restriction because server has no member-of index. I didn't monkey with the LDAP query. Hit verify: 91 users found.
• Login attributes: search by user name (vs. email or other) (is the default). I didn't monkey with the generated query. Fill in a loginID known to exist, and hit Verify: it's there.
• Groups: object class posixGroup (was autodetected). Pick any number of required groups: users in my case. I assume, but haven't seen documentation, that you can have zero groups (no group restriction) or multiple groups and a user in any of these groups can log in. I didn't monkey with the generated query. Hit Verify: 1 group found.
• I read, but didn't alter, the Advanced and Expert tabs.
• I'm assuming that the configuration has already been saved and I can just navigate to a different page. Confirmed.
• Logging out. The logout item is at the bottom of the avatar menu. Logging in: it let me on! (With the welcome slideshow that won't auto play.)

SSO and SAML Authentication

Published by Nextcloud. Supported auth providers: SAML 2.0 (Shibboleth, Active Directory Federation Services), mod_auth_kerb and any others that use the REMOTE_USER environment variable. mod_auth_kerb is deprecated and has been replaced by mod_auth_gssapi. See jimc's blog post for some hints on how to configure it. Nextcloud setup:

• First choose between the builtin SAML provider, or an environment variable (set by the webserver's auth module).
• Logging in with your regular Nextcloud account won't be possible any more, unless you go directly to this URL: https://www.jfcarter.net:1445/nextcloud/index.php/login?direct=1
• Only allow authentication if an account exists in LDAP (or alternative provider). Turn on.
• Attribute to map the UID to: What are they asking for? In the SAML branch, with OneLogin as the provider, PersonImmutableID is the correct attribute. It seems there are a whole lot of SAML identity providers. But for environment variables I get no hits on Google. But this has got to be the name of the variable. Trying it.
• When you log in, the SAML app maunders Your account is not provisioned (before getting my loginID). Logging in to the fallback URL above and deactivating SAML SSO. [Done, it worked.] I'll try to debug this later.

Pico CMS

(Under Tools.) I have important content here and this should be one of the first payload apps installed. It needs both Administrative and Personal setup.

Administrative setup for Pico CMS:

• Restrict to group(s): none configured, everyone can use it.
• Custom themes: none installed.
• Custom plugins: none installed.
• Custom templates: just the provides defaults: empty, sample_pico.
• Webserver: enable short URLs (turn on). You can still use the long style.
  Short style: https://www.jfcarter.net:1445/nextcloud/site/itsname/
  Long style: https://www.jfcarter.net:1445/nextcloud/index.php/apps/cms_pico/pico/itsname/
  The trailing slash is required; if missing, links in the index page will replace the website identifier, rather than being appended as they should be.
• Webserver: mod_proxy (for Apache). To make the short style happen, you need to enable Apache mod_proxy and mod_proxy_http, and to add the code that they give you to the other Nextcloud configurations in apache.conf or equivalent. You can also use a RewriteRule but the result is to rewrite short URLs into long URLs which get sent back to the client's web browser. So mod_proxy is recommended. Equivalent code is also provided for nginx. [Done.]

Reviving my Pico CMS website

• On the web app, which you could have reached either by logging in or via the activity icon group on the systray icon pop-up, click on your avatar, pick Settings, Hamburger, Pico CMS, fill out the New Website form. The website's name is free-format text (short) and may contain blanks and punctuation. The identifier becomes the name of the site's toplevel directory. It may contain lower case letters, digits, hyphen and underbar; no upper case, no blanks, no dots or other punctuation.
• Give the desktop client a moment (under 1min) to sync, signalled by the systray icon changing to blue circle arrows. The systray icon popup also has a list of recent sync events that you can check.
• Copy (rsync or a substitute) the backed-up content from wherever you backed it up into the toplevel directory of the newly created website, as found in your ~/Nextcloud directory. The restored content will be synced to your server, and from there to other logged-in clients.
• The Pico CMS settings page has a list of your websites, and each one's row has a … menu including Go To Website. The resulting URL (for me) is
  https://www.jfcarter.net:1445/nextcloud/index.php/apps/cms_pico/pico/itsname/
  The short URL feature lets it accept this URL instead:
  https://www.jfcarter.net:1445/nextcloud/sites/itsname/
  The trailing slash is needed (in both forms) so links in the index page will be appended to the website identifier. Without the slash, the link targets replace the website identifier, and of course are not found.

Installing and Setting Up Clients

These are the Contacts and Calendar connectors on Android and the nextcloud-desktop native app on Linux.

Contacts

To set up the Android client:

• Log in as the user (yourself) to the Nextcloud web app. From the top row pick Contacts.
• It says, There are no contacts yet, which is correct.
• Click the hamburger (upper left corner), producing an index pane. Settings is at the bottom. Click it.
  • Sort by: (I picked last name)
  • Update avatars (leave it turned off)
  • Contacts… You can copy the link, download the address book, rename it, disable, or delete it. Under sharing (branched icon) you could share your address book with other users or groups. Unfortunately the copied link is just a <li> tag, not the URL. What it should have said is, https://www.jfcarter.net:1445/nextcloud/remote.php/dav/
  • Recently Contacted… You can copy a link to this, download it, or delete it (on the server?). I just left it alone.
  • Add Net Address Book. (I didn't.)
  • Import Contacts. I'm going to import them from my phone, which has the intact list. (Men plan, God laughs.)
• I have the latest contacts file squirreled away on the backup server and I have permission to read it. (Should I have permission? I don't think so.)
• On the Android-12 device, open Settings-Passwords & Accounts-jimc(CardDAV)-Edit Settings-Well, you can't change the provider URL on this page.
• Open the CardDAV Sync app. You can't edit the URL here either; you have to delete the ownCloud account, losing the phone's cache of the ownCloud contact list, and then add the Nextcloud account. Go back to the Nextcloud web app.
• On the web app, I'm going to import the backup VCF file of my contacts. Open Contacts-Settings-Import. Select local file. (Or I could import from Nextcloud shared files if it were there.) Doing it… 68 vCards imported, 1 error occurred, didn't say what the problem was. Attila the Hun has 2 vCards; this is probably the error. They differ in the Notes field, otherwise identical. I counted 68 cards in the list.
• Testing: I inspected in detail the vCards for Tim Wang, Attila the Hun, Jim Carter. They had all relevant fields except the group (called CATEGORIES in the VCF file); jimc's photo was there.
• The cards used to be all in groups. 3 groups were honored (correctly), the rest were forgotten. Hiss, boo, I'm going to have to set most of their groups again. [Done.]
• Very nice, you can generate a QR code from the … menu on the top row of an individual contact page, or download just that one vCard (or delete it). Both Android and iOS can read this QR code and import the contained vCard.
• Adding an account on the phone, from the CardDAV-Sync app:
  • Click on Add Account.
  • From the list of preconfigured providers, pick CardDAV (top of list).
  • Fill out the form: server name is www.jfcarter.net:1445 (no schema, it can auto-detect the path, and the port is needed only if nonstandard, like mine). Yes use SSL (is preselected). Give your user name and password as if logging into the web app. No client cert, later try to get this working. Hit Next.
  • Yes it autodetected the correct path. Pick Contacts (and skip Recently). Hit Next.
  • Pick an account title. Default would be jimc@www.jfcarter.net. I'm appending /NC. Hit Finish. It claims to have succeeded.
  • Edit sync settings: I took all the defaults.
    • Not one way sync, I want bidirectional.
    • Policy: phone always wins.
    • Auto sync: Yes (is the default).
    • Sync interval: 1 day.
  • Hit Done. Yes it synced and the contacts are all here, in groups as seen on Nextcloud, i.e. minus all but 3 groups.
  • In Settings, I now have the jimc@www.jfcarter.net/NC account, and also Contacts(jimc@www.jfcarter.net/NC). The latter is a workaround for an Android design glitch. Unless you have multiple address books from the same server, ignore it and use the main account for sync and other management. See the Contacts account's About note for more explanation.
• Back on the accounts page, remove the ownCloud account.

Calendars

Setting up the Android client is similar but not identical to Contacts.

• Log in to the Nextcloud web app. From the top row pick Calendar.
• In Hamburger - Calendar Settings, the bottom item is Show Keyboard Shortcuts. They actually work. The top item is to import a calendar.
• In the Hamburger's pane, the top row has a date navigator; click in the center for a calendar widget. The second row has buttons for New Event, Today (go to it), and View (meaning daily, weekly, monthly; click for a menu). You can enable or disable calendars on the following rows, and the … menu has an item to export the calendar.
• The calendar starts out empty. So we can tell that the calendar is working, create an event.
• Adding an account on the phone, from the CalDAV-Sync app:
  • Click on Add Account.
  • From the list of preconfigured providers, pick CalDAV (top of list).
  • Fill out the form: server name is www.jfcarter.net:1445 (no schema, hope it auto-detects the path). Yes use SSL (is preselected). Give your user name and password as if logging into the web app. No client cert, later try to get this working. Hit Next.
  • Yes it autodetected the correct path. Pick Personal (and skip Birthdays, it does just fine to get this from the local cache of contacts). Hit Next.
  • Provide (or fix) your e-mail address, for sending reminders. It uses this e-mail address for the calendar's title; you could have edited the title separately for Contacts. Hit Finish. It claims to have synced successfully.
  • Edit sync settings: I took all the defaults except raised the sync interval from 6hr to 1day. Long term sync (1 week) was preselected.
  • Hit Done. Yes it synced and the calendar event is there.
• Back on the accounts page, remove the ownCloud account.

Nextcloud-Desktop for Linux

This is the native client app for Linux, which interacts with the Nextcloud server to synchronize files. The package name, in the SuSE Tumbleweed main repo, is nextcloud-desktop.

• Command line: zypper install --no-recommends --download-as-needed nextcloud-desktop
• It installs dependencies, total of 18 packages. Download size 59Mb, installed (decompressed) 189Mb (oink). Without --no-recommends it would install GeoClue (geoclue2) and 3 dependencies, as well.
• See the Nextcloud Client Manual, starting with Using the Synchronization Client, for how to configure it and to use it.
• On OpenSuSE It's in the desktop app menu under Accessories. Launch it. Later you will want to make it start at login.
• A login screen appears. Pick Login. (Other choices are Sign Up With Provider, or Host Your Own Server, which you've already done.)
• It wants the URL of the server: https://www.jfcarter.net:1445/nextcloud
• It opens a new tab/window in your browser. Log in.
• Hit the Grant Access button. Upon success, close the window. The result of this is a persistent cookie on the client which it can use to reconnect on subsequent restarts, without a password.
• Back in the client setup window, it has preset a connection between you@server/nextcloud and the local directory ~you/Nextcloud, which does not exist yet. You can change the name.
• Below that, configure sync; I took the default, which is to sync everything.
• Hit Connect. It reports sync progress (23Mb including a lot of product hype), then closes the window. The systray now has an icon of a green checkmark, which is good.
• In the out of the box installation, the largest files are Nextcloud\ manual.pdf (12.7Mb), introductory video (3,9Mb), Photos/Library.jpg (2.2Mb), other photos (3.3Mb total). Many of these could be deleted once you've taken a look at them.
• If you right click on the systray icon you get a menu, including Settings. I took all the defaults, including Launch on System Startup. System Startup for Linux has got to mean on login because the user lacks permission to start system services at boot time. But on Windows, a user could actually have this process start at boot time.
• Your default presence status is offline (invisible). To change your presence status, you can left click on the systray icon, click on your avatar, hit the … icon, and pick Status from the menu. (This set of pop-up windows is volatile; if focus goes elsewhere they vanish.)
• Similarly, left click on the systray icon, and notice at the right side of the top row a grouping of four activity icons. Click on it and you get a menu of 7 popular apps; click on one and its page will open in a new tab/window of your browser.
• Next to the apps grouping is a Q for the talk app. See below for testing.
• See the client manual for discussion of a lot more features.
• You should create needed directories and deposit files in them; they will be synced to the Nextcloud server and will be shared with yourself on other devices, and with other users according to your sharing settings. You can also delete cruft like product hype, once you have looked it over. Don't delete the sync metadata.

More Apps to Install

More apps that I should investigate, once basic operation (like contacts and calendars) are working:

Nextcloud Office and Friends

This is the Collabora Online office suite.

• The Collabora Online Builtin CODE Server (under Integration) needs to be installed. The Setup Wizard tried to install it, but there was an unspecified error. Need to try this again. Now it's installed. There are versions for ARM64 and x86_64; get the right one.
• You could also have installed the standalone server, which is better if you have a lot of users, because the builtin one is in PHP so it's a bit slow, and it lacks certain large-scale features for which it is obviously unsuitable.
• It works with the Collabora Online frontend, which is titled Nextcloud Office. The current version, for Nextcloud-24.x, is v6.2.1. It's already installed and enabled, from the Setup Wizard. Its icon seems to be a standard document symbol (rectangle with text lines and a folded corner). So why don't I see it in my apps bar? Because you bring it into action by opening a file of the appropriate type, which the program recognizes by its name extension.
• Log in as nextcloud_admin. Hit avatar, settings, hamburger, scroll down into the admin half and find Office (icon of document). I ended up taking all the defaults. If a server is reachable you won't have to activate Nextcloud Office.
  • It says Collabora Online server is reachable.
  • 3 choices for which server to use: your separate server, the CODE server (if you installed it, I did so), or a demo server. The CODE server was preselected and I kept that.
  • I left all the Advanced settings turned off. These are described in Nextcloud Office App Settings.
  • There are 4 slots for global templates. All are empty.
• It does have a personal settings page. To find this, log in as yourself (vs. nextcloud_admin), hit avatar, settings, hamburger, scroll down in the navigation pane to find its line item. The only configurable item is the template directory. There's a file browser icon, for the Nextcloud shared file collection. Do I have any templates? It turns out that there's a toplevel directory called Templates with a bunch of them. Pick this one.
• I copied the Elegant.odp template to toplevel, and renamed it to something more prosaic, testdoc.odp (using the Rename item in its … menu in the file browser). Clicked in its name. It turns out to be a presentation slideshow and it opens in an editor. Hit the X in the upper right corner to close it.
• For a textual document the extension is .odt. To create a new document without copying a template, the top row of the file browser has a '+' icon. Click; the menu has a bunch of object format choices, of which one is new document. Click on that. Then pick a template, and hit Create. It opens in a rich text editor.

Music

(Under Multimedia.) This is mainly a music player, audio and video, but I'm trying out the streaming server feature. I installed it. For the administrator it doesn't have any setup page, but the user needs do these steps:

• Launch Music from your icon bar (2 eighth notes). It says No Music Found, which is correct because it only looks in the Nextcloud shared directory.
• Hit the hamburger. Find and click on Settings at the very bottom of the navigation pane.
• Specify the path to your music collection. The first directory name starts with a slash and refers to a directory in the root of your Nextcloud directory. Whatever media files are in this dir will be synced to all your participating devices.
• I already have a music colledtion, just on one server, served by Icecast. I had hoped to try out Nextcloud's Ampache implementation to send it out, maybe as an improvement over Icecast. But syncing 2Gb of music tracks to each of my devices is not exactly my preferred use case.
• A symlink to the music files, outside the Nextcloud directory, is ignored and is ineffective (but with no error message), because if the symlink were synced to (e.g.) a cellphone, its referent would definitely not exist on the cellphone.
• Brainwave: let's try populating the music dir with hard links to the existing media files. But now the files are inside the Nextcloud directory and they will be propagated to all participating devices. Also if a track were synced back from another device to the server, almost certainly the old directory entry would be tossed, reducing the inode's llink count by 1, and replaced by a link to the newly received instance of the file, which would remain separate from the pre-existing, formerly multi-linked instance of the file. Again that's not my desired use-case.

Tasks

I installed it on Nextcloud (as admin) and created a task list (as the user). Now, how do I want to use it on my phone? [This turned out to be a messy tangle with success at the end.] I have OpenTasks (org.dmfs.tasks v1.4.2), but never really used it. It appears to be local only; I can't see how to sync it with a server. Following a review I spotted, I replaced it with Tasks.org (Java name: org.tasks) based on the no longer available Astrid. Key features: FOSS; no ads; can sync with generic CalDAV (Nextcloud) and many others. There is a pro version on a begware basis; I don't know what additional stuff you get for this. Setting it up:

• It opens with a blank screen. Hit the hamburger (lower left corner). Select Settings (at the bottom).
• Not Signed In: Select a protocol (CalDAV).
• Blecch, syncing with the nonlocal provider requires a subscription. This means a Google Play subscription, or a Github sponsorship. The latter means you create a persistent relation (involving money) with a particular Github account (an individual or a company account). Details, like the amount of payment, are not clear yet. They take credit cards, or Paypal.
• Once you set up your subscription, your Server Type is Nextcloud. The URL can be just the schema and hostname; it will use the server's .well-known RewriteRule to autodetect the URL of the calendar collection. It requires your userID and password on the Nextcloud server.
• I'm not sure I'm going to use this a lot on the phone; I'm going to defer setting up the task app. The Nextcloud app has a generic file browser including an editor, and a media player, but does not include a user interface for other apps such as Tasks. For the time being, I'll use the web interface on the phone. Which is useable with the portrait oriented mobile device theme for Tasks.
• A new day dawns, and my CalDAV Sync app notifies me that if I would reinstall OpenTasks (org.dmfs.tasks) I could use the tasks calendar that it found on Nextcloud. I reinstalled OpenTasks, and this time it found the remote tasks calendar with no help from the user. So I now have a working Tasks app on the phone.

Talk

This is the text, voice and video chat client. It was installed by the Setup Wizard as a recommended app. You use it between web app instances (in your and the peer's browser). I thought the Linux and/or Android clients could do Talk autonomously, but they can't. An issue for testing: you aren't allowed to talk to yourself, e.g. on different devices (though there are rumors that that's coming soon).

I'm using Alice and Bob as the peers who are talking, the traditional names in cryptographic documentation. It's also possible to create a multi-user chat room.

Global Setup

This is by nextcloud_admin. I ended up taking all defaults. They have some integration aspects, most of which are not installed by default. They are:

• Matterbridge Integration: This separate daemon acts as a bridge between any of generic XMPP, Nextcloud, IRC, Whatsapp, Microsoft Teams, and many others that I've never heard of, not including Zoom, Apple's iMessage or FaceTime.
• Commands: You can execute scripts on the server. A /help command is preset.
• stun.nextcloud.com:443 is preset as your STUN server (Session Traversal Utilities for NAT, RFC 3489, 5780, 8489), which tells you your wild-side IP address and port if you're behind a NAT box. Your talk protocol will tell a peer to contact you at that address.
• TURN server: Suppose your net has a firewall preventing remote peers from connecting to you. The TURN server executes on the wild side and it acts as a proxy or unencrypted VPN, and the peers connect to it instead.
• High performance backend: The low performance signaling server is included, but if you're going to have over 4 participants in a chat, they recommend a separate daemon. The shared secret should be configured in this daemon and in Nextcloud (globally). It appears to not be needed for the low performance signaling server. Self-hosted backend(s) are available, and Nextcloud has a partner that offers (sells, I assume) this service.

User Setup

Each participating user needs to set up Talk, like this:

• Log in to the web client as the user.
• Click on the Q icon for Talk.
• Hamburger - Talk Settings. (Many apps, but not this one, have their settings dialog in user settings, i.e. avatar - Settings - find the line item for the app if any.) Settable items are:
  • Choose which mic and camera, if not unique. Give permission to use the microphone and camera (and remember the decision). The test picture is showing my face, and if I speak, there's a bargraph showing mic activity.
  • Attachments Folder: /Talk (is the default).
  • Share Read-Status
  • Play a sound when a participant joins or leaves the call.
  • There's a table of keyboard shortcuts.
  • Use the X in the upper right corner to close settings.

Create a Conversation and Test It

• Alice, in the navigation pane, enters bob in the top box Search Conversations or Users. He is found. Hit '+' to the right of the box to add him to (a new) conversation.
• It is also possible to create a multi-user conversation, the same idea as an IRC chat room or a Zoom meeting. But I didn't test that feature.
• The conversation now exists. Alice clicks on its navigation line item to join it. But we haven't actually started the call yet. (Close the navigation pane by clicking on the hamburger.)
• Test one: there's a text entry field at the bottom. Send a text message. Return key, or the right wedge icon at the right of the box, will send out the message, which appears as a pop-up on the peer's Talk window (and various other places can be turned on). I wonder what is the maximum length, if any? I sent 300 bytes at once and it was delivered OK.
• Test two: there's a microphone icon to the right of the text box. The tooltip says it's for recording a voice message. I didn't do anything more with it.

Video Chat

• Test three: In the top row, click on Start Call. It shows a camera and mic check picture (Yes I'm on camera). Click on Start Call in the picture. It plays a ringtone.
• Bob does the same thing except his button is labelled Join Call.
• When he has joined, a two-part window opens (for each) with the peer's scene and a small instance of the sender's scene. If both of you are in the same room, beware of echoes, which are annoying but seem to avoid diverging to infinity.
• Along the bottom of the main scene are a microphone and camera icon. If clicked, they mean that you don't receive the audio or video in that scene. But the peer still receives your audio or video. On the top row are mic and camera icons which mute what you send out. Use these to shut up echoes.
• The Talk app does not influence DPMS. If you don't use the keyboard or mouse for a while, the display will go to sleep. Not impairing the conversation, just your ability to see it. Hit the shift key to wake up the display.
• To send text during a video call, at the right of the top row there's an icon that looks like a text message. Click; there are several actions on the resulting pane including a text box at the bottom. Type your message and hit Return or the right wedge next to the box.
• In the top row there's an icon with an up-arrow, which the tooltip identifies as Screen Sharing. One person clicks on it. Select one window, or the entire screen (bottom of the window list). This content is what is sent out as your scene, and both people see it. The cursor is visible when over the window. The icon changes to an X, meaning to stop Screen Sharing.
• I got stuck in Screen Sharing once: disabled it, but the peer continued to see the shared window (without updates). To recover, I re-enabled Screen Sharing and disabled again; it went back to my camera's view.
• The … menu in the top row has more actions. Most are on-off toggles.
  • Raise Hand: on other peoples' views (and your own) a hand icon appears next to your name. And the action label changes to Lower Hand.
  • Blur background: It works, but it takes at least twice as much CPU as sending the background as-is.
  • Grid view: everyone's scene is in an equal sized sub-window, vs. using most of the space for the peer or the speaker.
  • Device Settings: Do things to your mic or camera, same dialog as in Talk Settings.

Ending the Call

• When everyone has clicked on Leave Call, it will end. The last to leave will hear a ringtone, until either someone else joins, or they leave.
• There is a difference between leaving the call, and leaving the conversation. The conversation still exists and can be revived if participants rejoin the call later. When every participant has left the conversation, it will disappear, unless it has been made persistent in settings.

Right Click

Provides a menu with actions like save, edit, delete… (Under Tools.) Yes it works, except I think the menu only appears in the Files app.

Backup

(Under Tools.) First, find out what it backs up and in what format.

Apps Related to Mail, Etc.

In summary, I already have Roundcube Webmail and I prefer it to Nextcloud's core app, so none of these mail apps made it into production. Nor did any of the etc. apps.

Mail

This is the mail app in the core How to set it up:

• Each user sets it up individually, except there's an app that presets a template for newly appearing users, which I haven't configured yet.
• When you start it for the first time, it wants you to tell it the IMAP and SMTP servers. First trying the Auto tab; it pre-fills your Name, which I take to be your full name for the From header, your e-mail address (but you have to add the realm), and your password, which presumably is your Nextcloud password. Is it going to try to use MailRoute as my IMAP provider? There was an error while setting up your account (but it doesn't say what the error was).
• Trying the manual tab. For the IMAP protocol it preselects intrinsic SSL/TLS (port 993). This is deprecated in favor of STARTTLS on 143 (which I changed to), but it will never die. STARTTLS on 587 is the default for SMTP. I just had to fill in smtp.jfcarter.net for both the servers.
• It failed to contact smtp.jfcarter.net. Duh, this is just a MX record, not a CNAME.
• I changed servers to jacinth.cft.ca.us. IMAP connection failed. telnet jacinth.cft.ca.us 143 works and offers STARTTLS, but if you accepted that offer, Jacinth's host cert (the one used by the Dovecot IMAP server) certifies (various).jfcarter.net but not jacinth.cft.ca.us, and things go downhill from there.
• I retyped my password for IMAP. Its length is the same as the prefilled one. I wonder exactly where it came from and how securely it's stored.
• I changed servers to jacinth.jfcarter.net. Now it connects!
• The UI shows your inbox (the whole thing, scroll through it) including the subect and the first line of each message. In the hamburger pane you have an option to Show All Mailboxes (to revert, pick Collapse Mailboxes at the end). Click on a line item and it shows the message, in HTML if available or neatened text/plain if not.
• In Mail Settings, top posting is the default but you can tell it to use proper etiquette on this. For encryption they encourage you to install Mailvelope (which I've tangled with…) But my interest is in signing mail, not encrypting it.
• I composed and sent a test message to myself. It showed up in my inbox after about 30 secs, and Nextcloud popped a notification on the desktop. The message was automatically classifed as important (you can turn this off). It was purely text/plain; HTML and MD were rendered as-is. If there was an option to switch to a real HTML composer, I didn't find it. I don't see any setting to have the composer include a signature block.
• From Roundcube I sent a text/html message. In the mailbox list the HTML was stripped out (just the element's body), though the emoji was rendered. In the message viewer the HTML was shown properly, plus the emoji. Roundcube's Enigma plugin signed the message, and in Nextcloud I could have downloaded it and checked it by hand, but Nextcloud does not know how to vaildate it.
• Conclusion: this app isn't bad as a simple mail reader, but I get a lot more, that I need, from Roundcube. Keep it simple: I'm going to deinstall/deactivate Nextcloud's mail app.

Auto Mail Accounts

When a new user appears, it creates a mail account for them. (Under Tools.) Since I'm not going to use Nextcloud's Mail, I'm also not going to install this one.

RainLoop Webmail

(Under Tools.) Different from the core Mail app. It's specialized for a particular commercial(?) server which seems to be in the process of disappearing. Forget this one.

Welcome

(Under Integration). It displays a welcome message when a new user first logs in. User turnover doesn't happen on my system, so forget this one.

OIDC Identity Provider and Login

(Under Integration.) I think this is intended for OpenID, and I shouldn't try to improve my single sign-on service at this time.