Migrating to Nextcloud from ownCloud

James F. Carter <jimc@jfcarter.net>, 2022-09-17

Once again ownCloud has become inoperative after a package update (OpenSuSE Tumbleweed dist-upgrade) that included a minor version update for ownCloud. This happens every year or two and is very annoying. I've decided to take drastic action: to change to a different file sharing service.

Goals

A file synchronization or file sharing service manages a designated directory (or several) on a collection of hosts. If one host creates, changes or removes a file in that directory (recursively), the change is propagated to all the other hosts. An extension is collaborative editing: multiple users have (instances of) the same file open at the same time in the service's augmented editor, and they edit the file coordinately without trashing it.

Major goals, beyond what a file sharing service normally does:

Why not just resurrect ownCloud? I'm pretty sure that a disagreement between the ownCloud tarball and directory ownership by a SuSE package killed my ownCloud installation. In addition, ownCloud seems to have picked up some political issues, referring to its style of support:

This category of software is referred to as a file synchronization service (Wikipedia list). What is available? The Wikipedia list has been filtered to meet these requirements: must be hosted on the user's net, not a commercial service; server must run locally on Linux; must have a generic web interface; must have native clients for desktop Linux, Android, and iOS. (Other people will want Windows and macOS too.)

A big advantage of Nextcloud is that it's very similar technically, if not culturally, to ownCloud, so my work in learning to manage it will be less than for a new package like Seafile.

Preliminary investigation gives me some confidence that Nextcloud is the way of the future, and so I'm going to resurrect my file sharing service by migrating to Nextcloud. Of course ownCloud will not be de-installed until Nextcloud has proven itself operational.

Overview of Nextcloud

Web resources:

Features of Nextcloud, emphasizing those that Jimc is already using (U) or should investigate (I). This list is summarized from the Wikipedia article.

The office suites, per Wikipedia:

OnlyOffice
Wikipedia article about it. It is allegedly FOSS, also available as SaaS (presumably paid). Included features:
Collabora Online
Wikipedia article about it. Built upon LibreOffice (with a formal partnership/sponsorship) but enhanced to handle collaborative realtime editing. Included features:

Overall strategy to install Nextcloud:

The package to be installed is nextcloud-24.0.5-2.1.noarch in the Factory/standard repo (Tumbleweed main repo) (not for Leap). 102Mb compressed, noarch implies that it's all in PHP. It has a few dependencies (PHP modules), under 1Mb. php7-bcmath php7-gmp are recommended; they need to be listed explicitly in extra.sel. 338Mb installed, 22954 files, almost all of them are in /srv/www/htdocs/nextcloud/ .

Product hype says it is currently available on the repos of OpenSuSE Tumbleweed, Arch Linux, Fedora, Debian and Ubuntu, and Alpine Linux has a special repo for it. It's all in PHP, so no architecture limitations. It does require a database (see later for which ones are supported). Hardware that people run it on ranges from Raspberry Pi to Intel NUC to enterprise servers.

Glossary and User Interface for Nextcloud:

Installation Details from the Admin Manual

OK, how do you install it? RPM installation was uneventful but obviously there's a lot more to be done. But the project page doesn't have an obvious link to their installation guide and/or product manual.

Now that the treasure hunt is complete, I'm going to read through most of the document and take notes.

Executing the Installation, Part 1

Setup Activities as the Administrator

Overview

Security and setup warnings (quite a lot of them since I haven't set up anything):

Basic settings

Sharing

Taking all defaults, which are:

Security settings

Taking all defaults.

Theming

Taking all defaults.

Groupware

Taking all defaults. No email provisioning is configured.

Administration privileges

You can delegate to particular group(s) write access to admin setting sections. None are delegated.

Activity

Users could be notified of certain events by email (once an hour, batched?) or push to an app. Events include file/folder modification, sharing, access to a share, PIM object modified, various miscellaneous.

Flows

I assume this is a workflow framework. None are configured; find some in the app store or create your own.

Talk

Taking all defaults. They provide their own STUN server which tells the originator its own wild-side address. A TURN server is a proxy to get through the participant's firewall; it's not configured. For high traffic sites a separate high performance signaling server should be used (vs. the internal one, in PHP, wimpy). This is required for SIP. They have a partner who can sell you this service. See below for an actual test of Talk.

Nextcloud Office

The local CODE (Collabora Online Development Edition) server didn't get installed. Retry loading it from the app store. Or exec:
    php -d memory_limit=512M occ app:install richdocumentscode
Later I got this installed and working; see below.

Usage Survey

Not sent by default, but they want to hear from you.

Logging

This is a display of the server's log messages (most recent first). The log file itself is in the data directory, /home/nextcloud/nextcloud.log. The format is ugly and prolix (489kb); if feasible you should read it on this logging page.

I created a file in /etc/logrotate.d/nextcloud.J . I have a lot of defaults preset; other users may need more commands. Here it is:
/home/nextcloud/nextcloud.log {
    size 200k
    su wwwrun www
    create 644 wwwrun www
}
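
For reading the log file described above without loading the web page, here is an added example (not from the original page or from Nextcloud's code). Nextcloud writes nextcloud.log as one JSON object per line; the sample lines below are constructed, and matching on the "Login failed" message prefix is an assumption about the message text.

```python
import json
from collections import Counter

LEVELS = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"]   # Nextcloud levels 0-4

# Constructed sample lines (not from the author's server); the last is cut short.
SAMPLE_LOG = """\
{"reqId":"a1","level":1,"time":"2022-09-17T10:00:01+00:00","remoteAddr":"192.0.2.10","user":"alice","app":"files","method":"GET","url":"/index.php/apps/files/","message":"listing ok"}
{"reqId":"a2","level":2,"time":"2022-09-17T10:00:05+00:00","remoteAddr":"198.51.100.23","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: bob (Remote IP: 198.51.100.23)"}
{"reqId":"a3","level":2,"time":"2022-09-17T10:00:07+00:00","remoteAddr":"198.51.100.23","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: admin (Remote IP: 198.51.100.23)"}
{"reqId":"a4","level":3,"time":"2022-09-17T10:01:00+00:00","remoteAddr":"192.0.2.10","user":"alice","app":"richdocuments","method":"GET","url":"/index.php/apps/richdocuments/","message":"Failed to fetch capabilities"}
{"reqId":"a5","level":3,"time":"2022-09-17T10:0
"""


def parse(text):
    """Return (entries, skipped): decoded log objects and the count of bad lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1            # e.g. a line truncated mid-write
            continue
        if isinstance(obj, dict):
            entries.append(obj)
        else:
            skipped += 1
    return entries, skipped


def compact(entry, width=100):
    """One short line per entry: time, level name, app, user@address, message."""
    level = entry.get("level", 0)
    name = LEVELS[level] if isinstance(level, int) and 0 <= level < 5 else str(level)
    msg = str(entry.get("message", "")).replace("\n", " ")[:width]
    return (f'{entry.get("time", "?")} {name:5} {entry.get("app", "?")} '
            f'{entry.get("user", "?")}@{entry.get("remoteAddr", "?")} {msg}')


def failed_logins(entries):
    """Count entries whose message starts with 'Login failed', per remoteAddr."""
    return Counter(e.get("remoteAddr", "?") for e in entries
                   if str(e.get("message", "")).startswith("Login failed"))


if __name__ == "__main__":
    entries, skipped = parse(SAMPLE_LOG)
    print("\n".join(compact(e) for e in entries if e.get("level", 0) >= 2))
    print("unparsable:", skipped, "failed logins:", dict(failed_logins(entries)))
```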

System

It has a fairly comprehensive system status display. Sections: OS version; load (stripchart); memory usage (stripchart); disc usage by partition (torus graph); net interfaces status; active users; shares; PHP version; database type and version; external monitoring tool endpoint URL. Running this page runs the load on Jacinth up to 2.5.

Installing Infrastructure Apps

So the settings accessible to the admin user have been reviewed and adjusted where appropriate. The next step is to install infrastructure apps to support this workflow:

Infrastructure apps to be installed from the app store for these goals:

LDAP user and group backend

Most apps are enabled when installed, but not this one, because it requires site-specific configuration. Generic procedure to enable an app:

Specific settings for LDAP: Nextcloud runs on the same host as one of the LDAP servers, so localhost is used and TLS/SSL is not needed.

SSO and SAML Authentication

Published by Nextcloud. Supported auth providers: SAML 2.0 (Shibboleth, Active Directory Federation Services), mod_auth_kerb and any others that use the REMOTE_USER environment variable. mod_auth_kerb is deprecated and has been replaced by mod_auth_gssapi. See jimc's blog post for some hints on how to configure it. Nextcloud setup:

Pico CMS

(Under Tools.) I have important content here and this should be one of the first payload apps installed. It needs both Administrative and Personal setup.

Administrative setup for Pico CMS:

Reviving my Pico CMS website

Installing and Setting Up Clients

These are the Contacts and Calendar connectors on Android and the nextcloud-desktop native app on Linux.

Contacts

To set up the Android client:

Calendars

Setting up the Android client is similar but not identical to Contacts.

Nextcloud-Desktop for Linux

This is the native client app for Linux, which interacts with the Nextcloud server to synchronize files. The package name, in the SuSE Tumbleweed main repo, is nextcloud-desktop.

More Apps to Install

More apps that I should investigate, once basic operation (like contacts and calendars) is working:

Nextcloud Office and Friends

This is the Collabora Online office suite.

Music

(Under Multimedia.) This is mainly a music player, audio and video, but I'm trying out the streaming server feature. I installed it. For the administrator it doesn't have any setup page, but the user needs to do these steps:

Tasks

I installed it on Nextcloud (as admin) and created a task list (as the user). Now, how do I want to use it on my phone? [This turned out to be a messy tangle with success at the end.] I have OpenTasks (org.dmfs.tasks v1.4.2), but never really used it. It appears to be local only; I can't see how to sync it with a server. Following a review I spotted, I replaced it with Tasks.org (Java name: org.tasks) based on the no longer available Astrid. Key features: FOSS; no ads; can sync with generic CalDAV (Nextcloud) and many others. There is a pro version on a begware basis; I don't know what additional stuff you get for this. Setting it up:

Talk

This is the text, voice and video chat client. It was installed by the Setup Wizard as a recommended app. You use it between web app instances (in your and the peer's browser). I thought the Linux and/or Android clients could do Talk autonomously, but they can't. An issue for testing: you aren't allowed to talk to yourself, e.g. on different devices (though there are rumors that that's coming soon).

I'm using Alice and Bob as the peers who are talking, the traditional names in cryptographic documentation. It's also possible to create a multi-user chat room.

Global Setup

This is by nextcloud_admin. I ended up taking all defaults. They have some integration aspects, most of which are not installed by default. They are:

  • Matterbridge Integration: This separate daemon acts as a bridge between any of generic XMPP, Nextcloud, IRC, WhatsApp, Microsoft Teams, and many others that I've never heard of, not including Zoom, Apple's iMessage or FaceTime.
  • Commands: You can execute scripts on the server. A /help command is preset.
  • stun.nextcloud.com:443 is preset as your STUN server (Session Traversal Utilities for NAT, RFC 3489, 5780, 8489), which tells you your wild-side IP address and port if you're behind a NAT box. Your talk protocol will tell a peer to contact you at that address.
  • TURN server: Suppose your net has a firewall preventing remote peers from connecting to you. The TURN server executes on the wild side and it acts as a proxy or unencrypted VPN, and the peers connect to it instead.
  • High performance backend: The low performance signaling server is included, but if you're going to have over 4 participants in a chat, they recommend a separate daemon. The shared secret should be configured in this daemon and in Nextcloud (globally). It appears to not be needed for the low performance signaling server. Self-hosted backend(s) are available, and Nextcloud has a partner that offers (sells, I assume) this service.

User Setup

Each participating user needs to set up Talk, like this:

  • Log in to the web client as the user.
  • Click on the Q icon for Talk.
  • Hamburger - Talk Settings. (Many apps, but not this one, have their settings dialog in user settings, i.e. avatar - Settings - find the line item for the app if any.) Settable items are:
    • Choose which mic and camera, if not unique. Give permission to use the microphone and camera (and remember the decision). The test picture is showing my face, and if I speak, there's a bargraph showing mic activity.
    • Attachments Folder: /Talk (is the default).
    • Share Read-Status
    • Play a sound when a participant joins or leaves the call.
    • There's a table of keyboard shortcuts.
    • Use the X in the upper right corner to close settings.

Create a Conversation and Test It

  • Alice, in the navigation pane, enters bob in the top box Search Conversations or Users. He is found. Hit '+' to the right of the box to add him to (a new) conversation.
  • It is also possible to create a multi-user conversation, the same idea as an IRC chat room or a Zoom meeting. But I didn't test that feature.
  • The conversation now exists. Alice clicks on its navigation line item to join it. But we haven't actually started the call yet. (Close the navigation pane by clicking on the hamburger.)
  • Test one: there's a text entry field at the bottom. Send a text message. Return key, or the right wedge icon at the right of the box, will send out the message, which appears as a pop-up on the peer's Talk window (and various other places can be turned on). I wonder what is the maximum length, if any? I sent 300 bytes at once and it was delivered OK.
  • Test two: there's a microphone icon to the right of the text box. The tooltip says it's for recording a voice message. I didn't do anything more with it.

Video Chat

  • Test three: In the top row, click on Start Call. It shows a camera and mic check picture (Yes I'm on camera). Click on Start Call in the picture. It plays a ringtone.
  • Bob does the same thing except his button is labelled Join Call.
  • When he has joined, a two-part window opens (for each) with the peer's scene and a small instance of the sender's scene. If both of you are in the same room, beware of echoes, which are annoying but seem to avoid diverging to infinity.
  • Along the bottom of the main scene are a microphone and camera icon. If clicked, they mean that you don't receive the audio or video in that scene. But the peer still receives your audio or video. On the top row are mic and camera icons which mute what you send out. Use these to shut up echoes.
  • The Talk app does not influence DPMS. If you don't use the keyboard or mouse for a while, the display will go to sleep. This does not impair the conversation, just your ability to see it. Hit the shift key to wake up the display.
  • To send text during a video call, at the right of the top row there's an icon that looks like a text message. Click; there are several actions on the resulting pane including a text box at the bottom. Type your message and hit Return or the right wedge next to the box.
  • In the top row there's an icon with an up-arrow, which the tooltip identifies as Screen Sharing. One person clicks on it. Select one window, or the entire screen (bottom of the window list). This content is what is sent out as your scene, and both people see it. The cursor is visible when over the window. The icon changes to an X, meaning to stop Screen Sharing.
  • I got stuck in Screen Sharing once: disabled it, but the peer continued to see the shared window (without updates). To recover, I re-enabled Screen Sharing and disabled again; it went back to my camera's view.
  • The … menu in the top row has more actions. Most are on-off toggles.
    • Raise Hand: on other peoples' views (and your own) a hand icon appears next to your name. And the action label changes to Lower Hand.
    • Blur background: It works, but it takes at least twice as much CPU as sending the background as-is.
    • Grid view: everyone's scene is in an equal sized sub-window, vs. using most of the space for the peer or the speaker.
    • Device Settings: Do things to your mic or camera, same dialog as in Talk Settings.

Ending the Call

  • When everyone has clicked on Leave Call, it will end. The last to leave will hear a ringtone, until either someone else joins, or they leave.
  • There is a difference between leaving the call, and leaving the conversation. The conversation still exists and can be revived if participants rejoin the call later. When every participant has left the conversation, it will disappear, unless it has been made persistent in settings.

Right Click

Provides a menu with actions like save, edit, delete… (Under Tools.) Yes it works, except I think the menu only appears in the Files app.

Backup

(Under Tools.) First, find out what it backs up and in what format.

Apps Related to Mail, Etc.

In summary, I already have Roundcube Webmail and I prefer it to Nextcloud's core app, so none of these mail apps made it into production. Nor did any of the etc. apps.

Mail

This is the mail app in the core. How to set it up:

Auto Mail Accounts

When a new user appears, it creates a mail account for them. (Under Tools.) Since I'm not going to use Nextcloud's Mail, I'm also not going to install this one.

RainLoop Webmail

(Under Tools.) Different from the core Mail app. It's specialized for a particular commercial(?) server which seems to be in the process of disappearing. Forget this one.

Welcome

(Under Integration.) It displays a welcome message when a new user first logs in. User turnover doesn't happen on my system, so forget this one.

OIDC Identity Provider and Login

(Under Integration.) I think this is intended for OpenID, and I shouldn't try to improve my single sign-on service at this time.