
nihilist - 06 / 08 / 2020

Nginx Nextcloud Server Setup

Rent a VPS with Debian 10+ (or run it on your own hardware, but make sure the ports are correctly forwarded so that the public IP points to the machine, as it would with a VPS).

Once you have ssh'd into your debian server, we can start:

Setting up php7.4 and pgsql

First we get every package we need:

apt update -y && apt upgrade -y
apt -y install apt-transport-https lsb-release ca-certificates curl gnupg -y
sh -c 'echo "deb $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
wget --quiet -O - | apt-key add -

apt update -y
apt install sudo socat wget unzip zip postgresql-13 nginx php7.4-{xml,json,intl,dev,common,fpm,curl,cli,pgsql,gd,common,mbstring,zip,soap,bz2} -y

Once that's done, start nginx and cd into /etc/php/7.4/ to edit the two php.ini files and www.conf:

systemctl enable --now nginx
systemctl status nginx

cd /etc/php/7.4/

echo 'date.timezone = Europe/Paris' >> fpm/php.ini
echo 'date.timezone = Europe/Paris' >> cli/php.ini

echo 'cgi.fix_pathinfo=0' >> fpm/php.ini
echo 'cgi.fix_pathinfo=0' >> cli/php.ini

echo 'env[HOSTNAME] = $HOSTNAME' >> fpm/pool.d/www.conf
echo 'env[PATH] = /usr/local/bin:/usr/bin:/bin' >> fpm/pool.d/www.conf
echo 'env[TMP] = /tmp' >> fpm/pool.d/www.conf
echo 'env[TMPDIR] = /tmp' >> fpm/pool.d/www.conf
echo 'env[TEMP] = /tmp' >> fpm/pool.d/www.conf

Once that's done, restart php7.4-fpm and start postgres:

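systemctl enable php7.4-fpm
# restart rather than "enable --now": a unit that is already running is not restarted by it
systemctl restart php7.4-fpm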

systemctl enable --now postgresql 
systemctl status postgresql

Once that's done you will start the postgresql secure installation:

useradd nextcloud -s /bin/bash 
sudo -u postgres psql

CREATE USER nextcloud;
-- the database has to exist before its owner can be changed
CREATE DATABASE nextcloud;
ALTER DATABASE nextcloud OWNER TO nextcloud;
\q

Certbot Certificate and Nginx Configuration

From here we need to install our Let's Encrypt certificate. If you don't have a domain name yet, go get one, or just use the free alternative DuckDNS and get one there; mine currently is

So we know the server is now "". You can browse to it and see that nginx is active. Now we'll install the certificate using certbot:

wget -O - | sh
cd ~
source .bashrc
systemctl stop nginx
--issue --standalone -d -k 4096
systemctl start nginx

This puts the certificate into /root/

Once that's done, we can download the latest nextcloud zipfile:

cd /var/www/
wget -q

unzip -qq
sudo chown -R nextcloud:www-data /var/www/nextcloud

Once that's done, go and modify the nginx configuration:

cd /etc/nginx/sites-available/
wget -O nextcloud.conf
nano nextcloud.conf

From here you need to modify the into whatever your domain name is. From nano you can do CTRL+W ENTER to find where the text is. Do CTRL+X y when you're done, to save the file.

ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/
nginx -t

Once you're here, nginx should say that the configuration doesn't have any errors. Now we need to restart nginx and php7.4-fpm:

nginx -s reload 
wget -O /etc/php/7.4/fpm/pool.d/nextcloud.conf
systemctl restart php7.4-fpm

From here, just browse to your server at and you should be greeted by the following webpage:

Please make sure that each prompt field is correct (apart from the first 2, where you get to pick your admin credentials).

At the top just create the admin account with credentials you choose, then below you need to input the postgresql credentials from earlier: "nextcloud with no password" and you should be able to get in your nextcloud instance:

And we're done! Or so we think! We have been able to install a Nextcloud instance on Debian 10 using DuckDNS, nginx and php7.4-fpm, but we still need to harden it. Check the errors in the overview dashboard and fix them one by one:

Starting with the php memory limit:

vim /etc/php/7.4/fpm/php.ini

memory_limit = 2048M

systemctl restart php7.4-fpm

Next, fix any potential missing php libraries and configure php-apcu:

apt install php-apcu php-imagick php7.4-{bcmath,gmp,imagick} php-xml-svg -y

vim /etc/php/7.4/fpm/pool.d/nextcloud.conf

pm = dynamic
pm.max_children = 120
pm.start_servers = 12
pm.min_spare_servers = 6
pm.max_spare_servers = 18


systemctl restart php7.4-fpm

Now for the memcache error:

vim /var/www/nextcloud/config/config.php


  'memcache.local' => '\OC\Memcache\APCu',


Now for the SVG error:

apt install libmagickcore-6.q16-6-extra -y

Now for the ~/.well-known/webfinger error:

vim /etc/nginx/sites-available/

location ^~ /.well-known {
        # The following 6 rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud.
        # $request_uri is the raw request URI; $uri is already URL-decoded, so an
        # encoded CR/LF in the path would end up in the Location header.
        location ^~ /.well-known            { return 301 /index.php$request_uri; }

        try_files $uri $uri/ =404;
}


systemctl restart nginx

And lastly the default phone region:

vim /var/www/nextcloud/config/config.php


  'default_phone_region' => 'FR',


systemctl restart php7.4-fpm

And at last just refresh your browser:

And that's it! We correctly hardened our nextcloud instance.
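To confirm that the PHP edits above took effect, and to see what the pool settings imply for memory, the following added example (not part of the original tutorial) reads back the effective values. The function names, the sample files and the 4096 MiB RAM figure are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the tutorial). Effective value of KEY in an ini-style
# file: comment lines are skipped and the LAST assignment wins, so a line
# appended with `echo ... >>` overrides an earlier one in the same file.
ini_get() {  # usage: ini_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          sub(/[ \t]*;.*$/, "", v)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Convert a PHP size (2048M, 2G, 524288K, plain bytes) to MiB.
to_mib() {
    case "$1" in
        '')    echo 128 ;;                    # unset: PHP's built-in default is 128M
        *[Gg]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo $(( ${1%?} )) ;;
        *[Kk]) echo $(( ${1%?} / 1024 )) ;;
        *)     echo $(( $1 / 1048576 )) ;;
    esac
}

# Memory needed if every FPM worker reaches memory_limit at the same time.
fpm_worst_case_mib() {  # usage: fpm_worst_case_mib PHP_INI POOL_CONF
    local limit children
    limit=$(to_mib "$(ini_get "$1" memory_limit)")
    children=$(ini_get "$2" pm.max_children)
    echo $(( limit * ${children:-0} ))
}

audit() {  # usage: audit PHP_INI POOL_CONF RAM_MIB ; non-zero if fix_pathinfo is wrong
    local rc=0 worst
    [ "$(ini_get "$1" cgi.fix_pathinfo)" = "0" ] || { echo "FAIL cgi.fix_pathinfo != 0"; rc=1; }
    worst=$(fpm_worst_case_mib "$1" "$2")
    [ "$worst" -le "$3" ] || echo "WARN workers can claim ${worst} MiB, host has $3 MiB"
    return $rc
}

# Constructed sample files so this runs offline; on the server pass
# /etc/php/7.4/fpm/php.ini and /etc/php/7.4/fpm/pool.d/nextcloud.conf.
demo=$(mktemp -d)
printf '%s\n' '[PHP]' ';cgi.fix_pathinfo=1' 'memory_limit = 128M' \
    'memory_limit = 2048M' 'cgi.fix_pathinfo=0' > "$demo/php.ini"
printf '%s\n' '[nextcloud]' 'pm = dynamic' 'pm.max_children = 120' > "$demo/pool.conf"
audit "$demo/php.ini" "$demo/pool.conf" 4096
```

With the values used in this tutorial (memory_limit = 2048M, pm.max_children = 120) the worst case is 245760 MiB, so size pm.max_children against the RAM the host actually has.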


From here you can make backups in case the server goes down, the hard drive gets corrupted, etc. You could use a script like this:

#!/bin/bash
# this must run as root!
if [ "$EUID" -ne 0 ]; then
        echo 'MUST RUN AS ROOT!'
        exit 1
fi

# make sure the path to your user is correct!
cd /var/www/nextcloud/data/nothing/files/ || exit 1

# run it at 3AM
cooldate=$(date --iso-8601)
echo "$cooldate"

# remove any previous archive, then build today's
rm -f backup*.zip
zip -r "backup-$cooldate.zip" /var/www/nextcloud/data/nothing/files/

#rsync "backup-$cooldate.zip" nothing@
rsync "backup-$cooldate.zip" nothing@mainpc:/home/nothing/backup/

# the local copy is no longer needed once it has been sent
rm -f backup*.zip

#crontab -e
#0 3 * * * /bin/bash /var/www/nextcloud/data/nothing/files/

#chmod u+x backup.sh

#BACKUP_SERVER (here its
#use this script to setup the key based ssh authentication, and then make sure your nextcloud server's root user has the private ssh key.

Here I can make rsync log in via ssh to my mainpc host thanks to the private key ssh authentication specified in ~/.ssh/config:

root@home:/var/www/nextcloud/data/nothing/files# apt install rsync -y
root@home:/var/www/nextcloud/data/nothing/files# cat ~/.ssh/config
Host mainpc
        IdentityFile ~/.ssh/mainpc-10.pkey
        User nothing

Of course, you would have created the ssh keys on your remote host (in this case : and placed the private key in the server's /root/.ssh/ folder. As the comments at the end of the script imply, you can set up the cronjob to run every day at 3 AM.

Now in order to mount your files as a webdav share on linux you can do the following:

[ ] [ /dev/pts/42 ] [~]
→ apt-get install davfs2

 [ ] [ /dev/pts/42 ] [~]
→ sudo mkdir /mnt/

[ ] [ /dev/pts/42 ] [~]
→ sudo chown -R nothing:nothing /mnt/

[ ] [ /dev/pts/42 ] [~]
→ sudo mount -t davfs -o noexec /mnt/
Please enter the username to authenticate with server or hit enter for none.
  Username: nothing
Please enter the password to authenticate user nothing with server or hit enter for none.
/usr/bin/mount.davfs: warning: the server does not support locks

[ ] [ /dev/pts/42 ] [~]
→ cd /mnt/

[ ] [ /dev/pts/42 ] [/mnt/]
→ ls
  Caldera   Certs   Cours   Crypto   Documents   id_ed25519   KEEPASS.txt   lost+found   Notes   nothing.ovpn   Passwords.kdbx   Photos   Random_Files   SSH   Templates  ' setup'

Now, in order to make it persistent across reboots, you need to make an fstab entry:

[ ] [ /dev/pts/42 ] [~]
→ sudo vim /etc/fstab

[ ] [ /dev/pts/42 ] [~]
→ cat /etc/fstab

#webdav entry
 /mnt/ davfs _netdev,noauto,user,uid=nothing,gid=nothing 0 0

[ ] [ /dev/pts/42 ] [~]
→ sudo vim /etc/davfs2/secrets

[ ] [ /dev/pts/42 ] [~]
→ sudo cat /etc/davfs2/secrets | tail -n2
# personal webdav, nextcloud application password
/mnt/ nothing "mypassword"

[ ] [ /dev/pts/42 ] [~]
→ sudo mount /mnt/
/usr/bin/mount.davfs: warning: the server does not support locks

And that's it! Your Nextcloud files have been mounted on a Linux host.

[ ] [ /dev/pts/42 ] [~]
→ cd /mnt/

[ ] [ /dev/pts/42 ] [/mnt/]
→ ls -l
total 46
-rw-r--r-- 1 nothing nothing   859 Apr  7  2021
drwxr-xr-x 3 nothing nothing     0 Feb 16 13:14  Caldera
drwxr-xr-x 9 nothing nothing     0 Jan 20 20:54  Certs
drwxr-xr-x 8 nothing nothing     0 Mar 21 20:34  Cours
drwxr-xr-x 2 nothing nothing     0 Oct 27 09:05  Crypto
drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Documents
-rw-r--r-- 1 nothing nothing   411 Apr  7  2021  id_ed25519
-rw-r--r-- 1 nothing nothing    55 Apr  7  2021  KEEPASS.txt
drwx------ 2 nothing nothing     0 Mar 27 14:07  lost+found
drwxr-xr-x 2 nothing nothing     0 Aug 23  2021  Notes
-rw-r--r-- 1 nothing nothing  2914 Apr  7  2021  nothing.ovpn
-rw-r--r-- 1 nothing nothing 40510 Mar 26 21:40  Passwords.kdbx
drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Photos
drwxr-xr-x 9 nothing nothing     0 Mar 25 09:42  Random_Files
-rw-r--r-- 1 nothing nothing     1 May 27  2021
drwxr-xr-x 7 nothing nothing     0 Jul  1  2021  SSH
drwxr-xr-x 2 nothing nothing     0 Apr  7  2021  Templates
drwxr-xr-x 2 nothing nothing     0 Jun  6  2021 ' setup'

Special thanks to skid9000 from the staff for helping me update this tutorial. (23/09/2020)
