The idea is to take you through all the steps needed to get up and running, some basic familiarity with computers and Linux is assumed, but not a lot.

• Server Setup 1: OS installation
  This goes through a few pre-requisites, and then launches into the installation.
• Server Setup 2: Initial tweaks
  These first few steps will make your life easier when administering this server.
• Server Setup 3: Install Webserver
  We’ll install and test the webserver software – Apache.
• Server Setup 4: Going Public
  Configure the server, DNS and your router to allow public access to a placeholder website.
• Server Setup 5: HTTPS
  Enable secure connections to your new website with Lets Encrypt and certbot.
• Server Setup 6: WordPress Pre-requisites
  Get ourselves ready to install WordPress – we need PHP and a database.
• Server Setup 7: Install WordPress
  Get WordPress installed so you have a functional website!
• Server Setup 8: WordPress tweaks
  A few tweaks to optimise WordPress.
• Server Setup 9: Nextcloud Prep
  Preparatory work before the Nextcloud installation.
• Server Setup 10: Nextcloud Installation
  Get the database and files system configured, then install Nextcloud
• Server Setup 11: Config Improvements
  Some little tweaks to improve the security of our server
• Server Setup 12: Collabora
  Install and configure Collabora Online Development Edition
• Server Setup 13: Security Improvements
  Move the WordPress configuration out of the web root
• Server Setup 14: Backups
  This shows how to collect together all the data you need to completely back up your server.
• Server Setup 15: Optional Extras
  Further optional tweaks to make your installation better.

Now you’re up and running with what should be a stable and secure installation of WordPress and Nextcloud with Collabora.

There are plenty more tweaks you can work on yourself:

Server Administration

• Advanced HTTPS – you can check your config with https://www.ssllabs.com/ssltest/. You have choices about how you want to set up your system – more secure or more compatible with older clients. This tool from Mozilla provides recommendations for the the Apache configuration you need.
• Email configuration – This allows either system to send emails. Best way to do it us an existing email service, and let your server connect to that. s-nail and exim can both do this.
• You can keep you system automatically up to date with the unattened-upgrades package – this keeps your system up to date. If email is configure it’ll send you an summary of what it’s updated.

WordPress:

WordPress relies on htaccess for a few things, mainly nicely writing urls for permalinks. However, .htaccess files have a problem – they’re checked every time someone visits your site. You can reconfigure apache to load the data from the .htaccess file once, instead of on every request.

Be careful, there may be multiple .htaccess files, and some plugins install their own, so use these commands to find them all:

cd /var/www/wordpress
find | grep htaccess

Nextcloud

A few ideas:

• Work your way through the list in administration section – the links to the documentation will help a lot.
• Background jobs: Try setting up a systemd timer or traditional crontab. Have a look in Basic Settings in the Settings menu for an Administrator.
• Scan you installation for security issues https://scan.nextcloud.com/
• Include .htaccess instead of loading it every time, like for WordPress.

User friendliness

These are a few niceties you might try to help with general use:

• Set up passwordless login: https://linuxize.com/post/how-to-setup-passwordless-ssh-login/
• Use tmux to keep you shell sessions alive.

The final of the 3 big pieces – this provides document editing capability in Nextcloud.

Install Collabora

There are a couple of ways to install Collabora, and the recommended way is to use a Docker image. That isn’t ideal for us because the Docker version will use more resources which we can’t afford if you’re running this on something old. Instead, Collabora provide respositories, so these commands will:

1. Install a little tool me we need
2. Get the security keys so the repository is safe to use
3. Add the repository to our /etc/apt/sources.list.
4. Install Collabora

sudo apt install gnupg
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0C54D189F4BA284D
sudo echo 'deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian10 ./' | sudo tee -a /etc/apt/sources.list
sudo apt update && sudo apt install loolwsd code-brand

Configure Collabora

Modify /etc/loolwsd/loolwsd.xml

sudoedit /etc/loolwsd/loolwsd.xml

We’ll disable SSL in collabora itself, because Apache will handle that. Find <ssl desc="SSL settings">. Look at the line below. Change the second-to last word to false. It should now be this:

<enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>

In the line below that, the second-to last word should be true.

<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>

Now find <wopi desc="Allow/de..... Add a line below it, swapping in your Nextcloud domain name, with the dots "." escaped with backslashes "\.".

<host desc="Regex pattern of hostname to allow or deny." allow="true">nextcloud\.example\.org</host>

Save and close the file, then restart Collabora

sudo systemctl restart loolwsd

Test

There isn’t a whole lot of testing we can do on Collabora as an intermediate step, but this will at least confirm the server is running. This command asks Collabora for a file saying what it’s capable of:

cd ~
wget http://localhost:9980/hosting/capabilities

If it seems to run OK, you should now have a file called capabilites in your home (~) directory. Lets look at what’s inside:

cat ~/capabilities

{"convert-to":{"available":true},"hasMobileSupport":true,"hasTemplateSaveAs":false,"hasTemplateSource":true,"productName":"Collabora Online Development Edition"}

Looking good!

Configure Apache

In this situation, all Apache has to do is act as a proxy between Collabora and the internet – we can’t connect it directly because otherwise the other sites (WordPress and Nextcloud) wouldn’t work.

Enable these 3 modules:

sudo a2enmod proxy proxy_http proxy_wstunnel

Edit the main Collabora SSL Apache configuration file:

sudoedit /etc/apache2/sites-available/collabora-le-ssl.conf

Change it to this:

<VirtualHost *:443>
    ServerName collabora.example.org
    ErrorLog ${APACHE_LOG_DIR}/collabora_error.log
    CustomLog ${APACHE_LOG_DIR}/collabora_access.log combined

    SSLCertificateFile /etc/letsencrypt/live/collabora.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/collabora.example.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
	# Encoded slashes need to be allowed
	AllowEncodedSlashes NoDecode

	# Container uses a unique non-signed certificate
	SSLProxyEngine On
	SSLProxyVerify None
	SSLProxyCheckPeerCN Off
	SSLProxyCheckPeerName Off

	# keep the host
	ProxyPreserveHost On

	# static html, js, images, etc. served from loolwsd
	# loleaflet is the client part of Collabora Online
	ProxyPass           /loleaflet http://127.0.0.1:9980/loleaflet retry=0
	ProxyPassReverse    /loleaflet http://127.0.0.1:9980/loleaflet

	# WOPI discovery URL
	ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
	ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery

	# Capabilities
	ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
	ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

</VirtualHost>

Basically, the bits we’ve added are a two-way connector between Apache and Collabora, and it needs slightly different things for all of the different features.

Reload Apache.

Configure Nextcloud

1. Log into Nextcloud with your admin account.
2. Click on the circle with your initial in the top right corner, choose Apps.
3. Click on Office & text from the menu on the left.
4. Find Collabora Online and click Download and enable
   

5. Click on the circle with your initial in the top right corner, choose Settings.
6. Click on Collabora Online near the bottom of the menu on the left.
7. Choose Use your own server
8. Enter your Collabora domain name with the https:// and then hit save.

Now go back to the files section and give it a try!

• You should have the option to create a New Document, New Spreadsheet or New Presentation from the “+” icon.

• Or if you have any files on Open Document (.odt, .ods, .odp) or Open Office XML (.docx, .xlsx, .pptx) formats you can try opening them. They should open for editing in Collabora:

Before enabling public access to Nextcloud, lets take a moment to improve things a little.

Apache Config

First up, let’s force the use of the HTTPS and make sure we haven’t left any security holes by stripping back the HTTP config file to it’s bare bones.

sudoedit /etc/apache2/sites-available/nextcloud.conf

<VirtualHost *:80>
	ServerName nextcloud.example.org
	Redirect permanent / https://nextcloud.example.org/
</VirtualHost>

The default Apache configuration gives access to a little too much – we can lock that down, and just open up the bits we want later with the site-specific configuration files.

sudoedit /etc/apache2/apache2.conf

Look for this section and put a # at the beginning of every line so they’re ignored.

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

Now we have to give access back just where want it:

sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf

Before the ErrorLog line, add this:

<Directory /var/www/nextcloud>
    Require all granted
</Directory>

Then do the same for the WordPress config:

sudoedit /etc/apache2/sites-available/wordpress-le-ssl.conf	

Before the ErrorLog line, add this:

<Directory /var/www/wordpress>
    Require all granted
</Directory>

Restart Apache (you should know how to do that by now – look back through the previous posts until you find it.)

Nextcloud Administration Warnings

Log into your nextcloud administrator account, click on the circle with your initial in the top right corner, choose setttings. On the page that pops up, pick Overview from the menu on the right.

The system will think for a moment, then show a list of warnings:

If your list is the same as mine, I’ll show you how to fix the first 2, but you can work through the others on your own if you like.

PHP Memory Limit

“The PHP memory limit is below the recommended value of 512MB.”

It isn’t essential to fix this, and if you’re running nextcloud on an old, lower powered machine I wouldn’t recommend it, because that’s the limit per script, and a script fires up every time someone access your site, so with a few users doing heavy things, you’ll have a problem.

If you do want to do it, edit the PHP configuration file:

sudoedit /etc/php/7.3/apache2/php.ini

Find this line and change the number to what you want:

memory_limit = 512M

Then restart Apache

Enable HSTS

“The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips .”

You can follow that link in the tip to find out the details of how we fix this, but these are the steps:

Enable the Apache headers module:

sudo a2enmod headers

Modify the Nextcloud apache configuration:

sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf

Add this after the ServerName line:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

And reload Apache

Re-enable public access

Now we’ve dealt with a few potential security issues, you can enable access to Nextcloud from outside you network.

sudoedit /etc/apache2/sites-available/nextcloud-le-ssl.conf

Either delete, or comment out these 3 lines. You can make a line into a comment by putting a # at the beginning of the line. That means it will be ignored.

<Location />
    Require ip xxx.xxx.xxx.0/24
</Location>

Reload apache and you’re done!

Database

Again, same as for WordPress, we need a database and a user. Same command to login as the root database server user:

sudo mysql -u root -p

a similar set of SQL commands to set up the nextcloud database:

CREATE USER 'nc_usr'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS nc_db CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES on nc_db.* to 'nc_usr'@'localhost';
FLUSH privileges;
EXIT;

Disable Public Access – a different way

Like before, we don’t want the Nextclound site to be public until we’ve completed the installation & configuration. On the other hand, we don’t want to do the same as before (cutting our server off from the internet by turning off port forwarding on the router) because we have an active WordPress installation that people might be using.

To do this we’ll tell Apache to only respond to requests (for the Nextcloud site) from your internal network, not from the public internet:

sudoedit /etc/apache2/sites-available/nextcloud.conf

Add this section, just before the ErrorLog line, replacing the xxx.xxx.xxx with the first 3 blocks of your IP address on your network.

<Location />
    Require ip xxx.xxx.xxx.0/24
</Location>

Reload apache:

sudo systemctl reload apache

Download the installer script

Navigate to the nextcloud folder

cd /var/www/nextcloud

Download the installer script, and pass ownership of it and the entire nextcloud folder to www-data (which is apache, remember).

sudo wget https://download.nextcloud.com/server/installer/setup-nextcloud.php
sudo chown -R www-data:www-data /var/www/nextcloud

We should also create a data folder outside the /var/www folder, which improves security:

sudo mkdir /var/nc_data
sudo chown -R www-data:www-data /var/nc_data

Run Installation Script

On the client machine, open a browser and go to nextcloud.example.org/setup-nextcloud.php

You should see the Setup Wizard, most it should be easy to understand, click your way through:

Put a “.” in the box like it says because the Nextcloud installer is already in the correct place

• Enter the details for the database and database user you created above.
• Make an admin account with a strong password.
• Change the data folder to the one we just created: /var/nc_data,
• I’d recommend unticking the Install recommended apps box. You can add them later if you like.

Once this is done you should be able to log in and start using it!

First, we need 1 extra PHP module:

sudo apt install php-gd

Like with WordPress, we’ll create a folder and apache configuration for Nextcloud:

cd /var/www
sudo mkdir nextcloud
sudoedit /etc/apache2/sites-available/nextcloud.conf

And we’ll use essentially the same apache configuration we used for wordpress, with a few tweaks.

<VirtualHost *:80>
    ServerName nextcloud.example.org
    DocumentRoot /var/www/nextcloud
    
    <Directory /var/www/nextcloud/>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews

        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined
</VirtualHost>

We’ll also create a temporary configuration for collabora while we’re here:

sudoedit /etc/apache2/sites-available/collabora.conf

<VirtualHost *:80>
    ServerName collabora.example.org
    ErrorLog ${APACHE_LOG_DIR}/collabora_error.log
    CustomLog ${APACHE_LOG_DIR}/collabora_access.log combined
</VirtualHost>

This is just a barebones template that’s just enough to let us set up HTTPS later.

Enable the sites and reload apache:

sudo a2ensite nextcloud collabora
sudo systemctl reload apache2

DNS

We need to create DNS Entries for Nextcloud and Collabora:

1. Log into the control panel for your domain.
2. Create a CNAME record
   • Domain: e.g. nextcloud.example.org
   • Data: e.g. example.org if you had a fixed IP, or the dynamic DNS server address you created e.g. anotherexample.ddns.net
3. Do the exact same for collabora.example.org

HTTPS

Use certbot again to enable https on both nextcloud.example.org and collabora.example.org

sudo certbot --apache

When it asks you which sites you want to activate HTTPS for, you can select multiple options by putting a comma separated list. You can also choose to allow certbot to automatically reconfigure apache to Redirect (option 2 when it asks you).