nextcloud-server

AWS CloudFormation template that provisions an EC2 instance running Nextcloud file synchronization and sharing server, with a new Amazon S3 bucket as primary storage and AWS Backup for data protection. Includes option to mount existing S3 bucket.

Notice

Although this repository is released under the MIT-0 license, its CloudFormation template uses features from Nextcloud project. Nextcloud project's licensing includes the AGPL license.

The template offers the option to install Webmin which is released under BSD-3-Clause license. Usage of template indicates acceptance of license agreements of all software that is installed in the EC2 instance.

Architecture diagram

Deployment from CloudFormation console

Download UbuntuLinux-Nextcloud.yaml file, and login to AWS CloudFormation console.

Start the Create Stack wizard by choosing Create Stack. Select stack template by selecting Upload a template file, Choose File, select your .yaml file and click Next. Enter a Stack name and specify parameters values.

Parameter options

EC2 instance

• ec2Name: EC2 instance name
• ec2KeyPair: EC2 key pair name. Create key pair if necessary
• osVersion: operating system version and processor architecture. Default architecture is Graviton arm64
• instanceType: EC2 instance type. Do ensure type matches selected processor architecture. Default is t4g.xlarge burstable instance type

Network

• vpcID: VPC with internet connectivity. Select default VPC if unsure
• subnetID: subnet with internet connectivity. Select subnet in default VPC if unsure
• displayPublicIP: select No if your EC2 instance will not receive public IP address. EC2 private IP will be displayed in CloudFormation Outputs section instead. Default is Yes
• assignStaticIP: associates a static public IPv4 address using Elastic IP address. Default is Yes

Remote Administration

• ingressIPv4: allowed IPv4 source prefix to remote administration services, e.g. 1.2.3.4/32. You can get your source IP from https://checkip.amazonaws.com. Use 127.0.0.1/32 to block incoming access from public internet. Default is 0.0.0.0/0.
• ingressIPv6: allowed IPv6 source prefix to remote administration services. Use ::1/128 to block all incoming IPv6 access. Default is ::/0
• allowSSHport: allow inbound SSH. Option does not affect EC2 Instance Connect access. Default is No
• installDCV: install graphical desktop environment and Amazon DCV server. Default is No
• installWebmin: install Webmin web-based system administration tool. Default is No

SSH, DCV and Webmin inbound access from internet are restricted to ingressIPv4 and ingressIPv6 IP prefixes.

Nextcloud

• adminUserName: Nextcloud admin username. Default is admin
• phpVersion: PHP version to install. Uses Ondřej Surý's ppa:ondrej/php repository
• databaseOption: MariaDB or MySQL. Default is MariaDB
• r53ZoneID (optional): Amazon Route 53 hosted zone ID to grant access for use with Certbot certbot-dns-route53 DNS plugin. A * value will grant access to all Route 53 zones in your AWS account. Permission is restricted to _acme-challenge.* TXT DNS records using resource record set permissions. Default is empty string for no access

S3

• s3StorageClass: S3 storage class for files in primary storage. Default is STANDARD
• enableS3bucketLogging: enable S3 server access logging. Default is No

S3 External Storage

• externalS3Bucket (optional): option to mount existing S3 bucket within Nextcloud as external storage. Specify bucket name in your account
• externalS3BucketRegion: AWS Region where externalS3Bucket is located
• externalS3BucketStorageClass: S3 storage class

EBS

• volumeSize: Amazon EBS volume size
• volumeType: EBS General Purpose Volume type

AWS Backup

• backupResource: option to backup EC2 instance, S3 bucket, existing S3 bucket mounted as external storage, or none. Versioning must be enabled on S3 bucket mounted as external storage before AWS Backup can back it up. Default is EC2-and-S3
• scheduleExpression: CRON expression specifying when AWS Backup initiates a backup job. Default is cron(0 1 ? * * *)
• scheduleExpressionTimezone: timezone in which the schedule expression is set. Default is Etc/UTC
• deleteAfterDays: number of days after creation that a recovery point is deleted. Default is 7 days

It may take more than 30 minutes to provision the entire stack. After your stack has been successfully created, its status changes to CREATE_COMPLETE.

CloudFormation Outputs

The following are available in Outputs section

• DCVwebConsole (if installDCV is Yes): DCV web browser console URL link. Login as user specified in Description field.
• EC2console: EC2 console URL link to your EC2 instance
• EC2instanceConnect: EC2 Instance Connect URL link. Functionality is only available under certain conditions
• NextcloudLogUrl: Cloudwatch log group with the contents of your EC2 instance nextcloud log
• SetPasswordCmd: command to set Nextcloud admin password
• SSMsessionManager or SSMsessionManagerDCV: SSM Session Manager URL link
• WebminUrl (if installWebmin is Yes): Webmin URL link. Set the root password by running sudo passwd root from EC2instanceConnect, SSMsessionManager or SSH session first
• WebUrl: EC2 web server URL link

Nextcloud admin user password

Use either EC2 instance connect or SSM session manager URL link to obtain in-browser terminal access to your EC2 instance. Copy and paste SetPasswordCmd value to set Nextcloud admin password. For example, if adminUserName value is admin, the command is

sudo -u www-data php /var/www/html/occ user:resetpassword admin

After which, you can login to your Nextcloud application using WebUrl link or proceed to install a HTTPS certificate.

Obtaining certificate for HTTPS using Certbot

The EC2 instance uses a self-signed certificate for HTTPS. You can use Certbot to automatically obtain and install Let's Encrypt certificate on your web server.

Prerequisites

Ensure you have a domain name whose DNS entry resolves to your EC2 instance IP address. If you do not have a domain, you can register a new domain using Amazon Route 53 and create a DNS A record.

Obtain HTTPS certificate

Option 1: Using Certbot Apache plugin

This option requires your domain name to resolve to your EC2 instance public IP address. From terminal, run the below command

sudo certbot --apache

Option 2: Using Certbot certbot-dns-route53 plugin

The certbot-dns-route53 option requires your DNS to be hosted by Route 53. It supports wildcard certificates and domain names that resolve to private IP addresses. Ensure that Route 53 zone access is granted by specifying r53ZoneID value. From terminal, run the below command

sudo certbot --dns-route53 --installer apache

Follow instructions to have Certbot request and install certificate on your web server. Refer to Certbot site for help with this tool.

Configure HSTS

To configure HTTP Strict Transport Security (HSTS) headers, edit *ssl.conf file in /etc/apache2/sites-available/ folder and add the following text between <VirtualHost> and </VirtualHost> rows.

    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

Verify Apache configuration

sudo apachetl -t

Reload Apache server

sudo systemctl reload apache2

Managing and using Nextcloud

Sending email

Nextcloud supports email server for password reset and activity notifications. You can configure Nextcloud to use external SMTP server (e.g. Amazon SES), or sendmail.

When configuring external SMTP server, use 465, 587 or supported port number that is not 25. Amazon EC2 restricts email sending using port 25 on all instances by default. You can request that this restriction be removed if you are using port 25 for external SMTP server or sendmail. Refer to How do I remove the restriction on port 25 from my Amazon EC2 instance or Lambda function? for more information.

Using the occ command

The occ command is Nextcloud's command-line interface. It is used to perform common server operations such as installing and upgrading Nextcloud, and must be run as HTTP user, i.e. sudo -u www-data php /var/www/html/occ. On the EC2 instance, you can use the alias nextcloud.occ.

Mounting external storage services as external storage

Nextcloud external storage feature enables you to mount external storage services including Windows file servers and S3 buckets as secondary storage devices. Refer to NextCloud documentation for details.

Downloads

Desktop and mobile applications download links are available from Nextcloud Install page.

Using Nextcloud

Refer to Nextcloud documentation.

Documentation

Administration guide and user manual are available from Nextcloud documentation site.

Further information

Nextcloud is mentioned by the following blog posts

• Scale your Nextcloud with Storage on Amazon Simple Storage Service (Amazon S3)
• Advanced Nextcloud Workflows with Amazon Simple Storage Service (Amazon S3)

Data protection

S3 primary storage

Amazon S3 is used to provide almost unlimited, cost-effective and durable storage over EBS. Using S3 as primary storage provides performance benefits over S3 as external storage, including support for large file uploads.

Note that files are not accessible outside of NextCloud as all metadata (filenames, directory structures, etc) is stored in MariaDB/MySQL database on EC2 instance. The S3 bucket holds the file content by unique identifier and not filename. This has implications for data backup and recovery, and it is important to backup both EC2 instance and S3 bucket data.

Restoring from backup

If you enable AWS Backup, you can restore your EC2 instance and S3 data from recovery points (backups) in your backup vault. The CloudFormation template creates an IAM role that grants AWS Backup permission to restore your backups. Role name can be located in your CoudFormation stack Resources section where Logical ID is backupRestoreRole.

Recovery points protection

To protect recovery points from inadvertent or malicious deletions, you can enable AWS Backup Vault Lock in compliance mode to provide immutable WORM (write-once, read-many) backups. Vaults that are locked in compliance mode cannot be deleted once the cooling-off period ("grace time") expires if any recovery points are in the vault. Refer to Protecting data with AWS Backup Vault Lock for more information.

Filter IAM policy source IP

Nextcloud server uses EC2 IAM role for S3 primary storage access. If assignStaticIP is Yes, you can limit access to only your Nextcloud server. This ensures that even when the session credentials are stolen, an attacker cannot directly use it to access files from his own address.

The created IAM role can be located in CloudFormation console stack Resources section with Logical ID of instanceIamRole. Click on the Physical ID value to edit inline permission in IAM console. Change aws:SourceIp value from 0.0.0.0/0 to your EC2 instance public IPv4 address. If IP address is 1.2.3.4, your updated policy may look similar to below

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "1.2.3.4/32"
        }
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::nextcloud-s3bucket-8ohvkk9vzv2f",
        "arn:aws:s3:::nextcloud-s3bucket-8ohvkk9vzv2f/*"
      ],
      "Effect": "Allow"
    }
  ]
}

An IAM user with attached policy is used for S3 external storage access. Using EC2 IAM role for external storage currently generates errors in nextcloud.log. (Issue #46400) The IAM user can be located in CloudFormation Resources section where Logical ID is iamUser, and you may want to configure the associated policy aws:SourceIp value.

To use its credentials to mount other S3 buckets in your AWS account as external storage, modify associated IAM policy Resource key and add your desired S3 bucket names. The access key and secret can be retrieved by running sudo grep secret /root/install-nextcloud.sh.

Sensitive data protection

To strengthen data security posture, you can enable Amazon Macie to automate discovery of sensitive data that is uploaded to your S3 bucket

Securing EC2 instance

To futher secure your EC2 instance, you may want to

• Restrict remote administration access to your IP address only (ingressIPv4 and ingressIPv6)
• Disable SSH access from public internet (allowSSHport). Use EC2 Instance Connect or SSM Session Manager for in-browser terminal access. If you have AWS CLI and Session Manager plugin for the AWS CLI installed, you can start a session using AWS CLI or SSH
• Remove DCV web browser client package by running the command sudo apt remove -y nice-dcv-web-viewer. Connect using native Windows, MacOS or Linux client
• Deploy EC2 instance in a private subnet. Use Application Load Balancer and AWS WAF to protect your EC2 instance. You can use AWS Certificate Manager to request a public HTTPS certificate and associate it with your Application Load Balancer
• Enable Amazon Inspector to automatically scan EC2 instance for software vulnerabilities and unintended network exposure
• Enable Amazon GuardDuty and GuardDuty Malware Protection for EC2 to detect potentially malicious activity in your AWS account

Clean Up

To remove created resources,

• Empty created S3 bucket(s)
• Delete recovery points in created backup vault
• Disable EC2 instance termination protection
• Delete CloudFormation stack

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.