Moving Nextcloud to the DMZ

Introduction

This journal entry was written by me, Brandon Nolet, in the context that I’ll be moving my Nextcloud installation to my router’s virtual DMZ.

Preamble

A while ago I wrote a post about moving my self-hosting setup onto a Raspberry Pi. This was written before I realized that my incoming port 443 is not blocked by my ISP at my connection to the internet. The reason that’s important is that without port 443, I would have to use an external service to redirect connections to the port to the correct one before they get to my IP. I would have to set up port forwarding as well.

Without port 443 being blocked, none of that is required and I can already make the move for the portion already at home a little easier. Prior to this post, my Nextcloud installation was residing behind a reverse proxy located on a VPS with Digital Ocean, which connects to a port that’s forwarded to the internal reverse proxy.

Pre-Installation

Before making the network changes, placing the server (which is actually an old workstation from my employer that was decommissioned) on the virtual DMZ, I’d like to start with an absolutely fresh install. I intend to run this server in headless mode as I will also be adding a Plex Media Server to the ensemble.

I’ll be using Ubuntu Server LTS 18.04.2 for this, so now I’m putting that onto a USB key for installation. I initially planned to make this an unattended install but in the interest of squashing any fears about weird partitioning, I’ll be doing an interactive install.

Installation

So before I could actually install, I had to back up my docker-compose file, meaning I had to mount the drive I’ll be formatting and the large-format drive used for media storage. After copying the file over, I started the installation, but it failed, due to the drives I mounted.

So I rebooted, and restarted, sans mounting the drives this time.

The current drive configuration is:

  • 1 SSD, 180GB or so in size, one partition, bootable
  • 1 HDD, 4TB or so in size, one partition

I hope to eventually set up a NAS storage system but that’s for when I’m more financially well-off.

The installation was successful and now it’s time to make some configuration changes.

Configuration

I’ll be following this guide for basic security before making any progress on actually setting up Nextcloud on this virgin machine. A few deviations from the guide are that I’ll be using a different username, matching logins based on an IP range rather than a singular IP, and configuring logwatch with an internet site. That last one will allow me to send mail directly from the server rather than having to rely on something like mailgun.

Now that basic security is configured, it’s time to install a few things.

Transmission-Daemon

The first thing I’d like to install is a Transmission torrenting server that I can remotely start torrent jobs on. For this you use the transmission-daemon package. After installing the package, I recommend looking through /etc/transmission-daemon/settings.json and configuring the settings as desired. I’ll be changing the default port, download location, and speed and peer limit settings.

Protip: transmission-daemon runs under its own user, debian-transmission, so if you change the default download location, remember to give debian-transmission permissions on that directory. I used setfacl to grant access through an ACL. This removes the need to give some sort of ownership of the given directory to debian-transmission. When going this route, you’ll want to set the umask directive in the transmission-daemon settings to 2 so that you’ll be able to make modifications to the files.
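As an added illustration (not code from the original post) of why the umask value matters when access is granted through an ACL: the group bits of each newly created file become its ACL mask, which caps every named-user entry inherited from the directory's default ACL. The settings.json content and the download path below are constructed stand-ins.

```python
import json
import stat

# Constructed stand-in for /etc/transmission-daemon/settings.json (only the keys we touch).
# Transmission 2.x/3.x writes umask as a decimal integer: the default 18 is octal 022.
SAMPLE_SETTINGS = json.dumps({"download-dir": "/srv/media/incoming", "umask": 18})


def set_umask(settings_json: str, umask: int = 2) -> str:
    """Return the settings text with "umask" replaced. Edit while the daemon is stopped,
    otherwise it overwrites the file with its in-memory copy on exit."""
    cfg = json.loads(settings_json)
    cfg["umask"] = umask
    return json.dumps(cfg, indent=4)


def created_mode(umask: int, is_dir: bool = False) -> int:
    """Permission bits a new file (base 0666) or directory (base 0777) gets after the umask."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask


def acl_grant_is_writable(umask: int) -> bool:
    """Linux derives the ACL mask of a newly created file from its group bits, and the mask caps
    every named-user / named-group entry inherited from the directory's default ACL. With umask
    022 the group bits are r-- so an inherited 'rw' grant is silently cut to read-only; with
    umask 002 (Transmission's 2) the group bits are rw- and the grant stays effective."""
    return bool(created_mode(umask) & stat.S_IWGRP)
```

Check the outcome on a real directory with `getfacl` on a freshly downloaded file: the `mask::` line is what limits the `user:...` entry.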

Another time I’ll make a script to automatically move the video and/or audio files into a proper staging area for sorting, or maybe there’s a tool for that already that can look at the file metadata? Hit me up if you know of such a thing.

Docker

Next I’ll be installing Docker as that’s the platform with which I’ll be running the Plex Media Server and Nextcloud installs. I would have installed docker as a snap, but I’d like to refrain from using snaps as much as possible as I find them inefficient on storage space, which is a premium with a 180GB SSD. I’ll be following this guide.

After installing Docker, I now have to install docker-compose as that is how I set up my Docker stack. I used this guide to install it.

Nextcloud

Getting Docker onto the machine was the easy part. The hard part is getting everything set up like before. Below are the few issues I ran into when setting this back up.

Let’s Encrypt

This wasn’t as much an issue as it was a pain. When I was making the TXT DNS record on Digital Ocean (that’s where my nameserver points) I accidentally made the TXT record for _acme-challenge.bnolet.me.bnolet.me. Why a TXT record? Because my port 80 is blocked so the traditional Let’s Encrypt validation over port 80 doesn’t work. I also wanted to go wildcard on this one.
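An added helper (not part of the original post) that reproduces the doubled-zone mistake above and computes the entry that lands the DNS-01 record on the right name. It assumes the DNS panel appends the zone to any hostname that does not end in a dot, the usual BIND convention; verify with `dig TXT _acme-challenge.bnolet.me` before requesting the certificate.

```python
def challenge_fqdn(domain: str) -> str:
    """Name Let's Encrypt queries for the DNS-01 challenge. A wildcard *.example.com is
    validated at the same name as the apex, so the "*." prefix is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def resulting_fqdn(entry: str, zone: str) -> str:
    """Record name a zone-relative DNS panel actually creates from a typed hostname
    (assumed behaviour: no trailing dot means "append the zone")."""
    zone = zone.rstrip(".")
    if entry.endswith("."):
        return entry.rstrip(".")
    if entry in ("", "@"):
        return zone
    return entry + "." + zone


def panel_entry(domain: str, zone: str) -> str:
    """The relative label to type so the record lands on the right name."""
    fqdn = challenge_fqdn(domain)
    zone = zone.rstrip(".")
    if not fqdn.endswith("." + zone):
        raise ValueError(fqdn + " is not inside zone " + zone)
    return fqdn[: -(len(zone) + 1)]


def check_entry(entry: str, domain: str, zone: str):
    """(ok, created_name): ok is False when the typed entry would create the wrong record."""
    created = resulting_fqdn(entry, zone)
    return created == challenge_fqdn(domain), created
```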

Port Forwarding

Unfortunately, I forgot that I had port forwarding set up so the internal port 443 was already being used by that. I was facing connection issues when trying to reach my server’s address. After deactivating this, I had another problem.

Nginx-Proxy

For Docker, if you want to host any sort of web service in a sane fashion, you’ll want to use jwilder’s nginx-proxy. You can manually map a folder containing the SSL certs you want to use to the Docker container. It works fantastically when you give it the right folder. Doesn’t work so well when you don’t. So I had to correct the directory in my docker-compose file and then restart the service.

Another part of this is that I didn’t remember which file is supposed to have the .crt extension and which one was supposed to have the .key extension. Luckily I still had my VPS to use as reference and was able to compare file sizes of the files with their respective file name extensions.
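Comparing file sizes works, but the PEM header inside each file says unambiguously what it is. The added check below (not from the original post or the nginx-proxy project) verifies the `<host>.crt` / `<host>.key` pair that nginx-proxy expects in the mounted certs directory, flags a swapped pair, and warns when the private key is readable by other users. The PEM bodies are constructed placeholders, not real key material.

```python
import os
import re
import stat
import tempfile

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_kind(data: bytes):
    """'crt' for a certificate, 'key' for a private key, None if the PEM header is unrecognised."""
    match = PEM_HEADER.search(data)
    if not match:
        return None
    label = match.group(1).decode()
    if label == "CERTIFICATE":
        return "crt"
    return "key" if label in KEY_LABELS else None


def check_certs_dir(certs_dir: str, host: str):
    """nginx-proxy looks for <host>.crt and <host>.key in the mounted certs directory. Return a
    list of problems: missing file, contents not matching the extension, key readable by others."""
    problems = []
    for ext in ("crt", "key"):
        path = os.path.join(certs_dir, host + "." + ext)
        if not os.path.exists(path):
            problems.append("missing " + path)
            continue
        with open(path, "rb") as fh:
            kind = pem_kind(fh.read())
        if kind != ext:
            problems.append(path + " holds " + (kind or "unknown data") + ", expected " + ext)
        if ext == "key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(path + " is readable by group/others")
    return problems


def build_sample_dir(swapped: bool = False) -> str:
    """Constructed certs directory with placeholder PEM bodies (not real key material)."""
    cert = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    crt_body, key_body = (key, cert) if swapped else (cert, key)
    certs_dir = tempfile.mkdtemp()
    for name, body in (("bnolet.me.crt", crt_body), ("bnolet.me.key", key_body)):
        with open(os.path.join(certs_dir, name), "wb") as fh:
            fh.write(body)
    os.chmod(os.path.join(certs_dir, "bnolet.me.key"), 0o600)
    return certs_dir
```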

Plex Media Server

Fantastic, next we just have to modify the docker-compose file to add the Plex Media Server container. It seems like we need a few pieces of information though.

Timezone

As I’m in Montreal, Quebec, I’ll be using the Eastern time zone. Looking at my desktop’s time zone, I can see that I’m using America/Toronto. So I’ll be putting that in the Docker environment variable for PMS.

PLEX_CLAIM

Okay so I don’t know what this thing is so let’s do a quick internet search for the answer. Okay so apparently it’s something to automatically link your server to your plex.tv account so you can access the server over the internet (with stuff like Chromecast, which I use). The claim token will automatically log the server into your account.

No PMS

Unfortunately I won’t be able to finish with Plex Media Server tonight as it’s getting late and for some reason, PMS doesn’t detect…itself. Strange happenings! I’ll figure it out another day.

Conclusion

Surprisingly, once all these issues were solved, there was absolutely nothing else to configure. Nextcloud saw that there was an update to perform, did it, cleaned itself up, and then was ready to use! I’m really happy that I was able to eliminate a speed bump by being able to remove the external nginx proxy.