# Part 3: Downloading, installing and configuring Nextcloud

## Objective of This Section

In this section, we install Nextcloud completely on the prepared Debian 13 system. We set up the LAMP stack, configure Apache and PHP specifically for Nextcloud, integrate the data directory outside the webroot, and complete the installation including essential optimizations.

At the end of this section:

* Nextcloud is running under **cloud.zn80.net**
* All user data is stored cleanly under **/srv/cloud.zn80.net/data**
* The database is secured and properly connected
* Caching, proxy operation, and optional performance features are prepared

---

## Important Security Notice

For secure operation on the public internet, a reverse proxy with HTTPS is mandatory (e.g., Nginx Proxy Manager, Traefik, or a standalone Nginx setup with Let’s Encrypt).

Without HTTPS (and HSTS), exposing the Nextcloud instance beyond the local network is strongly discouraged. You can operate it internally first and enable external access later, at any time, once a proxy and certificate are in place.

Further information:

* Nextcloud Admin Documentation: HTTPS Setup & Server Hardening
* Nextcloud Admin Documentation: SSL/TLS Configuration
* Let’s Encrypt Official Website

---

## Update the System

Before beginning the installation, ensure the system is fully up to date:

```bash
sudo apt update && sudo apt full-upgrade -y
```

---

## Install and Secure MariaDB

Install the database server and client:

```bash
sudo apt install mariadb-server mariadb-client-compat
```

Enter the MariaDB shell and create the Nextcloud database:

```bash
sudo mariadb
```

Inside the MariaDB shell:

```sql
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost' IDENTIFIED BY '<DATABASE_PASSWORD>';
FLUSH PRIVILEGES;
EXIT;
```

Secure the MariaDB installation:

```bash
sudo mysql_secure_installation
```

Recommended answers:

* unix_socket authentication: **n**
* Set root password: **Y**
* Remove anonymous users: **Y**
* Disallow remote root login: **Y**
* Remove test database: **Y**
* Reload privilege tables: **Y**

---

## Install Apache, PHP, and Required Extensions

Install Apache indirectly via PHP packages along with all required extensions:

```bash
sudo apt install imagemagick-7.q16 php php-apcu php-bcmath php-cli php-common php-curl php-gd php-gmp php-imagick php-intl php-mbstring php-mysql php-zip php-bz2 php-xml
```

Enable the required PHP modules (the PHP extension is named `zip`; `unzip` is a separate system tool installed in the next step):

```bash
sudo phpenmod apcu bcmath gmp imagick intl zip
```

Ensure `unzip` and `wget` are installed:

```bash
sudo apt install unzip wget
```

---

## Download and Prepare Nextcloud

Download and extract the latest Nextcloud version:

```bash
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip
```

Rename the extracted directory to the service FQDN and move it into Apache’s web directory:

```bash
mv nextcloud cloud.zn80.net
sudo chown -R www-data:www-data cloud.zn80.net
sudo mv cloud.zn80.net /var/www/
```

Disable the Apache default site:

```bash
sudo a2dissite 000-default.conf
```

Enable required Apache modules:

```bash
sudo a2enmod dir env headers mime rewrite ssl
sudo systemctl restart apache2
```

> Note:
> Instead of `latest.zip`, specific previous versions (e.g., `nextcloud-29.zip` or `nextcloud-30.zip`) can be downloaded from the official release archive if required for compatibility reasons. However, running outdated versions on the public internet is not recommended.
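
The download step above unpacks `latest.zip` without checking it. The following is an added example, not part of the original guide: it compares the archive against a published SHA-256 checksum and unpacks only on a match. The function names, the script name `verify.sh` and the presence of a `latest.zip.sha256` file next to the archive are assumptions.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded release archive before unpacking it.
# Assumption: the server publishes "<archive>.sha256" next to the archive and
# its first whitespace-separated field is the hex digest (sha256sum format).

# verify_sha256 ARCHIVE SUMFILE -> 0 on match, 1 otherwise (fails closed)
verify_sha256() {
    local archive="$1" sumfile="$2" expected actual
    [ -r "$archive" ] && [ -r "$sumfile" ] || return 1
    # Use only the digest field: the file name recorded in the checksum file
    # may differ from the local name (versioned name vs. latest.zip).
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    # Anything that is not exactly 64 hex characters (an HTML error page,
    # an empty file) is rejected instead of being compared.
    [ "${#expected}" -eq 64 ] || return 1
    case "$expected" in *[!0-9a-f]*) return 1 ;; esac
    actual=$(sha256sum < "$archive" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# fetch_and_unpack BASE_URL NAME: download archive and checksum, unpack on match only
fetch_and_unpack() {
    local base="$1" name="$2"
    wget -q "$base/$name" "$base/$name.sha256" || return 1
    if verify_sha256 "$name" "$name.sha256"; then
        unzip -q "$name"
    else
        echo "checksum mismatch for $name, not unpacking" >&2
        return 1
    fi
}

# Run as (verify.sh is a hypothetical script name):
#   sh verify.sh https://download.nextcloud.com/server/releases latest.zip
if [ "$#" -eq 2 ]; then
    fetch_and_unpack "$1" "$2"
fi
```

A checksum fetched from the same host catches corrupted or truncated downloads, not a compromised server; checking the detached `.asc` signature with `gpg --verify` against the Nextcloud release key covers that case.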

---

## Create Apache Virtual Host for Nextcloud

Create the configuration file:

```bash
sudo nano /etc/apache2/sites-available/cloud.zn80.net.conf
```

Insert the following content:

```apache
<VirtualHost *:80>
    ServerAdmin mail@example.com
    DocumentRoot "/var/www/cloud.zn80.net"
    ServerName cloud.zn80.net

    <Directory "/var/www/cloud.zn80.net/">
        Options FollowSymLinks
        AllowOverride All
        Header always set Referrer-Policy "no-referrer"
        Require all granted
        SetEnv HOME /var/www/cloud.zn80.net
        SetEnv HTTP_HOME /var/www/cloud.zn80.net
    </Directory>

    TransferLog /var/log/apache2/cloud.zn80.net_access.log
    ErrorLog /var/log/apache2/cloud.zn80.net_error.log
</VirtualHost>
```

Do not enable the site yet.

---

## Optimize PHP for Nextcloud

Edit PHP configuration:

```bash
sudo nano /etc/php/8.4/apache2/php.ini
```

Adjust the following values:

```ini
memory_limit = 512M
upload_max_filesize = 200M
post_max_size = 200M
max_execution_time = 360
date.timezone = Europe/Amsterdam

opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
```

Enable the site and restart Apache:

```bash
sudo a2ensite cloud.zn80.net.conf
sudo systemctl restart apache2
```

Enable APCu for CLI:

```bash
sudo nano /etc/php/8.4/mods-available/apcu.ini
```

Append:

```ini
apc.enable_cli=1
```

Restart Apache again:

```bash
sudo systemctl restart apache2
```

---

## Prepare the Data Directory

The Nextcloud data directory must **not** be located inside the webroot.

Ensure the mount point exists:

```bash
sudo mkdir -p /srv/cloud.zn80.net
```

Test mounting:

```bash
sudo mount -a
df -h /srv/cloud.zn80.net
```

Create the actual data directory and apply secure permissions:

```bash
sudo mkdir /srv/cloud.zn80.net/data
sudo chown -R www-data:www-data /srv/cloud.zn80.net/data
sudo chmod -R 750 /srv/cloud.zn80.net/data
```
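
The requirement above can be checked mechanically. The following is an added example, not part of the original guide: it fails if the data directory resolves to a path inside the webroot, if a symlink below the webroot leads into it, or if other users have any access. The function name and the script name `check.sh` are assumptions, and it relies on GNU `realpath` and `stat -c` as shipped with Debian.

```bash
#!/usr/bin/env bash
# Added example: audit the data directory layout described above.
# check_data_dir DATA WEBROOT -> 0 if the layout is safe, 1 otherwise
check_data_dir() {
    local data webroot mode
    data=$(realpath "$1") || return 1
    webroot=$(realpath "$2") || return 1

    # 1. The resolved data path must not be the webroot or anything below it.
    case "$data/" in
        "$webroot/"*)
            echo "FAIL: $data is inside the webroot $webroot" >&2
            return 1 ;;
    esac

    # 2. No symlink below the webroot may resolve into the data directory:
    #    the virtual host sets "Options FollowSymLinks", so Apache would
    #    serve the files through such a link.
    if find "$webroot" -type l -exec realpath {} + 2>/dev/null |
        awk -v d="$data" '$0 == d || index($0, d "/") == 1 { hit = 1 }
                          END { exit !hit }'; then
        echo "FAIL: a symlink in $webroot points into $data" >&2
        return 1
    fi

    # 3. "Other" users must have no access (mode 750 ends in 0).
    mode=$(stat -c %a "$data") || return 1
    case "$mode" in
        *0) ;;
        *)  echo "FAIL: $data has mode $mode, expected 750" >&2
            return 1 ;;
    esac
    return 0
}

# Run as (check.sh is a hypothetical script name):
#   sh check.sh /srv/cloud.zn80.net/data /var/www/cloud.zn80.net
if [ "$#" -eq 2 ]; then
    check_data_dir "$1" "$2" && echo "OK: data directory layout is safe"
fi
```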

---

## Web-Based Nextcloud Installation

Open in your browser:

```
http://cloud.zn80.net
```

Provide the following:

Admin user:

* Username: `nextcloud_admin`
* Password: secure custom password

Data directory:

```
/srv/cloud.zn80.net/data
```

Database:

* User: `nextcloud`
* Database: `nextcloud`
* Password: database password
* Server: `localhost:3306`

After installation, return to the command line.

---

## Post-Installation Optimizations

### Optimize the Nextcloud Database

Temporarily make the `occ` CLI tool executable:

```bash
sudo chmod +x /var/www/cloud.zn80.net/occ
```

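Add missing database indices. `occ` only runs as the user that owns `config/config.php`, which is `www-data` at this point, so call it through `sudo -u www-data`:

```bash
sudo -u www-data /var/www/cloud.zn80.net/occ db:add-missing-indices
```

Run repair tasks:

```bash
sudo -u www-data /var/www/cloud.zn80.net/occ maintenance:repair --include-expensive
```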

Remove executable permission again:

```bash
sudo chmod -x /var/www/cloud.zn80.net/occ
```

Secure configuration file:

```bash
sudo chown root:www-data /var/www/cloud.zn80.net/config/config.php
sudo chmod 660 /var/www/cloud.zn80.net/config/config.php
```

---

### Configure Trusted Proxies, Domains, and Caching

Edit configuration file:

```bash
sudo nano /var/www/cloud.zn80.net/config/config.php
```

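Add or adjust the following entries inside the `$CONFIG` array. The installer has already written a `trusted_domains` entry, so extend that entry instead of adding a second one: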

```php
'trusted_proxies' => [
    '192.168.10.105',
],

'trusted_domains' => [
    'cloud.zn80.net',
    '192.168.10.120',
],

'overwrite.cli.url' => 'https://cloud.zn80.net',
'overwriteprotocol' => 'https',
'memcache.local' => '\\OC\\Memcache\\APCu',
'default_phone_region' => 'DE',
```

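Run the repair command. `occ` only runs as the user that owns `config/config.php`; after the ownership change above that is root, so call it with its full path through `sudo`:

```bash
sudo php /var/www/cloud.zn80.net/occ maintenance:repair
```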

---

### Install Redis (Optional, Recommended)

Install:

```bash
sudo apt install redis-server php-redis
```

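Add the following configuration to `config.php`. It connects over a Unix socket, so Redis must be listening on `/run/redis/redis-server.sock` (the `unixsocket` and `unixsocketperm` settings in the Redis configuration) and the socket must be accessible to `www-data`: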

```php
'filelocking.enabled' => true,
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => [
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
],
```

Restart services:

```bash
sudo systemctl restart redis
sudo systemctl restart apache2
```

---

The Nextcloud installation is now complete and properly configured.

In Part 4, additional security hardening and recommended configuration adjustments will be implemented.