Fj Graf

Author: fjgraf

  • Configure partition table, format and auto mount disks. MBR – EXT4

    Connect the External HDD: Ensure that your external HDD is connected to your Debian system.

    Identify the Device: Use the lsblk or fdisk -l command to identify the device name of your external HDD. It will typically be something like /dev/sdX, where X is a letter assigned to the drive.

    lsblk

    Partition the Drive with MBR: Use the fdisk command to create an MBR partition on the external HDD.

    sudo fdisk /dev/sdX

    Once inside the fdisk program do the following:

    Type o and press Enter to create a new empty DOS partition table (MBR).

    Type n and press Enter to create a new partition.

    Choose the default values for the start and end sectors to use the entire disk.

    Type t and press Enter to set the partition type. Choose 83 for Linux.

    Type w and press Enter to write the changes and exit.

    Create the ext4 Filesystem: After creating the partition, use the mkfs.ext4 command to create an ext4 filesystem.

    mkfs.ext4 /dev/sdX1

    Replace /dev/sdX1 with the actual partition identifier you created in the previous step.

    Label the Filesystem (Optional): You can optionally label the ext4 filesystem for easier identification. Replace NEW_LABEL with the desired label for your filesystem. That can for example be the model of the hard disk or it’s purpose.

    e2label /dev/sdX1 NEW_LABEL

    Mount the Filesystem: Create a directory where you want to mount the hard disk and mount the filesystem.

    It would be a good idea to create the folder using the same name as the label of the hard disk’s partition.

    sudo mkdir /media/LABEL sudo mount /dev/sdX1 /media/LABEL

    Adjust the mount point (/media/LABEL) according to your preference.

    Now, your external HDD should be formatted with MBR and have an ext4 filesystem. If you want the drive to be automatically mounted on boot, you may need to add an entry to the /etc/fstab file which is show below.

    Automounting disk with fstab

    Identify the UUID of the Partition: Use the blkid command to identify the UUID of the partition on your external HDD. The UUID uniquely identifies the partition, and using it in /etc/fstab helps avoid issues if the disk order changes.

    Replace /dev/sdX1 with the actual partition identifier.

    sudo blkid /dev/sdX1

    Take note of the PTUUID number without quotes. It should look something like this: “c381c2aa-044b-415a-b901-2a6a374b2591“.

    Edit the /etc/fstab file: Open the /etc/fstab file in a text editor using a command like sudo nano or sudo vim. Add a new line with the following information:

    UUID=your_partition_uuid /media/LABEL ext4 defaults 0 2

    Replace your_partition_uuid with the UUID you obtained in the first step, and adjust the mount point (/media/LABEL) if needed.Example using nano:

    sudo nano /etc/fstab

    Add the line to automount the disk with default values:

    UUID=c381c2aa-044b-415a-b901-2a6a374b2591 /media/LABEL ext4 defaults 0 2

    Or with more specific options:

    UUID=c381c2aa-044b-415a-b901-2a6a374b2591 /media/LABEL ext4 rw,relatime,nofail,errors=remount-ro 0 2
    1. rw:
      • Stands for “read-write.”
      • This option allows both read and write operations on the filesystem. It specifies that the filesystem should be mounted with read and write permissions.
    2. relatime:
      • This option stands for “relative atime.”
      • With relatime, the access time of files is updated only if the current access time is earlier than the modification time or the inode creation time. It’s an optimization over the traditional atime update mechanism, helping to reduce write operations to the filesystem.
    3. nofail:
      • This option indicates that if the filesystem cannot be mounted, the failure should not be considered fatal to the system boot process. If the device is not present or there are issues with the filesystem, the system will continue booting without the specified filesystem being mounted.
    4. errors=remount-ro:
      • Specifies the action to be taken in case of errors on the filesystem.
      • If errors are encountered, the filesystem will be remounted in read-only mode (ro). This is a safety measure to prevent further potential damage and data loss in case of filesystem errors.
    5. 0 2:
      • These are the dump and pass fields, respectively.
        • The dump field (0) indicates whether the filesystem should be backed up using the dump command. A value of 0 means no automatic backup.
        • The pass field (2) is used by the fsck command to determine the order in which filesystems are checked at boot time. A value of 2 typically means the filesystem will be checked after the root filesystem.

    In summary, the options in your /etc/fstab entry specify that the filesystem should be mounted with read-write permissions, use relative atime for optimization, not be considered critical for system boot (nofail), remount in read-only mode in case of errors, and be checked after the root filesystem during the boot process.

    Press Ctrl + X to save, press Y to confirm changes, and press Enter to exit.

    Create the Mount Point (if not already created): If you haven’t created the mount point earlier, create it using:

    sudo mkdir /media/LABEL

    Remember to create the folder with the name of the label of your hard drive for easy identification.

    Mount All Filesystems in /etc/fstab: To mount all filesystems listed in /etc/fstab, you can use the following command:

    sudo mount -a

    To auto mount as a non root user

    To automount a disk with specific user permissions using /etc/fstab, you can utilize the user and noauto options along with the uid, gid, and umask options.

    1. Determine the UID and GID of the user you want to mount the disk as. You can find this information by running the following commands:
    id -u username
id -g username
    1. Determine the UUID of the disk you want to mount. You can find this information using the blkid command:
    sudo blkid
    1. Edit the /etc/fstab file using a text editor:
    UUID=your_disk_uuid /mnt/mount_point filesystem defaults,user,noauto,uid=your_user_id,gid=your_group_id,umask=022 0 0

  • Easy WAN-LAN speed test over cli

    The following two debian tools makes it very easy to accurately measure your internet connection speed as well as in your LAN.

    Measuring internet connection speed

    sudo apt install speedtest-cli

    Run it by typing:

    speedtest-cli

    Measuring LAN connection speed

    sudo apt install iperf3

    Run the server in one device which will be listening for the client to establish a connection.

    iperf3 -s

    In your other network device install iperf3 and run the client against the server:

    iperf3 -c [server's ip address]

    Results should show up promptly

  • sshfs

    For an easy way to obtain temporary access to a directory in a remote location using the sshfs command just type in your terminal:

    sshfs remote_user@ip_address:/path_to_dir path_to_local_dir

    Make sure you have have already created the local directory to mount the remote directory, that you have the credentials of the remote user and all necessary permissions.

    For example:

    sshfs admin@192.168.1.130:/media/backup ~/nfs

    Now in your local file manager you will have access to the remote directory for the current session. Performance may be reduced with this method in contrast with other alternatives like a network file system setup but for managing small files it’s just perfect if you prefer to have a single secure connection to a remote location without having to use to much the terminal.

    NOTE: If you are a local non root user, you need to make sure to create the folder where you want to mount the remote disk somewhere in your home folder so you can have access to it either with CLI or a file explorer.

    To disconnect:

    fusermount -u /path/to/mount/point

  • Configure passwordless authentication

    Server Side

    1- In this scenario we are going to install an ssh server and configuring it so that it only accepts certificates to log in.

    sudo apt-get install openssh-server

    2- In the Remote Server: Ensure that password based ssh login is allowed in the ssh server configuration before copying your public key.. Edit the ssh configuration file after you have a working certificate based authentication. You should skip this step for now:

    sudo nano /etc/ssh/sshd_config

    Set the following options:

    PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
KbdInteractiveAuthentication no

    Save and exit the file.

    sudo systemctl reload/restart sshd
    or
    sudo service ssh restart

    Client Side

    sudo apt-get install openssh-client

    Navigate to /home/.ssh

    3- Generate an SSH key pair (if you don\’t already have one. This command generates an RSA key pair with 4096 bits.

    ssh-keygen -t rsa -b 4096

    Or you can generate the more modern version with this command:

    ssh-keygen -t ed25519 -a 100 -f .ssh/testkey

    Give it a meaningful name and provide a password (optional)

    Add Your SSH Key to the SSH Agent: You need to add a new identity using your SSH private key to the SSH agent with the following command:

    ssh-add ~/.ssh/id_rsa (NOT the id_rsa.pub!)

    Ensure SSH Agent is Running: ssh-copy-id relies on an SSH agent to manage your keys. If you need to stop it, type eval \”$(ssh-agent -k)\”

    eval "$(ssh-agent -s)"
Or
eval $(ssh-agent -s)

    OPTIONAL: Make sure that ssh-agent is running and that will it start at system boot in your local session and adding a desired private key:

    nano ~/.bashrc

    4- Add the following line at the end of the file :

    eval "$(ssh-agent -s)"
ssh-add PATH_TO_YOUR_PRIVATE_KEY

    To check if the SSH agent is running, you can use the ssh-add command with the -l option. If the ssh agent is running and has loaded any keys, you will see a list of the loaded key fingerprints. Open a terminal and run the following command:

    ssh-add -l

    Another way to check if the SSH agent is running, is to list the environment variables related to SSH.

    If the SSH agent is running, this command will print the path to the SSH agent socket. If it\’s not running, the command will produce no output. Run the following command:

    echo $SSH_AUTH_SOCK

    You can also see if ssh agent is running by showing it\’s PID.

    echo $SSH_AGENT_PID
    • There is another way to load the identities beside running the ssh agent and that is by creating a file named config inside the .ssh folder with the following information per server you want to connect to. The identities configured will be loaded at the time to try to connect via ssh.
    Host server
       Hostname server_ip_address
       User remote_user
       IdentityFile /home/local_user/.ssh/identity_file

    5- Make sure that ssh password authentication on your remote server is enabled. You\’ll need to copy your public key to the remote server using ssh-copy-id:

    ssh-copy-id -i /path/to/id_rsa.pub admin@remote_server_ip

    You are going to be prompted to type the password of your remote user to accept the public key.

    6- Once that\’s done, log in and if all goes well, you will connect to the remote machine without a password.

    ssh admin@remote_server_ip

    Now you can disable password authentication in the remote machine in step 2 .

  • Resize OpenWRT partition

    After OpenWrt installation on a 8GB sd card I noticed that I only had 104 MB of disk space left for future software installation. The file system was only using a fraction of the 8GB so I needed to expand the size of the partition as well as for the file system.

    Boot up your openwrt device and perform the following steps from CLI.

    First of all and just to be safe, remove all external disks attached.

    Install software (preferably via Luci):

    opkg lsblk parted resize2fs tune2fs

    Now lets gather information about block devices:
    lsblk
    sda                   179:0    0 8G   0 disk   
    ├─sda1                179:1    0   16M   0 part
    ├─sda2               179:2    0   104M  0 part /  

    Now lets enter to parted and Resize Partition

    parted
p
Number  Start   End     Size    Type      File system  Flags
1      33.6M   50.3MB  16.8MB  primary   ext2         boot
2      67.1MB  104MB   104MB   primary

resizepart 2 8GB #Decide how much you want to expand according to sd card capacity
q

    Resizing the file system

    Remount root as read only:

    mount -o remount,ro /

    Remove reserved GDT blocks:

    tune2fs -O^resize_inode /dev/sda2

    Fix part, answer yes to all. This will remove GDT blocks remnants.

    fsck.ext4 /dev/sda2

    Now reboot, log back in again and then resize the partition:

    Expand root filesystem

    resize2fs -f /dev/sda2
    To apply changes, reboot  the system again and finish.

    Sources

    https://openwrt.org/docs/guide-user/installation/installation_methods/sd_card#fn

    https://openwrt.org/docs/guide-user/installation/openwrt_x86#resizing_filesystem

    https://openwrt.org/toh/friendlyarm/nanopi_r4s_v1#installation

  • Install Debian on RaspberryPi 3B+

    Go to https://raspi.debian.net/ and download the appropriate image file. I\’m going for this one: 20230612_raspi_3_bookworm.img.xz.

    Decompress the image:

    xz -d path/to/.img

    Copy image file to sdcard:

    sudo dd if=/path/to/.img of=/dev/sdx bs=4M status=progress conv=sync

    Insert the sdcard into your raspberrypi and start it up. First time run will get you prompted to user root without a password so you must give it a password right after login. Remote root login is disabled by default so in order to ssh into the raspberrypi create an admin account give it sudo privileges.\n\n\n\n

    Configure as root server-side

    Create a password for your root account

    passwd

    Update the system

    apt update && apt upgrade -y

    Create an admin account and provide a password

    adduser admin

    Install dependencies

    apt install sudo openssh-server

    Give sudo privileges to user admin by navigating to /etc/sudoers.d/ and either edit the README file or create a new file. Add the following line at the end of the file:\n\n\n\n

    admin ALL=(ALL:ALL) ALL

    Another way to setup sudo on a user is to add that user to the sudo group (you need to be root to do that).

    usermod -aG sudo admin

    Reboot the system and leave the raspberrypi without logging in locally with the root or admin accounts. From now on you should be able to log in remotely with your user admin and continue with further configurations.

    Take note of the ip address of your raspberrypi.

    ip a

    Configuration client-side

    Install open ssh client package.

    sudo apt install openssh-client

    Connect via ssh in your terminal.

    ssh admin@raspberrypi_ip_address

    Now you should be able to log in remotely with the admin account and continue with further configurations!

  • TOR Relay

    Recently I installed debian on a raspberrypi using a very minimalist version to maximize the usability of the raspberry pi 3B+ as it\’s limited in resources with only 1 Gb of RAM.
    as a good test for this board and also give a hand to the tor project.

    Install packges

    sudo apt install wget gpg apt-transport-https apt-config-auto-update unattended-upgrades apt-listchanges

    Configure unattended upgrades

    Edit file /etc/apt/apt.conf.d/50unattended-upgrades. Comment with // every line starting like this from:
    //Unattended-Upgrade::Origins-Pattern {
    to its end curly bracket
    //}
    Then add these lines following the commented section:

    Unattended-Upgrade::Allowed-Origins {\n \"${distro_id}:${distro_codename}-security\";\n \"TorProject:${distro_codename}\";\n };\n Unattended-Upgrade::Package-Blacklist {\n };

    Edit file /etc/apt/apt.conf.d/20auto-upgrades and add:

    APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::Autocleaninterval \"5\";
APT::Periodic::verbose \"1\";

    Test the unattended upgrades:

    sudo unattended-upgrades -d

    Configure Tor repositories

    2. Create a new file in /etc/apt/sources.list.d/ named tor.list. Add the following entries:

    deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main\ndeb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

    Then add the gpg key used to sign the packages
    Must be executed with root account as sudo might not work. Type exit once the command has finished working.

    su -
    sudo wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

    Install Tor

    sudo apt install tor deb.torproject.org-keyring

    Edit Tor configuration by editing the /etc/tor/torrc file and add the following lines:
    To test Tor for 1 month I\’ll assign 500 GB/month and check daily how its behaving the tor relay on my raspberry pi.

    Nickname    myNiceRelay  # Change \"myNiceRelay\" to something you like\nContactInfo your@e-mail  # Write your e-mail and be aware it will be published\nORPort      443          # You might use a different port, should you want to\nExitRelay   0\nSocksPort   0\n\n## BANDWIDTH\n## The config below has a maximum of 500GB (up/down) per month, starting on the 1st at midnight\nAccountingMax 500 GB\nAccountingStart month 1 0:00\n\n## MONITORING\nControlPort 9051\nCookieAuthentication 1\n
    sudo systemctl enable tor && sudo systemctl restart tor

    Verify it\’s running and enabled

    sudo systemctl status tor

    htop shows overall little resources consumption

    Optional

    Install nyx (sudo apt install nyx) to have a visual depiction of what\’s happening in your recently installed Tor relay.

    Sources

    https://support.torproject.org/apt/tor-deb-repo/

    https://community.torproject.org/relay/setup/guard/debian-ubuntu/updates/

    https://www.youtube.com/watch?v=tBnJRraXDc0\n

  • Automated folders backup

    This is a very simple way to back up folders in an incremental way and it can be tweaked slightly to make more or less copies while at the same time keeping a defined number of copies on disk, It starts by creating one copy of one or more folders and saves it in its unique folder named after the time and date of the day. The day after, it creates a second copy and the next day the same and so on. By the sixth day it will make a another copy but the script will also remove the oldest copy from disk. So you will always have a predefined number of copies on disk at all times (in this example it’s 5). If for any reason the admin executes the script manually this script won’t delete the oldest two folders but only the single oldest so keep that in mind. Another thing is that the websites_backup.service file has the last 2 lines commented. This is made on purpose due to that initially my idea was run the script once if the system reboots but this will accumulate unnecessary copies and probably make your disk run out of space if not paying attention.I kept the lines there just to remind myself of that.

    I’m using this script to keep copies of my websites. These are full folder copies.

    websites_backup.sh

    #!/bin/bash

SOURCE_DIR="/var/www/*"
BACKUP_DIR="/media/backup/websites_backups"
LOG_FILE="/home/admin/CUSTOM_SERVER_SCRIPTS/backup.log"
DATE=$(date +"%Y-%m-%d_%H-%M-%S")
NUMBER_OF_BACKUPS="5"

        {
                echo "Websites Backup Script execution started at: $(date)"
                mkdir -p "$BACKUP_DIR/$DATE"
                cp -ra $SOURCE_DIR "$BACKUP_DIR/$DATE"
                echo "Copying all contents of /var/www/ folder to /media/backup/websites_backups"
                echo "Websites Backups completed at: $(date)"
                OLDEST_FOLDER=$(ls -t1 "$BACKUP_DIR" | tail -n +$((NUMBER_OF_BACKUPS+1)))
                if [ -n "$OLDEST_FOLDER" ]; then
                        rm -rf "$BACKUP_DIR/$OLDEST_FOLDER"
                        echo "Deleted oldest backup folder, no more than 3 backups allowed."
                fi
        } >> "$LOG_FILE" 2>&1  # Redirecting both stdout and stderr to the log file

    Using cp -ra will copy everything (including hidden files) and preserve all attributes as well.

    websites_backup.service

    To automate this process, a service file can be saved in /etc/systemd/system 

    [Unit]
Description=Backup process for websites in /var/www/ folder.
After=network-online.target

[Service]
Type=simple
ExecStart=/home/admin/CUSTOM_SERVER_SCRIPTS/websites_backup_script/websites_backup.sh
Restart=on-failure
StartLimitInterval=0

# Running this script during system boot has been disabled.
# Uncomment if you want it enabled. Keep in mind space storage management.
#[Install]
#WantedBy=multi-user.target

    Lets enable the service and to verify it’s running properly by typing:

    sudo systemctl enable websites_backup.service
    sudo systemctl status websites_backup.service

    websites_backup.timer

    [Unit]
Description=websites_backup.service Timer

[Timer]
OnCalendar=*-*-* 7:00:00
AccuracySec=1h
RandomizedDelaySec=30m
Persistent=true

[Install]
WantedBy=timers.target

    Optional: Set OnCalendar=Mon 7:00:00 for weekly backup.

    This timer will trigger the execution of the websites_backup.service file that will run the websites_backup.sh script. This process will be repeated everyday at 7AM, it will also be triggered within 1 hour of the expected time of execution and an extra 30 mins max randomized execution time to avoid eventual processes spikes (if any). I believe it’s good practice to add randomized execution just in case you forget and decide to create a lot of services starting at the same time.

    In the near future I’d like to expand the functionality by also keeping 3 weekly copies at all times.

  • Editing image files

    So I decided to start adding images to this blog and I found two probably the best (prove me wrong) website for ai generated images and two (or three) pretty neat commands in my debian that are probably going to be the only ones I will ever use from now on when working with images.

    I’m no expert so I need easy to use tools just to get the job done quickly to upload images to this website and with minimum effort (I am shameless).

    https://zoo.replicate.dev

    Thanks to this website and the geniuses behind this open source project.

    So as a test, i will upload an image previously downloaded from their website. But before that, I will modify it to reduce its size to save space and make it more suitable as featured image.

    The first tool is exiftool that shows the metadata of the image.

    :~/server_images$ exiftool creepypplonajet.png

    ExifTool Version Number         : 12.16
File Name                       : creepypiconajet.png
Directory                       : .
File Size                       : 879 KiB
File Modification Date/Time     : 2023:11:04 04:49:15-04:00
File Access Date/Time           : 2023:11:04 04:49:15-04:00
File Inode Change Date/Time     : 2023:11:04 04:49:15-04:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 768
Image Height                    : 768
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Image Size                      : 768x768
Megapixels                      : 0.590

    Then we have identify and convert… yep pretty simple named commands. Both identify and convert commands are part of the ImageMagick package and it’s supposed to be widely used and very popular.

    identify well.. identifies the images and convert well… converts them! I love the straightforwardness

    :~/server_images$ identify creepyppplonajet.png  
creepyppplonajet.png PNG 768x768 768x768+0+0 8-bit sRGB 900046B 0.000u 0:00.000

    ls -lh

    -rw-r–r– 1 root root 879K Nov  4 04:49 creepypplonajet.png

    It’s a 768×768 image and 879 kilobytes. lets shrink it with convert by setting the pixel size.

    :~/server_images$ convert image.png -resize 200x200 image_small.png

    Your can also reduce (change) the size by choosing a percentage. In this case the image is reduced by 50%.

    :~/server_images$ convert image.png -resize 50% image_small.png
    After
    Before

    From 2.2 MB to 540 Kb

    Not bad at all and the possibilities are many in terms of efficiency managing large volumes of images and the capabilities of these tools.

    I’m juts going to make a brief pause to this post here and keep editing in the near feature to post more functionalities of the convert tool. In the meantime I’m publishing this post anyways!

    New edit: https://zoo.replicate.dev is not working as open as it was before. A good alternative is https://deepai.org.

  • Install Nextcloud – Apache

    1. Prerequisites

    In this example we assume that there is already a webserver with ssl enabled running on your server and you have configured a subdomain to be used by nextcloud in your DNS service provider. If your site is example.com, you can create a subdomain nc.example.com to access to it. If you prefer not to have a subdomain, you will have to point the nextcloud’s root folder in the configuration file of your main site.

    • Server: You need a server (VPS, dedicated server, or local server) running a Linux distribution (e.g., Ubuntu, CentOS, Debian).
    • Web Server: Apache should be installed and running.
    • PHP: Ensure PHP is installed (Nextcloud requires PHP 7.1 or higher) and php-gd, php-curl, php-xml, php-mbstring, php-zip.
    • Other optional but very useful packages, fail2ban and a front end firewall manager like ufw.
    sudo apt install certbot python3-certbot-apache wget

    Apache modules for enhanced security and for php integration

    sudo apt install libapache2-mod-php libapache2-mod-security2

    Certbot will provide the certificate for your website’s subdomain while python3-certbot-apache will facilitate the installation of the certificate in your system by integrating apache in the installation process. It will add the necessary lines where the certificates can be accessed into the nc.examle.conf file in folder sites-available and deploy the certificate, among other things

    2. Install Nextcloud Server Community edition

    https://download.nextcloud.com/server/releases/latest.zip

    Step 1: Unzip latest.zip to /var/www. I like to name those kind of folders as the name of the website they are holding in so you should rename it as example.com.

    Step 2: Set the correct permissions:

    sudo chown -R www-data:www-data /var/www/html/nc.example.com

    OPTIONAL INSTALL

    Alternatively, you can download the zip file and decompress the folder named nextcloud into your /var/www folder like so:

    Download the zip file to your home folder:

    wget https://download.nextcloud.com/server/releases/latest.zip

    Decompress:

    sudo unzip latest.zip -d /var/www/

    Rename folder according to the settings in your web server:

    mv /var/www/nextcloud /var/www/nc.example.com

    Set permissions to the www-data user

    Go to your ip address or domain setup for nextcloud after you had created an database user and the database itself.

    sudo chown -R www-data:www-data /var/www/nc.example.com

    3. Configure Apache for Nextcloud

    • Step 1: Enable necessary Apache modules:
    sudo a2enmod rewrite headers env dir mime ssl
    sudo systemctl restart apache2

    Step 2: Create a new Apache configuration file for Nextcloud:

    sudo nano /etc/apache2/sites-available/nc.example.com.conf

    Add the following configuration (modify paths if necessary):

    apache

    <VirtualHost *:80>
    ServerName nc.example.com
    Redirect permanent / https://nc.example.com/
</VirtualHost>

#########################################################

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName nc.RootDomain
                DocumentRoot /var/www/nc.example.com

# NextCloud folder directives
                <Directory /var/www/nc.example.com/>
                        Options +FollowSymlinks
                        AllowOverride All
                        Require all granted
                        Satisfy Any
                </Directory>

# Certificates
                SSLEngine on
                SSLCertificateFile /etc/letsencrypt/live/nc.example.com/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/nc.example.com/privkey.pem

# logging
                ErrorLog ${APACHE_LOG_DIR}/nc.example.com_error.log
                CustomLog ${APACHE_LOG_DIR}/nc.example.com_access.log combined

# Reverse Proxy Directives. End edit appropriately before uncommenting.
#               <Location />
#                       ProxyPass http://localhost:50000/
#                       ProxyPassReverse http://localhost:50000/
#                       ProxyPreserveHost On
#                       RequestHeader set X-Forwarded-Proto "https"
#                       RequestHeader set X-Forwarded-Port "443"
#               </Location>

        </VirtualHost>
</IfModule>

    I’ve left some reverse proxy directives in the config file. Those are not going to be executed as long as they have the # at the beginning of the line. Remove them if you want.

    Once the config file is done and you are planing to have the nextcloud website in a subdomain, get the appropriate certificate with this command:

    sudo certbot certonly --webroot -w /var/www/example.com -d nc.example.com

    Step 3: Enable the Nextcloud site and restart Apache:

    sudo a2ensite nc.example.com
    sudo systemctl restart apache2

    4. If your plan is to use it for LAN only…

    <VirtualHost LAN_IP_ADDRESS:80>
    ServerAdmin admin@example.com
    ServerName nextcloud.example.com

    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Options +FollowSymlinks
        AllowOverride All

        Require local
        # If you want to allow access from specific LAN IP ranges, use:
        # Require ip 192.168.1.0/24
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined
</VirtualHost>

    5. Using MySQL/MariaDB Command Line:

    The pre final step is to create a database for nextcloud. Download the appropriate packages if you dont have them already installed on your system. A secure installation of mariadb must have been already performed. I also prefer to name the database the same as the website from whic it receives the data.

    1. Access MySQL/MariaDB:bash

    mysql -u root -p

    Create a Database:

    CREATE DATABASE nc.example.com;

    Replace nc.example.com with the name you want for your Nextcloud database.

    Create a Database User:

    CREATE USER 'nextcloud_user'@'localhost' IDENTIFIED BY 'your_password';

    Replace nextcloud_user with the desired username and your_password with a strong password.

    Grant Permissions:

    GRANT ALL PRIVILEGES ON nc.example.com.* TO 'nextcloud_user'@'localhost';

    FLUSH PRIVILEGES;

    EXIT;

    Ensure to replace nc.example.com and nextcloud_user with your actual database name and username.

    6. Finalize Installation

    • Step 1: Open your web browser and navigate to http://nc.example.com/
    • Step 2: Follow the on-screen instructions to complete the Nextcloud setup.