Setup Nextcloud Server on Arch Linux with Nginx, MariaDB and PHP7

In this tutorial, I will show you how to set up your own Nextcloud server on Arch Linux with Nginx, MariaDB and PHP7.

This tutorial assumes that you have already installed a LEMP stack (Linux, Nginx, MariaDB/MySQL, PHP) on Arch Linux. If you haven’t already done so, please check out the below easy-to-follow guide.

Install Nginx, MariaDB, PHP7 (LEMP) on Arch Linux

After you install LEMP stack, come back here and follow the instructions below. If you have a Arch Linux server, then ssh into it. You can also use your local Arch Linux computer.

Step 1: Install Nextcloud 10 Server on Arch Linux

Download the NextCloud tarball onto your server. The latest version is 10.0.1 at the time of this writing. You may need to change the version number. Go to https://nextcloud.com/install and click the download button to check out the latest version.

wget https://download.nextcloud.com/server/releases/nextcloud-10.0.1.tar.bz2

Extract it.

tar xvf nextcloud-10.0.1.tar.bz2

A new directory named nextcloud will be created in the current working directory. Copy the new directory and all of its content to the document root of Nginx web server. (/usr/share/nginx/).

sudo cp -r nextcloud /usr/share/nginx/

Then you also need to give the Nginx user (http) write permission.

sudo chown http:http /usr/share/nginx/nextcloud/ -R

Step 2: Create a Database and User in MariaDB

Log into MariaDB database server with the following command:

mysql -u root -p

Then create a database for Nextcloud. This tutorial name the database nextcloud. You can use whatever name you like.

create database nextcloud;

Create the database user. Again, you can use your preferred name for this user. Replace your-password with your preferred password.

create user nextclouduser@localhost identified by 'your-password';

Grant this user all privileges on the nextcloud database.

grant all privileges on nextcloud.* to nextclouduser@localhost identified by 'your-password';

Flush the privileges table and exit.

flush privileges;

exit;

Step 3: Enable Binary Logging in MariaDB

Edit the main MariaDB config file.

sudo nano /etc/mysql/my.cnf

Add the following two lines in [mysqld] section. You may find that these two lines are already there (line 54 and 57) because the MariaDB package of Arch Linux enables binary logging by default. If you cannot find them, then manually add them to the [mysqld] section of my.cnf file.

log-bin        = mysql-bin
binlog_format  = mixed

The format of binary log must be mixed. Save and close the file. Then restart MariaDB service.

sudo systemctl restart mysqld

Step 4: Create an Nginx Config File for Nextcloud

First, create a conf.d directory for individual Nginx config files.

sudo mkdir /etc/nginx/conf.d

Then create a config file for Nextcloud.

sudo nano /etc/nginx/conf.d/nextcloud.conf

Put the following text into the file.

upstream php-handler {
    server unix:/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name nextcloud.your-domain.com;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass php-handler;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
   }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }
}

Replace the red-colored text with your actual data. If you are setting up Nextcloud on your home computer, then enter your private IP address for the server name, like:

server_name 192.168.1.105

Next, edit /etc/nginx/nginx.conf file

sudo nano /etc/nginx/nginx.conf

Add the following line in the http section so that individual Nginx config files will be loaded.

include /etc/nginx/conf.d/*.conf;

Like this:

http {
   include /etc/nginx/conf.d/*.conf;

   include mime.types;
   default_type application/octet-stream;

.....

Save and close the file. Then reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Step 5: Install and Enable PHP Modules

Nextcloud requires mysql and gd modules to be enabled in order to work properly. mysql module is already installed in the previous LEMP tutorial. Now install gd module with the following command:

sudo pacman -S php-gd

Then edit php.ini file.

sudo nano /etc/php/php.ini

Find the following 3 lines. Remove the semicolons to enable these 3 modules.

;extension=gd.so         (line 899)

;extension=mysqli.so     (line 887)

;extension=pdo_mysql.so  (line 891)

Save and close the file. Then reload php-fpm process for the changes to take effect.

sudo systemctl reload php-fpm

the Nextcloud Web Installer

Now in your browser address bar, type

nextcloud.your-domain.com

to access the Nextcloud web installer. If you are installing on a local Arch Linux computer, type your private IP address such as 192.168.1.105. You will see the following.

arch-linux-nextcloud

You need to create an administrative account and connect ownCloud service with MariaDB database. Enter the database username, password and database name you created earlier. Once it’s done, your Nextcloud server is ready to rock.

nextcloud-server-on-arch-linux

If you are using a remote Arch Linux server, I recommend installing a SSL/TLS certificate before you finish the installation in the web browser to prevent malicious sniffing.

Get A Free SSL Certificate from Let’s Encrypt

This step is necessary on a remote server because you want to make sure your Nextcloud username and password are not sniffed by malicious people. Skip this step if you are setting up Nextcloud on your home computer.

First we need to install the certbot client which is available in Arch Linux community repository.

sudo pacman -S certbot

Then use the webroot plugin to obtain a certificate for Nginx Web server.

sudo certbot certonly --webroot --email your-email-address -d nextcloud.your-domain.com -w /usr/share/nginx/nextcloud/

I assume you are using a domain name like nextcloud.your-domain.com to access the ownCloud web interface. You also need to point your domain name to your server IP in DNS before running the above command.

certonly means the client obtains SSL/TLS certificate but will not install it. Because Let’s Encrypt does not support auto SSL/TLS configuration for Nginx yet, so we have to manually configure (install) SSL/TLS.

Your SSL/TLS certificate will be saved under /etc/letsencrypt/live/nextcloud.your-domain.com directory.

Install the SSL/TLS Certificate

Edit the Nginx config file for Nextcloud.

sudo nano /etc/nginx/conf.d/nextcloud.conf

Change the configuration as follows:

upstream php-handler {
    server unix:/run/php-fpm/php-fpm.sock;
}

server {
   listen 80;
   server_name nextcloud.your-domain.com;
   # enforce https
   return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nextcloud.your-domain.com;

    ssl_certificate /etc/letsencrypt/live/nextcloud.your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.your-domain.com/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }

    location ~ /.well-known/acme-challenge {
      allow all;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
       rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
       include fastcgi_params;
       fastcgi_split_path_info ^(.+\.php)(/.*)$;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param PATH_INFO $fastcgi_path_info;
       fastcgi_param HTTPS on;
       #Avoid sending the security headers twice
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
       fastcgi_pass php-handler;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
   }

   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }
}

Save and close the file. Then reload Nginx.

sudo systemctl reload nginx

Enter your Nextcloud domain name in browser address bar and finish the installation.

Auto-Renew TLS Certificate

It’s advisable to auto-renew Let’s Encrypt TLS certificate. We can achieve that with cron job. First install cronie on Arch Linux.

sudo pacman -S cronie

Then edit the crontab file of root user.

sudo crontab -e

Put the following line into the file which will try to renew your cert once per day.

@daily certbot renew --quiet

Save and close the file.

Congrats! You have successfully set up NextCloud personal cloud storage on Arch Linux with Nginx, MariaDB and PHP7.

As always, if you found this post useful, then please subscribe to our free newsletter or follow us on Google+Twitter or like our Facebook page. Thanks for visiting!

Rate this tutorial
[Total: 5 Average: 4.2]
  • Thank you very much for this. <3
    I will definitely try it.

  • Ok.
    I’ve got a few questions:
    1.I’ve got my domain setup so:
    cloud.domain.com points to the same IP as domain.com
    What if I want to have a normal website at domain.com and a drive at cloud.domain,com? (Even domain.com/cloud would be nice)

    2. Do you know how can I get transmission which is accessible through domain.com:port to be accessible as either transmission.domain.com or domain.com/transmission?

    It’s my first time with a web server 😀

    P.S.
    Also, this installation destroyed my plex web player.
    Trying to access it through localip:32400 or publicip:14885 throws me at the nextcloud page

    • An IP can host multiple domains ( or websites), however you need to be careful about what web server you use and the configurations.

      The configurations in this tutorial is suitable when you want a normal website at domain.com and a drive at cloud.domain.com. You just need to follow the instructions in this tutorial to setup cloud.domain.com. If you want a normal website, then you need to create another nginx config file under /etc/nginx/conf.d/ for your website.

      I wrote a tutorial about Deluge torrent on Ubuntu 16.04 server before.
      How to Install Latest Deluge BitTorrent Client on Ubuntu 16.04/14.04

      and qbittorrent
      Install qBittorrent on Ubuntu 16.04 Desktop and Server

      Although it’s for Ubuntu, you can apply the configurations on Arch Linux because both Arch and Ubuntu use systemd now. I will write a transmission tutorial in the near future.

      • Hey.
        You are really helpful, your tuts are pretty good and I hope I’m not bothering you too much, but I’ve ran into more issues.

        I wanted to use phpMyAdmin, to fix a few things with my database, but
        -Instaling it
        -Adding a symlink to /usr/share/nginx/html/phpMyAdmin
        -Even adding “mydomain.com mypublicIP mylocalIP” to server_name in nginx.conf

        Doesn’t let me access it with “mylocalIP/phpMyAdmin” or “mypublicIP/phpMyAdmin” leaving me with error 404

        Though adding proxy_pass for transmission works flawlessly.

        I haven’t done much more outside of your tutorials, so you could maybe help me fix that.

        • You need to specify the location of index.php for phpMyAdmin. After creating the symlink, add the following directives in nginx.conf server section

          location /phpMyAdmin/ {
                  root /usr/share/nginx/html/;
                  index index.php;
           }

          Save the file. Then reload nginx for the changes to take effect.

          sudo systemctl reload nginx
          • Ok. I’m really a noob 😀
            I was trying to access domain.com/phpMyAdmin
            while the name of the symlink was called:
            phpmyadmin

            Changing it to phpMyAdmin fixed my issues 😀

  • Also, there is no “letsencrypt” package, but “cerbot” is.

  • I’ve got another issue Xiao 😀
    In /usr/share/nginx/nextcloud/data/nextcloud.log I can read this:

    
    {"reqId":"nBJDJCsbkJIvwDu+4Xtu","remoteAddr":"111.111.111.111","app":"PHP","message":"mkdir(): Permission denied at /usr/share/nginx/nextcloud/lib/private/Setup.php#289","level":3,"time":"2016-10-26T19:59:28+00:00","method":"POST","url":"/index.php","user":"--"}
    {"reqId":"CzVdyqoJgar7AIRONP4i","remoteAddr":"111.111.111.111","app":"PHP","message":"mkdir(): Permission denied at /usr/share/nginx/nextcloud/lib/private/Setup.php#289","level":3,"time":"2016-10-26T20:00:50+00:00","method":"POST","url":"/index.php","user":"--"}
    {"reqId":"OqXCLvVt4WO/w4YvaP3P","remoteAddr":"111.111.111.111","app":"PHP","message":"mkdir(): Permission denied at /usr/share/nginx/nextcloud/lib/private/Setup.php#289","level":3,"time":"2016-10-26T20:01:04+00:00","method":"POST","url":"/index.php","user":"--"}
    {"reqId":"8IdT0N0jAT9xDPHZQxTY","remoteAddr":"111.111.111.111","app":"PHP","message":"mkdir(): Permission denied at /usr/share/nginx/nextcloud/lib/private/Setup.php#289","level":3,"time":"2016-10-26T20:01:09+00:00","method":"POST","url":"/index.php","user":"--"}
    {"reqId":"yO3INWeTvz4nQ7h7vh+j","remoteAddr":"111.111.111.111","app":"PHP","message":"mkdir(): Permission denied at /usr/share/nginx/nextcloud/lib/private/Setup.php#289","level":3,"time":"2016-10-26T20:01:32+00:00","method":"POST","url":"/index.php","user":"--"}
    {"reqId":"g0SQp0scLmYRoG2XusOa","remoteAddr":"111.111.111.111","app":"mysql.setup","message":"Specific user creation failed: An exception occurred while executing 'SELECT user FROM mysql.user WHERE user=?' with params ["oc_user"]:nnSQLSTATE[42000]: Syntax error or access violation: 1142 SELECT command denied to user 'user'@'localhost' for table 'user'","level":3,"time":"2016-10-26T20:05:14+00:00","method":"POST","url":"/index.php","user":"--"}
    {"reqId":"g0SQp0scLmYRoG2XusOa","remoteAddr":"111.111.111.111","app":"mysql.setup","message":"Database creation failed: An exception occurred while executing 'GRANT ALL PRIVILEGES ON `nextcloud` . * TO 'user'':nnSQLSTATE[42000]: Syntax error or access violation: 1044 Access denied for user 'user'@'localhost' to database 'nextcloud'","level":3,"time":"2016-10-26T20:05:14+00:00","method":"POST","url":"/index.php","user":"--"}
    

    How can I fix that?

    Pasting again

    
    grant all privileges on nextcloud.* to [email protected] identified by 'your-password';
    

    into mysql command line editor (inside nextcloud database of course) doesn’t address the issue.

    • My nextcloud.log also has these lines. If you can use Nextcloud without issues, I believe these errors can be ignored.

      • The thing is that I can’t Create users in the web interface configuration.
        I’m almost sure I’ve wrote that somewhere already.

        When I press create in the users settings, nothing happens and my browser returns:
        “Failed to load resource: the server responded with a status of 403 (Forbidden)
        Uncaught TypeError: Cannot read property ‘message’ of undefined(…)”

        Except from the above post I haven’t found any other info on what could be the cause of it.

        • I can create users on my Nextcloud server without issues. You may want to check out the nginx error log /var/log/nginx/error.log which may give you a hint of what’s wrong.

          • There is no error.log file 🙁 only access.log

            Thank you so much for all your help. I wouldn’t have done it without you.
            My issue was in one of managment/security apps, but I’m not really sure which, because I turned a bunch of them, turned some back on and user creation works just fine.

            I think I’m set now and there will be no more need to bother you 🙂
            I wish you all the best 🙂