11 Setting up Nextcloud and sncf
neil edited this page 2 months ago

Here's the process I followed to configure forms.42l.fr in production from a local development instance. It took me two hours. Sorry if the tutorial is not very clean – feel free to improve it.

There is currently no automatic configuration method. If you have the courage, feel free to develop one.

Note: This process has been followed on Nextcloud 19.0.1 with Nextcloud Forms 2.0.3 and sncf 1.0.0. Some details may differ depending on the version, which may or may not break things. Feel free to ask for advice if needed. Good luck.

  1. Pre-configuration

    • [reverse-proxy only] Route your public-facing (sub-)domain to your future Nextcloud instance address. This is temporary: once everything is fully configured, it should route to sncf instead.
    • [reverse-proxy only] Set up basic-auth as long as your instance isn't fully configured.
    • [reverse-proxy only] Do NOT route /.well-known/caldav and /.well-known/carddav as indicated in the Nextcloud tutorial. This is not necessary for our usage.
    • Set up your database (create a user and a database for Nextcloud).
  2. Install Nextcloud WITHOUT the default apps.

    • Use PostgreSQL or MariaDB as database for best performance.
    • Even if the login form won't be public-facing in the end, choose a strong admin password.
    • [reverse-proxy only] Set up the trusted_proxies configuration parameter as per the Nextcloud documentation.
  3. Login as admin.

    • Delete all your files (from the trash, too).
    • In Settings -> Administration -> Overview tab, there should only be two warnings about carddav and caldav. If there are more, fix them.
  4. Manage applications.

    • Remove or disable all Nextcloud applications except the following ones (install them if missing):
      • Forms
      • Custom CSS
      • Theming (should already be enabled).
  5. In Users (/settings/users):

    • In the Settings (bottom-left) menu, set the default quota to 0B (as a precautionary measure).
  6. Some more little tweaks left! Go to Settings.

    • Administration -> Sharing
      • Disable "Allow resharing"
      • Disable "Allow sharing with groups"
      • Disable "Allow username autocompletion in share dialog"
      • Uncheck all checkboxes in "Federated Cloud Sharing" section
    • Administration -> Groupware
      • Uncheck all
    • Administration -> Theming
      • Set the name, web link, slogan, logo and color you want (default color for 42l Forms is #1C65EF)
      • Set the legal notice and privacy policy link.
      • Set the favicon if you want.
      • Custom CSS section: add the following hackish code:

```css
#contactsmenu {
    display: none !important;
}

#settings {
    display: none !important;
}

.app-sidebar-tabs__content > ul:nth-child(2) {
    display: none !important;
}

.app-sidebar-tabs__content > ul:nth-child(4) > li:nth-child(1) {
    display: none !important;
}

.app-sidebar-tabs__content > ul:nth-child(4) > li:nth-child(2) {
    display: none !important;
}

#content-vue ~ div.popover.vue-popover-theme.open > div > div > div > div > ul > li[data-v-6c7cb9ab=""][data-v-889584e6=""]:nth-child(1) {
    display: none !important;
}

#appmenu > li[data-id="files"] {
    display: none !important;
}
```

⚠️ This will hide the user menu from your interface to provide a better end-user experience (the routes will be restricted anyway). If you need to re-enable your icons for some time, go to http://your-instance-url/settings/user, then to the Theming section again, comment out this CSS code and save. Note that this will affect all users. If you don't want that, tweak your own CSS.

  7. You're almost done. Open Nextcloud's config file config/config.php.

    • Consider adding 'simpleSignUpLink.shown' => false to remove Nextcloud's recommendation to create a Nextcloud account (which doesn't match this Forms service at all).

Now your Nextcloud instance should be ready. Let's move on to sncf.

  1. Copy config.toml.sample to config.toml and edit it.

    • If you're at this step, you should be able to configure most of it yourself.
    • sncf_url is your public-facing (sub-)domain.
    • nextcloud_url is the (supposedly) local IP address of your Nextcloud instance, preceded by the protocol (probably http://).
    • admin_username and admin_password are plaintext credentials for the admin account you just created.
    • You are advised to enable debug_mode at least during the first days in production. The debug mode won't slow down sncf, but will help you understand when something's wrong by printing a lot of data to stdout.
  2. Compile and run sncf.

    • sncf requires the following packages to be installed (on a Debian-based system):
      • libsqlite3-0 if you're using SQLite
      • libpq5 if you're using PostgreSQL
      • libmysql++-dev if you're using MySQL / MariaDB.
    • Compile and run using Cargo. You may need to install Rust beforehand.
      • cargo run --release --no-default-features --features sqlite for SQLite
      • cargo run --release for PostgreSQL
      • cargo run --release --no-default-features --features mysql for MySQL / MariaDB.
  3. Route through sncf instead of Nextcloud.

    • [reverse-proxy only] Route your public-facing address to sncf instead of Nextcloud.
    • [reverse-proxy only] [optional] You might want to set up direct access to Nextcloud without going through sncf, for technical purposes. You can do that on a secret port or route (not /admin/, though). Be sure to strengthen this access (at least with basic auth) to avoid transforming it into a backdoor for evil people.
  4. Open a browser in private navigation mode.

    • Try accessing https://<sncf_url>/. It should display the main page.
    • Try accessing https://<sncf_url>/link. It should generate an administration link. If you're already logged in – as admin – it will directly redirect you to Forms. So please try in private navigation mode.
    • Try accessing your administration link. It should redirect you to Forms.
    • Try creating a form and sharing it with peers. Enjoy.
    • If one of those steps fails, check the error message from sncf and try fixing the problem. Check if your version of sncf is compatible with Nextcloud's and Nextcloud Forms'.
    • If you think it's a bug, please file an issue with all the debug log, configuration, environment setup and error messages you can.

  5. Important: Configure a fail2ban instance.

    • There is currently no built-in rate-limiter or protection mechanism for /link and /admin/{admin_token} pages. This is being discussed in #8 and #9.
    • One request to /link without cookie means one created account on Nextcloud.
    • To lower the risk of getting DoS'd, you should restrict those two routes to a few accesses per day and per IP.
      • You can try 5 requests to /link per 48h and 12 requests to /admin/{admin_token} per 24h. If it's too restrictive, adjust it.
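As an added example (not part of this wiki page or of the sncf project), here is a fail2ban filter/jail pair implementing the thresholds above. It assumes nginx is the reverse proxy in front of sncf and writes its default "combined" access log to /var/log/nginx/access.log; the filter names sncf-link and sncf-admin and the file paths are my own choices.

```ini
# --- /etc/fail2ban/filter.d/sncf-link.conf (assumed path) ---
[Definition]
# An nginx "combined" access-log line, once fail2ban has cut out the
# timestamp, looks roughly like (constructed sample):
#   203.0.113.7 - - "GET /link HTTP/1.1" 302 0 "-" "Mozilla/5.0"
# Match /link, /link/ and /link?... but not e.g. /linked.
failregex = ^<HOST> -.*"(?:GET|POST) /link(?:[?/]\S*)? HTTP/
ignoreregex =

# --- /etc/fail2ban/filter.d/sncf-admin.conf (assumed path) ---
[Definition]
# Match any administration link, i.e. /admin/<token>, with optional query string.
failregex = ^<HOST> -.*"(?:GET|POST) /admin/[^ "?]+(?:\?\S*)? HTTP/
ignoreregex =

# --- /etc/fail2ban/jail.d/sncf.local (assumed path) ---
[sncf-link]
enabled  = true
filter   = sncf-link
logpath  = /var/log/nginx/access.log
# fail2ban bans once the match count reaches maxretry inside findtime,
# so maxretry = 6 allows 5 requests to /link per 48 h (172800 s) per IP;
# the 6th gets the address banned for the same duration.
maxretry = 6
findtime = 172800
bantime  = 172800

[sncf-admin]
enabled  = true
filter   = sncf-admin
logpath  = /var/log/nginx/access.log
# 12 requests to /admin/{admin_token} per 24 h (86400 s) per IP; the 13th bans.
maxretry = 13
findtime = 86400
bantime  = 86400
```

Test the regexes against your real log before enabling the jails with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/sncf-link.conf`, then `fail2ban-client reload` and check `fail2ban-client status sncf-link`. Two caveats: if another proxy or CDN sits in front of nginx, `<HOST>` will capture that proxy's address rather than the client's, so the jail would ban the proxy; and because the admin token is part of the URL, it is written to the access log, so keep that file's permissions tight and its retention short.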
  6. [reverse-proxy only] When you're good to go, remove the basic auth from your configuration to let people in.