Added script for installing the Nextcloud Snap behind Caddy

caddy-webserver.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Caddy webserver
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+User=caddy
+Group=caddy
+ExecStartPre=/usr/bin/caddy validate --config /srv/www/Caddyfile
+ExecStart=/usr/bin/caddy start --config /srv/www/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /srv/www/Caddyfile
+ExecStop=/usr/bin/caddy stop
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectHome=full
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+#RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

nextcloud-snap-caddy-setup.md

@@ -0,0 +1,85 @@
+1. Install snapd & a web server (caddy in this guide)
+
+```
+sudo apt update && sudo apt install --yes snapd caddy
+```
+
+
+2. Start snapd systemd unit
+
+```
+sudo systemctl start snapd
+```
+
+
+3. Install Nextcloud snap
+
+```
+sudo snap install nextcloud
+```
+
+
+4. Initialize Nextcloud snap and create admin account
+
+```
+sudo /snap/bin/nextcloud.manual-install USER PASSWORD
+```
+
+
+5. Set trusted domains in Nextcloud
+
+```
+sudo /snap/bin/nextcloud.occ config:system:set trusted_domains NUMBER --value=DOMAIN
+```
+
+
+6. Set Nextcloud HTTP & HTTPS ports to 8080 & 4443
+
+```
+sudo snap set nextcloud ports.http=8080
+```
+
+```
+sudo snap set nextcloud ports.https=4443
+```
+
+
+7. Create (or add to) a Caddyfile to reverse proxy to Nextcloud
+
+```
+nano /path/to/Caddyfile
+```
+
+```
+DOMAIN {
+reverse_proxy   localhost:8080
+
+rewrite /.well-known/carddav    /remote.php/dav
+rewrite /.well-known/caldav     /remote.php/dav
+rewrite /.well-known/webfinger  /public.php?service=webfinger
+}
+```
+
+
+8. Stop Caddy systemd service & change Caddyfile path
+
+```
+sudo systemctl stop caddy
+```
+
+```
+cat /usr/lib/systemd/system/caddy.service | \
+sed "s|/etc/caddy/Caddyfile|/path/to/Caddyfile|g" | \
+sudo tee /usr/lib/systemd/system/caddy.service &> /dev/null
+```
+
+
+9. Reload systemd daemon and restart Caddy
+
+```
+sudo systemctl daemon-reload
+```
+
+```
+sudo systemctl start caddy
+```

nextcloud-snap-caddy.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+set -euo pipefail
+
+
+printf 'Enter username for Nextcloud admin account:\n'
+read -r USERNAME
+
+printf '\nEnter password for Nextcloud admin account:'
+read -sr PASSWORD
+
+printf '\n\nEnter domain name that will point to this server:\n'
+read -r DOMAIN
+
+
+sudo \
+	apt \
+		update \
+		&& \
+sudo \
+	apt \
+		install \
+		--yes \
+			snapd \
+			caddy \
+		|| \
+		exit \
+			1
+
+sudo \
+	systemctl \
+		enable \
+		--now \
+		snapd
+
+sudo \
+	snap \
+		install \
+		nextcloud
+
+sudo \
+	/snap/bin/nextcloud.manual-install \
+		${USERNAME} \
+		${PASSWORD}
+
+sudo \
+	/snap/bin/nextcloud.occ \
+		config:system:set \
+		trusted_domains \
+		0 \
+		--value=${DOMAIN}
+
+sudo \
+	snap \
+		set \
+		nextcloud \
+		ports.http=8080
+
+sudo \
+	snap \
+		set \
+		nextcloud \
+		ports.https=4443
+
+cat << EOF | sudo tee /etc/caddy/Caddyfile &> /dev/null
+${DOMAIN} {
+	reverse_proxy	localhost:8080
+
+	rewrite	/.well-known/carddav	/remote.php/dav
+	rewrite	/.well-known/caldav		/remote.php/dav
+	rewrite	/.well-known/webfinger	/public.php?service=webfinger
+}
+EOF
+
+sudo \
+	systemctl \
+	restart \
+	caddy

sshd_lockdown.conf

@@ -0,0 +1,3 @@
+PermitRootLogin no
+PasswordAuthentication no
+PermitEmptyPasswords no