AWS CloudFormation template that provisions an EC2 instance running Nextcloud file synchronization and sharing server, with a new Amazon S3 bucket as primary storage and AWS Backup for data protection. Includes option to mount existing S3 bucket.
Although this repository is released under the MIT-0 license, its CloudFormation template uses features from Nextcloud project. Nextcloud project's licensing includes the AGPL license.
The template offers the option to install Webmin which is released under BSD-3-Clause license. Usage of template indicates acceptance of license agreements of all software that is installed in the EC2 instance.
Solution can be deployed in a private subnet for internal only use.
Download the UbuntuLinux-Nextcloud.yaml file, and log in to the AWS CloudFormation console. Start the Create Stack wizard by choosing Create Stack. Select the stack template by selecting Upload a template file, then Choose File, select your .yaml file and click Next. Enter a Stack name and specify parameter values.
EC2 instance
- `ec2Name`: EC2 instance name
- `ec2KeyPair`: EC2 key pair name. Create a key pair if necessary
- `osVersion`: operating system version and processor architecture. Default architecture is Graviton arm64
- `instanceType`: EC2 instance type. Ensure the type matches the selected processor architecture. Default is the `t4g.xlarge` burstable instance type
- `ec2TerminationProtection`: enable EC2 termination protection to prevent accidental deletion. Default is `Yes`
Network
- `vpcID`: VPC with internet connectivity. Select the default VPC if unsure
- `subnetID`: subnet with internet connectivity. Select a subnet in the default VPC if unsure
- `displayPublicIP`: select `No` if your EC2 instance will not receive a public IP address. The EC2 private IP is displayed in the CloudFormation Outputs section instead. Default is `Yes`
- `assignStaticIP`: associates a static public IPv4 address using an Elastic IP address. Default is `Yes`
Remote Administration
- `ingressIPv4`: allowed IPv4 source prefix for remote administration services, e.g. `1.2.3.4/32`. You can get your source IP from https://checkip.amazonaws.com. Use `127.0.0.1/32` to block incoming access from the network. Default is `0.0.0.0/0`
- `ingressIPv6`: allowed IPv6 source prefix for remote administration services. Use `::1/128` to block all incoming IPv6 access. Default is `::/0`
- `allowSSHport`: allow inbound SSH. This option does not affect EC2 Instance Connect access. Default is `No`
- `installDCV`: install a graphical desktop environment and Amazon DCV server. Default is `No`
- `installWebmin`: install the Webmin web-based system administration tool. Default is `No`

SSH, DCV and Webmin inbound access are restricted to the `ingressIPv4` and `ingressIPv6` prefixes. Note that the defaults (`0.0.0.0/0` and `::/0`) admit every source address, so any of these services you enable is reachable from the whole internet until you narrow both prefixes to your own address.
Nextcloud
- `adminUserName`: Nextcloud admin username. Default is `admin`
- `phpVersion`: PHP version to install. Uses Ondřej Surý's `ppa:ondrej/php` repository
- `databaseOption`: `MariaDB` or `MySQL`. Default is `MariaDB`
- `r53ZoneID` (optional): Amazon Route 53 hosted zone ID to grant access to, for use with the Certbot `certbot-dns-route53` DNS plugin. A `*` value grants access to all Route 53 zones in your AWS account. Permission is restricted to `_acme-challenge.*` TXT DNS records using resource record set permissions. Default is an empty string for no access
S3
- `s3StorageClass`: S3 storage class for files in primary storage. Default is `STANDARD`
- `enableS3bucketLogging`: enable S3 server access logging. Default is `No`

S3 External Storage
- `externalS3Bucket` (optional): mount an existing S3 bucket within Nextcloud as external storage. Specify the name of a bucket in your account
- `externalS3BucketRegion`: AWS Region where `externalS3Bucket` is located
- `externalS3BucketStorageClass`: S3 storage class
EBS
- `volumeSize`: Amazon EBS volume size
- `volumeType`: EBS General Purpose volume type
AWS Backup
- `backupResource`: back up the EC2 instance, the S3 bucket, the existing S3 bucket mounted as external storage, or none. Versioning must be enabled on an S3 bucket mounted as external storage before AWS Backup can back it up. Default is `EC2-and-S3`
- `scheduleExpression`: CRON expression specifying when AWS Backup initiates a backup job. Default is `cron(0 1 ? * * *)`
- `scheduleExpressionTimezone`: timezone in which the schedule expression is set. Default is `Etc/UTC`
- `deleteAfterDays`: number of days after creation that a recovery point is deleted. Default is `35` days
It may take more than 30 minutes to provision the entire stack. After your stack has been successfully created, its status changes to CREATE_COMPLETE.
The following are available in the Outputs section
- `DCVwebConsole` (if `installDCV` is `Yes`): DCV web browser console URL link. Log in as `ubuntu`. Set the user password by running `sudo passwd ubuntu` from an `EC2instanceConnect`, `SSMsessionManager` or SSH session first
- `EC2console`: EC2 console URL link to your EC2 instance
- `EC2instanceConnect`: EC2 Instance Connect URL link. Functionality is only available under certain conditions
- `NextcloudLogUrl`: CloudWatch log group with the contents of nextcloud.log
- `SetPasswordCmd`: command to set the Nextcloud admin password
- `SSMsessionManager` or `SSMsessionManagerDCV`: SSM Session Manager URL link
- `WebminUrl` (if `installWebmin` is `Yes`): Webmin URL link. Set the root password by running `sudo passwd root` from an `EC2instanceConnect`, `SSMsessionManager` or SSH session first
- `WebUrl`: EC2 web server URL link
Use either the EC2 Instance Connect or the SSM Session Manager URL link to obtain in-browser terminal access to your EC2 instance. Copy and paste the `SetPasswordCmd` value to set the Nextcloud admin password. For example, if the `adminUserName` value is `admin`, the command is

```shell
sudo -u www-data php /var/www/html/occ user:resetpassword admin
```

After that, you can log in to your Nextcloud application using the `WebUrl` link, or proceed to install an HTTPS certificate.
The EC2 instance uses a self-signed certificate for HTTPS, so browsers warn until you replace it. You can use Certbot to automatically obtain and install a Let's Encrypt certificate on your web server.

Ensure you have a domain name whose DNS entry resolves to your EC2 instance IP address. If you do not have a domain, you can register a new domain using Amazon Route 53 and create a DNS A record.

The `certbot --apache` option requires your domain name to resolve to your EC2 instance public internet IP address, because Let's Encrypt validates ownership by connecting to the web server. From a terminal, run

```shell
sudo certbot --apache
```

The `certbot-dns-route53` option requires your DNS to be hosted by Route 53. It supports wildcard certificates and domain names that resolve to private IP addresses, since validation is done through a `_acme-challenge` TXT record rather than an inbound connection. Ensure that Route 53 zone access is granted by specifying the `r53ZoneID` value. From a terminal, run

```shell
sudo certbot --dns-route53 --installer apache
```

Follow the instructions to have Certbot request and install the certificate on your web server. Refer to the Certbot site for help with this tool.
To configure HTTP Strict Transport Security (HSTS) headers, edit the `*ssl.conf` file in the `/etc/apache2/sites-available/` folder and add the following text between the `<VirtualHost>` and `</VirtualHost>` lines. The `max-age` of 15552000 seconds (180 days) is the minimum that Nextcloud's admin overview checks for; `includeSubDomains` makes browsers apply the policy to every subdomain as well, so leave it out if any subdomain still serves plain HTTP.

```apacheconf
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
```

Verify the Apache configuration

```shell
sudo apachectl -t
```

Reload the Apache server

```shell
sudo systemctl reload apache2
```
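The following is an added example, not code from this repository or from the Nextcloud project, that performs the edit above without leaving duplicate directives behind: it adds the block only when no `Strict-Transport-Security` directive exists, rewrites an existing one in place when its `max-age` is below the 15552000-second minimum, and leaves the file alone when it is already correct. The vhost text it tests against is constructed for the example; the `ensure_hsts_in_file` helper and its path argument are assumptions for use on the instance.

```python
import re
import sys

# 15552000 s (180 days) is the minimum max-age Nextcloud's admin overview
# accepts before it stops warning about missing HSTS.
MIN_MAX_AGE = 15552000
HSTS_DIRECTIVE = (
    'Header always set Strict-Transport-Security '
    '"max-age=15552000; includeSubDomains"'
)
HSTS_BLOCK = "<IfModule mod_headers.c>\n    " + HSTS_DIRECTIVE + "\n</IfModule>\n"

# An uncommented Strict-Transport-Security directive on its own line. Both
# patterns are anchored at line start so a commented-out directive is ignored.
DIRECTIVE_RE = re.compile(
    r'^[ \t]*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"[^"]*"[ \t]*$',
    re.M,
)
MAX_AGE_RE = re.compile(
    r'^[ \t]*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"[^"]*max-age=(\d+)',
    re.M,
)


def hsts_max_age(conf):
    """max-age of the first active Strict-Transport-Security directive, or None."""
    m = MAX_AGE_RE.search(conf)
    return int(m.group(1)) if m else None


def ensure_hsts(conf):
    """Return conf with a strong HSTS directive; unchanged if one is already present."""
    age = hsts_max_age(conf)
    if age is not None and age >= MIN_MAX_AGE:
        return conf
    if age is not None:
        # A weaker directive exists: rewrite it rather than adding a second
        # `Header set`, which would otherwise silently win later in the file.
        return DIRECTIVE_RE.sub("    " + HSTS_DIRECTIVE, conf, count=1)
    end = conf.rfind("</VirtualHost>")
    if end == -1:
        raise ValueError("no </VirtualHost> block to add the header to")
    return conf[:end] + HSTS_BLOCK + conf[end:]


def ensure_hsts_in_file(path):
    """Apply ensure_hsts to an Apache site file; returns True if the file changed."""
    with open(path, encoding="utf-8") as fh:
        conf = fh.read()
    updated = ensure_hsts(conf)
    if updated != conf:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return updated != conf


# Constructed sample vhost, shaped like Apache's default SSL site.
SAMPLE_VHOST = (
    "<IfModule mod_ssl.c>\n"
    "<VirtualHost _default_:443>\n"
    "    ServerName nextcloud.example.com\n"
    "    DocumentRoot /var/www/html\n"
    "    SSLEngine on\n"
    "</VirtualHost>\n"
    "</IfModule>\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("changed" if ensure_hsts_in_file(sys.argv[1]) else "already configured")
    else:
        print(ensure_hsts(SAMPLE_VHOST))
```

Run it as root against each `*ssl.conf` in `/etc/apache2/sites-available/`, then `sudo apachectl -t` and `sudo systemctl reload apache2` as above; the script only edits the file and does not validate or reload Apache itself.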
Nextcloud can use an email server for password reset and activity notifications. You can configure Nextcloud to use an external SMTP server (e.g. Amazon SES), or sendmail.

When configuring an external SMTP server, use port 465, 587 or another supported port that is not 25. Amazon EC2 restricts email sending over port 25 on all instances by default. You can request that this restriction be removed if you are using port 25 for an external SMTP server or sendmail. Refer to How do I remove the restriction on port 25 from my Amazon EC2 instance or Lambda function? for more information.
The `occ` command is Nextcloud's command-line interface. It is used to perform common server operations such as installing and upgrading Nextcloud, and must be run as the HTTP user, i.e. `sudo -u www-data php /var/www/html/occ`. On the EC2 instance, you can use the alias `nextcloud.occ`.
The Nextcloud external storage feature enables you to mount external storage services, including Windows file servers and S3 buckets, as secondary storage. Refer to the Nextcloud documentation for details.

Desktop and mobile application download links are available from the Nextcloud Install page. Refer to the Nextcloud documentation.

The administration guide and user manual are available from the Nextcloud documentation site.
Nextcloud is mentioned by the following blog posts
- Scale your Nextcloud with Storage on Amazon Simple Storage Service (Amazon S3)
- Advanced Nextcloud Workflows with Amazon Simple Storage Service (Amazon S3)
Amazon S3 is used to provide almost unlimited, cost-effective and durable storage compared with EBS. Using S3 as primary storage provides performance benefits over S3 as external storage, including support for large file uploads.

Note that files are not accessible outside of Nextcloud, as all metadata (filenames, directory structure, etc.) is stored in the MariaDB/MySQL database on the EC2 instance, while the S3 bucket holds file content keyed by an object identifier (Nextcloud names objects `urn:oid:<fileid>`) rather than by filename. This has implications for backup and recovery: a restored database that does not match the bucket contents points at objects that no longer exist, and a restored bucket without its database is a set of unnamed blobs. Back up both the EC2 instance and the S3 bucket, and restore them to the same point in time.
If you enable AWS Backup, you can restore your EC2 instance and S3 data from recovery points (backups) in your backup vault. The CloudFormation template creates an IAM role that grants AWS Backup permission to restore your backups. The role name can be located in your CloudFormation stack Resources section where the Logical ID is `backupRestoreRole`.
To protect recovery points from inadvertent or malicious deletions, you can enable AWS Backup Vault Lock in compliance mode to provide immutable WORM (write-once, read-many) backups. Vaults that are locked in compliance mode cannot be deleted once the cooling-off period ("grace time") expires if any recovery points are in the vault. Refer to Protecting data with AWS Backup Vault Lock for more information.
The Nextcloud server uses the EC2 IAM role for S3 primary storage access. If `assignStaticIP` is `Yes`, you can limit access to only your Nextcloud server. The temporary credentials the instance obtains from the instance metadata service can still be read by anyone who gains code execution on the instance, but with this restriction in place they cannot be used from an attacker's own address. Note that `aws:SourceIp` is not evaluated for requests that reach S3 through a VPC endpoint (for example from a private subnet with an S3 gateway endpoint); use the `aws:SourceVpce` condition key to pin the policy to that endpoint instead.

The created IAM role can be located in the CloudFormation console stack Resources section with the Logical ID of `instanceIamRole`. Click on the Physical ID value to edit the inline permission in the IAM console. Change the `aws:SourceIp` value from `0.0.0.0/0` to your EC2 instance public IPv4 address. If the IP address is 1.2.3.4, your updated policy may look similar to the following
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "1.2.3.4/32"
                }
            },
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::nextcloud-s3bucket-8ohvkk9vzv2f",
                "arn:aws:s3:::nextcloud-s3bucket-8ohvkk9vzv2f/*"
            ],
            "Effect": "Allow"
        }
    ]
}
```
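As an added example (not part of the CloudFormation template), the following script checks a policy document of the shape shown above for S3 `Allow` statements that carry no effective source-IP restriction, and produces a hardened copy pinned to the instance's address as a host prefix. The sample policy embedded in it is constructed, with a placeholder bucket name; the restriction is the same one the text describes and carries the same VPC-endpoint caveat.

```python
import ipaddress
import json
from copy import deepcopy

# Constructed sample: the shape of the inline policy attached to instanceIamRole,
# still carrying the permissive default condition. The bucket name is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::nextcloud-s3bucket-example",
                "arn:aws:s3:::nextcloud-s3bucket-example/*",
            ],
            "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0/0", "::/0"]}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _grants_s3(statement):
    """True for Allow statements that cover any S3 action (or the wildcard)."""
    return statement.get("Effect") == "Allow" and any(
        a == "*" or a.lower().startswith("s3:") for a in _as_list(statement.get("Action"))
    )


def _is_catch_all(prefix):
    """0.0.0.0/0 and ::/0 match every address and therefore restrict nothing."""
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def open_s3_statements(policy):
    """Indexes of S3 Allow statements with no effective aws:SourceIp restriction:
    either no IpAddress condition at all, or one that includes a catch-all prefix."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if not _grants_s3(st):
            continue
        prefixes = _as_list(
            st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        )
        if not prefixes or any(_is_catch_all(p) for p in prefixes):
            findings.append(i)
    return findings


def restrict_to_instance(policy, instance_ip):
    """Return a copy of policy with every S3 Allow statement pinned to the
    instance's address as a host prefix (/32 for IPv4, /128 for IPv6)."""
    host = ipaddress.ip_network(instance_ip)  # "1.2.3.4" -> 1.2.3.4/32
    hardened = deepcopy(policy)
    for st in hardened.get("Statement", []):
        if _grants_s3(st):
            cond = st.setdefault("Condition", {})
            cond.setdefault("IpAddress", {})["aws:SourceIp"] = str(host)
    return hardened


if __name__ == "__main__":
    print("open S3 statements before:", open_s3_statements(SAMPLE_POLICY))
    hardened = restrict_to_instance(SAMPLE_POLICY, "1.2.3.4")
    print("open S3 statements after:", open_s3_statements(hardened))
    print(json.dumps(hardened, indent=2))
```

The `PolicyDocument` returned by `aws iam get-role-policy` can be passed to `open_s3_statements` as-is to audit the live role, and the hardened output pasted back through the IAM console as the text describes. Keep the caveat above in mind: if the instance reaches S3 through a VPC endpoint, a policy that passes this check will deny the instance itself, and `aws:SourceVpce` is the right key.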
An IAM user with an attached policy is used for S3 external storage access; using the EC2 IAM role for external storage currently generates errors in nextcloud.log (Issue #46400). The IAM user can be located in the CloudFormation Resources section where the Logical ID is `iamUser`, and you may want to set the associated policy's `aws:SourceIp` value in the same way as for the instance role. You can modify the attached IAM policy to mount additional S3 buckets; the security credentials are located in `/root/.nextcloud-credentials` on the EC2 instance. Unlike the role's session credentials, these access keys do not expire, so keep the file readable by root only and rotate the keys in IAM if the instance is ever compromised.
To strengthen your data security posture, you can enable Amazon Macie to automate discovery of sensitive data that is uploaded to your S3 bucket.
To further secure your EC2 instance, you may want to
- Restrict remote administration access to your IP address only (`ingressIPv4` and `ingressIPv6`)
- Disable SSH access from the public internet (`allowSSHport`). Use EC2 Instance Connect or SSM Session Manager for in-browser terminal access. If you have the AWS CLI and the Session Manager plugin for the AWS CLI installed, you can start a session using the AWS CLI or SSH
- Remove the DCV web browser client package by running `sudo apt remove -y nice-dcv-web-viewer`. Connect using the native Windows, macOS or Linux client
- Deploy the EC2 instance in a private subnet. Use an Application Load Balancer and AWS WAF to protect your EC2 instance. You can use AWS Certificate Manager to request a public HTTPS certificate and associate it with your Application Load Balancer
- Enable Amazon Inspector to automatically scan the EC2 instance for software vulnerabilities and unintended network exposure
- Enable Amazon GuardDuty and GuardDuty Malware Protection for EC2 to detect potentially malicious activity in your AWS account
To remove created resources,
- Empty created S3 bucket(s)
- Delete any recovery points in created backup vault
- Disable EC2 instance termination protection (if enabled)
- Delete CloudFormation stack
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.