Successfully setup nextcloud, some questions remaining

I have successfully setup nextcloud but there are some questions left:

I dont know, if something got wrong while installation, but it was installed with sqlite backend. How can this be changed? Isnt the standard backend something else, did I mess something up? How can I change the backend the easiest way?

We plan to implement shareable calendar for our employes. So I wanted to ask, if it is the prefered way to do so by creating the calendars and maybe contacts in nextcloud and share dem via caldav, or are there better options?

Another question, my boss had is if it is possible to somehow limit the access to these calendars, similar to macadress filtering limiting access to the own network. The goal would be, that only business hardware is allowed to gain access to these calendar. Any idea on that?

Speaking of authentication. My boss wants me to implement 2FA, but not only for the cloud, but possibly for windows AD logins too. Is there an easy or recomended way to implement this with nethserver created active directory domain?

As I read about new onlyoffice recently being released as an app, I wanted to know, if there are plans to support that version of nextcloud 18 within nethserver? Or can I install it already now? And if so - does any of you know, how to activate it? I have privatly a nextcloud 18 instance and was able to download and activate this after getting passed the curl timeout error, but I did not have the time yet, to find out, howto activate it.

I know, that the alternative would be colabora online, but I thought, I’d like to compare the two solutions as the one needs a separate instance in a container, while the ladder does not anymore.

If you installed Nextcloud through the software center, I have no idea how this could have happened. Something is very wrong with your installation.

There are at least three solutions for calendar/contact sharing: Nextcloud, SOGo, and WebTop; AFAIK any of them would allow what you’re trying to do.

There’s no way to limit by MAC address. Access could be limited by network (i.e., only clients on your LAN could access it), but at this time you’d need to do that by manually editing the web server config files. I wouldn’t expect that should be too difficult to add to the package though.

Nextcloud 18 makes some changes to this, but OnlyOffice has been available for quite a while, and it’s also supported on Nethserver:

I’m sure there will be an update for Nextcloud 18 soon. Be patient–it’s been less than a week since it was released.

In their current Nethserver implementations, neither Collabora nor OnlyOffice requires a separate instance in a container.


You will need a software component to this like Duo. Fail2Ban might somewhat work here but the amount of headaches I can see that causing isn’t worth it.


I use Nextcloud for my clients in need of shared calenders.

Usually I create a user like AdminCAL to create and own the calenders, allowing for users or groups to access (read) and / or write to the calenders.

Employees can’t change say a “Public Holidays” calender, but can make an entry in the “Vacation request” calender…

This works quite well.

My 2 cents

I did install through software center, and I am confused too, but never mind, I am willing to restart from scratch as this shall be our production server and I want it to be setup correctly. My first attempt was with an internal domain for testing purposes, and I then was convinced, that nethserver suits our needs very good.

The second try was with the name of an external domain, but…

  • I set it up with self signed certificate, and only after created a certificate from letsencrypt when for testing nextcloud. That created another problem in windows domain member when wanted to install .Net and it complained that CN name was not corresponding.

  • Also maybe not the best approach, after having installed from the cd - even before updating, I went into software center and activatecd basically every module that we would need. The only packaged, I did not (yet) install, are:

Dedalo Hotsport
Fax server
Instant messaging
POP3 Proxy
SOGo groupware
VoIP PBX (will probably need that later)

So all other packages were selected and installed in one go. Maybe I should start one by one. And especially, I thought, that it maybe makes sense, to first create a correct certificate and only then create the productive domain. :slight_smile:

Is there a preferable order of which packages to install first? I think the best approach is first update then create certificate and then the domain and then one installation after the other, right ?

I will report back how it went. Thanks for your very helpfull comments!

Actually the order of packages are mostly not important.

Important: Installation and Updates (No modules yet!)
Then language module.

Create Domain and add SSL with LetsEncrypt

Add AD Authentification provider
Add at least one user and say remotdesktopusers as a group

Add Modules now.
Some Modules have prerequisites like StephDLs repo, your mileage may vary.

But it is definitely worth setting up a server really well - it’ll give much less headache later on.
If you’re running in a vm environment, disk space can easily be corrected any time later!

My 2 cents

Hi Andy_Wismer,

thanks, I start doing it. Language module? I already have setup german while installation from cd. About domain creation. So first I create the domain, then get the certificate? Not the other way round? I was asking myself if the domain controller would also need the letsencrypt certificate?

I also use german (Being in the german part of Switzerland…).
But sofar after the installation in german, after reboot it came in english with the german module not yet installed…

You must create the domain, and make sure the server is accessible from the internet with the chosen name.

I use something like, where
XX is the initials of the company Institution
YY is the initials for the site

This has to be entered in your external DNS (For the Internet)
Your firewall also has to be configured to allow Port 80 and 443 to the NethServer.
The DNS Entries also have to be made on your internal DNS Server, your NethServer.

Further names can be added later on, if you say need names like

This poses no problem modifiying the names later on. All names / aliases must be internet resolveable and reachable - letsencrypt checks if the stated server is really accessible!

The main thing is, your server is already running a letsencrypt ssl certificate when you set up your AD. (or Nextcloud or anything that might use SSL…)

The AD would then be called
Change the NETBios Name of the AD to something representing the Network…
Then click to create that AD!

So, wo bist du denn eigentlich am werkeln?

My 2 cents

Tschau Andy,

Switzerland here too :slight_smile:

Fine, the prerequisites are already setup now (dns and everything) so I am now installing my production version in the next hours.

That was my impression too, that I will need to first get certificate and then setup active directory. Thanks for your confirmation.

Will report tommorrow how it went

Good Luck and progress!

Always better to get the foundation / basement done first, then build the house, then the roof.

You can start with the roof first, prop it up, build some walls around it, then dig a cellar or foundations - i just have my doubts about wind, stability and other issues…


After setting up letsencrytp, log out and login with the right url instead of IP when setting up your AD. Not a requirement, but better! You also see right away if the SSL is correctly accepted by your Browser…

Hi Andy, and all other reading here,

i schaffe in ZH :wink:

I think, I have a problem with routing after forwarding the ports to the nethserver guest. As I did not find any useful information on how to do this with firewall-cmd commands, I am using the following sequence of iptables lines.

I read, that the problem with firewall-cmd is that it sets its rules after libvirt rules, so that it does not work. So here is what I do to open and forward a port:

iptables -I FORWARD -o virbr1 -d -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to
iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to
iptables -t nat -I PREROUTING -p tcp --dport 22 -j DNAT --to
iptables -I FORWARD -o virbr1 -d -j ACCEPT
iptables -t nat -A POSTROUTING -s -j MASQUERADE
iptables -A FORWARD -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr1 -o enp26s0 -j ACCEPT
iptables -A FORWARD -i virbr1 -o lo -j ACCEPT

This works for accessing ssh which is forwarded to the vm, so I thought, I am good. But I am not, as I still can resolve dns (checked by ping something).

But I cannot install any package:

yum install nethserver-squid
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

  • ce-base:
  • ce-extras:
  • ce-sclo-rh:
  • ce-sclo-sclo:
  • ce-updates:
  • epel:
  • nethforge:
  • nethserver-base:
  • nethserver-updates:
    Resolving Dependencies
    → Running transaction check
    —> Package nethserver-squid.noarch 0:1.10.5-1.ns7 will be installed
    → Processing Dependency: squid >= 3.5.20 for package: nethserver-squid-1.10.5-1.ns7.noarch
    → Running transaction check
    —> Package squid.x86_64 7:3.5.20-999.ns7 will be installed
    → Processing Dependency: squid-migration-script for package: 7:squid-3.5.20-999.ns7.x86_64
    → Processing Dependency: perl(DBI) for package: 7:squid-3.5.20-999.ns7.x86_64
    → Processing Dependency: for package: 7:squid-3.5.20-999.ns7.x86_64
    → Processing Dependency: for package: 7:squid-3.5.20-999.ns7.x86_64
    → Running transaction check
    —> Package libecap.x86_64 0:1.0.0-1.el7 will be installed
    —> Package libtool-ltdl.x86_64 0:2.4.2-22.el7_3 will be installed
    —> Package perl-DBI.x86_64 0:1.627-4.el7 will be installed
    → Processing Dependency: perl(RPC::PlServer) >= 0.2001 for package: perl-DBI-1.627-4.el7.x86_64
    → Processing Dependency: perl(RPC::PlClient) >= 0.2000 for package: perl-DBI-1.627-4.el7.x86_64
    —> Package squid-migration-script.x86_64 7:3.5.20-999.ns7 will be installed
    → Running transaction check
    —> Package perl-PlRPC.noarch 0:0.2020-14.el7 will be installed
    → Processing Dependency: perl(Net::Daemon) >= 0.13 for package: perl-PlRPC-0.2020-14.el7.noarch
    → Processing Dependency: perl(Net::Daemon::Test) for package: perl-PlRPC-0.2020-14.el7.noarch
    → Processing Dependency: perl(Net::Daemon::Log) for package: perl-PlRPC-0.2020-14.el7.noarch
    → Running transaction check
    —> Package perl-Net-Daemon.noarch 0:0.48-5.el7 will be installed
    → Finished Dependency Resolution

Dependencies Resolved

Package Arch Version Repository Size

nethserver-squid noarch 1.10.5-1.ns7 nethserver-updates 1.3 M
Installing for dependencies:
libecap x86_64 1.0.0-1.el7 ce-base 21 k
libtool-ltdl x86_64 2.4.2-22.el7_3 ce-base 49 k
perl-DBI x86_64 1.627-4.el7 ce-base 802 k
perl-Net-Daemon noarch 0.48-5.el7 ce-base 51 k
perl-PlRPC noarch 0.2020-14.el7 ce-base 36 k
squid x86_64 7:3.5.20-999.ns7 nethserver-base 3.1 M
squid-migration-script x86_64 7:3.5.20-999.ns7 nethserver-base 48 k

Transaction Summary

Install 1 Package (+7 Dependent packages)

Total download size: 5.4 M
Installed size: 19 M
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for nethserver-updates
No Presto metadata available for nethserver-base
No Presto metadata available for ce-base
libtool-ltdl-2.4.2-22.el7_3.x8 FAILED [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article

If above article doesn’t help to resolve this issue please use

libecap-1.0.0-1.el7.x86_64.rpm FAILED [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
perl-PlRPC-0.2020-14.el7.noarc FAILED [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
perl-DBI-1.627-4.el7.x86_64.rp FAILED [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
libtool-ltdl-2.4.2-22.el7_3.x8 FAILED [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Error downloading packages:
7:squid-3.5.20-999.ns7.x86_64: [Errno 256] No more mirrors to try.
perl-Net-Daemon-0.48-5.el7.noarch: [Errno 256] No more mirrors to try.
nethserver-squid-1.10.5-1.ns7.noarch: [Errno 256] No more mirrors to try.
perl-PlRPC-0.2020-14.el7.noarch: [Errno 256] No more mirrors to try.
perl-DBI-1.627-4.el7.x86_64: [Errno 256] No more mirrors to try.
7:squid-migration-script-3.5.20-999.ns7.x86_64: [Errno 256] No more mirrors to try.
libecap-1.0.0-1.el7.x86_64: [Errno 256] No more mirrors to try.
libtool-ltdl-2.4.2-22.el7_3.x86_64: [Errno 256] No more mirrors to try.


So what am I missing? Is there an easier way to successfully portforward a port with firewall-cmd ? As soon as I reload cmd-firealld reload, I can successfully install a package, so it has to do with above sequence.

Btw. I think the problem with not being able to get a certificate is related with this, so I need some help. I will continue to search another way to portforward…


Bi in Zug und Kreuzlingen dehei…

So is your Nethserver the acting firewall?
What is your internet connection - cabel, vdsl?

I always use a separate firewall to prevent such issues from happening. Be it because of failover or any quirks of firewalling - i prefer my Nethserver untainted by this.
So I may not be able to specifically help you in this case.
I use OPNsense as a firewall, a Fork of the swiss developed M0n0wall. That also works Very well in a proxmox environment…

It might be a good idea - even temporarily - to setup a separate firewall / internet connection till you installed / setup what you really need. You can always decide later which box should do firewalling.

OPNsense takes 10-15 minutes to install in Proxmox, maybe even less…
NO command line necessary for any operation, all done from the GUI, even complex rules and Provider Failover or even full HA with two boxes!
These can be combinations of real / virtual or whatever.

OPNsense is free to download and use, there are no “premium” versions or such. You want to support their great project? Buy / use their Hardware… (Combined with a virtual one for fulll HA!).

Get your Firewall working from scratch in 15-20 minutes, with rules and all…



the problem is, that it is a hosted rootserver with centos 8 and just kvm installed, nothing else. Within I created am vm and installed nethserver. I created a bridge in promiscuous mode for external access and an isolated internal network for lan.

So basically the only thing I need to find out is how a port is correctly forwarded. Opening port so that it is passed to guest works. I can connect to the vm through forwarded ssh for example. There I must missing something that messes up routing.

I am willing to try to do it with firewalld-cmd but aparently the problem is that it injects its rules after the blocking libvirt rule, from what I am reading.

OK, I understand better!

You told me about this setup earlier, but I think in a different post.

What could make things easier is eg install webmin or something on your KVM Host. I’ve had good experiences in such environments with webmin, then also only remote limited access.

Webmin can help administrating stuff like the Firewall or your KVM environment.

I used it a while back to setup very complex time based rules for Squid Proxy, like allowing the night shift access to stuff like FB, but not during daytime working hours. Nethserver GUI couldn’t handle such complex stuff. I only used NethServer for the rules, thereafter templating them. I never touched any other aspect of NethServer with Webmin! (Didn’t want to break a well working setup!).

I think, it is more of a problem with the routing because having had an isolated brigded network, to be able to have nethserver being dhcp server, and I messed this thing while tinkering with the xml file. I start creating a new network and report back :wink:

Besides from gentoo world I am used to console and not so keen on webtools, if possible I avoid them.

OK, good luck!

ty, I’ll be back :smiley:

Andy, ich schaffs nicht :neutral_face:

The problem is, when opening a port, then something in networkstack goes south. I have discovered two ways of opening a port:
With iptables or with a hook script in /etc/libvirt/hooks/qemu.

It works both ways, for example, I opened non standard ssh port, and also 80 and 443.

But as soon as I do that, I cannot install any packages anymore within nethserver (404 error), and I cannot retreive a certificate.

I can re-establish network connection by reloading iptables thus flushing away the created rules creating by the methods mentioned above.

The only certificate, I was able to generate was the one for nextcloud.

I dont get it how opening a port can degrade network connectivity like this. DNS still working, but installing packages does not…

Try it with webmin. your situ can’t get worse than no connectivity.
Maybe we’re overlooking some small detail, and webmin checks for that…

If it doesn’t help, it’s removed fast…

I will do so, and if it doesn’t work, I maybe come back to the suggestion to flush away centos and install promox, although it might be an overkill to just run some vms.