# Quick Setup: TrueNAS Nextcloud + LemonSec

## Your Setup

- ✅ Proxmox VM running Docker/Portainer
- ✅ TrueNAS Scale VM running Nextcloud
- ✅ Need: family access to Nextcloud via a secure domain

## Timeline: 15 minutes to a working Nextcloud

---

## Phase 1: Prepare (5 min)

### 1. Get Your IPs

```bash
# On the Proxmox VM (where LemonSec will run)
ip addr show | grep "inet " | head -3
# Note the address, e.g. 192.168.1.50

# On the TrueNAS Scale VM
# Check the TrueNAS UI or run:
ip addr
# Note the address, e.g. 192.168.1.100

# Get the Nextcloud port in TrueNAS:
# Apps → Nextcloud → note the Node Port (e.g. 9001)
```

### 2. Configure Environment

```bash
cd LemonSec
cp .env.example .env
nano .env
```

Fill in:

```
CF_API_EMAIL=youremail@example.com
CF_API_KEY=your-cloudflare-global-api-key
TZ=Europe/Stockholm
TRUENAS_IP=192.168.1.100
TRUENAS_NEXTCLOUD_PORT=9001
```

### 3. Generate Secrets

```powershell
# PowerShell (on Windows): 32 random bytes as 64 hex characters, written without a trailing newline
$jwt = -join ((1..32) | ForEach-Object { '{0:x2}' -f (Get-Random -Max 256) })
$jwt | Set-Content secrets/authelia_jwt_secret.txt -NoNewline

$session = -join ((1..32) | ForEach-Object { '{0:x2}' -f (Get-Random -Max 256) })
$session | Set-Content secrets/authelia_session_secret.txt -NoNewline

$storage = -join ((1..32) | ForEach-Object { '{0:x2}' -f (Get-Random -Max 256) })
$storage | Set-Content secrets/authelia_storage_key.txt -NoNewline

# Or on Linux:
# openssl rand -hex 32 > secrets/authelia_jwt_secret.txt
# openssl rand -hex 32 > secrets/authelia_session_secret.txt
# openssl rand -hex 32 > secrets/authelia_storage_key.txt
```

---

## Phase 2: Deploy Core (5 min)

### 1. Start LemonSec

```bash
docker-compose up -d

# Check logs
docker-compose logs -f traefik
# Wait for: "Configuration loaded from files..."
# Press Ctrl+C when stable
```

### 2. Set Up CrowdSec

```bash
docker-compose exec crowdsec cscli bouncers add traefik-bouncer
# Copy the API key it prints

# Edit .env and add:
# CROWDSEC_API_KEY=paste-key-here

# Restart
docker-compose up -d
```

### 3. Start External Routing

```bash
docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d
```

---

## Phase 3: Cloudflare DNS (3 min)

Log in to the [Cloudflare Dashboard](https://dash.cloudflare.com).

### Add DNS Records

| Type | Name | Target | Proxy |
|------|------|--------|-------|
| A | cloud | YOUR_PROXMOX_PUBLIC_IP | 🟠 |
| A | auth | YOUR_PROXMOX_PUBLIC_IP | 🟠 |
| A | * | YOUR_PROXMOX_PUBLIC_IP | 🟠 |

### SSL/TLS Settings

- **SSL/TLS encryption**: Full (strict)
- **Always Use HTTPS**: ON

---

## Phase 4: TrueNAS Nextcloud Config (2 min)

### In TrueNAS Scale:

1. **Apps** → **Installed Applications** → **Nextcloud** → **Edit**
2. **Add Environment Variables**:

   ```
   NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
   OVERWRITEPROTOCOL=https
   OVERWRITEHOST=cloud.lemonlink.eu
   OVERWRITECLIURL=https://cloud.lemonlink.eu
   TRUSTED_PROXIES=192.168.1.50
   ```

   (Replace 192.168.1.50 with your Proxmox VM IP, the host LemonSec runs on)
3. **Save** and wait for the app to update

---

## Phase 5: Test (Immediately)

### 1. Test Nextcloud

```bash
# From anywhere
curl -I https://cloud.lemonlink.eu
# Should return 200 or a redirect to the login page
```

### 2. Access Web UI

Open: `https://cloud.lemonlink.eu`

You should see the Nextcloud login page!

### 3. Create Family Accounts

Log in as admin → **Users** → **Create** for each family member

---

## Optional: Add Authelia Protection

If you want an extra login step in front of Nextcloud:

### Edit docker-compose.external.yml

```yaml
# Replace the middleware line without Authelia:
# - "traefik.http.routers.nextcloud.middlewares=security-headers@file,rate-limit@file"
# with this one:
- "traefik.http.routers.nextcloud.middlewares=authelia@docker,security-headers@file,rate-limit@file"
```

### Restart

```bash
docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d
```

### Set Up Authelia User

```bash
# Generate a password hash
docker run --rm authelia/authelia:latest \
  authelia crypto hash generate argon2 \
  --password 'FamilyPassword123!'
# Edit authelia/users_database.yml
# Add family members with the hash

# Restart Authelia
docker-compose restart authelia
```

Now the family logs in to Authelia first, then Nextcloud.

---

## For Family Members

Send them this info:

```
🍋 Your Nextcloud Access

URL: https://cloud.lemonlink.eu
Login with your credentials (created by admin)

Mobile Apps:
- iOS: App Store → "Nextcloud"
- Android: Play Store → "Nextcloud"
- Desktop: nextcloud.com/install

Server address in apps: https://cloud.lemonlink.eu
```

---

## Troubleshooting

### "Access through untrusted domain"

```bash
# Shell into the Nextcloud pod on TrueNAS k3s
kubectl exec -it -n ix-nextcloud deployment/ix-nextcloud -- /bin/sh

# Check the config
grep trusted /var/www/html/config/config.php
# Should include 'cloud.lemonlink.eu'
```

### "502 Bad Gateway"

- Check TRUENAS_IP and TRUENAS_NEXTCLOUD_PORT in `.env`
- Verify the Nextcloud app is running in TrueNAS
- Test direct access: `curl http://TRUENAS_IP:PORT`

### "Too Many Redirects"

- Ensure OVERWRITEPROTOCOL=https is set
- Check that the Cloudflare SSL mode is "Full (strict)"

---

## Next Steps (After Nextcloud Works)

1. ✅ **Backup** - Set up automatic backups
2. ✅ **Monitoring** - Enable `--profile monitoring`
3. ✅ **More Services** - Add Portainer, etc.
4. ✅ **Security** - Review `docs/SECURITY.md`

---

## Files You Modified

Keep backups of these:

- `.env` - Your secrets and IPs
- `authelia/users_database.yml` - Family logins
- `docker-compose.external.yml` - Service routing
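Before Phase 2 starts the containers, the secret files and `.env` from Phase 1 and the Nextcloud variables from Phase 4 can be sanity-checked offline; the most common mistakes behind the "untrusted domain" and redirect-loop errors above are a wrong `TRUSTED_PROXIES` or `OVERWRITEPROTOCOL`, and a secret file that picked up a trailing newline. The preflight script below is an added example, not part of LemonSec; it assumes the file names used in this guide, takes the Phase 4 variables as a `KEY=value` file, and takes the Proxmox VM IP as an argument.

```shell
#!/usr/bin/env sh
# lemonsec_preflight.sh: constructed example, not part of LemonSec. Checks the
# files edited in Phase 1 and Phase 4 before Phase 2 starts the containers.

# A secret produced by 'openssl rand -hex 32' (or the PowerShell loop with
# -NoNewline) is exactly 64 hex chars; a trailing newline changes the length.
check_secret_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  [ "$(wc -c < "$f" | tr -d ' ')" -eq 64 ] || { echo "expected 64 bytes, no newline: $f"; return 1; }
  grep -Eq '^[0-9a-f]{64}$' "$f" || { echo "not 64 lowercase hex chars: $f"; return 1; }
}

# Print the value of KEY from an env-style file (empty if absent).
env_value() { sed -n "s/^$2=//p" "$1" | head -n 1; }

is_ipv4() { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Validate the .env written in Phase 1 step 2.
check_env() {
  ip=$(env_value "$1" TRUENAS_IP); port=$(env_value "$1" TRUENAS_NEXTCLOUD_PORT)
  key=$(env_value "$1" CF_API_KEY)
  is_ipv4 "$ip" || { echo "TRUENAS_IP is not an IPv4 address: '$ip'"; return 1; }
  echo "$port" | grep -Eq '^[0-9]{1,5}$' || { echo "bad TRUENAS_NEXTCLOUD_PORT: '$port'"; return 1; }
  case "$key" in ""|your-cloudflare-global-api-key)
    echo "CF_API_KEY is still the placeholder"; return 1;; esac
}

# Check the Phase 4 Nextcloud variables against the LemonSec host IP. A wrong
# TRUSTED_PROXIES or a host missing from NEXTCLOUD_TRUSTED_DOMAINS gives the
# "untrusted domain" error; a non-https OVERWRITEPROTOCOL gives redirect loops.
check_nextcloud_env() {
  host=$(env_value "$1" OVERWRITEHOST); domains=$(env_value "$1" NEXTCLOUD_TRUSTED_DOMAINS)
  proto=$(env_value "$1" OVERWRITEPROTOCOL); proxies=$(env_value "$1" TRUSTED_PROXIES)
  [ "$proto" = "https" ] || { echo "OVERWRITEPROTOCOL must be https"; return 1; }
  echo "$domains" | tr ' ' '\n' | grep -qxF "$host" || { echo "$host not in NEXTCLOUD_TRUSTED_DOMAINS"; return 1; }
  [ "$proxies" = "$2" ] || { echo "TRUSTED_PROXIES=$proxies, expected proxy host $2"; return 1; }
}

# Usage: sh lemonsec_preflight.sh <LemonSec dir> <nextcloud env file> <Proxmox VM IP>
if [ $# -eq 3 ]; then
  for s in authelia_jwt_secret authelia_session_secret authelia_storage_key; do
    check_secret_file "$1/secrets/$s.txt" || exit 1
  done
  check_env "$1/.env" && check_nextcloud_env "$2" "$3" && echo "preflight OK"
fi
```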