LemonSec/SETUP-TRUENAS-NEXTCLOUD.md


Quick Setup: TrueNAS Nextcloud + LemonSec

Your Setup

  • Proxmox VM running Docker/Portainer
  • TrueNAS Scale VM running Nextcloud
  • Need: Family access to Nextcloud via secure domain

Timeline: 15 minutes to working Nextcloud


Phase 1: Prepare (5 min)

1. Get Your IPs

# On Proxmox VM (where LemonSec will run)
ip addr show | grep "inet " | head -3
# Note: e.g., 192.168.1.50

# On TrueNAS Scale VM
# Check TrueNAS UI or: ip addr
# Note: e.g., 192.168.1.100

# Get Nextcloud port in TrueNAS
# Apps → Nextcloud → Note the Node Port (e.g., 9001)

2. Configure Environment

cd LemonSec
cp .env.example .env
nano .env

Fill in (the addresses below are this guide's example values; use your own):

CF_API_EMAIL=youremail@example.com
CF_API_KEY=your-cloudflare-global-api-key
TZ=Europe/Stockholm
TRUENAS_IP=192.168.1.100
TRUENAS_NEXTCLOUD_PORT=9001

The Global API Key grants full control of the whole Cloudflare account, so anything that can read .env can take over your DNS. Traefik's Cloudflare DNS-challenge provider also accepts a scoped API token (Zone > DNS > Edit for this zone only, passed as CF_DNS_API_TOKEN); if the project's Traefik configuration lets you pass that instead, prefer it. Either way, keep .env out of version control and readable only by the user that runs docker-compose.

3. Generate Secrets

# PowerShell (on Windows). Get-Random is not a cryptographic generator, so the
# bytes come from the .NET CSPRNG instead. Each secret is 32 random bytes as
# 64 hex characters, the same as `openssl rand -hex 32` below.
New-Item -ItemType Directory -Force -Path secrets | Out-Null
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function New-HexSecret {
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ''
}

New-HexSecret | Set-Content secrets/authelia_jwt_secret.txt -NoNewline
New-HexSecret | Set-Content secrets/authelia_session_secret.txt -NoNewline
New-HexSecret | Set-Content secrets/authelia_storage_key.txt -NoNewline

# Or on Linux:
# mkdir -p secrets
# openssl rand -hex 32 > secrets/authelia_jwt_secret.txt
# openssl rand -hex 32 > secrets/authelia_session_secret.txt
# openssl rand -hex 32 > secrets/authelia_storage_key.txt

Phase 2: Deploy Core (5 min)

1. Start LemonSec

docker-compose up -d

# Check logs
docker-compose logs -f traefik
# Wait for: "Configuration loaded from files..."
# Press Ctrl+C when stable

2. Setup CrowdSec

docker-compose exec crowdsec cscli bouncers add traefik-bouncer
# Copy the API key

# Edit .env, add:
# CROWDSEC_API_KEY=paste-key-here

# Restart
docker-compose up -d

3. Start External Routing

docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d

Phase 3: Cloudflare DNS (3 min)

Login to Cloudflare Dashboard

Add DNS Records

| Type | Name  | Target                 | Proxy      |
|------|-------|------------------------|------------|
| A    | cloud | YOUR_PROXMOX_PUBLIC_IP | 🟠 Proxied |
| A    | auth  | YOUR_PROXMOX_PUBLIC_IP | 🟠 Proxied |
| A    | *     | YOUR_PROXMOX_PUBLIC_IP | 🟠 Proxied |

YOUR_PROXMOX_PUBLIC_IP is the public (WAN) address through which the Proxmox VM is reachable, with TCP 443 (and 80, if Traefik serves it) forwarded on the router to the VM's LAN address (192.168.1.50 in this guide). The wildcard sends every other name in the zone to Traefik as well; unmatched hosts get Traefik's 404, so drop that record if you prefer explicit names only.

SSL/TLS Settings

  • SSL/TLS encryption: Full (strict)
  • Always Use HTTPS: ON

Full (strict) means Cloudflare validates the certificate Traefik presents, so Traefik must already hold a valid certificate before the name works (this is what the Cloudflare API credentials in .env are for, assuming the project's Traefik obtains its certificates through the DNS challenge). Because the orange-cloud proxy terminates client connections, Traefik sees Cloudflare's addresses as the source of every request: CrowdSec decisions and the rate-limit middleware act on the real client only if Traefik is configured to trust Cloudflare's IP ranges for forwarded headers and takes the client address from CF-Connecting-IP or X-Forwarded-For. Check the project's Traefik configuration for this before relying on bans.

Phase 4: TrueNAS Nextcloud Config (2 min)

In TrueNAS Scale:

  1. Apps → Installed Applications → Nextcloud → Edit

  2. Add Environment Variables:

    NEXTCLOUD_TRUSTED_DOMAINS=cloud.lemonlink.eu
    OVERWRITEPROTOCOL=https
    OVERWRITEHOST=cloud.lemonlink.eu
    OVERWRITECLIURL=https://cloud.lemonlink.eu
    TRUSTED_PROXIES=192.168.1.50
    

    (Replace 192.168.1.50 with your Proxmox VM IP. That is the source address Nextcloud sees for requests forwarded by Traefik, and Nextcloud only honours X-Forwarded-For, used for the client IP in logs and brute-force protection, from addresses listed here. If the Nextcloud log still shows a proxy address as the client, the k3s NodePort may be rewriting the source address; list that address too. Note that the official Nextcloud image reads NEXTCLOUD_TRUSTED_DOMAINS only during its initial install; on an instance that is already set up, the domain has to be added with occ instead, see Troubleshooting. The OVERWRITE* and TRUSTED_PROXIES variables are read on every request.)

  3. Save and wait for app to update


Phase 5: Test (Immediately)

1. Test Nextcloud

# From anywhere
curl -I https://cloud.lemonlink.eu
# Should return 200 or 302 (redirect to /login); 502 or 52x means the origin is not reachable

2. Access Web UI

Open: https://cloud.lemonlink.eu

You should see Nextcloud login page!

3. Create Family Accounts

Login as admin → Users → Create for each family member


Optional: Add Authelia Protection

If you want extra login security before Nextcloud:

Edit docker-compose.external.yml

# Before (no Authelia):
# - "traefik.http.routers.nextcloud.middlewares=security-headers@file,rate-limit@file"
# After, with Authelia forward-auth in front of the router:
- "traefik.http.routers.nextcloud.middlewares=authelia@docker,security-headers@file,rate-limit@file"

Restart

docker-compose -f docker-compose.yml -f docker-compose.external.yml up -d

Setup Authelia User

# Generate password hash (omit --password, and add -it to docker run, to be
# prompted instead of leaving the password in your shell history)
docker run --rm authelia/authelia:latest \
  authelia crypto hash generate argon2 \
  --password 'FamilyPassword123!'

# Edit authelia/users_database.yml
# Add family members with the hash

# Restart authelia
docker-compose restart authelia

Now family logs in to Authelia first, then Nextcloud, in the browser. Caveat: the Nextcloud mobile and desktop apps do not go through a browser login for their sync traffic; they talk to /remote.php (WebDAV), /ocs/ and /status.php with Nextcloud credentials or app passwords, and the forward-auth middleware answers those requests with an Authelia redirect or 401, so the apps stop working. To keep them working, add bypass rules for those paths in Authelia's access_control (resources such as `^/remote\.php`, `^/ocs/`, `^/status\.php`, `^/\.well-known/`) so that only the browser UI sits behind Authelia.


For Family Members

Send them this info:

🍋 Your Nextcloud Access

URL: https://cloud.lemonlink.eu

Login with your credentials (created by admin)

Mobile Apps:
- iOS: App Store → "Nextcloud"
- Android: Play Store → "Nextcloud"
- Desktop: nextcloud.com/install

Server address in apps: https://cloud.lemonlink.eu

Troubleshooting

"Access through untrusted domain"

# Shell into the Nextcloud container on TrueNAS
k3s kubectl exec -it -n ix-nextcloud deployment/ix-nextcloud -- /bin/sh

# Check config
grep -A5 trusted_domains /var/www/html/config/config.php

# Should include 'cloud.lemonlink.eu'

If it is missing, the NEXTCLOUD_TRUSTED_DOMAINS variable from Phase 4 was not applied: the official image only reads it during the initial install. Add the domain from inside the container as the web server user, `su -s /bin/sh www-data -c "php occ config:system:set trusted_domains 1 --value=cloud.lemonlink.eu"`, using the next free index if 1 is already taken (`occ config:system:get trusted_domains` lists the current entries).

"502 Bad Gateway"

  • Check TrueNAS IP and port in .env
  • Verify Nextcloud app is running in TrueNAS
  • Test direct access: curl http://TRUENAS_IP:PORT

"Too Many Redirects"

  • Ensure OVERWRITEPROTOCOL=https is set
  • Check Cloudflare SSL mode is "Full (strict)"
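
Phase 5's single curl and the three troubleshooting entries above test the same path from different ends. The script below, added here as an example and not part of the LemonSec project, checks the three hops separately: the TrueNAS Node Port directly (with the public Host header, so the trusted_domains check fires exactly as it does through the proxy), Traefik on the Proxmox VM with Cloudflare bypassed via `curl --resolve`, and the public name through Cloudflare. Each status is mapped to the matching hint from the list above. The hostname, IPs and port are this guide's example values and are assumptions; set DOMAIN, TRUENAS_IP, TRUENAS_NEXTCLOUD_PORT and PROXMOX_IP in the environment to match your .env.

```shell
#!/bin/sh
# check-nextcloud.sh: layered reachability check for Nextcloud on TrueNAS behind
# Traefik (Proxmox VM) and the Cloudflare proxy. Added example for this guide,
# not part of the LemonSec project. The defaults are the example addresses used
# in the guide (assumptions); override them from the environment, e.g.
#   DOMAIN=cloud.example.org PROXMOX_IP=10.0.0.5 sh check-nextcloud.sh run
set -u

DOMAIN="${DOMAIN:-cloud.lemonlink.eu}"
TRUENAS_IP="${TRUENAS_IP:-192.168.1.100}"
TRUENAS_NEXTCLOUD_PORT="${TRUENAS_NEXTCLOUD_PORT:-9001}"
PROXMOX_IP="${PROXMOX_IP:-192.168.1.50}"

# Print the final HTTP status for a URL, "loop" when curl gives up following
# redirects, and "000" when nothing answered. Extra arguments go to curl.
http_code() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" 2>/dev/null)
  rc=$?
  case $rc in
    0)  echo "${code:-000}" ;;
    47) echo "loop" ;;          # CURLE_TOO_MANY_REDIRECTS
    *)  echo "000" ;;
  esac
}

# Map a layer and status to the troubleshooting hint from this guide. Pure
# function (no network), so it can be checked offline.
diagnose() {
  case "$1:$2" in
    *:loop)      echo "redirect loop: set OVERWRITEPROTOCOL=https in Nextcloud and Cloudflare SSL/TLS to Full (strict)" ;;
    *:200)       echo "ok" ;;
    direct:000)  echo "Nextcloud unreachable: check the app is running and TRUENAS_IP/TRUENAS_NEXTCLOUD_PORT match the Node Port" ;;
    direct:400)  echo "Nextcloud rejects Host ${DOMAIN}: add it to trusted_domains (NEXTCLOUD_TRUSTED_DOMAINS or occ)" ;;
    origin:000)  echo "Traefik did not answer on ${PROXMOX_IP}:443 or its certificate is invalid (re-run curl with -v)" ;;
    origin:404)  echo "no Traefik router matched Host ${DOMAIN}: check the labels in docker-compose.external.yml" ;;
    origin:502)  echo "Traefik cannot reach Nextcloud: check TRUENAS_IP and port in .env, then the direct layer" ;;
    edge:000)    echo "name does not resolve or Cloudflare not answering: check the A record" ;;
    edge:502)    echo "502 passed through from Traefik: it cannot reach Nextcloud (see the origin layer)" ;;
    edge:521|edge:522)
                 echo "Cloudflare cannot reach the origin: forward TCP 443 on the router to ${PROXMOX_IP}" ;;
    edge:525|edge:526)
                 echo "Cloudflare rejected the origin certificate: Full (strict) needs a valid certificate on Traefik" ;;
    edge:403)    echo "blocked at the edge (CrowdSec bouncer or Cloudflare rule): check cscli decisions list" ;;
    *)           echo "unexpected $2 at $1: inspect with curl -v" ;;
  esac
}

# Direct to the TrueNAS Node Port, presenting the public hostname so the
# trusted_domains check runs as it will through the proxy. No -L here:
# /login is served in place, and a redirect would leave the LAN.
check_direct() {
  http_code -H "Host: ${DOMAIN}" "http://${TRUENAS_IP}:${TRUENAS_NEXTCLOUD_PORT}/login"
}

# Straight at Traefik, skipping Cloudflare: --resolve pins the name to the
# Proxmox VM while keeping the real SNI and Host, so router and cert still match.
check_origin() {
  http_code -L --max-redirs 5 --resolve "${DOMAIN}:443:${PROXMOX_IP}" "https://${DOMAIN}/login"
}

# The path family members take: public DNS through the Cloudflare proxy.
check_edge() {
  http_code -L --max-redirs 5 "https://${DOMAIN}/login"
}

# Cloudflare adds cf-ray to every proxied response; its absence means the
# record is grey-cloud and the origin IP is exposed.
proxied_by_cloudflare() {
  curl -sI --max-time 10 "https://${DOMAIN}/" 2>/dev/null | grep -qi '^cf-ray:'
}

# Nextcloud serves /status.php even for untrusted hosts, so it reports on the
# instance itself rather than on routing. $1 is the JSON body.
installed_ok() {
  case "$1" in
    *'"installed":true'*'"maintenance":false'*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  for layer in direct origin edge; do
    code=$("check_${layer}")
    printf '%-7s %-4s %s\n' "$layer" "$code" "$(diagnose "$layer" "$code")"
  done
  if proxied_by_cloudflare; then
    echo "edge    proxied by Cloudflare (cf-ray present)"
  else
    echo "edge    WARNING: no cf-ray header, the record is not proxied"
  fi
  body=$(curl -s --max-time 10 "https://${DOMAIN}/status.php" 2>/dev/null || true)
  if installed_ok "$body"; then
    echo "status  installed, not in maintenance"
  else
    echo "status  status.php did not report installed=true"
  fi
}

# Only run the checks when asked, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from a LAN host with `sh check-nextcloud.sh run` (the direct and origin checks need LAN access). A 400 on the direct layer with 200 elsewhere means the trusted-domain change was never applied; 502 at the origin layer with 200 direct points at TRUENAS_IP or the port in .env; 521/522 at the edge only means the router port forward or the certificate. With Authelia in front of the whole router, the edge check lands on the Authelia portal (still 200) and /status.php is blocked unless Authelia bypasses that path.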

Next Steps (After Nextcloud Works)

  1. Backup - Set up automatic backups
  2. Monitoring - Enable --profile monitoring
  3. More Services - Add Portainer, etc.
  4. Security - Review docs/SECURITY.md

Files You Modified

Keep backups of these:

  • .env - Your secrets and IPs
  • authelia/users_database.yml - Family logins
  • docker-compose.external.yml - Service routing