Posts by oopenmediavault

Quote from Adoby

I use FolderSync. Works perfectly fine for me. But I only backup or update data and I initiate it.

I understand you can also install SSH Helper on an unrooted phone.

Then you can use rsync transfers, perhaps initiated automatically from your OMV NAS whenever your phone is available on WiFi the LAN.

For instance use a crontab script that tests every hour if the phone has been successfully backed up the last 24 hours, if not it checks if the phone is online now, if it is it runs a rsync script to back it up using a time stamped rsync snapshot. And automatically purge very old snapshots. And finally trigger tasker on your phone to tell you that the phone has been backed up successfully again.

Or have tasker trigger a backup whenever the phone connects to WiFi and a connection to your OMV NAS is available.

Display More

This seems fairly advanced... Not every user can program something like this, (without wasting a lot of time). So I'll just ask if you already implemented this or know for example the command to 1)check if phone online 2) check if it phone is on WiFi (not just mobile data) 3) Check if it backed up in last 24 hours.

So my problem is the following. I have a OMV install on a server, that is quite slow. I did a lot of custom configurations in /etc and also changed a lot in the GUI... Also I installed a lot of packages via apt install in ssh. I will not be able to redo all the things, since I just dont remember. I want to somehow clone that system and have it on a new machine. I was wondering if it is possible to use the dd-backup of the backup plugin and extract it to a new drive on a new server. So I tried to extract it on /dev/sda on the new drive in the new pc. But obviously, that didnt work because the server also doesnt know that it exists, it doesnt show up in the bootloader to start it.

So what is the best way to achieve that all the custom configs aswell as all the shared folders and cronjobs, the custom installed packages, and all of that stuff that is setup and customized is on the new machine aswell?

Thanks

Quote from KM0201

Again, if you read what I wrote.. I said, "It's not the only way...". Some of that stuff was required before swag was even a twinkle in the eye and everyone was using letsencrypt.

I rarely change what works (unless it stops working), and how I setup nextcloud (even after the swag migration, etc..) is no exception

Hey, I dont know why exactly you take it somehow as insulting or badmouthing of what you post (if you do, atleast it sounds like that, coming from the short and seemingly annoyed answer), yet the only thing I ever intend to do is just post information that I found out, and that may be helpful for the community. Maybe that way some people can get a more comprehensive view of what their doing and they can decide what they do with the given information on their machines.

So you can do however you wish to do, of course, and your guide is really really helpful and I used it also to setup my nextcloud since its the best out there.

Yet I think it is allowed to add some stuff to the forum that maybe is useful to one or another, maybe even yourself, if you get some feedback on how others do some setups that work.

Thats why I added all the sources so that all of us in the forum can together get some more knowledge about what were doing.

And thats also why I add the information about trusted proxy setting and also the forwarding headers, since that is actually pretty important and if people want brute force protection to work they have to use that information. Same goes for trusted proxy, for which, with my knowledge, if I setup something as a trusted proxy, and it actually shouldnt be, then I make myself vulnerable to IP spoofing.

Concering the issue I described about accessing the nextcloud locally. How is that working for you all? do you have access locally KM0201

Also I think I found another "issue" that might turn out as a security risk or as an inconvenience, e.g. if all clients get banned because of Brute force attempts that seem to come from the same IP-adress. (although its all different users).

After I went to my nextcloud/nginx/access.log, I saw that there were only local IP-adresses shown.

As shown in: Nextcloud docs, it is necessary to correctly forward the real IP-adresses of the clients accessing nextcloud so that Bruteforce-protection works.

Since swag is actually receiving the traffic for nextcloud, the only IP the nextcloud server ever sees for me is the one from the swag containers reverse proxy.

So it is necessary to forward the real IP adresses to nextcloud.

In the Nextcloud docs, it is described, that one should add some headers to the config.php of nextcloud which is in the location: <Nextcloud-Config-Folder/www/nextcloud/config/config.php>

I added the following line:

'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),

before the );

After doing this and restarting Nextcloud, Nextclouds access.log now actually sees the real IP in <Nextcloud-Config-Folder/nginx/access.log>.

[Optional info]

It is notable that inside <Nextcloud-Config-Folder/nginx/site-confs/default> there are the following lines, which were added after this github issue: https://github.com/linuxserver…55#issuecomment-754623561

set_real_ip_from 172.0.0.0/8;

real_ip_header X-Forwarded-For;

So if your swag is not in that IP-Range (e.g. 192.168.X.X) be the case, then it will not forward the real IP-Adress to nextcloud, which will always see the same local IP of your swag-reverse-proxy.

So either make sure the swag container is in this IP-Range (should be if using docker and not using host network), or add another line to this site-conf with the IP-Range you want, e.g.

set_real_ip_from 10.0.0.0/8;

set_real_ip_from 192.168.0.0/16;

Additionally, following the explanation about the "trusted Proxies" setting in the config.php in Nextcloud docs.

Quote from Nextcloud docs

Set the trusted_proxies parameter as an array of:

IPv4 addresses,

IPv4 ranges in CIDR notation

IPv6 addresses

to define the servers Nextcloud should trust as proxies. This parameter provides protection against client spoofing, and you should secure those servers as you would your Nextcloud server.

I am also not really sure why you, KM0201, say to add those lines below to the config.php, since the local IP isnt a proxy and doesnt need to be there in my opinion.

Quote from from KM0201

'trusted_proxies' =>

array (

0 => 'your.ip:450',

1 => 'nextcloud.YOUR_SUBDOMAIN.duckdns.org',

),

In my config.php, I did it likeso and it works flawlessly.

'trusted_proxies' =>
array (
0 => 'swag',
),

It is also described to do it like this inside of the Swag-Config-Folder

There it says:

Quote from Swag-Config-Folder/nginx/proxy-confs/nextcloud.subdomain.conf.sample

# assuming this container is called "swag", edit your nextcloud container's config

# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":

# 'trusted_proxies' => ['swag'],

I didnt notice, because I only accessed nextcloud from outside my lan, but after following this configuration setup, I cant access the nextcloud server on port 450 anymore locally by typing <mylocalip>:450. Only if I delete the lines we changed in the config.php, specified below, I can access it locally again by the local-IP on port 450 again.

The problem now is that it is not possible to connect to the nextcloud when im in my own LAN network. Also my phone doesnt sync to nextcloud, if its connected to the wifi, which is inside the same lan network as the nextcloud server.

My Configuration is [Public-IP:179.12.67.26 Modem 192.168.0.1] --> [ 192.168.0.2 Router 192.168.1.1 ] --> [192.168.1.2 Openmediavault running nextcloud & 192.168.1.X Clients wanting to talk to nextcloud. (phone, laptop)

I think since all the records are pointing to the public IP, it doesnt know where to go. after the router. So if I request nextcloud from within the lan it asks my router for the DNS entry of <nextcloud.mydomain.duckdns.org> and then gets back the public IP. Changing this in the hosts entry of the Router doesnt help though because if I set up a DNS override for <nextcloud.mydomain.duckdns.org>, going to my openmediavault server, it will just retrieve the openmediavault webpage.

So how can I make the <nextcloud.mydomain.duckdns.org connectable from inside my lan network?

Alright, Ill just let it be then. I did the stuff in gentoo before posting here of course but to no success... Well Hopefully the ACPI and other errors are related to this, since I dont care about wifi.

Hey KM0201, yes the machine is working otherwise, I just dont like those errors...

I already ran

sudo apt install firmware-b43-installer

but the problem persists...

Yet now the reboot is strange and it doesnt seem that this is how OMV normally restarts:

I have following output during bootup:

~$ sudo dmesg | grep -i "error\|warn\|fail"

[ 0.673331] acpi PNP0A08:00: _OSC failed (AE_ERROR); disabling ASPM

[ 3.415246] ACPI Warning: SystemIO range 0x0000000000000428-0x000000000000042F conflicts with OpRegion 0x0000000000000400-0x000000000000047F (\PMIO) (20200925/utaddress-213)

[ 3.415265] ACPI Warning: SystemIO range 0x0000000000000540-0x000000000000054F conflicts with OpRegion 0x0000000000000500-0x0000000000000563 (\GPIO) (20200925/utaddress-213)

[ 3.415274] ACPI Warning: SystemIO range 0x0000000000000530-0x000000000000053F conflicts with OpRegion 0x0000000000000500-0x0000000000000563 (\GPIO) (20200925/utaddress-213)

[ 3.415283] ACPI Warning: SystemIO range 0x0000000000000500-0x000000000000052F conflicts with OpRegion 0x0000000000000500-0x0000000000000563 (\GPIO) (20200925/utaddress-213)

[ 11.128296] EXT4-fs (sdb1): re-mounted. Opts: errors=remount-ro

[ 14.314718] platform regulatory.0: firmware: failed to load regulatory.db (-2)

[ 14.314871] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2

[ 14.314876] cfg80211: failed to load regulatory.db

[ 15.159646] b43: probe of bcma0:1 failed with error -524

I unfortunately dont know how to fix them or why they are even there. Can someone point me into the right direction? Below are system informations

Quote from votdev

Normally this is caused by a not available filesystem (incl. shared folders) which is the target of a backup/rsync/whatever job. So you might concentrate on looking into the /srv directory where all filesystems are mounted. If a filesystem is not mounted and a rsync job or something else is writing to a shared folder the data is written into thr root filesystem instead.

Quote from ryecoaaron

Your du command should have to the -x flag to not traverse other filesystems. That way, you will still see usage in /srv even in filesystems are mounted on the subdirectories.

sudo du -x -d1 -h / | sort -h

Thank you a lot. It was exactly this happening and you helped me figure out the problem in really much less time than it would have took! I now created a script that first tries to read a file that is ONLY in the mounted drive so that if it isnt, the rsync will not happen.

Additional to the AWESOME tutorial posted by KM0201. I would like to add the following since I had some warnings when I logged in as root and checking some things. So following things I added to the Tutorial:

You can see it as a continuation after the following:

Quote

This is optional, but once you're done and you can log in to your subdomain properly and securely... If you want to disable insecure access from your local network, go back to your stack and make this adjustment under the "nextcloud" portion

Code

ports:

- 450:443

to this

#ports:

#- 450:443

Then redeploy the stack and you'll no longer have local access.

Display More

As last steps:
Logged in as root go to Settings --> Overview and check for warnings and errors. I had 2 warnings with a reference to

Hardening and security guidance — Nextcloud latest Administration Manual latest documentation

--> Enable Strict-Transport-Security: More info about what STRICT TRANSPORT SECURITY is @ https://www.nginx.com/blog/htt…-security-hsts-and-nginx/

To enable this use the following steps:

1.) Go to Swag_Config_Folder/nginx/

2.) use nano or other editor to edit ssl_conf

3.) Enable the following line by removing the hashtag.

# HSTS, remove # from the line below to enable HSTS

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

4.) docker restart swag

--> Enable Default Country code for phones:

Country codes are defined in following norm:

ISO 3166-1 alpha-2 - Wikipedia

To enable this use following steps:

1.) Go to Nextcloud_config_folder/www/nextcloud/config/

2.) Use nano or other editor to edit config.php

3.) Add following line in front of the );

'default_phone_region' => 'COUNTRYCODE SEE WIKIPEDIA' e.g. 'DE'

4.) docker restart nextcloud

--> All warnings should be gone now!

Go to https://scan.nextcloud.com/ and do a security check of your nextcloud instance by entering your Nextcloud URL.

I tried:

Setting the APM and Spindown via GUI of openmediavault

Setting the APM and Spindown via hdparm in command line

Setting APM and Spindown using udisks2 and creating a config file with the apm level and spindown

Nothing seems to spindown my disk after the amount of time I specified, although udisks2 daemon seems to run.

When I use the command sudo hdparm -y /dev/sdc , the disk spins down, but the automatic one doesnt work. There is nothing on the disk and Im not writing anything to it or doing stuff. I formatted the disk in BTRFS Filesystem, but before formatting when the disk was NTFS it was the same. SMART-Data indicates it should support this and I think it should for sure, since western digital has a program for this also ( that I cant run on my openmediavault server).

so any ideas what might supress the spindown or why it wont work? heres the smart data

Pastebin S.M.A.R.T. Data

Doesnt work for me neither.... Idk why, its like you say... using the y option works without a problem, but automatically, it doesnt spindown, I have APM=1 and Spindown of 5 minutes and it doesnt do it. Is there anyone with a solution for this?