Install guide: Nextcloud on Debian 8 with web conferencing

Install packages for apache, mariadb, php, nextcloud and enable ssl

apt-get install vim
apt-get install unzip
apt-get install sudo
Installing apache2.4 and Mariadb
apt-get install apache2 mariadb-server libapache2-mod-php5

Installing php modules
apt-get install php5-gd php5-json php5-mysql php5-curl
apt-get install php5-intl php5-mcrypt php5-imagick

Download, unzip and move the latest Nextcloud
mv nextcloud/ /var/www

Enable SSL
a2enmod ssl
a2ensite default-ssl

For some reason the default-ssl site prevents Apache from starting, so create your own certificate:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key
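Just press Enter through all the certificate questions. The -nodes option leaves the private key unencrypted on disk, so restrict access to the files: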
chmod 600 /etc/apache2/ssl/apache.*

Create vhost file (rename to your own host.domain):

Download the vhost config file here

Create symbolic link to sites-enabled
ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/nextcloud.conf

Enable apache modules:
a2enmod rewrite
a2enmod headers
a2enmod env
a2enmod dir
a2enmod mime
a2enmod ssl
a2ensite default-ssl
a2enmod proxy proxy_http proxy_wstunnel

If you’re running mod_fcgi instead of the standard mod_php also enable:
a2enmod setenvif

Installing NextCloud
cd /var/www/nextcloud
sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "root" --database-pass 'password' --admin-user "admin" --admin-pass 'password'

Make sure you have a DNS record or a hosts file entry so you can reach your name-based virtual host. Open your browser and go to (change to your host and domain)

You will probably get an error:

You are accessing the server from an untrusted domain.
Please contact your administrator. If you are an administrator of this instance, configure the “trusted_domains” setting in config/config.php. An example configuration is provided in config/config.sample.php.
Depending on your configuration, as an administrator you might also be able to use the button below to trust this domain.

Just open your /var/www/nextcloud/config/config.php and add:

vi /var/www/nextcloud/config/config.php
Find the line with 0 => 'localhost', and add a line below it like 1 => '',

array (
0 => 'localhost',
1 => '',

I also move the data folder from /var/www/nextcloud/data to /var/oc_data

mv /var/www/nextcloud/data /var/oc_data

And change the data folder in /var/www/nextcloud/config/config.php

'datadirectory' => '/var/oc_data',

If you have done this you can also run the next script for strong file permissions:

vi /var/www/

####### Copy and Paste from #!/bin/bash to the last fi

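#!/bin/bash
# These variable definitions were missing from the script as published;
# the values are the paths and web-server user used in this guide.
ncpath='/var/www/nextcloud'
ncdata='/var/oc_data'
htuser='www-data'
htgroup='www-data'   # assumed: Debian's default Apache group
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ncpath/data
mkdir -p $ncpath/assets
mkdir -p $ncpath/updater

# Files 0640 and directories 0750: nothing is accessible to "other"
printf "chmod Files and Directories\n"
find ${ncpath} -type f -print0 | xargs -0 chmod 0640
find ${ncpath} -type d -print0 | xargs -0 chmod 0750

# root owns the code tree; the web server owns only what it must write to
printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ncpath}
chown -R ${htuser}:${htgroup} ${ncpath}/apps/
chown -R ${htuser}:${htgroup} ${ncpath}/assets/
chown -R ${htuser}:${htgroup} ${ncpath}/config/
chown -R ${htuser}:${htgroup} ${ncdata}/
chown -R ${htuser}:${htgroup} ${ncpath}/themes/
chown -R ${htuser}:${htgroup} ${ncpath}/updater/

chmod +x ${ncpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ncpath}/.htaccess ]
then
chmod 0644 ${ncpath}/.htaccess
chown ${rootuser}:${htgroup} ${ncpath}/.htaccess
fi
if [ -f ${ncdata}/.htaccess ]
then
chmod 0644 ${ncdata}/.htaccess
chown ${rootuser}:${htgroup} ${ncdata}/.htaccess
fi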

######### END SCRIPT#########
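
To verify the result afterwards, the following audit reports every path that deviates from the 0640/0750 scheme the script applies. It is an added example, not part of the original guide; the function name audit_nc_perms and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report paths that deviate from the 0640/0750 scheme.

# audit_nc_perms NCPATH
# Prints each deviating path once; returns 1 if there is any, else 0.
audit_nc_perms() {
    root=${1%/}
    found=$(
        # files must be 0640; .htaccess is 0644 and occ is executable
        find "$root" -type f ! -perm 0640 ! -name .htaccess ! -path "$root/occ"
        find "$root" -type f -name .htaccess ! -perm 0644
        # directories must be 0750
        find "$root" -type d ! -perm 0750
        # nothing may be writable by "other", whatever its type
        find "$root" ! -type l -perm -0002
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sort -u
    return 1
}

# Constructed demo tree standing in for /var/www/nextcloud.
demo=$(mktemp -d)
mkdir -p "$demo/config" "$demo/apps"
touch "$demo/occ" "$demo/.htaccess" "$demo/config/config.php" "$demo/apps/leak.txt"
chmod 0750 "$demo" "$demo/config" "$demo/apps"
chmod 0640 "$demo/config/config.php"
chmod 0644 "$demo/.htaccess" "$demo/apps/leak.txt"   # leak.txt is world-readable
chmod 0750 "$demo/occ"

audit_nc_perms "$demo" || echo "deviations found"
```

On the server, run it as root against /var/www/nextcloud after the permissions script has finished.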

That concludes the basic Nextcloud installation and configuration on a Debian 8.5 server. Now for the WebRTC fun stuff. You can now log in to Nextcloud by going to

First we are going to make Go available on our system. Don't install it with apt, because you'll get version 1.3, which is too low. Install it from source, it's very easy:

First download go
cd /root
tar xzvf go1.7.linux-amd64.tar.gz
mv go/ /usr/local
vi /root/.profile

Add after fi and before mesg n:

export PATH=$PATH:/usr/local/go/bin

I also run this command straight from the command line to make it available instantly

export PATH=$PATH:/usr/local/go/bin

Now test if go can be found and is working

go version
go version go1.7 linux/amd64

Now install WebRTC

First we need some more packages. Git and node.js

apt-get install git node.js make automake

cd /var/www

cd spreed-webrtc-master

If everything finished without errors, then kudos, you really followed this manual. You can now configure WebRTC. We still need to be in /var/www/spreed-webrtc-master. First copy the default config file to server.conf:

cp server.conf

Let's first generate a secret for our sessionSecret

openssl rand -hex 32

Copy this string so you can paste it into the next config file

You need to adjust the following lines to be exactly like this (except for the sessionSecret and sharedsecret_secret, of course):

vi server.conf

[http] section
basePath = /webrtc/

[app] section
authorizeRoomJoin = true
extra = /var/www/nextcloud/apps/spreedme/extra
plugin = extra/static/owncloud.js
sessionSecret = 1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx

[users] section
enabled = true
mode = sharedsecret
sharedsecret_secret = 1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx

Save and close the file. This concludes the configuration of spreed-webrtc.

Now we need the nextcloud app

cd /var/www/nextcloud/apps
mv nextcloud-spreedme-master spreedme
cd spreedme/config
cp config.php
vi config.php

Add your sharedSecret from earlier to the config

SPREED_WEBRTC_SHAREDSECRET = '1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx'

That's it. Save and close the file. This concludes the configuration of the app.
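
A consistency check for the secrets configured above, as an added example that is not part of the original guide. It verifies that both server.conf secrets are 64 hex characters (the output length of openssl rand -hex 32), that [users] mode is sharedsecret, and that the app's SPREED_WEBRTC_SHAREDSECRET matches server.conf. Flagging one value reused for both sessionSecret and sharedsecret_secret is this example's own policy (key separation); the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): cross-check the spreed secrets.

ini_get() {  # ini_get FILE SECTION KEY -> value of KEY inside [SECTION]
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/\[|\]|[ \t]/, "", cur); next }
        cur == sec && (n = index($0, "=")) > 0 {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

is_hex64() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'; }

# check_spreed_secrets SERVER_CONF APP_CONFIG_PHP
# Prints one line per finding; exit status is the number of findings.
check_spreed_secrets() {
    session=$(ini_get "$1" app sessionSecret)
    shared=$(ini_get "$1" users sharedsecret_secret)
    mode=$(ini_get "$1" users mode)
    app=$(awk -F"'" '/^[ \t]*(const[ \t]+)?SPREED_WEBRTC_SHAREDSECRET/ { print $2; exit }' "$2")
    n=0
    is_hex64 "$session" || { echo "sessionSecret is not 64 hex chars"; n=$((n+1)); }
    is_hex64 "$shared"  || { echo "sharedsecret_secret is not 64 hex chars"; n=$((n+1)); }
    [ "$session" != "$shared" ] || { echo "sessionSecret and sharedsecret_secret are identical"; n=$((n+1)); }
    [ "$mode" = "sharedsecret" ] || { echo "[users] mode is not sharedsecret"; n=$((n+1)); }
    [ "$app" = "$shared" ] || { echo "app SPREED_WEBRTC_SHAREDSECRET differs from server.conf"; n=$((n+1)); }
    return "$n"
}

# Constructed sample files (fixed demo values, not real secrets).
demo_dir=$(mktemp -d)
s1=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
s2=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
printf '[app]\nsessionSecret = %s\n[users]\nenabled = true\nmode = sharedsecret\nsharedsecret_secret = %s\n' "$s1" "$s2" > "$demo_dir/server.conf"
printf "<?php\nconst SPREED_WEBRTC_SHAREDSECRET = '%s';\n" "$s2" > "$demo_dir/config.php"
check_spreed_secrets "$demo_dir/server.conf" "$demo_dir/config.php" && echo "secrets consistent"
```

On the server, pass /var/www/spreed-webrtc-master/server.conf and /var/www/nextcloud/apps/spreedme/config/config.php as the two arguments.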

cd ../extra/static/config
cp OwnCloudConfig.js

Now we can start

cd /var/www/spreed-webrtc-master/

This command makes spreed run in the foreground. Use the next command to run it in the background (at least until your next boot. You can of course make an init script. Please leave samples below, I'm not that good at init scripts)

nohup ./spreed-webrtc-server > /dev/null 2>&1 &

Check if it is running

ps -e |grep spreed

Now the app is installed and configured. Log in to Nextcloud and open the apps page. Select “Not Enabled”, scroll to the bottom and enable the app.

Just remember: your spreedme cam sessions will only work if you and the person you call are on the same network, or are directly connected to the internet. When you are inside a company network, your peer-to-peer traffic will most likely be blocked by the firewall.

Auto add fail2ban-ssh to ipset


# This script will spit out all of the IPs that have been blocked by fail2ban-ssh, then for each one, add it to our `ipset fail2ban-ssh`. It will then restart fail2ban to flush the fail2ban-ssh drop chain.

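# Build the ipset if it's not already built (-exist makes this a no-op when the set is already there)

ipset -exist create fail2ban-ssh hash:ip

# Build a list of IPs to scrub
# The first octet must start with a non-zero digit but may contain zeros (10.x.x.x, 100.x.x.x);
# the RETURN rule's 0.0.0.0/0 source is still skipped.

iptables -L fail2ban-ssh -v -n | grep -E '\b[1-9][0-9]{0,2}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $8}' > blockthese.txt

# Add lines from blockthese.txt to your ipset fail2ban-ssh

while read -r line; do ipset -exist add fail2ban-ssh "$line"; done < blockthese.txt

# Drop SSH traffic from every address in the set (the rule must name the set created above)
iptables -I INPUT -m set --match-set fail2ban-ssh src -p TCP --destination-port 22 -j DROP

echo -e "Adding to fail2ban-ssh...\n"
echo -e "All finished."

# Mail the file we just made
cat blockthese.txt | mail -s "Fail2Ban -> IPSet Added"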

# optional remove the blockthese file. i'll just keep it for future reference.
# rm blockthese.txt

# And that's it
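
A stricter variant of the extraction step, as an added example that is not part of the original script: it selects rules by their DROP/REJECT target, validates every octet, removes duplicates, and emits commands for a single ipset restore call. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `iptables -L fail2ban-ssh -v -n` output into an
# `ipset restore` script. SET_NAME matches the set used in the script above.
SET_NAME=fail2ban-ssh

# f2b_sources: read the listing on stdin, print each banned IPv4 source once.
# Only DROP/REJECT rules count, and every octet must be a number <= 255, so
# the RETURN rule (source 0.0.0.0/0), CIDR ranges and header lines are skipped.
f2b_sources() {
    awk '
        ($3 == "DROP" || $3 == "REJECT") && split($8, o, ".") == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok && !seen[$8]++) print $8
        }'
}

# f2b_restore_script: same input, prints commands for `ipset -exist restore`.
f2b_restore_script() {
    echo "create $SET_NAME hash:ip"
    f2b_sources | sed "s/^/add $SET_NAME /"
}

# Constructed sample listing (documentation/private addresses, not real data).
sample_listing() {
    cat <<'EOF'
Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 REJECT     all  --  *      *       203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
    5   300 DROP       all  --  *      *       10.0.0.5             0.0.0.0/0
    9   540 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
    2   120 DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0
 1044 83520 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

sample_listing | f2b_restore_script
# On a live host (as root):
#   iptables -L fail2ban-ssh -v -n | f2b_restore_script | ipset -exist restore
```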