Cloud notes with Nextcloud and Joplin

AppArmor, Logwatch, and Postfix came along for the ride too.

I wanted to migrate from QOwnNotes to something that would let me view and edit notes from my phone. I ended up using Joplin with Nextcloud. I don't like that notes are stored locally in a SQLite database instead of plain text files, or that changing the user chrome to enlarge the interface text seems to make Joplin whitescreen (the only fix I found was to delete the .joplin folder from the home directory), but it'll do for now.

Setting up Nextcloud #

Creating AppArmor profiles #

I decided to try setting up AppArmor profiles for nginx, PHP, and PHP-FPM. It was frustrating to figure things out, but I think I've got the process down:

  1. Launch aa-genprof APPLICATION to start creating a profile for an application.
  2. Start the application and cause it to exhibit as much normal behaviour as possible. For example, start nginx, make web requests to sites hosted on it, upload files, cause web applications to interact with the databases, etc.
  3. In aa-genprof, allow the process to access everything (as long as it doesn't look outright unreasonable, like the server is actually under attack), with some reasonable globs.
  4. Save the profile.
  5. Make any adjustments to the profile, like additional globs or allowing access to other directories/files that you didn't access before.
  6. Reload the profile using apparmor_parser -r /path/to/apparmor.d/PROFILE.
  7. Start enforcing the profile using aa-enforce /path/to/apparmor.d/PROFILE.
  8. Run the application again and look for any disallowed behaviours using aa-notify; aa-genprof can't catch and allow everything [5]. Make modifications to the profile, reload, and continue until aa-notify doesn't report any more denials. Because I could only see options to review events from the past day or since login, I found it more useful to disconnect from the server, reconnect, run the application, and run aa-notify -l -v to see only the new entries.
  9. Periodically review log files (Logwatch is helpful) for denials. aa-logprof can sometimes make the right adjustments to the profile...but not always.
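Steps 8 and 9 are where most of the time goes, so here is a small shell function, added as an example and not taken from the original post, that reduces a stream of kernel or audit-log lines to the unique (profile, operation, path, requested mask) tuples behind each denial. It also flags paths that were logged without a leading slash, which is the disconnected-path case footnote [5] describes. The log lines embedded below are constructed for the example and modelled on the kernel's `apparmor="DENIED"` format; the profile names, PIDs and paths in them are assumptions.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials as one line per unique
# (profile, operation, path, requested_mask). Works on kernel log lines
# (journalctl -k, /var/log/kern.log) and on auditd lines, which carry the
# same key="value" fields.
summarize_denials() {
  awk '
    # Return the quoted value of  key="..."  in line, or "" if absent.
    # The leading space keeps "profile" from matching "peer_profile" and
    # "name" from matching "capname".
    function field(line, key,    s, v) {
      s = index(line, " " key "=\"")
      if (s == 0) return ""
      v = substr(line, s + length(key) + 3)
      return substr(v, 1, index(v, "\"") - 1)
    }
    /apparmor="DENIED"/ {
      p = field($0, "profile"); o = field($0, "operation")
      n = field($0, "name");    m = field($0, "requested_mask")
      if (n == "") {                       # capability denials carry no path
        c = field($0, "capname")
        n = (c == "") ? "-" : "cap:" c
      }
      # AppArmor logs a path it cannot resolve from the namespace root
      # without the leading slash. A plain path rule will not match it;
      # with flags=(attach_disconnected) the profile treats it as rooted
      # at "/" so the ordinary rule applies (see footnote [5]).
      flag = (n ~ /^\// || n ~ /^@/ || n == "-" || n ~ /^cap:/) ? "" : "  [disconnected path]"
      print p "\t" o "\t" n "\t" m flag
    }' | sort -u
}

# Constructed sample input (not real logs from the post's server): two
# identical nginx file denials, one php-fpm socket denial logged with a
# disconnected path, one capability denial, and one non-denial line.
sample_log() {
  cat <<'EOF'
Jan  5 10:01:22 notes kernel: audit: type=1400 audit(1704448882.101:301): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/nextcloud/data/alice/files/notes.md" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
Jan  5 10:01:22 notes kernel: audit: type=1400 audit(1704448882.102:302): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/var/www/nextcloud/data/alice/files/notes.md" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
Jan  5 10:01:23 notes kernel: audit: type=1400 audit(1704448883.417:303): apparmor="DENIED" operation="connect" profile="php-fpm" name="run/mysqld/mysqld.sock" pid=1302 comm="php-fpm8.2" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=113
Jan  5 10:01:24 notes kernel: audit: type=1400 audit(1704448884.009:304): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=1201 comm="nginx" capability=12 capname="net_admin"
Jan  5 10:01:25 notes kernel: audit: type=1400 audit(1704448885.550:305): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/etc/nginx/nginx.conf" pid=1201 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Runs the sample through the summariser: three distinct denials come out,
# the duplicate nginx line is collapsed, and the socket is flagged.
demo() { sample_log | summarize_denials; }
```

In practice you would run `journalctl -k | summarize_denials` or `summarize_denials < /var/log/audit/audit.log` after exercising the application, and each output line maps to one rule to add to the profile. A `[disconnected path]` marker tells you the missing piece is the `attach_disconnected` flag rather than another path rule.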

Configuring the server to send emails #

I decided it would be nice to receive summary reports via email, so I created an account with a mail service that offers a free tier with SMTP relay. I set it up to send emails from a subdomain; that way, if the API key is ever compromised, only the subdomain's email reputation is at risk—not the bare domain. Then I added the API key to Postfix.

Since mail will only be sent from local applications, I configured Postfix to only send mail [6]. Additionally, in master.cf, I commented out the line indicating that Postfix should listen on port 25—because there won't be anything to listen for.
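A main.cf that matches the two paragraphs above, written here as an added example rather than copied from the author's server: a null client that listens on loopback only, refuses local delivery, and relays everything to the provider over authenticated, TLS-verified submission. The relay hostname (smtp.relay.example), the sending subdomain (notes.example.org) and the CA bundle path are assumptions; the provider's documentation gives the real values.

```ini
# /etc/postfix/main.cf (only the settings that matter here).
# Postfix treats anything after a value on the same line as part of the
# value, so every comment sits on its own line.

# Envelope sender domain: the dedicated subdomain, so a leaked API key can
# only burn this subdomain's reputation (assumed name).
myorigin = notes.example.org
myhostname = notes.example.org

# Null client: accept nothing for local delivery and listen only on loopback.
mydestination =
local_transport = error:local delivery is disabled
inet_interfaces = loopback-only

# Everything goes to the provider's relay on the submission port.
# The brackets stop Postfix from doing an MX lookup on the relay name.
relayhost = [smtp.relay.example]:587

# SASL login with the API key kept in a separate root-only file.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Never send the API key in the clear: require TLS and verify the relay's
# certificate against the system CA bundle (Debian/Ubuntu path assumed).
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
```

The credentials live in `/etc/postfix/sasl_passwd` as a single line of the form `[smtp.relay.example]:587 USERNAME:API_KEY` (the lookup key must match `relayhost` exactly), followed by `postmap /etc/postfix/sasl_passwd` and `chmod 600` on both the file and the generated `.db`. With the `smtp inet ... smtpd` line commented out of master.cf as described above, nothing listens on port 25 at all, not even on loopback, so every application on the box has to hand mail to the `sendmail` binary (Nextcloud's sendmail mail mode does this) rather than connect to localhost:25. `postfix check` and `postconf -n` catch typos before a reload, and `/var/log/mail.log` shows whether the relay accepted the SASL login.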

Setting Logwatch up to send daily summary emails #

I configured Logwatch to send me a summary report in medium detail daily. I had to manually create a temporary directory for Logwatch [7].

Footnotes #

[1] MariaDB: Authentication Plugin - Unix Socket: Creating Users (mariadb.com)

[2] Configuring MariaDB for Remote Client Access (mariadb.com)

[3] Nextcloud: Background jobs (docs.nextcloud.com)

[4] Nextcloud: Configuration Parameters (docs.nextcloud.com)

[5] In particular, I had to allow php to access /run/mysqld/mysqld.sock by adding the attach_disconnected flag. Evidently, unix socket connections may be created without the leading slash (serverfault.com). The AppArmor Core Policy Reference (gitlab.com) notes that the attach_disconnected flag exists to indicate that AppArmor should allow access if the path exists with a leading slash prepended. I guess this could theoretically be abused to access files that the profile writer actually intended to disallow with AppArmor, though file permissions still apply.

[6] Postfix on a null client (www.postfix.org)

[7] Tools - Logwatch (ubuntu.com)

Additional reading materials #