Cloud notes with Nextcloud and Joplin
AppArmor, Logwatch, and Postfix came along for the ride too.
I wanted to migrate from QOwnNotes to something that would let me view and edit notes from my phone. I ended up using Joplin with Nextcloud. I don't like that notes are stored locally in a SQLite database instead of plain text files, or that changing the user chrome to enlarge the interface text seems to make Joplin whitescreen (the only fix I found was to delete the `.joplin` folder from the home directory), but it'll do for now.
Setting up Nextcloud #
- I set Nextcloud up to use MariaDB, connecting via unix socket [1].
- Since applications will only be running locally, I configured MariaDB to skip networking [2].
- Nextcloud comes with a number of apps enabled by default. I disabled the ones I don't plan to use (which was most of them).
- I set up a cron job to run Nextcloud's background jobs every five minutes [3].
- I disabled password reset by email (`'lost_password_link' => 'disabled',`) and login by device (`'auth.webauthn.enabled' => false,`) [4].
- I enabled the Two-Factor TOTP Provider app.
Creating AppArmor profiles #
I decided to try setting up AppArmor profiles for nginx, PHP, and PHP-FPM. It was frustrating to figure things out, but I think I've got the process down:
- Launch `aa-genprof APPLICATION` to start creating a profile for an application.
- Start the application and cause it to exhibit as much normal behaviour as possible. For example, start nginx, make web requests to sites hosted on it, upload files, cause web applications to interact with the databases, etc.
- In `aa-genprof`, allow the process to access everything (as long as it doesn't look outright unreasonable, like the server is actually under attack), with some reasonable globs.
- Save the profile.
- Make any adjustments to the profile, like additional globs or allowing access to other directories/files that you didn't access before.
- Reload the profile using `apparmor_parser -r /path/to/apparmor.d/PROFILE`.
- Start enforcing the profile using `aa-enforce /path/to/apparmor.d/PROFILE`.
- Run the application again and look for any disallowed behaviours using `aa-notify`; `aa-genprof` can't catch and allow everything [5]. Make modifications to the profile, reload, and continue until `aa-notify` doesn't report any more denials. Because I could only see options to review events from the past day or since login, I found it more useful to disconnect from the server, reconnect, run the application, and run `aa-notify -l -v` to see only the new entries.
- Periodically review log files (Logwatch is helpful) for denials. `aa-logprof` can sometimes make the right adjustments to the profile...but not always.
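For the "look for denials, fix, reload" loop above, here is an added example of my own (not a tool from the post) that summarises AppArmor denials from audit-style log lines and flags the disconnected-path case from footnote [5], where the denied name has no leading slash and a rule on the obvious absolute path does nothing until the profile carries `flags=(attach_disconnected)`. The log lines are constructed for illustration; their field layout follows what AppArmor writes to `audit.log` or `kern.log`, and the `php-fpm8.1` process name and Nextcloud data path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. The log lines below are
# CONSTRUCTED; the key="value" layout matches AppArmor's audit records.
SAMPLE_LOG='type=AVC msg=audit(1700000000.123:456): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="php-fpm" name="run/mysqld/mysqld.sock" pid=1234 comm="php-fpm8.1" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=112
type=AVC msg=audit(1700000001.456:457): apparmor="DENIED" operation="open" profile="nginx" name="/var/www/nextcloud/data/appdata_x/preview/1.png" pid=2345 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=33
type=AVC msg=audit(1700000002.789:458): apparmor="ALLOWED" operation="open" profile="nginx" name="/etc/nginx/nginx.conf" pid=2345 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000003.000:459): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="php-fpm" name="run/mysqld/mysqld.sock" pid=1234 comm="php-fpm8.1" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=112'

# Pull one key="value" field out of a log line (prints nothing if absent).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Read log lines on stdin; print one line per distinct denial, most frequent
# first:  count profile operation name denied_mask [DISCONNECTED]
# ALLOWED records (complain mode) are skipped; only real denials matter here.
apparmor_denials() {
    while IFS= read -r line; do
        [ "$(field "$line" apparmor)" = DENIED ] || continue
        prof=$(field "$line" profile)
        op=$(field "$line" operation)
        name=$(field "$line" name)
        mask=$(field "$line" denied_mask)
        case $name in
            /*) flag= ;;
            *)  flag=' DISCONNECTED' ;;   # no leading slash: the footnote [5] case
        esac
        printf '%s %s %s %s%s\n' "$prof" "$op" "$name" "$mask" "$flag"
    done | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Turn one summary line into the profile change to consider: a file rule on
# the slash-prefixed name, preceded by a reminder about attach_disconnected
# when the name was disconnected. Only r/w masks get a generated rule; x, m,
# k and l masks deserve a deliberate decision, not automation.
suggest_rule() {
    set -- $1                      # count profile operation name mask [DISCONNECTED]
    name=$4
    case $name in /*) ;; *) name="/$name" ;; esac
    if [ "${6:-}" = DISCONNECTED ]; then
        printf '# add flags=(attach_disconnected) to the %s profile header\n' "$2"
    fi
    case $5 in
        *r*w*|*w*r*) perm=rw ;;
        *w*)         perm=w ;;
        *)           perm=r ;;
    esac
    printf '  %s %s,\n' "$name" "$perm"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials
```

On a real box, feed it the logs instead of the sample, e.g. `grep 'apparmor="DENIED"' /var/log/audit/audit.log | apparmor_denials` (or `journalctl -k` / `kern.log` where auditd is not installed), run `suggest_rule` on a summary line, edit the profile, `apparmor_parser -r` it, and re-test. The DISCONNECTED flag is the cue that `aa-logprof` alone will not get you there.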
Configuring the server to send emails #
I decided it would be nice to receive summary reports via email, so I created an account with a mail service that offers a free tier with SMTP relay. I set it up to send emails from a subdomain; that way, if the API key is ever compromised, only the subdomain's email reputation is at risk—not the bare domain. Then I added the API key to Postfix.
Since mail will only be sent from local applications, I configured Postfix to only send mail [6]. Additionally, in `master.cf`, I commented out the line indicating that Postfix should listen on port 25, because there won't be anything to listen for.
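The send-only setup described above, written out as an added example of my own rather than the post's actual configuration: the null-client parameters from [6] plus the authenticated, TLS-only relay settings, applied with `postconf`, followed by the two checks I would run afterwards (an audit of `postconf -n` output and a permission check on the credentials file). The relay host, port, the `mail.example.com` subdomain, the CA bundle path and the credentials path are placeholders; the Linux-specific `sed -i` and `stat -c` are assumed.

```shell
#!/bin/sh
# Added example, not the post's own configuration. RELAY, SENDER_DOMAIN,
# SASL_CREDS and the CA bundle path are placeholders/assumptions.
RELAY=${RELAY:-[smtp.relay.example]:587}
SENDER_DOMAIN=${SENDER_DOMAIN:-mail.example.com}   # a subdomain: a leaked key burns only its reputation
SASL_CREDS=${SASL_CREDS:-/etc/postfix/sasl_passwd}  # contains: [smtp.relay.example]:587 user:apikey

configure_send_only() {
    # Null client [6]: accept mail from this host only, deliver nothing
    # locally, and stamp every message with the subdomain as its origin.
    postconf -e "myorigin = $SENDER_DOMAIN" \
                "inet_interfaces = loopback-only" \
                "mydestination =" \
                "local_transport = error:local delivery is disabled" \
                "relayhost = $RELAY"
    # Authenticate to the relay and require TLS, so the API key never
    # crosses the wire in the clear.
    postconf -e "smtp_sasl_auth_enable = yes" \
                "smtp_sasl_password_maps = hash:$SASL_CREDS" \
                "smtp_sasl_security_options = noanonymous" \
                "smtp_tls_security_level = encrypt" \
                "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
    # Nothing will ever connect inbound, so comment out the smtpd listener in
    # master.cf (loopback-only already keeps it off public interfaces).
    sed -i 's/^smtp[[:space:]]\{1,\}inet/#&/' /etc/postfix/master.cf
    postmap "$SASL_CREDS"
    chmod 600 "$SASL_CREDS" "$SASL_CREDS.db"
    systemctl reload postfix
}

# Last value of a "name = value" parameter in config text ($1), or nothing.
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Audit: read `postconf -n` output (or main.cf) on stdin and report every
# send-only/relay setting that is missing or weak. Returns 1 on any finding.
audit_postfix() {
    config=$(cat)
    rc=0
    [ "$(cfg_get "$config" inet_interfaces)" = loopback-only ] \
        || { echo "inet_interfaces should be loopback-only"; rc=1; }
    # An absent mydestination is NOT empty: Postfix then defaults to
    # "$myhostname, localhost.$mydomain, localhost" and delivers locally.
    printf '%s\n' "$config" | grep -Eq '^mydestination[[:space:]]*=[[:space:]]*$' \
        || { echo "mydestination should be explicitly empty on a null client"; rc=1; }
    [ -n "$(cfg_get "$config" relayhost)" ] \
        || { echo "relayhost is not set"; rc=1; }
    case $(cfg_get "$config" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "smtp_tls_security_level does not require TLS to the relay"; rc=1 ;;
    esac
    case $(cfg_get "$config" smtp_sasl_security_options) in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options should include noanonymous"; rc=1 ;;
    esac
    return $rc
}

# The API key lives in SASL_CREDS (and its .db): only root may read it.
check_creds_perms() {
    [ "$(stat -c %a "$1")" = 600 ]
}

# Only touch the system when explicitly asked: ./postfix-send-only.sh apply
if [ "${1:-}" = apply ]; then
    configure_send_only
    postconf -n | audit_postfix
    check_creds_perms "$SASL_CREDS" || echo "$SASL_CREDS is readable by non-root users"
fi
```

`postconf -n | audit_postfix` is the check to keep: it reads the effective configuration rather than the file you think you edited, which catches a stray `main.cf` override or a package upgrade that reset `inet_interfaces`.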
Setting Logwatch up to send daily summary emails #
I configured Logwatch to send me a summary report in medium detail daily. I had to manually create a temporary directory for Logwatch [7].
Footnotes #
[1] MariaDB: Authentication Plugin - Unix Socket: Creating Users (mariadb.com)
[2] Configuring MariaDB for Remote Client Access (mariadb.com)
[3] Nextcloud: Background jobs (docs.nextcloud.com)
[4] Nextcloud: Configuration Parameters (docs.nextcloud.com)
[5] In particular, I had to allow `php` to access `/run/mysqld/mysqld.sock` by adding the `attach_disconnected` flag. Evidently, unix socket connections may be created without the leading slash (serverfault.com). The AppArmor Core Policy Reference (gitlab.com) notes that the `attach_disconnected` flag exists to indicate that AppArmor should allow access if the path exists with a leading slash prepended. I guess this could theoretically be abused to access files that the profile writer actually intended to disallow with AppArmor, though file permissions still apply.
[6] Postfix on a null client (www.postfix.org)
[7] Tools - Logwatch (ubuntu.com)
Additional reading materials #
- Nextcloud: Example installation on Ubuntu 22.04 LTS (docs.nextcloud.com)
- Nextcloud: NGINX configuration (docs.nextcloud.com)