Cloud & Backup systems¶

ownCloud is accessible via regular HTTP/HTTPS TCP ports 80/443 below the /owncloud path:

• URL: http://<your.IP>/owncloud
• Username: admin (or the one you set in dietpi.txt)
• Password: <your global password> (default: dietpi)

You can configure ownCloud via CLI from command line. To simplify this, DietPi has added a shortcut to the otherwise necessary sudo -u www-data php /var/www/owncloud/occ.
Simply run occ from your console:

occ list

More details about available commands can be found in the ownCloud admin manual.

1. Option: Use the web-based updater from within the ownCloud web UI settings.

2. Option: Use the updater script from console (recommended):

   sudo -u www-data php /var/www/owncloud/updater/application.php
   1
   

3. Follow the official documentation for a manual upgrade process: https://doc.owncloud.com/server/next/admin_manual/maintenance/upgrading/manual_upgrade.html

Where is my data stored?

/mnt/dietpi_userdata/owncloud_data (or dietpi.txt choice)

Why am I limited to 2 GiB file size uploads?

DietPi will automatically apply the max supported upload size to the PHP and ownCloud configs.

• 32-bit systems can handle 2 GiB
• 64-bit systems can handle 8796 PiB, yep, in petabyte
• echo -e "$(( $(php -r 'print(PHP_INT_MAX);') / 1024 / 1024)) MiB"

Will my data be saved after deinstallation?

Your userdata directory will stay after deinstallation.
As well a database backup will be saved to your userdata directory. Thus you can easily restore your instance by reinstalling ownCloud and restore the database dump.

Nextcloud is accessible via regular HTTP/HTTPS ports 80/443 below the /nextcloud path:

• URL: http://<your.IP>/nextcloud
• Username: admin (or the one you set in dietpi.txt)
• Password: <your global password> (default: dietpi)

You can configure Nextcloud via CLI from command line. To simplify this, DietPi has added a shortcut to the otherwise necessary sudo -u www-data php /var/www/nextcloud/occ.
Simply run ncc from your console:

ncc list

More details about available commands can be found in the Nextcloud admin manual.

Nextcloud offers built-in brute-force protection, which will delay your login rate in case of several failed login attempts.

See also:

• https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html

This protection can be extended with Fail2Ban (see following tab).

Using Fail2Ban your can block users after failed login attempts, which can further harden the brute-force protection of your Nextcloud instance.
To achieve this hardening, execute the following steps:

1. If not done yet, install Fail2Ban:

   dietpi-software install 73
   

2. Set options in the Nextcloud configuration file, typically /var/www/nextcloud/config/config.php:

   • Assure that all domains and IPs you use to access your Nextcloud instance were added to the 'trusted_domains' entry.

     'trusted_domains' =>
      array (
        0 => 'localhost',
        1 => 'your.domain/IP.org',
      ),
     

     The entry of the trusted domains is important, because one of the Fail2Ban filters deals with trusted domain errors (“Trusted domain error”, see below). By default, if you try to access with an untrusted domain, Nextcloud will show an error message.

     Attention

     Take care, if you use this “Trusted domain error” failregex option and you then reload the page several times (more often than maxretry value in the Fail2Ban jail file) you lockout yourself also for logging in via a trusted domain from the IP address you are using.

3. Create new Fail2Ban filter, e.g. /etc/fail2ban/filter.d/nextcloud.conf:

   # Fail2Ban filter for Nextcloud
   
   [Definition]
   _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
   failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
               ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
   datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
   

4. Create new Fail2Ban jail file/etc/fail2ban/jail.d/nextcloud.local:

   [nextcloud]
   enabled = true
   backend = auto
   logpath = /mnt/dietpi_userdata/nextcloud_data/nextcloud.log
   port = 80,443
   protocol = tcp
   filter = nextcloud
   maxretry = 5
   bantime = 600
   

   Assure that the logpath matches the 'datadirectory' value in the Nextcloud configuration file (config.php, see above), or the 'logfile' value if defined.

   Properties not defined here are taken from the [DEFAULT] block in /etc/fail2ban/jail.conf, or /etc/fail2ban/jail.local if present.
   Note the setting backend = auto: By default, backend is set to systemd in /etc/fail2ban/jail.conf. As a result, Fail2Ban would ignore the logpath entry here in the jail nextcloud.local, with the consequence that Fail2Ban does not recognize an attack on Nextcloud (port 80, 443), even though attacks are logged in /mnt/dietpi_userdata/nextcloud_data/nextcloud.log.

5. Restart Fail2Ban:

   systemctl restart fail2ban
   

6. Test your settings by trying to sign in multiple times from a remote PC with a wrong user or password. After maxretry attempts your IP should be banned for bantime seconds (DietPi does not respond anymore) as the default action by Fail2Ban is route, specified in /etc/fail2ban/jail.conf and defined in /etc/fail2ban/action.d/route.conf.

7. Check the current status on your DietPi:

   fail2ban-client status nextcloud
   

   IPs can be unbanned via:

   fail2ban-client unban 123.123.123.123
   

See also:

• Fail2Ban
• https://help.nextcloud.com/t/repeated-login-attempts-from-china/6510/11?u=michaing
• https://www.c-rieger.de/nextcloud-installationsanleitung/#c06

1. Option: Use the web-based updater from within the Nextcloud web UI settings.

2. Option: Use the updater script from console (recommended):

   phpenmod phar # The PHP Phar module is required
   sudo -u www-data php /var/www/nextcloud/updater/updater.phar
   y # Starts download and install of files
   y # Starts the internal database upgrade and migration steps
   N # Do not keep maintenance mode active
   

3. Follow the official documentation for a manual upgrade process: https://docs.nextcloud.com/server/latest/admin_manual/maintenance/manual_upgrade.html

Where is my data stored?

/mnt/dietpi_userdata/nextcloud_data (or dietpi.txt choice)

Why am I limited to 2 GiB file size uploads?

DietPi will automatically apply the max supported upload size to the PHP and Nextcloud configs.

• 32-bit systems can handle 2 GiB
• 64-bit systems can handle 8796 PiB, yep, in petabyte
• echo -e "$(( $(php -r 'print(PHP_INT_MAX);') / 1024 / 1024)) MiB"

Will my data be saved after deinstallation?

Your user data directory will stay after deinstallation. As well a database backup will be saved to your user data directory. Thus you can easily restore your instance by reinstalling Nextcloud and restore the database dump.

How can I check my OPcache status?

PHP uses a so called OPcache to store PHP scripts in optimised opcode format in RAM, which speeds up browser access as the raw PHP scripts do not need to be read from disk and parsed first.
The Nextcloud admin panel includes a check for sufficient OPcache settings and in case shows a recommendation for settings to apply. If such appears, we recommend to apply them with an own configuration file, e.g.:

echo -e '; Custom Nextcloud OPcache settings\n; priority=99\nopcache.memory_consumption=128' > /etc/php/7.4/mods-available/custom.ini
phpenmod custom

You can watch the actual usage with the pre-installed opcache-gui by @amnuts.

• URL: http://<your.IP>/opcache.php

The dialog shows the cache status as well as the settings.

What shall I do about missing bcmath, gmp and imagick PHP modules?

After a fresh install via dietpi-software, the Nextcloud admin panel shows warnings about three missing modules. We propose to ignore them: imagick is not needed at all and a subject of discussion about security issues, bcmath and gmp are required only if you want to use the WebAuthn passwordless authentication with Nextcloud.
If you must mute those warnings, you can install the modules manually:

sudo apt install php-bcmath php-gmp php-imagick libmagickcore-6.q16-6-extra

The imagick related warning can be solved alternatively by disabling the Theming app (in the Nextcloud apps settings), if no manual theming is done to the Nextcloud instance anyway.

For video call throughout your local network, a so called TURN server is required. Coturn is a common implementation and hence installed by default together with our Nextcloud Talk option.

During installation you will be asked to enter your server’s external domain and a port, that you want to use for the Coturn TURN server. Note that you need to forward the chosen port and/or open it in your firewall.

Coturn will be configured with authentication via shared secret and some additional security measures. For details, see this HowTo: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794

URL: http://<your.IP>/pydio

• Ignore the warnings and click the button titled CLICK HERE TO CONTINUE TO PYDIO.
  Remark: If you require SSL access, please use LetsEncrypt to set this up.
• The wizard can now be started, click the start wizard > button to begin.
• Enter and create a new admin account for use with Pydio. Then click the >> button.
• Under database details, enter the following:
  • Database type = MySQL
  • Host = localhost
  • Database = pydio
  • User = pydio
  • Password = <your global password> (default: dietpi)
  • Use MySqli = No
• Click test connection, when successful, click the >> button.
• Under advanced options, use the default values, then click the Install Pydio button.

Once the server has been configured (as per above):

• Download the sync client for your system: https://pydio.com/en/get-pydio/downloads/pydiosync-desktop-app
• When configuring the remote server, use the following:
  • Select HTTP option (unless you have setup an SSL cert)
  • URL = http://<your.IP>/pydio (replace IP with your system IP)
  • User = The “admin” user you setup in initial setup.
  • Password = The “admin” password you setup in initial setup.

The web interface is accessible via TCP port 55414:

• URL: http://<your.IP>:55414

The configuration of UrBackup is within these options:

• UrBackup web interface, tab Settings

• UrBackup configuration file, /etc/default/urbackupsrv

  After editing the config file, the service needs to be restart for changes to take effect:

  systemctl restart urbackupsrv
  

Best practice: Disable “Allow client-side pausing of backups”
Backup procedures sometimes are paused by the client side which leads to a long backup duration. To avoid this the pausing can be deactivated via the UrBackup web interface:

• Select Settings
• Select tab General -> Permissions
• Uncheck option Allow client-side pausing of backups
• Alternatively this can also be set via the client resp. group based settings in the Settings area

The location of the backups can be set prior to installing UrBackup via SOFTWARE_URBACKUP_BACKUPPATH setting in /boot/dietpi.txt. It defaults to /mnt/dietpi_userdata/urbackup.

After the installation, the path can be changed via web interface:

• Select Settings
• Select tab General -> Server
• Change Backup Storage Path
• Click Save

mkdir /path/to/backup/storage
chown -R urbackup:urbackup /path/to/backup/storage

Install the appropriate client on the systems you wish to backup from https://www.urbackup.org/download.html#client_windows.
Remark: For Windows 7 (outdated), the client version 2.4.11 has to be used.

Via web interface Settings > Advanced section, a temporary download buffer can be enabled, where backups are stored to during download, before being moved to the final backup path. See the corresponding UrBackup documentation chapter for details.
By default the /tmp tmpfs (RAM disk) is used for this, which causes issues if you do not have several free GiB of RAM. The directory can be changed via:

nano /etc/default/urbackupsrv

The relevant entry is DAEMON_TMPDIR:

#Temporary file directory
# -- this may get very large depending on the advanced settings
DAEMON_TMPDIR='/tmp'

Note that this means doubled file writes and has no benefits as long as the backup duration from clients’ side is not time critical, or your backup drive is not very slow. It makes sense only if you have a much faster drive available, or plenty GiB of free RAM to use as backup download buffer.

UrBackup logs to /var/log/urbackup.log by default. The path to the log file can be changed via /etc/default/urbackupsrv. See “Configuration” tab for details.

You can easily update UrBackup by reinstalling it. Your settings and data are preserved:

dietpi-software reinstall 111

The web interface is accessible via TCP port 3000:

• URL: http://<your.IP>:3000

Has to be done once, when connected to the web interface:

• Change the following values only:
  • Database Type: MySQL
  • Host: /run/mysqld/mysqld.sock
  • Password: <your global password> (default: dietpi)
  • Repository Root Path: /mnt/dietpi_userdata/gogs-repo
  • Run User: gogs
  • Domain: <your.domain/IP>
  • Application URL: http://<your.domain/IP>:3000/
  • Log Path: /var/log/gogs
• Scroll to the bottom of page and select “Install Gogs”.
• Depending on whether the application URL above was entered correctly/is accessible by the connected browser, you may need to reconnect to the web page using the IP address, e.g.: http://<your.IP>:3000
• Once the page has reloaded, you will need to click Register to create the admin account.

If you wish to allow external access to your Gogs server, you will need to setup port forwarding on your router, pointing to the IP address of your DietPi device.

• Port: 3000
• Protocol: TCP

If an external access is used, HTTPS is strongly recommended to increase your system security. You can get a free certificate e.g. via dietpi-letsencrypt.

Initial service logs can be viewed via:

journalctl -u gogs

Daemon logs can be found in the following directory:

/var/log/gogs

You can easily update Gogs by reinstalling it. Your settings and data are preserved by this:

dietpi-software reinstall 49

The web interface is accessible via port 3000:

• URL: http://<your.IP>:3000

Has to be done once, when connected to the web interface:

• Change the following values only:
  • Host: /run/mysqld/mysqld.sock
  • Password: <your global password> (default: dietpi)
  • Server Domain: <your.domain/IP>
  • Gitea Base URL: http://<your.domain/IP>:3000/
  • Log Path: /var/log/gitea (However, file logging is disabled by default.)
• Scroll to the bottom of page and select “Install Gitea”.
• Depending on whether the base URL above was entered correctly/is accessible by the connected browser, you may need to reconnect to the web page using the IP address, e.g.: http://<your.IP>:3000
• Once the page has reloaded, you will need to click Register to create the admin account.

If you wish to allow external access to your Gitea server, you will need to setup port forwarding on your router, pointing to the IP address of your DietPi device.

• Port: 3000
• Protocol: TCP

If an external access is used, HTTPS is strongly recommended to increase your system security. You can get a free certificate e.g. via dietpi-letsencrypt.

Using Fail2Ban your can block IP addresses after failed login attempts. This hardens your system against e.g. brute-force attacks.

[Definition]
journalmatch = _SYSTEMD_UNIT=gitea.service
failregex = Failed authentication attempt for \x1b\[1m.+\x1b\[0m from \x1b\[1m<HOST>:\d+\x1b\[0m:

[gitea]
enabled = true
backend = systemd

[Definition]
failregex = Failed authentication attempt for .+ from <HOST>:\d+:

[gitea]
enabled = true
backend = auto
logpath = /var/log/gitea/gitea.log

You can specify other properties like maxretry or bantime to overwrite the defaults in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local if present. When done:

• Restart Fail2Ban: systemctl restart fail2ban
• Try to login to the Gitea web interface with a wrong password.
• Check whether the failed login has been detected: fail2ban-client status gitea
• When you further try to login maxretry times, your IP should be banned for bantime seconds, so that neither the Gitea web interface, nor SSH or any other network application will respond to requests from your client. When Fail2Ban was installed via dietpi-software, by default route/blackhole blocking is used, so that ip r on the server should show a blackhole route for your client’s IP.
• See also:
  • Fail2Ban
  • https://docs.gitea.com/administration/fail2ban-setup

By default, logs can be viewed with the following command:

journalctl -u gitea

File logging to /var/log/gitea/gitea.log can be enabled by editing /mnt/dietpi_userdata/gitea/custom/conf/app.ini and changing MODE = console in the [log] section to MODE = file.

You can easily update Gitea by reinstalling it. Your settings and data are preserved by this:

dietpi-software reinstall 165

The web interface is accessible via port 3000:

• URL: http://<your.IP>:3000

Has to be done once, when connected to the web interface:

• Change the following values only:
  • Host: /run/mysqld/mysqld.sock
  • Password: <your global password> (default: dietpi)
  • Server Domain: <your.domain/IP>
  • Forgejo Base URL: http://<your.domain/IP>:3000/
  • Log Path: /var/log/forgejo (However, file logging is disabled by default.)
• Scroll to the bottom of page and select “Install Forgejo”.
• Depending on whether the base URL above was entered correctly/is accessible by the connected browser, you may need to reconnect to the web page using the IP address, e.g.: http://<your.IP>:3000
• Once the page has reloaded, you will need to click Register to create the admin account.

If you wish to allow external access to your Forgejo server, there are some options, here are two of them:

1. You can setup port forwarding on your router, pointing to the IP address of your DietPi device.

   • Port: 3000
   • Protocol: TCP

2. Without port forwarding, you can setup a tunnel or reverse proxy with services like Cloudflare Tunnel.

If an external access is used, HTTPS is strongly recommended to increase your system security. You can get a free certificate e.g. via dietpi-letsencrypt.

Using Fail2Ban your can block IP addresses after failed login attempts. This hardens your system against e.g. brute-force attacks.

[Definition]
journalmatch = _SYSTEMD_UNIT=forgejo.service
failregex = Failed authentication attempt for .+ from <HOST>:\d+:

[forgejo]
enabled = true
backend = systemd

[Definition]
failregex = Failed authentication attempt for .+ from <HOST>:\d+:

[forgejo]
enabled = true
backend = auto
logpath = /var/log/forgejo/forgejo.log

You can specify other properties like maxretry or bantime to overwrite the defaults in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local if present. When done:

• Restart Fail2Ban: systemctl restart fail2ban
• Try to login to the Forgejo web interface with a wrong password.
• Check whether the failed login has been detected: fail2ban-client status forgejo
• When you further try to login maxretry times, your IP should be banned for bantime seconds, so that neither the Forgejo web interface, nor SSH or any other network application will respond to requests from your client. When Fail2Ban was installed via dietpi-software, by default route/blackhole blocking is used, so that ip r on the server should show a blackhole route for your client’s IP.
• See also: Fail2Ban

By default, logs can be viewed with the following command:

journalctl -u forgejo

File logging to /var/log/forgejo/forgejo.log can be enabled by editing /mnt/dietpi_userdata/forgejo/custom/conf/app.ini and changing MODE = console in the [log] section to MODE = file.

You can easily update Forgejo by reinstalling it. Your settings and data are preserved by this:

dietpi-software reinstall 177

The web interface is accessible via port 8384:

URL = http://<your.IP>:8384

Has to be done once, when connected to the web interface.

• When the Danger! Please set a GUI Authentication User and Password in the Settings dialog. box appears, click the settings button inside the box.
• Under GUI Authentication User and GUI Authentication Password: Enter new login details you would like to use for access to the web interface. Then click save.

DietPi will automatically setup your default folder share to /mnt/dietpi_userdata.

In this example we will use a Windows system. The goal is to “sync” the user data from your DietPi device with another system.

• Download, extract and run the Windows application syncthing.exe: https://syncthing.net/downloads/.
• Syncthing web interface will load automatically, if not, you can access it via http://127.0.0.1:8384/.
  • Click Actions at the top right, then select Show ID. Copy the UUID code.
• On the DietPi device, open the web interface and click Add remote device (bottom right).
  • Under Device ID, paste in the UUID we copied earlier.
  • Under Device name, enter any name. e.g.: My Windows PC.
  • Under Share Folders With Device tick/select DietPi user data, then click save.
• After a few seconds, go back to the Windows web interface http://127.0.0.1:8384/. You should receive a message asking you to confirm the new device, click Add Device.
  • Under Share Folders With Device tick/select DietPi user data, then click save.

You devices should now duplicate the user data from your DietPi device to your Windows PC.

The web interface is accessible via TCP port 9001 and S3 clients need to connect via TCP port 9004:

• Web UI URL: http://<your.IP>:9001
• S3 API URL: http://<your.IP>:9004
• Username: minioadmin
• Password: minioadmin
• MinIO Server Quick Start Guide
• Python Client Quick Start Guide - MinIO
• JavaScript Client Quick Start Guide - MinIO

• During install, a self-signed 4096-bit RSA TLS certificate is created to allow encrypted HTTPS access, which is required for access with most Bitwarden clients and reasonable as of the sensitivity of the data a password manager handles.
• Most web browsers will warn you on access that the certificate is not trusted, although usually you can choose to ignore that and still access the web vault.
• Most Bitwarden clients on the other hand will deny to access your server, as long as the certificate is not trusted.
• As far as you have a public domain name for your DietPi server, we recommend to request an official trusted CA certificate, e.g. via dietpi-letsencrypt and setup either a reverse proxy, or configure vaultwarden to use the retrieved key and certificate directly via ROCKET_TLS setting in the config file (see “Directories” tab).

The web interface is accessible via port 8001:

• URL = https://<your.IP>:8001
• On first access, you need to create an account, either via web UI or via client (see “Client access” tab).

Any official Bitwarden client will work: https://bitwarden.com/download

1. Select the settings cog at the top left of the window.
2. Add https://<your.IP>:8001 into the custom server field.
3. Create a new account, which will be created on your own server only.

• Install directory: /opt/vaultwarden
• Data directory: /mnt/dietpi_userdata/vaultwarden
• Config file: /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

As vaultwarden is installed via APT, it can be update with the following commands:

apt Update
apt install vaultwarden

The web interface is accessible via regular HTTP and HTTPS ports 80 and 443:

• URL: http://<your.IP> or https://<your.IP> (When using HTTPS, you may ignore the browser warning because of the self-signed certificate which is used by default.)
• Username: dietpi
• Password: <your global password> (default: dietpi)

• Install directory: /home/bd
• Config file: /home/bd/bdd.conf
• File server directory: /mnt/dietpi_userdata/fuguhub-data

• Service: journalctl -u bdd
• Trace: /home/bd/trace/
  It contains an info about the database creation only, even after playing around with the web UI a bit.

To update FuguHub, simply reinstall it:

dietpi-software reinstall 161

All your settings and data will be preserved.

The web interface is accessible via port 8084:

• URL = http://<your.IP>:8084
• Username = dietpi
• Password = <your global password>

• Install directory: /opt/filebrowser
• Config directory: /mnt/dietpi_userdata/filebrowser
• Default data directory: /mnt

File Browser comes with a powerful CLI not only allowing to change the configuration, but also execute commands, set rules, etc. (some settings can also be changed via the web interface).
You can find the full feature set in the official documentation of File Browser, linked below, or run:

/opt/filebrowser/filebrowser --help

Here is an example for how to change the default data directory (in this example set to /foo/bar/baz): - Stop the service:

```sh
systemctl stop filebrowser
```

• Apply new config:

  /opt/filebrowser/filebrowser config set -r /foo/bar/baz -d /mnt/dietpi_userdata/filebrowser/filebrowser.db
  

• Bring the service back:

  systemctl start filebrowser
  

View the logs by executing:

journalctl -u filebrowser

You can easily update File Browser by reinstalling it. Your settings and data are preserved by this:

dietpi-software reinstall 198

Run rclone config to setup. See Rclone config docs for more details.

Rclone can be updated by simply reinstalling it:

dietpi-software reinstall 202