OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: FullyBorked on September 13, 2022, 10:09:44 pm
-
I wanted some sort of semi automated backup of my config. Google Drive is way more complex than I want it to be and don't see any options for a simple ftp or SMB upload. So decided the next simplest option was NextCloud. So I did a quick VM deployment of next cloud, it's up and running without issue. I've followed the instructions herehttps://github.com/opnsense/docs/blob/master/source/manual/how-tos/cloud_backup.rst#setup-nextcloud-api-usage (https://github.com/opnsense/docs/blob/master/source/manual/how-tos/cloud_backup.rst#setup-nextcloud-api-usage), created my app passwords etc. But when I test it gives the following error.
Error while fetching filelist from Nextcloud '/.' path
According to the instructions it should create the needed folder on my NextCloud instance but that isn't' happening. Anyone have any insight into why this seems to not be able to find the path? Or is this a red herring and it's some other issue, I am using a self signed cert so maybe it's a cert error but doesn't display as one?
-
Once I created an App password for Opnsense, it was pretty straightforward. Assuming you set the correct URL for your nextcloud and the username and the App password for opnsense and enabled the "service"
Did you by any chance use a leading slash in your path for Directory Name? You shouldn't as the comment there suggests.
-
Once I created an App password for Opnsense, it was pretty straightforward. Assuming you set the correct URL for your nextcloud and the username and the App password for opnsense and enabled the "service"
Did you by any chance use a leading slash in your path for Directory Name? You shouldn't as the comment there suggests.
It won't allow it a leading or trailing slash it'll error if you try and save. After tons of digging the best I can figure is it doesn't like the self signed cert. I think it's failing cert validation, but the error doesn't give a lot of detail. "ssl_verify_result":18
-
Have you tried creating the folder that you want the backups in -- manually in Nextcloud and then trying?
-
Have you tried creating the folder that you want the backups in -- manually in Nextcloud and then trying?
I did, I tried it both ways, with and without the folder pre-created, I tried all lower case, no special characters, I even tried very simple folder names like "test". I tried multiple app passwords, I even tried my main password in case there was a bug or issue with the app password. I verified that the firewall was allowing the traffic. I verified that I could connect using a web browser.
-
https://forum.opnsense.org/index.php?topic=8996.0 this post had a similar issue and it was cert related, that's why I think it just doesn't like a self signed cert. It's waaay to much effort to get let's encrypt up and going imo.
Very frustrating something as necessary as backup is so hard to reach it seems. I'd say I'm a pretty seasoned sysadmin and this is stumping me. No way less seasoned users are gonna get this working. IMO there needs to be a much simpler option available.
-
https://forum.opnsense.org/index.php?topic=8996.0 this post had a similar issue and it was cert related, that's why I think it just doesn't like a self signed cert. It's waaay to much effort to get let's encrypt up and going imo.
Very frustrating something as necessary as backup is so hard to reach it seems. I'd say I'm a pretty seasoned sysadmin and this is stumping me. No way less seasoned users are gonna get this working. IMO there needs to be a much simpler option available.
Hmm. The 2 key differences in my setup are that my Nextcloud is running locally on a proxmox LXC container and I am using Let's Encrypt wildcard cert for all my services -- opnsense, nextcloud and many more.
I still think that self signed certs should work, as long as both ends accept it.
-
Hi
I didn't know about the nextcloud backup option.... Tried Google a while back but it's confusing and inconvenient!
Really there should be a simple smb/ftp/nfs share option for backing up to NAS etc.
Anyway, after reading this thread I tried nextcloud. Dididn't use it before as I have 2 QNAP's and nextcloud doesn't bring anything useful. BUT:
I installed dietpi in a proxmox VM (ALL my linux vm's run dietpi, used it on raspberry before migrating all devices to VM's in proxmox). Installed nextcloud from dietpi-software options. Did basic config creating "opnsense" user and an app password as described above.
I created the backup folder in nexcloud under the created user.
Installed the nextcloud plugin in opnsense and configured the new backup option with the internal IP from the nexcloud interface: http://192.168.2.44/nextcloud
user: the user I created
pw: the app password.
Did a save/test and all is working.
Couldn't be simpler.
No certs nothing as this is all local.
-
Hi
I didn't know about the nextcloud backup option.... Tried Google a while back but it's confusing and inconvenient!
Really there should be a simple smb/ftp/nfs share option for backing up to NAS etc.
Anyway, after reading this thread I tried nextcloud. Dididn't use it before as I have 2 QNAP's and nextcloud doesn't bring anything useful. BUT:
I installed dietpi in a proxmox VM (ALL my linux vm's run dietpi, used it on raspberry before migrating all devices to VM's in proxmox). Installed nextcloud from dietpi-software options. Did basic config creating "opnsense" user and an app password as described above.
I created the backup folder in nexcloud under the created user.
Installed the nextcloud plugin in opnsense and configured the new backup option with the internal IP from the nexcloud interface: http://192.168.2.44/nextcloud
user: the user I created
pw: the app password.
Did a save/test and all is working.
Couldn't be simpler.
No certs nothing as this is all local.
Glad you were able to get it setup without issue. I have no idea what the issue was on my side, I'm hosting on Proxmox as well, but on an Ubuntu VM. Seems like I'm not alone in the issue I ran into, I've found quite a few similar posts with no real resolution. On the surface the setup seems to be quite simple, but the poor logging makes it hard to troubleshoot when it doesn't work.
-
If you want to get it running just install a Dietpi VM and try again, might be lucky also.... It's done in 5min under proxmox
-
If you want to get it running just install a Dietpi VM and try again, might be lucky also.... It's done in 5min under proxmox
OK, so finally have this figured out, it's cert related. I blew out the install and reinstalled it, but this time I skipped the step for enabling SSL. I also noticed in your config yours is set as http as well. Works like a charm, as soon as I go back and enable SSL it breaks again, it doesn't like that self signed cert, so if you want to secure it you'll need a valid cert. Sigh... really wish the Nextcloud plugin had a way to ignore cert validation. I'll have to think if I want to keep this configured without a cert.
-
Great.
Guess if this is all local (in my case) and only to accept opnsense backups (don't need it for anything else) it can be http only.
-
Great.
Guess if this is all local (in my case) and only to accept opnsense backups (don't need it for anything else) it can be http only.
Yea that's mostly true, I just never like plain text passwords, if something is ever compromised on network that's just one more thing that could be read and subsequently accessed. Small risk, but I worked a long time in enterprise cyber so lateral movement is something I always think about. I'll probably leave it this way for now, looks like DNS based Let's encrypt isnt easy to setup on Nextcloud currently.
Secondly how often does a backup run? Do I need to setup a cron job? I see there is a "remote backup" option but I have no idea what it does.
-
Yea that's mostly true, I just never like plain text passwords, if something is ever compromised on network that's just one more thing that could be read and subsequently accessed. Small risk, but I worked a long time in enterprise cyber so lateral movement is something I always think about.
Then set up a free Let's Encrypt account and use a wildcard cert. It's not terribly difficult with the Acme plugin on Opnsense. I originally did it because vaultwarden password manager required SSL in order to access the WebUI. So I thought instead of a self-signed cert, I might as well set up LE and use that for all my services that I host locally.
I'll probably leave it this way for now, looks like DNS based Let's encrypt isnt easy to setup on Nextcloud currently.
Then don't. Set it up on a proxy -- HAProxy plugin on Opnsense is what I use --- although, the configuration for HAProxy is relatively convoluted compared to other proxy servers like Nginx Proxy manager or caddy. I initially started with caddy (which has built in LE btw), then switched to HAProxy only to avoid having a separate VM/LXC container for the proxy, when my opnsense router was plenty capable of doing the same thing. If you enable the mimugmail repo in Opnsense, you can even use caddy as a plugin on Opnsense.
Secondly how often does a backup run? Do I need to setup a cron job? I see there is a "remote backup" option but I have no idea what it does.
It runs nightly. Mine runs at 1AM, but I couldn't find any documentation as to whether we can change the time it runs etc. If you do select the Cron job of Remote Backup, it will simply do the configured backup for you. So for eg. if you configured Nextcloud and Google Drive -- then it would run both those backups at the scheduled time.
I had set up a cron job and forgotten about it -- so when i saw a backup of my opnsense config at a time other than 1AM, I was confused until I checked the cron job. I have now disabled the cron job since I had set that up to run once a week whereas the autorun runs everyday even without a cron job.
-
Setup described here:https://forum.opnsense.org/index.php?topic=23339.0
Skimmed it and got my head spinning....
Not worth the trouble in my case.
-
Setup described here:https://forum.opnsense.org/index.php?topic=23339.0
Skimmed it and got my head spinning....
Not worth the trouble in my case.
Yea def not going through all that, and even with a proxy I don't want my nextcloud box exposed to the internet. Exposing it to the internet just to add a cert, exponentially increases my security risk. I'll just accept the risk of a internal portal not have TLS until I can figure out how to make let's encrypt DNS work.
-
Setup described here:https://forum.opnsense.org/index.php?topic=23339.0
Skimmed it and got my head spinning....
Not worth the trouble in my case.
As I said, the HAProxy opnsense plugin configuration is a bit convoluted with real servers, backend pools, conditions, rules etc. Too many fields however aren't even used for basic SSL offloading which is what I am using it for.
There was no 3rd party repos when I first started using Opnsense. So I opted for Caddy v2 in a Proxmox container, but then having to maintain host overrides in Opnsense Unbound pointing Caddy and then having them route again to the correct server seemed unnecessary which is why I opted for HAProxy which was available in the main Opnsense repo at that time.
I didn't have mimugmail repo enabled until 3 days ago -- which I did for AdGuard plugin. I would have used the caddy plugin when I did this if I had the option. Who knows, I might switch to the caddy plugin down the road. It would just be a lot of work for me since I would have to move and test 20+ different services over. Tedious without any huge benefit (for me). The config will be simpler, so I might try it out when I have time and patience.