Using OCI Object Storage with Nextcloud
Nextcloud is a popular open-source collaboration and file hosting platform.
There are many options available to install and deploy Nextcloud, with packaged distributions available for most platforms, including NAS devices, Raspberry Pi, or VM and Docker deployments. Personally, I run Nextcloud on my home network on a Raspberry Pi.
You could also deploy Nextcloud on OCI, and that would be a great project for running on an OCI Always Free account. This article however is not going to cover that. Instead, regardless of how it has been deployed, I wanted to look at using OCI Object Storage as the backend storage for the documents managed by Nextcloud.
Nextcloud by default stores its data on the local file system of the server it is running on, but there is also an option to configure External Storage to mount external storage services as secondary storage locations.
To use OCI Object Storage as a storage backend we will use OCI's S3-compatible storage API. For S3-compatible API authentication we need to generate an access key and secret key. While you could generate these keys for your main user account, any system configured with those keys would then have full access to ALL storage buckets that the user account can access.
To ensure Nextcloud can only access a limited set of buckets we use the OCI Identity and Access Management (IAM) configuration to create a dedicated user with limited access permissions.
Configure OCI Object Storage access
By creating a separate service account we can limit the scope of the data that Nextcloud has access to. To create a new limited access account for Nextcloud we will:
- Create a “nextcloud” Compartment.
- Create a “nextcloud” Group.
- Create a “nextcloud” User.
- Update the “nextcloud” User to only allow auth token and secret key authentication.
- Add the “nextcloud” User to the “nextcloud” Group.
- Create a Policy to allow the “nextcloud” Group to access Buckets and Objects in the “nextcloud” Compartment.
- Create a bucket in the "nextcloud" Compartment.
The following OCI CLI commands can be executed directly in OCI Cloud Shell to set up the required compartment, user, group and access policy.
# create the compartment, group and user
export NEXTCLOUD_COMPARTMENT=$(oci iam compartment create --compartment-id ${OCI_TENANCY} --name nextcloud --description "Nextcloud compartment" | jq -r '.data.id')
export NEXTCLOUD_GROUP=$(oci iam group create --name nextcloud --description "Nextcloud group" | jq -r '.data.id')
export NEXTCLOUD_USER=$(oci iam user create --name nextcloud --description "Nextcloud user" | jq -r '.data.id')

# set the user capabilities and add to the group
oci iam user update-user-capabilities --user-id ${NEXTCLOUD_USER} --can-use-api-keys false --can-use-auth-tokens true --can-use-console-password false --can-use-customer-secret-keys true --can-use-o-auth2-client-credentials false --can-use-smtp-credentials false
oci iam group add-user --user-id ${NEXTCLOUD_USER} --group-id ${NEXTCLOUD_GROUP}

# create the object storage access policy
oci iam policy create --compartment-id ${OCI_TENANCY} --name nextcloud --description "nextcloud object storage access" --statements "[\"Allow group nextcloud to read buckets in compartment nextcloud\", \"Allow group nextcloud to manage objects in compartment nextcloud\"]"
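The value of the policy above is that it grants only what Nextcloud needs (read on buckets, manage on objects) and only inside the nextcloud compartment. The following script is an added example, not part of the original article or of the OCI CLI: it parses policy statements in the shape used here and flags any grant that is wider than that, so a policy can be checked before it is applied or during a periodic review. The statement format is the one shown on this page; the "broad" statement is a constructed counter-example.

```python
import re

# OCI IAM verbs, least to most powerful.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Strongest verb Nextcloud needs per resource type (matches the policy above).
NEEDED = {"buckets": "read", "objects": "manage"}

# Shape of the statements on this page: Allow group G to VERB RESOURCE in compartment C
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>compartment\s+\S+|tenancy)\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one policy statement into group/verb/resource/scope, or None if it does not match."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        return None
    p = {k: v.lower() for k, v in m.groupdict().items()}
    p["scope"] = " ".join(p["scope"].split())  # normalise inner whitespace
    return p


def audit_policy(statements, group="nextcloud", compartment="nextcloud"):
    """Return findings for grants wider than Nextcloud needs; [] means the policy is within scope."""
    findings = []
    for stmt in statements:
        p = parse_statement(stmt)
        if p is None:
            findings.append(f"unparseable statement: {stmt!r}")
            continue
        if p["group"] != group:
            findings.append(f"grant to unexpected group {p['group']!r}")
        if p["scope"] != f"compartment {compartment}":
            findings.append(f"scope {p['scope']!r} is wider than compartment {compartment!r}")
        needed = NEEDED.get(p["resource"])
        if needed is None:
            findings.append(f"resource type {p['resource']!r} is not needed by Nextcloud")
        elif VERB_RANK[p["verb"]] > VERB_RANK[needed]:
            findings.append(f"{p['verb']} on {p['resource']} exceeds the needed verb {needed!r}")
    return findings


# The two statements from the policy created above.
PAGE_POLICY = [
    "Allow group nextcloud to read buckets in compartment nextcloud",
    "Allow group nextcloud to manage objects in compartment nextcloud",
]
# Constructed over-broad grant, for contrast: it would expose the whole tenancy.
BROAD_POLICY = ["Allow group nextcloud to manage all-resources in tenancy"]
```

Running `audit_policy(PAGE_POLICY)` returns an empty list, while `audit_policy(BROAD_POLICY)` reports both the tenancy-wide scope and the all-resources grant.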
We also need to create a bucket, or buckets, to be used by Nextcloud. The buckets must be in the nextcloud Compartment. You can create multiple buckets and configure each as a separate External Storage location, allowing for example separate buckets to be assigned to different Nextcloud users or groups.
Here we’ll just create one bucket called “nextcloud”.
oci os bucket create --name "nextcloud" --compartment-id ${NEXTCLOUD_COMPARTMENT}
Configure the Nextcloud External Storage
In Nextcloud, as an administrator user, go to the account settings page and select the Administration > External storages section.
Enter an appropriate Folder name, e.g. "My OCI Object Storage", and select "Amazon S3" as the External storage type.
In the Bucket field enter the name of the bucket you created for external storage, e.g. nextcloud.
For the Hostname enter the OCI S3-compatible API endpoint, in the style <namespace>.compat.objectstorage.<region>.oraclecloud.com. Do not prefix the hostname with https://.
Set <region> to the OCI region where the buckets have been created, e.g. us-ashburn-1. Change <namespace> to the tenancy-specific Object Storage namespace. To find the Object Storage namespace you can run:
$ oci os ns get | jq -r '.data'
Select the Enable SSL option.
Select the Enable Path Style option.
For authentication we need to generate a new access and secret key pair. In the OCI Console open the configuration page for the nextcloud User. Select the Customer Secret Keys option and click the Generate Secret Key button.
Enter "nextcloud" as the name of the key. Copy the generated secret and paste it into the External Storage Secret key field.
After closing the Generate Secret Key dialog the Access Key is shown in the table of keys. Copy the Access key and paste it into the External Storage Access key field.
To complete the setup click the checkmark on the right to validate and save the credentials. If the configuration is successful you will see a green circle with a checkmark on the left of the configuration settings.
The configured External Storage connection is now available as a folder. Any documents placed in this folder will be saved to Object Storage instead of on the Nextcloud host.
Conclusion
This article covers how to create a dedicated service account in OCI with limited access privileges for Object Storage bucket access using the OCI S3-compatible storage API. While Nextcloud is a specific example, the same pattern can be used for any integration where data access should be scoped to a limited set of Object Storage buckets.