wsl2에 archlinux 설치

wsl2에 2022-11-18 현재 공식적으로 배포중인 linux distro에 archlinux는 없다.

하지만 linux 배포판중 archlinux를 가장 좋아하기때문에 archlinux를 설치해보았다.

docker에서 배포중인 archlinux 이미지를 사용하여 기본 설정하고 export 한 다음에 wsl에 등록하였다.

docker는 이미 설치되어 있다고 가정한다.

1. docker archlinux image 가져오기

> docker pull archlinux

2. archlinux container 실행

> docker run -it --name archlinux-wsl archlinux

3. archlinux 기본 설정

3.1. update 및 sudo 설정

# pacman -Syu
# pacman -Sy sudo vi
# visudo

3.2. 아래 내용을 찾아 주석을 해제한다.

%wheel ALL=(ALL:ALL) ALL

3.3. user 계정 생성. 아래 명령에서 userid는 사용할 user 계정을 쓴다.
# useradd -G wheel,users -m userid
# passwd userid

3.4. 아래와 같이 passwd, group shadow, gshadow 파일 존재 여부와 권한 확인

# ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
-rw-r--r-- 1 root root 672 Nov 18 12:23 /etc/group
-rw------- 1 root root 598 Nov 18 12:23 /etc/gshadow
-rw-r--r-- 1 root root 873 Nov 18 12:19 /etc/passwd
-rw------- 1 root root 523 Nov 18 12:19 /etc/shadow

3.5. shadow, gshadow 파일이 없다면 아래 명령으로 생성

# pwconv
# grpconv

3.6. 권한이 다르다면 아래 명령으로 권한 설정

# chmod 644 /etc/passwd
# chmod 644 /etc/group
# chmod 600 /etc/shadow
# chmod 600 /etc/gshadow

3.7 root 계정 로그인 막기. root의 login shell을 /bin/bash에서 /usr/bin/nologin으로 변경한다.

# vi /etc/passwd

root:x:0:0::/root:/usr/bin/nologin

3.8 wsl.conf 설정

# vi /etc/wsl.conf

아래 내용을 삽입한다. userid는 3.3에서 사용한 userid와 동일하게 사용한다.

[user]
default = userid

3.8. docker image에서 나오기

# exit

4. docker에서 archlinux image export 하기

> docker export --output archlinux-wsl.tar archlinux-wsl

5. wsl에 archlinux import하기. archlinux-wsl.tar의 내용을 archlinux라는 이름으로 c:\archlinux 경로에  추가할것이다. 원하는 이름과 경로를 사용한다.

> wsl --import archlinux c:\archlinux archlinux-wsl.tar

6. wsl로 archlinux 실행. 

> wsl -d archlinux

6.1 만약 This account is currently not available. 같은 에러가 발생한다면 wsl.conf에 userid설정이 적용 안된것이니 아래 명령을 사용한다.

> wsl --shutdown
> wsl -d archlinux

7. wsl에 기본 linux를 archlinux로 설정

> wsl --set-default archlinux

archlinux laptop 덮개 덮을 때 휴면 모드 사용 / 사용안함 설정

이번에 archlinux에서 laptop 덮개를 덮은후 별도 모니터, 키보드, 마우스를 연결 하여 사용할 필요가 있었다.

macbook에서는 clamshell mode라고 부르는것 같다.

windows에서는 덮개 덮은 후 동작 안하게 설정 하면되서 10년 넘게 사용했었다.

archlinux에서 사용했던 명령어를 남긴다.

systemctl로 전원설정 변경하는거라 아마 다른 linux에서도 동일하게 사용가능 할것 같다.

laptop 덮개 덮을 때 휴면 모드 사용 안함 

$ sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

laptop 덮개 덮을 때 휴면 모드 사용 함

$ sudo systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target

archlinux에 NextCloud 설치

NextCloud 설치

집에 Odroid N2+내에 NextCloud를 설치하여 개인 Cloud를 구축한 작업을 기록한다.

참조 문서에서는 MariaDB/MySQL이 추천 방법이지만, 본 문서에서는 PostgreSQL를 사용한다.

참조 문서에서는 nextcloud 계정으로 nextcloude 서비스를 실행했지만, 본 문서에서는 http 계정과 그룹을 사용한다. nginx를 실행시는 계정이 http인데 nginx에서 권할이 필요하기때문에 http계정을 사용해야한다.

참조 문서에서는 /var/lib/nextcloud 경로를 기본 경로로 사용하였지만, 본 문서에서는 /mnt/a/nextcloud 경로를 기본경로로 사용한다. 외장 하드 경로를 사용한다.

1. 사양

• 장비 : Odroid N2+
• OS : archlinux 64bits
• DB : PostgreSQL
• web server : nginx
• application server : php-fpm
• 참조 : https://wiki.archlinux.org/title/Nextcloud

2. Install

$ sudo pacman -Syu $sudo pacman -S nextcloud nginx postgresql php-pgsql php-fpm php-imagick php-intl $ sudo pacman -S curl

3. Configuration

3-1. PHP

/etc/php/php.ini 파일에 아래 내용을 추가하거나 찾아서 주석을 해제한다.

기본 디렉토리는 /mnt/a/nextcloud를 사용한다.

$ sudo vi /etc/php/php.ini

extension=bcmath
extension=bz2
extension=exif
extension=gd
extension=iconv
extension=intl
zend_extension=opcache
extension=pdo_pgsql
extension=pgsql
; in case you installed php-imagick (as recommended)
extension=imagick

; set timezone Seoul
date.timezone = Asia/Seoul

; Raise PHP's memory limit to at least 512MiB
memory_limit = 512M

; security configure
open_basedir=/mnt/a/nextcloud/data:/mnt/a/nextcloud/apps:/tmp:/usr/share/webapps/nextcloud:/etc/webapps/nextcloud:/dev/urandom:/usr/lib/php/modules:/var/log/nextcloud:/proc/meminfo

[opcache]
opcache.enable = 1
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.revalidate_freq = 1
opcache.save_comments = 1

3-2. Nextcloud

/etc/webapps/nextcloud/config/config.php 파일에 아래 내용을 추가/수정 한다.

기본 디렉토리는 /mnt/a/nextcloud를 사용한다.

cloud.mysite.com 을 domain으로 사용 하는 경우

$ sudo vi /etc/webapps/nextcloud/config/config.php

<?php
$CONFIG = array (
'datadirectory' => '/mnt/a/nextcloud/data',
'logfile' => '/mnt/a/nextcloud/log/nextcloud.log',
'log_type' => 'file',
'filesystem_check_changes' => 1,
'apps_paths' => [
  [
    'path'=> '/usr/share/webapps/nextcloud/apps',
    'url' => '/apps',
    'writable' => false,
  ],
  [
    'path'=> '/mnt/a/nextcloud/apps',
    'url' => '/wapps',
    'writable' => true,
  ],
],
'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.mysite.com',
  ),    
'overwrite.cli.url' => 'https://cloud.mysite.com/',
'htaccess.RewriteBase' => '/',
);

아래와 같이 nextcloud하위 디렉토리들을 생성한다.

기본 설정 사용시 sessions 디렉토리만 생성하면 된다.

왠지 모르겠지만 /mnt/a/nextcloud를 /var/lib/nextcloud로 링크걸지 않으면 정상 동작하지 않는다.

$ mkdir -p /mnt/a/nextcloud/sessions
$ mkdir -p /mnt/a/nextcloud/apps
$ mkdir -p /mnt/a/nextcloud/data
$ mkdir -p /mnt/a/nextcloud/log
$ sudo rm -rf /var/lib/nextcloud
$ sudo ln -sf /mnt/a/nextcloud /var/lib/nextcloud
$ sudo chown -R http /mnt/a/nextcloud

3-3. PostgreSQL

PostgreSQL 설정한다.

$ sudo chown -R postgres:postgres /var/lib/postgres
$ sudo -iu postgres
$ initdb --encoding=UTF8 --locale=ko_KR.UTF-8 -D /var/lib/postgres/data --data-checksums
$ echo "listen_addresses = '127.0.0.1'" >> /var/lib/postgres/data/postgresql.conf
$ pg_ctl -D /var/lib/postgres/data -l /var/lib/postgres/data/logfile start
$ exit
$ sudo -u postgres -- psql

# pg_ctl에서 error 발생시 - '/run/postgresql/.s.PGSQL.5432.lock' 파일 없다는 에러
# 아래 명령 수행
$ sudo mkdir /run/postgresql
$ sudo chown -R postgres:postgres /run/postgresql
$ sudo -u postgres -- pg_ctl -D /var/lib/postgres/data -l /var/lib/postgres/data/logfile start
$ sudo -u postgres -- psql

nextcloud 이름으로 database와 db_user를 생성한다.

db-password 는 원하는 값으로 설정한다.

CREATE USER nextcloud WITH PASSWORD 'db-password';
CREATE DATABASE nextcloud TEMPLATE template0 ENCODING 'UNICODE';
ALTER DATABASE nextcloud OWNER TO nextcloud;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
\q

/etc/webapps/nextcloud/config 권한을 변경한다.

기본 설정을 사용하는 경우라면 변경할 필요가 없겠지만, 본 문서에서는 http 계정으로 nextcloud 서비스를 실행하기 때문에 변경한다.

$ sudo chown -R http:http /etc/webapps/nextcloud/config
$ sudo chmod -R g+w /etc/webapps/nextcloud/config

Nextcloud database schema를 설정한다.

db-password 는 위에서 설정한 값을 사용한다.

admin-user와 admin-password 는 원하는 값으로 설정한다.

admin-email 는 관리자 email주소로 설정한다.

기본 디렉토리는 /mnt/a/nextcloud를 사용한다.

$ /usr/share/webapps/nextcloud/occ maintenance:install \
    --database=pgsql \
    --database-name=nextcloud \
    --database-host=/run/postgresql \
    --database-user=nextcloud \
    --database-pass=db-password \
    --admin-user=admin-user \
    --admin-pass=admin-password \
    --admin-email=admin-email \
    --data-dir=/mnt/a/nextcloud/data

3-4. php-fpm

nextcloud.conf 파일을 다운로드 받는다.

$ curl -sL 'https://gist.githubusercontent.com/wolegis/0d9c83acd0c8bf83bcfb3983931bc364/raw/44ebeef205cb35d4514d0895c333e1582ccbb8e5/nextcloud.conf' > nextcloud.conf
$ sudo mv nextcloud.conf /etc/php/php-fpm.d/nextcloud.conf
$ sudo chown root:root /etc/php/php-fpm.d/nextcloud.conf

$ ls -l /etc/php/php-fpm.d/nextcloud.conf 
-rw-r--r-- 1 root root ... /etc/php/php-fpm.d/nextcloud.conf

/etc/php/php-fpm.d/nextcloud.conf 파일을 일부 수정한다.

user 및 group을 원하는 계정으로 수정한다.

기본 설정을 사용하는 경우라면 변경할 필요가 없겠지만, 본 문서에서는 개인 계정으로 nextcloud 서비스를 실행하기 때문에 변경한다.

timezone을 서울로 설정한다.

$ sudo vi /etc/php/php-fpm.d/nextcloud.conf

user = http
group = http
listen.owner = http
listen.group = http

php_value[date.timezone] = Asia/Seoul

php-fpm service를 구성한다.

$ sudo mkdir -p /etc/systemd/system/php-fpm.service.d
$ sudo vi /etc/systemd/system/php-fpm.service.d/override.conf

[Service]
ExecStart=
ExecStart=/usr/bin/php-fpm --nodaemonize --fpm-config /etc/php/php-fpm.conf 
ReadWritePaths=/mnt/a/nextcloud
ReadWritePaths=/etc/webapps/nextcloud/config

$ sudo systemctl enable php-fpm.service
$ sudo systemctl start php-fpm.service

# error 발생시 - failed to open access log (/var/log/php-fpm/access/nextcloud.log): No such file or directory
# 아래 명령 수행
$ sudo mkdir -p /var/log/php-fpm/access
$ sudo systemctl start php-fpm.service

3-5. nginx

cloud.mysite.com라는 domain을 사용한다면, 아래 링크에서 Nextcloud in a subdir of the NGINX webroot섹션의 파일 내용을 복사하여 /etc/nginx/sites-available/cloud.mysite.com.conf 파일을 생성하고 그 파일의 심볼릭 링크를 /etc/nginx/sites-enabled/cloud.mysite.com.conf 로 생성한다. cloud.mysite.com 가 아닌 다른 domain을 사용시 해당 domain에 맞게 파일명을 변경한다.

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

$ sudo mkdir -p /etc/nginx/sites-available
$ sudo mkdir -p /etc/nginx/sites-enabled
$ sudo vi /etc/nginx/sites-available/cloud.mysite.com.conf
$ sudo ln -sf /etc/nginx/sites-available/cloud.mysite.com.conf /etc/nginx/sites-enabled/cloud.mysite.com.conf

root 경로를 /usr/share/webapps/nextcloud 로 수정한다.

HSTS header를 사용하게 수정한다.

php-handler 사용 구문을 주석 처리하고 unix:/run/php-fpm/nextcloud.sock; 을 사용하게 수정한다.

$ sudo vi /etc/nginx/sites-available/cloud.mysite.com.conf

root /usr/share/webapps/nextcloud;

add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;

#fastcgi_pass php-handler;
fastcgi_pass unix:/run/php-fpm/nextcloud.sock;

만약 nginx.conf에 site-enabled가 include 되어 있지 않다면 include 한다.

$ sudo vi /etc/nginx/nginx.conf

...
http {
...
    include /etc/nginx/sites-enabled/*;
    include /etc/nginx/sites-enabled/*.*;
...
}
...

nginx restart

$ sudo systemctl restart nginx

3-6 권한확인

아래와 같이 오류 없이 실행되면 된다.

$ sudo -u http php /usr/share/webapps/nextcloud/occ -h

Description:
  List commands

Usage:
  list [options] [--] [<namespace>]

Arguments:
  namespace            The namespace name

Options:
      --raw            To output raw command list
      --format=FORMAT  The output format (txt, xml, json, or md) [default: "txt"]

Help:
  The list command lists all commands:

    php /usr/share/webapps/nextcloud/occ list

  You can also display the commands for a specific namespace:

    php /usr/share/webapps/nextcloud/occ list test

  You can also output the information in other formats by using the --format option:

    php /usr/share/webapps/nextcloud/occ list --format=xml

  It's also possible to get raw list of commands (useful for embedding command runner):

    php /usr/share/webapps/nextcloud/occ list --raw

2. Client

web browser 에서 https://https://cloud.mysite.com/nextcloud/ 와 같은 경로로 접속 후 사용하면 된다.

안드로이드용 앱은 아래 주소에서 다운로드 받으면 된다.

android app : https://play.google.com/store/apps/details?id=com.nextcloud.client

3. Logs

$ sudo cat /var/lib/postgres/data/logfile
$ sudo cat /mnt/a/nextcloud/data/nextcloud.log
$ sudo cat /var/log/nextcloud/nextcloud.log
$ sudo cat /var/log/nginx/access.log
$ sudo cat /var/log/nginx/error.log

4. 기타

4-1. /etc/php/php-fpm.d/nextcloud.conf 파일 내용

•   ; Start a new pool named 'nextcloud'.
    ; the variable $pool can be used in any directive and will be replaced by the
    ; pool name ('nextcloud' here)
    [nextcloud]
  
    ; Per pool prefix
    ; It only applies on the following directives:
    ; - 'access.log'
    ; - 'slowlog'
    ; - 'listen' (unixsocket)
    ; - 'chroot'
    ; - 'chdir'
    ; - 'php_values'
    ; - 'php_admin_values'
    ; When not set, the global prefix (or /usr) applies instead.
    ; Note: This directive can also be relative to the global prefix.
    ; Default Value: none
    ;prefix = /path/to/pools/$pool
  
    ; Unix user/group of processes
    ; Note: The user is mandatory. If the group is not set, the default user's group
    ;       will be used.
    user = nextcloud
    group = nextcloud
  
    ; The address on which to accept FastCGI requests.
    ; Valid syntaxes are:
    ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
    ;                            a specific port;
    ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
    ;                            a specific port;
    ;   'port'                 - to listen on a TCP socket to all addresses
    ;                            (IPv6 and IPv4-mapped) on a specific port;
    ;   '/path/to/unix/socket' - to listen on a unix socket.
    ; Note: This value is mandatory.
    listen = /run/php-fpm/nextcloud.sock
  
    ; Set listen(2) backlog.
    ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
    ;listen.backlog = 511
  
    ; Set permissions for unix socket, if one is used. In Linux, read/write
    ; permissions must be set in order to allow connections from a web server. Many
    ; BSD-derived systems allow connections regardless of permissions. The owner
    ; and group can be specified either by name or by their numeric IDs.
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0660
    listen.owner = nextcloud
    listen.group = http
    listen.mode = 0660
    ; When POSIX Access Control Lists are supported you can set them using
    ; these options, value is a comma separated list of user/group names.
    ; When set, listen.owner and listen.group are ignored
    ;listen.acl_users =
    ;listen.acl_groups =
  
    ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
    ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
    ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
    ; must be separated by a comma. If this value is left blank, connections will be
    ; accepted from any ip address.
    ; Default Value: any
    ;listen.allowed_clients = 127.0.0.1
  
    ; Specify the nice(2) priority to apply to the pool processes (only if set)
    ; The value can vary from -19 (highest priority) to 20 (lower priority)
    ; Note: - It will only work if the FPM master process is launched as root
    ;       - The pool processes will inherit the master process priority
    ;         unless it specified otherwise
    ; Default Value: no set
    ; process.priority = -19
  
    ; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
    ; or group is different than the master process user. It allows to create process
    ; core dump and ptrace the process for the pool user.
    ; Default Value: no
    ; process.dumpable = yes
  
    ; Choose how the process manager will control the number of child processes.
    ; Possible Values:
    ;   static  - a fixed number (pm.max_children) of child processes;
    ;   dynamic - the number of child processes are set dynamically based on the
    ;             following directives. With this process management, there will be
    ;             always at least 1 children.
    ;             pm.max_children      - the maximum number of children that can
    ;                                    be alive at the same time.
    ;             pm.start_servers     - the number of children created on startup.
    ;             pm.min_spare_servers - the minimum number of children in 'idle'
    ;                                    state (waiting to process). If the number
    ;                                    of 'idle' processes is less than this
    ;                                    number then some children will be created.
    ;             pm.max_spare_servers - the maximum number of children in 'idle'
    ;                                    state (waiting to process). If the number
    ;                                    of 'idle' processes is greater than this
    ;                                    number then some children will be killed.
    ;             pm.max_spawn_rate    - the maximum number of rate to spawn child
    ;                                    processes at once.
    ;  ondemand - no children are created at startup. Children will be forked when
    ;             new requests will connect. The following parameter are used:
    ;             pm.max_children           - the maximum number of children that
    ;                                         can be alive at the same time.
    ;             pm.process_idle_timeout   - The number of seconds after which
    ;                                         an idle process will be killed.
    ; Note: This value is mandatory.
    pm = dynamic
  
    ; The number of child processes to be created when pm is set to 'static' and the
    ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
    ; This value sets the limit on the number of simultaneous requests that will be
    ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
    ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
    ; CGI. The below defaults are based on a server without much resources. Don't
    ; forget to tweak pm.* to fit your needs.
    ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
    ; Note: This value is mandatory.
    pm.max_children = 5
  
    ; The number of child processes created on startup.
    ; Note: Used only when pm is set to 'dynamic'
    ; Default Value: (min_spare_servers + max_spare_servers) / 2
    pm.start_servers = 2
  
    ; The desired minimum number of idle server processes.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    pm.min_spare_servers = 1
  
    ; The desired maximum number of idle server processes.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    pm.max_spare_servers = 3
  
    ; The number of rate to spawn child processes at once.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    ; Default Value: 32
    ;pm.max_spawn_rate = 32
  
    ; The number of seconds after which an idle process will be killed.
    ; Note: Used only when pm is set to 'ondemand'
    ; Default Value: 10s
    ;pm.process_idle_timeout = 10s;
  
    ; The number of requests each child process should execute before respawning.
    ; This can be useful to work around memory leaks in 3rd party libraries. For
    ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
    ; Default Value: 0
    ;pm.max_requests = 500
  
    ; The URI to view the FPM status page. If this value is not set, no URI will be
    ; recognized as a status page. It shows the following information:
    ;   pool                 - the name of the pool;
    ;   process manager      - static, dynamic or ondemand;
    ;   start time           - the date and time FPM has started;
    ;   start since          - number of seconds since FPM has started;
    ;   accepted conn        - the number of request accepted by the pool;
    ;   listen queue         - the number of request in the queue of pending
    ;                          connections (see backlog in listen(2));
    ;   max listen queue     - the maximum number of requests in the queue
    ;                          of pending connections since FPM has started;
    ;   listen queue len     - the size of the socket queue of pending connections;
    ;   idle processes       - the number of idle processes;
    ;   active processes     - the number of active processes;
    ;   total processes      - the number of idle + active processes;
    ;   max active processes - the maximum number of active processes since FPM
    ;                          has started;
    ;   max children reached - number of times, the process limit has been reached,
    ;                          when pm tries to start more children (works only for
    ;                          pm 'dynamic' and 'ondemand');
    ; Value are updated in real time.
    ; Example output:
    ;   pool:                 www
    ;   process manager:      static
    ;   start time:           01/Jul/2011:17:53:49 +0200
    ;   start since:          62636
    ;   accepted conn:        190460
    ;   listen queue:         0
    ;   max listen queue:     1
    ;   listen queue len:     42
    ;   idle processes:       4
    ;   active processes:     11
    ;   total processes:      15
    ;   max active processes: 12
    ;   max children reached: 0
    ;
    ; By default the status page output is formatted as text/plain. Passing either
    ; 'html', 'xml' or 'json' in the query string will return the corresponding
    ; output syntax. Example:
    ;   http://www.foo.bar/status
    ;   http://www.foo.bar/status?json
    ;   http://www.foo.bar/status?html
    ;   http://www.foo.bar/status?xml
    ;
    ; By default the status page only outputs short status. Passing 'full' in the
    ; query string will also return status for each pool process.
    ; Example:
    ;   http://www.foo.bar/status?full
    ;   http://www.foo.bar/status?json&full
    ;   http://www.foo.bar/status?html&full
    ;   http://www.foo.bar/status?xml&full
    ; The Full status returns for each process:
    ;   pid                  - the PID of the process;
    ;   state                - the state of the process (Idle, Running, ...);
    ;   start time           - the date and time the process has started;
    ;   start since          - the number of seconds since the process has started;
    ;   requests             - the number of requests the process has served;
    ;   request duration     - the duration in µs of the requests;
    ;   request method       - the request method (GET, POST, ...);
    ;   request URI          - the request URI with the query string;
    ;   content length       - the content length of the request (only with POST);
    ;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
    ;   script               - the main script called (or '-' if not set);
    ;   last request cpu     - the %cpu the last request consumed
    ;                          it's always 0 if the process is not in Idle state
    ;                          because CPU calculation is done when the request
    ;                          processing has terminated;
    ;   last request memory  - the max amount of memory the last request consumed
    ;                          it's always 0 if the process is not in Idle state
    ;                          because memory calculation is done when the request
    ;                          processing has terminated;
    ; If the process is in Idle state, then informations are related to the
    ; last request the process has served. Otherwise informations are related to
    ; the current request being served.
    ; Example output:
    ;   ************************
    ;   pid:                  31330
    ;   state:                Running
    ;   start time:           01/Jul/2011:17:53:49 +0200
    ;   start since:          63087
    ;   requests:             12808
    ;   request duration:     1250261
    ;   request method:       GET
    ;   request URI:          /test_mem.php?N=10000
    ;   content length:       0
    ;   user:                 -
    ;   script:               /home/fat/web/docs/php/test_mem.php
    ;   last request cpu:     0.00
    ;   last request memory:  0
    ;
    ; Note: There is a real-time FPM status monitoring sample web page available
    ;       It's available in: /usr/share/php/fpm/status.html
    ;
    ; Note: The value must start with a leading slash (/). The value can be
    ;       anything, but it may not be a good idea to use the .php extension or it
    ;       may conflict with a real PHP file.
    ; Default Value: not set
    ;pm.status_path = /status
  
    ; The address on which to accept FastCGI status request. This creates a new
    ; invisible pool that can handle requests independently. This is useful
    ; if the main pool is busy with long running requests because it is still possible
    ; to get the status before finishing the long running requests.
    ;
    ; Valid syntaxes are:
    ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
    ;                            a specific port;
    ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
    ;                            a specific port;
    ;   'port'                 - to listen on a TCP socket to all addresses
    ;                            (IPv6 and IPv4-mapped) on a specific port;
    ;   '/path/to/unix/socket' - to listen on a unix socket.
    ; Default Value: value of the listen option
    ;pm.status_listen = 127.0.0.1:9001
  
    ; The ping URI to call the monitoring page of FPM. If this value is not set, no
    ; URI will be recognized as a ping page. This could be used to test from outside
    ; that FPM is alive and responding, or to
    ; - create a graph of FPM availability (rrd or such);
    ; - remove a server from a group if it is not responding (load balancing);
    ; - trigger alerts for the operating team (24/7).
    ; Note: The value must start with a leading slash (/). The value can be
    ;       anything, but it may not be a good idea to use the .php extension or it
    ;       may conflict with a real PHP file.
    ; Default Value: not set
    ;ping.path = /ping
  
    ; This directive may be used to customize the response of a ping request. The
    ; response is formatted as text/plain with a 200 response code.
    ; Default Value: pong
    ;ping.response = pong
  
    ; The access log file
    ; Default: not set
    ;access.log = log/$pool.access.log
    access.log = /var/log/php-fpm/access/$pool.log
  
    ; The access log format.
    ; The following syntax is allowed
    ;  %%: the '%' character
    ;  %C: %CPU used by the request
    ;      it can accept the following format:
    ;      - %{user}C for user CPU only
    ;      - %{system}C for system CPU only
    ;      - %{total}C  for user + system CPU (default)
    ;  %d: time taken to serve the request
    ;      it can accept the following format:
    ;      - %{seconds}d (default)
    ;      - %{milliseconds}d
    ;      - %{milli}d
    ;      - %{microseconds}d
    ;      - %{micro}d
    ;  %e: an environment variable (same as $_ENV or $_SERVER)
    ;      it must be associated with embraces to specify the name of the env
    ;      variable. Some examples:
    ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
    ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
    ;  %f: script filename
    ;  %l: content-length of the request (for POST request only)
    ;  %m: request method
    ;  %M: peak of memory allocated by PHP
    ;      it can accept the following format:
    ;      - %{bytes}M (default)
    ;      - %{kilobytes}M
    ;      - %{kilo}M
    ;      - %{megabytes}M
    ;      - %{mega}M
    ;  %n: pool name
    ;  %o: output header
    ;      it must be associated with embraces to specify the name of the header:
    ;      - %{Content-Type}o
    ;      - %{X-Powered-By}o
    ;      - %{Transfert-Encoding}o
    ;      - ....
    ;  %p: PID of the child that serviced the request
    ;  %P: PID of the parent of the child that serviced the request
    ;  %q: the query string
    ;  %Q: the '?' character if query string exists
    ;  %r: the request URI (without the query string, see %q and %Q)
    ;  %R: remote IP address
    ;  %s: status (response code)
    ;  %t: server time the request was received
    ;      it can accept a strftime(3) format:
    ;      %d/%b/%Y:%H:%M:%S %z (default)
    ;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
    ;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
    ;  %T: time the log has been written (the request has finished)
    ;      it can accept a strftime(3) format:
    ;      %d/%b/%Y:%H:%M:%S %z (default)
    ;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
    ;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
    ;  %u: remote user
    ;
    ; Default: "%R - %u %t \"%m %r\" %s"
    ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
    access.format = "%{%Y-%m-%dT%H:%M:%S%z}t %R: \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
  
    ; The log file for slow requests
    ; Default Value: not set
    ; Note: slowlog is mandatory if request_slowlog_timeout is set
    ;slowlog = log/$pool.log.slow
  
    ; The timeout for serving a single request after which a PHP backtrace will be
    ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_slowlog_timeout = 0
  
    ; Depth of slow log stack trace.
    ; Default Value: 20
    ;request_slowlog_trace_depth = 20
  
    ; The timeout for serving a single request after which the worker process will
    ; be killed. This option should be used when the 'max_execution_time' ini option
    ; does not stop script execution for some reason. A value of '0' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_terminate_timeout = 0
  
    ; The timeout set by 'request_terminate_timeout' ini option is not engaged after
    ; application calls 'fastcgi_finish_request' or when application has finished and
    ; shutdown functions are being called (registered via register_shutdown_function).
    ; This option will enable timeout limit to be applied unconditionally
    ; even in such cases.
    ; Default Value: no
    ;request_terminate_timeout_track_finished = no
  
    ; Set open file descriptor rlimit.
    ; Default Value: system defined value
    ;rlimit_files = 1024
  
    ; Set max core size rlimit.
    ; Possible Values: 'unlimited' or an integer greater or equal to 0
    ; Default Value: system defined value
    ;rlimit_core = 0
  
    ; Chroot to this directory at the start. This value must be defined as an
    ; absolute path. When this value is not set, chroot is not used.
    ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
    ; of its subdirectories. If the pool prefix is not set, the global prefix
    ; will be used instead.
    ; Note: chrooting is a great security feature and should be used whenever
    ;       possible. However, all PHP paths will be relative to the chroot
    ;       (error_log, sessions.save_path, ...).
    ; Default Value: not set
    ;chroot =
  
    ; Chdir to this directory at the start.
    ; Note: relative path can be used.
    ; Default Value: current directory or / when chroot
    ;chdir = /srv/http
    chdir = /usr/share/webapps/$pool
  
    ; Redirect worker stdout and stderr into main error log. If not set, stdout and
    ; stderr will be redirected to /dev/null according to FastCGI specs.
    ; Note: on highloaded environment, this can cause some delay in the page
    ; process time (several ms).
    ; Default Value: no
    ;catch_workers_output = yes
  
    ; Decorate worker output with prefix and suffix containing information about
    ; the child that writes to the log and if stdout or stderr is used as well as
    ; log level and time. This options is used only if catch_workers_output is yes.
    ; Settings to "no" will output data as written to the stdout or stderr.
    ; Default value: yes
    ;decorate_workers_output = no
  
    ; Clear environment in FPM workers
    ; Prevents arbitrary environment variables from reaching FPM worker processes
    ; by clearing the environment in workers before env vars specified in this
    ; pool configuration are added.
    ; Setting to "no" will make all environment variables available to PHP code
    ; via getenv(), $_ENV and $_SERVER.
    ; Default Value: yes
    ;clear_env = no
  
    ; Limits the extensions of the main script FPM will allow to parse. This can
    ; prevent configuration mistakes on the web server side. You should only limit
    ; FPM to .php extensions to prevent malicious users to use other extensions to
    ; execute php code.
    ; Note: set an empty value to allow all extensions.
    ; Default Value: .php
    ;security.limit_extensions = .php .php3 .php4 .php5 .php7
  
    ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
    ; the current environment.
    ; Default Value: clean env
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp
  
    ; Additional php.ini defines, specific to this pool of workers. These settings
    ; overwrite the values previously defined in the php.ini. The directives are the
    ; same as the PHP SAPI:
    ;   php_value/php_flag             - you can set classic ini defines which can
    ;                                    be overwritten from PHP call 'ini_set'.
    ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
    ;                                     PHP call 'ini_set'
    ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
  
    ; Defining 'extension' will load the corresponding shared extension from
    ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
    ; overwrite previously defined php.ini values, but will append the new value
    ; instead.
  
    ; Note: path INI options can be relative and will be expanded with the prefix
    ; (pool, global or /usr)
  
    ; Default Value: nothing is defined by default except the values in php.ini and
    ;                specified at startup with the -d argument
    ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
    ;php_flag[display_errors] = off
    ;php_admin_value[error_log] = /var/log/fpm-php.www.log
    ;php_admin_flag[log_errors] = on
    ;php_admin_value[memory_limit] = 32M
  
    php_value[date.timezone] = Europe/Berlin
  
    php_value[open_basedir] = /var/lib/$pool:/tmp:/usr/share/webapps/$pool:/etc/webapps/$pool:/dev/urandom:/usr/lib/php/modules:/var/log/$pool:/proc/meminfo
  
    ; put session data in dedicated directory
    php_value[session.save_path] = /var/lib/$pool/sessions
    php_value[session.gc_maxlifetime] = 21600
    php_value[session.gc_divisor] = 500
    php_value[session.gc_probability] = 1
  
    php_flag[expose_php] = false
    php_value[post_max_size] = 1000M
    php_value[upload_max_filesize] = 1000M
  
    ; as recommended in admin manual (avoids related warning in admin GUI later)
    php_flag[output_buffering] = off
    php_value[max_input_time] = 120
    php_value[max_execution_time] = 60
  
    php_value[memory_limit] = 768M
  
    ; opcache settings must be defined in php-fpm.ini. otherwise (i.e. when defined here)
    ; this causes segmentation faults in php-fpm worker processes
  
    ; uncomment if php-apcu is installed and used
    ; php_value[extension] = apcu
    ; (see https://github.com/krakjoe/apcu/blob/simplify/INSTALL)
    php_value[apc.ttl] = 7200
    php_flag[apc.enable_cli] = 1
  
    php_value[extension] = bcmath
    php_value[extension] = bz2
    php_value[extension] = exif
    php_value[extension] = gd
    php_value[extension] = gmp
    ; uncomment if php-imagick is installed and used
    php_value[extension] = imagick
    ; uncomment if php-imap is installed and used
    ; php_value[extension] = imap
    ; recommended to enable
    php_value[extension] = intl
    php_value[extension] = iconv
    ; uncomment if php-memcached is installed and used
    ; php_value[extension] = memcached
    ; uncomment exactly one of the pdo extensions
    php_value[extension] = pdo_mysql
    ; php_value[extension] = pdo_pgsql
    ; php_value[extension] = pdo_sqlite
    ; uncomment if php-igbinary is installed and used
    ; php_value[extension] = igbinary
    ; uncomment if php-redis is installed and used (requires php-igbinary)
    ; php_value[extension] = redis
    ; uncomment if php-xsl is installed and used
    ; php_value[extension] = xsl

4-2. cloud.mysite.com.conf

•   upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php/php7.4-fpm.sock;
    }
  
    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
    map $arg_v $asset_immutable {
        "" "";
        default "immutable";
    }
  
    server {
        listen 80;
        listen [::]:80;
        server_name cloud.example.com;
  
        # Prevent nginx HTTP Server Detection
        server_tokens off;
  
        # Enforce HTTPS just for `/nextcloud`
        location /nextcloud {
            return 301 https://$server_name$request_uri;
        }
    }
  
    server {
        listen 443      ssl http2;
        listen [::]:443 ssl http2;
        server_name cloud.example.com;
  
        # Path to the root of the domain
        root /var/www;
  
        # Use Mozilla's guidelines for SSL/TLS settings
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        ssl_certificate     /etc/ssl/nginx/cloud.example.com.crt;
        ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
  
        # Prevent nginx HTTP Server Detection
        server_tokens off;
  
        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
  
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
  
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in the Nextcloud `.htaccess` that concern `/.well-known`.
  
            location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /nextcloud/remote.php/dav/; }
  
            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
  
            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /nextcloud/index.php$request_uri;
        }
  
        location ^~ /nextcloud {
            # set max upload size and increase upload timeout:
            client_max_body_size 512M;
            client_body_timeout 300s;
            fastcgi_buffers 64 4K;
  
            # Enable gzip but do not remove ETag headers
            gzip on;
            gzip_vary on;
            gzip_comp_level 4;
            gzip_min_length 256;
            gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
            gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
  
            # Pagespeed is not supported by Nextcloud, so if your server is built
            # with the `ngx_pagespeed` module, uncomment this line to disable it.
            #pagespeed off;
  
            # The settings allows you to optimize the HTTP2 bandwitdth.
            # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
            # for tunning hints
            client_body_buffer_size 512k;
  
            # HTTP response headers borrowed from Nextcloud `.htaccess`
            add_header Referrer-Policy                      "no-referrer"   always;
            add_header X-Content-Type-Options               "nosniff"       always;
            add_header X-Download-Options                   "noopen"        always;
            add_header X-Frame-Options                      "SAMEORIGIN"    always;
            add_header X-Permitted-Cross-Domain-Policies    "none"          always;
            add_header X-Robots-Tag                         "none"          always;
            add_header X-XSS-Protection                     "1; mode=block" always;
  
            # Remove X-Powered-By, which is an information leak
            fastcgi_hide_header X-Powered-By;
  
            # Specify how to handle directories -- specifying `/nextcloud/index.php$request_uri`
            # here as the fallback means that Nginx always exhibits the desired behaviour
            # when a client requests a path that corresponds to a directory that exists
            # on the server. In particular, if that directory contains an index.php file,
            # that file is correctly served; if it doesn't, then the request is passed to
            # the front-end controller. This consistent behaviour means that we don't need
            # to specify custom rules for certain paths (e.g. images and other assets,
            # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
            # `try_files $uri $uri/ /nextcloud/index.php$request_uri`
            # always provides the desired behaviour.
            index index.php index.html /nextcloud/index.php$request_uri;
  
            # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
            location = /nextcloud {
                if ( $http_user_agent ~ ^DavClnt ) {
                    return 302 /nextcloud/remote.php/webdav/$is_args$args;
                }
            }
  
            # Rules borrowed from `.htaccess` to hide certain paths from clients
            location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)    { return 404; }
            location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console)                  { return 404; }
  
            # Ensure this block, which passes PHP files to the PHP process, is above the blocks
            # which handle static assets (as seen below). If this block is not declared first,
            # then Nginx will encounter an infinite rewriting loop when it prepends
            # `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
            location ~ \.php(?:$|/) {
                # Required for legacy support
                rewrite ^/nextcloud/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /nextcloud/index.php$request_uri;
  
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                set $path_info $fastcgi_path_info;
  
                try_files $fastcgi_script_name =404;
  
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
  
                fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
                fastcgi_param front_controller_active true;     # Enable pretty urls
                fastcgi_pass php-handler;
  
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
  
                fastcgi_max_temp_file_size 0;
            }
  
            location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
                try_files $uri /nextcloud/index.php$request_uri;
                add_header Cache-Control "public, max-age=15778463, $asset_immutable";
                access_log off;     # Optional: Don't log access to assets
  
                location ~ \.wasm$ {
                    default_type application/wasm;
                }
            }
  
            location ~ \.woff2?$ {
                try_files $uri /nextcloud/index.php$request_uri;
                expires 7d;         # Cache-Control policy borrowed from `.htaccess`
                access_log off;     # Optional: Don't log access to assets
            }
  
            # Rule borrowed from `.htaccess`
            location /nextcloud/remote {
                return 301 /nextcloud/remote.php$request_uri;
            }
  
            location /nextcloud {
                try_files $uri $uri/ /nextcloud/index.php$request_uri;
            }
        }
    }