Cloud Security Steps

[01] Configure Cloudflare Tunnel (cloudflared)
- Create a named tunnel on the Raspberry Pi (cloudflared tunnel create <name>) and route the public hostname to it (cloudflared tunnel route dns <name> <hostname>). cloudflared dials out to Cloudflare, so the router needs no port forwards.
- Expose only the services you need through the tunnel's ingress rules: Nextcloud, and optionally the Pi-hole web admin interface (the DNS resolver itself stays on the LAN). End the ingress list with a catch-all http_status:404 rule so nothing else on the Pi is reachable.
- Run cloudflared as a systemd service (sudo cloudflared service install) so the tunnel comes back after a reboot.

[02] Configure HTTPS / SSL
- Set the zone's SSL/TLS mode to "Full (strict)". This governs the Cloudflare-to-origin leg; the browser-to-Cloudflare leg is always TLS.
- Install a Cloudflare Origin Certificate on the Pi if Nextcloud terminates TLS itself (ingress pointing at https://localhost). The Origin Certificate is trusted by Cloudflare's edge, not by browsers, so it covers only the Cloudflare-to-Pi leg.
- Turn on "Always Use HTTPS" in Cloudflare and confirm that an http:// request to the domain is redirected to https://.

[03] Secure SSH on Raspberry Pi
- Disable password login (PasswordAuthentication no, and KbdInteractiveAuthentication no so PAM cannot prompt for a password either).
- Disable root login (PermitRootLogin no).
- Authenticate with SSH keys only: copy your public key first and confirm a new key-based session works before closing the session you are in.
- Restrict SSH to trusted addresses if possible (AllowUsers user@address/prefix or a Match Address block in sshd_config, plus the firewall rule in step [04]).

[04] Configure Raspberry Pi firewall
- Default deny all incoming connections. Allow SSH only from the trusted addresses in step [03], and keep DNS (port 53) open to the LAN if Pi-hole serves it; otherwise you lock yourself out or break name resolution for the house.
- Allow outbound traffic only where needed: package updates, and cloudflared's connection to Cloudflare (port 7844, TCP and UDP).
- Optionally restrict the Pi-hole admin UI and Nextcloud ports so they answer only to localhost (where cloudflared connects) and the LAN; nothing should listen on the public side.

[05] Secure Nextcloud
- Set trusted_domains in config/config.php to the public hostname.
- Enforce HTTPS only. Because cloudflared usually reaches Nextcloud over plain HTTP on localhost, set 'overwriteprotocol' => 'https' so generated links use https://, and add 127.0.0.1 to 'trusted_proxies' so Nextcloud logs the real client address instead of the tunnel's (the brute-force protection in step [06] keys on that address).
- Move the Nextcloud data directory outside the web root.
- Make the data directory owned by the web server user and not world-readable.
- Configure the database to accept connections from localhost only (bind-address = 127.0.0.1 for MariaDB).
- Set a strong, unique database password.

[06] Nextcloud Web Security Settings
- Enable 2FA for all admin and important users (the Two-Factor TOTP Provider app; enforce it from the security settings).
- Keep brute-force protection on; it is built into Nextcloud, and the Brute-force settings app manages its allow-list.
- Enable the Password policy app and require strong passwords.
- Disable or uninstall unused apps.
- Configure HSTS in the web server:
  - Strict-Transport-Security with max-age 15552000 (180 days, the minimum Nextcloud's own setup check expects)
  - includeSubDomains only if every subdomain is served over HTTPS
  - preload OFF (preload list submission is hard to reverse)
- Enable the No-Sniff header (X-Content-Type-Options: nosniff).
- Nextcloud's admin Overview page warns when either header is missing.

[07] Cloudflare Zero Trust / Access Policies
- Create a Cloudflare Access application for the Nextcloud hostname in the Zero Trust dashboard.
- Require authentication through an identity provider (Google, GitHub, or one-time PIN by email) before a request reaches Nextcloud.
- Write the policy as an allow-list of specific users or emails, not "everyone".
- Test the Nextcloud desktop and mobile clients afterwards: their WebDAV requests carry no browser session, so they may need their own Access policy or a service token.
- Enable the Web Application Firewall (WAF) managed rules for the zone.
- Add a rate-limiting rule for the Nextcloud login path (/login) to slow credential guessing that gets past Access.

[08] Verify tunnel and DNS
- Confirm the tunnel is healthy and routes Nextcloud (and Pi-hole if needed) correctly: cloudflared tunnel info <name>, and the DNS record is a proxied CNAME to <tunnel-id>.cfargotunnel.com.
- Make sure your home IP is not exposed: no A/AAAA record for the hostname points at it, the router has no port forwards, and nothing answers on your public IP from outside.
- Test that Nextcloud is reachable via the domain only through Cloudflare: a direct connection to the home IP on port 443 should be refused, and responses through the domain carry Cloudflare's cf-ray header.
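Steps [01] and [03] each leave a configuration file behind, and both have a trap: sshd takes the first value it reads for a keyword (so a hardening line appended at the end of sshd_config can silently lose to an earlier default or drop-in), and an ingress list without the http_status:404 catch-all exposes more than intended. The following script is an added example written for this page, not part of the original checklist; it audits both files. The hostnames (cloud.example.com, pihole.example.com), the tunnel name, the ports and the sample files are constructed assumptions; point the functions at the real /etc/ssh/sshd_config and /etc/cloudflared/config.yml on the Pi.

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: audit the two files
# that steps [01] and [03] leave behind, /etc/cloudflared/config.yml and
# /etc/ssh/sshd_config. Hostnames, tunnel name, ports and the sample
# files are constructed assumptions.

# First effective value of an sshd_config keyword. sshd uses the FIRST
# value it reads for each keyword, so a later line never overrides an
# earlier one, and a drop-in pulled in by an early "Include" wins over
# the main file. Run this over every file that Include pulls in.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }              # comments, blank lines
        tolower($1) == tolower(key) { print $2; exit }    # first match wins
    ' "$1"
}

# audit_sshd FILE: exit 0 only if FILE meets step [03]; prints each failing directive.
audit_sshd() {
    local f="$1" rc=0 pk
    [ "$(sshd_setting "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    # Keyboard-interactive (PAM) prompts are a second password path.
    [ "$(sshd_setting "$f" KbdInteractiveAuthentication)" = "no" ] \
        || { echo "FAIL: KbdInteractiveAuthentication must be no"; rc=1; }
    [ "$(sshd_setting "$f" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    pk=$(sshd_setting "$f" PubkeyAuthentication)   # sshd's default is yes
    [ "${pk:-yes}" = "yes" ] \
        || { echo "FAIL: PubkeyAuthentication must be yes"; rc=1; }
    return "$rc"
}

# audit_ingress FILE HOST...: exit 0 only if every hostname in the ingress
# list is one you meant to expose and the list ends with the http_status:404
# catch-all that cloudflared requires, so nothing else on the Pi leaks out.
audit_ingress() {
    local f="$1" rc=0 h last
    shift
    for h in $(awk '$1 == "-" && $2 == "hostname:" { print $3 }' "$f"); do
        case " $* " in
            *" $h "*) ;;
            *) echo "FAIL: unexpected hostname exposed: $h"; rc=1 ;;
        esac
    done
    last=$(awk '($1 == "service:" || $2 == "service:") { v = $NF } END { print v }' "$f")
    [ "$last" = "http_status:404" ] \
        || { echo "FAIL: last ingress rule must be http_status:404, got '$last'"; rc=1; }
    return "$rc"
}

# Constructed sample files so the script runs without a Pi.
WORK=$(mktemp -d)
cat >"$WORK/config.yml" <<'EOF'
tunnel: pi-home
credentials-file: /etc/cloudflared/TUNNEL-ID.json   # cloudflared names this after the tunnel UUID
ingress:
  - hostname: cloud.example.com
    service: http://localhost:80
  - hostname: pihole.example.com
    service: http://localhost:8080
  - service: http_status:404
EOF
cat >"$WORK/sshd_config.good" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers pi@192.0.2.0/24
EOF
# Looks hardened at a glance: the commented line does nothing, the "no"
# appended at the end loses to the earlier "yes", and PAM prompts stay on.
cat >"$WORK/sshd_config.bad" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== sshd (hardened sample)"; audit_sshd "$WORK/sshd_config.good" && echo OK
echo "== sshd (weak sample)";     audit_sshd "$WORK/sshd_config.bad" || echo "needs work"
echo "== tunnel ingress";         audit_ingress "$WORK/config.yml" cloud.example.com pihole.example.com && echo OK
```

On a Raspberry Pi OS image the main sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so run audit_sshd over those drop-ins as well; a drop-in that still says PasswordAuthentication yes wins over anything you add to the main file. Reload sshd only after a second key-based session has been confirmed working.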
[09] Backups / Credential Security
- Set up encrypted backups of the Nextcloud data directory and database (dump the database rather than copying its live files).
- Back up /etc/cloudflared/config.yml, the tunnel credentials file it references (/etc/cloudflared/<tunnel-id>.json), and Nextcloud's config/config.php.
- Store SSH keys and Cloudflare certificates securely, never inside an unencrypted backup or a repository.
- Test restoring at least one backup and check that Nextcloud starts against the restored data and database.

[10] Test Security Headers
- Verify the HSTS and No-Sniff headers are active with curl (curl -sI https://<your-domain>/ and look for Strict-Transport-Security and X-Content-Type-Options) or at https://securityheaders.com.
- Confirm that browsers now enforce HTTPS for the domain and that MIME sniffing is blocked.
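Reading the curl -sI output by eye works once; a small check you can rerun after every change is better. The script below is an added example written for this page, not part of the original checklist. It verifies the headers from step [10] against the values chosen in step [06] (max-age at least 15552000, preload off, nosniff) and also checks for the cf-ray header, which is only present when the reply came through Cloudflare (step [08]). The two responses are constructed; on the real setup feed check_headers the output of curl -sI https://cloud.example.com/ (hostname assumed).

```bash
#!/usr/bin/env bash
# Added example, not part of the original checklist: check the headers
# step [10] asks you to verify, plus whether the reply came through
# Cloudflare at all (step [08]). The two responses below are constructed.

# header NAME: print the value of header NAME from a response on stdin,
# matching the name case-insensitively and tolerating CRLF line endings.
header() {
    awk -v name="$1" '
        { line = $0; sub(/\r$/, "", line) }
        index(tolower(line), tolower(name) ":") == 1 {
            sub(/^[^:]*:[ \t]*/, "", line); print line; exit
        }
    '
}

# check_headers RESPONSE: exit 0 only if
#   - Strict-Transport-Security is present with max-age >= 15552000
#     (180 days, the value from step [06]) and without preload,
#   - X-Content-Type-Options is nosniff,
#   - a cf-ray header is present, i.e. the reply passed through Cloudflare
#     rather than coming straight from the Pi.
check_headers() {
    local resp="$1" rc=0 hsts age
    hsts=$(printf '%s\n' "$resp" | header Strict-Transport-Security | tr 'A-Z' 'a-z')
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ]; then
        echo "FAIL: Strict-Transport-Security missing or without max-age"; rc=1
    elif [ "$age" -lt 15552000 ]; then
        echo "FAIL: HSTS max-age=$age is below 15552000"; rc=1
    fi
    case "$hsts" in
        *preload*) echo "FAIL: HSTS preload is on; the checklist keeps it off"; rc=1 ;;
    esac
    [ "$(printf '%s\n' "$resp" | header X-Content-Type-Options | tr 'A-Z' 'a-z')" = "nosniff" ] \
        || { echo "FAIL: X-Content-Type-Options: nosniff missing"; rc=1; }
    [ -n "$(printf '%s\n' "$resp" | header cf-ray)" ] \
        || { echo "FAIL: no cf-ray header, so this reply did not come via Cloudflare"; rc=1; }
    return "$rc"
}

# Constructed: what a correctly configured Nextcloud behind the tunnel returns.
GOOD_RESP='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer
server: cloudflare
cf-ray: 0123456789abcdef-LHR'

# Constructed: the Pi answering directly, with a short "testing" max-age,
# preload left on from a copied snippet, and no nosniff header.
BAD_RESP='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4
Strict-Transport-Security: max-age=300; includeSubDomains; preload
Content-Type: text/html; charset=UTF-8'

echo "== good response"; check_headers "$GOOD_RESP" && echo OK
echo "== bad response";  check_headers "$BAD_RESP" || echo "needs work"
```

Run it against the domain with check_headers "$(curl -sI https://cloud.example.com/)". The cf-ray check only shows the reply you got went through Cloudflare; to confirm the Pi is not reachable directly, also try the home IP on port 443 from outside and expect the connection to be refused.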