Nextcloud
By the end of this section, you will be familiar with the following topics.
  • Installing the Nextcloud cloud system on the Gemstone development board
  • Methods used to access your Gemstone from your mobile phone or from anywhere in the world

1. Introduction

Today, control and security of personal data are more important than ever. You might want to manage your files, photos, calendars, notes, and even passwords in a centralized system without depending on major cloud providers like Amazon, Google, or Microsoft. To do this, you need to use a method called self-hosting, which means hosting your own server on your own devices. However, running a server at home brings technical problems such as the inability to access the server from anywhere with an internet connection and difficulties in ensuring data security. These problems are often solved with complex and costly methods. The GemCloud project enables these problems to be solved in an easy, cost-effective, and secure manner.

2. Nextcloud Installation

Nextcloud is an open-source cloud solution. It offers applications such as photo and file storage, chat, calendar, password manager, and Kanban task planning in one place. After connecting to the Gemstone development board via terminal connection, start the Nextcloud installation with the following command.
sudo apt install t3-gem-nextcloud
During the installation, you will encounter the following password entry screen. This password is used both for the database that Nextcloud relies on and as the password of the Nextcloud admin user. Choose a strong, memorable password and keep it safe.
Nextcloud password input
Once the installation is complete, the Nextcloud server will start running on Gemstone. The next step explains how to connect to this cloud system from the outside world.

3. Access from the Public Internet

Accessing your home computers by IP address is only possible from within your home network. Popular connected devices such as robot vacuums, smart lighting, phone-controlled air conditioners, and other household appliances are reachable from the outside world only because they relay their data through servers run by their manufacturers. The simplest way to reach the Gemstone Cloud project from the outside is to ask your internet service provider for a static IP and configure port forwarding in your modem settings. For users who do not wish to do this, there are alternatives such as Tailscale and Localtunnel.
The basic principle is that a service running on your computer maintains a connection to Tailscale, which lets you reach the computer from the outside world through Tailscale.

3.1. Tailscale Installation

Tailscale
Click on this link to sign up for Tailscale using your Github, Google, or Microsoft account.
Tailscale signup
Once you log into your account, you will see the Tailscale control panel. To add the Gemstone board, select Machines -> Add device -> Linux server.
Add Gemstone
Scroll to the bottom of the page and click the Generate install script button to copy the Tailscale installation command. Then, connect to the Gemstone board via terminal and run the copied command in the terminal.
Install script
After the Tailscale installation is complete, start the Tailscale services with the following command.
sudo tailscale up
Verify that the connection is healthy by checking that the machine is shown as Connected in the Machines section of the Tailscale control panel.
Tailnet machine list
The next step is to make the Nextcloud server accessible from the tailnet. Go to the DNS menu in the control panel and click the Enable HTTPS button at the bottom of the page, then click the Enable button.
Tailnet HTTPS enable
Connect to the development board via terminal and use the following command to make Nextcloud accessible to the other devices on the tailnet.
sudo tailscale serve --bg --http=80 1453
This exposes port 80 on the board's tailnet address and forwards it to the Nextcloud service listening locally on port 1453, so only devices on the tailnet can reach it. After this step, other devices added to this network can access Nextcloud at http://gemstone. To add a client device (e.g., mobile phone, personal computer, or tablet) to the network, select the other option in the device addition section: Machines -> Add device -> Client device.
Tailnet Add Client device
On the screen that opens, follow the installation instructions for your device to complete the Tailscale installation on the device you want to add. Start the Tailscale application and log in using the method appropriate for your operating system. Once you complete the steps, you should see the machine labeled Connected in the control panel.
Tailnet device list
When you go to http://gemstone in the browser on the device you added, you will see the Nextcloud login page. The administrator account username is admin, and the password is the CLOUD password you entered during installation.
Nextcloud login

3.4. Why is Tailscale Used?

Due to the limited number of IPv4 addresses, internet service providers use CGNAT (Carrier-Grade NAT) to route many users through a single public IPv4 address. This prevents direct access to servers running at home (in our case, Nextcloud). Tailscale solves this by building a WireGuard-based VPN overlay that traverses CGNAT and traditional NAT. Users can securely connect to the Nextcloud server from anywhere with internet access, using only authorized devices. The result is a closed, controlled network without the need to expose a public IP.

3.5. Usage with Static IP

Under construction…

4. Advanced Security

4.1. Nextcloud Two-Factor Authentication

After logging into the admin account, click the profile picture at the top and select Personal Settings from the menu that opens.
Nextcloud user menu
Then, select Security from the left menu and check the Enable TOTP box.
Nextcloud security settings
When you check this box, a secret key and a QR code are shown; scan the QR code or enter the secret into your authenticator application, which will then generate a code. Finally, enter that code in the Authentication field and click the Verify button to complete the setup.
Nextcloud totp enable
From now on, in addition to your password, you will need to use a verification code to log into your account as an additional security measure.

4.2. Enabling Tailscale Tailnet Lock

In this system, access to Nextcloud is only possible from devices added to the tailnet, which is what makes it secure. However, which devices may join the network is decided by a closed-source server operated by Tailscale, the Coordination Server. In the worst case, if Tailscale were to target you, the Coordination Server could add devices to your tailnet without your permission. Tailscale addresses this with a feature called Tailnet Lock: the keys that authorize joining the network are held on two devices you choose within your own network instead of on Tailscale's Coordination Server, so only those two devices can approve entry into your tailnet. From the control panel, click Settings -> Device management -> Enable tailnet lock.
Tailnet lock page
On the Enable tailnet lock screen, click Add new signing node and select two devices already in the tailnet. If there are other devices in your tailnet, choose devices you trust, since they will control who can join.
Tailnet sign nodes
Once Tailnet Lock is active, the only way to turn it off again is with the Tailnet lock disablement secrets. If you lose access to your network for any reason, it cannot be recovered without these secrets. Tailscale recommends sending one of them to its support system, but you can instead keep the secrets yourself in a location you trust. Go to the Configure disablement options section and click Don't send disablement secret to Tailscale support. Copy the command from the Run command from signing node section and run it on one of the signing nodes you selected (for example, on the Gemstone board).
Tailnet lock cmd
When you run it, record the disablement secrets shown in the format disablement-secret:XXXXXXXX in a secure location. In the control panel, under Machines, the two devices you selected should now carry the Signing node label.
After Tailnet lock
From now on, newly added devices cannot connect to your network directly; instead, they appear as Locked out, as shown below.
Tailnet locked out
These devices must be approved from one of the Signing node devices. To do this, from a signing node, click the device to be added and click the Sign machine button. Then select the option matching the device's operating system and complete the signing process; afterwards the device is connected to the network. To sign from the Gemstone board, select the CLI option, copy the generated command, connect to the board via terminal, and run the command there.
Tailnet sign
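Tailnet Lock stops unapproved devices from joining, but it is still worth checking periodically that the tailnet contains only the devices you expect. The following script is an added example, not part of this guide or of Tailscale's tooling: it reads the output of `tailscale status --json` (the `Self`, `Peer`, `HostName` and `KeyExpiry` fields are real), compares the hostnames against a hypothetical allowlist, and flags unknown devices and expired node keys. The embedded status document and hostnames are constructed for the example.

```python
# Device-inventory audit over `tailscale status --json`: flags devices that are
# not on the allowlist (what Tailnet Lock exists to prevent) and expired node keys.
import json
import subprocess
from datetime import datetime, timezone

# Hostnames the administrator expects on the tailnet (hypothetical allowlist).
EXPECTED_HOSTS = {"gemstone", "my-phone", "my-laptop"}

# Constructed sample shaped like real `tailscale status --json` output;
# only the fields the audit reads are included.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "gemstone", "KeyExpiry": None},  # null: expiry disabled
    "Peer": {
        "nodekey:aaaa": {"HostName": "my-phone", "KeyExpiry": "2030-01-01T00:00:00Z"},
        "nodekey:bbbb": {"HostName": "my-laptop", "KeyExpiry": "2024-06-01T00:00:00Z"},
        "nodekey:cccc": {"HostName": "unknown-box", "KeyExpiry": "2030-01-01T00:00:00Z"},
    },
})

def audit(status_json, expected, now=None):
    """Return {'unexpected': [...], 'expired': [...], 'missing': [...]}."""
    status = json.loads(status_json)
    now = now or datetime.now(timezone.utc)
    # "Peer" is null when the node has no peers yet.
    nodes = [status["Self"]] + list((status.get("Peer") or {}).values())
    report = {"unexpected": [], "expired": [], "missing": []}
    for node in nodes:
        name = node["HostName"]
        if name not in expected:
            report["unexpected"].append(name)
        expiry = node.get("KeyExpiry")
        if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            report["expired"].append(name)
    report["missing"] = sorted(expected - {n["HostName"] for n in nodes})
    return report

def audit_sample():
    # Audit the constructed sample at a fixed instant so the result is reproducible.
    return audit(SAMPLE_STATUS, EXPECTED_HOSTS, datetime(2025, 1, 1, tzinfo=timezone.utc))

def audit_live(expected=EXPECTED_HOSTS):
    """Audit the real tailnet; requires the tailscale CLI on this machine."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out, expected)

if __name__ == "__main__":
    for kind, names in audit_sample().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On the Gemstone board, `audit_live()` runs the same check against the live tailnet; an entry under `unexpected` is a device that should be investigated and, if unknown, removed from the control panel.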