Skip to main content

11: Nextcloud - Cloud Storage Platform

Nextcloud is a full-featured, self-hosted collaboration and file storage platform. It provides file sync and share, WebDAV, CalDAV/CardDAV, and a rich app ecosystem. For full configuration details and the admin manual, see the official Nextcloud documentation.

Architecture Overview

  • Core services: Apache/PHP application with PostgreSQL database
  • Protocols: WebDAV, CalDAV, CardDAV
  • Identity: Local users; supports SSO/OIDC via apps
  • Networking: Traefik reverse proxy (recommended) or standalone
  • Data: Application files + user data volume + database

Resource Requirements

  • Minimum: 1 vCPU, 512 MB RAM, 10 GB disk (grows with user data)
  • Recommended: 2+ vCPU, 2 GB+ RAM, 20 GB+ disk

Prerequisites

  • Traefik installed (Chapter 4) with Let's Encrypt
  • Docker installed (Chapter 3)
  • Apprise installed (Chapter 5) for notifications
  • Borgmatic installed (Chapter 6) for automated backups
  • Domain configured (Chapter 4.5) for production HTTPS

Interdependencies: The PostgreSQL service is attached to a borgmatic-db network for backup discovery. Borgmatic relies on Apprise for notifications.

Installation Methods

Via Infinity Tools Menu

📱 APPLICATIONS → Nextcloud → Install

Command Line

# Show current status (no changes)
sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh

# Run interactive installation
sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh --install

Configuration Parameters

  • SSL Mode: Traefik (HTTPS, recommended) or standalone (HTTP or self-signed HTTPS)
  • Domain: Required for Traefik (e.g., cloud.example.com)
  • Standalone Port: If not using Traefik
  • Default Quota: Per-user storage limit in GB (recommended)
  • Credentials: Admin and DB passwords are generated and stored in /opt/speedbits/nextcloud/.env

Generated Files & Directories

  • /opt/speedbits/nextcloud/.env — Installation parameters and credentials
  • /opt/speedbits/nextcloud/docker-compose.yml — Service definition
  • /opt/speedbits/nextcloud/html — App files
  • /opt/speedbits/nextcloud/data — User data
  • /opt/speedbits/nextcloud/db — PostgreSQL data

Compose (Traefik Mode - Highlights)

services:
  db:
    image: postgres:${DB_VERSION}
    networks: [ ${NETWORK}, borgmatic-db ]

  nextcloud:
    image: nextcloud:${NEXTCLOUD_VERSION}
    environment:
      POSTGRES_HOST: nextcloud-db
      NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER}
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
      NEXTCLOUD_TRUSTED_DOMAINS: ${DOMAIN}
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: ${DOMAIN}
      PHP_UPLOAD_LIMIT: 16G
      PHP_MEMORY_LIMIT: 512M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement=https://$${1}/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-XSS-Protection=1; mode=block"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex,nextcloud-security"

Post-Install Hardening & Tasks

  • Trusted domains and overwrite settings are applied automatically (Traefik mode)
  • Default quota is applied if configured
  • Security hardening executed: brute-force protection, file locking, log level
  • Background jobs switched to Cron

Cron Setup

*/5 * * * * docker exec -u www-data nextcloud php -f /var/www/html/cron.php

Backup Integration (Borgmatic)

  • Database container is auto-registered with Borgmatic (if available)
  • Include these paths in backups:
    • /opt/speedbits/nextcloud/data — User files
    • /opt/speedbits/nextcloud/db — Database volume
    • /opt/speedbits/nextcloud/config (if present) — Config overrides
  • Ensure Apprise is configured for notifications

Operations

# Logs
docker logs nextcloud

# Restart
cd /opt/speedbits/nextcloud && docker compose restart

# Update
cd /opt/speedbits/nextcloud && docker compose pull && docker compose up -d

# OCC (run as www-data)
docker exec -u www-data nextcloud php occ status
docker exec -u www-data nextcloud php occ app:list

Troubleshooting

  • SSL/Domain: Verify Traefik routing, DNS A/AAAA, and ACME logs
  • Database: Check container health; confirm credentials in .env
  • Storage: Monitor df -h /opt/speedbits/nextcloud; enforce quotas
  • Trusted Domains: occ config:system:set trusted_domains 1 --value="cloud.example.com"
  • Background Jobs: Confirm cron runs; see Settings → Basic settings

Security Best Practices

  • Enable 2FA for admin and users
  • Enforce sane quotas to prevent disk exhaustion
  • Regularly apply updates and review logs
  • Restrict admin access and consider IP allowlists
  • Review app permissions and disable unused apps

Verification Checklist

  • ✅ Nextcloud and database containers running and healthy
  • ✅ HTTPS reachable via Traefik with valid certificate
  • ✅ Admin login works; quotas visible under Users
  • ✅ Cron executing background jobs
  • ✅ Backups configured and tested

References

No comments to display

Back to top