11: Nextcloud - Cloud Storage Platform

Nextcloud is a full-featured, self-hosted collaboration and file storage platform. It provides file sync and share, WebDAV, CalDAV/CardDAV, and a rich app ecosystem. For full configuration details and the admin manual, see the official Nextcloud documentation.

Architecture Overview

• ✅ Core services: Apache/PHP application with PostgreSQL database
• ✅ Protocols: WebDAV, CalDAV, CardDAV
• ✅ Identity: Local users; supports SSO/OIDC via apps
• ✅ Networking: Traefik reverse proxy (recommended) or standalone
• ✅ Data: Application files + user data volume + database

Resource Requirements

• Minimum: 1 vCPU, 512 MB RAM, 10 GB disk (grows with user data)
• Recommended: 2+ vCPU, 2 GB+ RAM, 20 GB+ disk

Prerequisites

• ✅ Traefik installed (Chapter 4) with Let's Encrypt
• ✅ Docker installed (Chapter 3)
• ✅ Apprise installed (Chapter 5) for notifications
• ✅ Borgmatic installed (Chapter 6) for automated backups
• ✅ Domain configured (Chapter 4.5) for production HTTPS

Interdependencies: The PostgreSQL service is attached to a borgmatic-db network for backup discovery. Borgmatic relies on Apprise for notifications.

Installation Methods

Via Infinity Tools Menu

📱 APPLICATIONS → Nextcloud → Install

Command Line

# Show current status (no changes)
sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh

# Run interactive installation
sudo bash /opt/InfinityTools/Solutions/setup-nextcloud.sh --install

Configuration Parameters

• SSL Mode: Traefik (HTTPS, recommended) or standalone (HTTP or self-signed HTTPS)
• Domain: Required for Traefik (e.g., cloud.example.com)
• Standalone Port: If not using Traefik
• Default Quota: Per-user storage limit in GB (recommended)
• Credentials: Admin and DB passwords are generated and stored in /opt/speedbits/nextcloud/.env

Generated Files & Directories

• /opt/speedbits/nextcloud/.env — Installation parameters and credentials
• /opt/speedbits/nextcloud/docker-compose.yml — Service definition
• /opt/speedbits/nextcloud/html — App files
• /opt/speedbits/nextcloud/data — User data
• /opt/speedbits/nextcloud/db — PostgreSQL data

Compose (Traefik Mode - Highlights)

services:
  db:
    image: postgres:${DB_VERSION}
    networks: [ ${NETWORK}, borgmatic-db ]

  nextcloud:
    image: nextcloud:${NEXTCLOUD_VERSION}
    environment:
      POSTGRES_HOST: nextcloud-db
      NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER}
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
      NEXTCLOUD_TRUSTED_DOMAINS: ${DOMAIN}
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: ${DOMAIN}
      PHP_UPLOAD_LIMIT: 16G
      PHP_MEMORY_LIMIT: 512M
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent=true"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav"
      - "traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement=https://$${1}/remote.php/dav/"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Content-Type-Options=nosniff"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-Frame-Options=SAMEORIGIN"
      - "traefik.http.middlewares.nextcloud-security.headers.customResponseHeaders.X-XSS-Protection=1; mode=block"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex,nextcloud-security"

Post-Install Hardening & Tasks

• Trusted domains and overwrite settings are applied automatically (Traefik mode)
• Default quota is applied if configured
• Security hardening executed: brute-force protection, file locking, log level
• Background jobs switched to Cron

Cron Setup

*/5 * * * * docker exec -u www-data nextcloud php -f /var/www/html/cron.php

Backup Integration (Borgmatic)

• Database container is auto-registered with Borgmatic (if available)
• Include these paths in backups:
  • /opt/speedbits/nextcloud/data — User files
  • /opt/speedbits/nextcloud/db — Database volume
  • /opt/speedbits/nextcloud/config (if present) — Config overrides
• Ensure Apprise is configured for notifications

Operations

# Logs
docker logs nextcloud

# Restart
cd /opt/speedbits/nextcloud && docker compose restart

# Update
cd /opt/speedbits/nextcloud && docker compose pull && docker compose up -d

# OCC (run as www-data)
docker exec -u www-data nextcloud php occ status
docker exec -u www-data nextcloud php occ app:list

Troubleshooting

• SSL/Domain: Verify Traefik routing, DNS A/AAAA, and ACME logs
• Database: Check container health; confirm credentials in .env
• Storage: Monitor df -h /opt/speedbits/nextcloud; enforce quotas
• Trusted Domains: occ config:system:set trusted_domains 1 --value="cloud.example.com"
• Background Jobs: Confirm cron runs; see Settings → Basic settings

Security Best Practices

• Enable 2FA for admin and users
• Enforce sane quotas to prevent disk exhaustion
• Regularly apply updates and review logs
• Restrict admin access and consider IP allowlists
• Review app permissions and disable unused apps

Verification Checklist

• ✅ Nextcloud and database containers running and healthy
• ✅ HTTPS reachable via Traefik with valid certificate
• ✅ Admin login works; quotas visible under Users
• ✅ Cron executing background jobs
• ✅ Backups configured and tested

References

• Nextcloud Admin Manual
• Nextcloud desktop & mobile clients