description
Nextcloud - self-hosted productivity platform which provides private and secure functions for file sharing, collaborative work and more.
A safe home for all your data. Access and share your files, calendars, contacts, mail and more from any device, on your terms.
install guide
Nextcloud has an official Nextcloud All-in-One docker image, but using it is so complicated that (in my case) it becomes nearly impossible to set it up properly. Besides the official AIO container, there are several other options to install Nextcloud on your server.
snap package
Unfortunately, almost the simplest way to install Nextcloud is a snap package. Straightly speaking, this one’s fucked up too, but at least it is possible to make your cloud work with this snap. All you have to do is install the snap package and then configure it via the web interface:
sudo snap install nextcloud
There are also some preferences you need to set for Nextcloud to work properly, but I won’t address them here since snap isn’t an ideal option. Using the snap option, you have to use only this Nextcloud image on the whole machine, because it’ll occupy ports 80 and 443. Unfortunately, a reverse proxy is not an option to make Nextcloud work using https. Using Caddy, I haven’t been able to make it see the client’s real IP: at some point the brute-force protection will block any request, no matter which IP address it comes from, because the Nextcloud server will see all clients as 127.0.0.1 (localhost). The only way to fix that is by adding 127.0.0.1 to the brute-force bypass in the Nextcloud administrative settings, or by exposing it to the network without a reverse proxy 🤷‍♂️
docker container (proper way)
To set up Nextcloud we’ll use the official Nextcloud Docker image, together with the mariadb and caddy images. Of course, you need docker-compose to be installed on your server.
network
First of all, create the Docker network that the Nextcloud and Caddy containers will use to communicate with each other:
docker network create caddy --subnet=172.16.0.0/24
Although manual specification of IP subnets and addresses is not really in the spirit of Docker, it is sometimes necessary, or at least convenient; in our case, it enables us to set the Nextcloud Docker container’s TRUSTED_PROXIES environment variable (see below).
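Why the proxy address has to be known and trusted, as an added example (not part of the original guide and not Nextcloud's own code): a generic sketch of how a server behind a reverse proxy picks the address that IP-based throttling is keyed on. The function names and the sample traffic are constructed for illustration; 172.16.0.6 is the Caddy address used in this guide.

```python
import ipaddress
from collections import Counter

def is_trusted(addr, trusted):
    """True if addr falls inside any trusted proxy entry (single IP or CIDR)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)

def client_ip(peer, xff, trusted):
    """Resolve the address that rate limiting should be keyed on.

    peer    -- TCP source address the web server actually saw
    xff     -- raw X-Forwarded-For header value, or None
    trusted -- proxy addresses/CIDRs allowed to vouch for a client
    """
    if not xff or not is_trusted(peer, trusted):
        return peer  # header ignored: any client can send it
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, anything further left is client-supplied and unverified.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer  # malformed entry: fall back to the peer address
    return peer

def throttle_keys(requests, trusted):
    """Count requests per resolved address, as an IP-based throttle would."""
    return Counter(client_ip(peer, xff, trusted) for peer, xff in requests)

# Constructed sample traffic: (peer address, X-Forwarded-For) as seen by the app.
CADDY = "172.16.0.6"  # the proxy address assigned in this guide
VIA_PROXY = [
    (CADDY, "203.0.113.10"),
    (CADDY, "198.51.100.77"),
    (CADDY, "10.9.9.9, 203.0.113.10"),  # leftmost entry was supplied by the client
]
DIRECT = [("172.16.0.50", "127.0.0.1")]  # did not pass through the proxy

if __name__ == "__main__":
    print("no trusted proxy:", dict(throttle_keys(VIA_PROXY, [])))
    print("TRUSTED_PROXIES :", dict(throttle_keys(VIA_PROXY, [CADDY])))
    print("direct request  :", dict(throttle_keys(DIRECT, [CADDY])))
```

Without a trusted proxy every request is attributed to the proxy itself, which is the lockout described in the snap section; with the proxy trusted, each client is counted separately and a forwarded header from any other peer is ignored.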
nextcloud
Create a docker-compose.yml file in a directory dedicated to Nextcloud (create it anywhere you like). Paste the following into this file:
services:
  db:
    # See the official Nextcloud documentation for recommended MariaDB versions:
    # https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html#server
    # https://help.nextcloud.com/t/mariadb-version-11-5-2-mariadb-deb12-detected-mariadb-10-6-and-11-4-is-suggested-for-best/203872
    image: mariadb:11.4
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<password1>
      - MYSQL_PASSWORD=<password2>
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    networks:
      caddy:
        ipv4_address: 172.16.0.8
        # The following alias is only necessary when there are other Docker Compose stacks connected to the same network
        # that contain 'db:' services. If there are not, the alias can be omitted (in which case 'MYSQL_HOST' in the 'app' service should be set to 'db').
        # See:
        # https://stackoverflow.com/questions/78983153/intermittent-error-establishing-a-database-connection-errors-with-wordpress-on
        # https://github.com/docker/compose/issues/8223
        # https://forums.docker.com/t/add-option-to-remove-service-name-as-default-alias-on-networks/106172
        aliases:
          - nextcloud_db
  app:
    image: nextcloud:30.0
    restart: always
    networks:
      caddy:
        ipv4_address: 172.16.0.7
    # see: https://github.com/nextcloud/documentation/blob/master/admin_manual/configuration_server/reverse_proxy_configuration.rst
    labels:
      caddy: nextcloud.example.duckdns.org
      caddy.reverse_proxy: "{{upstreams}}"
      # see: https://github.com/lucaslorentz/caddy-docker-proxy/issues/114
      caddy.header: /*
      # see: https://docs.nextcloud.com/server/23/admin_manual/installation/harden_server.html#enable-http-strict-transport-security
      caddy.header.Strict-Transport-Security: '"max-age=15552000;"'
      # see: https://docs.nextcloud.com/server/23/admin_manual/issues/general_troubleshooting.html#service-discovery
      # https://github.com/lucaslorentz/caddy-docker-proxy/issues/222
      caddy.redir_0: /.well-known/carddav /remote.php/dav/ 301
      caddy.redir_1: /.well-known/caldav /remote.php/dav/ 301
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD=<password2>
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=nextcloud_db
      # See: https://hub.docker.com/_/nextcloud/
      - APACHE_DISABLE_REWRITE_IP=1
      # See: https://github.com/nextcloud/documentation/issues/7005
      # and: https://old.reddit.com/r/NextCloud/comments/s3skdn/nextcloud_behind_caddy_as_a_reverse_proxy_using/hsnj5wh/
      # Must match the Caddy container's ipv4_address on the caddy network.
      - TRUSTED_PROXIES=172.16.0.6
    links:
      - db
  cron:
    # Nextcloud cron functionality with Docker deployments is not well documented:
    # https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/apache/docker-compose.yml#L39
    # https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/apache/docker-compose.yml#L35
    # https://github.com/nextcloud/docker/issues/1695
    # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html
    image: nextcloud:30.0
    restart: always
    volumes:
      - nextcloud:/var/www/html
    networks:
      caddy:
        ipv4_address: 172.16.0.9
    entrypoint: /cron.sh
    depends_on:
      - db
volumes:
  db:
  nextcloud:
networks:
  caddy:
    external: true
An alternative to including the database passwords in the docker-compose.yml file itself is to configure them via environment variables. A convenient way to do so is via an .env file. To use this method, modify the MYSQL_ROOT_PASSWORD and MYSQL_PASSWORD lines in the docker-compose.yml file as follows:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
and create a file named .env in the same directory as that file, containing the following:
MYSQL_ROOT_PASSWORD=<password1>
MYSQL_PASSWORD=<password2>
The permissions of whichever file contains the passwords should be set to something like 600.
After that, start the container with docker-compose up -d.
Choosing an image tag
The above file specifies the Nextcloud Docker stable image tag. There are actually dozens of available tags to choose from. For the purposes of this guide, one of the apache, rather than one of the fpm, tags should be chosen (i.e., the tag should either contain apache or contain neither apache nor fpm). Beyond that, any tag should work.
In general, the more specifically a version is pinned in the configuration, the lower the likelihood of something breaking on update, at the price of not receiving various improvements and enhancements. (This is true for all containers, but is particularly significant for software as complex and as rapidly changing as Nextcloud. See here for Nextcloud’s explanation of its release channels.)
Caddy
Create a docker-compose.yml file in a directory dedicated to Caddy and paste the following into it:
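services:
  caddy:
    # see here for guidance on which image / tag to choose:
    # https://github.com/lucaslorentz/caddy-docker-proxy#docker-images
    image: lucaslorentz/caddy-docker-proxy:2.9.1
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      caddy:
        # Must match TRUSTED_PROXIES in the Nextcloud compose file.
        ipv4_address: 172.16.0.6
    volumes:
      # caddy-docker-proxy reads container labels through the Docker socket.
      # Access to this socket is equivalent to root on the host, so treat
      # this container and its image as fully privileged.
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped
networks:
  caddy:
    external: true
volumes:
  caddy_data:
Then start the container by running docker-compose up -d.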
Nextcloud installation wizard
If everything has worked correctly, it will now be possible to finish the Nextcloud installation by navigating to https://nextcloud.example.duckdns.org and following the prompts of the Installation Wizard. (If the database configuration via the Docker environment variables has worked correctly, then the “Storage and Databases” choices will not be available; if they are, then something has gone wrong with the configuration.)
Configuration
Navigate to https://nextcloud.example.duckdns.org/settings/admin/ and adjust the following configuration settings:
- Follow the directions to configure an email server
Miscellaneous steps
There are a few remaining configuration settings that should be set which can only be set by directly editing Nextcloud’s config.php file (documented here), or via the occ command (see below), and cannot (currently) be set using Docker. The config.php file is located (in Debian, when following this guide) at /var/lib/docker/volumes/nextcloud_nextcloud/_data/config/config.php. Edit this file and set the following values:
'default_phone_region' => '<ISO 3166-1 country code>'
Using the occ command
To run the occ command inside the docker Nextcloud instance, run the following on the host system:
docker exec -ti --user www-data <nextcloud_container_name> /var/www/html/occ <occ parameters>
where nextcloud_container_name is the name of the Nextcloud container (e.g., nextcloud_app_1), and occ parameters are the desired occ parameters.
To use the occ command to set Nextcloud configuration values, see the occ documentation.