DEV Community

Cover image for Take Control of Your Data- Self-host NextCloud.
R. Quazi
R. Quazi

Posted on • Edited on

Take Control of Your Data- Self-host NextCloud.

Take Control of Your Data- Self-Hosting NextCloud with MariaDB, Redis, with Let's Encrypt SSL and Securely Access via TailScale VPN

[! Table of Contents]

  1. Introduction

    1.1. Preface

    1.2. Architecture

  2. Initial Setup

    2.1. Get a Domain Name

    2.2. Tailscale VPN Setup

    2.3. Installing Docker

    2.4. Pointing DNS to the Server's Private IP Address

  3. NextCloud Deployment

    3.1. SSL Request with Let's Encrypt

    3.2. Using a .env File to Manage Configuration Variables

    3.3. NextCloud Configuration in config.php

    3.4. Creating the Apache Configuration File

    3.5. Setting Request Limits in Apache

    3.6. Script to Enable SSL and Headers Module in NextCloud Container

  4. Docker Compose

    4.1. Creating a Docker Compose File

    4.2. Running Docker Services

  5. Accessing NextCloud on a Private IP

    5.1. Accessing via Private IP

    5.2. Resolving Untrusted Domain Error


1 Introduction :

1.1 Preface

In today's digital age, data is the new currency. But with popular collaboration tools like Slack and Microsoft Teams, there's a growing concern about data privacy and security. These platforms may collect user data, potentially using it to train AI models or fix bugs, leaving organizations vulnerable.

That's why self-hosting has become an attractive option for businesses seeking control over their data. In this article, we'll guide you through setting up NextCloud, a powerful collaboration platform, using MariaDB as our database and Redis for caching. We'll also use Let's Encrypt SSL certificates using Certbot and accessing it securely via TailScale VPN.

The Best Part?

  • Flexibility: This setup will run entirely in Docker containers, making it easy to deploy on any platform with Docker installed.

  • Security: We'll use TailScale to establish secure, encrypted connections from client devices, ensuring NextCloud is only accessible via private IP.


1.2 Architecture :

This self-hosted NextCloud setup is designed with security, privacy, and performance in mind. The architecture ensures that services remains private and secure ( Considering you have enabled RBAC , followed Zero Trust Principles and best practices for shared security model if you have Virtual Machine/Server in public cloud . )

Architecture

The NextCloud server is accessible only through Tailscale VPN, which establishes secure, encrypted communication between employee devices and the server. Access control (ACLs) is strictly enforced, allowing only approved employees (e.g., Employee 1 and Employee 2) to connect, while denying access to others (e.g., Employee 3..even if he connected to VPN and external users trying to connect to nextcloud without VPN).

The NextCloud service itself is containerized and runs within a Docker container. The key services include:

  • Let's Encrypt: Ensuring secure communication between clients and the server using Let's Encrypt SSL/TLS certificates.

  • NextCloud: The core collaboration platform, running alongside Apache2 as the web server (Apache2 running in same nextcloud container. If you are using nextcloud:fpm docker image you may need to setup apache or traefik container. In this article have used nextcloud:apache-stable docker image).

  • Redis: Handling caching duties to improve performance.

  • MariaDB: Serving as the primary database for storing sensitive data.

This containerized approach offers modularity, ease of management, and scalability, all while maintaining a high level of security and performance.


2 Initial Setup :

2.1 Get a Domain name:

[!NOTE]
If you already have a domain name, you can skip this step.

For those who need to purchase a domain, there are several providers to choose from, including:

Please note, I am not promoting any specific platform, and these links are not affiliate links. You are free to select any domain provider that suits your needs.


2.2 Tailscale :

Tailscale is a modern VPN service that simplifies connecting devices and applications over a secure network. It leverages the WireGuard protocol to create a peer-to-peer mesh network, known as TailNet, which allows devices within the same private network to communicate directly. This is different from traditional VPNs, which route all traffic through a central gateway.

Tailscale can be used for various purposes, including:

  • SSH Access: Securely connect to remote machines.
  • File Access and Sharing: Access and share files across devices.
  • Private Website Access: Reach privately hosted websites.
  • Database and Kubernetes Clusters: Connect to databases and Kubernetes clusters securely.

2.2.1 Key Differences from Traditional VPNs

Traditional VPNs create a central tunnel for all network traffic, routing it through a single gateway. In contrast, Tailscale establishes a peer-to-peer or point-to-point mesh network, which they refer to as TailNet, enabling direct communication between devices.

2.2.2 Setting Up Tailscale

2.2.3 Sign Up and Access the Admin Dashboard

  1. Sign Up: Create an account at Tailscale.
  2. Admin Dashboard: After signing up, you will be directed to the Tailscale Admin Dashboard.

Image description

2.2.4 Install Tailscale on Linux

  1. Open your Linux terminal and run:

    curl -fsSL https://tailscale.com/install.sh | sh
    
  2. Check the status of the Tailscale service:

    sudo systemctl status tailscaled
    
  3. Enable and start the Tailscale service:

    sudo systemctl enable tailscaled
    sudo systemctl start tailscaled
    

2.2.5 Install Tailscale on Windows

  1. Download the Tailscale installer for Windows from here.
  2. Once Installed login to tailscale.

2.2.6 Configure Tailscale

  1. Generate an Auth Key:
  • Return to the Tailscale Admin Dashboard.

  • Navigate to Settings to generate an authentication key. (I have used Ubuntu 24.04 Linux as WSL. )

Image description

  1. Authenticate and Connect:
  • Return to your Linux terminal.

  • Run the following command to authenticate and connect:

sudo tailscale up --auth-key=YOUR_AUTH_KEY --ssh
Enter fullscreen mode Exit fullscreen mode

Replace YOUR_AUTH_KEY with the key you generated.

Congratulations! Your Linux is now configured for remote SSH access over a private IP. Both your Windows machine and the Linux instance should be connected to Tailscale to access resources or applications and to perform SSH.

2.2.7 SSH Using Tailscale Browser-Based Access

  1. Access Tailscale Admin Portal:
  • Go to the Tailscale Admin Portal.

  • Select the machine you want to SSH into and choose the option to SSH into the machine.

Image description

  1. Select User:
    • Choose the user you want to log in as.

Image description

  1. Confirm Identity:
  • Confirm your identity by logging in to Tailscale.

  • You are now connected to WSL / Linux through your browser.

Image description

2.2.8 Get Private IP :

To obtain the private IP address of your machine, you can use the following command in the terminal:

tailscale ip -4
Enter fullscreen mode Exit fullscreen mode

Alternatively, you can also find the private IP address through the Tailscale admin portal. Be sure to note this IP, as we will need it for subsequent configuration steps.


2.3 Installing Docker :

-- Steps For ubuntu 24 :

2.3.1 Install using the apt repository

Before you install Docker Engine for the first time on a new host machine, you need to set up the Docker repository. Afterward, you can install and update Docker from the repository.

  1. Set up Docker's apt repository.
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
Enter fullscreen mode Exit fullscreen mode
  • To install the latest version, run:
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Enter fullscreen mode Exit fullscreen mode
  • Verify that the Docker Engine installation is successful by running :
sudo docker ps
sudo docker info
Enter fullscreen mode Exit fullscreen mode

-- For Other Machines :
Docker Installation Guide for :

Windows : https://docs.docker.com/desktop/install/windows-install/
Mac : https://docs.docker.com/desktop/install/mac-install/

Ubuntu : https://docs.docker.com/engine/install/ubuntu/
Debian : https://docs.docker.com/engine/install/debian/
RHEL : https://docs.docker.com/engine/install/rhel/
Fedora : https://docs.docker.com/engine/install/fedora/
Raspberry Pi : https://docs.docker.com/engine/install/raspberry-pi-os/
CentOS : https://docs.docker.com/engine/install/centos/
SLES : https://docs.docker.com/engine/install/centos/


2.4 Pointing DNS to the Server's Private IP Address :

To configure your DNS to point to the private IP of your server, follow these steps. In this example, I have used Cloudflare as the domain provider:

  1. Log in to your domain provider's dashboard.
  2. Navigate to the Website section and select your domain.

Image description

Now click DNS --> Records --> Add record :

Image description

To set up access to your Nextcloud instance via a custom subdomain, you need to create an A record with your domain provider.

Choose a subdomain name, such as nextcloud-server, so your Nextcloud instance will be accessible at nextcloud-server.domain.com.

In the DNS settings, point this subdomain to the Tailscale IP address you copied earlier in step 2.2.8 .

Image description

keep this tab open we may need to add TXT record for Let's Encrypt SSL .


3 Nextcloud Deployment :

3.1 SSL request :

In this section, we’ll walk through how to request a free SSL certificate from Let's Encrypt using Certbot. This SSL certificate will secure your domain, and the process is simple with Docker.

Step 1: Running Certbot to Generate an SSL Certificate

To begin, open your terminal and run the following Docker command. This will start the Certbot client, which will guide you through the process of generating a free SSL certificate:

docker run -it --rm \ -v "/etc/letsencrypt:/etc/letsencrypt" \ -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \ certbot/certbot certonly --manual --preferred-challenges dns
Enter fullscreen mode Exit fullscreen mode

This command will initiate Certbot in interactive mode, prompting you for details like your domain name and email address.

Step 2: Input Required Information

After running the command, Certbot will ask for several pieces of information. Follow the prompts as shown below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): email@example.com

Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree to continue.
(Y)es/(N)o: Y

Would you like to receive email updates from Let's Encrypt and the EFF?
(Y)es/(N)o: Y

Enter fullscreen mode Exit fullscreen mode

Next, you will be prompted to enter the domain name for which you want the SSL certificate:

Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel):

nextcloud-server.domain.com


Enter fullscreen mode Exit fullscreen mode

Step 3: Deploying DNS TXT Record

Certbot will now ask you to deploy a DNS TXT record for domain validation. You need to add a specific TXT record to your domain's DNS configuration:


Please deploy a DNS TXT record under the name:
_acme-challenge.nextcloud-server.domain.com.

With the following value:
D1eW0MaeV4L61WsvJJHniuUBAuj3aoggwF2-mXad21KaF-x


Enter fullscreen mode Exit fullscreen mode

Go to your domain provider's DNS management interface and add a new TXT record:

  • Type: TXT
  • Name: _acme-challenge.nextcloud-server.domain.com
  • Value: D1eW0MaeV4L61WsvJJHniuUBAuj3aoggwF2-mXad21KaF-x

Image description

Step 4: Verifying the DNS Record

Before continuing, ensure the DNS record has been successfully deployed. You can verify this using online tools like the Google Admin Toolbox.

Once the record is visible, return to your terminal and press Enter to proceed.

Step 5: SSL Certificate Issuance

Once the DNS record is verified, Certbot will complete the certificate generation. You will see a message like this:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/nextcloud-server.domain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/nextcloud-server.domain.com/privkey.pem
This certificate expires on 2024-12-15.


Enter fullscreen mode Exit fullscreen mode

Important Notes:

  • This certificate is valid for 90 days, and you will need to renew it before it expires.
  • For manual DNS-based certificates, renewal requires repeating this process unless you configure automated renewal using Certbot hooks.

( I will cover SSL Autorenewal in next article. )

We have successfully obtained an SSL certificate for your domain. Now, your connection will be secured with HTTPS!


3.2 Utilizing a .env File to Manage Configuration Variables

When deploying applications using Docker, it’s important to manage the configuration effectively. One of the best practices is to use a .env file to store environment variables instead of hardcoding values directly in your docker-compose.yml file. This approach not only keeps your configuration organized but also simplifies the process of making changes in the future.

To create a .env file, open your terminal and use the following command:

nano .env
Enter fullscreen mode Exit fullscreen mode

In the .env file, you can define your environment variables like this:

NEXTCLOUD_ADMIN_USER=email@example.com
NEXTCLOUD_ADMIN_PASSWORD=YOUR_SECURE_PASSWORD
NEXTCLOUD_PORT=80
NEXTCLOUD_PORT_HTTPS=443
PRIVATE_IP=YOUR_TAILSCALE_IP_HERE
REDIS_HOST=redis
REDIS_HOST_PORT=6379
REDIS_HOST_PASSWORD=YOUR_SECURE_PASSWORD
MYSQL_HOST=db
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextclouddb
MYSQL_PASSWORD=YOUR_SECURE_PASSWORD
MYSQL_ROOT_PASSWORD=YOUR_SECURE_ROOT_PASSWORD
MYSQL_HOST_PORT=3379
NEXTCLOUD_SSL_KEY_PATH=/etc/letsencrypt/live/nextcloud-server.domain.com/privkey.pem
NEXTCLOUD_SSL_CERT_PATH=/etc/letsencrypt/live/nextcloud-server.domain.com/fullchain.pem
NEXTCLOUD_APACHE_CONFIG_PATH=./000-default.conf
NEXTCLOUD_APACHE_LIMIT_PATH=./apache-limits.conf
Enter fullscreen mode Exit fullscreen mode

3.3 Nextcloud Configuration in config.php

[!NOTE]

!! SKIP this step if you are deploying nextcloud first time.

Next, you'll need to configure Nextcloud itself. The configuration settings for Nextcloud are typically stored in the /var/www/html/config/config.php file in nextcloud docker container. Below is a sample configuration that you can adapt to your setup:

To create a config.php file, open your terminal and use the following command:

nano config.php
Enter fullscreen mode Exit fullscreen mode

In the config.php file, you can add configurations like this:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis',
    'password' => '',
    'port' => 6379,
  ),
  'upgrade.disable-web' => true,
  'passwordsalt' => 'NSOLqCOL3s+8JyIaFtz6Xw0guUC7Vf',
  'secret' => 'nLg9bkVKY4HV4fOkop6vmJ5/DyqdOUo21545JQTpmzWQSGe3',
  'trusted_domains' => 
  array (
    0 => 'nextcloud-server.domain.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '29.0.6.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextclouddb',
  'dbpassword' => 'YOUR_SECURE_PASSWORD',
  'installed' => true,
  'instanceid' => 'ocuijn9xg681',
);
Enter fullscreen mode Exit fullscreen mode

Mounting an Existing config.php File

If you already have a config.php file and want to mount it to your Nextcloud Docker container, make sure to uncomment the following line in your docker-compose.yml file:

# 3 - ./config.php:/var/www/html/config/config.php
Enter fullscreen mode Exit fullscreen mode

By doing so, you can easily manage your Nextcloud configuration without modifying the Docker image itself.


3.4 Creating the Apache Configuration File

To set up your Apache web server, you’ll need to create a configuration file. Start by opening your terminal and running the following command:

nano 000-default.conf
Enter fullscreen mode Exit fullscreen mode

In this apache.conf file, you will define your server settings. Below is a sample configuration for a Nextcloud server, which includes both HTTP and HTTPS settings:

Sample Apache2 Configuration File

<VirtualHost *:80>
    ServerName nextcloud-server.domain.com
    Redirect permanent / https://nextcloud-server.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName nextcloud-server.domain.com

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Enable SSL
    SSLEngine on
    SSLProtocol TLSv1.2 TLSv1.3

    # Specify the certificate files
    SSLCertificateFile /etc/ssl/certs/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/privkey.pem

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Enter fullscreen mode Exit fullscreen mode

3.5 Setting Request Limits in Apache

To enhance the performance and security of your Apache server, you can set limits on the size of the request body. This helps prevent abuse by limiting the maximum size of uploaded files. To do this, create or modify the apache-limits.conf file. Open your terminal and enter the following command:

nano apache-limits.conf
Enter fullscreen mode Exit fullscreen mode

In the apache-limits.conf file, add the following line:

LimitRequestBody 104857600
Enter fullscreen mode Exit fullscreen mode

This configuration sets the maximum allowed size of the request body to 100 MB (104,857,600 bytes).


3.6 Script to Enable SSL and Headers Module in Nextcloud Container :

The official Nextcloud Docker image (nextcloud:apache-stable) does not come with SSL enabled by default. To enable SSL support and necessary headers in your Nextcloud container, you can use the following script. This script ensures that the SSL module and headers are properly configured.

Create a new script file, for example enable_ssl.sh, and add the following content:


#!/bin/bash

# 4 Enable SSL module and configure Apache SSL
docker exec ncapp-nextcloud-server /bin/bash -c "a2enmod ssl"
docker exec ncapp-nextcloud-server /bin/bash -c "a2ensite 000-default"
docker exec ncapp-nextcloud-server /bin/bash -c "a2enmod headers"

# 5 Restart Apache to apply changes
docker exec ncapp-nextcloud-server /bin/bash -c "service apache2 reload"

Enter fullscreen mode Exit fullscreen mode

Make sure to give the script execution permissions before running it:

chmod +x enable_ssl.sh
Enter fullscreen mode Exit fullscreen mode

4 Docker Compose :

At this stage, we have gathered the essential files required for our setup, including the SSL certificates, config.php, 000-default.conf, apache-limits.conf, and the necessary script.

Now, let's move forward by creating a Docker Compose file. This file will serve as the backbone of our deployment, orchestrating the various services and configurations we've prepared.

To create our Docker Compose file, open a terminal and enter the following command:

nano docker-compose.yml

Enter fullscreen mode Exit fullscreen mode

This command will open the Nano text editor, where we can define our services and configurations. Below is a sample configuration to get you started:

#   Docker compose file for Nextcloud setup with Redis and Mariadb

services:
  nc:
    image: nextcloud:stable-apache
    restart: unless-stopped
    container_name: ncapp-nextcloud-server
    ports:
      - ${PRIVATE_IP}:${NEXTCLOUD_PORT}:80
      - ${PRIVATE_IP}:${NEXTCLOUD_PORT_HTTPS}:443
    volumes:
      - ${NEXTCLOUD_SSL_KEY_PATH}:/etc/ssl/private/privkey.pem
      - ${NEXTCLOUD_SSL_CERT_PATH}:/etc/ssl/certs/fullchain.pem
      - ${NEXTCLOUD_APACHE_CONFIG_PATH}:/etc/apache2/sites-enabled/000-default.conf
      - ${NEXTCLOUD_APACHE_LIMIT_PATH}:/etc/apache2/conf-enabled/apache-limits.conf
      # - ./config.php:/var/www/html/config/config.php
      - nc_data:/var/www/html      
      - nc_apache2:/etc/apache2/
    depends_on:
      - redis
      - db
    links:
      - db
      - redis
    networks:
      - redisnet
      - dbnet
    healthcheck:
      test: [CMD-SHELL, curl -f http://localhost]
      interval: 1m
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 2048M      
    # labels:
    #   maintainer: "Your Name <your@email.com>"
    #   org.label-schema.version: "latest"
    #   org.label-schema.name: "Nextcloud-NC-APP"
    #   org.label-schema.description: "Self-hosted file sharing and collaboration platform"
    #   org.label-schema.url: "https://nextcloud.com"
    #   org.label-schema.documentation: "https://docs.nextcloud.com"
    #   org.label-schema.source: "https://github.com/nextcloud/docker"
    #   org.label-schema.issues: "https://github.com/nextcloud/docker/issues"
    environment: 
      - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}  
      - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}    
      - REDIS_HOST=${REDIS_HOST}
      - REDIS_HOST_PORT=${REDIS_HOST_PORT}
      # - REDIS_HOST_PASSWORD=${REDIS_HOST_PASSWORD}  # Cant login to nexcloud if enabled
      - MYSQL_HOST=${MYSQL_HOST}
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}


  redis:
    image: redis@sha256:6a5130174e14177c3777ea34f4989a91bb5a7d7562dd48578cbfa3ad8cd53743
    restart: unless-stopped
    container_name: ncapp-redis-server
    networks:
      - redisnet
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 1024M
    volumes:
       - rd_data:/data
    healthcheck:
      test: [CMD-SHELL, redis-cli PING]
      interval: 1m
      timeout: 10s
      retries: 3  
    # labels:
    #   maintainer: "Your Name <your@email.com>"
    #   org.label-schema.version: "latest"
    #   org.label-schema.name: "Nextcloud-REDIS"
    #   org.label-schema.description: "Self-hosted file sharing and collaboration platform"
    #   org.label-schema.url: "https://nextcloud.com"
    #   org.label-schema.documentation: "https://docs.nextcloud.com"
    #   org.label-schema.source: "https://github.com/nextcloud/docker"
    #   org.label-schema.issues: "https://github.com/nextcloud/docker/issues"
    environment:
      - REDIS_HOST=${REDIS_HOST}
      - REDIS_HOST_PORT=${REDIS_HOST_PORT}
      # - REDIS_PASSWORD=${REDIS_HOST_PASSWORD}
    expose:
      - ${REDIS_HOST_PORT}

  db:
    image: mariadb:10.5
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    # if getting this error : 4047 InnoDB refuses to write tables with ROW_FORMAT=COMPRESSED or KEY_BLOCK_SIZE.
    # More details here : https://techoverflow.net/2021/08/17/how-to-fix-nextcloud-4047-innodb-refuses-to-write-tables-with-row_formatcompressed-or-key_block_size/
    # Comment the above command and use the below :
    # command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    restart: unless-stopped
    container_name: ncapp-db-server
    volumes:
      - db_data:/var/lib/mysql
    healthcheck:
      test: [CMD-SHELL, mysqladmin ping -h localhost]
      interval: 1m
      timeout: 10s
      retries: 3
    networks:
      - dbnet
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M

    # labels:
    #   maintainer: "Your Name <your@email.com>"
    #   org.label-schema.version: "latest"
    #   org.label-schema.name: "Nextcloud-MARIADB"
    #   org.label-schema.description: "Self-hosted file sharing and collaboration platform"
    #   org.label-schema.url: "https://nextcloud.com"
    #   org.label-schema.documentation: "https://docs.nextcloud.com"
    #   org.label-schema.source: "https://github.com/nextcloud/docker"
    #   org.label-schema.issues: "https://github.com/nextcloud/docker/issues"
    environment:
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    expose:
      - ${MYSQL_HOST_PORT}

volumes:
  db_data:
  nc_data:
  rd_data:
  nc_apache2:

networks:
  dbnet:
    driver: bridge
  redisnet:
    driver: bridge

Enter fullscreen mode Exit fullscreen mode

Once you have saved your docker-compose.yml file, you can start your services in detached mode using the following command:

docker-compose up -d
Enter fullscreen mode Exit fullscreen mode

This command will pull the necessary images (if not already available) and start the containers in the background, allowing you to continue using your terminal for other tasks.

After running above command , wait for about 5 to 10 seconds to ensure that all services are properly initialized. Once the waiting period is over, you can enable SSH by running the script:

./enable-ssh.sh
Enter fullscreen mode Exit fullscreen mode

This script will configure SSH access, allowing you to manage your services remotely and securely.

If you are getting output similar to this , then please wait for 5 more seconds and rerun the script :
ERROR :

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
Site 000-default already enabled
Module headers already enabled
Reloading Apache httpd web server: apache2 failed!
Apache2 is not running ... (warning).
Enter fullscreen mode Exit fullscreen mode

EXPECTED OUTPUT :

$ ./enable-ssl.sh
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Site 000-default already enabled
Module headers already enabled
Reloading Apache httpd web server: apache2.
Enter fullscreen mode Exit fullscreen mode

5 Accessing Nextcloud on a Private IP

To successfully access your Nextcloud instance running on a private IP, ensure that Tailscale is active on both the server hosting Nextcloud and the machine you are using for access.

  1. Open Your Browser: Navigate to the private IP address of your Nextcloud server.
  2. Login Credentials: Enter your administrator username and password. Upon logging in, you may encounter the following error:
   ## Access through untrusted domain

   Please contact your administrator. If you are an administrator, edit the "trusted_domains" setting in config/config.php like the example in config.sample.php.

   Further information on how to configure this can be found in the [documentation](https://docs.nextcloud.com/server/29/go.php?to=admin-trusted-domains).
Enter fullscreen mode Exit fullscreen mode

Image description


Resolving the Untrusted Domain Error

To resolve the untrusted domain issue, you need to update the trusted domains in your Nextcloud configuration:

  1. Access the Docker Container: Execute the following command to enter your Nextcloud Docker container:
   docker exec -it ncapp-nextcloud-server /bin/bash
Enter fullscreen mode Exit fullscreen mode
  1. Install a Text Editor: If not already installed, you can install nano by running:
   apt update && apt install nano
Enter fullscreen mode Exit fullscreen mode
  1. Edit the Configuration File: Open the configuration file using:
   nano /var/www/html/config/config.php
Enter fullscreen mode Exit fullscreen mode
  1. Locate the Trusted Domains Section: Use Ctrl + W to initiate a search and type trusted_domains, then hit Enter.

Image description

  1. Modify the Trusted Domains: You can either edit the existing localhost entry or add your domain. Your configuration block should look like this:
   array (
       0 => 'localhost',
       1 => 'nextcloud-server.domain.com',
   ),
Enter fullscreen mode Exit fullscreen mode
  1. Save and Exit: Save your changes in nano by pressing Ctrl + X, then confirm with Y and press Enter.

Now, you should be able to access your Nextcloud instance at https://nextcloud-server.domain.com.

Congratulations! You've successfully configured your Nextcloud server to recognize your domain.

Image description


As we come to the end of this guide, we hope you've gained valuable insights and practical steps to take control of your data by self-hosting NextCloud with MariaDB, Redis, and secure access via Tailscale VPN. By following these steps, you've not only set up a powerful collaboration platform but also enhanced your data security and privacy.

Remember, self-hosting isn't just about functionality—it's about owning your infrastructure and safeguarding sensitive information. Whether you're managing it for personal use or for a team, always prioritize regular backups, updates, and monitoring to maintain the integrity of your setup.

If you found this guide helpful and have any questions or feedback, feel free to reach out. For more insights on technology and to stay updated with my latest content, connect with me on LinkedIn and you can support open source community by buying a coffee here.

*Email *hi@plexio.cloud
*Linkedin *:  LinkedIn

Thank you for following along, and best of luck with your self-hosting journey!

Top comments (0)