corrado/nextcloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2 Commits 1 Branch 0 Tags
master
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

nextcloud

Config and compose files for my self-hosted Nextcloud at drive.net.mulas.me.

Two pieces:

  • nginx/ — the vhost, TLS profile, and header set I wrote and hardened for Nextcloud back in 2019 and have been using in production since then. I revised it in 2026 to match new Nextcloud docs directives.
  • docker/ — a small Compose stack with MariaDB, Redis, and Memcached. Nextcloud itself runs on the host, served by NGINX and PHP-FPM, because I had an abysmal experience with Nextcloud's containerised setup, in particular on updating and adding modules. The containers only provide the backing services.

Layout

docker/docker-compose.yml — the MariaDB + Redis + Memcached stack.

Everything under nginx/ mirrors /etc/nginx/ on the server:

  • nginx.conf — main http{} block: tuning, real-ip, gzip, headers-more
  • conf.d/header.conf — HSTS and the Nextcloud-recommended hardening headers
  • conf.d/ssl.conf — TLS 1.2, AEAD ciphers, OCSP stapling
  • sites-available/drive.mulas.me — the vhost
  • custom.d/ — mime types, cors, error pages, charset maps
  • fcgi.d/ — fastcgi / scgi / uwsgi params
  • snippets/ — letsencrypt ACME challenge, snakeoil

Docker stack

Images are pinned, all overridable via env:

Service Default tag Env override
db mariadb:11.8-ubi9 ENV_MARIADB_VERSION
redis redis:7.4.9-alpine ENV_REDIS_VERSION
memcached memcached:alpine3.23 ENV_MEMCACHED_VERSION

State, configs, and sockets land under ${ENV_BASE_DIR}/<service>/{data,config,socket}. In production ENV_BASE_DIR=/opt/nextcloud.

MariaDB credentials are mounted as Docker secrets — files on the host, never in the repo:

/opt/nextcloud/secrets/mariadb_root_password.txt
/opt/nextcloud/secrets/mariadb_app_password.txt

MYSQL_USER and MYSQL_DATABASE are intentionally blank in the compose file; fill them in (or move them to an .env) before bringing the stack up.

Bringing it up

# host paths
sudo mkdir -p /opt/nextcloud/{mariadb,redis,memcached}/{data,config,socket}
sudo mkdir -p /opt/nextcloud/secrets && sudo chmod 700 /opt/nextcloud/secrets

# secrets
openssl rand -base64 48 | sudo tee /opt/nextcloud/secrets/mariadb_root_password.txt
openssl rand -base64 48 | sudo tee /opt/nextcloud/secrets/mariadb_app_password.txt
sudo chmod 600 /opt/nextcloud/secrets/*.txt

# env
echo 'ENV_BASE_DIR=/opt/nextcloud' > docker/.env

# go
( cd docker && docker compose up -d )

Wait for the db healthcheck (it pings mysqladmin) to come up green before pointing Nextcloud at it.

Nginx install

sudo cp    nginx/nginx.conf                      /etc/nginx/nginx.conf
sudo cp -r nginx/conf.d/*                        /etc/nginx/conf.d/
sudo cp -r nginx/custom.d nginx/fcgi.d           /etc/nginx/
sudo cp -r nginx/snippets/*                      /etc/nginx/snippets/
sudo cp    nginx/sites-available/drive.mulas.me  /etc/nginx/sites-available/
sudo ln -sf /etc/nginx/sites-available/drive.mulas.me /etc/nginx/sites-enabled/drive.mulas.me

sudo nginx -t && sudo systemctl reload nginx

What you need on the host for this to work:

  • Nginx built with headers-more (the config uses more_set_headers)
  • PHP-FPM 8.5 with a socket at /var/run/php/php8.5-fpm.sock
  • A Let's Encrypt cert for drive.net.mulas.me and a dhparams.pem at /etc/ssl/private/dhparams.pem
  • Nextcloud unpacked at /ssda1/www/drive.net.mulas.me/

Wiring Nextcloud to the stack

In config/config.php (not in this repo):

'dbtype'   => 'mysql',
'dbhost'   => '127.0.0.1:3306',
'dbname'   => '<MYSQL_DATABASE>',
'dbuser'   => '<MYSQL_USER>',
'dbpassword' => trim(file_get_contents('/opt/nextcloud/secrets/mariadb_app_password.txt')),

'memcache.local'       => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Memcached',
'memcache.locking'     => '\OC\Memcache\Redis',
'redis'             => ['host' => '127.0.0.1', 'port' => 6379],
'memcached_servers' => [['127.0.0.1', 11211]],

Things worth knowing before reusing this elsewhere

  • The compose file publishes 3306/6379/11211 on all interfaces — fine when Nextcloud runs on the same host and the box has a firewall, but bind them to 127.0.0.1 if you're not in that situation.
  • set_real_ip_from in nginx.conf trusts 127.0.0.1 and 192.168.1.0/24. Change it for your network.
  • ssl.conf is TLS 1.2 only. There's a commented-out line to flip on TLS 1.3 when you're ready.
  • client_max_body_size is 50 GB and the proxy/fastcgi timeouts are essentially infinite — that's deliberate for large WebDAV uploads and long sync sessions, not an oversight.

License

BSD 3-clause — see LICENSE.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme BSD-3-Clause 44 KiB
Languages
Roff 100%