
Deploy Nextcloud Hub 7 (28.0.1) in Ubuntu with Docker Compose, Behind Caddy v2.7.6

Nextcloud is an open-source industry-leading on-premises collaboration platform. It’s a safe home for all your data.

Hello everyone. Previously I wrote an article on Nextcloud; please check it here if you would like. There I deployed it behind a Traefik proxy.

Today I am going to deploy Nextcloud Hub 7 (28.0.1) behind Caddy, an automatic-HTTPS web server written in Go, on Ubuntu Server using Docker Compose.


The original ownCloud developer Frank Karlitschek forked ownCloud and created Nextcloud, which continues to be actively developed by Karlitschek and other members of the original ownCloud team.

Let’s start with actual deployment…

Please make sure you fulfill the requirements below before proceeding to the actual deployment.

  1. Ubuntu Server with Docker and Docker Compose installed.
  2. Caddy as a reverse proxy that exposes the services externally.
  3. A database stack to host the application databases (MariaDB is included in the compose file below).

Introduction

Nextcloud is an open-source, industry-leading on-premises collaboration platform. It's a safe home for all your data: secure, under your control, and developed in an open, transparent and trustworthy way.

Nextcloud is a suite of client-server software for creating and using file hosting services. Functionally it is similar to Dropbox; unlike Dropbox, Nextcloud does not offer off-premises file storage hosting.

Nextcloud combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs.

Nextcloud can synchronize with local clients running Windows (Windows XP, Vista, 7, 8, and 10), macOS (10.6 or later), or various Linux distributions.

Nextcloud permits user and group administration (via OpenID or LDAP). Content can be shared by defining granular read/write permissions between users and groups.

Why Nextcloud?

Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.

In contrast to proprietary services like Dropbox, Office 365, or Google Drive, the open architecture enables users to have full control of their data.

User files are encrypted during transit and optionally at rest.

Nextcloud Features

Nextcloud users can also create public URLs when sharing files. Logging of file-related actions is available, as is denying access based on file access rules.

Nextcloud files are stored in conventional directory structures, accessible via WebDAV if necessary.

Nextcloud is introducing new features such as monitoring capabilities, full-text search, and Kerberos authentication, as well as audio/video conferencing, expanded federation, and smaller user interface improvements.

Since Nextcloud is modular, it can be extended with apps (plugins) that add functionality. The Nextcloud App Store communicates with Nextcloud instances via an open protocol and already contains over 200 extensions. With their help, many functionalities can be added, including:

  • Calendar and Contacts
  • Secure audio and video calls
  • View and edit documents with Collabora
  • Automatically upload files to replace large attachments or integrate Calendars and Contacts in your mail client
  • Integrated account management
  • Workflow management
  • External storage, securely encrypted (connections to Dropbox, Google Drive and Amazon S3)
  • Track file changes
  • Powerful search

Please go through the official link for more features of Nextcloud.

Nextcloud Key Differentiators

Putting IT back in control

Nextcloud puts the customer in control over their data in the most literal and direct sense. Your data is in your data center, on a server managed by you, rather than floating somewhere in the cloud.

Security First

Nextcloud features a host of unique, innovative security technologies, from brute-force protection to advanced server-side and integrated end-to-end, client-side encryption with enterprise-grade key handling and a wide range of security hardening.

User Focus

Nextcloud's transparent development process and clear focus on the needs of users and customers result in a better product. By working in the open, within and with the wider developer and user community, development is sped up, quality is improved and alignment with the needs of users is improved.

Prepare Nextcloud Environment

Most of the time I use the /opt directory to store the configuration files, i.e. the docker-compose file, volumes and secrets. Create a folder nextcloud in /opt.

Use the commands below to create the folder and an empty compose file.

cd /opt
sudo mkdir nextcloud
cd nextcloud
sudo touch docker-compose.yml

Inside it, create a `nextcloud` folder that will be mapped to the container path /var/www/html for data persistence.

It is very important to mount this same volume in the Caddy container as well: Caddy serves Nextcloud's static files directly from it and hands only PHP requests to the FPM container, so both containers must see the same tree at /var/www/html.

Caddyfile – Nextcloud

The Caddyfile is a convenient Caddy configuration format for humans.

Caddyfile is easy to write, easy to understand, and expressive enough for most use cases.

Please find below a production-ready Caddyfile for Nextcloud.

Learn more about Caddyfile here to get familiar with it.

{
    email you@example.com
    default_sni example
    cert_issuer acme
    # Production acme directory
    acme_ca https://acme-v02.api.letsencrypt.org/directory
    # Staging acme directory
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    servers {
        metrics
        # This list replaces Caddy's default (h1 h2 h3); listing h2c without h2
        # would silently disable HTTP/2 over TLS.
        protocols h1 h2 h2c h3
        strict_sni_host on
        # Provided by the Cloudflare IP-range module compiled into the custom image
        trusted_proxies cloudflare {
            interval 12h
            timeout 15s
        }
    }
}

#Security
(security) {
    header /* {
        #Enable STS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        #Disable clients from sniffing the media type
        X-Content-Type-Options "nosniff"
        #Keep referrer data off of HTTP connections (one of the values Nextcloud's security check accepts)
        Referrer-Policy "strict-origin"
        #Other security options
        X-Xss-Protection "1; mode=block"
        X-Frame-Options "SAMEORIGIN"
        #Strip the server banner
        -Server
        #Do not set Content-Security-Policy here: Nextcloud emits its own per-response CSP,
        #and a static header in Caddy would replace it with a weaker policy.
        #Feature-Policy is deprecated; Permissions-Policy is its replacement.
        #Nextcloud Talk needs camera and microphone, so drop those two if you use it.
        Permissions-Policy "camera=(), geolocation=(), microphone=(), payment=(), usb=(), battery=()"
    }
}

nextcloud.example.com {
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/* /index.php{uri} 301
    redir /remote/* /remote.php{uri} 301
    root * /var/www/html
    # Caddy ignores the .htaccess files Nextcloud ships, so the data and config
    # directories must be blocked explicitly; otherwise file_server would hand
    # user files under /data to anyone who knows the path.
    @forbidden {
        path /.htaccess /data/* /config/* /lib/* /3rdparty/* /templates/* /tests/* /build/* /occ /console.php /README
    }
    respond @forbidden 404
    php_fastcgi nextcloud:9000
    file_server {
        precompressed gzip zstd
    }
    encode {
        zstd
        gzip 6
    }
    import security
}

Please see the Caddy post for more insight into deploying it in a Docker Swarm cluster.

Caddy supports snippets: reusable blocks of configuration defined once at the top level of the Caddyfile and imported into individual sites.

Here I created a security snippet and imported it into the nextcloud site.


Nextcloud Docker Compose

Open the docker-compose.yml created earlier with the nano editor using sudo nano docker-compose.yml

Copy and paste the code below into docker-compose.yml

version: "3.7"

services:
  caddy:
    image: rajaseg/caddy
    restart: unless-stopped
    container_name: caddy
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
      - target: 443
        published: 443
        mode: host
        protocol: udp    # HTTP/3 (QUIC)
    networks:
      - caddy
      - inet
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddydata:/data
      - ./caddyconfig:/config
      - ./caddylogs:/var/log/caddy
      # Same tree the nextcloud service writes to; Caddy only needs to read it
      - ./nextcloud:/var/www/html:ro
  maria:
    # Pin a release Nextcloud supports rather than :latest, so an unattended pull
    # cannot move you to an untested major version
    image: mariadb:10.11
    container_name: maria
    restart: unless-stopped
    volumes:
      - ./maria-data:/var/lib/mysql
    secrets:
      - mysql_user
      - mysql_database
      - mysql_db_password
      - mysql_root_password
    environment:
      - MYSQL_USER_FILE=/run/secrets/mysql_user
      - MYSQL_DATABASE_FILE=/run/secrets/mysql_database
      - MYSQL_PASSWORD_FILE=/run/secrets/mysql_db_password
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
    command: ["--wait_timeout=28800", "--interactive_timeout=28800", "--max_allowed_packet=256M", "--transaction-isolation=READ-COMMITTED", "--binlog-format=ROW"]
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      interval: 10s
      timeout: 5s
      retries: 10
    networks:
      - inet
  nextcloud:
    image: nextcloud:28.0.1-fpm
    restart: unless-stopped
    container_name: nextcloud
    environment:
      - MYSQL_PASSWORD_FILE=/run/secrets/mysql_db_password
      - MYSQL_DATABASE_FILE=/run/secrets/mysql_database
      - MYSQL_USER_FILE=/run/secrets/mysql_user
      - MYSQL_HOST=maria
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.example.com
      # Nextcloud compares this list with the proxy's IP address, so a container
      # name such as "caddy" never matches. 172.16.0.0/12 covers Docker's default
      # address pool; narrow it to the subnet compose assigned to the inet network.
      - TRUSTED_PROXIES=172.16.0.0/12
    # The *_FILE variables point into /run/secrets, so the secrets must be mounted here too
    secrets:
      - mysql_user
      - mysql_database
      - mysql_db_password
    volumes:
      - ./nextcloud:/var/www/html
    depends_on:
      maria:
        condition: service_healthy
    networks:
      - inet
secrets:
  mysql_user:
    file: ./mysql_user.txt
  mysql_database:
    file: ./mysql_database.txt
  mysql_root_password:
    file: ./mysql_root_password.txt
  mysql_db_password:
    file: ./mysql_db_password.txt
# All storage is bind-mounted from /opt/nextcloud, so no top-level volumes are declared
networks:
  caddy:
    external: true
  inet:
    driver: bridge

I used a custom Caddy build because I have to include DNS modules to obtain and renew the TLS certificates for the services.

You can pull it from Docker Hub using the command below.

docker pull rajaseg/caddy

I also used the Nextcloud FPM Docker image, which is why Caddy talks to it with php_fastcgi instead of reverse_proxy.

Here I am using MariaDB as the database back end for Nextcloud. It is not exposed externally: it sits only on the inet bridge network, which is what lets the Nextcloud container reach it.

Only the Caddy proxy is exposed externally. All other services sit behind Caddy and communicate over the inet bridge network.
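The compose file above references four secret files that the post never shows being created. The script below is an added example, not part of the original post: it lays out the directory tree the compose file expects under a base directory (the post uses /opt/nextcloud) and generates the secret files with random passwords, created read-only for root so the database credentials never sit world-readable on the host. The user and database names (nextcloud) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): prepares the directory tree and the
# four secret files referenced by docker-compose.yml.
# Assumptions: $1 is the base directory (/opt/nextcloud in the post); the
# database and user names below are illustrative and can be changed.
set -eu

# Write a random secret to a file without exposing it on a command line.
# 32 random bytes, base64 encoded, newline stripped (the entrypoints read the
# file verbatim, so a trailing newline would become part of the password).
# The subshell keeps the restrictive umask from leaking into the caller.
write_secret() {
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1" )
}

# Plain-text value (user or database name); same permissions for consistency.
write_value() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

prepare_nextcloud_env() {
    base=$1
    mkdir -p "$base/nextcloud" "$base/caddydata" "$base/caddyconfig" \
             "$base/caddylogs" "$base/maria-data"
    write_value  "$base/mysql_user.txt"     nextcloud
    write_value  "$base/mysql_database.txt" nextcloud
    write_secret "$base/mysql_db_password.txt"
    write_secret "$base/mysql_root_password.txt"
    # Mode 0600 on the host is enough: both official images read the *_FILE
    # secrets in their root-run entrypoint before dropping privileges, and
    # anyone who can read these files locally owns the database.
}

# Returns 0 when every secret file exists, is non-empty, is mode 0600 and
# contains no newline; returns 1 on the first violation.
verify_secrets() {
    base=$1
    for f in mysql_user mysql_database mysql_db_password mysql_root_password; do
        p="$base/$f.txt"
        [ -s "$p" ] || return 1
        [ "$(stat -c '%a' "$p")" = "600" ] || return 1
        [ "$(wc -l < "$p")" -eq 0 ] || return 1
    done
    return 0
}

# Usage (as root, because /opt is root-owned):  sh prepare.sh /opt/nextcloud
if [ $# -ge 1 ]; then
    prepare_nextcloud_env "$1"
    verify_secrets "$1" && echo "secrets ready under $1"
fi
```

Run it once before docker compose up; if you later rotate the database password, regenerate mysql_db_password.txt and change the password inside MariaDB as well, because the file is only read on first initialisation.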

Deploy Nextcloud using Docker Compose

Now it’s time to deploy our docker-compose using the below command

docker compose up -d

Wait for the images to finish downloading and the containers to become available for installation. You can check the status using docker logs <container id> or docker compose logs -f.

Make sure that you have a DNS entry for your application (nextcloud.example.com) in your DNS management application.

Now open any browser and go to https://nextcloud.example.com (whichever host name you used for the site block in the Caddyfile) to complete the Nextcloud installation.

You will be greeted with the admin account creation page first.

Create an admin account by entering the user name and password. Click on Storage & database to provide the database details. Because the MYSQL_* variables are set in the compose file, the official image pre-fills the database user, password, database name and host (maria); verify them rather than retyping them.

SQLite can be used for minimal or development purposes.

I am going to select MySQL/MariaDB option because I will be using this Nextcloud instance to store my photo albums.

Check the 'Install recommended apps' check box to go with the default apps and click on the Finish button to complete the setup.

The installation will take about 10 minutes to complete. After a successful installation, we are greeted by the Nextcloud welcome screen.
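Once the instance is up, it is worth confirming that the Caddyfile does what the section above claims: the service-discovery redirects land on /remote.php/dav, the paths the @forbidden matcher blocks really answer 404 (without that block /data/.ocdata would be served), and the headers from the security snippet are present. The script below is an added smoke test, not part of the original post or of Nextcloud or Caddy. It assumes NEXTCLOUD_HOST holds the site name from the Caddyfile (nextcloud.example.com) and runs no network request unless that variable is set; the helpers that parse curl's header dump are separated so they can be checked on their own.

```shell
#!/bin/sh
# Added example, not from the original post: post-deployment smoke test for the
# Caddyfile. Assumption: NEXTCLOUD_HOST is the Caddy site name; nothing is
# fetched unless it is set.
set -eu

# Print the status code of the last response in a raw header dump from curl -I.
status_of() {
    awk 'toupper($1) ~ /^HTTP\// { code = $2 } END { print code }'
}

# Print the value of one header, matched case-insensitively, trailing CR stripped.
header_of() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line) }
        index(tolower(line), want ":") == 1 {
            sub(/^[^:]*:[ \t]*/, "", line); print line
        }'
}

# Decide whether one probe passed. Arguments: got-status, want-status,
# got-location, want-location (empty want-location = do not check). 0 on pass.
evaluate() {
    got=$1 want=$2 got_loc=$3 want_loc=$4
    [ "$got" = "$want" ] || return 1
    [ -z "$want_loc" ] || [ "$got_loc" = "$want_loc" ] || return 1
    return 0
}

# Fetch the headers for one path (no redirect following) and evaluate them.
probe() {
    path=$1 want=$2 want_loc=${3:-}
    hdrs=$(curl -sS -I --max-time 10 "https://$NEXTCLOUD_HOST$path")
    got=$(printf '%s\n' "$hdrs" | status_of)
    loc=$(printf '%s\n' "$hdrs" | header_of Location)
    if evaluate "$got" "$want" "$loc" "$want_loc"; then
        echo "PASS $path -> $got ${loc:+$loc}"
    else
        echo "FAIL $path -> got $got ${loc:+$loc}, wanted $want $want_loc"; return 1
    fi
}

run_checks() {
    fails=0
    probe /.well-known/carddav   301 /remote.php/dav                 || fails=$((fails+1))
    probe /.well-known/caldav    301 /remote.php/dav                 || fails=$((fails+1))
    probe /.well-known/webfinger 301 /index.php/.well-known/webfinger || fails=$((fails+1))
    probe /data/.ocdata          404 || fails=$((fails+1))   # 200 here means user files are exposed
    probe /config/config.php     404 || fails=$((fails+1))
    probe /status.php            200 || fails=$((fails+1))
    hdrs=$(curl -sS -I --max-time 10 "https://$NEXTCLOUD_HOST/status.php")
    [ -n "$(printf '%s\n' "$hdrs" | header_of Strict-Transport-Security)" ] \
        || { echo "FAIL Strict-Transport-Security missing"; fails=$((fails+1)); }
    [ -z "$(printf '%s\n' "$hdrs" | header_of Server)" ] \
        || { echo "FAIL Server header not removed"; fails=$((fails+1)); }
    return "$fails"
}

if [ -n "${NEXTCLOUD_HOST:-}" ]; then
    run_checks
else
    echo "set NEXTCLOUD_HOST=nextcloud.example.com to run the checks"
fi
```

Run it as NEXTCLOUD_HOST=nextcloud.example.com sh smoke.sh from a machine outside the Docker network; the exit status is the number of failed checks, so it slots into a cron job or CI step without further parsing.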


I hope you enjoyed reading this and gained some knowledge on how to deploy Nextcloud on Ubuntu using Docker Compose.

Please share your input and thoughts by commenting below. It helps me bring more articles that focus on open-source software to self-host.

Stay tuned for other deployments in coming posts… 🙄
