Running your own instance of Nextcloud is probably one of the best solutions for reclaiming some privacy and avoiding services hosted by Google, Apple or Microsoft. I tried to cover the task of installing Nextcloud on a Synology NAS here by using the archive file provided by Nextcloud. However, they also offer a very handy “AIO - all-in-one docker image” which will pretty much take care of everything.
I will try to guide you through the installation process using Ubuntu 22.04 as the example server OS. Usually, Docker images will run with root privileges, which I don’t consider best practice. As Nextcloud AIO will also work with Docker’s rootless mode, I will cover this as well.
I got most of the information from the official installation instructions; you can check them out here:
As said, I will use Ubuntu 22.04 as the example server OS. It can run on hardware or as a virtualized KVM guest. (You will need to configure grub at one point, so you require a dedicated kernel.)
HINT: make sure the server’s FQDN is not pointing to any local IP in
Assuming you have a fresh, secured and up-to-date installation of Ubuntu, let’s start by installing Docker first. You can either run their convenience script or simply add their repository manually by following the instructions given here. Once everything is installed, we will disable dockerd right away (we will not need it once we set up rootless mode):
Setup Docker rootless mode
Create a user
Create an unprivileged user/group and lock the user:
Now switch to that user and add some variables to its
Switch back to root.
Install Docker in rootless mode
We need some packages installed for rootless mode to work:
Switch back to the previously created user and run Docker’s script:
In the end you should have Docker daemon running and be able to control it via
Switch back to user root and make user services autostart on boot:
You should now have Docker installed in rootless mode!
Disable cgroups (Ubuntu 22.04)
There is an issue with cgroups and Ubuntu 22.04 which will prevent Nextcloud containers from starting in rootless mode. To disable cgroups execute as root:
Allow non-root users to open privileged ports
As the Nextcloud containers need to open privileged ports as a non-root user, run as root:
Switch to ncuser and restart dockerd:
HINT: make sure to repeat the above upon each Docker update!
Open firewall ports
Open TCP ports 80, 443, 8443 and UDP/TCP port 3478. In case of ufw:
Create a directory for Nextcloud data
We will need a directory outside the Docker container, which will host our user data. The directory needs to be owned by ncuser and others should NOT have access, i.e. (as root):
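A check for the ownership and permission requirement above, added here as an example and not part of the original post. The function name audit_datadir and its output format are made up for illustration, /nc/ncdata and ncuser are the names this guide uses, and GNU stat (as shipped with Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: audit the Nextcloud data directory described above.
# Assumes GNU coreutils stat (Ubuntu). audit_datadir is an illustrative
# helper, not part of Docker or Nextcloud AIO.

# audit_datadir DIR OWNER
# Prints one line per finding. Returns 0 only when DIR is a real
# directory, is owned by OWNER, and grants no permission bits to others.
audit_datadir() {
    dir=$1
    owner=$2
    findings=0

    # A symlink would make the checks below describe the link target only.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink; audit the real directory instead"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist or is not a directory"
        return 1
    fi

    actual_owner=$(stat -c '%U' -- "$dir")
    mode=$(stat -c '%a' -- "$dir")
    # The last octal digit of the mode holds the bits for "others".
    other=${mode#"${mode%?}"}

    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner"
        findings=$((findings + 1))
    fi
    if [ "$other" -ne 0 ]; then
        echo "FAIL: mode $mode gives others access (last digit must be 0)"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: $dir owner=$actual_owner mode=$mode"
    fi
    return "$findings"
}

# Usage when run as a script: sh audit_datadir.sh /nc/ncdata ncuser
if [ "$#" -eq 2 ]; then
    audit_datadir "$1" "$2"
fi
```

Running it again after Docker or Nextcloud AIO updates confirms that the directory's owner and mode have not drifted.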
Install Nextcloud AIO
Now we’re actually ready to install Nextcloud AIO. As ncuser run (default settings, replace /nc/ncdata with whatever directory you’ve created before):
Keep it running.
Point your DNS to the IP of your server and open https://<YOUR_URL>:8443 in a browser. It might take a moment, but you should be greeted by the password for your AIO container, and the site should have a valid certificate (I had to refresh the page manually once). Write down the password and log in. Follow the instructions given on the following page. You can now choose which containers to download. It’s ok to keep the defaults here. Once all containers are up, you can follow the link to log in to your new Nextcloud instance as user admin. I’d recommend logging in once as admin, creating a new admin user from there, then logging in with your new admin user and deleting the old one.
That’s it, you’ve got Nextcloud running!
Remove “missing default phone region” warning
On the security check page you will probably find a warning: “missing default phone region”. To fix that, execute as ncuser:
I’d also recommend configuring logrotate by following this. However, as we’re running in rootless mode, you’ll have to modify the configuration file a little:
Check out this to configure fail2ban for your AIO installation.
Running ‘occ’ commands
In case you need to run occ commands, remember to run them as ncuser and omit sudo of course! (See here on how to run
That should cover a basic installation. You should check all settings and tweak them to your needs, both in Nextcloud and in Nextcloud AIO. The latter will reveal some more settings once the Nextcloud containers are stopped. The Nextcloud AIO container will update itself and the other containers. Optionally, you can remove port 8443/tcp from your firewall again and just add it each time you want to connect to the AIO container.