Self Hosting a Private Nextcloud on Ubuntu Server

Nextcloud, a fork of ownCloud, is a free and open-source suite of client-server software that can be a great privacy-respecting replacement for Google Workspace or Office 365.

It has all the features of a traditional cloud service provider, including Collabora Online, OnlyOffice, calendar, contacts, an RSS feed reader, etc., with the added benefit of being completely open source, which puts you in control of your personal data.

Nextcloud is a full-on self-hosted productivity platform designed with compliance in mind, providing extensive data policy enforcement, encryption, user management and auditing capabilities. It keeps you in control of your data, eliminating the need for a third-party cloud hosting service.

Nextcloud is used by the German Federal Administration, the French Ministry of Interior, Siemens, and many other educational institutions, healthcare providers, and government agencies around the world.

You can try Nextcloud for free, or sign up for a free, limited Nextcloud account via one of the hosting providers. Nextcloud also provides an Enterprise edition in partnership with IONOS, as well as home server devices in partnership with manufacturers like HanssonIT, Syncloud, etc.

This tutorial will be covering installation and configuration of a Nextcloud instance on an Ubuntu Server.

I’ve used Microsoft Azure as an example; the steps will be the same for any other cloud provider, be it DigitalOcean, Linode, AWS, etc.

Step 1: Creating a Virtual Machine

Any basic virtual machine running Ubuntu 20.04 will suffice:

  • 1 GB RAM
  • 1 vCPU
  • 20 GB Storage

You’ll need to increase RAM and CPU if multiple people are using your Nextcloud instance, and you can add storage using object storage.

Pick a server location that’s closest to you for low latency, or a different geographical location for compliance or privacy reasons, or you could just host it on your own local machine.

Step 2: Updating the DNS Entry

Note down the IP address of the virtual machine, and go to your domain registrar and add an A record with the IP address of the VM.

Enter @ in the host section, your IP address in the value section, and update TTL to 3600.

We’ll be securing connections to our Nextcloud installation via TLS/SSL. Nextcloud can set up and manage a free, trusted SSL certificate from Let’s Encrypt if your server has a domain name.

You can skip this step if you don’t have a domain name yet. Nextcloud can set up a self-signed SSL certificate that encrypts connections, but it won’t be trusted by default in web browsers, and you’ll get an annoying warning message.

Step 3: Configuring the Virtual Machine for NextCloud

Now, let’s configure our server:

Step 3.1: Connect to the Server via SSH

Open up the terminal on your device, and run this command:

ssh root@123.45.67.89

If you chose a username while creating the virtual machine, use that instead of root, and replace 123.45.67.89 with the IP address of your VM.

You’ll be prompted with “The authenticity of host…”, just type yes, and then enter the password.

Step 3.2: Configure Automatic Updates

Let’s update packages and configure automatic updates so that our server gets patched automatically.

# Update packages
sudo apt update && sudo apt upgrade

# Install unattended-upgrades
sudo apt install unattended-upgrades

# Configure unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

# Test unattended-upgrades
sudo unattended-upgrades --dry-run --debug

Step 3.3: Creating a “sudo” user

If your cloud provider didn’t ask you to choose a username while creating the VM, you are given root access to your server. It is recommended not to use the “root” user, which has unlimited privileges and can execute any command, even ones that could potentially disrupt your server.

Let’s create a new user on the server that can use “sudo” to do day-to-day administration tasks.

# Create a new user
adduser username

# Add user to the "sudo" group
usermod -aG sudo username

# Check user's group
groups username

# Switching users
su - username
su - root

Step 3.4: Configure SSH Keys

Using SSH keys instead of passwords provides you with better security, as SSH keys are far longer and more complex than any password could ever be. You can also add an extra password to the SSH keys, requiring both the SSH key and the password to access the server.

Log out of the server or just open up a new terminal on your computer to create SSH keys:

# Create ssh keys (RSA, 4096 bits; -t rsa is explicit because -b only applies to RSA keys)
ssh-keygen -t rsa -b 4096

# View ssh keys
ls -l ~/.ssh

# Add public key to server
ssh-copy-id -i ~/.ssh/keyname.pub username@123.45.67.89

# Switch ssh keys on client
ssh-add ~/.ssh/keyname

During the ssh-keygen process, you’ll be prompted for a file location. Use the default one or give a new location by typing in /home/username/.ssh/keyname, and enter a strong password for the SSH key.

In the .ssh folder, there’ll be two files: the one with the “.pub” extension is your public key, and the other one is your private key. Never share the private key with anyone.

You might get a message like “Could not open a connection to your authentication agent” when switching SSH keys. In that case, you’ll need to start ssh-agent first using:

eval `ssh-agent`

Once done, you can log in to the server by just using the ssh username@123.45.67.89 command without entering the user password, although you will need to enter the password of your SSH key.

Step 3.5: Disable root login

Now that we have a new user with limited privileges that can run “sudo” commands and can access the server via SSH keys, let’s lock down our root user, as it is usually the most targeted account by hackers.

To do so, type in sudo nano /etc/ssh/sshd_config, and update PermitRootLogin to no and add AllowUsers username:

# Disable root login via SSH
PermitRootLogin no
AllowUsers username

Optionally, you can also go ahead and disable password-based login via SSH for all users, including the new user account we just created, by updating these values in the same sshd config file:

# Disable password-based login via ssh for all users [optional]
PasswordAuthentication no
ChallengeResponseAuthentication no

Once done, save the file using Ctrl + O & Ctrl + X, and restart the sshd service using this command:

sudo systemctl restart sshd
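
The settings from Step 3.5 only take effect if no earlier line in the file sets the same keyword, because sshd uses the first value it reads. The script below is an added example, not part of the original tutorial; the function names sshd_effective and audit_sshd and the sample files are hypothetical, and it assumes a single config file with no Match blocks or Include files.

```shell
#!/usr/bin/env bash
# Added example: audit a config file for the Step 3.5 settings,
# including the optional password-login lines.
# Assumption: single file; Match blocks and Include files are not followed.

# Print the effective value of a keyword. sshd keywords are
# case-insensitive and the first occurrence in the file wins.
sshd_effective() {   # usage: sshd_effective <file> <keyword>
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Return 0 only if every setting is in effect for the given admin user.
audit_sshd() {       # usage: audit_sshd <file> <admin-user>
  local file="$1" user="$2" rc=0 key val
  for key in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
    val=$(sshd_effective "$file" "$key")
    if [ "$val" != "no" ]; then
      echo "FAIL $key is '${val:-unset, sshd default applies}', expected 'no'"
      rc=1
    fi
  done
  val=$(sshd_effective "$file" AllowUsers)
  case " $val " in
    *" $user "*) ;;
    *) echo "FAIL AllowUsers does not list '$user'"; rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK all Step 3.5 settings are in effect"
  return "$rc"
}

# Constructed sample: "PermitRootLogin no" is shadowed by an earlier "yes".
sample_bad=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
  'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
  'AllowUsers username' 'PermitRootLogin no' > "$sample_bad"
# Constructed sample: the configuration the tutorial describes.
sample_good=$(mktemp)
printf '%s\n' 'permitrootlogin no' 'AllowUsers username' \
  'PasswordAuthentication no' 'ChallengeResponseAuthentication no' > "$sample_good"
trap 'rm -f "$sample_bad" "$sample_good"' EXIT

audit_sshd "$sample_bad" username || true
audit_sshd "$sample_good" username
```

On the server, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective configuration, Include files included. Keep your current SSH session open while you test a new login after the restart.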

Now your server is ready for Nextcloud. Let’s get into it.

Step 4: Installing Nextcloud

We’ll be using the Nextcloud Snap package to install Nextcloud on our server. The Snap packaging system comes preinstalled with Ubuntu and allows organizations to ship software, along with all associated dependencies and configuration, in a self-contained unit with automatic updates.

Snap packages make it much easier to install Nextcloud without doing much configuration of the web and database servers. We’ll just install the Snap package, which will handle all the underlying systems for us.

Run the following command to download and install the Nextcloud snap package:

sudo snap install nextcloud

This will download and install Nextcloud on your Ubuntu server, and you’ll be greeted with something like this:

nextcloud 22.1.1snap1 from Nextcloud✓ installed

You can also check if the installation process was successful or not by listing the changes associated with the snap:

snap changes nextcloud
# Output
ID   Status  Spawn               Ready               Summary
3    Done    today at 06:40 UTC  today at 06:41 UTC  Install "nextcloud" snap

We can view additional information about the Nextcloud Snap using the following commands:

# Basic description, management commands, and installed version
snap info nextcloud

# Network connections made by the snap
snap connections nextcloud

# All of the specific services and apps that this snap provides
cat /snap/nextcloud/current/meta/snap.yaml

This concludes the installation of Nextcloud. Let’s get into configuring an admin account.

Step 5: Configuring the Administrator Account

We can configure the admin account for our Nextcloud instance via the web interface by going to the IP address of our virtual machine or by visiting its URL in a browser.

Alternatively, we can create an admin account using the following command:

sudo nextcloud.manual-install username password

Replace username and password with the username and password of your choice, and you’ll be greeted with something like this:

Nextcloud was successfully installed

Now we have a fully functional Nextcloud instance with an administrative account set up. Up next, we’ll need to configure “Trusted Domains”.

Step 6: Configuring Trusted Domains

By default, Nextcloud only responds to requests for the “localhost” hostname. Since we’ll need to access Nextcloud via our domain name and IP address, we need to whitelist them in the config.php file, under the trusted_domains setting.

You can view the current settings using the following command:

sudo nextcloud.occ config:system:get trusted_domains
# Output
localhost

To add the domain name of your choice, use the following command:

sudo nextcloud.occ config:system:set trusted_domains 1 --value=example.com

Replace example.com with your domain name, and you’ll get an output like this:

System config value trusted_domains => 1 set to string example.com

You can add additional domains or even the IP address of the VM using the same config:system:set command, just increment the index number:

sudo nextcloud.occ config:system:set trusted_domains 2 --value=123.45.67.89
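
Because config:system:set writes to the index you give it, reusing an index replaces the entry already stored there. The helper below is an added example, not part of the original tutorial or of Nextcloud; the function name plan_trusted_domains is hypothetical. It prints the occ commands needed to append hosts at the next free index, and assumes config:system:get trusted_domains prints one entry per line with no gaps in the index numbers.

```shell
#!/usr/bin/env bash
# Added example: build occ commands that append hosts to trusted_domains
# without overwriting an index that is already in use.
# Assumption: the current list has one entry per line and no index gaps,
# so the next free index equals the number of entries.

plan_trusted_domains() {   # usage: plan_trusted_domains "<current list>" host...
  local current="$1" next host
  shift
  # Next free index = number of non-empty lines in the current list.
  next=$(printf '%s\n' "$current" | grep -c .) || true
  for host in "$@"; do
    # Accept only plain hostname/IP characters so the printed command is
    # safe to paste into a shell (wildcard entries are rejected here).
    case "$host" in
      ''|*[!A-Za-z0-9.:-]*) echo "skip: invalid host '$host'" >&2; continue ;;
    esac
    # Skip hosts that are already trusted (exact, case-insensitive match).
    if printf '%s\n' "$current" | grep -qixF -- "$host"; then
      continue
    fi
    echo "sudo nextcloud.occ config:system:set trusted_domains $next --value=$host"
    current=$(printf '%s\n%s' "$current" "$host")
    next=$((next + 1))
  done
}

# Constructed sample: the list as it stands after the first command in Step 6.
existing='localhost
example.com'
plan_trusted_domains "$existing" example.com 123.45.67.89 'bad host;id'
```

On the server, pass the live list with "$(sudo nextcloud.occ config:system:get trusted_domains)" as the first argument and review the printed commands before running them.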

Now, we just need to secure our connection to Nextcloud via an SSL certificate.

Step 7: Securing the Nextcloud Web Interface with SSL

We’ll be using a free SSL certificate from Let’s Encrypt; the Nextcloud snap package has built-in functionality to do just that.

To configure a free SSL certificate from Let’s Encrypt, use the following command:

sudo nextcloud.enable-https lets-encrypt

You’ll be greeted with something like this:

In order for Let's Encrypt to verify that you actually own the
domain(s) for which you're requesting a certificate, there are a
number of requirements of which you need to be aware:

1. In order to register with the Let's Encrypt ACME server, you must
   agree to the currently-in-effect Subscriber Agreement located
   here:

       https://letsencrypt.org/repository/

   By continuing to use this tool you agree to these terms. Please
   cancel now if otherwise.

2. You must have the domain name(s) for which you want certificates
   pointing at the external IP address of this machine.

3. Both ports 80 and 443 on the external IP address of this machine
   must point to this machine (e.g. port forwarding might need to be
   setup on your router).

Have you met these requirements? (y/n)

Type in y to continue. You’ll be prompted next to enter an email address for urgent notices and key recovery:

Please enter an email address (for urgent notices or key recovery):

Type in your email address and press Enter to continue.

Next up, you’ll need to enter the domain name associated with the Nextcloud server:

Please enter your domain name(s) (space-separated): example.com

If all goes well, you’ll have an output like this:

Attempting to obtain certificates... done
Restarting apache... done

And that’s it. Now you can go ahead and access your very own personal Nextcloud by going to the domain name https://example.com in your browser.

Setting Up SSL with Self-Signed Certificate (Optional)

Alternatively, if you went the no domain name route, you can set up SSL with a self-signed certificate.

A self-signed certificate will secure the web interface by providing access via an encrypted connection, but it won’t be able to verify the identity of the server, so web browsers will display a warning message.

Alright, here’s how we can set up a self-signed SSL certificate:

sudo nextcloud.enable-https self-signed
# Output
Generating key and self-signed certificate... done
Restarting apache... done

You now have a fully functional Nextcloud instance that you can access over an encrypted connection.

Step 8: Accessing Nextcloud Across Devices

You can now access your Nextcloud instance across all of your devices on your web browsers via the web interface using the domain name or the IP address.

You can also use the native Nextcloud apps to access your private Nextcloud instance.

Nextcloud Conclusion

All in all, Nextcloud is an amazing tool to self-host your very own personal cloud and regain control over your personal data.

You should check out the Nextcloud App Store to learn about all the cool apps and extensions you can add to your Nextcloud instance.
