Skip to Content
BlogsSelf-Hosting Nextcloud Guide

Introduction

Want your own private cloud storage like Google Drive/Dropbox and a photo management experience like Google Photos, but completely under your control and accessible securely from anywhere? This guide will walk you through setting up Nextcloud, enhanced with the Memories app for photo viewing, using Docker for easy management and Tailscale for secure remote access without opening firewall ports. We’ll use Caddy as an efficient reverse proxy. This guide assumes minimal technical experience, providing every command and explanation needed.

Who is this guide for?

  • Users comfortable with basic Linux command-line operations.
  • Anyone wanting to self-host their files and photos securely.
  • Users with a spare computer running Debian or Ubuntu (like Debian 12, Ubuntu 22.04 LTS, etc.).

Core Technologies Used:

  • Nextcloud: Open-source file sync, share, and collaboration platform. (Official Site)
  • Memories: A Nextcloud app providing a timeline/gallery view for photos and videos. (GitHub)
  • Tailscale: A zero-config VPN service creating a secure network between your devices. (Official Site)
  • Docker & Docker Compose: Containerization tools to run applications in isolated environments easily. (Docker Docs)
  • Caddy: A modern, easy-to-use web server and reverse proxy with automatic HTTPS. (Official Site)
  • MariaDB: Open-source database used by Nextcloud.
  • Redis: In-memory cache used by Nextcloud for performance.

Prerequisites

Before you begin, ensure you have the following:

  • Server: A computer or virtual machine running Debian 12 (Bookworm) or Ubuntu 24.04 LTS (Noble Numbat). Using these specific OS versions is recommended.
  • Hardware:
    • RAM: 8GB minimum recommended, 16GB+ ideal. Less RAM requires tuning (see Performance Considerations) and will be slower.
    • CPU: 64-bit multi-core processor recommended.
    • Storage: SSD Highly Recommended (SATA or NVMe, 256GB+) for the OS, Docker, databases, and caches. A separate HDD can be used for bulk media files (via External Storage).
  • Internet: A stable internet connection for the server.
  • Tailscale Account: Sign up for a free account at Tailscale.
  • Skills: Basic familiarity with a Linux terminal (cd, nano, sudo, copy/paste).
  • Access: SSH access to the server or direct physical access.
  • Backup Strategy: CRITICAL! Have a plan to back up your data. This guide does not cover backups.

Phase 1: Preparing Your Server

These steps are performed on your Debian/Ubuntu server via SSH or direct access.

  1. Access Your Server:

    • Connect via SSH: ssh <your_username>@<your_server_ip>
    • Or open a terminal directly on the server.

  2. Update System Packages:

    # Purpose: Ensure OS is secure and up-to-date
sudo apt update && sudo apt upgrade -y

  3. Install Docker and Docker Compose:

    • Install prerequisites: 
      sudo apt install ca-certificates curl gnupg -y
    • Add Docker’s official GPG key: 
      sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
    • Set up the Docker repository: 
      # Purpose: Add Docker's official package source (Auto-detects Debian/Ubuntu version)
# Source: https://docs.docker.com/engine/install/debian/#install-using-the-repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/$(. /etc/os-release && echo "$ID") \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
    • Install Docker components: 
      # Purpose: Install Docker Engine, CLI, Containerd, and Compose plugin
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

  4. Verify Docker Installation:

    • Run the following commands. They should output version numbers without errors. 
      docker --version
docker compose version

  5. Add Your User to the Docker Group (Recommended):

    • This step allows running docker and docker compose commands without sudo.
    • Add user to group: 
      sudo usermod -aG docker $USER
    • IMPORTANT: You must log out and log back in (or close and reopen your SSH session) for this group change to take effect. Alternatively, run newgrp docker in your current session (this only affects the current shell).
    • Test (after re-logging in): 
      # Purpose: Verify you can run docker commands without sudo
docker run hello-world
      (If this fails with a permission error, you didn’t re-login correctly, or you can choose to prepend sudo to all docker compose commands going forward).

  6. Set Up Firewall with UFW (Uncomplicated Firewall):

    # Purpose: Install and configure basic firewall rules
sudo apt install ufw -y
sudo ufw default deny incoming    # Block incoming by default
sudo ufw default allow outgoing   # Allow outgoing by default
sudo ufw allow OpenSSH          # Allow SSH access (use your port if not 22, e.g., 22/tcp)
sudo ufw enable                 # Enable the firewall
    • Action: Confirm with y when prompted. Ensure SSH is allowed before confirming, otherwise you might lock yourself out!
    • Verify status: 
      sudo ufw status verbose
      (Check that Status is active and your SSH rule is listed under ALLOW IN).

  7. (Optional) Configure Lid Close Action for Laptops:

    • Purpose: Prevent laptop server from suspending when lid is closed.
    • Edit config file: 
      sudo nano /etc/systemd/logind.conf
    • Action: Find lines starting with #HandleLidSwitch.... Uncomment them (remove #) and set the value to ignore. It should look like this: 
      HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore
    • Save and Close: Press Ctrl+X, then Y, then Enter.
    • Restart service: 
      sudo systemctl restart systemd-logind.service

Phase 2: Setting Up Tailscale for Secure Access

Tailscale creates your secure private network.

  1. Install Tailscale on the Server:

    # Purpose: Install Tailscale client service from official source
curl -fsSL https://tailscale.com/install.sh | sh
# Verify installation
tailscale --version

  2. Connect Server to Your Tailnet:

    # Purpose: Start Tailscale and authenticate the server
sudo tailscale up
# Optional: Add --advertise-routes=192.168.1.0/24 (replace with YOUR LAN subnet)
#           to access home network devices from other Tailscale clients.
    • Action: A URL will be printed. Copy this URL and open it in a browser on any device. Log in to your Tailscale account and authorize the new server.
    • Action (If using —advertise-routes): Go to the Tailscale Admin Console (https://login.tailscale.com/admin/machines), find your server, click the three dots (...), choose “Edit route settings…”, and enable the advertised subnet route.

  3. Verify Tailscale Connection & Get Identifiers:

    • Verify server status: 
      # Purpose: Confirm server is connected to Tailscale
tailscale status
      (Look for your server hostname listed with an IP and status like online).
    • Get Tailscale IP: 
      # Purpose: Find the server's private Tailscale IP address
tailscale ip -4
      • Action: Note the 100.x.y.z IP address. This is <Your Server's Tailscale IP>.
    • Get MagicDNS Name:
      • Action: Go to the Tailscale Admin Console (https://login.tailscale.com/admin/machines). Find your server in the list. Note its full DNS name (e.g., your-server-name.your-tailnet.ts.net). This is <Your Server's MagicDNS Name>.

  4. Install Tailscale on Client Devices:

    • Action: On each device (Android, iOS, Windows, Mac, Linux) you want to use to access Nextcloud, download and install Tailscale from https://tailscale.com/download or the device’s app store.
    • Action: Log in to the Tailscale app on each client using the same Tailscale account used for the server.
    • Verify: Ensure Tailscale shows as “Active” or “Connected” on the clients.

Phase 3: Setting Up the Docker Stack (Nextcloud, MariaDB, Redis, Caddy)

Run these commands on your server.

  1. Create Project Directory & Navigate Into It:

    # Purpose: Organize configuration files
sudo mkdir -p /srv/nextcloud-stack
cd /srv/nextcloud-stack

  2. Create Host Directories for Persistent Data:

    # Purpose: Store data outside containers to prevent loss
# !! IMPORTANT: Create these on your SSD if possible for performance !!
# Adjust base path '/srv/nextcloud-stack/' if your SSD is mounted elsewhere
sudo mkdir -p /srv/nextcloud-stack/nextcloud_data
sudo mkdir -p /srv/nextcloud-stack/mariadb_config
sudo mkdir -p /srv/nextcloud-stack/mariadb_data
sudo mkdir -p /srv/nextcloud-stack/caddy_certs
sudo mkdir -p /srv/nextcloud-stack/caddy_data
sudo mkdir -p /srv/nextcloud-stack/caddy_config
 
# Set ownership for Nextcloud data directory (UID 33 = www-data user inside container)
sudo chown -R 33:33 /srv/nextcloud-stack/nextcloud_data

  3. Create Environment File (.env):

    # Purpose: Store secrets securely
sudo nano .env
    • Action: Paste the following content. Replace placeholders (<...>) with YOUR own strong, unique passwords (use a password manager to generate them). 
      # --- MariaDB Settings ---
MYSQL_ROOT_PASSWORD=<YOUR_STRONG_MARIADB_ROOT_PASSWORD>
MYSQL_DATABASE=nextcloud_db
MYSQL_USER=nextcloud_user
MYSQL_PASSWORD=<YOUR_STRONG_NEXTCLOUD_DB_PASSWORD>

# --- Optional: Timezone ---
# Find yours: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=Etc/UTC
    • Save and Close: Press Ctrl+X, then Y, then Enter.
    • Set permissions: 
      # Purpose: Make file readable only by owner (root)
sudo chmod 600 .env

  4. Create MariaDB Custom Configuration (custom.cnf):

    # Purpose: Tune database memory & allow triggers
sudo nano /srv/nextcloud-stack/mariadb_config/custom.cnf
    • Action: Paste the following content. Adjust 1G based on your server’s available RAM (e.g., use 512M or 256M for <8GB RAM). 
      [mysqld]
innodb_buffer_pool_size = 1G
log_bin_trust_function_creators = 1
    • Save and Close: Press Ctrl+X, then Y, then Enter.

  5. Generate Self-Signed Root CA Certificate:

    • Navigate to certs directory: 
      cd /srv/nextcloud-stack/caddy_certs
    • Create OpenSSL config file: 
      # Purpose: Create SSL certificate for Caddy to use for HTTPS on Tailscale network
sudo nano openssl.cnf
    • Action: Paste the following content. Replace <Your Server's MagicDNS Name> and <Your Server's Tailscale IP> with YOUR actual values noted earlier. 
      [req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
 
[req_distinguished_name]
CN = <Your Server's MagicDNS Name> # e.g., your-server.your-tailnet.ts.net
 
[v3_req]
basicConstraints = CA:TRUE # Mark as CA for iOS trust
nsCertType = server
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
 
[alt_names]
DNS.1 = <Your Server's MagicDNS Name> # e.g., your-server.your-tailnet.ts.net
IP.1 = <Your Server's Tailscale IP> # e.g., 100.x.y.z
    • Save and Close: Press Ctrl+X, then Y, then Enter.
    • Generate the key and certificate: 
      # Purpose: Create private key and public certificate valid for 10 years
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout private.key -out certificate.crt -days 3650 -config openssl.cnf -extensions v3_req
    • Verify files created: 
      ls -l
      (You should see certificate.crt and private.key listed).
    • Go back to project directory: 
      cd /srv/nextcloud-stack

  6. Create Caddyfile:

    # Purpose: Configure Caddy reverse proxy
# Make sure you are in /srv/nextcloud-stack
sudo nano Caddyfile
    • Action: Paste the following content. Replace <Your Server's MagicDNS Name> and <Your Server's Tailscale IP> with YOUR actual values. 
      <Your Server's MagicDNS Name>, <Your Server's Tailscale IP> {
    # Point to the generated certificate files mounted into the container
    tls /etc/caddy/certs/certificate.crt /etc/caddy/certs/private.key

    # Add security header recommended by Nextcloud scan
    header Strict-Transport-Security "max-age=15552000;" always

    # Recommended redirects for CalDAV/CardDAV discovery
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301

    # Reverse proxy requests to the Nextcloud app container
    reverse_proxy http://app:80 {
        header_up Host {http.request.host}
        header_up X-Real-IP {http.request.remote.host}
        header_up X-Forwarded-Proto {http.request.scheme}
    }
}

# Redirect HTTP to HTTPS
http://<Your Server's MagicDNS Name>, http://<Your Server's Tailscale IP> {
   redir https://{host}{uri} permanent
}
    • Save and Close: Press Ctrl+X, then Y, then Enter.

  7. Create Docker Compose File (docker-compose.yml):

    # Purpose: Define all the services (Nextcloud, DB, Redis, Caddy)
# Make sure you are in /srv/nextcloud-stack
sudo nano docker-compose.yml
    • Action: Paste the following content. Review and adjust paths and the PHP_MEMORY_LIMIT based on your system RAM. Replace <Your Server's MagicDNS Name> placeholder. 
      services:
  app:
    image: nextcloud:apache # Using Apache variant, consider specific version e.g., nextcloud:29-apache
    container_name: nextcloud_app
    restart: always
    volumes:
      # Named volumes managed by Docker (location defined below)
      - nextcloud_config:/var/www/html/config
      - nextcloud_apps:/var/www/html/custom_apps
      # Bind mount for main user data (uses host path)
      - /srv/nextcloud-stack/nextcloud_data:/var/www/html/data
      # Example external storage mount (uncomment and adjust path if using)
      # - /mnt/my_external_hdd:/media/external_hdd:rw
    environment:
      - MYSQL_HOST=db
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - REDIS_HOST=redis
      - OVERWRITEPROTOCOL=https
      # Adjust based on RAM (e.g., 1G-2G for 16GB+, 512M-768M for `<8GB`)
      - PHP_MEMORY_LIMIT=1G
      - TZ=${TZ} # Timezone from .env
      # Trust Caddy's static IP from the network defined below
      - TRUSTED_PROXIES=172.20.0.2 # Caddy's static IP
    extra_hosts:
      # Help container resolve itself via proxy using static IP
      - "<Your Server's MagicDNS Name>:172.20.0.2" # Replace MagicDNS Name
    depends_on:
      - db
      - redis
      - caddy
    networks:
      nextcloud_network: # Assign to custom network
        ipv4_address: 172.20.0.3 # Assign static IP to Nextcloud app
 
  db:
    image: mariadb:11.4 # Use specific stable version
    container_name: nextcloud_db
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW --log_bin_trust_function_creators=1
    volumes:
      # Bind mount for DB data (adjust host path to SSD if possible)
      - /srv/nextcloud-stack/mariadb_data:/var/lib/mysql
      # Mount custom config for tuning
      - /srv/nextcloud-stack/mariadb_config:/etc/mysql/conf.d:ro
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - TZ=${TZ}
    networks:
      nextcloud_network:
        ipv4_address: 172.20.0.4 # Assign static IP to DB
 
  redis:
    image: redis:alpine # Lightweight image
    container_name: nextcloud_redis
    restart: always
    networks:
      nextcloud_network:
        ipv4_address: 172.20.0.5 # Assign static IP to Redis
 
  caddy:
    image: caddy:latest
    container_name: nextcloud_caddy
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp" # For HTTP/3
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile # Use Caddyfile from host
      # Bind mount for Caddy data (adjust host path to SSD if possible)
      - /srv/nextcloud-stack/caddy_data:/data
      - /srv/nextcloud-stack/caddy_config:/config
      # Mount generated certs (use absolute path)
      - /srv/nextcloud-stack/caddy_certs:/etc/caddy/certs:ro
    environment:
      - TZ=${TZ}
    networks:
      nextcloud_network:
        ipv4_address: 172.20.0.2 # Assign static IP to Caddy
 
volumes:
  # Define named volumes (Docker manages these in /var/lib/docker/volumes/)
  # You generally don't need to map these unless you want explicit host paths
  nextcloud_config:
  nextcloud_apps:
 
networks:
  nextcloud_network: # Define the network explicitly
    driver: bridge
    name: nextcloud_network # Give it a fixed name
    ipam: # IP Address Management for this network
      config:
        - subnet: 172.20.0.0/16 # Define the subnet for static IPs
          # Optional: Specify gateway if needed
          # gateway: 172.20.0.1
    • Action: Save and Close (Ctrl+X, Y, Enter).

Phase 4: Starting and Configuring Nextcloud

  1. Start the Docker Stack:

    # Make sure you are in /srv/nextcloud-stack
# Use 'sudo docker compose' if you didn't add user to docker group
docker compose up -d
    • Action: Docker Compose will download images (if needed) and start all containers defined in the docker-compose.yml file in detached mode (-d).
    • Monitor startup logs (optional): 
      docker compose logs -f
      (Press Ctrl+C to stop viewing logs).

  2. Initial Nextcloud Web Setup:

    • Action: On a device connected to your Tailscale network, open a web browser.
    • Action: Navigate to https://<Your Server's MagicDNS Name> (replace placeholder with your actual MagicDNS name).
    • Action: You will see a browser warning about an untrusted certificate because it’s self-signed. Click “Advanced”, then “Proceed to…” or “Accept the Risk and Continue”.
    • Action: Follow the Nextcloud setup wizard on the screen:
      • Create your admin username and a strong password. Store these securely.
      • The database section should be automatically configured using the details from your .env file.
      • Click Install (or Finish setup).
      • You can skip installing recommended apps for now (click “Install recommended apps” later if desired).

  3. Run Essential occ Commands:

    • Purpose: Configure Nextcloud to work correctly behind the Caddy reverse proxy and set recommended options.
    • Action: Run these commands one by one on your server terminal, inside the /srv/nextcloud-stack directory. Replace placeholders with YOUR actual values. 
      # Set trusted domains (MagicDNS and IP, NO ports)
docker compose exec --user www-data app php occ config:system:set trusted_domains 0 --value="<Your Server's Tailscale IP>"
docker compose exec --user www-data app php occ config:system:set trusted_domains 1 --value="<Your Server's MagicDNS Name>"
 
# Set overwrite parameters (use MagicDNS name)
docker compose exec --user www-data app php occ config:system:set overwritehost --value="<Your Server's MagicDNS Name>"
docker compose exec --user www-data app php occ config:system:set overwriteprotocol --value="https"
docker compose exec --user www-data app php occ config:system:set overwrite.cli.url --value="https://<Your Server's MagicDNS Name>"
 
# Set header for correct client IP detection behind proxy
docker compose exec --user www-data app php occ config:system:set forwarded_for_headers 0 --value="HTTP_X_FORWARDED_FOR"
 
# Set Redis for file locking (improves performance/reliability)
docker compose exec --user www-data app php occ config:system:set memcache.locking --value='\OC\Memcache\Redis'
docker compose exec --user www-data app php occ config:system:set redis host --value=redis
 
# Set default phone region (Needed for profile settings - replace XX with your 2-letter country code, e.g., US, GB, IN)
docker compose exec --user www-data app php occ config:system:set default_phone_region --value=XX
 
# Set maintenance window (avoids heavy background jobs during peak hours - value is 0-23 hour)
docker compose exec --user www-data app php occ config:system:set maintenance_window_start --type=integer --value=3
    • Restart Nextcloud app container: 
      # Purpose: Ensure all configuration changes are fully applied
docker compose restart app

Phase 5: Installing and Configuring Memories & Previews

  1. Install Dependencies Inside Nextcloud Container:

    # Purpose: Install ffmpeg (for video previews) and imagick (for HEIC/image previews)
# Use 'sudo docker compose' if needed
docker compose exec app apt update
docker compose exec app apt install -y --no-install-recommends ffmpeg libmagickwand-dev
docker compose exec app pecl install imagick
docker compose exec app docker-php-ext-enable imagick
docker compose restart app # Restart to load PHP extension

  2. Verify Dependencies Installation:

    • Run these commands. The first should output imagick. The second should output paths like /usr/bin/ffmpeg /usr/bin/ffprobe. 
      docker compose exec app php -m | grep imagick
docker compose exec app which ffmpeg ffprobe

  3. Install Nextcloud Apps (Memories & Preview Generator):

    • Action: Log in to Nextcloud web UI as admin (https://<Your Server's MagicDNS Name>).
    • Action: Go to Apps menu (click user icon in top right -> Apps).
    • Action: Search for “Memories”, click “Download and enable”.
    • Action: Search for “Preview Generator”, click “Download and enable”.

  4. Configure Nextcloud Cron Job:

    • Action: In Nextcloud web UI: Go to Administration Settings -> Basic settings -> Background jobs -> Select Cron.
    • Action: On the Debian host server, add the cron job:
      • Run sudo crontab -e (select nano if prompted).
      • Add this line to the bottom: 
        */5 * * * * docker exec --user www-data nextcloud_app php -f /var/www/html/cron.php
      • Save and close (Ctrl+X, Y, Enter).

  5. Configure Memories App:

    • Action: In Nextcloud web UI: Go to Administration Settings -> Memories.
    • Action: Go to the “File Support” section. Verify ffmpeg and ffprobe errors are gone.
      • If errors persist, run these commands on the server (using paths found by which): 
        docker compose exec --user www-data app php occ config:app:set memories ffmpeg --value="/usr/bin/ffmpeg"
docker compose exec --user www-data app php occ config:app:set memories ffprobe --value="/usr/bin/ffprobe"
        (Then refresh the Memories admin page).
    • Action: Go to the “Performance” section. Verify the “Database triggers not set up” warning is gone.
      • If warning persists, run this command on the server: 
        docker compose exec --user www-data app php occ maintenance:repair
        (Then refresh the Memories admin page).
    • Action: Go to the “Video Streaming” section. Ensure “Enable transcoding” is UNCHECKED (unless you have powerful hardware and specifically want it).

  6. Run Initial Indexing/Preview Generation (Use screen or tmux):

    • Purpose: Process existing files for Memories and generate Nextcloud previews. This will take a very long time for large libraries, especially on HDDs. Running inside screen or tmux allows you to disconnect your SSH session without stopping the process.
    • Action: On the Debian host server: 
      # Navigate to project directory
cd /srv/nextcloud-stack
 
# Start screen session (or use tmux: tmux new -s initialscan)
screen -S initialscan
 
# Run Memories indexing (inside screen session)
# Use 'sudo docker compose' if needed
docker compose exec --user www-data app php occ memories:index
 
# Run Preview generation (inside screen session)
docker compose exec --user www-data app php occ preview:generate-all -vv
 
# Detach from screen session (process keeps running)
# Press Ctrl+A, then press D
    • You can now safely exit your SSH session.
    • Action (Optional): To check progress later, SSH back in and re-attach: screen -r initialscan (or tmux attach -t initialscan).

Phase 6: Optional Storage Configuration

  1. External Storage (Accessing Additional Drives like /mnt/nasdrive):

    • Action: Ensure the “External storage support” app is enabled in Nextcloud (Apps menu).
    • Action: Edit docker-compose.yml (sudo nano docker-compose.yml).
    • Action: Add a volume mount to the app service’s volumes: section. Use :ro for read-only if Nextcloud shouldn’t write here. 
      volumes:
  # ... other volumes ...
  - /mnt/nasdrive:/media/nasdrive:rw # Host path : Path inside container : Permissions
    • Action: Apply changes: docker compose up -d --force-recreate app
    • Action: Grant www-data (UID 33) permissions to /mnt/nasdrive on the host (use sudo chown -R 33:33 /mnt/nasdrive or group permissions/ACLs).
    • Action: In Nextcloud Admin Settings -> External storage -> Add storage:
      • Type: Local
      • Folder name: NAS Drive (or your choice)
      • Configuration: /media/nasdrive (path inside container)
      • Available for: Select users/groups.
      • Save (click checkmark).
    • Verify: Look for a green checkmark next to the storage entry. Check if users can see the folder in their Files app.

  2. Group Folders (Shared Folder for All):

    • Action: Enable “Group Folders” app in Nextcloud Apps menu.
    • Action: In Admin Settings -> Users: Create a group (e.g., allusers), add desired users to it.
    • Action: In Admin Settings -> Group folders: Click + Create a group folder, name it (e.g., Shared Files), assign the allusers group, set desired permissions (Write, Share, Delete).
    • Verify: Folder appears automatically for group members in Files app.

Phase 7: Setting Up Client Devices (Instructions for End Users)

  • Provide these instructions to your users. You must also provide them with:
    • Your Server’s MagicDNS Name (e.g., your-server.your-tailnet.ts.net)
    • The Tailscale login method or invitation.
    • Their unique Nextcloud Username and Password.
    • (iOS Only): The Root CA certificate file (certificate.crt).

A. Android Setup

  1. Install Tailscale: Open Google Play Store, search Tailscale, tap Install.
  2. Log in to Tailscale: Open Tailscale app, log in using the method provided by your admin. Ensure it shows “Active”.
  3. Install Nextcloud: Open Google Play Store, search Nextcloud, tap Install.
  4. Log in to Nextcloud:
    • Open Nextcloud app, tap Log in.
    • Server address: Enter https:// followed by the MagicDNS Name provided by your admin.
    • Tap Log in / arrow.
    • Accept security warning about certificate if it appears (look for “Trust” or “Proceed”).
    • Enter your Nextcloud Username and Password.
    • Tap Log in. Grant permissions if asked.
  5. Using: Files tab shows personal files. Look for the shared folder (ask admin for name) for common files. Configure Auto Upload in “More” tab if desired.

B. iPhone/iPad Setup

  1. Install Tailscale: Open App Store, search Tailscale, tap Get/Install.
  2. Log in to Tailscale: Open Tailscale app, log in using the method provided by your admin. Ensure it shows “Active”.
  3. Transfer & Install Certificate:
    • Action: Get the certificate.crt file from your admin (e.g., via Email, AirDrop).
    • Action: Tap the .crt file. Tap Allow if asked about downloading a profile. Tap Close.
    • Action: Open Settings app -> tap Profile Downloaded (near top) OR go to General -> VPN & Device Management and tap the profile.
    • Action: Tap Install (top right). Enter passcode. Tap Install (warning screen). Tap Install again. Tap Done.
  4. Trust the Certificate:
    • Action: Go back to Settings -> General -> About.
    • Action: Scroll all the way down -> tap Certificate Trust Settings.
    • Action: Find the server name (matching the certificate) -> Toggle the switch ON. Tap Continue.
  5. Install Nextcloud: Open App Store, search Nextcloud, tap Get/Install.
  6. Log in to Nextcloud:
    • Open Nextcloud app, tap Log in.
    • Server address: Enter https:// followed by the MagicDNS Name provided by your admin.
    • Tap Log in / arrow. (Should connect without certificate errors now).
    • Enter your Nextcloud Username and Password.
    • Tap Log in. Grant permissions if asked.
  7. Using: Files tab shows personal files. Look for the shared folder (ask admin for name) for common files. Configure Auto Upload in “More” tab -> Settings -> Auto upload if desired.

Phase 8: Maintenance & Next Steps

  • Backups (CRITICAL):
    • What to Back Up Regularly:
      • Configuration Directory: /srv/nextcloud-stack/ (includes .env, docker-compose.yml, Caddyfile, mariadb_config, caddy_certs).
      • Nextcloud Data Directory: /srv/nextcloud-stack/nextcloud_data/.
      • Database Data Volume: /srv/nextcloud-stack/mariadb_data/. Performing a database dump is often safer.
      • Other Data Volumes: /srv/nextcloud-stack/caddy_data/, /srv/nextcloud-stack/caddy_config/.
      • Docker Named Volumes: Check /var/lib/docker/volumes/ for nextcloud-stack_nextcloud_config and nextcloud-stack_nextcloud_apps (or similar prefixed names) if you didn’t use bind mounts for everything.
    • How: Use tools like rsync, restic, borgbackup, or simple cp/tar scripts scheduled via host cron to copy these essential items regularly to another location (external HDD, another server, cloud storage).
    • Database Dump Example (Run via Host Cron): 
      # In /srv/nextcloud-stack, ensure .env is readable or run as root
source /srv/nextcloud-stack/.env # Load DB credentials (might need sudo source if .env owned by root)
# Dump command (adjust backup path)
docker compose exec -T db mariadb-dump --single-transaction -h localhost -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE | gzip > /path/to/backups/nextcloud-db-$(date +%Y%m%d).sql.gz
      (The -T flag disables pseudo-TTY allocation, often needed for piping within cron. Secure the backup file.)
  • Updates:
    • OS: Regularly run sudo apt update && sudo apt upgrade -y on the host.
    • Docker Images: Periodically update containers: 
      # In /srv/nextcloud-stack
# Use 'sudo docker compose' if needed
docker compose pull # Download newer image versions defined in compose file
docker compose up -d --remove-orphans # Recreate containers using new images
    • Nextcloud Core Update: After updating the Docker image, log in to Nextcloud web UI. It might require a web-based update step or running occ upgrade: 
      docker compose exec --user www-data app php occ upgrade
    • Nextcloud Apps: Update individual Nextcloud apps via the Apps menu in the web UI when available.
  • Monitoring:
    • Periodically check system resources using htop on the host.
    • Check container resource usage with docker stats (or sudo docker stats).
    • Review Nextcloud logs (Admin -> Logging) and container logs (docker compose logs <service_name>) for errors.

Performance Considerations (Especially for Low RAM < 16GB)

  • Tune PHP Memory: Lower PHP_MEMORY_LIMIT in docker-compose.yml (e.g., 768M or 512M).
  • Tune Apache Workers: Edit /etc/apache2/mods-available/mpm_prefork.conf inside the app container (docker compose exec app nano ...) and significantly reduce MaxRequestWorkers (e.g., to 10 or 15) and related SpareServers values. Restart app container after changes.
  • Tune MariaDB: Lower innodb_buffer_pool_size in custom.cnf (e.g., 512M or 256M). Restart db container.
  • Swappiness: Consider lowering host swappiness (sudo sysctl vm.swappiness=10, add to /etc/sysctl.conf).
  • Disable Apps: Disable unused Nextcloud apps.
  • Avoid Resource-Intensive Features: Don’t enable Memories transcoding or AI features (Recognize/Face Recognition) on low-RAM systems.

Conclusion

Congratulations! You’ve set up a powerful, private Nextcloud instance with photo management capabilities via Memories, accessible securely from anywhere using Tailscale. Explore the apps, configure clients, and remember to implement a solid backup strategy. Enjoy your self-hosted cloud!

BlogsAI Trajectory: Bias & Future