How to deploy Nextcloud using rootless Podman
Make use of Quadlets and Kubernetes files, to make managing your services easier
Prerequisites
For this tutorial, you are going to need a few things. I am assuming that you already have these, but if you don't, a quick internet search should point you in the right direction.
- A linux server with a public IP address
- A domain name
- Podman version 4.4 or higher
- Knowledge of how to set up a reverse proxy
- Cloudflare tunnels handles certificates and you don't have to do port-forwarding. It is very convenient. It proxies through cloudflare's servers.
- Caddy also handles certificates if you want a more local solution. You will have to do port-forwarding if you're behind a NAT, though.
Why use Nextcloud?
If you're on this page, you probably already know why you want to use Nextcloud, but in case you don't, I'll summarise here; because Nextcloud is an private, self-hosted alternative to many of Google's services. Great for individuals and companies who care about their privacy and/or who don't want their data to be used to train AI's. It offers cloud storage, a calendar, a photo library, an online meeting platform and online office applications, among other things.
Why use Podman?
If you're already looking for a containerised solution, you might be wondering, why not just use Docker? Because Podman makes setting up rootless containers very easy. This is nice, because it adds an extra layer of security over your services, preventing attackers from gaining root privileges if they manage to gain access to your system through an insecure service.
Why use Quadlets?
Because Quadlets makes managing container services on your system very easy. If you use quadlets, you can manage all your containers services in a centralised place, in the same way that you manage all the other services on your system. It also allows for the convenient podman auto-update command, which automatically updates and restarts containerized services for you.
Why use Kubernetes files?
Because Kubernetes files allow for easy configuration of pods, similar to docker compose, but with the added benefit of being compatible with Kubernetes orchestration, if you ever want to go that route. Additionally, Kubernetes files are officially supported by Podman, while compose files are not.
Setting up
First, you want to create a new user with a home directory. This can be done with the following commands:
useradd -m nextcloud && passwd nextcloud
Then, log out and log in to the new nextcloud account.
For the next steps, I have prepared some configuration files in a GitHub repository. I'll provide a rundown of what each files is:
caddy/Caddyfile- This is the webserver that is used to serve Nextcloud files to your browser.
example.config.php- This is an example of some configuration rules for Nextcloud. They will be explained later in the tutorial.
nextcloud-*-secrets.yaml- These files hold environment variables with passwords for the containers.
nextcloud.kube- This file is similar to a systemctl service file and allows us to manage our containers through systemctl.
nextcloud.yaml- This is a Kubernetes pod configuration. This is similar to a docker compose configuration, but it is compatible with Kubernetes. It defines the containers and their settings and groups them into a pod.
Download these release archive, extract the files into a folder called nextcloud-app and cd into that folder:
curl -L -O https://github.com/dexterdy/nextcloud-kubernetes-podman-config/archive/refs/tags/v1.2.tar.gz
tar -xzf ./v1.2.tar.gz
mv ./nextcloud-kubernetes-podman-config-1.2 ./nextcloud-app
cd ./nextcloud-app
If you want to use a different folder name or you didn't put it in your home directory, you will have to edit the nextcloud.kube file and change the following line:
Yaml=%h/nextcloud-app/nextcloud.yaml # <-- change this
After this, you should move the .kube file to the container systemd directory:
mkdir -p ~/.config/containers/systemd/; mv ./nextcloud.kube $_
Configuring storage
If you want the the data to live on the same drive as the configuration files, you can simply create the following folders and move on to the next section:
mkdir db html data
If, however, you want your data to live on a separate drive or even on a NAS of some kind, you will need to adjust the configuration file, nextcloud.yaml and scroll down to the following section:
volumes:
# change paths to store data elsewhere
# make sure you have write permissions
- hostPath:
path: caddy/caddy_data
type: Directory
name: nextcloud_caddy_data
- hostPath:
path: caddy/Caddyfile
type: File
name: nextcloud_caddyfile
- hostPath:
path: db
type: Directory
name: nextcloud_db
- hostPath:
path: html
type: Directory
name: nextcloud_html
- hostPath:
path: data
type: Directory
name: nextcloud_data
Here you can simply change the path to whatever location you want and the data will be stored there. Just make sure that the directories actually exist, are empty and that the nextcloud user has read, write and execute permissions. A path without a / in front of it, is relative to the location of this yaml file.
The directories store the following content:
db: metadata on users, plugins, files, etchtml: all the Nextcloud files, such as configurations, plugin files, php and html filesdata: user data, including their cloud storage
You most likely want to change the path of thedatadirectory.
Secrets and admin account
In the nextcloud-app folder, you will find three files for storing your secrets: nextcloud-collabora-secrets.yaml, nextcloud-db-secrets.yaml and nextcloud-redis-secrets.yaml. In these files, you should fill in unique and secure passwords. Take for example nextcloud-db-secrets.yaml:
apiVersion: v1
kind: Secret
metadata:
name: nextcloud-db-secrets
type: Opaque
stringData:
MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud
MYSQL_ROOT_PASSWORD: # your password
MYSQL_PASSWORD: # your password
The other files will look similar. The fields where you should add a password are marked with a comment.
Now you are ready to start the server for the first time and create an admin account. The server will only be available on your local network, for now.
systemctl daemon-reload --user # makes a systemd service out of the .kube file
systemctl start nextcloud --user
You can now access your Nextcloud instance on localhost:8080. Go there in your browser and create an admin account.
Congratulations! You have a fully operational Nextcloud instance on your localhost! There are still a few things to do, though.
Access through the internet
In order to acces your instance outside of your network, you will need a domain and a reverse proxy. A reverse proxy can be set up through Cloudflare tunnels, Caddy or any reverse proxy server of your choice. The ports you need are 8080 for Nextcloud and 9980 for Collabora. I recommend using subdomains the distinguish them: nextcloud.yourdomain.com and office.yourdomain.com.
After you have set up your proxy, you will need to change a few configuration files. Let's start with nextcloud.yaml:
- name: collabora
image: docker.io/collabora/code:latest
ports:
- containerPort: 9980
hostPort: 9980
envFrom:
- secretRef:
name: nextcloud-collabora-secrets
env:
- name: domain
value: office.yourdomain.com # <-- change this
- name: server_name
value: office.yourdomain.com # <-- change this
- name: extra_params
value: --o:ssl.enable=false --o:ssl.termination=true
You should change the domain and server_name values to match the the domain and subdomain you chose for collabora.
Next, the config.php file. Here, you should add a few configuration options, which you can find in example.config.php between the files you downloaded. Some options still need to be tweaked for your setup:
<?php
$CONFIG = array (
'trusted_domains' =>
array (
0 => 'your.ip.address.here:8080', // <-- change this
1 => 'nextcloud.youdomain.com', // <-- change this
),
'trusted_proxies' =>
array (
0 => '127.0.0.1',
),
'overwrite.cli.url' => 'https://nextcloud.youdomain.com', // <-- change this
'overwriteprotocol' => 'https',
'overwritehost' => 'nextcloud.youdomain.com', // <-- change this
'default_phone_region' => 'NL', // <-- change this
);
The lines you need to change are marked with a comment. If your proxy is not on the same server, you will also need to adjust the trusted_proxies array.
These options will need to be added to the configuration file found in html/config/config.php. Be careful to only copy the configuration options themselves and not the <?php $CONFIG = array ( (first two lines) and the ); (last line).
Now that the system is configured, you can go ahead and restart your server.
systemctl restart nextcloud --user
And now you can acces your Nextcloud instance via the internet at nextcloud.yourdomain.com.
To prevent your service from stopping when you quit ssh, you can do the following:
loginctl enable-linger $USER
Cron jobs
Nextcloud delegates some long-running and maintenance tasks to background jobs. You get a few options for how you want to run these jobs, but cron is recommended. I also use cron to start my service at boot, because rootless Podman services cannot be configured to start at boot through systemd.
crontab -e
*/5 * * * * podman exec -t -u www-data nextcloud-nextcloud php -f /var/www/html/cron.php
@reboot systemctl start nextcloud --user
Then, in Nextcloud, go to your administration settings, found in the top right, and then to basic settings. Here, you can select cron for background jobs.
Collabora settings
You will need the Nextcloud Office app, which, if it isn't already installed, you can install in the apps section, also found the in top right. Then go to administration settings again and then to Nextcloud Office. Here, you should select 'use your own server' and then you can fill in your Collabora url: office.yourdomain.com.
Updating your service
Updating using quadlets is really simple. All you need is a single command:
podman auto-update
Conclusion
Now you have a fully operational Nextcloud instance! I hope that this tutorial has helped you. If you have any questions, feel free to contact me on [email protected].
I would also like to thank greylinux1 on the Nextcloud forum as his tutorial was very helpful.