
Deployment Overview of Nextcloud on Server

Prerequisites and Basic Requirements

The deployment requires a server with the following configurations and privileges:

  • Operating System: Linux distribution compatible with Docker and Docker Compose.
  • Privileges: Root access or sudo privileges are required to manage Docker containers, firewall rules, and file permissions.
  • Domain: A valid domain name (the final_domain variable) must be configured and pointing to the server's IP address.
  • Ports: The following TCP ports must be open and accessible:
      • Port 80 (HTTP)
      • Port 443 (HTTPS)
      • Port 22 (SSH) (if using UFW firewall)

File and Directory Structure

The application and its configuration files are organized in the following directories:

  • /opt/nextcloud/: Contains the Docker Compose configuration, PHP configuration files, and initialization scripts.
      • compose.yml: Docker Compose definition for the application stack.
      • set_configuration.sh: Script to initialize Nextcloud and install the OnlyOffice app.
      • www.conf, fpm.conf, php.ini: PHP-FPM and PHP configuration files.
  • /opt/nginx/: Contains Nginx configuration files.
      • nginx.conf: Main Nginx configuration.
      • nginx-certbot.env: Environment variables for the Certbot container.
      • user_conf.d/: Directory for domain-specific Nginx server blocks (e.g., {{ final_domain }}.conf).
  • Data Storage:
      • /var/www/html: Mount point for Nextcloud data (either a Docker volume or a host directory defined by nextcloud_data_path).
      • Docker Volumes: app_data, db_data, document_data, document_log, nginx_secrets.

Application Installation Process

The application is deployed using Docker Compose, which orchestrates the following services:

  • Nextcloud: The nextcloud:fpm image, running as the app-server container.
  • Database: PostgreSQL (postgres:alpine) for data storage.
  • Cache: Redis (redis:alpine) for session and cache management.
  • Document Server: OnlyOffice (onlyoffice/documentserver:latest) for document editing.
  • Web Server: Nginx with Certbot (jonasal/nginx-certbot:latest) for reverse proxying and SSL management.

The deployment process involves:

  1. Creating necessary directories and Docker volumes.
  2. Generating the compose.yml file with environment variables for database credentials and domain settings.
  3. Starting the containers using docker compose up -d in the /opt/nextcloud directory.
  4. Obtaining an SSL certificate via Certbot for the specified domain.
  5. Executing the set_configuration.sh script to initialize the Nextcloud instance and configure the OnlyOffice integration.

Access Rights and Security

Firewall rules are configured to allow traffic on specific ports depending on the firewall service in use:

  • Firewalld:
      • Port 80/tcp (enabled, zone: public)
      • Port 443/tcp (enabled, zone: public)
  • UFW:
      • Port 80/tcp (enabled)
      • Port 443/tcp (enabled)
      • Port 22/tcp (enabled)

Security headers are enforced by the Nginx configuration, including:

  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • X-Robots-Tag
  • X-Download-Options
  • X-Permitted-Cross-Domain-Policies

Access to sensitive directories such as /build, /tests, /config, /lib, /3rdparty, /templates, and /data is denied via Nginx location blocks.
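As an added check (not part of the deployment's own scripts), the following POSIX shell functions verify from captured responses that every header listed above is present and that each of the sensitive paths is denied. The header and path inputs used here are constructed sample data; in practice they would be captured with curl against {{ final_domain }} as shown in the comments.

```shell
#!/bin/sh
# Added example: audit the Nginx front end for the security headers and the
# denied Nextcloud paths described above. Inputs come from files so the checks
# run offline; in practice produce them with curl, e.g.
#   curl -sI "https://$DOMAIN/" > headers.txt
#   for p in $SENSITIVE_PATHS; do printf '%s %s\n' "$p" \
#     "$(curl -s -o /dev/null -w '%{http_code}' "https://$DOMAIN$p/")"; done > paths.txt

REQUIRED_HEADERS="Strict-Transport-Security X-Frame-Options X-Content-Type-Options \
X-XSS-Protection X-Robots-Tag X-Download-Options X-Permitted-Cross-Domain-Policies"
SENSITIVE_PATHS="/build /tests /config /lib /3rdparty /templates /data"

# check_headers FILE: FILE holds raw response headers. Prints every required
# header that is absent (matched case-insensitively) and returns 1 if any is.
check_headers() {
  missing=""
  for h in $REQUIRED_HEADERS; do
    grep -qi "^$h:" "$1" || missing="$missing $h"
  done
  [ -z "$missing" ] && return 0
  echo "missing headers:$missing"
  return 1
}

# check_denied FILE: FILE holds "path status" lines. Any sensitive path that
# does not answer 403 or 404 is reported and the function returns 1.
check_denied() {
  bad=""
  while read -r path status; do
    case " $SENSITIVE_PATHS " in *" $path "*) ;; *) continue ;; esac
    case "$status" in 403|404) ;; *) bad="$bad $path=$status" ;; esac
  done < "$1"
  [ -z "$bad" ] && return 0
  echo "exposed paths:$bad"
  return 1
}

# Constructed sample data for a stand-alone run: a correctly configured header
# set, and one path (/config) that is wrongly reachable.
hdr=$(mktemp); paths=$(mktemp)
printf '%s\n' 'HTTP/2 200' 'strict-transport-security: max-age=15552000; includeSubDomains' \
  'x-frame-options: SAMEORIGIN' 'x-content-type-options: nosniff' \
  'x-xss-protection: 1; mode=block' 'x-robots-tag: noindex, nofollow' \
  'x-download-options: noopen' 'x-permitted-cross-domain-policies: none' > "$hdr"
printf '%s\n' '/build 404' '/tests 404' '/config 200' '/lib 404' '/3rdparty 404' \
  '/templates 404' '/data 404' > "$paths"
check_headers "$hdr" && echo "headers: ok"
check_denied "$paths" || echo "fix the Nginx location blocks for the paths above"
rm -f "$hdr" "$paths"
```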

Databases

The application uses a PostgreSQL database with the following settings:

  • Image: postgres:alpine
  • Database Name: nextcloud
  • User: nextcloud
  • Password: Defined by the nextcloud_admin_pwd variable.
  • Storage: Data is persisted in the db_data Docker volume mounted at /var/lib/postgresql/data.
  • Connection: The Nextcloud container connects to the database using the hostname db on port 5432.

Docker Containers and Their Deployment

The deployment utilizes Docker Compose to manage the following containers:

  • db: PostgreSQL database container.
  • redis: Redis cache container.
  • app-server: Nextcloud application container.
  • onlyoffice-document-server: OnlyOffice document editing container.
  • nginx-certbot: Nginx reverse proxy and SSL certificate management container.

Docker volumes are created to ensure data persistence:

  • app_data: Stores Nextcloud application data (used if nextcloud_data_path is not defined).
  • db_data: Stores PostgreSQL data.
  • document_data: Stores OnlyOffice data.
  • document_log: Stores OnlyOffice logs.
  • nginx_secrets: Stores Let's Encrypt SSL certificates.

The containers are started with the following command, executed from the /opt/nextcloud directory:

    docker compose up -d

Proxy Servers

Nginx is configured as a reverse proxy using the jonasal/nginx-certbot image. It handles:

  • SSL Termination: Certificates are obtained and managed by Certbot for the domain {{ final_domain }}.
  • HTTP to HTTPS Redirect: Port 80 traffic is redirected to HTTPS (port 443).
  • OnlyOffice Proxy: Requests to /ds-vpath/ are proxied to the onlyoffice-document-server container.
  • Configuration Files:
      • Main configuration: /opt/nginx/nginx.conf
      • Domain-specific configuration: /opt/nginx/user_conf.d/{{ final_domain }}.conf
      • Environment variables: /opt/nginx/nginx-certbot.env

The Nginx container exposes ports 80 and 443 to the host.

Permission Settings

File and directory permissions are set as follows:

  • /opt/nextcloud: Owner root, Group root, Mode 0640.
  • /opt/nginx: Owner root, Group root, Mode 0640.
  • /opt/nginx/user_conf.d: Owner root, Group root, Mode 0640.
  • Configuration files (compose.yml, set_configuration.sh, nginx.conf, etc.): Owner root, Group root, Mode 0644 (0755 for executable scripts).
  • Nextcloud data directory (nextcloud_data_path or app_data volume): Owner root, Group root, Mode 0755.

Inside the containers, the Nextcloud application runs as the www-data user.

Starting, Stopping, and Updating

The application stack is managed via Docker Compose. The following commands are used:

  • Start:
    cd /opt/nextcloud
    docker compose up -d
    
  • Stop:
    cd /opt/nextcloud
    docker compose down
    
  • Restart:
    cd /opt/nextcloud
    docker compose restart
    
  • Update: To update the application, pull the latest images and restart the containers:
    cd /opt/nextcloud
    docker compose pull
    docker compose up -d
    

Post-deployment maintenance tasks are executed via docker exec commands:

    docker exec --user www-data app-server php occ db:add-missing-indices
    docker exec --user www-data app-server php occ db:add-missing-columns
    docker exec --user www-data app-server php occ config:system:set maintenance_window_start --type=integer --value=1
