Nextcloud All-in-One

The official Nextcloud installation method. Nextcloud AIO provides easy deployment and maintenance with most features included in this one Nextcloud instance.

Included are:

Nextcloud
High performance backend for Nextcloud Files
Nextcloud Office (optional)
High performance backend for Nextcloud Talk and TURN-server (optional)
Nextcloud Talk Recording-server (optional)
Backup solution (optional, based on BorgBackup)
Imaginary (optional, for previews of heic, heif, illustrator, pdf, svg, tiff and webp)
ClamAV (optional, Antivirus backend for Nextcloud)
Fulltextsearch (optional)

Simple web interface included that enables easy installation and maintenance
Easy updates included
Update and backup notifications included
Daily backups can be enabled from the AIO interface which also allows updating all containers, Nextcloud and its apps afterwards automatically
Instance restore from backup archive via the AIO interface included (you only need the archive and the password in order to restore the whole instance on a new AIO instance)
APCu as local cache
Redis as distributed cache and for file locking
Postgresql as database
PHP-FPM with performance-optimized config (e.g. Opcache and JIT enabled by default)
A+ security in Nextcloud security scan
Ready to be used behind existing Reverse proxies
Can be used behind Cloudflare Tunnel
Ready for big file uploads up to 10 GB on public links, adjustable (logged in users can upload much bigger files using the webinterface or the mobile/desktop clients since chunking is used in that case)
PHP and web server timeouts set to 3600s, adjustable (important for big file uploads)
Defaults to a max of 512 MB RAM per PHP process, adjustable
Automatic TLS included (by using Let's Encrypt)
Brotli compression enabled by default for javascript, css and svg files which reduces Nextcloud load times
HTTP/2 and HTTP/3 enabled
"Pretty URLs" for Nextcloud are enabled by default (removes the index.php from all links)
Video previews work out of the box and when Imaginary is enabled, many recent image formats as well!
Only one domain and not multiple domains are required for everything to work (usually you would need to have one domain for each service which is much more complex)
Adjustable location of Nextcloud's datadir (e.g. good for easy file-sharing with host system on Windows and MacOS)
By default confined (good for security) but can allow access to additional storages in order to enable the usage of the local external storage feature
Possibility included to adjust default installed Nextcloud apps
Nextcloud installation is not read only - that means you can apply patches if you should need them (instead of having to wait for the next release for them getting applied)
ffmpeg, smbclient and nodejs are included by default
Possibility included to permanently add additional OS packages into the Nextcloud container without having to build your own Docker image
Possibility included to permanently add additional PHP extensions into the Nextcloud container without having to build your own Docker image
Possibility included to pass the needed device for hardware transcoding to the Nextcloud container
Possibility included to store all docker related files on a separate drive
Additional features can be added very easily
LDAP can be used as user backend for Nextcloud
Migration from any former Nextcloud installation to AIO is possible. See this documentation
Fail2Ban can be added
phpMyAdmin, Adminer or pgAdmin can be added
Mail server can be added
Nextcloud can be accessed locally via the domain
Can be installed locally (if you don't want or cannot make the instance publicly reachable)
IPv6-ready
Can be used with Docker rootless (good for additional security)
Runs on all platforms Docker supports (e.g. also on Windows and Macos)
Included containers easy to debug by having the possibility to check their logs directly from the AIO interface
Docker-compose ready
Can be installed without a container having access to the docker socket
Can be installed with Docker Swarm
Can be installed with Kubernetes
Almost all included containers Alpine Linux based (good for security and size)
Many of the included containers run as non-root user (good for security)
Many of the included containers have a read-only root-FS (good for security)
Included containers run in its own docker network (good for security) and only really necessary ports are exposed on the host
Multiple instances on one server are doable without having to deal with VMs
Adjustable backup path from the AIO interface (good to put the backups e.g. on a different drive)
Possibility included to also back up external Docker Volumes or Host paths (can be used for host backups)
Borg backup can be completely managed from the AIO interface, including backup creation, backup restore, backup integrity check and integrity-repair
Remote backups are indirectly possible
Updates and backups can be run from an external script. See this documentation for a complete example.

</details>

Screenshots

First setup	After installation

How to use this?

The following instructions are meant for installations without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already being in place. If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), see the reverse proxy documentation. Also, the instructions below are especially meant for Linux. For macOS see this, for Windows see this and for Synology see this.

Install Docker on your Linux installation by following the official documentation: https://docs.docker.com/engine/install/#supported-platforms. The easiest way is installing it by using the convenience script:
```
curl -fsSL https://get.docker.com | sudo sh
```
If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
Run the command below in order to start the container on Linux and without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already in place:
```
# For Linux and without a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) already in place:
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest
```
<details> <summary>Explanation of the command</summary>
- sudo docker run This command spins up a new docker container. Docker commands can optionally be used without sudo if the user is added to the docker group (this is not the same as docker rootless, see FAQ below).
- --init This option makes sure that no zombie-processes are created, ever. See the Docker documentation.
- --sig-proxy=false This option allows to exit the container shell that gets attached automatically when using docker run by using [CTRL] + [C] without shutting down the container.
- --name nextcloud-aio-mastercontainer This is the name of the container. This line is not allowed to be changed, since mastercontainer updates would fail.
- --restart always This is the "restart policy". always means that the container should always get started with the Docker daemon. See the Docker documentation for further detail about restart policies: https://docs.docker.com/config/containers/start-containers-automatically/
- --publish 80:80 This means that port 80 of the container should get published on the host using port 80. It is used for getting valid certificates for the AIO interface if you want to use port 8443. It is not needed if you run AIO behind a web server or reverse proxy and can get removed in that case as you can simply use port 8080 for the AIO interface then.
- --publish 8080:8080 This means that port 8080 of the container should get published on the host using port 8080. This port is used for the AIO interface and uses a self-signed certificate by default. You can also use a different host port if port 8080 is already used on your host, for example --publish 8081:8080 (only the first port can be changed for the host, the second port is for the container and must remain at 8080).
- --publish 8443:8443 This means that port 8443 of the container should get published on the host using port 8443. If you publish port 80 and 8443 to the public internet, you can access the AIO interface via this port with a valid certificate. It is not needed if you run AIO behind a web server or reverse proxy and can get removed in that case as you can simply use port 8080 for the AIO interface then.
- --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config This means that the files that are created by the mastercontainer will be stored in a docker volume that is called nextcloud_aio_mastercontainer. This line is not allowed to be changed, since built-in backups would fail later on.
- --volume /var/run/docker.sock:/var/run/docker.sock:ro The docker socket is mounted into the container which is used for spinning up all the other containers and for further features. It needs to be adjusted on Windows/macOS and on docker rootless. See the applicable documentation on this. If adjusting, don't forget to also set WATCHTOWER_DOCKER_SOCKET_PATH! If you dislike this, see https://github.com/nextcloud/all-in-one/tree/main/manual-install.
- nextcloud/all-in-one:latest This is the docker container image that is used.
- Further options can be set using environment variables, for example --env NEXTCLOUD_DATADIR="/mnt/ncdata" (This is an example for Linux. See this for other OS' and for an explanation of what this value does. This specific one needs to be specified upon the first startup if you want to change it to a specific path instead of the default Docker volume). To see explanations and examples for further variables (like changing the location of Nextcloud's datadir or mounting some locations as external storage into the Nextcloud container), read through this readme and look at the docker-compose file: https://github.com/nextcloud/all-in-one/blob/main/compose.yaml
</details>
Note: You may be interested in adjusting Nextcloud’s datadir to store the files in a different location than the default docker volume. See this documentation on how to do it.
After the initial startup, you should be able to open the Nextcloud AIO Interface now on port 8080 of this server. E.g. https://ip.address.of.this.server:8080 ⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser) If your firewall/router has port 80 and 8443 open/forwarded and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via: https://your-domain-that-points-to-this-server.tld:8443
Please do not forget to open port 3478/TCP and 3478/UDP in your firewall/router for the Talk container!

FAQ

How does it work?

Nextcloud AIO is inspired by projects like Portainer that manage the docker daemon by talking to it through the docker socket directly. This concept allows a user to install only one container with a single command that does the heavy lifting of creating and managing all containers that are needed in order to provide a Nextcloud installation with most features included. It also makes updating a breeze and is not bound to the host system (and its slow updates) anymore as everything is in containers. Additionally, it is very easy to handle from a user perspective because a simple interface for managing your Nextcloud AIO installation is provided.

Are reverse proxies supported?

Yes. Please refer to the following documentation on this: reverse-proxy.md

Which CPU architectures are supported?

You can check this on Linux by running: uname -m

x86_64/x64/amd64
aarch64/arm64/armv8 (Note: ClamAV is currently not supported on this CPU architecture)

Which ports are mandatory to be open in your firewall/router?

Only those (if you access the Mastercontainer Interface internally via port 8080):

443/TCP for the Apache container
443/UDP if you want to enable http3 for the Apache container
3478/TCP and 3478/UDP for the Talk container

Explanation of used ports:

8080/TCP: Mastercontainer Interface with self-signed certificate (works always, also if only access via IP-address is possible, e.g. https://ip.address.of.this.server:8080/) ⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser)
80/TCP: redirects to Nextcloud (is used for getting the certificate via ACME http-challenge for the Mastercontainer)
8443/TCP: Mastercontainer Interface with valid certificate (only works if port 80 and 8443 are open/forwarded in your firewall/router and you point a domain to