Tech Insights

Self-Hosting Nextcloud: A Real Walkthrough (and Everything It Takes to Keep It Safe)

Self-Hosting Nextcloud: A Real Walkthrough (and Everything It Takes to Keep It Safe)

This is the first of our monthly deep dives. We're going to walk through actually standing up Nextcloud — the leading open-source replacement for OneDrive and Dropbox — on your own server. Files, folder sync, mobile apps, sharing: everything you use Dropbox for, on hardware you own, with your data in your building.

We're showing you the real process, not a sanitized “it's so easy!” version, for one reason: by the end you'll know exactly what you're signing up for. Some readers will look at this and think “I can do that.” Many more will look at it and think “I want this, but I want someone else to run it.” Both are correct answers. What you don't want is to do half of this and walk away thinking you're done.

Fair warning: this gets technical. That's the point.

Step 1: Decide what the server actually is

Before any software, a hardware decision. Nextcloud for a small office is not a Raspberry Pi under the receptionist's desk. For real business use you want:

  • A proper small-business server or a capable mini-PC with ECC memory if you can (it catches memory errors that silently corrupt files)
  • Redundant storage — at minimum two drives in a mirror (RAID 1), so one drive failure doesn't end your company
  • A UPS battery backup — non-negotiable in Houston, where a flickering grid will corrupt a database mid-write
  • A wired connection and a static internal IP

Decision one, and most people get it wrong: a single consumer SSD with no redundancy means your “owned data” has a single point of failure worse than the cloud you left.

Step 2: The operating system and the base stack

Most Nextcloud installs run on Ubuntu Server LTS. You'll install the OS headless (no desktop), then the supporting software it depends on — a web server, a database, and PHP:

sudo apt update && sudo apt upgrade -y
sudo apt install -y apache2 mariadb-server libapache2-mod-php \
  php php-gd php-mysql php-curl php-mbstring php-intl php-gmp \
  php-bcmath php-xml php-imagick php-zip php-apcu unzip

Already, decisions: which PHP version Nextcloud currently supports (it's picky, and the wrong one fails silently), whether you're using Apache or Nginx, and whether you want the database on the same box or separate. Each of those is a fork in the road with consequences down the line.

Step 3: The database

Nextcloud needs its own database and a dedicated user — never the root account:

sudo mysql
CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'use-a-real-long-random-password-here';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Then you'll tune MariaDB for Nextcloud — transaction isolation level, the binary log format, buffer pool size. Skip this tuning and Nextcloud will throw database-lock warnings under real load. This is the first place “it worked in the demo” diverges from “it works for 25 people all day.”

Step 4: Install Nextcloud itself

Download, extract, set ownership:

cd /var/www
sudo wget https://download.nextcloud.com/server/releases/latest.zip
sudo unzip latest.zip
sudo chown -R www-data:www-data /var/www/nextcloud

Then an Apache virtual host pointing at the directory, the right modules enabled (rewrite, headers, env, dir, mime), and the web installer to finish setup. If that were the whole job, this would be a short post.

Step 5: TLS — and this is where DIY gets real

You are about to put your company's files behind a web server. If that server speaks plain unencrypted HTTP, you've built a liability, not a solution. You need a valid TLS certificate:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d files.yourcompany.com

Which immediately requires that you own a domain, have control of its DNS, have a way for the certificate authority to reach your server, and a plan to auto-renew that certificate every 90 days — because the day it silently expires, every employee's sync client throws errors and nobody can work. One missed renewal is a company-wide outage.

Step 6: Exposing it safely (the part that bites people)

For staff to reach files from home or the road, the server has to be reachable from the internet — which means you've just published a door to your company's data. Do this wrong and you're on the news. Doing it right means some combination of:

  • A properly configured firewall exposing only what's necessary
  • A reverse proxy in front of Nextcloud, not the application directly
  • Ideally, putting access behind a VPN (we'll cover WireGuard later in this series) so the files aren't openly exposed at all
  • Fail2ban to lock out brute-force login attempts
  • Enforced two-factor authentication for every user
  • Geo-blocking and rate limiting

This single step is where the gap between “I installed Nextcloud” and “I securely run Nextcloud for a business” is widest. The install is an afternoon. Securing the exposure correctly is a discipline.

Step 7: Backups — you are now your own disaster recovery

The cloud quietly backed your files up across multiple data centers. That's gone now; it's your job. A real Nextcloud backup means capturing three things in sync:

  1. The file data directory
  2. The database (a mysqldump, taken consistently)
  3. The config.php and your TLS setup

…on an automated schedule, stored offsite or at least off-box, and — the step everyone skips — actually test-restored on a regular basis. A backup you've never restored is a rumor, not a backup. In Houston, “offsite” also means “not in the same building that floods.”

Step 8: The part with no end date — maintenance

Installation is a day. This is forever:

  • Apply Nextcloud updates promptly (each version brings security fixes — and occasionally breaks an app you depend on, so you test first)
  • Patch the OS, PHP, the database, and Apache on their own schedules
  • Monitor disk space, failed logins, certificate expiry, and backup success — and get alerted, not “remember to check”
  • Watch the security advisories and react when one lands
  • Plan the hardware refresh before the drives age out

So… should you do this yourself?

If you read all of that and felt energized, you may genuinely be a good candidate to run your own — and we're happy to consult, harden your setup, and be your backstop when something breaks.

If you read all of that and thought “I want my data in my building, but I have a business to run and I am not going to be the one auto-renewing TLS certificates at 11 p.m.” — that's the honest, common, correct reaction. And it's exactly the service we provide. We build and maintain Nextcloud and other open-source systems for Houston small businesses: sized right, secured properly, backed up, monitored, and kept current — so you get the data ownership without the second job.

We don't do this for free, and we don't cut corners — the entire value is in the parts of this article that came after the install. Our rates reflect skilled, ongoing work. If you want Nextcloud done once and done right, book a free discovery call and we'll scope it for your business.

Aspendora Technologies provides cybersecurity, managed IT, and expert on-premise & open-source solutions to Houston-area small businesses since 2010.

Need IT Help?

Talk to a real Houston-based IT pro. 15 minutes, no pressure.

Schedule a Free Consultation