- Ubuntu >=18 or Debian >=9
- CPU/Memory: 2 CPU / 4 GB RAM
- Storage: 100 GB SSD
- DNS A record pointing at the server, or a Cloudflare Tunnel
- HTTP (80) and HTTPS (443) ports open
# Make sure to set NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT paths
docker compose -p homecloud up -d
# Reference: https://github.com/nextcloud/all-in-one?tab=readme-ov-file#nextcloud-all-in-one
Server-side encryption only covers files uploaded after it is enabled; to encrypt what is already stored, run occ encryption:encrypt-all afterwards. The Default encryption module app must be enabled first (occ app:enable encryption), otherwise encryption:enable refuses to run. Keep in mind that the keys live on the same host as the data, so this protects files at rest on external storage, not against someone with admin access to this server.
docker exec --user www-data -it nextcloud-aio-nextcloud php occ encryption:enable
docker exec --user www-data -it nextcloud-aio-nextcloud php occ encryption:status
# Reference: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#occ-encryption-commands
First, enable automatic daily backups in the AIO interface and record the Borg encryption password it shows you: without it the backup cannot be restored.
Nextcloud AIO uses BorgBackup as the underlying backup technology. By default it applies the following retention (prune) policy:
- Keep 7 end-of-day, 4 additional end-of-week and 6 end-of-month archives
- Install required packages
sudo apt update && sudo apt install -y jq unzip
# Install awscli
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Make sure to use the latest stable version of aws_signing_helper (this binary signs every AWS request with your client key;
# if you prefer not to trust a downloaded binary, build it from source at https://github.com/aws/rolesanywhere-credential-helper)
wget https://rolesanywhere.amazonaws.com/releases/1.4.0/X86_64/Linux/aws_signing_helper
chmod +x aws_signing_helper
sudo mv aws_signing_helper /usr/local/bin/
- Install rclone. The official installer pipes a remote script into a root shell; download and review it first if you want to avoid that, or install rclone from your distribution's packages
sudo -v ; curl https://rclone.org/install.sh | sudo bash
- Configure rclone by editing the settings in rclone.conf, then move it to your rclone config directory, usually ~/.config/rclone/rclone.conf. The file holds the remote's credentials, so keep it mode 600.
- Set up the PKI used to log in to AWS through IAM Roles Anywhere. The CA key signs every client certificate AWS will trust, so keep it mode 600 and ideally move it off the server once the client certificate is issued; the client key is what actually grants AWS access from this host, so protect it the same way.
# Create a private key for the CA certificate
openssl genrsa -out homecloud-root-ca.key 4096
# Create the CA certificate (valid for 10 years) using an OpenSSL configuration file
# Make sure to change all values inside the [ dn ] SECTION before running the following command
openssl req -x509 -new -nodes -config certificates/selfsigned-ca.cnf -key homecloud-root-ca.key -days 3650 -out homecloud-root-ca.crt
# Create a private key for the client certificate
openssl genrsa -out homecloud-client.key 2048
### Create the client certificate signing request
# Make sure that the -subj values match the [ dn ] SECTION inside the selfsigned-ca.cnf configuration file before running the following command
openssl req -new -key homecloud-client.key -out homecloud-client.csr -subj "/C=IT/ST=Ragusa/L=Acate/O=HomeCloud/CN=homecloud.yourdomain.com"
### Sign the client certificate with the CA (valid for 1 year), using an OpenSSL configuration file
# to apply the certificate extensions AWS requires (an end-entity certificate with CA:FALSE and digitalSignature key usage)
openssl x509 -req -in homecloud-client.csr -CA homecloud-root-ca.crt -CAkey homecloud-root-ca.key -CAcreateserial -out homecloud-client.crt -days 365 -sha256 -extfile certificates/homecloud-client.cnf -extensions homecloudclient_extensions
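The following script is an added example, not code from this page or from the Nextcloud AIO project. It performs the same CA and client certificate steps as above, but writes a single OpenSSL configuration inline (standing in for the page's selfsigned-ca.cnf and homecloud-client.cnf, which are not shown here), creates the private keys with a restrictive umask, and then verifies that the resulting pair meets what IAM Roles Anywhere checks: a CA certificate with CA:TRUE and keyCertSign, an end-entity certificate with CA:FALSE and digitalSignature, RSA keys of at least 2048 bits and SHA-256 signatures. The subject values, file names and section names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): Roles Anywhere PKI generation
# plus a self-check of the extensions AWS requires. Subject values, file names
# and section names below are assumptions, not the page's own config files.
set -e

# One OpenSSL config: CA subject, CA extensions and end-entity extensions.
write_pki_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C  = IT
O  = HomeCloud
CN = HomeCloud Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_pki DIR CLIENT_CN: create the root CA and a signed client key/cert in DIR.
make_pki() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  write_pki_config "$dir/pki.cnf"
  (
    umask 077   # private keys come out 0600, never group/world readable
    openssl genrsa -out "$dir/root-ca.key" 4096 2>/dev/null
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  )
  # Self-signed CA, 10 years; the subject comes from the [ dn ] section
  openssl req -x509 -new -sha256 -days 3650 -config "$dir/pki.cnf" \
    -extensions v3_ca -key "$dir/root-ca.key" -out "$dir/root-ca.crt"
  # Client CSR; -subj overrides the [ dn ] section for the end-entity name
  openssl req -new -sha256 -config "$dir/pki.cnf" -key "$dir/client.key" \
    -subj "/C=IT/O=HomeCloud/CN=$cn" -out "$dir/client.csr"
  # Sign for 1 year with the end-entity extensions from [ client_ext ]
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
    -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
    -extfile "$dir/pki.cnf" -extensions client_ext -out "$dir/client.crt" 2>/dev/null
}

# check_pki DIR: return 0 only if the pair satisfies the Roles Anywhere rules
# (chain validates, CA has CA:TRUE + keyCertSign, client has CA:FALSE +
# digitalSignature, SHA-256 signature). Non-zero means do not upload this CA.
check_pki() {
  dir=$1
  ca_txt=$(openssl x509 -in "$dir/root-ca.crt" -noout -text)
  cl_txt=$(openssl x509 -in "$dir/client.crt" -noout -text)
  openssl verify -CAfile "$dir/root-ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
  echo "$ca_txt" | grep -q 'CA:TRUE'                 || return 1
  echo "$ca_txt" | grep -q 'Certificate Sign'        || return 1
  echo "$cl_txt" | grep -q 'CA:FALSE'                || return 1
  echo "$cl_txt" | grep -q 'Digital Signature'       || return 1
  echo "$cl_txt" | grep -q 'sha256WithRSAEncryption' || return 1
  return 0
}

# key_mode FILE: permission string as shown by ls, e.g. "rw-------"
key_mode() { ls -l "$1" | cut -c2-10; }

# Usage: sh pki.sh ./pki homecloud.yourdomain.com
if [ $# -ge 1 ]; then
  make_pki "$1" "${2:-homecloud.yourdomain.com}"
  check_pki "$1" && echo "PKI OK: paste $1/root-ca.crt into the Trust Anchor"
fi
```

Run check_pki against any certificate pair you intend to use, including ones produced with the page's own config files: the trust anchor and the credential helper will reject a certificate missing these extensions, and the failure surfaces only at the first backup run.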
- Create a Roles Anywhere Trust Anchor to establish trust between the server and AWS using the Certificate Authority:
  - Certificate authority (CA) source = External certificate bundle
  - External certificate bundle = paste the content of homecloud-root-ca.crt into the box
  - (Optional) customize the Notification settings to be alerted before certificates expire
- Create an S3 bucket with a Lifecycle rule whose action is "Expire current versions of objects", setting "Days after object creation" to a value of your liking. This removes old tar.gz archives and frees up space. Note that objects in Glacier Deep Archive are billed for a minimum of 180 days, so expiring them earlier still incurs the full 180-day charge.
- Create an IAM Policy, changing s3bucketname to match your S3 bucket name.
- Create an IAM Role:
  - use Roles Anywhere as the Service Principal
  - attach the previously created permission policy to it
  - add a Trust Policy, replacing rolesanywhere-trustanchor-arn with the ARN of the Trust Anchor created above
  - (Optional) customize the Maximum session duration to your liking (currently 4 hrs). If you change it, adjust the --session-duration parameter (given in seconds, so 14400 for 4 hrs) inside homecloud_backup.sh accordingly.
- Create a Roles Anywhere Profile:
  - select the previously created IAM Role from the dropdown
  - (Optional) customize the Maximum session duration to your liking (currently 4 hrs). It must be compatible with the role's maximum, and the --session-duration parameter inside homecloud_backup.sh must be changed accordingly.
- Edit the ENV file to match your setup, then install both files. The env file keeps its .env name and holds your paths and ARNs, hence mode 600; both files should be owned by root:
sudo mv homecloud_backup.env /etc/homecloud_backup.env && sudo chmod 600 /etc/homecloud_backup.env
sudo mv homecloud_backup.sh /usr/local/bin/homecloud_backup.sh && sudo chmod 644 /usr/local/bin/homecloud_backup.sh
- Set a cron job to run the backup script automatically. Use root's crontab, since the env file is mode 600 and the Borg backup directory is written by the AIO containers as root:
sudo crontab -e
# At 4:00am on the 1st, 11th, 21st and 31st of each month (*/10 in the day-of-month field restarts every month, so the gap is not always exactly 10 days)
0 4 */10 * * bash /usr/local/bin/homecloud_backup.sh
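The page does not show homecloud_backup.sh or its env file, so the script below is an added, illustrative skeleton of the upload step and not the project's own script. It refuses to run when the env file is not mode 600, names archives the way the restore commands later on this page expect (borg_YYYY-MM-DD_HH-MM-SS.tar.gz), writes a dedicated AWS CLI profile whose credentials come from aws_signing_helper credential-process, and uploads straight into the Deep Archive storage class. Every HOMECLOUD_* variable, the paths and the ARN placeholders are assumptions.

```shell
#!/bin/bash
# Added example (not the page's homecloud_backup.sh): skeleton of the upload
# step with the checks a backup script run from root's cron should make.
# All HOMECLOUD_* names, paths and ARN placeholders are assumptions.
#
# Constructed example of /etc/homecloud_backup.env (mode 600, root-owned):
#   HOMECLOUD_BORG_DIR=/mnt/backup/borg
#   HOMECLOUD_BUCKET=s3bucketname
#   HOMECLOUD_CERT=/etc/homecloud/homecloud-client.crt
#   HOMECLOUD_KEY=/etc/homecloud/homecloud-client.key
#   HOMECLOUD_TRUST_ANCHOR_ARN=arn:aws:rolesanywhere:REGION:ACCOUNT:trust-anchor/ID
#   HOMECLOUD_PROFILE_ARN=arn:aws:rolesanywhere:REGION:ACCOUNT:profile/ID
#   HOMECLOUD_ROLE_ARN=arn:aws:iam::ACCOUNT:role/homecloud-backup
#   HOMECLOUD_SESSION_SECONDS=14400   # 4 h; must fit the profile/role maximum
set -eu

# env_is_private FILE: 0 only for a regular file with no group/other permission
# bits (the mode 600 the install step sets). Sourcing a world-readable env file
# would let any local user read the bucket name, ARNs and key paths.
env_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# archive_name [EPOCH]: borg_YYYY-MM-DD_HH-MM-SS.tar.gz in UTC, the key format
# the restore commands on this page use. EPOCH makes the name reproducible.
archive_name() {
  if [ -n "${1:-}" ]; then date -u -d "@$1" +'borg_%Y-%m-%d_%H-%M-%S.tar.gz'
  else date -u +'borg_%Y-%m-%d_%H-%M-%S.tar.gz'; fi
}

# pack_borg_repo BORG_DIR OUT_TAR: archive the repository with its directory
# name as the top-level entry, so extracting on a new host yields <dir>/borg,
# which is what "Restore AIO instance" expects.
pack_borg_repo() {
  tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# write_aws_profile CONFIG_PATH: an AWS CLI profile whose credentials come from
# the Roles Anywhere credential helper. --session-duration is in seconds and
# must not exceed the Maximum session duration set on the profile and the role.
write_aws_profile() {
  cat > "$1" <<EOF
[profile homecloud]
credential_process = aws_signing_helper credential-process --certificate $HOMECLOUD_CERT --private-key $HOMECLOUD_KEY --trust-anchor-arn $HOMECLOUD_TRUST_ANCHOR_ARN --profile-arn $HOMECLOUD_PROFILE_ARN --role-arn $HOMECLOUD_ROLE_ARN --session-duration $HOMECLOUD_SESSION_SECONDS
EOF
  chmod 600 "$1"
}

# upload_archive TAR: store directly in Deep Archive; the bucket lifecycle rule
# expires it later. Not exercised offline (needs AWS and network access).
upload_archive() {
  AWS_PROFILE=homecloud aws s3 cp "$1" "s3://$HOMECLOUD_BUCKET/$(basename "$1")" \
    --storage-class DEEP_ARCHIVE
}

main() {
  env_file=$1
  env_is_private "$env_file" || { echo "refusing to run: $env_file must be mode 600" >&2; return 1; }
  # shellcheck disable=SC1090
  . "$env_file"
  cfg="${HOMECLOUD_AWS_CONFIG:-/etc/homecloud/aws-config}"   # assumed location
  mkdir -p "$(dirname "$cfg")"
  write_aws_profile "$cfg"
  export AWS_CONFIG_FILE="$cfg"
  out="${HOMECLOUD_STAGING_DIR:-/tmp}/$(archive_name)"
  pack_borg_repo "$HOMECLOUD_BORG_DIR" "$out"
  upload_archive "$out"
  rm -f "$out"
}

# Usage: bash homecloud_backup.sh /etc/homecloud_backup.env
if [ $# -ge 1 ]; then main "$1"; fi
```

With a profile like this, `AWS_CONFIG_FILE=/etc/homecloud/aws-config AWS_PROFILE=homecloud aws sts get-caller-identity` is a quick way to confirm the trust anchor, profile and role are wired correctly before the first cron run.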
# List S3 objects stored in the Glacier Deep Archive class (prints only the StorageClass lines)
aws s3api list-objects --bucket <BUCKET_NAME> | grep "StorageClass" | grep DEEP_ARCHIVE
# Request a restore: S3 makes a temporary readable copy for 2 days; the object itself stays in DEEP_ARCHIVE.
# With the Standard tier a Deep Archive restore completes within 12 hours, with Bulk within 48 hours;
# the Expedited tier is not available for Deep Archive.
aws s3api restore-object \
--bucket <BUCKET_NAME> \
--key "borg_2025-03-11_22-50-21.tar.gz" \
--restore-request '{"Days":2, "GlacierJobParameters": {"Tier": "Standard"}}'
# Check restoration status: the Restore field reads ongoing-request="true" while in progress and
# ongoing-request="false", expiry-date="..." once the copy is readable (aws s3 cp works until that date)
aws s3api head-object --bucket <BUCKET_NAME> --key borg_2025-03-11_22-50-21.tar.gz
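As an added example (not from the original page), the helper below turns the restore procedure into something a script can drive: it classifies a Deep Archive object's state from the head-object output, extracts the expiry date, lists Deep Archive keys with a server-side JMESPath filter instead of grep, and polls until the temporary copy is readable. The bucket and key arguments are placeholders, and the three head-object responses embedded for the stand-alone run are constructed samples in the shape the AWS CLI returns.

```shell
#!/bin/sh
# Added example (not from the original page): classify a Deep Archive object's
# restore state from `aws s3api head-object` output and poll until readable.
# Bucket/key values are placeholders; the sample JSON documents are constructed.
set -e

# Constructed head-object responses (what the CLI prints in the three states)
SAMPLE_ARCHIVED='{"StorageClass":"DEEP_ARCHIVE","ContentLength":123}'
SAMPLE_IN_PROGRESS='{"Restore":"ongoing-request=\"true\"","StorageClass":"DEEP_ARCHIVE"}'
SAMPLE_RESTORED='{"Restore":"ongoing-request=\"false\", expiry-date=\"Fri, 14 Mar 2025 00:00:00 GMT\"","StorageClass":"DEEP_ARCHIVE"}'

# restore_state HEAD_OBJECT_JSON -> prints one of:
#   not-requested  no Restore field: nothing in flight, a GET fails with InvalidObjectState
#   in-progress    Restore: ongoing-request="true"
#   restored       Restore: ongoing-request="false", expiry-date=...
# StorageClass stays DEEP_ARCHIVE throughout; only a temporary copy becomes readable.
restore_state() {
  case "$1" in
    *ongoing-request=*true*)  echo in-progress ;;
    *ongoing-request=*false*) echo restored ;;
    *)                        echo not-requested ;;
  esac
}

# restore_expiry HEAD_OBJECT_JSON -> the expiry-date value, empty if none
restore_expiry() {
  printf '%s\n' "$1" | sed -n 's/.*expiry-date=\\"\([^\\]*\)\\".*/\1/p'
}

# list_deep_archive BUCKET: keys in DEEP_ARCHIVE, filtered server-side by JMESPath
list_deep_archive() {
  aws s3api list-objects-v2 --bucket "$1" \
    --query "Contents[?StorageClass=='DEEP_ARCHIVE'].Key" --output text
}

# request_restore BUCKET KEY DAYS: Standard tier (up to 12 h for Deep Archive;
# Bulk is up to 48 h; Expedited is not offered for Deep Archive)
request_restore() {
  aws s3api restore-object --bucket "$1" --key "$2" \
    --restore-request "{\"Days\":$3,\"GlacierJobParameters\":{\"Tier\":\"Standard\"}}"
}

# wait_for_restore BUCKET KEY [INTERVAL_SECONDS]: poll head-object until the
# copy is readable, then print until when; fail fast if no restore was requested.
wait_for_restore() {
  interval=${3:-600}
  while :; do
    head=$(aws s3api head-object --bucket "$1" --key "$2")
    case "$(restore_state "$head")" in
      restored)      echo "$2 readable until $(restore_expiry "$head")"; return 0 ;;
      not-requested) echo "no restore in flight for $2; call request_restore first" >&2; return 1 ;;
      in-progress)   sleep "$interval" ;;
    esac
  done
}

# Usage: sh restore_wait.sh <bucket> <key>   (then: aws s3 cp s3://<bucket>/<key> .)
if [ $# -ge 2 ]; then wait_for_restore "$1" "$2"; fi
```

Downloading the archive before the state is "restored" fails with InvalidObjectState, and the readable copy disappears after the expiry date, so a restore runbook should both poll for the state and copy the object out well before that date.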
# Misc
# check S3 bucket usage
aws s3 ls s3://<BUCKET_NAME> --recursive --human-readable --summarize
Reference: https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-migrate-from-aio-to-aio
- Install a valid SSL certificate on the server:
# Make sure that no process is running on port 80
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone
- Once the new AIO Nextcloud instance is installed, start the compose project and go to https://yourdomain.com:8443/login
- Copy the tar.gz archive of the Borg repository to the new host, extract it and place it in a directory. The extracted directory must be named borg, e.g. /mnt/borg
- On the AIO Nextcloud interface, select "Restore AIO instance":
  - enter the path of the extracted backup without the directory name itself, e.g. if the backup is placed at /mnt/borg, use /mnt
  - enter the Borg encryption password
- Change the domain (if required). Reference: https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-change-the-domain
# Replace each occurrence of the old domain with the new one inside configuration.json (the AIO mastercontainer's own config)
sudo docker run -it --rm --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config:rw alpine sh -c "apk add --no-cache nano && nano /mnt/docker-aio-config/data/configuration.json"
# The following keys live in Nextcloud's own config/config.php (inside the nextcloud_aio_nextcloud volume), not in configuration.json; update them there the same way
'overwritehost' => 'newurl.com',
'trusted_domains' => array (0 => 'localhost', 1 => 'newurl.com'),
'overwrite.cli.url' => 'https://newurl.com/',
After that, restart/start all Nextcloud containers and everything should work as expected