This repository contains instructions on how to set up a server with Ubuntu and the awesome Nextcloud. It is built with security and reliability as primary goals.
It was originally installed on a repurposed laptop and intended for home use. While this repo serves primarily as the documentation of the author's setup, it should be usable by a wider range of users without many modifications.
The main features/goals of the installed system are the following:
- Ubuntu server system, hardened with CIS level 1 server profile
- a Nextcloud instance using its AIO setup
- monitoring and alerting with Prometheus, visualization with Grafana
- encrypted backups with borg, stored on the public cloud of your choice with rclone
- nftables firewall
- reliable and automated 3-2-1 backup strategy
- low maintenance effort
If you encounter issues or have suggestions for improvement, feel encouraged to submit them via pull requests or issues, for the benefit of others!
Be aware of the following things:
- you usually need to understand what you are currently doing; just copying and pasting might or might not work
- some of the commands (like appending some text to a file) will lead to unexpected effects when executed more than once
Follow these instructions in sequence:
- Install the base operating system
- Monitoring with Prometheus and Grafana
- Install Nextcloud and backup services
It is highly recommended to execute all maintenance steps indicated below now for the first time.
Congratulations, you have your own cloud running!
I recommend setting up a monthly reminder to do the following things:
- plug in your external hard disk to sync your offline backup
- using the scripts `mount-cloud-nc-bkp.sh` & `mount-disc-nc-bkp.sh`, mount your backups, open and check a file you have edited recently (ensures that the backup is readable and up to date)
- log in to the Nextcloud admin settings overview, check for warnings & errors in the logs
- log in to your server via SSH, verify no evil warnings show up in the login welcome message, ideally do a security audit with `sudo usg audit --html-file /tmp/report.html --tailoring-file /opt/private-cloud/tailor.xml`, consider also regenerating the tailoring file with the snippet in Apply CIS security profile.
- optionally, check the consistency of one of your backups with borg check (takes a lot of time, depending on the size of your backup): `borg check --verify-data <path to local, cloud or external disk backup>`
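The "readable and up to date" check on a mounted backup can also be scripted. The following is an added example, not part of this repository; the function name, its exit codes and the example mount directory are assumptions, since the mount points used by the mount scripts are not stated here.

```shell
#!/bin/sh
# Added example (not from the repository): scripted version of the monthly
# "open and check a recently edited file" step for an already mounted backup.
# Assumption: $1 is the directory where one backup archive is mounted.

# check_backup_fresh DIR MAX_AGE_DAYS
#   0 = recent files exist and every one of them reads cleanly to the end
#   1 = no file newer than MAX_AGE_DAYS (backup is stale or empty)
#   2 = at least one recent file could not be read
#   3 = bad arguments
check_backup_fresh() {
    dir=$1
    days=$2
    case $days in
        ''|*[!0-9]*|0) echo "MAX_AGE_DAYS must be a positive integer" >&2; return 3 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 3; }

    # Up to date: is there any regular file modified less than $days days ago?
    recent=$(find "$dir" -type f -mtime "-$days" -print 2>/dev/null | head -n 1)
    if [ -z "$recent" ]; then
        echo "STALE: nothing in $dir was modified in the last $days day(s)" >&2
        return 1
    fi

    # Readable: read each recent file completely; print only those that fail.
    broken=$(find "$dir" -type f -mtime "-$days" \
        ! -exec sh -c 'cat -- "$1" >/dev/null 2>&1' _ {} \; -print 2>/dev/null)
    if [ -n "$broken" ]; then
        printf 'UNREADABLE:\n%s\n' "$broken" >&2
        return 2
    fi
    echo "OK: recent files in $dir are present and readable"
    return 0
}

# Run only when called with arguments, e.g. (hypothetical path):
#   sh check-backup.sh /mnt/nc-backup/latest 31
[ $# -eq 0 ] || check_backup_fresh "$@"
```

The function reads every recent file in full, so point it at a single archive directory rather than the root of a mount that exposes all archives.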
None. You are responsible for what you do on your system, so think and try to understand what is done and why before you type, as always. See the attached license.