Nextcloud on Ubuntu via Docker for nxt.bhatfamily.in

This repository deploys Nextcloud behind Nginx using Docker Compose. Exposed ports:

  • HTTP: 8082
  • HTTPS: 8446

Target hostname:

  • nxt.bhatfamily.in

What changed

The stack now includes:

  • Fixed Nginx mount path (nginx/nginx.conf mapped correctly)
  • Fixed MariaDB command (mariadbd)
  • Nginx reverse proxy mode for nextcloud:apache (no FastCGI mismatch)
  • Production TLS provisioning using Let's Encrypt DNS-01 with Cloudflare
  • Automated TLS renewal job support (cron)

Prerequisites

  • Ubuntu host with Docker + Docker Compose plugin (or docker-compose)
  • Domain nxt.bhatfamily.in in Cloudflare DNS
  • DNS A record for nxt pointing to your server's public IP, set to DNS-only (Cloudflare proxy disabled; the proxy does not pass ports 8082/8446)
  • Router/firewall forwarding for ports 8082 and 8446

Initial setup

  1. Create runtime env file:
cp .env.example .env
  2. Edit .env with strong values.
  3. Start stack with bootstrap TLS:
./scripts/install.sh
  4. Validate:
./scripts/test.sh

Move Nextcloud data directory to external storage

Use the migration helper to move existing data to a host path and switch the app to a bind mount. Default target:

  • /media/rbhat/DATA/nextcloud/NextCloudData

Run migration:
./scripts/migrate-data-directory.sh /media/rbhat/DATA/nextcloud/NextCloudData

What the script does:

  • enables maintenance mode
  • copies current /var/www/html/data content to target directory
  • applies owner/group and permissions for Nextcloud (www-data)
  • updates docker-compose.yml app volume with ...:/var/www/html/data
  • recreates app and web services
  • disables maintenance mode and verifies the mount

Rollback (if needed):
  1. Remove the :/var/www/html/data bind mount line from app volumes in docker-compose.yml.
  2. docker compose up -d app web
  3. Confirm status:
docker exec --user www-data nextcloud-app php occ status
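An illustrative version of the migration, added here as an example; it is not the repository's scripts/migrate-data-directory.sh. It assumes the container is named nextcloud-app, the compose services are app and web, the compose file is ./docker-compose.yml, and www-data is uid/gid 33 (true for the Debian-based nextcloud:apache image). The compose edit is done with awk and is idempotent; the rest shells out to docker and occ:

```shell
#!/bin/sh
# Illustrative data-directory migration, written for this README as an example.
# It is not the repository's scripts/migrate-data-directory.sh. Assumed names:
# app container "nextcloud-app", compose services "app" and "web",
# compose file ./docker-compose.yml, www-data = uid/gid 33 (Debian-based image).
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
APP_CONTAINER="${APP_CONTAINER:-nextcloud-app}"
NC_DATA="/var/www/html/data"

occ() {
    # occ must run as the web user, otherwise it refuses to start
    docker exec --user www-data "$APP_CONTAINER" php occ "$@"
}

has_data_bind_mount() {
    # 0 if the compose file already maps a host path onto $NC_DATA
    grep -q -- ":$NC_DATA\$" "$1"
}

add_data_bind_mount() {
    # Insert "- <target>:/var/www/html/data" directly under the app service's
    # volumes: key. Idempotent, so a re-run cannot add a duplicate mount.
    if has_data_bind_mount "$1"; then
        return 0
    fi
    awk -v mount="      - $2:$NC_DATA" '
        /^  [A-Za-z0-9_-]+:$/ { in_app = ($1 == "app:") }   # track which service we are in
        { print }
        in_app && /^    volumes:$/ { print mount }
    ' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

migrate() {
    target="$1"
    # Block writes while files are copied; on any failure, switch maintenance
    # mode off again so the instance is not left locked.
    occ maintenance:mode --on
    trap 'occ maintenance:mode --off >/dev/null 2>&1 || true' EXIT
    mkdir -p "$target"
    # "/." copies the directory contents including hidden files; .ocdata must
    # come along or Nextcloud refuses to use the new directory.
    docker cp "$APP_CONTAINER:$NC_DATA/." "$target/"
    chown -R 33:33 "$target"
    chmod 0750 "$target"
    add_data_bind_mount "$COMPOSE_FILE" "$target"
    docker compose up -d app web
    # Verify the container really has the host path mounted before reopening
    docker inspect -f '{{range .Mounts}}{{.Source}} -> {{.Destination}}{{println}}{{end}}' \
        "$APP_CONTAINER" | grep -F -- "$target -> $NC_DATA"
    occ maintenance:mode --off
    occ status
}

if [ "$#" -gt 0 ]; then
    migrate "$1"
fi
```

Run it as root on the host (chown needs it) and only onto a filesystem with POSIX ownership such as ext4 or xfs: on NTFS or exFAT the chown fails or is ignored and Nextcloud will refuse the directory. If the run aborts after maintenance mode was enabled, the EXIT trap turns it off again; confirm with occ status.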

Production TLS (Let's Encrypt + Cloudflare DNS-01)

  1. Export credentials in the shell (or source ~/bin/cloudflare-api-usertoken.sh, which keeps the token out of shell history):
export CF_DNS_API_TOKEN={{CF_DNS_API_TOKEN}}
export LETSENCRYPT_EMAIL={{LETSENCRYPT_EMAIL}}
  2. Issue/renew and install production cert:
./scripts/provision-production-tls.sh
  3. Reload Nginx container:
docker compose restart web
  4. Verify cert:
echo | openssl s_client -connect nxt.bhatfamily.in:8446 -servername nxt.bhatfamily.in 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Automated renewal job (cron)

  1. Ensure your Cloudflare token export script exists (default path used by the renewal wrapper):
  • ~/bin/cloudflare-api-usertoken.sh
  2. Install/update renewal cron entry:
./scripts/setup-renewal-cron.sh

This script will:

  • create/update .tls-renewal.env (local only, not committed)
  • install a daily cron job (03:17 by default)
  • write logs to logs/tls-renew.log

  3. Manual renewal run (same path cron uses):
./scripts/renew-production-tls.sh
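A wrapper of the kind the cron entry calls, added here as an example; it is not the repository's scripts/renew-production-tls.sh. It assumes ~/bin/cloudflare-api-usertoken.sh exports CF_DNS_API_TOKEN, .tls-renewal.env exports LETSENCRYPT_EMAIL, scripts/provision-production-tls.sh writes the live chain to nginx/ssl/fullchain.pem, and the Nginx service is named web. It refuses to run with a placeholder token, skips the ACME round trip while the cert has more than 30 days left, and restarts Nginx only when the on-disk cert actually changed:

```shell
#!/bin/sh
# Illustrative renewal wrapper for the cron job above, added for this README.
# It is not the repository's scripts/renew-production-tls.sh. Assumptions:
# ~/bin/cloudflare-api-usertoken.sh exports CF_DNS_API_TOKEN, .tls-renewal.env
# exports LETSENCRYPT_EMAIL, scripts/provision-production-tls.sh writes the
# live chain to nginx/ssl/fullchain.pem, and the Nginx service is named "web".
set -eu

REPO_DIR="${REPO_DIR:-$PWD}"
TOKEN_SCRIPT="${TOKEN_SCRIPT:-$HOME/bin/cloudflare-api-usertoken.sh}"
CERT="${CERT:-$REPO_DIR/nginx/ssl/fullchain.pem}"
LOG="${LOG:-$REPO_DIR/logs/tls-renew.log}"
RENEW_WITHIN_DAYS=30    # Let's Encrypt certs last 90 days; renew in the last third

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

is_placeholder() {
    # True for an empty value or one copied verbatim from this README, e.g. {{CF_DNS_API_TOKEN}}
    case "$1" in
        ""|"{{"*"}}") return 0 ;;
        *) return 1 ;;
    esac
}

require_secret() {
    # require_secret NAME: fail closed rather than send a placeholder to Cloudflare
    eval "secret_value=\${$1:-}"
    if is_placeholder "$secret_value"; then
        echo "$1 is unset or still a template placeholder" >&2
        return 1
    fi
}

cert_fingerprint() {
    # SHA-256 fingerprint of the leaf cert, or "none" when no cert is installed yet
    if [ ! -f "$1" ]; then
        echo none
        return 0
    fi
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

cert_needs_renewal() {
    # 0 when the cert is missing or expires within RENEW_WITHIN_DAYS
    [ -f "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend "$((RENEW_WITHIN_DAYS * 86400))"
}

renew() {
    mkdir -p "$(dirname "$LOG")"
    # Secrets live outside the repo and outside the crontab line: source, never inline
    . "$TOKEN_SCRIPT"
    if [ -f "$REPO_DIR/.tls-renewal.env" ]; then
        . "$REPO_DIR/.tls-renewal.env"
    fi
    require_secret CF_DNS_API_TOKEN
    require_secret LETSENCRYPT_EMAIL
    if ! cert_needs_renewal "$CERT"; then
        log "cert valid for more than $RENEW_WITHIN_DAYS days, nothing to do"
        return 0
    fi
    before=$(cert_fingerprint "$CERT")
    "$REPO_DIR/scripts/provision-production-tls.sh" >> "$LOG" 2>&1
    after=$(cert_fingerprint "$CERT")
    # Only bounce Nginx when the on-disk cert actually changed
    if [ "$before" != "$after" ]; then
        log "installed new cert $after, restarting web"
        (cd "$REPO_DIR" && docker compose restart web) >> "$LOG" 2>&1
    else
        log "provisioning ran but cert unchanged ($after)"
    fi
}

if [ "${1:-}" = "renew" ]; then
    renew
fi
```

Call it from the crontab as `REPO_DIR=/path/to/repo /path/to/wrapper.sh renew`. Cron runs with a minimal PATH, so set PATH in the crontab if docker or openssl live outside /usr/bin.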

Admin password reset

List existing users:

docker exec --user www-data nextcloud-app php occ user:list

Reset password using helper script (interactive prompt):

./scripts/reset-admin-password.sh admin

Reset password non-interactively (for automation):

NEW_NEXTCLOUD_PASSWORD={{NEW_NEXTCLOUD_PASSWORD}} ./scripts/reset-admin-password.sh admin

You can target a different username by passing it as the first argument.

Useful commands

Start/update containers:

docker compose up -d

Restart all services:

docker compose restart

Restart web only:

docker compose restart web

Stop and remove containers/volumes:

./scripts/uninstall.sh

Security notes

  • .env, .tls-renewal.env, and runtime cert material under nginx/ssl are intentionally ignored by Git.
  • If secrets were ever committed earlier, rotate them.
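A check that turns the two notes above into something you can run, added here as an example and not part of the repository. It assumes the cert files are nginx/ssl/fullchain.pem and nginx/ssl/privkey.pem (set SECRET_PATHS otherwise) and that git is on PATH for the history check:

```shell
#!/bin/sh
# Added example for this README, not part of the repository: confirms the
# secret-bearing files named in the security notes are ignored by git and
# reports whether any of them were ever committed. File names under nginx/ssl
# are assumed (fullchain.pem, privkey.pem); adjust SECRET_PATHS to match yours.
set -eu

SECRET_PATHS="${SECRET_PATHS:-.env .tls-renewal.env nginx/ssl/fullchain.pem nginx/ssl/privkey.pem}"

gitignore_covers() {
    # gitignore_covers IGNOREFILE PATH: 0 if a pattern in IGNOREFILE matches PATH.
    # Handles the common forms (exact name, glob, trailing "/" directory rule) and
    # skips "!" negations, so it is an approximation; with git available,
    # `git check-ignore -v PATH` is the authority.
    ignorefile="$1"; path="$2"
    while IFS= read -r pat || [ -n "$pat" ]; do
        case "$pat" in ""|"#"*|"!"*) continue ;; esac
        pat="${pat#/}"                 # PATH is already repo-relative, so drop a root anchor
        case "$pat" in
            */) case "$path" in "$pat"*|*/"$pat"*) return 0 ;; esac ;;
        esac
        case "$path" in
            $pat|*/$pat) return 0 ;;   # unquoted on purpose: the ignore line acts as a glob
        esac
    done < "$ignorefile"
    return 1
}

committed_in_history() {
    # Print each path that appears in any commit on any branch; a file later
    # deleted from the tree is still recoverable from history.
    for p in "$@"; do
        if [ -n "$(git log --all --oneline -- "$p" 2>/dev/null)" ]; then
            echo "$p"
        fi
    done
}

main() {
    rc=0
    for p in $SECRET_PATHS; do
        if gitignore_covers .gitignore "$p"; then
            echo "ignored:     $p"
        else
            echo "NOT ignored: $p" >&2
            rc=1
        fi
    done
    leaked=$(committed_in_history $SECRET_PATHS)
    if [ -n "$leaked" ]; then
        printf 'found in git history, rotate these secrets:\n%s\n' "$leaked" >&2
        rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "check" ]; then
    main
fi
```

Run it from the repository root as `./check-secrets.sh check` (any name works). A path reported in history means the secret is recoverable from every clone, so rotate it even after the file has been removed; rewriting history does not make an already-pulled value secret again.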