I recently wanted to install Nextcloud. I wanted to use containers because I like when things are very organized and each thing is in its own little box, rather than scattered across the system.
However, I saw that the official method with Docker was using the Docker socket, meaning that this Nextcloud container has direct access to Docker itself and can interact with containers other than its own.
I don't want this. I want to use Podman (which is rootless), and I want Nextcloud to be able to access only its own containers.
Quick note: This tutorial was tested on a blank Debian 12 virtual machine with the unstable source enabled and SSH installed. The test was made on 2nd July 2025. At the time of writing, the Nextcloud AIO version was v11.2.1, the Nextcloud version was v31.0.6 and the Podman version was v5.4.2.
Why this method
- Nextcloud's official installation method
- Very complete, AIO can automatically set up office, Talk, high performance backend for NC Talk, etc.
- Fast and easy
- Rootless configuration (more secure)
- Isolated from the rest of your containers and system. Unlike in the official instructions, Nextcloud won't be able to interact with containers other than its own.
- Great for trying out Nextcloud quickly locally, even if you can't open the ports of your router or don't have any domain name
Requirements
Before starting, we obviously need Podman to be installed. If you're doing this from your home network and can't (or don't want to) open the ports of your router, you might also want to install localtunnel.
On Debian unstable (sid), installing Podman is very easy.
sudo apt install podman
The version of Podman on the stable branch is quite outdated and I've had a lot of trouble making it work, so I recommend using sid instead.
For localtunnel, I personally prefer to use bun rather than install Node.js (because bun is a lot lighter):
sudo apt install unzip
curl -fsSL https://bun.sh/install | bash
source ~/.bashrc
# The command to run localtunnel now is:
bun x localtunnel # args go here
Create a dedicated Nextcloud user to isolate it
Create a dedicated nextcloud user for isolation and enable lingering so its services keep running without an open login session:
sudo useradd -m nextcloud
sudo loginctl enable-linger nextcloud
Open a shell as that new user and move to its home directory:
sudo -u nextcloud bash
cd
Enable the Podman API socket for that user:
XDG_RUNTIME_DIR=/run/user/$(id -u) systemctl --user enable --now podman.socket
Install Nextcloud
Please note that containers cannot directly contact the host. Here it's not an issue, since localtunnel acts as a reverse proxy on a different IP, but if you use a reverse proxy on the same IP, you'll need to add the option
--add-host your.domain.name:host-gateway
to let the container access it.
This command is based on the official AIO instructions. You can find them here: https://nextcloud.com/install/aio and here: https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
I simply added --network bridge so that it can access the other containers it creates (all in the same network) and changed the path of the Docker socket to Podman's socket.
podman run \
  --init \
  --sig-proxy=false \
  --name nextcloud-aio-mastercontainer \
  --restart always \
  --publish 8080:8080 \
  --env APACHE_PORT=11000 \
  --env APACHE_IP_BINDING=0.0.0.0 \
  --env APACHE_ADDITIONAL_NETWORK="" \
  --env SKIP_DOMAIN_VALIDATION=false \
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  --volume /run/user/$(id -u)/podman/podman.sock:/var/run/docker.sock:ro \
  --network bridge \
  ghcr.io/nextcloud-releases/all-in-one:latest
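The isolation in this setup depends entirely on which socket ends up mounted at /var/run/docker.sock. The following check is an added example, not part of the original tutorial or of Nextcloud AIO: the function names are hypothetical, the sample inputs are constructed, and the nextcloud-aio- name prefix is an assumption based on the mastercontainer name above.

```shell
#!/bin/sh
# Classify the host side of a "--volume SRC:/var/run/docker.sock[:opts]" mount.
# $1 = volume spec, $2 = UID of the dedicated account, e.g. "$(id -u nextcloud)"
classify_socket_mount() {
    spec=$1
    want_uid=$2
    src=${spec%%:*}        # host path: text before the first colon
    dst=${spec#*:}         # container path, possibly followed by options
    dst=${dst%%:*}         # drop mount options such as ":ro"
    if [ "$dst" != "/var/run/docker.sock" ]; then
        echo "not-a-socket-mount"
        return 0
    fi
    case "$src" in
        /var/run/docker.sock|/run/docker.sock)
            echo "rootful-docker" ;;        # full control of the Docker daemon
        /run/podman/podman.sock|/run/user/0/podman/podman.sock)
            echo "rootful-podman" ;;        # root's Podman service
        "/run/user/$want_uid/podman/podman.sock")
            echo "rootless-dedicated" ;;    # the setup this tutorial aims for
        /run/user/*/podman/podman.sock)
            echo "rootless-other-user" ;;   # exposes another user's containers
        *)
            echo "unknown" ;;
    esac
}

# Read container names (one per line) on stdin and print those outside the
# expected prefix. On a real host, run as the nextcloud user:
#   podman ps -a --format '{{.Names}}' | foreign_containers
foreign_containers() {
    grep -v '^nextcloud-aio-' || true
}

# Constructed sample inputs. 1001 stands in for the nextcloud user's UID.
classify_socket_mount '/run/user/1001/podman/podman.sock:/var/run/docker.sock:ro' 1001
classify_socket_mount '/var/run/docker.sock:/var/run/docker.sock:ro' 1001
printf 'nextcloud-aio-apache\nvaultwarden\n' | foreign_containers
```

The :ro option on a socket mount only protects the socket file itself; anything that can connect to it can still send API requests that create, stop or remove containers. The containment here comes from the socket belonging to the dedicated rootless user, not from the read-only flag.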
Create a tunnel to Nextcloud to automatically encrypt the traffic, get a domain name and forward the traffic without needing to open the ports of the router
This is only for quick testing and should not be used in production. Use a proper reverse proxy instead for production. This command requires localtunnel to be installed.
lt --port 11000
# or if you used bun like me to install localtunnel:
bun x localtunnel --port 11000
Go to https://localhost:8080 and specify your domain name, timezone and apps (I personally disabled Collabora though, as I prefer to use OnlyOffice). Disable it as well if you want to use OnlyOffice.
If you're following these instructions on a remote server, you can use SSH port forwarding as such:
ssh -L 8080:localhost:8080 <your usual ssh things>
It will launch what looks like a usual SSH session, but as a bonus you'll also be able to access that localhost:8080 from your own machine! So you can now just open https://localhost:8080 in your browser and it should work :)
Once you're done, you can click on the "Start containers" button and wait a few minutes for everything to finish. Then you can use the credentials provided by the page to log in as admin on your new instance.
If you use localtunnel you'll have to provide a password the first time you access it. This password is actually the public IP address of the host. You can find a link to get it below on the page.
The configuration of OnlyOffice is not directly in the UI because the Nextcloud AIO team wanted to offer only one choice of office suite (better defaults instead of more choice, they said).
However, I personally prefer OnlyOffice, as it's much faster and more compatible with stinky MS Office documents. You can enable it by running this command.
podman unshare sed -i 's/isOnlyofficeEnabled": 0/isOnlyofficeEnabled": 1/g' ~/.local/share/containers/storage/volumes/nextcloud_aio_mastercontainer/_data/data/configuration.json
Restart the containers from the web interface.
Go to the admin panel, change your password, then go into OnlyOffice and click on save. You might also want to enable the odt, ods and odp extensions to be able to edit LibreOffice files.
If you want to disable things or get more features, go into the "Apps" section. You can now proceed to go through the settings and app to customize your cloud.
If you want to remove Nextcloud (and all its data)
WARNING!!! This will delete all the data of Nextcloud, not just the image and containers
First, stop the session of the new user
sudo loginctl disable-linger nextcloud
Remove the user
sudo userdel nextcloud
Remove all of its files
sudo rm -rf /home/nextcloud