Nextcloud is one of the most popular self-hosted platforms out there, and for good reason. It gives you file sync, calendars, contacts, office document editing, video calls, and a whole ecosystem of apps, all running on your hardware. Think of it as your own private Google Workspace or iCloud replacement.

We're going to set up Nextcloud using the official All-in-One (AIO) Docker image on Ubuntu Server, get storage sorted out (whether you're using a simple Docker volume or mounting network storage like NFS or SMB), install a NetBird client on the machine, and expose it securely through NetBird's built-in reverse proxy with automatic TLS. No port forwarding, no Nginx configs, no Cloudflare tunnels.

Prerequisites

Before we dive in, here's what you'll need:

• An Ubuntu server (bare metal or VM) with at least 2 CPU cores and 4 GB of RAM. Nextcloud AIO runs several containers (database, Redis, Apache, the Nextcloud app itself), so give it some headroom.
• Docker installed. If you haven't done that yet, I have a full getting started with Docker guide that covers installation, post-install setup, and the basics. The quick version:

• A self-hosted NetBird instance with the reverse proxy enabled. If you don't have that set up, follow the self-hosting NetBird with Authentik guide first. That covers the full install, reverse proxy setup, and identity provider configuration.
• A domain configured in your NetBird reverse proxy. We'll set this up in a later step, but make sure you have a domain ready to go in your NetBird dashboard.

Planning Your Storage

This is the part where you want to stop and think before you start deploying containers. Nextcloud stores user files, and those files can get large fast. Where you put that data matters.

Option 1: Docker Volume (Simple)

The easiest option. Nextcloud AIO manages its own Docker volumes by default. Your data lives in on the host. This works great if your Ubuntu server has enough local disk space and you just want to get up and running.

The downside is that Docker volumes can be harder to browse and back up compared to a regular directory. If you're running this on a machine with a single disk and don't plan on storing terabytes of files, this is totally fine though.

Option 2: Custom Directory with NFS or SMB Mount

If you have a NAS or dedicated storage server, you probably want Nextcloud's data living there instead of on the local disk. The way to do this is to mount your network share on the Ubuntu host and then tell Nextcloud AIO to use a folder on that mount as its data directory.

First, install the packages you need for your mount type:

For NFS:

For SMB/CIFS:

Create a mount point on your system:

Then add the mount to so it persists across reboots.

NFS fstab entry:

SMB fstab entry:

For SMB, create that credentials file so your password isn't sitting in fstab:

Then lock it down:

Mount everything:

Verify it's mounted:

Now create the folder that Nextcloud will use:

This path is what we'll pass to the AIO container later. Do note that the folder needs to exist before you start the container, otherwise AIO will throw an error.

Setting Up the NetBird Peer

We need a NetBird client running on the Ubuntu machine so it's reachable through your NetBird network. The reverse proxy will use this peer to route traffic to Nextcloud.

Create a Setup Key

In your NetBird dashboard, go to Setup Keys > Add Setup Key. Give it a name like "Nextcloud Server" and copy the key.

Install and Connect the NetBird Client

Install the NetBird client on your Ubuntu server:

Now connect it to your self-hosted instance using the setup key:

Replace with the key you just created and update the management URL to match your NetBird domain.

Check that it's connected:

You should see the peer connected and an IP assigned. Head over to your NetBird dashboard and confirm the peer shows up under Peers. Note the peer's NetBird IP address, you'll need it for the reverse proxy configuration.

Configuring the Domain

Now let's set up the domain in NetBird's reverse proxy so Nextcloud will be accessible at something like .

1. In the NetBird dashboard, go to Reverse Proxy > Services > Add Service

2. Enter a subdomain like and select your domain

3. Click Add Target and configure:

   • Peer: Select your Nextcloud server peer
   • Protocol: HTTP
   • Port:

4. Still in the target settings, open Optional Settings and add these custom headers:

   • →
   • →
   • →

   These matter for Nextcloud specifically. The buffer size handles chunked uploads more efficiently, setting max body size to removes the upload size limit entirely (otherwise large file uploads will fail), and the read timeout gives long-running uploads a full 24 hours before timing out.

1. Click Add Target to save
2. Under the Authentication tab, leave all methods disabled. Nextcloud handles its own auth, and you can connect OIDC providers directly through Nextcloud's admin settings. Enabling proxy-level authentication will break connections from the Nextcloud mobile and desktop apps, since they can't handle an auth layer sitting in front of the actual Nextcloud instance.
3. Under Access Control, you can optionally add geo-restriction rules. For example, you could add a rule to only allow access from your country. This isn't required but it's a nice extra layer if you know you'll only ever access Nextcloud from specific locations.
4. Before saving, make sure Pass Host Header and Rewrite are both enabled. Nextcloud needs the original host header to validate trusted domains, and the rewrite ensures requests are forwarded correctly.
5. Click Add Service

The port is important here. Nextcloud AIO runs its Apache container on this port by default when configured for use behind a reverse proxy. This is the port that serves the actual Nextcloud interface, not the AIO admin panel.

NetBird will provision a TLS certificate for the domain automatically. Once the service shows as active, the domain is ready. But we haven't started Nextcloud yet, so let's do that.

Creating the Nextcloud Stack

Create a directory for Nextcloud on your server:

Create the Docker Compose file:

You can find the official reference compose file from Nextcloud at github.com/nextcloud/all-in-one . The compose above is tailored for a NetBird reverse proxy setup, but check the official one for the latest options and defaults.

A few things to note about what's going on here:

• tells AIO to expose the Nextcloud Apache container on port 11000 instead of the default 443. This is what the NetBird reverse proxy is pointed at.
• is the NetBird IP range. Since traffic hits Nextcloud through the NetBird reverse proxy, you need to tell AIO to trust that network so it correctly identifies client IPs instead of seeing everything as coming from the proxy.
• sets where Nextcloud stores user files. Point this to the directory on your mount if you're using NFS/SMB, or remove this line entirely to use the default Docker volume.
• and control the max upload size and timeout. The values here are generous to support large file uploads.
• enables hardware transcoding via Intel QuickSync. If your server doesn't have an Intel GPU, you can remove this line.
• can be set to if AIO has trouble validating your domain through the reverse proxy. Try first, and only flip it if domain validation fails during setup.
• exposes the Talk container for video calls on this port.
• The Docker socket mount () is required because the master container manages other containers. It spins up the database, Redis, Apache, and the Nextcloud app containers on its own.

Now start it up:

Give it a minute to pull the images. You can watch the logs with:

Initial Nextcloud AIO Setup

Once the master container is running, access the AIO admin interface at . You'll get a self-signed certificate warning since this is the local admin panel, go ahead and accept it.

Note: The AIO interface on port 8080 is only for initial setup and administration. The actual Nextcloud instance that your users access goes through the NetBird reverse proxy on your configured domain.

On first load, AIO gives you a passphrase. Save this somewhere safe. You'll need it to access the AIO admin panel in the future.

Log in with the passphrase and you'll see the AIO dashboard.

From here you can:

1. Verify the domain shows your configured domain (e.g., )
2. Confirm the NetBird IP range () shows up under trusted proxies. We already set this in the compose file via , so it should be populated automatically. If it's not, add it here manually.
3. Select which optional containers you want (Collabora for document editing, Talk for video calls, Imaginary for image previews, and so on)
4. Click Start containers to deploy everything

AIO will pull and start all the selected containers. This can take a few minutes depending on your internet connection and how many optional containers you enabled. Once everything is green, Nextcloud is running.

Now go to in your browser. You should see the Nextcloud login page, served over HTTPS through your NetBird network. The initial admin credentials are shown in the AIO admin interface, so grab those and log in.

Change Your Admin Password

The first thing you should do after logging in is change the auto-generated admin password. Go to your profile in the top right, click Administration Settings, then navigate to Security. Enter the current password and set a new one that's strong and something you'll actually remember. Don't skip this — the default password is long, random, and easy to lose track of.

And there we go. Nextcloud is running, storage is sorted, and it's accessible through a secure WireGuard tunnel with automatic TLS. No ports exposed to the public internet, no complex reverse proxy configs.

Closing the Admin Port

Once you've confirmed everything is working, you can optionally firewall port 8080 on the Ubuntu server so the AIO admin panel isn't accessible from the local network. You'll still be able to reach it if you need to by temporarily opening the port or SSHing in with a tunnel:

Then access it at from your local machine.

What's Next

From here, there's a lot you can do with Nextcloud:

• Install mobile and desktop clients from nextcloud.com/install and point them at your domain
• Enable two-factor authentication in Nextcloud's security settings
• Set up Collabora or OnlyOffice through the AIO interface for browser-based document editing
• Configure external storage within Nextcloud to connect additional SMB/NFS shares, S3 buckets, or FTP servers

The combination of Nextcloud AIO handling the application stack and NetBird handling the networking means you get a production-ready setup without the usual headaches of certificate management, port forwarding, and reverse proxy configuration. I do hope this guide was helpful. Have a great one.