
Nextcloud All-in-One Docker Tutorial 2026: Full Setup & Auto HTTPS

2026 guide to deploying Nextcloud All-in-One with Docker. Covers master container, HTTPS reverse proxy, backups, hardening, and troubleshooting. Includes ready-to-use docker-compose and Caddy configs for your personal cloud.

By Selfhostr Team · independent tests
Minimum requirements

  • Min. RAM: 4 GB
  • Min. Disk: 40 GB
  • Min. CPU: 2 vCPUs
  • OS: Ubuntu 24.04

👍 What we like

  • Single Docker image automates complex component orchestration
  • Built-in backup capabilities for data safety
  • Centralized web admin interface on port 8080
  • Officially recommended by Nextcloud team for 2026

👎 What to watch

  • Requires 4 GB RAM minimum, limiting low-spec VPS usage
  • Needs manual DNS configuration and propagation wait
  • Requires opening ports 80, 443, and 8080 temporarily
  • Depends on external reverse proxy for HTTPS termination

Take back control of your files, calendar, and contacts without relying on Google Drive or Dropbox: this is exactly what Nextcloud allows. However, the “manual” installation of Nextcloud has long been a headache, with its database, Redis cache, PHP-FPM server, cron, antivirus, and search engine to orchestrate one by one. In 2026, the Nextcloud team officially recommends Nextcloud All-in-One (AIO): a master Docker image that automatically deploys and maintains all these components for you.

In this tutorial, we deploy Nextcloud AIO on a VPS, place it behind a clean HTTPS reverse proxy, enable built-in backups, and harden the entire setup. By the end, you will have a complete, TLS-encrypted personal cloud with a dedicated subdomain, ready to sync your devices.

Prerequisites

  • A secure VPS running Ubuntu 24.04 LTS (or Debian 12), with at least 2 vCPUs, 4 GB of RAM, and 40 GB of disk space (Nextcloud AIO spins up multiple containers). A provider like Hetzner offers CX22/CPX21 instances perfectly sized for this use case. If your server is not yet configured, follow our guide to install and secure an Ubuntu VPS first.
  • Docker and Docker Compose installed (installation command in Step 1).
  • A domain name for which you control the DNS. We will use cloud.example.com as the example subdomain.
  • Ports 80 and 443 open on the UFW firewall (for Let’s Encrypt validation and HTTPS traffic), as well as port 8080 temporarily for the AIO admin interface.
  • Ideally, a reverse proxy already in place. We will show the Caddy configuration; the principle is identical with Traefik or Nginx Proxy Manager.

Step 1: Install Docker

If Docker is not present, install it from the official repository (Ubuntu repository versions are often outdated):

sudo apt update
sudo apt install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Verify:

docker --version && docker compose version

Step 2: Point the DNS

At your DNS provider, create an A record (and AAAA if IPv6) pointing your subdomain to the VPS IP:

Type   Name                Value
A      cloud.example.com   203.0.113.10

Check propagation:

dig +short cloud.example.com

The command should return your VPS IP. Until this is the case, certificate issuance will fail.

Step 3: Understand the AIO Architecture

Nextcloud AIO revolves around a master container (nextcloud-aio-mastercontainer). You do not configure the database or Redis yourself: the master orchestrates all “child” containers (Nextcloud, PostgreSQL, Redis, Apache, the transcoding service, optional ClamAV antivirus, Collabora Office, etc.) and manages their updates. You interact with it via a web administration interface exposed on port 8080.

There are two deployment modes. The most robust for production is to let AIO manage its own internal Apache listening on a high port, then place your reverse proxy in front. This is the mode we adopt here, as it allows you to share Caddy with your other services.

Step 4: Launch the AIO Master Container

Create a working directory and the composition file:

mkdir -p ~/nextcloud-aio && cd ~/nextcloud-aio
nano docker-compose.yml

Contents of docker-compose.yml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer
    restart: always
    ports:
      - "8080:8080"
    environment:
      # Internal port on which AIO's Apache will listen (behind our proxy)
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      # Public domain served by the reverse proxy
      NC_DOMAIN: cloud.example.com
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

Key points:

  • APACHE_PORT: 11000 and APACHE_IP_BINDING: 127.0.0.1 tell AIO to expose Nextcloud only locally, on port 11000. Your reverse proxy will handle TLS and public exposure.
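  • The read-only mount of /var/run/docker.sock is essential: this is how the master container orchestrates child containers. The :ro flag only protects the socket file itself; it does not restrict Docker API calls, so the master container has full control of the host's Docker daemon, which is equivalent to root on the host. Protect access to the AIO interface accordingly.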
  • The named volume nextcloud_aio_mastercontainer stores the configuration; never delete it without a backup.

Launch:

docker compose up -d

Step 5: Configure the HTTPS Reverse Proxy (Caddy)

AIO now serves Nextcloud on 127.0.0.1:11000. We place Caddy in front to get automatic Let’s Encrypt certificates. In your Caddy folder, add this block to the Caddyfile:

cloud.example.com {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }
    reverse_proxy 127.0.0.1:11000
}

If Caddy runs in a container, ensure it can reach the host. The simplest method: start Caddy with network_mode: host, or use host.docker.internal depending on your configuration. For a new setup, follow our dedicated tutorial on setting up an automatic HTTPS reverse proxy with Caddy and Docker.

Reload Caddy without downtime:

docker compose exec caddy caddy reload --config /etc/caddy/Caddyfile

Common pitfall: never place Nextcloud AIO behind a proxy that terminates TLS itself without passing X-Forwarded-* headers. Caddy passes them natively; with Nginx, explicitly add proxy_set_header X-Forwarded-Proto https;.

Step 6: Finalize via the AIO Admin Interface

Open https://VPS-IP:8080 in your browser (accept the self-signed certificate warning, which is normal for this technical interface). AIO displays a master password of 16 words: note it carefully, as it is used to regain control of the instance.

In the interface:

  1. Enter the domain cloud.example.com and launch verification: AIO checks that the domain points to the server and that the proxy responds.
  2. Choose the optional containers to activate: Collabora (online office suite), Talk (video conferencing), ClamAV antivirus, full-text indexing, local AI. Only activate what you need to preserve RAM.
  3. Click Download and start containers. AIO downloads and starts the entire stack. Expect a few minutes.

Once finished, the interface displays the initial Nextcloud admin credentials. Go to https://cloud.example.com: your cloud is online, over HTTPS, with a valid padlock.

Step 7: Harden the Installation

  • Close port 8080 to the public. The AIO interface should only be accessible for maintenance. Restrict it with UFW:

    sudo ufw deny 8080

    You can access it temporarily via an SSH tunnel: ssh -L 8080:localhost:8080 user@your-vps, then https://localhost:8080.

  • Enforce HSTS (already done in the Caddyfile above) and check the TLS rating on SSL Labs: aim for A+.

  • Enable server-side encryption in Nextcloud only if you store data on an untrusted external backend; otherwise, leave it disabled to avoid increasing I/O overhead.

  • Configure recommended headers. Nextcloud flags missing headers in Administration → Overview; AIO handles most of them, but check this panel after installation.

  • Keep updated. AIO offers an update button in its interface; schedule a weekly window and perform the update after verifying the backup.
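
Added check, not part of the original tutorial: Docker inserts its own iptables rules for published ports, and they are evaluated before UFW's, so sudo ufw deny 8080 by itself does not block a port published as "8080:8080". The function below (public_ports, a name chosen for this example) reads docker ps output and lists host ports bound to all interfaces; the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: list container ports that Docker publishes on all interfaces.
# Input: one line per container, "<name><TAB><ports>", as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# public_ports: reads such lines on stdin and prints "<name> <host-port>" for
# every mapping bound to 0.0.0.0 or [::] (older Docker prints the latter as :::).
public_ports() {
    awk -F'\t' '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # "80/tcp" with no "->" is exposed inside Docker only, not published.
            if (maps[i] !~ /->/) continue
            split(maps[i], side, "->")
            host = side[1]                      # e.g. "0.0.0.0:8080"
            if (host ~ /^(0\.0\.0\.0|\[::\]|:::)/) {
                sub(/^.*:/, "", host)           # keep the host port only
                key = $1 " " host
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }
    }'
}

# Constructed sample (not captured from a real host): the compose file above
# before hardening, plus a child container bound to loopback by APACHE_IP_BINDING.
SAMPLE_BEFORE=$(printf '%s\t%s\n' \
    'nextcloud-aio-mastercontainer' '80/tcp, 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp' \
    'nextcloud-aio-apache' '127.0.0.1:11000->11000/tcp' \
    'nextcloud-aio-database' '5432/tcp')

# Constructed sample after rebinding the admin port to loopback.
SAMPLE_AFTER=$(printf '%s\t%s\n' \
    'nextcloud-aio-mastercontainer' '80/tcp, 127.0.0.1:8080->8080/tcp' \
    'nextcloud-aio-apache' '127.0.0.1:11000->11000/tcp')

echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | public_ports)"
echo "after:  $(printf '%s\n' "$SAMPLE_AFTER" | public_ports)"
```

On the server, feed it live data with docker ps --format '{{.Names}}\t{{.Ports}}' | public_ports. If the master container appears in the output, change its mapping in docker-compose.yml to "127.0.0.1:8080:8080", run docker compose up -d again, and reach the interface through the SSH tunnel described in this step.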

Step 8: Built-in Backup

AIO’s major asset is its native backup based on BorgBackup, managed from the admin interface. In the Backup and restore panel:

  1. Specify a destination directory on a separate volume (ideally a network drive or external mount point), for example /mnt/backup.
  2. AIO cleanly stops the containers, creates a deduplicated and encrypted Borg archive, then restarts everything.
  3. Schedule an automatic daily backup and note the displayed Borg encryption key: without it, restoration is impossible.

For a truly resilient strategy, copy these Borg archives to off-site object storage (Backblaze B2, Wasabi). Our tutorial on automatic encrypted backup with restic and Backblaze details a complementary off-site approach applicable to AIO’s backup folder.

Troubleshooting

  • “Domain does not point to this server.” DNS is not propagated or port 443 is filtered. Check dig +short cloud.example.com and sudo ufw status. If you are behind Cloudflare in proxy mode (orange cloud), disable it temporarily for validation.
  • HTTPS redirect loop. Your reverse proxy is not passing X-Forwarded-Proto: https. With Caddy this is automatic; with Nginx, add the header manually.
  • Child containers do not start. Often due to lack of RAM. Disable optional containers (Collabora, ClamAV, Talk) in the AIO interface and restart.
  • Master no longer controls children. Verify that /var/run/docker.sock is mounted and that Docker is running. Check docker logs nextcloud-aio-mastercontainer.
  • Master password lost. It is stored in the nextcloud_aio_mastercontainer volume. Without it or a backup, you will need to reset the instance.

Final Verification

# All AIO containers are running
docker ps --filter "name=nextcloud-aio"

# HTTP redirects to HTTPS
curl -sI http://cloud.example.com | head -1

# Nextcloud responds over HTTPS
curl -sI https://cloud.example.com | head -1

Connect the Nextcloud desktop client and mobile app to https://cloud.example.com, then configure CalDAV/CardDAV sync for your calendars and contacts. Your personal cloud is operational.

FAQ

Should I prefer Nextcloud AIO over the classic Docker image?

For the vast majority of cases, yes. AIO automates the orchestration of the database, cache, cron, backups, and updates, whereas the classic image requires assembling each brick manually. The classic image remains relevant if you want fine-grained control over each component or want to integrate Nextcloud into an existing Kubernetes stack.

How much RAM do I need?

Count on 4 GB of RAM for comfortable family use with a few optional containers. If you activate Collabora Office, Talk, and ClamAV antivirus simultaneously, aim for 6 to 8 GB. ClamAV alone can consume 1 GB at startup.

Can I host Nextcloud AIO behind an existing proxy like Traefik?

Yes. This is precisely the recommended mode here: AIO exposes Nextcloud on 127.0.0.1:11000 and your proxy handles TLS. With Traefik, add the usual labels pointing to this port. To compare reverse proxies, see Traefik vs Nginx Proxy Manager vs Caddy.

Do updates break the installation?

AIO is designed for safe, sequential updates via its interface. The main risk comes from major Nextcloud version jumps, which AIO applies progressively. Always run a Borg backup just before an update: in case of issues, restoration is immediate.

How do I migrate an existing Nextcloud to AIO?

Migration is not automatic because AIO imposes its own volume structure. The recommended method is to export your data and database from the old instance, deploy AIO fresh, then re-import user files and recreate accounts. For large volumes, test first on a staging server.

Is Nextcloud AIO suitable for professional use?

For a small team or SME, absolutely: it offers file versioning, granular sharing, the Collabora office suite, and Talk video conferencing. For hundreds of simultaneous users, a multi-server architecture with an external database and dedicated object storage becomes preferable to a single-server AIO deployment.

With Nextcloud AIO, you get a complete personal cloud without having to maintain a dozen containers manually. The built-in Borg backup and managed updates make it a truly “set and forget” solution for home or small teams. To not miss any Nextcloud security updates or new self-hosted tools, subscribe to our Telegram watch bot.
