Nextcloud is the open-source alternative to Dropbox, Google Workspace, and Microsoft 365 rolled together. Self-hosting it means your files, calendars, contacts, and notes live on infrastructure you control. The catch: self-hosting also means you're now the security team. This checklist covers what you need to configure, monitor, and back up to keep a self-hosted Nextcloud safe.
Server fundamentals
Before Nextcloud-specific concerns, the underlying VPS needs to be hardened:
- SSH key auth only. Disable password login with `PasswordAuthentication no` in `/etc/ssh/sshd_config`. If you absolutely need password fallback, use 2FA via the Google Authenticator PAM module.
- Non-root SSH user. Create an unprivileged user, give them sudo, and disable direct root SSH with `PermitRootLogin no`.
- UFW firewall, default deny. Allow only 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS). Block everything else.
- Automatic security updates. `sudo apt install unattended-upgrades` with the security-only repo enabled.
- Fail2ban for SSH. Default config bans IPs after 5 failed attempts for 10 minutes — sufficient for residential brute-force.
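A quick way to confirm the two sshd settings above are actually in effect, as an added example (not part of the original post). It assumes the usual `Keyword value` form and reads only the global section of the file, since sshd uses the first occurrence of a keyword and anything after a `Match` line applies only to matching connections; the sample file at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read the value sshd will actually
# use for a keyword and audit the two checklist settings. Assumes the usual
# "Keyword value" form (not "Keyword=value") and reads only the global section:
# sshd uses the FIRST occurrence of a keyword, and settings after a Match line
# apply only to matching connections.

# sshd_effective FILE KEYWORD: print the effective value, or nothing if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == key     { print $2; exit }       # first occurrence wins
    ' "$1"
}

# sshd_audit FILE: exit 0 if both checklist settings are in effect, else 1.
# An unset keyword falls back to sshd's compiled-in default (PasswordAuthentication
# yes, PermitRootLogin prohibit-password), so "unset" counts as a failure here.
sshd_audit() {
    rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample for a stand-alone run; on a real host pass /etc/ssh/sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PasswordAuthentication no   <- commented out, so it does not count
PermitRootLogin no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
EOF
if sshd_audit "$sample"; then echo "sshd hardened"; else echo "fix sshd_config before exposing port 22"; fi
rm -f "$sample"
```

The sample deliberately fails: the global `PasswordAuthentication yes` wins, and the `no` under `Match User deploy` only applies to that user.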
Web server configuration
Use Nginx with the Mozilla SSL config generator's "modern" profile. Specifics:
- TLS 1.2+ only. Disable SSLv3, TLS 1.0, and TLS 1.1: `ssl_protocols TLSv1.2 TLSv1.3;`
- HSTS with preload: `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";`
- HTTP redirect to HTTPS. Always 301 to HTTPS; never serve content over plain HTTP.
- Strong cipher suites. Use ECDHE-ECDSA or ECDHE-RSA with AES-GCM or ChaCha20-Poly1305.
- Certificate from Let's Encrypt with auto-renewal via certbot. Set up a systemd timer to test renewal weekly.
Nextcloud application security
Strong admin password. 20+ characters, generated. Don't reuse from anywhere else. Store in a password manager (Bitwarden if self-hosted on the same VPS, or a separate vault).
2FA mandatory for admin accounts. Enable the TOTP app, require it for the admin user, and ideally for all users. The Two-Factor TOTP Provider app is built-in.
Disable unused apps. By default, Nextcloud ships with apps you may not need (Talk, Mail, Calendar). Each enabled app increases attack surface. Disable everything you don't actively use.
Configure Brute Force Protection. Built into Nextcloud, but verify in Settings → Security that it's active. After several failed logins from an IP, the IP is throttled.
Set 'overwrite.cli.url' in config.php to your full HTTPS URL. Misconfigured trusted proxies and base URLs can cause Nextcloud to generate links that bypass your TLS reverse proxy.
Configure trusted domains in config.php. List only the domains you actually serve from. This prevents host header injection attacks.
Database hardening
Run PostgreSQL or MariaDB locally on the same VPS (more secure than a network-exposed DB). Configure:
- Listen on localhost only (`bind-address = 127.0.0.1`).
- Strong, randomly generated DB password (different from the Nextcloud admin password).
- Disable unused database users.
- Enable slow-query log to detect anomalous query patterns.
Encryption at rest
Nextcloud has a server-side encryption module that encrypts files on disk. Worth enabling, with caveats:
- Pro: if your VPS is compromised at the filesystem level (e.g., a stolen NVMe), files are unreadable.
- Con: the encryption keys live on the same server, so a memory-resident attacker can still read files. Encryption at rest defends against offline attacks, not online ones.
- Con: server-side encryption breaks file-level deduplication and complicates disaster recovery (lose the keys, lose the data).
For most threat models, full-disk encryption (LUKS) of the underlying VPS is more useful than Nextcloud's app-level encryption — your VPS provider should offer this. FranceVPS supports LUKS-encrypted volumes; ask support for the workflow.
External storage and end-to-end encryption
If users want to share files with end-to-end encryption (E2EE) — meaning even server admins can't read them — Nextcloud has the End-to-End Encryption app. It requires client-side support (mobile apps and desktop clients), and significantly limits server-side functionality (no preview generation, no full-text search). Use it for the most sensitive folders only, not by default.
Backups, properly
The 3-2-1 rule applies: three copies, on two different media, one off-site.
- Copy 1: the live data on your Nextcloud VPS
- Copy 2: daily snapshots on the same provider, different region (FranceVPS lets you snapshot to Marseille while running in Paris)
- Copy 3: weekly off-site backup to a different provider entirely (Hetzner Storage Box, Backblaze B2, or another sovereign provider)
Critical: backups must include the database AND the data directory AND config/config.php. Missing any one of these means the restore won't work.
Test restores quarterly. An untested backup is theater.
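The "all three parts or the restore fails" rule, as an added example (not part of the original post): one function bundles the database dump, the data directory and config/config.php into a single archive, and a second refuses to accept an archive that is missing any of them. The install layout and dump below are constructed; on a real host take the dump with pg_dump or mysqldump while `php occ maintenance:mode --on` holds writes, then call `nextcloud_bundle`.

```shell
#!/bin/sh
# Added example, not from the original post: bundle the three things a restore
# needs (database dump, data directory, config/config.php) and verify a bundle
# before trusting it. The sample install below is constructed; on a real host
# produce the dump with pg_dump/mysqldump under "php occ maintenance:mode --on".

# nextcloud_bundle NCDIR DATADIR DUMPFILE OUTFILE
# NCDIR holds config/config.php; DATADIR is the Nextcloud data directory.
nextcloud_bundle() {
    ncdir=$1; datadir=$2; dump=$3; out=$4
    tar -czf "$out" \
        -C "$ncdir" config/config.php \
        -C "$(dirname "$datadir")" "$(basename "$datadir")" \
        -C "$(dirname "$dump")" "$(basename "$dump")"
}

# backup_is_complete ARCHIVE DATANAME (DATANAME = basename of the data directory)
# Exit 0 only if all three parts are present; names each missing part otherwise.
backup_is_complete() {
    listing=$(tar -tzf "$1" 2>/dev/null) || { echo "unreadable archive $1"; return 1; }
    rc=0
    printf '%s\n' "$listing" | grep -q 'config/config\.php$' || { echo "missing config/config.php"; rc=1; }
    printf '%s\n' "$listing" | grep -q '\.sql$'              || { echo "missing database dump";     rc=1; }
    printf '%s\n' "$listing" | grep -q "^$2/."               || { echo "missing data directory";    rc=1; }
    return $rc
}

# Constructed sample install for a stand-alone run.
root=$(mktemp -d)
mkdir -p "$root/nextcloud/config" "$root/data/alice/files"
echo "<?php \$CONFIG = array('instanceid' => 'demo');" > "$root/nextcloud/config/config.php"
echo "hello" > "$root/data/alice/files/notes.txt"
echo "-- constructed dump" > "$root/nextcloud-db.sql"

nextcloud_bundle "$root/nextcloud" "$root/data" "$root/nextcloud-db.sql" "$root/full.tar.gz"
backup_is_complete "$root/full.tar.gz" data && echo "full.tar.gz: restorable"

# A bundle that forgot the dump: data plus config alone will not restore.
tar -czf "$root/partial.tar.gz" -C "$root/nextcloud" config/config.php -C "$root" data
backup_is_complete "$root/partial.tar.gz" data || echo "partial.tar.gz: do not rely on it"
rm -rf "$root"
```

Run `backup_is_complete` against every archive before it is shipped off-site; a restore drill still needs to actually unpack it and start Nextcloud against it.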
Monitoring and detection
You want to know if something's wrong before users do. Minimum viable monitoring:
- Uptime check from external service (Uptime Kuma, Healthchecks.io, UptimeRobot).
- Disk space alert at 80%. Nextcloud silently breaks when disk is full.
- Failed login alerts via Nextcloud's built-in security dashboard.
- Slow query alerts from your database — sudden slow queries often indicate something's wrong (table bloat, missing index, attack).
- Certificate expiration alert 30 days before — Let's Encrypt certs renew automatically, but if renewal breaks, you find out fast.
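Three of the checks above as shell functions a cron job or external monitor can call, as an added example (not part of the original post). It assumes Nextcloud's one-JSON-object-per-line log (nextcloud.log in the data directory), whose failed-login message has the form `Login failed: 'user' (Remote IP: 'addr')`, and a PEM certificate on disk; the log lines below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: disk, failed-login and certificate
# checks as functions for a cron job or external monitor. Assumes Nextcloud's
# one-JSON-object-per-line nextcloud.log and a PEM certificate on disk; the
# sample log lines below are constructed.

# disk_used_pct PATH: percentage used on the filesystem holding PATH.
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# disk_alert USED LIMIT: exit 0 (alert) once USED has reached LIMIT percent.
disk_alert() { [ "$1" -ge "$2" ]; }

# failed_logins_by_ip LOGFILE: "count ip" per source address, busiest first.
# Nextcloud logs each failure as  Login failed: 'user' (Remote IP: 'addr')
failed_logins_by_ip() {
    grep -o "Login failed: '[^']*' (Remote IP: '[^']*')" "$1" \
        | sed "s/.*Remote IP: '\([^']*\)').*/\1/" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# failed_login_alert LOGFILE LIMIT: exit 0 (alert) if one IP has LIMIT+ failures.
failed_login_alert() {
    top=$(failed_logins_by_ip "$1" | head -n 1 | cut -d' ' -f1)
    [ "${top:-0}" -ge "$2" ]
}

# cert_expiry_alert PEMFILE DAYS: exit 0 (alert) if the cert expires within DAYS.
cert_expiry_alert() {
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Constructed sample log for a stand-alone run.
log=$(mktemp)
cat > "$log" <<'EOF'
{"reqId":"r1","level":2,"remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r2","level":2,"remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"reqId":"r3","level":1,"remoteAddr":"198.51.100.2","app":"core","message":"Login successful"}
{"reqId":"r4","level":2,"remoteAddr":"198.51.100.2","app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.2')"}
EOF
failed_logins_by_ip "$log"
failed_login_alert "$log" 2 && echo "ALERT: repeated failed logins from one IP"
disk_alert "$(disk_used_pct /)" 80 && echo "ALERT: root filesystem at or above 80%"
rm -f "$log"
```

For the certificate check, point `cert_expiry_alert` at Let's Encrypt's live fullchain.pem with 30 as the day count; an alert there means certbot's renewal has been failing for weeks.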
Update discipline
Nextcloud releases roughly monthly, with security patches flowing in faster. Don't run versions more than 2 minor versions behind current. The update path within a major version (e.g., 28.x → 28.y) is generally smooth via the built-in updater. Major version upgrades (e.g., 28 → 29) can be more disruptive — read the release notes, test on a staging VPS first.
Auto-updates via the built-in updater are off by default. We recommend leaving them off and updating manually after reading release notes — automatic updates have caused enough community drama over the years that the tradeoff isn't obviously favorable.
The reality check
Self-hosting Nextcloud is meaningful security work — measured in hours per month, not minutes. If you're not willing to put in that time, the honest recommendation is to use a managed Nextcloud provider (yes, those exist) or to rent space from a hosted Nextcloud service. Self-hosting badly is worse than using a managed service.
Self-hosting well, however, gives you complete data sovereignty, the ability to scale to your needs, and operational independence from any vendor. For organizations and individuals who care about that — and have the time — it's one of the highest-leverage software stacks you can run.