What it is
Nextcloud is a self-hosted file storage and sync platform. Files in a folder on my workstation are automatically mirrored to the Nextcloud server, which means they're accessible from any other device (web UI, mobile app, sync client on another machine) and survive my workstation dying.
Why I run it
Two specific jobs:
- Cross-device file sync that doesn't go through Dropbox or Drive. Same workflow, different storage.
- Obsidian vault sync. My homelab notes (including the source material for everything in this catalog) live in a Nextcloud-synced folder. When I write a note on the workstation, it's on the laptop and the phone within seconds, all without involving anyone else's servers.
The Obsidian sync alone justifies the install. Obsidian has an official sync service; I'd rather pay for it with disk space on my own hardware.
How I use it
The desktop sync client runs on every machine I use, pointed at the same account. Files in the sync folder are bidirectionally mirrored. The mobile app handles photos-on-the-go (although Immich is the photo-primary tool — Nextcloud is more for documents).
I don't expose this externally. Sync clients connect over the LAN at home and over Tailscale when remote.
Setup notes
- Host: an Alpine LXC on the laptop node, with the Nextcloud data directory on the node's 1 TB NVMe.
- Reverse proxy: yes, and Nextcloud is the trickiest service to put behind a proxy because it has its own trust list and proxy-awareness settings that all have to agree.
  Four layers have to line up:
  - DNS rewrite for the hostname (handled by the AdGuard wildcard).
  - NPM proxy host with proxy_ssl_verify off, client_max_body_size 10G, and the standard proxy_request_buffering off / proxy_buffering off for large uploads.
  - The hostname added to Nextcloud's trusted_domains list (via occ config:system:set).
  - The overwritehost, overwriteprotocol, overwrite.cli.url, and trusted_proxies keys set so Nextcloud generates correct URLs for shared links.
  Forget any one of these and you get a different failure mode (502, "Access through untrusted domain," redirect loop to the raw IP, broken CSS).
- Alpine quirk: no sudo. The standard "run as the nextcloud user" pattern uses su -s /bin/sh nextcloud -c "..." instead.
- Backups: PBS captures the LXC. The data directory is large but inside the rootfs/data mount so it rides along.
- Update cadence: manual, careful — Nextcloud is the kind of software where major-version upgrades benefit from reading the migration notes.
Runbook
- Healthy looks like: web UI loads, sync clients on the workstation and laptop show "synced," recent file changes propagate within seconds.
- 502 Bad Gateway: NPM can't reach the upstream. Check the LXC is running and port 443 is responsive.
- "Access through untrusted domain": hostname missing from trusted_domains. Add it via occ config:system:set trusted_domains <N> --value=<hostname>.
- Redirect to the raw LXC IP: the overwrite* settings aren't set. All four (overwritehost, overwriteprotocol, overwrite.cli.url, trusted_proxies) need values that match how you're accessing the service.
- CSS/JS broken on the page: overwriteprotocol is set to https but you're accessing over http (or vice versa). Match it to the actual scheme.
- Apps page hangs: an upstream issue I've hit and don't have a clean fix for. The occ CLI works for managing apps when the UI doesn't.
- Where logs live: data/nextcloud.log in the data directory, the admin → logging view in the UI.
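
An added example, not part of the original notes: a Python check that reads the JSON printed by occ config:list system and reports which Nextcloud-side settings from the setup notes disagree with the hostname, scheme and proxy address in use, with symptom hints taken from the runbook above. The hostname and addresses are constructed placeholders; the width check on trusted_proxies is an addition, included because Nextcloud accepts forwarded client-address headers from every address listed there.

```python
import ipaddress
import json

# Constructed sample of `occ config:list system` output; the hostname and
# addresses are placeholders, not values from the page.
SAMPLE = json.loads("""
{"system": {
  "trusted_domains": {"0": "localhost", "2": "192.0.2.10"},
  "overwriteprotocol": "http",
  "overwrite.cli.url": "https://cloud.home.example",
  "trusted_proxies": ["192.0.2.0/24"]
}}
""")

def as_list(value):
    # PHP arrays with non-sequential indexes are emitted as JSON objects.
    return list(value.values()) if isinstance(value, dict) else list(value or [])

def audit(config, hostname, scheme, proxy_ip):
    """Return (key, problem, likely symptom) for each setting that disagrees."""
    conf = config.get("system", config)
    findings = []
    if hostname not in as_list(conf.get("trusted_domains")):
        findings.append(("trusted_domains", f"{hostname} missing",
                         "Access through untrusted domain"))
    expected = {"overwritehost": hostname, "overwriteprotocol": scheme,
                "overwrite.cli.url": f"{scheme}://{hostname}"}
    for key, want in expected.items():
        got = conf.get(key)
        if got is None:
            findings.append((key, "not set", "redirect to the raw IP"))
        elif str(got).rstrip("/") != want:
            findings.append((key, f"{got!r}, expected {want!r}",
                             "broken CSS/JS or wrong link URLs"))
    proxy = ipaddress.ip_address(proxy_ip)
    nets = [ipaddress.ip_network(p, strict=False)
            for p in as_list(conf.get("trusted_proxies"))]
    if not any(proxy in n for n in nets):
        findings.append(("trusted_proxies", f"{proxy_ip} not covered",
                         "redirect to the raw IP"))
    # Every listed address may supply forwarded headers, so flag entries
    # that cover more than a single host.
    for n in nets:
        if n.num_addresses > 1:
            findings.append(("trusted_proxies", f"{n} covers more than one host",
                             "forwarded headers accepted from extra hosts"))
    return findings

if __name__ == "__main__":
    for key, problem, symptom in audit(SAMPLE, "cloud.home.example", "https", "192.0.2.20"):
        print(f"{key}: {problem} -> {symptom}")
```
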