This repo holds the configuration files for my personal Nextcloud server running in Hetzner Cloud. It uses rootless Podman on top of CentOS Stream 9 running the following containers:
The containers run in a Podman pod and are managed as user-level Systemd service files.
- Ansible
- Terraform
- Hetzner Cloud account and API token
- Porkbun account and API token (for DNS)
- Tailscale account and auth key
- LibreNMS server for SNMP and syslog monitoring
- Borg repository for backups
The Terraform files in this repo will create a Hetzner Cloud server instance complete with an attached firewall and block storage volume. In addition, it will create a DNS "A" record in Porkbun that reflects the server's public IP address. After creation, the instance will be available via SSH at the domain name you specified in your `.tfvars` file.
- Create a `terraform.tfvars` file in the `terraform` directory. This should contain values for all variables defined in `vars.tf`.
- Create a `backend.s3.conf` file to initialize the S3 backend. This should contain values for `bucket`, `access_key`, and `secret_key`.
- Initialize the terraform folder:

  ```shell
  cd terraform
  terraform init -backend-config=backend.s3.conf
  ```

- Test with `terraform plan`.
- Run `terraform apply` when ready.
Once complete, you can SSH into the server as the user assigned to the `USER` variable in your `vars.tf`.
The Ansible playbook in this repo will perform the following tasks:
- Add relevant SSH keys
- Enable auto-updates for CentOS
- Install Tailscale and join the system to your Tailscale network
- Configure SNMP and rsyslog to send data to a LibreNMS server
- Install and configure Podman
- Add the Systemd service files for the Podman containers
- Configure the Caddy webserver
- Install and configure Borg for nightly backups
- Start the Nextcloud pod
The Ansible playbook in this repo makes use of Ansible Vault to store sensitive variables. Any variables in the `vars.yml` files that are set to an equivalent variable prefixed with `vault_` are configured in the accompanying `vault.yml` file.
- Set the non-vault variables in all `vars.yml` files.
- Set the variables in each `vault.yml` file:

  ```shell
  ansible-vault edit roles/nextcloud/vars/vault.yml
  ansible-vault edit roles/tailscale/vars/vault.yml
  ansible-vault edit roles/borgbackup/vars/vault.yml
  ```

- The playbook expects a host named "nextcloud-hetzner" in your inventory, so make sure to add/update it before running the playbook.
- Once your inventory is up-to-date and variables have been edited in all instances of `vars.yml` and `vault.yml`, run the playbook:

  ```shell
  ansible-playbook --vault-password-file=.vault_pass -i ~/.ansible/hosts --ask-become-pass playbook-nextcloud.yml
  ```
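As an added check that is not part of this repo, the script below applies the `vault_` convention described above: it confirms a committed `vault.yml` carries the ansible-vault header, reports `{{ vault_* }}` references in a `vars.yml` that a decrypted vault (for example the output of `ansible-vault view`) does not define, and flags secret-looking keys that are set to literal values instead of a vault reference. The sample file contents and the variable names in them are constructed for the example.

```python
import re

# Marker ansible-vault writes on the first line of every encrypted file.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# {{ vault_something }} references from vars.yml into vault.yml.
VAULT_REF = re.compile(r"\{\{\s*(vault_[A-Za-z0-9_]+)\s*\}\}")
# Top-level "key: value" lines (the flat layout these vars files use).
TOP_LEVEL = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(.*)$", re.MULTILINE)
# Key names that should only ever be filled from the vault (assumed list).
SECRET_LIKE = re.compile(r"(password|passwd|secret|token|api_key|auth_key|community)", re.I)


def is_encrypted(raw_vault_text: str) -> bool:
    """True when vault.yml, as committed, carries the ansible-vault header."""
    return raw_vault_text.startswith(VAULT_HEADER)


def missing_vault_vars(vars_text: str, decrypted_vault_text: str) -> set[str]:
    """vault_ names referenced from vars.yml that the decrypted vault does not define."""
    referenced = set(VAULT_REF.findall(vars_text))
    defined = {key for key, _ in TOP_LEVEL.findall(decrypted_vault_text)}
    return referenced - defined


def plaintext_secret_suspects(vars_text: str) -> list[str]:
    """Secret-looking keys whose value is a literal rather than a {{ vault_* }} reference."""
    suspects = []
    for key, value in TOP_LEVEL.findall(vars_text):
        if SECRET_LIKE.search(key) and not VAULT_REF.search(value):
            suspects.append(key)
    return suspects


# Constructed sample inputs (not files from the repo).
SAMPLE_VARS = """\
nextcloud_domain: cloud.example.com
nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"
snmp_community: public
"""
SAMPLE_VAULT_DECRYPTED = """\
vault_nextcloud_db_password: "constructed-placeholder"
"""
SAMPLE_VAULT_RAW = "$ANSIBLE_VAULT;1.1;AES256\n3031323334...\n"

if __name__ == "__main__":
    print("vault encrypted:", is_encrypted(SAMPLE_VAULT_RAW))
    print("missing in vault:", missing_vault_vars(SAMPLE_VARS, SAMPLE_VAULT_DECRYPTED))
    print("plaintext suspects:", plaintext_secret_suspects(SAMPLE_VARS))
```

Run it before committing: a missing `vault_` definition would otherwise surface only as an undefined-variable failure midway through the playbook.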
When the playbook finishes running, your Nextcloud server should be available at the domain name specified.
Once you've confirmed that the Nextcloud instance is up and running, add the following lines to `config/config.php` in your Nextcloud directory to optimize the instance and clear warnings:

```php
// Fix trusted proxy warning
'trusted_proxies' =>
array (
  0 => 'localhost',
),
// Set default phone region
'default_phone_region' => 'US',
// Speed up photo thumbnail generation and reduce size
'preview_max_x' => '2048',
'preview_max_y' => '2048',
'jpeg_quality' => '60',
```
- Preview Generator - Automatically generate thumbnail previews for photos on a scheduled basis, speeding up load times for previews.
- Two-Factor WebAuthn - Use a FIDO2 security key as a second factor.
- Tasks - Task management with CalDAV sync.
Backup is configured via the `borgbackup` Ansible role in the repo and uses the Borg and Borgmatic projects to back up the Nextcloud configuration, data directory, and MySQL database. This backup runs once daily.

Assuming you've set the variables in `roles/borgbackup/vars/vault.yml`, the only thing you'll need to do is add the generated SSH key to the `authorized_keys` file on the Borg server. Alternatively, if you use Borgbase, make sure you've added the key under SSH Keys and attached that key to the repo.
First, initialize the borg repositories:

```shell
sudo /root/.local/bin/borgmatic init -e repokey
```

To test the backup, run:

```shell
sudo /root/.local/bin/borgmatic
```