Nextcloud on Opalstack

HOWTO install Nextcloud on Opalstack

  1. In your Opalstack dashboard create a new "Nginx Proxy Port" application and attach it to a site with Let's Encrypt enabled on the site. Make a note of the app's name and port assignment, and the site domain.

  2. In your Opalstack dashboard create a new MariaDB database and user. Make a note of the DB name, DB user name, and password.

  3. SSH to your app's shell user and run the following commands:

    cd ~/apps/appname
    git clone -b opalstack
    cd userspace-fpm-installer
  4. In the ~/apps/appname/userspace-fpm-installer directory edit config to resemble the following, replacing the app name, port assignment, and domain with your own:

  5. Still in the ~/apps/appname/userspace-fpm-installer directory execute the following command. This will set up the config and control scripts for a private Nginx+PHP-FPM stack:

  6. Edit ~/apps/appname/server/conf/nginx.conf to resemble the following, replacing the shell user name, app name, port assignment, and domain with your own:

    pid /home/shelluser/apps/appname/server/var/run/;
    error_log /home/shelluser/apps/appname/server/log/nginx_nc_error.log;
    events {}
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        client_body_temp_path /home/shelluser/apps/appname/server/tmp/client_body;
        fastcgi_temp_path     /home/shelluser/apps/appname/server/tmp/fastcgi_temp;
        proxy_temp_path       /home/shelluser/apps/appname/server/tmp/proxy_temp;
        scgi_temp_path        /home/shelluser/apps/appname/server/tmp/scgi_temp;
        uwsgi_temp_path       /home/shelluser/apps/appname/server/tmp/uwsgi_temp;
        log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
        access_log /home/shelluser/apps/appname/server/log/nginx_nc_access.log main;
        server {
            listen 55555;
            port_in_redirect off;
            # set max upload size
            client_max_body_size 512M;
            fastcgi_buffers 64 4K;
            # Enable gzip but do not remove ETag headers
            gzip on;
            gzip_vary on;
            gzip_comp_level 4;
            gzip_min_length 256;
            gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
            gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/ application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
            # HTTP response headers borrowed from Nextcloud `.htaccess`
            add_header Referrer-Policy                      "no-referrer"      always;
            add_header X-Content-Type-Options               "nosniff"          always;
            add_header X-Download-Options                   "noopen"           always;
            add_header X-Frame-Options                      "SAMEORIGIN"       always;
            add_header X-Permitted-Cross-Domain-Policies    "none"             always;
            add_header X-Robots-Tag                         "none"             always;
            add_header X-XSS-Protection                     "1; mode=block"    always;
            add_header Strict-Transport-Security            "max-age=15552000" always;
            # Remove X-Powered-By, which is an information leak
            fastcgi_hide_header X-Powered-By;
            # Path to the root of your installation
            root /home/shelluser/apps/appname/nextcloud;
            index index.php index.html /index.php$request_uri;
            location = / {
                if ( $http_user_agent ~ ^DavClnt ) {
                    return 302 /remote.php/webdav/$is_args$args;
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            location ^~ /.well-known {
                location = /.well-known/carddav     { return 301 https://$server_name/remote.php/dav; }
                location = /.well-known/caldav      { return 301 https://$server_name/remote.php/dav; }
                location ^~ /.well-known            { return 301 https://$server_name/index.php$uri; }
                try_files $uri $uri/ =404;
            location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
            location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
            location ~ \.php(?:$|/) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                set $path_info $fastcgi_path_info;
                try_files $fastcgi_script_name =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
                fastcgi_param front_controller_active true;     # Enable pretty urls
                fastcgi_pass unix:/home/shelluser/apps/appname/server/var/run/php-fpm.sock;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            location ~ \.(?:css|js|svg|gif)$ {
                try_files $uri /index.php$request_uri;
                expires 6M;         # Cache-Control policy borrowed from `.htaccess`
                access_log off;     # Optional: Don't log access to assets
            location ~ \.woff2?$ {
                try_files $uri /index.php$request_uri;
                expires 7d;         # Cache-Control policy borrowed from `.htaccess`
                access_log off;     # Optional: Don't log access to assets
            location / {
                try_files $uri $uri/ /index.php$request_uri;
  7. Execute the following commands to download Nextcloud:

    wget wget
    tar -jxf nextcloud-24.0.4.tar.bz2
  8. Restart the stack: ~/apps/appname/server/bin/restart

  9. Visit the site you created in step 1 - the Nextcloud installation wizard will guide you through the rest of the setup.

Dear Sean,
very helpful instructions. I do get "403 Forbidden" after logging in. (it tries to go to "").
do you have any hint on how to overcome this?
Thank you

stephan0h commented May 3, 2022

Worked like a charm. Just one thing: where can I tweak php settings? Need to increase memory limit to 512M with 23.0.4.

Worked like a charm. Just one thing: where can I tweak php settings? Need to increase memory limit to 512M with 23.0.4.

  1. Add the following to server/etc/php-fpm.conf just below [www]:

     env[PHP_INI_SCAN_DIR] = /home/shelluser/apps/appname/nextcloud/
  2. Create /home/shelluser/apps/appname/nextcloud/.user.ini with the PHP config you want.

  3. Restart the stack.

@dreamerworks apologies for missing your question 6 months ago! I'd have to have a look at your config to be able to troubleshoot it, feel free to email Opalstack support if it's still an issue.

Worked like a charm. Just one thing: where can I tweak php settings? Need to increase memory limit to 512M with 23.0.4.

1. Add the following to `server/etc/php-fpm.conf` just below `[www]`:
    env[PHP_INI_SCAN_DIR] = /home/shelluser/apps/appname/nextcloud/

2. Create `/home/shelluser/apps/appname/nextcloud/.user.ini` with the PHP config you want.

3. Restart the stack.

Thanks a lot!

@defulmere Well I sort it out back then. Honestly don't remember how it got solved.
Thanks for asking.

Updated to use latest Nextcloud and PHP 8, plus a couple of tweaks to the Nginx config to solve some errors that were appearing in the NC admin overview.

defulmere commented Aug 23, 2022

Updated to use correct scheme for redirects on caldav/cardav URLs.

