{"id":14155246,"url":"https://github.com/hoellen/docker-nextcloud","last_synced_at":"2025-08-06T01:30:52.937Z","repository":{"id":39971772,"uuid":"434591567","full_name":"hoellen/docker-nextcloud","owner":"hoellen","description":"All-in-one Nextcloud Docker image. Alpine-based, rootless and simple.","archived":false,"fork":false,"pushed_at":"2024-12-06T02:34:24.000Z","size":194,"stargazers_count":31,"open_issues_count":10,"forks_count":5,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-12-06T03:25:35.037Z","etag":null,"topics":["alpine","docker","nextcloud"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hoellen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-03T12:39:22.000Z","updated_at":"2024-12-06T02:31:14.000Z","dependencies_parsed_at":"2023-02-10T08:50:11.778Z","dependency_job_id":"1326b5e6-71ea-4797-8ac1-bf38713c6e8d","html_url":"https://github.com/hoellen/docker-nextcloud","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hoellen%2Fdocker-nextcloud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hoellen%2Fdocker-nextcloud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hoellen%2Fdocker-nextcloud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hoellen%2Fdocker-nextcloud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hoellen","download_url":"https://codeload.github.com/hoellen/docker-nextcloud/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228821400,"owners_count":17977165,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpine","docker","nextcloud"],"created_at":"2024-08-17T08:02:35.016Z","updated_at":"2025-08-06T01:30:52.924Z","avatar_url":"https://github.com/hoellen.png","language":"Dockerfile","funding_links":[],"categories":["docker"],"sub_categories":[],"readme":"# hoellen/nextcloud\n*The self-hosted productivity platform that keeps you in control.*\n\nNextcloud [official website](https://nextcloud.com/) and [source code](https://github.com/nextcloud).\n\n## About\nThis non-official image is intended as an **all-in-one** (as in monolithic) Nextcloud **production** image. If you're not sure you want this image, you should probably use [the official image](https://hub.docker.com/r/nextcloud). The main goal is to provide an easy-to-use image with decent security standards. This repository is mainly based on [Wondefall/docker-nextcloud](https://github.com/Wonderfall/docker-nextcloud). \n\nCheck out Nextcloud [official website](https://nextcloud.com/) and [source code](https://github.com/nextcloud).\n\n___\n\n* [Features](#features)\n* [Security](#security)\n* [Tags](#tags)\n* [Build-time variables](#build-time-variables)\n* [Environment variables](#environment-variables)\n  * [Runtime](#runtime)\n  * [Startup](#startup)\n* [Volumes](#volumes)\n* [Ports](#ports)\n* [Migration](#migration)\n* [Usage](#usage)\n\n## Features\n\n- Based on [Alpine Linux](https://alpinelinux.org/).\n- Fetching PHP/nginx from their official images.\n- **Rootless**: no privilege at any time, even at startup.\n- Uses [s6](https://skarnet.org/software/s6/) as a lightweight process supervisor.\n- Supports MySQL/MariaDB, PostgresQL and SQLite3 database backends.\n- Includes OPcache and APCu for improved caching \u0026 performance, also supports redis.\n- Tarball integrity \u0026 authenticity checked during build process.\n- Includes **hardened_malloc**, [a hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc).\n- Includes **Snuffleupagus**, [a PHP security module](https://github.com/jvoisin/snuffleupagus).\n- Includes a simple **built-in cron** system.\n- Much easier to maintain thanks to multi-stages build.\n- Does not include imagick, samba, etc. by default.\n\nYou're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs.\n\n## Security\n\nDon't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself.\n\n- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. \n- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.\n- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.\n- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.\n- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental \"keyless\" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:\n\n```\nCOSIGN_EXPERIMENTAL=true cosign verify ghcr.io/hoellen/nextcloud\n```\n\nVerifying the signature isn't a requirement, and might not be as seamless as using *Docker Content Trust* (which is not supported by GitHub's OCI registry). However, it's strongly recommended to do so in a sensitive environment to ensure the authenticity of the images and further limit the risk of supply chain attacks.\n\n## Tags\n\n- `latest` : latest Nextcloud version\n- `x` : latest Nextcloud x.x (e.g. `31`)\n- `x.x.x` : Nextcloud x.x.x (e.g. `31.0.0`)\n\nYou can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).\nOnly the **latest stable version** will be maintained by myself.\n\n*Note: automated builds only target `linux/amd64` (x86_64). There is no technical reason preventing the image to be built for `arm64` (in fact you can build it yourself), but GitHub Actions runners are limited in memory, and this limit makes it currently impossible to target both platforms.*\n\n## Build-time variables\n\n|          Variable           |               Description              |       Default      |\n| --------------------------- | -------------------------------------- | ------------------ |\n| **NEXTCLOUD_VERSION**       | version of Nextcloud                   |          *         |\n| **ALPINE_VERSION**          | version of Alpine Linux                |          *         |\n| **PHP_VERSION**             | version of PHP                         |          *         |\n| **NGINX_VERSION**           | version of nginx                       |          *         |\n| **HARDENED_MALLOC_VERSION** | version of hardened_malloc             |          *         |\n| **SNUFFLEUPAGUS_VERSION**   | version of Snuffleupagus (php ext)     |          *         |\n| **SHA256_SUM**              | checksum of Nextcloud tarball (sha256) |           *        |\n| **GPG_FINGERPRINT**         | fingerprint of Nextcloud GPG key       |           *        |\n| **UID**                     | user id                                |        1000        |\n| **GID**                     | group id                               |        1000        |\n| **CONFIG_NATIVE**           | native code for hardened_malloc        |        false       |\n| **VARIANT**                 | variant of hardened_malloc (see repo)  |        light       |\n\n*\\* latest known available, likely to change regularly*\n\nFor convenience they were put at [the very top of the Dockerfile](https://github.com/Wonderfall/docker-nextcloud/blob/main/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself. If you intend to change `NEXTCLOUD_VERSION`, change `SHA256_SUM` accordingly.\n\n## Environment variables\n\n### Runtime\n\n|          Variable         |         Description         |       Default      |\n| ------------------------- | --------------------------- | ------------------ |\n|     **UPLOAD_MAX_SIZE**   | file upload maximum size    |         10G        |\n|      **APC_SHM_SIZE**     | apc shared memory size      |         128M       |\n|    **OPCACHE_MEM_SIZE**   | opcache available memory    |         128M       |\n|      **MEMORY_LIMIT**     | max php command mem usage   |         512M       |\n|       **CRON_PERIOD**     | cron time interval (min.)   |         5m         |\n|   **CRON_MEMORY_LIMIT**   | cron max memory usage       |         1G         |\n|         **DB_TYPE**       | sqlite3, mysql, pgsql       |       sqlite3      |\n|         **DOMAIN**        | host domain                 |      localhost     |\n|      **PHP_HARDENING**    | enables snuffleupagus       |        true        |\n\nLeave them at default if you're not sure what you're doing.\n\n### Startup\n\n|          Variable         |         Description         | \n| ------------------------- | --------------------------- |\n|        **ADMIN_USER**     | admin username              |\n|      **ADMIN_PASSWORD**   | admin password              |\n|         **DB_TYPE**       | sqlite3, mysql, pgsql       |\n|         **DB_NAME**       | name of the database        |\n|         **DB_USER**       | name of the database user   |\n|       **DB_PASSWORD**     | password of the db user     |\n|         **DB_HOST**       | database host               |\n\n`ADMIN_USER` and `ADMIN_PASSWORD` are optional and mainly for niche purposes. Obviously, avoid clear text passwords. Once `setup.sh` has run for the first time, these variables can be removed. You should then edit `/nextcloud/config/config.php` directly if you want to change something in your configuration.\n\nThe usage of [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) will be considered in the future, but `config.php` already covers quite a lot.\n\n## Volumes\n\n|          Variable            |         Description        |\n| -------------------------    | -------------------------- |\n| **/data**                    |         data files         |\n| **/nextcloud/config**        |        config files        |\n| **/nextcloud/apps2**         |       3rd-party apps       |\n| **/nextcloud/themes**        |        custom themes       |\n| **/php/session**             |      PHP session files     |\n\n*Note: mounting `/php/session` isn't required but could be desirable in some circumstances.*\n\n## Ports\n\n|              Port            |            Use             |\n| -------------------------    | -------------------------- |\n| **8888** (tcp)               |       Nextcloud web        |\n\nA reverse proxy like [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/) can be used, and you should consider:\n- Redirecting all HTTP traffic to HTTPS\n- Setting the [HSTS header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) correctly\n\n## Migration\n\nFrom now on you'll need to make sure all volumes have proper permissions. The default UID/GID is now 1000, so you'll need to build the image yourself if you want to change that, or you can just change the actual permissions of the volumes using `chown -R 1000:1000`. The flexibility provided by the legacy image came at some cost (performance \u0026 security), therefore this feature won't be provided anymore.\n\nOther changes that should be reflected in your configuration files:\n- `/config` volume is now `/nextcloud/config`\n- `/apps2` volume is now `/nextcloud/apps2`\n- `ghcr.io/hoellen/nextcloud` is the new image location\n\nYou should edit your `docker-compose.yml` and `config.php` accordingly.\n\n## Usage\n\n*To do.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhoellen%2Fdocker-nextcloud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhoellen%2Fdocker-nextcloud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhoellen%2Fdocker-nextcloud/lists"}