Does NextCloud AiO need pub domain for just home use

Looking at the current instructions for installing Nextcloud (AiO) on Linux ( How to install the Nextcloud All-in-One on Linux - Nextcloud ), is it necessary to have a “public domain” and non-CGNAT setup even if it’s only for home usage (not to be accessed outside of the home network)? I can’t tell if the install is dependent on it.

Hi, see all-in-one/local-instance.md at main · nextcloud/all-in-one · GitHub

A “public domain” may also be a DynDNS domain.

With regard to CGNAT I can say a non AIO-Setup and non SNAP-Setup also works behind CGNAT with IPv6 only access from WAN. The ACME Let’s Encrypt-challenge does not need IPv4. In fact it prefers IPv6 over IPv4.

The ACME DNS challenge doesn’t require any access from the internet/WAN at all. :wink:

@bb77 You are so right. I meant the ACME Let’s Encrypt challenge to get and renew a certificate for https.

I’m very lazy when it comes to writing and often use copy and paste, and then I forgot to replace DNS with Let’s Encrypt.

I corrected it now. SORRY

Well, I do have a DynDNS address, so that could work for me as well.

But I was mainly looking at the AiO option to drop into OpenMediaVault. I’m not even sure if OMV is even necessary (I just want the file shares and a file backup host), but also want to have a Jellyfin server (or rather I’m looking to eventually replace my Fedora-based Jellyfin with something not tainted by RedHat).

I ran mine purely on local IP for a long time until I added an external IP+DNS for use when I was at the office. They started blocking VPN, so I published it to the internet to get around that.

Having static IP and my own domain name, no dyndns stuff needed in my case. But I don’t see why that would not work (as suggested above).

As mentioned by @zig, you can definitely use Nextcloud AiO within your local network. Nothing in the install forces it otherwise. Access is an external (to Nextcloud) issue so you just access it via a local IP.

My next question is why I should need an external DNS/IP connection at all. What is the system doing here? I would be running Nextcloud on my OpenMediaVault system, and I don’t want that visible/accessible outside of my house (nextcloud would not be the only thing running on the server; it will have my media, photos, backups, documents, etc.)

Currently I am just building a test install, but I don’t want to set up a NextCloud instance on OMV unless I know what it’s going to be doing (especially if I’m copying my actual files to it to try out).

First and foremost… NC was basically built to give ppl the safe chance to share stuff to the world (regardless if “The world” just means your parents or the whole www). It only shares the things YOU want to share exactly with the addresses you want to have that information. That means: you are in FULL control about everything that leaves your server. And since NC is also used by really big and professional players you can be sure that the software comes with a stable and sane built-in security (so you better keep up to date with your installation and make sure that you always run a supported version on your server - which means that you usually need to upgrade once/year at least).

So as you can be sure about this security point (quite bulletproof, of course) on the other hand you should be aware of the fact that it is possible to run NC without direct access to the outer world but that - at the same time - won’t give you any additional security regarding your data being safe from being stolen. Though this concept adds a lot more tinkering around, especially at the cost of security. And possibly it won’t run as flawlessly as the other way round. So if it comes to problems with your setup you can’t be sure that it’s not connected with your wish to use it only locally.

But of course you can run it locally. It just was never meant to do that. So you will be on an uncommon way to use NC.
I always like to add some car-image to make it clearer… so here we go: You can also fill up a diesel car with heating oil. It will probably run. But if you experience engine troubles, you’ll be on your own.

happy NC’ing


It doesn’t need an external connection, but it does need a valid/trusted TLS certificate. And you can only obtain such certificates for publicly registered domain names or public IP addresses, not for local RFC1918 addresses.

In theory, you could also run your own local Certificate Authority (CA), which would allow you to sign your own certificates. You could even set up your own ACME server so that Certbot or other ACME clients can automatically obtain those certificates, for example, in combination with a reverse proxy running in front of Nextcloud-AIO. See, for example: Run your own private CA & ACME server using step-ca

However, setting up all that is already quite a bit of effort. On top of that, you would also need to configure all clients to trust your CA’s root certificate, in other words, import it into the respective certificate stores on every device that should access your Nextcloud.

In comparison, it’s much easier to just register a domain and use Let’s Encrypt certificates, which are automatically trusted by all major OSs and browsers.

Note: This strict prerequisite of a trusted certificate is specific to Nextcloud-AIO. If you install Nextcloud manually, in theory you can still use local IP addresses with self-signed (“snakeoil”) certificates (or even run it without TLS / HTTP only). However, that comes with its own drawbacks, such as browser warnings and potential issues with certain mobile apps etc.

I’m thinking now that Nextcloud is more than I want to run, or isn’t the right tool. I didn’t so much care about the file sharing part (as OMV handles that) but wanting something for a local calendar & contacts sync, photo library, and the like. Something to pull all of that off of Google and Microsoft, while being able to keep it all in sync with family desktops, laptops, and mobile devices.

Perhaps what I need is OMV and Syncthing? I have Jellyfin for a media server. Maybe the one external function I’d want is a replacement for Google Docs (where I write all of my fiction), although I doubt some malicious party is going to steal my anime space-opera or fanfiction.

Whether it’s the right tool for you is a whole other discussion. :wink:

Fact is that in 2026, HTTPS is pretty much a must for all kinds of web applications. And if, for example, you want to host your own calendar server and use it on mobile devices, you’ll quickly run into issues with self-signed certificates, because mobile operating systems generally don’t like them. For example, as far as I know, the iOS Calendar app can only connect to servers with trusted certificates, i.e. there’s no longer any option to skip SSL checks.

So even with alternative solutions, you’ll find it increasingly difficult to avoid using trusted certificates.

Again, that’s a separate discussion, and ultimately only you can decide what you actually need. If you just want to synchronize files across all your devices, Syncthing is a good solution and definitely less complex than Nextcloud. However, it doesn’t offer the broader range of features that Nextcloud provides, such as calendars, contacts, and more.

well that was just the original idea behind owncloud/nextcloud. You don’t need to use that feature. But it set the logical base for everything else.
And it turned out to be well pre-planned since all the things you mentioned (calendar, contacts, photos) were planned on top and would need the same security-components if you want to use them productively like the first built-in sharing option.

And yeah, some ppl here do run a “local” Nextcloud. I don’t know why, tbh. It’ll cause you more trouble/clicks than if you would use it normally. And it doesn’t really give you more security than the common way. “Security through obscurity” never really helped anyone to be safer. It just causes more trouble.

so what are you really afraid of?

It’s the general idea that if you don’t need/use a functionality, don’t enable it. It’s one less component to give you trouble.

you can disable sharing in your NC, no problems.

Or use a tool that doesn’t provide that functionality in the first place. :wink:

But since we’re in the Nextcloud forums, a few more words about Nextcloud: it’s not really about making it publicly accessible, which, by the way, isn’t a requirement. Sharing can also be useful in a purely local setup, for example when sharing files, calendars, etc., with other users on the same instance.

The only strict requirement, which is specific to Nextcloud AIO, is that it needs a valid TLS certificate. And that, in turn, can only be obtained by using a publicly registered domain name. Or, if you really want to go all-in on a fully local setup, by running your own Certificate Authority along with a reverse proxy (or, if you want to get really fancy, you could also run your own ACME server, which should theoretically also work with AIO, although I’m not 100% sure).

However, I’d go with a publicly registered domain name, which makes things much easier. And no, that doesn’t mean your Nextcloud has to be exposed to the internet. For example, you could use the ACME DNS challenge, which doesn’t require opening any ports: https://github.com/nextcloud/all-in-one/blob/main/local-instance.md#3-use-the-acme-dns-challenge

This is becoming my impression, that Nextcloud is just overkill for what I want. Ever since the demise of the PalmPilot/PalmOS systems, I’ve wanted a basic replacement for them. All the old Palm hardware is slowly dying, as well as losing the operating system support for PalmSync, so that means browbeating Android and desktop systems to take on the functionality. I’m just having to remember not to get distracted by all the other add-ins and plugins available in a project and get back to the core of what I wanted in the first place.

So thanks for the help, but I need to re-think what I’m trying to do.