Pulumi Code and Ansible Playbook for Nextcloud deployment (bare-metal + minimal Docker) — v3.2 released

Nextcloud AIO BIB — All-in-One But-in-Big

Ansible Playbook for Nextcloud deployment + Pulumi-based cloud provisioning

Hey everyone 👋

I’d like to announce the release of v3.0 of my Ansible playbook for deploying Nextcloud — primarily on bare metal, without the all-in-one Docker approach.

Repository: https://github.com/ReinerNippes/nextcloud (Ansible playbook to install nextcloud, php, nginx or apache, mariadb or postgres, redis-server, onlyoffice or collabora office)

What is this?

An Ansible playbook (with optional Pulumi-based cloud provisioning) that installs a full Nextcloud stack directly on bare metal or VMs. The core components — Nextcloud, PHP, database, Redis, webserver — all run natively on the host. Some companion services (Nextcloud Office/Collabora, OnlyOffice, Talk Recording) run in containers, and more may follow where it makes sense.

The playbook sets up:

  • Nextcloud (latest)

  • nginx or Apache

  • PHP (current recommended version)

  • PostgreSQL or MariaDB

  • Redis (or Valkey on RHEL-based systems)

  • Let’s Encrypt via acme.sh (or self-signed certs)

  • Nextcloud Talk with High Performance Backend (HPB)

  • Nextcloud Office (Collabora) 🐳

  • OnlyOffice 🐳

  • Talk Recording 🐳

  • Fulltextsearch with Elasticsearch

  • Notify Push

  • ExApps (HaPR Daemon) 🐳

  • Restic Backup

🐳 = runs in a container

Ready to log in in less than 20 minutes.

Why this approach?

There are great fully containerized solutions out there (Nextcloud AIO, etc.), but some of us prefer or need the core stack running natively — for performance, compliance, full control, or because that’s how our infrastructure works. Where upstream only provides container images (Office suites, recording), this playbook uses Docker for those specific services.

Back after 6 years

Some of you may remember the original version of this playbook. After a 6-year pause, I’ve completely overhauled it and brought everything up to current standards:

  • Support for Ubuntu 24.04, Debian 12/13, CentOS 10, AlmaLinux 10, RockyLinux 10

  • Modern PHP, PostgreSQL, and Nextcloud versions

  • Reworked roles for Talk, OnlyOffice, Nextcloud Office, Fulltextsearch, and more

  • Added Pulumi-based cloud provisioning for Hetzner and Scaleway (infrastructure-as-code)

  • Multi-server support (dedicated coturn, signaling, OnlyOffice servers)

  • Performance tuning playbook included

What’s next

I’m actively working on adding:

  • 🔲 Whiteboard integration

  • 🔲 CrowdSec for intrusion prevention

  • 🔲 S3 primary storage support

  • 🔲 SMTP relay server setup

  • 🔲 Additional cloud providers (AWS, DigitalOcean, …)

Feature requests are very welcome! Open an issue on GitHub or reply here.

Documentation

The repository includes detailed documentation for each component:

GitHub: https://github.com/ReinerNippes/nextcloud (Ansible playbook to install nextcloud, php, nginx or apache, mariadb or postgres, redis-server, onlyoffice or collabora office)


Happy Self-Hosting! 🚀

v3.1 and v3.2 are out — here’s what’s new 🚀

Since the v3.0 announcement, two more releases have landed. Here’s a quick overview:

v3.1

The big theme was modularity and broader OS support:

  • Whiteboard role — Excalidraw-based collaborative whiteboard (Docker + reverse proxy), collocated or dedicated server

  • Office co-hosting refactor — nextcloudoffice and onlyoffice roles now support both collocated and dedicated modes with auto-detection

  • Nextcloud role split — the monolithic nextcloud role is now split into nextcloud_prepare, nextcloud_install, and nextcloud_app for better maintainability

  • Custom Ansible collection (reinernippes.nextcloud) — all raw php occ calls replaced with idempotent typed modules (occ_app, occ_config_system, occ_user, …)

  • openSUSE Leap 16 support — full coverage across all roles including Valkey (Redis fork), PHP packages, and Apache

  • New firewall role — disables firewalld on openSUSE; placeholder for future per-server port management

  • Elasticsearch upgraded 7 → 9, various Redis/Valkey config fixes, TLS cert provisioning for office/whiteboard hosts

v3.2

Focus shifted to infrastructure maturity — dedicated/managed services and cloud provisioning:

  • Euro-Office Document Server — new eurooffice role for the OnlyOffice-compatible Euro-Office suite, mirroring the onlyoffice architecture. Tested on Debian 13, Rocky 10, CentOS 10, openSUSE Leap 16

  • MariaDB Analyzer — new mariadb_analyzer role for live tuning analysis (mirrors postgres_analyzer), with hardware-aware recommendations for InnoDB buffer pool, connections, threads, and more

  • Dedicated DB & Redis servers — now fully functional — PostgreSQL with dynamic source-IP detection for pg_hba.conf (via ip route get), scram-sha-256 auth, TCP-mode Redis bound to the private interface

  • Managed database/Redis support — new nextcloud_db.managed flag for external services (AWS RDS, Scaleway Managed PostgreSQL/MySQL, etc.)

  • Pulumi stack examples split — Pulumi.nextcloud.yaml.example replaced by three focused examples: Hetzner all-in-one, Hetzner multi-tier (DB/Redis on private network), Scaleway + Cloudflare DNS + managed services

  • Hetzner: intern-only servers & per-server firewalls — servers without public rules are labelled intern_only=true; one merged firewall per server removes the previous 5-firewalls limit

Breaking changes in v3.2: default database type changed from mysql to pgsql; default PostgreSQL version bumped to 18.


Full changelogs and documentation are in the repository. Feedback and feature requests welcome — either here or as a GitHub issue!
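The dedicated-database item in the v3.2 list (client IP detected with `ip route get`, scram-sha-256 in pg_hba.conf, Redis bound to the private interface) is worth verifying on the resulting hosts rather than taking on trust. The following is an added example and not code from the playbook or the reinernippes.nextcloud collection: it pulls the `src` address out of `ip route get` output and refuses non-private addresses, renders a pg_hba.conf that accepts only that single host with scram-sha-256 and rejects everything else, lints any pg_hba.conf for weak methods or rules open to the world, and emits a Redis bind stanza for the private interface. The database/user names, the 10.0.0.0/24 addresses and the sample `ip route get` output are constructed for the example.

```python
"""Added example, not code from the Nextcloud playbook: derive the client
IP toward a dedicated PostgreSQL host from `ip route get`, render a
pg_hba.conf restricted to that address with scram-sha-256, lint an
existing pg_hba.conf for weak settings, and emit a Redis bind stanza.
All host names, addresses and the sample command output are constructed."""
import ipaddress
import re
import subprocess

# Constructed: what `ip route get 10.0.0.5` prints on a Linux host whose
# private interface (ens10) carries 10.0.0.3. Real output comes from
# run_ip_route_get() below, which needs iproute2 and a live network.
SAMPLE_ROUTE_OUTPUT = "10.0.0.5 dev ens10 src 10.0.0.3 uid 0 \n    cache \n"

WEAK_METHODS = {"trust", "password", "md5"}
OPEN_RANGES = {"0.0.0.0/0", "::/0", "all"}


def run_ip_route_get(target_ip: str) -> str:
    """Ask the kernel which source address it would use to reach target_ip."""
    done = subprocess.run(["ip", "route", "get", target_ip],
                          check=True, capture_output=True, text=True)
    return done.stdout


def source_ip_for(route_output: str) -> str:
    """Extract the `src` address from `ip route get` output, insisting that
    it is a private address so a public IP is never whitelisted by mistake."""
    match = re.search(r"\bsrc\s+(\S+)", route_output)
    if not match:
        raise ValueError("no 'src' field in ip route output")
    ip = ipaddress.ip_address(match.group(1))
    if not ip.is_private:
        raise ValueError(f"refusing to whitelist non-private source {ip}")
    return str(ip)


def render_pg_hba(db_name: str, db_user: str, client_ip: str) -> str:
    """pg_hba.conf that allows exactly one client host with scram-sha-256
    and explicitly rejects everything else (plus local peer auth for admin)."""
    ip = ipaddress.ip_address(client_ip)
    host_net = ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")  # /32 or /128
    rows = [
        ("# TYPE", "DATABASE", "USER", "ADDRESS", "METHOD"),
        ("local", "all", "postgres", "", "peer"),
        ("host", db_name, db_user, str(host_net), "scram-sha-256"),
        ("host", "all", "all", "0.0.0.0/0", "reject"),
        ("host", "all", "all", "::/0", "reject"),
    ]
    return "".join(f"{t:<8}{d:<12}{u:<12}{a:<20}{m}\n" for t, d, u, a, m in rows)


def lint_pg_hba(text: str) -> list:
    """Findings for weak auth methods or non-reject rules on open ranges.
    Auth options after the method (e.g. clientcert=verify-full) are ignored."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "local":
            if len(fields) < 4:
                findings.append(f"line {lineno}: malformed local rule")
                continue
            address, method = "", fields[3]
        else:
            if len(fields) < 5:
                findings.append(f"line {lineno}: malformed host rule")
                continue
            address, method = fields[3], fields[4]
            try:  # old-style "ADDRESS NETMASK METHOD" form shifts the method right
                ipaddress.ip_address(fields[4])
                method = fields[5]
            except ValueError:
                pass
        if method in WEAK_METHODS:
            findings.append(f"line {lineno}: weak auth method '{method}'")
        if address in OPEN_RANGES and method != "reject":
            findings.append(f"line {lineno}: '{method}' allowed from open range {address}")
    return findings


def render_redis_conf(private_ip: str, port: int = 6379) -> str:
    """Redis in TCP mode listening only on the private interface."""
    ip = ipaddress.ip_address(private_ip)
    if not ip.is_private:
        raise ValueError(f"refusing to bind Redis on non-private address {ip}")
    return f"bind {ip}\nport {port}\nprotected-mode yes\n"


if __name__ == "__main__":
    client = source_ip_for(SAMPLE_ROUTE_OUTPUT)  # the Nextcloud host, 10.0.0.3
    hba = render_pg_hba("nextcloud", "nextcloud", client)
    print(hba)
    print("findings:", lint_pg_hba(hba) or "none")
    print(render_redis_conf("10.0.0.4"))
    print("findings:", lint_pg_hba("host all all 0.0.0.0/0 md5\n"))
```

On a real host, `run_ip_route_get("10.0.0.5")` replaces the constructed sample; the `is_private` guard is the part that matters, because a wrong default route would otherwise whitelist the public address of the Nextcloud server in pg_hba.conf.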
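The v3.1 note about replacing raw `php occ` calls with idempotent typed modules (occ_config_system and friends) describes a read-compare-set pattern that is easy to get subtly wrong, for instance by treating the integer 1 and the boolean true as the same value. The block below is an added example, not code from the reinernippes.nextcloud collection: it shows the pattern with an explicit type comparison, check mode, and a `changed` result, driven through a pluggable runner so it can be exercised offline. The exact occ command lines (`config:system:get --output=json`, `config:system:set --value --type`) are this example's assumptions about the CLI, and the fake runner and its stored values are constructed.

```python
"""Added example, not part of the reinernippes.nextcloud collection: the
read-compare-set pattern that makes a typed occ_config_system-style task
idempotent. The occ command lines are an assumption about the real CLI;
the fake runner is an in-memory stand-in so the example runs offline."""
import json
from typing import Callable, List, Tuple

# A runner takes an argv list and returns (exit code, stdout), so the same
# logic can be driven by subprocess.run on a real host or by the fake below.
Runner = Callable[[List[str]], Tuple[int, str]]
OCC = ["php", "occ"]
TYPE_NAMES = {bool: "boolean", int: "integer", float: "float", str: "string"}


def get_system_value(run: Runner, key: str):
    """Current value of a config.php key, or None if the key is unset
    (assumed: occ exits non-zero for a missing key)."""
    rc, out = run(OCC + ["config:system:get", key, "--output=json"])
    return None if rc != 0 else json.loads(out)


def set_system_value(run: Runner, key: str, value) -> None:
    """Write a scalar with an explicit --type so occ stores the right PHP type."""
    # occ parses booleans from the literal strings "true"/"false"
    raw = str(value).lower() if isinstance(value, bool) else str(value)
    rc, out = run(OCC + ["config:system:set", key, f"--value={raw}",
                         f"--type={TYPE_NAMES[type(value)]}"])
    if rc != 0:
        raise RuntimeError(f"occ config:system:set {key} failed: {out}")


def ensure_system_value(run: Runner, key: str, value, check_mode: bool = False) -> dict:
    """Idempotent: change only when the stored value differs in type or content
    (so 1 != True and "1" != 1); in check mode report without touching the host."""
    if type(value) not in TYPE_NAMES:
        raise TypeError(f"unsupported value type for {key}: {type(value).__name__}")
    before = get_system_value(run, key)
    if type(before) is type(value) and before == value:
        return {"changed": False, "key": key, "value": value}
    if not check_mode:
        set_system_value(run, key, value)
    return {"changed": True, "key": key, "before": before, "value": value}


def make_fake_occ(initial: dict):
    """In-memory stand-in for `php occ` (constructed for the example)."""
    store = dict(initial)

    def run(argv: List[str]) -> Tuple[int, str]:
        cmd, key = argv[2], argv[3]
        if cmd == "config:system:get":
            return (0, json.dumps(store[key])) if key in store else (1, "")
        if cmd == "config:system:set":
            opts = dict(a[2:].split("=", 1) for a in argv[4:])
            cast = {"boolean": lambda s: s == "true", "integer": int,
                    "float": float, "string": str}[opts["type"]]
            store[key] = cast(opts["value"])
            return 0, ""
        return 1, f"unknown command {cmd}"

    return run, store


if __name__ == "__main__":
    run, store = make_fake_occ({"maintenance": False})
    print(ensure_system_value(run, "maintenance", False))                  # unchanged
    print(ensure_system_value(run, "maintenance", True, check_mode=True))  # would change
    print(ensure_system_value(run, "maintenance", True), store)            # changed
    print(ensure_system_value(run, "default_phone_region", "DE"), store)   # was unset
```

Array-valued keys such as trusted_domains are deliberately rejected here; they need the indexed `--type=array` handling and are a separate module's job.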