Remote SAMBA backup with NextCloud

Hello,

In our office we have a Linux file server running SAMBA. Our network can reach the internet, but it is closed to access from the internet.

We intend to have a remote (NextCloud?) server, somewhere, with two goals: 1) Remote backup, and 2) Let us, when on the road, access a (recent or current) copy of our files, since the internal network is closed to remote access.

How can I set this up?

Should our local file server have the NextCloud client installed, and have the samba folder set as the NextCloud sharing folder?

Or should our local file server also have the NextCloud server installed?

Is this the right approach? What options do I have to reach my goals? Is NextCloud appropriate for my needs?

Thanks,
Marcio

Many of my customers have similar ideas, to work only with a copy of the data for example. At one point, you’ll have to make up your mind. I don’t know your exact situation, but working in a cloud without being able to access your original work data doesn’t make sense. What if your backup fails and your cloud workers do not have current files? Do you want to consume your (mostly limited) Internet access with constant backups?

There is only one solution: A proper corporate network consisting of one, or better two, firewalls, hosting your Nextcloud server on your own. To achieve this I am using ipfire.org, Nextcloud and Onlyoffice on little Zotac Boxes. A “serverstack” with 8 Sockets and 16 cores looks like this :slight_smile: and costs less than 1.000 Euros :wink:

I encountered a similar situation to this with a company wanting Nextcloud. You will have to consider a couple of things:

  1. Which files do you want accessible over the Internet via Nextcloud?
  2. Are you keeping samba local only for security reasons, or because you have files you absolutely do not want on the Internet?

With point 1: you’ll want to have separate shares, one being internal only and the other external only, and share the external share with Nextcloud, and then you’ll have to create a clear policy within the company of what can/can’t go on the public server.

With point 2: If you just keep samba local-only for security and don’t care if all your docs are accessible via Nextcloud on the Internet, why not then just move everything to a Nextcloud server? But my impression is you don’t want all your docs to be on a public-facing server, so an option like I state with point 1 would be a wise approach.

If you split your files up into 2 shares (local-only & Internet access allowed), then you could (and should) have a separate server running Nextcloud, and access that share with the external storage app. One thing I faced though is that changes made on the samba server without the knowledge of Nextcloud mean Nextcloud will not see those changes and will assume the changes didn’t happen. There is a configuration you can add so Nextcloud regularly checks for non-Nextcloud changes, but it is supposedly experimental.

You more than likely don’t want to have duplicates of your files (recent vs. current) because that will just cause chaos and confusion among end users and you when you can’t tell which version you’re using.

Like what @jakobssystems says, you will want to do some firewalling in this case for security, like this:

You could do some additional advanced security like VPN between the servers and the like, and then set up proper firewall rules to block unwanted communications (such as Internet cannot access samba or users, users can access samba, nextcloud can’t access users, etc.). I hope this gives you a good idea. Definitely keep in mind that when you start exposing things to the internet, you really want to take this security into consideration even more so. I have hundreds of SSH attempts on my server daily, and that’s just my personal server.

Bonus: you could also set up your edge router or some other machine inside to be a VPN and say internal users and remote VPN users only can access Nextcloud. That way you don’t have Nextcloud web facing and people can still access files via a web interface and sync client by using the VPN to your network.
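
The zone rules listed in the reply above (Internet cannot reach samba or users, users can reach samba, Nextcloud cannot reach users), written out as an nftables ruleset for a firewall with three interfaces. This is an added example, not a configuration posted by anyone in the thread; the interface names, the addresses and the SSH-from-LAN admin rule are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: interface names and addresses below are constructed placeholders.
flush ruleset

define WAN = "wan0"               # Internet uplink (assumed name)
define LAN = "lan0"               # users and the samba server (assumed name)
define DMZ = "dmz0"               # separate segment holding only Nextcloud (assumed name)
define SAMBA = 192.168.10.5       # constructed address of the samba file server
define NEXTCLOUD = 192.168.20.10  # constructed address of the Nextcloud server

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: nothing from the Internet.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN tcp dport 22 accept   # admin SSH from the LAN only (assumption)
    }

    chain forward {
        # Default deny between zones; each allowed flow is listed explicitly.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> Nextcloud: HTTPS only (address already rewritten by DNAT below)
        iifname $WAN oifname $DMZ ip daddr $NEXTCLOUD tcp dport 443 accept
        # Users -> Nextcloud: web interface and sync client
        iifname $LAN oifname $DMZ ip daddr $NEXTCLOUD tcp dport 443 accept
        # Nextcloud -> samba host only, SMB only (external storage); no other LAN host
        iifname $DMZ oifname $LAN ip saddr $NEXTCLOUD ip daddr $SAMBA tcp dport 445 accept
        # LAN and DMZ -> Internet (updates, browsing)
        iifname { $LAN, $DMZ } oifname $WAN accept

        # Users reach samba directly on the LAN segment, so that flow never crosses
        # this chain. Anything else falls to policy drop; log a sample of it.
        limit rate 10/minute log prefix "fw-forward-drop: "
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport 443 dnat to $NEXTCLOUD
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it, which is worth doing before replacing a live ruleset.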