Safely and responsibly self-hosting Nextcloud as an amateur?

I have been a Linux user for more than a decade, and in recent years I started self-hosting some services as a hobby. As far as Nextcloud is concerned, I have self-hosted it for personal use for about 1 1/2 years now. At first I just followed the official "LAMP stack" instructions, and later used the Nextcloud all-in-one Docker containers. My self-hosted Nextcloud has usually been pretty stable and low-maintenance, but so far I have avoided using it for keeping any sensitive information, just to be safe.

I am also part of a small association that is looking for a decent cloud solution for file sharing and collaboration. Nextcloud itself is a perfect solution for that imo. We have tried some of the more affordable managed Nextcloud instances, but budget options do (understandably) lack in functionality, flexibility and support. There are more expensive providers which I expect would provide better service, but we can't afford them as a small non-profit group with a limited budget.

In short, my self-hosted Nextcloud instances are much faster, more stable, more up to date etc. than any budget managed Nextcloud that I have had a chance to try out. And I feel like I could easily install and maintain nextcloud-aio on a VPS, which would give us everything we need for a low price.

But as I am self-taught, and I am aware that there are still plenty of things that I don't know or understand, I have doubts about whether it would be responsible to self-manage Nextcloud when the information stored on it actually needs to be secure.

Obviously you can't judge my 'level' from the above, but I am very curious what people generally regard as the best practice around responsibly self-managing Nextcloud when you are not all that experienced or knowledgeable.
Should I just trust that things are fine as long as I follow all the general security recommendations?
Should I take extra steps, like finding someone to "audit" the setup?
Or is it better left to the experts altogether?

Thanks!

4 Likes

Hi, I think for really sensitive information the E2EE feature would be very well suited :slight_smile:

Hello,

Answer is here.

What kind of small association? Are they dealing / working with some kind of stuff that catches attention of a govt or some autocratic / oppressive regime? Or some highly classified stuff of great financial or such importance?

If the answer is yes, then I guess you need professional assistance for your data security.

For anything and everything else, the default given stuff is secure enough. The only security concern is the admin or users losing their password due to some phishing attack, or their respective client devices getting compromised due to some malware.

Practice restoration from various fault scenarios. More than data security, I feel fixing stuff when it is broken may give you more trouble in the long run.

The default setup is secure enough, but when and as we keep making changes and modifications on top of that, restoration becomes that much more complicated when things break.

Personally, I use SNAP, and I feel that for any long-termer who is looking for stability and reliability, the snap way is the easier and better way. Sure, it lacks in terms of deep customization, but that lack of options means it never breaks, and even if the user (admin) breaks things, it's dead simple to back up and restore.

Thanks.

1 Like

This is actually also one of the key features of AIO. And it features a backup-and-restore feature that is, in my opinion, better than the one of the snap.

2 Likes

Somewhat similar to Nextcloud AIO is the NextcloudPi project:
NextcloudPi is a Nextcloud instance that is preinstalled, preconfigured and includes a management interface with all the tools you need to self-host your private data in a single package. It can take care of backups, security, updates, etc.

For more information read https://nextcloudpi.com/

1 Like

I like your way of thinking. It's always better to ask in advance rather than break something…

  1. I think you are aware of the amount of work related to self-hosting based on your personal installation. Add a reasonable SLA to it, e.g. installing security-relevant hotfixes within 1 week and major updates within 3 months after release, to make the estimate perfect
  2. Add some user support to it and you will know what to expect as the daily load on the sysadmin, to understand if you are willing to take this load
  3. Think about the risks you want to address (and compare to the current state)…
  4. Develop measures to address the risks (and understand the risks you don't (want to) address)

There is no total security/safety; even the Pentagon and Microsoft couldn't totally protect their systems. Consider a fault a "matter of time": if you are lucky this happens really far in the future, maybe far enough when you are not responsible anymore; if you are unlucky this happens tomorrow…

Because risks are very different, and for a small installation:

  • you don't want to deal with too many different cases, tons of docs
  • prefer the easiest recovery strategy which addresses the most catastrophic outage first: complete loss of everything, e.g. a ransomware attack, a fire completely destroying the server etc.
  • and measure your recovery approach against it.

You only know how good your recovery strategy is when you really test and practice it from time to time.

Running an application as Docker containers allows very easy recovery and restoration tests: your real hardware just needs some free resources, or you need other hardware (preferred; it doesn't need to be very powerful, just enough storage to restore everything).

  • try it out with a small dev installation and test data to save time
  • once you know how it works, try with the full data set (recovery time, bandwidth, storage)

If you manage the previous exercises well and still commit to running your organization's instance, you will be prepared for disaster and can improve over time, adding resilience for smaller issues, e.g. RAID to avoid an outage when a single disk fails…

3 Likes

Ooh, I like this thread. Great questions! I have answers.

go for it :rocket:

Self-hosting FOSS like Nextcloud can be very empowering, especially for nonprofits and small businesses. Besides cost savings, raw access to data is so powerful.

secure by default :shield:

A core/base Nextcloud install appears to have excellent security. The source is in heavy use and is backed by a solid company with a reputation that depends on their commitment to security. They make it easy to lock down and vet (it is FOSS after all). The defaults appear secure. They follow best practices. They have a public bounty program and threat model.

start with the right questions :white_check_mark:

I think you are asking "am I good self-hosting Nextcloud, including sensitive information? can I do this?", and I think you should ask "is the org good self-hosting Nextcloud, including sensitive information? can the org do this?". More on this below.

this is fundamentally about resources :dollar:

I think most folks here would agree that it costs money and time to do security well, not to mention privacy, compliance, reliability.

Have you tried contacting Nextcloud GmbH? Maybe they have a special pricing tier for nonprofits or could at least offer guidance.

What about grant money? If you get specific on costs (see below), that is helpful info to include in a grant application, and/or helps the org target specific donors/sponsors/donation channels/grant money.

should you do more than just stand up Nextcloud :computer:

Yes.

I would take extra steps. Most of the security of a Nextcloud instance is left to the host. The security recommendations are a good start, assuming you're talking about this. As @NaXal touched on, there's a lot more to it, and it depends (in part) on how much of a target your org / these data are. I'd add: how irreplaceable the data are, the cost of a breach, potential liability, stuff like that.

more thoughts, lightning round :zap:

  • encrypt data at rest
  • how sensitive are your data?
    • PII is a big deal, PHI or financial data are radioactive
    • have a plan for compliance; the fines for failing at this are substantial
  • whatā€™s your risk profile?
    • phone a friend to help you do a simple threat model, it might not be as bad as you think
  • sure, yes, do an audit
    • budget based on your risk
    • if you have low risk / low budget: just get 2nd, 3rd opinions
  • are you aligned with the org you are supporting?
    • present your findings/recommendations and solicit feedback
  • be realistic about costs
    • show your work re: hosting/admin cost, and include predictions for ongoing costs
    • count your time as a cost, even if you don't charge for it (this helps the org plan for the future)
  • be transparent about your choices
    • document what you do and why
    • heck, document everything
    • e.g. "we can't afford paid hosting, we need to go paperless, here's our plan, it'll be awesome"
  • consider succession: what if you get hit by a bus?
  • whatā€™s the plan for backups and restores?
  • have periodic maintenance plans (weekly, monthly, etc)
    • applying security patches
    • checking backups, logs
    • making sure users with access are the right ones
    • pay attention to Nextcloud's community release EOL schedule
    • test! (what @wwe said!)
  • consider document retention
  • understand and exceed your org and end-user expectations for reliability
    • ballpark cost to the org for failures
    • if you get budget, formalize SLAs, SLOs, QoS, SLIs, etc.

use caution re: customization :building_construction:

You mention "flexibility" as a benefit of self-hosting. Proceed with caution. Every customization you make, app you install, and device that connects increases your attack surface. Test heavily first (including desktop clients, WebDAV, headless scripts with access). Keep a test instance (and scripts to stand up & tear down same) on standby for this purpose. Make sure everything is justified and documented.

Start with the leanest possible vanilla install using the Docker image. The official AIO release looks fine too; I haven't tried it, personally. For file sharing all you really need is the Files app. "Collaboration" can mean lots of things, but you probably want Notes and to be able to edit office documents together, yeah? Those apps work well (on desktops, not so much mobile), IMHO. I also just started using Temporary files lock… this is handy. You get the point though: less is more when it comes to installing Nextcloud apps and security.

I want to specifically address the E2EE app since it appeared in this thread. On paper it sounds like exactly what you want, but there are quite a few open issues. I tried it and I do not recommend it yet. YMMV

who is this guy anyway? :man:

I guess I should say why you might want to listen to me at all. I've been in tech for over 20 years: coding, architecting, hiring, managing, startups, big enterprise, giving lectures, writing, sysadmin, security, privacy, compliance, stuff like that. I've been self-hosting and using Nextcloud heavily for a couple of years now (and ownCloud before that). So let's say I have some experience and I aspire to become an expert. I am not affiliated with Nextcloud GmbH.

parting thoughts :cloud:

Topic for another thread, but I bet you're not at all alone in looking for affordable secure cloud hosting for a nonprofit. I'd love to learn more about that together!

3 Likes
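The periodic-maintenance items in the post above (checking backups, checking logs, making sure users with access are the right ones) are the kind of thing worth scripting so they actually happen every month. The following is an added example, not code from the thread or from the Nextcloud project: a small offline check that verifies backup freshness from file timestamps, scans nextcloud.log JSON lines for repeated failed logins per source address, and diffs the account list against an expected roster. The log lines, backup timestamps, roster and thresholds are all constructed here and are assumptions; the exact wording of Nextcloud's "Login failed" message differs between versions, so the matcher tolerates the quoted and unquoted forms.

```python
"""Monthly maintenance checks for a small self-hosted Nextcloud.

Added example, not part of the forum thread or the Nextcloud project.
All inputs below are constructed so the script runs offline; replace
them with real backup mtimes (os.stat), lines read from nextcloud.log,
and the output of `occ user:list` when using it for real.
"""
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# --- 1. Backup freshness: the newest backup must be younger than MAX_BACKUP_AGE
MAX_BACKUP_AGE = timedelta(days=2)  # assumption: daily backups, one missed run tolerated


def newest_backup_age(backup_mtimes, now):
    """Age of the newest backup as a timedelta, or None when there are no backups."""
    if not backup_mtimes:
        return None
    return now - max(backup_mtimes)


def backup_is_fresh(backup_mtimes, now, max_age=MAX_BACKUP_AGE):
    """True only if at least one backup exists and it is recent enough."""
    age = newest_backup_age(backup_mtimes, now)
    return age is not None and age <= max_age


# --- 2. Failed logins from nextcloud.log (one JSON object per line) -----------
# Matches both "Login failed: 'alice' (Remote IP: '203.0.113.5')" and the
# unquoted "Login failed: alice (Remote IP: 203.0.113.5)" forms.
LOGIN_FAILED = re.compile(
    r"Login failed: '?(?P<user>[^' (]+)'? \(Remote IP: '?(?P<ip>[^')]+)'?\)"
)


def failed_logins_by_ip(log_lines):
    """Count failed-login events per remote IP, skipping unparsable lines."""
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole review
        match = LOGIN_FAILED.search(entry.get("message", ""))
        if match:
            counts[match.group("ip")] += 1
    return counts


def suspicious_ips(log_lines, threshold=10):
    """IPs with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_lines).items() if n >= threshold)


# --- 3. Access review: actual accounts versus the expected roster -------------
def access_review(actual_users, expected_users):
    """Accounts that should not exist, and roster members without an account."""
    actual, expected = set(actual_users), set(expected_users)
    return {"unexpected": sorted(actual - expected), "missing": sorted(expected - actual)}


# --- Constructed sample data ---------------------------------------------------
NOW = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_BACKUP_MTIMES = [NOW - timedelta(days=1, hours=2), NOW - timedelta(days=9)]


def _log_line(message, ip, level=2):
    """Build one constructed nextcloud.log entry in the JSON-lines layout."""
    return json.dumps({
        "reqId": "abc123", "level": level, "time": "2024-05-01T07:59:00+00:00",
        "remoteAddr": ip, "user": "--", "app": "core", "method": "POST",
        "url": "/login", "message": message, "version": "28.0.4",
    })


SAMPLE_LOG = (
    [_log_line("Login failed: 'alice' (Remote IP: '203.0.113.5')", "203.0.113.5")] * 12
    + [_log_line("Login failed: bob (Remote IP: 198.51.100.7)", "198.51.100.7")] * 2
    + [_log_line("Cron ran", "127.0.0.1", level=1), "this line is not JSON"]
)
SAMPLE_USERS = ["alice", "bob", "carol", "oldadmin"]  # as `occ user:list` would report
ROSTER = ["alice", "bob", "carol", "dave"]            # who the association says should have access


def run_checks():
    """Run all three checks on the constructed data and return the findings."""
    return {
        "backup_fresh": backup_is_fresh(SAMPLE_BACKUP_MTIMES, NOW),
        "suspicious_ips": suspicious_ips(SAMPLE_LOG),
        "access": access_review(SAMPLE_USERS, ROSTER),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On the constructed data this reports a fresh backup, flags 203.0.113.5 (12 failures) but not 198.51.100.7 (2 failures), and finds a leftover "oldadmin" account plus a roster member "dave" with no account. Each of those is an item for the monthly review, not an automatic action: a flagged IP is a prompt to check whether brute-force protection is on, and an unexpected account is a prompt to ask who created it before disabling it.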

Sounds like you are a self-hosting badass.

That makes you smart in my book; do what makes you comfortable. If you are not already, keep regular, automated backups on an external disk.

3 Likes

Amen.

Yes, those of us now very confident and strong in hosting, managing, tweaking, optimizing and using Nextcloud would never have any doubts; we also carefully assess and learn about other solutions before just throwing all our eggs in one basket. This makes you a pro.

2 Likes

None of our data is very sensitive or valuable, and I don't expect anyone to specifically target us. However, some documents do have basic personal information of our members, and we are serious about preventing any leaks. We are also based in Europe and need to comply with EU privacy laws.

Very true! That is my next concern. I have some practice backing up and restoring; one of my main reasons for liking nextcloud-AIO is the relative ease of restoring it, but things could definitely still break under my watch. I already have the habit of keeping extra backups of files (locally and encrypted). Even though it's true that breaking the instance and losing data is more likely than actually leaking data, it would not be nearly as catastrophic.

1 Like

Thank you for all the good points! I might use it as a checklist.

Yes, file sharing, Nextcloud Office and the Calendar are the main tools we would use. I would at least also add the Deck app, which seems harmless to me.

It would be an amazing bonus if Talk were also stable and powerful enough to use for meetings and webinars (streaming to up to 200 ppl) instead of Zoom, but I imagine that would dramatically increase the required resources. I've hardly tested Talk myself and haven't really looked into this yet, as there is already a lot to consider.

So many right things have been said in this thread. Nothing to add here.
Though I wanted to comment on one specific point:

If your association is non-profit, you might apply for a personal quote at NC Inc. directly. As far as I know they offer special prices for non-profit and/or educational customers.

5 Likes