Nextcloud AIO Raspberry Pi 5: Complete Self-Hosted Cloud Setup Guide


Nextcloud AIO on a Raspberry Pi 5 gives you self-hosted file sync, calendar, contacts, and collaboration running entirely on your own hardware. Nextcloud All-in-One bundles Nextcloud Hub, PostgreSQL, Redis, Collabora Online, and a backup solution into a single Docker-managed stack. Caddy handles HTTPS automatically with Let’s Encrypt, so your Pi is reachable from anywhere over a verified TLS connection without manual certificate management. This guide covers hardware preparation, OS setup, Docker and AIO deployment, Caddy reverse proxy configuration, security hardening, and maintenance.

Last tested: Raspberry Pi OS Bookworm Lite 64-bit | May 3, 2026 | Raspberry Pi 5 (8GB) | Nextcloud AIO 8.x | Caddy 2.9 | Samsung T7 SSD

Key Takeaways

  • Nextcloud AIO uses APACHE_IP_BINDING=127.0.0.1 to keep the Nextcloud Apache container off the public interface. Caddy must run on the same host as the AIO stack and proxy to 127.0.0.1:11000. Running Caddy on a different machine from AIO requires additional network configuration.
  • The AIO master container wizard creates the Nextcloud admin account on first run. Do not skip or refresh the wizard page mid-setup. The admin credentials are only shown once. Store them in a password manager immediately.
  • Store all Nextcloud data on an SSD mounted at a consistent path. The directory named in NEXTCLOUD_DATADIR must exist before the container starts. Changing the data directory after initial setup requires migrating all data manually.

Nextcloud AIO Raspberry Pi 5: How It Works

Nextcloud All-in-One is a master container that manages a set of subordinate containers. The master container exposes a web-based setup wizard on port 8080. Through this wizard you configure your domain, choose optional containers (Collabora, ClamAV, Talk), and start the stack. The master container then pulls and manages all subordinate containers automatically, including their updates.

The Nextcloud Apache container serves the application on port 11000 bound to 127.0.0.1. Caddy runs on the host and proxies public HTTPS traffic to that local port. All external traffic passes through Caddy's TLS termination before reaching Nextcloud.

Container | Role | Port
AIO master | Manages the stack, setup wizard | 8080 (setup only)
Nextcloud Apache | Serves Nextcloud web UI and API | 11000 (localhost only)
PostgreSQL | Primary database | Internal only
Redis | Cache and session storage | Internal only
Collabora | Online document editing | Internal only
AIO Backup | BorgBackup-based snapshots | Internal only

Hardware and OS Preparation

The Pi 5 with 8GB RAM is the right choice for Nextcloud AIO. The stack at idle uses around 1.5GB RAM. With Collabora active and one to two users editing documents, expect 3 to 4GB. The 4GB Pi 5 works for single-user setups but leaves limited headroom for other services.

An external SSD connected via USB 3.0 is required for the Nextcloud data directory. Nextcloud generates continuous write I/O from file sync, thumbnail generation, and database transactions. See Booting Raspberry Pi from USB SSD for SSD setup. Use the official 27W USB-C power supply. See Raspberry Pi Power Monitoring via USB for load verification.

Flash Raspberry Pi OS Bookworm Lite 64-bit using Raspberry Pi Imager. In the advanced settings, set hostname, enable SSH, and configure credentials. After first boot:

sudo apt update && sudo apt full-upgrade -y

Set a static IP so DNS records and port forwards always point to the same address:

sudo nmcli connection modify "Wired connection 1" \
  ipv4.method manual \
  ipv4.addresses 192.168.1.110/24 \
  ipv4.gateway 192.168.1.1 \
  ipv4.dns 192.168.1.1
sudo nmcli connection up "Wired connection 1"

Mount the SSD and create the data directory using UUID for a stable mount:

blkid /dev/sda1
# Add to /etc/fstab:
# UUID=your-uuid  /mnt/nextcloud  ext4  defaults,nofail,noatime  0  2
sudo mkdir -p /mnt/nextcloud
sudo mount -a
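
The fstab entry above uses nofail, so the Pi still boots when the SSD is missing, and /mnt/nextcloud is then only an empty directory on the boot medium. This added example (not part of the original guide) classifies the mount state from /proc/self/mounts-style records so a start script can refuse to run in that case; the function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# datadir_mount_state DIR reads mount records in /proc/self/mounts layout
# (device dir fstype options ...) on stdin and prints one of:
#   ok | not-mounted | not-block-device | read-only
datadir_mount_state() {
    awk -v dir="${1%/}" '
    $2 == dir { dev = $1; opts = $4; found = 1 }   # the last record is the visible mount
    END {
        if (!found)                                print "not-mounted"
        else if (index(dev, "/dev/") != 1)         print "not-block-device"
        else if (index("," opts ",", ",ro,") > 0)  print "read-only"
        else                                       print "ok"
    }'
}

# Constructed sample: SSD mounted as described in this guide.
MOUNTS_SSD_PRESENT='/dev/mmcblk0p2 / ext4 rw,noatime 0 0
/dev/sda1 /mnt/nextcloud ext4 rw,noatime 0 0'

# Constructed sample: SSD unplugged, boot continued because of nofail.
MOUNTS_SSD_ABSENT='/dev/mmcblk0p2 / ext4 rw,noatime 0 0'

# Constructed sample: SSD mounted read-only.
MOUNTS_SSD_READONLY='/dev/mmcblk0p2 / ext4 rw,noatime 0 0
/dev/sda1 /mnt/nextcloud ext4 ro,noatime 0 0'

# On the Pi: datadir_mount_state /mnt/nextcloud < /proc/self/mounts
printf '%s\n' "$MOUNTS_SSD_ABSENT" | datadir_mount_state /mnt/nextcloud
```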

Installing Docker and Deploying AIO

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker $USER
sudo apt install docker-compose-plugin -y

Log out and back in so the Docker group membership takes effect. Start the Nextcloud AIO master container:

docker run \
  --sig-proxy=false \
  --name nextcloud-aio-mastercontainer \
  --restart always \
  -p 8080:8080 \
  -e NEXTCLOUD_DATADIR=/mnt/nextcloud \
  -e APACHE_PORT=11000 \
  -e APACHE_IP_BINDING=127.0.0.1 \
  -v nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  ghcr.io/nextcloud-releases/all-in-one:latest

APACHE_IP_BINDING=127.0.0.1 keeps the Nextcloud Apache container off the public interface. APACHE_PORT=11000 sets the local port Caddy will proxy to. NEXTCLOUD_DATADIR points to the SSD mount. The Docker socket is mounted read-only so the master container can manage subordinate containers without root on the host.

Navigate to http://<pi-ip>:8080 in a browser. The AIO setup wizard loads. Enter your domain name and work through the wizard. It verifies domain reachability, lets you choose optional containers, then pulls and launches all containers.

Expected result: The wizard completes and shows the Nextcloud admin credentials. Store them immediately. Navigate to https://your-domain.com and the Nextcloud login screen loads over HTTPS. The first page load takes 30 to 60 seconds while Nextcloud finishes initialising.

[Figure: Nextcloud AIO Raspberry Pi 5 stack diagram showing the Caddy proxy, AIO master container, Nextcloud Apache, PostgreSQL, Redis, and Collabora]

Caddy Reverse Proxy Configuration

Install Caddy on the Pi host using the official APT repository:

curl -fsSL https://dl.cloudsmith.io/public/caddy/stable/gpg.key \
  | sudo gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg

echo "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" \
  | sudo tee /etc/apt/sources.list.d/caddy-stable.list

sudo apt update && sudo apt install caddy -y

Create /etc/caddy/Caddyfile:

cloud.yourdomain.com {
    reverse_proxy 127.0.0.1:11000
    encode gzip
}

Caddy v2 obtains and renews Let’s Encrypt certificates automatically. No tls directive is needed. Caddy handles the ACME HTTP-01 challenge over port 80 and serves HTTPS on 443 without any additional configuration. For the full Caddy setup including DuckDNS for dynamic IP, see Caddy Reverse Proxy Raspberry Pi.

sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl enable --now caddy
sudo systemctl status caddy

Expected result: caddy validate returns no errors. Within 60 seconds of Caddy starting, https://cloud.yourdomain.com serves the Nextcloud login page with a valid certificate. If the browser shows a certificate warning, check that ports 80 and 443 are forwarded to the Pi in your router port forwarding settings.

DNS and port forwarding

Create an A record in your DNS provider pointing your domain to your home public IP. If you have a dynamic IP, use DuckDNS and update the record automatically. Forward ports 80 and 443 from your router to the Pi's static IP. Port 80 is required for the ACME HTTP-01 challenge; port 443 carries all user traffic.

If your ISP uses CGNAT and you cannot forward ports, use Tailscale instead. Access Nextcloud at http://<pi-tailnet-ip>:11000 from within your tailnet without public exposure. See Tailscale Raspberry Pi for the setup.

Security Hardening

After first login, go to Settings > Security and enable TOTP two-factor authentication. Create a second admin account separate from your daily-use account. Disable Nextcloud apps you do not use.

Restrict port 8080 to your local network after completing the setup wizard:

sudo apt install ufw -y
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow from 192.168.1.0/24 to any port 8080
sudo ufw enable
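
Docker publishes container ports through its own iptables rules, which are evaluated ahead of the rules ufw manages, so the address a port is bound to is what decides who can reach 8080 and 11000. The following added example (not part of the original guide) checks `ss -Htln` output against the bindings this guide intends; the function name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# audit_listeners reads `ss -Htln` output on stdin and compares it with the
# exposure this guide intends: 11000 on loopback only, 8080 reported when it
# listens on a non-loopback address. Exit status 1 means at least one FAIL.
audit_listeners() {
    awk '
    $1 == "LISTEN" {
        ep = $4                                   # local address:port column
        n = split(ep, part, ":")
        port = part[n]
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if (port == "11000") {
            seen = 1
            if (!loopback) {
                print "FAIL 11000 bound to " addr ", expected 127.0.0.1"
                bad = 1
            }
        }
        if (port == "8080" && !loopback)
            print "WARN 8080 (AIO wizard) listens on " addr ", not loopback"
    }
    END {
        if (!seen) { print "FAIL 11000 has no listener, Caddy will answer 502"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the layout produced by the docker run command in this guide.
SAMPLE_AS_DEPLOYED='LISTEN 0 4096 127.0.0.1:11000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: APACHE_IP_BINDING set to 0.0.0.0 instead of 127.0.0.1.
SAMPLE_MISBOUND='LISTEN 0 4096 0.0.0.0:11000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'

# On the Pi: ss -Htln | audit_listeners
printf '%s\n' "$SAMPLE_AS_DEPLOYED" | audit_listeners || true
```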

Disable SSH password authentication:

# In /etc/ssh/sshd_config set:
# PasswordAuthentication no
# PubkeyAuthentication yes
# PermitRootLogin no
sudo systemctl reload sshd

Run the Nextcloud security scan at scan.nextcloud.com after your instance is live. It checks for missing security headers, exposed admin routes, and weak TLS. Caddy's default TLS settings pass the scan without manual tuning.

Backups and Maintenance

Nextcloud AIO includes a BorgBackup-based backup container. Configure it in the AIO wizard by specifying a backup destination on the SSD or a network share. It captures the data directory, database, and container configurations as a compressed deduplicated archive. Set a daily backup schedule.

For off-Pi copies, use rclone to sync completed Borg archives to cloud storage. See BorgBackup Raspberry Pi Prune Policies for retention configuration and Rclone Raspberry Pi for encrypted cloud sync.

The AIO wizard handles Nextcloud and container updates. Navigate to http://<pi-ip>:8080, select Update, and the master container pulls new images and restarts the stack. Update the host OS separately:

sudo apt update && sudo apt upgrade -y

Troubleshooting

502 Bad Gateway from Caddy

docker ps -a | grep nextcloud
docker logs nextcloud-aio-mastercontainer
journalctl -u caddy -n 50

A 502 means Caddy cannot reach port 11000. Either the Nextcloud Apache container is not running or it is still starting. Give AIO 2 to 3 minutes after a fresh start. If a container is in a restart loop, check its logs with docker logs <container-name>.

Certificate not issued

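# Caddy has no list-certs subcommand; the packaged service keeps issued
# certificates under the caddy user's data directory:
sudo find /var/lib/caddy/.local/share/caddy/certificates -name '*.crt'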
openssl s_client -connect cloud.yourdomain.com:443 < /dev/null 2>&1 | grep -i "notafter\|verify"

Certificate failures are almost always a DNS or port forwarding problem. Caddy cannot complete the ACME challenge if port 80 is unreachable, or if the domain A record points to the wrong IP. Test from outside your home network using a mobile data connection, not your home Wi-Fi.

Permission errors on the data directory

ls -la /mnt/nextcloud
docker exec nextcloud-aio-nextcloud id www-data
# Then set ownership to match the returned UID, for example:
sudo chown -R 33:33 /mnt/nextcloud

Always check the container UID before running chown. The UID inside the container may differ from the www-data user on the host.

High CPU on Pi

ClamAV scanning is the most common cause of unexpectedly high CPU. If enabled with a large file collection, it scans everything on upload and on schedule. Disable it in the AIO wizard if CPU usage is unsustainable. Collabora also uses significant CPU when multiple documents are open simultaneously.

FAQ

What is the difference between Nextcloud AIO and a manual Nextcloud install?

A manual install gives full control over every component. Nextcloud AIO trades that control for simplicity: the master container manages everything and updates apply through a web UI. For a single user or small family on a Pi, AIO is significantly less maintenance than a manual install. For users who need specific component versions or integration with existing infrastructure, a manual install is more appropriate.

Can I run Nextcloud AIO without a public domain?

Yes. Without a public domain you can run AIO on your local network via HTTP on port 11000, or use Tailscale for remote access. Caddy automatic TLS requires a valid domain reachable from the internet. The Nextcloud mobile apps work over LAN or Tailscale connections without public HTTPS.

How many users can Nextcloud AIO on Pi 5 support?

For light use (file sync, calendar, contacts), 5 to 10 simultaneous users is reasonable on a Pi 5 with 8GB RAM. For Collabora document editing, 2 to 4 simultaneous users is the practical limit. Memory is the primary constraint, not CPU.

Can I migrate an existing Nextcloud install to AIO?

Not directly. The recommended path is to export data from the existing install using the admin export tool at Settings > Administration > Export, then import into a fresh AIO installation. It requires matching user accounts and moving data directories manually.

Does Nextcloud AIO work without Collabora?

Yes. Collabora is optional and adds online document editing for .docx, .xlsx, and .odt files. Without it, Nextcloud still handles file sync, sharing, calendar, contacts, and photos. Skipping Collabora saves roughly 300 to 500MB of RAM on the Pi.

About the Author

Chuck Wilson has been programming and building with computers since the Tandy 1000 era. His professional background includes CAD drafting, manufacturing line programming, and custom computer design. He runs PidiyLab in retirement, documenting Raspberry Pi and homelab projects that he actually deploys and maintains on real hardware. Every article on this site reflects hands-on testing on specific hardware and OS versions, not theoretical walkthroughs.

Last tested hardware: Raspberry Pi 5 (8GB), Samsung T7 SSD via USB 3.0. Last tested OS: Raspberry Pi OS Bookworm Lite 64-bit. Nextcloud AIO 8.x, Caddy 2.9.
