Pidiylab Logo

Pidiylab Title

Nextcloud AIO on Raspberry Pi 5 with Caddy Reverse Proxy and SSL

Published:

Updated:

Author:

C Wilson

Nextcloud aio on pi 5 with caddy ssl

Disclaimer

As an affiliate, we may earn a commission from qualifying purchases. We get commissions for purchases made through links on this website from Amazon and other third parties.

Introduction

Now, before we get going, let’s acknowledge the obvious: setting up a cloud server on something that fits in your palm sounds like a weird flex. But here you are, eyeing your Raspberry Pi 5 like it owes you rent, and thinking, “Can I actually run Nextcloud AIO on this thing… and make it secure with SSL?” Spoiler alert: yeah, you can.

Nextcloud AIO isn’t just another container—it’s the “hey, I got this” of self-hosted solutions. It rolls together file sync, calendar, contacts, even video calls, all inside Docker containers that behave like a family of introverts who only talk through their handler. That handler is Docker Compose.

Now toss in Caddy. Why Caddy? Because unlike Nginx or Apache, it doesn’t need a master’s in config files. It speaks plain English. You point it to your Nextcloud container, it grabs your SSL certs, and boom, you’re secure. Automatic HTTPS, with no crying into your terminal at 2 AM because Certbot borked again.

Add in a sprinkle of Pi 5 power, a dash of reverse proxy, and a solid static IP, and you’ve got a privacy-focused, sync-your-life cloud server that doesn’t require a server rack or a second mortgage.

Key Takeaways

  • The Raspberry Pi 5 is powerful enough to run a full Nextcloud AIO stack with Docker and Caddy.
  • Caddy simplifies reverse proxy setup and automates SSL certificate management via Let’s Encrypt.
  • Use a static IP and forward ports 80 and 443 for public access.
  • External SSDs should be used for performance and reliability.
  • Docker containers make the whole setup modular and easier to maintain or update.
  • Security basics like 2FA, locked down admin panels, and disabled SSH passwords go a long way.
  • Regular updates, backups, and monitoring prevent surprises and data loss.
  • For maximum control, you can skip AIO and build a custom container stack—but for most users, AIO works great.
  • Troubleshooting mostly comes down to reading logs and verifying config files.
  • This setup empowers you to own and manage your own cloud, free from external service providers.

Getting the Raspberry Pi 5 Ready

Setting up the Hardware

All right, let’s start with what you’ll actually need on your desk or kitchen table—or wherever your DIY server empire lives. The Raspberry Pi 5 finally stopped pretending to be a toy and brought real specs to the table. We’re talking up to 8GB of RAM, a faster Broadcom CPU, PCIe support, and dual 4K HDMI. Not that you’ll use the HDMI ports once it’s headless, but still, it’s nice they’re there for emergencies and bragging rights.

Here’s the bare minimum:

  • Raspberry Pi 5 (preferably the 8GB version, because containers are memory-hungry gremlins)
  • USB-C power supply (not your old phone charger, please)
  • microSD card (for the OS, minimum 32GB, but don’t cheap out—go with A2-rated)
  • External SSD via USB 3.0 (your Nextcloud storage; don’t try to store 400GB of data on an SD card unless you enjoy pain)
  • Heatsink and fan or a proper case (because throttling is real and sad)

Set it up on Ethernet if you care about stability. Wi-Fi works, but let’s not pretend it won’t drop at the worst time. And yeah, you’ll need a mouse/keyboard and monitor for the first boot… unless you’re already doing headless installs like the overachiever you probably are.

Installing the OS

You’re going to want a 64-bit OS. Raspberry Pi OS (Bookworm 64-bit) is a solid pick, but if you’re comfortable with servers, go with Ubuntu Server 22.04 LTS. It behaves more like the big leagues.

Steps to install:

  1. Flash the OS using Raspberry Pi Imager or Balena Etcher.
  2. Enable SSH before first boot if you’re going headless.
  3. Boot it up, resize the filesystem, and run your usual sudo apt update && sudo apt full-upgrade.
  4. Set a static IP address. You’ll want your reverse proxy and DNS to always know where home is. DHCP leases change like gas prices.

Oh, and enable SSH keys if you want security without the dance of typing passwords 30 times a day.

Installing Docker and Docker Compose

Why Containers Work Well on Pi

I’m sure a lot of you are going, “Docker? On a Raspberry Pi? Isn’t that like towing a boat with a lawnmower?” Not anymore. The Pi 5 isn’t some underpowered science fair project. It’s got enough muscle to run Docker containers smoothly—especially if you’re smart about what you’re spinning up.

Containers are efficient. They isolate apps without needing full-blown virtual machines. You get repeatable builds, easy updates, and you can crash one service without dragging the whole system down with it. It’s like having a bunch of well-behaved roommates who each clean up after themselves.

Installation Steps

All right, here’s the no-nonsense way to install Docker on Raspberry Pi OS or Ubuntu:

curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker $USER

Then reboot. Or log out and back in if you’re the impatient type.

Check if Docker works:

docker run hello-world

It’ll spit out a message if it worked. If not, you’ve probably got a permissions issue, or you missed the group step.

Next, install Docker Compose:

sudo apt install docker-compose

Or for the binary:

sudo curl -L "https://github.com/docker/compose/releases/download/2.24.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Check it:

docker-compose --version

Boom. You’re ready to spin up services.

Deploying Nextcloud AIO

Overview of Nextcloud AIO Architecture

All right, time to get the heavy-lifting container up and running. Nextcloud All-in-One (AIO) is basically the Costco of self-hosted cloud solutions. It’s one image that wraps up Nextcloud, the database, Redis, Collabora or OnlyOffice, cron jobs, monitoring—basically everything but the coffee maker.

It uses Docker Compose behind the scenes but does most of the orchestration for you. You don’t have to build a Franken-stack with five different compose files. It’s got a web UI that even your most paranoid IT friend would nod at. And yes, it runs fine on ARM, so the Pi 5 can absolutely handle it—just don’t try to add 20 users and expect miracles.

Installation via Docker

Let’s walk through this like someone who’s done it before and made all the wrong turns so you don’t have to.

Start with pulling the setup container:

docker run \
  --sig-proxy=false \
  -p 8080:8080 \
  -v nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  -e NEXTCLOUD_DATADIR=/mnt/nextcloud \
  -e APACHE_PORT=11000 \
  -e APACHE_IP_BINDING=127.0.0.1 \
  nextcloud/all-in-one:latest

A few notes:

  • Port 8080 is just for initial setup.
  • The NEXTCLOUD_DATADIR path points to wherever your storage is mounted (ideally on your SSD).
  • APACHE_IP_BINDING tells it to not expose itself to the public—Caddy will handle that mess.
  • Volumes will persist between updates and crashes. Don’t forget to back them up.

After this, open your browser to:

http://<your-pi-ip>:8080

You’ll walk through the setup wizard, choose what services to install (pick the defaults unless you really hate Collabora), and let it do its thing.

The initial install can take a while, especially if you’re on slow storage. It’s pulling multiple images and building containers. Go get a snack. Or three.

Setting Up Caddy as a Reverse Proxy

Why Choose Caddy Over Nginx or Apache?

Okay, let’s address the obvious—Nginx and Apache have been the default reverse proxies for years. But then there’s Caddy. It’s like showing up to a potluck with a slow cooker that also does your taxes. It auto-fetches SSL certificates from Let’s Encrypt without needing separate cron jobs or complex configs. That’s huge when you’re already managing Nextcloud, Docker, Raspberry Pi quirks, and a DNS setup that barely behaves.

Nginx makes you write 30 lines of config just to say “point to this IP.” Apache needs modules enabled like you’re activating cheat codes. Caddy? It’s “here’s my domain, here’s the proxy address.” Done. It even renews the certs before they expire. Bless it.

Basic Caddyfile for Nextcloud

Let’s keep this simple. Here’s a working Caddyfile:

yourdomain.com {
    reverse_proxy 127.0.0.1:11000
    encode gzip
    tls your@email.com
}

Breakdown:

  • yourdomain.com is your actual domain.
  • 127.0.0.1:11000 is where the Nextcloud container is listening (remember the APACHE_PORT in AIO config?)
  • encode gzip helps with performance
  • tls triggers Let’s Encrypt and sets your contact email

Throw this file into /etc/caddy/Caddyfile or wherever your distro expects it. Test it:

caddy validate --config /etc/caddy/Caddyfile

If it passes, start it:

sudo systemctl start caddy
sudo systemctl enable caddy

Your Nextcloud AIO should now be available at https://yourdomain.com, complete with a shiny green padlock.

Enabling HTTPS with Let’s Encrypt

Here’s what makes Caddy king for lazy-but-smart admins: it handles ACME protocol automatically.

By default, it:

  • Performs an HTTP-01 challenge over port 80
  • Uses your domain and email to get a valid cert
  • Renews certs every 60 days before they expire
  • Stores everything in /var/lib/caddy/.local/share/caddy

If your ISP blocks port 80, you can switch to a DNS challenge, but that’s a little messier and depends on your DNS provider supporting APIs.

Check your cert status:

sudo caddy list-modules | grep tls
sudo journalctl -u caddy

Look for ACME logs—those’ll tell you if the cert was issued, renewed, or failed because you typoed your domain.

DNS and Network Configuration

DNS Setup for Public Access

Let’s say you want to access your Nextcloud from anywhere—not just from the couch with your laptop balanced on your knees. That means setting up your DNS. If you’ve got a custom domain, cool. If not, you can use a dynamic DNS service like DuckDNS, No-IP, or one of the dozens that exist to make your life mildly easier.

Your goal here is to point your domain to your home’s public IP address. Go into your domain registrar’s DNS settings and add an A record:

  • Type: A
  • Host: @ (or nextcloud if you want a subdomain like nextcloud.yourdomain.com)
  • Value: Your public IP (find it at whatismyip.com)
  • TTL: Auto or 3600 seconds is fine

If you’re on a dynamic IP from your ISP (which most of us are, unless you pay extra), then use a dynamic DNS script to keep the IP updated.

Router and Firewall Rules

All right, now we’ve got to crack open your router’s settings. You need to forward two ports from the outside world to your Raspberry Pi:

  • Port 80 (HTTP) → lets Let’s Encrypt validate the domain
  • Port 443 (HTTPS) → lets users securely access Nextcloud

In your router’s admin panel (which is usually something like 192.168.0.1 or 192.168.1.1), look for “Port Forwarding” or “NAT.”

Forward:

  • External Port 80 → Internal IP of Pi, Port 80
  • External Port 443 → Internal IP of Pi, Port 443

Set your Pi to a static IP so these forwards don’t break every time you reboot. Either reserve the IP in your router or configure it manually in the Pi’s DHCP settings.

If you’re behind CGNAT or double NAT (like some mobile or satellite ISPs), you may need to tunnel through a VPN or use a reverse proxy service like Cloudflare Tunnel. Hopefully you’re not, but hey, we’ve all made questionable ISP choices.

Storage, Volumes, and Data Safety

Connecting External Drives

Let’s be real: Nextcloud without decent storage is just a very complicated calendar. You’ll want a fast, reliable external SSD or HDD connected via USB 3.0. Don’t even think about storing terabytes on a microSD card—unless you like living dangerously and enjoy random data loss at 3 a.m.

Format your drive as ext4. It plays nice with Linux, supports permissions properly, and doesn’t flake out after heavy use like exFAT. You can use gparted or mkfs.ext4 to format it.

Mount it somewhere consistent, like /mnt/nextcloud:

sudo mkdir -p /mnt/nextcloud
sudo mount /dev/sda1 /mnt/nextcloud

Then edit /etc/fstab to auto-mount on boot:

/dev/sda1  /mnt/nextcloud  ext4  defaults,nofail  0  2

Test it with sudo mount -a.

Nextcloud Data Volumes

Nextcloud AIO needs persistent volumes so your data doesn’t disappear every time a container restarts or updates. When you launched the container earlier, you pointed it to a data directory using NEXTCLOUD_DATADIR.

Just make sure:

  • The mount path matches what you configured
  • The Docker user has read/write access (www-data inside the container often owns the files)
  • You don’t accidentally delete the Docker volumes while cleaning up unused images

Check volume usage:

docker volume ls
docker inspect <volume_name>

Backups and Snapshots

Let’s say your cat jumps on your Pi, unplugs it mid-write, and corrupts the storage. Or more likely, you just mess something up while “tweaking.” You need backups.

Two solid options:

  1. Rsync Backup
    Sync your data volume to another drive or remote server: rsync -a /mnt/nextcloud /mnt/backupdrive
  2. Btrfs or ZFS Snapshots
    If you’re using Btrfs or ZFS, take snapshots regularly. They’re fast, efficient, and restore quicker than your faith in cheap hardware.

Consider automating these with cron jobs and storing at least one copy offsite or on a separate drive.

Performance and Monitoring

Pi 5 Capabilities

Let’s not sugarcoat it: the Raspberry Pi 5 is the first Pi that actually feels like it can replace a light-duty server. It’s got a quad-core Cortex-A76, PCIe support (with a hat, for now), and faster RAM. That said, you’re still working with a single-board computer. It’s not going to laugh off five users uploading RAW image files while Collabora runs in the background—unless you like 100% CPU usage and spinning wheels.

Thermals are the first thing to watch. This board gets toasty under load. If you didn’t install active cooling, expect it to throttle like a ’90s Civic going uphill. A proper case with a fan and heatsink is not optional—it’s life support.

Check the temps:

vcgencmd measure_temp

If it creeps above 70°C under load, your Pi’s trying to tell you it’s in pain.

Monitoring Tools

Want to know what’s going on under the hood? You’ve got options, and most don’t require spinning up a full Grafana stack.

Here’s what actually works well on the Pi:

  • htop — Nice terminal-based overview of CPU/RAM.
  • Netdata — Lightweight, real-time monitoring in a web UI.
  • Docker stats — See what your containers are doing: docker stats

You can also check system load and uptime:

uptime

Or see which services are guzzling memory:

ps aux --sort=-%mem | head

Log what matters. Keep an eye on disk I/O (iotop), container logs (docker logs), and system resource alerts. If your SSD starts acting up, you’ll want to know before your Nextcloud data turns into digital soup.

Securing the Deployment

Access Controls

So you’ve got this thing online. Congratulations. Now, let’s talk about the million ways someone could try to break into it.

Start with your Nextcloud admin account. Use a strong password, enable two-factor authentication, and don’t reuse the login from that sketchy coupon site you joined in 2013.

In the Nextcloud settings:

  • Enable 2FA with TOTP (Time-Based One-Time Password)
  • Limit login attempts
  • Create user groups with restricted permissions

The AIO web interface should also be locked down. After initial setup, restrict access via firewall or local IP whitelist. You don’t need the whole internet poking around your management interface.

SSL and Certificate Validity

Let’s Encrypt is great—until you forget it’s there and your cert quietly expires, breaking everything.

Caddy handles renewals for you, but still, check the cert status now and then:

curl -vI https://yourdomain.com

Look for the SSL certificate verify ok. Or check the expiry:

openssl s_client -connect yourdomain.com:443 | openssl x509 -noout -dates

Caddy stores certs in /var/lib/caddy. Back that up if you ever migrate.

And avoid mixing self-signed certs unless you enjoy browser warnings and chasing down trust store errors.

Network Hardening

Even with SSL, don’t assume you’re done. Most attacks come from exposed services that were never meant to be public.

Some tips:

  • Close ports you don’t use
  • Only expose 80 and 443
  • Use ufw or iptables to lock down the Pi
  • Disable SSH password login and use keys only
  • Rotate your keys and use non-standard SSH ports if you’re extra paranoid

Also, check your Nextcloud’s security scan at:

https://scan.nextcloud.com

It’ll flag missing headers, weak SSL settings, or exposed admin routes.

Troubleshooting and Maintenance

Common Issues

Look, things break. That’s the deal you sign when you self-host. But most problems fall into a few categories:

  • Caddy won’t start? Usually a bad config or port already in use. Run: sudo journalctl -u caddy --no-pager | tail -n 50
  • Nextcloud page isn’t loading? Check if the AIO containers are up: docker ps -a If one crashed, restart it manually or pull fresh images.
  • SSL errors? Your DNS might not be pointing correctly, or port 80/443 is blocked.
  • Permission denied? That’s your data directory. Run ls -la and check who owns it.

Log Files and Systemd

You’ll solve 90% of issues by reading the logs. They’re not fun, but they tell the truth.

  • Caddy logs: journalctl -u caddy
  • Docker logs: docker logs <container_name>
  • System events: dmesg and journalctl -xe

Nextcloud also keeps logs in:

/mnt/nextcloud/data/nextcloud.log

If it’s full of “can’t write” errors, you’ve got a file ownership issue. Use chown -R www-data:www-data /mnt/nextcloud to fix it.

Updates and Upgrades

Stay updated or stay vulnerable. This isn’t a set-it-and-forget-it appliance.

  • AIO handles app updates inside the container. Open the AIO interface, hit update.
  • Docker: Pull the latest images occasionally: docker pull nextcloud/all-in-one
  • Caddy: Install updates via package manager or official binary.
  • OS: Run your usual: sudo apt update && sudo apt upgrade

Reboot every few weeks. Not because Linux needs it—just to prove everything still comes back up clean.

Alternatives and ComparisonsWhen Not to Use AIO

Nextcloud AIO is slick, but it’s not the answer to everything. If you:

  • Want total control over every component
  • Need to scale for more than a handful of users
  • Already run PostgreSQL, Redis, or OnlyOffice outside of Docker
  • Use Kubernetes or another orchestration tool

…then AIO might feel limiting. It’s great for a single user or small family setup on a Raspberry Pi 5, but it’s not the tool for enterprise-grade, multi-region hosting. You’ll want to split the stack and manage each service individually.

Also, if you’re trying to integrate with LDAP, external databases, or complex backup systems, AIO gets in the way more than it helps.

Comparing Caddy vs Nginx

All right, now the spicy part. Caddy vs Nginx. Let’s make it simple:

FeatureCaddyNginx
Config SimplicityOne line per siteDozens of lines with edge cases
SSL AutomationBuilt-in with Let’s EncryptNeeds Certbot or similar
Resource UsageSlightly higher RAM footprintLower baseline
DocumentationClear and modernExtensive but older
Learning CurveEasy for beginnersSteep but powerful
Default TLS SettingsStrong out of the boxNeeds manual tuning

Caddy’s ideal when you want it working now, securely, with no drama. Nginx is ideal when you want fine-grained control over everything and are willing to spend the time setting it up.

On the Pi, both run fine, but Caddy’s ease-of-use makes it the better pick for most Raspberry Pi Nextcloud users.

Final Thoughts

You’ve just built a full-featured, encrypted, self-hosted cloud server using a Raspberry Pi 5, Docker, Nextcloud AIO, and Caddy. Monitor it, update it, back it up, and enjoy owning your own data.

Frequently Asked Questions (FAQ)

Can I use Wi-Fi instead of Ethernet on the Raspberry Pi 5?

Yes, but it’s not recommended for reliability. Ethernet provides a stable, faster connection—especially for syncing large files or using multiple services.

What’s the best OS for this setup?

Ubuntu Server 22.04 LTS or Raspberry Pi OS 64-bit Bookworm are both solid. Go with what you’re comfortable maintaining.

Do I have to use Caddy as the reverse proxy?

No, you can use Nginx or Apache if you prefer, but Caddy is easier to configure and handles SSL certificates automatically.

Will Nextcloud AIO work with an external database or OnlyOffice server?

AIO is designed to bundle everything together. If you need modular control, a manual multi-container setup is better.

Can I access my Nextcloud from outside my network?

Yes, as long as your domain is set up correctly and ports 80/443 are forwarded through your router.

What happens if the SSL certificate fails to renew?

Caddy logs the failure. Check your DNS, open ports, and domain validity. You can manually trigger a reload.

How do I back up everything safely?

Use rsync for file-level backups or Btrfs/ZFS snapshots. Backup Docker volumes and any custom config files.

Can I run other containers on the same Pi?

Yes, but keep an eye on CPU and RAM. The Pi 5 is powerful, but multitasking with resource-heavy containers can cause instability.

What’s the easiest way to monitor performance?

Use Netdata or docker stats. For a quick overview, htop tells you almost everything.

Is this setup secure enough for sensitive data?

With SSL, firewalls, and strong credentials, it’s reasonably secure. Still, always keep software updated and follow best practices.

References

Was this helpful?

Yes
No
Thanks for your feedback!

About the author

Written by

C Wilson

Chuck has been in computer programming for decades, and began his foray into the world of computing with a Tandy 1000 while working at Radio Shack. His careers have included CAD drafting, manufacturing line programming, and custom computer design. Chuck continues with computer sciences while enjoying retirement.

Latest Posts

Pi DIY Lab