Cloud storage · no KYC
Host Nextcloud on an Offshore VPS
Nextcloud gives you a full private cloud — files, sync, calendar, and contacts — running entirely on hardware you control, with no third party reading your data.
What it is
Nextcloud is an open-source cloud storage and collaboration platform: file sync across desktop and mobile, sharing, calendar, contacts, and an app ecosystem for office documents, notes, and photos. It is the leading self-hosted alternative to Dropbox, Google Drive, and iCloud, with all data stored on your own server.
Why host it offshore
On a no-KYC, offshore VPS your files never touch a US or EU big-cloud account tied to your identity, and unmetered bandwidth means large sync loads and shared media downloads don't rack up egress fees. Paying in crypto and choosing a privacy-tier location keeps the storage of personal documents free of identity records and outside common data-request jurisdictions.
The deploy
A working reference setup
Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.
## docker-compose.yml — Nextcloud + MariaDB + Redis
## Prereqs on Ubuntu 24.04:
## apt update && apt install -y docker.io docker-compose-v2
## Put this file in /opt/nextcloud/ and run: docker compose up -d
## Then front it with a TLS reverse proxy (Caddy/Nginx) on 443 -> 127.0.0.1:8080
services:
db:
image: mariadb:11
restart: unless-stopped
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MARIADB_ROOT_PASSWORD=CHANGE_ME_root
- MARIADB_DATABASE=nextcloud
- MARIADB_USER=nextcloud
- MARIADB_PASSWORD=CHANGE_ME_db
networks:
- nc
redis:
image: redis:7-alpine
restart: unless-stopped
command: redis-server --requirepass CHANGE_ME_redis
networks:
- nc
app:
image: nextcloud:30-apache
restart: unless-stopped
depends_on:
- db
- redis
ports:
- "127.0.0.1:8080:80" # bind to localhost; expose via reverse proxy TLS
volumes:
- nextcloud:/var/www/html # app + config + apps
- ./data:/var/www/html/data # user files (put on your big data volume)
environment:
- MYSQL_HOST=db
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_PASSWORD=CHANGE_ME_db
- REDIS_HOST=redis
- REDIS_HOST_PASSWORD=CHANGE_ME_redis
- NEXTCLOUD_ADMIN_USER=admin
- NEXTCLOUD_ADMIN_PASSWORD=CHANGE_ME_admin
- NEXTCLOUD_TRUSTED_DOMAINS=cloud.example.com
- OVERWRITEPROTOCOL=https # required behind a TLS proxy
networks:
- nc
volumes:
db:
nextcloud:
networks:
nc:
Firewall
Ports to open
| Port | Protocol | Purpose |
|---|---|---|
| 443 | TCP | HTTPS access via your TLS reverse proxy (Caddy/Nginx) — the only port you expose publicly |
| 80 | TCP | HTTP for ACME/Let's Encrypt challenge and redirect to HTTPS |
| 8080 | TCP | Nextcloud container HTTP, bound to 127.0.0.1 only and reached by the reverse proxy |
| 3478 | TCP/UDP | Optional: TURN/coturn for Nextcloud Talk audio/video calls |
Right-sizing
Which plan you need
VPS Small (2 vCPU / 4 GB RAM)
1-5 users, personal file sync + calendar/contacts. Add a Storage plan volume for the data directory as your library grows.
VPS Pro (4 vCPU / 8 GB RAM)
10-30 users with active sync, previews, and Collabora/OnlyOffice document editing. Pair with a large Storage-tier data volume.
Dedicated (8+ cores / 32 GB RAM) + Storage node
50+ users, team collaboration, Talk video calls, and heavy preview generation. Move user data to a dedicated Storage server or S3-compatible external storage.
Best locations: Because Nextcloud holds personal documents, pick a privacy-tier location — NL, CH, RO, IS, MD, or LU. Switzerland and Iceland have strong constitutional data-protection and are outside the 14-Eyes core; Moldova and Romania sit outside EU data-sharing pressure. Choose the region nearest your users to keep sync latency low while staying in a privacy-friendly jurisdiction.
Lock it down
Hardening checklist
- Never expose the container port directly — bind Nextcloud to 127.0.0.1:8080 and terminate TLS at a Caddy or Nginx reverse proxy, forcing HTTPS with HSTS. Set OVERWRITEPROTOCOL=https so generated URLs are correct.
- Lock NEXTCLOUD_TRUSTED_DOMAINS to your real hostname, use long random passwords for the admin/db/redis, and after first boot run 'occ config:system:set trusted_domains' rather than leaving wildcards.
- Enable server-side encryption for external storage and turn on brute-force protection plus 2FA (TOTP) for all accounts; put the login behind fail2ban watching the Nextcloud log.
- Move the /data directory onto a separate large volume (ChainVPS Storage) and schedule 'occ maintenance:mode' backups of both the database dump and the data dir; test restores periodically.
- Run the recommended cron background job via a system cron calling 'docker compose exec -u www-data app php cron.php' every 5 minutes instead of AJAX cron, and add memory caching (Redis is wired above) to clear the admin overview warnings.
Deploy it on
The right ChainVPS product
Questions
Hosting Nextcloud — FAQ
Do I need a domain name?
Yes, in practice. Nextcloud needs a hostname for a valid TLS certificate and for the mobile/desktop sync clients to connect securely. Point an A record at your VPS IP and put it in NEXTCLOUD_TRUSTED_DOMAINS.
Which ChainVPS product should I pick — VPS or Storage?
Start on a VPS for the app itself, and attach or pair a Storage plan for the actual file data. Nextcloud's compute needs are modest; it is disk-hungry, so cheap high-capacity storage is where the real sizing decision lives.
Can I keep my file data outside the main disk?
Yes. Mount a separate Storage volume at the /data path, or configure S3-compatible external storage. This lets you grow capacity independently of the VPS and simplifies backups.
Is unmetered bandwidth actually useful for Nextcloud?
Very. Initial syncs, large media libraries, and multi-device usage move a lot of data. Unmetered transfer means big uploads and downloads don't generate surprise egress bills the way big-cloud providers do.
How do I keep it updated and secure?
Pin a major image tag (e.g. nextcloud:30-apache), snapshot before upgrading, then bump one major version at a time and run 'occ upgrade'. Combine that with 2FA, fail2ban, and off-host backups for a solid baseline.
Will paying in crypto keep my storage private?
Payment is no-KYC and no identity is attached to the account, but privacy end-to-end also depends on your setup: use a privacy-tier location, enable encryption, and control your own admin credentials. ChainVPS never asks for identity documents.
More to self-host
Other one-click stacks
Spin up Nextcloud
in the next 60 seconds.
Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.