The original motivation was twofold: enabling digital sovereignty while turning the entire setup into a personal learning sandbox.
The initial deployments were provisioned using Ansible. However, the automation pipeline never reached full end-to-end maturity; smaller adjustments and operational tweaks were still executed manually.
Historically, each Nextcloud instance had its own dedicated playbook. While functional, this architecture revealed structural weaknesses over time, particularly when synchronized or centralized changes across both environments became necessary.
Up to now, the base operating system has been Debian 12.
Concrete Technical Objectives of the New Stack
The renewed infrastructure is not just a distribution change. It is a deliberate architectural refinement.
The concrete goals of the new setup are:
- Nginx with HTTP/3 and QUIC support for modern transport-layer performance and future-proof web delivery
- MariaDB as the relational backend for predictable and performant data persistence
- iptables-based firewalling for deterministic packet filtering and explicit traffic control
- Let's Encrypt certificates for automated, zero-cost TLS lifecycle management
The intention is to run a lean, high-performance, cryptographically sound stack with minimal unnecessary surface area.
Migration Strategy: From Debian to AlmaLinux
I am currently preparing a complete infrastructure refresh. This time, I deliberately chose AlmaLinux, a Red Hat-compatible distribution.
The decision was driven partly by a desire to gain deeper knowledge of the Red Hat ecosystem, but primarily by my interest in SELinux.
In simplified terms, SELinux adds an additional security layer on top of classic Linux permissions.
Instead of relying solely on user/group access, it enforces policy-based access control: services are only allowed to perform explicitly permitted actions. Even if a process gets compromised, SELinux can prevent it from interacting with unrelated system components.
I am already fairly deep into the migration, but at this stage everything revolves around one thing: testing, testing, and more testing.
Collabora: From Manual Installs to Containerization
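To make the policy-based model concrete for this stack, here is an added example script (not part of the original post or its Ansible project) that labels only the directories PHP must write to and enables the boolean nginx/php-fpm need for outbound connections to the external Collabora endpoint; the paths /var/www/nextcloud and /srv/nextcloud/data are assumptions.

```shell
#!/usr/bin/env bash
# SELinux labelling for a Nextcloud web root served by nginx + php-fpm on AlmaLinux.
# Paths are assumptions for this example; adjust NC_ROOT / NC_DATA to your layout.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

NC_ROOT="${NC_ROOT:-/var/www/nextcloud}"
NC_DATA="${NC_DATA:-/srv/nextcloud/data}"

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Only the paths PHP must write get httpd_sys_rw_content_t. Everything else under
# /var/www keeps the default read-only httpd_sys_content_t, so even a compromised
# php-fpm worker (running in httpd_t) cannot rewrite the application code it serves.
label_writable_paths() {
  for p in "$NC_ROOT/config(/.*)?" "$NC_ROOT/apps(/.*)?" \
           "$NC_ROOT/.htaccess" "$NC_ROOT/.user.ini" "$NC_DATA(/.*)?"; do
    # -a fails if the rule already exists; fall back to -m so reruns are idempotent
    run semanage fcontext -a -t httpd_sys_rw_content_t "$p" 2>/dev/null \
      || run semanage fcontext -m -t httpd_sys_rw_content_t "$p"
  done
  run restorecon -Rv "$NC_ROOT" "$NC_DATA"
}

# httpd_t may not open outbound sockets by default. Nextcloud needs outbound HTTPS
# to the external Collabora endpoint, so the broad boolean is required; the narrower
# *_db boolean is only needed if MariaDB is reached over TCP instead of a local socket.
allow_outbound() {
  run setsebool -P httpd_can_network_connect on
  if [ "${DB_OVER_TCP:-0}" = 1 ]; then
    run setsebool -P httpd_can_network_connect_db on
  fi
}

# Exercise Nextcloud after labelling; any remaining denial for php-fpm or nginx
# shows up here and points at a path or boolean still missing from the policy.
show_denials() {
  run ausearch -m AVC -ts recent
}
```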
In previous setups, the Collabora Online integration was always installed manually.
In production environments for the associations, this repeatedly caused friction: compatibility issues, operational instability, and the recurring need to rely on older versions.
Over time, this constant operational overhead became frustrating enough that I even considered switching to a commercially hosted Nextcloud solution.
From a purely financial perspective, managed hosting is no longer dramatically more expensive than running a private vServer.
The real difference lies in control, flexibility, and architectural freedom.
Additionally, some hosted Nextcloud providers meter the number of simultaneously active Collabora users and charge additional fees once certain thresholds are exceeded, a model that doesn't align well with community-driven infrastructure.
Major Improvement: Podman-based Collabora Deployment
Today marked a major breakthrough regarding Collabora.
Following guidance from ChatGPT (yes... I admit it), I migrated the Collabora service into a standalone containerized deployment using Podman.
Nextcloud now connects to this external service endpoint instead of hosting the app internally.
This architectural approach is widely considered more stable, easier to maintain, and operationally cleaner than the classic in-app deployment model.
That said, this setup still requires extensive validation.
More testing is inevitable, and in parallel I will continue diving deeper into SELinux behavior in containerized environments.
Ansible Status and Next Steps
The Ansible codebase is already operational, but far from "finished." My current workflow is intentionally iterative:
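The external-endpoint setup described above, as an added example script that is not the post's own code or part of its Ansible project: Collabora (CODE) runs as a Podman container bound to loopback with TLS terminated at nginx, and Nextcloud is pointed at it with occ. The domains cloud.example.org and office.example.org, the web root, the php-fpm user nginx and the admin password are assumed placeholders.

```shell
#!/usr/bin/env bash
# Collabora Online (CODE) as a standalone Podman container behind the existing nginx,
# with Nextcloud pointed at it via occ. Domains, paths, user and password below are
# example placeholders; set them for your environment. DRY_RUN=1 prints instead of running.
set -eu

NC_DOMAIN="${NC_DOMAIN:-cloud.example.org}"          # the Nextcloud vhost that will use CODE
OFFICE_DOMAIN="${OFFICE_DOMAIN:-office.example.org}" # public name nginx proxies to the container
NC_ROOT="${NC_ROOT:-/var/www/nextcloud}"
NC_USER="${NC_USER:-nginx}"                          # user php-fpm runs as
CODE_IMAGE="${CODE_IMAGE:-docker.io/collabora/code:latest}"  # pin a tested tag in production
COOL_ADMIN_PW="${COOL_ADMIN_PW:-change-me}"

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# TLS terminates at nginx, so the container speaks plain HTTP and is bound to loopback
# only: it is never reachable directly from the network. aliasgroup1 limits which WOPI
# host (this Nextcloud instance) the CODE server will accept documents from.
start_collabora() {
  run podman run -d --name collabora --restart=always \
    -p 127.0.0.1:9980:9980 \
    -e "aliasgroup1=https://${NC_DOMAIN}:443" \
    -e "extra_params=--o:ssl.enable=false --o:ssl.termination=true" \
    -e "username=admin" -e "password=${COOL_ADMIN_PW}" \
    "$CODE_IMAGE"
}

# Point the richdocuments app at the external endpoint and restrict which source
# address may call Nextcloud's WOPI endpoints: set WOPI_SOURCE_IP to the address
# CODE's callbacks actually arrive from (check the nginx access log), not a guess.
configure_nextcloud() {
  run sudo -u "$NC_USER" php "$NC_ROOT/occ" config:app:set richdocuments wopi_url \
    --value "https://${OFFICE_DOMAIN}"
  run sudo -u "$NC_USER" php "$NC_ROOT/occ" config:app:set richdocuments wopi_allowlist \
    --value "${WOPI_SOURCE_IP:-127.0.0.1}"
  run sudo -u "$NC_USER" php "$NC_ROOT/occ" richdocuments:activate-config
}
```

For a rootless container a restart policy alone does not bring CODE back after a reboot; manage it with a systemd (Quadlet) unit for production, and remember that nginx proxying to 127.0.0.1:9980 also depends on the httpd_can_network_connect boolean.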
- Destroy the Nextcloud test vServer
- Reinstall everything from scratch
- Refine playbooks
- Repeat the cycle
This destroy-and-rebuild loop is deliberate; it is the fastest path toward a reproducible, deterministic infrastructure state.
Download: Ansible Playbook (Beta)
The current state of the Ansible project is already fully executable and successfully runs end-to-end in my test environments.
However, before using it in your own setup, you must adapt all sensitive and environment-specific values accordingly (e.g. hostnames, domains, credentials, secrets, IP addresses).
You can download the current zip archive of the Ansible project here:
Download Ansible Nextcloud Stack (Beta)
Please note that this codebase is currently in beta status.
While the playbooks are functional, the project is still under active development and continuous improvement.
I am already working on refinements and optimizations, and I plan to publish an updated version within the next few days.
Disclaimer
This project is provided as-is, without any warranty of any kind.
Usage is entirely at your own responsibility.
I strongly recommend testing the playbooks in a non-production environment before considering any productive deployment.
Infrastructure as code. Community-first. Fully sovereign.