Nextcloud is a great open-source all-in-one collaboration suite for startups. It offers many of the same features as the big SaaS providers at a fraction of the cost. Our founders have worked with startups all over the globe and see their struggles daily with getting a business off the ground, so we will show you how to set up Nextcloud with an extra security layer.

Many startup programs offer SaaS-based solutions, and for good reasons. Google, Amazon, HubSpot, etc. all offer great services, but the bill grows with every seat and can become cost-prohibitive to startups on a bootstrap budget. So if you are trying to quickly scale a team with a limited budget you may find yourself doing things that create security holes in your organization.

Sharing passwords for shared accounts is the typical example. It saves money, but one leaked credential becomes a single point of attack on your entire organization, and you cannot tell afterwards which person used it. As a startup you likely have intellectual property you want to protect, and that IP is what creates value for your small company. Protect it at all costs.

We have chosen Nextcloud for this startup tutorial because it bundles the key tools a virtual workforce needs on the way to getting customers:

  • Communication | Talk
  • Project Management | Deck
  • File Management | Files
  • Email Server Connection | Mail

Server Setup

Now we will show you how to set up Nextcloud with an extra security layer on AWS Lightsail. Lightsail is a much easier starting point than EC2 if you are not yet comfortable with cloud consoles, and it gives you an introduction to cloud services. Other providers like Linode also work great and have very competitive pricing.

The first thing you need to do is create a Lightsail instance capable of running Nextcloud. Click the Create Instance button in your Amazon Lightsail dashboard. See the image below.

The next step is to choose your platform; for this choose Linux/Unix. Then select a blueprint; for this tutorial pick the plain Ubuntu 20.04 LTS image, since we will install Nextcloud ourselves rather than using a pre-packaged application blueprint.

Make sure to set your SSH key pair. Create a separate key pair for each server: if one key is ever exposed, only that server is affected, and you can revoke it without locking yourself out of the rest. Enable automatic snapshots; Lightsail will then take a daily snapshot you can restore from if an update or a bad change breaks the server.

Up next is picking your instance plan. For testing purposes, we like to start with one of the first three tiers, which give you 3 months free for a limited time. This will let you try Nextcloud with your team on board and using it daily. Because you can create a new, larger instance from a snapshot at any time, you can upgrade later to speed things up. For this tutorial, we selected the $10-a-month plan.

Name your instance, add any tags you want, then click Create instance and your server will begin its initial setup. This can take a few minutes, so go grab a cup of coffee and you will be ready to jump into the command line. Once your server is up and running, click on its title to enter the details. It should look something like the image below.

Networking

The next thing is to go into Networking and make a few temporary changes so you can update and reboot the server before anything on it is exposed to the web. Click on the Networking tab, scroll down to IPv6 networking and disable it. Then delete the HTTP (80) rule in your IPv4 firewall so nothing answers on the web until Nextcloud is installed and has a certificate. Additionally, restrict the SSH (22) rule to your own public IP address rather than leaving it open to every address on the internet. Do not use 127.0.0.1 here: that is the loopback address, and a rule restricted to it would match no remote client, including you.

Updating your new server

Now go back to your Connect tab and click Connect using SSH, or use your own SSH client such as PuTTY with the key pair you chose when creating the instance. Lightsail makes it easy to jump into your server.

Run the following commands to update, upgrade and then reboot your server. You may be asked a few questions along the way; the default answers are normally fine. Select them with the Tab key and Enter or with the arrow keys.

$ sudo apt update # lists all available updates
$ sudo apt upgrade # answer Y when prompted; the default answers to any other questions are fine
$ sudo reboot # reboot after the upgrade and verify you can reconnect via SSH

How to setup Nextcloud

Now comes the fun part of getting Nextcloud set up and running on your new server. For this we will use the Nextcloud snap from Snapcraft for its ease of use and (mostly) automatic setup. We will show you step by step how to get your installation running on a domain or subdomain of your choice.

Step 1. Install Nextcloud

$ sudo snap install nextcloud

Step 2. Create the admin account. Choose a long, unique password for it; this account can read every user's files and change every setting. Because the password is passed on the command line it ends up in your shell history, so type the command with a leading space (Ubuntu's default bash settings then skip it) or run history -c afterwards.

$ sudo nextcloud.manual-install username password

Step 3. Add your domain to the trusted domains list. This can be a domain or a subdomain, but it must be exactly the name users will type in the browser: Nextcloud rejects any request whose Host header is not in this list, which is what stops an attacker from reaching your instance under a name you did not approve. Index 0 is already taken by localhost, so the first domain goes in at index 1.

$ sudo nextcloud.occ config:system:set trusted_domains 1 --value=yourdomain.com

Step 4. Check that your domain has been added to the trusted domains list. The output lists one entry per line, with localhost first.

$ sudo nextcloud.occ config:system:get trusted_domains

SSL Certificate Setup

Next up is important: setting up your TLS certificate for https:// with Let's Encrypt, the free certificate authority run by the Internet Security Research Group. Nextcloud needs a certificate that browsers and the desktop and mobile clients trust, and Let's Encrypt validates your ownership of the name by fetching a token from your server over plain HTTP, so a few things have to be in place first.

Go back into the Networking tab in the Lightsail dashboard and re-enable both HTTP (80) and HTTPS (443) in the IPv4 firewall. You will also want to create a static IP. The link for this is under your public IP near the top.

Once you have done the above your IPv4 firewall should look like the image below, with your own IP address in the SSH rule. With a static IP you can point the DNS record at your DNS host to the address Amazon gave you without it changing on the next reboot. The page should show that your new static IP is attached to your instance, and the Connect tab will reflect it as well.

Point your domain's DNS A record at the static IP now and wait until it resolves, because Let's Encrypt proves ownership by connecting to that name on port 80. Then run the Let's Encrypt command to get TLS running on your domain.

$ sudo nextcloud.enable-https lets-encrypt

Make sure you enter the same domain you added to trusted_domains above; if it was a subdomain, enter the subdomain. Answer the questions as they come and once the setup finishes you should have a valid certificate installed for your domain or subdomain; the snap renews it automatically before it expires.

Check your domain by visiting the site. You should land on a login page where you sign in with the admin account you created in the previous steps. To learn more about the snap and its other commands visit its git repo.

Nextcloud Going off the grid

Here at Blacksite we like things off the grid and hidden, and we have found and created multiple solutions that help you do just that. SLNT makes some amazing gear that helps protect you against wireless attacks with their patented Faraday material. They have dope backpack dry bags that keep your electronics safe and stop anything with an NFC or RFID tag from being read or manipulated.

VirnetX's (NYSE: VHC) latest platform, VirnetX One, took their pre-existing patented technology and created a pair of products (War Room and Matrix) that give you encrypted video conferences off the public internet. If you are not authorized for the meeting, you're not getting in. Say goodbye to Zoom bombs or forwarded meeting invites. It's like having a Ukrainian bouncer protecting the front door. Matrix lets you secure almost any app on your server. It acts as identity management for your organization and partners: authenticate user access and secure applications and services at the network edge, manage access, apply access policies in real time, and easily understand who has access to what.

The following steps require a Matrix subscription. Matrix puts Nextcloud on a private, authenticated network and encrypts the traffic in transit; Nextcloud's own encryption features (server-side encryption of the data directory and the end-to-end encryption app) are separate and still have to be enabled inside Nextcloud if you want them.

Protecting an Application with Matrix

Step one is to enter the Admin Console, highlighted in gold below. The goal is to end up with a dashboard icon for your organization like the Nextcloud one below, a.k.a. how to set up Nextcloud with an extra security layer. One thing to check first: make sure you are logged into your organization's secure domain; it will look something like us-domain.

Step two, go into the Protected Apps area, where you set up application templates and protected apps. As you can see from the menu change, this is where you manage your apps, users, devices, and networks, giving you quick insight into who is on your zero trust network.

The first thing you will see is your protected apps and services, whether they are running, and their connectivity status. You can also dive into the details of each application to see who has accessed it, which devices are on the network, and their OS, user, IP addresses, version, and online status: a simple access list that gives an easy overview of your digital infrastructure. You can also set up CNAME redirects for your apps for easy access.

Click the red New Access Template button to begin setting up the Nextcloud template. Matrix comes with a few templates built in, such as a standard web app on ports 80 and 443, which makes it pretty easy to set up an app.

Once you get to this screen it should look something like this. By default the template has an HTTPS firewall rule, and you can add more. For this install we will add HTTP as well; these are the ports Nextcloud requires if you were running it normally on the public internet.

Now that your app template is saved it is time to add the protected app. To do so click the red New Application button.

It's just three steps to an off-grid hybrid cloud that lets your company focus on customers and sales rather than managing multiple websites and SaaS subscriptions. Step one: choose the Nextcloud template from the dropdown.

Name your application, give it a description and click Next. Good names help as your secure domain grows into a network of applications and users.

Step 2 grants access to your user base, either the entire organization or on a team-by-team or individual basis. Granting only the people who need the application access compartmentalizes each application in your digital supply chain. This step will also send out user invites letting people know they have access to the application.

Step 2.1 is selecting the users who have access. By default, the account creating the app (an administrator) is selected. Once users are selected press the Next button.

The last step is how your users access the application. This is where you enter the domain from the top of this tutorial; whatever you used for your domain or subdomain with Let's Encrypt has to match. You also have the opportunity to create your own unique secure domain or stick to the default one.

Verify that it all looks solid and click Create. You should see the installer working its magic, and when it is done creating the domain infrastructure it will spit out your server install script to activate the server on the network, set up secure access, and turn off all public-facing ports.

Each installation is tied directly to your protected application, so if you run into any issues at all contact our support team at blacksite.solutions/support. Once successful you should see your application come up green in the dashboard, meaning the secure domain-protected application is online.

The first step installs the VirnetX client. The commands below download a binary over HTTPS and run it with your privileges, so look it over before executing it and compare it against a checksum if VirnetX publishes one.

$ curl https://deb.myvirnetx.com/platform/debian/virnetx_cmd > virnetx_cmd
$ chmod 755 virnetx_cmd
$ ./virnetx_cmd install

The next step registers the device (the server). For this, create a one-time-use password using the link provided, then substitute it for the dots in the command and hit Enter. The last part of the installation registers the application on the network. If all systems are go and you did not run into any issues on the command line, you should see your protected app green and online. To view details, click on the menu icon to the right of the status; this takes you to the overview of your protected app.

The very last step is to verify that everything is operating correctly. Go to your AWS Lightsail dashboard, open the Networking tab and delete the HTTP and HTTPS rules: from now on the only way to reach Nextcloud is through Matrix. You can leave the SSH rule active (still restricted to your own IP) or remove it until you need it.

Now there are two ways to test. One is to point your web browser at the domain or subdomain you set up from a device that is enrolled in Matrix. If you see the Nextcloud login screen you are good to go. The other easy way is to click on the protected app icon in the dashboard, which opens the app for you to use.
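Both of those tests prove the app works for someone who is allowed in. The other half of the lockdown is proving it no longer works for anyone else, i.e. that deleting the HTTP and HTTPS rules actually took. The script below is an added example for this tutorial, not part of Lightsail, Nextcloud or Matrix; run it from a machine that is not enrolled in Matrix. The file name exposure_check.py and the address 203.0.113.10 are constructed placeholders for the instance's static IP. It distinguishes a port that is open, one that answers with a refusal (something is listening-capable but nothing is bound), and one that is silently dropped, which is what a correctly closed Lightsail firewall rule looks like.

```python
"""Confirm the lockdown took: after the Lightsail HTTP/HTTPS rules are deleted,
ports 80 and 443 must not answer from the public internet any more.

Added example for this tutorial, not part of Lightsail, Nextcloud or Matrix.
    python3 exposure_check.py 203.0.113.10            # after lockdown: expect nothing open
    python3 exposure_check.py cloud.example.com --public   # during the Let's Encrypt step: expect open
"""
import socket
import sys

# The ports the tutorial opens for Let's Encrypt and closes again after Matrix is live.
WEB_PORTS = (80, 443)


def classify(exc):
    """Map a failed connect() to what the network is telling us.
    Refused (RST) means the host is reachable but nothing listens on the port;
    a timeout means something, here the Lightsail firewall, silently dropped the SYN."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    return "unreachable"  # no route, host down, DNS failure, ...


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def unexpected_ports(results, public):
    """Given {port: state}, return the ports whose state contradicts the expectation.
    public=False (after the Matrix lockdown): any 'open' web port is a problem.
    public=True (while Let's Encrypt needs to reach you): any web port not 'open' is a problem."""
    return sorted(port for port, state in results.items() if (state == "open") != public)


def scan(host, ports=WEB_PORTS, timeout=3.0):
    """Probe every port once and collect the states."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    host = sys.argv[1]
    public = "--public" in sys.argv
    results = scan(host)
    for port, state in sorted(results.items()):
        print(f"{host}:{port} {state}")
    bad = unexpected_ports(results, public)
    if bad:
        print("UNEXPECTED:", ", ".join(str(p) for p in bad))
        sys.exit(1)
    print("exposure matches expectation")
```

If a web port still comes back "open" after you deleted the rules, check that you edited the firewall of the right instance and that the static IP you are probing is the one attached to it; "closed" rather than "filtered" means the firewall let the packet through and only the service was down.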

War Room Secure Video Conferencing

This gives you privacy and security on multiple levels, especially if you also turn on Nextcloud's own encryption and full disk encryption on the server. You can set up Matrix services as well for secure connections to databases, email servers, SSH, RDP, and more. You could set up a GitLab CE server to keep your code base separate and back it up to your Nextcloud install. With a large enough instance you could run both Nextcloud and GitLab as Docker containers. The possibilities are endless.

That's it, and thank you for checking out the tutorial. We should have a video version uploaded to our YouTube channel shortly. Check out our Security as a Service offering for other unique services to keep you secure.

Interested in learning how you can set up your own secure wallet? Check out this tutorial.