Setting Up High-Performance Nextcloud on Hetzner with Split Storage: A Detailed Guide

Self-hosting your own cloud storage gives you control over your data. It increases privacy. It can also save you money. For businesses that need to store massive amounts of data securely, the default public cloud options are expensive.

At Sharp Digital, we recently completed a deployment for a client requiring a secure, fast, and high-capacity cloud solution for hundreds of gigabytes of media files. We chose Hetzner for the infrastructure and Nextcloud for the software.

This guide is not a generic overview. This is a technical case study. It details the exact steps we took to build a production-ready Nextcloud instance. We used a split-storage architecture. The application code sits on a fast SSD. The massive user data files sit on a cost-effective Hetzner Storage Box.

If you follow these steps, you will have a secure, fully licensed (HTTPS), and high-performance cloud server.

Prerequisites

Before starting, make sure you have the following:

A Hetzner Cloud account.
A Domain Name (e.g., cloud.youracademy.net).

Step 1: Provisioning Infrastructure in the Hetzner Console

The first step is setting up the hardware. We need a virtual private server (VPS) and a Storage Box.

Creating the Server

Log in to the Hetzner Cloud Console (console.hetzner.cloud).
Select your desired Project.
Click the red Add Server button.
Select a Location. (We chose Nuremberg, Germany).
Select Ubuntu 24.04 for the Image.
Select a Server Type. (We chose the CX22. It has 2 vCPUs and 4 GB RAM. This is sufficient for Nextcloud when optimized).
Add your SSH Key. (This is critical for secure access).
Give your server a Name (e.g., nextcloud-prod).
Click Create & Buy now.

Creating the Storage Box

We will use a Storage Box for the actual user files. This is much cheaper than buying large SSD drives on the VPS.

In the main Hetzner Console menu, click on Storage Box.
Click the green Add Storage Box button.
Select a Size plan. (For this project, we used the BX21. It provides 5 TB of storage).
Select a Location (preferably the same as your server for lower latency).
Click Create & Buy now.

Gathering Credentials

Once the Storage Box is created, click on it in the dashboard. You need to gather information from the Setup tab:

Copy the Hostname (e.g., uXXXXXX.your-storagebox.de).
Copy the Username (e.g., uXXXXXX).
Click Reset Password to get a password. Copy this password.
Make sure the Samba/CIFS checkbox is Enabled.

Step 2: Preparing the Server via SSH

Now we connect to the VPS to install required software and mount the Storage Box.

Installation and Updates

Open your terminal. Connect to your new server using the IP address Hetzner provided.

# Connect to your server (replace with your server IP)
ssh root@<YOUR_SERVER_IP>

Once logged in, update the server.

apt update && apt upgrade -y

Install Docker and Docker Compose. This is what we will use to run Nextcloud.

apt install docker.io docker-compose-v2 -y

Mounting the 5 TB Storage Box

We must make the Storage Box look like a normal folder on the server.

1. Create the folder on your SSD where we will mount the remote storage.

mkdir -p /mnt/storagebox

2. Create a credentials file to securely store your Storage Box password.

nano /root/.smbcredentials

Paste your Storage Box username and password into this file:

username=uXXXXXX
password=YOUR_LONG_STORAGEBOX_PASSWORD

(Press Ctrl+O, Enter, then Ctrl+X to save and exit).

3. Set secure permissions on the credentials file.

chmod 600 /root/.smbcredentials

4. Edit the system's mount file.

nano /etc/fstab

5. Add this exact line to the very bottom of the file. Replace uXXXXXX and the hostname with your specific details.

//uXXXXXX.your-storagebox.de/backup /mnt/storagebox cifs credentials=/root/.smbcredentials,uid=33,gid=33,iocharset=utf8,nofail 0 0

(This line tells the server to mount the box automatically on boot. Crucially, it sets the owner to UID 33. This is the www-data user that Nextcloud requires).

6. Tell the server to read the new file and mount the box right now.

mount -a

7. Verify the mount was successful.

df -h | grep storagebox

You should see a line showing /mnt/storagebox with 5 TB available.

8. Finally, create the actual data directory inside the mounted storage and set proper ownership.

mkdir -p /mnt/storagebox/nextcloud_data
chown -R www-data:www-data /mnt/storagebox/nextcloud_data

Step 3: Setting Up Nginx Proxy Manager (NPM)

Nginx Proxy Manager is the gateway. It will listen for incoming traffic on port 80 (HTTP) and 443 (HTTPS). It will handle the SSL certificates. It will then route the traffic to the Nextcloud container internally.

1. Create a separate folder for NPM.

mkdir -p /opt/npm
cd /opt/npm
nano compose.yaml

2. Paste this Docker blueprint into the file:

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: always
    ports:
      - '80:80'      # Public HTTP
      - '443:443'    # Public HTTPS
      - '81:81'      # Admin Web Interface
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

3. Start NPM.

docker compose up -d

Step 4: DNS Configuration

You must now point your domain to your server IP.

Log in to your DNS Provider dashboard (e.g., GoDaddy, Cloudflare, Namecheap).
Go to the DNS Management page for your domain.
Add a new A Record.

Name/Host: cloud (This creates cloud.yourdomain.com).
Value/IP: Your Hetzner VPS IP Address.
TTL: Set to Automatic or the lowest value.

Step 5: Deploying Nextcloud with Video Support

We need a custom Docker configuration for Nextcloud. The client needs video playback support for hundreds of .MOV files. The official Nextcloud Docker image does not include the necessary software (ffmpeg) to generate video thumbnails. We will create a custom build.

1. The custom Dockerfile

1. Create the main Nextcloud folder.

mkdir -p /opt/nextcloud
cd /opt/nextcloud
nano Dockerfile

2. Paste these lines. This instructs Docker to download Nextcloud but immediately install ffmpeg into the application.

FROM nextcloud:latest
RUN apt-get update && apt-get install -y ffmpeg

2. The main compose file

1. Create the compose.yaml file in the same /opt/nextcloud folder.

nano compose.yaml

2. Paste this complete configuration. We use PostgreSQL as the database (it is faster than MySQL for large file collections) and Redis for high-speed memory caching.

version: '3.8'

services:
  nextcloud-aio-database:
    image: postgres:17-alpine
    container_name: nextcloud-aio-database
    restart: always
    volumes:
      - ./db_data:/var/lib/postgresql/data
    environment:
      # Change this secure password!
      - POSTGRES_PASSWORD=YOUR_STRONG_DB_PASSWORD
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud

  redis:
    image: redis:alpine
    container_name: nextcloud-redis
    restart: always

  app:
    # This builds from the Dockerfile we just created
    build: . 
    container_name: nextcloud-app
    restart: always
    expose:
      - 80 # We only expose port 80 internally
    depends_on:
      - nextcloud-aio-database
      - redis
    volumes:
      # Core application code (runs fast on SSD)
      - /opt/nextcloud/html_data:/var/www/html
      # Heavy user files (maps directly to 5 TB Storage Box)
      - /mnt/storagebox/nextcloud_data:/var/www/html/data
    environment:
      - POSTGRES_HOST=nextcloud-aio-database
      - POSTGRES_DB=nextcloud_database
      - POSTGRES_USER=nextcloud
      # Must match the password set in the db service above
      - POSTGRES_PASSWORD=YOUR_STRONG_DB_PASSWORD
      - REDIS_HOST=redis

3. Build and Start

Tell Docker to build the custom image (installing ffmpeg) and spin up all three containers.

docker compose up -d --build

(This will take a few minutes as it downloads and installs software).

Step 6: Configuring the Proxy in Nginx Proxy Manager

Now we go to the web browser to route traffic to the container we just started on the backend.

Open your browser. Go to your server IP on port 81 (e.g., http://<YOUR_SERVER_IP>:81).
Log in with the default credentials:

Email: admin@example.com
Password: changeme

Immediately update your email address, name, and password when prompted.
In the dashboard, click on Hosts -> Proxy Hosts.
Click the orange Add Proxy Host button.

Details Tab Configuration

Domain Names: cloud.example.com (Type your exact domain and press Enter).
Scheme: http
Forward Hostname / IP: <YOUR_SERVER_IP> (Use your VPS IP).
Forward Port: 80 (This is the internal port Nextcloud is listening on).
Check Block Common Exploits.
Check Websockets Support.

SSL Tab Configuration

Click the SSL tab.
Change SSL Certificate from 'None' to Request a new SSL Certificate.
Check Force SSL.
Type your email address.
Check I agree to the Let's Encrypt Terms of Service.
Click the orange Save button.

Nginx Proxy Manager will now automatically generate a free, valid SSL certificate for you.

Step 7: Finalizing Nextcloud Setup

We are almost done. The application is running and accessible via HTTPS.

The First-Run Wizard

Open your domain in your browser: https://cloud.example.com.
You will see the Nextcloud setup wizard.
Create an Admin Account (Choose a strong username and password).
Verify the database details match what we wrote in the compose.yaml (Database Host will be nextcloud-aio-database).
Click Install.

Security Optimization (Trusted Domains)

Nextcloud will currently show an error because it is accessed via a domain but expects an IP. We must edit the server's configuration file.

1. Go back to your terminal on the Hetzner server.

nano /opt/nextcloud/html_data/config/config.php

2. Look for the trusted_domains section. Add your domain to the list so it looks like this:

  'trusted_domains' => 
  array (
    0 => '<YOUR_SERVER_IP>', # Your IP
    1 => 'cloud.example.com', # Your new Domain
  ),

(Press Ctrl+O, Enter, then Ctrl+X to save and exit).

Performance Tuning (Switching to System Cron)

Nextcloud runs maintenance tasks in the background. By default, it uses a slow method called "AJAX". We need to switch this to the server's system clock for a much faster experience.

In your Nextcloud web dashboard, click your profile picture (top right) -> Administration settings.
Click Basic settings in the left menu.
Under Background jobs, select Cron.
Go back to your Hetzner terminal. We will add a job to the server's scheduler.

crontab -e

5. Add this exact line to the very bottom of the file. This tells the server to trigger Nextcloud maintenance every 5 minutes invisibly in the background.

*/5 * * * * docker exec -u www-data nextcloud-app php -f /var/www/html/cron.php

Save and exit the file.

Video Thumbnails Generation

Finally, because we have massive media folders, we want to pre-generate thumbnails at night, so students do not have to wait for them to load.

In your Nextcloud web dashboard, go to the Apps section.
Search for Preview Generator. Click Download and enable.
Go back to your Hetzner terminal and edit your crontab again.

crontab -e

4. Add this second line below the first one we added:

*/10 * * * * docker exec -u www-data nextcloud-app php occ preview:pre-generate

(Now, every 10 minutes, the server will quietly generate new video and image thumbnails without slowing down the web interface).

Step 8: Creating the Network Firewall

This is the most crucial final step. Docker has a massive security limitation. If you install a firewall software directly on the server (like ufw), Docker completely ignores it. Ports you think are blocked remain open to the public internet.

The only safe solution is to use Hetzner’s Cloud Firewall. It sits completely outside the server.

Log in to the Hetzner Cloud Console (console.hetzner.cloud).
Click Firewalls on the left menu.
Click the red Create Firewall button.
Give it a name (e.g., Nextcloud-Firewall).
Set the Inbound rules exactly as follows. Do not deviate from this list.

Rule	Protocol	Port	Source IPs	Purpose
1	TCP	`22`	Any IPv4, Any IPv6	Allows SSH Access (Do not forget this or you will be locked out!)
2	TCP	`80`	Any IPv4, Any IPv6	Allows standard web traffic for Let's Encrypt validation.
3	TCP	`443`	Any IPv4, Any IPv6	Allows secure HTTPS traffic for users.
4	TCP	`81`	Any IPv4, Any IPv6	Allows you to access the Nginx Proxy Manager dashboard.

(Crucially, notice that PostgreSQL port 5432 is blocked and Redis port 6379 is blocked. By leaving them off this list, the public internet cannot access them, keep your database secure).

In the Apply to section at the bottom, select your server (nextcloud-prod).
Click the red Create Firewall button.

Conclusion

Your Nextcloud instance is now fully secured, hyper-optimized, and backed by 5 TB of capacity.

At Sharp Digital, we pride ourselves on building solutions that are both technically robust and cost-effective. This architecture gives our client an incredibly fast web interface (because the code is on an SSD and cached by Redis) and massive storage capacity (because the heavy files sit on the Storage Box), all while costing a fraction of public cloud storage fees.

If you are a business looking to implement a private cloud solution but want professional implementation, contact us today. We build solutions that allow you to own your data.

Ready to Own Your Data?

Stop paying monthly fees for limited cloud storage. Let us help you set up a secure, private, and high-performance cloud solution for your business.