Nextcloud: technical details

For admins and IT. Instance architecture, APIs, logs, backups, and integrations. Product overviews live on separate subpages.

Architecture

  • Nextcloud Hub (current stable branch), PHP-FPM, MariaDB/PostgreSQL, Redis (file locking, cache).
  • File storage on NVMe in the EU. Optional S3 compatible primary or secondary object store.
  • Horizontal scaling per project (more workers, separate preview/thumbnail workers).
  • Production instance separated from backup snapshot storage.

Network and encryption

  • TLS 1.2+ (1.3 recommended), HSTS, modern cipher suites.
  • Server-side encryption (SSE) on storage per configuration.
  • Optional client-side encryption (E2EE) for selected folders via supported apps.
  • Brute-force protection, rate limiting on login and API.
  • 2FA: TOTP, backup codes, WebAuthn/U2F. Password policies and session lifetime in admin.

Admin console

Your admins get full access to the Nextcloud administration on your instance.

  • Users, groups, quotas, apps, sharing, external mounts.
  • Flow, webhooks, audit log, 2FA and password settings.
  • Login branding, maintenance mode, preview configuration.
  • occ CLI and server shell per agreement (usually Enterprise).

We run OS ops, DB backups, and updates. You govern in-app content and policies.

Identity and federation

  • Local accounts or LDAP/Active Directory (group mapping).
  • SAML/OIDC for SSO (Azure AD, Google Workspace, Keycloak per project).
  • App passwords and OAuth2 tokens for clients and scripts (granular revoke).
  • Group folders: folder-level ACL, inherited team permissions.

Backup and recovery (technical)

Business context and ransomware: backup and protection.

  • Filesystem snapshot + database dump (frequency and retention per plan).
  • Backups stored off production volume, separate access accounts.
  • Restore: full instance, tenant, or single file via versions (occ versions) and admin restore.
  • Documented RPO/RTO in contract for Enterprise. Recovery tests on request.
  • File versions and trash: configurable retention (admin limits).

APIs and protocols

  • WebDAV: /remote.php/dav/files/{user}/ for drive mapping and sync clients.
  • OCS/REST: /ocs/v2.php/ for users, sharing, capabilities.
  • Provisioning API: automatic accounts from HR/IdM (per project).
  • CalDAV/CardDAV: /remote.php/dav/ for calendar and contacts.
  • External storage: S3, SMB, SFTP mounts via admin or user external storage (quotas in reports).

Workflow and events (technical)

Process examples: automation.

  • Workflow Engine (Flow): File entity; operations: tag, move, convert, notify, limit access.
  • Webhook listeners (OCS): register URLs for events, filters by user/table.
  • Background jobs (cron/systemd): occ background:cron, queue for index, preview, Flow.
  • External orchestration via signed webhooks and idempotent endpoints.

Search (technical)

For users: search.

  • Unified search + Full text search app.
  • Indexing: occ fulltextsearch:index, cron for incremental rebuild.
  • Optional Elasticsearch/OpenSearch backend at scale (cluster in EU).
  • OCR pipeline for PDF/scans when preview provider is enabled.

AI (technical)

Product overview: AI integration. Stack: AI and LLM.

  • Nextcloud Assistant / context chat: LLM via internal gateway (not public US APIs).
  • Context search: embedding index in controlled environment.
  • AppAPI / exapps per version and agreement.
  • Audit of prompts and document access by group.

Logs, audit, monitoring

  • Audit log (files, sharing, login, admin changes).
  • Export to syslog or SIEM (JSON/CEF per integration).
  • Monitoring: HTTP availability, disk, DB, queue lag, cert expiry.
  • Alerts on anomalies (mass delete, failed logins).
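
An added example, not part of the original page or the provider's tooling: the two anomaly rules named above (failed logins, mass delete) as a sliding-window check over JSON audit lines on the SIEM side. The field names (time, remoteAddr, user, message), message substrings, thresholds, and sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# rule name -> (message substring, field to group by, events needed inside WINDOW)
# Substrings and thresholds are assumptions; match them to your own export.
RULES = {
    "failed_login": ("Login failed", "remoteAddr", 3),
    "mass_delete": ("File deleted", "user", 4),
}
WINDOW = timedelta(seconds=60)

def ev_line(hms, addr, user, msg):
    """Build one constructed JSON audit line (sample data, not real output)."""
    return json.dumps({"time": f"2024-05-01T{hms}+00:00", "remoteAddr": addr,
                       "user": user, "message": msg})

SAMPLE = (
    [ev_line(f"10:00:0{s}", "203.0.113.7", "--", 'Login failed: "alice"') for s in (1, 5, 9)]
    + [ev_line(f"10:00:2{s}", "198.51.100.4", "bob", f'File deleted: "/docs/{s}.txt"') for s in range(4)]
    + [ev_line("10:00:30", "198.51.100.9", "carol", 'File deleted: "/tmp/a.txt"'), "not json"]
)

def detect(lines, rules=RULES, window=WINDOW):
    """Return sorted (rule, key) pairs that hit their threshold within the window.
    Lines are assumed to arrive in time order, as in a tailed log."""
    recent = defaultdict(deque)  # (rule, key) -> timestamps still inside the window
    alerts = set()
    for line in lines:
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["time"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or non-audit line: skip, never crash the pipeline
        for name, (needle, field, threshold) in rules.items():
            if needle not in str(ev.get("message", "")):
                continue
            key = str(ev.get(field, "?"))
            q = recent[(name, key)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()  # drop events that fell out of the window
            if len(q) >= threshold:
                alerts.add((name, key))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Failed logins are grouped by source address and deletes by user, so one user deleting a single file (carol in the sample) stays below the threshold.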

Operations and updates

  • Planned Nextcloud updates and security patches after staging test (Enterprise).
  • occ maintenance:mode during critical work.
  • Staging instance to validate apps before production (per plan).
  • GDPR: data in EU, DPA with customer, subprocessors in contract.

Full Business Cloud (Rocket.Chat, hosting): general technical page.