• A fully working Nextcloud server on Ubuntu 24.04 inside a Proxmox LXC container
• Complete setup: Apache + MariaDB + PHP (no Docker)
• Proper permissions, security, performance tweaks
• Ready for SSL, backups, and external storage

Step 1: Create the LXC Container in Proxmox

1. In Proxmox UI, click Create CT
2. Select Ubuntu 24.04 LTS as the template
3. Assign resources:
   • 2+ vCPU
   • 2+ GB RAM
   • 10+ GB disk
4. Enable nesting under the «Features» tab
5. Set hostname, password, static IP (or DHCP)

Optional: mount extra Proxmox storage (ZFS/NFS) for user files.

Step 2: Prepare the System (Inside Container)

apt update && apt upgrade -y
apt install sudo unzip ufw htop curl software-properties-common -y

You can add a non-root user and configure SSH if needed.

Step 3: Install Apache and Required PHP Packages

apt install apache2 -y
add-apt-repository ppa:ondrej/php -y && apt update
apt install php8.2 php8.2-{cli,common,gd,mysql,xml,mbstring,zip,curl,intl,bcmath,imagick} libapache2-mod-php8.2 -y

Enable important modules:

a2enmod rewrite headers env dir mime ssl
systemctl restart apache2

Step 4: Install and Configure MariaDB

apt install mariadb-server -y
mysql_secure_installation

Then configure the database:

CREATE DATABASE nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER 'ncuser'@'localhost' IDENTIFIED BY 'yourStrongPassword';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'ncuser'@'localhost';
FLUSH PRIVILEGES;

Step 5: Download and Deploy Nextcloud

cd /var/www/
wget https://download.nextcloud.com/server/releases/latest.zip
unzip latest.zip && rm latest.zip
chown -R www-data:www-data nextcloud
chmod -R 755 nextcloud

Step 6: Apache Virtual Host

nano /etc/apache2/sites-available/nextcloud.conf

Paste this config:

<VirtualHost *:80>
    ServerAdmin admin@yourdomain.com
    DocumentRoot /var/www/nextcloud
    ServerName cloud.yourdomain.com

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/nextcloud_error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud_access.log combined
</VirtualHost>

Then:

a2ensite nextcloud.conf
systemctl reload apache2

Step 7: (Optional) Set Up HTTPS with Let’s Encrypt

If DNS is set:

apt install certbot python3-certbot-apache -y
certbot --apache -d cloud.yourdomain.com

Step 8: Finalize via Web Interface

1. Visit http://<your_ip> or domain
2. Create admin account
3. Provide:
   • Database name: nextcloud
   • DB user: ncuser
   • Password: yourStrongPassword
4. Hit Install

Optional Enhancements

• Enable PHP OPcache, APCu, and Redis
• Configure external storage (SMB/NFS)
• Integrate with Collabora or OnlyOffice
• Set up automated backups (e.g., Borg, rsync)

Backup Snapshot Tip (Proxmox)

Before starting syncs/uploads, create a snapshot:

pct snapshot 101 "fresh-installed-nextcloud"

Summary

By following this guide, you’ve built a private cloud using modern tools without Docker or Snap. Your system is modular, lightweight, and easy to backup. Perfect for home labs, professionals, and privacy-focused users.

Сообщение Full Deployment of Nextcloud in a Proxmox LXC Container (No Docker) появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Introduction

DNS-over-TLS (DoT) encrypts DNS traffic, preventing third-party monitoring or tampering. OPNsense, a popular open-source firewall, supports DoT out of the box through the integrated Unbound DNS resolver. This guide walks you through setting up encrypted DNS using Unbound for improved security and privacy.

What is Unbound DNS?

Unbound is a modern, high-performance recursive DNS resolver developed by NLnet Labs. Within OPNsense, Unbound acts as the system’s default DNS engine. Instead of relying on third-party resolvers like Google or Cloudflare, Unbound performs full DNS resolution by querying root servers directly.

Core Capabilities of Unbound:

• Full support for DNSSEC to validate DNS integrity
• Local DNS overrides for internal hosts
• Native DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) support
• Per-client access controls
• Fast, efficient DNS caching

Why Use Unbound in OPNsense?

1. Enhanced Security

• Encrypted DNS queries using DoT help prevent eavesdropping and manipulation.
• DNSSEC ensures responses are verified at every step of resolution.
• Recursive resolution eliminates dependency on upstream DNS providers.

2. High Performance

• Lightweight and resource-efficient — ideal even for embedded systems.
• Local caching drastically reduces latency for repeated queries.
• Optimized for real-time performance, even under high load.

3. Advanced Control

• Full customization of DNS zones, blacklists, and redirects.
• Restrict access by IP, interface, or query type.
• Easily integrates with VLANs, aliases, and firewall policies.

4. Privacy Focused

• No DNS logs by default — ideal for privacy-conscious setups.
• Completely avoids third-party DNS services unless explicitly configured.

5. Seamless Integration with OPNsense

• Managed through a simple web UI
• Ties into DHCP static mappings
• Works harmoniously with other OPNsense services

Limitations to Consider

1. Cold Start Latency

Initial queries can be slower than cloud DNS providers, especially after reboots or cache clears, since Unbound must resolve each domain from scratch.

2. Manual Configuration Needed

Features like DoT, DNS blocklists, or custom rules often require deeper configuration. This can be challenging for beginners.

3. No Built-In Ad Blocking

Unbound doesn’t block ads out of the box. Users must manually configure and maintain DNS blocklists.

4. Minimal Logging & GUI

Unlike Pi-hole or AdGuard Home, Unbound lacks a rich dashboard or per-client query log. Power users may need additional tools to monitor DNS traffic.

Step-by-Step: Enabling DNS-over-TLS in OPNsense

Part 1: Configure DoT in Unbound

1. Go to Services → Unbound DNS → DNS over TLS in the OPNsense web GUI.
2. Click Add (+) to create a new DoT entry.
3. Enable the entry by ticking the Enabled checkbox.
4. Leave the Domain field blank to apply forwarding globally.
5. Specify the DNS server’s IP (e.g., 1.1.1.1).
6. Set the Port to 853 — the standard for DoT.
7. Enter the DNS server’s hostname (e.g., cloudflare-dns.com) under Verify CN to validate the TLS certificate.
8. Save the settings. Optionally, add a second (IPv6) DoT server.
9. Click Apply to activate changes.

Part 2: Update General and DHCP Settings

1. Go to System → Settings → General.
2. Remove any predefined DNS servers to ensure Unbound handles all DNS.
3. Uncheck the option to allow DNS overrides from DHCP/PPP.
4. Save changes.
5. Navigate to Services → DHCPv4 → LAN.
6. Clear the DNS server fields to inherit the default Unbound configuration.
7. Save and restart DHCP if prompted.

Conclusion

Unbound DNS with DNS-over-TLS in OPNsense delivers strong privacy and control without reliance on third-party DNS services. While setup requires a bit more effort than using external resolvers, the result is a secure, self-reliant DNS infrastructure — ideal for privacy-focused users and advanced network environments.

Сообщение How to Secure DNS with DNS-over-TLS in OPNsense Using Unbound появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.