April 26, 2026
The pitch sounds familiar by now: ditch Google Workspace, host your own files, run your own video calls, edit documents in your own browser, and keep every byte under your roof. The reality of self-hosting that stack has historically been brutal — five separate services, four reverse proxy configs, three TURN server tutorials gone stale, and one weekend lost. Nextcloud AIO is the project that finally compresses that mess into something a small team or a serious individual can actually run.
Nextcloud All-in-One (AIO) is the official Docker-based deployment method maintained by Nextcloud GmbH. It bundles Nextcloud Hub — the file sync, document editor, chat, calendar, mail, and project management platform — into a single mastercontainer that orchestrates every dependency. The platform powers over 500,000 servers worldwide, and AIO is how most new self-hosters now get there. This article covers what AIO actually replaces in the Google Workspace stack, how it installs and operates, the container architecture, the ports and commands you need, and the pain points that aren’t in the marketing copy.
What AIO Actually Replaces
A typical Google Workspace tenant gives you Gmail, Drive, Docs/Sheets/Slides, Meet, Calendar, Chat, and Keep, glued together by SSO and a unified search bar. AIO gets you closer to feature parity than any other self-hosted option in 2026, because it ships those components as official, version-locked, pre-integrated containers rather than asking you to wire them yourself.
Files and sync replace Drive directly. Nextcloud Files handles desktop and mobile sync clients, public links, federated sharing across servers, and — as of Hub 26 Winter — browser-based end-to-end encryption with permission management and encrypted file drops. Nextcloud Office, powered by a bundled Collabora Online container, edits .docx, .xlsx, and .pptx files in real time with multiple cursors, replacing Docs, Sheets, and Slides. Nextcloud Talk with its high-performance backend handles chat, audio, and video calls, replacing Meet and Chat; Hub 26 Winter added scheduled messages, pinned messages, real-time translations, auto-gain, echo cancellation, noise suppression, and live transcription. Calendar, Contacts, Mail, Deck (Trello-style boards), Tables (Airtable-style), and Notes round out the suite. Federation — the ability for users on different servers to share with each other — extends to Calendar, Deck, and Teams in the current release, which is the closest thing the self-hosted world has to cross-tenant collaboration.
The gaps worth naming up front: there’s no Gmail-grade spam filtering out of the box (Mail is an IMAP client, not a mail server), no equivalent of Looker Studio, and the mobile experience — while functional — does not match Google’s polish. AI features exist via Nextcloud Assistant, but you supply the model.
How AIO Differs from Hand-Rolled Nextcloud
People who’ve run Nextcloud the old way — a Snap package, a manual LAMP install, or a docker-compose.yml they wrote themselves — sometimes treat AIO with suspicion. The skepticism made sense in 2022. It doesn’t now.
The architectural difference is the mastercontainer. AIO ships a single Docker container, nextcloud/all-in-one, that talks to your host’s Docker socket and orchestrates every other component as a child container. You don’t manage a docker-compose.yml with seven services; you run one container, open a web UI on port 8080, and click checkboxes for what you want enabled. The mastercontainer handles version compatibility between the database, Redis, the PHP app server, the high-performance backend, and the optional services. All apps are pre-integrated and tested, including Files, Talk, Office, backup tools, and the High Performance Backend, and additional server-side components can be enabled with one click without touching configuration files manually.
The tradeoff is rigidity. AIO assumes its own opinionated layout. Want a custom PHP extension not in the upstream image? You’re patching a derivative. Want to swap PostgreSQL for MariaDB? You’re not running AIO anymore. Want fine-grained control over php-fpm pool tuning beyond the exposed environment variables? Limited. AIO is Nextcloud’s answer to “I want it to just work,” not “I want to engineer it.”
For the audience this article is for — small teams, families, prosumers, professionals who want sovereignty without becoming a part-time sysadmin — that tradeoff is the entire point.
Installation: Step-by-Step on a Linux Host
The official Linux install is one Docker command, but the work around it — DNS, firewall, prerequisites, post-install configuration — is what determines whether the deployment is actually usable. Here’s the full sequence.
Prerequisites
Before you touch the Docker command, get these in place.
A Linux host with at least 4 GB RAM (8 GB recommended, 16 GB if you’re enabling Talk recording, ClamAV, and Fulltextsearch together). Ubuntu 22.04 or 24.04 LTS, Debian 12, and Fedora Server are the best-tested. Snap-based Docker is not supported — the Nextcloud documentation calls this out specifically because it breaks the Docker socket mount. If you’re on Ubuntu, install Docker from Docker’s own apt repository, not the Snap store.
A domain name pointing to your server’s public IP via an A record (and AAAA if you have IPv6). AIO can run on a LAN-only IP for testing, but the automatic Let’s Encrypt flow needs a real domain. Subdomains such as cloud.yourdomain.com work fine.
Open ports on your firewall and router: 443/TCP for the public web interface, 80/TCP and 8443/TCP for the Let’s Encrypt domain validation flow, and 3478/TCP plus 3478/UDP for Talk’s TURN server. Port 8080/TCP should remain open only on your local network — that’s the AIO admin UI and it must not be exposed publicly.
Docker Engine installed via the official convenience script or apt repository. Verify with docker --version and docker compose version before continuing.
Step 1 — Install Docker
On a fresh Ubuntu or Debian host, the official convenience script is the fastest path.
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo systemctl enable --now docker
sudo docker --version
Step 2 — Point Your Domain at the Server
Create an A record at your DNS provider for cloud.yourdomain.com (or whatever subdomain you prefer) pointing to your server’s public IPv4 address. If you have IPv6, add an AAAA record. Wait for propagation — dig cloud.yourdomain.com from another machine should return your server’s IP before you continue. This usually takes minutes; some registrars take longer.
If your server sits behind a home router, configure port forwarding for 80, 443, 3478/TCP, and 3478/UDP to your server’s LAN IP now. The Let’s Encrypt validation in Step 4 will fail otherwise.
Step 3 — Run the Mastercontainer
This is the single command that bootstraps everything.
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest
The --sig-proxy=false flag prevents Ctrl-C from killing the container if you started it interactively. The :ro on the Docker socket mount is correct — AIO only needs read access plus a separate Docker socket proxy for write operations, which it spawns itself.
Step 4 — Initial Configuration via the AIO Interface
Open https://your-server-ip:8080 in a browser. You’ll get a self-signed certificate warning — accept it. You’re on a private LAN port, not a public-facing URL.
The first screen displays a generated passphrase. Copy it into a password manager immediately — this is the only credential that lets you back into the AIO admin UI, and it cannot be recovered. Then log in with it.
The next screen asks for your domain. Enter the FQDN you set up in Step 2 (e.g. cloud.yourdomain.com). AIO performs a domain validation check — it makes an outbound request to confirm DNS resolves to your server, and that ports 80 and 8443 are reachable from the public internet. If the check fails, the most common causes are: DNS hasn’t propagated yet, a firewall is blocking inbound 80/8443, or a CDN like Cloudflare is proxying with the orange cloud enabled (turn it off for initial setup, re-enable later if needed).
After domain validation, you’re presented with the optional containers menu. For a Workspace replacement, check Office, Talk, Talk recording, Imaginary, Fulltextsearch, Whiteboard, and BorgBackup. Skip ClamAV unless you have compliance requirements. You can change these later.
Click Download and start containers. AIO pulls every image (this takes 5–15 minutes on a residential connection) and brings up the stack. Watch for any container that fails to come up — the AIO interface shows logs for each one directly.
Step 5 — First Login and Admin Hardening
Once containers are running, the AIO interface shows the initial Nextcloud admin password. Copy it, then click the link to your Nextcloud instance at https://cloud.yourdomain.com. Log in as admin with that password.
Immediately do four things. Change the admin password to something only you know — the AIO-generated one was for bootstrapping. Create a separate non-admin user account for your daily use; running as admin for normal work is the same mistake as using root on Linux. Set the default phone region in the Administration → Basic settings panel, otherwise the security warnings panel will nag you forever. Configure your mail server (SMTP) under Administration → Basic settings so password resets and share notifications can actually send email.
Step 6 — Configure Backups
This is the step people skip and regret. In the AIO admin UI on port 8080, set a backup location. A local path on a separate drive is fine; an SSH-accessible remote Borg repository is better. Generate the Borg encryption passphrase AIO offers and store it in your password manager next to the AIO passphrase from Step 4. Both passphrases together are what let you restore an instance from scratch — losing either makes the backup useless.
Enable daily automatic backups. Set them for a time when the server is idle (most people pick 03:00–05:00 local). Verify the first backup completes successfully before walking away.
Step 7 — Talk and Office Sanity Check
Two services are most likely to break in subtle ways: Talk and Office. Test both before you call the install done.
For Talk, open the Talk app in Nextcloud, create a test conversation, and start a video call from two different networks (your phone on cellular works for the second device). If the call connects but you see no video, your TURN server isn’t reachable — check that 3478/TCP and 3478/UDP are forwarded to your server.
For Office, create a new .docx from the Files app and try to edit it. If you get a “Failed to load Nextcloud Office” error, the WOPI allowlist needs adjustment — this is the single most common AIO support thread on the Nextcloud forums. The fix lives in Administration → Office, where you may need to add your server’s public or proxy-facing IP to the allowlist.
If both work, you have a functioning self-hosted Workspace replacement. Install the Nextcloud desktop sync client and the mobile app, point them at your domain, and start moving in.
Container Architecture and Ports
Knowing what’s running and on which port matters the moment you front AIO with an existing reverse proxy or open it through a firewall. The mastercontainer spawns a private Docker network — nextcloud-aio — and maps only the ports that need to face the host.
The set of ports that matters for firewalls and reverse proxies is small. Inbound 443 is your public web entry. Inbound 3478/TCP and 3478/UDP are for Talk’s TURN server: if Talk is enabled they must be opened in the firewall or router, and without them video calls between users on different NATs will fail. The AIO admin UI on 8080 is intentionally served over HTTPS with a self-signed certificate and should not be exposed publicly.
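The docker run command in Step 3 publishes 8080 without a bind address, so the admin UI listens on every host interface and only the firewall keeps it off the internet. The following added example (not part of the original article or of the AIO project) audits `docker port <container>` output against the port policy stated in this article; the sample outputs and the LAN address 192.168.1.10 are constructed placeholders.

```python
import ipaddress
import re

# Port policy as stated in the article (host port, protocol).
PUBLIC_OK = {(80, "tcp"), (443, "tcp"), (8443, "tcp"), (3478, "tcp"), (3478, "udp")}
LAN_ONLY = {(8080, "tcp")}  # AIO admin UI

# One line of `docker port <container>`, e.g. "8080/tcp -> 0.0.0.0:8080".
LINE_RE = re.compile(r"^\d+/(tcp|udp) -> (.+):(\d+)$")


def audit_port_bindings(docker_port_output):
    """Return (severity, host_port, proto, bind_addr, reason) for risky bindings."""
    findings = []
    for line in docker_port_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a port-mapping line
        proto, bind, host_port = m.group(1), m.group(2).strip("[]"), int(m.group(3))
        try:
            addr = ipaddress.ip_address(bind)
        except ValueError:
            continue  # bind address is not an IP literal
        # 0.0.0.0 / :: listen on every interface; a global address is public by itself.
        if not (addr.is_unspecified or addr.is_global):
            continue
        if (host_port, proto) in LAN_ONLY:
            findings.append(("HIGH", host_port, proto, bind,
                             "admin UI listens on all interfaces; only a firewall keeps it private"))
        elif (host_port, proto) not in PUBLIC_OK:
            findings.append(("REVIEW", host_port, proto, bind,
                             "published port is not in the article's list"))
    return findings


# Constructed sample: what the article's docker run command publishes.
SAMPLE_DEFAULT = """\
80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80
8080/tcp -> 0.0.0.0:8080
8080/tcp -> [::]:8080
8443/tcp -> 0.0.0.0:8443
8443/tcp -> [::]:8443
"""

# Constructed sample: 8080 published on a LAN address (192.168.1.10 is a placeholder).
SAMPLE_PINNED = """\
80/tcp -> 0.0.0.0:80
8080/tcp -> 192.168.1.10:8080
8443/tcp -> 0.0.0.0:8443
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("pinned", SAMPLE_PINNED)):
        print(label, audit_port_bindings(sample))
```

The second sample models Docker's bind-address form of the flag, `--publish 192.168.1.10:8080:8080`, which restricts the listener itself instead of relying on a firewall rule in front of it.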
If you already run a reverse proxy — Nginx Proxy Manager, Caddy, Traefik — AIO can sit behind it, but you have to follow its specific reverse-proxy documentation; the APACHE_PORT environment variable on the mastercontainer becomes how the outer proxy talks to the inner Apache.
Daily Operation: Backups, Updates, and the Borg Layer
The single best argument for AIO over hand-rolled Nextcloud is its update story. Hand-rolled installs require you to track Nextcloud server versions, the specific PHP version each major release supports, the matching Collabora release, the matching HPB release, and the database compatibility window. Get the order wrong and you brick the instance.
AIO does it from one button. The mastercontainer takes a Borg snapshot, pulls the new versions of every child container, runs migrations, and brings the stack back up. Daily backups can be enabled from the AIO interface, which also allows updating all containers, Nextcloud, and its apps afterwards automatically. Instance restore from a backup archive is included via the AIO interface — only the archive and the password are needed to restore the whole instance on a new AIO instance. That last sentence is the reason serious people use AIO: disaster recovery becomes “spin up a new VPS, install Docker, run the bootstrap command, paste the Borg passphrase.” The first time you do it intentionally, the appeal becomes obvious.
The Borg integration also handles host paths and external Docker volumes, so you can fold backups of unrelated services into the same encrypted repository. Off-site backup to a remote Borg repository — Hetzner Storage Box, BorgBase, your own SSH-accessible server — is configurable from the same UI without dropping into a shell.
The Pain Points Nobody Mentions in the Marketing
Three problems will hit you, and pretending otherwise wastes your time.
Reverse proxy edge cases — especially WOPI. Collabora communicates with the Nextcloud PHP backend through the WOPI protocol, and the WOPI allowlist is a recurring source of broken Office editing. Users on the Nextcloud forums repeatedly find that opening an Office document produces a WOPI error stating the request was denied because it does not match the configured ranges. The fix usually involves widening the allowlist or fixing the proxy headers, but the official debug discussion is long and the failure modes are not always intuitive. If you front AIO with Cloudflare proxying, expect to spend an evening on this.
Resource appetite. A full AIO stack with Office, Talk, Imaginary, Fulltextsearch, ClamAV, and Whiteboard enabled wants 8 GB of RAM minimum to feel responsive for a small team, and 16 GB to feel comfortable. The “free” 100-user threshold from Nextcloud’s own enterprise tier is real but optimistic at the lower end of hardware. The default configuration allocates a maximum of 512 MB RAM per PHP process, and that scales linearly with concurrent users.
Less flexibility than raw Docker Compose. You cannot drop a custom Nginx config in. You cannot swap the database engine. You cannot run a different version of Collabora than the one AIO ships. If your team needs that, AIO is wrong for you and you should run the regular Docker images directly.
A fourth, smaller annoyance: AIO has had genuine release-train wobbles. Nextcloud had to stop the rollout of versions 32.0.7 and 33.0.1 due to a regression in the sharing sidebar, recommending users update to 32.0.8 or 33.0.2 respectively. The auto-update mechanism is good but not infallible — keeping an eye on the Nextcloud blog before clicking “update” is still wise.
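For the WOPI denial described above, where a request "does not match the configured ranges", this added example (not Nextcloud's or Collabora's code) checks a source address against an allowlist and proposes the narrowest entry to add, so the fix does not become a catch-all range. The comma-separated allowlist format and every address below are assumptions constructed for illustration.

```python
import ipaddress


def parse_allowlist(value):
    """Parse a comma-separated list of IPs / CIDR ranges into network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def check_source(addr, allowlist):
    """Report whether addr matches the allowlist and, if not, the narrowest entry to add."""
    ip = ipaddress.ip_address(addr.strip())
    matches = [n for n in allowlist if n.version == ip.version and ip in n]
    if matches:
        best = max(matches, key=lambda n: n.prefixlen)  # most specific range wins
        return {"addr": str(ip), "allowed": True, "matched": str(best), "add": None}
    # Suggest a single-host entry (/32 or /128) instead of a wider range.
    return {"addr": str(ip), "allowed": False, "matched": None,
            "add": f"{ip}/{ip.max_prefixlen}"}


def catch_all_entries(allowlist):
    """Entries with prefix length 0 match every address and disable the check."""
    return [str(n) for n in allowlist if n.prefixlen == 0]


# Constructed values: documentation address ranges, not taken from a real instance.
ALLOWLIST = "203.0.113.10, 172.18.0.0/16, 2001:db8:1::/48"
SOURCES = ["172.18.0.7", "203.0.113.10", "198.51.100.23", "2001:db8:2::5"]

if __name__ == "__main__":
    nets = parse_allowlist(ALLOWLIST)
    for src in SOURCES:
        print(check_source(src, nets))
    print("catch-all entries:", catch_all_entries(parse_allowlist("0.0.0.0/0, 10.0.0.0/8")))
```

Feed it the address quoted in the error message: if the denied address is your reverse proxy or CDN edge rather than the Collabora container, the proxy headers are the thing to fix, not the allowlist.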
FAQ
Can I migrate an existing Nextcloud install to AIO? Yes. The official documentation covers migration from any prior installation, and the reverse — AIO back to a VM-based install — is also possible. Plan for several hours of database export, file transfer, and validation; this is not a click.
Is AIO suitable for production with paying users? For under 100 users, yes, including small businesses. Nextcloud recommends Nextcloud Enterprise for All-in-One deployments at larger installations of 100 users or more, which adds a support SLA, direct access to the engineering team, and security information. Above ~100 active users, plan for either Enterprise support or a hand-tuned non-AIO architecture.
Does it work behind Cloudflare? Yes, but you need to disable Cloudflare’s proxy for the WebDAV and WOPI paths, or accept that some uploads and Office sessions will hit Cloudflare’s body-size and timeout limits. A Cloudflare Tunnel is often cleaner than the orange-cloud proxy.
Can I run only some of the containers? Yes — most are optional. The minimum useful deployment is the mastercontainer plus the Apache, Nextcloud, database, and Redis containers, which AIO bundles as the non-optional core. Office, Talk, Whiteboard, Fulltextsearch, ClamAV, Imaginary, and the recording server can each be toggled.
The Verdict
Self-hosting was supposed to be the answer to surveillance capitalism, and for a decade it failed because the gap between “I want my own files” and “I have a working video-conferencing-plus-office-suite-plus-file-sync stack” was a wall of YAML. AIO is the project that knocked that wall down for the people who weren’t going to climb it.
It is not a Google Workspace clone. Gmail-grade mail isn’t there, the polish gap on mobile is real, and large deployments still need Nextcloud Enterprise. But for a household, a small business, a freelance practice, or a privacy-serious individual, the calculus has changed. One Docker command, a domain name, a few firewall rules, and an evening — that’s the cost of the alternative now. The ongoing tax is one click per month for updates and a Borg passphrase you do not lose.
If you’ve been waiting for self-hosting to mature past the hobbyist phase, it has. The remaining question is whether you want to own your data badly enough to spend the evening.






