Zero limits. One command. Infinite scale.
The simplest way to deploy a production‑grade
Nextcloud High Availability infrastructure
curl -fsSL https://raw.githubusercontent.com/oboeglen/Azure-NXT-Maxscale/main/deploy.sh \
-o /tmp/deploy.sh && sudo bash /tmp/deploy.shDocker Compose deploys containers. NXT Maxscale deploys a complete, secure, Nextcloud high availability infrastructure.
Wiring HAProxy, Galera, Redis Cluster, RustFS, Collabora and TLS manually takes weeks of configuration, network debugging, and documentation reading.
deploy.sh orchestrates everything — Docker installation, inter-service configuration, SSL certificates and healthchecks — with zero manual intervention.
Correctly configuring the Galera quorum, Redis Cluster slot distribution, and RustFS erasure coding requires advanced infrastructure expertise and weeks of testing.
Automatic failover in less than 10 seconds. A node goes down? HAProxy redistributes, Galera autoheal recovers, RustFS continues — no intervention needed.
TLS 1.3, HSTS 2-year preload, extended CSP, and WAF filtering are not part of a standard Docker Compose installation — each layer requires configuration and testing.
Every security layer is pre-configured and tested. Certbot renews certificates every 12 hours. Zero manual tuning required.
A single entry point. No SPOF on the base infrastructure*. Automatic failover < 10 seconds.
flowchart TD
Internet(["Internet"]) -->|"HTTP 80 / HTTPS 443"| HAProxy
Internet -->|"UDP+TCP 3478"| coturn["coturn\nTURN/STUN · host network"]
HAProxy["HAProxy\nSSL · Load Balancer · Stats"]
HAProxy -->|"/push"| npush["notify-push\nClient Push · WebSocket"]
HAProxy --> nginx["nginx-next-01..N\nStatic files · FastCGI"]
HAProxy --> collab["collabora-node1..N\nCollabora CODE · WOPI"]
HAProxy --> wb["whiteboard-node1..N\nWhiteboard · WebSocket"]
HAProxy -->|"wss://"| sig["spreed-signaling-01..N\nTalk HA · WebSocket"]
nginx --> fpm["app-next-01..N\nNextcloud PHP-FPM 8.4"]
fpm --> galera[("MariaDB Galera\nOdd-number nodes")]
fpm --> redis["Redis Cluster\nMasters / Replicas"]
fpm --> rustfs[("RustFS S3\nErasure coding")]
wb --> redis_wb["redis-whiteboard\nStreams"]
sig --> grpc["gRPC :9090\ntalk-net · cross-node relay"]
grpc --> sig
sig <-->|"pub/sub"| nats["NATS-01..N\nMessage broker · talk-net · cluster"]
npush --> redis
npush --> galera
All user files reside in RustFS S3 — a node failure is transparent to users · redis-whiteboard is isolated from the shared Redis cluster because Whiteboard uses Redis Streams for real-time synchronization, a mode incompatible with Nextcloud's session/cache/lock usage
* COTURN is an optional container (STUN fallback) and runs as a single node. As Talk HA is optional, this has no impact on the base Nextcloud infrastructure.
* Coturn, spreed-signaling and NATS are optional — enable Talk HA backend support during deployment to activate them.
* Performance results depend on the infrastructure configuration used during benchmarks. They also vary depending on your company's internet connection and the hardware chosen (disks, processor).
Nextcloud interface deployed with NXT Maxscale — custom theme and integrated branding.
The branding shown is provided as an example. Logo, colors, and instance name are fully customizable at any time from the Nextcloud administration interface, to match your organization's visual identity.
| Endpoint | VUs | Throughput | P95 | P99 | Err. |
|---|---|---|---|---|---|
| /status.php | 20 | 120 req/s | 365 ms | 388 ms | 0/200 |
| /login | 20 | 44 req/s | 697 ms | 862 ms | 0/200 |
| /status.php | 100 | 247 req/s | 365 ms | 375 ms | 0/500 |
| Max stress | 150 | 231 req/s | 959 ms | 1,059 ms | 0/600 |
| Scenario | avg | p(95) | SLA | |
|---|---|---|---|---|
| Browser sessions | 74 ms | 155 ms | < 4 s | ✓ |
| WebDAV sync | 862 ms | 1,980 ms | < 3 s | ✓ |
| Collabora WOPI | 959 ms | 2,160 ms | < 5 s | ✓ |
| Whiteboard | 904 ms | 2,060 ms | < 5 s | ✓ |
k6 v0.55 · 34 VUs · 3,911 requests · 0 HTTP 5xx errors · 38 timeouts (0.97%)
| Profile | FPM | DB Galera | Redis | CPU | RAM | Users |
|---|---|---|---|---|---|---|
| 🧪 Test / dev | 1–2 | 1 | 0 (APCu) | 4 cores | 8–16 GB | < 100 |
| 🏢 Small team | 3 | 3 | 6 | 8 cores | 22–28 GB | ~1,450 |
| 🏭 SME ★ | 6 | 5 | 6 | 12 cores | 32–40 GB | ~2,450 |
| 🏦 Enterprise | 9–12 | 5–7 | 6–8 | 16–24 cores | 48–64 GB | 3,000–3,600 |
| 🏙️ Large organization | 15–20 | 7 | 8 | 32+ cores | 64–80 GB | +4,000 |
Re-running deploy.sh on an existing infrastructure displays a menu: quick update, add / remove nodes, or full redeployment. Docker volumes remain intact, .env is preserved.
| Service | Scale-up | Scale-down | Notes |
|---|---|---|---|
| Nextcloud FPM + nginx | ✓ | ✓ | FPM / nginx pairs added or removed together |
| MariaDB Galera | ✓ | ✓ | Odd number required · automatic SST on add |
| Redis Cluster | ✓ | ✓ | Even delta required · automatic cluster integration |
| Collabora CODE | ✓ | ✓ | Binary patch reapplied on new nodes |
| Whiteboard | ✓ | ✓ | — |
| Talk HA (spreed-signaling) | ✓ | ✓ | gRPC :9090 cross-node relay · coturn optional (STUN fallback) |
| RustFS | ⚠️ | ✗ | Scale-up/down not supported in beta · full redeploy required |
⚠ Scale-up and scale-down functions for RustFS will be available once RustFS releases a stable version with production-ready features fully implemented.
| Constraint | Detail |
|---|---|
| Redis — even delta | Each batch = 1 master + 1 replica |
| Redis — minimum 6 | 3 masters + 3 replicas required |
| Galera — odd number | Quorum required for election |
| RustFS — scale-up | Not supported in beta (v1.0.0-beta.6) · full redeploy required |
| RustFS — scale-down | Not supported · full redeploy required |
| Passwords | Never regenerated during scaling · .env preserved |
| File | Contents | |
|---|---|---|
.env | Passwords, RustFS paths, modes | ✓ |
.rustfs-pools | RustFS pool history | ✓ |
/tmp/.nxt-maxscale-config.env | Cached deploy.sh responses | ✗ |
If the /tmp/ cache is absent on reboot, deploy.sh automatically rebuilds the configuration from .env and the container state.
Nextcloud Enterprise charges for every advanced feature — module by module, 100 users minimum. NXT Maxscale delivers them all, for zero euros, from the very first user.
| Criterion | Nextcloud Standard | Nextcloud Premium | Nextcloud Ultimate | NXT Maxscale |
|---|---|---|---|---|
| Price / user / year | € 71,29 | € 104,99 | € 204,75 | €0 — Free |
| Minimum users | 100 min. | 100 min. | 100 min. | None |
| High availability | ✗ | ✓ Included support | ✓ Included support | ✓ Automatic |
| Talk HA (High Performance Backend) | Optional (extra costs) | Optional (extra costs) | Optional (extra costs) | ✓ Included |
| Push Notifications HA (Notify Push) | ✓ Enterprise · Manual | ✓ Enterprise · Manual | ✓ Enterprise · Manual | ✓ Automatic |
| Collabora CODE | Optional (extra costs) | Optional (extra costs) | Optional (extra costs) | ✓ Included · Unlimited |
| Collaborative Whiteboard | ✗ | Optional (extra costs) | ✓ | ✓ Included |
| WAF & hardened security | ✗ | ✗ | ✗ | ✓ HAProxy built-in |
| Automatic SSL | ✗ | ✗ | ✗ | ✓ Let's Encrypt · 12h |
| LDAP / Active Directory | ✓ Enterprise | ✓ Enterprise | ✓ Enterprise | ✓ Included |
| SSO — SAML / OIDC | ✓ Enterprise | ✓ Enterprise | ✓ Enterprise | ✓ Included |
| Groupware Calendar · Contacts · Deck · Mail |
Optional (extra costs) | Optional (extra costs) | Optional (extra costs) | ✓ Included |
| Nextcloud Assistant (AI) | ✗ | ✗ | ✓ | ✓ Included |
| Tables | ✗ | ✗ | ✓ | ✓ Included |
| Notes | ✗ | ✗ | ✓ | ✓ Included |
| Forms | ✗ | ✗ | ✓ | ✓ Included |
| Data sovereignty | ✓ | ✓ | ✓ | ✓ Your servers |
| Global Scale | ✗ | Optional (extra costs) | Optional (extra costs) | ✓ Included |
| Email support | Business hours | Extended business hours | Up to 24/7 | ✓ 24/7 |
| Reaction time | 2 business days | 1 business day | 1h / 4h / 12h / 24h | ✓ Upon receipt of request |
| License | AGPLv3 | AGPLv3 | AGPLv3 | MIT — Free / Open |
Nextcloud Enterprise pricing as of May 29, 2026 — prices net of VAT, volume-tiered (100 users minimum required), yet remain significant even at scale. NXT Maxscale is an independent open source project, not affiliated with Nextcloud GmbH.
Features under development — all will be integrated into deploy.sh at zero cost, no subscription, no user limit, no waiting list.
The most frequently asked questions before deploying.
Yes, entirely. NXT Maxscale is released under the MIT licence — free for commercial and personal use, with no subscription, no user limit, and no hidden fees. You self-host: the only cost is your server infrastructure. The source code is public on GitHub and auditable by anyone.
Yes. The Test / dev profile (1–2 FPM nodes, 1 Galera node, APCu cache) runs from 8 GB of RAM on a single machine. Multi-node high availability is optional: deploy.sh configures the profile based on your interactive answers and saves the configuration for each subsequent run.
The failover is transparent to users. HAProxy redistributes traffic in less than 10 seconds. The Galera quorum maintains data consistency, galera-autoheal automatically restarts out-of-sync nodes, the Redis cluster tolerates the loss of one node per hash slot, and RustFS continues reads during recovery of the failed node via erasure coding.
Let's Encrypt certificates are generated automatically by deploy.sh (HTTP-01 or TLS-ALPN-01 challenge) and renewed every 12 hours by the certbot service. A healthcheck monitors expiry at 30 days. HAProxy enforces TLS 1.2 minimum with TLS 1.3 preferred, ECDHE + AES-GCM + CHACHA20 cipher suites, and no-tls-tickets for Perfect Forward Secrecy.
No. deploy.sh automatically applies a binary patch on each coolwsd node that replaces the home_mode limits (20 connections, 10 documents) with INT_MAX. The patch is preserved across restarts and reapplied on updates via deploy.sh. If the Collabora version changes and the pattern is not found, the patch is skipped with a warning — the stack remains fully functional.
All files are stored in RustFS using distributed erasure coding — Nextcloud local storage is only used for temporary data. Bucket versioning is enabled automatically at installation. In production, each DATA{N} path must point to a separate physical disk for fault tolerance to be effective.
Re-run deploy.sh: if an existing infrastructure is detected, the script offers three options — quick update (pull new images + recreate containers), add / remove nodes, or full redeployment. The Collabora patch is reapplied automatically. Check the CHANGELOG before each major update.
Re-run deploy.sh and choose add / remove nodes. Docker volumes and the .env file are preserved — no data loss. Each service has its own constraints: Galera requires an odd number of nodes, Redis requires an even delta (1 master + 1 replica per batch), RustFS scale-up and scale-down are not supported in beta — full redeploy required.
NXT Maxscale supports the Nextcloud Talk High Performance Backend (HPB) as an optional component: spreed-signaling nodes for WebSocket high availability, gRPC :9090 for cross-node relay, NATS as pub/sub message broker for cross-node signaling, and coturn 4.6 for TURN/STUN relay. deploy.sh asks during the interactive configuration whether you want to deploy Talk HA — it is not required to run the core Nextcloud infrastructure. When enabled, all services are configured automatically. Benchmarks show 100 ms p(95) end-to-end WebSocket latency on the full stack.
Critical data to back up: RustFS data paths (all user files, stored with erasure coding), MariaDB Galera Docker volumes (database), Nextcloud config volume, and the deployment files (.env, .rustfs-pools). Recommended methods: VM snapshots, RustFS sync to external storage via rclone or aws s3 sync, MariaDB dumps, Docker volume archives. Always test restoration in a staging environment before relying on backups in production.
91/100 — Very good. All critical areas are secured: TLS 1.3 with post-quantum key exchange (X25519MLKEM768), HSTS 2-year preload with includeSubDomains, comprehensive security headers, HAProxy WAF filtering (TRACE/DEBUG/CONNECT blocked, common attack paths returning 403), no sensitive port exposed externally, secure cookies, and response header removal. Minor findings (4 low, 1 medium): version disclosure on /status.php and /api/v1/welcome, RustFS console publicly reachable (credentials required — disable when unused), coturn without TLS, no rate limiting at reverse proxy level, CSP not enforced on Collabora and Whiteboard subdomains — none are blocking for production use.
The automated script handles the entire deployment: system verification, Docker installation, interactive configuration, Let's Encrypt SSL certificates, deployment, and health checks.
curl -fsSL https://raw.githubusercontent.com/oboeglen/Azure-NXT-Maxscale/main/deploy.sh \
-o /tmp/deploy.sh && sudo bash /tmp/deploy.shgit clone https://github.com/oboeglen/Azure-NXT-Maxscale.env.example → .env and fill in all valuesdocker compose up -dServer sizing must be adapted to the expected storage space and number of users. RustFS node scale-up is not supported in the current beta — plan storage capacity upfront at deployment time.
See recommended configurations →x86_64 architecture required — Docker & Compose installed automatically
Free for commercial and personal use, modifiable and redistributable without restriction. Attribution required.
Read the license →Fork the project, open an issue, or submit a pull request. All contributions are welcome.
View on GitHub →