Tailscale (and Caddy as a sidecar) Reverse Proxy

[flll]

Disclaimer: It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!

This setup integrates Nextcloud All-in-One (AIO) with Tailscale, using Caddy as a reverse proxy.
Since Tailscale currently only allows communication with localhost(127.0.0.1), we use a sidecar with Caddy to communicate with AIO.

• Enhanced security with ACL usage within Tailnet
• ACME certificate issuance without port forwarding (Tailnet only)
• Possibility to expose Nextcloud externally using Tailscale's serve.json configuration (This document does not provide an example of serve.json)

1. Set Environment Variables

Set the following environment variables:

TS_HOSTNAME=nextcloud # Hostname in Tailnet
NC_DOMAIN=nextcloud.your-tailnet.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage

Note

We will not create a .env file, but instead write directly into the compose.yml file later.
If you do create a .env file, compose will automatically read it. In this case, set the key-value format in service[].environment[] of the compose.yml to keys only, allowing compose to pass variables to the service.

Ensure NC_DOMAIN is in the correct format.
When using OAuth client key, set tags in TS_EXTRA_ARGS and define them in ACL.

For more detailed information, please refer to:
https://tailscale.com/blog/docker-tailscale-guide

2. Configure Docker Compose File

Create a compose.yml file with the following content. Replace environment variables as appropriate.

compose.yml

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      TS_AUTH_KEY: tskey-client-kXGGbs6CNTRL # OAuth client key recommended
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Important

Make sure to replace NC_DOMAIN, TS_HOSTNAME, TS_AUTH_KEY, and TS_EXTRA_ARGS with your actual values before running the docker compose file.

3. Create Caddyfile

Create a Caddyfile in the current directory with the following content:

Caddyfile

https://{$NC_DOMAIN}:443 {
    reverse_proxy nextcloud-aio-apache:11000
}

Note

Do not manually replace the {$NC_DOMAIN} variable. It will be automatically populated with the value set in your environment variables.

4. Set Up Nextcloud AIO

1. Run docker compose up -d
2. Connect to https://ip.address.of.server:8080/
3. Enter the configured $NC_DOMAIN
4. Provision Nextcloud
5. Connect to https://$NC_DOMAIN/ (e.g., https://nextcloud.your-tailnet.ts.net/)
6. Setup complete!

[darkgrid]

hi ,
i dont know much , where do we need to make the environment file and the caddy file

[flll]

The .env file and Caddyfile should be placed in the current directory where the docker compose.yml file is located. They will be automatically read when you run 'compose up'.
However, since there are only a few variables, it might be more convenient to write them directly in the docker compose.yml file instead.
This approach simplifies your setup and makes it easier to manage your configuration in a single file.

[szaimen]

However, since there are only a few variables, it might be more convenient to write them directly in the docker compose.yml file instead.

Indeed, maybe this would make the guide even easier?

[rik-shaw]

I am still having some issues with the environment variables, such as this:

network nextcloud-aio was found but has incorrect label com.docker.compose.network set to ""

Am I correct that for setting the environment variables inside the compose.yml manually now that the leading - needs to be removed, so instead of this:

    environment:
      - TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet

It should be this:

    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet

???

Then, if doing it inside the compose.yml cut the whole 1. Set Environment Variables section??

[flll]

- TS_HOSTNAME

This appears to be an old way of writing it.
I'll fix it later.

[flll]

Yes, I've been running this setup for a few weeks now, and
so far I've been able to use Talk, Office, and other features without any errors.

[szaimen]

Nice!

[szaimen]

See #5460

[A4alli]

This is amazing @flll , I am trying to achieve the same since a month. But I am not using docker. Can you KINDLY make a script like the one for nextcloud with nginx as server, caddy as reverse proxy, tailscale and cloudflare as DNS.
I have posted in nextcloud help desk today. Have a look to my conf,config,PHP,nginx, caddy files, https://help.nextcloud.com/t/nextcloud-tailscale-cloudflare-as-dns-and-caddy-as-reverse-proxy/207463 please

regards

[A4alli]

Thankyou for the kind advice. I will go for it on Monday. Well I thought that I already am in lcx,doesn't it mean the same docker hardening?

[A4alli]

Can you please enlighten the disadvantage?

[A4alli]

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

[flll]

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

I would recommend using Kubernetes or Docker Swarm.
If you're using compose, using Swarm would provide compatibility.
I'm not familiar with this guide, so please try it yourself.

[flll]

Can you please enlighten the disadvantage?

Docker-based deployment has very few disadvantages.
The only real drawback is the learning curve required to master Docker.

[abe-101]

I used the nginx.conf from the projects readme (link in my original comment)

What is nextcloid.conf? Never heard of that

I simply used the docker compose from the README (I had to comment and uncomment some lines)

[A4alli]

apology, it's nextcloud.conf.

[flll]

Is your configuration something like this?
[tailnet]-->[host-tailscaled]-->[nginx-ssl]-->[nextcloud-aio-apache]-->[nextcloud]
When using Tailscale VPN, the connection is always encrypted, so encryption by Nginx is redundant and unnecessary. Double encryption adds extra load, which is not recommended. Let's leave the internal communication unencrypted and rely on Tailscale for security.
For external access, you can use Tailscale's funnel feature to expose your service to the internet, complete with SSL certificates.
Also, even if you have Tailscale deployed on the host server, you can still deploy Tailscale in Docker containers.
This guide is about creating a new hostname within the Tailnet and making it accessible from within the Tailnet.
@abe-101

[A4alli]

@flll what about my case?

[flll]

@A4alli
If I were to comment, I might suggest changing the resolver from 1.1.1.1 1.0.0.1 to 100.100.100.100, or note that the PHP handler isn't specified (though it might be in /etc/nginx/conf.d/.conf files). Otherwise, the nginx.conf looks fine.
If you can flexibly configure Nextcloud in detail and maintain it yourself, installing directly on the host can be a good approach. However, it's a legacy method, so migrating to a container-based setup is also a viable option.
The deployment process for nextcloud-aio is thoroughly documented in the AIO repository. Why not give it a try?

[abishekmuthian]

Thank you for your work @flll .

But no matter how many times I try the procedure, the hostname I give in the compose environment doesn't get created in the tailscale and rather a random ephemeral hostname is created after manually authenticating using the url in the log.

tailscale-1                    | To authenticate, visit:
tailscale-1                    | 
tailscale-1                    | 	https://login.tailscale.com/a/6ff94430152e1
tailscale-1                    | 


tailscale-1                    | 2024/10/24 14:53:12 health(warnable=no-derp-connection): error: Tailscale could not connect to the relay server with ID '0'. Your Internet connection might be down, or the server might be temporarily unavailable.

My Internet and Network connection is fine.

But I cannot log into the nextcloud instance even with the the randomly generated hostname in my tailnet.

[flll]

- - TS_HOSTNAME = nextcloud
+ - TS_HOSTNAME=nextcloud

There should be no space between the key and value in the key-value pair.

[abishekmuthian]

That was it, I'm into nextcloud! Thank you so much my Japanese friend. The docker compose file as in the guide complained of map and kepair format and so I edited it but didn't know that space will cause issues.

I see couple of errors in the caddy log of refusing connection to fonts.json, should I be concerned?

nextcloud-aio-tailscale-caddy-1  | {"level":"error","ts":1729844319.020331,"logger":"http.log.error","msg":"dial tcp: lookup nextcloud-aio-apache on 127.0.0.11:53: no such host","request":{"remote_ip":"127.0.0.1","remote_port":"55868","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"nextcloud.tortoise-moth.ts.net","uri":"/apps/richdocuments/settings/fonts.json","headers":{"Date":["Fri, 25 Oct 2024 08:18:17"],"User-Agent":["COOLWSD HTTP Agent 24.04.8.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"nextcloud.tortoise-moth.ts.net"}},"duration":0.012385143,"status":502,"err_id":"64di74n3m","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

Also two more questions,

1. nextcloud host in the Tailscale has a ephemeral label, is it supposed to be one?

2. Can I edit the ACL in Tailscale e.g. like adding admin group like how you showed in the another comment after I deploy? Because if I change the "autogroup:admin" to "group:admin" I'm unable to reach my next cloud instance. Is it because it should have been done before deployment of the host with the nextcloud tag?

[flll]

This error seems to be due to Caddy failing to connect to nextcloud-aio-apache.
This is likely happening because Caddy is being executed before Apache starts up.
Clicking the "start container" button in nextcloud-aio should start both Nextcloud and Apache.
You can safely ignore this initially.

Regarding the ephemeral label for the Nextcloud host in Tailscale:

Yes, using an OAuth key makes it ephemeral.
Ephemeral nodes will reset when restarted.
While you can configure it as non-ephemeral, this will create new nodes (nextcloud-1, nextcloud-2, nextcloud-3...) every time you restart.
Please refer to the official "Tailscale on Docker" documentation for more details.

Regarding ACL editing in Tailscale:

1. ACLs work dynamically and apply immediately. If connectivity is lost right after making changes, there's likely an issue with the ACL configuration.

2. "autogroup:admin" is automatically generated by the tailscale-admin-console.
   If changing from autogroup to group causes loss of connectivity, it's likely because either:

• group:admin is undefined
• ACL is missing

Example ACL configuration:

{
	"groups": {
		"group:admin": ["[email protected]", "flll@github"],
		"group:azuki": ["[email protected]"],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:nextcloud:*"],
		},
        ]
}

Note that "autogroup:admin" and "group:admin" are completely different groups.
If you want to make Nextcloud accessible to all members or external users, set src to "*" and dst to "*:*".

Please refer to Tailscale's autogroup documentation for more details.

[flll]

Thank you

Thank you as well. I was able to respond quickly because I've made the same mistake before, haha.
Thank you for your question.(o・ω・o)

[A4alli]

Non-ephemeral will make new nodes? Or ephemeral??

[rzimmerdev]

Did anyone get this error?

docker compose up
[+] Running 3/0
✔ Container nextcloud-aio-mastercontainer Created 0.0s
✔ Container maverick-caddy-1 Recreated 0.1s
✔ Container maverick-tailscale-1 Recreated 0.1s
Attaching to caddy-1, tailscale-1, nextcloud-aio-mastercontainer

tailscale-1 | boot: 2024/10/24 22:18:21 Running 'tailscale up'
tailscale-1 | Status: 400, Message: "requested tags [tag:nextcloud] are invalid or not permitted"
tailscale-1 | boot: 2024/10/24 22:18:22 failed to auth tailscale: failed to auth tailscale: tailscale up failed: exit status 1
...
tailscale-1 | boot: 2024/10/24 22:18:23 [warning] failed to symlink socket: file exists
tailscale-1 | To interact with the Tailscale CLI please use tailscale --socket="/tmp/tailscaled.sock"

[Kendellb]

I am also having the same issue

In the master container logs get this error:

NOTICE: PHP message: Not pulling the image for the nextcloud/aio-domaincheck container because docker hub does not seem to be reachable.
NOTICE: PHP message: Could not start domaincheck container: Could not create container nextcloud-aio-domaincheck: Client error: `POST http://127.0.0.1/v1.41/containers/create?name=nextcloud-aio-domaincheck` resulted in a `404 Not Found` response:
{"message":"No such image: nextcloud/aio-domaincheck:latest"}

checked tailscale logs and getting this error 2024/10/25 03:24:17 logtail: upload: log upload of 2604 bytes compressed failed: Post "https://log.tailscale.io/c/tailnode.log.tailscale.io/186b66569ec88d07a71fa7f708bc1caa8ca685e7c18661eab73821777896797d": dial tcp [IPV6address]:443: connect: network is unreachable

I also have gone through the reverse proxy debug guide and am getting and output of 1 when i run inside the tailscale-caddy-1 container
nc -z localhost 11000; echo $?

[flll]

Hmm...
It's probably a discrepancy in the ACL settings, or
Maybe because it's set to "tailv2133.ts.net" and the default "tainet-name", it might be better to generate a new one??? Just a guess though.

CLICK!

1. Create a tag for Nextcloud in the ACL settings.
   

{
	"groups": {
		"group:admin": ["[email protected]"],
	},
	"tagOwners": {
		"tag:nextcloud":  ["autogroup:admin", "group:azuki"],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:nextcloud:*"],
		},
	],
	"nodeAttrs": [
		{
			"target": ["group:admin", "tag:nextcloud"],
			"attr":   ["funnel"],
		},
	],
}

2. Go to OAuth Clients in the settings and click on Generate.
   

3. Set the Device permission to Write.
   

4. Select the tag you created earlier.

5. Enter the key that starts with "ts-" into the variable.

6. reboot container!

[flll]

I think there might be a need for it, so I'll provide the compose.yml that I'm actually using in operation. It's almost the same as what's written in the guide.
Please excuse the comments being in Japanese.

CLICK!

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # この行は変更できません。
    volumes:
      - type: volume
        source: nextcloud_aio_mastercontainer
        target: /mnt/docker-aio-config
        volume:
          nocopy: true
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:4445:8080
    environment: # 以下のオプションのいずれかを使用する場合に必要です
      AIO_DISABLE_BACKUP_SECTION: false # これをtrueに設定すると、AIOインターフェースのバックアップセクションを非表示にできます。https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section を参照してください
      APACHE_PORT: 11000 # Webサーバーやリバースプロキシの背後で実行する場合に必要です。https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md を参照してください
      APACHE_IP_BINDING: 127.0.0.1 # 同じホスト上で実行されているWebサーバーやリバースプロキシの背後で実行する場合に設定する必要があります。https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md を参照してください
      SKIP_DOMAIN_VALIDATION: true
      BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # borgの保持ポリシーを調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy を参照してください
      COLLABORA_SECCOMP_DISABLED: false # これをtrueに設定すると、CollaboraのSeccomp機能を無効にできます。https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature を参照してください
      NEXTCLOUD_DATADIR: /mnt/hdd_toshiba/ncdata # Nextcloudのデータディレクトリのホストディレクトリを設定できます。⚠️⚠️⚠️ 警告：初期のNextcloudインストールが完了した後にこの値を設定または調整しないでください！https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir を参照してください
      NEXTCLOUD_MOUNT: /mnt/hdd_toshiba # Nextcloudコンテナがホストäã®選択したディレクトリにアクセスできるようにします。https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host を参照してください
      NEXTCLOUD_UPLOAD_LIMIT: 10G # より多くが必要な場合は調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud を参照してください
      NEXTCLOUD_MAX_TIME: 7200 # より多くが必要な場合は調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud を参照してください
      NEXTCLOUD_MEMORY_LIMIT: 1024M # より多くが必要な場合は調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud を参照してください
      #NEXTCLOUD_TRUSTED_CACERTS_DIR: /usr/local/share/ca-certificates # このディレクトリ内のCA証明書は、nextcloudコンテナのOSによって信頼されます（例：LDAPSに有用）。https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca を参照してください
      NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # AIOを初めて起動する際にインストールされるNextcloudアプリを変更できます。https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup を参照してください
      NEXTCLOUD_ADDITIONAL_APKS: imagemagick # Nextcloudコンテナに追加のパッケージを永続的に追加できます。デフォルトはimagemagickですが、この値を変更することで上書きできます。https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container を参照してください
      NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # Nextcloudコンテナに追加のPHP拡張機能を永続的に追加できます。デフォルトはimagickですが、この値を変更することで上書きできます。https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container を参照してください
      #NEXTCLOUD_ENABLE_DRI_DEVICE: false # Nextcloudコンテナで/dev/driデバイスを有効にできます。⚠️⚠️⚠️ 警告：これはホスト上に'/dev/dri'デバイスが存在する場合にのみ機能します！ホスト上に存在しない場合は、trueに設定しないでください。そうしないとNextcloudコンテナが起動に失敗します！https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud を参照してください
      #NEXTCLOUD_KEEP_DISABLED_APPS: false # これをtrueに設定すると、AIOインターフェースで無効化されているNextcloudアプリを保持し、インストールされている場合はアンインストールしません。https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps を参照してください
      TALK_PORT: 3478 # talkコンテナが使用するポートを調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port を参照してください
      WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # ホスト上のdockerソケットがデフォルトの'/var/run/docker.sock'にない場合に指定する必要があります。そうしないとマスターコンテナの更新が失敗します。macOSの場合は'/var/run/docker.sock'である必要があります
      APACHE_MAX_SIZE: 10737418240 # これは整数である必要があり、NEXTCLOUD_UPLOAD_LIMITと同期している必要があります。
    security_opt: ["label:disable"] # SELinuxを使用する場合に必要です


  nextcloud-aio-tailscale-caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN=nextcloud.qilin-scala.ts.net # {$TS_HOSTNAME}.{tailnet-domain}という.ts.netで終わるドメインに変更してください
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # /var/run/tailscale/tailscale.sockのボリュームをマウント
        read_only: true
    network_mode: service:nextcloud-aio-tailscale

  nextcloud-aio-tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME=nextcloud # tailnetでのホスト名を入力してください
      - TS_AUTH_KEY=tskey-client-kbjbruk4Vm11CNTRL # OAuth clientsのkeyを取得することをオススメします
      - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # OAuth client-tskeyを使う場合、advertise-tagsにtagを付与するようにしてください。tagを作成するにはACLにタグを定義する必要があります。
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # /tmp/tailscale.sockのボリュームをマウント
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # この行は変更できません。変更すると組み込みのバックアップソリューションが機能しなくなります
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock

networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001"
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1"

If there are no discrepancies in the settings with this yml, then there's probably a misconfiguration in the Tailscale admin console.

@Kendellb @abishekmuthian @rzimmerdev

[Kendellb]

Hmm... It's probably a discrepancy in the ACL settings, or Maybe because it's set to "tailv2133.ts.net" and the default "tainet-name", it might be better to generate a new one??? Just a guess though.
CLICK!

Thank you for your help and for this amazing guide @flll . I was setting the host name to the same name as my server and I did not realized that it was making new machine server-1 in tailscale. Thank you again for your help!!!

[MateuszFido]

This was also the root of my issue. Remember that the hostname to provide both in compose.yml and the Nextcloud admin console is the new, ephemeral hostname created by Tailnet, not the current hostname of your physical machine!

[SteveImmanuel]

Nice guide! Thanks so much.
One issue that I found during my deployment is that the compose file syntax. Particulary the environment in the caddy and tailscale service. They need to be in key:pair format or map format. So either use:

environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net

or

environment:
      - NC_DOMAIN=nextcloud.your-tailnet.ts.net

Note: same goes for the tailscale service environment.

[SteveImmanuel]

Yes the nextcloud-aio-mastercontainer does indeed run on port 8080. However, it only responsibles for first time setup when you provision the nextcloud instance. After that, the nextcloud-aio-nextcloud needs to be accessible from port 80 and 443 for service discovery and to handle the certificates as nextcloud need a valid SSL certificate to function. But please correct me if I'm wrong.
This is the log from my nextcloud-aio-nextcloud container:

[28-Oct-2024 00:52:48] NOTICE: fpm is running, pid 400
[28-Oct-2024 00:52:48] NOTICE: ready to handle connections
Activating Collabora config...
✓ Reset callback url autodetect
Checking configuration
🛈 Configured WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured public WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured callback URL: 

✓ Fetched /hosting/discovery endpoint
✓ Valid mimetype response
✓ Valid capabilities entry
✓ Fetched /hosting/capabilities endpoint
✓ Detected WOPI server: Collabora Online Development Edition 24.04.8.1

Collabora URL (used for Nextcloud to contact the Collabora server):
  https://nextcloud.tail42526.ts.net
Collabora public URL (used in the browser to open Collabora):
  https://nextcloud.tail42526.ts.net
Callback URL (used by Collabora to connect back to Nextcloud):
  autodetected (will use the same URL as your user for browsing Nextcloud)

[A4alli]

well I am using only via tailscale network. So I will not need any ports to forward. next I toggol on HTTPS in tailscale Admin counsel which give me lets encrypt https. right now Im stuck on provisioning screen. I cannot visit my nextclous AIO via tailscale domain. I am pasting the required data asked by @flll, when he will analyze about what is wrong.

[SteveImmanuel]

Even with tailscale, you need those port to make it accessible inside your tailscale network

[sym-afk]

Even with tailscale, you need those port to make it accessible inside your tailscale network

How to open up these ports in tailscale, whether it has to be done on the newly created nextcloud node or the host/server node in tailscale n/w.

[chamabreu]

I am running the whole system without any port forwarding or opening.

Only in the docker compose there are the port mappings, to make the container accessible.

The AIO master Container is only accessible over the ipadress from the Host running the Master container.
See ports on AIO master Container in docker compose:

ports:
      - 0.0.0.0:8080:8080

But the rest of nextcloud does not need any port changing and is only accessible over your Domain you give into the environment variables.

[blazing-ph0enix]

Okay, one question:

Should I "sudo dnf install tailscale" on my host, then follow all this docker compose things? because how would I declare ACL dst 'nextcloud.your-tailnet.ts.net'? Or do I add my device manually in tailscale admin?

I might be very less informed about ACL and tags, but I am trying to learn and doing all this to use nextcloud-aio is tiring, but I am trying my best.

Thanks!

PS: I was using this

{
  "tagOwners": {
    "tag:nextcloud": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:nextcloud"],
      "dst": ["nextcloud.your-tailnet.ts.net:*"]
    }
  ]
}

[blazing-ph0enix]

Hey @flll

What I did:

1. Sudo dnf install tailscale
2. Setup my host with tailscale, named "fedora"
3. Made ACL like this:

{
	"tagOwners": {
		"tag:fedora": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:fedora"],
			"dst":    ["Tailscale_ip_of_fedora:*"]
		}
	]
}

4. Followed your guid
5. There was a new machine in my tailscale, named Fedora-1
6. Can't access nextcloud
7. Apache container unhealthy
8. Problem loading site for my NC_DOMAIN

I am sure I misunderstood a lot of things, looking for pointers, thanks!

[blazing-ph0enix]

New Setup:

1. Only one machine on Tailscale (that too the one from docker compose file tailscale)
2. ACL:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:nextcloud:*"]
		}
	]
}

3. Still Apache container unhealthy
4. All other container working well, but the apache logs and master container logs are same as earlier

[flll]

My docker logs apache says:
This is normal.

Please check the following conditions:

• The guide's compose.yml starts before nextcloud-aio-apache
• The nextcloud-aio network in compose.yml is properly applied

If it's not working even though the order is correct, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

New Setup

Please configure ACL according to your environment.
If you want to try a configuration unrelated to the guide, please refer to the official documentation.

[blazing-ph0enix]

@flll Brother, I finally did it. Nextcloud-AIO worked!!!

What I did?

1. Changed my default tailname
2. Made some changes in ACL
3. Made fresh docker compose containers
4. Crossed my fingers before entering the tail domain 😂

Thanks a lot!
I have learnt a lot of things and will make some experiments like what changes will make it stop working. Might make a guide of my own for basic noobs like myself 🙃

[flll]

@blazing-ph0enix
Congratulations! That's a fantastic achievement. I'm so happy to see that your persistence and ingenuity have paid off.

Crossing your fingers is indeed an essential step in solving technical problems! 😄

It's wonderful that you're planning to share what you've learned with others. A guide for beginners will be incredibly helpful for many people.

I'm looking forward to your future experiments. If you make any new discoveries, please do share them. Your experiences will be a valuable source of information for the community.

Keep up the great work. And remember, if you ever run into any issues, don't hesitate to ask for help.

[MateuszFido]

Thanks for the guide, it's great but I cannot make it work for myself.
I'm stuck at the point of connecting to my $NC_DOMAIN.

My compose.yaml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN=mydomain.my-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME=mydomain # Enter the hostname for your tailnet
      - TS_AUTH_KEY=tskey-client-kPFRs4aRK721CNTRL # OAuth client key recommended
      - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

My ACL:

"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"],
	},

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},

		// Allow users in "group:example" to access "tag:example", but only from
		// devices that are running macOS and have enabled Tailscale client auto-updating.
		// {"action": "accept", "src": ["group:example"], "dst": ["tag:example:*"], "srcPosture":["posture:autoUpdateMac"]},
	],

	// Define postures that will be applied to all rules without any specific
	// srcPosture definition.
	// "defaultSrcPosture": [
	//      "posture:anyMac",
	// ],

	// Define device posture rules requiring devices to meet
	// certain criteria to access parts of your system.
	// "postures": {
	//      // Require devices running macOS, a stable Tailscale
	//      // version and auto update enabled for Tailscale.
	// 	"posture:autoUpdateMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	    "node:tsAutoUpdate",
	// 	],
	//      // Require devices running macOS and a stable
	//      // Tailscale version.
	// 	"posture:anyMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	],
	// },

	// Define users and devices that can use Tailscale SSH.
	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:member"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],

	// Test access rules every time they're saved.
	// "tests": [
	//  	{
	//  		"src": "[email protected]",
	//  		"accept": ["tag:example"],
	//  		"deny": ["100.101.102.103:443"],
	//  	},
	// ],
}

Caddy seems to recognize the domain name correctly, i.e. it resolves $NC_DOMAIN correctly.

Tailscale logs:

2024/10/26 20:54:17 monitor: gateway and self IP changed: gw=172.18.0.1 self=172.18.0.2
2024/10/26 20:54:17 wgengine: Reconfig: configuring userspace WireGuard config (with 0/3 peers)
2024/10/26 20:54:17 wgengine: Reconfig: configuring router
2024/10/26 20:54:17 wgengine: Reconfig: configuring DNS
2024/10/26 20:54:17 dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:4}
2024/10/26 20:54:17 dns: Resolvercfg: {Routes:{} Hosts:4 LocalDomains:[]}
2024/10/26 20:54:17 dns: OScfg: {}
2024/10/26 20:54:17 peerapi: serving on http://100.88.14.63:42665
2024/10/26 20:54:17 peerapi: serving on http://[fd7a:115c:a1e0::f001:e3f]:42665
2024/10/26 20:54:17 magicsock: home is now derp-4 (fra)
2024/10/26 20:54:17 magicsock: adding connection to derp-4 for home-keep-alive
2024/10/26 20:54:17 magicsock: 1 active derp conns: derp-4=cr0s,wr0s
2024/10/26 20:54:17 magicsock: endpoints changed: 31.10.141.0:13401 (stun), 172.18.0.2:57177 (local)
2024/10/26 20:54:17 derphttp.Client.Connect: connecting to derp-4 (fra)
2024/10/26 20:54:17 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2024/10/26 20:54:17 control: NetInfo: NetInfo{varies=false hairpin= ipv6=false ipv6os=true udp=true icmpv4=false derp=#4 portmap= link="" firewallmode=""}
boot: 2024/10/26 20:54:17 Startup complete, waiting for shutdown signal
2024/10/26 20:54:17 magicsock: derp-4 connected; connGen=1

Tried opening 443 (TCP and UDP), 80, 8080 (out of desperation) in firewall and even disabling the firewall completely, none of it helped

Seems that no matter what I do, in the nextcloud container I see:

Failed to fetch discovery endpoint from https://mydomain.my-tailnet.ts.net 
2024-10-26T20:14:35.885045556Z cURL error 7: Failed to connect to mydomain.my-tailnet.ts.net port 443 after 1 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://mydomain.my-tailnet.ts.net/hosting/discovery

Pinging the domain name within tailscale works without problems

[flll]

@MateuszFido
Please check the following conditions:

• Whether nextcloud-aio network is defined correctly as specified in compose.yml
• Whether the nextcloud-aio network defined in compose.yml is created before nextcloud-aio-apache and nextcloud-aio-nextcloud start up.

If you need to redo it, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

[MateuszFido]

Yep, did those many times, my friend

Finally got it today: the same issue as @Kendellb, the hostname to configure is the new, ephemeral hostname generated by Tailscale, not the current hostname of the physical machine hosting Nextcloud in tailnet. Initially, I thought your machine was just named "nextcloud" in your tailnet before running all the containers.

It's worth remembering that setting the hostname provided to Nextcloud in the admin console cannot be undone - so just removing the containers, and even doing docker system prune -a won't work. You need to reinstall from scratch, removing all the volumes.

This was totally unclear to me from the guide, maybe it could be mentioned?

Anyway, thanks a lot, it's a great setup nonetheless 👍

[vinayak19th]

I'm still having this issue. I'm using the ephemeral hostname but still having issues

[A4alli]

[blazing-ph0enix]

@blazing-ph0enix what is the Health status of your Apache container?

Right now, Unhealthy, because I haven't deleted old machines from admin console

[blazing-ph0enix]

@blazing-ph0enix what is the Health status of your Apache container?

and also Security and setup Warnings. if you please share in pastebin

Can't use my pc right now. Will try tomorrow.
Family gathering at home 😅

[A4alli]

Any update

[blazing-ph0enix]

Any update

Yes, I will make a new comment for my specific case, I will add all the logs in it

[A4alli]

@flll if you please jump in to here to see the issues, KINDLY

[A4alli]

Finally access the domain.

[flll]

@A4alli

1. I don't want to access my nextcloud-AIO from outside other than tail scale

The funnel feature will expose your service to the public internet.
If you don't want public access, please disable the funnel feature.
Please refer to the Tailscale guide for more details.

2. Moreover, what about the error in nextcloud0master-container...

This error message indicates that debug information is currently hidden. While it's recommended to keep error details concealed in production environments for security purposes, you can temporarily enable detailed error display when troubleshooting is necessary. Once you've resolved the issue, it's advisable to return to the default secure configuration where error details are hidden from end users.

3. And the security warnings...

Please remove all containers and networks, then redeploy.
If Nextcloud is successfully deployed, you can safely ignore these warnings.

4. docker-socket-proxy test is always failing at Init step.

If you're unsure how to use it or don't plan to use it, I recommend not using it.

5. does WebDav working in nextcloud-aio by default...

If Nextcloud is working, WebDAV should also be available by default.

6. @rinkfaraway

Security settings are already included in nextcloud-aio-apache,
so you can keep the Caddyfile at its default settings as shown in the guide,
just set up reverse proxy to nextcloud-aio-apache.

Are you trying to use both cloudflared and tailscaled tunnels?
If so, add network_mode: service:caddy to both cf and ts to attach them to caddy's NIC (127.0.0.1).

[A4alli]

Amazing. My nextcloud is functioning well by default. I mean from starting. I think I have no need to remove and redeploy. But of course security and setup warnings will stay the same as in the pastebin. (Or should it remove and redeploy and will get rid of the warnings)

Point 6. You have pasted a diagram. A bit confusion, if you may please help me with it. I want to use cloudflare as DNS not a reverse proxy or tunnel. I have caddy-dns-cloudflare-module.
⚠️ how to setup DNS record in cloudflare for such setup. Will it be CNAME or A or AAAA record? To which IP or address I have to do it so to get cloudflare DNS resolver along Tailscale. From jellyfin video posted by tailscale, @alex has redirected caddy container ts-domain as CNAME in cloudflare DNS. What will be in out nextcloud case.

[A4alli]

@flll @szaimen https://help.nextcloud.com/t/security-and-setup-warnings-nextcloud-aio-30-0-1/208752/2
please must look into this matter. I think it need due attention.

[A4alli]

moreover @flll the notify-push failed in here according to your guide

2024-11-05T15:59:01.241513477Z Connection to nextcloud-aio-nextcloud (172.18.0.x) 9001 port [tcp/*] succeeded!
2024-11-05T15:59:01.253060607Z notify-push was started
2024-11-05T15:59:02.625728570Z [2024-11-05 15:59:02.624874 +00:00] ERROR [notify_push] src/main.rs:84: Self test failed: Error while communicating with nextcloud instance: error sending request for url (https://nextcloud.tailscale.ts.net/index.php/apps/notify_push/test/version)

[A4alli]

@A4alli If you want to allow connections from outside the tailnet (public access using Funnel), you need to add serve.json. In the following example, serve.json is written directly within the compose.yml file, so I'll use this example. If you use this example as is, you don't need to create separate Caddyfile and serve.json files.

CLICK!

THIS IS CREATING A TONS OF CLONE MACHINE IN MY TAILSCALE

[blazing-ph0enix]

Hey, So I have tried a lot of things, now my experience is like this:

1. I did everything as the guide. What I faced is that my nextcloud instance worked perfectly for first time. But after a reboot, I couldn't access my instance because apache container was unhealthy? Maybe because my tailscale admin console showed 'server-1' ephemeral machine instead of using 'server' which was host name in docker compose tailscale environments. So I had to delete my 'server' machine everytime before rebooting, so that after reboot 'server' machine is created instead of 'server-1' etc.
2. I researched a lot, so I tried adding 'TS_STATE_DIR=/var/lib/tailscale' in environments of Tailscale service in docker compose.
3. Now, after every reboot my tailscale admin console mentions 'server' machine, so which means it remembers the state and tailscale ip is also same but yeah, it's still ephemeral so not sure if that's any issue.
4. When I enter my Tail domain, it says:

Unable to connect

An error occurred during a connection to server.rohu-nessie.ts.net.

5. These are my logs, thank you for reading and let me know if you have any tips.

Apache logs:

2024-10-30T08:08:25.073530751Z Waiting for Nextcloud to start...
2024-10-30T08:08:30.077841467Z Connection to nextcloud-aio-nextcloud (172.18.0.2) 9000 port [tcp/*] succeeded!
2024-10-30T08:08:32.153962851Z {"level":"info","ts":1730275712.1528685,"msg":"using config from file","file":"/tmp/Caddyfile"}
2024-10-30T08:08:32.156079603Z {"level":"info","ts":1730275712.155,"msg":"adapted config to JSON","adapter":"caddyfile"}
2024-10-30T08:08:32.234077578Z [Wed Oct 30 08:08:32.231068 2024] [mpm_event:notice] [pid 58:tid 58] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
2024-10-30T08:08:32.234117911Z [Wed Oct 30 08:08:32.231133 2024] [core:notice] [pid 58:tid 58] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

Nextcloud logs:

2024-10-30T08:08:26.099483087Z [30-Oct-2024 08:08:26] NOTICE: fpm is running, pid 399
2024-10-30T08:08:26.099521081Z [30-Oct-2024 08:08:26] NOTICE: ready to handle connections
2024-10-30T08:08:40.857901402Z Activating Collabora config...
2024-10-30T08:08:41.766934909Z ✓ Reset callback url autodetect
2024-10-30T08:08:41.766972860Z Checking configuration
2024-10-30T08:08:41.766982102Z 🛈 Configured WOPI URL: https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.766989585Z 🛈 Configured public WOPI URL: https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.766996553Z 🛈 Configured callback URL:
2024-10-30T08:08:41.767002835Z
2024-10-30T08:08:41.865833719Z Failed to fetch discovery endpoint from https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.866405353Z cURL error 6: Could not resolve host: server.rohu-nessie.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://server.rohu-nessie.ts.net/hosting/discovery

Redis:

2024-10-30T08:06:44.427595043Z 8:M 30 Oct 2024 08:06:44.353 # Redis is now ready to exit, bye bye...
2024-10-30T08:07:44.753650530Z Redis has started

Database:

2024-10-30 08:07:45.840 UTC [14] LOG:  starting PostgreSQL 16.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
2024-10-30T08:07:45.841881733Z 2024-10-30 08:07:45.841 UTC [14] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-10-30T08:07:45.841902318Z 2024-10-30 08:07:45.841 UTC [14] LOG:  listening on IPv6 address "::", port 5432
2024-10-30T08:07:45.846316627Z 2024-10-30 08:07:45.846 UTC [14] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2024-10-30T08:07:45.873990980Z 2024-10-30 08:07:45.873 UTC [24] LOG:  database system was shut down at 2024-10-30 08:06:47 UTC
2024-10-30T08:07:45.893069077Z 2024-10-30 08:07:45.892 UTC [14] LOG:  database system is ready to accept connections

Notify Push:

2024-10-30T08:08:24.834948032Z Waiting for Nextcloud to start...
2024-10-30T08:08:29.838501694Z Connection to nextcloud-aio-nextcloud (172.18.0.2) 9001 port [tcp/*] succeeded!
2024-10-30T08:08:29.840436231Z notify-push was started
2024-10-30T08:08:34.936983393Z [2024-10-30 08:08:34.936482 +00:00] ERROR [notify_push] src/main.rs:84: Self test failed: Error while communicating with nextcloud instance: error sending request for url (https://server.rohu-nessie.ts.net/index.php/apps/notify_push/test/version)

Nextcloud Mastercontainer Logs:

[30-Oct-2024 08:08:56] NOTICE: fpm is running, pid 138
[30-Oct-2024 08:08:56] NOTICE: ready to handle connections
NOTICE: PHP message: 404 Not Found
Type: Slim\Exception\HttpNotFoundException
Code: 404
Message: Not found.
File: /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php
Line: 76
Trace: #0 /var/www/docker-aio/php/vendor/slim/slim/Slim/Routing/RouteRunner.php(62): Slim\Middleware\RoutingMiddleware->performRouting(Object(GuzzleHttp\Psr7\ServerRequest))
#1 /var/www/docker-aio/php/vendor/slim/csrf/src/Guard.php(482): Slim\Routing\RouteRunner->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#2 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(177): Slim\Csrf\Guard->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Slim\Routing\RouteRunner))
#3 /var/www/docker-aio/php/vendor/slim/twig-view/src/TwigMiddleware.php(117): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#4 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Views\TwigMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#5 /var/www/docker-aio/php/src/Middleware/AuthMiddleware.php(36): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#6 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(280): AIO\Middleware\AuthMiddleware->__invoke(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#7 /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(77): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#8 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Middleware\ErrorMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#9 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(73): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#10 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(209): Slim\MiddlewareDispatcher->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#11 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(193): Slim\App->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#12 /var/www/docker-aio/php/public/index.php(186): Slim\App->run()
#13 {main}
Tips: To display error details in HTTP response set "displayErrorDetails" to true in the ErrorHandler constructor.

My ACL of Tailscale:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"],
		"tag:malware":   ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:malware"],
			"dst":    ["tag:nextcloud:*"]
		},
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:malware:*"]
		}
	]
}

[A4alli]

Your tailscale is not connected as per above logs

[A4alli]

For me this guide work fine. Only problem is apache container showing unhealthy. But working

[flll]

I apologize for the delayed response.
Regarding this error shown in the Nextcloud logs:

cURL error 6: Could not resolve host: server.rohu-nessie.ts.net

This error suggests that the nextcloud-aio network is constantly being created, and Tailscale might not be properly connecting to the network
tailscale-aio

Here are the steps to resolve this:

1. Remove all nextcloud-aio containers

Warning!: This command will stop and remove containers

docker compose down

# Stop containers containing "nextcloud" in their name
docker stop $(docker ps -a | grep nextcloud | awk '{print $1}')

# Remove containers containing "nextcloud" in their name
docker rm $(docker ps -a | grep nextcloud | awk '{print $1}')

2. Delete the nextcloud-aio network

docker network rm nextcloud-aio

3. Run docker compose up (-d) again

I didn't find any issues with the ACL settings.

@blazing-ph0enix

[flll]

deleting 'server' machine before rebooting

Please disable the ephemeral setting.
Your OAuth key likely includes "?ephemeral=false"
Simply remove this query parameter.

'TS_STATE_DIR=/var/lib/tailscale'

It's recommended to keep the default state configuration.

"after every reboot my tailscale admin console mentions 'server' machine"

This is likely a temporary issue.
Try refreshing the admin console.

"When I enter my Tail domain..."

Often this is due to insufficient permissions on the client-side Tailscale.
Try adding the 'nextcloud' tag to your client.
By default, communication between devices with the nextcloud tag is allowed.

[A4alli]

deleting 'server' machine before rebooting

Please disable the ephemeral setting. Your OAuth key likely includes "?ephemeral=false" Simply remove this query parameter.

'TS_STATE_DIR=/var/lib/tailscale'

It's recommended to keep the default state configuration.

"after every reboot my tailscale admin console mentions 'server' machine"

This is likely a temporary issue. Try refreshing the admin console.

"When I enter my Tail domain..."

Often this is due to insufficient permissions on the client-side Tailscale. Try adding the 'nextcloud' tag to your client. By default, communication between devices with the nextcloud tag is allowed.

Thankyou 😍

[js-surya]

Has anyone tried to deploy using the portainer stack?

Caddy log:

INF ts=1730804048.0603747 msg=using config from file file=/etc/caddy/Caddyfile

Error: adapting config using caddyfile: subject does not qualify for certificate: '{env.NC_DOMAIN}'

I have double-checked my NC_DOMAIN variable.

compose.yml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    environment:
      NC_DOMAIN: nextcloud.[redacted].ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: /home/surya/Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      TS_AUTH_KEY: tskey-client-kYthXvJbHD21CNTRL-[redacted]  # OAuth client key recommended
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Tailscale ACL:

"groups": {
		"group:admin": ["js-surya@github"],
		"group:users": ["[email protected]", "[email protected]"],
	},

	"tagOwners": {
		"tag:nextcloud": ["group:admin"],
	},

	"acls": [
		// Allow general unrestricted access (you can comment this out if needed).
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},

		// Allow users in "group:users" to access any devices tagged with "nextcloud".
		{"action": "accept", "src": ["group:users"], "dst": ["tag:nextcloud:*"]},

I'm not an IT expert, and I'm relatively new to this. My IP is behind CGNAT, and I want to access my Nextcloud server outside my local network using Tailscale. I'm eager to learn, so any suggestions or help would be appreciated.

[A4alli]

NC_DOMAIN=nextcloud.talscale.ts.net
TS_HOSTNAME=nextcloud
TS_AUTH_KEY=ts...
TS_EXTRA_ARGS=--

Remember there is = and than no space

[js-surya]

TS_HOSTNAME=nextcloud # Hostname in Tailnet
NC_DOMAIN=nextcloud.mydomain.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kYthXvJbHD21CNTRL-mykey # OAuth client key recommended
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage

Here is my .env config

[A4alli]

check my config files above that work

[A4alli]

Apache is always unhealthy

docker exec -it nextcloud-aio-apache bash -x /healthcheck.sh

• nc -z nextcloud-aio-nextcloud 9000
  Connection to nextcloud-aio-nextcloud (172.18.0.1) 9000 port [tcp/*] succeeded!
• nc -z 127.0.0.1 8000
  Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
• nc -z 127.0.0.1 11000
  Connection to 127.0.0.1 11000 port [tcp/*] succeeded!
• nc -z nextcloud.taiilscale.ts.net 443
  nc: getaddrinfo for host "nextcloud.tailscalets.net" port 443: Name does not resolve
• echo 'Could not reach nextcloud.tailscalets.net on port 443.'
  Could not reach nextcloud.tailscale.ts.net on port 443.
• exit 1

[chamabreu]

Same here

[A4alli]

check my last comment below for solution with serve.json

[chamabreu]

Checked it.
Sound interesting.

Is there a way to check if a port is open to public?
I am curious that if I add funnel And then remove it, that it really is not public anymore.

Will try and report.
Also I am wondering if this helps for nextcloud office.

[A4alli]

what about your security and setup warnings?

[patrick-theprogrammer]

@flll
Thanks for this guide!

Wanted to mention that I was able to get this working without needing caddy at all. I think it simplifies things a bit. Tailscale can natively proxy nextcloud.your-tailnet.ts.net to nextcloud-aio-apache via this method, and it supports https.

Note this employs tailscale serve (as opposed to tailscale funnel) so will only expose the service to your tailnet, not publicly. You could set a funnel flag to true in the json config below to expose it publicly, though some security and performance caveats would apply if you did.

• Create a json file on your host with the following

{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://nextcloud-aio-apache:11000"
        }
      }
    }
  }
}

• on the tailscale container, create a bind mount to the directory where the json file is stored on the host, and supply a TS_SERVE_CONFIG environment parameter to tell tailscale where to look for the json file within the container

See https://tailscale.com/kb/1282/docker#ts_serve_config

[js-surya]

I managed to get it working, I deleted all containers, networks, and volumes.

I did everything cleanly and it worked.

My next question is, how do I configure funnel to be able to access it from the web?

{
  "TCP": {
    "443": {
      "HTTPS": true
    },
    "8443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://nextcloud-aio-apache:11000"
        }
      }
    },
    "${TS_CERT_DOMAIN}:8443": {
      "Handlers": {
        "/": {
          "Proxy": "https+insecure://nextcloud-aio-mastercontainer:8080"
        }
      }
    }
  },
  "AllowFunnel": {
    "${TS_CERT_DOMAIN}:443": true,
    "${TS_CERT_DOMAIN}:8443": true
  }
}

Enable Funnel in the Tailscale admin console

PS: Also add node attributes in the ACL policy file. For more info see the official doc - https://tailscale.com/kb/1223/funnel

[purierca]

@js-surya thanks a lot for the json for Funnel; where would the json file need to be added? We haven't set a volume as they show in the official Tailscale docs https://tailscale.com/blog/docker-tailscale-guide

And related question, we haven't set the tailscale variable for serve, is that something that needs to be added to the docker-compose?

[js-surya]

@js-surya thanks a lot for the json for Funnel; where would the json file need to be added? We haven't set a volume as they show in the official Tailscale docs https://tailscale.com/blog/docker-tailscale-guide

And related question, we haven't set the tailscale variable for serve, is that something that needs to be added to the docker-compose?

I am utilizing the native proxy method provided by @patrick-theprogrammer, as detailed in 1 and 2, without employing Caddy as a sidecar. Please take a look at his compose file and serve-config.json there, you can find the serve config variable and volume.

[shawn-shellenbarger]

Thank you @patrick-theprogrammer! This feels like a much better approach for me personally (serve vs funnel). I have used tailscale explicitly to avoid exposing my home server to the public internet, which funnel does!

A couple of things to note in case others run into similar issues:

• /etc might need sudo privileges on your host machine

  • This caused me problems for the tailscale serve.json
  • Relevant line in the shared docker-compose.yml is /etc/docker/tailscale/nextcloud:/config
  • I just created a different directory elsewhere in place of /etc/docker/tailscale/nextcloud (e.g. /any/directory/without/sudo/) and placed my serve.json there

• I needed to map port 8080 from my host machine to the nextcloud-aio container, see below:

nextcloud-aio:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer # app requirement
    depends_on:
      - nextcloud-tailscale
    ports:
      - 8080:8080 <----------------------------

• You need to enable HTTPS & Magic DNS on tailscale. Magic DNS is a prerequisite for HTTPS actually working. See https://tailscale.com/kb/1153/enabling-https#configure-https
  • I've had issues with Magic DNS interfering with my own local DNS server in the past. To avoid this, be sure to add additional name servers when enabling Magic DNS so that your machines can fallback to any local DNS provider you might be using

[A4alli]

No need of exposing port 8080. You call [tailscal].ts.net:8443

[A4alli]

@patrick-theprogrammer there is no port assigned to nextcloud-aio, how you assess to containers? and assign domain etc?

[A4alli]

moreover have you changed anything in VM domain, /etc/hosts, /etc/hostname.

[patrick-theprogrammer]

No I did not make any changes on the host machine outside of creating the serve config file.

I didn't explicitly expose any ports or do any dns setup because that is basically what using the Tailscale docker container and Tailscale serve does for you. The Nextcloud container has network mode set to the Tailscale container, which routes all of its network traffic through the Tailscale container.

The Tailscale docs really explain this best, I would highly recommend reading through them in detail before attempting to understand how to use it for Nextcloud specifically. The setup for Nextcloud isn't fundamentally any different than using Tailscale to expose any other docker app.
https://tailscale.com/blog/docker-tailscale-guide

[A4alli]

thank you. I have gone through their documents. but still some hardship to understand completely. also in contact with Tailscale dev team.
well I just use your setup as of above. As you explained that you haven't expose any port, how can you get the initial nextcloud setup instance in which we define the domain name and that start the containers. I did try https:192.168.xx.x:8080 but get nothing

[patrick-theprogrammer]

You're welcome! I understand, these topics can be challenging to learn.

The full serve config I posted in my setup proxies https://nextcloud.yourtailnet.ts.net:8443 to the Nextcloud AIO app itself running at port 8080 within its container, so that's what you would want to use to initially access the AIO interface for setup.

Alternatively, you should be able to use the Tailscale assigned IP address of the machine called "nextcloud" (you can find this IP address in your tailscale admin console, it should start with 100). This will give you direct access to the Nextcloud AIO container's network, so you would do https://100.x.y.z:8080

[patrick-theprogrammer]

Also, I know you mentioned wanting to use a custom domain name that you own, rather than your tailnet domain. You can use something like cloudflare to make eg nextcloud.mycustomdomain.com point to nextcloud.mytailnet.ts.net.

The Tailscale team has a good video on this topic below:
https://youtu.be/Vt4PDUXB_fg?si=3_EgtfPZrhpLVVzr

There's also this cool tool that will apparently automate some of this process for you across all the apps you host through Tailscale:
https://github.com/marc1307/tailscale-cloudflare-dnssync

I've been wanting to try this myself, but haven't gotten around to it yet.

I would definitely get Nextcloud working on your tailnet before attempting any custom domain stuff since it adds a whole other layer of complexity to learn.

[Kendellb]

If Others are interested I can write up how I was able to do this without caddy using tailscale serve. I was having issues with the caddy container so decided to use serve to route traffic to the apache port when you vist nextcloud.tailnet.ts.net. So far has been working well.

[A4alli]

yes, please do write. It's good approach. I talked to Tailscale dev via email. they also suggested to use serve instead of caddy.
btw, I tried a custom domain with Tailscale but couldn't manage to run. It would be great if you have any experience to achieve it. though custom domain running with Tailscale need caddy cloudflare-dns-module

[patrick-theprogrammer]

FYI I did a write up on how to set it up that way earlier in the thread already. Feel free to add to that thread if you have any additional improvements.

[Kendellb]

@patrick-theprogrammer Ill check it out and see if I can add anything!

[Kendellb]

Go check out @patrick-theprogrammer guide above ^ my docker compose looks almost the same and same serve.json

[Kendellb]

yes, please do write. It's good approach. I talked to Tailscale dev via email. they also suggested to use serve instead of caddy. btw, I tried a custom domain with Tailscale but couldn't manage to run. It would be great if you have any experience to achieve it. though custom domain running with Tailscale need caddy cloudflare-dns-module

I havent tried that but I run a tailscale as a side car with other docker containers and use the magic dns names instead. Such as nextcloud.tail.ts.net for my nextcloud instance.

[Kerambad]

The environment Variable in the Caddyfile seems not to work for me in that way.
I had to replace: https://{env.NC_DOMAIN}:443
with: https://{$NC_DOMAIN}:443
Documentation: https://caddyserver.com/docs/caddyfile-tutorial#environment-variables

Everything else worked now, even with domain validation :)

I'm thinking if there is maybe a possibility to have variables in the compose file itself... So that I don't need the Hostname 2x

[A4alli]

@flll and @patrick-theprogrammer has done incredible work without any doubt. Bravoo <3

[Kerambad]

Sorry for the confusion, but the Damain Validation is now also not working anymore for me. I have used a wrong caddyfile at the beginning which made it working.
I have tried it again with the right file and now it's also not working. You have tho skip it.

[Kerambad]

It works for me with caddy. Just without domain validation.
But without caddy is also a good idea. I will try it when I have to set it up again for some reason.

[chamabreu]

Heyo, first of all, thank you for this guide.
I got it nearly working 100%.

2 Questions are rising:
A) My apache is always unhealthy, (tried the tips in the other comments to solve this.)
B) I cant reach collabora, it says "Could not resolve host..."

For testing purpose i connected into the docker containers, e.g. into the nextcloud-aio-nextcloud with bash, and tried to ping my tailscale network.
I could not reach any Maschine.

But i can acccess my nextcloud whatsover, everything is working.
But it seems that it tries to connect to my tailscale domain and could not reach it (for collabora).

Any suggestions?

[chamabreu]

I recreated everything last night And it worked on a fresh install.

But first I had a massive IOdelay, caused by collabora, which caused my whole server rack to went very slow.
Don't know what it was, but after some time (1 hour) now it seems it has settled in, and now it's working fluent and clean.

[chamabreu]

yes this worked

Nice to have someone who made it also work, so it's not just a coincidence! 👍

[A4alli]

its basically loopback DNS issue which can be settle on the router. but need some settings and experience, though few guides on Google. installing Tailscale on host directly solve that problem automatically without fingering in router settings

[chamabreu]

I am kind of new to routing and DNS, so this solution seems for me the best for now.
Everything else I tried was more try and error.

Will report if I feel like something is not smooth in the future.

[A4alli]

Well do try the NAT thing in router.
Moreover, what are you security and setup scan saying?

[penny-9]

I have a slight issue and I'm guessing it's a rookie error.

I put the $NC_DOMAIN as my Unraid server's full domain (the one on the tailscale network) and when I open nextcloud in the nextcloud UI, it sends me to my Unraid server's GUI.

Where have I gone wrong here?

[chamabreu]

These are my ACLs and its working:
(My tag is nextcloud-ts, u need to adapt to urs)

	"groups": {
		"group:admin": ["[email protected]"],
	},

	// Define the tags which can be applied to devices and by which users.
	"tagOwners": {
		"tag:nextcloud-ts": ["group:admin"],
	},

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "accept",
			// "src":    ["group:admin"],
			// "dst":    ["tag:nextcloud-ts:*"],
			"src": ["*"],
			"dst": ["*:*"],
		},

		// Allow users in "group:example" to access "tag:example", but only from
		// devices that are running macOS and have enabled Tailscale client auto-updating.
		// {"action": "accept", "src": ["group:example"], "dst": ["tag:example:*"], "srcPosture":["posture:autoUpdateMac"]},
	],

[penny-9]

I am speechless. Omg, thank you both so much. It was the tags!!!!!

It's all working, you absolute legends!!!!!

[chamabreu]

Does the nextcloud office work?
On my instance it can not connect...
Dunno why.

[penny-9]

If office you mean like being able to create files etc? Then yes, mines working.

[chamabreu]

I mean Nextloud Office (collabora).
https://yourNextcluodDomain.ts.net/settings/admin/richdocuments
If you enabled "Nextcloud Office" in AIO Mastercontainer and go to this link (change the domain to ur nextcloud), does it have errors?

[A4alli]

@patrick-theprogrammer your script compose.yml and serve.json is absolutely fine. The trick is in the tailscale, which also need to be installed on host machine as well. Apache container is Healthy and only three security and setup warnings which can be managed manually.

[A4alli]

I installed Tailscale on host machine and than did fresh installation. All well.

[A4alli]

@patrick-theprogrammer how to run 'occ maintenance:repair --include-expensive'

[purierca]

@flll great work with this how-to, and the comments really helped me. A few comments that may be useful to others (which could be added to your original post)

• Don't create a Nextcloud container before going through this guide, the guide creates & downloads all necessary Nextcloud files. If you already have you can follow the official Nextcloud guide to clean reset (remove) the container https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-properly-reset-the-instance
• In the Docker Compose file, it's all colons (:), there's no equal signs (=)
• About the "environment" variables, forget about that point, essentially, as they are already included in the Docker Compose file in step 2
• "Create a Caddyfile" (for noobs like me) just means create a file, in the same directory as your Docker Compose file, with file title Caddyfile and no extension
• There's a single mistake on line SKIP_DOMAIN_VALIDATION: true which should have true in quotation marks so it's recognized as a string SKIP_DOMAIN_VALIDATION: "true"

Also just a note, it might take some time to get the files all the setup ready on Tailscale's side when starting up the Docker environment. It took 10 minutes for me, having the error in the Nextcloud AIO interface "Failed to connect to server", just be patient (I tried debugging for no reason facepalm).

[chamabreu]

Thanks for participating.
But I want to correct some information:

A) Docker compose does not make a difference between "true" and true.
It both get parsed as a string.

B) with : it is a valid form for environment variables.
Just make sure you don't mix the 2 different syntaxes:

environment:
  APACHE_PORT: 11000
  APACHE_IP_BINDING: 127.0.0.1
  SKIP_DOMAIN_VALIDATION: true

And

environment:
  - APACHE_PORT=11000
  - APACHE_IP_BINDING=127.0.0.1
  - SKIP_DOMAIN_VALIDATION=true

Are the same.

Sometimes, when debugging, we find "errors" which don't exist. 😁

[purierca]

Thank you for this; we learn everyday!

[myAinsel]

Hi y’all! First of all, thank you So Much for writing this guide; I was trying to set up the AIO container with Tailscale a few months ago, and I couldn’t get the networking to work for the life of me. That said, I’m having a problem following this guide. I’ve only gotten as far as the initial docker compose up -d command. When I try to connect to the container IP for the initial setup, I just get a “Connection refused” error. On the server side, docker compose logs give the error tailscale-1 | 2024/12/08 19:49:29 netstack: could not connect to local backend server at 127.0.0.1:8080: dial tcp 127.0.0.1:8080: connect: connection refused each time I try to connect.

I’m sure this is a noob error—I’m still pretty new to both networking and containers—but could you clarify what I might be doing wrong, please?

[chamabreu]

The logs from tailscale should not relate to the try to connecting to the AIO master Container, due this should work outside of tailscale.

Find your hosts LOCAL - not tailscale - ipadress (the Server or VM which is running the docker command), and enter it into the browser with the port you defined in the docker compose file for the Master container.
So eg my host has 192.168.1.20 then enter 192.168.1.20:8080

That should lead you to the First login screen on the Master container.

[myAinsel]

Ohh, okay, thank you so much! That did the trick; I’m in the initial setup now.

[mraptakis]

Hello everyone! First I would like to say that this is an excellent guide, @flll! Thank you!

Now, I'm interested in running nextcloud-aio on a Raspberry Pi 4 Model B with 4GB of RAM. I have a 32GB SD card that runs Raspberry Pi OS 64-bit Lite and an external HDD storage with 2TB size.

It's worth mentioning that I already have managed to run nextcloud (not nextcloud-aio) with Tailscale, and I have tried this guide in order to move to Nextcloud AIO. I managed to finish the initial setup, but Tailscale's domain isn't reachable. Any ideas?

[chamabreu]

Install tailscale also native on the host machine itself.
Worked for me (and others too).

[mraptakis]

Thank you for the reply! I did and it actually worked!

But... Can someone, please, explain why it is necessary?

[chamabreu]

I think is has something to do with the /etc/resolv.conf, because this gets overridden when installing tailscale.

I think it should not be necessary, due the docker containers should use the network from the tailscale container, but this is where my knowledge ends.

[A4alli]

@patrick-theprogrammer After new Tailscale update, the setup you have describe earlier is not working. Tailscale cannot connect to endpoint. Tailscale container restarting frequently

[sym-afk]

I had similar issue and I moved from from serve config of Tailscale to caddy, but no help. Unable to connect to Nextcloud instance in Tailscale.

[chamabreu]

My tailscale with caddy setup still works, but my host machine had its resolve.conf overwritten for any reasons.
After restart, tailscale took over again the resolve.conf and it worked again.
Maybe this helps.

[A4alli]

its a Tailscale update bug. They will fix it soon. Basically bug in docker tailscale. They have posted it yesterday.

[A4alli]

https://github.com/almeidapaulopt/tsdproxy

https://almeidapaulopt.github.io/tsdproxy/

[js-surya]

https://github.com/almeidapaulopt/tsdproxy

https://almeidapaulopt.github.io/tsdproxy/

I tried it but couldn't get it working.

[A4alli]

there is something new in market. TSDPROXY. Anyone tried it?

[patrick-theprogrammer]

This is definitely something I plan to try in the future.

Basically someone took tailscale's programmatic go plugin (tsnet) and wrote their own web proxy around it. So you can have one tsdproxy container with access to the whole docker internal network rather than one docker sidecar container per app you are hosting. Should reduce complexity and resource usage when self hosting a bunch of apps.

There's some limitations in that it's not as configurable since it's not actually running the whole Tailscale app just programmatically integrating with your tailnet. For simple use it should work well though.

There's also tailscale's experimental own caddy extension https://github.com/tailscale/caddy-tailscale which has been out for a while and serves a similar purpose / is worth a look. I was never able to get this working the exact way I wanted to when it launched though, but maybe I'll try again in the future.

[A4alli]

Looking forward for that.
The new version v1.78.3 work well with the serve.json in docker. I just checked it now. Previously there was a bug in v1.78.1 tailscale for docker

[A4alli]

Well I'm confused regarding my setup. Don't know what is causing issue. I have to install tailscale on host machine separately in order to solve the DNS resolver for tailscale + nextcloud-aio in docker on same host.

[A4alli]

moreover, what if apache_bind to 127.0.0.1. instead of 0.0.0.0

[sym-afk]

Thanks @flll @A4alli . Excellent guide. Finally, I was able to run Nextcloud server locally. Silly me, I didn't enable HTTPS in tailscale admin due to which I was unable to access. Learnt a lot!!

[WinnerWind]

Hi there!
I did the setup exactly as done in the guide, I think so, have enabled HTTPS, and yet I get SSL_ERROR_INTERNAL_ERROR_ALERT when trying to connect to the tailscale domain. Where did I F-up? will produce more details if required.

Error seems to be
{"level":"info","ts":1734264936.2107675,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}. I am investigating this.

EDIT : I just fixed the UDP Buffer size, and that error doesn't show anymore, but it won't let me in due to the abovementioned error.

[A4alli]

Moreover, use tailscale serve config by @patrick-theprogrammer

[chamabreu]

Does the serve config use the serve functionality from tailscale?
Because if you don't want to open your nc instance to open world, you should try to avoid that.

[A4alli]

Serve never expose any port and not to public internet. That is funnel which do open to public internet. With caddy setup you are exposing port to internal host. But with server you can also avoid that

[WinnerWind]

Never saw this error.

May you describe on which step exactly you get this error, and which steps worked like expected?

I got this error after doing everything. The only differing step was that I couldn't run docker compose up -d due to that command being invalid.... for some reason.

[chamabreu]

Well, are the containers running then?
Because the compose up command is the command which spins it all up.
If this is not working, the whole setup is not even running.

Check with docker ps, if the containers are running.

[A4alli]

@chamabreu did you get theme error in logs? Further more did you get rid of those mime-type and email + phone warnings in Security Warning and setup tab inside nextcloud instance settings?

[chamabreu]

I did not even tried to remove them, cause they don't seem to have any impact on the instance.
I think they are not related to this specific setup.

[A4alli]

Yes not related to this setup specifically. Well phone-region is easy to get rid. For email I tried but not succeeded. And mime-type I did try but could solve

[A4alli]

One annoying thing in log is HAMS or something like it. Don't exactly remember. But this error occurs when 2FA via app for nextcloud app is setup for login.