Tailscale (and Caddy as a sidecar) Reverse Proxy

[flll]

Disclaimer: It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!

This setup integrates Nextcloud All-in-One (AIO) with Tailscale, using Caddy as a reverse proxy.
Since Tailscale currently only allows communication with localhost(127.0.0.1), we use a sidecar with Caddy to communicate with AIO.

• Enhanced security with ACL usage within Tailnet
• ACME certificate issuance without port forwarding (Tailnet only)
• Possibility to expose Nextcloud externally using Tailscale's serve.json configuration (This document does not provide an example of serve.json)

1. Set Environment Variables

Set the following environment variables:

TS_HOSTNAME=nextcloud # Hostname in Tailnet
NC_DOMAIN=nextcloud.your-tailnet.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage

Note

We will not create a .env file, but instead write directly into the compose.yml file later.
If you do create a .env file, compose will automatically read it. In this case, set the key-value format in service[].environment[] of the compose.yml to keys only, allowing compose to pass variables to the service.

Ensure NC_DOMAIN is in the correct format.
When using OAuth client key, set tags in TS_EXTRA_ARGS and define them in ACL.

For more detailed information, please refer to:
https://tailscale.com/blog/docker-tailscale-guide

2. Configure Docker Compose File

Create a compose.yml file with the following content. Replace environment variables as appropriate.

compose.yml

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN: nextcloud.your-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      - TS_AUTH_KEY: tskey-client-kXGGbs6CNTRL # OAuth client key recommended
      - TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Important

Make sure to replace NC_DOMAIN, TS_HOSTNAME, TS_AUTH_KEY, and TS_EXTRA_ARGS with your actual values before running the docker compose file.

3. Create Caddyfile

Create a Caddyfile in the current directory with the following content:

Caddyfile

https://{$NC_DOMAIN}:443 {
    reverse_proxy nextcloud-aio-apache:11000
}

Note

Do not manually replace the {$NC_DOMAIN} variable. It will be automatically populated with the value set in your environment variables.

4. Set Up Nextcloud AIO

1. Run docker compose up -d
2. Connect to https://ip.address.of.server:8080/
3. Enter the configured $NC_DOMAIN
4. Provision Nextcloud
5. Connect to https://$NC_DOMAIN/ (e.g., https://nextcloud.your-tailnet.ts.net/)
6. Setup complete!

[darkgrid]

hi ,
i dont know much , where do we need to make the environment file and the caddy file

[flll]

The .env file and Caddyfile should be placed in the current directory where the docker compose.yml file is located. They will be automatically read when you run 'compose up'.
However, since there are only a few variables, it might be more convenient to write them directly in the docker compose.yml file instead.
This approach simplifies your setup and makes it easier to manage your configuration in a single file.

[szaimen]

However, since there are only a few variables, it might be more convenient to write them directly in the docker compose.yml file instead.

Indeed, maybe this would make the guide even easier?

[szaimen]

btw @flll did you already tested features like Nextcloud office and Nextcloud talk in this kind of setup? Do they work?

[flll]

Yes, I've been running this setup for a few weeks now, and
so far I've been able to use Talk, Office, and other features without any errors.

[szaimen]

Nice!

[szaimen]

See #5460

[A4alli]

This is amazing @flll , I am trying to achieve the same since a month. But I am not using docker. Can you KINDLY make a script like the one for nextcloud with nginx as server, caddy as reverse proxy, tailscale and cloudflare as DNS.
I have posted in nextcloud help desk today. Have a look to my conf,config,PHP,nginx, caddy files, https://help.nextcloud.com/t/nextcloud-tailscale-cloudflare-as-dns-and-caddy-as-reverse-proxy/207463 please

regards

[A4alli]

Thankyou for the kind advice. I will go for it on Monday. Well I thought that I already am in lcx,doesn't it mean the same docker hardening?

[A4alli]

Can you please enlighten the disadvantage?

[A4alli]

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

[flll]

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

I would recommend using Kubernetes or Docker Swarm.
If you're using compose, using Swarm would provide compatibility.
I'm not familiar with this guide, so please try it yourself.

[flll]

Can you please enlighten the disadvantage?

Docker-based deployment has very few disadvantages.
The only real drawback is the learning curve required to master Docker.

[abe-101]

A few weeks ago I:

• setup my server with nginx (and the cloudflare pugin)
• set a dns record nextcloud.mydomain.com pointing to the tailscale internal ip of the server
• generate a cert with certbot (certbot uses a cloudflare api key - as its not open to the web)
• setup nextcloud-aio with nginx per the docs

now my nextcloud is only available on devices on my tailscale
So far haven't had any issues

[A4alli]

my nginx.conf are

click!

user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
  worker_connections 2048;
  multi_accept on;
  use epoll;
  }
http {
  log_format criegerde escape=json  # *criegerde not know to me why I put this. Assist if need amendment, please
  '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"remote_user":"$remote_user",'
    '"request":"$request",'
    '"status": "$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"request_time":"$request_time",'
    '"http_referrer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
  '}';
  server_names_hash_bucket_size 64;
  access_log /var/log/nginx/access.log criegerde;   # *criegerde
  error_log /var/log/nginx/error.log warn;
  set_real_ip_from 100.110.210.310 192.168.10.20;   #1st IP is of caddy lxc tailscale which run inside the caddy lxc and 2nd IP is actual IP address of caddy LXC container.
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  sendfile on;
  send_timeout 3600;
  tcp_nopush on;
  tcp_nodelay on;
  open_file_cache max=500 inactive=10m;
  open_file_cache_errors on;
  keepalive_timeout 65;
  reset_timedout_connection on;
  server_tokens off;
  resolver 1.1.1.1 1.0.0.1 valid=30s;  # as of cloudflare DNS, assist if need amendment, please
  resolver_timeout 5s;
  include /etc/nginx/conf.d/*.conf;

[flll]

Is your configuration something like this?
[tailnet]-->[host-tailscaled]-->[nginx-ssl]-->[nextcloud-aio-apache]-->[nextcloud]
When using Tailscale VPN, the connection is always encrypted, so encryption by Nginx is redundant and unnecessary. Double encryption adds extra load, which is not recommended. Let's leave the internal communication unencrypted and rely on Tailscale for security.
For external access, you can use Tailscale's funnel feature to expose your service to the internet, complete with SSL certificates.
Also, even if you have Tailscale deployed on the host server, you can still deploy Tailscale in Docker containers.
This guide is about creating a new hostname within the Tailnet and making it accessible from within the Tailnet.
@abe-101

[A4alli]

@flll what about my case?

[flll]

@A4alli
If I were to comment, I might suggest changing the resolver from 1.1.1.1 1.0.0.1 to 100.100.100.100, or note that the PHP handler isn't specified (though it might be in /etc/nginx/conf.d/.conf files). Otherwise, the nginx.conf looks fine.
If you can flexibly configure Nextcloud in detail and maintain it yourself, installing directly on the host can be a good approach. However, it's a legacy method, so migrating to a container-based setup is also a viable option.
The deployment process for nextcloud-aio is thoroughly documented in the AIO repository. Why not give it a try?

[A4alli]

Yes, I have surf the whole internet and found that nextxloud AIO is very very well documented. BTW I adopted legacy approach and deployed nextcloud. Nginx,php directly on the host in proxmox VM.

[abishekmuthian]

Thank you for your work @flll .

But no matter how many times I try the procedure, the hostname I give in the compose environment doesn't get created in the tailscale and rather a random ephemeral hostname is created after manually authenticating using the url in the log.

tailscale-1                    | To authenticate, visit:
tailscale-1                    | 
tailscale-1                    | 	https://login.tailscale.com/a/6ff94430152e1
tailscale-1                    | 


tailscale-1                    | 2024/10/24 14:53:12 health(warnable=no-derp-connection): error: Tailscale could not connect to the relay server with ID '0'. Your Internet connection might be down, or the server might be temporarily unavailable.

My Internet and Network connection is fine.

But I cannot log into the nextcloud instance even with the the randomly generated hostname in my tailnet.

[abishekmuthian]

No, I'm deleting all containers and NEXTCLOUD_DATADIR each time as per official reset guidelines - https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-properly-reset-the-instance .

I deleted the .env file and tried again with same results i.e. $TS_HOSTNAME is empty.

Something interesting I notice is that in some containers nextcloud is misspelled as nextlcloud ,

CLICK!

[abishek@macubex nextlcoud-docker]$ docker compose down
[+] Running 4/4
 ✔ Container nextlcoud-docker-caddy-1       Removed                                                                                                                0.1s 
 ✔ Container nextcloud-aio-mastercontainer  Removed                                                                                                                0.2s 
 ✔ Container nextlcoud-docker-tailscale-1   Removed                                                                                                                0.1s 
 ✔ Network nextcloud-aio                    Removed                                                                                                                1.0s 
[abishek@macubex nextlcoud-docker]$ docker compose up
[+] Running 4/4
 ✔ Network nextcloud-aio                    Created                                                                                                                0.7s 
 ✔ Container nextcloud-aio-mastercontainer  Created                                                                                                                1.0s 
 ✔ Container nextlcoud-docker-tailscale-1   Created                                                                                                                0.9s 
 ✔ Container nextlcoud-docker-caddy-1       Created 

This is is the case even after several resets and I don't see any misspelling in my compose file -

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      NEXTCLOUD_DATADIR: /run/media/abishek/NextCloudStorage
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN = nextcloud.[redacted].ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME = nextcloud # Enter the hostname for your tailnet
      - TS_AUTH_KEY = tskey-client-[redacted] # OAuth client key recommended
      - TS_EXTRA_ARGS = --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

[flll]

- - TS_HOSTNAME = nextcloud
+ - TS_HOSTNAME=nextcloud

There should be no space between the key and value in the key-value pair.

[abishekmuthian]

That was it, I'm into nextcloud! Thank you so much my Japanese friend. The docker compose file as in the guide complained of map and kepair format and so I edited it but didn't know that space will cause issues.

I see couple of errors in the caddy log of refusing connection to fonts.json, should I be concerned?

nextcloud-aio-tailscale-caddy-1  | {"level":"error","ts":1729844319.020331,"logger":"http.log.error","msg":"dial tcp: lookup nextcloud-aio-apache on 127.0.0.11:53: no such host","request":{"remote_ip":"127.0.0.1","remote_port":"55868","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"nextcloud.tortoise-moth.ts.net","uri":"/apps/richdocuments/settings/fonts.json","headers":{"Date":["Fri, 25 Oct 2024 08:18:17"],"User-Agent":["COOLWSD HTTP Agent 24.04.8.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"nextcloud.tortoise-moth.ts.net"}},"duration":0.012385143,"status":502,"err_id":"64di74n3m","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

Also two more questions,

1. nextcloud host in the Tailscale has a ephemeral label, is it supposed to be one?

2. Can I edit the ACL in Tailscale e.g. like adding admin group like how you showed in the another comment after I deploy? Because if I change the "autogroup:admin" to "group:admin" I'm unable to reach my next cloud instance. Is it because it should have been done before deployment of the host with the nextcloud tag?

[flll]

This error seems to be due to Caddy failing to connect to nextcloud-aio-apache.
This is likely happening because Caddy is being executed before Apache starts up.
Clicking the "start container" button in nextcloud-aio should start both Nextcloud and Apache.
You can safely ignore this initially.

Regarding the ephemeral label for the Nextcloud host in Tailscale:

Yes, using an OAuth key makes it ephemeral.
Ephemeral nodes will reset when restarted.
While you can configure it as non-ephemeral, this will create new nodes (nextcloud-1, nextcloud-2, nextcloud-3...) every time you restart.
Please refer to the official "Tailscale on Docker" documentation for more details.

Regarding ACL editing in Tailscale:

1. ACLs work dynamically and apply immediately. If connectivity is lost right after making changes, there's likely an issue with the ACL configuration.

2. "autogroup:admin" is automatically generated by the tailscale-admin-console.
   If changing from autogroup to group causes loss of connectivity, it's likely because either:

• group:admin is undefined
• ACL is missing

Example ACL configuration:

{
	"groups": {
		"group:admin": ["example@mail.jp", "flll@github"],
		"group:azuki": ["tuyu@azuki.com"],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:nextcloud:*"],
		},
        ]
}

Note that "autogroup:admin" and "group:admin" are completely different groups.
If you want to make Nextcloud accessible to all members or external users, set src to "*" and dst to "*:*".

Please refer to Tailscale's autogroup documentation for more details.

[flll]

Thank you

Thank you as well. I was able to respond quickly because I've made the same mistake before, haha.
Thank you for your question.(o・ω・o)

[rzimmerdev]

Did anyone get this error?

docker compose up
[+] Running 3/0
✔ Container nextcloud-aio-mastercontainer Created 0.0s
✔ Container maverick-caddy-1 Recreated 0.1s
✔ Container maverick-tailscale-1 Recreated 0.1s
Attaching to caddy-1, tailscale-1, nextcloud-aio-mastercontainer

tailscale-1 | boot: 2024/10/24 22:18:21 Running 'tailscale up'
tailscale-1 | Status: 400, Message: "requested tags [tag:nextcloud] are invalid or not permitted"
tailscale-1 | boot: 2024/10/24 22:18:22 failed to auth tailscale: failed to auth tailscale: tailscale up failed: exit status 1
...
tailscale-1 | boot: 2024/10/24 22:18:23 [warning] failed to symlink socket: file exists
tailscale-1 | To interact with the Tailscale CLI please use tailscale --socket="/tmp/tailscaled.sock"

[abishekmuthian]

Same situation here, Did you see the logs; does the Tailscale ask you to authenticate manually with an auth URL? Nevertheless even doing so doesn't make any difference apart from creating a random ephemeral hostname in the Taiscale which doesn't wokr with Nextcloud.

[Kendellb]

I am also having the same issue

here is my config file:

CLICK!

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8195:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
      - SKIP_DOMAIN_VALIDATION=true
      - NEXTCLOUD_DATADIR=/datastore/nextcloud/datadir
      - NEXTCLOUD_MOUNT=/datastore/nextcloud/
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN=homeserver.tailv2133.ts.net
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME=homeserver # Enter the hostname for your tailnet
      - TS_AUTH_KEY=tskey-client-
      - TS_EXTRA_ARGS=--advertise-tags=tag:container # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

In the master container logs get this error:

NOTICE: PHP message: Not pulling the image for the nextcloud/aio-domaincheck container because docker hub does not seem to be reachable.
NOTICE: PHP message: Could not start domaincheck container: Could not create container nextcloud-aio-domaincheck: Client error: `POST http://127.0.0.1/v1.41/containers/create?name=nextcloud-aio-domaincheck` resulted in a `404 Not Found` response:
{"message":"No such image: nextcloud/aio-domaincheck:latest"}

checked tailscale logs and getting this error
2024/10/25 03:24:17 logtail: upload: log upload of 2604 bytes compressed failed: Post "https://log.tailscale.io/c/tailnode.log.tailscale.io/186b66569ec88d07a71fa7f708bc1caa8ca685e7c18661eab73821777896797d": dial tcp [IPV6address]:443: connect: network is unreachable

[Kendellb]

I am also having the same issue

In the master container logs get this error:

NOTICE: PHP message: Not pulling the image for the nextcloud/aio-domaincheck container because docker hub does not seem to be reachable.
NOTICE: PHP message: Could not start domaincheck container: Could not create container nextcloud-aio-domaincheck: Client error: `POST http://127.0.0.1/v1.41/containers/create?name=nextcloud-aio-domaincheck` resulted in a `404 Not Found` response:
{"message":"No such image: nextcloud/aio-domaincheck:latest"}

checked tailscale logs and getting this error 2024/10/25 03:24:17 logtail: upload: log upload of 2604 bytes compressed failed: Post "https://log.tailscale.io/c/tailnode.log.tailscale.io/186b66569ec88d07a71fa7f708bc1caa8ca685e7c18661eab73821777896797d": dial tcp [IPV6address]:443: connect: network is unreachable

I also have gone through the reverse proxy debug guide and am getting and output of 1 when i run inside the tailscale-caddy-1 container
nc -z localhost 11000; echo $?

[flll]

Hmm...
It's probably a discrepancy in the ACL settings, or
Maybe because it's set to "tailv2133.ts.net" and the default "tainet-name", it might be better to generate a new one??? Just a guess though.

CLICK!

1. Create a tag for Nextcloud in the ACL settings.
   

{
	"groups": {
		"group:admin": ["example@mail.jp"],
	},
	"tagOwners": {
		"tag:nextcloud":  ["autogroup:admin", "group:azuki"],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:nextcloud:*"],
		},
	],
	"nodeAttrs": [
		{
			"target": ["group:admin", "tag:nextcloud"],
			"attr":   ["funnel"],
		},
	],
}

2. Go to OAuth Clients in the settings and click on Generate.
   

3. Set the Device permission to Write.
   

4. Select the tag you created earlier.

5. Enter the key that starts with "ts-" into the variable.

6. reboot container!

[flll]

I think there might be a need for it, so I'll provide the compose.yml that I'm actually using in operation. It's almost the same as what's written in the guide.
Please excuse the comments being in Japanese.

CLICK!

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # この行は変更できません。
    volumes:
      - type: volume
        source: nextcloud_aio_mastercontainer
        target: /mnt/docker-aio-config
        volume:
          nocopy: true
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:4445:8080
    environment: # 以下のオプションのいずれかを使用する場合に必要です
      AIO_DISABLE_BACKUP_SECTION: false # これをtrueに設定すると、AIOインターフェースのバックアップセクションを非表示にできます。https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section を参照してください
      APACHE_PORT: 11000 # Webサーバーやリバースプロキシの背後で実行する場合に必要です。https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md を参照してください
      APACHE_IP_BINDING: 127.0.0.1 # 同じホスト上で実行されているWebサーバーやリバースプロキシの背後で実行する場合に設定する必要があります。https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md を参照してください
      SKIP_DOMAIN_VALIDATION: true
      BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # borgの保持ポリシーを調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy を参照してください
      COLLABORA_SECCOMP_DISABLED: false # これをtrueに設定すると、CollaboraのSeccomp機能を無効にできます。https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature を参照してください
      NEXTCLOUD_DATADIR: /mnt/hdd_toshiba/ncdata # Nextcloudのデータディレクトリのホストディレクトリを設定できます。⚠️⚠️⚠️ 警告：初期のNextcloudインストールが完了した後にこの値を設定または調整しないでください！https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir を参照してください
      NEXTCLOUD_MOUNT: /mnt/hdd_toshiba # Nextcloudコンテナがホストäã®選択したディレクトリにアクセスできるようにします。https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host を参照してください
      NEXTCLOUD_UPLOAD_LIMIT: 10G # より多くが必要な場合は調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud を参照してください
      NEXTCLOUD_MAX_TIME: 7200 # より多くが必要な場合は調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud を参照してください
      NEXTCLOUD_MEMORY_LIMIT: 1024M # より多くが必要な場合は調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud を参照してください
      #NEXTCLOUD_TRUSTED_CACERTS_DIR: /usr/local/share/ca-certificates # このディレクトリ内のCA証明書は、nextcloudコンテナのOSによって信頼されます（例：LDAPSに有用）。https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca を参照してください
      NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # AIOを初めて起動する際にインストールされるNextcloudアプリを変更できます。https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup を参照してください
      NEXTCLOUD_ADDITIONAL_APKS: imagemagick # Nextcloudコンテナに追加のパッケージを永続的に追加できます。デフォルトはimagemagickですが、この値を変更することで上書きできます。https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container を参照してください
      NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # Nextcloudコンテナに追加のPHP拡張機能を永続的に追加できます。デフォルトはimagickですが、この値を変更することで上書きできます。https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container を参照してください
      #NEXTCLOUD_ENABLE_DRI_DEVICE: false # Nextcloudコンテナで/dev/driデバイスを有効にできます。⚠️⚠️⚠️ 警告：これはホスト上に'/dev/dri'デバイスが存在する場合にのみ機能します！ホスト上に存在しない場合は、trueに設定しないでください。そうしないとNextcloudコンテナが起動に失敗します！https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud を参照してください
      #NEXTCLOUD_KEEP_DISABLED_APPS: false # これをtrueに設定すると、AIOインターフェースで無効化されているNextcloudアプリを保持し、インストールされている場合はアンインストールしません。https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps を参照してください
      TALK_PORT: 3478 # talkコンテナが使用するポートを調整できます。https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port を参照してください
      WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # ホスト上のdockerソケットがデフォルトの'/var/run/docker.sock'にない場合に指定する必要があります。そうしないとマスターコンテナの更新が失敗します。macOSの場合は'/var/run/docker.sock'である必要があります
      APACHE_MAX_SIZE: 10737418240 # これは整数である必要があり、NEXTCLOUD_UPLOAD_LIMITと同期している必要があります。
    security_opt: ["label:disable"] # SELinuxを使用する場合に必要です


  nextcloud-aio-tailscale-caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN=nextcloud.qilin-scala.ts.net # {$TS_HOSTNAME}.{tailnet-domain}という.ts.netで終わるドメインに変更してください
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # /var/run/tailscale/tailscale.sockのボリュームをマウント
        read_only: true
    network_mode: service:nextcloud-aio-tailscale

  nextcloud-aio-tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME=nextcloud # tailnetでのホスト名を入力してください
      - TS_AUTH_KEY=tskey-client-kbjbruk4Vm11CNTRL # OAuth clientsのkeyを取得することをオススメします
      - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # OAuth client-tskeyを使う場合、advertise-tagsにtagを付与するようにしてください。tagを作成するにはACLにタグを定義する必要があります。
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # /tmp/tailscale.sockのボリュームをマウント
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # この行は変更できません。変更すると組み込みのバックアップソリューションが機能しなくなります
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock

networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001"
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1"

If there are no discrepancies in the settings with this yml, then there's probably a misconfiguration in the Tailscale admin console.

@Kendellb @abishekmuthian @rzimmerdev

[SteveImmanuel]

Nice guide! Thanks so much.
One issue that I found during my deployment is that the compose file syntax. Particulary the environment in the caddy and tailscale service. They need to be in key:pair format or map format. So either use:

environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net

or

environment:
      - NC_DOMAIN=nextcloud.your-tailnet.ts.net

Note: same goes for the tailscale service environment.

[SteveImmanuel]

Follow up.

After provisioning the nextcloud, I haven't been able to connect using the NC_DOMAIN because of connection timed out.
Looking at the log from nextcloud-aio-nextcloud I got:

...
+ set +x
[25-Oct-2024 14:41:44] NOTICE: fpm is running, pid 501
[25-Oct-2024 14:41:44] NOTICE: ready to handle connections
Activating Collabora config...
✓ Reset callback url autodetect
Checking configuration
🛈 Configured WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured public WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured callback URL: 

Failed to fetch discovery endpoint from https://nextcloud.tail42526.ts.net
cURL error 28: Connection timed out after 5002 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.tail42526.ts.net/hosting/discovery

Any idea why?

[flll]

Please check the following conditions:

• Whether nextcloud-aio is defined correctly as specified in compose.yml
• Whether the nextcloud-aio network defined in compose.yml is created before nextcloud-aio-apache and nextcloud-aio-nextcloud start up.

If you need to redo it, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

[SteveImmanuel]

Hmm everything looks to be correct so I am not sure what is causing the problem.
In the machine that I am trying to deploy, I actually also add it as the client in my tailscale network using:

curl -fsSL https://tailscale.com/install.sh | sh

So, after deploying the nextcloud-aio, there are two clients in my tailscale network which are actually the same device, both both are ping-able. Is it possible that might cause a conflict or something?

[SteveImmanuel]

Update: for some reason, now it works. All I did was simply reset and restart the process several times so I'm not really sure what was the problem as I didn't change any of the configuration file.

[blazing-ph0enix]

Okay, one question:

Should I "sudo dnf install tailscale" on my host, then follow all this docker compose things? because how would I declare ACL dst 'nextcloud.your-tailnet.ts.net'? Or do I add my device manually in tailscale admin?

I might be very less informed about ACL and tags, but I am trying to learn and doing all this to use nextcloud-aio is tiring, but I am trying my best.

Thanks!

PS: I was using this

{
  "tagOwners": {
    "tag:nextcloud": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:nextcloud"],
      "dst": ["nextcloud.your-tailnet.ts.net:*"]
    }
  ]
}

[flll]

{
"acls": [
    {
      "action": "accept",
      "src": ["autogroup:admin","tag:trust"],
      "dst": ["tag:nextcloud:*"]
    }
  ]
}

It is recommended to specify tags for "src" and "dst"

src=tag:nextcloud
dst=tag:nextcloud

Users and nodes that have the same tag can communicate by default.
For more details, please refer to the official Tailscale documentation.

[blazing-ph0enix]

{
"acls": [
    {
      "action": "accept",
      "src": ["autogroup:admin","tag:trust"],
      "dst": ["tag:nextcloud:*"]
    }
  ]
}

It is recommended to specify tags for "src" and "dst"

src=tag:nextcloud
dst=tag:nextcloud

Users and nodes that have the same tag can communicate by default.
For more details, please refer to the official Tailscale documentation.

Hey, I tried to do it myself (just saw your reply), and everything went well, it's just my nextcloud-aio-apache container is "unhealthy" and I can't connect to "NC_domain" like "fedora.tail12345f.ts.net", it says "Problem loading page".

My docker logs apache says:

Waiting for Nextcloud to start...
Connection to nextcloud-aio-nextcloud (172.18.0.7) 9000 port [tcp/*] succeeded!
[Fri Oct 25 14:28:27.885349 2024] [mpm_event:notice] [pid 457:tid 457] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
[Fri Oct 25 14:28:27.885431 2024] [core:notice] [pid 457:tid 457] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'
{"level":"info","ts":1729846707.9613962,"msg":"using config from file","file":"/tmp/Caddyfile"}
{"level":"info","ts":1729846707.9638352,"msg":"adapted config to JSON","adapter":"caddyfile"}
Connection to nextcloud-aio-nextcloud (172.18.0.7) 9000 port [tcp/*] succeeded!
[Fri Oct 25 15:08:12.771040 2024] [mpm_event:notice] [pid 31:tid 31] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
[Fri Oct 25 15:08:12.772554 2024] [core:notice] [pid 31:tid 31] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'
{"level":"info","ts":1729849092.9108617,"msg":"using config from file","file":"/tmp/Caddyfile"}
{"level":"info","ts":1729849092.9200666,"msg":"adapted config to JSON","adapter":"caddyfile"}

and docker logs nextcloud-aio-mastercontainer says:

NOTICE: PHP message: Not starting nextcloud-aio-apache because it was already started.
NOTICE: PHP message: 404 Not Found
Type: Slim\Exception\HttpNotFoundException
Code: 404
Message: Not found.
File: /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php
Line: 76
Trace: #0 /var/www/docker-aio/php/vendor/slim/slim/Slim/Routing/RouteRunner.php(62): Slim\Middleware\RoutingMiddleware->performRouting(Object(GuzzleHttp\Psr7\ServerRequest))
#1 /var/www/docker-aio/php/vendor/slim/csrf/src/Guard.php(482): Slim\Routing\RouteRunner->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#2 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(177): Slim\Csrf\Guard->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Slim\Routing\RouteRunner))
#3 /var/www/docker-aio/php/vendor/slim/twig-view/src/TwigMiddleware.php(117): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#4 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Views\TwigMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#5 /var/www/docker-aio/php/src/Middleware/AuthMiddleware.php(36): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#6 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(280): AIO\Middleware\AuthMiddleware->__invoke(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#7 /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(77): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#8 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Middleware\ErrorMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#9 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(73): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#10 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(209): Slim\MiddlewareDispatcher->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#11 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(193): Slim\App->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#12 /var/www/docker-aio/php/public/index.php(186): Slim\App->run()
#13 {main}
Tips: To display error details in HTTP response set "displayErrorDetails" to true in the ErrorHandler constructor.

Thanks

[blazing-ph0enix]

Hey @flll

What I did:

1. Sudo dnf install tailscale
2. Setup my host with tailscale, named "fedora"
3. Made ACL like this:

{
	"tagOwners": {
		"tag:fedora": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:fedora"],
			"dst":    ["Tailscale_ip_of_fedora:*"]
		}
	]
}

4. Followed your guid
5. There was a new machine in my tailscale, named Fedora-1
6. Can't access nextcloud
7. Apache container unhealthy
8. Problem loading site for my NC_DOMAIN

I am sure I misunderstood a lot of things, looking for pointers, thanks!

[blazing-ph0enix]

New Setup:

1. Only one machine on Tailscale (that too the one from docker compose file tailscale)
2. ACL:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:nextcloud:*"]
		}
	]
}

3. Still Apache container unhealthy
4. All other container working well, but the apache logs and master container logs are same as earlier

[flll]

My docker logs apache says:
This is normal.

Please check the following conditions:

• The guide's compose.yml starts before nextcloud-aio-apache
• The nextcloud-aio network in compose.yml is properly applied

If it's not working even though the order is correct, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

New Setup

Please configure ACL according to your environment.
If you want to try a configuration unrelated to the guide, please refer to the official documentation.