Tailscale (and Caddy as a sidecar) Reverse Proxy

[flll]

Disclaimer: It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!

This setup integrates Nextcloud All-in-One (AIO) with Tailscale, using Caddy as a reverse proxy.
Since Tailscale currently only allows communication with localhost(127.0.0.1), we use a sidecar with Caddy to communicate with AIO.

• Enhanced security with ACL usage within Tailnet
• ACME certificate issuance without port forwarding (Tailnet only)
• Possibility to expose Nextcloud externally using Tailscale's serve.json configuration (This document does not provide an example of serve.json)

1. Set Environment Variables

Set the following environment variables:

TS_HOSTNAME=nextcloud # Hostname in Tailnet
NC_DOMAIN=nextcloud.your-tailnet.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage

Note

We will not create a .env file, but instead write directly into the compose.yml file later.
If you do create a .env file, compose will automatically read it. In this case, set the key-value format in service[].environment[] of the compose.yml to keys only, allowing compose to pass variables to the service.

Ensure NC_DOMAIN is in the correct format.
When using OAuth client key, set tags in TS_EXTRA_ARGS and define them in ACL.

For more detailed information, please refer to:
https://tailscale.com/blog/docker-tailscale-guide

2. Configure Docker Compose File

Create a compose.yml file with the following content. Replace environment variables as appropriate.

compose.yml

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  nextcloud-aio-caddy:
    build:
      context: .
      dockerfile: Caddy.Dockerfile
    depends_on:
      nextcloud-aio-tailscale:
        condition: service_healthy
    restart: unless-stopped
    environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:nextcloud-aio-tailscale
  nextcloud-aio-tailscale:
    image: tailscale/tailscale:v1.80.3
    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      TS_AUTH_KEY: tskey-client-kXGGbs6CNTRL # OAuth client key recommended
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    healthcheck:
      test: tailscale status --peers=false --json | grep 'Online.*true'
      start_period: 3s
      interval: 1s
      retries: 3
    restart: unless-stopped
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "1280" # You can set this to 9001 etc. to use jumbo frames, but packets may be dropped.
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Important

Make sure to replace NC_DOMAIN, TS_HOSTNAME, TS_AUTH_KEY, and TS_EXTRA_ARGS with your actual values before running the docker compose file.

3. Create Caddyfile and Caddy.Dockerfile

Create a Caddyfile in the current directory with the following content:

Caddyfile

{
    layer4 {
        127.0.0.1:3478 {
            route {
                proxy {
                    upstream nextcloud-aio-talk:3478
                }
            }
        }
        127.0.0.1:3479 {
            route {
                proxy {
                    upstream nextcloud-aio-talk:3479
                }
            }
        }
    }
}
https://{$NC_DOMAIN} {
    reverse_proxy nextcloud-aio-apache:11000
}
http://{$NC_DOMAIN} {
    reverse_proxy nextcloud-aio-apache:11000
}

Note

Do not manually replace the {$NC_DOMAIN} variable. It will be automatically populated with the value set in your environment variables.

Create Caddy.Dockerfile

FROM caddy:2.9.1-builder-alpine AS builder
RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03

FROM caddy:2.9.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

4. Set Up Nextcloud AIO

1. Run docker compose up --build --wait and docker compose logs --follow
2. Connect to https://ip.address.of.server:8080/
3. Enter the configured $NC_DOMAIN
4. Provision Nextcloud
5. Connect to https://$NC_DOMAIN/ (e.g., https://nextcloud.your-tailnet.ts.net/)
6. Setup complete!

If it doesn't work

Please try the following:

• Try setting OAuth permissions to ALL
• If it times out, check your firewall logs
• We recently updated docker-compose.yml, so please try again

Docker Reset Commands

If things don't work, use the following commands to reset

Caution

⚠️ Running these commands will reset all Docker containers, volumes, networks, etc.!
Only use this if nothing else works.

CLICK!

docker compose down
docker kill $(docker ps -q)
docker remove $(docker ps -q -a)
docker rmi $(docker image ls -q)
docker volume remove $(docker volume ls -q)
docker network remove $(docker network ls -q)
docker system prune -a --volumes

sudo systemctl daemon-reload
sudo systemctl restart NetworkManager
sudo systemctl restart network
sudo systemctl restart docker

After force stopping, check that the Nextcloud entry is no longer visible in the Tailscale admin console

• Make sure to delete this item before proceeding with step 4. Set Up Nextcloud AIO.
• There is a possibility that the Tailscale route cache has not been cleared yet, so please restart the client-side PC just in case.

Thank you for your advice, frazar

[darkgrid]

hi ,
i dont know much , where do we need to make the environment file and the caddy file

[margotwolfe]

log file is pretty long, gonna attach it below. i'm fairly new to this so I'm not 100% sure what to make of it.
output.log

[frazar]

I believe you have a typo in your Caddyfile. Can you add $ before NC_DOMAIN like shown in the guide?

[margotwolfe]

You are correct, I had missed the $ before NC_DOMAIN. now that I have that fixed, is it as simple as stopping the containers and restarting them, or is there a different process i should do?

[frazar]

This should be sufficient

docker compose down 
docker compose up

[margotwolfe]

awesome, was able to close it down and restart it, Caddy is happier now, but I'm still having DNS issues. Going thru the docker resource about it, but not 100% how i will go about fixing it.

edit: realizing the log is throwing a fit about bridge-nf-call-iptables is disabled and bridge-nf-call-ip6tables is disabled
I am using nftables and firewalld on the host machine if that context is important

[flll]

Yes, I've been running this setup for a few weeks now, and
so far I've been able to use Talk, Office, and other features without any errors.

[szaimen]

Nice!

[szaimen]

See #5460

[A4alli]

This is amazing @flll , I am trying to achieve the same since a month. But I am not using docker. Can you KINDLY make a script like the one for nextcloud with nginx as server, caddy as reverse proxy, tailscale and cloudflare as DNS.
I have posted in nextcloud help desk today. Have a look to my conf,config,PHP,nginx, caddy files, https://help.nextcloud.com/t/nextcloud-tailscale-cloudflare-as-dns-and-caddy-as-reverse-proxy/207463 please

regards

[A4alli]

Thankyou for the kind advice. I will go for it on Monday. Well I thought that I already am in lcx,doesn't it mean the same docker hardening?

[A4alli]

Can you please enlighten the disadvantage?

[A4alli]

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

[flll]

with that AIO, can caddy be installed on different separate container/ VM . ( for example: caddy in a separate proxmox LCX container and nextcloud AIO in a separate Proxmox VM. but both VM and LXC are on same network but different subnets. Is this possible?

I would recommend using Kubernetes or Docker Swarm.
If you're using compose, using Swarm would provide compatibility.
I'm not familiar with this guide, so please try it yourself.

[flll]

Can you please enlighten the disadvantage?

Docker-based deployment has very few disadvantages.
The only real drawback is the learning curve required to master Docker.

[abe-101]

I used the nginx.conf from the projects readme (link in my original comment)

What is nextcloid.conf? Never heard of that

I simply used the docker compose from the README (I had to comment and uncomment some lines)

[A4alli]

apology, it's nextcloud.conf.

[flll]

Is your configuration something like this?
[tailnet]-->[host-tailscaled]-->[nginx-ssl]-->[nextcloud-aio-apache]-->[nextcloud]
When using Tailscale VPN, the connection is always encrypted, so encryption by Nginx is redundant and unnecessary. Double encryption adds extra load, which is not recommended. Let's leave the internal communication unencrypted and rely on Tailscale for security.
For external access, you can use Tailscale's funnel feature to expose your service to the internet, complete with SSL certificates.
Also, even if you have Tailscale deployed on the host server, you can still deploy Tailscale in Docker containers.
This guide is about creating a new hostname within the Tailnet and making it accessible from within the Tailnet.
@abe-101

[A4alli]

@flll what about my case?

[flll]

@A4alli
If I were to comment, I might suggest changing the resolver from 1.1.1.1 1.0.0.1 to 100.100.100.100, or note that the PHP handler isn't specified (though it might be in /etc/nginx/conf.d/.conf files). Otherwise, the nginx.conf looks fine.
If you can flexibly configure Nextcloud in detail and maintain it yourself, installing directly on the host can be a good approach. However, it's a legacy method, so migrating to a container-based setup is also a viable option.
The deployment process for nextcloud-aio is thoroughly documented in the AIO repository. Why not give it a try?

[abishekmuthian]

Thank you for your work @flll .

But no matter how many times I try the procedure, the hostname I give in the compose environment doesn't get created in the tailscale and rather a random ephemeral hostname is created after manually authenticating using the url in the log.

tailscale-1                    | To authenticate, visit:
tailscale-1                    | 
tailscale-1                    | 	https://login.tailscale.com/a/6ff94430152e1
tailscale-1                    | 


tailscale-1                    | 2024/10/24 14:53:12 health(warnable=no-derp-connection): error: Tailscale could not connect to the relay server with ID '0'. Your Internet connection might be down, or the server might be temporarily unavailable.

My Internet and Network connection is fine.

But I cannot log into the nextcloud instance even with the the randomly generated hostname in my tailnet.

[flll]

- - TS_HOSTNAME = nextcloud
+ - TS_HOSTNAME=nextcloud

There should be no space between the key and value in the key-value pair.

[abishekmuthian]

That was it, I'm into nextcloud! Thank you so much my Japanese friend. The docker compose file as in the guide complained of map and kepair format and so I edited it but didn't know that space will cause issues.

I see couple of errors in the caddy log of refusing connection to fonts.json, should I be concerned?

nextcloud-aio-tailscale-caddy-1  | {"level":"error","ts":1729844319.020331,"logger":"http.log.error","msg":"dial tcp: lookup nextcloud-aio-apache on 127.0.0.11:53: no such host","request":{"remote_ip":"127.0.0.1","remote_port":"55868","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"nextcloud.tortoise-moth.ts.net","uri":"/apps/richdocuments/settings/fonts.json","headers":{"Date":["Fri, 25 Oct 2024 08:18:17"],"User-Agent":["COOLWSD HTTP Agent 24.04.8.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"nextcloud.tortoise-moth.ts.net"}},"duration":0.012385143,"status":502,"err_id":"64di74n3m","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

Also two more questions,

1. nextcloud host in the Tailscale has a ephemeral label, is it supposed to be one?

2. Can I edit the ACL in Tailscale e.g. like adding admin group like how you showed in the another comment after I deploy? Because if I change the "autogroup:admin" to "group:admin" I'm unable to reach my next cloud instance. Is it because it should have been done before deployment of the host with the nextcloud tag?

[flll]

This error seems to be due to Caddy failing to connect to nextcloud-aio-apache.
This is likely happening because Caddy is being executed before Apache starts up.
Clicking the "start container" button in nextcloud-aio should start both Nextcloud and Apache.
You can safely ignore this initially.

Regarding the ephemeral label for the Nextcloud host in Tailscale:

Yes, using an OAuth key makes it ephemeral.
Ephemeral nodes will reset when restarted.
While you can configure it as non-ephemeral, this will create new nodes (nextcloud-1, nextcloud-2, nextcloud-3...) every time you restart.
Please refer to the official "Tailscale on Docker" documentation for more details.

Regarding ACL editing in Tailscale:

1. ACLs work dynamically and apply immediately. If connectivity is lost right after making changes, there's likely an issue with the ACL configuration.

2. "autogroup:admin" is automatically generated by the tailscale-admin-console.
   If changing from autogroup to group causes loss of connectivity, it's likely because either:

• group:admin is undefined
• ACL is missing

Example ACL configuration:

{
	"groups": {
		"group:admin": ["example@mail.jp", "flll@github"],
		"group:azuki": ["tuyu@azuki.com"],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:nextcloud:*"],
		},
        ]
}

Note that "autogroup:admin" and "group:admin" are completely different groups.
If you want to make Nextcloud accessible to all members or external users, set src to "*" and dst to "*:*".

Please refer to Tailscale's autogroup documentation for more details.

[flll]

Thank you

Thank you as well. I was able to respond quickly because I've made the same mistake before, haha.
Thank you for your question.(o・ω・o)

[A4alli]

Non-ephemeral will make new nodes? Or ephemeral??

[rzimmerdev]

Did anyone get this error?

docker compose up
[+] Running 3/0
✔ Container nextcloud-aio-mastercontainer Created 0.0s
✔ Container maverick-caddy-1 Recreated 0.1s
✔ Container maverick-tailscale-1 Recreated 0.1s
Attaching to caddy-1, tailscale-1, nextcloud-aio-mastercontainer

tailscale-1 | boot: 2024/10/24 22:18:21 Running 'tailscale up'
tailscale-1 | Status: 400, Message: "requested tags [tag:nextcloud] are invalid or not permitted"
tailscale-1 | boot: 2024/10/24 22:18:22 failed to auth tailscale: failed to auth tailscale: tailscale up failed: exit status 1
...
tailscale-1 | boot: 2024/10/24 22:18:23 [warning] failed to symlink socket: file exists
tailscale-1 | To interact with the Tailscale CLI please use tailscale --socket="/tmp/tailscaled.sock"

[Kendellb]

Hmm... It's probably a discrepancy in the ACL settings, or Maybe because it's set to "tailv2133.ts.net" and the default "tainet-name", it might be better to generate a new one??? Just a guess though.
CLICK!

Thank you for your help and for this amazing guide @flll . I was setting the host name to the same name as my server and I did not realized that it was making new machine server-1 in tailscale. Thank you again for your help!!!

[MateuszFido]

This was also the root of my issue. Remember that the hostname to provide both in compose.yml and the Nextcloud admin console is the new, ephemeral hostname created by Tailnet, not the current hostname of your physical machine!

[BaoAn21]

@MateuszFido what do you mean by new, ephemeral hostname created by Tailnet? Where can I find those?

[BaoAn21]

I read everything in this guild but still can not access Nextcloud using my endpoint
I checked log in nextcloud container
cURL error 6: Could not resolve host: nextcloud.jamnapari-solfege.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.jamnapari-solfege.ts.net/hosting/discove

[frazar]

The value of NC_DOMAIN must be a string that ends with a . followed by the "Tailnet name" that Tailscale has assigned you, which you can find at https://login.tailscale.com/admin/dns.

Supposing that your Tailnet name is tail23ab5.ts.net, then NC_DOMAIN must end with .tail23ab5.ts.net. In this case, valid value for NC_DOMAIN could be nextcloud.tail23ab5.ts.net.

[SteveImmanuel]

Nice guide! Thanks so much.
One issue that I found during my deployment is that the compose file syntax. Particulary the environment in the caddy and tailscale service. They need to be in key:pair format or map format. So either use:

environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net

or

environment:
      - NC_DOMAIN=nextcloud.your-tailnet.ts.net

Note: same goes for the tailscale service environment.

[SteveImmanuel]

Yes the nextcloud-aio-mastercontainer does indeed run on port 8080. However, it only responsibles for first time setup when you provision the nextcloud instance. After that, the nextcloud-aio-nextcloud needs to be accessible from port 80 and 443 for service discovery and to handle the certificates as nextcloud need a valid SSL certificate to function. But please correct me if I'm wrong.
This is the log from my nextcloud-aio-nextcloud container:

[28-Oct-2024 00:52:48] NOTICE: fpm is running, pid 400
[28-Oct-2024 00:52:48] NOTICE: ready to handle connections
Activating Collabora config...
✓ Reset callback url autodetect
Checking configuration
🛈 Configured WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured public WOPI URL: https://nextcloud.tail42526.ts.net
🛈 Configured callback URL: 

✓ Fetched /hosting/discovery endpoint
✓ Valid mimetype response
✓ Valid capabilities entry
✓ Fetched /hosting/capabilities endpoint
✓ Detected WOPI server: Collabora Online Development Edition 24.04.8.1

Collabora URL (used for Nextcloud to contact the Collabora server):
  https://nextcloud.tail42526.ts.net
Collabora public URL (used in the browser to open Collabora):
  https://nextcloud.tail42526.ts.net
Callback URL (used by Collabora to connect back to Nextcloud):
  autodetected (will use the same URL as your user for browsing Nextcloud)

[A4alli]

well I am using only via tailscale network. So I will not need any ports to forward. next I toggol on HTTPS in tailscale Admin counsel which give me lets encrypt https. right now Im stuck on provisioning screen. I cannot visit my nextclous AIO via tailscale domain. I am pasting the required data asked by @flll, when he will analyze about what is wrong.

[SteveImmanuel]

Even with tailscale, you need those port to make it accessible inside your tailscale network

[sym-afk]

Even with tailscale, you need those port to make it accessible inside your tailscale network

How to open up these ports in tailscale, whether it has to be done on the newly created nextcloud node or the host/server node in tailscale n/w.

[chamabreu]

I am running the whole system without any port forwarding or opening.

Only in the docker compose there are the port mappings, to make the container accessible.

The AIO master Container is only accessible over the ipadress from the Host running the Master container.
See ports on AIO master Container in docker compose:

ports:
      - 0.0.0.0:8080:8080

But the rest of nextcloud does not need any port changing and is only accessible over your Domain you give into the environment variables.

[blazing-ph0enix]

Okay, one question:

Should I "sudo dnf install tailscale" on my host, then follow all this docker compose things? because how would I declare ACL dst 'nextcloud.your-tailnet.ts.net'? Or do I add my device manually in tailscale admin?

I might be very less informed about ACL and tags, but I am trying to learn and doing all this to use nextcloud-aio is tiring, but I am trying my best.

Thanks!

PS: I was using this

{
  "tagOwners": {
    "tag:nextcloud": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:nextcloud"],
      "dst": ["nextcloud.your-tailnet.ts.net:*"]
    }
  ]
}

[blazing-ph0enix]

Hey @flll

What I did:

1. Sudo dnf install tailscale
2. Setup my host with tailscale, named "fedora"
3. Made ACL like this:

{
	"tagOwners": {
		"tag:fedora": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:fedora"],
			"dst":    ["Tailscale_ip_of_fedora:*"]
		}
	]
}

4. Followed your guid
5. There was a new machine in my tailscale, named Fedora-1
6. Can't access nextcloud
7. Apache container unhealthy
8. Problem loading site for my NC_DOMAIN

I am sure I misunderstood a lot of things, looking for pointers, thanks!

[blazing-ph0enix]

New Setup:

1. Only one machine on Tailscale (that too the one from docker compose file tailscale)
2. ACL:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:nextcloud:*"]
		}
	]
}

3. Still Apache container unhealthy
4. All other container working well, but the apache logs and master container logs are same as earlier

[flll]

My docker logs apache says:
This is normal.

Please check the following conditions:

• The guide's compose.yml starts before nextcloud-aio-apache
• The nextcloud-aio network in compose.yml is properly applied

If it's not working even though the order is correct, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

New Setup

Please configure ACL according to your environment.
If you want to try a configuration unrelated to the guide, please refer to the official documentation.

[blazing-ph0enix]

@flll Brother, I finally did it. Nextcloud-AIO worked!!!

What I did?

1. Changed my default tailname
2. Made some changes in ACL
3. Made fresh docker compose containers
4. Crossed my fingers before entering the tail domain 😂

Thanks a lot!
I have learnt a lot of things and will make some experiments like what changes will make it stop working. Might make a guide of my own for basic noobs like myself 🙃

[flll]

@blazing-ph0enix
Congratulations! That's a fantastic achievement. I'm so happy to see that your persistence and ingenuity have paid off.

Crossing your fingers is indeed an essential step in solving technical problems! 😄

It's wonderful that you're planning to share what you've learned with others. A guide for beginners will be incredibly helpful for many people.

I'm looking forward to your future experiments. If you make any new discoveries, please do share them. Your experiences will be a valuable source of information for the community.

Keep up the great work. And remember, if you ever run into any issues, don't hesitate to ask for help.

[MateuszFido]

Thanks for the guide, it's great but I cannot make it work for myself.
I'm stuck at the point of connecting to my $NC_DOMAIN.

My compose.yaml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    environment:
      - NC_DOMAIN=mydomain.my-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    environment:
      - TS_HOSTNAME=mydomain # Enter the hostname for your tailnet
      - TS_AUTH_KEY=tskey-client-kPFRs4aRK721CNTRL # OAuth client key recommended
      - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

My ACL:

"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"],
	},

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},

		// Allow users in "group:example" to access "tag:example", but only from
		// devices that are running macOS and have enabled Tailscale client auto-updating.
		// {"action": "accept", "src": ["group:example"], "dst": ["tag:example:*"], "srcPosture":["posture:autoUpdateMac"]},
	],

	// Define postures that will be applied to all rules without any specific
	// srcPosture definition.
	// "defaultSrcPosture": [
	//      "posture:anyMac",
	// ],

	// Define device posture rules requiring devices to meet
	// certain criteria to access parts of your system.
	// "postures": {
	//      // Require devices running macOS, a stable Tailscale
	//      // version and auto update enabled for Tailscale.
	// 	"posture:autoUpdateMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	    "node:tsAutoUpdate",
	// 	],
	//      // Require devices running macOS and a stable
	//      // Tailscale version.
	// 	"posture:anyMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	],
	// },

	// Define users and devices that can use Tailscale SSH.
	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:member"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],

	// Test access rules every time they're saved.
	// "tests": [
	//  	{
	//  		"src": "alice@example.com",
	//  		"accept": ["tag:example"],
	//  		"deny": ["100.101.102.103:443"],
	//  	},
	// ],
}

Caddy seems to recognize the domain name correctly, i.e. it resolves $NC_DOMAIN correctly.

Tailscale logs:

2024/10/26 20:54:17 monitor: gateway and self IP changed: gw=172.18.0.1 self=172.18.0.2
2024/10/26 20:54:17 wgengine: Reconfig: configuring userspace WireGuard config (with 0/3 peers)
2024/10/26 20:54:17 wgengine: Reconfig: configuring router
2024/10/26 20:54:17 wgengine: Reconfig: configuring DNS
2024/10/26 20:54:17 dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:4}
2024/10/26 20:54:17 dns: Resolvercfg: {Routes:{} Hosts:4 LocalDomains:[]}
2024/10/26 20:54:17 dns: OScfg: {}
2024/10/26 20:54:17 peerapi: serving on http://100.88.14.63:42665
2024/10/26 20:54:17 peerapi: serving on http://[fd7a:115c:a1e0::f001:e3f]:42665
2024/10/26 20:54:17 magicsock: home is now derp-4 (fra)
2024/10/26 20:54:17 magicsock: adding connection to derp-4 for home-keep-alive
2024/10/26 20:54:17 magicsock: 1 active derp conns: derp-4=cr0s,wr0s
2024/10/26 20:54:17 magicsock: endpoints changed: 31.10.141.0:13401 (stun), 172.18.0.2:57177 (local)
2024/10/26 20:54:17 derphttp.Client.Connect: connecting to derp-4 (fra)
2024/10/26 20:54:17 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2024/10/26 20:54:17 control: NetInfo: NetInfo{varies=false hairpin= ipv6=false ipv6os=true udp=true icmpv4=false derp=#4 portmap= link="" firewallmode=""}
boot: 2024/10/26 20:54:17 Startup complete, waiting for shutdown signal
2024/10/26 20:54:17 magicsock: derp-4 connected; connGen=1

Tried opening 443 (TCP and UDP), 80, 8080 (out of desperation) in firewall and even disabling the firewall completely, none of it helped

Seems that no matter what I do, in the nextcloud container I see:

Failed to fetch discovery endpoint from https://mydomain.my-tailnet.ts.net 
2024-10-26T20:14:35.885045556Z cURL error 7: Failed to connect to mydomain.my-tailnet.ts.net port 443 after 1 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://mydomain.my-tailnet.ts.net/hosting/discovery

Pinging the domain name within tailscale works without problems

[flll]

@MateuszFido
Please check the following conditions:

• Whether nextcloud-aio network is defined correctly as specified in compose.yml
• Whether the nextcloud-aio network defined in compose.yml is created before nextcloud-aio-apache and nextcloud-aio-nextcloud start up.

If you need to redo it, execute the following commands:

docker compose down;\
docker stop $(docker ps -aq);\
docker rm $(docker ps -aq);\
docker network rm nextcloud-aio

These commands will delete existing docker containers and networks.
Please execute with caution as this can be dangerous.
After execution, run docker compose up -d and deploy nextcloud-aio again.

[MateuszFido]

Yep, did those many times, my friend

Finally got it today: the same issue as @Kendellb, the hostname to configure is the new, ephemeral hostname generated by Tailscale, not the current hostname of the physical machine hosting Nextcloud in tailnet. Initially, I thought your machine was just named "nextcloud" in your tailnet before running all the containers.

It's worth remembering that setting the hostname provided to Nextcloud in the admin console cannot be undone - so just removing the containers, and even doing docker system prune -a won't work. You need to reinstall from scratch, removing all the volumes.

This was totally unclear to me from the guide, maybe it could be mentioned?

Anyway, thanks a lot, it's a great setup nonetheless 👍

[vinayak19th]

I'm still having this issue. I'm using the ephemeral hostname but still having issues

[A4alli]

[blazing-ph0enix]

@blazing-ph0enix what is the Health status of your Apache container?

Right now, Unhealthy, because I haven't deleted old machines from admin console

[blazing-ph0enix]

@blazing-ph0enix what is the Health status of your Apache container?

and also Security and setup Warnings. if you please share in pastebin

Can't use my pc right now. Will try tomorrow.
Family gathering at home 😅

[A4alli]

Any update

[blazing-ph0enix]

Any update

Yes, I will make a new comment for my specific case, I will add all the logs in it

[A4alli]

@flll if you please jump in to here to see the issues, KINDLY

[A4alli]

Finally access the domain.

[flll]

@A4alli

1. I don't want to access my nextcloud-AIO from outside other than tail scale

The funnel feature will expose your service to the public internet.
If you don't want public access, please disable the funnel feature.
Please refer to the Tailscale guide for more details.

2. Moreover, what about the error in nextcloud0master-container...

This error message indicates that debug information is currently hidden. While it's recommended to keep error details concealed in production environments for security purposes, you can temporarily enable detailed error display when troubleshooting is necessary. Once you've resolved the issue, it's advisable to return to the default secure configuration where error details are hidden from end users.

3. And the security warnings...

Please remove all containers and networks, then redeploy.
If Nextcloud is successfully deployed, you can safely ignore these warnings.

4. docker-socket-proxy test is always failing at Init step.

If you're unsure how to use it or don't plan to use it, I recommend not using it.

5. does WebDav working in nextcloud-aio by default...

If Nextcloud is working, WebDAV should also be available by default.

6. @rinkfaraway

Security settings are already included in nextcloud-aio-apache,
so you can keep the Caddyfile at its default settings as shown in the guide,
just set up reverse proxy to nextcloud-aio-apache.

Are you trying to use both cloudflared and tailscaled tunnels?
If so, add network_mode: service:caddy to both cf and ts to attach them to caddy's NIC (127.0.0.1).

[A4alli]

Amazing. My nextcloud is functioning well by default. I mean from starting. I think I have no need to remove and redeploy. But of course security and setup warnings will stay the same as in the pastebin. (Or should it remove and redeploy and will get rid of the warnings)

Point 6. You have pasted a diagram. A bit confusion, if you may please help me with it. I want to use cloudflare as DNS not a reverse proxy or tunnel. I have caddy-dns-cloudflare-module.
⚠️ how to setup DNS record in cloudflare for such setup. Will it be CNAME or A or AAAA record? To which IP or address I have to do it so to get cloudflare DNS resolver along Tailscale. From jellyfin video posted by tailscale, @alex has redirected caddy container ts-domain as CNAME in cloudflare DNS. What will be in out nextcloud case.

[A4alli]

@flll @szaimen https://help.nextcloud.com/t/security-and-setup-warnings-nextcloud-aio-30-0-1/208752/2
please must look into this matter. I think it need due attention.

[A4alli]

moreover @flll the notify-push failed in here according to your guide

2024-11-05T15:59:01.241513477Z Connection to nextcloud-aio-nextcloud (172.18.0.x) 9001 port [tcp/*] succeeded!
2024-11-05T15:59:01.253060607Z notify-push was started
2024-11-05T15:59:02.625728570Z [2024-11-05 15:59:02.624874 +00:00] ERROR [notify_push] src/main.rs:84: Self test failed: Error while communicating with nextcloud instance: error sending request for url (https://nextcloud.tailscale.ts.net/index.php/apps/notify_push/test/version)

[A4alli]

@A4alli If you want to allow connections from outside the tailnet (public access using Funnel), you need to add serve.json. In the following example, serve.json is written directly within the compose.yml file, so I'll use this example. If you use this example as is, you don't need to create separate Caddyfile and serve.json files.

CLICK!

THIS IS CREATING A TONS OF CLONE MACHINE IN MY TAILSCALE

[blazing-ph0enix]

Hey, So I have tried a lot of things, now my experience is like this:

1. I did everything as the guide. What I faced is that my nextcloud instance worked perfectly for first time. But after a reboot, I couldn't access my instance because apache container was unhealthy? Maybe because my tailscale admin console showed 'server-1' ephemeral machine instead of using 'server' which was host name in docker compose tailscale environments. So I had to delete my 'server' machine everytime before rebooting, so that after reboot 'server' machine is created instead of 'server-1' etc.
2. I researched a lot, so I tried adding 'TS_STATE_DIR=/var/lib/tailscale' in environments of Tailscale service in docker compose.
3. Now, after every reboot my tailscale admin console mentions 'server' machine, so which means it remembers the state and tailscale ip is also same but yeah, it's still ephemeral so not sure if that's any issue.
4. When I enter my Tail domain, it says:

Unable to connect

An error occurred during a connection to server.rohu-nessie.ts.net.

5. These are my logs, thank you for reading and let me know if you have any tips.

Apache logs:

2024-10-30T08:08:25.073530751Z Waiting for Nextcloud to start...
2024-10-30T08:08:30.077841467Z Connection to nextcloud-aio-nextcloud (172.18.0.2) 9000 port [tcp/*] succeeded!
2024-10-30T08:08:32.153962851Z {"level":"info","ts":1730275712.1528685,"msg":"using config from file","file":"/tmp/Caddyfile"}
2024-10-30T08:08:32.156079603Z {"level":"info","ts":1730275712.155,"msg":"adapted config to JSON","adapter":"caddyfile"}
2024-10-30T08:08:32.234077578Z [Wed Oct 30 08:08:32.231068 2024] [mpm_event:notice] [pid 58:tid 58] AH00489: Apache/2.4.62 (Unix) configured -- resuming normal operations
2024-10-30T08:08:32.234117911Z [Wed Oct 30 08:08:32.231133 2024] [core:notice] [pid 58:tid 58] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

Nextcloud logs:

2024-10-30T08:08:26.099483087Z [30-Oct-2024 08:08:26] NOTICE: fpm is running, pid 399
2024-10-30T08:08:26.099521081Z [30-Oct-2024 08:08:26] NOTICE: ready to handle connections
2024-10-30T08:08:40.857901402Z Activating Collabora config...
2024-10-30T08:08:41.766934909Z ✓ Reset callback url autodetect
2024-10-30T08:08:41.766972860Z Checking configuration
2024-10-30T08:08:41.766982102Z 🛈 Configured WOPI URL: https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.766989585Z 🛈 Configured public WOPI URL: https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.766996553Z 🛈 Configured callback URL:
2024-10-30T08:08:41.767002835Z
2024-10-30T08:08:41.865833719Z Failed to fetch discovery endpoint from https://server.rohu-nessie.ts.net
2024-10-30T08:08:41.866405353Z cURL error 6: Could not resolve host: server.rohu-nessie.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://server.rohu-nessie.ts.net/hosting/discovery

Redis:

2024-10-30T08:06:44.427595043Z 8:M 30 Oct 2024 08:06:44.353 # Redis is now ready to exit, bye bye...
2024-10-30T08:07:44.753650530Z Redis has started

Database:

2024-10-30 08:07:45.840 UTC [14] LOG:  starting PostgreSQL 16.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
2024-10-30T08:07:45.841881733Z 2024-10-30 08:07:45.841 UTC [14] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-10-30T08:07:45.841902318Z 2024-10-30 08:07:45.841 UTC [14] LOG:  listening on IPv6 address "::", port 5432
2024-10-30T08:07:45.846316627Z 2024-10-30 08:07:45.846 UTC [14] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2024-10-30T08:07:45.873990980Z 2024-10-30 08:07:45.873 UTC [24] LOG:  database system was shut down at 2024-10-30 08:06:47 UTC
2024-10-30T08:07:45.893069077Z 2024-10-30 08:07:45.892 UTC [14] LOG:  database system is ready to accept connections

Notify Push:

2024-10-30T08:08:24.834948032Z Waiting for Nextcloud to start...
2024-10-30T08:08:29.838501694Z Connection to nextcloud-aio-nextcloud (172.18.0.2) 9001 port [tcp/*] succeeded!
2024-10-30T08:08:29.840436231Z notify-push was started
2024-10-30T08:08:34.936983393Z [2024-10-30 08:08:34.936482 +00:00] ERROR [notify_push] src/main.rs:84: Self test failed: Error while communicating with nextcloud instance: error sending request for url (https://server.rohu-nessie.ts.net/index.php/apps/notify_push/test/version)

Nextcloud Mastercontainer Logs:

[30-Oct-2024 08:08:56] NOTICE: fpm is running, pid 138
[30-Oct-2024 08:08:56] NOTICE: ready to handle connections
NOTICE: PHP message: 404 Not Found
Type: Slim\Exception\HttpNotFoundException
Code: 404
Message: Not found.
File: /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/RoutingMiddleware.php
Line: 76
Trace: #0 /var/www/docker-aio/php/vendor/slim/slim/Slim/Routing/RouteRunner.php(62): Slim\Middleware\RoutingMiddleware->performRouting(Object(GuzzleHttp\Psr7\ServerRequest))
#1 /var/www/docker-aio/php/vendor/slim/csrf/src/Guard.php(482): Slim\Routing\RouteRunner->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#2 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(177): Slim\Csrf\Guard->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Slim\Routing\RouteRunner))
#3 /var/www/docker-aio/php/vendor/slim/twig-view/src/TwigMiddleware.php(117): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#4 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Views\TwigMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#5 /var/www/docker-aio/php/src/Middleware/AuthMiddleware.php(36): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#6 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(280): AIO\Middleware\AuthMiddleware->__invoke(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#7 /var/www/docker-aio/php/vendor/slim/slim/Slim/Middleware/ErrorMiddleware.php(77): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#8 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(129): Slim\Middleware\ErrorMiddleware->process(Object(GuzzleHttp\Psr7\ServerRequest), Object(Psr\Http\Server\RequestHandlerInterface@anonymous))
#9 /var/www/docker-aio/php/vendor/slim/slim/Slim/MiddlewareDispatcher.php(73): Psr\Http\Server\RequestHandlerInterface@anonymous->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#10 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(209): Slim\MiddlewareDispatcher->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#11 /var/www/docker-aio/php/vendor/slim/slim/Slim/App.php(193): Slim\App->handle(Object(GuzzleHttp\Psr7\ServerRequest))
#12 /var/www/docker-aio/php/public/index.php(186): Slim\App->run()
#13 {main}
Tips: To display error details in HTTP response set "displayErrorDetails" to true in the ErrorHandler constructor.

My ACL of Tailscale:

{
	"tagOwners": {
		"tag:nextcloud": ["autogroup:admin"],
		"tag:malware":   ["autogroup:admin"]
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:malware"],
			"dst":    ["tag:nextcloud:*"]
		},
		{
			"action": "accept",
			"src":    ["tag:nextcloud"],
			"dst":    ["tag:malware:*"]
		}
	]
}

[A4alli]

Your tailscale is not connected as per above logs

[A4alli]

For me this guide work fine. Only problem is apache container showing unhealthy. But working

[flll]

I apologize for the delayed response.
Regarding this error shown in the Nextcloud logs:

cURL error 6: Could not resolve host: server.rohu-nessie.ts.net

This error suggests that the nextcloud-aio network is constantly being created, and Tailscale might not be properly connecting to the network
tailscale-aio

Here are the steps to resolve this:

1. Remove all nextcloud-aio containers

Warning!: This command will stop and remove containers

docker compose down

# Stop containers containing "nextcloud" in their name
docker stop $(docker ps -a | grep nextcloud | awk '{print $1}')

# Remove containers containing "nextcloud" in their name
docker rm $(docker ps -a | grep nextcloud | awk '{print $1}')

2. Delete the nextcloud-aio network

docker network rm nextcloud-aio

3. Run docker compose up (-d) again

I didn't find any issues with the ACL settings.

@blazing-ph0enix

[flll]

deleting 'server' machine before rebooting

Please disable the ephemeral setting.
Your OAuth key likely includes "?ephemeral=false"
Simply remove this query parameter.

'TS_STATE_DIR=/var/lib/tailscale'

It's recommended to keep the default state configuration.

"after every reboot my tailscale admin console mentions 'server' machine"

This is likely a temporary issue.
Try refreshing the admin console.

"When I enter my Tail domain..."

Often this is due to insufficient permissions on the client-side Tailscale.
Try adding the 'nextcloud' tag to your client.
By default, communication between devices with the nextcloud tag is allowed.

[A4alli]

deleting 'server' machine before rebooting

Please disable the ephemeral setting. Your OAuth key likely includes "?ephemeral=false" Simply remove this query parameter.

'TS_STATE_DIR=/var/lib/tailscale'

It's recommended to keep the default state configuration.

"after every reboot my tailscale admin console mentions 'server' machine"

This is likely a temporary issue. Try refreshing the admin console.

"When I enter my Tail domain..."

Often this is due to insufficient permissions on the client-side Tailscale. Try adding the 'nextcloud' tag to your client. By default, communication between devices with the nextcloud tag is allowed.

Thankyou 😍

[js-surya]

Has anyone tried to deploy using the portainer stack?

Caddy log:

INF ts=1730804048.0603747 msg=using config from file file=/etc/caddy/Caddyfile

Error: adapting config using caddyfile: subject does not qualify for certificate: '{env.NC_DOMAIN}'

I have double-checked my NC_DOMAIN variable.

compose.yml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    environment:
      NC_DOMAIN: nextcloud.[redacted].ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: /home/surya/Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:tailscale
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      TS_AUTH_KEY: tskey-client-kYthXvJbHD21CNTRL-[redacted]  # OAuth client key recommended
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    restart: unless-stopped
    volumes:
      - /dev/net/tun:/dev/net/tun
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "9001" # Jumbo Frame
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Tailscale ACL:

"groups": {
		"group:admin": ["js-surya@github"],
		"group:users": ["user@example.com", "otheruser@example.com"],
	},

	"tagOwners": {
		"tag:nextcloud": ["group:admin"],
	},

	"acls": [
		// Allow general unrestricted access (you can comment this out if needed).
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},

		// Allow users in "group:users" to access any devices tagged with "nextcloud".
		{"action": "accept", "src": ["group:users"], "dst": ["tag:nextcloud:*"]},

I'm not an IT expert, and I'm relatively new to this. My IP is behind CGNAT, and I want to access my Nextcloud server outside my local network using Tailscale. I'm eager to learn, so any suggestions or help would be appreciated.

[A4alli]

NC_DOMAIN=nextcloud.talscale.ts.net
TS_HOSTNAME=nextcloud
TS_AUTH_KEY=ts...
TS_EXTRA_ARGS=--

Remember there is = and than no space

[js-surya]

TS_HOSTNAME=nextcloud # Hostname in Tailnet
NC_DOMAIN=nextcloud.mydomain.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
TS_AUTH_KEY=tskey-client-kYthXvJbHD21CNTRL-mykey # OAuth client key recommended
TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage

Here is my .env config

[A4alli]

check my config files above that work

[A4alli]

Apache is always unhealthy

docker exec -it nextcloud-aio-apache bash -x /healthcheck.sh

• nc -z nextcloud-aio-nextcloud 9000
  Connection to nextcloud-aio-nextcloud (172.18.0.1) 9000 port [tcp/*] succeeded!
• nc -z 127.0.0.1 8000
  Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
• nc -z 127.0.0.1 11000
  Connection to 127.0.0.1 11000 port [tcp/*] succeeded!
• nc -z nextcloud.taiilscale.ts.net 443
  nc: getaddrinfo for host "nextcloud.tailscalets.net" port 443: Name does not resolve
• echo 'Could not reach nextcloud.tailscalets.net on port 443.'
  Could not reach nextcloud.tailscale.ts.net on port 443.
• exit 1

[chamabreu]

Same here

[A4alli]

check my last comment below for solution with serve.json

[chamabreu]

Checked it.
Sound interesting.

Is there a way to check if a port is open to public?
I am curious that if I add funnel And then remove it, that it really is not public anymore.

Will try and report.
Also I am wondering if this helps for nextcloud office.

[A4alli]

what about your security and setup warnings?

[patrick-theprogrammer]

@flll
Thanks for this guide!

Wanted to mention that I was able to get this working without needing caddy at all. I think it simplifies things a bit. Tailscale can natively proxy nextcloud.your-tailnet.ts.net to nextcloud-aio-apache via this method, and it supports https.

Note this employs tailscale serve (as opposed to tailscale funnel) so will only expose the service to your tailnet, not publicly. You could set a funnel flag to true in the json config below to expose it publicly, though some security and performance caveats would apply if you did.

• Create a json file on your host with the following

{
  "TCP": {
    "443": {
      "HTTPS": true
    }
  },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": {
        "/": {
          "Proxy": "http://nextcloud-aio-apache:11000"
        }
      }
    }
  }
}

• on the tailscale container, create a bind mount to the directory where the json file is stored on the host, and supply a TS_SERVE_CONFIG environment parameter to tell tailscale where to look for the json file within the container

See https://tailscale.com/kb/1282/docker#ts_serve_config

[js-surya]

@js-surya thanks a lot for the json for Funnel; where would the json file need to be added? We haven't set a volume as they show in the official Tailscale docs https://tailscale.com/blog/docker-tailscale-guide

And related question, we haven't set the tailscale variable for serve, is that something that needs to be added to the docker-compose?

I am utilizing the native proxy method provided by @patrick-theprogrammer, as detailed in 1 and 2, without employing Caddy as a sidecar. Please take a look at his compose file and serve-config.json there, you can find the serve config variable and volume.

[shawn-shellenbarger]

Thank you @patrick-theprogrammer! This feels like a much better approach for me personally (serve vs funnel). I have used tailscale explicitly to avoid exposing my home server to the public internet, which funnel does!

A couple of things to note in case others run into similar issues:

• /etc might need sudo privileges on your host machine

  • This caused me problems for the tailscale serve.json
  • Relevant line in the shared docker-compose.yml is /etc/docker/tailscale/nextcloud:/config
  • I just created a different directory elsewhere in place of /etc/docker/tailscale/nextcloud (e.g. /any/directory/without/sudo/) and placed my serve.json there

• I needed to map port 8080 from my host machine to the nextcloud-aio container, see below:

nextcloud-aio:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer # app requirement
    depends_on:
      - nextcloud-tailscale
    ports:
      - 8080:8080 <----------------------------

• You need to enable HTTPS & Magic DNS on tailscale. Magic DNS is a prerequisite for HTTPS actually working. See https://tailscale.com/kb/1153/enabling-https#configure-https
  • I've had issues with Magic DNS interfering with my own local DNS server in the past. To avoid this, be sure to add additional name servers when enabling Magic DNS so that your machines can fallback to any local DNS provider you might be using

[A4alli]

No need of exposing port 8080. You call [tailscal].ts.net:8443

[hlieuw]

Hey all, i got the setup working with Tailscale server, thx for the info and guide.
However, the local nextcloud services will then only be accessible for tailscale clients, if i am not mistaken.
What if I wanted to make the services accesible to my other local machines without having to configure tailscale on each of them?
Anyone succeeded in that?

[A4alli]

use funnel but it will expose to internet

[jdumas]

Hi. Thanks a lot for this guide! I was having a lot of trouble with the Cloudflare DNS tunnel and the setup using Tailscale is much simpler.

However, I was not able to access the instance locally from a LAN device not connected to my Tailscale network. I have my pihole local DNS server point nextcloud.tailnet.ts.net to the local IP of my server running the nextcloud-aio container. Running dig nextcloud.tailnet.ts.net returns the correct local IP, but running curl -I nextcloud.tailnet.ts.net shows an error message:

curl: (7) Failed to connect to nextcloud.tailnet.ts.net port 80 after 9 ms: Could not connect to server

Do you have any suggestion on how to make this work? Would it help to use tailscale serve instead of Caddy for the reverse proxy?

[flll]

The Tailscale logs showed packet loss, and I was constantly monitoring to see if it was a firewall issue.

The cause turned out to be the service startup order and MTU value. Since Caddy depends on the Tailscale socket, if Caddy starts first, it can't find the socket and things go wrong.

The serve.json file is not necessary.

Also, it seems that when the MTU value is above 1280, packets are silently dropped. I discovered that when sending jumbo frames on a network with switches that don't support jumbo frames, the packets can be discarded at the switch level and never reach the destination.

For the changes, we'll modify the MTU value to what Tailscale recommends.
Please change your compose.yml as follows:

services:
  nextcloud-aio-caddy:
    build:
      context: .
      dockerfile: Caddy.Dockerfile
    container_name: nextcloud-aio-caddy
+    depends_on:
+      - nextcloud-aio-tailscale
    restart: unless-stopped
(...)
  nextcloud-aio-tailscale:
    image: tailscale/tailscale:v1.80.3
+    healthcheck:
+      test: tailscale status --peers=false --json | grep 'Online.*true'
+      start_period: 3s
+      interval: 1s
+      retries: 3
(...)
networks:
  nextcloud-aio:
    driver_opts:
-      com.docker.network.driver.mtu: "9001"
+      com.docker.network.driver.mtu: "1280"
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

You'll need to rebuild the nextcloud-aio network, so please refer to the "Docker Reset Commands" in the wiki to reset everything.
After running docker compose up --build --wait, execute docker network inspect nextcloud-aio to verify that the settings have been applied.

Please restart your client and try accessing the site again.
I've posted the corrected version on the wiki, so please check it.
I apologize for the inconvenience.
If you still have connection issues, please reply.

[jdumas]

Thanks! I'll give it a try next week-end.

[jdumas]

@flll I've tried your changes, but it didn't help. Running curl -I -v I can see that the issue is actually a connection refused:

* connect to 192.168.1.81 port 443 from 192.168.1.156 port 62099 failed: Connection refused

Do you know how can I troubleshoot the issue? My docker network inspect nextcloud-aio shows the MTU settings is correctly applied.

[jdumas]

Not sure how much it helps, but it seems I am now getting a TLS handshake error when attempting local access:

❯ curl -I -v https://nextcloud.my-tailnet.ts.net
* Host nextcloud.my-tailnet.ts.net:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.81
*   Trying 192.168.1.81:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, internal error (592):
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

@flll please let me know if you have ideas how to debug this further.

[A4alli]

@flll will tailscale, caddy sidecar work with synapse+coturn? I wonder if it is possiable?

[flll]

I don't understand what Synapse and Coturn are.

[A4alli]

https://github.com/element-hq/synapse
&
https://github.com/coturn/coturn

Well I tried to fit in your above guide. The chat and file upload/download works well. But I couldn't figure out how to set coturn server for turn/stun

[A4alli]

any chance?

[A4alli]

@flll want to know how nextcloud use coturn server. I want it for synapse?

[jsparrowio]

This was a great guide, thank you @flll!

My only feedback:
If possible, can we get a version of the guide, or a section, that works with Portainer?
I tried to install with Portainer for about 24 hours (trying many different solutions) before I gave up and SSHed into my servers CLI and ran the docker up command, which ended up working out, but a Portainer version would be nice. From what I understand (and I could be wrong!) the only difference would be that you would need to include the Caddyfile and the Caddy.Dockerfile INSIDE the compose file. Since I'm new to this, I'm not quite sure how to do that...

Thanks again!

[Roy416]

omg i tried for so long with portainer (im new to it) and thought i was just not getting something.

[cristo357]

How to setup with TSDproxy in order to have multiple apps:

TSDproxy is a tailscale reverse proxy that allows you to deploy multiple docker apps without the needing sidecars.

In this following example, we'll configure TSDproxy to redirect to:

• Nextcloud
• Vaultwarden
• Pi-hole
• Dashy
• Stirling PDF
• Calibre web

PLEASE NOTE: Create a 90-day, no-ephemeral key.

docker-compose.yml:

services:
  ## TSDproxy
  tsdproxy:
    image: almeidapaulopt/tsdproxy:latest
    container_name: tsdproxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - tsdproxy_data:/data
      - tsdproxy_config:/config
    environment:
      # Get AuthKey from your Tailscale account
      - TSDPROXY_AUTHKEY=tskey-auth-XXXXXXXXXXXXX # Change: put your tailscale key.
      # Address of docker server (access to example.com ports)
      # - TSDPROXY_HOSTNAME=192.168.xxx.xxx
      - DOCKER_HOST=unix:///var/run/docker.sock
    restart: unless-stopped
    ports:
      - 8086:8080 # For the dashboard
    networks:
      - proxy-net
      - nextcloud-aio    

  ## NEXTCLOUD
  nextcloud:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "8080:8080"
    environment:
      - NEXTCLOUD_DATADIR=/mnt/data/nextcloud # Change: Use your own dir.
      # - AIO_DISABLE_BACKUP_SECTION=true
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - SKIP_DOMAIN_VALIDATION=false
      - NEXTCLOUD_ENABLE_DRI_DEVICE=true # Change this if you don't have DRI supported.
    networks:
      - nextcloud-aio

  ## PI-HOLE
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: always
    labels:
      tsdproxy.enable: "true"
      tsdproxy.name: "pi"
      tsdproxy.container_port: 80
      tsdproxy.ephemeral: "false"
    environment:
      - TZ="America/Mexico_City"
      - WEBPASSWORD="XXXXXXXXXX" # Change: choose password.
      - DNS1=8.8.8.8
      - DNS2=8.8.4.4
    ports:
      - "5353:53/udp"   # DNS port
      - "8083:80"       # Dashboard
    volumes:
      - pihole_config:/etc/pihole
      - pihole_dnsmasq:/etc/dnsmasq.d
    networks:
      - proxy-net

  ## VAULTWARDEN
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    labels:
      tsdproxy.enable: "true"
      tsdproxy.name: "vault"
      tsdproxy.ephemeral: "false"
    volumes:
      - /mnt/data/vaultwarden:/data  # Change: choose your location
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true
    ports:
      - "8081:80"  # Publicar puerto 80 del contenedor en el puerto 8081 del host
    networks:
      - proxy-net

  ## DASHY 
  dashy:
    image: lissy93/dashy:latest
    container_name: dashy
    restart: always
    labels:
      tsdproxy.enable: "true"
      tsdproxy.name: "dashy"
      tsdproxy.ephemeral: "false"
    ports:
      - "8082:8080"  # Dashboard
    volumes:
      - dashy_config:/config
    networks:
      - proxy-net

  ## PDF
  stirling-pdf:
    image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
    container_name: stirling-pdf
    labels:
      tsdproxy.enable: "true"
      tsdproxy.name: "pdf"
      tsdproxy.ephemeral: "false"
    ports:
      - 8084:8080
    volumes:
      - StirlingPDF_trainingData:/usr/share/tessdata # Required for extra OCR languages
      - StirlingPDF_extraConfigs:/configs
      - StirlingPDF_customFiles:/customFiles/
      - StirlingPDF_logs:/logs/
      - StirlingPDF_pipeline:/pipeline/
    environment:
      - DOCKER_ENABLE_SECURITY=false
      - LANGS=en_US
    networks:
      - proxy-net

  ## CALIBRE WEB
  calibre-web:
    image: lscr.io/linuxserver/calibre-web:latest
    container_name: calibre-web
    labels:
      tsdproxy.enable: "true"
      tsdproxy.name: "books"
      tsdproxy.ephemeral: "false"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - DOCKER_MODS=linuxserver/mods:universal-calibre #optional
      - OAUTHLIB_RELAX_TOKEN_SCOPE=1 #optional
    volumes:
      - calibre_data:/config
      - /mnt/data/calibre/library:/books
    ports:
      - 8085:8083
    restart: unless-stopped
    networks:
      - proxy-net

volumes:
  tsdproxy_data:
    name: tsdproxy-data
  tsdproxy_config:
    name: tsdproxy-config
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  dashy_config:
    name: dashy_config
  pihole_config:
    name: pihole_config
  pihole_dnsmasq:
    name: pihole_dnsmasq
  calibre_data:
    name: calibre_data
  StirlingPDF_trainingData:
    name: StirlingPDF_trainingData
  StirlingPDF_extraConfigs:
    name: StirlingPDF_extraConfigs
  StirlingPDF_customFiles:
    name: StirlingPDF_customFiles
  StirlingPDF_logs:
    name: StirlingPDF_logs
  StirlingPDF_pipeline:
    name: StirlingPDF_pipeline

networks:
  proxy-net:
    name: proxy-net
    driver: bridge
  nextcloud-aio:
    external: true # Use the existing Nextcloud network

1. Run with sudo docker compose up -d
2. Then stop all using sudo docker compose down
3. Inspect the tsdproxy config volume using: sudo docker volume ls
4. Then inspect the container using: sudo docker volume inspect tsdproxy-config, you'll see the config docker dir.
5. Enter into root using sudo su and then cd /var/lib/docker/volumes/tsdproxy-config/_data. Check current files using ls, you'll see a file called tsdproxy.yaml.
6. Then edit tsdproxy.yaml and add into files::

  media:
    filename: /config/media.yaml
    defaultProxyProvider: default
    defaultProxyAccessLog: false

7. Save it. Now create a new file in the working dir (/var/lib/docker/volumes/tsdproxy-config/_data) named media.yaml and add:

nextcloud:
  url: http://nextcloud-aio-apache:11000

8. Save it. You're good to go! You'll see

Check your machine list into tailscale, you should see the different hosts.

PLEASE NOTE: I wasn't able to make it work the turn/stun server for "nextcloud-aio-talk:3478" upstream using TSDproxy. Improvements are welcome!

[kevvek78]

Having issues getting this to work, did you not need to use the tsdproxy labels for nextcloud-aio?

[A4alli]

Great. But how about synapse server and coturn server

…

On Mon, Mar 24, 2025, 10:46 Chris Coria ***@***.***> wrote: How to setup with TSDproxy in order to have multiple apps: TSDproxy is a tailscale reverse proxy <https://almeidapaulopt.github.io/tsdproxy/> that allows you to deploy multiple docker apps without the needing sidecars. In this following example, we'll configure TSDproxy to redirect to: - Nextcloud - Vaultwarden - Pi-hole - Dashy - Stirling PDF - Calibre web PLEASE NOTE: Create a 90-day, no-ephemeral key <https://login.tailscale.com/admin/settings/keys>. docker-compose.yml: services: ## TSDproxy tsdproxy: image: almeidapaulopt/tsdproxy:latest container_name: tsdproxy volumes: - /var/run/docker.sock:/var/run/docker.sock - tsdproxy_data:/data - tsdproxy_config:/config environment: # Get AuthKey from your Tailscale account - TSDPROXY_AUTHKEY=tskey-auth-XXXXXXXXXXXXX # Change: put your tailscale key. # Address of docker server (access to example.com ports) # - TSDPROXY_HOSTNAME=192.168.xxx.xxx - DOCKER_HOST=unix:///var/run/docker.sock restart: unless-stopped ports: - 8086:8080 # For the dashboard networks: - proxy-net - nextcloud-aio ## NEXTCLOUD nextcloud: image: nextcloud/all-in-one:latest init: true restart: always container_name: nextcloud-aio-mastercontainer # This line cannot be changed. volumes: - nextcloud_aio_mastercontainer:/mnt/docker-aio-config - /var/run/docker.sock:/var/run/docker.sock:ro ports: - "8080:8080" environment: - NEXTCLOUD_DATADIR=/mnt/data/nextcloud # Change: Use your own dir. # - AIO_DISABLE_BACKUP_SECTION=true - APACHE_PORT=11000 - APACHE_IP_BINDING=0.0.0.0 - SKIP_DOMAIN_VALIDATION=false - NEXTCLOUD_ENABLE_DRI_DEVICE=true # Change this if you don't have DRI supported. networks: - nextcloud-aio ## PI-HOLE pihole: image: pihole/pihole:latest container_name: pihole restart: always labels: tsdproxy.enable: "true" tsdproxy.name: "pi" tsdproxy.container_port: 80 tsdproxy.ephemeral: "false" environment: - TZ="America/Mexico_City" - WEBPASSWORD="XXXXXXXXXX" # Change: choose password. - DNS1=8.8.8.8 - DNS2=8.8.4.4 ports: - "5353:53/udp" # DNS port - "8083:80" # Dashboard volumes: - pihole_config:/etc/pihole - pihole_dnsmasq:/etc/dnsmasq.d networks: - proxy-net ## VAULTWARDEN vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden restart: always labels: tsdproxy.enable: "true" tsdproxy.name: "vault" tsdproxy.ephemeral: "false" volumes: - /mnt/data/vaultwarden:/data # Change: choose your location environment: - WEBSOCKET_ENABLED=true - SIGNUPS_ALLOWED=true ports: - "8081:80" # Publicar puerto 80 del contenedor en el puerto 8081 del host networks: - proxy-net ## DASHY dashy: image: lissy93/dashy:latest container_name: dashy restart: always labels: tsdproxy.enable: "true" tsdproxy.name: "dashy" tsdproxy.ephemeral: "false" ports: - "8082:8080" # Dashboard volumes: - dashy_config:/config networks: - proxy-net ## PDF stirling-pdf: image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest container_name: stirling-pdf labels: tsdproxy.enable: "true" tsdproxy.name: "pdf" tsdproxy.ephemeral: "false" ports: - 8084:8080 volumes: - StirlingPDF_trainingData:/usr/share/tessdata # Required for extra OCR languages - StirlingPDF_extraConfigs:/configs - StirlingPDF_customFiles:/customFiles/ - StirlingPDF_logs:/logs/ - StirlingPDF_pipeline:/pipeline/ environment: - DOCKER_ENABLE_SECURITY=false - LANGS=en_US networks: - proxy-net ## CALIBRE WEB calibre-web: image: lscr.io/linuxserver/calibre-web:latest container_name: calibre-web labels: tsdproxy.enable: "true" tsdproxy.name: "books" tsdproxy.ephemeral: "false" environment: - PUID=1000 - PGID=1000 - TZ=Etc/UTC - DOCKER_MODS=linuxserver/mods:universal-calibre #optional - OAUTHLIB_RELAX_TOKEN_SCOPE=1 #optional volumes: - calibre_data:/config - /mnt/data/calibre/library:/books ports: - 8085:8083 restart: unless-stopped networks: - proxy-net volumes: tsdproxy_data: name: tsdproxy-data tsdproxy_config: name: tsdproxy-config nextcloud_aio_mastercontainer: name: nextcloud_aio_mastercontainer # This line cannot be changed. dashy_config: name: dashy_config pihole_config: name: pihole_config pihole_dnsmasq: name: pihole_dnsmasq calibre_data: name: calibre_data StirlingPDF_trainingData: name: StirlingPDF_trainingData StirlingPDF_extraConfigs: name: StirlingPDF_extraConfigs StirlingPDF_customFiles: name: StirlingPDF_customFiles StirlingPDF_logs: name: StirlingPDF_logs StirlingPDF_pipeline: name: StirlingPDF_pipeline networks: proxy-net: name: proxy-net driver: bridge nextcloud-aio: external: true # Use the existing Nextcloud network 1. Run with sudo docker compose up -d 2. Then stop all using sudo docker compose down 3. Inspect the tsdproxy config volume using: sudo docker volume ls 4. Then inspect the container using: sudo docker volume inspect tsdproxy-config, you'll see the config docker dir. 5. Enter into root using sudo su and then cd /var/lib/docker/volumes/tsdproxy-config/_data. Check current files using ls, you'll see a file called tsdproxy.yaml. 6. Then edit tsdproxy.yaml and add into files:: media: filename: /config/media.yaml defaultProxyProvider: default defaultProxyAccessLog: false 7. Save it. Now create a new file in the working dir (/var/lib/docker/volumes/tsdproxy-config/_data) named media.yaml and add: nextcloud: url: http://nextcloud-aio-apache:11000 8. Save it. You're good to go! You'll see — Reply to this email directly, view it on GitHub <#5439 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BMKVEZZN24AWSF7KE2VFCO32V6LZZAVCNFSM6AAAAABQGBXP2KVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTENJZG43DINI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[BaoAn21]

I now can start my Nextcloud. Thanks guy.
But what is the right way when I want to restart Nextcloud? For example when I turn off Docker and turn on, it does not connect to Tailscale network

[gizogit]

Awesome guide—really well documented... Appreciate the efforts! 🙌 Even I got everything up and running (learned about docker and everything.. 3 weeks ago.. hah), but I’m struggling with local (as in not via tailscale/internet) access since it seems somehow impossible to reach Nextcloud directly from the LAN. I tried setting up a local DNS entry in pihole (nextcloud.XX-XX.ts.net to ip of host machine (rasp pi)), but to no avail. Are there some additional configurations needed in caddy?

Also, performance over Tailscale is really slow and sometimes unresponsive, especially on Android using the nextcloud client (shows no internet, then works but sluggishly). Not sure if this is expected or if I'm doing something wrong. (despite fiber-optics inet access)

Any pointers? Would love your guys insights—thanks again for putting this together! 🚀

But... in this state its kinda useless to be completely frank.. haha 😅

[marenostrum1981]

Got AIO working with Tailscale based on cristo357's approach

I finally managed to get Nextcloud AIO working with Tailscale subdomains by following the approach described by cristo357. Here's how I did it.

1. Get a Tailscale auth key

First, obtain an auth key from Tailscale by going to Settings → Keys → Auth Keys. IMPORTANT: Make sure to create it as "Reusable" or it will stop working after a single use.

2. Create the required Docker networks

docker network create tsdproxy_default
docker network create nextcloud_aio_network

3. Set up tsdproxy

Create a tsdproxy folder and add this docker-compose file:

services:
  tsdproxy:
    image: almeidapaulopt/tsdproxy:latest
    container_name: tsdproxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./tsdproxy_data:/data
      - ./tsdproxy_config:/config
    environment:
      - TSDPROXY_AUTHKEY=tskey-auth-xxxxxx-xxxxxxx  # Change this
      - DOCKER_HOST=unix:///var/run/docker.sock
    restart: unless-stopped
    ports:
      - "8086:8080" # For the control panel (accessible from any interface)
    networks:
      - tsdproxy_default
      - nextcloud_aio_network

networks:
  tsdproxy_default:
    external: true
  nextcloud_aio_network:
    external: true

Note: "latest" works as of April 1, 2025. If it doesn't work, try the tag "almeidapaulopt/tsdproxy:1.4.7"

Start the container:

docker compose up -d

If successful, two new folders should be created: tsdproxy_config and tsdproxy_data

4. Configure the Proxy List

Now we need to configure a Proxy List so that when we launch the Nextcloud container, it can generate the subdomain. Adding a label to the AIO docker-compose doesn't work since we only have a container launcher. We need to interact with the Apache container on port 11000, and we can't do that by editing the AIO compose file. This part took me many hours to understand. More information about Proxy Lists can be found at https://almeidapaulopt.github.io/tsdproxy/docs/list/

Edit the newly created configuration file:

nano tsdproxy_config/tsdproxy.yaml

And set it up like this:

defaultproxyprovider: default
docker:
    local:
        host: unix:///var/run/docker.sock
        targethostname: 172.31.0.1
files: 
    media:
        filename: /config/media.yaml
        defaultProxyProvider: default
        defaultProxyAccessLog: false

tailscale:
    providers:
        default:
            authkey: tskey-auth-xxxxx-xxxxxx
            controlurl: https://controlplane.tailscale.com
    datadir: /data/
http:
    hostname: 0.0.0.0
    port: 8080
log:
    level: info
    json: false
proxyaccesslog: true

Basically, we've added the "media" section.

Now create the media.yaml file in the same path as tsdproxy.yaml:

nextcloud:
  url: http://nextcloud-aio-apache:11000

This will make our subdomain "nextcloud.tailcxxxxx.ts.net" and we'll see a service with that name in our Tailscale network.

5. Start the proxy

If you want to verify that the proxy is working properly, at least the general part, you can run:

docker run -d --name sample-nginx -p 8111:80 --label "tsdproxy.enable=true" nginx:latest

This will start a test nginx instance.

If you access your tailnet network on port 8086, you should see the proxy dashboard, along with the nginx button. Clicking the button should open nginx from its subdomain.

6. Set up Nextcloud AIO

Create the Nextcloud folder and add the compose file:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer
    init: true
    restart: always
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "8080:8080"
    environment:
      - NEXTCLOUD_DATADIR=/mnt/external/nextcloud
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - APACHE_ADDITIONAL_NETWORK=tsdproxy_default
      - SKIP_DOMAIN_VALIDATION=true
      - DISABLE_IP_RESTRICTIONS=true
      - NEXTCLOUD_MOUNT=/mnt/external
    networks:
      - nextcloud_aio_network
   
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

networks:
  tsdproxy_default:
    name: tsdproxy_default
    driver: bridge
  nextcloud_aio_network:
    external: true

Launch it and it should open the container configuration menu. After starting them, it should work.

Troubleshooting

If it doesn't work, check these things:

1. First, check the proxy logs with docker logs tsdproxy to see if your request is even reaching the proxy. If it's not visible, it's a connection problem, not a certificate issue.

2. Run tailscale status. Check that you don't have multiple "nextcloud" subdomains from previous failed attempts (like "nextcloud-1"). If you see "nextcloud-1", go to the Tailscale admin panel and delete both "nextcloud" and "nextcloud-1". Then restart the containers, and it should work properly with the "nextcloud" subdomain.

In my case, the problem was that I was applying the labels to the AIO container, and I spent many hours until I understood that they needed to be applied to the Apache container, which was impossible to do directly. You have to configure the media from the proxy.

The second problem I had was with "nextcloud-1", which made any configuration attempt unsuccessful.

It's possible that the compose files can be simplified with fewer configuration options, but this worked for me.

[marenostrum1981]

I''m attempting to do this with portainer. one of the networks say "nextcloud-aio" that should be "nextcloud_aio_network" right? portainer only accepted it that way lol

Yes, my fault! I will edit now. Thank you

[A4alli]

that is good tutorial. Much Appreciation

[A4alli]

can you tell me your security and privacy logs in nextcloud instance?

[Roy416]

Can confirm this works! I did have to restart my docker after the nextcloud containers started for the first time, so the nextcloud machine to appear. Can also confirm if you restart your server everything still works

[cyber-shifter]

First of all, thank you for this guide. I had found the tsdproxy docker on my own, but was unsure of how to go about using it. This got me much closer to actual success, but I'm still having issues.

I'm seeing a log message that the auth key is set, but the state is NoState so the authkey is ignored. Is this an expected state? Should we follow the log direction and put the environment variable in there to force the use of the auth key?

I'm seeing a message about needing to enable HTTPS in the admin panel to proceed. I thought I saw that http support was being added and that was already complete, but I could be wrong. Do I need to enable HTTPS? That wasn't mentioned in the instructions, so I didn't do it.

Also, in step 5 you talk about accessing the tailnet on port 8086. Did you mean to try accessing what would be the host address for the nextcloud on that port? That instruction is confusing.

I'm still fairly new to docker and tailscale especially, but I feel like this brought me at least closer. There's just some things that are unknowns as to whether I should be expected to see them. Please advise when you can. Thanks!

[Byte-sized1]

I'm new to docker, trailscale, coding, self-hosting, etc.....

1. Where do I set environmental variables?
2. Do I need to create the caddy file and docker compose file in a certain location?
3. I have tried to follow all the steps, but when I run docker compose up --build --wait I receive: no configuration file provided: not found

I'm sorry to ask such basic questions. I've been trying to research all of this but I'm keep getting links that take me back to this page.

[Byte-sized1]

What is the my ts_host name supposed to be? Where do I find it?

[Roy416]

you dont need to change that, leave it as nextcloud. unless thats where ive been going wrong too lmao, but nah looks like you dont need to change it

[Byte-sized1]

It's still failing to authorize. Still with the same log:
Post "https://api.tailscale.com/api/v2/tailnet/-/keys": oauth2: cannot fetch token: 401 Unauthorized
It also looks like it it's keeps trying to use an old oauth key that I tried to use the first time I tried this build. I completely deleted that first build using the docker reset commands from fill and started over. I've changed everything in my docker-compose file, but in my tailscale container under inspect I find:

"Env": [
			"TS_EXTRA_ARGS=--advertise-tags=tag:#########",
			"TS_HOSTNAME=nextcloud",
			"TS_AUTH_KEY=tskey-client-k41##########"
		],

The auth key starting in k41 is not what I have in my docker-compose file. How is the build accessing an old deleted key?

[Roy416]

did you create a .env or something? you dont need to do that, you need to put those values in the docker compose, theres variables already in there

[Byte-sized1]

I did on my first attempt, but then I scrapped that project and started over. I can't find any .env files currently. But the details from the env file are showing up on every build, so it must be somewhere. I even uninstalled and reinstalled docker and nothing has changed.

[Roy416]

This was working for me just last week on a VM that I scrapped. Trying it again today and it's creating a bunch of nextcloud machine clones. Tried a handful of times but the same issue, so I'm confused. One difference was this time the tailscale and caddy container had a "-1" at the end

[2kungfu4u]

compose.yml

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - nextcloud-aio
    ports:
      - 0.0.0.0:8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      SKIP_DOMAIN_VALIDATION: true
  nextcloud-aio-caddy:
    build:
      context: .
      dockerfile: Caddy.Dockerfile
    depends_on:
      nextcloud-aio-tailscale:
        condition: service_healthy
    restart: unless-stopped
    environment:
      NC_DOMAIN: nextcloud.your-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
    volumes:
      - type: bind
        source: ./Caddyfile
        target: /etc/caddy/Caddyfile
      - type: volume
        source: caddy_certs
        target: /certs
      - type: volume
        source: caddy_data
        target: /data
      - type: volume
        source: caddy_config
        target: /config
      - type: volume
        source: tailscale_sock
        target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
        read_only: true
    network_mode: service:nextcloud-aio-tailscale
  nextcloud-aio-tailscale:
    image: tailscale/tailscale:v1.80.3
    environment:
      TS_HOSTNAME: nextcloud # Enter the hostname for your tailnet
      TS_AUTH_KEY: tskey-client-kXGGbs6CNTRL # OAuth client key recommended
      TS_EXTRA_ARGS: --advertise-tags=tag:nextcloud # Tags are required when using OAuth client
    init: true
    healthcheck:
      test: tailscale status --peers=false --json | grep 'Online.*true'
      start_period: 3s
      interval: 1s
      retries: 3
    restart: unless-stopped
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - type: volume
        source: tailscale
        target: /var/lib/tailscale
      - type: volume
        source: tailscale_sock
        target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
    cap_add:
      - NET_ADMIN
    networks:
      - nextcloud-aio
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line cannot be changed.
  caddy_certs:
    name: caddy_certs
  caddy_data:
    name: caddy_data
  caddy_config:
    name: caddy_config
  tailscale:
    name: tailscale
  tailscale_sock:
    name: tailscale_sock
networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    enable_ipv6: false
    driver_opts:
      com.docker.network.driver.mtu: "1280" # You can set this to 9001 etc. to use jumbo frames, but packets may be dropped.
      com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio

Important

Make sure to replace NC_DOMAIN, TS_HOSTNAME, TS_AUTH_KEY, and TS_EXTRA_ARGS with your actual values before running the docker compose file.

3. Create Caddyfile and Caddy.Dockerfile

Create a Caddyfile in the current directory with the following content:

Caddyfile

{
    layer4 {
        127.0.0.1:3478 {
            route {
                proxy {
                    upstream nextcloud-aio-talk:3478
                }
            }
        }
        127.0.0.1:3479 {
            route {
                proxy {
                    upstream nextcloud-aio-talk:3479
                }
            }
        }
    }
}
https://{$NC_DOMAIN} {
    reverse_proxy nextcloud-aio-apache:11000
}
http://{$NC_DOMAIN} {
    reverse_proxy nextcloud-aio-apache:11000
}

Note

Do not manually replace the {$NC_DOMAIN} variable. It will be automatically populated with the value set in your environment variables.

Create Caddy.Dockerfile

FROM caddy:2.9.1-builder-alpine AS builder
RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03

FROM caddy:2.9.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

This was the only setup I could get to work to even load into nextcloud-aio, my question is if nextcloud and ccollabora aren't communicating re: "failed to connect to remote server" error, could this mean that we need additional arguments in the Docker-Compose and CaddyFile to add the collabora sever for communication something like

http://{$COLLABORA_DOMAIN} {
reverse_proxy nextcloud-aio-apache:11000

Or is it possible collabora needs to be added to tailscale the same way nextcloud is with its own tag?

[Byte-sized1]

I've made it through the first three steps. My containers and tailscale are up and running. But how do I proceed from here?

4. Provision Nextcloud
5. Connect to https://$NC_DOMAIN/ (e.g., https://nextcloud.your-tailnet.ts.net/)
6. Setup complete!
   Provisioning Nexcloud results in a second nextcloud-aio container with additional add-on containers.
   Connecting to my tailnet domain fails with: HTTP ERROR 502.
   What do I need to do to fix this?

[fallenoob]

I need help connecting to http://localhost:8080 on my old laptop being used a testing bench. I want to get this running to get a feel on it before i apply it on a stronger pc for the actual home server.

Laptop: Windows 10, i5 3rd Gen, 256GB Storage, 4GB RAM

I was able to follow the steps here until the Nextcloud AIO Provision all containers were up and running (green) but when I tried to open Nextcloud following the Provision, localhost:8080 doesnt load.

After a few troubleshooting with chatgpt, it was seen that Caddy and apache container are not connecting properly. Apache is giving a bad gateway and when i try doing Chatgpt's solution which is to connect the two manually, It displays the same thing in which i am now in a loop and i don't know what else to do now.

[Roy416]

https instead of http

[fallenoob]

Still cannot be reached. ERR_CONNECTION_REFUSED

[fallenoob]

I think i figured it out now on caddy container, I had "networks: -nextcloud-aio" instead of "network_mode: service:nextcloud-aio-tailscale" from the troubleshooting with chatgpt. I just noticed it from trying a fresh start.

I am now running it, hopefully it works! Will update soon.

[craig-dsilva]

I have done everything till step 4. When I navigate to my Nextcloud's domain i.e. Tailscale's domain, the domain does not respond.

To troubleshoot, I ran the following commands and got this response:

docker logs nexcloud-aio-nextcloud

Failed to fetch discovery endpoint from https:/nextcloud.tail.ts.net
cURL error 6: Could not resolve host: nextcloud.tail.ts.net (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.tail.ts.net/hosting/discovery

docker logs containers-nextcloud-aio-caddy-1

{"level":"error","ts":1744901388.1021264,"logger":"tls.obtain","msg":"will retry","error":"[nextcloud.tail.ts.net] Obtain: [nextcloud.tail.ts.net] solving challenge: nextcloud.tail.ts.net: [nextcloud.tail.ts.net] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for nextcloud.tail.ts.net - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for nextcloud.tail.ts.net - check that a DNS record exists for this domain (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":66.929218572,"max_duration":2592000}
{"level":"info","ts":1744901501.1028893,"logger":"tls.obtain","msg":"releasing lock","identifier":"nextcloud.tail.ts.net"}

Could someone please help me? Thanks.

[mboogaards]

You need to enable LetsEncrypt support in Tailscale: https://tailscale.com/kb/1153/enabling-https

[simon-schober]

How can I publish this to the internet using Tailscale funnels? I've tried following the exact guide above and it works inside my tailnet network, but I tried "tailscale funnel --bg https://localhost:80" and the same with 443 inside the tailscale container, as well as on the server itself to publish the website, but the website doesn't seem to work (it gives http 502 when doing it inside the Tailscale container and just straight up doesn't seem to find the website when trying to make the funnel on the host)