Setting up NextCloud AIO¶
We already have Nginx set up as our reverse proxy, so that changes the docker command a bit. NextCloud AIO is simply Portainer-like container management for NextCloud containers. We run a single docker run command to initialize the AIO interface and from there we configure the containers. If you run most of your apps with docker compose, this is slightly annoying because you cannot manage your containers like you normally would; you have to do so through the abstraction of the AIO interface.
Launching the AIO container¶
We're going to follow the reverse proxy documentation which makes slight changes to the docker run command, https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md.
- Added -d to run the container in the background
- Changed to port 8089. Consider binding to localhost with 127.0.0.1 to prevent direct access.
- Will consider changing this binding so that the NextCloud server isn't directly exposed on the Apache port
- Changed to True. May prevent NextCloud from starting up with your desired domain.
- You can't change this to a bind mount. It must be a Docker volume or NextCloud will complain about not finding it.
- We have to pass AIO our Docker socket so that it can create the NextCloud containers.
I'm changing SKIP_DOMAIN_VALIDATION to true because the domain validation simply does not work for domains that resolve to local IPs or Tailscale IPs, and it's just not really necessary. I also added -d to run the container in detached mode.
Note
Try changing --env APACHE_IP_BINDING=0.0.0.0 to --env APACHE_IP_BINDING=127.0.0.1. It is unknown at this point whether this would actually close it off, though, since the container is running in its own network.
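To answer the binding question above, here is an added check of my own (not from the Nextcloud AIO project or its docs) that reads listener lines in the format of ss -H -ltn and reports which of the ports used on this page are bound to something other than loopback, i.e. reachable without going through the Nginx reverse proxy. The sample lines are constructed, not captured from a real host.

```shell
# Added audit helper, not part of Nextcloud AIO. Ports used on this page:
# 8089 = AIO interface, 11000 = Nextcloud Apache behind the reverse proxy.
AIO_PORTS="8089 11000"

# Reads listener lines on stdin (STATE RECV-Q SEND-Q LOCAL PEER ...), as
# printed by `ss -H -ltn`. Prints "port address" for every AIO port that is
# not bound to loopback; returns 1 if any such port was found, else 0.
exposed_aio_ports() {
  found=0
  while read -r _state _rq _sq laddr _rest; do
    port=${laddr##*:}   # text after the last ':' is the port
    addr=${laddr%:*}    # text before it: 127.0.0.1, 0.0.0.0, *, [::], [::1], ...
    for p in $AIO_PORTS; do
      [ "$port" = "$p" ] || continue
      case "$addr" in
        127.*|'[::1]'|'[::ffff:127.'*) ;;      # loopback only: proxy is the only way in
        *) echo "$port $addr"; found=1 ;;     # wildcard or LAN address: directly reachable
      esac
    done
  done
  return $found
}

# Constructed sample: the AIO interface is published on all interfaces (v4 and
# v6) while Nextcloud's Apache port is on loopback; 443 is Nginx itself.
SAMPLE='LISTEN 0 4096 0.0.0.0:8089 0.0.0.0:*
LISTEN 0 4096 [::]:8089 [::]:*
LISTEN 0 511 127.0.0.1:11000 0.0.0.0:*
LISTEN 0 511 *:443 *:*'

printf '%s\n' "$SAMPLE" | exposed_aio_ports \
  || echo "above ports bypass the reverse proxy; publish them on 127.0.0.1 instead"
```

On the real host, replace the sample with ss -H -ltn | exposed_aio_ports; a non-zero exit status means at least one AIO port is reachable without the proxy.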
We can also configure an Nginx server block for AIO. NextCloud recommends accessing the AIO interface directly through a port, which is not very good security practice, so I am going to access it through my reverse proxy. NextCloud says that HSTS could break the AIO interface in the future, so we can disable or comment that out if needed, but I haven't had any issue with this so far.
Setting up Nginx Blocks¶
# Nextcloud AIO
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name aio.tail.wildebeastmedia.com;
# Let's Encrypt Certs generated by certbot container
ssl_certificate /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;
# Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
include /etc/nginx/conf.d/hsts.conf;
# Enable Web Sockets
include /etc/nginx/conf.d/websocket.conf;
# Proxy settings for different subdomains
location / {
proxy_pass https://127.0.0.1:8089;
}
}
While we're in Nginx, let's go ahead and create a proxy host for our actual NextCloud web server. Note that this proxies to port 11000, where the NextCloud Apache server is listening.
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name nextcloud.tail.wildebeastmedia.com;
# Let's Encrypt Certs generated by certbot container
ssl_certificate /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;
# Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
include /etc/nginx/conf.d/hsts.conf;
# Enable Web Sockets
include /etc/nginx/conf.d/websocket.conf;
# Proxy settings for different subdomains
location / {
proxy_pass http://127.0.0.1:11000;
}
}
Note that if you need to start the process over because NextCloud gets configured wrong or stuck somewhere, you need to follow the instructions to remove the containers AND the volume (https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-properly-reset-the-instance).
Fixing Collabora¶
Right off the bat, Collabora does not work for editing Word documents. I need to follow these instructions to debug: https://github.com/nextcloud/all-in-one/discussions/1358, particularly this section:
Note
First, visit https://yourdomain.com/settings/admin/richdocuments and if you see the Allow list for WOPI requests input field (If you don't see the field, just skip this step), add ,0.0.0.0/0 to it. This might already resolve your connection issue. However it is not secure as you allow all ip-addresses to connect by doing so. ⚠️ If you don't see the Allow list for WOPI requests input field, just continue with the debugging steps below.
I'll need to determine what IP address is needed to get it to work instead of adding ,0.0.0.0/0, which allows any IP address.