
Setting up NextCloud AIO

We already have Nginx set up as our reverse proxy, so that changes the docker command a bit. NextCloud AIO is essentially Portainer-like container management for the NextCloud containers. We run a single docker run command to initialize the AIO interface, and from there we configure the containers. If you run most of your apps with docker compose, this is slightly annoying because you cannot manage the containers the way you normally would; you have to go through the abstraction of the AIO interface.

Launching the AIO container

We're going to follow the reverse proxy documentation, which makes slight changes to the docker run command: https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md.

docker run command for AIO

sudo docker run -d \
  --init \
  --sig-proxy=false \
  --name nextcloud-aio-mastercontainer \
  --restart always \
  --publish 127.0.0.1:8089:8080 \
  --env APACHE_PORT=11000 \
  --env APACHE_IP_BINDING=0.0.0.0 \
  --env APACHE_ADDITIONAL_NETWORK="" \
  --env SKIP_DOMAIN_VALIDATION=true \
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  ghcr.io/nextcloud-releases/all-in-one:latest

  1. -d: added to run the container in the background.
  2. --publish 127.0.0.1:8089:8080: changed the host port to 8089. Binding to localhost (127.0.0.1) prevents direct access to the AIO interface from outside the host.
  3. --env APACHE_IP_BINDING=0.0.0.0: will consider changing this binding so that the NextCloud server isn't directly exposed on the Apache port.
  4. --env SKIP_DOMAIN_VALIDATION=true: changed to true; the domain validation check can otherwise prevent NextCloud from starting up with your desired domain.
  5. --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config: you can't change this to a bind mount. It must be a docker volume or NextCloud will complain about not finding it.
  6. --volume /var/run/docker.sock:/var/run/docker.sock:ro: we have to pass AIO our docker socket so that it can create the NextCloud containers.

I'm changing SKIP_DOMAIN_VALIDATION to true because it simply does not work for domains that resolve to local IPs or Tailscale IPs. It's just not really necessary. I also added -d to run the container in detached mode.

Note

--env APACHE_IP_BINDING=0.0.0.0 should be changed to --env APACHE_IP_BINDING=127.0.0.1 if possible. It's unknown at this point whether this would actually close it off, since it's running in its own network.
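The question behind items 2 and 3 and the note above is which published ports end up bound to every interface (0.0.0.0 or ::) instead of loopback. The following POSIX shell helper is an added example, not from this page or the Nextcloud AIO project: it reads lines in the shape produced by `docker ps --format '{{.Names}}\t{{.Ports}}'` and prints every container binding that is reachable from outside the host. The sample input below is constructed to resemble an AIO install with the Apache container left on 0.0.0.0.

```shell
#!/bin/sh
# Added example (not the page's or Nextcloud AIO's own code).
# wildcard_bindings: read "<name>\t<ports>" lines on stdin, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and print "<name> <addr:port>" for every published port bound to a
# wildcard address (IPv4 0.0.0.0, IPv6 :: or [::]).
wildcard_bindings() {
    while IFS="$(printf '\t')" read -r name ports; do
        [ -n "$ports" ] || continue
        # Entries are comma separated: "ADDR:HOSTPORT->CONTAINERPORT/proto"
        # or just "CONTAINERPORT/proto" when the port is exposed but not published.
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r entry; do
            case "$entry" in
                *'->'*) host=${entry%%->*} ;;   # keep the host side only
                *) continue ;;                  # not published on the host
            esac
            addr=${host%:*}                     # strip the trailing :PORT
            case "$addr" in
                0.0.0.0|::|'[::]') printf '%s %s\n' "$name" "$host" ;;
            esac
        done
    done
}

# audit_live_containers: the same check against the running docker daemon.
audit_live_containers() {
    docker ps --format '{{.Names}}\t{{.Ports}}' | wildcard_bindings
}

# Constructed sample of `docker ps` output (tab separated), not captured
# from a real host: the AIO interface is on loopback, Apache is wide open.
SAMPLE_PS=$(printf '%s\t%s\n%s\t%s\n%s\t%s\n' \
    'nextcloud-aio-mastercontainer' '127.0.0.1:8089->8080/tcp, 8443/tcp' \
    'nextcloud-aio-apache' '0.0.0.0:11000->11000/tcp, :::11000->11000/tcp' \
    'nextcloud-aio-database' '5432/tcp')

# Prints the two Apache bindings; the mastercontainer and the database are silent.
printf '%s\n' "$SAMPLE_PS" | wildcard_bindings
```

Run `audit_live_containers` on the docker host after AIO has started its containers; an empty result means everything published is confined to loopback and only reachable through the reverse proxy. Port 11000 showing up on 0.0.0.0 is expected with the APACHE_IP_BINDING=0.0.0.0 setting used above and is exactly what the note is about.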

We can also configure an Nginx server block for AIO. NextCloud recommends that you access the AIO interface directly through a port, which is not very good security practice, so I am going to access it through my reverse proxy. NextCloud says that HSTS could break the AIO interface in the future, so we can disable or comment that out if needed, but I haven't had any issue with this so far.

Setting up Nginx Blocks

# Nextcloud AIO
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name aio.tail.wildebeastmedia.com;

    # Let's Encrypt Certs generated by certbot container
    ssl_certificate        /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

    # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
    include /etc/nginx/conf.d/hsts.conf;

    # Enable Web Sockets
    include /etc/nginx/conf.d/websocket.conf;

    # Proxy settings for different subdomains
    location / {
        proxy_pass https://127.0.0.1:8089;
    }
}

While we're in nginx, let's go ahead and create a proxy host for our actual NextCloud web server. Note that this proxies to port 11000, where the NextCloud Apache server is listening.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name nextcloud.tail.wildebeastmedia.com;

    # Let's Encrypt Certs generated by certbot container
    ssl_certificate        /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

    # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
    include /etc/nginx/conf.d/hsts.conf;

    # Enable Web Sockets
    include /etc/nginx/conf.d/websocket.conf;

    # Proxy settings for different subdomains
    location / {
        proxy_pass http://127.0.0.1:11000;
    }
}
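The block above forwards requests but tells Apache nothing about the original host, client address or scheme, so NextCloud behind it sees every client as 127.0.0.1 and may build http:// URLs. The server block below is an added example, not the page's own config and not copied from the AIO project; it keeps the page's hostnames and certificate paths and adds the forwarded headers, upload and timeout settings that the AIO reverse-proxy documentation asks an nginx proxy to set. The inline Upgrade/Connection headers replace the page's websocket.conf include, whose contents are not shown; the exact directive values are my assumption.

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name nextcloud.tail.wildebeastmedia.com;

    # Let's Encrypt Certs generated by certbot container (paths from the page)
    ssl_certificate        /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

    include /etc/nginx/conf.d/hsts.conf;

    location / {
        proxy_pass http://127.0.0.1:11000;
        proxy_http_version 1.1;

        # Let NextCloud see the real host, client and scheme so that generated
        # links use https://nextcloud.tail... and logs/brute-force protection
        # record the client IP instead of the proxy's 127.0.0.1.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade (replaces the websocket.conf include)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Large uploads and long-running sync/WebDAV connections
        client_max_body_size 0;
        proxy_read_timeout 86400s;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

After reloading nginx, the admin overview in NextCloud should stop warning about the reverse proxy header configuration, and the access log on the NextCloud side should show real client addresses rather than 127.0.0.1.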

Note that if you need to start the process over because NextCloud gets configured wrong or stuck somewhere, you need to follow the instructions to remove the containers AND the volume (https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-properly-reset-the-instance).

Fixing Collabora

Right off the bat, Collabora does not work to edit Word documents. I need to follow these instructions to debug: https://github.com/nextcloud/all-in-one/discussions/1358, particularly this section:

Note

First, visit https://yourdomain.com/settings/admin/richdocuments and if you see the Allow list for WOPI requests input field (if you don't see the field, just skip this step), add ,0.0.0.0/0 to it. This might already resolve your connection issue. However, it is not secure as you allow all IP addresses to connect by doing so. ⚠️ If you don't see the Allow list for WOPI requests input field, just continue with the debugging steps below.

I'll need to determine what IP address is needed to get it to work instead of adding ,0.0.0.0/0 which allows any IP address.
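Whatever address turns out to be the right one, the allow list is a plain comma-separated field and it is easy to leave a catch-all in it by accident. The POSIX shell helper below is an added example, not from this page, the linked discussion or the Nextcloud project: it classifies each entry of a proposed allow list as ok, catch-all or invalid (IPv6 entries are passed through unchecked) and returns non-zero if anything needs fixing, so it can be run before pasting the value into the richdocuments settings page. The sample list is constructed; it does not state which address actually makes Collabora work.

```shell
#!/bin/sh
# Added example (not the page's or Nextcloud's own code): sanity-check a
# WOPI allow list before saving it. The field accepts comma-separated IPv4
# addresses or CIDR ranges; 0.0.0.0/0 (or any /0) admits every host.

# is_octet NUM: true if NUM is an integer in 0..255 (also used for prefix lengths)
is_octet() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# valid_ipv4 ADDR: true for a well-formed dotted-quad IPv4 address
valid_ipv4() {
    saved_ifs=$IFS; IFS='.'; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        is_octet "$octet" || return 1
    done
    return 0
}

# classify_entry ENTRY: prints ok | catch-all | invalid | unchecked-ipv6
classify_entry() {
    entry=$1
    case "$entry" in
        0.0.0.0|0.0.0.0/0|::|::/0|*/0) echo catch-all ;;
        *:*) echo unchecked-ipv6 ;;            # IPv6 is not validated here
        */*)
            ip=${entry%/*}; plen=${entry#*/}
            if valid_ipv4 "$ip" && is_octet "$plen" && [ "$plen" -le 32 ]; then
                echo ok
            else
                echo invalid
            fi ;;
        *)
            if valid_ipv4 "$entry"; then echo ok; else echo invalid; fi ;;
    esac
}

# wopi_allowlist_check LIST: prints "<verdict>: <entry>" per entry and returns
# 1 if any entry is a catch-all or invalid, 0 if the whole list is acceptable.
wopi_allowlist_check() {
    saved_ifs=$IFS; IFS=','; set -- $1; IFS=$saved_ifs
    problems=0
    for raw in "$@"; do
        entry=$(printf '%s' "$raw" | tr -d ' \t')   # tolerate spaces after commas
        [ -n "$entry" ] || continue                 # skip the empty field a leading comma leaves
        verdict=$(classify_entry "$entry")
        printf '%s: %s\n' "$verdict" "$entry"
        case "$verdict" in catch-all|invalid) problems=1 ;; esac
    done
    return $problems
}

# Constructed sample: two sane entries, the catch-all from the discussion, and a typo.
SAMPLE_LIST='127.0.0.1, 172.18.0.0/16,0.0.0.0/0, 10.0.0.999'
wopi_allowlist_check "$SAMPLE_LIST" || echo "allow list needs fixing before saving"
```

For the sample list this prints ok for the two valid entries, flags 0.0.0.0/0 as catch-all and 10.0.0.999 as invalid, then the trailing message. Once the correct Collabora address or docker subnet is known, running the check on just that entry should return 0.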
