From 17362bc23489a38e3ae9b52511421302bc635541 Mon Sep 17 00:00:00 2001
From: lll <2844835+flll@users.noreply.github.com>
Date: Sun, 13 Oct 2024 18:56:34 +0900
Subject: [PATCH 1/3] [reverse-proxy.md] Add Tailscale integration setup
- Detailed explanation of integrating Tailscale, Caddy, and AIO
- Add example configuration for Compose file
- Include example Caddyfile configuration
- Provide instructions for setting environment variables
- Include notes on security and network configuration
Signed-off-by: lll <2844835+flll@users.noreply.github.com>
---
reverse-proxy.md | 159 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 159 insertions(+)
diff --git a/reverse-proxy.md b/reverse-proxy.md
index 1ea7b179..828a1aea 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -707,6 +707,165 @@ Add the following `web.config` file to the root of the site you created as the r
+### Tailscale
+
+
+
+click here to expand
+
+**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
+
+This setup integrates Nextcloud All-in-One (AIO) with Tailscale, using Caddy as a reverse proxy.
+Since Tailscale currently only allows communication with localhost(127.0.0.1), we use a sidecar with Caddy to communicate with AIO.
+
+- Enhanced security with ACL usage within Tailnet
+- ACME certificate issuance without port forwarding (Tailnet only)
+- Possibility to expose Nextcloud externally using Tailscale's `serve.json` configuration (This document does not provide an example of `serve.json`)
+
+
+### 1. Set Environment Variables
+
+Set the following environment variables:
+
+```env
+TS_HOSTNAME=nextcloud # Hostname in Tailnet
+NC_DOMAIN=nextcloud.your-tailnet.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
+TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
+TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage
+```
+
+>[!NOTE]
+> Ensure NC_DOMAIN is in the correct format.
+> When using OAuth client key, set tags in TS_EXTRA_ARGS and define them in ACL.
+>
+> For more detailed information, please refer to:
+> https://tailscale.com/blog/docker-tailscale-guide
+
+### 2. Configure Docker Compose File
+Create a compose.yml file with the following content. Replace environment variables as appropriate.
+
+#### compose.yml
+
+```yml
+services:
+ nextcloud-aio-mastercontainer:
+ image: nextcloud/all-in-one:latest
+ init: true
+ restart: always
+ container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
+ volumes:
+ - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ networks:
+ - nextcloud-aio
+ ports:
+ - 0.0.0.0:8080:8080
+ environment:
+ APACHE_PORT: 11000
+ APACHE_IP_BINDING: 127.0.0.1
+ SKIP_DOMAIN_VALIDATION: true
+
+ caddy:
+ image: caddy:alpine
+ restart: unless-stopped
+ environment:
+ - NC_DOMAIN=nextcloud.your-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
+ volumes:
+ - type: bind
+ source: ./Caddyfile
+ target: /etc/caddy/Caddyfile
+ - type: volume
+ source: caddy_certs
+ target: /certs
+ - type: volume
+ source: caddy_data
+ target: /data
+ - type: volume
+ source: caddy_config
+ target: /config
+ - type: volume
+ source: tailscale_sock
+ target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
+ read_only: true
+ network_mode: service:tailscale
+
+ tailscale:
+ image: tailscale/tailscale:latest
+ environment:
+ - TS_HOSTNAME=nextcloud # Enter the hostname for your tailnet
+ - TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
+ - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # Tags are required when using OAuth client
+ init: true
+ restart: unless-stopped
+ volumes:
+ - /dev/net/tun:/dev/net/tun
+ - type: volume
+ source: tailscale
+ target: /var/lib/tailscale
+ - type: volume
+ source: tailscale_sock
+ target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ networks:
+ - nextcloud-aio
+
+volumes:
+ nextcloud_aio_mastercontainer:
+ name: nextcloud_aio_mastercontainer # This line cannot be changed.
+ caddy_certs:
+ name: caddy_certs
+ caddy_data:
+ name: caddy_data
+ caddy_config:
+ name: caddy_config
+ tailscale:
+ name: tailscale
+ tailscale_sock:
+ name: tailscale_sock
+
+networks:
+ nextcloud-aio:
+ name: nextcloud-aio
+ driver: bridge
+ enable_ipv6: false
+ driver_opts:
+ com.docker.network.driver.mtu: "9001" # Jumbo Frame
+ com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio
+```
+
+>[!IMPORTANT]
+> Make sure to replace `NC_DOMAIN`, `TS_HOSTNAME`, `TS_AUTH_KEY`, and `TS_EXTRA_ARGS` with your actual values before running the docker compose file.
+
+
+### 3. Create Caddyfile
+Create a Caddyfile in the current directory with the following content:
+
+#### Caddyfile
+
+```Caddyfile
+https://{$NC_DOMAIN}:443 {
+ reverse_proxy nextcloud-aio-apache:11000
+}
+```
+
+>[!NOTE]
+> Do not manually replace the `{$NC_DOMAIN}` variable. It will be automatically populated with the value set in your environment variables.
+
+
+
+### 4. Set Up Nextcloud AIO
+1. Run `docker compose up -d`
+1. Connect to https://ip.address.of.server:8080/
+1. Enter the configured $NC_DOMAIN
+1. Provision Nextcloud
+1. Connect to `https://$NC_DOMAIN/` (e.g., https://nextcloud.your-tailnet.ts.net/)
+1. Setup complete!
+
+
+
+
### Others
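Review bot: The master container's `ports:` entry `0.0.0.0:8080:8080` publishes the AIO admin interface on every host interface, which undercuts the `com.docker.network.bridge.host_binding_ipv4: "127.0.0.1"` option commented as `# Harden aio` further down — as far as I know an explicit host IP in a port mapping overrides that network-level default, so the hardening comment does not apply to this port. Since the section's stated goal is tailnet-only access, bind the admin port to loopback, `- "127.0.0.1:8080:8080"`, and reach it over Tailscale or an SSH tunnel, or state in the text why it must be reachable on all interfaces. The same example carries the OAuth client secret inline (`TS_AUTH_KEY=tskey-client-...`) in both the `.env` snippet and `compose.yml`; a short note steering readers to an `.env` file or Docker secret would keep the key that enrolls nodes into the tailnet out of a committed compose file. The step-4 instruction `Connect to https://ip.address.of.server:8080/` should be updated to match whichever binding is chosen.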
From 42a39397e4866906e542c1be8fd63e0a70a4047a Mon Sep 17 00:00:00 2001
From: lll <2844835+flll@users.noreply.github.com>
Date: Fri, 18 Oct 2024 23:40:21 +0900
Subject: [PATCH 2/3] to wiki
Signed-off-by: lll <2844835+flll@users.noreply.github.com>
---
reverse-proxy.md | 150 +----------------------------------------------
1 file changed, 1 insertion(+), 149 deletions(-)
diff --git a/reverse-proxy.md b/reverse-proxy.md
index 828a1aea..7a06d30a 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -713,155 +713,7 @@ Add the following `web.config` file to the root of the site you created as the r
click here to expand
-**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
-
-This setup integrates Nextcloud All-in-One (AIO) with Tailscale, using Caddy as a reverse proxy.
-Since Tailscale currently only allows communication with localhost(127.0.0.1), we use a sidecar with Caddy to communicate with AIO.
-
-- Enhanced security with ACL usage within Tailnet
-- ACME certificate issuance without port forwarding (Tailnet only)
-- Possibility to expose Nextcloud externally using Tailscale's `serve.json` configuration (This document does not provide an example of `serve.json`)
-
-
-### 1. Set Environment Variables
-
-Set the following environment variables:
-
-```env
-TS_HOSTNAME=nextcloud # Hostname in Tailnet
-NC_DOMAIN=nextcloud.your-tailnet.ts.net # Format: {$TS_HOSTNAME}.{$tailnetdomain}.ts.net
-TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
-TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # For OAuth client key usage
-```
-
->[!NOTE]
-> Ensure NC_DOMAIN is in the correct format.
-> When using OAuth client key, set tags in TS_EXTRA_ARGS and define them in ACL.
->
-> For more detailed information, please refer to:
-> https://tailscale.com/blog/docker-tailscale-guide
-
-### 2. Configure Docker Compose File
-Create a compose.yml file with the following content. Replace environment variables as appropriate.
-
-#### compose.yml
-
-```yml
-services:
- nextcloud-aio-mastercontainer:
- image: nextcloud/all-in-one:latest
- init: true
- restart: always
- container_name: nextcloud-aio-mastercontainer # This line cannot be changed.
- volumes:
- - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- - /var/run/docker.sock:/var/run/docker.sock:ro
- networks:
- - nextcloud-aio
- ports:
- - 0.0.0.0:8080:8080
- environment:
- APACHE_PORT: 11000
- APACHE_IP_BINDING: 127.0.0.1
- SKIP_DOMAIN_VALIDATION: true
-
- caddy:
- image: caddy:alpine
- restart: unless-stopped
- environment:
- - NC_DOMAIN=nextcloud.your-tailnet.ts.net # Change this to your domain ending with .ts.net in the format {$TS_HOSTNAME}.{tailnetdomain}
- volumes:
- - type: bind
- source: ./Caddyfile
- target: /etc/caddy/Caddyfile
- - type: volume
- source: caddy_certs
- target: /certs
- - type: volume
- source: caddy_data
- target: /data
- - type: volume
- source: caddy_config
- target: /config
- - type: volume
- source: tailscale_sock
- target: /var/run/tailscale/ # Mount the volume for /var/run/tailscale/tailscale.sock
- read_only: true
- network_mode: service:tailscale
-
- tailscale:
- image: tailscale/tailscale:latest
- environment:
- - TS_HOSTNAME=nextcloud # Enter the hostname for your tailnet
- - TS_AUTH_KEY=tskey-client-kXGGbs6CNTRL # OAuth client key recommended
- - TS_EXTRA_ARGS=--advertise-tags=tag:nextcloud # Tags are required when using OAuth client
- init: true
- restart: unless-stopped
- volumes:
- - /dev/net/tun:/dev/net/tun
- - type: volume
- source: tailscale
- target: /var/lib/tailscale
- - type: volume
- source: tailscale_sock
- target: /tmp # Mounting the entire /tmp folder to access tailscale.sock
- cap_add:
- - NET_ADMIN
- - NET_RAW
- networks:
- - nextcloud-aio
-
-volumes:
- nextcloud_aio_mastercontainer:
- name: nextcloud_aio_mastercontainer # This line cannot be changed.
- caddy_certs:
- name: caddy_certs
- caddy_data:
- name: caddy_data
- caddy_config:
- name: caddy_config
- tailscale:
- name: tailscale
- tailscale_sock:
- name: tailscale_sock
-
-networks:
- nextcloud-aio:
- name: nextcloud-aio
- driver: bridge
- enable_ipv6: false
- driver_opts:
- com.docker.network.driver.mtu: "9001" # Jumbo Frame
- com.docker.network.bridge.host_binding_ipv4: "127.0.0.1" # Harden aio
-```
-
->[!IMPORTANT]
-> Make sure to replace `NC_DOMAIN`, `TS_HOSTNAME`, `TS_AUTH_KEY`, and `TS_EXTRA_ARGS` with your actual values before running the docker compose file.
-
-
-### 3. Create Caddyfile
-Create a Caddyfile in the current directory with the following content:
-
-#### Caddyfile
-
-```Caddyfile
-https://{$NC_DOMAIN}:443 {
- reverse_proxy nextcloud-aio-apache:11000
-}
-```
-
->[!NOTE]
-> Do not manually replace the `{$NC_DOMAIN}` variable. It will be automatically populated with the value set in your environment variables.
-
-
-
-### 4. Set Up Nextcloud AIO
-1. Run `docker compose up -d`
-1. Connect to https://ip.address.of.server:8080/
-1. Enter the configured $NC_DOMAIN
-1. Provision Nextcloud
-1. Connect to `https://$NC_DOMAIN/` (e.g., https://nextcloud.your-tailnet.ts.net/)
-1. Setup complete!
+It's too long to write here, so please jump to **this guide:** https://github.com/nextcloud/all-in-one/discussions/5439
From 70e31a40b4a4d7e009d930942f9c2e8e20a5ecef Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Mon, 21 Oct 2024 10:27:35 +0200
Subject: [PATCH 3/3] update wording
Signed-off-by: Simon L.
---
reverse-proxy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/reverse-proxy.md b/reverse-proxy.md
index 7a06d30a..15491819 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -713,7 +713,7 @@ Add the following `web.config` file to the root of the site you created as the r
click here to expand
-It's too long to write here, so please jump to **this guide:** https://github.com/nextcloud/all-in-one/discussions/5439
+For a reverse proxy example guide for Tailscale, see this guide by @flll: https://github.com/nextcloud/all-in-one/discussions/5439