New AiO installation behind caddy and tailscale, Collabora not connecting?

Nextcloud version: Nextcloud Hub 8 (29.0.4)
Operating system and version: 6.10.2-arch1-1 (64-bit)
Apache version: Apache/2.4.61 (Unix)
Caddy version: latest --with github.com/tailscale/caddy-tailscale
PHP version: PostgreSQL 16.3 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit

The issue you are facing:
Hello, I have had Nextcloud running for about a week now. Just now noticed that the documents don’t load. I’d been opening the provided ones that come with a new installation and was satisfied that it was working and didn’t realize the others don’t load. Isn’t this supposed to just work on new installs?

Is this the first time you’ve seen this error?: Yes

Steps to replicate it:

  1. Install nextcloud behind reverse proxy with tailscale. (No clear web access, talk works fine, so it’s not the weird setup)

  2. Include Collabora in containers

  3. Try to create a new document, infinite loading ensues

The output of your Nextcloud log in Admin > Logging: It’s the same error over and over, unrelated I think.

[no app in context] Fatal: Could not boot files_trackdownloads: Call to undefined method OC\Server::getEventDispatcher()
	GET /apps/logreader/api/log?offset=0&query=
	from 100.122.199.7 by admin at Aug 5, 2024, 12:56:13 PM

The output of your config.php file in /path/to/nextcloud :

<?php
$CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'check_data_directory_permissions' => false,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'nextcloud-aio-redis',
    'password' => 'snip',
    'port' => 6379,
  ),
  'overwritehost' => 'nextcloud.wallaby-gopher.ts.net',
  'overwriteprotocol' => 'https',
  'passwordsalt' => 'snip',
  'secret' => 'snip',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.wallaby-gopher.ts.net',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.4.1',
  'overwrite.cli.url' => 'https://nextcloud.wallaby-gopher.ts.net/',
  'dbname' => 'nextcloud_database',
  'dbhost' => 'nextcloud-aio-database:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_nextcloud',
  'dbpassword' => 'snip',
  'installed' => true,
  'instanceid' => 'oc35c56ax6f2',
  'maintenance' => false,
  'loglevel' => 2,
  'log_type' => 'file',
  'logfile' => '/var/www/html/data/nextcloud.log',
  'log_rotate_size' => 10485760,
  'log.condition' => 
  array (
    'apps' => 
    array (
      0 => 'admin_audit',
    ),
  ),
  'preview_max_x' => 2048,
  'preview_max_y' => 2048,
  'jpeg_quality' => 60,
  'enabledPreviewProviders' => 
  array (
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
    0 => 'OC\\Preview\\Imaginary',
  ),
  'enable_previews' => true,
  'upgrade.disable-web' => true,
  'mail_smtpmode' => 'smtp',
  'trashbin_retention_obligation' => 'auto, 30',
  'versions_retention_obligation' => 'auto, 30',
  'activity_expire_days' => 30,
  'simpleSignUpLink.shown' => false,
  'share_folder' => '/Shared',
  'one-click-instance.link' => 'https://nextcloud.com/all-in-one/',
  'upgrade.cli-upgrade-link' => 'https://github.com/nextcloud/all-in-one/discussions/2726',
  'updatedirectory' => '/nc-updater',
  'maintenance_window_start' => 100,
  'allow_local_remote_servers' => true,
  'davstorage.request_timeout' => 3600,
  'htaccess.RewriteBase' => '/',
  'dbpersistent' => false,
  'auth.bruteforce.protection.enabled' => true,
  'ratelimit.protection.enabled' => true,
  'files_external_allow_create_new_local' => false,
  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
    1 => '::1',
    10 => '172.19.0.0/16',
  ),
  'preview_imaginary_url' => 'http://nextcloud-aio-imaginary:9000',
  'preview_imaginary_key' => 'snip',
  'memories.db.triggers.fcu' => true,
  'memories.exiftool' => '/var/www/html/custom_apps/memories/bin-ext/exiftool-amd64-musl',
  'memories.vod.path' => '/var/www/html/custom_apps/memories/bin-ext/go-vod-amd64',
  'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
  'memories.vod.ffprobe' => '/usr/bin/ffprobe',
  'app_install_overwrite' => 
  array (
    0 => 'files_trackdownloads',
    1 => 'admin_notifications',
  ),
  'memories.gis_type' => 2,
);

The output of your Apache/system log in portainer:

Waiting for Nextcloud to start...

Connection to nextcloud-aio-nextcloud (172.19.0.10) 9000 port [tcp/*] succeeded!

[Mon Aug 05 17:43:44.844497 2024] [mpm_event:notice] [pid 53:tid 53] AH00489: Apache/2.4.61 (Unix) configured -- resuming normal operations

[Mon Aug 05 17:43:44.844523 2024] [core:notice] [pid 53:tid 53] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

INF ts=1722879824.8573232 msg=using config from file file=/tmp/Caddyfile

INF ts=1722879824.8582845 msg=adapted config to JSON adapter=caddyfile

Once I give up on loading it’ll throw this error:

ERR ts=1722880782.8265193 logger=http.log.error msg=read tcp 172.19.0.12:57494->172.19.0.2:9980: read: connection reset by peer request={"remote_ip":"172.19.0.1","remote_port":"59136","client_ip":"100.122.199.7","proto":"HTTP/1.1","method":"GET","host":"nextcloud.wallaby-gopher.ts.net","uri":"/hosting/discovery","headers":{"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"],"Sec-Gpc":["1"],"X-Forwarded-For":["100.122.199.7"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"],"Cookie":["REDACTED"],"Sec-Fetch-Dest":["empty"],"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Dnt":["1"],"Priority":["u=4"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"X-Forwarded-Host":["nextcloud.wallaby-gopher.ts.net"]}} duration=694.960393373 status=502 err_id=6kxerk504 err_trace=reverseproxy.statusError (reverseproxy.go:1269)

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

[05-Aug-2024 17:43:40] NOTICE: fpm is running, pid 569

[05-Aug-2024 17:43:40] NOTICE: ready to handle connections

Activating Collabora config...

✓ Reset callback url autodetect

Checking configuration

🛈 Configured WOPI URL: https://nextcloud.wallaby-gopher.ts.net

🛈 Configured public WOPI URL: https://nextcloud.wallaby-gopher.ts.net

🛈 Configured callback URL: 

Failed to fetch discovery endpoint from https://nextcloud.wallaby-gopher.ts.net

cURL error 28: Operation timed out after 5002 milliseconds with 0 bytes received (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.wallaby-gopher.ts.net/hosting/discovery

sh: /var/www/html/custom_apps/richdocumentscode/collabora/Collabora_Online.AppImage: not found

sh: /var/www/html/custom_apps/richdocumentscode/collabora/Collabora_Online.AppImage: not found

NOTICE: PHP message: richdocumentscode (proxy.php) error exit, PID: 638, Message: no_glibc

Collabora logs:

wsd-00007-00007 2024-08-05 18:16:25.125894 +0000 [ coolwsd ] TRC  #14: Listening| net/ServerSocket.hpp:77

wsd-00007-00007 2024-08-05 18:16:25.125895 +0000 [ coolwsd ] INF  #14 Listening to client connections on port 9980| wsd/COOLWSD.cpp:4221

wsd-00007-00007 2024-08-05 18:16:25.125897 +0000 [ coolwsd ] TRC  Creating thread for SocketPoll prisoner_poll| net/Socket.cpp:310

wsd-00007-00007 2024-08-05 18:16:25.125945 +0000 [ coolwsd ] TRC  #15: Created socket. Thread affinity set to 0x710bf8edd840| net/Socket.hpp:384

wsd-00007-00007 2024-08-05 18:16:25.125948 +0000 [ coolwsd ] INF  #15: Binding to Unix socket for local server with base name: 0coolwsd-| net/Socket.cpp:1231

wsd-00007-00007 2024-08-05 18:16:25.125954 +0000 [ coolwsd ] TRC  #15: Binding to Unix socket location [coolwsd-RNQjYAFu], result: 0| net/Socket.cpp:1258

wsd-00007-00007 2024-08-05 18:16:25.125956 +0000 [ coolwsd ] TRC  #15: Listening| net/ServerSocket.hpp:77

wsd-00007-00007 2024-08-05 18:16:25.125958 +0000 [ coolwsd ] INF  Listening to prisoner connections on coolwsd-RNQjYAFu| wsd/COOLWSD.cpp:4154

wsd-00007-00007 2024-08-05 18:16:25.125960 +0000 [ coolwsd ] TRC  Inserting socket #15, address [], into prisoner_poll| net/Socket.hpp:737

wsd-00007-00007 2024-08-05 18:16:25.125961 +0000 [ coolwsd ] TRC  #15: Resetting thread affinity while in transit (was 0x710bf8edd840)| net/Socket.hpp:337

wsd-00007-00007 2024-08-05 18:16:25.125965 +0000 [ coolwsd ] INF  Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4392

wsd-00007-00010 2024-08-05 18:16:25.126004 +0000 [ prisoner_poll ] INF  Thread 10 (710bf78006c0) of process 7 formerly unnamed is now called [prisoner_poll]| common/Util.cpp:326

wsd-00007-00010 2024-08-05 18:16:25.126015 +0000 [ prisoner_poll ] INF  Starting polling thread [prisoner_poll] with thread affinity set to 0x710bf78006c0.| net/Socket.cpp:373

wsd-00007-00010 2024-08-05 18:16:25.126018 +0000 [ prisoner_poll ] TRC  ppoll start, timeoutMicroS: 64000000 size 0| net/Socket.cpp:428

wsd-00007-00010 2024-08-05 18:16:25.126022 +0000 [ prisoner_poll ] TRC  Poll completed with 1 live polls max (64000000us)| net/Socket.cpp:446

wsd-00007-00010 2024-08-05 18:16:25.126025 +0000 [ prisoner_poll ] TRC  #6: Handling events of wakeup pipe: 0x1| net/Socket.cpp:455

wsd-00007-00010 2024-08-05 18:16:25.126029 +0000 [ prisoner_poll ] TRC  Wakeup pipe read 1 bytes| net/Socket.cpp:462

wsd-00007-00010 2024-08-05 18:16:25.126030 +0000 [ prisoner_poll ] TRC  Inserting 1 new sockets after the existing 0| net/Socket.cpp:474

wsd-00007-00010 2024-08-05 18:16:25.126032 +0000 [ prisoner_poll ] TRC  #15: Thread affinity set to 0x710bf78006c0 (was 0)| net/Socket.hpp:326

wsd-00007-00010 2024-08-05 18:16:25.126034 +0000 [ prisoner_poll ] TRC  PrisonerPoll - wakes up with 0 new children and 0 brokers and 0 kits forking| wsd/COOLWSD.cpp:3472

wsd-00007-00010 2024-08-05 18:16:25.126037 +0000 [ prisoner_poll ] INF  Creating new forkit process.| wsd/COOLWSD.cpp:3495

wsd-00007-00010 2024-08-05 18:16:25.126044 +0000 [ prisoner_poll ] INF  Launching forkit process: /usr/bin/coolforkit --systemplate=/opt/cool/systemplate --lotemplate=/opt/collaboraoffice --childroot=/opt/cool/child-roots/7-95e9318e/ --clientport=9980 --masterport=coolwsd-RNQjYAFu --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --ui=default| wsd/COOLWSD.cpp:3606

wsd-00007-00010 2024-08-05 18:16:25.126205 +0000 [ prisoner_poll ] INF  Forkit process launched: 11| wsd/COOLWSD.cpp:3612

wsd-00007-00010 2024-08-05 18:16:25.126210 +0000 [ prisoner_poll ] TRC  Rebalance children to 3, have 0 and 1 outstanding requests| wsd/COOLWSD.cpp:553

wsd-00007-00010 2024-08-05 18:16:25.126215 +0000 [ prisoner_poll ] TRC  Rebalance children to 4, have 0 and 1 outstanding requests| wsd/COOLWSD.cpp:553

wsd-00007-00010 2024-08-05 18:16:25.126217 +0000 [ prisoner_poll ] TRC  PollSocket container size has changed from 0 to 1| net/Socket.cpp:519

coolforkit version details: 24.04.5.2 - ca2ed20

frk-00011-00011 2024-08-05 18:16:25.127822 +0000 [ coolforkit ] INF  Initializing frk. Local time: Mon 2024-08-05 18:16:25 +0000. Log level is [8]| common/Log.cpp:654

frk-00011-00011 2024-08-05 18:16:25.127830 +0000 [ coolforkit ] INF  Setting log-level to [trace and delaying setting to configured [warning] until after Forkit initialization.| kit/ForKit.cpp:651

frk-00011-00011 2024-08-05 18:16:25.127836 +0000 [ coolforkit ] INF  RLIMIT_AS is unlimited after setting it to unlimited.| common/Seccomp.cpp:287

frk-00011-00011 2024-08-05 18:16:25.127839 +0000 [ coolforkit ] INF  RLIMIT_STACK is 8192000 bytes after setting it to 8192000 bytes.| common/Seccomp.cpp:287

frk-00011-00011 2024-08-05 18:16:25.127842 +0000 [ coolforkit ] INF  Ignored setting RLIMIT_FSIZE to unlimited.| common/Seccomp.cpp:293

frk-00011-00011 2024-08-05 18:16:25.127844 +0000 [ coolforkit ] INF  Ignored setting RLIMIT_NOFILE to unlimited.| common/Seccomp.cpp:293

frk-00011-00011 2024-08-05 18:16:25.127850 +0000 [ coolforkit ] DBG  About to init Kit UnitBase with test []| kit/ForKit.cpp:763

frk-00011-00011 2024-08-05 18:16:25.127861 +0000 [ coolforkit ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:231

frk-00011-00011 2024-08-05 18:16:25.127864 +0000 [ coolforkit ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:231

frk-00011-00011 2024-08-05 18:16:25.127866 +0000 [ coolforkit ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:231

Capabilities are not set for the coolforkit program.

frk-00011-00011 2024-08-05 18:16:25.127869 +0000 [ coolforkit ] FTL  Capabilities are not set for the coolforkit program.| kit/ForKit.cpp:777

Please make sure that the current partition was *not* mounted with the 'nosuid' option.

frk-00011-00011 2024-08-05 18:16:25.127871 +0000 [ coolforkit ] FTL  Please make sure that the current partition was *not* mounted with the 'nosuid' option.| kit/ForKit.cpp:778

If you are on SLES11, please set 'file_caps=1' as kernel boot option.

frk-00011-00011 2024-08-05 18:16:25.127874 +0000 [ coolforkit ] FTL  If you are on SLES11, please set 'file_caps=1' as kernel boot option.| kit/ForKit.cpp:779

wsd-00007-00007 2024-08-05 18:16:45.126051 +0000 [ coolwsd ] INF  Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4392

wsd-00007-00007 2024-08-05 18:17:05.126172 +0000 [ coolwsd ] INF  Waiting for a new child for a max of 20000ms| wsd/COOLWSD.cpp:4392

wsd-00007-00010 2024-08-05 18:16:25.126221 +0000 [ prisoner_poll ] TRC  #15: setupPollFds getPollEvents: 0x1| net/Socket.hpp:875

wsd-00007-00010 2024-08-05 18:16:25.126223 +0000 [ prisoner_poll ] TRC  ppoll start, timeoutMicroS: 64000000 size 1| net/Socket.cpp:428

wsd-00007-00010 2024-08-05 18:17:29.190303 +0000 [ prisoner_poll ] TRC  Poll completed with 0 live polls max (64000000us)(timedout)| net/Socket.cpp:446

Things I’ve tried:

  1. Navigated to my rich documents https://nextcloud.wallaby-gopher.ts.net/settings/admin/richdocuments
    It had said failed to curl


    so I thought I’d use the built in code which said I needed to install Collabora Online - Built-in CODE Server, so I did and got a slightly different error

  2. I found this guide for when Collabora needs help even though it’s supposed to install itself: link

I ended up downloading two more apps based on that: Community Document Server Version 0.1.18 and ONLYOFFICE. This just resulted in a new error:

  3. Uninstalling all of these apps now:
I can get a green light when no radio button is selected:


but behavior is the same, and returns to step 1.'s WOPI image upon selecting an option.

  4. Trying this guide with integrating Collabora. I get stuck on step 2 of troubleshooting: docker exec nextcloud-aio-collabora curl https://nextcloud.wallaby-gopher.ts.net/hosting/discovery -v
    It just gets stuck, no errors:
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 100.96.243.61:443...
* Connected to nextcloud.wallaby-gopher.ts.net (100.96.243.61) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2065 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=nextcloud.wallaby-gopher.ts.net
*  start date: Aug  1 16:35:45 2024 GMT
*  expire date: Oct 30 16:35:44 2024 GMT
*  subjectAltName: host "nextcloud.wallaby-gopher.ts.net" matched cert's "nextcloud.wallaby-gopher.ts.net"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /hosting/discovery]
* h2h3 [:scheme: https]
* h2h3 [:authority: nextcloud.wallaby-gopher.ts.net]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5e64a9615ce0)
} [5 bytes data]
> GET /hosting/discovery HTTP/2
> Host: nextcloud.wallaby-gopher.ts.net
> user-agent: curl/7.88.1
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [122 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:01:27 --:--:-- 

Thank you in advance for your help!

in the other post and the solution you referred caddy doesn’t have any config for Collabora - did you add this and is it reachable from Nextcloud (apache container) and client? I’m not sure it is expected with tailscale but I can’t access your URL from outside.

Hello wwe, yes, as far as I was aware the purpose of the Collabora Online - Built-in CODE Server is so that a separate server does not need to be run. Have I configured wrong to go this route or is the CODE server just so bad everyone runs it in separately?

I’m not quite sure how to check connection from apache to collabora, as it seems it doesn’t have curl? Ping doesn’t like the subdomains to try that way either.

[drm@archlinux ~]$ docker exec nextcloud-aio-apache curl https://nextcloud.wallaby-gopher.ts.net/hosting/discovery -v
OCI runtime exec failed: exec failed: unable to start container process: exec: "curl": executable file not found in $PATH: unknown
[drm@archlinux ~]$ docker exec nextcloud-aio-apache ping https://nextcloud.wallaby-gopher.ts.net/hosting/discovery
ping: bad port '//nextcloud.wallaby-gopher.ts.net/hosting/discovery'
[drm@archlinux ~]$ docker exec nextcloud-aio-apache ping nextcloud.wallaby-gopher.ts.net/hosting/discovery
ping: bad address 'nextcloud.wallaby-gopher.ts.net/hosting/discovery'
[drm@archlinux ~]$ docker exec nextcloud-aio-apache ping nextcloud.wallaby-gopher.ts.net
PING nextcloud.wallaby-gopher.ts.net (100.96.243.61): 56 data bytes
64 bytes from 100.96.243.61: seq=0 ttl=42 time=0.216 ms
64 bytes from 100.96.243.61: seq=1 ttl=42 time=0.299 ms


This is an expected behavior, yes. You have to be on the tailnet to access my nextcloud. Along that line: if I have to run the collabora server separately, would it need a tailscale/caddy cert with https or does it typically just use an ip/port?

yes with ping you can only check DNS resolution for the host nextcloud.wallaby-gopher.ts.net - this should be your external/public IP address (caddy or tailscale depending on setup). well I’m in turn not familiar with AiO… but given the fact both share the same network curl results from Collabora should be valid for NC as well… from the results you posted earlier it looks like your request arrives at the right place as you see a valid cert… this request must be visible in tailscale/caddy logs (maybe you have to increase/enable logging for access logs) - check where this request goes and why it fails.

yes but AiO doesn’t use built-in CODE… technically it is still a separate container… but it still shares the same public FQDN… I’m not sure your reverseproxy config requires additional config. did you check AiO reverse proxy docs already?

So when I run docker exec nextcloud-aio-collabora curl https://nextcloud.wallaby-gopher.ts.net/hosting/discovery -v the caddy logs are suspiciously quiet. I can’t even get the below error I used to when I gave up loading a document. It’s just nothing now.

ERR ts=1722969422.6588783 logger=http.log.error msg=read tcp 172.18.0.2:43494->172.17.0.1:11000: read: connection reset by peer request={"remote_ip":"100.122.199.7","remote_port":"46162","client_ip":"100.122.199.7","proto":"HTTP/1.1","method":"GET","host":"nextcloud.wallaby-gopher.ts.net","uri":"/index.php/apps/notify_push/test/version","headers":{"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"nextcloud.wallaby-gopher.ts.net"}} duration=0.000362389 status=502 err_id=qikneuwvx err_trace=reverseproxy.statusError (reverseproxy.go:1269)

Yes, in that page there is no mention of Collabora/Office. On this page for troubleshooting with cloudflare (which seems similar to caddy/tailscale) they mention needing to add to the WOPI, but I can’t even get to that without connecting.

I hadn’t considered a demo server because it wouldn’t be able to access because of tailscale, but tried anyway and while it didn’t work as expected, it threw the exact same error.


although this one is different, not sure why

and got this instead of an infinite load

With a new error in apache

ERR ts=1722982403.8042994 logger=http.log.error msg=read tcp 172.19.0.10:54360->172.19.0.2:9980: read: connection reset by peer request={"remote_ip":"172.19.0.1","remote_port":"57306","client_ip":"100.122.199.7","proto":"HTTP/1.1","method":"GET","host":"nextcloud.wallaby-gopher.ts.net","uri":"/hosting/discovery","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Cookie":["REDACTED"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"X-Forwarded-Host":["nextcloud.wallaby-gopher.ts.net"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["empty"],"Sec-Gpc":["1"],"X-Forwarded-For":["100.122.199.7"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"],"Dnt":["1"],"Sec-Fetch-Site":["same-origin"],"Accept":["*/*"],"Priority":["u=4"],"X-Forwarded-Proto":["https"]}} duration=139.551445256 status=502 err_id=43nb2mbdm err_trace=reverseproxy.statusError (reverseproxy.go:1269)

where does this line come from? /index.php/apps/notify_push/test/version sounds like this message is intended for your Apache but it fails?

assuming your CODE container has 172.19.0.2 the access is supposed to work. But there is one more issue I see in the screenshot above - your **client** is unable to resolve public DNS? why? and in general does the DNS resolution inside of containers provide expected results?

Hmm. These networking questions may be beyond me. I’ve definitely been having trouble with DNS on my pc for some reason, like I can’t ping google.com it just gets stuck:

[drm@archlinux combo]$ ping google.com
PING google.com (2607:f8b0:4009:81a::200e) 56 data bytes
^C
--- google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1014ms

but I can ping ip’s

[drm@archlinux combo]$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=13.3 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=15.8 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=55 time=10.2 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 10.175/13.083/15.778/2.292 ms

I feel as if I’m stuck here so I tried to just make the separate container.
without tailscale certs here I saw I can connect just fine


nextcloud still didn’t like it so fine, I’ll cert it.
Now we’re connected, but having WOPI issues:

isn’t that the point of the domain= in the config below? I feel I’m close here, but not sure what else to do.

docker-compose.yaml:

configs:
  Caddyfile:
    content: |
      {
        tailscale {
          #auth_key tskey-auth-[snip]
          state_dir /tailscale
        }
      }
      https://nextcloud.wallaby-gopher.ts.net {
        bind tailscale/nextcloud
        reverse_proxy host.docker.internal:11000
        }
      https://collabora.wallaby-gopher.ts.net {
        bind tailscale/collabora
        reverse_proxy collabora:9980
        }

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed
  caddy:
  tailscale:
services:
  caddy:
    build:
        dockerfile_inline: |
          FROM caddy:2-builder AS builder
          RUN xcaddy build latest \
            --with github.com/tailscale/caddy-tailscale
          FROM caddy:2
          COPY --from=builder /usr/bin/caddy /usr/bin/caddy
    hostname: caddy
    container_name: "caddy"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - caddy:/data
      - tailscale:/tailscale
    configs:
      - source: Caddyfile
        target: /etc/caddy/Caddyfile
    restart: unless-stopped


  #nextcloud
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
      - 8080:8080
    environment: # Is needed when using any of the options below
      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      #- SKIP_DOMAIN_VALIDATION=true #might not be helping?
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - APACHE_IP_BINDING=0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      - NEXTCLOUD_UPLOAD_LIMIT=1G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      - NEXTCLOUD_MEMORY_LIMIT=1024M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
      # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
      - trusted_domains=nextcloud.wallaby-gopher.ts.net #should I use dbhost=? #Think both are wrong according to https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
    depends_on: #needs to be in same stack? Just start after jellyfin stack?
      - caddy

  #for nextcloud office to work
  collabora:
    image: collabora/code
    container_name: collaborac
    restart: unless-stopped
    ports:
      - 9980:9980
    environment:
      - username=admin
      - password=Secret.Password
      # only this domain is allowed to access collabora
      - domain=https://nextcloud.wallaby-gopher.ts.net
      #to access collabora on this level via http (https via caddy)
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
      #- dictionaries=en
    cap_add:
      - MKNOD
    #tty: true
    depends_on:
      - nextcloud

does it mean tailscale comes with custom certificates? if these certificates are not from a common public CA you might need to import these certificates into the AiO container

this is an outdated value, see Important changes regarding COOL/CODE docker versions from v21.11.3.6 on (multiple domains setup)

your screenshot shows https://0.0.0.0:9980 as /hosting/discovery output which is wrong and can’t work at all - please review if this URL reflects the real public server hostname.
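
The check described in the reply above, as an added example that is not part of any post in this thread and is not Nextcloud or Collabora code: it parses a saved /hosting/discovery response and reports every editor URL (urlsrc) that a browser on the tailnet could not use. The XML samples are constructed, the function names are hypothetical, and collabora.wallaby-gopher.ts.net is taken from the Caddyfile posted earlier.

```python
"""Audit a WOPI discovery document for editor URLs a browser cannot reach."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Addresses that only mean something inside the Collabora container itself.
UNROUTABLE_HOSTS = {"0.0.0.0", "127.0.0.1", "localhost", "::", "::1"}

# Constructed sample: discovery output that advertises the bind address.
DISCOVERY_BIND_ADDRESS = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action default="true" ext="odt" name="edit"
              urlsrc="https://0.0.0.0:9980/browser/abc123/cool.html?"/>
    </app>
    <app name="calc">
      <action default="true" ext="ods" name="edit"
              urlsrc="https://0.0.0.0:9980/browser/abc123/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""

# Constructed sample: discovery output that advertises the proxied hostname.
DISCOVERY_PROXIED = DISCOVERY_BIND_ADDRESS.replace(
    "https://0.0.0.0:9980", "https://collabora.wallaby-gopher.ts.net"
)

# Constructed sample: right hostname, but plain http behind a TLS proxy.
DISCOVERY_PLAIN_HTTP = DISCOVERY_BIND_ADDRESS.replace(
    "https://0.0.0.0:9980", "http://collabora.wallaby-gopher.ts.net"
)


def advertised_origins(xml_text):
    """Return the set of scheme://host[:port] origins found in urlsrc values."""
    root = ET.fromstring(xml_text)
    origins = set()
    for action in root.iter("action"):
        url = urlsplit(action.get("urlsrc", ""))
        origins.add(f"{url.scheme}://{url.netloc}")
    return origins


def audit_discovery(xml_text, expected_host, expected_scheme="https"):
    """Return one finding per action whose urlsrc does not match the proxy."""
    root = ET.fromstring(xml_text)
    findings = []
    for app in root.iter("app"):
        for action in app.iter("action"):
            urlsrc = action.get("urlsrc", "")
            url = urlsplit(urlsrc)
            host = url.hostname or ""
            reasons = []
            if host in UNROUTABLE_HOSTS:
                reasons.append(f"unroutable host {host}")
            elif host != expected_host.lower():
                reasons.append(f"host {host or '(none)'} is not {expected_host}")
            if url.scheme != expected_scheme:
                reasons.append(
                    f"scheme {url.scheme or '(none)'} is not {expected_scheme}"
                )
            if reasons:
                findings.append({
                    "app": app.get("name"),
                    "ext": action.get("ext"),
                    "urlsrc": urlsrc,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    expected = "collabora.wallaby-gopher.ts.net"
    samples = [
        ("bind address", DISCOVERY_BIND_ADDRESS),
        ("proxied", DISCOVERY_PROXIED),
        ("plain http", DISCOVERY_PLAIN_HTTP),
    ]
    for label, xml_text in samples:
        findings = audit_discovery(xml_text, expected)
        print(f"{label}: origins={sorted(advertised_origins(xml_text))}")
        for f in findings:
            print(f"  {f['app']}/{f['ext']}: {'; '.join(f['reasons'])}")
        if not findings:
            print("  all urlsrc values match the proxied hostname")
```
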

Tailscale does have public ca, so I’m not allowed to change the wallaby-gopher part of my tailnet or it’d break. (Silly name, right? lol)

Well, the server wouldn’t be public, but I can go to here as well for it to say ok:


although the /hosting/discovery doesn’t seem to be quite right:

(although now http://0.0.0.0:9980/hosting/discovery is doing this as well)
strangely enough if I just click the above link it works, but I can’t enter it into the bar.

Hmm, things seem to have gotten worse adding in - aliasgroup1=https://nextcloud.wallaby-gopher.ts.net
Here’s the collabora log:

Ready to accept connections on port 9980.

wsd-00001-00001 2024-08-08 15:08:15.676673 +0000 [ coolwsd ] TRC  Have 1 new children.| wsd/COOLWSD.cpp:4399

wsd-00001-00001 2024-08-08 15:08:15.676684 +0000 [ coolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/COOLWSD.cpp:4414

wsd-00001-00001 2024-08-08 15:08:15.676908 +0000 [ coolwsd ] WRN  Waking up dead poll thread [main], started: false, finished: false| net/Socket.hpp:719

frk-00026-00026 2024-08-08 15:08:15.677039 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555

frk-00026-00026 2024-08-08 15:08:15.680469 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555

frk-00026-00026 2024-08-08 15:08:15.685032 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555

wsd-00001-00034 2024-08-08 15:12:02.834324 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: 100.122.199.7| wsd/ClientRequestDispatcher.cpp:493

wsd-00001-00034 2024-08-08 15:12:12.032526 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: 100.122.199.7| wsd/ClientRequestDispatcher.cpp:493

this ip is the tailscale of the host machine, so I added that as - aliasgroup2=100.122.199.7 No dice. I tried adding :443 like you had to both as well, same thing. Could it be because there’s no volume for configs in the compose? I thought it was strange the template didn’t include one but rolled with it.
I did notice in the nextcloud container these logs:

🛈 Configured WOPI URL: https://nextcloud.wallaby-gopher.ts.net

🛈 Configured public WOPI URL: https://collabora.wallaby-gopher.ts.net

🛈 Configured callback URL: 

Failed to fetch discovery endpoint from https://nextcloud.wallaby-gopher.ts.net

cURL error 28: Operation timed out after 5002 milliseconds with 0 bytes received (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://nextcloud.wallaby-gopher.ts.net/hosting/discovery

the wopi url is different now, but the callback still fails.

you can skip this setting at first… one first system using CODE is allowed by default.

the content is important for Nextcloud to know how to access CODE! I would focus on this - access from the client and NC must work!

Okay, this is embarrassing, I don’t know how but somehow instead of collabora being the link in the https://nextcloud.wallaby-gopher.ts.net/settings/admin/richdocuments it got autofilled with nextcloud, and I didn’t notice, oops! Fixing that again it’s back to connecting and the WOPI error.

wsd-00001-00036 2024-08-08 20:07:27.985557 +0000 [ websrv_poll ] ERR  #31: Access denied to [https://nextcloud.wallaby-gopher.ts.net/index.php/apps/richdocuments/wopi/files/95125_oc35c56ax6f2?access_token=vxPbDKFM2TCtbhQLfTI0Vq2PaiLmUDXn&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:105

wsd-00001-00036 2024-08-08 20:07:28.114791 +0000 [ websrv_poll ] ERR  #36: CheckFileInfo failed for [https%3A%2F%2Fnextcloud.wallaby-gopher.ts.net%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F95125_oc35c56ax6f2], State::Fail| wsd/RequestVettingStation.cpp:272

I wonder if it’s necessary at all then? All tailscale IPs will be acting as if they’re on the same local host. Or if because they’re all separate IPs if they ALL need to be added. How would I do that automatically?

the /hosting/discovery seems to be working, just from not putting the wrong url into nextcloud like a dummy.


I realized inside nextcloud I can scroll down now that it’s connected and see

It looks like I can add them here but not with aliases? Files are now opening.
Since collabora can only be accessed on my tailnet is it okay to leave this blank so all my devices will automatically be added? Thanks for your help!!

Hey. Trying to replicate your setup. Nextcloud aio on windows 10 behind tailscale. would like to avoid caddy if possible. Unable to figure this out. could you help?

Could you share why you are wanting to avoid caddy? It’s a necessary component with this tailscale setup for nextcloud (and other web apps) to be able to use https.

Hey

Thanks for your quick response.

I’m not very experienced with projects like these, but I did manage to set up an audiobookshelf server on a Raspberry Pi and connect to it using Tailscale. I didn’t expect Nextcloud to be more complicated than that, but it turned out to be.

I didn’t use any domains except for the magic DNS from Tailscale and was hoping to pull off something similar.

Yes of course, everyone was very helpful to me here so I hope to do the same. I actually run audiobookshelf as well, caddy allows you to serve it as https so your users don’t get a scary “insecure” warning. Here’s an example:
wallaby-gopher is my tailnet, you can choose anything you want in front of it, for example I used books for my audiobookshelf server. Some other things will have to change depending on your hardware, like jellyfin won’t use nvidia on a rpi. I removed the auth key, and you can just approve the new machines via the links from caddy’s container logs.

configs:
  Caddyfile:
    content: |
      {
        tailscale {
          state_dir /tailscale
        }
      }
      https://jellyfin.wallaby-gopher.ts.net {
        bind tailscale/jellyfin
        reverse_proxy jellyfin:8096
      }
      https://nextcloud.wallaby-gopher.ts.net {
        bind tailscale/nextcloud
        reverse_proxy host.docker.internal:11000
      }
      https://collabora.wallaby-gopher.ts.net {
        bind tailscale/collabora
        reverse_proxy collabora:9980
      }
      https://books.wallaby-gopher.ts.net {
        bind tailscale/books
        reverse_proxy audiobookshelf:80
      }

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed
  #caddy/tailscale configs
  caddy:
  tailscale:
  #jellyfin
  jellyconfig:
  jellycache:
  #audiobookshelf
  audioc:
  audiom:
  #email
  thunderbird:
  protonmail:
services:
  #for local emails
  thunderbird:
    image: jlesage/thunderbird
    ports:
      - "5800:5800"
    volumes:
      - thunderbird:/config:rw
    restart: unless-stopped

  #for thunderbird to get protonmail
  protonmail-bridge:
    image: shenxn/protonmail-bridge
    ports:
      - 1025:25/tcp
      - 1143:143/tcp
    restart: unless-stopped
    volumes:
      - protonmail:/root

  jellyfin:
    image: jellyfin/jellyfin
    user: 1000:1000
    volumes:
      #- /media/server/server/jellyfin-server/config:/config
      - jellyconfig:/config
      #- /media/server/server/jellyfin-server/cache:/cache
      - jellycache:/cache
      # ro means read only, we don't want jellyfin accidentally deleting our files
      - /media/16d1/Shows and Movies/Movies:/Movies:ro
      - /media/16d1/Shows and Movies/Shows:/Shows:ro
      #- /media/16tb/Books:/Books:ro
      - /home/drm/Music:/music:ro
    restart: unless-stopped
    runtime: nvidia
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [gpu]
    depends_on:
      - caddy


  #audiobooks, does better than Kavita for ebooks too
  audiobookshelf:
    image: ghcr.io/advplyr/audiobookshelf
    volumes:
      - /media/16d1/Books/Audiobooks:/audiobooks
      - /media/16d1/Books:/books
      #- </path/to/podcasts>:/podcasts
      - audioc:/config
      - audiom:/metadata
    environment:
      - TZ=America/Chicago
    restart: unless-stopped

  caddy:
    build:
        dockerfile_inline: |
          FROM caddy:2-builder AS builder
          RUN xcaddy build latest \
            --with github.com/tailscale/caddy-tailscale
          FROM caddy:2
          COPY --from=builder /usr/bin/caddy /usr/bin/caddy
    hostname: caddy
    container_name: "caddy"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - caddy:/data
      - tailscale:/tailscale
    configs:
      - source: Caddyfile
        target: /etc/caddy/Caddyfile
    restart: unless-stopped


  #nextcloud
  nextcloud:
    image: nextcloud/all-in-one
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
      - 8080:8080
    environment: # Is needed when using any of the options below
      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      #- SKIP_DOMAIN_VALIDATION=true #might not be helping?
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - APACHE_IP_BINDING=0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      - NEXTCLOUD_UPLOAD_LIMIT=1G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      - NEXTCLOUD_MEMORY_LIMIT=1024M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the Nextcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
    depends_on:
      - caddy

  #for nextcloud office to work
  collabora:
    image: collabora/code
    container_name: collaborac
    restart: unless-stopped
    ports:
      - 9980:9980
    environment: #--o:security.capabilities=false did not help with phone backspace either
      - username=admin
      - password=Secret.Password
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
      #- dictionaries=en
    cap_add: #- SYS_ADMIN sometimes needed due to permission issue, - CHOWN no difference?
      - MKNOD
      - SYS_ADMIN
    #tty: true
    depends_on:
      - nextcloud

Maybe FYI, there is now a dedicated tailscale guide:
https://github.com/nextcloud/all-in-one/discussions/5439
