Nextcloud with FaceRecognition

01_README.md

Nextcloud with FaceRecognition

Nextcloud

First we need to install Nextcloud. I followed this video https://www.youtube.com/watch?v=SX1JHWViI7E for Arch Linux. For Ubuntu, follow instructions below. Although in the video he installs version 18 and at this moment there is version 24, I was able to install the 18 version with php 7.4 and the video instructions worked fine. To upgrade to 24 I had some issues, I didn't save all the steps to write them here, but it is basically about files permission. Just use "chown/chmod" in the failed files and try http:http or http:root.

Log is at "/usr/share/webapps/nextcloud/data/nextcloud.log"

FaceRecognition

Go to the nextcloud/apps folder, clone the git repo and compile. Need to compile dlib for php.

02_system.md

Arch Linux (Big Linux)

Update the system, install Nginx, MariaDB, configure the database, and install Nextcloud, PHP and PHP Modules.

sudo pacman -Syu
sudo pacman -S nginx-mainline
sudo systemctl start nginx   
sudo systemctl enable nginx
sudo pacman -S mariadb 
sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
sudo systemctl start mariadb
sudo systemctl enable mariadb
sudo mysql_secure_installation

mysql_secure_installation will ask some questions. Enter n for changing root password, the other just leave default.

Enter current password for root (enter for none): 
Switch to unix_socket authentication [Y/n] 
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] 
Disallow root login remotely? [Y/n] 
Remove test database and access to it? [Y/n] 
Reload privilege tables now? [Y/n] 

Configure the database

sudo mysql -u root

MariaDB [(none)]> create database nextcloud;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> create user 'yourusername'@'localhost' identified by 'yourpassword';
Query OK, 0 rows affected (0.065 sec)

MariaDB [(none)]> grant all privileges on nextcloud.* to 'yourusername'@'localhost' identified by 'yourpassword';
Query OK, 0 rows affected (0.097 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye

Install Nextcloud, PHP and PHP Modules

sudo pacman -S nextcloud php php-gd php-fpm php-intl

Change owner

sudo chown -R http:http /usr/share/webapps/nextcloud # or http:root

03_compile_dlib.md

Make sure you have these packages installed.

• Debian/Ubuntu

apt install cmake libx11-dev python3 python3-dev python3-setuptools php-dev

php-dev installs phpize.

Compile dlib

cd ~
git clone --depth 1 https://github.com/davisking/dlib.git
cd dlib/dlib
mkdir build
cd build
cmake -DBUILD_SHARED_LIBS=ON -DCMAKE_BUILD_TYPE=Release ..
make -j 12
sudo make install

Compile pdlib

cd ~
git clone --depth 1 https://github.com/goodspb/pdlib.git
cd pdlib
phpize
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure
make -j 12
sudo make install

04_config_nginx_php.md

Open nginx.config

sudo nano /etc/nginx/nginx.conf

Uncomment and update values:

 location ~ \.php$ {
     root /usr/share/nginx/html;
     fastcgi_pass unix:/run/php-fpm/php8.1-fpm.sock;
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;
 }

Add this line in "html"
include /etc/nginx/conf.d/*.conf;

Reload Nginx

sudo systemctl reload nginx

Edit php.ini

sudo nano /etc/php/php.ini

Update memory limit, uncomment extensions, and add pdlib extension (must have had it compiled as above)

memory_limit = 2048M
extension=bz2
extension=curl
extension=gd
extension=intl
extension=mysqli
extension=pdo_mysql
extension=zip
[pdlib]
extension="pdlib.so"

Start and enable php-fpm

sudo systemctl start php-fpm
sudo systemctl enable php-fpm

05_config_nextcloud.md

Create nextcloud.conf for Nginx by copy/paste contents from nextcloud.conf below

sudo mkdir /etc/nginx/conf.d  
sudo nano /etc/nginx/conf.d/nextcloud.conf

Edit www.conf

sudo nano /etc/php/php-fpm.d/www.conf

Uncomment these lines

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp

Create location that will store uploaded files

sudo mkdir /var/nextcloud

Check permisions

sudo chown http:http /var/nextcloud # or http:root
sudo chmod 750 /var/nextcloud 
sudo mkdir -p /usr/share/webapps/nextcloud/data
sudo chown -R http:http /usr/share/webapps/nextcloud/{apps,data} # or http:root
sudo chmod 750 /usr/share/webapps/nextcloud/{apps,data}

Configure php-fpm

sudo systemctl edit php-fpm.service

Add these lines

[Service]
ReadWritePaths = /usr/share/webapps/nextcloud/apps
ReadWritePaths = /usr/share/webapps/nextcloud/data
ReadWritePaths = /etc/webapps/nextcloud/config
ReadWritePaths = /var/nextcloud

Get your local IP, look for 192.168.x.x

ip a

Edit config.php from nextcloud

sudo nano /usr/share/webapps/nextcloud/config/config.php

Add the ip as trusted domains, log level to info, tmp folder

 'trusted_domains' =>
   array (
   0 => 'localhost',
   1 => '192.168.x.x',
 ),
  'loglevel' => 1,
  'tempdirectory' => '/path/to/nextcloud/tmp',

Restart web services

sudo systemctl restart php-fpm 
sudo systemctl restart nginx 

06_nextcloud_web.md

Open your local nextcloud at http://localhost

The first it will ask for a initial config.
Create admin user (different from the Database above).

User: yourusername
Pass: yourpassword

Data storage location that was created above.

/var/nextcloud

Database connection, credentials created above.

User when setup MariaDB: yourusername
Pass: yourpassword
Database: nextcloud

07_setup_facerecognitions.md

Clone the repo.

cd /usr/share/webapps/nextcloud/apps
git clone https://github.com/matiasdelellis/facerecognition.git
cd facerecognition/
make

Configure Facerecognition

cd /usr/share/webapps/nextcloud
sudo -u http ./occ face:setup -M 2048M
sudo -u http ./occ face:setup --model 1
# sudo -u http ./occ app:enable facerecognition

I have enabled Facerecognition inside Nextcloud.
On the top right, select your user logo, select "Applications", search for Facerecognition and select Activate.

Other configurations

cd /usr/share/webapps/nextcloud
sudo -u http ./occ config:app:set facerecognition max_image_area --value 786432 
sudo -u http ./occ config:app:set facerecognition handle_external_files --value true 
sudo -u http ./occ config:app:set facerecognition handle_shared_files --value true
sudo -u http ./occ config:app:set facerecognition min_image_size --value 10 
sudo -u http ./occ config:app:set facerecognition handle_group_files --value true

To start the recognition neural network

cd /usr/share/webapps/nextcloud
sudo -u http ./occ face:background_job

Check for stats and progress

cd /usr/share/webapps/nextcloud
sudo -u http ./occ face:stats 
sudo -u http ./occ face:progress

08_Ubuntu.md

Ubuntu (old instructions 2021)

Most of Nextcloud instructions are https://docs.nextcloud.com/server/latest/admin_manual/installation/example_ubuntu.html and https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html#apache-configuration-label .
Basically, install Apache2 and extract nextcloud.zip into /var/www.
For Facerecognition, I had to install php-bz2, and dlin/pdlib as above.

sudo apt install php-bz2

Install location folloing official instructions is /var/www/nextcloud.

Create a partition ext4 (using Gparted)

Create folder to mount the new partition

sudo -u www-data mkdir /media/www-data
sudo -u www-data mkdir /media/www-data/Ext4HD

Get the partition UUID

sudo blkid

Mount on boot

sudo nano /etc/fstab

Add this line (UUID as from blkid, folder to mount into, type of pertition ext4, permissions (read and write rw), unused parameter, mount order (leave 1 to root, 2/3/4 for next ones).

UUID=xxxxYYYY /media/www-data/Ext4HD ext4 rw 0 2

Use webserver user to create a folder to store files

sudo -u www-data mkdir /media/www-data/Ext4HD/nextcloud_data

To setup facerecognition autotrigger, create the service and timer in systemd.

sudo nano /etc/systemd/system/facerecognition.service

[Unit]
Description=Nextcloud FaceRecognition Job

[Service]
User=www-data
ExecStart=/usr/bin/php -f /var/www/nextcloud/occ face:background_job -t 900

sudo nano /etc/systemd/system/facerecognition.timer

[Unit]
Description=Run Nextcloud FaceRecognition every 1 minute

[Timer]
OnBootSec=30min
OnUnitActiveSec=1min
Unit=facerecognition.service

[Install]
WantedBy=timers.target

Enable the timer

sudo systemctl enable --now facerecognition.timer

09_Ubuntu_20231211.md

Nextcloud on local Ubuntu (2023)

Useful links
Install Nextcloud on ARCH https://www.youtube.com/watch?v=SX1JHWViI7E
Nginx configuration https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nginx-subdir-example

Download Nextcloud

1. Download and extract

Download https://download.nextcloud.com/server/releases/latest.zip
Extract to a local directory, I chose /mnt/HDExtra/nextcloud-server.
It will create a directory nextcloud that will contain all files (index.php, apps/, config/, core/, etc.)

2. Verify folder permissions

/mnt/HDExtra is a mounted disk. When I power-on the system, it will mount under my user and group which nginx doesn't have permission.
I created a group datagroup that has my user and the user that runs both nginx.service and php8.1-fpm.server. They run under www-data user on my system. Use htop to find it.

sudo groupadd datagroup # create group
sudo usermod -aG datagroup ${USER} # add my user into group
sudo usermod -aG datagroup www-data # add www-data into group
sudo usermod -aG www-data ${USER} # add my user into www-data group just in case...

After the drive is mounted, change group for folder contaning nextcloud, and change owner (recursive) for nextcloud itself. Change permissions for all nextcloud files.

sudo chown ${USER}:datagroup /mnt/HDExtra # change group for disk
sudo chown ${USER}:datagroup /mnt/HDExtra/nextcloud-server # change group for upper directory
sudo chown -R www-data:datagroup /mnt/HDExtra/nextcloud-server/nextcloud # change user:group for all nextcloud files
sudo chmod -R ug+rwx /mnt/HDExtra/nextcloud-server/nextcloud # add rwx permission to all nextcloud files

Maybe you want to add rwx to just some files, but I prefer the easy an UNSECURE way, because these will run only for my local network.

3. Config

Open /mnt/HDExtra/nextcloud-server/nextcloud/config/config.php and add your local IP to trusted_domains so you can access from other devices in your local network (phone over WiFi for example).

ip a # find your local IP

'trusted_domains' => 
  array (
    0 => '127.0.0.1',
    1 => '192.168.12.x', // your local IP
    2 => 'hostname', // your hostname
    3 => 'hostname.domain', // your domain
  ),

Also, enable debug mode if needed (don't do that in a production enviroment or if you open you server to outside your network).

  'debug' => true,
  'loglevel' => 0,

Install MariaDB

1. Install mariadb-server

sudo apt install mariadb-server
sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
sudo systemctl start mariadb
sudo systemctl enable mariadb

2. Configure

Run the automated configuration

sudo mysql_secure_installation

• Select these options

Enter current password for root (enter for none):  - enter for none
Switch to unix_socket authentication [Y/n] Y
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

3. Create the database

sudo mysql -u root

• Choose db admin user and password

MariaDB [(none)]> create database nextcloud;
MariaDB [(none)]> create user 'your_admin_user'@'localhost' identified by 'strong_password';
MariaDB [(none)]> grant all privileges on nextcloud.* to 'your_admin_user'@'localhost' identified by 'strong_password';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

Install PHP

1. Install PHP and extensions

sudo apt install php php-fpm php-gd php-intl php-zip php-curl php-dom php-mbstring php-mysql php-bz2 php-imagick

2. Configure fpm (change your installation version, here it is 8.1)

• www.conf

sudo nano /etc/php/8.1/fpm/pool.d/www.conf

Uncomment these lines

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp

• php.ini

sudo nano /etc/php/8.1/cli/php.ini
sudo nano /etc/php/8.1/fpm/php.ini

Uncomment/Set these lines

memory_limit = 512M

cgi.fix_pathinfo=1

max_input_time = -1

; if you need Face Recognition, need to compile/install DLib and PDLib
extension=pdlib

• php8.1-fpm.service

Find if fpm is running

systemctl list-units --type=service php\*

Edit the service

sudo systemctl edit php8.1-fpm

The location /mnt/HDExtra/nextcloud-server/nextcloud is where we extracted Nextcloud.zip (where we have index.php, apps/, etc)

[Service]
ReadWritePaths = /mnt/HDExtra/nextcloud-server/nextcloud/apps
ReadWritePaths = /mnt/HDExtra/nextcloud-server/nextcloud/data
ReadWritePaths = /mnt/HDExtra/nextcloud-server/nextcloud/config
ReadWritePaths = /mnt/HDExtra/nextcloud-server/nextcloud

Install Nginx

1. Install Nginx

sudo apt install nginx

2. Create the webpage file for Nextcloud.

sudo nano /etc/nginx/sites-available/nextcloud

Insert the contents from the file nextcloud below.
Create a symlink to sites-enabled.

sudo ln -s /etc/nginx/sites-available/nextcloud /etc/nginx/sites-enabled/nextcloud

Create a self-signed certificate

I have no intention to access Nextcloud outside my local network (maybe in the future). So, I created a self-signed certificate, but I didn't ask a CA (Certificate Authority) to sign it.

cd ${HOME}
openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out myserver.crt \
            -keyout myserver.key

Copy/Move the .crt/.key files to a location that Nginx can access (check if /etc/nginx/sites-available/nextcloud has the correct path).

sudo mkdir -p /etc/ssl/nginx
sudo cp myserver.crt /etc/ssl/nginx
sudo cp myserver.key /etc/ssl/nginx

Services are ready

1. Restart the service

sudo systemctl start nginx
sudo systemctl enable nginx
# if not running
sudo systemctl start mariadb
sudo systemctl enable mariadb
sudo systemctl start php8.1-fpm
sudo systemctl enable php8.1-fpm

2. Login

Depending on how /etc/nginx/sites-available/nextcloud was configured, you can enter Nextcloud from https://localhost or https://192.168.12.x.

3. First access

On the first access it will ask for an admin user and password (for the Nextcloud application, not your system's or the DB).
Then, it asks for DB connection details (same as you configured MariaDB)

Database: nextcloud
Server: localhost
DB User: your_admin_user
DB Pass: strong_password
Storage: /mnt/HDExtra/nextcloud-server/nextcloud/data

Troubleshoot

• To check for service messages (-f follow)

journalctl -fxeu nginx.service

• To check for nginx logs (-f follow)

tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/website.access.log
tail -f /var/log/nginx/error.log
tail -f /var/log/nginx/website.error.log

• Before I set the permissions, nginx was returning File not found.. I was able to open the default page at /var/www/html, but not from /mnt/HDExtra/nextcloud-server/nextcloud. Go back and check the permissions.

• After the permissions issue I was getting FastCGI sent in stderr: "Primary script unknown" in /var/log/nginx/error.log. I was missing cgi.fix_pathinfo=1 in my php.ini for fpm

• Enable firewall (maybe is not necessary)

sudo ufw allow from 192.168.12.0/24 to any port 443

10_recognize.md

Recognize

Recognize is the official Faces Recognition, but it also recognizes objects, locations, and audio/video.
https://github.com/nextcloud/recognize

I used the UI to install, but it downloaded with different permissions, and I also logout/login.

Need to download the models first:

sudo -u www-data /mnt/HDExtra/nextcloud-server/nextcloud/occ recognize:download-models

Enable Recognize from UI Admin Recognize.
From "UI Admin Basic Settings" select to use "Cron".

11_cron.md

Cron

It needs to be setup in the HOST if using docker, not inside the container.

To schedule classification, use cron.
https://docs.nextcloud.com/server/21/admin_manual/configuration_server/background_jobs_configuration.html?highlight=cron#cron

Setup crontab

sudo -u www-data crontab -e

Tell the main cron job to run every hour. Add the other lines to run specific app jobs.

0 * * * * php -f /mnt/HDExtra/nextcloud-server/nextcloud/cron.php
0 * * * * /mnt/HDExtra/nextcloud-server/nextcloud/occ recognize:classify
0 * * * * /mnt/HDExtra/nextcloud-server/nextcloud/occ recognize:cluster-faces
0 * * * * /mnt/HDExtra/nextcloud-server/nextcloud/occ face:background_job -t 900

To follow up the cron log

journalctl -fxeu cron.service

To check the current crontab without editing

sudo -u www-data crontab -l

12_Logging.md

Logging in Nextcloud

• Configure log level with www-data user (user that owns config/config.php).

./occ config:system:set loglevel --value 0 # 0 to debug, default is 2 warning

• Function logger returns a LoggerInterface object.
• Log messages with $logger object
• First param is a message format string, placeholders are keys from second param

<?php
// namespace ...
// use ...

use OCA\YourApp\AppInfo\Application;
use function OCP\Log\logger;
use Psr\Log\LoggerInterface;

// ...
class YourClass {
    // other class members
    private LoggerInterface $logger;
    
    public function __construct(/*your class params*/)
    {
        // your constructor
        $this->logger = logger(Application::APP_ID);
    }
    
    // other functions
    function someFunction()
    {
        $this->logger->emergency("some emergency"); // FATAL
        $this->logger->alert("some alert"); // ERROR
        $this->logger->critical("some critical"); // ERROR
        $this->logger->error("some error"); // ERROR
        $this->logger->warning("some warning"); // WARNING
        $this->logger->notice("some notice"); // INFO
        $this->logger->info("some info"); // INFO
        $this->logger->debug("some debug"); // DEBUG
        
        $myArray = ["cat", "dog"];
        $this->logger->error("error {1}", $myArray); // "error dog"
        
        $myData = ["color" => "blue", "item" => "button"];
        $this->logger->info("show a {item} with color {color}", $myData); // "show a button with color blue"
        
        // ...
    }
}

• Make sure you have logreader app installed. In Nextcloud-Dev docker it is not installed by default.
  https://github.com/nextcloud/logreader
• Check the logs in the Admin page Administration settings -> Logging
• If you don't have logreader and you don't want to install it, the log file can be found at /var/www/html/data/nextcloud.log. The Nextcloud-Dev docker mounts the volume at /var/lib/docker/volumes/master_data/_data/nextcloud.log.

Other references

https://docs.nextcloud.com/server/latest/developer_manual/basics/logging.html
https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html
https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#occ-debugging
https://docs.nextcloud.com/server/latest/developer_manual/digging_deeper/psr.html#psr3

nextcloud

# this configuration is for the standalone installation of Nextcloud (directly from `git clone https://github.com/nextcloud/server`)

# configuration from https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nginx-subdir-example
# this "upstream" can be set in the "/etc/nginx/conf.d/somefile.conf" because in file "/etc/nginx/nginx.conf" inside "http {}" 
# there is a include for all *.conf
# check the correct sock location "ls /run/php" and "systemctl stop/start php8.1-fpm"
upstream php-handler {
    server unix:/run/php/php8.1-fpm.sock;
}

# add log_format to a conf file like "/etc/nginx/conf.d/log_fmt.conf"
log_format main '$remote_addr - $remote_user [$time_local] $status'
  ' "$request" $body_bytes_sent "$http_referer"'
  ' "$http_user_agent" "$http_x_forwarded_for"';

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}

server {
    listen 8080 default_server;
    listen [::]:8080 default_server;
    server_name localhost;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
    
    access_log /var/log/nginx/nextcloud.server.access.log main;
    error_log /var/log/nginx/nextcloud.server.error.log warn;
}

server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name localhost;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate /etc/ssl/nginx/brunoubuntu.crt;
    ssl_certificate_key /etc/ssl/nginx/brunoubuntu.key;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # Path to the root of your installation
    root /mnt/HDExtra/nextcloud-server/nextcloud;
    #root /mnt/HDExtra/n2/nextcloud;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "noindex, nofollow" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=15552000;includeSubDomains" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Add .mjs as a file extension for javascript
    # Either include it in the default mime.types list
    # or include you can include that list explicitly and add the file extension
    # only for Nextcloud like below:
    include mime.types;
    types {
        text/javascript mjs;
    }

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        #rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
        fastcgi_param front_controller_active true; # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
        
        fastcgi_read_timeout 3600; # important for updater, the backup takes time
    }

    # Serve static files
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off; # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d; # Cache-Control policy borrowed from `.htaccess`
        access_log off; # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
    
    access_log /var/log/nginx/nextcloud.server.access.log main;
    error_log /var/log/nginx/nextcloud.server.error.log warn;
}

nextcloud_aio.md

Nextcloud AIO

"Nextcloud AIO" stands for "All In One", it is a docker setup that installs everything (almost everything), such as database, an admin like page, and nextcloud itself.
The official documentation requires users to install a reverse proxy with a valid certificate. The certificate can be aquired for free from Let's Encrypt, but we need a domain, which can also be aquired for free or for a few dollars per year, but if something is free, you are the product!
In order to host locally with self-signed certificate, we need to make changes to the official installation process.

https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

Run AIO using this docker compose (docker compose up -d). The catch here is the option SKIP_DOMAIN_VALIDATION. Another setting is NEXTCLOUD_MEMORY_LIMIT, which is going to be forwarded to actual nextcloud container later.
But NEXTCLOUD_MEMORY_LIMIT sets PHP_MEMORY_LIMIT only for root, not for www-data. Need to edit manually /usr/local/etc/php/conf.d/nextcloud.ini inside the container nextcloud-aio-nextcloud once Nextcloud is ready (it will be created automatically after the installation is finished).
The volumes definition must come first, so it is created first, and the name is restricted to nextcloud_aio_mastercontainer due to next steps automation.
Set DNS if needed, mastercontainer has to connect to the internet to download files.
Set the mastercontainer IP to a high number as it will create other containers and will use IPs 2,3,4...

Without modifications, data is saved inside the container at /var/www/html/data, and in the host will be inside the volume nextcloud_aio_nextcloud. To save in a different location, set NEXTCLOUD_DATADIR. The location pointed by NEXTCLOUD_DATADIR needs permissions to www-data:root and mod 750.

volumes:
  nextcloud_aio_mastercontainer:
    name: "nextcloud_aio_mastercontainer"

services:
  nextcloud-aio:
    container_name: nextcloud-aio-mastercontainer
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    ports:
      - "8090:8080"
    networks:
      nextcloud-aio:
        ipv4_address: 172.18.0.250
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: '127.0.0.1'
      SKIP_DOMAIN_VALIDATION: true
      NEXTCLOUD_MEMORY_LIMIT: 2048M
      # sudo chown -R www-data:root nextcloud-aio # or sudo chown -R 33:0 /mnt/your-drive-mountpoint
      # sudo chmod -R 750 nextcloud-aio/ # or sudo chmod -R 750 /mnt/your-drive-mountpoint
      # NEXTCLOUD_MOUNT: /mnt/HDExtra/nextcloud-aio # I couldn't make MOUNT work
      NEXTCLOUD_DATADIR: /mnt/HDExtra/nextcloud-aio/data # DATADIR works fine

networks:
  nextcloud-aio:
    name: nextcloud-aio
    ipam:
      driver: default
      config:
        - subnet: 172.18.0.0/16
          gateway: 172.18.0.1

Access https://your_hostname.your_domain:8090/setup
Save the Password, it consists of many words, all words are part of the password, this password is to control AIO, not Nextcloud session.
Click the button to open the Setup page, it will ask for the password. When you login a new container nextcloud-aio-domaincheck will be created.
If the login page hangs, try to enter https://your_hostname.your_domain:8090 again, you should enter the installation page.
Create your self-signed certificate.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout your_hostname.your_domain.key -out your_hostname.your_domain.crt

Set your_hostname.your_domain in your local DNS (either dnsmasq or PiHole).

Create a NGINX reverse proxy using below configuration inside /etc/nginx/sites-available and ln to /etc/nginx/sites-enabled. For some reason the port 443 must be used (it sucks, but AIO requires it).
Correct the path to your self-signed certificate.
Set the proxy_pass to the IP of the docker container nextcloud-aio-domaincheck that was created by the AIO.

docker inspect nextcloud-aio-domaincheck | grep IPAddress

Pay attention that after AIO is installed (it installs other containers), we need to come back here and change proxy_pass IP again, this time to the nextcloud-aio-apache container.
If you want to use $aio_proxy with hostnames, set your local DNS to resolve it, or use dnsmasq to read /etc/hosts. Make sure your Wifi/Internet connection has DNS as 127.0.0.1, 192.168.x.x, also, check /etc/resolv.conf, but it is updated automatically by your internet connection.
The easy way is just to put the IP in $aio_proxy, but hostnames avoid changes in the IP when creating/recreating containers.
Install docker-hostmanager to auto update /etc/hosts.

# https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#nginx

# AIO proxy is served in port 11000, Dev is served in port 443

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {

    #resolver 192.168.12.240 ipv6=off valid=10s; # my local DNS resolver
    resolver localhost ipv6=off; # using dnsmasq to read /etc/hosts

    # first to nextcloud-aio-domaincheck
    # later to nextcloud-aio-apache
    # I use docker-hostmanager to auto set them in /etc/hosts
    set $aio_proxy "http://nextcloud-aio-apache.nextcloud-aio:11000"; # /etc/hosts - added by docker-hostmanager https://github.com/iamluc/docker-hostmanager
    #set $aio_proxy "http://172.18.0.2:11000";
    
    listen 80;
    
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }

    # for nginx versions below v1.25.1
    listen 192.168.0.12:443 ssl; # my local WiFi/LAN IP
    http2 on;
    
    server_name your_hostname.your_domain; # /etc/hosts - 192.168.0.12 your_hostname.your_domain

    location / {
        proxy_pass $aio_proxy$request_uri;
        
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
    
        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/nginx/ssl/your_hostname.your_domain.crt;
    ssl_certificate_key /etc/nginx/ssl/your_hostname.your_domain.key;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    
    # main is set at /etc/nginx/conf.d/log_fmt.conf
    access_log /var/log/nginx/aio.proxy.access.log main;
    error_log /var/log/nginx/aio.proxy.error.log warn;

}

Restart NGINX.

sudo systemctl restart nginx

Access https://your_hostname.your_domain and the proxy_pass should be able to connect to nextcloud-aio-domaincheck and return a hash value.

Go back to AIO install page, enter your_hostname.your_domain and click "Submit domain" button.
If any error, check if you have set your_hostname.your_domain in your DNS or any firewall rule.

Choose the optional containers.
Set the timezone.

Click on Install. It might take some minutes, Nextcloud is going to install itself, install default apps, and create new AIO containers.

Need to go back to reverse proxy configuration and change the proxy_pass IP to the new nextcloud-aio-apache created.

docker inspect nextcloud-aio-apache | grep IPAddress

Restart NGINX.

sudo systemctl restart nginx

Go back to https://your_hostname.your_domain:8090/ and take note of the admin password.

Enter https://your_hostname.your_domain and Nextcloud session should open the login page, you can enter with admin password.

Facerecognition

NEXTCLOUD_MEMORY_LIMIT sets PHP_MEMORY_LIMIT only for root, not for www-data. Need to edit /usr/local/etc/php/conf.d/nextcloud.ini manually once Nextcloud is ready.

vi /usr/local/etc/php/conf.d/nextcloud.ini
# memory_limit=2048M

The crontab need to be configured in the host system, not in the container. The crontab connects to the container via docker exec.

crontab -e
# add this line without #
# */1 * * * * docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-nextcloud$" && docker exec --user www-data nextcloud-aio-nextcloud php occ face:background_job -t 900

Change domain

Edit file /var/lib/docker/volumes/nextcloud_aio_mastercontainer/_data/data/configuration.json, restart containers from AIO setup page.
Check https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-change-the-domain

IP Changes

Everytime the containers are restarted (server reboot, docker stop/start/restart) the subnetwork assigns different IPs. Restart PiHole to receive the changes.

Nextcloud_Docker.md

Docker

Run this bootstrap script. It will create many entries in /etc/hosts, like nextcloud.local, stable16.local, etc. If you use docker-hostmanager you can remove these entries later.

git clone https://github.com/juliushaertl/nextcloud-docker-dev
cd nextcloud-docker-dev
./bootstrap.sh

It will also create a .env file and set some variables. Set PROXY_PORT_HTTPS to be the gateway of DOCKER_SUBNET and the 443 port (I tried different port but it doesn't work). Change PROXY_PORT_HTTP if needed too.

...
DOCKER_SUBNET=192.168.21.0/24
...
PROXY_PORT_HTTP=8070
PROXY_PORT_HTTPS=192.168.21.1:443

If you already have a service in port 443, make sure that other services are not listening to port 443 in that IP (or all IPs as *:443).

sudo lsof -i -P -n | grep LISTEN | grep :443

If you have *:443, check the NGINX configuration below. Stop NGINX for now or next step will fail.

Edit docker-compose.yml so that the network that will be created has an hyphen, not underscore (underscores are not resolved by systemd-resolved.

networks:
  default:
    name: ${COMPOSE_PROJECT_NAME:-master}-default
    ipam:
      driver: default
      config:
        - subnet: ${DOCKER_SUBNET:-192.168.21.0/24}

Run docker compose, it is going to download some docker images and setup Nextcloud in your Docker.

docker compose up -d nextcloud

Configure your DNS server to respond myhostname.local to your WiFi/LAN IP 192.168.x.y.

Tried to access both https://nextcloud.local and http://nextcloud.local . HTTPS was giving SSL error, HTTP was returning 503. I found this discussion https://github.com/juliushaertl/nextcloud-docker-dev/discussions/251#discussioncomment-8386204, which led to https://github.com/arawa/nextcloud-docker-dev/blob/doc/improve-getting-started/docs/containers/ssl.md . From there, I copied this command to create a self-signed SSL certificate.

# cd nextcloud-docker-dev
cd data/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nextcloud.local.key -out nextcloud.local.crt
# and
docker compose restart proxy

Now I can access https://nextcloud.local, first password is admin/admin, change it later inside Nextcloud.

Local DNS

Change /etc/hosts entry for nextcloud.local, intead of 127.0.0.1, put proxy subnet IP. If you will use DNSMasq, add another entry for dev.nextcloud.local with your WiFI/LAN IP. If you will use PiHole you will add dev.nextcloud.local in its CNAME. If you use docker-hostmanager it will create an entry in /etc/hosts for you.

docker inspect master-proxy-1 | grep IPAddress

/etc/hosts

127.0.0.1      localhost
192.168.0.12   your_hostname.local
...
192.168.21.4    nextcloud.local
192.168.0.12    dev.nextcloud.local # only if using dnsmasq
...

DNSMasq

Not fully tested, probably need to edit /etc/hosts Install dnsmasq so your local server can resolve dev.nextcloud.local in your local LAN.

apt install dnsmasq

Configure /etc/dnsmaqs.conf and .
/etc/dnsmasq.conf

domain-needed
bogus-priv
no-resolv
# server - set to your local router, or to a public DNS like 8.8.8.8 (google) or 1.1.1.1 (cloudflare)
server=192.168.0.1
# address - tell dnsmasq that any domain xyz.local resolves to your local IP 
# 192.168.0.12 is the IP of your system in your LAN (`hostname -I` or `ip a`)
# I set it, but it doesn't work if `/etc/hosts` is not set, the documentation says it should work without `/etc/hosts`
address=/.local/192.168.0.12
# listen-address - set it to all your system IP, check `hostname -I`, Docker creates many Networks, each gets an IP range
# if you have Virt-Manager, exclude the virt-manager range
listen-address=::1,127.0.0.1,192.168.0.12,x.x.x.x,y.y.y.y,z.z.z.z
expand-hosts
cache-size=1000

PiHole

Add one entry in DNS Records with Domain your_hostname.local and IP 192.168.0.12 (your WiFi/LAN IP).
Add one CNAME entry with Domain dev.nextcloud.local and Target your_hostname.local.
If using PiHole docker version, another option is to mount your local /etc/hosts into PiHole.

-v '/etc/hosts:/etc/hosts:ro' # ro - read only

NGINX

Need to setup NGINX as reverse proxy.
If you have existing service, make sure it is not listening to all IPs. Set it to listen only your WiFi/LAN IP.
The new service listens to the CNAME dev.nextcloud.local in port 443 and proxy pass it to nextcloud.local defined in /etc/hosts.

# existing service
server {
  ...
  listen 192.168.0.12:443 ssl; # putting 192.168.0.12 here tells nginx to listen 443 only for this IP
  ...
}

# new service
# https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#nginx

# AIO proxy is served in port 11000, Dev is served in port 443

server {
    server_name dev.nextcloud.local; # /etc/hosts - 192.168.0.12 dev.nextcloud.local
    listen 192.168.0.12:443 ssl http2; # my WiFi/LAN IP
    resolver 192.168.0.12 ipv6=off valid=10s; # my local DNS resolver
    set $dev_proxy "http://nextcloud.local.master-default"; # /etc/hosts - added by docker-hostmanager
    location / {
        proxy_pass $dev_proxy$request_uri;
        
        proxy_redirect  $dev_proxy$request_uri $request_uri; # don't update user's browser URL
        
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme; # this causes the URL in the browser to change to nextcloud.local, causing problems when on LAN
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Forwarded-Host $http_host;
	proxy_set_header X-Forwarded-Port $server_port;

        proxy_set_header Host nextcloud.local; # this has to be nextcloud.local, not $host, neither nextcloud.local.master-default
        
        add_header BRC_host $host;
        add_header BRC_http_host $http_host;
        add_header BRC_remote_addr $remote_addr;
        add_header BRC_server_port $server_port;
        add_header BRC_request_uri $request_uri;
        add_header BRC_proxy_host $proxy_host;
    
        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/nginx/ssl/nextcloud.local.crt;
    ssl_certificate_key /etc/nginx/ssl/nextcloud.local.key;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # main is set at /etc/nginx/conf.d/log_fmt.conf
    access_log /var/log/nginx/dev.proxy.access.log main;
    error_log /var/log/nginx/dev.proxy.error.log warn;
}

Open firewall ports.

sudo ufw allow from 192.168.0.0/16 to any port 443

Nextcloud will be accessible through https://dev.nextcloud.local !

Facerecognition

Install the app from Admin page.
Can't setup models 1,2,3,4 due to problems on install/compile PDlib in the Nextcloud Docker container, some error with DLIB GUI. Solution is to deploy another docker container for the model analysis.
External Facerecognition https://github.com/matiasdelellis/facerecognition-external-model/
Use image v1, not v0.2.0.
Make sure API_KEY is cleared.

# cd nextcloud-docker-dev
# cd data/ssl
openssl rand -base64 32 > api.key
docker run -d -p 5000:5000 -v ./api.key:/app/api.key -e API_KEY= --name facerecognition matiasdelellis/facerecognition-external-model:v1

You will need the value to configure Nextcloud, save it somewhere.

# cd nextcloud-docker-dev
# cd data/ssl
cat ./api.key

Add facerecognition container to master-default network created by docker compose above.

docker network connect master-default facerecognition

Verify the new subnet IP

docker network inspect master-default | grep Gateway

Verify the facerecognition IP that belongs to the subnet above (there wil be more than one IP, check the correct subnet one).

docker inspect facerecognition | grep IPAdd

Configure Nextcloud instance to use External Facerecognition.
Enter container console.

docker exec -it master-nextcloud-1 /bin/bash

Test if Nextcloud can access External Facerecognition. If not, check your docker networks, they must be in the same subnet (new or existing).

# curl -k 192.168.21.7:5000/welcome
# if they are in the same subnet, you can use the container name as hostname
curl facerecognition:5000/welcome

Configure with these commands:

# cd /var/www/html
# sudo -u www-data ./occ config:system:set facerecognition.external_model_url --value 192.168.21.7:5000
# if they are in the same subnet, you can use the container name as hostname
sudo -u www-data ./occ config:system:set facerecognition.external_model_url --value facerecognition:5000
sudo -u www-data ./occ config:system:set facerecognition.external_model_api_key --value abc123 # file api.key created above

Configure PHP memory limit in Nextcloud container.

apt update
apt install nano
nano /usr/local/etc/php/conf.d/nextcloud.ini
# set memory limit to a value greater than 682.7 MB (value required by Facerecognition)
# memory_limit=2048M

Install Facerecognition from Nextcloud admin page.
Configure Facerecognition app.

occ face:setup --model 5
occ face:setup -M 2048M

For now, External Facerecognition need a small change in facerecognition-external-model.py.

        if 'API_KEY' in os.environ and os.environ['API_KEY']:

troubleshooting.md

I've problems with some permissions, try using different combinations of http:http, http:root or nextcloud:nextcloud.

sudo chown -R http:http /usr/share/webapps/nextcloud/config/config.php
sudo chown -R http:http /etc/webapps/nextcloud/config

Rescan files after moved manually, it updates the table in MariaDB for the location, but not the FaceRecognition labels

sudo -u http ./occ files:scan --all
sudo -u http ./occ files:scan someUserName

Reset all facerecognition data:

cd /usr/share/webapps/nextcloud
sudo -u http ./occ face:reset --all
sudo -u http ./occ face:reset --help # more options

Install MySQL Workbench to connect to MariaDB. On Ubuntu, install via Snap and run this command to allow the connection

sudo snap connect mysql-workbench-community:password-manager-service :password-manager-service

occ maintenance:mode --off
occ upgrade

Possible PHP packages

php \
libapache2-mod-php \
php-bz2 \
php-cli \
php-common \
php-curl \
php-dev \
php-fpm \
php-gd \
php-imagick \
php-mbstring \
php-mysql \
php-opcache \
php-readline \
php-xml \
php-zip

Reset password

sudo -u www-data ./occ user:resetpassword MyUserName

Try to repair

php occ maintenance:repair
php occ files:scan-app-data

AIO

I did this in my first attempt, but not in my second. Add nextcloud-aio-domaincheck/nextcloud-aio-apache to the bridge network.

docker network connect bridge nextcloud-aio-domaincheck
docker network connect bridge nextcloud-aio-apache

Another option is to create daemon.json and set dns.
/etc/docker/daemon.json

{
  "dns": ["192.168.12.34","172.17.0.1","172.19.0.1"]
}

172.17.0.1 is my bridge network gateway, 172.19.0.1 is the network created by AIO named nextcloud-aio.

Upgrade

When AIO asks for an upgrade, it will recreate the containers and they may get new IPs inside the nextcloud-aio local network. This will make nginx fail to find the apache container.
Restart PiHole to refresh the IP list.

SSL, SSH

Create self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt

Copy files with ssh

scp [email protected]:/remote/path/file /local/path
scp /local/path/file [email protected]:/remote/path

Copy files with docker

docker cp /local/path/file <container_id>:/remote/path
docker cp <container_id>:/remote/path/file /local/path