A full guide for installing Nextcloud on TrueNAS Scale with Collabora integration and outside access through Nginx Proxy Manager

Background

It took me over 30 hours of actual time on the computer to correctly install Nextcloud on TrueNAS SCALE both with Collabora integration as well as with the ability to access Nextcloud from outside the local network, but I finally got everything working.

Considering the amount of people on these forums that seem to be struggling with this exact same issue, or a variant of it, I thought that there might be a reasonably large audience for a guide that details EXACTLY what one person, with little prior knowledge, did to get all of this working.

Here are all of the versions of the software that I am using:

  • TrueNAS SCALE Dragonfish-24.04.0
  • Nextcloud 29.0.1 (chart version 2.0.7)
  • Collabora 24.04.3.1.1 (chart version 2.0.15)
  • Nginx Proxy Manager 2.11.2 (chart version 1.0.32)

NOTE: I used the official TrueNAS versions for Nextcloud, Collabora and Nginx Proxy Manager, not the Truecharts versions. I have not tested this setup with any of the Truecharts versions of these apps, so I am not sure how transferable this guide is to those versions.

Prerequisites

In the interest of preventing this guide from becoming too broad, I am already assuming that you have done the following:

  • Installed TrueNAS SCALE
  • Installed Nginx Proxy Manager

Additionally, there are several prerequisites for this guide that I will not be going over because the exact way in which they need to be done will vary depending on which services you are relying on. Those prerequisites are:

Installing Nextcloud

Creating custom Nextcloud datasets (optional, but recommended)

During the Storage Configuration portion of your Nextcloud installation, you will need to point the installer to the locations of the required storage groups. The storage groups that you will need to set here will vary depending on which version of Nextcloud you are installing. For me, installing Nextcloud 29.0.1, there were four storage groups that needed to be set: AppData, User Data, Postgres Data and Postgres Backup.

I would recommend using datasets that you created (i.e., the Host Path option during the Storage Configuration portion of your Nextcloud installation) instead of ixVolumes, as custom datasets are easier to manipulate and easier to back up (at the cost of requiring a bit more work to initially configure). Just keep in mind that, if you use custom datasets:

  • You will need to set the Dataset Preset to Apps as you are initially creating these datasets.
  • You will also need to grant Full Control to the User www-data and the Group www-data in the ACLs of these datasets.
    • As per this documentation, it may actually be that you only need to grant Full Control to User www-data and Group www-data for the AppData and User Data datasets but not the Postgres Data and Postgres Backup datasets, but I just went ahead and granted Full Control to all four datasets.

The biggest problem I faced with Nextcloud installation

One of the main problems I had with Nextcloud was that I kept getting redirected to the local IP and port of my Nextcloud installation when I tried to access Nextcloud using the external URL I set up with Nginx Proxy Manager.

This made it so that I could not access Nextcloud from the WAN, since the local IP is useless anywhere outside of the local network.

Changing Nextcloud’s config.php file seemed to have absolutely no effect (believe me, I tried adding a lot of different things there).

It appears that TrueNAS SCALE ignores any changes you make to config.php and instead only relies on the settings you specify in the Nextcloud installation wizard.

So, instead of editing config.php, I made all the correct adjustments directly in the Nextcloud installation wizard. Read on to see exactly how I did this.

Nextcloud installation wizard configuration

Setting the Nextcloud host

Option 1 (recommended): Remove the value for “Host” and set the OVERWRITEHOST environment variable

The thread that FINALLY pointed me in the right direction advised leaving the field labeled Host BLANK (for me, this was set to the local IP of my server by default).

Then, and only then, set the OVERWRITEHOST environment variable to nextcloud.mydomain.tld.

Option 2 (alternative, only works with a certificate): Set the value for “Host” and use port 443 for URL rewrites

As an alternative to leaving the Host field blank and setting the OVERWRITEHOST environment variable to nextcloud.mydomain.tld, you can set the Host field to nextcloud.mydomain.tld and then select Use different port for URL rewrites and specify 443 as the External Access Port.

This solution only worked for me when I installed Nextcloud WITH a certificate. Also, I would only set the host in this way if option 1 does not work for you, as the only posts that I came across online recommended setting the host using option 1. I simply discovered option 2 by messing around with my configuration.

Set OVERWRITECLIURL

Set the environment variable OVERWRITECLIURL to nextcloud.mydomain.tld.

Set OVERWRITEPROTOCOL (only if installing Nextcloud without a certificate)

If you are installing Nextcloud WITHOUT a certificate, then you should also set the environment variable OVERWRITEPROTOCOL to https.

Setting the Nextcloud certificate

From what I have gathered, it seems to be RECOMMENDED that you install BOTH Nextcloud and Collabora WITH a certificate.

I am assuming that the certificates for Nextcloud and Collabora need to be the same, but I am not sure of this, because I only tested this installation with the ‘truenas_default’ Certificate.

Other configurations that WORKED for me:

  • Interestingly, Collabora WITH a certificate seems to be compatible with Nextcloud WITHOUT a certificate.
  • Also, Collabora WITHOUT a certificate seems to be compatible with Nextcloud WITHOUT a certificate.

Configurations that did NOT work for me:

  • Nextcloud WITH a certificate did NOT appear to be compatible with Collabora WITHOUT a certificate.

Adding ffmpeg and smbclient to Nextcloud

Don’t forget to add support for ffmpeg and smbclient if you want those features.

Nextcloud Storage Configuration

As mentioned, you will need to select the datasets that your Nextcloud installation should use. If you followed my recommendation of using custom datasets (with a Dataset Preset of Apps and Full Control of the datasets granted to both the User www-data and the Group www-data), then you should select those datasets here. The other option is to use ixVolumes.

Provided that you select custom datasets, your Storage Configuration for Nextcloud version 29.0.1 could look something like this:

One dataset for AppData, one dataset for User Data, one dataset for Postgres Data, and one dataset for Postgres Backup.

Install Nextcloud

Once you have configured everything, hit Install and wait for Nextcloud to deploy.

You won’t be able to access your Nextcloud installation from the host path that you specified until you have set up a reverse proxy for Nextcloud. Read on for instructions on how to do this with Nginx Proxy Manager.

Getting an error message?

You may get an error message similar to this when you try to install Nextcloud:

Container - Environment Variable [OVERWRITEHOST] in [envList] tried to override the Environment Variable that is already defined in [Secret - nextcloud-creds]

This is a sign that you have tried to set the Nextcloud host by setting both the Host field as well as the OVERWRITEHOST environment variable. Remember, you should only set one of these values or the other, but not both.

To fix this, try setting the host by leaving the Host field blank and then setting the OVERWRITEHOST environment variable (i.e., option 1 from above). If that doesn’t work, and if you are installing Nextcloud WITH a certificate, then try setting the host by setting the Host field and using port 443 for URL rewrites (i.e., option 2 from above).

Enabling outside access to Nextcloud with Nginx Proxy Manager

Disclaimer

Remember that none of this will work if you haven’t already acquired a domain, added DNS records that point your domain to your network (as well as set up dynamic DNS if you have a dynamic IP address), forwarded port 443 (or a suitable alternative) on your network to the local IP and https port of your Nginx Proxy Manager installation and created an SSL certificate for your domain.

The exact way to do all of this will vary depending on your domain registrar, DNS provider, ISP and router firmware, so I will not be going over any of the aforementioned in this guide, unless you either:

  1. Are okay with using self-signed certificates and are aware of the drawbacks of doing so, in which case you can read my instructions for creating self-signed certificates in TrueNAS SCALE in the comments section below.
  2. Are using Dynu as your DNS provider, in which case you can read my instructions for creating Let’s Encrypt certificates with Dynu in the comments section below.

You can find plenty of guides elsewhere on the internet for acquiring a domain, adding DNS records, setting up dynamic DNS, forwarding ports and getting SSL certificates.

Create a proxy host for Nextcloud

Set the Domain Name to nextcloud.mydomain.tld (i.e., whatever you set the OVERWRITEHOST/OVERWRITECLIURL environment variables to during Nextcloud installation).

If you installed Nextcloud WITH a certificate, set the Scheme to https. Otherwise, set the Scheme to http.

Set the Forward Hostname / IP to the local IP of the device running your Nextcloud installation (e.g., 192.168.1.234).

Set the Forward Port to your Nextcloud port (which, for me, was 9001 by default).

I also enabled Block Common Exploits, although I doubt this is mandatory.

Add an SSL certificate to your Nextcloud proxy host

Add a valid SSL certificate for your Nextcloud proxy host.

I also went ahead and enabled Force SSL, HTTP/2 Support and HSTS Enabled.

Installing Collabora

The biggest problem I faced with Collabora installation

Just as with my Nextcloud installation, I eventually discovered that most of the troubles I had been having with installing Collabora revolved around one problem: the server name being set incorrectly.

Curiously, what ended up finally getting my Collabora installation working was something that I came up with myself. This leads me to believe that I set the name of my Collabora server using a method that was not intended by the developers (perhaps someone else can confirm this).

Nonetheless, you can read on to see how I configured everything to get my Collabora installation up and running.

Collabora installation wizard configuration

Configuring the Collabora WebUI

Enable the WebUI and set the Username and Password to anything you like.

Setting the Collabora Server Name

Set the Server Name to collabora.mydomain.tld, followed by a colon (:), followed by the SSL port for your network, which, in most cases, is 443 (as an example, the full value could be collabora.mydomain.tld:443).

  • As mentioned, this was not a solution that was recommended to me by anyone. What was recommended in another thread was to change the server_name and domain environment variables, but I did not do this for the following reasons:
    • Setting the server_name environment variable to collabora.mydomain.tld while leaving the explicit Server Name field blank made my Collabora server unreachable.
    • Setting the environment variable domain to nextcloud.mydomain.tld (i.e., whatever my Nextcloud domain is) appeared to have no effect on my installation, so I did not bother setting it.
  • It is possible that changing these environment variables was a valid solution for a previous version of Collabora, but is now obsolete.

Setting the Collabora certificate

It is recommended that you install both Nextcloud and Collabora with a certificate. The ‘truenas_default’ Certificate worked for me.

  • If, for any reason, you want to install Nextcloud/Collabora without a certificate, refer to the above section labeled Setting the Nextcloud certificate for viable Nextcloud/Collabora certificate settings.

Enabling outside access to Collabora with Nginx Proxy Manager

Disclaimer

The disclaimer for this section is the same as the disclaimer for the section titled Enabling outside access to Nextcloud with Nginx Proxy Manager.

Create a proxy host for Collabora

Set the Domain Name to whatever you specified as the Server Name during Collabora installation, but this time, do not add :443 to the end (for example, if you set the Server Name to collabora.mydomain.tld:443 during Collabora installation, then you would simply set the Domain Name here to collabora.mydomain.tld).

If you installed Collabora WITH a certificate, set the Scheme to https. Otherwise, set the scheme to http.

Set the Forward Hostname / IP to the local IP of the device running your Collabora installation (e.g., 192.168.1.234).

Set the Forward Port to your Collabora port (which, for me, was 9980 by default).

VERY IMPORTANT: Enable Websockets Support.

I also enabled Block Common Exploits, although I doubt this is mandatory.

Add an SSL certificate to your Collabora proxy host

Add a valid SSL certificate for your Collabora proxy host.

I also went ahead and enabled Force SSL, HTTP/2 Support and HSTS Enabled.

Verifying your Collabora installation

As per this resource, you can check that your Collabora instance is running properly by visiting https://collabora.mydomain.tld/hosting/discovery.

  • This page should be an XML document displaying the file types which your Collabora server can open.
  • Be sure to check that the entries in the XML document contain the correct public hostname for your Collabora instance and that they are preceded by https://, indicating a secure connection.

Integrating Collabora with Nextcloud


Download and enable the Nextcloud Office app within Nextcloud.


Select the drop-down menu for your Nextcloud profile in the top-right corner of the screen and then select Administration settings.


Select Office from the menu on the left under Administration.

Select Use your own server.

Enter the URL of your Collabora server, e.g., https://collabora.mydomain.tld.

If you configured your Collabora proxy host using a self-signed certificate, you will need to check Disable certificate verification (insecure). Otherwise, you should not need to check this option.

Hit Save.

If you get the message with the green checkmark, then your Collabora server is reachable.

However, you also need to make sure that the fields labeled URL used by the browser and Nextcloud URL used by Collabora are populated with the URL of your Collabora server and the URL of your Nextcloud server, respectively. If this is not the case for you, then it suggests that your Collabora server has been detected, but that it is not able to properly communicate with your Nextcloud server.

To find out how to verify that your Nextcloud and Collabora servers are properly communicating, refer to the section below.

Verifying that everything works

To test that everything works, try to create and edit a new file within Nextcloud that has a Collabora-supported extension (e.g., .docx).

If anything has been set up incorrectly, Nextcloud should throw an error message while it’s trying to load the document.

If you are able to load and edit the document, then your Nextcloud and Collabora installations are successfully communicating behind your reverse proxy.

Troubleshooting common problems

If you are convinced that you have done everything correctly up to now, but Nextcloud is giving you error messages when you try to load your Collabora document, then there are three things that I can think of that you might want to double-check, which are based on the problems that I ran into before I got everything working.

Make sure that you have properly configured your Collabora Server Name

As stated in the above section titled Setting the Collabora Server Name, you must ensure that you entered the correct Server Name when you installed Collabora.

It is entirely possible to install both Nextcloud and Collabora and get the message with the green checkmark at the step outlined by the above section titled Integrating Collabora with Nextcloud WITHOUT actually having properly set your Collabora Server Name.

Two signs that you may have improperly set your Collabora Server Name are:

  • The field labeled URL used by the browser (which you should have seen as part of the green checkmark message during the Integrating Collabora with Nextcloud step) displays either the wrong URL for your Collabora server or no URL at all.
  • Nextcloud throws an error message, mentioning that Nextcloud Office failed to load, when you try to load a Collabora document. For me, during testing, the error message that I got when I had improperly set my Collabora Server Name was:

    Document loading failed
    Failed to load Nextcloud Office - please try again later

Make sure that you have enabled Websockets Support for your Collabora reverse proxy

As stated in the above section titled Create a proxy host for Collabora, you must have enabled Websockets Support when you created your Collabora proxy host in Nginx Proxy Manager.

If you forgot to enable Websockets Support, you can simply edit your Collabora proxy host, enable the Websockets Support feature and save your changes. There shouldn’t be any need to recreate the proxy host from scratch.

Here is one sign that your Collabora proxy host may not have Websockets Support enabled:

  • Nextcloud throws an error message, mentioning a failed socket connection, when you try to load a Collabora document. For me, during testing, the error message that I got when I didn’t enable Websockets Support for my Collabora proxy host was:

    Document loading failed
    Failed to establish socket connection or socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator. For more info on proxy configuration please checkout https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html

Make sure that you installed Nextcloud and Collabora with the proper certificates

As mentioned in the above section titled Setting the Nextcloud certificate, it matters which certificates you use for Nextcloud/Collabora, and NOT JUST the certificates you use for your Nextcloud/Collabora proxy hosts with Nginx Proxy Manager, BUT ALSO the certificates you installed Nextcloud/Collabora with.

Again, it seems to be RECOMMENDED that you install BOTH Nextcloud and Collabora WITH a certificate. The ‘truenas_default’ Certificate worked for me. In addition to this configuration, I also found that:

  • Collabora WITH a certificate seems to be compatible with Nextcloud WITHOUT a certificate.
  • Collabora WITHOUT a certificate seems to be compatible with Nextcloud WITHOUT a certificate.
  • Nextcloud WITH a certificate did NOT appear to be compatible with Collabora WITHOUT a certificate.
10 Likes
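
The discovery check from the guide's section Verifying your Collabora installation, automated as an added example that is not part of the original post: it parses the `/hosting/discovery` XML and reports every `urlsrc` that is not https, points at a private address or the wrong host, or uses an unexpected port. The function names and the sample document are constructed for illustration; the host, IP and port values follow the guide's own placeholders.

```python
"""Audit a Collabora /hosting/discovery document for wrong hosts, schemes, ports."""
import ipaddress
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: discovery output where one entry still advertises the
# LAN address and plain http (host names and paths are placeholders).
SAMPLE_BAD = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action default="true" ext="docx" name="edit"
              urlsrc="http://192.168.1.234:9980/browser/0000000/cool.html?"/>
    </app>
    <app name="Capabilities">
      <action ext="" name="getinfo"
              urlsrc="https://collabora.mydomain.tld:443/hosting/capabilities"/>
    </app>
  </net-zone>
</wopi-discovery>"""
SAMPLE_GOOD = SAMPLE_BAD.replace(
    "http://192.168.1.234:9980", "https://collabora.mydomain.tld:443")


def is_private_ip(host):
    """True when host is an IP literal in a private range, False for DNS names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def check_discovery(xml_text, expected_host, allowed_ports=(None, 443)):
    """Return a list of problems found in the urlsrc attributes."""
    # The document comes from your own server, but refuse DTDs anyway so
    # entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("discovery document must not contain a DTD")
    root = ET.fromstring(xml_text)
    actions = root.findall(".//action")
    if not actions:
        return ["no <action> elements: not a discovery document?"]
    problems = []
    for action in actions:
        label = f"{action.get('name')}/{action.get('ext') or '-'}"
        url = urlsplit(action.get("urlsrc", ""))
        host = (url.hostname or "").lower()
        try:
            port = url.port
        except ValueError:
            port = -1  # unparsable port, reported below
        if url.scheme != "https":
            problems.append(f"{label}: scheme is {url.scheme or 'missing'}, expected https")
        if is_private_ip(host):
            problems.append(f"{label}: advertises private address {host}")
        elif host != expected_host.lower():
            problems.append(f"{label}: host is {host or 'missing'}, expected {expected_host}")
        if port not in allowed_ports:
            problems.append(f"{label}: unexpected port {port}")
    return problems


def fetch_discovery(base_url, timeout=10):
    """Download the discovery document; TLS certificates are verified by default."""
    url = base_url.rstrip("/") + "/hosting/discovery"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: script.py https://collabora.mydomain.tld   (no argument: use the sample)
    if len(sys.argv) > 1:
        base = sys.argv[1]
        text, host = fetch_discovery(base), urlsplit(base).hostname
    else:
        text, host = SAMPLE_BAD, "collabora.mydomain.tld"
    found = check_discovery(text, host)
    print("\n".join(found) if found else "all urlsrc entries look correct")
    sys.exit(1 if found else 0)
```

Because the fetch keeps certificate verification on, a proxy host with a self-signed certificate fails at the download step rather than being silently accepted.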

Awesome write up! Very similar to what I am doing. I’m using haproxy running in a secure hardened linux VM that I expose to the internet via port mappings on my firewall. It then sends traffic where it needs to go.

1 Like

Great guide, thanks owl. Like you I spent a few hours getting a reliable, working nextcloud instance running in TrueNAS, but I ultimately went with a VM instead of the apps system due to flexibility and a more ‘standardised’ approach compared to the k3s system.

For those that want to install nextcloud in a VM, as opposed to the complexity (and changeability) of the apps system, I discussed this on the old forums, available here (Nextcloud Walkthrough | TrueNAS Community).

TLDR;

  1. First, set up a linux VM in TrueNAS, and install arch on it (https://youtu.be/UgkuDVaU16c).

  2. Next, download and install the nextcloud within your arch VM:
    https://www.atlantic.net/dedicated-server-hosting/how-to-install-nextcloud-on-arch-linux/

  3. Configure your config.php, php.ini, http.conf and .htaccess to resolve the various ‘security & setup warnings’ , and to get cron working to run the background tasks. I can post examples of this if there’s any interest.

  4. Configure your reverse proxy to allow external access - in my case I use HAproxy in OPNsense.

I’ve found this super simple to maintain and upgrade.

I’d be interested in anyone who has set up a working install in jailmaker / docker / dockge using compose.yaml.

2 Likes

@sos_nz, i went down your path several times and i kept getting burned on the major release upgrades. i had it working in a jail under CORE and then moved to a VM like you, however after the last major update and having to start all over again i’m giving the apps method a shot. i had nothing but headaches using the TrueCharts deployment with their insistence on using traefik for all access. i eventually settled on the TrueNAS app and have been running fine since moving to SCALE.

Really? I’ve had no issues whatsoever - but then I always upgrade from the terminal, since you can see what it’s actually doing. Cut & paste into your VM’s terminal / shell:

  1. sudo -u http php /srv/http/nextcloud/updater/updater.phar --no-interaction
  2. sudo -u http php /srv/http/nextcloud/occ upgrade
  3. cp /srv/http/.htaccess /srv/http/nextcloud/
  4. Reboot VM

Step 1 takes about 40 minutes to do, and the shell shows you the progress.

2 Likes

interesting, i’ve never tried via the terminal. i’ve always run the updater through the web interface. i might have to spin up a test system…

I had a similar experience to yours. The core app always worked. I tried multiple times to use docker or a VM with NAS storage, but it would break and I could not devote time to learning how to fix it.
Moved to SCALE a week back and installed Nextcloud in a development environment. Everything works, but I just can't access it from the WAN. I saw this post and thought I had struck gold. I followed the guide, but still no luck.

I was having the same issue and I followed your process, but I still can't access it from the WAN.

Collabora without cert.
Nextcloud with cert. Added the two environment variables in config.php after removing the host IP and deploying.
Now I see the same behavior: the internal URL redirects to IP:9001.
Externally: connection timed out.
I use Cloudflare -> NPM -> Nextcloud IP. All other services work fine.

EDIT: All working now. I was changing the environment variables in config.php instead of the GUI, as I was overlooking the wizard and missed the command section. Now everything is working.
Hope snapshots work.
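
A check for the symptom described in the post above (the public URL redirecting to the local IP and port), as an added example that is not part of the thread: it inspects the status and headers returned through the reverse proxy and flags redirects to a LAN address, a wrong host or plain http, plus a missing or short HSTS header. The function names and both sample responses are constructed; 15552000 seconds is the minimum `max-age` that Nextcloud's own setup check accepts.

```python
"""Audit a proxied Nextcloud response for LAN redirects and weak HSTS."""
import http.client
import ipaddress
import re
import sys
from urllib.parse import urlsplit

MIN_HSTS_SECONDS = 15552000  # minimum max-age accepted by Nextcloud's setup check

# Constructed samples (status, headers); addresses follow the thread's examples.
BROKEN = (302, {"Location": "http://192.168.1.234:9001/login"})
FIXED = (302, {"Location": "https://nextcloud.mydomain.tld/login",
               "Strict-Transport-Security": "max-age=63072000; preload"})


def audit_response(status, headers, public_host):
    """Return short finding codes for one response seen through the proxy."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    location = hdrs.get("location")
    if 300 <= status < 400 and location:
        target = urlsplit(location)
        host = (target.hostname or "").lower()
        if host:  # a relative redirect stays on the public host
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:
                private = False  # DNS name, not an IP literal
            if private:
                findings.append("redirect-to-lan")
            elif host != public_host.lower():
                findings.append("redirect-wrong-host")
            if target.scheme != "https":
                findings.append("redirect-not-https")
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        match = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) < MIN_HSTS_SECONDS:
            findings.append("hsts-too-short")
    return findings


def fetch_front_page(public_host, timeout=10):
    """GET / over verified TLS without following redirects."""
    conn = http.client.HTTPSConnection(public_host, 443, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: script.py nextcloud.mydomain.tld   (no argument: use the sample)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        status, headers = fetch_front_page(host)
    else:
        host = "nextcloud.mydomain.tld"
        status, headers = BROKEN
    result = audit_response(status, headers, host)
    print(", ".join(result) if result else "redirect target and HSTS look correct")
    sys.exit(1 if result else 0)
```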

Are you using the TrueNAS app or the TrueCharts one? Given the situation with TrueCharts I assume TrueNAS but want to confirm. I’m using the TrueNAS version as it was easier to get running than the TrueCharts and didn’t have ties to their ingress methods. I just assigned the app an IP on my network and then had to shell into the POD and edit the ini file for Nextcloud to accept connections from that IP and from my HAPROXY box. In my case I don’t install the certs on the Nextcloud instance but my HAPROXY box has a wildcard cert for my domain and it handles the direction to various systems based on URL.

    'trusted_domains' =>
    array (
      0 => 'localhost',
      1 => 'X.X.X.X', // IP assigned to APP
      2 => 'Y.Y.Y.Y', // IP of my HAPROXY
      3 => 'fqdn of external name',
      4 => 'fqdn of internal name',
    ),

Sorted.
I am using truenas version.

1 Like

Thanks for the guide which I found useful in a number of specific areas relating to using Nginx to achieve https login to Truenas and Nextcloud.
The main difference in my installation has been that I am using a Cloudflare Tunnel and I suspect that is the reason why I have not been able to produce an SSL certificate in Nginx.

The key points that I have taken from your guide were:

  1. The use of the Certificates in Nextcloud
  2. Setting the Nextcloud Host field to nextcloud.mydomain.tld though without selecting a different port for URL rewrites and specifying 443.
  3. I did set the environment variables OVERWRITEHOST & OVERWRITECLIURL to nextcloud.mydomain.tld though.
1 Like

@Seapal Glad to hear I could help!

One thing: I meant for the step of setting the Host field to nextcloud.mydomain.tld and then using port 443 for URL rewrites to be an alternative to simply setting the OVERWRITEHOST environment variable to nextcloud.mydomain.tld, so if you have already set OVERWRITEHOST to nextcloud.mydomain.tld, then it doesn’t surprise me that your configuration worked without having explicitly set port 443 for URL rewrites.

As a matter of fact when I installed Nextcloud WITH a certificate, doing both of the aforementioned was impossible for me, i.e., I wasn’t able to manually set OVERWRITEHOST while also manually setting the Host field when I installed Nextcloud WITH a certificate.

Excellent guide. Finally finished getting rid of truecharts. Thank you!

Note: I did have to Disable certificate verification for use with my cert. Otherwise I got failed to connect to the remote server: cURL error 60: SSL certificate problem. I am using a paid ssl cert for office and main domain for now.

1 Like

@Wacky-Mole That’s interesting that you had to disable certificate verification. It could very well have something to do with your domain registrar.

For the record, I used Dynu for my domain and DDNS services, and I was able to do all of that with them entirely for free. I may update this guide with my Dynu configuration.

@owl Very well could be. I got some cheap ssl from www.ssls.com. It’s just a lot harder to do let’s encrypt on truenas scale apps than truecharts. Especially with a proxy that also requires the same certs. If you could provide a working way for free self renewing certs that would be awesome.

@Wacky-Mole I have added instructions below for creating Let’s Encrypt certificates with Dynu and Nginx Proxy Manager. I am assuming that you have already:

  • Added your domain to Dynu or claimed a (free) Dynu subdomain
  • Added DNS records to your domain/subdomain that point your domain/subdomain to your network
  • Forwarded port 443 on your network to the local IP of your Nginx Proxy Manager installation followed by the https port for Nginx Proxy Manager (normally port 30022)


Select API Credentials from the Control Panel in your Dynu account.



Select the View button (with the binoculars icon) from the API Key field. Copy the full API Key to your clipboard.



In Nginx Proxy Manager, go to the SSL Certificates menu.



Select Add SSL Certificate and then Let’s Encrypt.



For the Domain Names, you can write star (*) followed by dot (.) followed by your Dynu domain/subdomain (e.g., *.mydomain.tld) to create a wildcard certificate that will be valid for any URL that ends in your domain (for example, this would work for both nextcloud.mydomain.tld as well as collabora.mydomain.tld). Otherwise, you will need to create a unique certificate for every subdomain that you want to encrypt.

Enter your email address for Let’s Encrypt.

Select Use a DNS Challenge.

Select Dynu as the DNS Provider.

Replace the default value for dns_dynu_auth_token with the Dynu API Key that you copied to your clipboard.

Select I Agree to the Let’s Encrypt Terms of Service.

Hit Save. It may take Nginx Proxy Manager a few minutes to generate your Let’s Encrypt certificate.


I am not positive whether these certificates will auto-renew, but I think they will. The responses on this Reddit thread seem to indicate that Nginx Proxy Manager will take care of certificate renewals automatically, but I have not had any of my certificates for long enough to verify that this is the case (officially, my Let’s Encrypt certificates are set to expire three months from their creation date).

However, it should be noted that it is very easy to manually renew your Let’s Encrypt certificates (should the need ever arise):


Just select the Renew Now option from the drop-down menu for your certificate in Nginx Proxy Manager.

Okay, I was finally able to get the cert in Nginx and Truenas Scale for cloudflare. I followed https://www.youtube.com/watch?v=TJ5fDiDRcbU for truenas.

Nginx gave me a couple of errors, but after I entered admin@website email, I was able to power through.

So Let’s encrypt should auto renew a wildcard on truenas every 10 days, and nginx should renew my main domain + office.sub domain every 90. All for free.

Excellent. Hope this helps other people too.

1 Like

I don’t understand why nextcloud config page does not work when Nginx Proxy is listening to port 30022 but works on 443? Can anybody tell me?

Stuck in this state when I set router to redirect all 443 traffic to 30022 and let Nginx Proxy to listen to 30022 port and proxy_pass to 9001.

If I use host nginx and let it use 443 port - everything works again

@Lev When do you see the message in the picture you posted? Is it after you try to install Nextcloud?

Also, what do you mean when you say that it works when you use the host nginx and let it use 443 port? Are you saying that you set the Host during Nextcloud installation to your Nginx Proxy Manager internal IP and then have Nginx Proxy Manager listen on port 443 instead of 30022?

Please see my other post at the bottom of this thread:

Please help fixing this Strict-Transport-Security error in Nextcloud - Apps and Virtualization - TrueNAS Community Forums