Migrated from Nextcloud-AIO to standard nextcloud.

deploy.sh

@@ -499,8 +499,10 @@ services_generation() {
 
     # Nextcloud config
     elif [[ "${service}" == "nextcloud" ]]; then
-      generate_network "${service}" "0" "nextcloud-aio"
-      envsubst < templates/podman-config/traefik/nextcloud.yaml > final-nix-config/mnt/config/traefik/rules/nextcloud.yaml
+      generate_network "${service}" "1"
+      generate_db_creds "NEXTCLOUD"
+      export "NEXTCLOUD_REDIS_PASSWORD"="$(xkcdpass -d "-")"
+#      envsubst < templates/podman-config/traefik/nextcloud.yaml > final-nix-config/mnt/config/traefik/rules/nextcloud.yaml
 
     # Passbolt config
     elif [[ "${service}" == "passbolt" ]]; then

templates/nix-config/misc/activation.nix

@@ -64,20 +64,20 @@ PODMAN_NETWORKS
 
       DOMAIN_NAME="$(cat /run/secrets/domain_name)"
 
-      echo "Applying Pi-Hole quirks..."
-      if [[ -e /etc/nixos/podman/pi-hole.nix ]]; then
-        mkdir -p /mnt/config/pi-hole/
-        chown -R numbus-admin:users /mnt/config/pi-hole/
-        echo "Waiting for Pi-hole to be ready..."
-        until [[ -e /mnt/config/pi-hole/pihole-FTL.db ]]; do
-          sleep 15
-        done
-        sleep 60
-        sudo -u numbus-admin podman exec pi-hole pihole -g
-        sleep 60
-        systemctl restart pi-hole.service
-        echo "Pi-Hole quirk applied and service ready !"
-      fi
+      #echo "Applying Pi-Hole quirks..."
+      #if [[ -e /etc/nixos/podman/pi-hole.nix ]]; then
+      #  mkdir -p /mnt/config/pi-hole/
+      #  chown -R numbus-admin:users /mnt/config/pi-hole/
+      #  echo "Waiting for Pi-hole to be ready..."
+      #  until [[ -e /mnt/config/pi-hole/pihole-FTL.db ]]; do
+      #    sleep 15
+      #  done
+      #  sleep 60
+      #  sudo -u numbus-admin podman exec pi-hole pihole -g
+      #  sleep 60
+      #  systemctl restart pi-hole.service
+      #  echo "Pi-Hole quirk applied and service ready !"
+      #fi
 
       echo "Applying Home Assistant quirks..."
       if [[ -e /etc/nixos/podman/home-assistant.nix ]]; then

templates/nix-config/podman/nextcloud-aio.nix

@@ -0,0 +1,98 @@
+{ config, pkgs, ... }:
+
+let
+  container_name = "nextcloud";
+  compose_file = "podman/nextcloud/compose.yaml";
+  data_dir = "/mnt/data/nextcloud";
+in
+
+{
+  config = {
+    environment.etc."${compose_file}".text =
+      /*
+      yaml
+      */
+      ''
+        services:
+          nextcloud-aio-mastercontainer:
+            image: ghcr.io/nextcloud-releases/all-in-one:latest
+            container_name: nextcloud-aio-mastercontainer
+            networks:
+              nextcloud-aio:
+            volumes:
+              - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+              - /run/user/1000/podman/podman.sock:/var/run/docker.sock:ro
+            environment:
+              APACHE_PORT: 11000
+              APACHE_IP_BINDING: 127.0.0.1
+              NEXTCLOUD_DATADIR: ${data_dir}
+              NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE
+              NEXTCLOUD_UPLOAD_LIMIT: 16G
+              NEXTCLOUD_MAX_TIME: 3600
+              NEXTCLOUD_MEMORY_LIMIT: 2048M
+              NEXTCLOUD_ADDITIONAL_APKS: imagemagick
+              NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick
+              WATCHTOWER_DOCKER_SOCKET_PATH: /run/user/1000/podman/podman.sock
+            labels:
+              - traefik.enable=true
+              - traefik.docker.network=nextcloud-aio
+              - traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080
+              - traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https
+              - traefik.http.routers.nextcloud-aio-https.entrypoints=websecure
+              - traefik.http.routers.nextcloud-aio-https.rule=Host(`nextcloud-aio.$DOMAIN_NAME`)
+              - traefik.http.routers.nextcloud-aio-https.tls=true
+              - traefik.http.routers.nextcloud-aio-https.tls.certresolver=cloudflare
+            init: true
+            restart: always
+
+        networks:
+          nextcloud-aio:
+            external: true
+
+        volumes:
+          nextcloud_aio_mastercontainer:
+            name: nextcloud_aio_mastercontainer
+      '';
+
+    systemd.services."${container_name}" = {
+      description = "Podman container : ${container_name}";
+      after = [ "network.target" "traefik.service" "pi-hole.service" ];
+      requires = [ "traefik.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.podman pkgs.coreutils ];
+
+      serviceConfig = {
+        User = "numbus-admin";
+        Environment = [ "XDG_RUNTIME_DIR=/run/user/1000" ];
+        Type = "exec";
+        TimeoutStartSec = "600";
+        ExecStartPre = [
+          "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'"
+          "-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull"
+        ];
+        ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans";
+        ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down";
+        Restart = "on-failure";
+        RestartSec = "5m";
+        StartLimitBurst = "3";
+      };
+    };
+
+    systemd.services."update-${container_name}" = {
+      description = "Update ${container_name} container";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service";
+      };
+    };
+
+    systemd.timers."update-${container_name}" = {
+      timerConfig = {
+        OnCalendar = "02:00";
+        RandomizedDelaySec = "60m";
+        Unit = "update-${container_name}.service";
+      };
+      wantedBy = [ "timers.target" ];
+    };
+  };
+}

templates/nix-config/podman/nextcloud.nix

@@ -14,44 +14,78 @@ in
       */
       ''
         services:
-          nextcloud-aio-mastercontainer:
-            image: ghcr.io/nextcloud-releases/all-in-one:latest
-            container_name: nextcloud-aio-mastercontainer
+          nextcloud-server:
+            image: docker.io/library/nextcloud:latest
+            container_name: nextcloud-server
+            restart: unless-stopped
             networks:
-              nextcloud-aio:
+              nextcloud_frontend:
+              nextcloud_backend:
             volumes:
-              - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
-              - /run/user/1000/podman/podman.sock:/var/run/docker.sock:ro
+              - nextcloud_data:/var/www/html
             environment:
-              APACHE_PORT: 11000
-              APACHE_IP_BINDING: 127.0.0.1
-              NEXTCLOUD_DATADIR: ${data_dir}
-              NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE
-              NEXTCLOUD_UPLOAD_LIMIT: 16G
-              NEXTCLOUD_MAX_TIME: 3600
-              NEXTCLOUD_MEMORY_LIMIT: 2048M
-              NEXTCLOUD_ADDITIONAL_APKS: imagemagick
-              NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick
-              WATCHTOWER_DOCKER_SOCKET_PATH: /run/user/1000/podman/podman.sock
+              MYSQL_HOST: nextcloud-database
+              MYSQL_DATABASE: $MYSQL_DATABASE
+              MYSQL_USER: $MYSQL_USER
+              MYSQL_PASSWORD: $MYSQL_PASSWORD
+              REDIS_HOST: nextcloud-redis
+              REDIS_HOST_PASSWORD: $REDIS_HOST_PASSWORD
+              NEXTCLOUD_TRUSTED_DOMAINS: $DOMAIN_NAME
+              NEXTCLOUD_DATA_DIR: ${data_dir}
+              SMTP_HOST: $SMTP_HOST
+              SMTP_SECURE: tls
+              SMTP_PORT: $SMTP_PORT
+              SMTP_NAME: $SMTP_NAME
+              SMTP_PASSWORD: $SMTP_PASSWORD
+              MAIL_FROM_ADDRESS: $MAIL_FROM_ADDRESS
+              MAIL_DOMAIN: $DOMAIN_NAME
+              APACHE_DISABLE_REWRITE_IP: 1
+              TRUSTED_PROXIES: traefik
+              OVERWRITEPROTOCOL: https
             labels:
               - traefik.enable=true
-              - traefik.docker.network=nextcloud-aio
-              - traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080
-              - traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https
-              - traefik.http.routers.nextcloud-aio-https.entrypoints=websecure
-              - traefik.http.routers.nextcloud-aio-https.rule=Host(`nextcloud-aio.$DOMAIN_NAME`)
-              - traefik.http.routers.nextcloud-aio-https.tls=true
-              - traefik.http.routers.nextcloud-aio-https.tls.certresolver=cloudflare
-            init: true
-            restart: always
-
+              - traefik.docker.network=nextcloud_frontend
+              - traefik.http.services.nextcloud.loadbalancer.server.port=80
+              - traefik.http.services.nextcloud.loadbalancer.server.scheme=http
+              - traefik.http.routers.nextcloud-https.entrypoints=websecure
+              - traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.$DOMAIN_NAME`)
+              - traefik.http.routers.nextcloud-https.tls=true
+              - traefik.http.routers.nextcloud-https.tls.certresolver=cloudflare
+            depends_on:
+              - nextcloud-database
+              - nextcloud-redis
+        
+          nextcloud-redis:
+            image: docker.io/library/redis:alpine
+            name: nextcloud-redis
+            restart: unless-stopped
+            networks:
+              nextcloud_backend:
+            command: redis-server --requirepass $REDIS_HOST_PASSWORD
+        
+          nextcloud-database:
+            image: docker.io/library/mariadb:latest
+            container_name: nextcloud-database
+            restart: unless-stopped
+            networks:
+              nextcloud_backend:
+            volumes:
+              - nextcloud_database:/var/lib/mysql
+            environment:
+              MARIADB_DATABASE: $MYSQL_DATABASE
+              MARIADB_USER: $MYSQL_USER
+              MARIADB_PASSWORD: $MYSQL_PASSWORD
+              MARIADB_RANDOM_ROOT_PASSWORD: true
+        
         networks:
-          nextcloud-aio:
+          nextcloud_frontend:
             external: true
-
+          nextcloud_backend:
+            external: true
+        
         volumes:
-          nextcloud_aio_mastercontainer:
-            name: nextcloud_aio_mastercontainer
+          nextcloud_data:
+          nextcloud_database:
       '';
 
     systemd.services."${container_name}" = {

templates/nix-config/podman/passbolt.nix

@@ -30,10 +30,10 @@ in
               DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
               DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE
               EMAIL_DEFAULT_FROM_NAME: "Passbolt"
-              EMAIL_TRANSPORT_DEFAULT_HOST: $SENDER_EMAIL_DOMAIN
-              EMAIL_TRANSPORT_DEFAULT_PORT: $SENDER_EMAIL_PORT
-              EMAIL_TRANSPORT_DEFAULT_USERNAME: $SENDER_EMAIL_ADDRESS
-              EMAIL_TRANSPORT_DEFAULT_PASSWORD: $SENDER_EMAIL_ADDRESS_PASSWORD
+              EMAIL_TRANSPORT_DEFAULT_HOST: $EMAIL_TRANSPORT_DEFAULT_HOST
+              EMAIL_TRANSPORT_DEFAULT_PORT: $EMAIL_TRANSPORT_DEFAULT_PORT
+              EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_TRANSPORT_DEFAULT_USERNAME
+              EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD
               EMAIL_TRANSPORT_DEFAULT_TLS: true
               EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS
               PASSBOLT_SSL_FORCE: true

templates/nix-config/podman/pi-hole.nix

@@ -3,7 +3,6 @@
 let
   container_name = "pi-hole";
   compose_file = "podman/pi-hole/compose.yaml";
-  config_dir = "/mnt/config/pi-hole";
 in
 
 {
@@ -43,7 +42,7 @@ in
               FTLCONF_ntp_ipv6_active: "false"
               FTLCONF_ntp_sync_active: "false"
             volumes:
-              - ${config_dir}:/etc/pihole
+              - pi-hole_data:/etc/pihole
             cap_add:
               - SYS_NICE
             labels:
@@ -57,6 +56,9 @@ in
               - traefik.http.routers.pihole-https.tls.certresolver=cloudflare
             restart: unless-stopped
 
+        volumes:
+          pi-hole_data:
+
         networks:
           pi-hole_frontend:
             external: true

templates/nix-config/sops-nix/secrets.yaml

@@ -34,17 +34,25 @@ podman:
     DOMAIN_NAME="$DOMAIN_NAME"
   nextcloud: |
     DOMAIN_NAME="$DOMAIN_NAME"
-    NEXTCLOUD_ENABLE_DRI_DEVICE=$TARGET_GRAPHICS
+    MYSQL_DATABASE="$NEXTCLOUD_DB_NAME"
+    MYSQL_USER="$NEXTCLOUD_DB_USERNAME"
+    MYSQL_PASSWORD="$NEXTCLOUD_DB_PASSWORD"
+    REDIS_HOST_PASSWORD="$NEXTCLOUD_REDIS_PASSWORD"
+    SMTP_HOST="$SENDER_EMAIL_DOMAIN"
+    SMTP_PORT="$SENDER_EMAIL_PORT"
+    SMTP_NAME="$SENDER_EMAIL_ADDRESS"
+    SMTP_PASSWORD="$SENDER_EMAIL_ADDRESS_PASSWORD"
+    MAIL_FROM_ADDRESS="$EMAIL_ADDRESS"
   passbolt: |
     DOMAIN_NAME="$DOMAIN_NAME"
     PASSBOLT_MYSQL_DATABASE="$PASSBOLT_DB_NAME"
     PASSBOLT_MYSQL_USER="$PASSBOLT_DB_USERNAME"
     PASSBOLT_MYSQL_PASSWORD="$PASSBOLT_DB_PASSWORD"
-    SENDER_EMAIL_ADDRESS="$SENDER_EMAIL_ADDRESS"
-    SENDER_EMAIL_ADDRESS_PASSWORD="$SENDER_EMAIL_ADDRESS_PASSWORD"
-    SENDER_EMAIL_DOMAIN="$SENDER_EMAIL_DOMAIN"
-    SENDER_EMAIL_PORT="$SENDER_EMAIL_PORT"
-    EMAIL_ADDRESS="$EMAIL_ADDRESS"
+    EMAIL_TRANSPORT_DEFAULT_HOST="$SENDER_EMAIL_DOMAIN"
+    EMAIL_TRANSPORT_DEFAULT_PORT="$SENDER_EMAIL_PORT"
+    EMAIL_TRANSPORT_DEFAULT_USERNAME="$SENDER_EMAIL_ADDRESS"
+    EMAIL_TRANSPORT_DEFAULT_PASSWORD="$SENDER_EMAIL_ADDRESS_PASSWORD"
+    EMAIL_DEFAULT_FROM="$EMAIL_ADDRESS"
     TZ="Europe/Paris"
   pi_hole: |
     DOMAIN_NAME="$DOMAIN_NAME"