From c6ce0be03e2e5ad2df266d030fea12b6c8d56ae5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?= Date: Mon, 16 Feb 2026 14:09:41 +0100 Subject: [PATCH] Migrated from Nextcloud-AIO to standard nextcloud. --- deploy.sh | 6 +- templates/nix-config/misc/activation.nix | 28 +++--- templates/nix-config/podman/nextcloud-aio.nix | 98 +++++++++++++++++++ templates/nix-config/podman/nextcloud.nix | 94 ++++++++++++------ templates/nix-config/podman/passbolt.nix | 8 +- templates/nix-config/podman/pi-hole.nix | 6 +- templates/nix-config/sops-nix/secrets.yaml | 20 ++-- 7 files changed, 202 insertions(+), 58 deletions(-) create mode 100644 templates/nix-config/podman/nextcloud-aio.nix diff --git a/deploy.sh b/deploy.sh index 39dc757..0b7d7b7 100644 --- a/deploy.sh +++ b/deploy.sh @@ -499,8 +499,10 @@ services_generation() { # Nextcloud config elif [[ "${service}" == "nextcloud" ]]; then - generate_network "${service}" "0" "nextcloud-aio" - envsubst < templates/podman-config/traefik/nextcloud.yaml > final-nix-config/mnt/config/traefik/rules/nextcloud.yaml + generate_network "${service}" "1" + generate_db_creds "NEXTCLOUD" + export "NEXTCLOUD_REDIS_PASSWORD"="$(xkcdpass -d "-")" +# envsubst < templates/podman-config/traefik/nextcloud.yaml > final-nix-config/mnt/config/traefik/rules/nextcloud.yaml # Passbolt config elif [[ "${service}" == "passbolt" ]]; then diff --git a/templates/nix-config/misc/activation.nix b/templates/nix-config/misc/activation.nix index 3153adb..8c72e9e 100644 --- a/templates/nix-config/misc/activation.nix +++ b/templates/nix-config/misc/activation.nix 
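Review bot: `export "NEXTCLOUD_REDIS_PASSWORD"="$(xkcdpass -d "-")"` reports the exit status of `export`, not of `xkcdpass`, so if the tool is missing or fails the variable is silently exported empty even under `set -e`, and that empty value is what the redis side later passes to `--requirepass`, where an empty password means no authentication at all. Assign and check before exporting: `NEXTCLOUD_REDIS_PASSWORD="$(xkcdpass -d "-")" || exit 1`, then `[[ -n "${NEXTCLOUD_REDIS_PASSWORD}" ]] || { echo "xkcdpass produced no password" >&2; exit 1; }`, then `export NEXTCLOUD_REDIS_PASSWORD`. The commented-out `envsubst` line for the Traefik file-provider rule looks superseded by the label-based router in the new compose file; if so, delete it rather than keep it as a comment. The enclosing `services_generation` function starts and ends outside the hunk.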
@@ -64,20 +64,20 @@ PODMAN_NETWORKS DOMAIN_NAME="$(cat /run/secrets/domain_name)" - echo "Applying Pi-Hole quirks..." - if [[ -e /etc/nixos/podman/pi-hole.nix ]]; then - mkdir -p /mnt/config/pi-hole/ - chown -R numbus-admin:users /mnt/config/pi-hole/ - echo "Waiting for Pi-hole to be ready..." - until [[ -e /mnt/config/pi-hole/pihole-FTL.db ]]; do - sleep 15 - done - sleep 60 - sudo -u numbus-admin podman exec pi-hole pihole -g - sleep 60 - systemctl restart pi-hole.service - echo "Pi-Hole quirk applied and service ready !" - fi + #echo "Applying Pi-Hole quirks..." + #if [[ -e /etc/nixos/podman/pi-hole.nix ]]; then + # mkdir -p /mnt/config/pi-hole/ + # chown -R numbus-admin:users /mnt/config/pi-hole/ + # echo "Waiting for Pi-hole to be ready..." + # until [[ -e /mnt/config/pi-hole/pihole-FTL.db ]]; do + # sleep 15 + # done + # sleep 60 + # sudo -u numbus-admin podman exec pi-hole pihole -g + # sleep 60 + # systemctl restart pi-hole.service + # echo "Pi-Hole quirk applied and service ready !" + #fi echo "Applying Home Assistant quirks..." if [[ -e /etc/nixos/podman/home-assistant.nix ]]; then diff --git a/templates/nix-config/podman/nextcloud-aio.nix b/templates/nix-config/podman/nextcloud-aio.nix new file mode 100644 index 0000000..1259eaf --- /dev/null +++ b/templates/nix-config/podman/nextcloud-aio.nix 
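Review bot: The Pi-hole quirk block is commented out rather than removed, and it cannot be revived as-is because pi-hole.nix in this same commit no longer uses `/mnt/config/pi-hole`, so `until [[ -e /mnt/config/pi-hole/pihole-FTL.db ]]` would wait forever; delete the block outright (git history keeps it), leaving `echo "Applying Home Assistant quirks..."` directly after the `DOMAIN_NAME` line. If the `pihole -g` step is still wanted, it needs rewriting against the named volume rather than a host path. The activation script continues outside the hunk.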
@@ -0,0 +1,98 @@ +{ config, pkgs, ... }: + +let + container_name = "nextcloud"; + compose_file = "podman/nextcloud/compose.yaml"; + data_dir = "/mnt/data/nextcloud"; +in + +{ + config = { + environment.etc."${compose_file}".text = + /* + yaml + */ + '' + services: + nextcloud-aio-mastercontainer: + image: ghcr.io/nextcloud-releases/all-in-one:latest + container_name: nextcloud-aio-mastercontainer + networks: + nextcloud-aio: + volumes: + - nextcloud_aio_mastercontainer:/mnt/docker-aio-config + - /run/user/1000/podman/podman.sock:/var/run/docker.sock:ro + environment: + APACHE_PORT: 11000 + APACHE_IP_BINDING: 127.0.0.1 + NEXTCLOUD_DATADIR: ${data_dir} + NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE + NEXTCLOUD_UPLOAD_LIMIT: 16G + NEXTCLOUD_MAX_TIME: 3600 + NEXTCLOUD_MEMORY_LIMIT: 2048M + NEXTCLOUD_ADDITIONAL_APKS: imagemagick + NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick + WATCHTOWER_DOCKER_SOCKET_PATH: /run/user/1000/podman/podman.sock + labels: + - traefik.enable=true + - traefik.docker.network=nextcloud-aio + - traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080 + - traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https + - traefik.http.routers.nextcloud-aio-https.entrypoints=websecure + - traefik.http.routers.nextcloud-aio-https.rule=Host(`nextcloud-aio.$DOMAIN_NAME`) + - traefik.http.routers.nextcloud-aio-https.tls=true + - traefik.http.routers.nextcloud-aio-https.tls.certresolver=cloudflare + init: true + restart: always + + networks: + nextcloud-aio: + external: true + + volumes: + nextcloud_aio_mastercontainer: + name: nextcloud_aio_mastercontainer + ''; + + systemd.services."${container_name}" = { + description = "Podman container : ${container_name}"; + after = [ "network.target" "traefik.service" "pi-hole.service" ]; + requires = [ "traefik.service" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.podman pkgs.coreutils ]; + + serviceConfig = { + User = "numbus-admin"; + Environment = [ 
"XDG_RUNTIME_DIR=/run/user/1000" ]; + Type = "exec"; + TimeoutStartSec = "600"; + ExecStartPre = [ + "${pkgs.bash}/bin/bash -c 'sleep $((RANDOM % 180))'" + "-${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} pull" + ]; + ExecStart = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} up --remove-orphans"; + ExecStop = "${pkgs.podman-compose}/bin/podman-compose -f /etc/${compose_file} down"; + Restart = "on-failure"; + RestartSec = "5m"; + StartLimitBurst = "3"; + }; + }; + + systemd.services."update-${container_name}" = { + description = "Update ${container_name} container"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ${container_name}.service"; + }; + }; + + systemd.timers."update-${container_name}" = { + timerConfig = { + OnCalendar = "02:00"; + RandomizedDelaySec = "60m"; + Unit = "update-${container_name}.service"; + }; + wantedBy = [ "timers.target" ]; + }; + }; +} \ No newline at end of file diff --git a/templates/nix-config/podman/nextcloud.nix b/templates/nix-config/podman/nextcloud.nix index 1259eaf..101ee2c 100644 --- a/templates/nix-config/podman/nextcloud.nix +++ b/templates/nix-config/podman/nextcloud.nix 
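Review bot: This new file is the pre-change nextcloud.nix verbatim (both diff headers show blob `1259eaf`), so it still declares `container_name = "nextcloud"` and `compose_file = "podman/nextcloud/compose.yaml"`; if deploy.sh ever enables it alongside the new nextcloud.nix, both modules define `systemd.services.nextcloud` and the same `environment.etc` entry and the NixOS evaluation fails on the conflict, which is avoided with `container_name = "nextcloud-aio";` and `compose_file = "podman/nextcloud-aio/compose.yaml";`. The compose also reads `$NEXTCLOUD_ENABLE_DRI_DEVICE`, but the secrets template in this commit removes `NEXTCLOUD_ENABLE_DRI_DEVICE=$TARGET_GRAPHICS` from the nextcloud block, so the variable presumably no longer has a source. Worth a comment above the `podman.sock` mount: `# NOTE: the socket gives the mastercontainer full control of numbus-admin's rootless podman; ':ro' does not restrict API calls`, since that is the trust boundary AIO requires. The `:latest` tag combined with the nightly pull/restart timer below means image updates are unpinned and unreviewed.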
@@ -14,44 +14,78 @@ in */ '' services: - nextcloud-aio-mastercontainer: - image: ghcr.io/nextcloud-releases/all-in-one:latest - container_name: nextcloud-aio-mastercontainer + nextcloud-server: + image: docker.io/library/nextcloud:latest + container_name: nextcloud-server + restart: unless-stopped networks: - nextcloud-aio: + nextcloud_frontend: + nextcloud_backend: volumes: - - nextcloud_aio_mastercontainer:/mnt/docker-aio-config - - /run/user/1000/podman/podman.sock:/var/run/docker.sock:ro + - nextcloud_data:/var/www/html environment: - APACHE_PORT: 11000 - APACHE_IP_BINDING: 127.0.0.1 - NEXTCLOUD_DATADIR: ${data_dir} - NEXTCLOUD_ENABLE_DRI_DEVICE: $NEXTCLOUD_ENABLE_DRI_DEVICE - NEXTCLOUD_UPLOAD_LIMIT: 16G - NEXTCLOUD_MAX_TIME: 3600 - NEXTCLOUD_MEMORY_LIMIT: 2048M - NEXTCLOUD_ADDITIONAL_APKS: imagemagick - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick - WATCHTOWER_DOCKER_SOCKET_PATH: /run/user/1000/podman/podman.sock + MYSQL_HOST: nextcloud-database + MYSQL_DATABASE: $MYSQL_DATABASE + MYSQL_USER: $MYSQL_USER + MYSQL_PASSWORD: $MYSQL_PASSWORD + REDIS_HOST: nextcloud-redis + REDIS_HOST_PASSWORD: $REDIS_HOST_PASSWORD + NEXTCLOUD_TRUSTED_DOMAINS: $DOMAIN_NAME + NEXTCLOUD_DATA_DIR: ${data_dir} + SMTP_HOST: $SMTP_HOST + SMTP_SECURE: tls + SMTP_PORT: $SMTP_PORT + SMTP_NAME: $SMTP_NAME + SMTP_PASSWORD: $SMTP_PASSWORD + MAIL_FROM_ADDRESS: $MAIL_FROM_ADDRESS + MAIL_DOMAIN: $DOMAIN_NAME + APACHE_DISABLE_REWRITE_IP: 1 + TRUSTED_PROXIES: traefik + OVERWRITEPROTOCOL: https labels: - traefik.enable=true - - traefik.docker.network=nextcloud-aio - - traefik.http.services.nextcloud-aio.loadbalancer.server.port=8080 - - traefik.http.services.nextcloud-aio.loadbalancer.server.scheme=https - - traefik.http.routers.nextcloud-aio-https.entrypoints=websecure - - traefik.http.routers.nextcloud-aio-https.rule=Host(`nextcloud-aio.$DOMAIN_NAME`) - - traefik.http.routers.nextcloud-aio-https.tls=true - - traefik.http.routers.nextcloud-aio-https.tls.certresolver=cloudflare - init: true - 
restart: always - + - traefik.docker.network=nextcloud_frontend + - traefik.http.services.nextcloud.loadbalancer.server.port=80 + - traefik.http.services.nextcloud.loadbalancer.server.scheme=http + - traefik.http.routers.nextcloud-https.entrypoints=websecure + - traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.$DOMAIN_NAME`) + - traefik.http.routers.nextcloud-https.tls=true + - traefik.http.routers.nextcloud-https.tls.certresolver=cloudflare + depends_on: + - nextcloud-database + - nextcloud-redis + + nextcloud-redis: + image: docker.io/library/redis:alpine + name: nextcloud-redis + restart: unless-stopped + networks: + nextcloud_backend: + command: redis-server --requirepass $REDIS_HOST_PASSWORD + + nextcloud-database: + image: docker.io/library/mariadb:latest + container_name: nextcloud-database + restart: unless-stopped + networks: + nextcloud_backend: + volumes: + - nextcloud_database:/var/lib/mysql + environment: + MARIADB_DATABASE: $MYSQL_DATABASE + MARIADB_USER: $MYSQL_USER + MARIADB_PASSWORD: $MYSQL_PASSWORD + MARIADB_RANDOM_ROOT_PASSWORD: true + networks: - nextcloud-aio: + nextcloud_frontend: external: true - + nextcloud_backend: + external: true + volumes: - nextcloud_aio_mastercontainer: - name: nextcloud_aio_mastercontainer + nextcloud_data: + nextcloud_database: ''; systemd.services."${container_name}" = { diff --git a/templates/nix-config/podman/passbolt.nix b/templates/nix-config/podman/passbolt.nix index bc3364c..5901f11 100644 --- a/templates/nix-config/podman/passbolt.nix +++ b/templates/nix-config/podman/passbolt.nix 
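Review bot: `NEXTCLOUD_DATA_DIR: ${data_dir}` names a path inside the container that no volume in this hunk mounts (only `nextcloud_data:/var/www/html` is listed), so unless `/mnt/data/nextcloud` is bind-mounted elsewhere, user files land in the container's writable layer and are discarded when the stack is recreated, which the nightly pull-and-restart timer does; add `- ${data_dir}:${data_dir}` under `volumes` (with rootless podman the directory must be writable by the www-data uid as mapped in the user namespace). `NEXTCLOUD_TRUSTED_DOMAINS: $DOMAIN_NAME` does not match the router rule `Host(nextcloud.$DOMAIN_NAME)`, so requests through Traefik would hit Nextcloud's untrusted-domain page; it should be `nextcloud.$DOMAIN_NAME`. `command: redis-server --requirepass $REDIS_HOST_PASSWORD` puts the secret in the redis process argv, readable via `/proc/*/cmdline` and `podman inspect`; feeding it as a config line on stdin keeps it out of argv (it still sits in the container environment). The redis service also uses `name:` where the other two services use `container_name:` (compose does not know `name` as a service key), and `TRUSTED_PROXIES: traefik` is a hostname where Nextcloud expects IP addresses or CIDR ranges, so the frontend network's subnet is probably what is wanted. The `environment.etc` string and the systemd unit continue outside the hunk.
```nix
          environment:
            # … unchanged: MYSQL_*, REDIS_HOST …
            NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.$DOMAIN_NAME
            NEXTCLOUD_DATA_DIR: ${data_dir}
            # … unchanged: SMTP_*, MAIL_*, APACHE_DISABLE_REWRITE_IP, OVERWRITEPROTOCOL …
            # TRUSTED_PROXIES must be an IP/CIDR; substitute the nextcloud_frontend subnet
            TRUSTED_PROXIES: $TRAEFIK_PROXY_CIDR
          volumes:
            - nextcloud_data:/var/www/html
            - ${data_dir}:${data_dir}
          # … unchanged: labels, depends_on …

        nextcloud-redis:
          image: docker.io/library/redis:alpine
          container_name: nextcloud-redis
          # … unchanged: restart, networks …
          environment:
            REDIS_HOST_PASSWORD: $REDIS_HOST_PASSWORD
          # password read from stdin as a config line instead of being passed on argv
          command: ['sh', '-c', 'echo "requirepass $$REDIS_HOST_PASSWORD" | exec redis-server -']
```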
@@ -30,10 +30,10 @@ in DATASOURCES_DEFAULT_PASSWORD: $PASSBOLT_MYSQL_PASSWORD DATASOURCES_DEFAULT_DATABASE: $PASSBOLT_MYSQL_DATABASE EMAIL_DEFAULT_FROM_NAME: "Passbolt" - EMAIL_TRANSPORT_DEFAULT_HOST: $SENDER_EMAIL_DOMAIN - EMAIL_TRANSPORT_DEFAULT_PORT: $SENDER_EMAIL_PORT - EMAIL_TRANSPORT_DEFAULT_USERNAME: $SENDER_EMAIL_ADDRESS - EMAIL_TRANSPORT_DEFAULT_PASSWORD: $SENDER_EMAIL_ADDRESS_PASSWORD + EMAIL_TRANSPORT_DEFAULT_HOST: $EMAIL_TRANSPORT_DEFAULT_HOST + EMAIL_TRANSPORT_DEFAULT_PORT: $EMAIL_TRANSPORT_DEFAULT_PORT + EMAIL_TRANSPORT_DEFAULT_USERNAME: $EMAIL_TRANSPORT_DEFAULT_USERNAME + EMAIL_TRANSPORT_DEFAULT_PASSWORD: $EMAIL_TRANSPORT_DEFAULT_PASSWORD EMAIL_TRANSPORT_DEFAULT_TLS: true EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS PASSBOLT_SSL_FORCE: true diff --git a/templates/nix-config/podman/pi-hole.nix b/templates/nix-config/podman/pi-hole.nix index 3fd8833..296aea4 100644 --- a/templates/nix-config/podman/pi-hole.nix +++ b/templates/nix-config/podman/pi-hole.nix @@ -3,7 +3,6 @@ let container_name = "pi-hole"; compose_file = "podman/pi-hole/compose.yaml"; - config_dir = "/mnt/config/pi-hole"; in { @@ -43,7 +42,7 @@ in FTLCONF_ntp_ipv6_active: "false" FTLCONF_ntp_sync_active: "false" volumes: - - ${config_dir}:/etc/pihole + - pi-hole_data:/etc/pihole cap_add: - SYS_NICE labels: @@ -57,6 +56,9 @@ in - traefik.http.routers.pihole-https.tls.certresolver=cloudflare restart: unless-stopped + volumes: + pi-hole_data: + networks: pi-hole_frontend: external: true diff --git a/templates/nix-config/sops-nix/secrets.yaml b/templates/nix-config/sops-nix/secrets.yaml index a9f08d7..463bfc8 100644 --- a/templates/nix-config/sops-nix/secrets.yaml +++ b/templates/nix-config/sops-nix/secrets.yaml 
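Review bot: Swapping the `${config_dir}:/etc/pihole` bind mount for the named volume `pi-hole_data` starts Pi-hole from an empty `/etc/pihole`: nothing in this patch migrates the existing `/mnt/config/pi-hole` state (FTL database, gravity lists, web password), and since the unit presumably runs rootless like the others, the volume now lives in the user's container storage instead of under `/mnt/config`, so a backup that covers `/mnt/config` silently stops covering Pi-hole. If the move is intended, a one-off copy into the volume (for example `podman volume import`) plus a comment above `pi-hole_data:` such as `# lives in ~numbus-admin's container storage, not /mnt/config — back up separately` would make that explicit. The activation quirk that ran `pihole -g` after first start is commented out in the same commit, so the first gravity update now depends on the container's own startup behaviour.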
@@ -34,17 +34,25 @@ podman: DOMAIN_NAME="$DOMAIN_NAME" nextcloud: | DOMAIN_NAME="$DOMAIN_NAME" - NEXTCLOUD_ENABLE_DRI_DEVICE=$TARGET_GRAPHICS + MYSQL_DATABASE="$NEXTCLOUD_DB_NAME" + MYSQL_USER="$NEXTCLOUD_DB_USERNAME" + MYSQL_PASSWORD="$NEXTCLOUD_DB_PASSWORD" + REDIS_HOST_PASSWORD="$NEXTCLOUD_REDIS_PASSWORD" + SMTP_HOST="$SENDER_EMAIL_DOMAIN" + SMTP_PORT="$SENDER_EMAIL_PORT" + SMTP_NAME="$SENDER_EMAIL_ADDRESS" + SMTP_PASSWORD="$SENDER_EMAIL_ADDRESS_PASSWORD" + MAIL_FROM_ADDRESS="$EMAIL_ADDRESS" passbolt: | DOMAIN_NAME="$DOMAIN_NAME" PASSBOLT_MYSQL_DATABASE="$PASSBOLT_DB_NAME" PASSBOLT_MYSQL_USER="$PASSBOLT_DB_USERNAME" PASSBOLT_MYSQL_PASSWORD="$PASSBOLT_DB_PASSWORD" - SENDER_EMAIL_ADDRESS="$SENDER_EMAIL_ADDRESS" - SENDER_EMAIL_ADDRESS_PASSWORD="$SENDER_EMAIL_ADDRESS_PASSWORD" - SENDER_EMAIL_DOMAIN="$SENDER_EMAIL_DOMAIN" - SENDER_EMAIL_PORT="$SENDER_EMAIL_PORT" - EMAIL_ADDRESS="$EMAIL_ADDRESS" + EMAIL_TRANSPORT_DEFAULT_HOST="$SENDER_EMAIL_DOMAIN" + EMAIL_TRANSPORT_DEFAULT_PORT="$SENDER_EMAIL_PORT" + EMAIL_TRANSPORT_DEFAULT_USERNAME="$SENDER_EMAIL_ADDRESS" + EMAIL_TRANSPORT_DEFAULT_PASSWORD="$SENDER_EMAIL_ADDRESS_PASSWORD" + EMAIL_DEFAULT_FROM="$EMAIL_ADDRESS" TZ="Europe/Paris" pi_hole: | DOMAIN_NAME="$DOMAIN_NAME"
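Review bot: The passbolt block drops `EMAIL_ADDRESS="$EMAIL_ADDRESS"` in favour of `EMAIL_DEFAULT_FROM="$EMAIL_ADDRESS"`, but the unchanged context line in passbolt.nix still reads `EMAIL_DEFAULT_FROM: $EMAIL_ADDRESS`, so if this block is the env file podman-compose substitutes from, Passbolt's from-address becomes empty; either keep the `EMAIL_ADDRESS=` line or change the compose side to `EMAIL_DEFAULT_FROM: $EMAIL_DEFAULT_FROM` to match the other renamed keys. In the same way `NEXTCLOUD_ENABLE_DRI_DEVICE` is removed here while the newly added nextcloud-aio.nix still references `$NEXTCLOUD_ENABLE_DRI_DEVICE`. A one-line comment at the top of each service block naming the compose file that consumes it would make such drift easier to catch in review.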