From ea86da660d46f81cf51a0debe8895e2f040587f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?= Date: Sat, 28 Feb 2026 22:41:11 +0100 Subject: [PATCH] Improved Nextcloud systemD services to avoid failures. Added middleware for carddav/caldav --- modules/services/nextcloud.nix | 81 +++++++++++++++++++++++----------- 1 file changed, 55 insertions(+), 26 deletions(-) diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix index 22fa194..3021ca7 100644 --- a/modules/services/nextcloud.nix +++ b/modules/services/nextcloud.nix @@ -40,7 +40,7 @@ helper.mkPodmanService { "100999:100 ${cfg.configDir}/onlyoffice/database" "100032:100 ${cfg.dataDir}" ]; - middlewares = [ "secureHeaders" ]; + middlewares = [ "secureHeaders" "nextcloud-dav" ]; # Compose file good composeText = '' @@ -73,6 +73,7 @@ helper.mkPodmanService { MAIL_FROM_ADDRESS: nextcloud-noreply MAIL_DOMAIN: ${config.numbus.services.domain} APACHE_DISABLE_REWRITE_IP: 1 + OVERWRITEPROTOCOL: https TRUSTED_PROXIES: ${config.numbus.networking.ipAddress} NC_default_phone_region: "${config.numbus.language}" NC_default_language: "${config.numbus.language}" @@ -119,7 +120,7 @@ helper.mkPodmanService { - no-new-privileges:true cap_drop: - NET_RAW - command: + command: - "--transaction-isolation=READ-COMMITTED" - "--binlog-format=ROW" restart: unless-stopped @@ -202,6 +203,15 @@ helper.mkPodmanService { - url: "http://host.containers.internal:3002" ''; + environment.etc."traefik/rules/nextcloud-dav.yaml".text = '' + http: + middlewares: + nextcloud-dav: + replacePathRegex: + regex: "^/.well-known/ca(l|rd)dav" + replacement: "/remote.php/dav/" + ''; + systemd.services."${name}-quirk" = { description = "Podman container quirk : ${name}"; wantedBy = [ "multi-user.target" ]; 
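Review bot: The `regex` in the new `nextcloud-dav` middleware is unanchored at the end and its `.` is unescaped, so any path beginning with `/<anychar>well-known/caldav` or `carddav` — including longer ones such as `/.well-known/caldav/anything` — is rewritten, with the remainder glued onto `/remote.php/dav/`. Because the first hunk attaches this middleware to the whole Nextcloud router, tightening it to the two discovery URLs is cheap: `regex: "^/\\.well-known/ca(l|rd)dav/?$"`. If the container image already answers these paths through its own rewrite rules (the Apache-based image normally does), the Traefik rewrite may be redundant; a one-line comment above the `environment.etc."traefik/rules/nextcloud-dav.yaml"` entry stating why the proxy has to handle it would help the next reader.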
@@ -209,42 +219,60 @@ helper.mkPodmanService { onFailure = [ "service-failure-notify@%n.service" ]; startLimitBurst = 5; startLimitIntervalSec = 600; - path = [ pkgs.coreutils pkgs.sudo pkgs.podman ]; + path = [ pkgs.coreutils pkgs.sudo pkgs.podman pkgs.systemd ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - mkdir -p /var/lib/numbus-server/${name} - [[ -e /var/lib/numbus-server/${name}/quirk.true ]] && exit 0 [[ ! -e /var/lib/numbus-server/${name}/.env ]] && systemctl start ${name}-secrets.service until [[ -e /var/lib/numbus-server/${name}/.env ]]; do echo "Waiting for secrets generation..." - sleep 15 + sleep 5 + done + source /var/lib/numbus-server/${name}/.env + + until sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ status >/dev/null 2>&1; do + echo "Waiting for Nextcloud to be up and running..." + sleep 10 done - - source /var/lib/numbus-server/${name}/.env - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ background:cron - sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ db:add-missing-indices sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ maintenance:repair --include-expensive - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:scan --all - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:repair-tree - for app in calendar contacts mail note onlyoffice cookbook whiteboard; do - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:install $app - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:enable $app - done - for app in activity app_api federatedfilesharing federation webhook_listeners photos recommendations sharebymail teams support richdocumentscode; do - sudo -u numbus-admin podman exec --user www-data 
nextcloud-server php occ app:disable $app - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:remove $app - done - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/" - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/" - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD" - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}" - sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD" - touch /var/lib/numbus-server/${name}/quirk.true + + INSTALL_APPS_LIST=( "calendar" "contacts" "mail" "note" "onlyoffice" "cookbook" "whiteboard" ) + REMOVE_APPS_LIST=( "activity" "app_api" "federatedfilesharing" "federation" "webhook_listeners" "photos" "recommendations" "sharebymail" "teams" "support" "richdocumentscode" ) + CURRENT_APPS_SIGNATURE="$(echo "''${INSTALL_APPS_LIST[@]}" "''${REMOVE_APPS_LIST[@]}")" + APPS_SIGNATURE_FILE="/var/lib/numbus-server/${name}/installed_apps.signature" + + if [[ ! 
-f "$APPS_SIGNATURE_FILE" ]] || [[ "$(cat "$APPS_SIGNATURE_FILE")" != "$CURRENT_APPS_SIGNATURE" ]]; then + for app in ''${INSTALL_APPS_LIST[@]}; do + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:install "$app" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:enable "$app" + done + for app in ''${REMOVE_APPS_LIST[@]}; do + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:disable "$app" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ app:remove "$app" + done + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerInternalUrl --value="https://onlyoffice.${config.numbus.services.domain}/" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice DocumentServerUrl --value="https://onlyoffice.${config.numbus.services.domain}/" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_PASSWORD" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard collabBackendUrl --value="https://whiteboard.${config.numbus.services.domain}" + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ config:app:set whiteboard jwt_secret_key --value="$WHITEBOARD_PASSWORD" + echo "$CURRENT_APPS_SIGNATURE" > "$APPS_SIGNATURE_FILE" + fi + + if [[ ! -f /var/lib/numbus-server/${name}/croned.true ]]; then + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ background:cron + sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php + touch /var/lib/numbus-server/${name}/croned.true + fi + + if [[ ! 
-f /var/lib/numbus-server/${name}/scanned.true ]]; then + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:scan --all + sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ files:repair-tree + touch /var/lib/numbus-server/${name}/scanned.true + fi ''; }; @@ -255,6 +283,7 @@ helper.mkPodmanService { path = [ pkgs.sudo pkgs.podman ]; serviceConfig = { Type = "oneshot"; + ExecCondition = ''${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php occ status''; ExecStart = "${pkgs.sudo}/bin/sudo -u numbus-admin podman exec --user www-data nextcloud-server php -f /var/www/html/cron.php"; }; };
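Review bot: The signature-gated section starting at `if [[ ! -f "$APPS_SIGNATURE_FILE" ]] ...` re-runs `app:install`/`app:remove` for every app in both lists whenever either list changes, yet NixOS runs `script` under `sh -e`, and in the Nextcloud versions I know `occ app:install` on an already-installed app (and `app:remove` on an absent one) exits non-zero — so the first unchanged app aborts the unit before `installed_apps.signature` is written, and every restart fails the same way until `startLimitBurst` is exhausted. Make the per-app steps idempotent instead of relying on the signature alone: skip `app:install` when the app is already present and `app:remove` when it is not, or treat exactly that outcome as non-fatal with an explicit message. The new `until ... occ status ...` loop (like the pre-existing secrets wait) has no upper bound and `Type=oneshot` has no start timeout by default, so a container that never becomes healthy now hangs the unit indefinitely rather than tripping `onFailure`; `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; TimeoutStartSec = "20min"; };` restores the notification path. Note also that the re-added `--value="$ONLYOFFICE_PASSWORD"` and `--value="$WHITEBOARD_PASSWORD"` arguments place both secrets in the host process list for the duration of each `podman exec`; feeding them through `occ config:import` on stdin, if memory serves of that command's JSON format, avoids the exposure.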
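Review bot: The new `ExecCondition` line turns an unreachable Nextcloud into a silently skipped cron run — systemd treats exit codes 1–254 from `ExecCondition=` as "skip the remaining commands, unit not failed" and only 255 or abnormal termination as a failure — so an instance that stays down (or a `podman exec` that cannot find the container) will never surface through this service's status or any onFailure hook, none of which is visible in this hunk. That is likely the intent given the commit title, but it deserves a comment so nobody later "fixes" it, e.g. `# ExecCondition: a non-zero occ status skips this tick without marking the unit failed; the quirk service owns readiness/alerting`. Be aware that the probe's stdout goes to the journal, so the full `occ status` block is logged on every timer tick; the enclosing `systemd.services` attribute set starts outside the hunk.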