From d386c8e9c0dfab867a35308950b3aa7c43ddeed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= <nmasse@redhat.com>
Date: Fri, 5 Sep 2025 12:32:48 -0400
Subject: [PATCH] wip

---
 bootc/base/env.sh                             |   1 -
 bootc/scenario1/Containerfile                 |   4 +-
 bootc/scenario1/env.sh                        |   1 -
 .../systemd/configs/nextcloud-app.env         |  20 +++
 .../systemd/configs/nextcloud-config.env.tmpl |  26 +++
 .../systemd/configs/nextcloud-db.env          |   5 +
 .../systemd/configs/nextcloud-redis.env       |   1 +
 .../etc/containers/systemd/configs/nginx.conf | 163 ++++++++++++++++++
 .../systemd/configs/redis-session.ini         |   0
 .../etc/containers/systemd/configs/redis.conf |   3 +
 .../etc/containers/systemd/configs/www.conf   |   9 +
 .../containers/systemd/nextcloud-db.container |  39 +++++
 .../systemd/nextcloud-fpm.container           |  55 ++++++
 .../systemd/nextcloud-nginx.container         |  38 ++++
 .../systemd/nextcloud-redis.container         |  43 +++++
 .../check/required.d/30_nextcloud_check.sh    |  28 +++
 .../root/etc/systemd/system/nextcloud.target  |  10 ++
 bootc/scenario4/Containerfile                 |   8 +
 .../systemd/configs/odoo-config.env.tmpl}     |   0
 .../containers/systemd/configs/odoo-db.env    |   0
 .../etc/containers/systemd/odoo-app.container |   3 +
 .../etc/containers/systemd/odoo-db.container  |   7 +-
 .../containers/systemd/odoo-init.container    |   3 +
 .../check/required.d/30_odoo_check.sh         |   0
 .../root/etc/odoo/init.sh                     |   0
 .../root/etc/odoo/odoo.conf                   |   0
 .../root/etc/systemd/system/odoo.target       |   2 -
 27 files changed, 459 insertions(+), 10 deletions(-)
 delete mode 100644 bootc/base/env.sh
 delete mode 100644 bootc/scenario1/env.sh
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-app.env
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-config.env.tmpl
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-db.env
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-redis.env
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/nginx.conf
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/redis-session.ini
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/redis.conf
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/configs/www.conf
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/nextcloud-db.container
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/nextcloud-fpm.container
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/nextcloud-nginx.container
 create mode 100644 bootc/scenario1/root/etc/containers/systemd/nextcloud-redis.container
 create mode 100755 bootc/scenario1/root/etc/greenboot/check/required.d/30_nextcloud_check.sh
 create mode 100644 bootc/scenario1/root/etc/systemd/system/nextcloud.target
 create mode 100644 bootc/scenario4/Containerfile
 rename bootc/{scenario1/root/etc/containers/systemd/configs/odoo-config.env => scenario4/root/etc/containers/systemd/configs/odoo-config.env.tmpl} (100%)
 rename bootc/{scenario1 => scenario4}/root/etc/containers/systemd/configs/odoo-db.env (100%)
 rename bootc/{scenario1 => scenario4}/root/etc/containers/systemd/odoo-app.container (91%)
 rename bootc/{scenario1 => scenario4}/root/etc/containers/systemd/odoo-db.container (87%)
 rename bootc/{scenario1 => scenario4}/root/etc/containers/systemd/odoo-init.container (92%)
 rename bootc/{scenario1 => scenario4}/root/etc/greenboot/check/required.d/30_odoo_check.sh (100%)
 rename bootc/{scenario1 => scenario4}/root/etc/odoo/init.sh (100%)
 rename bootc/{scenario1 => scenario4}/root/etc/odoo/odoo.conf (100%)
 rename bootc/{scenario1 => scenario4}/root/etc/systemd/system/odoo.target (73%)

diff --git a/bootc/base/env.sh b/bootc/base/env.sh
deleted file mode 100644
index f6bcac6..0000000
--- a/bootc/base/env.sh
+++ /dev/null
@@ -1 +0,0 @@
-TARGET_IMAGE="edge-registry.itix.fr/demo-edge-retail/generic:latest"
diff --git a/bootc/scenario1/Containerfile b/bootc/scenario1/Containerfile
index b136cbe..15b6195 100644
--- a/bootc/scenario1/Containerfile
+++ b/bootc/scenario1/Containerfile
@@ -1,8 +1,8 @@
-FROM edge-registry.itix.fr/demo-edge-retail/generic:latest
+FROM edge-registry.itix.fr/demo-edge-retail/base:latest
 
 ADD --chown=root:root root /
 
 RUN <<EOF
 set -Eeuo pipefail
-systemctl enable odoo.target
+systemctl enable nextcloud.target
 EOF
diff --git a/bootc/scenario1/env.sh b/bootc/scenario1/env.sh
deleted file mode 100644
index e900341..0000000
--- a/bootc/scenario1/env.sh
+++ /dev/null
@@ -1 +0,0 @@
-TARGET_IMAGE="edge-registry.itix.fr/demo-edge-retail/scenario1:latest"
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-app.env b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-app.env
new file mode 100644
index 0000000..ad3320c
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-app.env
@@ -0,0 +1,20 @@
+# Database configuration
+POSTGRES_HOST=localhost
+POSTGRES_DB=nextcloud
+POSTGRES_USER=nextcloud
+POSTGRES_PASSWORD=nextcloud
+
+# Redis configuration
+REDIS_HOST=localhost
+REDIS_HOST_PORT=6379
+REDIS_HOST_PASSWORD=nextcloud
+
+# PHP configuration
+PHP_MEMORY_LIMIT=512M
+PHP_UPLOAD_LIMIT=10G
+
+# Nextcloud configuration
+NEXTCLOUD_UPDATE=1
+NEXTCLOUD_TABLE_PREFIX=
+NEXTCLOUD_DATA_DIR=/var/www/html/data
+NEXTCLOUD_INIT_HTACCESS=1
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-config.env.tmpl b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-config.env.tmpl
new file mode 100644
index 0000000..25c32da
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-config.env.tmpl
@@ -0,0 +1,26 @@
+##
+## Nextcloud Configuration Environment Variables
+##
+
+# Nextcloud domain configuration
+NEXTCLOUD_TRUSTED_DOMAINS=dev-aarch64.itix.fr
+OVERWRITEHOST=dev-aarch64.itix.fr
+OVERWRITEPROTOCOL=http
+OVERWRITECLIURL=http://dev-aarch64.itix.fr
+
+# Nextcloud admin credentials
+NEXTCLOUD_ADMIN_USER=admin
+NEXTCLOUD_ADMIN_PASSWORD=nextcloud
+
+# Nextcloud server info token
+NEXTCLOUD_SERVERINFO_TOKEN=S3cr3t!
+
+# SMTP configuration
+#SMTP_HOST=smtp.gmail.com
+#SMTP_NAME=bogus
+#SMTP_PASSWORD=REDACTED
+#SMTP_SECURE=tls
+#SMTP_PORT=587
+#SMTP_AUTHTYPE=LOGIN
+#MAIL_FROM_ADDRESS=user@itix.fr
+#MAIL_DOMAIN=itix.fr
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-db.env b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-db.env
new file mode 100644
index 0000000..f88b494
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-db.env
@@ -0,0 +1,5 @@
+POSTGRES_USER=nextcloud
+POSTGRES_PASSWORD=nextcloud
+POSTGRES_DB=nextcloud
+POSTGRES_HOST_AUTH_METHOD=scram-sha-256
+POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-redis.env b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-redis.env
new file mode 100644
index 0000000..485bf53
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/nextcloud-redis.env
@@ -0,0 +1 @@
+REDISCLI_AUTH=nextcloud
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/nginx.conf b/bootc/scenario1/root/etc/containers/systemd/configs/nginx.conf
new file mode 100644
index 0000000..7c90c28
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/nginx.conf
@@ -0,0 +1,163 @@
+worker_processes auto;
+error_log  stderr warn;
+
+# Running Nginx as an unprivileged container
+pid        /tmp/nginx.pid;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  # Running Nginx as an unprivileged container
+  proxy_temp_path /tmp/proxy_temp;
+  client_body_temp_path /tmp/client_temp;
+  fastcgi_temp_path /tmp/fastcgi_temp;
+  uwsgi_temp_path /tmp/uwsgi_temp;
+  scgi_temp_path /tmp/scgi_temp;
+
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main;
+
+  sendfile        on;
+  keepalive_timeout  65;
+
+  # Do not leak server version in HTTP headers
+  server_tokens   off;
+
+  set_real_ip_from  10.0.0.0/8;
+  set_real_ip_from  172.16.0.0/12;
+  set_real_ip_from  192.168.0.0/16;
+  real_ip_header    X-Real-IP;
+
+  upstream php-handler {
+      server 127.0.0.1:9000;
+  }
+
+  server {
+    listen 80;
+
+    # set max upload size
+    client_max_body_size 10G;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Do not include the hostname and scheme in the redirect URL since it is
+    # always wrong in a Kubernetes environment (request received on HTTPS by Traefik
+    # and transmitted on HTTP internally).
+    absolute_redirect off;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The following 6 rules are borrowed from `.htaccess`
+
+        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+        # Anything else is dynamically handled by Nextcloud
+        location ^~ /.well-known            { return 301 /index.php$uri; }
+
+        try_files $uri $uri/ =404;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS on;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ \.(?:css|js|svg|gif)$ {
+        try_files $uri /index.php$request_uri;
+        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+        # Optional: Don't log access to other assets
+        access_log off;
+    }
+  }
+}
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/redis-session.ini b/bootc/scenario1/root/etc/containers/systemd/configs/redis-session.ini
new file mode 100644
index 0000000..e69de29
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/redis.conf b/bootc/scenario1/root/etc/containers/systemd/configs/redis.conf
new file mode 100644
index 0000000..736ac3c
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/redis.conf
@@ -0,0 +1,3 @@
+requirepass nextcloud
+port 6379
+bind 0.0.0.0
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/www.conf b/bootc/scenario1/root/etc/containers/systemd/configs/www.conf
new file mode 100644
index 0000000..49000db
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/configs/www.conf
@@ -0,0 +1,9 @@
+[www]
+listen = 127.0.0.1:9000
+
+; As recommended here: https://docs.nextcloud.com/server/15/admin_manual/installation/server_tuning.html
+pm = dynamic
+pm.max_children = 16
+pm.start_servers = 4
+pm.min_spare_servers = 2
+pm.max_spare_servers = 8
diff --git a/bootc/scenario1/root/etc/containers/systemd/nextcloud-db.container b/bootc/scenario1/root/etc/containers/systemd/nextcloud-db.container
new file mode 100644
index 0000000..cd9d5d7
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/nextcloud-db.container
@@ -0,0 +1,39 @@
+[Unit]
+Description=PostgreSQL Database Server
+Documentation=https://www.postgresql.org/
+After=network.target
+
+# Only start if Nextcloud has been configured
+ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env
+
+[Container]
+ContainerName=nextcloud-db
+Image=docker.io/library/postgres:17-alpine
+
+# Network configuration
+Network=host
+
+# Environment variables from config
+EnvironmentFile=/etc/containers/systemd/configs/nextcloud-db.env
+
+# Volume mounts
+Volume=/var/lib/postgresql/data:/var/lib/postgresql/data:Z
+
+# Health check
+HealthCmd=pg_isready -U nextcloud -d nextcloud
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=60s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+TimeoutStopSec=30
+
+# Skaffold filesystem + fix permissions
+ExecStartPre=install -m 0700 -o 70 -g 70 -d /var/lib/postgresql/data
+
+[Install]
+WantedBy=nextcloud.target
diff --git a/bootc/scenario1/root/etc/containers/systemd/nextcloud-fpm.container b/bootc/scenario1/root/etc/containers/systemd/nextcloud-fpm.container
new file mode 100644
index 0000000..f45a57b
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/nextcloud-fpm.container
@@ -0,0 +1,55 @@
+[Unit]
+Description=Nextcloud PHP-FPM Application
+Documentation=https://nextcloud.com/
+After=network.target
+
+# Require initialization to complete first
+Requires=nextcloud-db.service nextcloud-redis.service
+After=nextcloud-db.service nextcloud-redis.service
+
+# Only start if Nextcloud has been configured
+ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env
+
+[Container]
+ContainerName=nextcloud-app
+Image=docker.io/library/odoo:17
+
+# Network configuration
+Network=host
+AddCapability=CAP_NET_BIND_SERVICE
+
+# Environment variables from secrets and config
+EnvironmentFile=/etc/containers/systemd/configs/nextcloud-app.env
+EnvironmentFile=/etc/containers/systemd/configs/nextcloud-config.env
+
+# Volume mounts
+Volume=/var/lib/nextcloud:/var/www/html:z
+Volume=/var/lib/nextcloud/config/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z
+Volume=/var/lib/nextcloud/config/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z
+
+# Health check (equivalent to readiness probe)
+HealthCmd=nc -z localhost 9000
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=60s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=600
+TimeoutStopSec=30
+
+# Skaffold filesystem + fix permissions
+ExecStartPre=/bin/bash -Eeuo pipefail -c 'install -m 0700 -o 82 -g 82 -d /var/lib/nextcloud/data /var/lib/nextcloud/config ; \
+  install -m 0700 -o 82 -g 82 -d /etc/containers/systemd/configs/www.conf /var/lib/nextcloud/config/www.conf ; \
+  install -m 0700 -o 82 -g 82 -d /etc/containers/systemd/configs/redis-session.ini /var/lib/nextcloud/config/redis-session.ini'
+
+# Wait for PostgreSQL to be ready
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+# Wait for Redis to be ready
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/6379; then echo "Waiting for Redis to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=nextcloud.target
diff --git a/bootc/scenario1/root/etc/containers/systemd/nextcloud-nginx.container b/bootc/scenario1/root/etc/containers/systemd/nextcloud-nginx.container
new file mode 100644
index 0000000..92e506e
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/nextcloud-nginx.container
@@ -0,0 +1,38 @@
+[Unit]
+Description=Nextcloud Nginx Reverse Proxy
+Documentation=https://nextcloud.com/
+After=network.target
+
+# Only start if Nextcloud has been configured
+ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env
+
+[Container]
+ContainerName=nextcloud-nginx
+Image=docker.io/nginxinc/nginx-unprivileged:1.20-alpine
+
+# Network configuration
+Network=host
+AddCapability=CAP_NET_BIND_SERVICE
+
+# Run with the same UID/GID as PHP-FPM
+User=82:82
+
+# Volume mounts
+Volume=/var/lib/nextcloud/data:/var/www/html:z
+Volume=/etc/containers/systemd/configs/nginx.conf:/etc/nginx/nginx.conf:ro
+
+# Health check (equivalent to readiness probe)
+HealthCmd=curl -f http://localhost:80/status.php
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=30s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=5
+TimeoutStartSec=300
+TimeoutStopSec=30
+
+[Install]
+WantedBy=nextcloud.target
diff --git a/bootc/scenario1/root/etc/containers/systemd/nextcloud-redis.container b/bootc/scenario1/root/etc/containers/systemd/nextcloud-redis.container
new file mode 100644
index 0000000..651366d
--- /dev/null
+++ b/bootc/scenario1/root/etc/containers/systemd/nextcloud-redis.container
@@ -0,0 +1,43 @@
+[Unit]
+Description=Redis Cache for Nextcloud
+Documentation=https://redis.io/
+After=network.target 
+
+# Only start if Nextcloud has been configured
+ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env
+
+[Container]
+ContainerName=nextcloud-redis
+Image=docker.io/library/redis:8-alpine
+
+# Network configuration
+Network=host
+
+# Redis configuration with authentication
+Exec=redis-server /usr/local/etc/redis/redis.conf
+
+# Environment variables
+EnvironmentFile=/etc/containers/systemd/configs/nextcloud-redis.env
+
+# Volume mounts for data persistence
+Volume=/var/lib/redis:/data:Z
+Volume=/etc/containers/systemd/configs/redis.conf:/usr/local/etc/redis/redis.conf:ro
+
+# Health check
+HealthCmd=redis-cli ping | grep -q PONG
+HealthInterval=30s
+HealthTimeout=5s
+HealthStartPeriod=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=5
+TimeoutStartSec=300
+TimeoutStopSec=30
+
+# Skaffold filesystem + fix permissions
+ExecStartPre=install -m 0700 -o 0 -g 0 -d /var/lib/redis
+
+[Install]
+WantedBy=nextcloud.target
diff --git a/bootc/scenario1/root/etc/greenboot/check/required.d/30_nextcloud_check.sh b/bootc/scenario1/root/etc/greenboot/check/required.d/30_nextcloud_check.sh
new file mode 100755
index 0000000..4e1978b
--- /dev/null
+++ b/bootc/scenario1/root/etc/greenboot/check/required.d/30_nextcloud_check.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -Eeuo pipefail
+declare -a container_state=()
+MAX_ATTEMPTS=60
+
+for attempt in (( i=1; i<=MAX_ATTEMPTS; i++ )); do
+  echo "Checking Nextcloud deployment ($attempt/$MAX_ATTEMPTS)..."
+  
+  state=1
+  for container in nextcloud-db nextcloud-redis nextcloud-fpm nextcloud-nginx; do
+    container_state=( $( ( podman inspect "$container" || true ) | jq -r '.[0].State.Status // "unknown", .[0].State.Health.Status // "unknown"') )
+    echo "Container $container has state ${container_state[0]} and its health is ${container_state[1]}!"
+    if [[ "${container_state[0]}-${container_state[1]}" != "running-healthy" ]]; then
+      state=0
+    fi
+  done
+
+  if [[ $state -eq 1 ]]; then
+    echo "Nextcloud deployment is up and running!"
+    exit 0
+  fi
+
+  sleep 5
+done
+
+echo "Nextcloud deployment is not running correctly after $MAX_ATTEMPTS attempts!"
+exit 1
diff --git a/bootc/scenario1/root/etc/systemd/system/nextcloud.target b/bootc/scenario1/root/etc/systemd/system/nextcloud.target
new file mode 100644
index 0000000..3a2ba68
--- /dev/null
+++ b/bootc/scenario1/root/etc/systemd/system/nextcloud.target
@@ -0,0 +1,10 @@
+[Unit]
+Description=Nextcloud Service Target
+Documentation=man:systemd.target(5)
+Wants=nextcloud-db.service nextcloud-redis.service nextcloud-fpm.service nextcloud-nginx.service
+After=nextcloud-db.service nextcloud-redis.service nextcloud-fpm.service nextcloud-nginx.service
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bootc/scenario4/Containerfile b/bootc/scenario4/Containerfile
new file mode 100644
index 0000000..18e4c0b
--- /dev/null
+++ b/bootc/scenario4/Containerfile
@@ -0,0 +1,8 @@
+FROM edge-registry.itix.fr/demo-edge-retail/base:latest
+
+ADD --chown=root:root root /
+
+RUN <<EOF
+set -Eeuo pipefail
+systemctl enable odoo.target
+EOF
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/odoo-config.env b/bootc/scenario4/root/etc/containers/systemd/configs/odoo-config.env.tmpl
similarity index 100%
rename from bootc/scenario1/root/etc/containers/systemd/configs/odoo-config.env
rename to bootc/scenario4/root/etc/containers/systemd/configs/odoo-config.env.tmpl
diff --git a/bootc/scenario1/root/etc/containers/systemd/configs/odoo-db.env b/bootc/scenario4/root/etc/containers/systemd/configs/odoo-db.env
similarity index 100%
rename from bootc/scenario1/root/etc/containers/systemd/configs/odoo-db.env
rename to bootc/scenario4/root/etc/containers/systemd/configs/odoo-db.env
diff --git a/bootc/scenario1/root/etc/containers/systemd/odoo-app.container b/bootc/scenario4/root/etc/containers/systemd/odoo-app.container
similarity index 91%
rename from bootc/scenario1/root/etc/containers/systemd/odoo-app.container
rename to bootc/scenario4/root/etc/containers/systemd/odoo-app.container
index fd8c7f5..97258fd 100644
--- a/bootc/scenario1/root/etc/containers/systemd/odoo-app.container
+++ b/bootc/scenario4/root/etc/containers/systemd/odoo-app.container
@@ -6,6 +6,9 @@ Documentation=https://www.odoo.com/documentation/
 Requires=odoo-init.service odoo-db.service
 After=odoo-init.service odoo-db.service
 
+# Only start if Odoo has been configured
+ConditionPathExists=/etc/containers/systemd/configs/odoo-config.env
+
 # Only start if initialization has completed
 ConditionPathExists=/var/lib/odoo/initialized
 
diff --git a/bootc/scenario1/root/etc/containers/systemd/odoo-db.container b/bootc/scenario4/root/etc/containers/systemd/odoo-db.container
similarity index 87%
rename from bootc/scenario1/root/etc/containers/systemd/odoo-db.container
rename to bootc/scenario4/root/etc/containers/systemd/odoo-db.container
index 576e0a5..0d9ca8f 100644
--- a/bootc/scenario1/root/etc/containers/systemd/odoo-db.container
+++ b/bootc/scenario4/root/etc/containers/systemd/odoo-db.container
@@ -3,6 +3,9 @@ Description=PostgreSQL Database Server
 Documentation=https://www.postgresql.org/
 After=network.target
 
+# Only start if Odoo has been configured
+ConditionPathExists=/etc/containers/systemd/configs/odoo-config.env
+
 [Container]
 ContainerName=odoo-db
 Image=docker.io/library/postgres:17-alpine
@@ -10,10 +13,6 @@ Image=docker.io/library/postgres:17-alpine
 # Network configuration
 Network=host
 
-# Security context (equivalent to K8s securityContext)
-#NoNewPrivileges=true
-#DropCapability=ALL
-
 # Environment variables from config
 EnvironmentFile=/etc/containers/systemd/configs/odoo-db.env
 
diff --git a/bootc/scenario1/root/etc/containers/systemd/odoo-init.container b/bootc/scenario4/root/etc/containers/systemd/odoo-init.container
similarity index 92%
rename from bootc/scenario1/root/etc/containers/systemd/odoo-init.container
rename to bootc/scenario4/root/etc/containers/systemd/odoo-init.container
index cdd6f7a..159edf6 100644
--- a/bootc/scenario1/root/etc/containers/systemd/odoo-init.container
+++ b/bootc/scenario4/root/etc/containers/systemd/odoo-init.container
@@ -6,6 +6,9 @@ Requires=odoo-db.service
 After=odoo-db.service
 Before=odoo-app.service
 
+# Only start if Odoo has been configured
+ConditionPathExists=/etc/containers/systemd/configs/odoo-config.env
+
 # Prevent running if already initialized
 ConditionPathExists=!/var/lib/odoo/initialized
 
diff --git a/bootc/scenario1/root/etc/greenboot/check/required.d/30_odoo_check.sh b/bootc/scenario4/root/etc/greenboot/check/required.d/30_odoo_check.sh
similarity index 100%
rename from bootc/scenario1/root/etc/greenboot/check/required.d/30_odoo_check.sh
rename to bootc/scenario4/root/etc/greenboot/check/required.d/30_odoo_check.sh
diff --git a/bootc/scenario1/root/etc/odoo/init.sh b/bootc/scenario4/root/etc/odoo/init.sh
similarity index 100%
rename from bootc/scenario1/root/etc/odoo/init.sh
rename to bootc/scenario4/root/etc/odoo/init.sh
diff --git a/bootc/scenario1/root/etc/odoo/odoo.conf b/bootc/scenario4/root/etc/odoo/odoo.conf
similarity index 100%
rename from bootc/scenario1/root/etc/odoo/odoo.conf
rename to bootc/scenario4/root/etc/odoo/odoo.conf
diff --git a/bootc/scenario1/root/etc/systemd/system/odoo.target b/bootc/scenario4/root/etc/systemd/system/odoo.target
similarity index 73%
rename from bootc/scenario1/root/etc/systemd/system/odoo.target
rename to bootc/scenario4/root/etc/systemd/system/odoo.target
index 1fe55a2..59e9fae 100644
--- a/bootc/scenario1/root/etc/systemd/system/odoo.target
+++ b/bootc/scenario4/root/etc/systemd/system/odoo.target
@@ -1,8 +1,6 @@
 [Unit]
 Description=Odoo Service Target
 Documentation=man:systemd.target(5)
-# This target represents the complete MyApp service stack
-# It groups both the init and main services together
 Wants=odoo-db.service odoo-init.service odoo-app.service
 After=odoo-db.service odoo-init.service odoo-app.service
 # Allow isolation - can stop/start this target independently