Nicolas Massé
3 months ago
27 changed files with 459 additions and 10 deletions
@ -1 +0,0 @@ |
|||||
TARGET_IMAGE="edge-registry.itix.fr/demo-edge-retail/generic:latest" |
|
||||
@ -1,8 +1,8 @@ |
|||||
FROM edge-registry.itix.fr/demo-edge-retail/generic:latest |
FROM edge-registry.itix.fr/demo-edge-retail/base:latest |
||||
|
|
||||
ADD --chown=root:root root / |
ADD --chown=root:root root / |
||||
|
|
||||
RUN <<EOF |
RUN <<EOF |
||||
set -Eeuo pipefail |
set -Eeuo pipefail |
||||
systemctl enable odoo.target |
systemctl enable nextcloud.target |
||||
EOF |
EOF |
||||
|
|||||
@ -1 +0,0 @@ |
|||||
TARGET_IMAGE="edge-registry.itix.fr/demo-edge-retail/scenario1:latest" |
|
||||
@ -0,0 +1,20 @@ |
|||||
|
# Database configuration |
||||
|
POSTGRES_HOST=localhost |
||||
|
POSTGRES_DB=nextcloud |
||||
|
POSTGRES_USER=nextcloud |
||||
|
POSTGRES_PASSWORD=nextcloud |
||||
|
|
||||
|
# Redis configuration |
||||
|
REDIS_HOST=localhost |
||||
|
REDIS_HOST_PORT=6379 |
||||
|
REDIS_HOST_PASSWORD=nextcloud |
||||
|
|
||||
|
# PHP configuration |
||||
|
PHP_MEMORY_LIMIT=512M |
||||
|
PHP_UPLOAD_LIMIT=10G |
||||
|
|
||||
|
# Nextcloud configuration |
||||
|
NEXTCLOUD_UPDATE=1 |
||||
|
NEXTCLOUD_TABLE_PREFIX= |
||||
|
NEXTCLOUD_DATA_DIR=/var/www/html/data |
||||
|
NEXTCLOUD_INIT_HTACCESS=1 |
||||
@ -0,0 +1,26 @@ |
|||||
|
## |
||||
|
## Nextcloud Configuration Environment Variables |
||||
|
## |
||||
|
|
||||
|
# Nextcloud domain configuration |
||||
|
NEXTCLOUD_TRUSTED_DOMAINS=dev-aarch64.itix.fr |
||||
|
OVERWRITEHOST=dev-aarch64.itix.fr |
||||
|
OVERWRITEPROTOCOL=http |
||||
|
OVERWRITECLIURL=http://dev-aarch64.itix.fr |
||||
|
|
||||
|
# Nextcloud admin credentials |
||||
|
NEXTCLOUD_ADMIN_USER=admin |
||||
|
NEXTCLOUD_ADMIN_PASSWORD=nextcloud |
||||
|
|
||||
|
# Nextcloud server info token |
||||
|
NEXTCLOUD_SERVERINFO_TOKEN=S3cr3t! |
||||
|
|
||||
|
# SMTP configuration |
||||
|
#SMTP_HOST=smtp.gmail.com |
||||
|
#SMTP_NAME=bogus |
||||
|
#SMTP_PASSWORD=REDACTED |
||||
|
#SMTP_SECURE=tls |
||||
|
#SMTP_PORT=587 |
||||
|
#SMTP_AUTHTYPE=LOGIN |
||||
|
#MAIL_FROM_ADDRESS=user@itix.fr |
||||
|
#MAIL_DOMAIN=itix.fr |
||||
@ -0,0 +1,5 @@ |
|||||
|
POSTGRES_USER=nextcloud |
||||
|
POSTGRES_PASSWORD=nextcloud |
||||
|
POSTGRES_DB=nextcloud |
||||
|
POSTGRES_HOST_AUTH_METHOD=scram-sha-256 |
||||
|
POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256 |
||||
@ -0,0 +1 @@ |
|||||
|
REDISCLI_AUTH=nextcloud |
||||
@ -0,0 +1,163 @@ |
|||||
|
worker_processes auto; |
||||
|
error_log stderr warn; |
||||
|
|
||||
|
# Running Nginx as an unprivileged container |
||||
|
pid /tmp/nginx.pid; |
||||
|
|
||||
|
events { |
||||
|
worker_connections 1024; |
||||
|
} |
||||
|
|
||||
|
http { |
||||
|
# Running Nginx as an unprivileged container |
||||
|
proxy_temp_path /tmp/proxy_temp; |
||||
|
client_body_temp_path /tmp/client_temp; |
||||
|
fastcgi_temp_path /tmp/fastcgi_temp; |
||||
|
uwsgi_temp_path /tmp/uwsgi_temp; |
||||
|
scgi_temp_path /tmp/scgi_temp; |
||||
|
|
||||
|
include /etc/nginx/mime.types; |
||||
|
default_type application/octet-stream; |
||||
|
|
||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
||||
|
'$status $body_bytes_sent "$http_referer" ' |
||||
|
'"$http_user_agent" "$http_x_forwarded_for"'; |
||||
|
|
||||
|
access_log /var/log/nginx/access.log main; |
||||
|
|
||||
|
sendfile on; |
||||
|
keepalive_timeout 65; |
||||
|
|
||||
|
# Do not leak server version in HTTP headers |
||||
|
server_tokens off; |
||||
|
|
||||
|
set_real_ip_from 10.0.0.0/8; |
||||
|
set_real_ip_from 172.16.0.0/12; |
||||
|
set_real_ip_from 192.168.0.0/16; |
||||
|
real_ip_header X-Real-IP; |
||||
|
|
||||
|
upstream php-handler { |
||||
|
server 127.0.0.1:9000; |
||||
|
} |
||||
|
|
||||
|
server { |
||||
|
listen 80; |
||||
|
|
||||
|
# set max upload size |
||||
|
client_max_body_size 10G; |
||||
|
fastcgi_buffers 64 4K; |
||||
|
|
||||
|
# Enable gzip but do not remove ETag headers |
||||
|
gzip on; |
||||
|
gzip_vary on; |
||||
|
gzip_comp_level 4; |
||||
|
gzip_min_length 256; |
||||
|
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |
||||
|
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |
||||
|
|
||||
|
# HTTP response headers borrowed from Nextcloud `.htaccess` |
||||
|
add_header Referrer-Policy "no-referrer" always; |
||||
|
add_header X-Content-Type-Options "nosniff" always; |
||||
|
add_header X-Download-Options "noopen" always; |
||||
|
add_header X-Frame-Options "SAMEORIGIN" always; |
||||
|
add_header X-Permitted-Cross-Domain-Policies "none" always; |
||||
|
add_header X-Robots-Tag "none" always; |
||||
|
add_header X-XSS-Protection "1; mode=block" always; |
||||
|
|
||||
|
# Remove X-Powered-By, which is an information leak |
||||
|
fastcgi_hide_header X-Powered-By; |
||||
|
|
||||
|
# Path to the root of your installation |
||||
|
root /var/www/html; |
||||
|
|
||||
|
# Specify how to handle directories -- specifying `/index.php$request_uri` |
||||
|
# here as the fallback means that Nginx always exhibits the desired behaviour |
||||
|
# when a client requests a path that corresponds to a directory that exists |
||||
|
# on the server. In particular, if that directory contains an index.php file, |
||||
|
# that file is correctly served; if it doesn't, then the request is passed to |
||||
|
# the front-end controller. This consistent behaviour means that we don't need |
||||
|
# to specify custom rules for certain paths (e.g. images and other assets, |
||||
|
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus |
||||
|
# `try_files $uri $uri/ /index.php$request_uri` |
||||
|
# always provides the desired behaviour. |
||||
|
index index.php index.html /index.php$request_uri; |
||||
|
|
||||
|
# Do not include the hostname and scheme in the redirect URL since it is |
||||
|
# always wrong in a Kubernetes environment (request received on HTTPS by Traefik |
||||
|
# and transmitted on HTTP internally). |
||||
|
absolute_redirect off; |
||||
|
|
||||
|
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients |
||||
|
location = / { |
||||
|
if ( $http_user_agent ~ ^DavClnt ) { |
||||
|
return 302 /remote.php/webdav/$is_args$args; |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
location = /robots.txt { |
||||
|
allow all; |
||||
|
log_not_found off; |
||||
|
access_log off; |
||||
|
} |
||||
|
|
||||
|
# Make a regex exception for `/.well-known` so that clients can still |
||||
|
# access it despite the existence of the regex rule |
||||
|
# `location ~ /(\.|autotest|...)` which would otherwise handle requests |
||||
|
# for `/.well-known`. |
||||
|
location ^~ /.well-known { |
||||
|
# The following 6 rules are borrowed from `.htaccess` |
||||
|
|
||||
|
location = /.well-known/carddav { return 301 /remote.php/dav/; } |
||||
|
location = /.well-known/caldav { return 301 /remote.php/dav/; } |
||||
|
# Anything else is dynamically handled by Nextcloud |
||||
|
location ^~ /.well-known { return 301 /index.php$uri; } |
||||
|
|
||||
|
try_files $uri $uri/ =404; |
||||
|
} |
||||
|
|
||||
|
# Rules borrowed from `.htaccess` to hide certain paths from clients |
||||
|
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } |
||||
|
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } |
||||
|
|
||||
|
# Ensure this block, which passes PHP files to the PHP process, is above the blocks |
||||
|
# which handle static assets (as seen below). If this block is not declared first, |
||||
|
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` |
||||
|
# to the URI, resulting in a HTTP 500 error response. |
||||
|
location ~ \.php(?:$|/) { |
||||
|
fastcgi_split_path_info ^(.+?\.php)(/.*)$; |
||||
|
set $path_info $fastcgi_path_info; |
||||
|
|
||||
|
try_files $fastcgi_script_name =404; |
||||
|
|
||||
|
include fastcgi_params; |
||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
||||
|
fastcgi_param PATH_INFO $path_info; |
||||
|
fastcgi_param HTTPS on; |
||||
|
|
||||
|
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice |
||||
|
fastcgi_param front_controller_active true; # Enable pretty urls |
||||
|
fastcgi_pass php-handler; |
||||
|
|
||||
|
fastcgi_intercept_errors on; |
||||
|
fastcgi_request_buffering off; |
||||
|
} |
||||
|
|
||||
|
location ~ \.(?:css|js|svg|gif)$ { |
||||
|
try_files $uri /index.php$request_uri; |
||||
|
expires 6M; # Cache-Control policy borrowed from `.htaccess` |
||||
|
access_log off; # Optional: Don't log access to assets |
||||
|
} |
||||
|
|
||||
|
location ~ \.woff2?$ { |
||||
|
try_files $uri /index.php$request_uri; |
||||
|
expires 7d; # Cache-Control policy borrowed from `.htaccess` |
||||
|
access_log off; # Optional: Don't log access to assets |
||||
|
} |
||||
|
|
||||
|
location / { |
||||
|
try_files $uri $uri/ /index.php$request_uri; |
||||
|
# Optional: Don't log access to other assets |
||||
|
access_log off; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,3 @@ |
|||||
|
requirepass nextcloud |
||||
|
port 6379 |
||||
|
bind 0.0.0.0 |
||||
@ -0,0 +1,9 @@ |
|||||
|
[www] |
||||
|
listen = 127.0.0.1:9000 |
||||
|
|
||||
|
; As recommended here: https://docs.nextcloud.com/server/15/admin_manual/installation/server_tuning.html |
||||
|
pm = dynamic |
||||
|
pm.max_children = 16 |
||||
|
pm.start_servers = 4 |
||||
|
pm.min_spare_servers = 2 |
||||
|
pm.max_spare_servers = 8 |
||||
@ -0,0 +1,39 @@ |
|||||
|
[Unit] |
||||
|
Description=PostgreSQL Database Server |
||||
|
Documentation=https://www.postgresql.org/ |
||||
|
After=network.target |
||||
|
|
||||
|
# Only start if Nextcloud has been configured |
||||
|
ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env |
||||
|
|
||||
|
[Container] |
||||
|
ContainerName=nextcloud-db |
||||
|
Image=docker.io/library/postgres:17-alpine |
||||
|
|
||||
|
# Network configuration |
||||
|
Network=host |
||||
|
|
||||
|
# Environment variables from config |
||||
|
EnvironmentFile=/etc/containers/systemd/configs/nextcloud-db.env |
||||
|
|
||||
|
# Volume mounts |
||||
|
Volume=/var/lib/postgresql/data:/var/lib/postgresql/data:Z |
||||
|
|
||||
|
# Health check |
||||
|
HealthCmd=pg_isready -U nextcloud -d nextcloud |
||||
|
HealthInterval=30s |
||||
|
HealthTimeout=10s |
||||
|
HealthStartPeriod=60s |
||||
|
HealthRetries=3 |
||||
|
|
||||
|
[Service] |
||||
|
Restart=always |
||||
|
RestartSec=10 |
||||
|
TimeoutStartSec=120 |
||||
|
TimeoutStopSec=30 |
||||
|
|
||||
|
# Skaffold filesystem + fix permissions |
||||
|
ExecStartPre=install -m 0700 -o 70 -g 70 -d /var/lib/postgresql/data |
||||
|
|
||||
|
[Install] |
||||
|
WantedBy=nextcloud.target |
||||
@ -0,0 +1,55 @@ |
|||||
|
[Unit] |
||||
|
Description=Nextcloud PHP-FPM Application |
||||
|
Documentation=https://nextcloud.com/ |
||||
|
After=network.target |
||||
|
|
||||
|
# Require initialization to complete first |
||||
|
Requires=nextcloud-db.service nextcloud-redis.service |
||||
|
After=nextcloud-db.service nextcloud-redis.service |
||||
|
|
||||
|
# Only start if Nextcloud has been configured |
||||
|
ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env |
||||
|
|
||||
|
[Container] |
||||
|
ContainerName=nextcloud-app |
||||
|
Image=docker.io/library/odoo:17 |
||||
|
|
||||
|
# Network configuration |
||||
|
Network=host |
||||
|
AddCapability=CAP_NET_BIND_SERVICE |
||||
|
|
||||
|
# Environment variables from secrets and config |
||||
|
EnvironmentFile=/etc/containers/systemd/configs/nextcloud-app.env |
||||
|
EnvironmentFile=/etc/containers/systemd/configs/nextcloud-config.env |
||||
|
|
||||
|
# Volume mounts |
||||
|
Volume=/var/lib/nextcloud:/var/www/html:z |
||||
|
Volume=/var/lib/nextcloud/config/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z |
||||
|
Volume=/var/lib/nextcloud/config/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z |
||||
|
|
||||
|
# Health check (equivalent to readiness probe) |
||||
|
HealthCmd=nc -z localhost 9000 |
||||
|
HealthInterval=30s |
||||
|
HealthTimeout=10s |
||||
|
HealthStartPeriod=60s |
||||
|
HealthRetries=3 |
||||
|
|
||||
|
[Service] |
||||
|
Restart=always |
||||
|
RestartSec=10 |
||||
|
TimeoutStartSec=600 |
||||
|
TimeoutStopSec=30 |
||||
|
|
||||
|
# Skaffold filesystem + fix permissions |
||||
|
ExecStartPre=/bin/bash -Eeuo pipefail -c 'install -m 0700 -o 82 -g 82 -d /var/lib/nextcloud/data /var/lib/nextcloud/config ; \ |
||||
|
install -m 0700 -o 82 -g 82 -d /etc/containers/systemd/configs/www.conf /var/lib/nextcloud/config/www.conf ; \ |
||||
|
install -m 0700 -o 82 -g 82 -d /etc/containers/systemd/configs/redis-session.ini /var/lib/nextcloud/config/redis-session.ini' |
||||
|
|
||||
|
# Wait for PostgreSQL to be ready |
||||
|
ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1' |
||||
|
|
||||
|
# Wait for Redis to be ready |
||||
|
ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/6379; then echo "Waiting for Redis to be available..."; sleep 5; else exit 0; fi; done; exit 1' |
||||
|
|
||||
|
[Install] |
||||
|
WantedBy=nextcloud.target |
||||
@ -0,0 +1,38 @@ |
|||||
|
[Unit] |
||||
|
Description=Nextcloud Nginx Reverse Proxy |
||||
|
Documentation=https://nextcloud.com/ |
||||
|
After=network.target |
||||
|
|
||||
|
# Only start if Nextcloud has been configured |
||||
|
ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env |
||||
|
|
||||
|
[Container] |
||||
|
ContainerName=nextcloud-nginx |
||||
|
Image=docker.io/nginxinc/nginx-unprivileged:1.20-alpine |
||||
|
|
||||
|
# Network configuration |
||||
|
Network=host |
||||
|
AddCapability=CAP_NET_BIND_SERVICE |
||||
|
|
||||
|
# Run with the same UID/GID as PHP-FPM |
||||
|
User=82:82 |
||||
|
|
||||
|
# Volume mounts |
||||
|
Volume=/var/lib/nextcloud/data:/var/www/html:z |
||||
|
Volume=/etc/containers/systemd/configs/nginx.conf:/etc/nginx/nginx.conf:ro |
||||
|
|
||||
|
# Health check (equivalent to readiness probe) |
||||
|
HealthCmd=curl -f http://localhost:80/status.php |
||||
|
HealthInterval=30s |
||||
|
HealthTimeout=10s |
||||
|
HealthStartPeriod=30s |
||||
|
HealthRetries=3 |
||||
|
|
||||
|
[Service] |
||||
|
Restart=always |
||||
|
RestartSec=5 |
||||
|
TimeoutStartSec=300 |
||||
|
TimeoutStopSec=30 |
||||
|
|
||||
|
[Install] |
||||
|
WantedBy=nextcloud.target |
||||
@ -0,0 +1,43 @@ |
|||||
|
[Unit] |
||||
|
Description=Redis Cache for Nextcloud |
||||
|
Documentation=https://redis.io/ |
||||
|
After=network.target |
||||
|
|
||||
|
# Only start if Nextcloud has been configured |
||||
|
ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env |
||||
|
|
||||
|
[Container] |
||||
|
ContainerName=nextcloud-redis |
||||
|
Image=docker.io/library/redis:8-alpine |
||||
|
|
||||
|
# Network configuration |
||||
|
Network=host |
||||
|
|
||||
|
# Redis configuration with authentication |
||||
|
Exec=redis-server /usr/local/etc/redis/redis.conf |
||||
|
|
||||
|
# Environment variables |
||||
|
EnvironmentFile=/etc/containers/systemd/configs/nextcloud-redis.env |
||||
|
|
||||
|
# Volume mounts for data persistence |
||||
|
Volume=/var/lib/redis:/data:Z |
||||
|
Volume=/etc/containers/systemd/configs/redis.conf:/usr/local/etc/redis/redis.conf:ro |
||||
|
|
||||
|
# Health check |
||||
|
HealthCmd=redis-cli ping | grep -q PONG |
||||
|
HealthInterval=30s |
||||
|
HealthTimeout=5s |
||||
|
HealthStartPeriod=10s |
||||
|
HealthRetries=3 |
||||
|
|
||||
|
[Service] |
||||
|
Restart=always |
||||
|
RestartSec=5 |
||||
|
TimeoutStartSec=300 |
||||
|
TimeoutStopSec=30 |
||||
|
|
||||
|
# Skaffold filesystem + fix permissions |
||||
|
ExecStartPre=install -m 0700 -o 0 -g 0 -d /var/lib/redis |
||||
|
|
||||
|
[Install] |
||||
|
WantedBy=nextcloud.target |
||||
@ -0,0 +1,28 @@ |
|||||
|
#!/bin/bash |
||||
|
|
||||
|
set -Eeuo pipefail |
||||
|
declare -a container_state=() |
||||
|
MAX_ATTEMPTS=60 |
||||
|
|
||||
|
for attempt in (( i=1; i<=MAX_ATTEMPTS; i++ )); do |
||||
|
echo "Checking Nextcloud deployment ($attempt/$MAX_ATTEMPTS)..." |
||||
|
|
||||
|
state=1 |
||||
|
for container in nextcloud-db nextcloud-redis nextcloud-fpm nextcloud-nginx; do |
||||
|
container_state=( $( ( podman inspect "$container" || true ) | jq -r '.[0].State.Status // "unknown", .[0].State.Health.Status // "unknown"') ) |
||||
|
echo "Container $container has state ${container_state[0]} and its health is ${container_state[1]}!" |
||||
|
if [[ "${container_state[0]}-${container_state[1]}" != "running-healthy" ]]; then |
||||
|
state=0 |
||||
|
fi |
||||
|
done |
||||
|
|
||||
|
if [[ $state -eq 1 ]]; then |
||||
|
echo "Nextcloud deployment is up and running!" |
||||
|
exit 0 |
||||
|
fi |
||||
|
|
||||
|
sleep 5 |
||||
|
done |
||||
|
|
||||
|
echo "Nextcloud deployment is not running correctly after $MAX_ATTEMPTS attempts!" |
||||
|
exit 1 |
||||
@ -0,0 +1,10 @@ |
|||||
|
[Unit] |
||||
|
Description=Nextcloud Service Target |
||||
|
Documentation=man:systemd.target(5) |
||||
|
Wants=nextcloud-db.service nextcloud-redis.service nextcloud-fpm.service nextcloud-nginx.service |
||||
|
After=nextcloud-db.service nextcloud-redis.service nextcloud-fpm.service nextcloud-nginx.service |
||||
|
# Allow isolation - can stop/start this target independently |
||||
|
AllowIsolate=yes |
||||
|
|
||||
|
[Install] |
||||
|
WantedBy=multi-user.target |
||||
@ -0,0 +1,8 @@ |
|||||
|
FROM edge-registry.itix.fr/demo-edge-retail/base:latest |
||||
|
|
||||
|
ADD --chown=root:root root / |
||||
|
|
||||
|
RUN <<EOF |
||||
|
set -Eeuo pipefail |
||||
|
systemctl enable odoo.target |
||||
|
EOF |
||||
@ -1,8 +1,6 @@ |
|||||
[Unit] |
[Unit] |
||||
Description=Odoo Service Target |
Description=Odoo Service Target |
||||
Documentation=man:systemd.target(5) |
Documentation=man:systemd.target(5) |
||||
# This target represents the complete MyApp service stack |
|
||||
# It groups both the init and main services together |
|
||||
Wants=odoo-db.service odoo-init.service odoo-app.service |
Wants=odoo-db.service odoo-init.service odoo-app.service |
||||
After=odoo-db.service odoo-init.service odoo-app.service |
After=odoo-db.service odoo-init.service odoo-app.service |
||||
# Allow isolation - can stop/start this target independently |
# Allow isolation - can stop/start this target independently |
||||
Loading…
Reference in new issue