From 3511f51c5917e943bd3cac82525e1791c5ea86d6 Mon Sep 17 00:00:00 2001
From: Nicolas MASSE <nicolas.masse@itix.fr>
Date: Thu, 4 Dec 2025 16:15:55 +0100
Subject: [PATCH] add nextcloud aio + fcos vm

---
 .gitignore                                    |   3 +
 Makefile                                      | 107 +++-------
 Makefile.common                               | 183 ++++++++++++++++++
 generate-butane-spec.sh                       |  72 +++++++
 local.bu.template                             |   9 +
 nextcloud-aio/Makefile                        |   8 +
 nextcloud-aio/config/config.env               | 101 ++++++++++
 nextcloud-aio/fcos.bu                         |   7 +
 .../nextcloud-aio-mastercontainer.container   |  39 ++++
 nextcloud-aio/nextcloud-aio.target            |  13 ++
 .../nextcloud_aio_mastercontainer.volume      |  11 ++
 nextcloud/Makefile                            |  22 ++-
 nextcloud/cookies.txt                         |   8 -
 nextcloud/fcos.bu                             |   8 +
 nextcloud/nextcloud-app.container             |   4 +-
 nextcloud/nextcloud-redis.container           |   4 -
 nginx/Makefile                                |   4 +-
 nginx/fcos.bu                                 |   7 +
 nginx/nginx-init.container                    |   3 -
 postgresql/Makefile                           |   9 +-
 postgresql/fcos.bu                            |   7 +
 postgresql/postgresql-backup.container        |   3 -
 postgresql/postgresql-set-major.service       |   3 -
 23 files changed, 520 insertions(+), 115 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 Makefile.common
 create mode 100755 generate-butane-spec.sh
 create mode 100644 local.bu.template
 create mode 100644 nextcloud-aio/Makefile
 create mode 100644 nextcloud-aio/config/config.env
 create mode 100644 nextcloud-aio/fcos.bu
 create mode 100644 nextcloud-aio/nextcloud-aio-mastercontainer.container
 create mode 100644 nextcloud-aio/nextcloud-aio.target
 create mode 100644 nextcloud-aio/nextcloud_aio_mastercontainer.volume
 delete mode 100644 nextcloud/cookies.txt
 create mode 100644 nextcloud/fcos.bu
 create mode 100644 nginx/fcos.bu
 create mode 100644 postgresql/fcos.bu

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bd886db
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.bu
+*.ign
+!fcos.bu
diff --git a/Makefile b/Makefile
index eb7f02e..b97ec36 100644
--- a/Makefile
+++ b/Makefile
@@ -1,86 +1,27 @@
-.PHONY: all install uninstall pre-requisites clean dryrun
-
-PROJECT_NAME := $(shell basename "$${PWD}")
-QUADLETS_FILES = $(wildcard *.container *.volume *.network *.pod *.build)
-SYSTEMD_FILES = $(wildcard *.service *.target *.timer)
-SYSTEMD_UNIT_NAMES := $(wildcard *.service *.target *.timer)
-SYSTEMD_MAIN_UNIT_NAMES := $(wildcard *.target)
-QUADLET_UNIT_NAMES := $(patsubst %.container, %.service, $(wildcard *.container)) \
-					 $(patsubst %.volume, %-volume.service, $(wildcard *.volume)) \
-					 $(patsubst %.network, %-network.service, $(wildcard *.network)) \
-					 $(patsubst %.pod, %-pod.service, $(wildcard *.pod)) \
-					 $(patsubst %.build, %-build.service, $(wildcard *.build))
-CONFIG_FILES = $(wildcard config/*)
-TARGET_QUADLETS_FILES = $(addprefix /etc/containers/systemd/, $(QUADLETS_FILES))
-TARGET_SYSTEMD_FILES = $(addprefix /etc/systemd/system/, $(SYSTEMD_FILES))
-TARGET_CONFIG_FILES = $(patsubst config/%, /etc/quadlets/$(PROJECT_NAME)/%, $(CONFIG_FILES))
-
-pre-requisites:
-	@test -n "$(PARENT_DIR)" || (echo "Do not run this Makefile from the top directory!" >&2; exit 1)
-	@test "$$(id -u)" -eq 0 || (echo "This Makefile must be run as root" >&2; exit 1)
-
-all: install
-
-dryrun:
-	QUADLET_UNIT_DIRS="$$PWD" /usr/lib/systemd/system-generators/podman-system-generator -dryrun > /dev/null
-
-/etc/containers/systemd/%.container: %.container
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/containers/systemd/%.volume: %.volume
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/containers/systemd/%.network: %.network
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/containers/systemd/%.pod: %.pod
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/containers/systemd/%.build: %.build
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/systemd/system/%.service: %.service
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/systemd/system/%.target: %.target
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/systemd/system/%.timer: %.timer
-	install -D -m 0644 -o root -g root $< $@
-
-/etc/quadlets/$(PROJECT_NAME)/%: config/%
-	@run() { echo $$*; "$$@"; }; \
-	if [ -x $< ]; then \
-		run install -D -m 0755 -o root -g root $< $@; \
-	else \
-		run install -D -m 0644 -o root -g root $< $@; \
-	fi
-
-install: pre-requisites dryrun $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES)
-	systemctl daemon-reload
-	systemd-analyze --generators=true verify $(QUADLET_UNIT_NAMES) $(SYSTEMD_UNIT_NAMES)
-	systemctl enable $(SYSTEMD_UNIT_NAMES)
-	systemctl start $(SYSTEMD_MAIN_UNIT_NAMES)
-
-uninstall: pre-requisites
-	systemctl --no-block disable $(SYSTEMD_UNIT_NAMES) || true
-	systemctl --no-block stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true
-	rm -f $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES)
-	systemctl daemon-reload
-
-tail-logs: pre-requisites
-	@run() { echo $$*; "$$@"; }; \
-	declare -a journalctl_args=( -f ); \
-	for unit in $(SYSTEMD_MAIN_UNIT_NAMES) $(QUADLET_UNIT_NAMES); do \
-		journalctl_args+=( -u "$$unit" ); \
-	done; \
-	run journalctl "$${journalctl_args[@]}"
-
-clean: pre-requisites
+SUBDIRS := $(wildcard */Makefile)
+SUBDIRS := $(dir $(SUBDIRS))
+
+.PHONY: all help butane clean dryrun fcos-vm $(SUBDIRS)
+
+all: help
+help:
+	@echo "Available targets:"
+	@echo "  butane         - Build Butane specifications suitable for Fedora CoreOS"
+	@echo "  clean          - Remove the quadlets persistent data and configuration"
+	@echo "  dryrun         - Perform a dry run of the podman systemd generator"
+	@echo "  fcos-vm        - Launch a Fedora CoreOS VM with the generated Butane spec"
+	@echo "  clean-vm       - Clean up the Fedora CoreOS VM and its resources"
+
+dryrun: $(SUBDIRS)
+butane: $(SUBDIRS)
+clean: $(SUBDIRS)
+fcos-vm: $(SUBDIRS)
+clean-vm: $(SUBDIRS)
+
+$(SUBDIRS):
 	@run() { echo $$*; "$$@"; }; \
-	read -p "This will remove all data of '$(PROJECT_NAME)'. Are you sure? (only 'yes' is accepted) " ans; \
-	if [ "$$ans" = "yes" ] || [ "$$ans" = "YES" ]; then \
-		run rm -rf /var/lib/quadlets/$(PROJECT_NAME)/ /var/run/quadlets/$(PROJECT_NAME)/ /etc/quadlets/$(PROJECT_NAME)/; \
+	if echo $(MAKECMDGOALS) | grep -Eq 'butane|fcos-vm'; then \
+		run $(MAKE) -C $@ $(MAKECMDGOALS); \
 	else \
-		echo "Aborted."; exit 1; \
+		run $(MAKE) -C $@ $(MAKECMDGOALS); \
 	fi
diff --git a/Makefile.common b/Makefile.common
new file mode 100644
index 0000000..e31823d
--- /dev/null
+++ b/Makefile.common
@@ -0,0 +1,183 @@
+.PHONY: all install install-etc install-var uninstall pre-requisites clean dryrun tail-logs butane help fcos-vm clean-vm console
+
+all: help
+help:
+	@echo "Available targets:"
+	@echo "  help           - Show this help message"
+	@echo "  install        - Install quadlets and systemd units"
+	@echo "  uninstall      - Uninstall quadlets and systemd units"
+	@echo "  clean          - Remove the quadlets persistent data and configuration"
+	@echo "  dryrun         - Perform a dry run of the podman systemd generator"
+	@echo "  tail-logs      - Tail the logs of the quadlet units"
+	@echo "  butane         - Build Butane specifications suitable for Fedora CoreOS"
+	@echo "  fcos-vm        - Launch a Fedora CoreOS VM with the generated Butane spec"
+	@echo "  clean-vm       - Clean up the Fedora CoreOS VM and its resources"
+	@echo "  console		- Connect to the Fedora CoreOS VM console"
+	
+
+TARGET_CHROOT ?= 
+PROJECT_NAME := $(shell basename "$${PWD}")
+QUADLETS_FILES = $(wildcard *.container *.volume *.network *.pod *.build)
+SYSTEMD_FILES = $(wildcard *.service *.target *.timer)
+SYSTEMD_UNIT_NAMES := $(wildcard *.service *.target *.timer)
+SYSTEMD_TIMER_NAMES := $(wildcard *.timer)
+SYSTEMD_MAIN_UNIT_NAMES := $(wildcard *.target)
+QUADLET_UNIT_NAMES := $(patsubst %.container, %.service, $(wildcard *.container)) \
+					 $(patsubst %.volume, %-volume.service, $(wildcard *.volume)) \
+					 $(patsubst %.network, %-network.service, $(wildcard *.network)) \
+					 $(patsubst %.pod, %-pod.service, $(wildcard *.pod)) \
+					 $(patsubst %.build, %-build.service, $(wildcard *.build))
+CONFIG_FILES = $(wildcard config/*)
+TARGET_QUADLETS_FILES = $(addprefix $(TARGET_CHROOT)/etc/containers/systemd/, $(QUADLETS_FILES))
+TARGET_SYSTEMD_FILES = $(addprefix $(TARGET_CHROOT)/etc/systemd/system/, $(SYSTEMD_FILES))
+TARGET_CONFIG_FILES = $(patsubst config/%, $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%, $(CONFIG_FILES))
+TARGET_FILES = $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES)
+
+pre-requisites:
+	@if [ -z "$(TOP_LEVEL_DIR)" ]; then \
+	    echo "Do not run this Makefile from the top-level directory!" >&2; \
+		exit 1; \
+	fi ; \
+	if [ "$$(id -u)" -ne 0 ]; then \
+		echo "This Makefile must be run as root" >&2; \
+		exit 1; \
+	fi
+
+dryrun:
+	QUADLET_UNIT_DIRS="$$PWD" /usr/lib/systemd/system-generators/podman-system-generator -dryrun > /dev/null
+
+$(TARGET_CHROOT)/etc/containers/systemd:
+	install -D -d -m 0755 -o root -g root $@
+
+$(TARGET_CHROOT)/etc/systemd/system:
+	install -D -d -m 0755 -o root -g root $@
+
+$(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME):
+	install -D -d -m 0755 -o root -g root $@
+
+$(TARGET_CHROOT)/etc/containers/systemd/%.container: %.container $(TARGET_CHROOT)/etc/containers/systemd
+	install -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/containers/systemd/%.volume: %.volume $(TARGET_CHROOT)/etc/containers/systemd
+	install -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/containers/systemd/%.network: %.network $(TARGET_CHROOT)/etc/containers/systemd
+	install -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/containers/systemd/%.pod: %.pod $(TARGET_CHROOT)/etc/containers/systemd
+	install -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/containers/systemd/%.build: %.build $(TARGET_CHROOT)/etc/containers/systemd
+	install -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/systemd/system/%.service: %.service $(TARGET_CHROOT)/etc/systemd/system
+	install -D -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/systemd/system/%.target: %.target $(TARGET_CHROOT)/etc/systemd/system
+	install -D -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/systemd/system/%.timer: %.timer $(TARGET_CHROOT)/etc/systemd/system
+	install -D -m 0644 -o root -g root $< $@
+
+$(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%: config/% $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)
+	@run() { echo $$*; "$$@"; }; \
+	if [ -x $< ]; then \
+		run install -D -m 0755 -o root -g root $< $@; \
+	else \
+		run install -D -m 0644 -o root -g root $< $@; \
+	fi
+
+$(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME):
+	install -d -m 0755 -o root -g root $@
+
+install-etc: $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES)
+install-var: $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME)
+
+install: pre-requisites dryrun install-etc install-var
+	systemctl daemon-reload
+	systemd-analyze --generators=true verify $(QUADLET_UNIT_NAMES) $(SYSTEMD_UNIT_NAMES)
+	systemctl enable $(SYSTEMD_UNIT_NAMES)
+	systemctl start $(SYSTEMD_MAIN_UNIT_NAMES)
+
+uninstall: pre-requisites
+	systemctl --no-block disable $(SYSTEMD_UNIT_NAMES) || true
+	systemctl --no-block stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true
+	rm -f $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES)
+	systemctl daemon-reload
+
+tail-logs: pre-requisites
+	@run() { echo $$*; "$$@"; }; \
+	declare -a journalctl_args=( -f ); \
+	for unit in $(SYSTEMD_MAIN_UNIT_NAMES) $(QUADLET_UNIT_NAMES); do \
+		journalctl_args+=( -u "$$unit" ); \
+	done; \
+	run journalctl "$${journalctl_args[@]}"
+
+$(PROJECT_NAME).bu: install-etc install-var
+	@if [ -z "$(TARGET_CHROOT)" ]; then \
+		echo "TARGET_CHROOT is not set!"; exit 1; \
+	fi
+	$(TOP_LEVEL_DIR)/generate-butane-spec.sh $(TARGET_CHROOT) $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) > $(PROJECT_NAME).bu
+
+$(PROJECT_NAME).ign: butane
+	butane --strict -o $(PROJECT_NAME).ign $(PROJECT_NAME).bu
+
+butane:
+	@run() { echo $$*; "$$@"; }; \
+	if [ -z "$(TARGET_CHROOT)" ]; then \
+		run $(MAKE) TARGET_CHROOT=$$(mktemp -d /tmp/butane-XXXXXX) $(PROJECT_NAME).bu; \
+	else \
+		run $(MAKE) $(PROJECT_NAME).bu; \
+	fi
+
+$(TOP_LEVEL_DIR)/local.ign: $(TOP_LEVEL_DIR)/local.bu
+	butane --strict -o $@ $<
+
+fcos.ign: fcos.bu $(TOP_LEVEL_DIR)/local.ign $(PROJECT_NAME).ign
+	@run() { echo $$*; "$$@"; }; \
+	tmp=$$(mktemp -d /tmp/butane-XXXXXX); \
+	run cp $(filter %.ign,$^) $$tmp; \
+	run butane --strict -d $$tmp -o $@ fcos.bu; \
+	run rm -rf $$tmp
+
+/var/lib/libvirt/images/library/fedora-coreos.qcow2:
+	@run() { echo $$*; "$$@"; }; \
+	run mkdir -p /var/lib/libvirt/images/library/ ; \
+	if ! run coreos-installer download -p qemu -f qcow2.xz -d -C /var/lib/libvirt/images/library/ ; then \
+		echo "CoreOS QCOW2 image could not be downloaded." >&2; \
+		exit 1; \
+	fi ; \
+	qcow2=$$(ls -1ctr /var/lib/libvirt/images/library/fedora-coreos-*.qcow2 | tail -n 1) ; \
+	run mv "$$qcow2" $@
+
+/var/lib/libvirt/images/$(PROJECT_NAME)/fcos.ign: fcos.ign
+	install -D -o root -g root -m 0644 $< $@
+
+/var/lib/libvirt/images/$(PROJECT_NAME)/root.qcow2: /var/lib/libvirt/images/library/fedora-coreos.qcow2
+	install -D -o root -g root -m 0644 $< $@
+
+fcos-vm: pre-requisites clean-vm /var/lib/libvirt/images/$(PROJECT_NAME)/fcos.ign /var/lib/libvirt/images/$(PROJECT_NAME)/root.qcow2
+	virt-install --name=$(PROJECT_NAME) --import --noautoconsole \
+		--ram=4096 --vcpus=2 --os-variant=fedora-coreos-stable \
+		--disk path=/var/lib/libvirt/images/$(PROJECT_NAME)/root.qcow2,format=qcow2,size=50 \
+		--qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/var/lib/libvirt/images/$(PROJECT_NAME)/fcos.ign" \
+		--network network=default,model=virtio \
+		--console=pty,target.type=virtio --serial=pty --graphics=none --boot=uefi
+
+clean-vm: pre-requisites
+	virsh destroy $(PROJECT_NAME) || true
+	virsh undefine $(PROJECT_NAME) --nvram || true
+	rm -rf /var/lib/libvirt/images/$(PROJECT_NAME)
+
+console: pre-requisites
+	@while sleep 2; do virsh console $(PROJECT_NAME); done
+
+clean: pre-requisites
+	rm -f *.butane
+	@run() { echo $$*; "$$@"; }; \
+	read -p "This will remove all data of '$(PROJECT_NAME)'. Are you sure? (only 'yes' is accepted) " ans; \
+	if [ "$$ans" = "yes" ] || [ "$$ans" = "YES" ]; then \
+		run rm -rf /var/lib/quadlets/$(PROJECT_NAME)/ /var/run/quadlets/$(PROJECT_NAME)/ /etc/quadlets/$(PROJECT_NAME)/; \
+	else \
+		echo "Aborted."; exit 1; \
+	fi
diff --git a/generate-butane-spec.sh b/generate-butane-spec.sh
new file mode 100755
index 0000000..0b77027
--- /dev/null
+++ b/generate-butane-spec.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+#
+# This tool generates a butane config file for the podman-quadlet-cookbook
+# project. The generated file can be used to provision a Fedora CoreOS
+# instance with all necessary quadlets and systemd units to run the
+# podman-quadlet-cookbook tests.
+#
+# It takes the following parameters:
+#   - The target chroot directory where the quadlets and systemd units
+#     have been installed.
+#   - The list of systemd main unit names to enable.
+#
+# It outputs the butane config file to stdout.
+#
+
+set -Eeuo pipefail
+
+TARGET_CHROOT="$1"
+SYSTEMD_MAIN_UNIT_NAMES="${@:2}"
+
+cat <<"EOF"
+variant: fcos
+version: 1.4.0
+storage:
+  files:
+EOF
+for file in $(find "$TARGET_CHROOT" \! -type d); do
+    rel_path="${file#$TARGET_CHROOT}"
+    cat <<EOF
+  - path: "${rel_path}"
+    mode: 0$(stat -c '%a' "$file")
+    user:
+      id: $(stat -c '%u' "$file")
+    group:
+      id: $(stat -c '%g' "$file")
+    contents:
+      compression: gzip
+      source: data:;base64,$(gzip -c "$file" | base64 -w0)
+EOF
+done
+cat <<"EOF"
+  directories:
+EOF
+for dir in $(find "$TARGET_CHROOT" -type d); do
+    rel_path="${dir#$TARGET_CHROOT}"
+    if [[ "$rel_path" != "/var/lib/quadlets/"* ]] && [[ "$rel_path" != "/etc/quadlets/"* ]] \
+        && [[ "$rel_path" != "/etc/systemd/system/"* ]] && [[ "$rel_path" != "/etc/containers/systemd/"* ]]; then
+
+      continue
+    fi
+    cat <<EOF
+  - path: "${rel_path}"
+    mode: 0$(stat -c '%a' "$dir")
+    user:
+      id: $(stat -c '%u' "$dir")
+    group:
+      id: $(stat -c '%g' "$dir")
+EOF
+done
+
+cat <<"EOF"
+systemd:
+  units:
+EOF
+for unit in ${SYSTEMD_MAIN_UNIT_NAMES}; do
+cat <<EOF
+  - name: "$unit"
+    enabled: true
+    mask: false
+EOF
+done
diff --git a/local.bu.template b/local.bu.template
new file mode 100644
index 0000000..6414590
--- /dev/null
+++ b/local.bu.template
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: core
+    ssh_authorized_keys:
+    - ssh-ed25519 REDACTED user@host
+    # mkpasswd --method=yescrypt -s
+    password_hash: "$y$REDACTED"
diff --git a/nextcloud-aio/Makefile b/nextcloud-aio/Makefile
new file mode 100644
index 0000000..4e54741
--- /dev/null
+++ b/nextcloud-aio/Makefile
@@ -0,0 +1,8 @@
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
+
+# TODO fix permissions and ownerships
+$(TARGET_CHROOT)/var/lib/quadlets/nextcloud-aio/data:
+	install -m 0777 -o 0 -g 0 -d $@
+
+install-var: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud-aio/data
diff --git a/nextcloud-aio/config/config.env b/nextcloud-aio/config/config.env
new file mode 100644
index 0000000..edc48bb
--- /dev/null
+++ b/nextcloud-aio/config/config.env
@@ -0,0 +1,101 @@
+# Setting this to true allows to hide the backup section in the AIO interface.
+# See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+#AIO_DISABLE_BACKUP_SECTION=false
+
+# Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+#APACHE_PORT=11000
+
+# Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host.
+# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+#APACHE_IP_BINDING=127.0.0.1
+
+# (Optional) Connect the apache container to an additional docker network.
+# Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server.
+# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+#APACHE_ADDITIONAL_NETWORK=frontend_net
+
+# Allows to adjust borgs retention policy.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
+#BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6
+
+# Setting this to true allows to disable Collabora's Seccomp feature.
+# See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
+#COLLABORA_SECCOMP_DISABLED=false
+
+# You can adjust the internally used docker api version with this variable.
+# ⚠️⚠️⚠️ Warning: please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO.
+# So use this on your own risk and things might break without warning.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version
+#DOCKER_API_VERSION=1.44
+
+# Allows to adjust the fulltextsearch java options.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options
+#FULLTEXTSEARCH_JAVA_OPTIONS=-Xms1024M -Xmx1024M
+
+# Allows to set the host directory for Nextcloud's datadir.
+# ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done!
+# See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+NEXTCLOUD_DATADIR=/var/lib/quadlets/nextcloud-aio/data
+
+# Allows the Nextcloud container to access the chosen directory on the host.
+# See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
+#NEXTCLOUD_MOUNT=/mnt/
+
+# Can be adjusted if you need more.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
+#NEXTCLOUD_UPLOAD_LIMIT=16G
+
+# Can be adjusted if you need more.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
+#NEXTCLOUD_MAX_TIME=3600
+
+# Can be adjusted if you need more.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
+#NEXTCLOUD_MEMORY_LIMIT=512M
+
+# CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS).
+# See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
+#NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts
+
+# Allows to modify the Nextcloud apps that are installed on starting AIO the first time.
+# See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
+#NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes
+
+# This allows to add additional packages to the Nextcloud container permanently.
+# Default is imagemagick but can be overwritten by modifying this value.
+# See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
+#NEXTCLOUD_ADDITIONAL_APKS=imagemagick
+
+# This allows to add additional php extensions to the Nextcloud container permanently.
+# Default is imagick but can be overwritten by modifying this value.
+# See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
+#NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick
+
+# This allows to enable the /dev/dri device for containers that profit from it.
+# ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host!
+# If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start!
+# See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
+#NEXTCLOUD_ENABLE_DRI_DEVICE=true
+
+# This allows to enable the NVIDIA runtime and GPU access for containers that profit from it.
+# ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server.
+# See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
+#NEXTCLOUD_ENABLE_NVIDIA_GPU=true
+
+# Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed.
+# See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
+#NEXTCLOUD_KEEP_DISABLED_APPS=false
+
+# This should only be set to true if things are correctly configured.
+# See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation
+#SKIP_DOMAIN_VALIDATION=false
+
+# This allows to adjust the port that the talk container is using which is exposed on the host.
+# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
+#TALK_PORT=3478
+
+# Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'.
+# Otherwise mastercontainer updates will fail.
+# For macos it needs to be '/var/run/docker.sock'
+#WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock
diff --git a/nextcloud-aio/fcos.bu b/nextcloud-aio/fcos.bu
new file mode 100644
index 0000000..49130db
--- /dev/null
+++ b/nextcloud-aio/fcos.bu
@@ -0,0 +1,7 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: nextcloud-aio.ign
+    - local: local.ign
diff --git a/nextcloud-aio/nextcloud-aio-mastercontainer.container b/nextcloud-aio/nextcloud-aio-mastercontainer.container
new file mode 100644
index 0000000..63d4f67
--- /dev/null
+++ b/nextcloud-aio/nextcloud-aio-mastercontainer.container
@@ -0,0 +1,39 @@
+[Unit]
+Description=Nextcloud All-in-One
+Documentation=https://github.com/nextcloud/all-in-one
+After=network.target podman.socket nextcloud_aio_mastercontainer-volume.service
+Requires=podman.socket nextcloud_aio_mastercontainer-volume.service
+
+# Only start if Nextcloud has been configured
+ConditionPathExists=/etc/quadlets/nextcloud-aio/config.env
+
+[Container]
+ContainerName=nextcloud-aio-mastercontainer
+Image=ghcr.io/nextcloud-releases/all-in-one:latest
+PodmanArgs=--privileged --sig-proxy=false
+
+# Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+PublishPort=80:80
+
+# This is the AIO interface, served via https and self-signed certificate.
+# See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
+PublishPort=8080:8080
+
+# Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+PublishPort=8443:8443
+
+RunInit=true
+Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+Volume=/run/podman/podman.sock:/var/run/docker.sock:ro,z
+EnvironmentFile=/etc/quadlets/nextcloud-aio/config.env
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=600
+TimeoutStopSec=30
+
+[Install]
+WantedBy=nextcloud-aio.target
diff --git a/nextcloud-aio/nextcloud-aio.target b/nextcloud-aio/nextcloud-aio.target
new file mode 100644
index 0000000..de11c50
--- /dev/null
+++ b/nextcloud-aio/nextcloud-aio.target
@@ -0,0 +1,13 @@
+[Unit]
+Description=Nextcloud Service Target
+Documentation=man:systemd.target(5)
+Requires=nextcloud-aio-mastercontainer.service nextcloud_aio_mastercontainer-volume.service
+After=nextcloud-aio-mastercontainer.service nextcloud_aio_mastercontainer-volume.service
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+# Only start if Nextcloud All-in-One has been configured
+ConditionPathExists=/etc/quadlets/nextcloud-aio/config.env
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nextcloud-aio/nextcloud_aio_mastercontainer.volume b/nextcloud-aio/nextcloud_aio_mastercontainer.volume
new file mode 100644
index 0000000..6b86c6d
--- /dev/null
+++ b/nextcloud-aio/nextcloud_aio_mastercontainer.volume
@@ -0,0 +1,11 @@
+[Unit]
+Description=Nextcloud All-in-One - Configuration volume
+Documentation=https://github.com/nextcloud/all-in-one
+
+# Only start if Nextcloud has been configured
+ConditionPathExists=/etc/quadlets/nextcloud-aio/config.env
+
+[Volume]
+
+[Install]
+WantedBy=nextcloud-aio.target
diff --git a/nextcloud/Makefile b/nextcloud/Makefile
index 074d4a1..2995f37 100644
--- a/nextcloud/Makefile
+++ b/nextcloud/Makefile
@@ -1,17 +1,31 @@
-PARENT_DIR := ..
-include $(PARENT_DIR)/Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
 
 .PHONY: test
 
+$(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis:
+	install -m 0700 -o 0 -g 0 -d $@
+
+$(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config:
+	install -m 0700 -o 82 -g 82 -d $@
+
+install-var: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config
+
+# Nextcloud depends on the PostgreSQL quadlets
+.PHONY: $(TOP_LEVEL_DIR)/postgresql/postgresql.ign
+$(TOP_LEVEL_DIR)/postgresql/postgresql.ign:
+	make -C $(TOP_LEVEL_DIR)/postgresql postgresql.ign
+fcos.ign: $(TOP_LEVEL_DIR)/postgresql/postgresql.ign
+
 test: uninstall clean install
 	@run() { echo $$*; "$$@"; }; \
 	echo "Running Nextcloud tests..."; \
 	set -Eeuo pipefail; \
 	source config/config.env; \
 	echo "Uploading file..."; \
-	run curl -X PUT -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" --data-binary @tests/witness.txt "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt" -b cookies.txt; \
+	run curl -X PUT -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" --data-binary @tests/witness.txt "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt"; \
 	echo "Verifying file upload..."; \
-	run curl -X GET -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt" -o /tmp/witness.txt -b cookies.txt; \
+	run curl -X GET -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt" -o /tmp/witness.txt; \
 	if run cmp -s tests/witness.txt /tmp/witness.txt ; then \
 		echo "File upload verified successfully!"; \
 	else \
diff --git a/nextcloud/cookies.txt b/nextcloud/cookies.txt
deleted file mode 100644
index f06db3d..0000000
--- a/nextcloud/cookies.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-# Netscape HTTP Cookie File
-# https://curl.se/docs/http-cookies.html
-# This file was generated by libcurl! Edit at your own risk.
-
-#HttpOnly_localhost	FALSE	/	FALSE	0	ocbny94p8hh4	02320e51bee9bd3808c761acdb10e820
-#HttpOnly_localhost	FALSE	/	FALSE	4133980799	nc_sameSiteCookiestrict	true
-#HttpOnly_localhost	FALSE	/	FALSE	4133980799	nc_sameSiteCookielax	true
-#HttpOnly_localhost	FALSE	/	FALSE	0	oc_sessionPassphrase	5xu%2F9mJaZB0HhAXmLErL8y5pNa5Rb6fr%2F%2BVJL%2FfnkKKsBVozLv2TpWQ2Khd%2FtT%2BSX0sR1VQS0pCql0CzOOd%2BTHU04gEnJ0PgYMV%2FRQVO3YJpWE5c5THOJ4eN2GLg7C0P
diff --git a/nextcloud/fcos.bu b/nextcloud/fcos.bu
new file mode 100644
index 0000000..3cfaabb
--- /dev/null
+++ b/nextcloud/fcos.bu
@@ -0,0 +1,8 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: nextcloud.ign
+    - local: postgresql.ign
+    - local: local.ign
diff --git a/nextcloud/nextcloud-app.container b/nextcloud/nextcloud-app.container
index 190da84..0af8926 100644
--- a/nextcloud/nextcloud-app.container
+++ b/nextcloud/nextcloud-app.container
@@ -47,9 +47,7 @@ TimeoutStartSec=600
 TimeoutStopSec=30
 
 # Skaffold filesystem + fix permissions
-ExecStartPre=/bin/bash -Eeuo pipefail -c 'install -m 0755 -o 0 -g 0 -d /var/lib/quadlets/nextcloud ; \
-  install -m 0700 -o 82 -g 82 -d /var/lib/quadlets/nextcloud/data /var/lib/quadlets/nextcloud/config ; \
-  install -m 0700 -o 82 -g 82 /etc/quadlets/nextcloud/www.conf /var/lib/quadlets/nextcloud/config/www.conf ; \
+ExecStartPre=/bin/bash -Eeuo pipefail -c 'install -m 0700 -o 82 -g 82 /etc/quadlets/nextcloud/www.conf /var/lib/quadlets/nextcloud/config/www.conf ; \
   install -m 0700 -o 82 -g 82 /etc/quadlets/nextcloud/redis-session.ini /var/lib/quadlets/nextcloud/config/redis-session.ini'
 
 # Wait for PostgreSQL to be ready on localhost
diff --git a/nextcloud/nextcloud-redis.container b/nextcloud/nextcloud-redis.container
index 2b8fb8f..6cf05d8 100644
--- a/nextcloud/nextcloud-redis.container
+++ b/nextcloud/nextcloud-redis.container
@@ -39,9 +39,5 @@ RestartSec=5
 TimeoutStartSec=300
 TimeoutStopSec=30
 
-# Skaffold filesystem + fix permissions
-ExecStartPre=/bin/bash -Eeuo pipefail -c 'install -m 0755 -o 0 -g 0 -d /var/lib/quadlets/nextcloud ; \
-    install -m 0700 -o 0 -g 0 -d /var/lib/quadlets/nextcloud/redis'
-
 [Install]
 WantedBy=nextcloud.target
\ No newline at end of file
diff --git a/nginx/Makefile b/nginx/Makefile
index d43ffa6..1568eaf 100644
--- a/nginx/Makefile
+++ b/nginx/Makefile
@@ -1,5 +1,5 @@
-PARENT_DIR := ..
-include $(PARENT_DIR)/Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
 
 .PHONY: test
 
diff --git a/nginx/fcos.bu b/nginx/fcos.bu
new file mode 100644
index 0000000..8a5b224
--- /dev/null
+++ b/nginx/fcos.bu
@@ -0,0 +1,7 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: nginx.ign
+    - local: local.ign
diff --git a/nginx/nginx-init.container b/nginx/nginx-init.container
index d28ea5e..faf39a1 100644
--- a/nginx/nginx-init.container
+++ b/nginx/nginx-init.container
@@ -35,9 +35,6 @@ TimeoutStartSec=30
 # These environment variables are sourced to be used by systemd in the Exec* commands
 EnvironmentFile=/etc/quadlets/nginx/config.env
 
-# Skaffold filesystem + fix permissions
-ExecStartPre=install -m 0755 -o root -g root -d /var/lib/quadlets/nginx
-
 # This container is a job - run once to completion
 Type=oneshot
 
diff --git a/postgresql/Makefile b/postgresql/Makefile
index c4744e1..1cf9b81 100644
--- a/postgresql/Makefile
+++ b/postgresql/Makefile
@@ -1,5 +1,5 @@
-PARENT_DIR := ..
-include $(PARENT_DIR)/Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
 
 .PHONY: test test-set-pgmajor
 
@@ -8,6 +8,11 @@ PG_MAJOR_LAST ?= 18
 test-set-pgmajor:
 	sed -i 's/^PG_MAJOR=.*/PG_MAJOR=$(PG_MAJOR_START)/' config/config.env
 
+$(TARGET_CHROOT)/var/lib/quadlets/postgresql/backup $(TARGET_CHROOT)/var/lib/quadlets/postgresql $(TARGET_CHROOT)/var/run/quadlets/postgresql:
+	install -m 0700 -o 70 -g 70 -d $@
+
+install-var: $(TARGET_CHROOT)/var/run/quadlets/postgresql $(TARGET_CHROOT)/var/lib/quadlets/postgresql $(TARGET_CHROOT)/var/lib/quadlets/postgresql/backup
+
 test: uninstall clean test-set-pgmajor install
 	@echo "Running PostgreSQL integration tests..."; \
 	set -Eeuo pipefail; \
diff --git a/postgresql/fcos.bu b/postgresql/fcos.bu
new file mode 100644
index 0000000..49b81ab
--- /dev/null
+++ b/postgresql/fcos.bu
@@ -0,0 +1,7 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: postgresql.ign
+    - local: local.ign
diff --git a/postgresql/postgresql-backup.container b/postgresql/postgresql-backup.container
index fdfb895..a8d85e5 100644
--- a/postgresql/postgresql-backup.container
+++ b/postgresql/postgresql-backup.container
@@ -39,6 +39,3 @@ EnvironmentFile=/etc/quadlets/postgresql/config.env
 
 # This container is a job - run once to completion
 Type=oneshot
-
-# Skaffold filesystem + fix permissions
-ExecStartPre=install -m 0700 -o 70 -g 70 -d /var/lib/quadlets/postgresql/backup
diff --git a/postgresql/postgresql-set-major.service b/postgresql/postgresql-set-major.service
index e5c2272..4652729 100644
--- a/postgresql/postgresql-set-major.service
+++ b/postgresql/postgresql-set-major.service
@@ -16,9 +16,6 @@ TimeoutStartSec=30
 # These environment variables are sourced to be used by systemd in the Exec* commands
 EnvironmentFile=/etc/quadlets/postgresql/config.env
 
-# Skaffold filesystem + fix permissions
-ExecStartPre=install -m 0700 -o 70 -g 70 -d /var/lib/quadlets/postgresql
-
 # Set the "latest" symlink to point to the desired major version
 ExecStart=ln -sfT ${PG_MAJOR} /var/lib/quadlets/postgresql/latest