Compare commits
4 Commits
6d66a7be70
...
3511f51c59
| Author | SHA1 | Date |
|---|---|---|
 Nicolas Massé
|
3511f51c59 | 2 days ago |
|
Nicolas Massé
|
82fa15c00f | 3 days ago |
|
Nicolas Massé
|
246d4f4696 | 3 days ago |
|
Nicolas Massé
|
8a14794df5 | 3 days ago |
36 changed files with 948 additions and 96 deletions
@ -0,0 +1,3 @@ |
|||
*.bu |
|||
*.ign |
|||
!fcos.bu |
|||
@ -1,85 +1,27 @@ |
|||
.PHONY: all install uninstall pre-requisites clean dryrun |
|||
|
|||
PROJECT_NAME := $(shell basename "$${PWD}") |
|||
QUADLETS_FILES = $(wildcard *.container *.volume *.network *.pod *.build) |
|||
SYSTEMD_FILES = $(wildcard *.service *.target *.timer) |
|||
SYSTEMD_UNIT_NAMES := $(wildcard *.service *.target *.timer) |
|||
SYSTEMD_MAIN_UNIT_NAMES := $(wildcard *.target) |
|||
QUADLET_UNIT_NAMES := $(patsubst %.container, %.service, $(wildcard *.container)) \
|
|||
$(patsubst %.volume, %-volume.service, $(wildcard *.volume)) \
|
|||
$(patsubst %.network, %-network.service, $(wildcard *.network)) \
|
|||
$(patsubst %.pod, %-pod.service, $(wildcard *.pod)) \
|
|||
$(patsubst %.build, %-build.service, $(wildcard *.build)) |
|||
CONFIG_FILES = $(wildcard config/*) |
|||
TARGET_QUADLETS_FILES = $(addprefix /etc/containers/systemd/, $(QUADLETS_FILES)) |
|||
TARGET_SYSTEMD_FILES = $(addprefix /etc/systemd/system/, $(SYSTEMD_FILES)) |
|||
TARGET_CONFIG_FILES = $(patsubst config/%, /etc/quadlets/$(PROJECT_NAME)/%, $(CONFIG_FILES)) |
|||
|
|||
pre-requisites: |
|||
@test "$$(id -u)" -eq 0 || (echo "This Makefile must be run as root" >&2; exit 1) |
|||
|
|||
all: install |
|||
|
|||
dryrun: |
|||
QUADLET_UNIT_DIRS="$$PWD" /usr/lib/systemd/system-generators/podman-system-generator -dryrun > /dev/null |
|||
|
|||
/etc/containers/systemd/%.container: %.container |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/containers/systemd/%.volume: %.volume |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/containers/systemd/%.network: %.network |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/containers/systemd/%.pod: %.pod |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/containers/systemd/%.build: %.build |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/systemd/system/%.service: %.service |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/systemd/system/%.target: %.target |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/systemd/system/%.timer: %.timer |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
/etc/quadlets/$(PROJECT_NAME)/%: config/% |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
if [ -x $< ]; then \
|
|||
run install -D -m 0755 -o root -g root $< $@; \
|
|||
else \
|
|||
run install -D -m 0644 -o root -g root $< $@; \
|
|||
fi |
|||
|
|||
install: pre-requisites dryrun $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES) |
|||
systemctl daemon-reload |
|||
systemd-analyze --generators=true verify $(QUADLET_UNIT_NAMES) $(SYSTEMD_UNIT_NAMES) |
|||
systemctl enable $(SYSTEMD_UNIT_NAMES) |
|||
systemctl start $(SYSTEMD_MAIN_UNIT_NAMES) |
|||
|
|||
uninstall: pre-requisites |
|||
systemctl --no-block disable $(SYSTEMD_UNIT_NAMES) || true |
|||
systemctl --no-block stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true |
|||
rm -f $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES) |
|||
systemctl daemon-reload |
|||
|
|||
tail-logs: pre-requisites |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
declare -a journalctl_args=( -f ); \
|
|||
for unit in $(SYSTEMD_MAIN_UNIT_NAMES) $(QUADLET_UNIT_NAMES); do \
|
|||
journalctl_args+=( -u "$$unit" ); \
|
|||
done; \
|
|||
run journalctl "$${journalctl_args[@]}" |
|||
|
|||
clean: pre-requisites |
|||
SUBDIRS := $(wildcard */Makefile) |
|||
SUBDIRS := $(dir $(SUBDIRS)) |
|||
|
|||
.PHONY: all help butane clean dryrun fcos-vm $(SUBDIRS) |
|||
|
|||
all: help |
|||
help: |
|||
@echo "Available targets:" |
|||
@echo " butane - Build Butane specifications suitable for Fedora CoreOS" |
|||
@echo " clean - Remove the quadlets persistent data and configuration" |
|||
@echo " dryrun - Perform a dry run of the podman systemd generator" |
|||
@echo " fcos-vm - Launch a Fedora CoreOS VM with the generated Butane spec" |
|||
@echo " clean-vm - Clean up the Fedora CoreOS VM and its resources" |
|||
|
|||
dryrun: $(SUBDIRS) |
|||
butane: $(SUBDIRS) |
|||
clean: $(SUBDIRS) |
|||
fcos-vm: $(SUBDIRS) |
|||
clean-vm: $(SUBDIRS) |
|||
|
|||
$(SUBDIRS): |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
read -p "This will remove all data of '$(PROJECT_NAME)'. Are you sure? (only 'yes' is accepted) " ans; \
|
|||
if [ "$$ans" = "yes" ] || [ "$$ans" = "YES" ]; then \
|
|||
run rm -rf /var/lib/quadlets/$(PROJECT_NAME)/ /var/run/quadlets/$(PROJECT_NAME)/ /etc/quadlets/$(PROJECT_NAME)/; \
|
|||
if echo $(MAKECMDGOALS) | grep -Eq 'butane|fcos-vm'; then \
|
|||
run $(MAKE) -C $@ $(MAKECMDGOALS); \
|
|||
else \
|
|||
echo "Aborted."; exit 1; \
|
|||
run $(MAKE) -C $@ $(MAKECMDGOALS); \
|
|||
fi |
|||
|
|||
@ -0,0 +1,183 @@ |
|||
.PHONY: all install install-etc install-var uninstall pre-requisites clean dryrun tail-logs butane help fcos-vm clean-vm console |
|||
|
|||
all: help |
|||
help: |
|||
@echo "Available targets:" |
|||
@echo " help - Show this help message" |
|||
@echo " install - Install quadlets and systemd units" |
|||
@echo " uninstall - Uninstall quadlets and systemd units" |
|||
@echo " clean - Remove the quadlets persistent data and configuration" |
|||
@echo " dryrun - Perform a dry run of the podman systemd generator" |
|||
@echo " tail-logs - Tail the logs of the quadlet units" |
|||
@echo " butane - Build Butane specifications suitable for Fedora CoreOS" |
|||
@echo " fcos-vm - Launch a Fedora CoreOS VM with the generated Butane spec" |
|||
@echo " clean-vm - Clean up the Fedora CoreOS VM and its resources" |
|||
@echo " console - Connect to the Fedora CoreOS VM console" |
|||
|
|||
|
|||
TARGET_CHROOT ?= |
|||
PROJECT_NAME := $(shell basename "$${PWD}") |
|||
QUADLETS_FILES = $(wildcard *.container *.volume *.network *.pod *.build) |
|||
SYSTEMD_FILES = $(wildcard *.service *.target *.timer) |
|||
SYSTEMD_UNIT_NAMES := $(wildcard *.service *.target *.timer) |
|||
SYSTEMD_TIMER_NAMES := $(wildcard *.timer) |
|||
SYSTEMD_MAIN_UNIT_NAMES := $(wildcard *.target) |
|||
QUADLET_UNIT_NAMES := $(patsubst %.container, %.service, $(wildcard *.container)) \
|
|||
$(patsubst %.volume, %-volume.service, $(wildcard *.volume)) \
|
|||
$(patsubst %.network, %-network.service, $(wildcard *.network)) \
|
|||
$(patsubst %.pod, %-pod.service, $(wildcard *.pod)) \
|
|||
$(patsubst %.build, %-build.service, $(wildcard *.build)) |
|||
CONFIG_FILES = $(wildcard config/*) |
|||
TARGET_QUADLETS_FILES = $(addprefix $(TARGET_CHROOT)/etc/containers/systemd/, $(QUADLETS_FILES)) |
|||
TARGET_SYSTEMD_FILES = $(addprefix $(TARGET_CHROOT)/etc/systemd/system/, $(SYSTEMD_FILES)) |
|||
TARGET_CONFIG_FILES = $(patsubst config/%, $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%, $(CONFIG_FILES)) |
|||
TARGET_FILES = $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES) |
|||
|
|||
pre-requisites: |
|||
@if [ -z "$(TOP_LEVEL_DIR)" ]; then \
|
|||
echo "Do not run this Makefile from the top-level directory!" >&2; \
|
|||
exit 1; \
|
|||
fi ; \
|
|||
if [ "$$(id -u)" -ne 0 ]; then \
|
|||
echo "This Makefile must be run as root" >&2; \
|
|||
exit 1; \
|
|||
fi |
|||
|
|||
dryrun: |
|||
QUADLET_UNIT_DIRS="$$PWD" /usr/lib/systemd/system-generators/podman-system-generator -dryrun > /dev/null |
|||
|
|||
$(TARGET_CHROOT)/etc/containers/systemd: |
|||
install -D -d -m 0755 -o root -g root $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/systemd/system: |
|||
install -D -d -m 0755 -o root -g root $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME): |
|||
install -D -d -m 0755 -o root -g root $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/containers/systemd/%.container: %.container $(TARGET_CHROOT)/etc/containers/systemd |
|||
install -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/containers/systemd/%.volume: %.volume $(TARGET_CHROOT)/etc/containers/systemd |
|||
install -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/containers/systemd/%.network: %.network $(TARGET_CHROOT)/etc/containers/systemd |
|||
install -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/containers/systemd/%.pod: %.pod $(TARGET_CHROOT)/etc/containers/systemd |
|||
install -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/containers/systemd/%.build: %.build $(TARGET_CHROOT)/etc/containers/systemd |
|||
install -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/systemd/system/%.service: %.service $(TARGET_CHROOT)/etc/systemd/system |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/systemd/system/%.target: %.target $(TARGET_CHROOT)/etc/systemd/system |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/systemd/system/%.timer: %.timer $(TARGET_CHROOT)/etc/systemd/system |
|||
install -D -m 0644 -o root -g root $< $@ |
|||
|
|||
$(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%: config/% $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME) |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
if [ -x $< ]; then \
|
|||
run install -D -m 0755 -o root -g root $< $@; \
|
|||
else \
|
|||
run install -D -m 0644 -o root -g root $< $@; \
|
|||
fi |
|||
|
|||
$(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME): |
|||
install -d -m 0755 -o root -g root $@ |
|||
|
|||
install-etc: $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES) |
|||
install-var: $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME) |
|||
|
|||
install: pre-requisites dryrun install-etc install-var |
|||
systemctl daemon-reload |
|||
systemd-analyze --generators=true verify $(QUADLET_UNIT_NAMES) $(SYSTEMD_UNIT_NAMES) |
|||
systemctl enable $(SYSTEMD_UNIT_NAMES) |
|||
systemctl start $(SYSTEMD_MAIN_UNIT_NAMES) |
|||
|
|||
uninstall: pre-requisites |
|||
systemctl --no-block disable $(SYSTEMD_UNIT_NAMES) || true |
|||
systemctl --no-block stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true |
|||
rm -f $(TARGET_QUADLETS_FILES) $(TARGET_SYSTEMD_FILES) $(TARGET_CONFIG_FILES) |
|||
systemctl daemon-reload |
|||
|
|||
tail-logs: pre-requisites |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
declare -a journalctl_args=( -f ); \
|
|||
for unit in $(SYSTEMD_MAIN_UNIT_NAMES) $(QUADLET_UNIT_NAMES); do \
|
|||
journalctl_args+=( -u "$$unit" ); \
|
|||
done; \
|
|||
run journalctl "$${journalctl_args[@]}" |
|||
|
|||
$(PROJECT_NAME).bu: install-etc install-var |
|||
@if [ -z "$(TARGET_CHROOT)" ]; then \
|
|||
echo "TARGET_CHROOT is not set!"; exit 1; \
|
|||
fi |
|||
$(TOP_LEVEL_DIR)/generate-butane-spec.sh $(TARGET_CHROOT) $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) > $(PROJECT_NAME).bu |
|||
|
|||
$(PROJECT_NAME).ign: butane |
|||
butane --strict -o $(PROJECT_NAME).ign $(PROJECT_NAME).bu |
|||
|
|||
butane: |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
if [ -z "$(TARGET_CHROOT)" ]; then \
|
|||
run $(MAKE) TARGET_CHROOT=$$(mktemp -d /tmp/butane-XXXXXX) $(PROJECT_NAME).bu; \
|
|||
else \
|
|||
run $(MAKE) $(PROJECT_NAME).bu; \
|
|||
fi |
|||
|
|||
$(TOP_LEVEL_DIR)/local.ign: $(TOP_LEVEL_DIR)/local.bu |
|||
butane --strict -o $@ $< |
|||
|
|||
fcos.ign: fcos.bu $(TOP_LEVEL_DIR)/local.ign $(PROJECT_NAME).ign |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
tmp=$$(mktemp -d /tmp/butane-XXXXXX); \
|
|||
run cp $(filter %.ign,$^) $$tmp; \
|
|||
run butane --strict -d $$tmp -o $@ fcos.bu; \
|
|||
run rm -rf $$tmp |
|||
|
|||
/var/lib/libvirt/images/library/fedora-coreos.qcow2: |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
run mkdir -p /var/lib/libvirt/images/library/ ; \
|
|||
if ! run coreos-installer download -p qemu -f qcow2.xz -d -C /var/lib/libvirt/images/library/ ; then \
|
|||
echo "CoreOS QCOW2 image could not be downloaded." >&2; \
|
|||
exit 1; \
|
|||
fi ; \
|
|||
qcow2=$$(ls -1ctr /var/lib/libvirt/images/library/fedora-coreos-*.qcow2 | tail -n 1) ; \
|
|||
run mv "$$qcow2" $@ |
|||
|
|||
/var/lib/libvirt/images/$(PROJECT_NAME)/fcos.ign: fcos.ign |
|||
install -D -o root -g root -m 0644 $< $@ |
|||
|
|||
/var/lib/libvirt/images/$(PROJECT_NAME)/root.qcow2: /var/lib/libvirt/images/library/fedora-coreos.qcow2 |
|||
install -D -o root -g root -m 0644 $< $@ |
|||
|
|||
fcos-vm: pre-requisites clean-vm /var/lib/libvirt/images/$(PROJECT_NAME)/fcos.ign /var/lib/libvirt/images/$(PROJECT_NAME)/root.qcow2 |
|||
virt-install --name=$(PROJECT_NAME) --import --noautoconsole \
|
|||
--ram=4096 --vcpus=2 --os-variant=fedora-coreos-stable \
|
|||
--disk path=/var/lib/libvirt/images/$(PROJECT_NAME)/root.qcow2,format=qcow2,size=50 \
|
|||
--qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/var/lib/libvirt/images/$(PROJECT_NAME)/fcos.ign" \
|
|||
--network network=default,model=virtio \
|
|||
--console=pty,target.type=virtio --serial=pty --graphics=none --boot=uefi |
|||
|
|||
clean-vm: pre-requisites |
|||
virsh destroy $(PROJECT_NAME) || true |
|||
virsh undefine $(PROJECT_NAME) --nvram || true |
|||
rm -rf /var/lib/libvirt/images/$(PROJECT_NAME) |
|||
|
|||
console: pre-requisites |
|||
@while sleep 2; do virsh console $(PROJECT_NAME); done |
|||
|
|||
clean: pre-requisites |
|||
rm -f *.butane |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
read -p "This will remove all data of '$(PROJECT_NAME)'. Are you sure? (only 'yes' is accepted) " ans; \
|
|||
if [ "$$ans" = "yes" ] || [ "$$ans" = "YES" ]; then \
|
|||
run rm -rf /var/lib/quadlets/$(PROJECT_NAME)/ /var/run/quadlets/$(PROJECT_NAME)/ /etc/quadlets/$(PROJECT_NAME)/; \
|
|||
else \
|
|||
echo "Aborted."; exit 1; \
|
|||
fi |
|||
@ -0,0 +1,72 @@ |
|||
#!/bin/bash |
|||
|
|||
# |
|||
# This tool generates a butane config file for the podman-quadlet-cookbook |
|||
# project. The generated file can be used to provision a Fedora CoreOS |
|||
# instance with all necessary quadlets and systemd units to run the |
|||
# podman-quadlet-cookbook tests. |
|||
# |
|||
# It takes the following parameters: |
|||
# - The target chroot directory where the quadlets and systemd units |
|||
# have been installed. |
|||
# - The list of systemd main unit names to enable. |
|||
# |
|||
# It outputs the butane config file to stdout. |
|||
# |
|||
|
|||
set -Eeuo pipefail |
|||
|
|||
TARGET_CHROOT="$1" |
|||
SYSTEMD_MAIN_UNIT_NAMES="${@:2}" |
|||
|
|||
cat <<"EOF" |
|||
variant: fcos |
|||
version: 1.4.0 |
|||
storage: |
|||
files: |
|||
EOF |
|||
for file in $(find "$TARGET_CHROOT" \! -type d); do |
|||
rel_path="${file#$TARGET_CHROOT}" |
|||
cat <<EOF |
|||
- path: "${rel_path}" |
|||
mode: 0$(stat -c '%a' "$file") |
|||
user: |
|||
id: $(stat -c '%u' "$file") |
|||
group: |
|||
id: $(stat -c '%g' "$file") |
|||
contents: |
|||
compression: gzip |
|||
source: data:;base64,$(gzip -c "$file" | base64 -w0) |
|||
EOF |
|||
done |
|||
cat <<"EOF" |
|||
directories: |
|||
EOF |
|||
for dir in $(find "$TARGET_CHROOT" -type d); do |
|||
rel_path="${dir#$TARGET_CHROOT}" |
|||
if [[ "$rel_path" != "/var/lib/quadlets/"* ]] && [[ "$rel_path" != "/etc/quadlets/"* ]] \ |
|||
&& [[ "$rel_path" != "/etc/systemd/system/"* ]] && [[ "$rel_path" != "/etc/containers/systemd/"* ]]; then |
|||
|
|||
continue |
|||
fi |
|||
cat <<EOF |
|||
- path: "${rel_path}" |
|||
mode: 0$(stat -c '%a' "$dir") |
|||
user: |
|||
id: $(stat -c '%u' "$dir") |
|||
group: |
|||
id: $(stat -c '%g' "$dir") |
|||
EOF |
|||
done |
|||
|
|||
cat <<"EOF" |
|||
systemd: |
|||
units: |
|||
EOF |
|||
for unit in ${SYSTEMD_MAIN_UNIT_NAMES}; do |
|||
cat <<EOF |
|||
- name: "$unit" |
|||
enabled: true |
|||
mask: false |
|||
EOF |
|||
done |
|||
@ -0,0 +1,9 @@ |
|||
variant: fcos |
|||
version: 1.4.0 |
|||
passwd: |
|||
users: |
|||
- name: core |
|||
ssh_authorized_keys: |
|||
- ssh-ed25519 REDACTED user@host |
|||
# mkpasswd --method=yescrypt -s |
|||
password_hash: "$y$REDACTED" |
|||
@ -0,0 +1,8 @@ |
|||
TOP_LEVEL_DIR := .. |
|||
include $(TOP_LEVEL_DIR)/Makefile.common |
|||
|
|||
# TODO fix permissions and ownerships
|
|||
$(TARGET_CHROOT)/var/lib/quadlets/nextcloud-aio/data: |
|||
install -m 0777 -o 0 -g 0 -d $@ |
|||
|
|||
install-var: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud-aio/data |
|||
@ -0,0 +1,101 @@ |
|||
# Setting this to true allows to hide the backup section in the AIO interface. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section |
|||
#AIO_DISABLE_BACKUP_SECTION=false |
|||
|
|||
# Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). |
|||
# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md |
|||
#APACHE_PORT=11000 |
|||
|
|||
# Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. |
|||
# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md |
|||
#APACHE_IP_BINDING=127.0.0.1 |
|||
|
|||
# (Optional) Connect the apache container to an additional docker network. |
|||
# Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. |
|||
# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md |
|||
#APACHE_ADDITIONAL_NETWORK=frontend_net |
|||
|
|||
# Allows to adjust borgs retention policy. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy |
|||
#BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 |
|||
|
|||
# Setting this to true allows to disable Collabora's Seccomp feature. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature |
|||
#COLLABORA_SECCOMP_DISABLED=false |
|||
|
|||
# You can adjust the internally used docker api version with this variable. |
|||
# ⚠️⚠️⚠️ Warning: please note that only the default api version (unset this variable) is supported and tested by the maintainers of Nextcloud AIO. |
|||
# So use this on your own risk and things might break without warning. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version |
|||
#DOCKER_API_VERSION=1.44 |
|||
|
|||
# Allows to adjust the fulltextsearch java options. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options |
|||
#FULLTEXTSEARCH_JAVA_OPTIONS=-Xms1024M -Xmx1024M |
|||
|
|||
# Allows to set the host directory for Nextcloud's datadir. |
|||
# ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! |
|||
# See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir |
|||
NEXTCLOUD_DATADIR=/var/lib/quadlets/nextcloud-aio/data |
|||
|
|||
# Allows the Nextcloud container to access the chosen directory on the host. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host |
|||
#NEXTCLOUD_MOUNT=/mnt/ |
|||
|
|||
# Can be adjusted if you need more. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud |
|||
#NEXTCLOUD_UPLOAD_LIMIT=16G |
|||
|
|||
# Can be adjusted if you need more. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud |
|||
#NEXTCLOUD_MAX_TIME=3600 |
|||
|
|||
# Can be adjusted if you need more. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud |
|||
#NEXTCLOUD_MEMORY_LIMIT=512M |
|||
|
|||
# CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS). |
|||
# See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca |
|||
#NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts |
|||
|
|||
# Allows to modify the Nextcloud apps that are installed on starting AIO the first time. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup |
|||
#NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes |
|||
|
|||
# This allows to add additional packages to the Nextcloud container permanently. |
|||
# Default is imagemagick but can be overwritten by modifying this value. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container |
|||
#NEXTCLOUD_ADDITIONAL_APKS=imagemagick |
|||
|
|||
# This allows to add additional php extensions to the Nextcloud container permanently. |
|||
# Default is imagick but can be overwritten by modifying this value. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container |
|||
#NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick |
|||
|
|||
# This allows to enable the /dev/dri device for containers that profit from it. |
|||
# ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! |
|||
# If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! |
|||
# See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud |
|||
#NEXTCLOUD_ENABLE_DRI_DEVICE=true |
|||
|
|||
# This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. |
|||
# ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud. |
|||
#NEXTCLOUD_ENABLE_NVIDIA_GPU=true |
|||
|
|||
# Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps |
|||
#NEXTCLOUD_KEEP_DISABLED_APPS=false |
|||
|
|||
# This should only be set to true if things are correctly configured. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation |
|||
#SKIP_DOMAIN_VALIDATION=false |
|||
|
|||
# This allows to adjust the port that the talk container is using which is exposed on the host. |
|||
# See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port |
|||
#TALK_PORT=3478 |
|||
|
|||
# Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. |
|||
# Otherwise mastercontainer updates will fail. |
|||
# For macos it needs to be '/var/run/docker.sock' |
|||
#WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock |
|||
@ -0,0 +1,7 @@ |
|||
variant: fcos |
|||
version: 1.4.0 |
|||
ignition: |
|||
config: |
|||
merge: |
|||
- local: nextcloud-aio.ign |
|||
- local: local.ign |
|||
@ -0,0 +1,39 @@ |
|||
[Unit] |
|||
Description=Nextcloud All-in-One |
|||
Documentation=https://github.com/nextcloud/all-in-one |
|||
After=network.target podman.socket nextcloud_aio_mastercontainer-volume.service |
|||
Requires=podman.socket nextcloud_aio_mastercontainer-volume.service |
|||
|
|||
# Only start if Nextcloud has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud-aio/config.env |
|||
|
|||
[Container] |
|||
ContainerName=nextcloud-aio-mastercontainer |
|||
Image=ghcr.io/nextcloud-releases/all-in-one:latest |
|||
PodmanArgs=--privileged --sig-proxy=false |
|||
|
|||
# Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). |
|||
# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md |
|||
PublishPort=80:80 |
|||
|
|||
# This is the AIO interface, served via https and self-signed certificate. |
|||
# See https://github.com/nextcloud/all-in-one#explanation-of-used-ports |
|||
PublishPort=8080:8080 |
|||
|
|||
# Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). |
|||
# See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md |
|||
PublishPort=8443:8443 |
|||
|
|||
RunInit=true |
|||
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config |
|||
Volume=/run/podman/podman.sock:/var/run/docker.sock:ro,z |
|||
EnvironmentFile=/etc/quadlets/nextcloud-aio/config.env |
|||
|
|||
[Service] |
|||
Restart=always |
|||
RestartSec=10 |
|||
TimeoutStartSec=600 |
|||
TimeoutStopSec=30 |
|||
|
|||
[Install] |
|||
WantedBy=nextcloud-aio.target |
|||
@ -0,0 +1,13 @@ |
|||
[Unit] |
|||
Description=Nextcloud Service Target |
|||
Documentation=man:systemd.target(5) |
|||
Requires=nextcloud-aio-mastercontainer.service nextcloud_aio_mastercontainer-volume.service |
|||
After=nextcloud-aio-mastercontainer.service nextcloud_aio_mastercontainer-volume.service |
|||
|
|||
# Allow isolation - can stop/start this target independently |
|||
AllowIsolate=yes |
|||
# Only start if Nextcloud All-in-One has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud-aio/config.env |
|||
|
|||
[Install] |
|||
WantedBy=multi-user.target |
|||
@ -0,0 +1,11 @@ |
|||
[Unit] |
|||
Description=Nextcloud All-in-One - Configuration volume |
|||
Documentation=https://github.com/nextcloud/all-in-one |
|||
|
|||
# Only start if Nextcloud has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud-aio/config.env |
|||
|
|||
[Volume] |
|||
|
|||
[Install] |
|||
WantedBy=nextcloud-aio.target |
|||
@ -0,0 +1,35 @@ |
|||
TOP_LEVEL_DIR := .. |
|||
include $(TOP_LEVEL_DIR)/Makefile.common |
|||
|
|||
.PHONY: test |
|||
|
|||
$(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis: |
|||
install -m 0700 -o 0 -g 0 -d $@ |
|||
|
|||
$(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config: |
|||
install -m 0700 -o 82 -g 82 -d $@ |
|||
|
|||
install-var: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config |
|||
|
|||
# Nextcloud depends on the PostgreSQL quadlets
|
|||
.PHONY: $(TOP_LEVEL_DIR)/postgresql/postgresql.ign |
|||
$(TOP_LEVEL_DIR)/postgresql/postgresql.ign: |
|||
make -C $(TOP_LEVEL_DIR)/postgresql postgresql.ign |
|||
fcos.ign: $(TOP_LEVEL_DIR)/postgresql/postgresql.ign |
|||
|
|||
test: uninstall clean install |
|||
@run() { echo $$*; "$$@"; }; \
|
|||
echo "Running Nextcloud tests..."; \
|
|||
set -Eeuo pipefail; \
|
|||
source config/config.env; \
|
|||
echo "Uploading file..."; \
|
|||
run curl -X PUT -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" --data-binary @tests/witness.txt "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt"; \
|
|||
echo "Verifying file upload..."; \
|
|||
run curl -X GET -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt" -o /tmp/witness.txt; \
|
|||
if run cmp -s tests/witness.txt /tmp/witness.txt ; then \
|
|||
echo "File upload verified successfully!"; \
|
|||
else \
|
|||
echo "File upload verification failed!"; \
|
|||
exit 1; \
|
|||
fi |
|||
|
|||
@ -0,0 +1,47 @@ |
|||
## |
|||
## Nextcloud Configuration Environment Variables |
|||
## |
|||
|
|||
# Nextcloud domain configuration |
|||
NEXTCLOUD_TRUSTED_DOMAINS=localhost |
|||
OVERWRITEHOST=localhost |
|||
OVERWRITEPROTOCOL=http |
|||
OVERWRITECLIURL=http://localhost |
|||
|
|||
# Nextcloud admin credentials |
|||
NEXTCLOUD_ADMIN_USER=admin |
|||
NEXTCLOUD_ADMIN_PASSWORD=nextcloud |
|||
|
|||
# Nextcloud server info token |
|||
NEXTCLOUD_SERVERINFO_TOKEN=S3cr3t! |
|||
|
|||
# SMTP configuration |
|||
#SMTP_HOST=smtp.gmail.com |
|||
#SMTP_NAME=bogus |
|||
#SMTP_PASSWORD=REDACTED |
|||
#SMTP_SECURE=tls |
|||
#SMTP_PORT=587 |
|||
#SMTP_AUTHTYPE=LOGIN |
|||
#MAIL_FROM_ADDRESS=user@itix.fr |
|||
#MAIL_DOMAIN=itix.fr |
|||
|
|||
# Database configuration |
|||
POSTGRES_HOST=localhost |
|||
POSTGRES_DB=nextcloud |
|||
POSTGRES_USER=nextcloud |
|||
POSTGRES_PASSWORD=nextcloud |
|||
|
|||
# Redis configuration |
|||
REDIS_HOST=localhost |
|||
REDIS_HOST_PORT=6379 |
|||
REDIS_HOST_PASSWORD=nextcloud |
|||
|
|||
# PHP configuration |
|||
PHP_MEMORY_LIMIT=512M |
|||
PHP_UPLOAD_LIMIT=10G |
|||
|
|||
# Nextcloud configuration |
|||
NEXTCLOUD_UPDATE=0 |
|||
NEXTCLOUD_TABLE_PREFIX= |
|||
NEXTCLOUD_DATA_DIR=/var/www/html/data |
|||
NEXTCLOUD_INIT_HTACCESS=1 |
|||
@ -0,0 +1,163 @@ |
|||
worker_processes auto; |
|||
error_log stderr warn; |
|||
|
|||
# Running Nginx as an unprivileged container |
|||
pid /tmp/nginx.pid; |
|||
|
|||
events { |
|||
worker_connections 1024; |
|||
} |
|||
|
|||
http { |
|||
# Running Nginx as an unprivileged container |
|||
proxy_temp_path /tmp/proxy_temp; |
|||
client_body_temp_path /tmp/client_temp; |
|||
fastcgi_temp_path /tmp/fastcgi_temp; |
|||
uwsgi_temp_path /tmp/uwsgi_temp; |
|||
scgi_temp_path /tmp/scgi_temp; |
|||
|
|||
include /etc/nginx/mime.types; |
|||
default_type application/octet-stream; |
|||
|
|||
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
|||
'$status $body_bytes_sent "$http_referer" ' |
|||
'"$http_user_agent" "$http_x_forwarded_for"'; |
|||
|
|||
access_log /var/log/nginx/access.log main; |
|||
|
|||
sendfile on; |
|||
keepalive_timeout 65; |
|||
|
|||
# Do not leak server version in HTTP headers |
|||
server_tokens off; |
|||
|
|||
set_real_ip_from 10.0.0.0/8; |
|||
set_real_ip_from 172.16.0.0/12; |
|||
set_real_ip_from 192.168.0.0/16; |
|||
real_ip_header X-Real-IP; |
|||
|
|||
upstream php-handler { |
|||
server 127.0.0.1:9000; |
|||
} |
|||
|
|||
server { |
|||
listen 80; |
|||
|
|||
# set max upload size |
|||
client_max_body_size 10G; |
|||
fastcgi_buffers 64 4K; |
|||
|
|||
# Enable gzip but do not remove ETag headers |
|||
gzip on; |
|||
gzip_vary on; |
|||
gzip_comp_level 4; |
|||
gzip_min_length 256; |
|||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |
|||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |
|||
|
|||
# HTTP response headers borrowed from Nextcloud `.htaccess` |
|||
add_header Referrer-Policy "no-referrer" always; |
|||
add_header X-Content-Type-Options "nosniff" always; |
|||
add_header X-Download-Options "noopen" always; |
|||
add_header X-Frame-Options "SAMEORIGIN" always; |
|||
add_header X-Permitted-Cross-Domain-Policies "none" always; |
|||
add_header X-Robots-Tag "none" always; |
|||
add_header X-XSS-Protection "1; mode=block" always; |
|||
|
|||
# Remove X-Powered-By, which is an information leak |
|||
fastcgi_hide_header X-Powered-By; |
|||
|
|||
# Path to the root of your installation |
|||
root /var/www/html; |
|||
|
|||
# Specify how to handle directories -- specifying `/index.php$request_uri` |
|||
# here as the fallback means that Nginx always exhibits the desired behaviour |
|||
# when a client requests a path that corresponds to a directory that exists |
|||
# on the server. In particular, if that directory contains an index.php file, |
|||
# that file is correctly served; if it doesn't, then the request is passed to |
|||
# the front-end controller. This consistent behaviour means that we don't need |
|||
# to specify custom rules for certain paths (e.g. images and other assets, |
|||
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus |
|||
# `try_files $uri $uri/ /index.php$request_uri` |
|||
# always provides the desired behaviour. |
|||
index index.php index.html /index.php$request_uri; |
|||
|
|||
# Do not include the hostname and scheme in the redirect URL since it is |
|||
# always wrong in a Kubernetes environment (request received on HTTPS by Traefik |
|||
# and transmitted on HTTP internally). |
|||
absolute_redirect off; |
|||
|
|||
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients |
|||
location = / { |
|||
if ( $http_user_agent ~ ^DavClnt ) { |
|||
return 302 /remote.php/webdav/$is_args$args; |
|||
} |
|||
} |
|||
|
|||
location = /robots.txt { |
|||
allow all; |
|||
log_not_found off; |
|||
access_log off; |
|||
} |
|||
|
|||
# Make a regex exception for `/.well-known` so that clients can still |
|||
# access it despite the existence of the regex rule |
|||
# `location ~ /(\.|autotest|...)` which would otherwise handle requests |
|||
# for `/.well-known`. |
|||
location ^~ /.well-known { |
|||
# The following 6 rules are borrowed from `.htaccess` |
|||
|
|||
location = /.well-known/carddav { return 301 /remote.php/dav/; } |
|||
location = /.well-known/caldav { return 301 /remote.php/dav/; } |
|||
# Anything else is dynamically handled by Nextcloud |
|||
location ^~ /.well-known { return 301 /index.php$uri; } |
|||
|
|||
try_files $uri $uri/ =404; |
|||
} |
|||
|
|||
# Rules borrowed from `.htaccess` to hide certain paths from clients |
|||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } |
|||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } |
|||
|
|||
# Ensure this block, which passes PHP files to the PHP process, is above the blocks |
|||
# which handle static assets (as seen below). If this block is not declared first, |
|||
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` |
|||
# to the URI, resulting in a HTTP 500 error response. |
|||
location ~ \.php(?:$|/) { |
|||
fastcgi_split_path_info ^(.+?\.php)(/.*)$; |
|||
set $path_info $fastcgi_path_info; |
|||
|
|||
try_files $fastcgi_script_name =404; |
|||
|
|||
include fastcgi_params; |
|||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
|||
fastcgi_param PATH_INFO $path_info; |
|||
fastcgi_param HTTPS on; |
|||
|
|||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice |
|||
fastcgi_param front_controller_active true; # Enable pretty urls |
|||
fastcgi_pass php-handler; |
|||
|
|||
fastcgi_intercept_errors on; |
|||
fastcgi_request_buffering off; |
|||
} |
|||
|
|||
location ~ \.(?:css|js|svg|gif)$ { |
|||
try_files $uri /index.php$request_uri; |
|||
expires 6M; # Cache-Control policy borrowed from `.htaccess` |
|||
access_log off; # Optional: Don't log access to assets |
|||
} |
|||
|
|||
location ~ \.woff2?$ { |
|||
try_files $uri /index.php$request_uri; |
|||
expires 7d; # Cache-Control policy borrowed from `.htaccess` |
|||
access_log off; # Optional: Don't log access to assets |
|||
} |
|||
|
|||
location / { |
|||
try_files $uri $uri/ /index.php$request_uri; |
|||
# Optional: Don't log access to other assets |
|||
access_log off; |
|||
} |
|||
} |
|||
} |
|||
@ -0,0 +1,3 @@ |
|||
requirepass nextcloud |
|||
port 6379 |
|||
bind 127.0.0.1 |
|||
@ -0,0 +1,9 @@ |
|||
[www] |
|||
listen = 127.0.0.1:9000 |
|||
|
|||
; As recommended here: https://docs.nextcloud.com/server/15/admin_manual/installation/server_tuning.html |
|||
pm = dynamic |
|||
pm.max_children = 16 |
|||
pm.start_servers = 4 |
|||
pm.min_spare_servers = 2 |
|||
pm.max_spare_servers = 8 |
|||
@ -0,0 +1,8 @@ |
|||
variant: fcos |
|||
version: 1.4.0 |
|||
ignition: |
|||
config: |
|||
merge: |
|||
- local: nextcloud.ign |
|||
- local: postgresql.ign |
|||
- local: local.ign |
|||
@ -0,0 +1,60 @@ |
|||
[Unit] |
|||
Description=Nextcloud PHP-FPM Application |
|||
Documentation=https://hub.docker.com/_/nextcloud/ |
|||
After=network.target nextcloud-redis.service postgresql-server.service |
|||
Requires=nextcloud-redis.service postgresql-server.service |
|||
|
|||
# Require initialization to complete first |
|||
Requires=nextcloud-redis.service |
|||
After=nextcloud-redis.service |
|||
|
|||
# Only start if Nextcloud has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud/config.env |
|||
|
|||
# Start/stop this unit when the target is started/stopped |
|||
PartOf=nextcloud.target |
|||
|
|||
[Container] |
|||
ContainerName=nextcloud-app |
|||
Image=docker.io/library/nextcloud:31-fpm-alpine |
|||
|
|||
# Fix the UID/GID of the PHP-FPM daemon |
|||
User=82:82 |
|||
|
|||
# Network configuration |
|||
Network=host |
|||
AddCapability=CAP_NET_BIND_SERVICE |
|||
|
|||
# Environment variables from secrets and config |
|||
EnvironmentFile=/etc/quadlets/nextcloud/config.env |
|||
|
|||
# Volume mounts |
|||
Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z |
|||
Volume=/var/lib/quadlets/nextcloud/config/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z |
|||
Volume=/var/lib/quadlets/nextcloud/config/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z |
|||
|
|||
# Health check (equivalent to readiness probe) |
|||
HealthCmd=nc -z localhost 9000 |
|||
HealthInterval=30s |
|||
HealthTimeout=10s |
|||
HealthStartPeriod=60s |
|||
HealthRetries=3 |
|||
|
|||
[Service] |
|||
Restart=always |
|||
RestartSec=10 |
|||
TimeoutStartSec=600 |
|||
TimeoutStopSec=30 |
|||
|
|||
# Skaffold filesystem + fix permissions |
|||
ExecStartPre=/bin/bash -Eeuo pipefail -c 'install -m 0700 -o 82 -g 82 /etc/quadlets/nextcloud/www.conf /var/lib/quadlets/nextcloud/config/www.conf ; \ |
|||
install -m 0700 -o 82 -g 82 /etc/quadlets/nextcloud/redis-session.ini /var/lib/quadlets/nextcloud/config/redis-session.ini' |
|||
|
|||
# Wait for PostgreSQL to be ready on localhost |
|||
ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1' |
|||
|
|||
# Wait for Redis to be ready on localhost |
|||
ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/6379; then echo "Waiting for Redis to be available..."; sleep 5; else exit 0; fi; done; exit 1' |
|||
|
|||
[Install] |
|||
WantedBy=nextcloud.target |
|||
@ -0,0 +1,42 @@ |
|||
[Unit] |
|||
Description=Nextcloud Nginx Reverse Proxy |
|||
Documentation=https://hub.docker.com/r/nginxinc/nginx-unprivileged/ |
|||
After=network.target nextcloud-app.service |
|||
Requires=nextcloud-app.service |
|||
|
|||
# Only start if Nextcloud has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud/config.env |
|||
|
|||
# Start/stop this unit when the target is started/stopped |
|||
PartOf=nextcloud.target |
|||
|
|||
[Container] |
|||
ContainerName=nextcloud-nginx |
|||
Image=docker.io/nginxinc/nginx-unprivileged:1.20-alpine |
|||
|
|||
# Network configuration |
|||
Network=host |
|||
AddCapability=CAP_NET_BIND_SERVICE |
|||
|
|||
# Run with the same UID/GID as PHP-FPM |
|||
User=82:82 |
|||
|
|||
# Volume mounts |
|||
Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z |
|||
Volume=/etc/quadlets/nextcloud/nginx.conf:/etc/nginx/nginx.conf:ro |
|||
|
|||
# Health check (equivalent to readiness probe) |
|||
HealthCmd=curl -sSfL http://localhost/status.php |
|||
HealthInterval=30s |
|||
HealthTimeout=10s |
|||
HealthStartPeriod=30s |
|||
HealthRetries=3 |
|||
|
|||
[Service] |
|||
Restart=always |
|||
RestartSec=5 |
|||
TimeoutStartSec=300 |
|||
TimeoutStopSec=30 |
|||
|
|||
[Install] |
|||
WantedBy=nextcloud.target |
|||
@ -0,0 +1,43 @@ |
|||
[Unit] |
|||
Description=Redis Cache for Nextcloud |
|||
Documentation=https://redis.io/ |
|||
After=network.target |
|||
|
|||
# Only start if Nextcloud has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud/config.env |
|||
|
|||
# Start/stop this unit when the target is started/stopped |
|||
PartOf=nextcloud.target |
|||
|
|||
[Container] |
|||
ContainerName=nextcloud-redis |
|||
Image=docker.io/library/redis:8-alpine |
|||
|
|||
# Network configuration |
|||
Network=host |
|||
|
|||
# Redis configuration with authentication |
|||
Exec=redis-server /usr/local/etc/redis/redis.conf |
|||
|
|||
# Environment variables |
|||
Environment=REDISCLI_AUTH=${REDIS_HOST_PASSWORD} |
|||
|
|||
# Volume mounts for data persistence |
|||
Volume=/var/lib/quadlets/nextcloud/redis:/data:Z |
|||
Volume=/etc/quadlets/nextcloud/redis.conf:/usr/local/etc/redis/redis.conf:ro |
|||
|
|||
# Health check |
|||
HealthCmd=redis-cli ping -t 5 | grep -q PONG |
|||
HealthInterval=30s |
|||
HealthTimeout=5s |
|||
HealthStartPeriod=10s |
|||
HealthRetries=3 |
|||
|
|||
[Service] |
|||
Restart=always |
|||
RestartSec=5 |
|||
TimeoutStartSec=300 |
|||
TimeoutStopSec=30 |
|||
|
|||
[Install] |
|||
WantedBy=nextcloud.target |
|||
@ -0,0 +1,13 @@ |
|||
[Unit] |
|||
Description=Nextcloud Service Target |
|||
Documentation=man:systemd.target(5) |
|||
Requires=postgresql.target nextcloud-redis.service nextcloud-app.service nextcloud-nginx.service |
|||
After=postgresql.target nextcloud-redis.service nextcloud-app.service nextcloud-nginx.service |
|||
|
|||
# Allow isolation - can stop/start this target independently |
|||
AllowIsolate=yes |
|||
# Only start if Nextcloud has been configured |
|||
ConditionPathExists=/etc/quadlets/nextcloud/config.env |
|||
|
|||
[Install] |
|||
WantedBy=multi-user.target |
|||
@ -0,0 +1 @@ |
|||
I'm a test file! |
|||
@ -0,0 +1,7 @@ |
|||
variant: fcos |
|||
version: 1.4.0 |
|||
ignition: |
|||
config: |
|||
merge: |
|||
- local: nginx.ign |
|||
- local: local.ign |
|||
@ -0,0 +1,5 @@ |
|||
-- Initialization script for Nextcloud database and user |
|||
CREATE USER nextcloud WITH PASSWORD 'nextcloud'; |
|||
CREATE DATABASE nextcloud OWNER nextcloud; |
|||
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; |
|||
ALTER ROLE nextcloud SET client_encoding TO 'utf8'; |
|||
@ -0,0 +1,7 @@ |
|||
variant: fcos |
|||
version: 1.4.0 |
|||
ignition: |
|||
config: |
|||
merge: |
|||
- local: postgresql.ign |
|||
- local: local.ign |
|||
Loading…
Reference in new issue