API tools faq
paste
WEDC

Nextcloud:fpm-alpine Rootless

WEDC
Mar 3rd, 2024 (edited)
42
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 7.38 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env bash
  2. # -*- coding: utf-8 -*-
  3. # shellcheck disable=SC1083
  4.  
  5. # Dependencies
  6. zypper in -y podman systemd-container
  7.  
  8. # NAMES
  9. USER_NAME="cloud"
  10.  
  11. if ! id -u "${USER_NAME}" &>/dev/null; then
  12.     useradd -Uc "${USER_NAME} Daemon" -m "${USER_NAME}"
  13.     loginctl enable-linger "${USER_NAME}"
  14. fi
  15.  
  16. machinectl shell "${USER_NAME}"@
  17.  
  18. ## Container Setup Database
  19. # shellcheck disable=SC2016
  20. cp -R /usr/share/containers "${HOME}"/.config/
  21. sed -i '0,/"journald"/s,,"k8s-file",' "${HOME}"/.config/containers/containers.conf
  22.  
  23. # ================= #
  24. # ===Environment=== #
  25. # ================= #
  26.  
  27. POD_NAME="podCloud"
  28. DB_NAME="pg-cloud"
  29. CLOUDDB_USER=uCloud
  30. CLOUDDB_NAME=nCloud
  31. REDIS_NAME="redis"
  32. CLOUD_NAME="cloud"
  33. CADDY_CONT="caddy"
  34. DOMAIN="example.lan"
  35. VOL="/opt/cloud"
  36. NET="nextcloud"
  37.  
  38. # Use this to reset the installation will remove everything
  39. podman rm -af --volumes && podman secret rm -a && podman volume prune -f && podman unshare rm -rf "${HOME}".enc/ /opt/cloud/* && podman network rm ${NET}
  40.  
  41. # =================== #
  42. # ===Miscellaneous=== #
  43. # =================== #
  44.  
  45. # Secret Setup
  46. mkdir -m 700 "${HOME}"/.enc
  47.  
  48. openssl rand -base64 32 | tr -d '\n' >"${HOME}"/.enc/"${DB_NAME}" && podman secret create "${DB_NAME}" "${HOME}"/.enc/"${DB_NAME}"
  49. openssl rand -base64 32 | tr -d '\n' >"${HOME}"/.enc/"${CLOUDDB_USER}" && podman secret create "${CLOUDDB_USER}" "${HOME}"/.enc/"${CLOUDDB_USER}"
  50. openssl rand -base64 128 | tr -d '\n' >"${HOME}"/.enc/"${REDIS_NAME}" && podman secret create "${REDIS_NAME}" "${HOME}"/.enc/"${REDIS_NAME}"
  51.  
  52. PG_SECRET=$(podman secret ls --format {{.ID}} -f NAME="${DB_NAME}")
  53. CLOUDDB_SECRET=$(podman secret ls --format {{.ID}} -f NAME="${CLOUDDB_USER}")
  54. REDIS_SECRET=$(podman secret ls --format {{.ID}} -f NAME="${REDIS_NAME}")
  55.  
  56. # ============= #
  57. # ===Volumes=== #
  58. # ============= #
  59.  
  60. # Cloud Management
  61. folders=(
  62.     "html"
  63.     "config"
  64.     "data"
  65. )
  66.  
  67. paths="${VOL}/cloud"
  68. for d in "${folders[@]}"; do
  69.     if [ ! -d "${paths}/${d}" ]; then
  70.         mkdir -p "${paths}/${d}"
  71.     fi
  72.     podman volume create \
  73.         -o type=none \
  74.         -o device="${paths}/${d}" \
  75.         -o o=bind \
  76.         "${d}"
  77. done
  78.  
  79. # DB Management
  80. folders=(
  81.     "pgdata"
  82.  
  83. )
  84.  
  85. paths="${VOL}/pgdb"
  86. for d in "${folders[@]}"; do
  87.     if [ ! -d "${paths}/${d}" ]; then
  88.         mkdir -p "${paths}/${d}"
  89.     fi
  90.     podman volume create \
  91.         -o type=none \
  92.         -o device="${paths}/${d}" \
  93.         -o o=bind \
  94.         "${d}"
  95. done
  96.  
  97. # Caddy Management
  98. folders=(
  99.     "caddy_data"
  100.     "caddy_config"
  101.     "caddy_etc"
  102.     "caddy_log"
  103. )
  104.  
  105. paths="${VOL}/caddy"
  106. for d in "${folders[@]}"; do
  107.     if [ ! -d "${paths}/${d}" ]; then
  108.         mkdir -p "${paths}/${d}"
  109.     fi
  110.     if ! podman volume inspect "${d}" &>/dev/null; then
  111.         podman volume create \
  112.             -o type=none \
  113.             -o device="${paths}/${d}" \
  114.             -o o=bind \
  115.             "${d}"
  116.     fi
  117. done
  118.  
  119. # ============= #
  120. # ===Network=== #
  121. # ============= #
  122.  
  123. podman network create "${NET}" --subnet 10.0.2.0/24 --gateway 10.0.2.1
  124.  
  125. # =============== #
  126. # ===POD_Cloud=== #
  127. # =============== #
  128.  
  129. podman pod create \
  130.     --replace \
  131.     --restart unless-stopped \
  132.     --network "${NET}" \
  133.     -n "${POD_NAME}" \
  134.     -p 80:80 \
  135.     -v pgdata:/data/postgresql \
  136.     -v html:/var/www/html \
  137.     -v config:/var/www/html/config \
  138.     -v data:/opt/data \
  139.     -v caddy_data:/data \
  140.     -v caddy_config:/config \
  141.     -v caddy_etc:/etc/caddy \
  142.     -v caddy_log:/var/log/caddy
  143.  
  144. # ========================= #
  145. # ===Database_PostgreSQL=== #
  146. # ========================= #
  147.  
  148. podman run -d \
  149.     --pod podCloud \
  150.     --replace \
  151.     --pull=newer \
  152.     --label "io.containers.autoupdate=registry" \
  153.     --restart unless-stopped \
  154.     --name "${DB_NAME}" \
  155.     --secret "${PG_SECRET}" \
  156.     -e PGDATA=/data/postgresql \
  157.     -e POSTGRES_PASSWORD_FILE=/run/secrets/"$(podman secret inspect --format {{.Spec.Name}} "${PG_SECRET}" | grep -vE "^$")" \
  158.     docker.io/postgres:latest
  159.  
  160. # ================= #
  161. # ===Redis Cache=== #
  162. # ================= #
  163.  
  164. podman run -d \
  165.     --pod podCloud \
  166.     --replace \
  167.     --pull=newer \
  168.     --label "io.containers.autoupdate=registry" \
  169.     --restart unless-stopped \
  170.     --name "${REDIS_NAME}" \
  171.     docker.io/redis:alpine redis-server --requirepass "$(podman secret inspect --format {{.SecretData}} --showsecret "${REDIS_SECRET}" | grep -vE "^$")"
  172.  
  173. # =============== #
  174. # ===NextCloud=== #
  175. # =============== #
  176.  
  177. podman run -d \
  178.     --pod podCloud \
  179.     --replace \
  180.     --pull newer \
  181.     --label "io.containers.autoupdate=registry" \
  182.     --restart unless-stopped \
  183.     --name "${CLOUD_NAME}" \
  184.     --secret "${PG_SECRET}" \
  185.     -e POSTGRES_DB=${CLOUDDB_NAME} \
  186.     -e POSTGRES_USER=${CLOUDDB_USER} \
  187.     -e POSTGRES_PASSWORD_FILE=/run/secrets/"$(podman secret inspect --format {{.Spec.Name}} "${PG_SECRET}" | grep -vE "^$")" \
  188.     -e POSTGRES_HOST=localhost \
  189.     -e REDIS_HOST=localhost \
  190.     -e REDIS_HOST_PASSWORD="$(podman secret inspect --format {{.SecretData}} --showsecret "${REDIS_SECRET}" | grep -vE "^$")" \
  191.     -e NEXTCLOUD_DATA_DIR=/opt/data \
  192.     -e NEXTCLOUD_INIT_HTACCESS=true \
  193.     -e NEXTCLOUD_TRUSTED_DOMAINS="cloud.${DOMAIN}, 192.168.1.20, 100.97.21.88" \
  194.     -e OVERWRITEHOST=cloud.${DOMAIN} \
  195.     -e PHP_MEMORY_LIMIT=1024M \
  196.     docker.io/nextcloud:fpm-alpine
  197.  
  198. # ================ #
  199. # ===Rev. Proxy=== #
  200. # ================ #
  201.  
  202. podman run -d \
  203.     --pod podCloud \
  204.     --replace \
  205.     --pull=newer \
  206.     --restart unless-stopped \
  207.     --label "io.containers.autoupdate=registry" \
  208.     --cap-add=NET_ADMIN \
  209.     --name "${CADDY_CONT}" \
  210.     docker.io/caddy:latest
  211.  
  212. # ============================= #
  213. # ===Post-Container Creation=== #
  214. # ============================= #
  215.  
  216. # ===CloudDB_USER User and DB=== #
  217. podman exec -it -u postgres "${DB_NAME}" psql -c "CREATE USER ${CLOUDDB_USER} WITH PASSWORD '$(podman secret inspect --format {{.SecretData}} --showsecret "${CLOUDDB_SECRET}" | grep -vE "^$")';" &&
  218.     podman exec -it -u postgres "${DB_NAME}" psql -c "CREATE DATABASE ${CLOUDDB_NAME} OWNER ${CLOUDDB_USER};" &&
  219.     podman exec -it -u postgres "${DB_NAME}" psql -c "GRANT ALL PRIVILEGES ON DATABASE ${CLOUDDB_NAME} TO ${CLOUDDB_USER};"
  220.  
  221. # ===Caddyfile Setup=== #
  222. cat >"${paths}/${folders[2]}"/Caddyfile <<EOF
  223. {
  224.         auto_https off
  225.         debug
  226.         admin off
  227.         log {
  228.                 format json
  229.                 level DEBUG
  230.         }
  231.         servers {
  232.                 protocols h1 h2
  233.         }
  234. }
  235.  
  236. :80 {
  237.         root * /var/www/html
  238.         file_server
  239.         encode gzip zstd
  240.  
  241.         php_fastcgi cloud:9000
  242.         redir /.well-known/carddav /remote.php/dav 301
  243.         redir /.well-known/caldav /remote.php/dav 301
  244.  
  245.         # .htaccess / data / config / ... shouldn't be accessible from outside
  246.         @forbidden {
  247.                 path /.htaccess
  248.                 path /data/*
  249.                 path /config/*
  250.                 path /db_structure
  251.                 path /.xml
  252.                 path /README
  253.                 path /3rdparty/*
  254.                 path /lib/*
  255.                 path /templates/*
  256.                 path /occ
  257.                 path /console.php
  258.         }
  259.         respond @forbidden 404
  260. }
  261. EOF
  262.  
  263. podman restart "${CADDY_CONT}"
  264.  
  265. # ===NextCloud Setup=== #
  266. podman unshare chown -vR 82:82 /opt/cloud/cloud/data
  267. podman exec -it -u 82 "${CLOUD_NAME}" /var/www/html/occ db:add-missing-indices
  268.  
Tags: podman Nextcloud-Rootless
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!