rootless nextcloud aio install working

2025-03-24 15:38:38 -04:00
parent 3865e64b19
commit e30db947b0
3 changed files with 308 additions and 175 deletions
--- a/docker/graduated/nextcloud/nextcloud-aio.md
+++ b/docker/graduated/nextcloud/nextcloud-aio.md
@@ -1,171 +0,0 @@
-# Nextcloud AIO
-
- [Nextcloud AIO](#nextcloud-aio)
-  - [Setup](#setup)
-  - [Install Docker](#install-docker)
-    - [IPV6](#ipv6)
-    - [Install](#install)
-  - [Backups](#backups)
-  - [Maintenace Mode](#maintenace-mode)
-  - [Trusted Proxy](#trusted-proxy)
-  - [Default phone region](#default-phone-region)
-  - [Adding existing files](#adding-existing-files)
-  - [Theming](#theming)
-  - [Changing the domain](#changing-the-domain)
-  - [Uninstall](#uninstall)
-  - [Edit QCOW](#edit-qcow)
-  - [Stuck in login screen](#stuck-in-login-screen)
-
-<https://github.com/nextcloud/all-in-one>
-
-## Setup
-
-## Install Docker
-
-<https://docs.docker.com/engine/install/fedora/#set-up-the-repository>
-
-### IPV6
-
-```bash
-cat <<EOF > /etc/docker/daemon.json
-{
-  "ipv6": true,
-  "fixed-cidr-v6": "fd12:3456:789a:1::/64",
-  "experimental": true,
-  "ip6tables": true
-}
-EOF
-systemctl restart docker
-systemctl enable --now docker
-```
-
-```bash
-# Enable IPV6
-docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio
-```
-
-### Install
-
-```bash
-# Default
-# Note: this puts all your nextcloud data in /nextcloud
-docker run \
-d \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--env NEXTCLOUD_DATADIR="/nextcloud" \
--env NEXTCLOUD_MEMORY_LIMIT=8192M \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
-nextcloud/all-in-one:latest
-
-# Reverse Proxy
-docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING="::" \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--env NEXTCLOUD_MEMORY_LIMIT=8192M \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
-nextcloud/all-in-one:latest
-```
-
-## Backups
-
-IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
-If you used a repokey mode, the key is stored in the repo, but you should back it up separately.
-Use "borg key export" to export the key, optionally in printable format.
-Write down the passphrase. Store both at safe place(s).
-
-```bash
-docker exec nextcloud-aio-borgbackup borg key export /mnt/borgbackup/borg/
-```
-
-## Maintenace Mode
-
-```bash
-docker stop nextcloud-aio-apache
-docker exec -it -u www-data nextcloud-aio-nextcloud ./occ maintenance:mode --on
-
-docker start nextcloud-aio-apache
-docker exec -it -u www-data nextcloud-aio-nextcloud ./occ maintenance:mode --off
-```
-
-## Trusted Proxy
-
-If running with a reverse proxy.
-
-```bash
-docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set trusted_proxies 2 --value="10.1.0.0/16"
-docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set trusted_proxies 3 --value="fd00:fd41:d0f1:1010::/64"
-```
-
-## Default phone region
-
-```bash
-docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="US"
-```
-
-## Adding existing files
-
-```bash
-docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --path=ducoterra/files
-```
-
-## Theming
-
-Red: `#B30000`
-
-## Changing the domain
-
-```bash
-docker run -it --rm --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config:rw alpine sh -c "apk add --no-cache nano && nano /mnt/docker-aio-config/data/configuration.json"
-```
-
-## Uninstall
-
-```bash
-docker stop $(docker ps -a -q)
-docker container prune
-
-# DANGER ZONE
-# This deletes all your data
-docker volume prune -a -f
-```
-
-defaults,_netdev,x-systemd.requires=iscsid.service   0      1
-
-## Edit QCOW
-
-```bash
-sudo modprobe nbd
-sudo qemu-nbd -c /dev/nbd0 --read-only /path/to/image.qcow2
-udisksctl mount -b /dev/nbd0p1
-```
-
-## Stuck in login screen
-
-Check logs at `/var/www/html/data/nextcloud.log` in `nextcloud-aio-nextcloud` container.
-
-Sometimes this is caused by a broken app or twofactor. try:
-
-```bash
-# Disable two factor
-./occ twofactorauth:state <user>
-./occ twofactorauth:disable <user> totp
-```
-
-```bash
-# Disable problem app
-./occ app:disable integration_openai
-```
--- a/infrastructure/graduated/fedora/fedora-server.md
+++ b/infrastructure/graduated/fedora/fedora-server.md
@@ -2,6 +2,7 @@

 - [Fedora Server](#fedora-server)
  - [Installation](#installation)
+  - [Resize logical volume](#resize-logical-volume)
  - [Setup SSH](#setup-ssh)
  - [DNF](#dnf)
  - [Fail2Ban](#fail2ban)
@@ -9,6 +10,7 @@
  - [Disable Swap](#disable-swap)
  - [Selinux](#selinux)
  - [Firewalld](#firewalld)
+  - [Docker with Podman as Runtime](#docker-with-podman-as-runtime)
  - [Extras](#extras)
  - [Downgrading Kernel](#downgrading-kernel)

@@ -21,10 +23,19 @@ and the operator will store information about each server.

 ## Installation

-1. Make sure to use `custom` disk partitioner and select `btrfs`.
-2. Create an administrator. We'll give ssh root access later, but this gives you a cockpit user.
-3. Ensure IPV6 connection is set to "eui64".
-4. Set hostname
+1. Create an administrator. We'll give ssh root access later, but this gives you a cockpit user.
+2. Ensure IPV6 connection is set to "eui64".
+3. Set hostname
+
+## Resize logical volume
+
+```bash
+# Replace /dev/sda2 with whatever your disks are
+# This assumes xfs
+pvresize /dev/sda2
+lvextend /dev/mapper/root -l+100%FREE
+xfs_growfs -d /dev/mapper/root
+```

 ## Setup SSH

@@ -167,6 +178,19 @@ firewall-cmd --permanent --zone=public --add-port=9090/tcp
 firewall-cmd --reload
 ```

+## Docker with Podman as Runtime
+
+Note, you'll need to ssh into the server as the user in order to start the user's systemd session.
+
+```bash
+sudo dnf install podman docker docker-compose
+sudo loginctl enable-linger 1000 # Or whatever user
+
+systemctl --user enable --now podman.socket
+docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
+docker context use podman
+```
+
 ## Extras

 On the server:
@@ -182,6 +206,12 @@ dnf install -y glances
 dnf install -y zsh zsh-autosuggestions zsh-syntax-highlighting

 cat <<EOF > ~/.zshrc
+# History
+HISTFILE=~/.zsh_history
+HISTSIZE=10000
+SAVEHIST=10000
+setopt appendhistory
+
 # Basic settings
 autoload bashcompinit && bashcompinit
 autoload -U compinit; compinit
--- a/podman/graduated/nextcloud/nextcloud-aio.md
+++ b/podman/graduated/nextcloud/nextcloud-aio.md
@@ -0,0 +1,274 @@
+# Nextcloud AIO
+
+- [Nextcloud AIO](#nextcloud-aio)
+  - [Install with Rootless Podman](#install-with-rootless-podman)
+    - [Create the nextcloud user](#create-the-nextcloud-user)
+    - [Install Podman](#install-podman)
+    - [Install Caddy](#install-caddy)
+    - [Create the container autostart service](#create-the-container-autostart-service)
+    - [Install Nextcloud](#install-nextcloud)
+  - [Backups](#backups)
+  - [Maintenace Mode](#maintenace-mode)
+  - [Trusted Proxy](#trusted-proxy)
+  - [Default phone region](#default-phone-region)
+  - [Adding existing files](#adding-existing-files)
+  - [Theming](#theming)
+  - [Changing the domain](#changing-the-domain)
+  - [Uninstall](#uninstall)
+  - [Edit QCOW](#edit-qcow)
+  - [Stuck in login screen](#stuck-in-login-screen)
+  - [Freezing after working for a bit](#freezing-after-working-for-a-bit)
+    - [Out of disk space](#out-of-disk-space)
+    - [Redis can't dump its DB](#redis-cant-dump-its-db)
+
+<https://github.com/nextcloud/all-in-one>
+
+## Install with Rootless Podman
+
+Roughly taken from <https://github.com/nextcloud/all-in-one/discussions/3487>
+
+This has been tested working on Fedora 41 with selinux and firewalld enabled.
+
+### Create the nextcloud user
+
+```bash
+sudo useradd nextcloud
+sudo loginctl enable-linger nextcloud
+```
+
+### Install Podman
+
+```bash
+# As admin user
+sudo dnf install podman
+sudo loginctl enable-linger 1001 # Or whatever user nextcloud is
+
+# Now SSH into the server as the nextcloud user
+systemctl --user enable podman-restart
+systemctl --user enable --now podman.socket
+```
+
+### Install Caddy
+
+As root
+
+```bash
+mkdir /etc/caddy
+vim /etc/caddy/Caddyfile
+```
+
+Caddy will automatically provision certificates if the server DNS points to the correct IP
+and is accessible on the ports specifified. All you need to do is put `https` in the caddy conf.
+
+```conf
+https://nextcloud.reeseapps.com:443 {
+    reverse_proxy 127.0.0.1:11000
+}
+
+https://nextcloud.reeseapps.com:8443 {
+    reverse_proxy 127.0.0.1:11001 {
+        transport http {
+            tls_insecure_skip_verify
+        }
+    }
+}
+```
+
+```bash
+vim /etc/containers/systemd/caddy.container
+```
+
+```conf
+[Unit]
+Description=Caddy
+
+[Container]
+AddCapability=NET_ADMIN
+ContainerName=caddy
+Image=caddy
+Network=host
+SecurityLabelDisable=true
+Volume=/etc/caddy:/etc/caddy
+Volume=caddy_data:/data
+Volume=caddy_config:/config
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target
+```
+
+```bash
+systemctl daemon-reload
+systemctl start caddy
+```
+
+### Create the container autostart service
+
+As the nextcloud user.
+
+`systemctl --user edit podman-restart.service`
+
+```conf
+[Service]
+ExecStart=
+ExecStart=/usr/bin/podman $LOGGING start --all --filter restart-policy=always --filter restart-policy=unless-stopped
+ExecStop=
+ExecStop=/bin/sh -c '/usr/bin/podman $LOGGING stop $(/usr/bin/podman container ls --filter restart-policy=always --filter restart-policy=unless-stopped -q)'
+```
+
+```bash
+systemctl --user daemon-reload
+systemctl --user enable podman-restart
+```
+
+### Install Nextcloud
+
+`vim ~/.config/containers/systemd/nextcloud-aio-mastercontainer.container`
+
+```conf
+[Unit]
+Description=Nextcloud AIO Master Container
+Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
+After=local-fs.target
+Requires=podman.socket
+
+[Container]
+ContainerName=nextcloud-aio-mastercontainer
+Image=docker.io/nextcloud/all-in-one:latest
+PublishPort=127.0.0.1:11001:8080
+Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+Volume=/run/user/1001/podman/podman.sock:/var/run/docker.sock:Z
+Network=bridge
+SecurityLabelDisable=true
+
+Environment=APACHE_PORT=11000
+Environment=APACHE_IP_BINDING=127.0.0.1
+Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1001/podman/podman.sock
+Environment=NEXTCLOUD_DATADIR="/home/nextcloud/nextcloud_data"
+Environment=SKIP_DOMAIN_VALIDATION=true
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target default.target
+```
+
+```bash
+systemctl --user daemon-reload
+systemctl --user start nextcloud-aio-mastercontainer
+```
+
+## Backups
+
+IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
+If you used a repokey mode, the key is stored in the repo, but you should back it up separately.
+Use "borg key export" to export the key, optionally in printable format.
+Write down the passphrase. Store both at safe place(s).
+
+```bash
+docker exec nextcloud-aio-borgbackup borg key export /mnt/borgbackup/borg/
+```
+
+## Maintenace Mode
+
+```bash
+docker stop nextcloud-aio-apache
+docker exec -it -u www-data nextcloud-aio-nextcloud ./occ maintenance:mode --on
+
+docker start nextcloud-aio-apache
+docker exec -it -u www-data nextcloud-aio-nextcloud ./occ maintenance:mode --off
+```
+
+## Trusted Proxy
+
+If running with a reverse proxy.
+
+```bash
+docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set trusted_proxies 2 --value="10.1.0.0/16"
+docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set trusted_proxies 3 --value="fd00:fd41:d0f1:1010::/64"
+```
+
+## Default phone region
+
+```bash
+docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="US"
+```
+
+## Adding existing files
+
+```bash
+docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --path=ducoterra/files
+```
+
+## Theming
+
+Red: `#B30000`
+
+## Changing the domain
+
+```bash
+docker run -it --rm --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config:rw alpine sh -c "apk add --no-cache nano && nano /mnt/docker-aio-config/data/configuration.json"
+```
+
+## Uninstall
+
+```bash
+docker stop $(docker ps -a -q)
+docker container prune
+
+# DANGER ZONE
+# This deletes all your data
+docker volume prune -a -f
+```
+
+defaults,_netdev,x-systemd.requires=iscsid.service   0      1
+
+## Edit QCOW
+
+```bash
+sudo modprobe nbd
+sudo qemu-nbd -c /dev/nbd0 --read-only /path/to/image.qcow2
+udisksctl mount -b /dev/nbd0p1
+```
+
+## Stuck in login screen
+
+Check logs at `/var/www/html/data/nextcloud.log` in `nextcloud-aio-nextcloud` container.
+
+Sometimes this is caused by a broken app or twofactor. try:
+
+```bash
+# Disable two factor
+./occ twofactorauth:state <user>
+./occ twofactorauth:disable <user> totp
+```
+
+```bash
+# Disable problem app
+./occ app:disable integration_openai
+```
+
+
+## Freezing after working for a bit
+
+### Out of disk space
+
+This can happen when nextcloud tries to write logs to its volume and doesn't have enough space
+
+```bash
+podman exec -it nextcloud-aio-nextcloud bash
+df -h .
+```
+
+### Redis can't dump its DB
+
+This can happen when the redis volume doesn't have the correct permissions
+
+```bash
+podman exec -it --user root nextcloud-aio-redis bash
+ls -lah /data
+chown redis:redis /data
+```