User:Bai-Chiang/Podman setup for nextcloud

From ArchWiki

Installation

Install the podman and aardvark-dns packages.

If using linux-hardened kernel, create

/etc/sysctl.d/unprivileged_user_namespace.conf
kernel.unprivileged_userns_clone=1

to enable kernel.unprivileged_userns_clone (rootless podman needs unprivileged user namespaces), then reboot to apply the change.

Nextcloud

Create a separate user called nextcloud:

# useradd -m nextcloud

Get an interactive shell as nextcloud user:

# machinectl shell nextcloud@

Create directories for nextcloud data and database:

$ mkdir /home/nextcloud/nextcloud
$ mkdir /home/nextcloud/database

Create nextcloud pod

$ podman pod create \
    --replace \
    --userns keep-id:uid=33,gid=33 \
    --publish 127.0.0.1:1180:80 \
    --name nextcloud-pod
  • --userns keep-id:uid=33,gid=33 maps the host nextcloud user to uid 33 and gid 33 (www-data in the nextcloud image) inside the pod, so files the containers write as www-data under /home/nextcloud/nextcloud and /home/nextcloud/database show up owned by the nextcloud user on the host.
  • 127.0.0.1 makes sure the pod only listens on the loopback interface. We will set up a reverse proxy later.
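To see why the keep-id mapping makes container-written files belong to the host nextcloud user (and why the PostgreSQL container below is started with --user 33:33), here is an added example that is not part of the ArchWiki page or of podman: a small shell model of the host-side view of the uid_map that --userns keep-id:uid=33 builds. The host uid, the /etc/subuid range and the uid 70 of the postgres user in the alpine image are assumptions; take the real values from id -u nextcloud and /etc/subuid.

```sh
#!/bin/sh
# Added example, not from the ArchWiki page or from podman: a model of the
# host-side view of the user-namespace mapping that
# `--userns keep-id:uid=33,gid=33` produces, to predict which host uid will own
# a file written by a given container uid. The numbers below are assumptions;
# take yours from `id -u nextcloud` and `grep '^nextcloud:' /etc/subuid`.
HOST_UID=1001          # uid of the host user "nextcloud" (assumed)
SUBUID_START=100000    # /etc/subuid line assumed: nextcloud:100000:65536
SUBUID_COUNT=65536
KEEP_ID=33             # the uid= value passed to keep-id (www-data in the image)

# Print the uid_map keep-id builds, as "container-uid host-uid count" lines:
# uids below KEEP_ID take the first subuids, KEEP_ID is spliced onto the real
# host uid, and everything above it continues in the subuid range.
keep_id_uid_map() {
    printf '%s %s %s\n' 0 "$SUBUID_START" "$KEEP_ID"
    printf '%s %s %s\n' "$KEEP_ID" "$HOST_UID" 1
    printf '%s %s %s\n' $((KEEP_ID + 1)) $((SUBUID_START + KEEP_ID)) $((SUBUID_COUNT - KEEP_ID))
}

# Translate a container uid into the host uid that owns the files it writes.
# Prints "unmapped" and returns 1 for uids outside the subuid range.
container_to_host_uid() {
    cuid=$1
    if [ "$cuid" -eq "$KEEP_ID" ]; then
        echo "$HOST_UID"
    elif [ "$cuid" -lt "$KEEP_ID" ]; then
        echo $((SUBUID_START + cuid))
    elif [ "$cuid" -le "$SUBUID_COUNT" ]; then
        echo $((SUBUID_START + cuid - 1))
    else
        echo unmapped
        return 1
    fi
}

echo "uid_map (container host count):"
keep_id_uid_map
# www-data in the nextcloud image is uid 33, so its files belong to nextcloud on the host.
echo "container uid 33 -> host uid $(container_to_host_uid 33)"
# Root inside a container (uid 0) lands on the first subuid, not on nextcloud.
echo "container uid 0  -> host uid $(container_to_host_uid 0)"
# The postgres user built into the alpine image is uid 70 (assumed); without
# --user 33:33 the database files would be owned by this subuid instead.
echo "container uid 70 -> host uid $(container_to_host_uid 70)"
```

On the real system, podman top nextcloud user huser prints the container user next to the host user for each process, and ls -ln /home/nextcloud/nextcloud shows the numeric owners the model predicts.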

Attach PostgreSQL container to the pod

$ podman run \
    --pod=nextcloud-pod \
    --rm \
    --detach \
    --replace \
    --label io.containers.autoupdate=registry \
    --name=postgres \
    --user 33:33 \
    --volume /home/nextcloud/database:/var/lib/postgresql/data:Z \
    --env POSTGRES_DB=nextcloud \
    --env POSTGRES_USER=nextcloud \
    --env POSTGRES_PASSWORD=nextcloud_database_password \
    docker.io/library/postgres:15-alpine
  • --rm automatically removes the container when it exits.
  • If another container with the same name already exists, --replace removes it and replaces it with the new one.
  • --label io.containers.autoupdate=registry lets podman-auto-update(1) update the container automatically.
  • Replace nextcloud_database_password with a real password. Anything passed with --env is visible afterwards through podman inspect, and the command line ends up in the shell history, so treat both accordingly.

Attach redis container to the pod

$ podman run \
    --pod=nextcloud-pod \
    --rm \
    --detach \
    --replace \
    --label io.containers.autoupdate=registry \
    --name=redis \
    docker.io/library/redis:alpine

Attach nextcloud container to the pod

$ podman run \
    --pod=nextcloud-pod \
    --rm \
    --detach \
    --replace \
    --label io.containers.autoupdate=registry \
    --name=nextcloud \
    --sysctl net.ipv4.ip_unprivileged_port_start=80 \
    --volume /home/nextcloud/nextcloud:/var/www/html:Z \
    --env POSTGRES_HOST=localhost \
    --env POSTGRES_DB=nextcloud \
    --env POSTGRES_USER=nextcloud \
    --env POSTGRES_PASSWORD=nextcloud_database_password \
    --env REDIS_HOST=localhost \
    --env TRUSTED_PROXIES=10.0.2.100 \
    docker.io/library/nextcloud:latest
  • TRUSTED_PROXIES=10.0.2.100 is for the reverse proxy we will set up later. With the default rootless port handler (rootlesskit), every connection forwarded into the pod appears to come from 10.0.2.100, so that is the address Nextcloud must trust before it honours X-Forwarded-For. If you use a different rootless network backend, check the source address in the nextcloud container's access log instead of assuming it.
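Why the trusted proxy list must be exactly the proxy's address and nothing wider is easiest to see with a small model of the decision. The following is an added example and not Nextcloud's code: a simplified shell model in which an X-Forwarded-For header is honoured only when the TCP peer is a trusted proxy. The client and LAN addresses are constructed; the proxy address 10.0.2.100 is the one from the podman run above.

```sh
#!/bin/sh
# Added example; not Nextcloud's code but a simplified model of how a
# reverse-proxy-aware application chooses the client address. It shows why
# TRUSTED_PROXIES must name exactly the address the proxy connects from
# (10.0.2.100 with the rootlesskit port handler) and nothing wider: an
# X-Forwarded-For header is only honoured when the TCP peer is trusted.
# Addresses below are constructed (203.0.113.0/24 is documentation space).

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if IPv4 address $1 lies inside $2, given as a plain address or CIDR.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32            # no "/": exact address
    [ "$bits" -eq 0 ] && return 0            # /0 matches everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# True if $1 matches any entry of the space separated list $2.
is_trusted_proxy() {
    for entry in $2; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# Print the address to treat as the client.
#   $1 REMOTE_ADDR (the TCP peer), $2 X-Forwarded-For value (may be empty),
#   $3 trusted proxy list. The header is used only when the peer is a trusted
#   proxy; its first entry is taken, which assumes the proxy overwrites rather
#   than appends the header (otherwise that entry is client controlled).
client_ip() {
    if is_trusted_proxy "$1" "$3" && [ -n "$2" ]; then
        printf '%s\n' "${2%%,*}" | tr -d ' '
    else
        printf '%s\n' "$1"
    fi
}

TRUSTED=10.0.2.100   # the value given to TRUSTED_PROXIES above
# Genuine request through the proxy: header honoured.
echo "via proxy:       $(client_ip 10.0.2.100 '203.0.113.7' "$TRUSTED")"
# Direct connection from another host carrying a forged header: header ignored.
echo "forged header:   $(client_ip 192.168.1.50 '203.0.113.7' "$TRUSTED")"
# Over-wide setting: now any peer can pick its own client address.
echo "trust 0.0.0.0/0: $(client_ip 192.168.1.50 '203.0.113.7' 0.0.0.0/0)"
```

The last case is the one to avoid: a trusted range that also covers hosts other than the proxy lets those hosts forge the client address that ends up in Nextcloud's brute-force protection and logs. Also make sure the proxy replaces any incoming X-Forwarded-For header rather than appending to it.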

Attach another nextcloud container to the pod (for cron jobs)

$ podman run \
    --pod=nextcloud-pod \
    --rm \
    --detach \
    --replace \
    --label io.containers.autoupdate=registry \
    --name=nextcloud-cron \
    --volume /home/nextcloud/nextcloud:/var/www/html:Z \
    --entrypoint /cron.sh \
    docker.io/library/nextcloud:latest

Finish initial setup for nextcloud

Use a browser to connect to port 1180 and set up the admin account. If Nextcloud runs on the local machine, open http://localhost:1180 directly. More likely it runs on a remote server; since nextcloud-pod only listens on loopback, forward local port 1180 to the server over an SSH tunnel with ssh -N -L 1180:localhost:1180 your_server_address, then open http://localhost:1180.

Generate nextcloud systemd service files

$ mkdir -p /home/nextcloud/.config/systemd/user/
$ cd /home/nextcloud/.config/systemd/user/

To generate systemd/user unit files for the pod and each of its containers:

$ podman generate systemd \
    --new \
    --name \
    --no-header \
    --restart-policy=on-failure \
    --container-prefix= \
    --pod-prefix= \
    --files \
    nextcloud-pod