Hello,
I am setting a rootless environment with caddy for nextcloud:fpm-alpine, with podman, but when I setup the domain/subdomain in the Caddyfile, caddy won’t reach the nextcloud.
when I read the logs, appear empty, it become silent.
next will show how I do the setup:
- Prepare OS environment (Package, User, Lingering):
# Dependencies
zypper in -y podman systemd-container
# Name of the User
USER_NAME="cloud"
# If the User not Exists Create it
if ! id -u "${USER_NAME}" &>/dev/null; then
useradd -Uc "${USER_NAME} Daemon" -m "${USER_NAME}"
loginctl enable-linger "${USER_NAME}"
fi
# Access to the user, this command allow to login to the user with XDG_RUNTIME ready to allow use systemd commands and others. (Is like ssh direct to the user)
machinectl shell "${USER_NAME}"@
- Setup containers.conf to the user
## Container Setup Database
# shellcheck disable=SC2016
cp -R /usr/share/containers "${HOME}"/.config/
# Change the journal driver to a file, becuase i don't want to add the user to *systemd-journald* group
sed -i '0,/"journald"/s,,"k8s-file",' "${HOME}"/.config/containers/containers.conf
- Environment Setup for easy name
POD_NAME="podCloud"
DB_NAME="pg-cloud"
CLOUDDB_USER=ucloud
CLOUDDB_NAME=ncloud
REDIS_NAME="redis"
CLOUD_NAME="cloud"
CADDY_NAME="caddy"
DOMAIN="example.lan"
VOL="/opt/cloud"
NET="nextcloud"
- Secret Setup (Passwords)
mkdir -m 700 "${HOME}"/.enc
openssl rand -base64 32 | tr -d '\n' >"${HOME}"/.enc/"${DB_NAME}" && podman secret create "${DB_NAME}" "${HOME}"/.enc/"${DB_NAME}"
openssl rand -hex 32 | tr -d '\n' >"${HOME}"/.enc/"${CLOUDDB_USER}" && podman secret create "${CLOUDDB_USER}" "${HOME}"/.enc/"${CLOUDDB_USER}"
openssl rand -base64 128 | tr -d '\n' >"${HOME}"/.enc/"${REDIS_NAME}" && podman secret create "${REDIS_NAME}" "${HOME}"/.enc/"${REDIS_NAME}"
PG_SECRET=$(podman secret ls --format {{.ID}} -f NAME="${DB_NAME}")
CLOUDDB_SECRET=$(podman secret ls --format {{.ID}} -f NAME="${CLOUDDB_USER}")
REDIS_SECRET=$(podman secret ls --format {{.ID}} -f NAME="${REDIS_NAME}")
- Volume Management
# Cloud
folders=(
"html"
"config"
"data"
)
paths="${VOL}/${CLOUD_NAME}"
for d in "${folders[@]}"; do
if [ ! -d "${paths}/${d}" ]; then
mkdir -p "${paths}/${d}"
fi
podman volume create \
-o type=none \
-o device="${paths}/${d}" \
-o o=bind \
"${CLOUD_NAME}_${d}"
done
# DB
folders=(
"pgdata"
)
paths="${VOL}/${DB_NAME}"
for d in "${folders[@]}"; do
if [ ! -d "${paths}/${d}" ]; then
mkdir -p "${paths}/${d}"
fi
podman volume create \
-o type=none \
-o device="${paths}/${d}" \
-o o=bind \
"${DB_NAME}_${d}"
done
# Caddy
folders=(
"data"
"config"
"etc"
"log"
)
paths="${VOL}/${CADDY_NAME}"
for d in "${folders[@]}"; do
if [ ! -d "${paths}/${d}" ]; then
mkdir -p "${paths}/${d}"
fi
if ! podman volume inspect "${d}" &>/dev/null; then
podman volume create \
-o type=none \
-o device="${paths}/${d}" \
-o o=bind \
"${CADDY_NAME}_${d}"
fi
done
- Network
podman network create "${NET}" --subnet 10.0.2.0/24 --gateway 10.0.2.1
- POD Creation
podman pod create \
--replace \
--restart unless-stopped \
--network "${NET}" \
-n "${POD_NAME}" \
-p 80:80 \
-v "${DB_NAME}"_pgdata:/data/postgresql \
-v "${CLOUD_NAME}"_html:/var/www/html \
-v "${CLOUD_NAME}"_config:/var/www/html/config \
-v "${CLOUD_NAME}"_data:/opt/data \
-v "${CADDY_NAME}"_data:/data \
-v "${CADDY_NAME}"_config:/config \
-v "${CADDY_NAME}"_etc:/etc/caddy \
-v "${CADDY_NAME}"_log:/var/log/caddy
- Database Container
podman run -d \
--pod podCloud \
--replace \
--pull=newer \
--label "io.containers.autoupdate=registry" \
--restart unless-stopped \
--name "${DB_NAME}" \
--secret "${PG_SECRET}" \
-e PGDATA=/data/postgresql \
-e POSTGRES_PASSWORD_FILE=/run/secret/"$(podman secret inspect --format {{.Spec.Name}} "${PG_SECRET}" | grep -vE "^$")" \
docker.io/postgres:latest
- Redis Container
podman run -d \
--pod podCloud \
--replace \
--pull=newer \
--label "io.containers.autoupdate=registry" \
--restart unless-stopped \
--name "${REDIS_NAME}" \
docker.io/redis:alpine redis-server --requirepass "$(podman secret inspect --format {{.SecretData}} --showsecret "${REDIS_SECRET}" | grep -vE "^$")"
- Nextcloud Container
podman run -d \
--pod podCloud \
--replace \
--pull newer \
--label "io.containers.autoupdate=registry" \
--restart unless-stopped \
--name "${CLOUD_NAME}" \
--secret "${PG_SECRET}" \
-e NEXTCLOUD_DATA_DIR=/opt/data \
-e NEXTCLOUD_INIT_HTACCESS=true \
-e NEXTCLOUD_TRUSTED_DOMAINS="[cloud.${DOMAIN} 192.168.1.20 100.97.21.88 10.0.2.2]" \
-e TRUSTED_PROXIES=10.0.2.0/24 \
-e POSTGRES_DB=${CLOUDDB_NAME} \
-e POSTGRES_USER=${CLOUDDB_USER} \
-e POSTGRES_PASSWORD_FILE=/run/secrets/"$(podman secret inspect --format {{.Spec.Name}} "${PG_SECRET}" | grep -vE "^$")" \
-e POSTGRES_HOST=localhost \
-e REDIS_HOST=localhost \
-e REDIS_HOST_PASSWORD="$(podman secret inspect --format {{.SecretData}} --showsecret "${REDIS_SECRET}" | grep -vE "^$")" \
-e PHP_MEMORY_LIMIT=1024M \
docker.io/nextcloud:fpm-alpine
- Caddy Container
podman run -d \
--pod podCloud \
--replace \
--pull=newer \
--restart unless-stopped \
--label "io.containers.autoupdate=registry" \
--cap-add=NET_ADMIN \
--name "${CADDY_NAME}" \
docker.io/caddy:latest
- Post-Container Setup
- Create Cloud DB User
# ===CloudDB_USER User and DB=== #
podman exec -it -u postgres "${DB_NAME}" psql -c "CREATE USER ${CLOUDDB_USER} WITH PASSWORD '$(podman secret inspect --format {{.SecretData}} --showsecret "${CLOUDDB_SECRET}" | grep -vE "^$")';" &&
podman exec -it -u postgres "${DB_NAME}" psql -c "CREATE DATABASE ${CLOUDDB_NAME} OWNER ${CLOUDDB_USER};" &&
podman exec -it -u postgres "${DB_NAME}" psql -c "GRANT ALL PRIVILEGES ON DATABASE ${CLOUDDB_NAME} TO ${CLOUDDB_USER};"
- CaddyFile
cat >"${paths}/${folders[2]}"/Caddyfile <<EOF
{
auto_https off
debug
admin off
log {
format console
level DEBUG
}
servers {
protocols h1 h2
}
}
:80 {
root * /var/www/html
file_server
encode gzip zstd
php_fastcgi cloud:9000
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# .htaccess / data / config / ... shouldn't be accessible from outside
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
respond @forbidden 404
}
EOF
podman restart "${CADDY_NAME}"
- Fix Permission folder
podman unshare chown -vR 82:82 /opt/cloud/cloud/data