nextcloud-previews/PODMAN.md

## Running with `podman kube play`

The following YAML can be used to launch a pod with Nextcloud-previews, 
PostgreSQL, Redis, ClamAV and another Nextcloud-previews container for cron jobs.
The YAML is also under the `examples` folder, along with the default ClamAV configuration.

A separate reverse proxy is the simplest option for SSL.

### Setup

Copy the YAML to a file on the host.

Change the variables in the beginning and the hostPath.path fields (marked with comments)
to match your environment. The example values would:
- Have all host mounts under `/path/to/nextcloud`
  - `/path/to/nextcloud/app` containing all Nextcloud data
  - `/path/to/nextcloud/clamav-config` containing ClamAV configuration
  - `/path/to/nextcloud/redis` containing the Redis db dump, used to persist cache between restarts (login sessions, etc.)
- Named volumes for `nextcloud-psql` and `clamav-db` for PostgreSQL and ClamAV databases
- Expose the Apache HTTP port on host port 8082

You need to create the directories for persistent data manually.
The ClamAV container requires configuration files present in the config directory, others populate the host directory
automatically if empty.

If using SELinux, change the context type of the folders
to `container_file_t` with `sudo chcon -t container_file_t /path/to/nextcloud`.

### Running

Pull the images and start the the pod with the command
```
podman kube play /path/to/nextcloud-podman.yaml
```
It may be a good idea to always add `--replace` argument to the start command so an existing pod is replaced.
The command will fail without it if a pod with the same name already exists.

Podman automatically pulls the images when using `kube play`

- Stop the pod with `podman kube play /path/to/nextcloud-podman.yaml --down`
- Restart, re-pull and recreate all containers with `podman kube play /path/to/nextcloud-podman.yaml --replace`

### Cloudflare tunnel (optional)
In the end there's a container for Cloudflare tunnel. To use a CF tunnel, create a tunnel in the CF dashboard,
point the tunnel to `http://localhost:8082`, uncomment the section and
insert your token as the last argument for the container CMD, for example:

```
...
   args:
   - tunnel
   - --no-autoupdate
   - run
   - --token
   - asdfghjklqwertyuiop1234567890
```


### Run as service
[See SYSTEMD.md](SYSTEMD.md)

YAML:
```
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
data:
    POSTGRES_USER: nextcloud
    POSTGRES_DB: nextcloud
    POSTGRES_PASSWORD: supersecretPassw0rd
    NEXTCLOUD_ADMIN_USER: administrator
    NEXTCLOUD_ADMIN_PASSWORD: adminPassw0rd
    NEXTCLOUD_TRUSTED_DOMAINS: cloud.example.com 192.168.123.22
    REDIS_HOST: 127.0.0.1
    REDIS_PORT: 6379
    TZ: Europe/Helsinki
    ## Optionally tweak these ##
    PHP_MEMORY_LIMIT: 3G
    PHP_UPLOAD_LIMIT: 10G
    
---
apiVersion: v1
kind: Pod
metadata:
  name: nextcloud
  creationTimestamp: "2022-05-25T09:38:11Z"
  labels:
    app: nextcloud
  annotations:
spec:
  volumes:
  - hostPath:
      path: /path/to/nextcloud/clamav-config    ## Path of mounted ClamAV configuration directory on host ##
      type: Directory
    name: clamav-config-host-1
  - hostPath:
      path: /path/to/nextcloud/app              ## Path of mounted web root on host (/var/www/nextcloud) on host ##
      type: Directory
    name: nextcloud-app-host-0
  - hostPath:
      path: /path/to/nextcloud/redis            ## Path of mounted Redis db dump directory on host ##
      type: Directory
    name: nextcloud-redis-host-0
  - name: clamav-db
    persistentVolumeClaim:
      claimName: clamav-db
  - name: nextcloud-psql
    persistentVolumeClaim:
      claimName: nextcloud-psql
  containers:

  - name: clamav
    image: docker.io/clamav/clamav:latest
    # image: ghcr.io/0ranki/clamav-docker-arm64:v1.1.0      ## ClamAV ARM64 image (e.g. Raspberry Pi 4)
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/lib/clamav
      name: clamav-db
    - mountPath: /etc/clamav
      name: clamav-config-host-1

  - name: redis
    image: docker.io/library/redis:alpine
    args:
    - redis-server
    - --save
    - 60
    - 1
    - --loglevel
    - warning
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /data
      name: nextcloud-redis-host-0

  - name: psql
    image: docker.io/postgres:14-alpine
    args:
    - postgres
    command:
    - docker-entrypoint.sh
    envFrom:
    - configMapRef:
        name: nextcloud-config
        optional: false
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    volumeMounts:
    - mountPath: /var/lib/postgresql/data
      name: nextcloud-psql
    workingDir: /

  - name: app
    ## Remember to change cron container version!
    image: ghcr.io/0ranki/nextcloud-previews:latest
    ## Remember to change cron container version!
    #imagePullPolicy: never
    ports:
    - containerPort: 80
      hostPort: 8082                                      ## Change host listening port here
    envFrom:
    - configMapRef:
        name: nextcloud-config
        optional: false
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/www/html
      name: nextcloud-app-host-0

  - name: cron
    # Remember to change main image version!
    image: ghcr.io/0ranki/nextcloud-previews:latest
    # Remember to change main image version!
      #imagePullPolicy: never
    args:
    - busybox
    - crond
    - -f
    - -l
    - 0
    - -L
    - /dev/stdout
    envFrom:
    - configMapRef:
        name: nextcloud-config
        optional: false
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/www/html
      name: nextcloud-app-host-0

#  - name: cloudflared
#    image: docker.io/cloudflare/cloudflared:latest
#    args:
#    - tunnel
#    - --no-autoupdate
#    - run
#    - --token
#    - ### CLOUDFLARE TOKEN HERE ###
#    resources: {}
#    securityContext: {}

  restartPolicy: Always

status: {}


```
Added Kube YAML and systemd service examples for running with Podman. 2023-11-02 21:48:38 +02:00			## Running with `podman kube play`

			`The following YAML can be used to launch a pod with Nextcloud-previews,`
			`PostgreSQL, Redis, ClamAV and another Nextcloud-previews container for cron jobs.`
			The YAML is also under the `examples` folder, along with the default ClamAV configuration.

			`A separate reverse proxy is the simplest option for SSL.`

			`### Setup`

			`Copy the YAML to a file on the host.`

			`Change the variables in the beginning and the hostPath.path fields (marked with comments)`
			`to match your environment. The example values would:`
			- Have all host mounts under `/path/to/nextcloud`
			- `/path/to/nextcloud/app` containing all Nextcloud data
			- `/path/to/nextcloud/clamav-config` containing ClamAV configuration
			- `/path/to/nextcloud/redis` containing the Redis db dump, used to persist cache between restarts (login sessions, etc.)
			- Named volumes for `nextcloud-psql` and `clamav-db` for PostgreSQL and ClamAV databases
			`- Expose the Apache HTTP port on host port 8082`

			`You need to create the directories for persistent data manually.`
			`The ClamAV container requires configuration files present in the config directory, others populate the host directory`
			`automatically if empty.`

			`If using SELinux, change the context type of the folders`
			to `container_file_t` with `sudo chcon -t container_file_t /path/to/nextcloud`.

			`### Running`

			`Pull the images and start the the pod with the command`
			```
			`podman kube play /path/to/nextcloud-podman.yaml`
			```
			It may be a good idea to always add `--replace` argument to the start command so an existing pod is replaced.
			`The command will fail without it if a pod with the same name already exists.`

			Podman automatically pulls the images when using `kube play`

			- Stop the pod with `podman kube play /path/to/nextcloud-podman.yaml --down`
			- Restart, re-pull and recreate all containers with `podman kube play /path/to/nextcloud-podman.yaml --replace`

			`### Cloudflare tunnel (optional)`
			`In the end there's a container for Cloudflare tunnel. To use a CF tunnel, create a tunnel in the CF dashboard,`
Update PODMAN.md Fix wrong port in CF tunnel instructions 2023-12-06 00:29:34 +02:00			point the tunnel to `http://localhost:8082`, uncomment the section and
Added Kube YAML and systemd service examples for running with Podman. 2023-11-02 21:48:38 +02:00			`insert your token as the last argument for the container CMD, for example:`

			```
			`...`
			`args:`
			`- tunnel`
			`- --no-autoupdate`
			`- run`
			`- --token`
			`- asdfghjklqwertyuiop1234567890`
			```


			`### Run as service`
			`[See SYSTEMD.md](SYSTEMD.md)`

			`YAML:`
			```
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: nextcloud-config`
			`data:`
			`POSTGRES_USER: nextcloud`
			`POSTGRES_DB: nextcloud`
			`POSTGRES_PASSWORD: supersecretPassw0rd`
			`NEXTCLOUD_ADMIN_USER: administrator`
			`NEXTCLOUD_ADMIN_PASSWORD: adminPassw0rd`
			`NEXTCLOUD_TRUSTED_DOMAINS: cloud.example.com 192.168.123.22`
			`REDIS_HOST: 127.0.0.1`
			`REDIS_PORT: 6379`
			`TZ: Europe/Helsinki`
			`## Optionally tweak these ##`
			`PHP_MEMORY_LIMIT: 3G`
			`PHP_UPLOAD_LIMIT: 10G`

			`---`
			`apiVersion: v1`
			`kind: Pod`
			`metadata:`
			`name: nextcloud`
			`creationTimestamp: "2022-05-25T09:38:11Z"`
			`labels:`
			`app: nextcloud`
			`annotations:`
			`spec:`
			`volumes:`
			`- hostPath:`
			`path: /path/to/nextcloud/clamav-config ## Path of mounted ClamAV configuration directory on host ##`
			`type: Directory`
			`name: clamav-config-host-1`
			`- hostPath:`
			`path: /path/to/nextcloud/app ## Path of mounted web root on host (/var/www/nextcloud) on host ##`
			`type: Directory`
			`name: nextcloud-app-host-0`
			`- hostPath:`
			`path: /path/to/nextcloud/redis ## Path of mounted Redis db dump directory on host ##`
			`type: Directory`
			`name: nextcloud-redis-host-0`
			`- name: clamav-db`
			`persistentVolumeClaim:`
			`claimName: clamav-db`
			`- name: nextcloud-psql`
			`persistentVolumeClaim:`
			`claimName: nextcloud-psql`
			`containers:`

			`- name: clamav`
			`image: docker.io/clamav/clamav:latest`
			`# image: ghcr.io/0ranki/clamav-docker-arm64:v1.1.0 ## ClamAV ARM64 image (e.g. Raspberry Pi 4)`
			`resources: {}`
			`securityContext:`
			`capabilities:`
			`drop:`
			`- CAP_MKNOD`
			`- CAP_NET_RAW`
			`- CAP_AUDIT_WRITE`
			`volumeMounts:`
			`- mountPath: /var/lib/clamav`
			`name: clamav-db`
			`- mountPath: /etc/clamav`
			`name: clamav-config-host-1`

			`- name: redis`
			`image: docker.io/library/redis:alpine`
			`args:`
			`- redis-server`
			`- --save`
			`- 60`
			`- 1`
			`- --loglevel`
			`- warning`
			`resources: {}`
			`securityContext:`
			`capabilities:`
			`drop:`
			`- CAP_MKNOD`
			`- CAP_NET_RAW`
			`- CAP_AUDIT_WRITE`
			`volumeMounts:`
			`- mountPath: /data`
			`name: nextcloud-redis-host-0`

			`- name: psql`
			`image: docker.io/postgres:14-alpine`
			`args:`
			`- postgres`
			`command:`
			`- docker-entrypoint.sh`
			`envFrom:`
			`- configMapRef:`
			`name: nextcloud-config`
			`optional: false`
			`resources: {}`
			`securityContext:`
			`allowPrivilegeEscalation: true`
			`capabilities:`
			`drop:`
			`- CAP_MKNOD`
			`- CAP_NET_RAW`
			`- CAP_AUDIT_WRITE`
			`privileged: false`
			`readOnlyRootFilesystem: false`
			`seLinuxOptions: {}`
			`volumeMounts:`
			`- mountPath: /var/lib/postgresql/data`
			`name: nextcloud-psql`
			`workingDir: /`

			`- name: app`
			`## Remember to change cron container version!`
Update PODMAN.md Use the new image path without the extra nextcloud 2023-12-06 00:26:14 +02:00			`image: ghcr.io/0ranki/nextcloud-previews:latest`
Added Kube YAML and systemd service examples for running with Podman. 2023-11-02 21:48:38 +02:00			`## Remember to change cron container version!`
			`#imagePullPolicy: never`
			`ports:`
			`- containerPort: 80`
Update PODMAN.md Fix wrong port in CF tunnel instructions 2023-12-06 00:29:34 +02:00			`hostPort: 8082 ## Change host listening port here`
Added Kube YAML and systemd service examples for running with Podman. 2023-11-02 21:48:38 +02:00			`envFrom:`
			`- configMapRef:`
			`name: nextcloud-config`
			`optional: false`
			`resources: {}`
			`securityContext:`
			`capabilities:`
			`drop:`
			`- CAP_MKNOD`
			`- CAP_NET_RAW`
			`- CAP_AUDIT_WRITE`
			`volumeMounts:`
			`- mountPath: /var/www/html`
			`name: nextcloud-app-host-0`

			`- name: cron`
			`# Remember to change main image version!`
Update PODMAN.md Use the new image path without the extra nextcloud 2023-12-06 00:26:14 +02:00			`image: ghcr.io/0ranki/nextcloud-previews:latest`
Added Kube YAML and systemd service examples for running with Podman. 2023-11-02 21:48:38 +02:00			`# Remember to change main image version!`
			`#imagePullPolicy: never`
			`args:`
			`- busybox`
			`- crond`
			`- -f`
			`- -l`
			`- 0`
			`- -L`
			`- /dev/stdout`
			`envFrom:`
			`- configMapRef:`
			`name: nextcloud-config`
			`optional: false`
			`resources: {}`
			`securityContext:`
			`capabilities:`
			`drop:`
			`- CAP_MKNOD`
			`- CAP_NET_RAW`
			`- CAP_AUDIT_WRITE`
			`volumeMounts:`
			`- mountPath: /var/www/html`
			`name: nextcloud-app-host-0`

			`# - name: cloudflared`
			`# image: docker.io/cloudflare/cloudflared:latest`
			`# args:`
			`# - tunnel`
			`# - --no-autoupdate`
			`# - run`
			`# - --token`
			`# - ### CLOUDFLARE TOKEN HERE ###`
			`# resources: {}`
			`# securityContext: {}`

			`restartPolicy: Always`

			`status: {}`


Update PODMAN.md Use the new image path without the extra nextcloud 2023-12-06 00:26:14 +02:00			```