nextcloud-previews/PODMAN.md


Running with podman kube play

The following YAML can be used to launch a pod with Nextcloud-previews, PostgreSQL, Redis, ClamAV and another Nextcloud-previews container for cron jobs. The YAML is also under the examples folder, along with the default ClamAV configuration.

The pod serves plain HTTP on the host port; a separate reverse proxy is the simplest option for TLS termination. If the proxy runs on the same host, add hostIP: 127.0.0.1 to the ports entry of the app container so that Nextcloud is bound to loopback only, rather than to every interface, which is what a bare hostPort does.

Setup

Copy the YAML to a file on the host.

Change the variables in the beginning and the hostPath.path fields (marked with comments) to match your environment. The example values would:

  • Have all host mounts under /path/to/nextcloud
    • /path/to/nextcloud/app containing all Nextcloud data
    • /path/to/nextcloud/clamav-config containing ClamAV configuration
    • /path/to/nextcloud/redis containing the Redis db dump, used to persist cache between restarts (login sessions, etc.)
  • Named volumes for nextcloud-psql and clamav-db for PostgreSQL and ClamAV databases
  • Expose the Apache HTTP port on host port 8082

You need to create the directories for persistent data manually. The ClamAV container requires its configuration files (the defaults are in the examples folder) to be present in the config directory; the other containers populate their host directories automatically if they are empty.

If using SELinux, label the whole tree for container access, recursively, with sudo chcon -R -t container_file_t /path/to/nextcloud. Labels set with chcon do not survive a filesystem relabel; for a persistent rule use sudo semanage fcontext -a -t container_file_t "/path/to/nextcloud(/.*)?" followed by sudo restorecon -Rv /path/to/nextcloud.
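The setup steps above as one script. This is an added example, not part of the nextcloud-previews project: it creates the three hostPath directories, refuses to proceed if the ClamAV configuration is missing (the one case the containers will not fix on their own), and applies the SELinux label recursively only when SELinux is actually active. The ClamAV file names clamd.conf and freshclam.conf are an assumption taken from the official clamav image's /etc/clamav; the base path is the one from the list above.

```sh
#!/bin/sh
# Added example (not project code): prepare the hostPath directories for
# the pod YAML and check the things that make `podman kube play` or the
# clamav container fail at start-up.
#
# Assumptions: the layout from the README (app, clamav-config and redis under
# one base directory) and the ClamAV file names clamd.conf and freshclam.conf
# as used by the official clamav image in /etc/clamav.

# nc_prepare_dirs BASE
# Creates BASE/app, BASE/clamav-config and BASE/redis; `type: Directory` in
# the YAML makes kube play refuse to start if any of them is missing.
# Returns 1 if the ClamAV config files are absent, since the clamav
# container needs them before its first start; returns 2 on bad usage.
nc_prepare_dirs() {
    nc_base=$1
    if [ -z "$nc_base" ]; then
        echo "usage: nc_prepare_dirs /path/to/nextcloud" >&2
        return 2
    fi
    for nc_dir in app clamav-config redis; do
        mkdir -p "$nc_base/$nc_dir" || return 1
    done
    nc_missing=0
    for nc_file in clamd.conf freshclam.conf; do
        if [ ! -f "$nc_base/clamav-config/$nc_file" ]; then
            echo "missing $nc_base/clamav-config/$nc_file; copy it from the examples folder" >&2
            nc_missing=1
        fi
    done
    return "$nc_missing"
}

# nc_selinux_label BASE
# Labels the tree container_file_t recursively, and only when SELinux is
# active. A plain `chcon -t` on the top directory alone leaves every
# subdirectory unreadable for the containers.
nc_selinux_label() {
    nc_base=$1
    if ! command -v getenforce >/dev/null 2>&1; then
        return 0
    fi
    if [ "$(getenforce)" = "Disabled" ]; then
        return 0
    fi
    chcon -R -t container_file_t "$nc_base"
}

# Run both steps when invoked with the base path as argument, for example:
#   sudo sh prepare-nextcloud.sh /path/to/nextcloud
if [ $# -gt 0 ]; then
    nc_prepare_dirs "$1" && nc_selinux_label "$1"
fi
```

Run it as the user that will run podman kube play (root for the rootful setup the YAML implies, since the containers keep their own UIDs on the host mounts), and copy the ClamAV configuration into clamav-config before the second run.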

Running

Pull the images and start the pod with the command

podman kube play /path/to/nextcloud-podman.yaml

It is a good idea to always add the --replace argument to the start command so that an existing pod is replaced; without it the command fails if a pod with the same name already exists.

Podman pulls the images automatically when using kube play.

  • Stop the pod with podman kube play /path/to/nextcloud-podman.yaml --down
  • Restart, re-pull and recreate all containers with podman kube play /path/to/nextcloud-podman.yaml --replace

Cloudflare tunnel (optional)

At the end of the YAML there is a commented-out container for a Cloudflare tunnel. To use one, create a tunnel in the Cloudflare dashboard, point it at http://localhost:8082, uncomment the section and insert your token as the last argument of the container's args, for example:

...
   args:
   - tunnel
   - --no-autoupdate
   - run
   - --token
   - asdfghjklqwertyuiop1234567890
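The token is a credential: passed as an argument it is readable in the YAML file, in podman inspect output and in the container's process list, so restrict read access to the file (chmod 600) and treat it like the passwords in the ConfigMap.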

Run as service

See SYSTEMD.md

YAML:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
data:
    POSTGRES_USER: nextcloud
    POSTGRES_DB: nextcloud
    POSTGRES_PASSWORD: supersecretPassw0rd
    NEXTCLOUD_ADMIN_USER: administrator
    NEXTCLOUD_ADMIN_PASSWORD: adminPassw0rd
    NEXTCLOUD_TRUSTED_DOMAINS: cloud.example.com 192.168.123.22
    REDIS_HOST: 127.0.0.1  # Don't change this
    REDIS_PORT: 6379       # or this
    TZ: Europe/Helsinki
    ## Optionally tweak these ##
    PHP_MEMORY_LIMIT: 3G
    PHP_UPLOAD_LIMIT: 10G
    
---
apiVersion: v1
kind: Pod
metadata:
  name: nextcloud
  creationTimestamp: "2022-05-25T09:38:11Z"
  labels:
    app: nextcloud
  annotations:
spec:
  volumes:
  - hostPath:
      path: /path/to/nextcloud/clamav-config    ## Path of mounted ClamAV configuration directory on host ##
      type: Directory
    name: clamav-config-host-1
  - hostPath:
      path: /path/to/nextcloud/app              ## Path of mounted web root on host (/var/www/nextcloud) on host ##
      type: Directory
    name: nextcloud-app-host-0
  - hostPath:
      path: /path/to/nextcloud/redis            ## Path of mounted Redis db dump directory on host ##
      type: Directory
    name: nextcloud-redis-host-0
  - name: clamav-db
    persistentVolumeClaim:
      claimName: clamav-db
  - name: nextcloud-psql
    persistentVolumeClaim:
      claimName: nextcloud-psql
  containers:

  - name: clamav
    image: docker.io/clamav/clamav:latest
    # image: ghcr.io/0ranki/clamav-docker-arm64:v1.1.0      ## ClamAV ARM64 image (e.g. Raspberry Pi 4)
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/lib/clamav
      name: clamav-db
    - mountPath: /etc/clamav
      name: clamav-config-host-1

  - name: redis
    image: docker.io/library/redis:alpine
    args:
    - redis-server
    - --save
    - 60
    - 1
    - --loglevel
    - warning
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /data
      name: nextcloud-redis-host-0

  - name: psql
    image: docker.io/postgres:14-alpine
    args:
    - postgres
    command:
    - docker-entrypoint.sh
    envFrom:
    - configMapRef:
        name: nextcloud-config
        optional: false
    resources: {}
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
      privileged: false
      readOnlyRootFilesystem: false
      seLinuxOptions: {}
    volumeMounts:
    - mountPath: /var/lib/postgresql/data
      name: nextcloud-psql
    workingDir: /

  - name: app
    ## Remember to change cron container version!
    image: ghcr.io/0ranki/nextcloud-previews:latest
    ## Remember to change cron container version!
    #imagePullPolicy: never
    ports:
    - containerPort: 80
      hostPort: 8082                                      ## Change host listening port here
    envFrom:
    - configMapRef:
        name: nextcloud-config
        optional: false
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/www/html
      name: nextcloud-app-host-0

  - name: cron
    # Remember to change main image version!
    image: ghcr.io/0ranki/nextcloud-previews:latest
    # Remember to change main image version!
    #imagePullPolicy: never
    args:
    - busybox
    - crond
    - -f
    - -l
    - 0
    - -L
    - /dev/stdout
    envFrom:
    - configMapRef:
        name: nextcloud-config
        optional: false
    resources: {}
    securityContext:
      capabilities:
        drop:
        - CAP_MKNOD
        - CAP_NET_RAW
        - CAP_AUDIT_WRITE
    volumeMounts:
    - mountPath: /var/www/html
      name: nextcloud-app-host-0

#  - name: cloudflared
#    image: docker.io/cloudflare/cloudflared:latest
#    args:
#    - tunnel
#    - --no-autoupdate
#    - run
#    - --token
#    - ### CLOUDFLARE TOKEN HERE ###
#    resources: {}
#    securityContext: {}

  restartPolicy: Always

status: {}
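The ConfigMap above holds both passwords as plain values, and every container that uses envFrom receives all of its keys, so psql, app and cron each get the database and the admin password, and podman inspect shows them in each container's environment. The following is an added example, not code from the nextcloud-previews project: the credentials move to a Kubernetes Secret kept in its own file, which podman stores as a podman secret, and each container receives only the value it needs through secretKeyRef. It assumes podman 4.x kube play support for kind: Secret and secretKeyRef, that cloudflared reads its token from the TUNNEL_TOKEN environment variable, and uses constructed placeholder values.

```yaml
# nextcloud-secrets.yaml: play this file once, before the pod YAML:
#   chmod 600 nextcloud-secrets.yaml
#   podman kube play nextcloud-secrets.yaml
# Values are base64 (not encryption) of constructed placeholders:
# "changeme", "changeme2" and "cf-token". Make real ones with e.g.
#   printf '%s' "$(openssl rand -base64 24)" | base64 -w0
apiVersion: v1
kind: Secret
metadata:
  name: nextcloud-secrets
type: Opaque
data:
  POSTGRES_PASSWORD: Y2hhbmdlbWU=
  NEXTCLOUD_ADMIN_PASSWORD: Y2hhbmdlbWUy
  TUNNEL_TOKEN: Y2YtdG9rZW4=
---
# nextcloud-podman.yaml, only the parts that change. The ConfigMap keeps
# the non-secret settings; envFrom still delivers those to every container.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
data:
  POSTGRES_USER: nextcloud
  POSTGRES_DB: nextcloud
  NEXTCLOUD_ADMIN_USER: administrator
  NEXTCLOUD_TRUSTED_DOMAINS: cloud.example.com 192.168.123.22
  REDIS_HOST: 127.0.0.1
  REDIS_PORT: 6379
  TZ: Europe/Helsinki
---
apiVersion: v1
kind: Pod
metadata:
  name: nextcloud
spec:
  containers:
  # volumes, volumeMounts, securityContext and the clamav, redis and cron
  # containers stay as in the full YAML above; cron keeps only the
  # ConfigMap and receives no password at all.
  - name: psql
    image: docker.io/postgres:14-alpine
    envFrom:
    - configMapRef:
        name: nextcloud-config
    env:
    - name: POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: nextcloud-secrets
          key: POSTGRES_PASSWORD
  - name: app
    image: ghcr.io/0ranki/nextcloud-previews:latest
    ports:
    - containerPort: 80
      hostPort: 8082
      hostIP: 127.0.0.1     # loopback only; a proxy on this host terminates TLS
    envFrom:
    - configMapRef:
        name: nextcloud-config
    env:
    - name: POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: nextcloud-secrets
          key: POSTGRES_PASSWORD
    - name: NEXTCLOUD_ADMIN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: nextcloud-secrets
          key: NEXTCLOUD_ADMIN_PASSWORD
  - name: cloudflared
    image: docker.io/cloudflare/cloudflared:latest
    args:                   # no --token on the command line
    - tunnel
    - --no-autoupdate
    - run
    env:
    - name: TUNNEL_TOKEN
      valueFrom:
        secretKeyRef:
          name: nextcloud-secrets
          key: TUNNEL_TOKEN
  restartPolicy: Always
```

Play the secrets file once; --down or --replace on the pod file does not touch a secret defined in a different file, and podman secret ls shows the stored copy. The secrets file itself still contains the values, so keep it mode 600 or delete it after playing; the pod YAML can then be shared or versioned without credentials.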