mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-21 07:55:00 +00:00
Nextcloud has long been a desired app for FreedomBox; however, due to difficulties around Debian packaging, it hasn't yet been implemented. This branch creates an app for Nextcloud with the help of Podman. Podman is a containerization technology, like Docker, but with some extra features that make its integration into FreedomBox convenient. If the Podman approach turns out to be favorable, we should consider writing a Podman-specific module.

How does this work?

The app installs the podman and default-mysql-server Debian packages. In other apps, such as MediaWiki, FreedomBox chooses SQLite, which eases maintenance and backup/restore. However, this would bring a significant performance degradation for Nextcloud, hence the choice of MySQL. Other apps, like WordPress, already use MySQL, so it is installed on the host as opposed to installing it in a separate container. A firewalld rich rule is created so the Nextcloud container can communicate with the DB and OpenLDAP.

The podman package comes with a systemd service and timer for automatically upgrading containers that are labeled "io.containers.autoupdate=registry". podman-auto-update.timer is managed by FreedomBox. We might add a drop-in file for the timer to make it more consistent with unattended-upgrades.

Podman natively supports creating systemd services for individual containers. The generated systemd service is then managed by FreedomBox.

The current container image is based on Debian and runs Apache inside the container. To avoid running Apache redundantly (both on the host and inside the container) it would be preferable to use the nextcloud:stable-fpm image instead, which seems to require creating a new virtual host.

Configure /.well-known URIs to redirect to /nextcloud. There is a conflict with Radicale if both apps are running.

Put the podman1 interface into the trusted firewalld zone. This results in the container gaining Internet access, which is necessary for downloading Nextcloud applications and federating with other Nextcloud instances.

After applying the patches, I opened my instance to the Internet to make sure this configuration doesn't accidentally expose services. I scanned TCP ports 3306 and 6379 (after installing and binding redis-server to the bridge interface). After that, I installed the Tor app and put the default WAN interface into the external zone to confirm that port 9050/TCP does not get exposed through the bridge interface.

To-do:
* test the fpm image
* test running the container in rootless mode for better security

Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Add missing docstrings]
[sunil: Make some methods private to module]
[sunil: Run yapf for formatting]
[sunil: Remove a comment to hide form when app is disabled]
[sunil: Update form labels]
[sunil: I18N for client names]
[sunil: Reduce number success messages in form for easy i18n and consistency]
[sunil: Reorganize patch series, squash fixes]
[sunil: Tweak auto update daemon component's ID]
[sunil: Add blank lines for formatting]
[sunil: Minor refactoring for _run_occ method]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
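The host-side wiring the commit message describes (a `podman run` carrying the `io.containers.autoupdate=registry` label, a firewalld rich rule that lets only the container subnet reach MySQL and OpenLDAP, the bridge interface in the trusted zone, and an external port check for the services that must stay unexposed) can be expressed in a few small Python functions. The block below is an added example written for this page, not FreedomBox's own module code. It assumes a Podman network named `nextcloud` on 10.89.0.0/24, an LDAP port of 389, and the image and volume names shown; none of these come from the commit message, and the port check takes an injected `connect` callable so it can be run against a real socket or a fake.

```python
"""Host-side wiring for a Podman-run Nextcloud container (added example)."""
import shlex
import socket

# Label that podman-auto-update.timer looks for when deciding what to upgrade.
AUTOUPDATE_LABEL = "io.containers.autoupdate=registry"


def podman_run_argv(image, name, network, env, volumes):
    """Build the argv for a detached container run with the auto-update label.

    `env` is a dict of environment variables, `volumes` a list of
    (host_volume, container_path) pairs. Returned as argv, not a shell string,
    so it can be passed to subprocess without quoting problems.
    """
    argv = ["podman", "run", "-d", "--name", name, "--network", network,
            "--label", AUTOUPDATE_LABEL]
    for key, value in sorted(env.items()):
        argv += ["-e", f"{key}={value}"]
    for host_volume, container_path in volumes:
        argv += ["-v", f"{host_volume}:{container_path}"]
    argv.append(image)
    return argv


def rich_rule(subnet, port, family="ipv4"):
    """firewalld rich rule accepting TCP `port` only from `subnet`."""
    return (f'rule family="{family}" source address="{subnet}" '
            f'port port="{port}" protocol="tcp" accept')


def firewall_cmds(bridge_iface, subnet, ports):
    """firewall-cmd invocations: bridge into the trusted zone (gives the
    container Internet access), one rich rule per host service the container
    needs (assumed: 3306 for MySQL, 389 for OpenLDAP), then a reload."""
    cmds = [["firewall-cmd", "--permanent", "--zone=trusted",
             f"--add-interface={bridge_iface}"]]
    for port in ports:
        cmds.append(["firewall-cmd", "--permanent", "--add-rich-rule",
                     rich_rule(subnet, port)])
    cmds.append(["firewall-cmd", "--reload"])
    return cmds


def generate_systemd_argv(name):
    """Ask podman to emit a unit file FreedomBox can then manage."""
    return ["podman", "generate", "systemd", "--new", "--files", "--name", name]


def tcp_connect(host, port, timeout=2.0):
    """Real connect check: True if `host:port` accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host, ports, connect=tcp_connect):
    """Ports from `ports` that answer on `host`; run this from outside the box
    against the WAN address. An empty list is the expected result for
    3306, 6379 and 9050 after the zone and rich-rule changes above."""
    return [port for port in ports if connect(host, port)]


def render(argv):
    """Shell-quoted form of an argv, for pasting into a terminal."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; image, network, volume and DB host are assumptions.
    run = podman_run_argv("docker.io/library/nextcloud:stable", "nextcloud",
                          "nextcloud", {"MYSQL_HOST": "10.89.0.1"},
                          [("nextcloud-data", "/var/www/html")])
    print(render(run))
    for cmd in firewall_cmds("podman1", "10.89.0.0/24", [3306, 389]):
        print(render(cmd))
    print(render(generate_systemd_argv("nextcloud")))
```

The rich rules are deliberately scoped to the container subnet rather than to `podman1` as a whole: putting the bridge in the trusted zone already admits everything arriving on that interface, and the rules exist so that the host's MySQL and LDAP listeners are reachable from the container without opening those ports to any other zone. The `exposed_ports` check is the automated form of the manual scan described in the message, and should be run from an external vantage point with `tcp_connect`.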