From 0bf2a34edddbad6f1976ea4e5b677170330b7e71 Mon Sep 17 00:00:00 2001
From: Thomas Hintz
Date: Sun, 31 Aug 2025 09:01:44 -0700
Subject: [PATCH] Moving to bind mounts and docker secrets.

---
 all-apps/docker-compose.yaml | 10 ++--
 all-apps/nextcloud/docker-compose.yaml | 71 +++++++++++++++++++++-----
 all-apps/wg-easy/docker-compose.yaml | 6 +--
 cl.yaml | 14 +++-
 4 files changed, 76 insertions(+), 25 deletions(-)

diff --git a/all-apps/docker-compose.yaml b/all-apps/docker-compose.yaml
index 028fcdc..4705f23 100644
--- a/all-apps/docker-compose.yaml
+++ b/all-apps/docker-compose.yaml
@@ -5,8 +5,8 @@ services:
 volumes:
 # - /app/lb:/etc/caddy
 - ./lb/:/etc/caddy
- - config:/config
- - data:/data
+ - /nassella/lb/config:/config
+ - /nassella/lb/data:/data
 networks:
 - lb
 restart: unless-stopped
@@ -20,6 +20,6 @@ services:
 - lb
 networks:
 lb:
-volumes:
- config:
- data:
+# volumes:
+# config:
+# data:
diff --git a/all-apps/nextcloud/docker-compose.yaml b/all-apps/nextcloud/docker-compose.yaml
index 1e7ab7a..ccdcdc7 100644
--- a/all-apps/nextcloud/docker-compose.yaml
+++ b/all-apps/nextcloud/docker-compose.yaml
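Review bot: Replacing the named volumes `config:`/`data:` with the bind mounts `/nassella/lb/config` and `/nassella/lb/data` does not carry over what the named volumes already contain; judging by the `./lb/:/etc/caddy` mount this is Caddy, whose `/data` holds its TLS certificates and private keys, so the old volume content has to be copied into the new paths before the first `docker compose up`, otherwise the proxy starts from an empty state. The same applies to `etc_wireguard` in all-apps/wg-easy/docker-compose.yaml, which holds the WireGuard key material. Docker will create missing bind-mount source directories with its defaults, so pre-create these key-holding directories root-owned with mode `0700` instead. The commented-out `# volumes:` stanza in the second hunk, and its twin in wg-easy, is dead configuration; delete it rather than keep it as a comment, since git history already records the old definition.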
@@ -1,21 +1,58 @@
 version: '3'

+secrets:
+ nextcloud_admin_password:
+ file: ./nextcloud/nextcloud_admin_password
+ nextcloud_admin_user:
+ file: ./nextcloud/nextcloud_admin_user
+ postgres_db:
+ file: ./nextcloud/postgres_db
+ postgres_password:
+ file: ./nextcloud/postgres_password
+ postgres_user:
+ file: ./nextcloud/postgres_user
+ redis_password:
+ file: ./nextcloud/redis_password
+
 services:
 db:
 image: postgres
+ env_file:
+ - ./nextcloud/nextcloud.env
 shm_size: 128mb
 restart: always
 volumes:
- - db:/var/lib/postgresql/data
+ - /nassella/nextcloud/var-lib-postgresql-data:/var/lib/postgresql/data
 environment:
- - POSTGRES_DB=nextcloud
- - POSTGRES_USER=nextcloud
- - POSTGRES_PASSWORD=password
+ - POSTGRES_DB_FILE=/run/secrets/postgres_db
+ - POSTGRES_USER_FILE=/run/secrets/postgres_user
+ - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
 networks:
 - internal
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
+ start_period: 15s
+ interval: 30s
+ retries: 3
+ timeout: 5s
+ secrets:
+ - postgres_db
+ - postgres_password
+ - postgres_user
 redis:
- image: redis:alpine
+ image: redis
+ env_file:
+ - ./nextcloud/nextcloud.env
+ command: bash -c 'redis-server --requirepass "$$(cat /run/secrets/redis_password)"'
+ secrets:
+ - redis_password
 restart: always
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli --no-auth-warning -a \"$$(cat /run/secrets/redis_password)\" ping | grep PONG"]
+ start_period: 10s
+ interval: 30s
+ retries: 3
+ timeout: 3s
 networks:
 - internal
 nextcloud:
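Review bot: `image: redis` (and the unchanged `image: postgres` in the same file) carries no tag, so every pull tracks `latest`; for Postgres a major-version move would leave the server unable to open the data directory now bind-mounted from `/nassella/nextcloud/var-lib-postgresql-data`, so pin both, e.g. `image: postgres:16` and `image: redis:7`. The Redis password is put on a command line twice, in `command:` via `--requirepass` and in the healthcheck via `-a "$$(cat ...)"`, which exposes it in the container's process list; the healthcheck can pass it through the environment instead, `REDISCLI_AUTH="$$(cat /run/secrets/redis_password)" redis-cli --no-auth-warning ping | grep PONG`, and `redis-server` can read `requirepass` from a read-only mounted config file. The secret files under `./nextcloud/` sit next to the compose file, so they must be excluded from version control, and `nextcloud.env` (not shown here) should not repeat the same values in plaintext.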
@@ -24,27 +61,35 @@ services:
 - POSTGRES_HOST=db
 - POSTGRES_DB=nextcloud
 - POSTGRES_USER=nextcloud
- - POSTGRES_PASSWORD=password
+ - POSTGRES_PASSWORD=dbpassword
 - NEXTCLOUD_ADMIN_PASSWORD=password
 - NEXTCLOUD_ADMIN_USER=admin
 - REDIS_HOST=redis
- - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud1.nassella.cc
+ - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.nassella.cc # TODO generate this?
 ports:
 - "8080:80"
 depends_on:
- - redis
- - db
+ redis:
+ condition: service_healthy
+ db:
+ condition: service_healthy
+ env_file:
+ - ./nextcloud/nextcloud.env
+ secrets:
+ - postgres_db
+ - postgres_password
+ - postgres_user
+ - nextcloud_admin_user
+ - nextcloud_admin_password
+ - redis_password
 networks:
 - lb
 - internal
 volumes:
- - nextcloud:/var/www
+ - /nassella/nextcloud/var-www-html:/var/www/html
 restart: unless-stopped
 networks:
 lb:
 internal:
 driver: bridge
 internal: true
-volumes:
- db:
- nextcloud:
diff --git a/all-apps/wg-easy/docker-compose.yaml b/all-apps/wg-easy/docker-compose.yaml
index aa00d2b..781a54e 100644
--- a/all-apps/wg-easy/docker-compose.yaml
+++ b/all-apps/wg-easy/docker-compose.yaml
@@ -12,7 +12,7 @@ services:
 ipv4_address: 10.42.42.42
 # ipv6_address: fdcc:ad94:bacf:61a3::2a
 volumes:
- - etc_wireguard:/etc/wireguard
+ - /nassella/wg-easy/etc-wireguard:/etc/wireguard
 - /lib/modules:/lib/modules:ro
 restart: unless-stopped
 cap_add:
@@ -33,5 +33,5 @@ networks:
 config:
 - subnet: 10.42.42.0/24
 - subnet: fdcc:ad94:bacf:61a3::/64
-volumes:
- etc_wireguard:
+# volumes:
+# etc_wireguard:
diff --git a/cl.yaml b/cl.yaml
index 5e3eb28..6475b1e 100644
--- a/cl.yaml
+++ b/cl.yaml
@@ -5,14 +5,16 @@ passwd:
 - name: core
 ssh_authorized_keys_local:
 - /ssh-keys
+ - name: nextcloud
+ uid: 1001
 systemd:
 units:
- - name: var-lib-docker-volumes.mount
+ - name: nassella.mount
 enabled: true
 contents: |
 [Mount]
 What=/dev/disk/by-partlabel/appstorage
- Where=/var/lib/docker/volumes
+ Where=/nassella
 Type=ext4

 [Install]
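Review bot: The `nextcloud` service still gets `POSTGRES_PASSWORD=dbpassword`, `NEXTCLOUD_ADMIN_PASSWORD=password` and `NEXTCLOUD_ADMIN_USER=admin` as literal environment values even though the matching `postgres_password`, `nextcloud_admin_password` and `nextcloud_admin_user` secrets are now attached to it, so the database credential lives in cleartext in the compose file and must be kept in sync with the secret file by hand; the official image honours the `*_FILE` variants, so point these at `/run/secrets/...` and drop the literals. Redis now requires a password (`--requirepass` in the first hunk), but nothing in the visible environment hands one to Nextcloud; unless `nextcloud.env` sets `REDIS_HOST_PASSWORD`, the app will fail to reach Redis, so add `REDIS_HOST_PASSWORD_FILE=/run/secrets/redis_password` next to `REDIS_HOST=redis`. The `environment:` list this hunk edits starts before the hunk; `POSTGRES_DB` and `POSTGRES_USER` there can move to `POSTGRES_DB_FILE`/`POSTGRES_USER_FILE` as well, so one set of secret files drives both the `db` and `nextcloud` services.
```yaml
    environment:
      - POSTGRES_HOST=db
      - POSTGRES_DB_FILE=/run/secrets/postgres_db
      - POSTGRES_USER_FILE=/run/secrets/postgres_user
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
      - NEXTCLOUD_ADMIN_USER_FILE=/run/secrets/nextcloud_admin_user
      - REDIS_HOST=redis
      - REDIS_HOST_PASSWORD_FILE=/run/secrets/redis_password
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.nassella.cc  # TODO generate this?
    # … unchanged: ports, depends_on, env_file, secrets, networks, volumes, restart …
```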
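Review bot: The new `nextcloud` passwd entry with `uid: 1001` is not referenced by anything else in this patch (the compose services run as their images' default users), so its purpose should be stated in a comment above it, e.g. `# owner of the /nassella/nextcloud bind-mount directories; keep in sync with the uid the containers write as`. If that is the intent, the official Nextcloud image writes as `www-data` (uid 33) and the postgres image as uid 999 by default, so a host owner of 1001 will not match what lands in `/nassella/nextcloud/...` unless the containers are also told to run as that uid. The cl.yaml `passwd:` block begins before this hunk.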
@@ -29,8 +31,8 @@ systemd:
 - name: 10-wait-docker.conf
 contents: |
 [Unit]
- After=var-lib-docker-volumes.mount
- Requires=var-lib-docker-volumes.mount
+ After=nassella.mount
+ Requires=nassella.mount
 - name: systemd-sysupdate.service
 dropins:
 - name: docker-compose.conf
@@ -44,7 +46,11 @@ systemd:
 # device: /dev/disk/by-label/appstorage
 storage:
 disks:
+ # TODO I think this can be changed back to
+ # device: /dev/disk/by-label/appstorage
+ # I think it didn't work before becase the partition number was 0 (now correctly set to 1)
 - device: /dev/sda
+# - device: /dev/disk/by-label/appstorage
 wipe_table: false
 partitions:
 - label: appstorage
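Review bot: The `# TODO` comments in the second hunk propose going back to `device: /dev/disk/by-label/appstorage`, but that symlink is created by udev from a filesystem label on the partition this very `disks:` entry provisions, so it cannot exist when Ignition first looks for the disk, and it would name the partition rather than the whole disk; the earlier failure is therefore unlikely to be explained only by the partition-number issue the comment suspects. `/dev/sda` is not a stable name either, since kernel device naming can change across reboots and hardware changes; the stable whole-disk reference is the by-id path, e.g. `- device: /dev/disk/by-id/PLACEHOLDER-DISK-ID`. The mount unit's `What=/dev/disk/by-partlabel/appstorage` is already the right kind of reference for the partition, so record that reasoning in the comment and remove the commented-out by-label line instead of leaving both alternatives in the file.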