Moving to bind mounts and docker secrets.

Makefile

@@ -2,7 +2,7 @@ TERRAFORM_ENV=production
 
 # .dirstamp plus && $@ is like make magic to get this rule
 # to only run if the contents of all-apps changes
-app/.dirstamp: all-apps/app.service all-apps/docker-compose.yaml $(wildcard all-apps/lb/*) $(wildcard all-apps/Nextcloud/*) $(wildcard all-apps/wg-easy/*)
+app/.dirstamp: all-apps/app.service all-apps/docker-compose.yaml $(wildcard all-apps/lb/*) $(wildcard all-apps/nextcloud/*) $(wildcard all-apps/wg-easy/*)
 	rm -Rf app/
 	cp -a all-apps app && touch $@
 
@@ -21,6 +21,9 @@ plan: ignition.json $(TERRAFORM_ENV).tfvars generated.tfvars
 apply: ignition.json $(TERRAFORM_ENV).tfvars generated.tfvars
 	bash -c "terraform apply -var-file=<(cat $(TERRAFORM_ENV).tfvars generated.tfvars)"
 
+destroy: ignition.json $(TERRAFORM_ENV).tfvars generated.tfvars
+	bash -c "terraform destroy -var-file=<(cat $(TERRAFORM_ENV).tfvars generated.tfvars)"
+
 ## to help me remember the command to run to test the config locally
 testlocalhost:
 	curl -k --resolve localhost:443:146.190.12.129 https://localhost

all-apps/docker-compose.yaml

@@ -5,8 +5,8 @@ services:
     volumes:
 #      - /app/lb:/etc/caddy
       - ./lb/:/etc/caddy
-      - config:/config
+      - /nassella/lb/config:/config
-      - data:/data
+      - /nassella/lb/data:/data
     networks:
       - lb
     restart: unless-stopped
@@ -20,6 +20,6 @@ services:
       - lb
 networks:
   lb:
-volumes:
+# volumes:
-  config:
+#   config:
-  data:
+#   data:

all-apps/nextcloud/docker-compose.yaml

@@ -1,21 +1,58 @@
 version: '3'
 
+secrets:
+  nextcloud_admin_password:
+    file: ./nextcloud/nextcloud_admin_password
+  nextcloud_admin_user:
+    file: ./nextcloud/nextcloud_admin_user
+  postgres_db:
+    file: ./nextcloud/postgres_db
+  postgres_password:
+    file: ./nextcloud/postgres_password
+  postgres_user:
+    file: ./nextcloud/postgres_user
+  redis_password:
+    file: ./nextcloud/redis_password
+
 services:
   db:
     image: postgres
+    env_file:
+      - ./nextcloud/nextcloud.env
     shm_size: 128mb
     restart: always
     volumes:
-      - db:/var/lib/postgresql/data
+      - /nassella/nextcloud/var-lib-postgresql-data:/var/lib/postgresql/data
     environment:
-      - POSTGRES_DB=nextcloud
+      - POSTGRES_DB_FILE=/run/secrets/postgres_db
-      - POSTGRES_USER=nextcloud
+      - POSTGRES_USER_FILE=/run/secrets/postgres_user
-      - POSTGRES_PASSWORD=password
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
     networks:
       - internal
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
+      start_period: 15s
+      interval: 30s
+      retries: 3
+      timeout: 5s
+    secrets:
+      - postgres_db
+      - postgres_password
+      - postgres_user
   redis:
-    image: redis:alpine
+    image: redis
+    env_file:
+      - ./nextcloud/nextcloud.env
+    command: bash -c 'redis-server --requirepass "$$(cat /run/secrets/redis_password)"'
+    secrets:
+      - redis_password
     restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli --no-auth-warning -a \"$$(cat /run/secrets/redis_password)\" ping | grep PONG"]
+      start_period: 10s
+      interval: 30s
+      retries: 3
+      timeout: 3s
     networks:
       - internal
   nextcloud:
@@ -24,27 +61,35 @@ services:
       - POSTGRES_HOST=db
       - POSTGRES_DB=nextcloud
       - POSTGRES_USER=nextcloud
-      - POSTGRES_PASSWORD=password
+      - POSTGRES_PASSWORD=dbpassword
       - NEXTCLOUD_ADMIN_PASSWORD=password
       - NEXTCLOUD_ADMIN_USER=admin
       - REDIS_HOST=redis
-      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud1.nassella.cc
+      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.nassella.cc # TODO generate this?
     ports:
       - "8080:80"
     depends_on:
-      - redis
+      redis:
-      - db
+        condition: service_healthy
+      db:
+        condition: service_healthy
+    env_file:
+      - ./nextcloud/nextcloud.env
+    secrets:
+      - postgres_db
+      - postgres_password
+      - postgres_user
+      - nextcloud_admin_user
+      - nextcloud_admin_password
+      - redis_password
     networks:
       - lb
       - internal
     volumes:
-      - nextcloud:/var/www
+      - /nassella/nextcloud/var-www-html:/var/www/html
     restart: unless-stopped
 networks:
   lb:
   internal:
     driver: bridge
     internal: true
-volumes:
-  db:
-  nextcloud:

all-apps/nextcloud/nextcloud.env

@@ -0,0 +1,22 @@
+# TODO generate
+DOMAIN="nextcloud.nassella.cc"
+
+NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN}
+
+# reverse proxy config
+OVERWRITEHOST=${DOMAIN}
+OVERWRITECLIURL=https://${DOMAIN}
+OVERWRITEPROTOCOL=https
+TRUSTED_PROXIES=172.16.0.0/24 # trust the local lb
+PHP_MEMORY_LIMIT=1G
+PHP_UPLOAD_LIMIT=10G
+POSTGRES_HOST=db
+POSTGRES_DB_FILE=/run/secrets/postgres_db
+POSTGRES_USER_FILE=/run/secrets/postgres_user
+POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+# admin user
+NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
+NEXTCLOUD_ADMIN_USER_FILE=/run/secrets/nextcloud_admin_user
+# redis
+REDIS_HOST=redis
+REDIS_HOST_PASSWORD_FILE=/run/secrets/redis_password

all-apps/wg-easy/docker-compose.yaml

@@ -12,7 +12,7 @@ services:
         ipv4_address: 10.42.42.42
 #        ipv6_address: fdcc:ad94:bacf:61a3::2a
     volumes:
-      - etc_wireguard:/etc/wireguard
+      - /nassella/wg-easy/etc-wireguard:/etc/wireguard
       - /lib/modules:/lib/modules:ro
     restart: unless-stopped
     cap_add:
@@ -33,5 +33,5 @@ networks:
       config:
         - subnet: 10.42.42.0/24
         - subnet: fdcc:ad94:bacf:61a3::/64
-volumes:
+# volumes:
-  etc_wireguard:
+#   etc_wireguard:

cl.yaml

@@ -5,14 +5,16 @@ passwd:
     - name: core
       ssh_authorized_keys_local:
         - /ssh-keys
+    - name: nextcloud
+      uid: 1001
 systemd:
   units:
-    - name: var-lib-docker-volumes.mount
+    - name: nassella.mount
       enabled: true
       contents: |
         [Mount]
         What=/dev/disk/by-partlabel/appstorage
-        Where=/var/lib/docker/volumes
+        Where=/nassella
         Type=ext4
 
         [Install]
@@ -29,8 +31,8 @@ systemd:
         - name: 10-wait-docker.conf
           contents: |
             [Unit]
-            After=var-lib-docker-volumes.mount
+            After=nassella.mount
-            Requires=var-lib-docker-volumes.mount
+            Requires=nassella.mount
     - name: systemd-sysupdate.service
       dropins:
         - name: docker-compose.conf
@@ -44,7 +46,11 @@ systemd:
 # device: /dev/disk/by-label/appstorage
 storage:
   disks:
+    # TODO I think this can be changed back to
+    # device: /dev/disk/by-label/appstorage
+    # I think it didn't work before becase the partition number was 0 (now correctly set to 1)
     - device: /dev/sda
+#    - device: /dev/disk/by-label/appstorage
       wipe_table: false
       partitions:
         - label: appstorage