From cfa20a6396ef2c5c7226c54bb77c257890b66cb8 Mon Sep 17 00:00:00 2001
From: coolnsx
Date: Wed, 27 Aug 2025 13:42:56 +0530
Subject: [PATCH] Feat: unix socketifying and disabling ports as much as possible
---
 immich/immich_db.container | 2 +-
 immich/immich_valkey.container | 2 +-
 nextcloud/env.example | 2 --
 nextcloud/nextcloud-cron.service | 2 +-
 nextcloud/nextcloud.container | 21 ++++++++++++++++-----
 nextcloud/nextcloud.pod | 2 +-
 nextcloud/nextcloud_db.container | 2 +-
 nextcloud/nextcloud_imaginary.container | 7 +++----
 nextcloud/nextcloud_valkey.container | 2 +-
 nextcloud/zz-docker.conf | 19 +++++++++++++++++++
 10 files changed, 44 insertions(+), 17 deletions(-)
 create mode 100644 nextcloud/zz-docker.conf
diff --git a/immich/immich_db.container b/immich/immich_db.container
index bcd660a..5b0d79e 100644
--- a/immich/immich_db.container
+++ b/immich/immich_db.container
@@ -5,7 +5,7 @@ Description=Immich Database Container
 Pod=immich.pod
 ContainerName=immich_db
 Image=ghcr.io/immich-app/postgres:17-vectorchord0.4.3
-Exec=postgres -c shared_preload_libraries=vchord -c unix_socket_directories='/var/run/postgresql/,/tmp/immich/' -c unix_socket_permissions=0770 -c shared_buffers=2GB -c work_mem=64MB -c effective_cache_size=4GB
+Exec=postgres -c shared_preload_libraries=vchord -c unix_socket_directories='/var/run/postgresql/,/tmp/immich/' -c unix_socket_permissions=0770 -c shared_buffers=2GB -c work_mem=64MB -c effective_cache_size=4GB -c listen_addresses=''
 # Enable auto-update container
 AutoUpdate=registry
diff --git a/immich/immich_valkey.container b/immich/immich_valkey.container
index 2b83417..b238f0a 100644
--- a/immich/immich_valkey.container
+++ b/immich/immich_valkey.container
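Review bot: `listen_addresses=''` on the new Exec line turns off the TCP listener entirely, so every client of this container, including any healthcheck the image defines, must now reach Postgres through one of the two `unix_socket_directories` paths; whether Immich's own configuration points at `/tmp/immich/` rather than a hostname is not visible in this patch and is worth confirming on first start. The intent is easy to lose on the next edit of this long line, so a comment above it would help, e.g. `# TCP listener disabled on purpose; clients connect via the unix socket in /tmp/immich/ (mode 0770)`.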
@@ -5,7 +5,7 @@ Description=Immich Valkey Container
 Pod=immich.pod
 ContainerName=immich_valkey
 Image=ghcr.io/valkey-io/valkey:alpine
-Exec=--unixsocket /tmp/immich/valkey.sock --unixsocketperm 777
+Exec=--port 0 --unixsocket /tmp/immich/valkey.sock --unixsocketperm 777
 # Enable auto-update container
 AutoUpdate=registry
diff --git a/nextcloud/env.example b/nextcloud/env.example
index e58dd37..f42bc19 100644
--- a/nextcloud/env.example
+++ b/nextcloud/env.example
@@ -2,7 +2,5 @@ MARIADB_ROOT_PASSWORD=
 MARIADB_PASSWORD=
 MARIADB_DATABASE=nextcloud
 MARIADB_USER=nextcloud
-PUID=1000
-PGID=1000
 TZ=Asia/Kolkata
 EXTERNAL_DIR=/media/vault/nextcloud
diff --git a/nextcloud/nextcloud-cron.service b/nextcloud/nextcloud-cron.service
index d4233d8..073392e 100644
--- a/nextcloud/nextcloud-cron.service
+++ b/nextcloud/nextcloud-cron.service
@@ -4,4 +4,4 @@ After=default.target
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/podman exec -u abc nextcloud php /app/www/public/cron.php
+ExecStart=/usr/bin/podman exec -u 1000 nextcloud php /var/www/html/cron.php
diff --git a/nextcloud/nextcloud.container b/nextcloud/nextcloud.container
index 8529de8..d8163b6 100644
--- a/nextcloud/nextcloud.container
+++ b/nextcloud/nextcloud.container
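Review bot: With `--port 0` the unix socket becomes the only way into Valkey, but the unchanged `--unixsocketperm 777` on the same Exec line leaves that socket writable by every uid that can reach `/tmp/immich/`, and nothing on the line sets a password, so the effective access control is the directory permissions alone. The Postgres Exec in immich_db.container already restricts its socket to `0770`; the same tightening applies here, `--unixsocketperm 770`, provided the consuming container runs as the socket's owner or group, which this patch does not show. The nextcloud_valkey.container hunk later in the patch has the identical `--port 0` plus `777` combination and should get the same treatment.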
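Review bot: The new `-u 1000` on ExecStart hard-codes a uid that zz-docker.conf also hard-codes as `user = 1000` and that nextcloud.pod maps with `UIDMap=1000:0:1`; these have to stay in step, since files the cron run creates under the data directory will presumably be owned by whatever uid `podman exec -u` chooses, and php-fpm runs as the one in zz-docker.conf. Now that PUID/PGID are gone from env.example there is no single place that states this, so a comment on the line would record the coupling, e.g. `# -u must match user= in zz-docker.conf and the UIDMap in nextcloud.pod`. The rest of the [Service] section is outside this hunk.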
@@ -3,18 +3,30 @@ Description=Nextcloud Container
 Requires=nextcloud_db.service nextcloud_valkey.service
 After=nextcloud_db.service nextcloud_valkey.service
+AssertPathIsDirectory=%h/podman/nextcloud
+AssertPathIsDirectory=%h/podman/nextcloud/html
+AssertPathIsDirectory=%h/nextcloud
+
 [Container]
 Pod=nextcloud.pod
 ContainerName=nextcloud
-Image=ghcr.io/linuxserver/nextcloud:latest
+Image=docker.io/library/nextcloud:fpm-alpine
 # Enable auto-update container
 AutoUpdate=registry
 # pass this to attach it to container
-EnvironmentFile=./.env
+Environment=MYSQL_PASSWORD=${MARIADB_PASSWORD}
+Environment=MYSQL_DATABASE=${MARIADB_DATABASE}
+Environment=MYSQL_USER=${MARIADB_USER}
+Environment=MYSQL_HOST=localhost:/tmp/docker/mysqld.sock
+Environment=PHP_MEMORY_LIMIT=2G
+Environment=PHP_UPLOAD_LIMIT=100G
+Environment=PHP_OPCACHE_MEMORY_CONSUMPTION=256
+Environment=PHP_MAX_EXECUTION_TIME=7200
-Volume=%h/podman/nextcloud/config:/config
-Volume=%h/nextcloud:/data
+Volume=%h/podman/nextcloud/html:/var/www/html
+Volume=%h/nextcloud:/var/www/html/data
+Volume=%h/.config/containers/systemd/nextcloud/zz-docker.conf:/usr/local/etc/php-fpm.d/zz-docker.conf
 Volume=${EXTERNAL_DIR}:${EXTERNAL_DIR}
 [Service]
@@ -25,4 +37,3 @@ TimeoutStartSec=300
 [Install]
 WantedBy=default.target
-
diff --git a/nextcloud/nextcloud.pod b/nextcloud/nextcloud.pod
index 01a115a..5f4302e 100644
--- a/nextcloud/nextcloud.pod
+++ b/nextcloud/nextcloud.pod
@@ -3,8 +3,8 @@ Description=Nextcloud Pod
 [Pod]
 PodName=nextcloud
-PublishPort=8080:80
 Volume=%h/podman/nextcloud/.socket:/tmp/docker
+Network=host
 # to satisfy nextcloud bitch permissions problems
 UIDMap=1000:0:1
diff --git a/nextcloud/nextcloud_db.container b/nextcloud/nextcloud_db.container
index 679edc1..833f4c8 100644
--- a/nextcloud/nextcloud_db.container
+++ b/nextcloud/nextcloud_db.container
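Review bot: `Environment=MYSQL_PASSWORD=${MARIADB_PASSWORD}` in the first hunk moves the database password from the removed `EnvironmentFile=./.env`, which podman consumed as an env file, onto the generated `podman run` command line, since Quadlet renders each Environment= key as a `--env` argument; once systemd expands `${MARIADB_PASSWORD}` the cleartext value sits in that process's arguments for as long as it runs, readable through /proc by other local users unless proc is mounted with hidepid, which the env-file form avoided. Keeping the secret out of argv means either restoring an `EnvironmentFile=` for the MYSQL_* values or using Quadlet's `Secret=` option backed by a podman secret. The expansion also relies on an EnvironmentFile= in the [Service] section, which lies outside this hunk; it is presumably still there because the unchanged `Volume=${EXTERNAL_DIR}:${EXTERNAL_DIR}` needs it too, but that should be confirmed now that the [Container] one is gone.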
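Review bot: `Network=host` in the nextcloud.pod hunk replaces one published port with the host's whole network namespace for every container in the pod, so any member that listens on TCP, whether by image default or a future addition, is reachable on all host interfaces rather than only where `PublishPort=8080:80` said. The db and valkey hunks in this patch turn off their TCP listeners and zz-docker.conf moves php-fpm to a unix socket, so nothing visible here listens today, but that invariant is now enforced by three separate files with no statement of it. A comment above the line would make the assumption explicit, e.g. `# host network: every container in this pod must listen on unix sockets only, never TCP`.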
@@ -5,7 +5,7 @@ Description=Nextcloud DB Container
 Pod=nextcloud.pod
 ContainerName=nextcloud_db
 Image=docker.io/library/mariadb:lts
-Exec='--transaction-isolation=READ-COMMITTED' '--log-bin=binlog' '--binlog-format=ROW' '--socket=/tmp/docker/mysqld.sock'
+Exec='--transaction-isolation=READ-COMMITTED' '--log-bin=binlog' '--binlog-format=ROW' '--socket=/tmp/docker/mysqld.sock' '--skip-networking'
 # Enable auto-update container
 AutoUpdate=registry
diff --git a/nextcloud/nextcloud_imaginary.container b/nextcloud/nextcloud_imaginary.container
index d2f1f40..03b4e1c 100644
--- a/nextcloud/nextcloud_imaginary.container
+++ b/nextcloud/nextcloud_imaginary.container
@@ -2,19 +2,18 @@ Description=Nextcloud Imaginary Container
 [Container]
-Pod=nextcloud.pod
+Network=host
 ContainerName=nextcloud_imaginary
 Image=ghcr.io/nextcloud-releases/aio-imaginary
 Exec=-enable-url-source -cors
 # Enable auto-update container
 AutoUpdate=registry
+Environment=PORT=9999
+
 # capabilities
 AddCapability=CAP_SYS_NICE
-# this does not map any uid from host as this fucker doesn't like it.
-UserNS=auto
-
 # disable healthcheck
 HealthCmd=none
 HealthInterval=disable
diff --git a/nextcloud/nextcloud_valkey.container b/nextcloud/nextcloud_valkey.container
index 5fb0c7f..37093db 100644
--- a/nextcloud/nextcloud_valkey.container
+++ b/nextcloud/nextcloud_valkey.container
@@ -5,7 +5,7 @@ Description=Nextcloud Valkey Container
 Pod=nextcloud.pod
 ContainerName=nextcloud_valkey
 Image=ghcr.io/valkey-io/valkey:alpine
-Exec=--unixsocket /tmp/docker/valkey.sock --unixsocketperm 777
+Exec=--port 0 --unixsocket /tmp/docker/valkey.sock --unixsocketperm 777
 # Enable auto-update container
 AutoUpdate=registry
diff --git a/nextcloud/zz-docker.conf b/nextcloud/zz-docker.conf
new file mode 100644
index 0000000..3c573fc
--- /dev/null
+++ b/nextcloud/zz-docker.conf
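Review bot: `'--skip-networking'` makes the `--socket=/tmp/docker/mysqld.sock` path on the same Exec line the only endpoint, and that exact string is what nextcloud.container's new `MYSQL_HOST=localhost:/tmp/docker/mysqld.sock` depends on, so the two lines are now a silent contract. A comment above Exec would record it, e.g. `# TCP disabled; the --socket path must match MYSQL_HOST in nextcloud.container`. Whether the mariadb image's own healthcheck still passes with networking off is not visible in this patch and is worth checking on first start.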
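Review bot: In the nextcloud_imaginary.container hunk, `Network=host` together with the new `Environment=PORT=9999` and the unchanged `Exec=-enable-url-source -cors` exposes an unauthenticated image service that fetches caller-supplied URLs on every host interface, whereas inside the pod it was reachable only by pod members; anyone who can reach port 9999 on the host can now have the service make outbound requests from the host's network position. Binding to loopback is the minimal fix, `Exec=-a 127.0.0.1 -enable-url-source -cors` using imaginary's bind-address flag, and `-enable-url-source` can be dropped altogether if Nextcloud only POSTs file bodies to it, which cannot be confirmed from this patch. Removing `UserNS=auto` also gives up the uid isolation the deleted comment described; if that is intentional, a one-line comment saying why would save the next reader from re-adding it.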
@@ -0,0 +1,19 @@
+[global]
+daemonize = no
+
+[www]
+listen = /tmp/docker/nextcloud-fpm.sock
+
+listen.owner = 1000
+listen.group = 1000
+listen.mode = 0777
+
+user = 1000
+group = 1000
+
+pm.max_children = 50
+pm.start_servers = 10
+pm.min_spare_servers = 5
+pm.max_spare_servers = 15
+pm.max_requests = 1000
+
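Review bot: `listen.mode = 0777` makes the php-fpm socket writable by every uid that can reach /tmp/docker, which nextcloud.pod bind-mounts from `%h/podman/nextcloud/.socket`, so any local process with access to that directory can submit FastCGI requests straight to Nextcloud's PHP and bypass whatever the web server enforces in front of it. With `listen.owner` and `listen.group` already set to 1000, `listen.mode = 0660` is enough if the FastCGI client runs as uid or gid 1000, which this patch does not show. The file also repeats the 1000 that nextcloud-cron.service and nextcloud.pod hard-code, so a header comment would help, e.g. `; uid/gid 1000 must match UIDMap in nextcloud.pod and -u in nextcloud-cron.service`.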