Feat: unix socketifying and disabling ports as much as possible

2025-12-20 03:45:16 +05:30 · 2025-08-27 13:42:56 +05:30
parent 08b5c07938
commit cfa20a6396
10 changed files with 44 additions and 17 deletions
--- a/immich/immich_db.container
+++ b/immich/immich_db.container
@@ -5,7 +5,7 @@ Description=Immich Database Container
 Pod=immich.pod
 ContainerName=immich_db
 Image=ghcr.io/immich-app/postgres:17-vectorchord0.4.3
-Exec=postgres -c shared_preload_libraries=vchord -c unix_socket_directories='/var/run/postgresql/,/tmp/immich/' -c unix_socket_permissions=0770 -c shared_buffers=2GB -c work_mem=64MB -c effective_cache_size=4GB
+Exec=postgres -c shared_preload_libraries=vchord -c unix_socket_directories='/var/run/postgresql/,/tmp/immich/' -c unix_socket_permissions=0770 -c shared_buffers=2GB -c work_mem=64MB -c effective_cache_size=4GB -c listen_addresses=''

 # Enable auto-update container
 AutoUpdate=registry
--- a/immich/immich_valkey.container
+++ b/immich/immich_valkey.container
@@ -5,7 +5,7 @@ Description=Immich Valkey Container
 Pod=immich.pod
 ContainerName=immich_valkey
 Image=ghcr.io/valkey-io/valkey:alpine
-Exec=--unixsocket /tmp/immich/valkey.sock --unixsocketperm 777
+Exec=--port 0 --unixsocket /tmp/immich/valkey.sock --unixsocketperm 777

 # Enable auto-update container
 AutoUpdate=registry
--- a/nextcloud/env.example
+++ b/nextcloud/env.example
@@ -2,7 +2,5 @@ MARIADB_ROOT_PASSWORD=
 MARIADB_PASSWORD=
 MARIADB_DATABASE=nextcloud
 MARIADB_USER=nextcloud
-PUID=1000
-PGID=1000
 TZ=Asia/Kolkata
 EXTERNAL_DIR=/media/vault/nextcloud
--- a/nextcloud/nextcloud-cron.service
+++ b/nextcloud/nextcloud-cron.service
@@ -4,4 +4,4 @@ After=default.target

 [Service]
 Type=oneshot
-ExecStart=/usr/bin/podman exec -u abc nextcloud php /app/www/public/cron.php
+ExecStart=/usr/bin/podman exec -u 1000 nextcloud php /var/www/html/cron.php
--- a/nextcloud/nextcloud.container
+++ b/nextcloud/nextcloud.container
@@ -3,18 +3,30 @@ Description=Nextcloud Container
 Requires=nextcloud_db.service nextcloud_valkey.service
 After=nextcloud_db.service nextcloud_valkey.service

+AssertPathIsDirectory=%h/podman/nextcloud
+AssertPathIsDirectory=%h/podman/nextcloud/html
+AssertPathIsDirectory=%h/nextcloud
+
 [Container]
 Pod=nextcloud.pod
 ContainerName=nextcloud
-Image=ghcr.io/linuxserver/nextcloud:latest
+Image=docker.io/library/nextcloud:fpm-alpine

 # Enable auto-update container
 AutoUpdate=registry
 # pass this to attach it to container
-EnvironmentFile=./.env
+Environment=MYSQL_PASSWORD=${MARIADB_PASSWORD}
+Environment=MYSQL_DATABASE=${MARIADB_DATABASE}
+Environment=MYSQL_USER=${MARIADB_USER}
+Environment=MYSQL_HOST=localhost:/tmp/docker/mysqld.sock
+Environment=PHP_MEMORY_LIMIT=2G
+Environment=PHP_UPLOAD_LIMIT=100G
+Environment=PHP_OPCACHE_MEMORY_CONSUMPTION=256
+Environment=PHP_MAX_EXECUTION_TIME=7200

-Volume=%h/podman/nextcloud/config:/config
-Volume=%h/nextcloud:/data
+Volume=%h/podman/nextcloud/html:/var/www/html
+Volume=%h/nextcloud:/var/www/html/data
+Volume=%h/.config/containers/systemd/nextcloud/zz-docker.conf:/usr/local/etc/php-fpm.d/zz-docker.conf
 Volume=${EXTERNAL_DIR}:${EXTERNAL_DIR}

 [Service]
@@ -25,4 +37,3 @@ TimeoutStartSec=300

 [Install]
 WantedBy=default.target
-
--- a/nextcloud/nextcloud.pod
+++ b/nextcloud/nextcloud.pod
@@ -3,8 +3,8 @@ Description=Nextcloud Pod

 [Pod]
 PodName=nextcloud
-PublishPort=8080:80
 Volume=%h/podman/nextcloud/.socket:/tmp/docker
+Network=host

 # to satisfy nextcloud bitch permissions problems
 UIDMap=1000:0:1
--- a/nextcloud/nextcloud_db.container
+++ b/nextcloud/nextcloud_db.container
@@ -5,7 +5,7 @@ Description=Nextcloud DB Container
 Pod=nextcloud.pod
 ContainerName=nextcloud_db
 Image=docker.io/library/mariadb:lts
-Exec='--transaction-isolation=READ-COMMITTED' '--log-bin=binlog' '--binlog-format=ROW' '--socket=/tmp/docker/mysqld.sock'
+Exec='--transaction-isolation=READ-COMMITTED' '--log-bin=binlog' '--binlog-format=ROW' '--socket=/tmp/docker/mysqld.sock' '--skip-networking'

 # Enable auto-update container
 AutoUpdate=registry
--- a/nextcloud/nextcloud_imaginary.container
+++ b/nextcloud/nextcloud_imaginary.container
@@ -2,19 +2,18 @@
 Description=Nextcloud Imaginary Container

 [Container]
-Pod=nextcloud.pod
+Network=host
 ContainerName=nextcloud_imaginary
 Image=ghcr.io/nextcloud-releases/aio-imaginary
 Exec=-enable-url-source -cors

 # Enable auto-update container
 AutoUpdate=registry
+Environment=PORT=9999
+
 # capabilities
 AddCapability=CAP_SYS_NICE

-# this does not map any uid from host as this fucker doesn't like it.
-UserNS=auto
-
 # disable healthcheck
 HealthCmd=none
 HealthInterval=disable
--- a/nextcloud/nextcloud_valkey.container
+++ b/nextcloud/nextcloud_valkey.container
@@ -5,7 +5,7 @@ Description=Nextcloud Valkey Container
 Pod=nextcloud.pod
 ContainerName=nextcloud_valkey
 Image=ghcr.io/valkey-io/valkey:alpine
-Exec=--unixsocket /tmp/docker/valkey.sock --unixsocketperm 777
+Exec=--port 0 --unixsocket /tmp/docker/valkey.sock --unixsocketperm 777

 # Enable auto-update container
 AutoUpdate=registry
--- a/nextcloud/zz-docker.conf
+++ b/nextcloud/zz-docker.conf
@@ -0,0 +1,19 @@
+[global]
+daemonize = no
+
+[www]
+listen = /tmp/docker/nextcloud-fpm.sock
+
+listen.owner = 1000
+listen.group = 1000
+listen.mode = 0777
+
+user = 1000
+group = 1000
+
+pm.max_children = 50
+pm.start_servers = 10
+pm.min_spare_servers = 5
+pm.max_spare_servers = 15
+pm.max_requests = 1000
+