feat: immich permissions problems not anymore

gitea/gitea.container

@@ -3,7 +3,7 @@ Description=Gitea Container
 
 [Container]
 ContainerName=gitea
-Image=docker.io/gitea/gitea:latest
+Image=ghcr.io/go-gitea/gitea:latest
 
 # Enable auto-update container
 AutoUpdate=registry

headscale/headscale.container

@@ -4,7 +4,7 @@ Description=Headscale Container
 [Container]
 Network=host
 ContainerName=headscale
-Image=docker.io/headscale/headscale:latest
+Image=ghcr.io/juanfont/headscale:latest
 Exec=serve
 
 # Enable auto-update container

homeassistant/homeassistant.container

@@ -12,6 +12,7 @@ AutoUpdate=registry
 Volume=%h/podman/homeassistant/config:/config
 Volume=/etc/localtime:/etc/localtime:ro
 Volume=/run/dbus:/run/dbus:ro
+Volume=/tmp/unbound_stats:/tmp/unbound_stats
 
 [Service]
 Restart=always

homeassistant/homeassistant.pod

@@ -4,5 +4,3 @@ Description=HomeAssistant Pod
 [Pod]
 PodName=homeassistant
 Network=host
-
-UserNS=keep-id

immich/immich.pod

@@ -6,7 +6,3 @@ PodName=immich
 #PublishPort=2283:2283
 Network=host
 Volume=%h/podman/immich/.socket:/tmp/immich
-
-# to satisfy immich bitch permissions problems
-UIDMap=1000:0:1
-UIDMap=0:1:1000

immich/immich_valkey.container

@@ -5,12 +5,13 @@ Description=Immich Valkey Container
 Pod=immich.pod
 ContainerName=immich_valkey
 Image=ghcr.io/valkey-io/valkey:alpine
-Exec=--port 0 --unixsocket /tmp/immich/valkey.sock --unixsocketperm 777
+Exec=--port 0 --unixsocket ${REDIS_SOCKET} --unixsocketperm 777
 
 # Enable auto-update container
 AutoUpdate=registry
 
 [Service]
+EnvironmentFile=%h/.config/containers/systemd/immich/.env
 Restart=always
 TimeoutStartSec=300
 

matrix/synapse.container

@@ -6,7 +6,7 @@ After=synapse_db.service
 [Container]
 Pod=matrix.pod
 ContainerName=synapse
-Image=docker.io/matrixdotorg/synapse:latest
+Image=ghcr.io/element-hq/synapse:latest
 
 # Enable auto-update container
 AutoUpdate=registry

matrix/synapse_db.container

@@ -12,7 +12,7 @@ AutoUpdate=registry
 # pass this to attach it to container
 Environment=POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
 Environment=POSTGRES_USER=${POSTGRES_USER}
-Environment=POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+Environment=POSTGRES_INITDB_ARGS='--encoding=UTF-8 --lc-collate=C --lc-ctype=C'
 
 Volume=%h/podman/matrix/database:/var/lib/postgresql/data
 

nextcloud/env.example

@@ -1,6 +1,37 @@
+# db
 MARIADB_ROOT_PASSWORD=
 MARIADB_PASSWORD=
 MARIADB_DATABASE=nextcloud
 MARIADB_USER=nextcloud
-TZ=Asia/Kolkata
+MARIADB_HOST=/tmp/docker/mysqld.sock
-EXTERNAL_DIR=/media/vault/nextcloud
+
+# redis
+REDIS_HOST=/tmp/docker/valkey.sock
+REDIS_HOST_PORT=0
+
+# Misc
+TZ=Etc/UTC
+
+# Directories
+EXTERNAL_DIR=
+
+# notify push
+SOCKET_PATH=/tmp/docker/notify_push.sock
+
+# reverse proxy
+OVERWRITEPROTOCOL=https
+OVERWRITECLIURL=https://cloud.example.com
+TRUSTED_PROXIES=127.0.0.1 ::1
+
+# SMTP
+SMTP_HOST=smtp.example.com
+SMTP_SECURE=ssl
+SMTP_NAME=
+SMTP_PASSWORD=
+MAIL_FROM_ADDRESS=
+MAIL_DOMAIN=
+
+# PHP Optimizations
+PHP_MEMORY_LIMIT=2G
+PHP_UPLOAD_LIMIT=100G
+PHP_OPCACHE_MEMORY_CONSUMPTION=256

nextcloud/nextcloud-entrypoint.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -eu
+
+####################
+# My Special Sauce #
+####################
+#################################################################
+# This script is to make the www-data in /entrypoint.sh to	#
+# any user specified by $PUID environment variable,		#
+# so that your nextcloud can run or update properly.		#
+#################################################################
+
+# fix nextcloud not setting Local Time zone
+apk add --no-cache tzdata
+
+# default to UID=1000 if not set
+TARGET_UID="${PUID:-1000}"
+
+# add user as the su in image doesn't know user ID we will pass
+adduser -D -u "${TARGET_UID}" "abc" || true
+
+# Overwrite /usr/local/etc/php-fpm.d/zz-docker.conf to make php-fpm listen on unix socket
+cat <<EOF >/usr/local/etc/php-fpm.d/zz-docker.conf
+; Generated by /nextcloud-entrypoint.sh
+; DO NOT EDIT THIS FILE, IT WILL BE OVERWRITTEN !!
+; please make changes in the /nextcloud-entrypoint.sh script
+[global]
+daemonize = no
+
+[www]
+access.log = /tmp/fpm-access.log
+listen = ${NEXTCLOUD_FPM_SOCK:-/tmp/docker/nextcloud-fpm.sock}
+
+listen.owner = ${TARGET_UID}
+listen.group = ${TARGET_UID}
+; Restricting socket to owner and group only
+listen.mode = 0660
+
+user = ${TARGET_UID}
+group = ${TARGET_UID}
+
+pm.max_children = 50
+pm.start_servers = 10
+pm.min_spare_servers = 5
+pm.max_spare_servers = 15
+pm.max_requests = 1000
+EOF
+
+# replace "www-data" with numeric $PUID in /entrypoint.sh
+sed -i "s/www-data/abc/g" /entrypoint.sh
+
+# execute the patched entrypoint with all args
+exec /entrypoint.sh php-fpm

nextcloud/nextcloud-notify-push-entrypoint.sh

@@ -0,0 +1,60 @@
+#!/bin/sh
+
+# env exports
+export NEXTCLOUD_URL="${NEXTCLOUD_URL:-$OVERWRITECLIURL}"
+export REDIS_URL="redis+unix://${REDIS_HOST}"
+export DATABASE_URL="mysql://${MARIADB_USER}:${MARIADB_PASSWORD}@localhost/${MARIADB_DATABASE}?socket=${MARIADB_HOST}"
+export DATABASE_PREFIX="oc_"
+
+# Clean shutdown handler
+cleanup() {
+	echo "[*] Stopping notify_push..."
+	kill -TERM "$NOTIFY_PID" 2>/dev/null && echo "[✓] notify push stopped.." || echo "Unable to Kill Notify Push.."
+	echo "[✓] Bye..."
+}
+trap 'cleanup' TERM INT
+
+echo "[*] Checking Nextcloud Host Presence..."
+while ! curl -s --fail --max-time 15 "$NEXTCLOUD_URL/status.php" >/dev/null; do
+	echo "[*] Waiting for Nextcloud to start..."
+	sleep 5
+done
+
+echo "[✓] Nextcloud Host is UP and Serving."
+echo "[*] Ensuring notify_push app is installed and enabled..."
+php occ app:install notify_push || true
+php occ app:enable notify_push || true
+
+echo "[*] Starting notify_push binary..."
+/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push &
+NOTIFY_PID=$!
+
+# Posix compliance check to ensure notify_push is running
+if kill -0 "$PID" 2>/dev/null; then
+	echo "[✓] Notify Push is UP and running."
+else
+	echo "[X] Notify Push is not Running!! Exiting.."
+	exit 1
+fi
+
+# Wait for the socket to active and respond, max 30 seconds
+i=1
+while [ $i -le 6 ]; do
+	if [ -S "$SOCKET_PATH" ]; then
+		echo "[*] Socket file exists, testing HTTP response..."
+		if curl -s --max-time 5 --unix-socket "$SOCKET_PATH" http://localhost/ -o /dev/null; then
+			echo "[*] Running occ notify_push:setup"
+			php occ notify_push:setup "${NEXTCLOUD_URL}/push" || true
+			break
+		else
+			echo "[!] Socket exists, but no HTTP response yet"
+		fi
+	fi
+
+	echo "[*] Waiting 5 seconds for notify_push to be ready... (try $i/6)"
+	sleep 5
+	: $((i += 1))
+done
+
+# Keep container alive while notify_push runs
+wait

nextcloud/nextcloud-notify-push.service

@@ -1,17 +0,0 @@
-[Unit]
-Description=Push daemon for Nextcloud clients
-Documentation=https://github.com/nextcloud/notify_push
-Requires=nextcloud.service
-After=nextcloud.service
-PartOf=nextcloud.service
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/podman exec -u 1000 nextcloud \
-  /var/www/html/apps/notify_push/bin/x86_64/notify_push \
-  /var/www/html/config/config.php
-Restart=always
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target

nextcloud/nextcloud.container

@@ -3,39 +3,28 @@ Description=Nextcloud Container
 Requires=nextcloud_db.service nextcloud_valkey.service
 After=nextcloud_db.service nextcloud_valkey.service
 
-AssertPathIsDirectory=%h/podman/nextcloud
-AssertPathIsDirectory=%h/podman/nextcloud/html
-AssertPathIsDirectory=%h/nextcloud
-
 [Container]
 Pod=nextcloud.pod
 ContainerName=nextcloud
 Image=docker.io/library/nextcloud:fpm-alpine
+Entrypoint=/nextcloud-entrypoint.sh
 
 # Enable auto-update container
 AutoUpdate=registry
 
-Environment=TZ=${TZ}
+# DB credentials (only required when setting up first time)
-
-# DB credentials
 Environment=MYSQL_PASSWORD=${MARIADB_PASSWORD}
 Environment=MYSQL_DATABASE=${MARIADB_DATABASE}
 Environment=MYSQL_USER=${MARIADB_USER}
-Environment=MYSQL_HOST=localhost:/tmp/docker/mysqld.sock
+Environment=MYSQL_HOST=localhost:${MARIADB_HOST}
-
-# PHP Optimizations
-Environment=PHP_MEMORY_LIMIT=2G
-Environment=PHP_UPLOAD_LIMIT=100G
-Environment=PHP_OPCACHE_MEMORY_CONSUMPTION=256
-
-# Nextcloud Notify Push socket
-Environment=SOCKET_PATH=/tmp/docker/notify_push.sock
 
+# env file
+EnvironmentFile=./.env
 
 Volume=%h/podman/nextcloud/html:/var/www/html
 Volume=%h/nextcloud:/var/www/html/data
-Volume=%h/.config/containers/systemd/nextcloud/zz-docker.conf:/usr/local/etc/php-fpm.d/zz-docker.conf
 Volume=${EXTERNAL_DIR}:${EXTERNAL_DIR}
+Volume=./nextcloud-entrypoint.sh:/nextcloud-entrypoint.sh
 
 [Service]
 # pass this to autofill above variables

nextcloud/nextcloud_db.container

@@ -5,12 +5,19 @@ Description=Nextcloud DB Container
 Pod=nextcloud.pod
 ContainerName=nextcloud_db
 Image=docker.io/library/mariadb:lts
-Exec='--transaction-isolation=READ-COMMITTED' '--log-bin=binlog' '--binlog-format=ROW' '--socket=/tmp/docker/mysqld.sock' '--skip-networking'
+Exec=--transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW --socket=${MARIADB_HOST} --skip-networking
 
 # Enable auto-update container
 AutoUpdate=registry
-# pass this to attach it to container
+
-EnvironmentFile=./.env
+# Timezone
+Environment=TZ=${TZ}
+
+# DB credentials
+Environment=MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}
+Environment=MARIADB_PASSWORD=${MARIADB_PASSWORD}
+Environment=MARIADB_DATABASE=${MARIADB_DATABASE}
+Environment=MARIADB_USER=${MARIADB_USER}
 
 Volume=%h/podman/nextcloud/db:/var/lib/mysql
 

nextcloud/nextcloud_push.container

@@ -0,0 +1,47 @@
+[Unit]
+Description=Nextcloud Notify Push Container
+Requires=nextcloud_db.service nextcloud_valkey.service nextcloud.service
+After=nextcloud_db.service nextcloud_valkey.service nextcloud.service
+
+[Container]
+Pod=nextcloud.pod
+ContainerName=nextcloud_push
+Image=docker.io/library/nextcloud:fpm-alpine
+Entrypoint=/nextcloud-notify-push-entrypoint.sh
+User=1000
+Group=1000
+
+# Enable auto-update container
+AutoUpdate=registry
+
+# Timezone
+Environment=TZ=${TZ}
+
+# Nextcloud variables
+Environment=SOCKET_PATH=${SOCKET_PATH}
+Environment=OVERWRITECLIURL=${OVERWRITECLIURL}
+Environment=OVERWRITEPROTOCOL=${OVERWRITEPROTOCOL}
+Environment=TRUSTED_PROXIES=${TRUSTED_PROXIES}
+
+# DB credentials
+Environment=MARIADB_PASSWORD=${MARIADB_PASSWORD}
+Environment=MARIADB_DATABASE=${MARIADB_DATABASE}
+Environment=MARIADB_USER=${MARIADB_USER}
+Environment=MARIADB_HOST=${MARIADB_HOST}
+
+# Redis
+Environment=REDIS_HOST=${REDIS_HOST}
+Environment=REDIS_HOST_PORT=${REDIS_HOST_PORT}
+
+Volume=%h/podman/nextcloud/html:/var/www/html
+Volume=./nextcloud-notify-push-entrypoint.sh:/nextcloud-notify-push-entrypoint.sh
+Volume=%h/nextcloud:/var/www/html/data
+
+[Service]
+# pass this to autofill above variables
+EnvironmentFile=%h/.config/containers/systemd/nextcloud/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target

nextcloud/nextcloud_valkey.container

@@ -5,12 +5,13 @@ Description=Nextcloud Valkey Container
 Pod=nextcloud.pod
 ContainerName=nextcloud_valkey
 Image=ghcr.io/valkey-io/valkey:alpine
-Exec=--port 0 --unixsocket /tmp/docker/valkey.sock --unixsocketperm 777
+Exec=--port 0 --unixsocket ${REDIS_HOST} --unixsocketperm 777
 
 # Enable auto-update container
 AutoUpdate=registry
-# pass this to attach it to container
+
-EnvironmentFile=./.env
+# Timezone
+Environment=TZ=${TZ}
 
 Volume=%h/podman/nextcloud/valkey:/data
 

nextcloud/zz-docker.conf

@@ -1,19 +0,0 @@
-[global]
-daemonize = no
-
-[www]
-listen = /tmp/docker/nextcloud-fpm.sock
-
-listen.owner = 1000
-listen.group = 1000
-listen.mode = 0777
-
-user = 1000
-group = 1000
-
-pm.max_children = 50
-pm.start_servers = 10
-pm.min_spare_servers = 5
-pm.max_spare_servers = 15
-pm.max_requests = 1000
-

vaultwarden/env.example

@@ -0,0 +1,17 @@
+# base config
+DOMAIN=https://vw.example.com
+SIGNUPS_ALLOWED=false
+INVITATIONS_ALLOWED=false
+
+# smtp config
+SMTP_HOST=smtp.example.com
+SMTP_FROM=mail@example.com
+SMTP_FROM_NAME=Vaultwarden
+SMTP_USERNAME=username
+SMTP_PASSWORD=
+SMTP_TIMEOUT=15
+SMTP_SECURITY=force_tls
+SMTP_PORT=465
+
+# rocket http configuration
+ROCKET_PORT=7777

vaultwarden/vaultwarden.container

@@ -0,0 +1,22 @@
+[Unit]
+Description=VaultWarden Container
+
+[Container]
+ContainerName=vaultwarden
+Image=ghcr.io/dani-garcia/vaultwarden:alpine
+
+# Enable auto-update container
+AutoUpdate=registry
+EnvironmentFile=./.env
+
+Network=host
+
+Volume=%h/podman/vaultwarden:/data
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vaultwarden/.env
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target