Add Nextcloud cloud storage role with split Redis caching strategy

## New Features - **Nextcloud Role**: Complete cloud storage deployment using Podman Quadlet - FPM variant with Caddy reverse proxy and FastCGI - PostgreSQL database via Unix socket - Valkey/Redis for app-level caching and file locking - Automatic HTTPS with Let's Encrypt via Caddy - Dual-root pattern: Caddy serves static assets, FPM handles PHP - **Split Caching Strategy**: Redis caching WITHOUT Redis sessions - Custom redis.config.php template for app-level caching only - File-based PHP sessions for stability (avoids session lock issues) - Prevents cascading failures from session lock contention - Documented in role README with detailed rationale ## Infrastructure Updates - **Socket Permissions**: Update PostgreSQL and Valkey to mode 777 - Required for containers that switch users (root → www-data) - Nextcloud container loses supplementary groups on user switch - Security maintained via password authentication (scram-sha-256, requirepass) - Documented socket permission architecture in docs/ - **PostgreSQL**: Export client group GID as fact for dependent roles - **Valkey**: Export client group GID as fact, update socket fix service ## Documentation - New: docs/socket-permissions-architecture.md - Explains 777 vs 770 socket permission trade-offs - Documents why group-based access doesn't work for user-switching containers - Provides TCP alternative for stricter security requirements - Updated: All role READMEs with socket permission notes - New: Nextcloud README with comprehensive deployment, troubleshooting, and Redis architecture documentation ## Configuration - host_vars: Add Nextcloud vault variables and configuration - site.yml: Include Nextcloud role in main playbook ## Technical Details **Why disable Redis sessions?** The official Nextcloud container enables Redis session handling via REDIS_HOST env var, which causes severe performance issues: 1. Session lock contention under high concurrency (browser parallel asset requests) 2. Infinite lock retries (default lock_retries=-1) blocking FPM workers 3. Timeout orphaning: reverse proxy kills connection, worker keeps lock 4. Worker pool exhaustion: all 5 default workers blocked on same session lock 5. Cascading failure: new requests queue, more timeouts, more orphaned locks Solution: Use file-based sessions (reliable, fast for single-server) while keeping Redis for distributed cache and transactional file locking via custom config file. This provides optimal performance without the complexity of Redis session debugging. Tested: Fresh deployment on arch-vps (69.62.119.31) Domain: https://cloud.jnss.me/
2025-12-14 22:07:08 +01:00
parent 8e8aabd5e7
commit 4f8da38ca6
24 changed files with 1379 additions and 8 deletions
--- a/roles/nextcloud/templates/nextcloud.caddy.j2
+++ b/roles/nextcloud/templates/nextcloud.caddy.j2
@@ -0,0 +1,71 @@
+# Nextcloud Cloud Storage Service
+# Caddy reverse proxy to FPM container with FastCGI transport
+# Based on official Caddy php_fastcgi Docker example and Nextcloud NGINX config
+{{ nextcloud_domain }} {
+    # Caddy root - host path where static files exist for serving
+    # This allows Caddy to find files to serve directly (CSS, JS, images)
+    root * {{ nextcloud_html_dir }}
+
+    # .well-known redirects for CalDAV/CardDAV (must be before php_fastcgi)
+    redir /.well-known/carddav /remote.php/dav 301
+    redir /.well-known/caldav /remote.php/dav 301
+    
+    # Handle .well-known requests that aren't explicitly redirected above
+    # Let Nextcloud's API handle all other /.well-known/* URIs
+    redir /.well-known/* /index.php{uri} 301
+
+    # Block access to sensitive directories (adapted from NGINX config)
+    # Match both the directory itself and anything under it
+    @forbidden {
+        path /build /build/*
+        path /tests /tests/*
+        path /config /config/*
+        path /lib /lib/*
+        path /3rdparty /3rdparty/*
+        path /templates /templates/*
+        path /data /data/*
+        path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+    }
+    respond @forbidden 404
+
+    # PHP-FPM with container root for SCRIPT_FILENAME
+    # The nested 'root' directive tells FPM where files are in the container
+    # Per official Caddy docs: https://caddyserver.com/docs/caddyfile/directives/php_fastcgi
+    php_fastcgi 127.0.0.1:{{ nextcloud_fpm_port }} {
+        root /var/www/html
+        env front_controller_active true
+        env modHeadersAvailable true
+    }
+    
+    # Serve static files directly (CSS, JS, images, fonts, etc.)
+    # Disable index serving to let php_fastcgi handle / and /index.php
+    # This prevents index.html from being served instead of routing to index.php
+    file_server {
+        index off
+    }
+
+    # Security headers (adapted from Nextcloud NGINX config)
+    header {
+        # HSTS with preload
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Prevent embedding in frames from other origins
+        X-Frame-Options "SAMEORIGIN"
+        # Prevent MIME type sniffing
+        X-Content-Type-Options "nosniff"
+        # XSS protection
+        X-XSS-Protection "1; mode=block"
+        # Referrer policy
+        Referrer-Policy "no-referrer"
+        # Disable FLoC tracking
+        Permissions-Policy "interest-cohort=()"
+        # Remove server header
+        -Server
+    }
+
+    # Logging
+    log {
+        output file {{ caddy_log_dir }}/nextcloud.log
+        level INFO
+        format json
+    }
+}