Fix Nextcloud DNS resolution and implement systemd cron for background jobs

- Enable IP forwarding in security playbook (net.ipv4.ip_forward = 1)
- Add podman network firewall rules to fix container DNS/HTTPS access
- Implement systemd timer for reliable Nextcloud background job execution
- Add database optimization tasks (indices, bigint conversion, mimetypes)
- Configure maintenance window (04:00 UTC) and phone region (NO)
- Add security headers (X-Robots-Tag, X-Permitted-Cross-Domain-Policies)
- Create Nextcloud removal playbook for clean uninstall
- Fix nftables interface matching (podman0 vs podman+)

Root cause: nftables FORWARD chain blocked container egress traffic
Solution: Explicit firewall rules for podman0 bridge interface

roles/nextcloud/tasks/cron.yml

@@ -0,0 +1,72 @@
+---
+# =================================================================
+# Nextcloud Background Jobs Configuration
+# =================================================================
+# Rick-Infra - Nextcloud Role
+#
+# Configures systemd timer for reliable background job execution
+# instead of Ajax-based cron (which requires user activity)
+
+- name: Create nextcloud cron service
+  copy:
+    content: |
+      [Unit]
+      Description=Nextcloud Background Jobs (cron.php)
+      Documentation=https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html
+      After=nextcloud.service
+      Requires=nextcloud.service
+
+      [Service]
+      Type=oneshot
+      ExecStart=/usr/bin/podman exec --user www-data nextcloud php -f /var/www/html/cron.php
+      
+      # Logging
+      StandardOutput=journal
+      StandardError=journal
+      SyslogIdentifier=nextcloud-cron
+    dest: /etc/systemd/system/nextcloud-cron.service
+    mode: '0644'
+    backup: yes
+  notify: reload systemd
+
+- name: Create nextcloud cron timer
+  copy:
+    content: |
+      [Unit]
+      Description=Nextcloud Background Jobs Timer
+      Documentation=https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html
+
+      [Timer]
+      OnBootSec=5min
+      OnUnitActiveSec={{ nextcloud_cron_interval }}
+      Unit=nextcloud-cron.service
+
+      [Install]
+      WantedBy=timers.target
+    dest: /etc/systemd/system/nextcloud-cron.timer
+    mode: '0644'
+    backup: yes
+  notify: reload systemd
+
+- name: Enable and start nextcloud cron timer
+  systemd:
+    name: nextcloud-cron.timer
+    enabled: yes
+    state: started
+    daemon_reload: yes
+
+- name: Configure Nextcloud to use cron for background jobs
+  command: >
+    podman exec --user www-data nextcloud
+    php occ background:cron
+  register: nextcloud_cron_mode
+  changed_when: "'background jobs mode changed' in nextcloud_cron_mode.stdout or 'Set mode for background jobs to' in nextcloud_cron_mode.stdout"
+  failed_when: 
+    - nextcloud_cron_mode.rc != 0
+    - "'mode for background jobs is currently' not in nextcloud_cron_mode.stdout"
+
+- name: Verify cron timer is active
+  command: systemctl is-active nextcloud-cron.timer
+  register: timer_status
+  changed_when: false
+  failed_when: timer_status.stdout != "active"

roles/nextcloud/tasks/main.yml

@@ -138,6 +138,21 @@
   notify: restart nextcloud
   tags: [config, redis]
 
+- name: Truncate nextcloud.log to prevent bloat
+  shell: |
+    podman exec nextcloud truncate -s 0 /var/www/html/data/nextcloud.log || true
+  changed_when: false
+  failed_when: false
+  tags: [maintenance, cleanup]
+
+- name: Configure background jobs (cron)
+  include_tasks: cron.yml
+  tags: [cron, background-jobs]
+
+- name: Optimize database and apply configuration
+  include_tasks: optimization.yml
+  tags: [optimization, database]
+
 - name: Display Nextcloud deployment status
   debug:
     msg: |

roles/nextcloud/tasks/optimization.yml

@@ -0,0 +1,64 @@
+---
+# =================================================================
+# Nextcloud Database Optimization
+# =================================================================
+# Rick-Infra - Nextcloud Role
+#
+# Performs database maintenance tasks to optimize performance
+# and resolve setup warnings about missing indices and migrations
+
+- name: Add missing database indices
+  command: >
+    podman exec --user www-data nextcloud
+    php occ db:add-missing-indices
+  register: nextcloud_indices
+  changed_when: "'indices added' in nextcloud_indices.stdout or 'Check indices' in nextcloud_indices.stdout"
+  failed_when: 
+    - nextcloud_indices.rc != 0
+    - "'already exists' not in nextcloud_indices.stderr"
+
+- name: Convert filecache bigint columns
+  command: >
+    podman exec --user www-data nextcloud
+    php occ db:convert-filecache-bigint --no-interaction
+  register: nextcloud_bigint
+  changed_when: "'converted' in nextcloud_bigint.stdout"
+  failed_when:
+    - nextcloud_bigint.rc != 0
+    - "'already' not in nextcloud_bigint.stdout"
+  timeout: 300  # 5 minutes for large databases
+
+- name: Update mimetype database mappings
+  command: >
+    podman exec --user www-data nextcloud
+    php occ maintenance:repair --include-expensive
+  register: nextcloud_repair
+  changed_when: "'updated' in nextcloud_repair.stdout or 'repaired' in nextcloud_repair.stdout"
+  failed_when: nextcloud_repair.rc != 0
+  timeout: 600  # 10 minutes for expensive repairs
+
+- name: Configure maintenance window
+  command: >
+    podman exec --user www-data nextcloud
+    php occ config:system:set maintenance_window_start --value={{ nextcloud_maintenance_window_start }} --type=integer
+  register: nextcloud_maintenance_window
+  changed_when: "'set' in nextcloud_maintenance_window.stdout"
+  failed_when: nextcloud_maintenance_window.rc != 0
+
+- name: Configure default phone region
+  command: >
+    podman exec --user www-data nextcloud
+    php occ config:system:set default_phone_region --value={{ nextcloud_default_phone_region }}
+  register: nextcloud_phone_region
+  changed_when: "'set' in nextcloud_phone_region.stdout"
+  failed_when: nextcloud_phone_region.rc != 0
+
+- name: Display optimization results
+  debug:
+    msg: |
+      Database optimization complete:
+      - Indices: {{ 'Added' if 'indices added' in nextcloud_indices.stdout else 'Already optimized' }}
+      - BigInt: {{ 'Converted' if 'converted' in nextcloud_bigint.stdout else 'Already converted' }}
+      - Mimetypes: {{ 'Updated' if 'updated' in nextcloud_repair.stdout else 'Up to date' }}
+      - Maintenance window: {{ nextcloud_maintenance_window_start }}:00 UTC
+      - Phone region: {{ nextcloud_default_phone_region }}