Fix Nextcloud DNS resolution and implement systemd cron for background jobs

- Enable IP forwarding in security playbook (net.ipv4.ip_forward = 1)
- Add podman network firewall rules to fix container DNS/HTTPS access
- Implement systemd timer for reliable Nextcloud background job execution
- Add database optimization tasks (indices, bigint conversion, mimetypes)
- Configure maintenance window (04:00 UTC) and phone region (NO)
- Add security headers (X-Robots-Tag, X-Permitted-Cross-Domain-Policies)
- Create Nextcloud removal playbook for clean uninstall
- Fix nftables interface matching (podman0 vs podman+)

Root cause: nftables FORWARD chain blocked container egress traffic
Solution: Explicit firewall rules for podman0 bridge interface

roles/podman/defaults/main.yml

@@ -46,6 +46,10 @@ podman_registry_blocked: false
 podman_default_network: "bridge"
 podman_network_security: true
 
+# Trusted container subnets (allowed through firewall)
+podman_trusted_subnets:
+  - "10.88.0.0/16"
+
 # =================================================================
 # Storage Configuration
 # =================================================================

roles/podman/handlers/main.yml

@@ -10,4 +10,9 @@
   systemd:
     name: podman
     state: restarted
-  when: podman_service_enabled | default(true)
+  when: podman_service_enabled | default(true)
+
+- name: reload nftables
+  systemd:
+    name: nftables
+    state: reloaded

roles/podman/tasks/main.yml

@@ -42,6 +42,22 @@
     backup: yes
   notify: restart podman
 
+- name: Create default podman network with DNS enabled
+  command: podman network create podman --subnet 10.88.0.0/16
+  register: podman_network_create
+  changed_when: "'podman' in podman_network_create.stdout"
+  failed_when: 
+    - podman_network_create.rc != 0
+    - "'already exists' not in podman_network_create.stderr"
+
+- name: Deploy podman firewall rules
+  template:
+    src: podman.nft.j2
+    dest: /etc/nftables.d/10-podman.nft
+    mode: '0644'
+    backup: yes
+  notify: reload nftables
+
 - name: Enable podman system service (if enabled)
   systemd:
     name: podman

roles/podman/templates/podman.nft.j2

@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+# =================================================================
+# Podman Container Network Firewall Rules
+# =================================================================
+# Rick-Infra Infrastructure - Podman Role
+# Priority: 10 (loaded after base rules, before drop rules)
+#
+# Purpose:
+# - Allow container-to-host communication for services (PostgreSQL, Valkey)
+# - Allow container outbound traffic for DNS, package updates, etc.
+# - Enable NAT/masquerading for container networks
+#
+# Security Model:
+# - Containers are trusted (they run our own services)
+# - All container egress traffic is allowed (simplified management)
+# - Container ingress is controlled by application-specific port publishing
+#
+# Architecture:
+# - Containers access host services via Unix sockets or host.containers.internal
+# - Caddy reverse proxy handles all external traffic
+# - No direct container port exposure to internet
+
+# Add rules to INPUT chain - Allow trusted container subnets
+{% for subnet in podman_trusted_subnets %}
+add rule inet filter input ip saddr {{ subnet }} accept comment "Podman containers: {{ subnet }}"
+{% endfor %}
+
+# Add rules to FORWARD chain - Enable container forwarding
+add rule inet filter forward ct state established,related accept comment "Allow established connections"
+add rule inet filter forward iifname "podman0" accept comment "Allow outbound from podman bridge"
+add rule inet filter forward oifname "podman0" ct state established,related accept comment "Allow inbound to podman bridge (established)"