joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f3f111d88dfe9240d20c4119581c5e23eb3330f
rick-infra/roles/valkey/defaults/main.yml
Joakim 4f8da38ca6 Add Nextcloud cloud storage role with split Redis caching strategy 
## New Features

- **Nextcloud Role**: Complete cloud storage deployment using Podman Quadlet
  - FPM variant with Caddy reverse proxy and FastCGI
  - PostgreSQL database via Unix socket
  - Valkey/Redis for app-level caching and file locking
  - Automatic HTTPS with Let's Encrypt via Caddy
  - Dual-root pattern: Caddy serves static assets, FPM handles PHP

- **Split Caching Strategy**: Redis caching WITHOUT Redis sessions
  - Custom redis.config.php template for app-level caching only
  - File-based PHP sessions for stability (avoids session lock issues)
  - Prevents cascading failures from session lock contention
  - Documented in role README with detailed rationale

## Infrastructure Updates

- **Socket Permissions**: Update PostgreSQL and Valkey to mode 777
  - Required for containers that switch users (root → www-data)
  - Nextcloud container loses supplementary groups on user switch
  - Security maintained via password authentication (scram-sha-256, requirepass)
  - Documented socket permission architecture in docs/

- **PostgreSQL**: Export client group GID as fact for dependent roles
- **Valkey**: Export client group GID as fact, update socket fix service

## Documentation

- New: docs/socket-permissions-architecture.md
  - Explains 777 vs 770 socket permission trade-offs
  - Documents why group-based access doesn't work for user-switching containers
  - Provides TCP alternative for stricter security requirements

- Updated: All role READMEs with socket permission notes
- New: Nextcloud README with comprehensive deployment, troubleshooting, and Redis architecture documentation

## Configuration

- host_vars: Add Nextcloud vault variables and configuration
- site.yml: Include Nextcloud role in main playbook

## Technical Details

**Why disable Redis sessions?**

The official Nextcloud container enables Redis session handling via REDIS_HOST env var,
which causes severe performance issues:

1. Session lock contention under high concurrency (browser parallel asset requests)
2. Infinite lock retries (default lock_retries=-1) blocking FPM workers
3. Timeout orphaning: reverse proxy kills connection, worker keeps lock
4. Worker pool exhaustion: all 5 default workers blocked on same session lock
5. Cascading failure: new requests queue, more timeouts, more orphaned locks

Solution: Use file-based sessions (reliable, fast for single-server) while keeping
Redis for distributed cache and transactional file locking via custom config file.

This provides optimal performance without the complexity of Redis session debugging.

Tested: Fresh deployment on arch-vps (69.62.119.31)
Domain: https://cloud.jnss.me/
2025-12-14 22:07:08 +01:00

97 lines
3.5 KiB
YAML
Raw Blame History

---
# =================================================================
# Valkey Infrastructure Role - Simplified Configuration
# =================================================================
# Provides Valkey (Redis-compatible) as shared infrastructure for applications
# Applications manage their own Valkey database selections and usage
# =================================================================
# Essential Configuration
# =================================================================
# Service Management
valkey_service_enabled: true
valkey_service_state: "started"
# Network Security (Unix socket only - no TCP)
valkey_bind: "" # Disable TCP, socket-only mode
valkey_port: 0 # Disable TCP port
valkey_protected_mode: false # Not needed for socket-only mode
# Unix Socket Configuration
valkey_unix_socket_enabled: true
valkey_unix_socket_path: "/var/run/valkey/valkey.sock"
# Note: 777 allows containers running as any UID to access the socket
# This is needed for containers that start as root and switch to unprivileged users (e.g., Nextcloud)
# Security is maintained via password authentication (requirepass)
# Alternative: Use TCP on 127.0.0.1:6379 (see documentation)
valkey_unix_socket_perm: "777"
# Group-Based Access Control
valkey_client_group: "valkey-clients"
valkey_client_group_create: true
# Authentication
valkey_password: "{{ vault_valkey_password }}"
# =================================================================
# Performance Settings (Conservative Defaults)
# =================================================================
# Memory Management
valkey_maxmemory: "256mb"
valkey_maxmemory_policy: "allkeys-lru"
# Persistence (balanced approach)
valkey_save_enabled: true
valkey_save_intervals:
- "900 1" # Save if 1 key changed in 900s
- "300 10" # Save if 10 keys changed in 300s
- "60 10000" # Save if 10000 keys changed in 60s
# RDB and AOF settings
valkey_rdbcompression: true
valkey_rdbchecksum: true
valkey_appendonly: false # RDB only for simplicity
# =================================================================
# Security Configuration
# =================================================================
valkey_timeout: 300
valkey_tcp_keepalive: 300
valkey_tcp_backlog: 511
# =================================================================
# Database Configuration
# =================================================================
# Database allocation for applications
# Applications should use different database numbers:
# - authentik: database 1
# - nextcloud: database 2
# - future services: database 3, 4, etc.
valkey_databases: 16
# =================================================================
# Logging Configuration
# =================================================================
valkey_loglevel: "notice"
valkey_syslog_enabled: true
valkey_syslog_ident: "valkey"
# =================================================================
# Infrastructure Notes
# =================================================================
# This role provides minimal Valkey infrastructure
# Applications should configure their own Valkey usage:
#
# Environment variables in application configs:
# - VALKEY_HOST: "{{ ansible_default_ipv4.address }}" or "127.0.0.1"
# - VALKEY_PORT: "6379"
# - VALKEY_PASSWORD: "{{ vault_valkey_password }}"
# - VALKEY_DB: "1" (or 2, 3, etc. - unique per application)
#
# Note: Applications can also use REDIS_* environment variables
# for compatibility since Valkey is fully Redis-compatible
Reference in New Issue View Git Blame Copy Permalink