LibrePortal/containers/nextcloud/docker-compose.yml
librelad d30c309d1d feat(nextcloud): switch to fpm-alpine + nginx sidecar + Redis caching wiring
Drop Apache+mod_php for the actual performance win — nginx + PHP-FPM — without
the LinuxServer image cascade (custom auto-install, /custom-cont-init.d, abc-vs-
www-data rewrites in the auth adapter + every tool, HTTPS-by-default quirks).
The official fpm-alpine image keeps env-var auto-install and the www-data user,
so the auth adapter, all tools, and the compose-tags hook keep working unchanged.

- Compose: nextcloud-service is now fpm-alpine (still container_name=nextcloud-
  service so docker exec ... nextcloud-service php occ in the auth adapter is
  untouched). New nextcloud-web nginx sidecar serves :80 over the shared ./html
  volume, terminating FastCGI to nextcloud-service:9000. Traefik labels + PORTS_
  TAG_1 move to nextcloud-web (the HTTP face); backup.files stays on -service
  (the file-owning brain). nextcloud-db + nextcloud-redis unchanged.
- resources/nginx.conf: Nextcloud's recommended nginx config, trimmed for
  behind-Traefik (no TLS), large-upload + caldav/carddav/.well-known redirects.
- scripts/nextcloud_update_specifics.sh: NEW post-install hook —
  appUpdateSpecifics_nextcloud waits for first-boot occ install to complete
  (config.php + occ status=installed), then wires Redis as memcache.distributed
  + memcache.locking via occ config:system:set. Idempotent.

Auto-install is unchanged (official image's NEXTCLOUD_ADMIN_USER + MYSQL_* env
flow). Redis caching now actually USED by Nextcloud (previously the container
was up but config.php had no memcache config). Container-side backup capture
still the right answer for the perm boundary — image change doesn't affect it.

Verified statically: yaml structure, hook parses + dispatches + has the right
graceful-timeout fallback when occ isn't reachable. Live verification (sync
performance + actual Redis hit rate + traefik proxy of FastCGI) needs a fresh
install on a throwaway box.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-26 13:32:08 +01:00

125 lines
6.1 KiB
YAML

networks:
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
external: true
services:
# PHP-FPM backend. Same container_name as before (nextcloud-service) so the
# auth adapter + tools (`docker exec ... nextcloud-service php occ`) keep
# working unchanged. The image's entrypoint runs occ maintenance:install
# automatically on first boot when the NEXTCLOUD_ADMIN_USER + MYSQL_* env
# vars are set, so no user wizard.
nextcloud-service: #LIBREPORTAL|SERVICE_TAG_1|nextcloud-service
image: nextcloud:31-fpm-alpine
container_name: nextcloud-service
environment:
- TZ=TIMEZONE_DATA #LIBREPORTAL|TIMEZONE_TAG|TIMEZONE_DATA
- MYSQL_HOST=nextcloud-db
- MYSQL_DATABASE=NEXTCLOUD_DB_NAME_DATA #LIBREPORTAL|NEXTCLOUD_DB_NAME_TAG|NEXTCLOUD_DB_NAME_DATA
- MYSQL_USER=NEXTCLOUD_DB_USER_DATA #LIBREPORTAL|NEXTCLOUD_DB_USER_TAG|NEXTCLOUD_DB_USER_DATA
- MYSQL_PASSWORD=NEXTCLOUD_DB_PASSWORD_DATA #LIBREPORTAL|NEXTCLOUD_DB_PASSWORD_TAG|NEXTCLOUD_DB_PASSWORD_DATA
- NEXTCLOUD_ADMIN_USER=NEXTCLOUD_ADMIN_USER_DATA #LIBREPORTAL|NEXTCLOUD_ADMIN_USER_TAG|NEXTCLOUD_ADMIN_USER_DATA
- NEXTCLOUD_ADMIN_PASSWORD=NEXTCLOUD_ADMIN_PASSWORD_DATA #LIBREPORTAL|NEXTCLOUD_ADMIN_PASSWORD_TAG|NEXTCLOUD_ADMIN_PASSWORD_DATA
- NEXTCLOUD_TRUSTED_DOMAINS=NEXTCLOUD_TRUSTED_DOMAINS_DATA #LIBREPORTAL|NEXTCLOUD_TRUSTED_DOMAINS_TAG|NEXTCLOUD_TRUSTED_DOMAINS_DATA
- REDIS_HOST=nextcloud-redis
volumes:
- ./html:/var/www/html
restart: unless-stopped
depends_on:
- nextcloud-db
- nextcloud-redis
healthcheck:
disable: HEALTHCHECK_DATA #LIBREPORTAL|HEALTHCHECK_TAG|HEALTHCHECK_DATA
labels:
libreportal.category: "CATEGORY_DATA" #LIBREPORTAL|CATEGORY_TAG|CATEGORY_DATA
libreportal.title: "TITLE_DATA" #LIBREPORTAL|TITLE_TAG|TITLE_DATA
libreportal.backup.db: "mariadb:nextcloud-db:db_data:"
libreportal.backup.files: "nextcloud-service:/var/www/html:html:33:33"
# GLUETUN_OFF_BEGIN
networks:
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
ipv4_address: IP_DATA_1 #LIBREPORTAL|IP_TAG_1|IP_DATA_1
# GLUETUN_OFF_END
# GLUETUN_ON_BEGIN
# network_mode: "container:gluetun-service"
# GLUETUN_ON_END
nextcloud-db: #LIBREPORTAL|SERVICE_TAG_2|nextcloud-db
image: mariadb:11
container_name: nextcloud-db
restart: unless-stopped
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
environment:
- MARIADB_ROOT_PASSWORD=NEXTCLOUD_DB_ROOT_PASSWORD_DATA #LIBREPORTAL|NEXTCLOUD_DB_ROOT_PASSWORD_TAG|NEXTCLOUD_DB_ROOT_PASSWORD_DATA
- MARIADB_DATABASE=NEXTCLOUD_DB_NAME_DATA #LIBREPORTAL|NEXTCLOUD_DB_NAME_TAG|NEXTCLOUD_DB_NAME_DATA
- MARIADB_USER=NEXTCLOUD_DB_USER_DATA #LIBREPORTAL|NEXTCLOUD_DB_USER_TAG|NEXTCLOUD_DB_USER_DATA
- MARIADB_PASSWORD=NEXTCLOUD_DB_PASSWORD_DATA #LIBREPORTAL|NEXTCLOUD_DB_PASSWORD_TAG|NEXTCLOUD_DB_PASSWORD_DATA
volumes:
- ./db_data:/var/lib/mysql
networks:
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
ipv4_address: IP_DATA_2 #LIBREPORTAL|IP_TAG_2|IP_DATA_2
nextcloud-redis: #LIBREPORTAL|SERVICE_TAG_3|nextcloud-redis
image: redis:alpine
container_name: nextcloud-redis
restart: unless-stopped
volumes:
- ./redis_data:/data
networks:
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
ipv4_address: IP_DATA_3 #LIBREPORTAL|IP_TAG_3|IP_DATA_3
# nginx sidecar — terminates HTTP/static, proxies *.php to nextcloud-service:9000
# via FastCGI. Shares ./html (read-only) with the FPM container. This is the
# whole performance win over Apache+mod_php: no per-request PHP init, nginx
# handles static + serves connections through the FPM process pool.
nextcloud-web: #LIBREPORTAL|SERVICE_TAG_4|nextcloud-web
image: nginx:alpine
container_name: nextcloud-web
restart: unless-stopped
depends_on:
- nextcloud-service
volumes:
- ./html:/var/www/html:ro
- ./resources/nginx.conf:/etc/nginx/nginx.conf:ro
# GLUETUN_OFF_BEGIN
ports:
- "PORTS_DATA_1" #LIBREPORTAL|PORTS_TAG_1|PORTS_DATA_1
# GLUETUN_OFF_END
labels:
traefik.enable: TRAEFIK_ENABLE_DATA #LIBREPORTAL|TRAEFIK_ENABLE_TAG|TRAEFIK_ENABLE_DATA
# TRAEFIK_PORT_1_BEGIN
traefik.http.routers.nextcloud-web.entrypoints: web,websecure
traefik.http.routers.nextcloud-web.rule: Host(`DOMAINSUBNAME_DATA_1`) #LIBREPORTAL|DOMAINSUBNAME_TAG_1|DOMAINSUBNAME_DATA_1
traefik.http.routers.nextcloud-web.tls: true
traefik.http.routers.nextcloud-web.tls.certresolver: production
traefik.http.services.nextcloud-web.loadbalancer.server.port: PORT_INTERNAL_DATA_1 #LIBREPORTAL|PORT_INTERNAL_TAG_1|PORT_INTERNAL_DATA_1
traefik.http.routers.nextcloud-web.middlewares: MIDDLEWARE_DATA_1 #LIBREPORTAL|MIDDLEWARE_TAG_1|MIDDLEWARE_DATA_1
# TRAEFIK_PORT_1_END
traefik.docker.network: DOCKER_NETWORK_DATA #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
# GLUETUN_OFF_BEGIN
networks:
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
ipv4_address: IP_DATA_4 #LIBREPORTAL|IP_TAG_4|IP_DATA_4
# GLUETUN_OFF_END
# GLUETUN_ON_BEGIN
# network_mode: "container:gluetun-service"
# GLUETUN_ON_END
# >>> libreportal-monitoring >>>
#nextcloud-exporter:
# container_name: nextcloud-exporter
# image: xperimental/nextcloud-exporter:latest
# restart: unless-stopped
# depends_on:
# - nextcloud-service
# environment:
# - NEXTCLOUD_SERVER=http://nextcloud-web:PORT_INTERNAL_DATA_1 #LIBREPORTAL|PORT_INTERNAL_TAG_1|PORT_INTERNAL_DATA_1
# - NEXTCLOUD_USERNAME=NEXTCLOUD_ADMIN_USER_DATA #LIBREPORTAL|NEXTCLOUD_ADMIN_USER_TAG|NEXTCLOUD_ADMIN_USER_DATA
# - NEXTCLOUD_PASSWORD=NEXTCLOUD_ADMIN_PASSWORD_DATA #LIBREPORTAL|NEXTCLOUD_ADMIN_PASSWORD_TAG|NEXTCLOUD_ADMIN_PASSWORD_DATA
# - NEXTCLOUD_TLS_SKIP_VERIFY=true
# - NEXTCLOUD_LISTEN_ADDRESS=:PORT_INTERNAL_DATA_2 #LIBREPORTAL|PORT_INTERNAL_TAG_2|PORT_INTERNAL_DATA_2
# networks:
# DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
# <<< libreportal-monitoring <<<