diff --git a/pve1/00_README.md b/pve1/00_README.md
index 94d49cb..10ad539 100644
--- a/pve1/00_README.md
+++ b/pve1/00_README.md
@@ -15,6 +15,7 @@
 | 04 | [04_fallback_aktivierung.md](04_fallback_aktivierung.md) | OPNsense-Fallback |
 | 05 | [05_speicher_wartung.md](05_speicher_wartung.md) | Speicher & Wartung |
 | 06 | [06_ubuntu-vm-nextcloud.md](06_ubuntu-vm-nextcloud.md) | VM 101 ubuntu, Nextcloud Status & Optimierung |
+| — | [scripts/](scripts/) | VM-101-Skripte (NAT, Wartungs-Cron, crontab) |
 
 ## Shared
 
diff --git a/pve1/06_ubuntu-vm-nextcloud.md b/pve1/06_ubuntu-vm-nextcloud.md
index 76bf482..b15ed98 100644
--- a/pve1/06_ubuntu-vm-nextcloud.md
+++ b/pve1/06_ubuntu-vm-nextcloud.md
@@ -239,7 +239,61 @@ sudo tail -f /var/log/nextcloud-maintain.log
 sudo crontab -l
 ```
 
-Ablauf Skript: `occ app:update notify_push` → `occ app:update --all` → `compose pull notify_push` → Sidecar restart → `notify_push:setup`.
+Ablauf Wartungs-Skript: `occ app:update notify_push` → `occ app:update --all` → `compose pull notify_push` → Sidecar restart → `notify_push:setup`.
+
+---
+
+## Skripte (VM 101)
+
+Quellen im docu-Repo (Deploy auf die VM nach Bedarf):
+
+| Datei im Repo | Ziel auf VM 101 |
+|---------------|-----------------|
+| [scripts/vm101-docker-nat-rules.sh](scripts/vm101-docker-nat-rules.sh) | `/usr/local/sbin/docker-nat-rules.sh` |
+| [scripts/vm101-docker-nat-rules.service](scripts/vm101-docker-nat-rules.service) | `/etc/systemd/system/docker-nat-rules.service` |
+| [scripts/vm101-nextcloud-maintain.sh](scripts/vm101-nextcloud-maintain.sh) | `/usr/local/sbin/nextcloud-maintain.sh` |
+| [scripts/vm101-root-crontab.txt](scripts/vm101-root-crontab.txt) | root-crontab (Referenz) |
+
+### Installation / Sync vom docu-Repo
+
+```bash
+# Auf VM 101 (als jean mit sudo), von einem Host mit docu-Clone:
+DOCU=/path/to/docu/pve1/scripts
+
+sudo install -m 755 "$DOCU/vm101-docker-nat-rules.sh" /usr/local/sbin/docker-nat-rules.sh
+sudo install -m 755 "$DOCU/vm101-nextcloud-maintain.sh" /usr/local/sbin/nextcloud-maintain.sh
+sudo install -m 644 "$DOCU/vm101-docker-nat-rules.service" /etc/systemd/system/docker-nat-rules.service
+
+sudo systemctl daemon-reload
+sudo systemctl enable --now docker-nat-rules.service
+```
+
+### `docker-nat-rules.sh`
+
+Manuelles NAT bei `"iptables": false`. Entfernt beim Start alte Duplikat-Regeln und setzt genau zwei MASQUERADE-Regeln.
+
+→ Vollständiger Inhalt: [scripts/vm101-docker-nat-rules.sh](scripts/vm101-docker-nat-rules.sh)
+
+### `docker-nat-rules.service`
+
+Systemd-Oneshot, startet nach `network-online.target` und `docker.service`.
+
+→ Vollständiger Inhalt: [scripts/vm101-docker-nat-rules.service](scripts/vm101-docker-nat-rules.service)
+
+### `nextcloud-maintain.sh`
+
+Wöchentliche Wartung: Apps updaten, notify_push-Sidecar pull/restart, `notify_push:setup` als Versions-Check.
+
+→ Vollständiger Inhalt: [scripts/vm101-nextcloud-maintain.sh](scripts/vm101-nextcloud-maintain.sh)
+
+### root-crontab
+
+→ Referenz: [scripts/vm101-root-crontab.txt](scripts/vm101-root-crontab.txt)
+
+```cron
+*/5 * * * * docker exec -u abc nextcloud php /app/www/public/occ background:cron >> /var/log/nextcloud-cron.log 2>&1
+30 4 * * 0 /usr/local/sbin/nextcloud-maintain.sh >> /var/log/nextcloud-maintain.log 2>&1
+```
 
 ---
 
diff --git a/pve1/scripts/vm101-docker-nat-rules.service b/pve1/scripts/vm101-docker-nat-rules.service
new file mode 100644
index 0000000..3964423
--- /dev/null
+++ b/pve1/scripts/vm101-docker-nat-rules.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Manual NAT for Docker (iptables=false)
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/docker-nat-rules.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pve1/scripts/vm101-docker-nat-rules.sh b/pve1/scripts/vm101-docker-nat-rules.sh
new file mode 100644
index 0000000..d7ec0ea
--- /dev/null
+++ b/pve1/scripts/vm101-docker-nat-rules.sh
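Review bot: The unit applies the NAT rules exactly once at boot (`Type=oneshot` with `RemainAfterExit=yes`) and offers no way to re-apply them, so after anything that flushes the nat table or changes the outbound interface (a host firewall reload, for example) the MASQUERADE rules are silently gone until someone runs `systemctl restart docker-nat-rules.service`. Since the script is written to be idempotent, adding `ExecReload=/usr/local/sbin/docker-nat-rules.sh` under `[Service]` lets `systemctl reload docker-nat-rules.service` re-apply them safely, and a `[Unit]` comment such as `# Re-apply with 'systemctl reload' after any firewall reload that flushes the nat table` tells the operator when that is needed. `After=docker.service` is ordering only; a one-line comment stating that the rules are independent of Docker's own iptables handling (which is off per the Description) would stop a future reader from adding `Requires=docker.service` and tying container egress to Docker's unit state.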
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Manual NAT for Docker with daemon.json "iptables": false.
+# Docker does not install MASQUERADE; fixed IPs on docbr0 stay untouched.
+#
+# Install: /usr/local/sbin/docker-nat-rules.sh (chmod +x)
+# Service: vm101-docker-nat-rules.service → /etc/systemd/system/docker-nat-rules.service
+set -euo pipefail
+
+OUT_IF=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev"){print $(i+1); exit}}')
+[[ -n "${OUT_IF:-}" ]] || { echo "Could not detect outbound interface" >&2; exit 1; }
+
+# Remove legacy per-bridge rules from earlier tests (idempotent cleanup)
+for net in 10.2.2.0/24 172.16.0.0/12 \
+  172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.20.0.0/16 \
+  172.21.0.0/16 172.22.0.0/16 172.23.0.0/16; do
+  while iptables -t nat -C POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE 2>/dev/null; do
+    iptables -t nat -D POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE
+  done
+done
+
+add_masq() {
+  local src=$1
+  iptables -t nat -C POSTROUTING -s "$src" -o "$OUT_IF" -j MASQUERADE 2>/dev/null \
+    || iptables -t nat -A POSTROUTING -s "$src" -o "$OUT_IF" -j MASQUERADE
+}
+
+add_masq "10.2.2.0/24" # docbr0 — static container IPs
+add_masq "172.16.0.0/12" # Docker bridge networks
+
+echo "docker-nat-rules: MASQUERADE via $OUT_IF for 10.2.2.0/24 and 172.16.0.0/12"
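Review bot: The script installs NAT only, but with `"iptables": false` Docker also installs none of its FORWARD or inter-bridge isolation rules, so nothing in this file or the unit restricts what is forwarded to, from or between 10.2.2.0/24 and the 172.16.0.0/12 bridges — that is presumably handled by a host firewall elsewhere and the header should say so, e.g. `# NOTE: NAT only — FORWARD policy and bridge isolation are not managed here; Docker installs none of them with iptables=false.` The second add_masq matches the whole 172.16.0.0/12 block rather than the bridge subnets Docker actually created, so any other traffic from that range that happens to be routed through this VM would be masqueraded too; if that is acceptable a comment saying so is enough, otherwise the per-bridge list from the cleanup loop is the safer source set. `OUT_IF` is derived from `ip route get 1.1.1.1`, which needs a default route; at boot the lookup can run before one exists, the script exits 1 and the oneshot unit fails with no retry, so either a short retry loop around the lookup or at least a journal-visible check such as `[[ "$(< /proc/sys/net/ipv4/ip_forward)" == 1 ]] || echo "docker-nat-rules: ip_forward is 0, containers have no egress" >&2` would make the failure mode diagnosable rather than silent.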
@@ -0,0 +1,54 @@
+#!/bin/bash
+# Weekly maintenance: Nextcloud apps + notify_push sidecar sync.
+# Container images (nextcloud stack): Dockge or manual compose pull.
+#
+# Install: /usr/local/sbin/nextcloud-maintain.sh (chmod +x)
+# Cron: 30 4 * * 0 (root, Sonntag 04:30 UTC)
+# Log: /var/log/nextcloud-maintain.log
+set -euo pipefail
+
+STACK=/opt/stacks/nextcloud
+LOG_TAG="nextcloud-maintain"
+LOCK=/run/nextcloud-maintain.lock
+PUSH_URL="https://cloud.jeanavril.com/push"
+
+log() { echo "[$(date -Iseconds)] $LOG_TAG: $*"; }
+
+exec 9>"$LOCK"
+if ! flock -n 9; then
+  log "already running, exit"
+  exit 0
+fi
+
+log "start"
+
+if ! docker ps --format '{{.Names}}' | grep -qx nextcloud; then
+  log "nextcloud container not running, abort"
+  exit 1
+fi
+
+log "app:update notify_push"
+docker exec -u abc nextcloud php /app/www/public/occ app:update notify_push 2>&1 || log "notify_push app update skipped or failed"
+
+log "app:update --all"
+docker exec -u abc nextcloud php /app/www/public/occ app:update --all 2>&1 || log "app:update --all had failures"
+
+log "pull + restart notify_push sidecar"
+cd "$STACK"
+docker compose pull notify_push
+docker compose up -d notify_push
+
+sleep 3
+
+log "notify_push:setup"
+if docker exec -u abc nextcloud php /app/www/public/occ notify_push:setup "$PUSH_URL" 2>&1; then
+  log "notify_push sync OK"
+else
+  log "notify_push:setup FAILED"
+  exit 1
+fi
+
+log "notify_push:metrics"
+docker exec -u abc nextcloud php /app/www/public/occ notify_push:metrics 2>&1 || true
+
+log "done"
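Review bot: `occ app:update --all` runs unattended every Sunday and installs whatever the app store serves at that moment, with no prior backup, no maintenance window and no record of which apps changed; for a step that pulls third-party code into the instance, logging the pending set first, `docker exec -u abc nextcloud php /app/www/public/occ app:update --all --showonly 2>&1 || true`, before the real update at least leaves the maintenance log with something to roll back from. The same trust assumption applies to `docker compose pull notify_push`, which refreshes the sidecar by mutable tag; a comment such as `# pulls by tag, not digest — the new image is not verified here` makes that explicit for whoever audits the host later. The `sleep 3` before `notify_push:setup` is a fixed delay rather than a readiness check: if the sidecar is slow to come up the setup call fails, the script exits 1 and `notify_push:metrics` never runs, so `docker compose up -d --wait notify_push` (if this Compose version supports it and the service has a healthcheck) would be more robust than the sleep. Note also that the whole script runs as root from cron, so the `cd "$STACK"` and the compose calls inherit that privilege; that is expected for Docker, but worth one line in the header.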
@@ -0,0 +1,8 @@
+# VM 101 (ubuntu) — root crontab
+# Anzeigen: sudo crontab -l
+
+# Nextcloud Background-Jobs (alle 5 Minuten)
+*/5 * * * * docker exec -u abc nextcloud php /app/www/public/occ background:cron >> /var/log/nextcloud-cron.log 2>&1
+
+# Apps + notify_push Sidecar Sync (Sonntag 04:30 UTC)
+30 4 * * 0 /usr/local/sbin/nextcloud-maintain.sh >> /var/log/nextcloud-maintain.log 2>&1
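Review bot: Both jobs append to files under /var/log with no rotation visible anywhere in this change: the `*/5` job adds a chunk of occ output every five minutes and both logs grow until the disk fills unless a logrotate stanza exists elsewhere on the VM. Either add a logrotate entry covering `/var/log/nextcloud-*.log`, or hand the output to journald by replacing the redirection with `2>&1 | logger -t nextcloud-cron` (and `-t nextcloud-maintain` on the second line), which also makes the output visible with `journalctl -t nextcloud-cron`. A comment in the file stating where rotation is configured would let the next reader stop searching.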