Doku: VM-101-Skripte ins Repo (NAT, Wartung, Crontab).

Skripte unter pve1/scripts/ mit Install-Anleitung in 06_ubuntu-vm-nextcloud.md.

Co-authored-by: Cursor <cursoragent@cursor.com>

pve1/scripts/vm101-docker-nat-rules.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Manual NAT for Docker (iptables=false)
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/docker-nat-rules.sh
+
+[Install]
+WantedBy=multi-user.target

pve1/scripts/vm101-docker-nat-rules.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Manual NAT for Docker with daemon.json "iptables": false.
+# Docker does not install MASQUERADE; fixed IPs on docbr0 stay untouched.
+#
+# Install: /usr/local/sbin/docker-nat-rules.sh (chmod +x)
+# Service: vm101-docker-nat-rules.service → /etc/systemd/system/docker-nat-rules.service
+set -euo pipefail
+
+OUT_IF=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev"){print $(i+1); exit}}')
+[[ -n "${OUT_IF:-}" ]] || { echo "Could not detect outbound interface" >&2; exit 1; }
+
+# Remove legacy per-bridge rules from earlier tests (idempotent cleanup)
+for net in 10.2.2.0/24 172.16.0.0/12 \
+  172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.20.0.0/16 \
+  172.21.0.0/16 172.22.0.0/16 172.23.0.0/16; do
+  while iptables -t nat -C POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE 2>/dev/null; do
+    iptables -t nat -D POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE
+  done
+done
+
+add_masq() {
+  local src=$1
+  iptables -t nat -C POSTROUTING -s "$src" -o "$OUT_IF" -j MASQUERADE 2>/dev/null \
+    || iptables -t nat -A POSTROUTING -s "$src" -o "$OUT_IF" -j MASQUERADE
+}
+
+add_masq "10.2.2.0/24"   # docbr0 — static container IPs
+add_masq "172.16.0.0/12" # Docker bridge networks
+
+echo "docker-nat-rules: MASQUERADE via $OUT_IF for 10.2.2.0/24 and 172.16.0.0/12"

pve1/scripts/vm101-nextcloud-maintain.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# Weekly maintenance: Nextcloud apps + notify_push sidecar sync.
+# Container images (nextcloud stack): Dockge or manual compose pull.
+#
+# Install: /usr/local/sbin/nextcloud-maintain.sh (chmod +x)
+# Cron:    30 4 * * 0 (root, Sonntag 04:30 UTC)
+# Log:     /var/log/nextcloud-maintain.log
+set -euo pipefail
+
+STACK=/opt/stacks/nextcloud
+LOG_TAG="nextcloud-maintain"
+LOCK=/run/nextcloud-maintain.lock
+PUSH_URL="https://cloud.jeanavril.com/push"
+
+log() { echo "[$(date -Iseconds)] $LOG_TAG: $*"; }
+
+exec 9>"$LOCK"
+if ! flock -n 9; then
+  log "already running, exit"
+  exit 0
+fi
+
+log "start"
+
+if ! docker ps --format '{{.Names}}' | grep -qx nextcloud; then
+  log "nextcloud container not running, abort"
+  exit 1
+fi
+
+log "app:update notify_push"
+docker exec -u abc nextcloud php /app/www/public/occ app:update notify_push 2>&1 || log "notify_push app update skipped or failed"
+
+log "app:update --all"
+docker exec -u abc nextcloud php /app/www/public/occ app:update --all 2>&1 || log "app:update --all had failures"
+
+log "pull + restart notify_push sidecar"
+cd "$STACK"
+docker compose pull notify_push
+docker compose up -d notify_push
+
+sleep 3
+
+log "notify_push:setup"
+if docker exec -u abc nextcloud php /app/www/public/occ notify_push:setup "$PUSH_URL" 2>&1; then
+  log "notify_push sync OK"
+else
+  log "notify_push:setup FAILED"
+  exit 1
+fi
+
+log "notify_push:metrics"
+docker exec -u abc nextcloud php /app/www/public/occ notify_push:metrics 2>&1 || true
+
+log "done"

pve1/scripts/vm101-root-crontab.txt

@@ -0,0 +1,8 @@
+# VM 101 (ubuntu) — root crontab
+# Anzeigen: sudo crontab -l
+
+# Nextcloud Background-Jobs (alle 5 Minuten)
+*/5 * * * * docker exec -u abc nextcloud php /app/www/public/occ background:cron >> /var/log/nextcloud-cron.log 2>&1
+
+# Apps + notify_push Sidecar Sync (Sonntag 04:30 UTC)
+30 4 * * 0 /usr/local/sbin/nextcloud-maintain.sh >> /var/log/nextcloud-maintain.log 2>&1