Doku: VM-101-Skripte ins Repo (NAT, Wartung, Crontab).

Skripte unter pve1/scripts/ mit Install-Anleitung in 06_ubuntu-vm-nextcloud.md.

Co-authored-by: Cursor <cursoragent@cursor.com>

pve1/00_README.md

@@ -15,6 +15,7 @@
 | 04 | [04_fallback_aktivierung.md](04_fallback_aktivierung.md) | OPNsense-Fallback |
 | 05 | [05_speicher_wartung.md](05_speicher_wartung.md) | Speicher & Wartung |
 | 06 | [06_ubuntu-vm-nextcloud.md](06_ubuntu-vm-nextcloud.md) | VM 101 ubuntu, Nextcloud Status & Optimierung |
+| — | [scripts/](scripts/) | VM-101-Skripte (NAT, Wartungs-Cron, crontab) |
 
 ## Shared
 

pve1/06_ubuntu-vm-nextcloud.md

@@ -239,7 +239,61 @@ sudo tail -f /var/log/nextcloud-maintain.log
 sudo crontab -l
 ```
 
-Ablauf Skript: `occ app:update notify_push` → `occ app:update --all` → `compose pull notify_push` → Sidecar restart → `notify_push:setup`.
+Ablauf Wartungs-Skript: `occ app:update notify_push` → `occ app:update --all` → `compose pull notify_push` → Sidecar restart → `notify_push:setup`.
+
+---
+
+## Skripte (VM 101)
+
+Quellen im docu-Repo (Deploy auf die VM nach Bedarf):
+
+| Datei im Repo | Ziel auf VM 101 |
+|---------------|-----------------|
+| [scripts/vm101-docker-nat-rules.sh](scripts/vm101-docker-nat-rules.sh) | `/usr/local/sbin/docker-nat-rules.sh` |
+| [scripts/vm101-docker-nat-rules.service](scripts/vm101-docker-nat-rules.service) | `/etc/systemd/system/docker-nat-rules.service` |
+| [scripts/vm101-nextcloud-maintain.sh](scripts/vm101-nextcloud-maintain.sh) | `/usr/local/sbin/nextcloud-maintain.sh` |
+| [scripts/vm101-root-crontab.txt](scripts/vm101-root-crontab.txt) | root-crontab (Referenz) |
+
+### Installation / Sync vom docu-Repo
+
+```bash
+# Auf VM 101 (als jean mit sudo), von einem Host mit docu-Clone:
+DOCU=/path/to/docu/pve1/scripts
+
+sudo install -m 755 "$DOCU/vm101-docker-nat-rules.sh" /usr/local/sbin/docker-nat-rules.sh
+sudo install -m 755 "$DOCU/vm101-nextcloud-maintain.sh" /usr/local/sbin/nextcloud-maintain.sh
+sudo install -m 644 "$DOCU/vm101-docker-nat-rules.service" /etc/systemd/system/docker-nat-rules.service
+
+sudo systemctl daemon-reload
+sudo systemctl enable --now docker-nat-rules.service
+```
+
+### `docker-nat-rules.sh`
+
+Manuelles NAT bei `"iptables": false`. Entfernt beim Start alte Duplikat-Regeln und setzt genau zwei MASQUERADE-Regeln.
+
+→ Vollständiger Inhalt: [scripts/vm101-docker-nat-rules.sh](scripts/vm101-docker-nat-rules.sh)
+
+### `docker-nat-rules.service`
+
+Systemd-Oneshot, startet nach `network-online.target` und `docker.service`.
+
+→ Vollständiger Inhalt: [scripts/vm101-docker-nat-rules.service](scripts/vm101-docker-nat-rules.service)
+
+### `nextcloud-maintain.sh`
+
+Wöchentliche Wartung: Apps updaten, notify_push-Sidecar pull/restart, `notify_push:setup` als Versions-Check.
+
+→ Vollständiger Inhalt: [scripts/vm101-nextcloud-maintain.sh](scripts/vm101-nextcloud-maintain.sh)
+
+### root-crontab
+
+→ Referenz: [scripts/vm101-root-crontab.txt](scripts/vm101-root-crontab.txt)
+
+```cron
+*/5 * * * * docker exec -u abc nextcloud php /app/www/public/occ background:cron >> /var/log/nextcloud-cron.log 2>&1
+30 4 * * 0 /usr/local/sbin/nextcloud-maintain.sh >> /var/log/nextcloud-maintain.log 2>&1
+```
 
 ---
 

pve1/scripts/vm101-docker-nat-rules.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Manual NAT for Docker (iptables=false)
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/docker-nat-rules.sh
+
+[Install]
+WantedBy=multi-user.target

pve1/scripts/vm101-docker-nat-rules.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Manual NAT for Docker with daemon.json "iptables": false.
+# Docker does not install MASQUERADE; fixed IPs on docbr0 stay untouched.
+#
+# Install: /usr/local/sbin/docker-nat-rules.sh (chmod +x)
+# Service: vm101-docker-nat-rules.service → /etc/systemd/system/docker-nat-rules.service
+set -euo pipefail
+
+OUT_IF=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="dev"){print $(i+1); exit}}')
+[[ -n "${OUT_IF:-}" ]] || { echo "Could not detect outbound interface" >&2; exit 1; }
+
+# Remove legacy per-bridge rules from earlier tests (idempotent cleanup)
+for net in 10.2.2.0/24 172.16.0.0/12 \
+  172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 172.20.0.0/16 \
+  172.21.0.0/16 172.22.0.0/16 172.23.0.0/16; do
+  while iptables -t nat -C POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE 2>/dev/null; do
+    iptables -t nat -D POSTROUTING -s "$net" -o "$OUT_IF" -j MASQUERADE
+  done
+done
+
+add_masq() {
+  local src=$1
+  iptables -t nat -C POSTROUTING -s "$src" -o "$OUT_IF" -j MASQUERADE 2>/dev/null \
+    || iptables -t nat -A POSTROUTING -s "$src" -o "$OUT_IF" -j MASQUERADE
+}
+
+add_masq "10.2.2.0/24"   # docbr0 — static container IPs
+add_masq "172.16.0.0/12" # Docker bridge networks
+
+echo "docker-nat-rules: MASQUERADE via $OUT_IF for 10.2.2.0/24 and 172.16.0.0/12"

pve1/scripts/vm101-nextcloud-maintain.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# Weekly maintenance: Nextcloud apps + notify_push sidecar sync.
+# Container images (nextcloud stack): Dockge or manual compose pull.
+#
+# Install: /usr/local/sbin/nextcloud-maintain.sh (chmod +x)
+# Cron:    30 4 * * 0 (root, Sonntag 04:30 UTC)
+# Log:     /var/log/nextcloud-maintain.log
+set -euo pipefail
+
+STACK=/opt/stacks/nextcloud
+LOG_TAG="nextcloud-maintain"
+LOCK=/run/nextcloud-maintain.lock
+PUSH_URL="https://cloud.jeanavril.com/push"
+
+log() { echo "[$(date -Iseconds)] $LOG_TAG: $*"; }
+
+exec 9>"$LOCK"
+if ! flock -n 9; then
+  log "already running, exit"
+  exit 0
+fi
+
+log "start"
+
+if ! docker ps --format '{{.Names}}' | grep -qx nextcloud; then
+  log "nextcloud container not running, abort"
+  exit 1
+fi
+
+log "app:update notify_push"
+docker exec -u abc nextcloud php /app/www/public/occ app:update notify_push 2>&1 || log "notify_push app update skipped or failed"
+
+log "app:update --all"
+docker exec -u abc nextcloud php /app/www/public/occ app:update --all 2>&1 || log "app:update --all had failures"
+
+log "pull + restart notify_push sidecar"
+cd "$STACK"
+docker compose pull notify_push
+docker compose up -d notify_push
+
+sleep 3
+
+log "notify_push:setup"
+if docker exec -u abc nextcloud php /app/www/public/occ notify_push:setup "$PUSH_URL" 2>&1; then
+  log "notify_push sync OK"
+else
+  log "notify_push:setup FAILED"
+  exit 1
+fi
+
+log "notify_push:metrics"
+docker exec -u abc nextcloud php /app/www/public/occ notify_push:metrics 2>&1 || true
+
+log "done"

pve1/scripts/vm101-root-crontab.txt

@@ -0,0 +1,8 @@
+# VM 101 (ubuntu) — root crontab
+# Anzeigen: sudo crontab -l
+
+# Nextcloud Background-Jobs (alle 5 Minuten)
+*/5 * * * * docker exec -u abc nextcloud php /app/www/public/occ background:cron >> /var/log/nextcloud-cron.log 2>&1
+
+# Apps + notify_push Sidecar Sync (Sonntag 04:30 UTC)
+30 4 * * 0 /usr/local/sbin/nextcloud-maintain.sh >> /var/log/nextcloud-maintain.log 2>&1