viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/nextcloud/chart_values.yaml

155 lines
3.7 KiB
YAML
Raw Normal View History

upgrade immich[ci skip]
2024-09-20 02:26:43 +00:00
nextcloud:
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
host: nextcloud.viktorbarzin.me
upgrade immich[ci skip]
2024-09-20 02:26:43 +00:00
trustedDomains:
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
- nextcloud.viktorbarzin.me
# mail:
# enabled: true
# # the user we send email as
# fromAddress: nextcloud@viktorbarzin.me
# # the domain we send email from
# domain: viktorbarzin.me
# smtp:
# host: mail.viktorbarzin.me
# secure: starttls
# port: 587
# authtype: LOGIN
# name: nextcloud@viktorbarzin.me
# password:
upgrade immich[ci skip]
2024-09-20 02:26:43 +00:00
extraEnv:
- name: TRUSTED_PROXIES
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
value: "10.0.0.0/8"
tune Nextcloud Apache/PHP to fix constant crash-looping (50 restarts/6d) Root cause: Apache prefork with 150 MaxRequestWorkers (each ~220MB RSS) on SQLite DB causes worker exhaustion + lock contention → Apache hangs → aggressive liveness probe (3 failures × 10s) kills container. Fixes: - Apache: MaxRequestWorkers 150→25, MaxConnectionsPerChild 0→200, StartServers 5→3 (via ConfigMap mount over mpm_prefork.conf) - PHP: max_execution_time 0→300s, max_input_time 300s (prevent zombie workers) - Liveness probe: period 10s→30s, failureThreshold 3→6, timeout 5s→10s (180s tolerance vs 30s before) - Readiness probe: period 10s→30s, timeout 5s→10s
2026-03-08 21:33:27 +00:00
- name: PHP_MEMORY_LIMIT
value: "512M"
- name: PHP_UPLOAD_LIMIT
value: "16G"
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
# - name: mail_smtpdebug
# value: "true"
# - name: loglevel
# value: "0"
Nextcloud performance tuning and fix backup cron job - Set loglevel=2 (warnings) and disable mail_smtpdebug via configs - Enable opcache.enable_file_override for faster file checks - Increase APCu shared memory from 32M to 128M - Fix broken module.nfs_nextcloud_data reference in backup cron job to use the iSCSI PVC directly
2026-03-14 08:20:51 +00:00
configs:
nextcloud: refactor chart values and main.tf configuration
2026-04-06 11:57:44 +03:00
zzz-redis.config.php: |
<?php
[redis] Phase 3-7: cutover to redis-v2, Nextcloud HAProxy-only Phase 3 — replication chain (old → v2): - Discovered the v2 cluster was running redis:7.4-alpine, but the Bitnami old master ships redis 8.6.2 which writes RDB format 13 — the 7.4 replicas rejected the stream with "Can't handle RDB format version 13". Bumped v2 image to redis:8-alpine (also 8.6.2) to restore PSYNC compatibility. - Discovered that sentinel on BOTH v2 and old Bitnami clusters auto-discovered the cross-cluster replication chain when v2-0 REPLICAOF'd the old master, triggering a failover that reparented old-master to a v2 replica and took HAProxy's backend offline. Mitigation: `SENTINEL REMOVE mymaster` on all 5 sentinels (both clusters) during the REPLICAOF surgery, then re-MONITOR after cutover. This must be done on the OLD sentinels too, not just v2 — they're the ones that kept fighting our REPLICAOF. - Set up the chain: v2-0 REPLICAOF old-master; v2-{1,2} REPLICAOF v2-0. All 76 keys (db0:76, db1:22, db4:16) synced including `immich_bull:*` BullMQ queues and `_kombu.*` Celery queues — the user-stated must-survive data class. Phase 4 — HAProxy cutover: - Updated `kubernetes_config_map.haproxy` to point at `redis-v2-{0,1,2}.redis-v2-headless` for both redis_master and redis_sentinel backends (removed redis-node-{0,1}). - Promoted v2-0 (`REPLICAOF NO ONE`) at the same time as the ConfigMap apply so HAProxy's 1s health-check interval found a role:master within a few seconds. Cutover disruption on HAProxy rollout was brief; old clients naturally moved to new HAProxy pods within the rolling update window. - Re-enabled sentinel monitoring on v2 with `SENTINEL MONITOR mymaster <hostname> 6379 2` after verifying `resolve-hostnames yes` + `announce-hostnames yes` were active — this ensures sentinel stores the hostname (not resolved IP) in its rewritten config, so pod-IP churn on restart doesn't break failover. Phase 5 — chaos: - Round 1: killed master v2-0 mid-probe. First run exposed the sentinel IP-storage issue (stored 10.10.107.222, went stale on restart) — ~12s probe disruption. Fixed hostname persistence and re-MONITORed. - Round 2: killed new master v2-2 with hostnames correctly stored. Sentinel elected v2-0, HAProxy re-routed, 1/40 probe failures over 60s — target <3s of actual user-visible disruption. Phase 6 — Nextcloud simplification: - `zzz-redis.config.php` no longer queries sentinel in-process — just points at `redis-master.redis.svc.cluster.local`. Removed 20 lines of PHP. HAProxy handles master tracking transparently now that it's scaled to 3 + PDB minAvailable=2. Phase 7 step 1: - `kubectl scale statefulset/redis-node --replicas=0` (transient — TF removal in a 24h follow-up). Old PVCs `redis-data-redis-node-{0,1}` preserved as cold rollback. Docs: - Rewrote `databases.md` Redis section to reflect post-cutover reality and the sentinel hostname gotcha (so future sessions don't relearn it). - `.claude/reference/service-catalog.md` entry updated. The parallel-bootstrap race documented in the previous commit is still worth watching — the init container now defaults to pod-0 as master when no peer reports role:master-with-slaves, so fresh boots land in a deterministic topology. Closes: code-7n4 Closes: code-9y6 Closes: code-cnf Closes: code-tc4 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 16:13:43 +00:00
// Redis via HAProxy master-only service. HAProxy (3 replicas, PDB
// minAvailable=2) health-checks all v2 pods via `INFO replication` and
// routes to the current role:master. Sentinel failover takes <30s, and
// HAProxy detects the new master via its 1s tcp-check interval and
// starts routing within ~3s of detection. Removed the old in-process
// sentinel-query loop on 2026-04-19 after the Redis rework — see
// beads code-v2b and infra/docs/architecture/databases.md.
nextcloud: refactor chart values and main.tf configuration
2026-04-06 11:57:44 +03:00
$CONFIG = array(
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
[redis] Phase 3-7: cutover to redis-v2, Nextcloud HAProxy-only Phase 3 — replication chain (old → v2): - Discovered the v2 cluster was running redis:7.4-alpine, but the Bitnami old master ships redis 8.6.2 which writes RDB format 13 — the 7.4 replicas rejected the stream with "Can't handle RDB format version 13". Bumped v2 image to redis:8-alpine (also 8.6.2) to restore PSYNC compatibility. - Discovered that sentinel on BOTH v2 and old Bitnami clusters auto-discovered the cross-cluster replication chain when v2-0 REPLICAOF'd the old master, triggering a failover that reparented old-master to a v2 replica and took HAProxy's backend offline. Mitigation: `SENTINEL REMOVE mymaster` on all 5 sentinels (both clusters) during the REPLICAOF surgery, then re-MONITOR after cutover. This must be done on the OLD sentinels too, not just v2 — they're the ones that kept fighting our REPLICAOF. - Set up the chain: v2-0 REPLICAOF old-master; v2-{1,2} REPLICAOF v2-0. All 76 keys (db0:76, db1:22, db4:16) synced including `immich_bull:*` BullMQ queues and `_kombu.*` Celery queues — the user-stated must-survive data class. Phase 4 — HAProxy cutover: - Updated `kubernetes_config_map.haproxy` to point at `redis-v2-{0,1,2}.redis-v2-headless` for both redis_master and redis_sentinel backends (removed redis-node-{0,1}). - Promoted v2-0 (`REPLICAOF NO ONE`) at the same time as the ConfigMap apply so HAProxy's 1s health-check interval found a role:master within a few seconds. Cutover disruption on HAProxy rollout was brief; old clients naturally moved to new HAProxy pods within the rolling update window. - Re-enabled sentinel monitoring on v2 with `SENTINEL MONITOR mymaster <hostname> 6379 2` after verifying `resolve-hostnames yes` + `announce-hostnames yes` were active — this ensures sentinel stores the hostname (not resolved IP) in its rewritten config, so pod-IP churn on restart doesn't break failover. Phase 5 — chaos: - Round 1: killed master v2-0 mid-probe. First run exposed the sentinel IP-storage issue (stored 10.10.107.222, went stale on restart) — ~12s probe disruption. Fixed hostname persistence and re-MONITORed. - Round 2: killed new master v2-2 with hostnames correctly stored. Sentinel elected v2-0, HAProxy re-routed, 1/40 probe failures over 60s — target <3s of actual user-visible disruption. Phase 6 — Nextcloud simplification: - `zzz-redis.config.php` no longer queries sentinel in-process — just points at `redis-master.redis.svc.cluster.local`. Removed 20 lines of PHP. HAProxy handles master tracking transparently now that it's scaled to 3 + PDB minAvailable=2. Phase 7 step 1: - `kubectl scale statefulset/redis-node --replicas=0` (transient — TF removal in a 24h follow-up). Old PVCs `redis-data-redis-node-{0,1}` preserved as cold rollback. Docs: - Rewrote `databases.md` Redis section to reflect post-cutover reality and the sentinel hostname gotcha (so future sessions don't relearn it). - `.claude/reference/service-catalog.md` entry updated. The parallel-bootstrap race documented in the previous commit is still worth watching — the init container now defaults to pod-0 as master when no peer reports role:master-with-slaves, so fresh boots land in a deterministic topology. Closes: code-7n4 Closes: code-9y6 Closes: code-cnf Closes: code-tc4 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 16:13:43 +00:00
'host' => 'redis-master.redis.svc.cluster.local',
'port' => 6379,
nextcloud: refactor chart values and main.tf configuration
2026-04-06 11:57:44 +03:00
'password' => '',
'timeout' => 1.5,
'read_timeout' => 1.5,
),
);
Nextcloud performance tuning and fix backup cron job - Set loglevel=2 (warnings) and disable mail_smtpdebug via configs - Enable opcache.enable_file_override for faster file checks - Increase APCu shared memory from 32M to 128M - Fix broken module.nfs_nextcloud_data reference in backup cron job to use the iSCSI PVC directly
2026-03-14 08:20:51 +00:00
performance.config.php: |
<?php
$CONFIG = array(
'loglevel' => 2,
'mail_smtpdebug' => false,
);
fix(nextcloud): enable mysql.utf8mb4 to fix collation errors with MySQL 8.4 MySQL 8.4 remapped `utf8` to mean `utf8mb4`, but Nextcloud without this config sends `COLLATE UTF8_general_ci` (a utf8mb3-only collation) in queries, causing SQLSTATE[42000] errors that broke occ commands and sync. Also removed stale `Work 🎯.csv` whose emoji filename was stripped in the DB filecache (stored as `Work .csv`), causing permanent sync errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 09:16:29 +00:00
zzz-mysql.config.php: |
<?php
$CONFIG = array(
'mysql.utf8mb4' => true,
);
tune Nextcloud Apache/PHP to fix constant crash-looping (50 restarts/6d) Root cause: Apache prefork with 150 MaxRequestWorkers (each ~220MB RSS) on SQLite DB causes worker exhaustion + lock contention → Apache hangs → aggressive liveness probe (3 failures × 10s) kills container. Fixes: - Apache: MaxRequestWorkers 150→25, MaxConnectionsPerChild 0→200, StartServers 5→3 (via ConfigMap mount over mpm_prefork.conf) - PHP: max_execution_time 0→300s, max_input_time 300s (prevent zombie workers) - Liveness probe: period 10s→30s, failureThreshold 3→6, timeout 5s→10s (180s tolerance vs 30s before) - Readiness probe: period 10s→30s, timeout 5s→10s
2026-03-08 21:33:27 +00:00
phpConfigs:
zzz-custom.ini: |
max_execution_time = 300
max_input_time = 300
default_socket_timeout = 300
Nextcloud performance tuning and fix backup cron job - Set loglevel=2 (warnings) and disable mail_smtpdebug via configs - Enable opcache.enable_file_override for faster file checks - Increase APCu shared memory from 32M to 128M - Fix broken module.nfs_nextcloud_data reference in backup cron job to use the iSCSI PVC directly
2026-03-14 08:20:51 +00:00
opcache.enable_file_override = 1
apc.shm_size = 128M
fix: mount Apache MPM config under nextcloud.extraVolumes (not top-level) The Nextcloud Helm chart expects extraVolumes/extraVolumeMounts nested under the nextcloud: key. Also mount to mods-available/ (the actual file) not mods-enabled/ (which is a symlink). Verified: MaxRequestWorkers 150→25, workers dropped from 49 to 6.
2026-03-08 21:37:39 +00:00
extraVolumes:
- name: apache-tuning
configMap:
name: nextcloud-apache-tuning
fix(nextcloud): auto-sync DB password from Vault rotation into config.php Nextcloud persists dbpassword in config.php on its PVC and ignores MYSQL_PASSWORD env var after initial install. When Vault rotates the MySQL password, config.php goes stale causing HTTP 500 crash loops. Adds a before-starting hook that patches config.php with the current MYSQL_PASSWORD on every pod start. Combined with Stakater Reloader annotation, the full rotation chain is now automated: Vault rotates → ESO syncs Secret → Reloader restarts pod → hook patches config.php → Nextcloud connects with new password. Also fixes stale existingClaim (nextcloud-data-iscsi → nextcloud-data-proxmox).
2026-04-10 22:23:41 +01:00
- name: db-password-sync
configMap:
name: nextcloud-db-password-sync
defaultMode: 0755
fix: mount Apache MPM config under nextcloud.extraVolumes (not top-level) The Nextcloud Helm chart expects extraVolumes/extraVolumeMounts nested under the nextcloud: key. Also mount to mods-available/ (the actual file) not mods-enabled/ (which is a symlink). Verified: MaxRequestWorkers 150→25, workers dropped from 49 to 6.
2026-03-08 21:37:39 +00:00
extraVolumeMounts:
- name: apache-tuning
mountPath: /etc/apache2/mods-available/mpm_prefork.conf
subPath: mpm_prefork.conf
fix(nextcloud): auto-sync DB password from Vault rotation into config.php Nextcloud persists dbpassword in config.php on its PVC and ignores MYSQL_PASSWORD env var after initial install. When Vault rotates the MySQL password, config.php goes stale causing HTTP 500 crash loops. Adds a before-starting hook that patches config.php with the current MYSQL_PASSWORD on every pod start. Combined with Stakater Reloader annotation, the full rotation chain is now automated: Vault rotates → ESO syncs Secret → Reloader restarts pod → hook patches config.php → Nextcloud connects with new password. Also fixes stale existingClaim (nextcloud-data-iscsi → nextcloud-data-proxmox).
2026-04-10 22:23:41 +01:00
- name: db-password-sync
mountPath: /docker-entrypoint-hooks.d/before-starting
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
migrate Nextcloud from SQLite to MySQL InnoDB Cluster SQLite was causing constant crash-looping (138 restarts/day) due to write lock contention with concurrent sync clients. Migration required workarounds for multiple occ db:convert-type bugs: - GR error 3100: SET GLOBAL sql_generate_invisible_primary_key = ON - utf8mb3 column creation: stripped 4-byte emoji + invalid UTF-8 from SQLite (F1 calendar events, filecache) - SQLite index corruption: repaired via .dump + INSERT OR IGNORE reimport - kubectl exec timeouts: used nohup + detached process Verified: all 136 tables migrated, 100% row count match across 15 key tables (users, files, calendars, contacts, shares, activity). Also fixed typo: databse → database in chart values.
2026-03-12 23:27:12 +00:00
internalDatabase:
enabled: false
upgrade nextcloud and add external redis [ci skip]
2026-01-17 20:50:29 +00:00
externalRedis:
nextcloud: refactor chart values and main.tf configuration
2026-04-06 11:57:44 +03:00
enabled: false
upgrade nextcloud and add external redis [ci skip]
2026-01-17 20:50:29 +00:00
externalDatabase:
migrate Nextcloud from SQLite to MySQL InnoDB Cluster SQLite was causing constant crash-looping (138 restarts/day) due to write lock contention with concurrent sync clients. Migration required workarounds for multiple occ db:convert-type bugs: - GR error 3100: SET GLOBAL sql_generate_invisible_primary_key = ON - utf8mb3 column creation: stripped 4-byte emoji + invalid UTF-8 from SQLite (F1 calendar events, filecache) - SQLite index corruption: repaired via .dump + INSERT OR IGNORE reimport - kubectl exec timeouts: used nohup + detached process Verified: all 136 tables migrated, 100% row count match across 15 key tables (users, files, calendars, contacts, shares, activity). Also fixed typo: databse → database in chart values.
2026-03-12 23:27:12 +00:00
enabled: true
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
type: mysql
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
host: ${mysql_host}
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
user: nextcloud
migrate Nextcloud from SQLite to MySQL InnoDB Cluster SQLite was causing constant crash-looping (138 restarts/day) due to write lock contention with concurrent sync clients. Migration required workarounds for multiple occ db:convert-type bugs: - GR error 3100: SET GLOBAL sql_generate_invisible_primary_key = ON - utf8mb3 column creation: stripped 4-byte emoji + invalid UTF-8 from SQLite (F1 calendar events, filecache) - SQLite index corruption: repaired via .dump + INSERT OR IGNORE reimport - kubectl exec timeouts: used nohup + detached process Verified: all 136 tables migrated, 100% row count match across 15 key tables (users, files, calendars, contacts, shares, activity). Also fixed typo: databse → database in chart values.
2026-03-12 23:27:12 +00:00
database: nextcloud
fix DB password rotation desync in 5 stacks Vault DB engine rotates passwords weekly but 5 stacks baked passwords at Terraform plan time, causing stale credentials until next apply. - real-estate-crawler: add vault-database ESO, use secret_key_ref in 3 deployments - nextcloud: switch Helm chart to existingSecret for DB password - grafana: add vault-database ESO, use envFromSecrets in Helm values - woodpecker: use extraSecretNamesForEnvFrom, remove plan-time data source chain - affine: add vault-database ESO, use secret_key_ref in deployment + init container
2026-03-17 07:39:29 +00:00
existingSecret:
secretName: nextcloud-db-creds
fix nextcloud db-username + k8s-dashboard chart repo - nextcloud: add db-username to ESO secret template and usernameKey to chart values (required by newer chart version) - k8s-dashboard: update chart repo URL to kubernetes-retired.github.io (old kubernetes.github.io/dashboard returns 404)
2026-03-22 02:50:32 +02:00
usernameKey: db-username
fix DB password rotation desync in 5 stacks Vault DB engine rotates passwords weekly but 5 stacks baked passwords at Terraform plan time, causing stale credentials until next apply. - real-estate-crawler: add vault-database ESO, use secret_key_ref in 3 deployments - nextcloud: switch Helm chart to existingSecret for DB password - grafana: add vault-database ESO, use envFromSecrets in Helm values - woodpecker: use extraSecretNamesForEnvFrom, remove plan-time data source chain - affine: add vault-database ESO, use secret_key_ref in deployment + init container
2026-03-17 07:39:29 +00:00
passwordKey: DB_PASSWORD
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
persistence:
enabled: true
feat(storage): migrate all sensitive services to proxmox-lvm-encrypted Reconcile Terraform with cluster state after manual encrypted PVC migrations and complete the remaining unfinished migrations. All services storing sensitive data now use LUKS2-encrypted block storage via the Proxmox CSI plugin. ## Context Only Technitium DNS was using encrypted storage in Terraform. Many services had been manually migrated to encrypted PVCs in the cluster, but Terraform was never updated — creating dangerous state drift where a `tg apply` could recreate unencrypted PVCs. ## This change Phase 0 — Infrastructure: - Add `proxmox-lvm-encrypted` StorageClass to Helm values (extraParameters) - Add ExternalSecret for LUKS encryption passphrase to Terraform - Fix CSI node plugin memory: `node.plugin.resources` (not `node.resources`) with 1280Mi limit for LUKS2 Argon2id key derivation Phase 1 — TF state reconciliation (zero downtime): - Health, Matrix, N8N, Forgejo, Vaultwarden, Mailserver: state rm + import - Redis, DBAAS MySQL, DBAAS PostgreSQL: Helm/CNPG value updates Phase 2 — Data migration (encrypted PVCs existed but unused): - Headscale, Frigate, MeshCentral: rsync + switchover - Nextcloud (20Gi): rsync + chart_values update Phase 3 — New encrypted PVCs: - Roundcube HTML, HackMD, Affine, DBAAS pgadmin: create + rsync + switchover Phase 4 — Cleanup: - Deleted 5 orphaned unencrypted PVCs ## Services migrated (18 PVCs across 14 namespaces) ``` vaultwarden → vaultwarden-data-encrypted dbaas → datadir-mysql-cluster-0, pg-cluster-{1,2}, dbaas-pgadmin-encrypted mailserver → mailserver-data-encrypted, roundcubemail-{enigma,html}-encrypted nextcloud → nextcloud-data-encrypted forgejo → forgejo-data-encrypted matrix → matrix-data-encrypted n8n → n8n-data-encrypted affine → affine-data-encrypted health → health-uploads-encrypted hackmd → hackmd-data-encrypted redis → redis-data-redis-node-{0,1} headscale → headscale-data-encrypted frigate → frigate-config-encrypted meshcentral → meshcentral-{data,files}-encrypted ``` Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 20:15:30 +00:00
existingClaim: nextcloud-data-encrypted
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
accessMode: ReadWriteOnce
migrate Nextcloud data volume from NFS to iSCSI for fsync support SQLite on NFS caused persistent 500 errors on WebDAV PROPFIND due to missing fsync guarantees and database locking under concurrent access. iSCSI (ext4) provides proper fsync and block-level I/O. - Replace nfs_volume module with iscsi-truenas PVC (20Gi) - Update Helm chart to use nextcloud-data-iscsi claim - Excluded 12.5GB nextcloud.log and corrupted DB from migration Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-11 23:23:37 +00:00
size: 20Gi
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
startupProbe:
enabled: true
[ci skip] fix nextcloud: increase memory to 4Gi, extend startup probe - Memory limit: 2Gi → 4Gi (VPA target is 2.8Gi, was OOMKilling) - Memory request: 512Mi → 1Gi - Startup probe: 30s delay, 10s timeout, 60 failures (10min total) Previous 5min window was too short for NFS-backed SQLite init
2026-02-28 23:32:28 +00:00
initialDelaySeconds: 30
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
periodSeconds: 10
stabilize Nextcloud: relax probes, reduce resources for 2-client SQLite workload SQLite locks cause slow responses under concurrent access, triggering liveness probe failures and restarts. With only 2 sync clients: - Liveness: period 30→60s, timeout 10→30s, failures 6→10 (tolerates 10min) - Readiness: period 30→60s, timeout 10→30s, failures 3→5 - Startup: timeout 10→30s - Resources: CPU 16→4, memory 6Gi→3Gi (10 workers × 200MB = 2GB max) [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-12 10:01:20 +00:00
timeoutSeconds: 30
[ci skip] fix nextcloud: increase memory to 4Gi, extend startup probe - Memory limit: 2Gi → 4Gi (VPA target is 2.8Gi, was OOMKilling) - Memory request: 512Mi → 1Gi - Startup probe: 30s delay, 10s timeout, 60 failures (10min total) Previous 5min window was too short for NFS-backed SQLite init
2026-02-28 23:32:28 +00:00
failureThreshold: 60
upgrade immich 1.116 and add nextcloud [ci skip]
2024-09-28 20:10:44 +00:00
successThreshold: 1
update diun annotations to correctly monitor for image version updates and update some services alongside[ci skip]
2024-12-30 14:01:38 +00:00
tune Nextcloud Apache/PHP to fix constant crash-looping (50 restarts/6d) Root cause: Apache prefork with 150 MaxRequestWorkers (each ~220MB RSS) on SQLite DB causes worker exhaustion + lock contention → Apache hangs → aggressive liveness probe (3 failures × 10s) kills container. Fixes: - Apache: MaxRequestWorkers 150→25, MaxConnectionsPerChild 0→200, StartServers 5→3 (via ConfigMap mount over mpm_prefork.conf) - PHP: max_execution_time 0→300s, max_input_time 300s (prevent zombie workers) - Liveness probe: period 10s→30s, failureThreshold 3→6, timeout 5s→10s (180s tolerance vs 30s before) - Readiness probe: period 10s→30s, timeout 5s→10s
2026-03-08 21:33:27 +00:00
livenessProbe:
enabled: true
stabilize Nextcloud: relax probes, reduce resources for 2-client SQLite workload SQLite locks cause slow responses under concurrent access, triggering liveness probe failures and restarts. With only 2 sync clients: - Liveness: period 30→60s, timeout 10→30s, failures 6→10 (tolerates 10min) - Readiness: period 30→60s, timeout 10→30s, failures 3→5 - Startup: timeout 10→30s - Resources: CPU 16→4, memory 6Gi→3Gi (10 workers × 200MB = 2GB max) [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-12 10:01:20 +00:00
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 10
tune Nextcloud Apache/PHP to fix constant crash-looping (50 restarts/6d) Root cause: Apache prefork with 150 MaxRequestWorkers (each ~220MB RSS) on SQLite DB causes worker exhaustion + lock contention → Apache hangs → aggressive liveness probe (3 failures × 10s) kills container. Fixes: - Apache: MaxRequestWorkers 150→25, MaxConnectionsPerChild 0→200, StartServers 5→3 (via ConfigMap mount over mpm_prefork.conf) - PHP: max_execution_time 0→300s, max_input_time 300s (prevent zombie workers) - Liveness probe: period 10s→30s, failureThreshold 3→6, timeout 5s→10s (180s tolerance vs 30s before) - Readiness probe: period 10s→30s, timeout 5s→10s
2026-03-08 21:33:27 +00:00
successThreshold: 1
readinessProbe:
enabled: true
stabilize Nextcloud: relax probes, reduce resources for 2-client SQLite workload SQLite locks cause slow responses under concurrent access, triggering liveness probe failures and restarts. With only 2 sync clients: - Liveness: period 30→60s, timeout 10→30s, failures 6→10 (tolerates 10min) - Readiness: period 30→60s, timeout 10→30s, failures 3→5 - Startup: timeout 10→30s - Resources: CPU 16→4, memory 6Gi→3Gi (10 workers × 200MB = 2GB max) [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-12 10:01:20 +00:00
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 5
tune Nextcloud Apache/PHP to fix constant crash-looping (50 restarts/6d) Root cause: Apache prefork with 150 MaxRequestWorkers (each ~220MB RSS) on SQLite DB causes worker exhaustion + lock contention → Apache hangs → aggressive liveness probe (3 failures × 10s) kills container. Fixes: - Apache: MaxRequestWorkers 150→25, MaxConnectionsPerChild 0→200, StartServers 5→3 (via ConfigMap mount over mpm_prefork.conf) - PHP: max_execution_time 0→300s, max_input_time 300s (prevent zombie workers) - Liveness probe: period 10s→30s, failureThreshold 3→6, timeout 5s→10s (180s tolerance vs 30s before) - Readiness probe: period 10s→30s, timeout 5s→10s
2026-03-08 21:33:27 +00:00
successThreshold: 1
update diun annotations to correctly monitor for image version updates and update some services alongside[ci skip]
2024-12-30 14:01:38 +00:00
podAnnotations:
diun.enable: "true"
diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*"
fix: cluster healthcheck fixes + Authentik upgrade to 2026.2.2 - Authentik: upgrade 2025.10.3 → 2025.12.4 → 2026.2.2 with DB restore and stepped migration. Switch to existingSecret, PgBouncer session mode. - Mailserver: migrate email roundtrip probe from Mailgun to Brevo API - Redis: fix HAProxy tcp-check regex (rstring), faster health intervals - Nextcloud: fix Redis fallback to HAProxy service, update dependency - MeshCentral: fix TLSOffload + certUrl init container for first-run - Monitoring: remove authentik from latency alert exclusion - Diun: simplify to webhook notifier, remove git auto-update [ci skip] Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 06:41:56 +00:00
dependency.kyverno.io/wait-for: "mysql.dbaas:3306,redis-master.redis:6379"
fix(nextcloud): auto-sync DB password from Vault rotation into config.php Nextcloud persists dbpassword in config.php on its PVC and ignores MYSQL_PASSWORD env var after initial install. When Vault rotates the MySQL password, config.php goes stale causing HTTP 500 crash loops. Adds a before-starting hook that patches config.php with the current MYSQL_PASSWORD on every pod start. Combined with Stakater Reloader annotation, the full rotation chain is now automated: Vault rotates → ESO syncs Secret → Reloader restarts pod → hook patches config.php → Nextcloud connects with new password. Also fixes stale existingClaim (nextcloud-data-iscsi → nextcloud-data-proxmox).
2026-04-10 22:23:41 +01:00
secret.reloader.stakater.com/reload: "nextcloud-db-creds"
add onlyoffice deployment along with collabora for backup if needed [ci skip]
2025-08-17 19:27:34 +00:00
collabora:
Cluster health remediation: cleanup CronJob, disable Collabora, fix GPU probe, add NFS exports [ci skip] - Add daily CronJob to auto-clean Failed/Evicted pods cluster-wide (infra-maintenance) - Disable Collabora in Nextcloud (broken HPA caused scaling storm; using OnlyOffice instead) - Increase gpu-pod-exporter liveness probe timeout from 1s to 5s - Add osm-routing NFS exports (osrm-data, otp-data)
2026-02-15 17:20:47 +00:00
enabled: false # Using onlyoffice instead
add onlyoffice deployment along with collabora for backup if needed [ci skip]
2025-08-17 19:27:34 +00:00
[ci skip] nextcloud: increase resource limits to prevent OOM crash loop Default LimitRange (256Mi) was too low — pod was using 227Mi/256Mi and getting OOM killed under sync client load, causing 500s and blank web UI.
2026-02-28 16:26:19 +00:00
resources:
limits:
equalize memory req=lim across 70+ containers using Prometheus 7d max data After node2 OOM incident, right-size memory across the cluster by setting requests=limits based on max_over_time(container_memory_working_set_bytes[7d]) with 1.3x headroom. Eliminates ~37Gi overcommit gap. Categories: - Safe equalization (50 containers): set req=lim where max7d well within target - Limit increases (8 containers): raise limits for services spiking above current - No Prometheus data (12 containers): conservatively set lim=req - Exception: nextcloud keeps req=256Mi/lim=8Gi due to Apache memory spikes Also increased dbaas namespace quota from 12Gi to 16Gi to accommodate mysql 4Gi limits across 3 replicas.
2026-03-14 21:46:49 +00:00
memory: 8Gi
[ci skip] nextcloud: increase resource limits to prevent OOM crash loop Default LimitRange (256Mi) was too low — pod was using 227Mi/256Mi and getting OOM killed under sync client load, causing 500s and blank web UI.
2026-02-28 16:26:19 +00:00
requests:
right-size Nextcloud resources after MySQL migration SQLite caused 4.7 CPU / 2GB usage, now MySQL uses ~95m / 95Mi. Reduced limits from 16 CPU / 6Gi to 2 CPU / 1Gi. Reduced requests from 100m / 1Gi to 50m / 256Mi. Frees ~14 CPU cores and 5Gi memory for other workloads.
2026-03-13 19:16:06 +00:00
cpu: 50m
memory: 256Mi
[ci skip] nextcloud: increase resource limits to prevent OOM crash loop Default LimitRange (256Mi) was too low — pod was using 227Mi/256Mi and getting OOM killed under sync client load, causing 500s and blank web UI.
2026-02-28 16:26:19 +00:00
add onlyoffice deployment along with collabora for backup if needed [ci skip]
2025-08-17 19:27:34 +00:00
cronjob:
enabled: true
equalize memory req=lim across 70+ containers using Prometheus 7d max data After node2 OOM incident, right-size memory across the cluster by setting requests=limits based on max_over_time(container_memory_working_set_bytes[7d]) with 1.3x headroom. Eliminates ~37Gi overcommit gap. Categories: - Safe equalization (50 containers): set req=lim where max7d well within target - Limit increases (8 containers): raise limits for services spiking above current - No Prometheus data (12 containers): conservatively set lim=req - Exception: nextcloud keeps req=256Mi/lim=8Gi due to Apache memory spikes Also increased dbaas namespace quota from 12Gi to 16Gi to accommodate mysql 4Gi limits across 3 replicas.
2026-03-14 21:46:49 +00:00
resources:
limits:
memory: 384Mi
requests:
cpu: 25m
memory: 384Mi
Reference in a new issue Copy permalink