final edits

_config.yml

@@ -276,7 +276,7 @@ defaults:
       author_profile: true
       read_time: true
       comments: true
-      share: true
+      share: false
       related: true
       classes: wide
       show_date: true

_posts/2023-08-27-nextcloud-podman.md

@@ -69,7 +69,7 @@ Enter [Ansible](https://www.ansible.com/). Anything you could possibly think to
 
 This post talked about the ideas and goals I had going into this project, and in Part 2 I'll talk about the details of the implementation, and how sometimes things seem a lot easier in a blog post than they turn out to be in reality! If you're interested in the nitty-gritty of how these tools work for a project like this, stay tuned for the next post in the series.
 
-[*Link to Part two*]({% link _posts/2023-08-28-nextcloud-podman-part2.md %})
+[*Link to Part two*]({% link _posts/2023-10-03-nextcloud-podman-part2.md %})
 
 
 

_posts/2023-10-03-nextcloud-podman-part2.md

@@ -1,7 +1,7 @@
 ---
 layout: single
 title:  "Building a Reproducible Nextcloud Server, Part two: Podman containers and Systemd units"
-date:   2023-08-28 10:00:00
+date:   2023-10-03 08:00:00
 excerpt: "In the second installment of my Nextcloud server rebuild, we'll get our containers set up with Podman and deploy them on a public-facing server."
 categories: [Self-Hosting, Linux Administration]
 tags: linux nextcloud podman docker container vps
@@ -18,7 +18,7 @@ Now that I've established the stack, let's dive in to setting up the Nextcloud a
 * [Create a Podman Pod](#create-a-pod)
 * [Create the containers](#create-the-containers)
 * [Generate Systemd service files](#generate-systemd-files)
-* [Moving to production](#move-to-production)
+* [Move to production](#move-to-production)
 * [Troubleshooting](#troubleshooting)
 
 ### Requirements
@@ -40,12 +40,13 @@ Podman "pods" are logical groupings of containers that depend on one another. Th
 For a much more thorough explanation on what pods are and how they work, check out this [excellent post](https://developers.redhat.com/blog/2019/01/15/podman-managing-containers-pods) on the Red Hat developer blog.
 
 **Rootless Gotcha #1**  
-In most Linux distributions, unprivileged applications are not allowed to bind themselves to ports below 1024. To fix this, we'll need to update a system parameter via `sysctl`:
+In most Linux distributions, unprivileged applications are not allowed to bind themselves to ports below 1024. Before we get started, we'll need to update a system parameter via `sysctl` to solve this issue:
 ``` shell
 sudo sysctl net.ipv4.ip_unprivileged_port_start=80
-sudo echo "net.ipv4.ip_unprivileged_port_start=80" > /etc/sysctl.d/99-podman.conf
 ```
-\
+
+To make the change persist on reboot, create a new file under `/etc/sysctl.d/` named `99-podman.conf` and paste the line `net.ipv4.ip_unprivileged_port_start=80`. You'll need to use `sudo` privileges for this.
+
 After that's done, let's create a new pod called "nextcloud".
 
 ``` shell
@@ -373,7 +374,7 @@ your.server.com {
 
 The above configuration will use Caddy's built-in automatic HTTPS to pull a certificate from Let's Encrypt. It also blocks web access to certain directories in your Nextcloud folder and adds redirects for Nextcloud's CalDAV and CardDAV endpoints. 
 
-### Mariadb optimizations
+### MariaDB optimizations
 
 After running this setup in production for a couple months and going through my first Nextcloud version upgrade, I had issues with Nextcloud losing access to the database during the upgrade process. I did some research and found this [helpful article](https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/linux_database_configuration.html) in Nextcloud's documentation which points to some MariaDB options we can use to fix these issues.
 
@@ -471,23 +472,23 @@ Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
 ExecStart=/usr/bin/podman run \
-	--cidfile=%t/%n.ctr-id \
-	--cgroups=no-conmon \
-	--rm \
-	--pod-id-file %t/pod-nextcloud-pod.pod-id \
-	--sdnotify=conmon \
-	--replace \
-	--detach \
-	--env MYSQL_DATABASE=${MYSQL_DATABASE} \
-	--env MYSQL_USER=${MYSQL_USER} \
-	--env MYSQL_PASSWORD=${MYSQL_PASSWORD} \
-	--env MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} \
-	--volume %h/.podman/nextcloud/mariadb:/var/lib/mysql:z \
-	--name mariadb docker.io/library/mariadb:11 \
-	--transaction-isolation=READ-COMMITTED \
+    --cidfile=%t/%n.ctr-id \
+    --cgroups=no-conmon \
+    --rm \
+    --pod-id-file %t/pod-nextcloud-pod.pod-id \
+    --sdnotify=conmon \
+    --replace \
+    --detach \
+    --env MYSQL_DATABASE=${MYSQL_DATABASE} \
+    --env MYSQL_USER=${MYSQL_USER} \
+    --env MYSQL_PASSWORD=${MYSQL_PASSWORD} \
+    --env MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} \
+    --volume %h/.podman/nextcloud/mariadb:/var/lib/mysql:z \
+    --name mariadb docker.io/library/mariadb:11 \
+    --transaction-isolation=READ-COMMITTED \
     --log-bin=binlog \
     --binlog-format=ROW \
-	--max_allowed_packet=256000000
+    --max_allowed_packet=256000000
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 Type=notify
@@ -527,8 +528,10 @@ If you haven't done so already, make the change to update the unprvivileged port
 
 ``` shell
 sudo sysctl net.ipv4.ip_unprivileged_port_start=80
-sudo echo "net.ipv4.ip_unprivileged_port_start=80" > /etc/sysctl.d/99-podman.conf
 ```
+
+Don't forget to create the file at `/etc/sysctl.d/99-podman.conf` so it persists on reboot!
+
 \
 Finally, start the Nextcloud service!
 
@@ -536,7 +539,7 @@ Finally, start the Nextcloud service!
 systemctl --user start pod-nextcloud
 ```
 \
-Verify everything is running with `podman ps`.
+On the first run, it may take a few mintues for Podman to pull down the container images. Check the output of `podman ps` and you should see the containers appearing there one after the other, eventually showing all three.
 
 ``` shell
 CONTAINER ID  IMAGE                                    COMMAND               CREATED         STATUS         PORTS                                     NAMES
@@ -548,11 +551,23 @@ b29486a99286  docker.io/library/caddy:2           caddy run --confi...  4 minute
 \
 At this point you should have rootless Nextcloud accessible at your FQDN on the public internet with HTTPS!
 
+![nextcloud-podman02](/assets/images/screenshots/nextcloud-podman02.png){:class="img-responsive"}
+
+Walk through the first-time setup of Nextcloud to create your admin account and install apps.
+
+![nextcloud-podman03](/assets/images/screenshots/nextcloud-podman03.png){:class="img-responsive"}
+
+![nextcloud-podman04](/assets/images/screenshots/nextcloud-podman04.png){:class="img-responsive"}
+
+I recommend navigating to **Administration Settings -> Overview** and reading the "Security & setup warnings". The Nextcloud app always has a few recommendations for fixes and changes to the configuration, with documentation to back it up.
+
+![nextcloud-podman05](/assets/images/screenshots/nextcloud-podman05.png){:class="img-responsive"}
+
 ## Troubleshooting
 
 If the Nextcloud page isn't loading as expected or you're getting an error when launching your service, the container output logs are your friends! Run `podman ps` to see if your containers are running. If they are, use `podman logs <container name>` to see the latest output from each container. It's usually pretty easy to spot red flags there.
 
-If the containers aren't running, use `sudo journalctl -xe` to check the output of each service. You may have to scroll up a bit to get useful information, since services will often try to restart multiple times after an error and fill up the output in process. Make sure you scroll up past the messages that say "service start request repeated too quickly" and try to find the first messages shown from each container's service.
+If the containers aren't running, use `sudo journalctl -xe` to check the output of each service. You may have to scroll up a bit to get useful information, since services will often try to restart multiple times after an error and fill up the output. Make sure you scroll up past the messages that say "service start request repeated too quickly" and try to find the first messages shown from each container's service.
 
 **Common problems**
 * Directory or file referenced in the `*.service` file doesn't exist or is in the wrong location (your container directories and Caddyfile). Make sure the paths are consistent in all your files.
@@ -567,7 +582,7 @@ If the containers aren't running, use `sudo journalctl -xe` to check the output
 
 ## Next steps
 
-Now that we have a working server, let's make sure we never have to do it by hand again! In Part 3 of the series, I'll go over how you can automate the entire configuration with an [Ansible playbook](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html). Not only can you re-use that playbook to spin up multiple servers or re-deploy on a new hosting provider, it's also documentation that writes itself. 
+Now that we have a working server, let's make sure we never have to do it by hand again! In Part 3 of the series, I'll go over how you can automate the entire configuration with an [Ansible playbook](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html). Not only can you re-use that playbook to spin up multiple servers or re-deploy on a new hosting provider, it also acts as documentation that writes itself. 
 
 As always, feel free to leave a comment below with any questions or suggestions. You can also reach me by [email](mailto:blog@rayagainstthemachine.net) or [Mastodon](https://fosstodon.org/@skoobasteeve).