Nextcloud is a collaboration platform which can be self-hosted to achieve complete control over your data. Nextcloud puts your data at your fingertips, under your control. Store your documents, calendar, contacts and photos on a server at home.

Nextcloud has many moving parts. It needs a mysql database, redis session manager, php-fpm, and nginx reverse proxy for serving static content.

My installation of Nextcloud is unique from the other applications, which use Longhorn volumes. My Nextcloud was migrated from my original Kubernetes cluster and I was using NFS for storage. In order to facilitate the migration to the new cluster quickly, I left the files on NFS. At some point, I’ll get back around to migrate the files to a proper Longhorn volume.

As with other roles, the Nextcloud role has a number of variables in the the k3s_cluster group_vars.

Variables

inventory/group_vars/k3s_cluster:

nextcloud_db_vol_size: 5Gi
nextcloud_db_name: nextclouddb
nextcloud_db_password: nextcloud_password
nextcloud_db_root_password: nextcloud_root_password
nextcloud_db_image: mariadb:10.4.12-bionic
nextcloud_nginx_image: nginx:1.17.9-alpine
nextcloud_www_fpm_vol_size: 250Gi
nextcloud_backup_vol_size: 500Gi
nextcloud_www_nfs_path: /Container/nextcloud-www
nextcloud_backup_nfs_path: /Container/nextcloud-backup
nextcloud_www_nfs_host: 192.168.x.x
nextcloud_backup_nfs_host: 192.168.x.x
nextcloud_admin_password: nextcloud_admin_password
nextcloud_smtp_password: smtp_password
nextcloud_domain: domain.tld
nextcloud_mail_from: [email protected]
nextcloud_smtp_port: 465
nextcloud_smtp_security: ssl
nextcloud_trusted_proxies: 10.42.0.0/16
nextcloud_fpm_image: nextcloud:25.0.1-fpm
nextcloud_hostname: nextcloud.domain.tld

Volumes

There is only one Longhorn volume called nextcloud-db-vol which I created as 5 GB which, as I’ve done before, is created using the Longhorn dashboard. If I were doing a brand new installation, I would also have another Longhorn volume for Nextcloud files.

The Ansible tasks for the Nextcloud roles which deploy and configure all of the manifests.

Tasks

roles/k3s_cluster/nextcloud/tasks/main.yml:

- name: Nextcloud namespace
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/namespace.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud Volumes
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/volume.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud Redis Deployment
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/redis-deployment.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud Redis Config
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/redis-config.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud Redis Service
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/redis-service.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud Secrets
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/secret.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud DB Deployment
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/db-deployment.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud DB Service
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/db-service.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud NGINX Config
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/nginx-config.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud NGINX Deployment
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/nginx-deployment.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud NGINX Service
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/nginx-service.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud FPM Config
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/fpm-config.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud FPM Deployment
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/fpm-deployment.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud FPM Service
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/fpm-service.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true
- name: Nextcloud Ingress
  kubernetes.core.k8s:
    kubeconfig: "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
    state: present
    definition: "{{ lookup('template', 'manifests/ingress.j2') }}"
    validate:
      fail_on_error: yes
  delegate_to: "{{ ansible_host }}"
  run_once: true

Manifests

roles/k3s_cluster/nextcloud/manifests/namespace.j2:

apiVersion: v1
kind: Namespace
metadata:
  name: {{ nextcloud_namespace }}

roles/k3s_cluster/nextcloud/manifests/volumes.j2:

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nextcloud-db-vol-pv
  labels:
    backup: daily
spec:
  capacity:
    storage: {{ nextcloud_db_vol_size }}
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: longhorn-static
  csi:
    driver: driver.longhorn.io
    fsType: ext4
    volumeAttributes:
      numberOfReplicas: "3"
      staleReplicaTimeout: "2880"
    volumeHandle: nextcloud-db-vol
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-db-vol-pvc
  namespace: {{ nextcloud_namespace }}
  labels:
    backup: daily
spec:
  storageClassName: longhorn-static
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: {{ nextcloud_db_vol_size }}
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nextcloud-nginx-pv
  namespace: {{ nextcloud_namespace }}
spec:
  capacity:
    storage: {{ nextcloud_www_fpm_vol_size }}
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs
  mountOptions:
    - hard
    - nfsvers=4.1
  nfs:
    path: {{ nextcloud_www_nfs_path }}
    server: {{ nextcloud_www_nfs_host }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-nginx-pvc
  namespace: {{ nextcloud_namespace }}
spec:
  accessModes:
  - ReadWriteMany 
  storageClassName: nfs
  volumeName: nextcloud-nginx-pv
  resources:
    requests:
      storage: {{ nextcloud_www_fpm_vol_size }}  
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nextcloud-fpm-www-pv
  namespace: {{ nextcloud_namespace }}
spec:
  capacity:
    storage: {{ nextcloud_www_fpm_vol_size }}
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs
  mountOptions:
    - hard
    - nfsvers=4.1
  nfs:
    path: {{ nextcloud_www_nfs_path }}
    server: {{ nextcloud_www_nfs_host }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-fpm-www-pvc
  namespace: {{ nextcloud_namespace }}
spec:
  accessModes:
  - ReadWriteMany 
  storageClassName: nfs
  volumeName: nextcloud-fpm-www-pv
  resources:
    requests:
      storage: {{ nextcloud_www_fpm_vol_size }}  
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nextcloud-backup-pv
  namespace: {{ nextcloud_namespace }}
spec:
  capacity:
    storage: {{ nextcloud_backup_vol_size }}
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs
  mountOptions:
    - hard
    - nfsvers=4.1
  nfs:
    path: {{ nextcloud_backup_nfs_path }}
    server: {{ nextcloud_backup_nfs_host }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-backup-pvc
  namespace: {{ nextcloud_namespace }}
spec:
  accessModes:
  - ReadWriteMany 
  storageClassName: nfs
  volumeName: nextcloud-backup-pv
  resources:
    requests:
      storage: {{ nextcloud_backup_vol_size }}  

roles/k3s_cluster/nextcloud/manifests/redis-deployment.j2:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud-redis
  namespace:  {{ nextcloud_namespace }}
  labels:
    app: nextcloud-redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud-redis
  template:
    metadata:
      labels:
        app: nextcloud-redis
    spec:
      containers:
      - name: nextcloud-redis
        image: redis:{{ nextcloud_redis_tag }}
        command:
          - redis-server
          - "/redis-master/redis.conf"
        env:
        - name: MASTER
          value: "true"
        ports:
        - containerPort: 6379
        resources:
          limits:
            cpu: "0.1"
        volumeMounts:
        - mountPath: /redis-master-data
          name: data
        - mountPath: /redis-master
          name: config
      volumes:
        - name: data
          emptyDir: {}
        - name: config
          configMap:
            name: nextcloud-redis-config
            items:
            - key: redis-config
              path: redis.conf

roles/k3s_cluster/nextcloud/manifests/redis-config.j2:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-redis-config
  namespace: {{ nextcloud_namespace }}
data:
  redis-config: |
    maxmemory 1gb
    maxmemory-policy allkeys-lru     

roles/k3s_cluster/nextcloud/manifests/redis-service.j2:

apiVersion: v1
kind: Service
metadata:
  name: nextcloud-redis
  namespace: {{ nextcloud_namespace }}
spec:
  selector:
    app: nextcloud-redis
  ports:
  - name: tcp
    port: 6379

roles/k3s_cluster/nextcloud/manifests/secret.j2:

---
apiVersion: v1
stringData:
  MYSQL_DATABASE: {{ nextcloud_db_name }}
  MYSQL_PASSWORD: {{ nextcloud_db_password }}
  MYSQL_ROOT_PASSWORD: {{ nextcloud_db_root_password }}
  MYSQL_USER: nextcloud
kind: Secret
metadata:
  name: nextcloud-db
  namespace: {{ nextcloud_namespace }}
type: Opaque
---
apiVersion: v1
stringData:
  MYSQL_PASSWORD: {{ nextcloud_db_password }}
  NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }}
  SMTP_PASSWORD: {{ nextcloud_smtp_password }}
kind: Secret
metadata:
  name: nextcloud-fpm
  namespace: {{ nextcloud_namespace }}
type: Opaque

roles/k3s_cluster/nextcloud/manifests/db-deployment.j2:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nextcloud-db
  name: nextcloud-db
  namespace: {{ nextcloud_namespace }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud-db
  template:
    metadata:
      labels:
        app: nextcloud-db
    spec:
      containers:
      - envFrom:
        - secretRef:
            name: nextcloud-db
        image: {{ nextcloud_db_image }}
        name: nextcloud-db
        ports:
        - containerPort: 3306
          name: nextcloud-db
          protocol: TCP
        volumeMounts:
        - mountPath: /var/lib/mysql
          name: nextcloud-db-vol
      volumes:
      - name: nextcloud-db-vol
        persistentVolumeClaim:
          claimName: nextcloud-db-vol-pvc

roles/k3s_cluster/nextcloud/manifests/db-service.j2:

apiVersion: v1
kind: Service
metadata:
  name: nextcloud-db
  namespace: {{ nextcloud_namespace }}
spec:
  ports:
  - name: nextcloud-db
    port: 3306
    protocol: TCP
    targetPort: 3306
  selector:
    app: nextcloud-db

roles/k3s_cluster/nextcloud/manifests/nginx-config.j2:

apiVersion: v1
data:
  nginx.conf: |-
    worker_processes auto;

    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;


    events {
        worker_connections  1024;
    }


    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        keepalive_timeout  65;

        #gzip  on;

        upstream php-handler {
            server nextcloud-fpm.nextcloud.svc.cluster.local:9000;
        }

        server {
            listen 80;

            # Add headers to serve security related headers
            # Before enabling Strict-Transport-Security headers please read into this
            # topic first.
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
            #
            # WARNING: Only add the preload option once you read about
            # the consequences in https://hstspreload.org/. This option
            # will add the domain to a hardcoded list that is shipped
            # in all major browsers and getting removed from this list
            # could take several months.
            add_header Referrer-Policy "no-referrer" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Download-Options "noopen" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Permitted-Cross-Domain-Policies "none" always;
            add_header X-Robots-Tag "none" always;
            add_header X-XSS-Protection "1; mode=block" always;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Front-End-Https on;

            # Remove X-Powered-By, which is an information leak
            fastcgi_hide_header X-Powered-By;

            # Path to the root of your installation
            root /var/www/html;

            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }

            # The following 2 rules are only needed for the user_webfinger app.
            # Uncomment it if you're planning to use this app.
            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

            # The following rule is only needed for the Social app.
            # Uncomment it if you're planning to use this app.
            rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
            location = /.well-known/carddav {
                return 301 $scheme://$host:$server_port/remote.php/dav;
            }

            location = /.well-known/caldav {
                return 301 $scheme://$host:$server_port/remote.php/dav;
            }

            # set max upload size
            client_max_body_size 10G;
            fastcgi_buffers 64 4K;

            # Enable gzip but do not remove ETag headers
            gzip on;
            gzip_vary on;
            gzip_comp_level 4;
            gzip_min_length 256;
            gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
            gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

            # Uncomment if your server is build with the ngx_pagespeed module
            # This module is currently not supported.
            #pagespeed off;

            location / {
                rewrite ^ /index.php;
            }

            location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
                deny all;
            }
            location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
                deny all;
            }

            location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                set $path_info $fastcgi_path_info;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                # fastcgi_param HTTPS on;

                # Avoid sending the security headers twice
                fastcgi_param modHeadersAvailable true;

                # Enable pretty urls
                fastcgi_param front_controller_active true;
                fastcgi_pass php-handler;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            }

            location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
                try_files $uri/ =404;
                index index.php;
            }

            # Adding the cache control header for js, css and map files
            # Make sure it is BELOW the PHP block
            location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
                try_files $uri /index.php$request_uri;
                add_header Cache-Control "public, max-age=15778463";
                # Add headers to serve security related headers (It is intended to
                # have those duplicated to the ones above)
                # Before enabling Strict-Transport-Security headers please read into
                # this topic first.
                #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
                #
                # WARNING: Only add the preload option once you read about
                # the consequences in https://hstspreload.org/. This option
                # will add the domain to a hardcoded list that is shipped
                # in all major browsers and getting removed from this list
                # could take several months.
                add_header Referrer-Policy "no-referrer" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header X-Download-Options "noopen" always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header X-Permitted-Cross-Domain-Policies "none" always;
                add_header X-Robots-Tag "none" always;
                add_header X-XSS-Protection "1; mode=block" always;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                add_header Front-End-Https on;

                # Optional: Don't log access to assets
                access_log off;
            }

            location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
                try_files $uri /index.php$request_uri;
                # Optional: Don't log access to other assets
                access_log off;
            }
        }
    }    
kind: ConfigMap
metadata:
  name: nextcloud-nginx-config
  namespace:  {{ nextcloud_namespace }}

roles/k3s_cluster/nextcloud/manifests/nginx-deployment.j2:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nextcloud-nginx
  name: nextcloud-nginx
  namespace: {{ nextcloud_namespace }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud-nginx
  template:
    metadata:
      labels:
        app: nextcloud-nginx
    spec:
      containers:
      - image: {{ nextcloud_nginx_image }}
        name: nextcloud-nginx
        ports:
        - containerPort: 80
          name: web
          protocol: TCP
        volumeMounts:
        - mountPath: /var/www/html
          name: nextcloud-nginx-vol
        - mountPath: /etc/nginx/nginx.conf
          name: nextcloud-nginx-config
          subPath: nginx.conf
      volumes:
      - name: nextcloud-nginx-vol
        persistentVolumeClaim:
          claimName: nextcloud-nginx-pvc
      - configMap:
          defaultMode: 256
          name: nextcloud-nginx-config
          optional: false
        name: nextcloud-nginx-config

roles/k3s_cluster/nextcloud/manifests/nginx-service.j2:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nextcloud-nginx
  name: nextcloud-nginx
  namespace: nextcloud
spec:
  ports:
  - name: web
    port: 80
  selector:
    app: nextcloud-nginx

roles/k3s_cluster/nextcloud/manifests/fpm-config.j2:

---
apiVersion: v1
data:
  MAIL_DOMAIN: {{ nextcloud_domain }}
  MAIL_FROM_ADDRESS: {{ nextcloud_mail_from }}
  MYSQL_DATABASE: {{ nextcloud_db_name }}
  MYSQL_HOST: nextcloud-db
  MYSQL_USER: nextcloud
  NEXTCLOUD_ADMIN_USER: admin
  REDIS_HOST: nextcloud-redis
  SMTP_HOST: {{ smtp_hostname }}
  SMTP_NAME: {{ smtp_username }}
  SMTP_PORT: "{{ nextcloud_smtp_port }}"
  SMTP_SECURE: {{ nextcloud_smtp_security }}
  TRUSTED_PROXIES: {{ nextcloud_trusted_proxies }}
kind: ConfigMap
metadata:
  name: nextcloud-fpm
  namespace: nextcloud
---
apiVersion: v1
data:
  www-conf: |-
    ; Start a new pool named 'www'.
    ; the variable $pool can be used in any directive and will be replaced by the
    ; pool name ('www' here)
    [www]

    ; Per pool prefix
    ; It only applies on the following directives:
    ; - 'access.log'
    ; - 'slowlog'
    ; - 'listen' (unixsocket)
    ; - 'chroot'
    ; - 'chdir'
    ; - 'php_values'
    ; - 'php_admin_values'
    ; When not set, the global prefix (or NONE) applies instead.
    ; Note: This directive can also be relative to the global prefix.
    ; Default Value: none
    ;prefix = /path/to/pools/$pool

    ; Unix user/group of processes
    ; Note: The user is mandatory. If the group is not set, the default user's group
    ;       will be used.
    user = www-data
    group = www-data

    ; The address on which to accept FastCGI requests.
    ; Valid syntaxes are:
    ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
    ;                            a specific port;
    ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
    ;                            a specific port;
    ;   'port'                 - to listen on a TCP socket to all addresses
    ;                            (IPv6 and IPv4-mapped) on a specific port;
    ;   '/path/to/unix/socket' - to listen on a unix socket.
    ; Note: This value is mandatory.
    listen = 127.0.0.1:9000

    ; Set listen(2) backlog.
    ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
    ;listen.backlog = 511

    ; Set permissions for unix socket, if one is used. In Linux, read/write
    ; permissions must be set in order to allow connections from a web server. Many
    ; BSD-derived systems allow connections regardless of permissions. The owner
    ; and group can be specified either by name or by their numeric IDs.
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0660
    ;listen.owner = www-data
    ;listen.group = www-data
    ;listen.mode = 0660
    ; When POSIX Access Control Lists are supported you can set them using
    ; these options, value is a comma separated list of user/group names.
    ; When set, listen.owner and listen.group are ignored
    ;listen.acl_users =
    ;listen.acl_groups =

    ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
    ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
    ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
    ; must be separated by a comma. If this value is left blank, connections will be
    ; accepted from any ip address.
    ; Default Value: any
    ;listen.allowed_clients = 127.0.0.1

    ; Specify the nice(2) priority to apply to the pool processes (only if set)
    ; The value can vary from -19 (highest priority) to 20 (lower priority)
    ; Note: - It will only work if the FPM master process is launched as root
    ;       - The pool processes will inherit the master process priority
    ;         unless it specified otherwise
    ; Default Value: no set
    ; process.priority = -19

    ; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
    ; or group is differrent than the master process user. It allows to create process
    ; core dump and ptrace the process for the pool user.
    ; Default Value: no
    ; process.dumpable = yes

    ; Choose how the process manager will control the number of child processes.
    ; Possible Values:
    ;   static  - a fixed number (pm.max_children) of child processes;
    ;   dynamic - the number of child processes are set dynamically based on the
    ;             following directives. With this process management, there will be
    ;             always at least 1 children.
    ;             pm.max_children      - the maximum number of children that can
    ;                                    be alive at the same time.
    ;             pm.start_servers     - the number of children created on startup.
    ;             pm.min_spare_servers - the minimum number of children in 'idle'
    ;                                    state (waiting to process). If the number
    ;                                    of 'idle' processes is less than this
    ;                                    number then some children will be created.
    ;             pm.max_spare_servers - the maximum number of children in 'idle'
    ;                                    state (waiting to process). If the number
    ;                                    of 'idle' processes is greater than this
    ;                                    number then some children will be killed.
    ;  ondemand - no children are created at startup. Children will be forked when
    ;             new requests will connect. The following parameter are used:
    ;             pm.max_children           - the maximum number of children that
    ;                                         can be alive at the same time.
    ;             pm.process_idle_timeout   - The number of seconds after which
    ;                                         an idle process will be killed.
    ; Note: This value is mandatory.
    pm = dynamic

    ; The number of child processes to be created when pm is set to 'static' and the
    ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
    ; This value sets the limit on the number of simultaneous requests that will be
    ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
    ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
    ; CGI. The below defaults are based on a server without much resources. Don't
    ; forget to tweak pm.* to fit your needs.
    ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
    ; Note: This value is mandatory.
    pm.max_children = 50

    ; The number of child processes created on startup.
    ; Note: Used only when pm is set to 'dynamic'
    ; Default Value: (min_spare_servers + max_spare_servers) / 2
    pm.start_servers = 10

    ; The desired minimum number of idle server processes.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    pm.min_spare_servers = 10

    ; The desired maximum number of idle server processes.
    ; Note: Used only when pm is set to 'dynamic'
    ; Note: Mandatory when pm is set to 'dynamic'
    pm.max_spare_servers = 25

    ; The number of seconds after which an idle process will be killed.
    ; Note: Used only when pm is set to 'ondemand'
    ; Default Value: 10s
    ;pm.process_idle_timeout = 10s;

    ; The number of requests each child process should execute before respawning.
    ; This can be useful to work around memory leaks in 3rd party libraries. For
    ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
    ; Default Value: 0
    ;pm.max_requests = 500

    ; The URI to view the FPM status page. If this value is not set, no URI will be
    ; recognized as a status page. It shows the following informations:
    ;   pool                 - the name of the pool;
    ;   process manager      - static, dynamic or ondemand;
    ;   start time           - the date and time FPM has started;
    ;   start since          - number of seconds since FPM has started;
    ;   accepted conn        - the number of request accepted by the pool;
    ;   listen queue         - the number of request in the queue of pending
    ;                          connections (see backlog in listen(2));
    ;   max listen queue     - the maximum number of requests in the queue
    ;                          of pending connections since FPM has started;
    ;   listen queue len     - the size of the socket queue of pending connections;
    ;   idle processes       - the number of idle processes;
    ;   active processes     - the number of active processes;
    ;   total processes      - the number of idle + active processes;
    ;   max active processes - the maximum number of active processes since FPM
    ;                          has started;
    ;   max children reached - number of times, the process limit has been reached,
    ;                          when pm tries to start more children (works only for
    ;                          pm 'dynamic' and 'ondemand');
    ; Value are updated in real time.
    ; Example output:
    ;   pool:                 www
    ;   process manager:      static
    ;   start time:           01/Jul/2011:17:53:49 +0200
    ;   start since:          62636
    ;   accepted conn:        190460
    ;   listen queue:         0
    ;   max listen queue:     1
    ;   listen queue len:     42
    ;   idle processes:       4
    ;   active processes:     11
    ;   total processes:      15
    ;   max active processes: 12
    ;   max children reached: 0
    ;
    ; By default the status page output is formatted as text/plain. Passing either
    ; 'html', 'xml' or 'json' in the query string will return the corresponding
    ; output syntax. Example:
    ;   http://www.foo.bar/status
    ;   http://www.foo.bar/status?json
    ;   http://www.foo.bar/status?html
    ;   http://www.foo.bar/status?xml
    ;
    ; By default the status page only outputs short status. Passing 'full' in the
    ; query string will also return status for each pool process.
    ; Example:
    ;   http://www.foo.bar/status?full
    ;   http://www.foo.bar/status?json&full
    ;   http://www.foo.bar/status?html&full
    ;   http://www.foo.bar/status?xml&full
    ; The Full status returns for each process:
    ;   pid                  - the PID of the process;
    ;   state                - the state of the process (Idle, Running, ...);
    ;   start time           - the date and time the process has started;
    ;   start since          - the number of seconds since the process has started;
    ;   requests             - the number of requests the process has served;
    ;   request duration     - the duration in µs of the requests;
    ;   request method       - the request method (GET, POST, ...);
    ;   request URI          - the request URI with the query string;
    ;   content length       - the content length of the request (only with POST);
    ;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
    ;   script               - the main script called (or '-' if not set);
    ;   last request cpu     - the %cpu the last request consumed
    ;                          it's always 0 if the process is not in Idle state
    ;                          because CPU calculation is done when the request
    ;                          processing has terminated;
    ;   last request memory  - the max amount of memory the last request consumed
    ;                          it's always 0 if the process is not in Idle state
    ;                          because memory calculation is done when the request
    ;                          processing has terminated;
    ; If the process is in Idle state, then informations are related to the
    ; last request the process has served. Otherwise informations are related to
    ; the current request being served.
    ; Example output:
    ;   ************************
    ;   pid:                  31330
    ;   state:                Running
    ;   start time:           01/Jul/2011:17:53:49 +0200
    ;   start since:          63087
    ;   requests:             12808
    ;   request duration:     1250261
    ;   request method:       GET
    ;   request URI:          /test_mem.php?N=10000
    ;   content length:       0
    ;   user:                 -
    ;   script:               /home/fat/web/docs/php/test_mem.php
    ;   last request cpu:     0.00
    ;   last request memory:  0
    ;
    ; Note: There is a real-time FPM status monitoring sample web page available
    ;       It's available in: /usr/local/share/php/fpm/status.html
    ;
    ; Note: The value must start with a leading slash (/). The value can be
    ;       anything, but it may not be a good idea to use the .php extension or it
    ;       may conflict with a real PHP file.
    ; Default Value: not set
    ;pm.status_path = /status

    ; The ping URI to call the monitoring page of FPM. If this value is not set, no
    ; URI will be recognized as a ping page. This could be used to test from outside
    ; that FPM is alive and responding, or to
    ; - create a graph of FPM availability (rrd or such);
    ; - remove a server from a group if it is not responding (load balancing);
    ; - trigger alerts for the operating team (24/7).
    ; Note: The value must start with a leading slash (/). The value can be
    ;       anything, but it may not be a good idea to use the .php extension or it
    ;       may conflict with a real PHP file.
    ; Default Value: not set
    ;ping.path = /ping

    ; This directive may be used to customize the response of a ping request. The
    ; response is formatted as text/plain with a 200 response code.
    ; Default Value: pong
    ;ping.response = pong

    ; The access log file
    ; Default: not set
    ;access.log = log/$pool.access.log

    ; The access log format.
    ; The following syntax is allowed
    ;  %%: the '%' character
    ;  %C: %CPU used by the request
    ;      it can accept the following format:
    ;      - %{user}C for user CPU only
    ;      - %{system}C for system CPU only
    ;      - %{total}C  for user + system CPU (default)
    ;  %d: time taken to serve the request
    ;      it can accept the following format:
    ;      - %{seconds}d (default)
    ;      - %{miliseconds}d
    ;      - %{mili}d
    ;      - %{microseconds}d
    ;      - %{micro}d
    ;  %e: an environment variable (same as $_ENV or $_SERVER)
    ;      it must be associated with embraces to specify the name of the env
    ;      variable. Some exemples:
    ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
    ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
    ;  %f: script filename
    ;  %l: content-length of the request (for POST request only)
    ;  %m: request method
    ;  %M: peak of memory allocated by PHP
    ;      it can accept the following format:
    ;      - %{bytes}M (default)
    ;      - %{kilobytes}M
    ;      - %{kilo}M
    ;      - %{megabytes}M
    ;      - %{mega}M
    ;  %n: pool name
    ;  %o: output header
    ;      it must be associated with embraces to specify the name of the header:
    ;      - %{Content-Type}o
    ;      - %{X-Powered-By}o
    ;      - %{Transfert-Encoding}o
    ;      - ....
    ;  %p: PID of the child that serviced the request
    ;  %P: PID of the parent of the child that serviced the request
    ;  %q: the query string
    ;  %Q: the '?' character if query string exists
    ;  %r: the request URI (without the query string, see %q and %Q)
    ;  %R: remote IP address
    ;  %s: status (response code)
    ;  %t: server time the request was received
    ;      it can accept a strftime(3) format:
    ;      %d/%b/%Y:%H:%M:%S %z (default)
    ;      %T: time the log has been written (the request has finished)
    ;      it can accept a strftime(3) format:
    ;      %d/%b/%Y:%H:%M:%S %z (default)
    ;  %u: remote user
    ;
    ; Default: "%R - %u %t \"%m %r\" %s"
    ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"

    ; The log file for slow requests
    ; Default Value: not set
    ; Note: slowlog is mandatory if request_slowlog_timeout is set
    ;slowlog = log/$pool.log.slow

    ; The timeout for serving a single request after which a PHP backtrace will be
    ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_slowlog_timeout = 0

    ; Depth of slow log stack trace.
    ; Default Value: 20
    ;request_slowlog_trace_depth = 20

    ; The timeout for serving a single request after which the worker process will
    ; be killed. This option should be used when the 'max_execution_time' ini option
    ; does not stop script execution for some reason. A value of '0' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_terminate_timeout = 0

    ; The timeout set by 'request_terminate_timeout' ini option is not engaged after
    ; application calls 'fastcgi_finish_request' or when application has finished and
    ; shutdown functions are being called (registered via register_shutdown_function).
    ; This option will enable timeout limit to be applied unconditionally
    ; even in such cases.
    ; Default Value: no
    ;request_terminate_timeout_track_finished = no

    ; Set open file descriptor rlimit.
    ; Default Value: system defined value
    ;rlimit_files = 1024

    ; Set max core size rlimit.
    ; Possible Values: 'unlimited' or an integer greater or equal to 0
    ; Default Value: system defined value
    ;rlimit_core = 0

    ; Chroot to this directory at the start. This value must be defined as an
    ; absolute path. When this value is not set, chroot is not used.
    ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
    ; of its subdirectories. If the pool prefix is not set, the global prefix
    ; will be used instead.
    ; Note: chrooting is a great security feature and should be used whenever
    ;       possible. However, all PHP paths will be relative to the chroot
    ;       (error_log, sessions.save_path, ...).
    ; Default Value: not set
    ;chroot =

    ; Chdir to this directory at the start.
    ; Note: relative path can be used.
    ; Default Value: current directory or / when chroot
    ;chdir = /var/www

    ; Redirect worker stdout and stderr into main error log. If not set, stdout and
    ; stderr will be redirected to /dev/null according to FastCGI specs.
    ; Note: on highloaded environement, this can cause some delay in the page
    ; process time (several ms).
    ; Default Value: no
    ;catch_workers_output = yes

    ; Decorate worker output with prefix and suffix containing information about
    ; the child that writes to the log and if stdout or stderr is used as well as
    ; log level and time. This options is used only if catch_workers_output is yes.
    ; Settings to "no" will output data as written to the stdout or stderr.
    ; Default value: yes
    ;decorate_workers_output = no

    ; Clear environment in FPM workers
    ; Prevents arbitrary environment variables from reaching FPM worker processes
    ; by clearing the environment in workers before env vars specified in this
    ; pool configuration are added.
    ; Setting to "no" will make all environment variables available to PHP code
    ; via getenv(), $_ENV and $_SERVER.
    ; Default Value: yes
    ;clear_env = no

    ; Limits the extensions of the main script FPM will allow to parse. This can
    ; prevent configuration mistakes on the web server side. You should only limit
    ; FPM to .php extensions to prevent malicious users to use other extensions to
    ; execute php code.
    ; Note: set an empty value to allow all extensions.
    ; Default Value: .php
    ;security.limit_extensions = .php .php3 .php4 .php5 .php7

    ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
    ; the current environment.
    ; Default Value: clean env
    ;env[HOSTNAME] = $HOSTNAME
    ;env[PATH] = /usr/local/bin:/usr/bin:/bin
    ;env[TMP] = /tmp
    ;env[TMPDIR] = /tmp
    ;env[TEMP] = /tmp

    ; Additional php.ini defines, specific to this pool of workers. These settings
    ; overwrite the values previously defined in the php.ini. The directives are the
    ; same as the PHP SAPI:
    ;   php_value/php_flag             - you can set classic ini defines which can
    ;                                    be overwritten from PHP call 'ini_set'.
    ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
    ;                                     PHP call 'ini_set'
    ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

    ; Defining 'extension' will load the corresponding shared extension from
    ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
    ; overwrite previously defined php.ini values, but will append the new value
    ; instead.

    ; Note: path INI options can be relative and will be expanded with the prefix
    ; (pool, global or /usr/local)

    ; Default Value: nothing is defined by default except the values in php.ini and
    ;                specified at startup with the -d argument
    ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
    ;php_flag[display_errors] = off
    ;php_admin_value[error_log] = /var/log/fpm-php.www.log
    ;php_admin_flag[log_errors] = on
    ;php_admin_value[memory_limit] = 32M    
kind: ConfigMap
metadata:
  name: nextcloud-fpm-www-conf
  namespace: nextcloud

roles/k3s_cluster/nextcloud/manifests/fpm-deployment.j2:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nextcloud-fpm
  name: nextcloud-fpm
  namespace: nextcloud
spec:
  securityContext:
    fsGroup: 33
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud-fpm
  template:
    metadata:
      labels:
        app: nextcloud-fpm
    spec:
      containers:
      - envFrom:
        - secretRef:
            name: nextcloud-fpm
            optional: false
        - configMapRef:
            name: nextcloud-fpm
            optional: false
        image: {{ nextcloud_fpm_image }}
        name: nextcloud-fpm
        ports:
        - containerPort: 9000
          name: fpm
          protocol: TCP
        volumeMounts:
        - mountPath: /var/www/html
          name: nextcloud-fpm-www-vol
        - mountPath: /usr/local/etc/php-fpm.d/www.conf
          name: nextcloud-fpm-www-conf
          subPath: www.conf
        - mountPath: /backup
          name: nextcloud-backup-pvc
      - args:
        - /cron.sh
        image: {{ nextcloud_fpm_image }}
        name: nextcloud-cron
        volumeMounts:
        - mountPath: /var/www/html
          name: nextcloud-fpm-www-vol
        - mountPath: /usr/local/etc/php-fpm.d/www.conf
          name: nextcloud-fpm-www-conf
          subPath: www.conf
      volumes:
      - name: nextcloud-fpm-www-vol
        persistentVolumeClaim:
          claimName: nextcloud-fpm-www-pvc
      - configMap:
          defaultMode: 256
          items:
          - key: www-conf
            path: www.conf
          name: nextcloud-fpm-www-conf
          optional: false
        name: nextcloud-fpm-www-conf
      - name: nextcloud-backup-pvc
        persistentVolumeClaim:
          claimName: nextcloud-backup-pvc

roles/k3s_cluster/nextcloud/manifests/fpm-service.j2:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nextcloud-fpm
  name: nextcloud-fpm
  namespace: nextcloud
spec:
  ports:
  - name: fpm
    port: 9000
    protocol: TCP
  selector:
    app: nextcloud-fpm

roles/k3s_cluster/nextcloud/manifests/ingress.j2:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nextcloud
  namespace: {{ nextcloud_namespace }}
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`{{ nextcloud_hostname }}`)
      kind: Rule
      services:
        - name: nextcloud-nginx
          port: 80

Ansible Playbook

The following playbook executes the Nextcloud role.

k3s-nextcloud.yaml:

---
- hosts: master[0]
  become: yes
  vars:
    ansible_python_interpreter: /usr/bin/python3
  remote_user: ansible
  pre_tasks:
    - name: Install Kubernetes Python module
      pip:
        name: kubernetes
    - name: Install Kubernetes-validate Python module
      pip:
        name: kubernetes-validate
  roles:
    - role: k3s_cluster/nextcloud

Summary

This role sets up a Nextcloud installation which is highly performant, but this post doesn’t cover how to initialize and configure Nextcloud itself. For example, I’ve integrated Nextcloud with Authelia for single sign-on. The installation has evolved over time and I’m just not willing to start from scratch in order to document everything I’ve done. :)