Adds immich, puts redis/database on NVME, uses postgres for wallabag and nextcloud, adds backup services

files/backup-postgres.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
+
+user="$(whoami)"
+today=$(date +%F)
+dir="/backup/${today}"
+host_dir="/var/mnt/nas/containers/${user}/storage/database-backup"
+mkdir -p "${host_dir}"
+if podman container exists "${user}-database"; then
+  podman exec "${user}-database" pg_dump -U "${user}" -d "${user}" -F d -Z zstd:3 -f "${dir}"
+else
+  echo "${user}-database" not found
+fi

home/nextcloud/.secrets

@@ -1,6 +1,4 @@
 database-password=7w6,{R_C=LdZ@9iy
-database-root-password=[-B#xMVj~\3X*vC>
-database-user=nextcloud
 nextcloud-admin-password=tcf@fg]%2BL]K*p`
 nextcloud-admin-user=admin
 nextcloud-redis-password=AznBSv9lCflXg2z0

home/wallabag/.secrets

@@ -1,2 +1 @@
 database-password=YdBYea47YBCpjhL7ped9
-database-root-password=zUMuEkTzOG8CH8VjvLXE

init/enable-all-quadlets.sh

@@ -4,7 +4,6 @@ set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
 setsebool -P container_use_devices on
 setsebool -P openvpn_run_unconfined on
 semanage fcontext -a -t container_file_t "/mnt/nas(/.*)?"
-#semanage fcontext -a -t container_file_t "/mnt/nas/containers/.*/storage/.*(/.*)?"
 restorecon -vR /mnt/nas
 
 users=("gitea" "homeassistant" "immich" "jdownloader" "kiwix" "komga" "navidrome" "nextcloud" "nginx" "pairdrop" "paperless" "pihole" "qbittorrent" "synapse" "wallabag")
@@ -15,7 +14,7 @@ for user in "${users[@]}"; do
     sudo -u "${user}" /opt/bin/add-secrets.sh "${secrets_file}"
   fi
   systemctl --user -M "${user}@" daemon-reload
-  systemctl --user -M "${user}@" enable --now "podman-auto-update.timer" || true
+  systemctl --user -M "${user}@" enable "podman-auto-update.timer" || true
   systemctl --user -M "${user}@" stop "${user}.service" || true
   systemctl --user -M "${user}@" start "${user}.service"
   echo "${user} done"
@@ -23,12 +22,19 @@ done
 systemctl --user -M "arr@" daemon-reload
 systemctl --user -M "arr@" start "overseerr.service"
 systemctl --user -M "tga@" daemon-reload
-systemctl --user -M "tga@" enable --now "update-dyndns.timer"
+systemctl --user -M "tga@" enable "update-dyndns.timer"
 
 systemctl --user -M "kiwix@" enable --now "clone-zim-updater.service"
-systemctl --user -M "nextcloud@" enable --now "pre-generate-preview.timer"
-systemctl --user -M "pihole@" enable --now "update-hints.timer"
-systemctl --user -M "pihole@" enable --now "update-root.timer"
+systemctl --user -M "nextcloud@" enable "pre-generate-preview.timer"
+systemctl --user -M "pihole@" enable "update-hints.timer"
+systemctl --user -M "pihole@" enable "update-root.timer"
+
+systemctl --user -M "gitea@" enable "backup-database.timer"
+systemctl --user -M "immich@" enable "backup-database.timer"
+systemctl --user -M "nextcloud@" enable "backup-database.timer"
+systemctl --user -M "paperless@" enable "backup-database.timer"
+systemctl --user -M "synapse@" enable "backup-database.timer"
+systemctl --user -M "wallabag@" enable "backup-database.timer"
 
 /opt/bin/add-secrets.sh /root/.secrets
 systemctl daemon-reload

pi4.bu

@@ -73,6 +73,10 @@ storage:
       contents:
         local: files/add-secrets.sh
       mode: 0755
+    - path: /opt/bin/backup-postgres.sh
+      contents:
+        local: files/backup-postgres.sh
+      mode: 0755
     - path: /etc/containers/systemd/samba.container
       contents:
         local: quadlets/samba/samba.container

quadlets/gitea/gitea-database.container

@@ -17,6 +17,7 @@ Secret=database-password,type=env,target=POSTGRES_PASSWORD
 StartWithPod=true
 Timezone=Europe/Zurich
 Volume=gitea-database.volume:/var/lib/postgresql
+Volume=/var/mnt/nas/containers/gitea/storage/database-backup:/backup
 
 [Service]
 Restart=always

quadlets/gitea/gitea-database.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/gitea/storage/database
-Driver=local
-Options=bind
-Type=none
 VolumeName=gitea-database

quadlets/immich/immich-database.container

@@ -5,11 +5,11 @@ Description=Immich database container
 AutoUpdate=registry
 ContainerName=immich-database
 Environment=DB_STORAGE_TYPE=HDD
-Environment=POSTGRES_USER=postgres
+Environment=POSTGRES_USER=immich
 Environment=POSTGRES_DB=immich
 Environment=POSTGRES_INTIDB_ARGS=--data-checksums
 Environment=TZ=Europe/Zurich
-HealthCmd=pg_isready -U postgres
+HealthCmd=pg_isready -U immich
 HealthInterval=30s
 HealthTimeout=10s
 HealthRetries=5
@@ -20,6 +20,7 @@ ShmSize=128m
 StartWithPod=true
 Timezone=Europe/Zurich
 Volume=immich-database.volume:/var/lib/postgresql/data
+Volume=/var/mnt/nas/containers/immich/storage/database-backup:/backup
 
 [Service]
 Restart=always

quadlets/immich/immich-database.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/immich/storage/database
-Driver=local
-Options=bind
-Type=none
 VolumeName=immich-database

quadlets/immich/immich-ml-cache.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/immich/storage/ml-cache
-Driver=local
-Options=bind
-Type=none
 VolumeName=immich-ml-cache

quadlets/immich/immich.container

@@ -9,7 +9,7 @@ Requires=immich-redis.container
 AutoUpdate=registry
 ContainerName=immich
 Environment=DB_DATA_LOCATION=./postgres
-Environment=DB_USERNAME=postgres
+Environment=DB_USERNAME=immich
 Environment=DB_DATABASE_NAME=immich
 Environment=IMMICH_VERSION=v2
 Environment=TZ=Europe/Zurich

quadlets/nextcloud/nextcloud-database.container

@@ -4,16 +4,20 @@ Description=Nextcloud database container
 [Container]
 AutoUpdate=registry
 ContainerName=nextcloud-database
-Environment=MYSQL_DATABASE=nextcloud
+Environment=POSTGRES_DB=nextcloud
+Environment=POSTGRES_USER=nextcloud
 Environment=TZ=Europe/Zurich
-Image=docker.io/mariadb:latest
+HealthCmd=pg_isready -U nextcloud
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=5
+Image=docker.io/postgres:18
 Pod=nextcloud.pod
-Secret=database-user,type=env,target=MYSQL_USER
-Secret=database-password,type=env,target=MYSQL_PASSWORD
-Secret=database-root-password,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=database-password,type=env,target=POSTGRES_PASSWORD
 StartWithPod=true
 Timezone=Europe/Zurich
-Volume=nextcloud-database.volume:/var/lib/mysql
+Volume=nextcloud-database.volume:/var/lib/postgresql
+Volume=/var/mnt/nas/containers/nextcloud/storage/database-backup:/backup
 
 [Service]
 Restart=always

quadlets/nextcloud/nextcloud-database.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/nextcloud/storage/database
-Driver=local
-Options=bind
-Type=none
 VolumeName=nextcloud-database

quadlets/nextcloud/nextcloud-redis-data.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/nextcloud/storage/redis-data
-Driver=local
-Options=bind
-Type=none
 VolumeName=nextcloud-redis-data

quadlets/paperless/paperless-database.container

@@ -7,12 +7,17 @@ ContainerName=paperless-database
 Environment=POSTGRES_USER=paperless
 Environment=POSTGRES_DB=paperless
 Environment=TZ=Europe/Zurich
+HealthCmd=pg_isready -U paperless
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=5
 Image=docker.io/library/postgres:18
 Pod=paperless.pod
 Secret=database-password,type=env,target=POSTGRES_PASSWORD
 StartWithPod=true
 Timezone=Europe/Zurich
 Volume=paperless-database.volume:/var/lib/postgresql
+Volume=/var/mnt/nas/containers/paperless/storage/database-backup:/backup
 
 [Service]
 Restart=always

quadlets/paperless/paperless-database.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/paperless/storage/database
-Driver=local
-Options=bind
-Type=none
 VolumeName=paperless-database

quadlets/paperless/paperless-redis-data.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/paperless/storage/redis-data
-Driver=local
-Options=bind
-Type=none
 VolumeName=paperless-redis-data

quadlets/pihole/unbound-redis-cache.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/pihole/storage/unbound-redis-cache
-Driver=local
-Options=bind
-Type=none
 VolumeName=unbound-redis-cache

quadlets/pihole/unbound-redis-data.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/pihole/storage/unbound-redis-data
-Driver=local
-Options=bind
-Type=none
 VolumeName=unbound-redis-data

quadlets/synapse/synapse-database.container

@@ -18,6 +18,7 @@ Secret=database-password,type=env,target=POSTGRES_PASSWORD
 StartWithPod=true
 Timezone=Europe/Zurich
 Volume=synapse-database.volume:/var/lib/postgresql
+Volume=/var/mnt/nas/containers/synapse/storage/database-backup:/backup
 
 [Service]
 Restart=always

quadlets/synapse/synapse-database.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/synapse/storage/database
-Driver=local
-Options=bind
-Type=none
 VolumeName=synapse-database

quadlets/wallabag/wallabag-database.container

@@ -4,17 +4,20 @@ Description=Wallabag database container
 [Container]
 AutoUpdate=registry
 ContainerName=wallabag-database
+Environment=POSTGRES_DB=wallabag
+Environment=POSTGRES_USER=wallabag
 Environment=TZ=Europe/Zurich
-HealthCmd=CMD mysqladmin ping -h localhost
+HealthCmd=pg_isready -U wallabag
 HealthInterval=30s
 HealthTimeout=10s
 HealthRetries=5
-Image=docker.io/mariadb:latest
+Image=docker.io/postgres:18
 Pod=wallabag.pod
-Secret=database-root-password,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=database-password,type=env,target=POSTGRES_PASSWORD
 StartWithPod=true
 Timezone=Europe/Zurich
-Volume=wallabag-database.volume:/var/lib/mysql
+Volume=wallabag-database.volume:/var/lib/postgresql
+Volume=/var/mnt/nas/containers/wallabag/storage/database-backup:/backup
 
 [Service]
 Restart=always

quadlets/wallabag/wallabag-database.volume

@@ -1,7 +1,2 @@
 [Volume]
-Copy=true
-Device=/var/mnt/nas/containers/wallabag/storage/database
-Driver=local
-Options=bind
-Type=none
 VolumeName=wallabag-database

quadlets/wallabag/wallabag.container

@@ -8,12 +8,13 @@ Requires=wallabag-redis.container
 [Container]
 AutoUpdate=registry
 ContainerName=wallabag
-Environment=SYMFONY__ENV__DATABASE_DRIVER=pdo_mysql
+Environment=POSTGRES_DB=wallabag
+Environment=POSTGRES_USER=wallabag
+Environment=SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
 Environment=SYMFONY__ENV__DATABASE_HOST=wallabag-database
-Environment=SYMFONY__ENV__DATABASE_PORT=3306
+Environment=SYMFONY__ENV__DATABASE_PORT=5432
 Environment=SYMFONY__ENV__DATABASE_NAME=wallabag
 Environment=SYMFONY__ENV__DATABASE_USER=wallabag
-Environment=SYMFONY__ENV__DATABASE_CHARSET=utf8mb4
 Environment=SYMFONY__ENV__DATABASE_TABLE_PREFIX=wallabag_
 Environment=SYMFONY__ENV__MAILER_DSN=smtp:127.0.0.1
 Environment=SYMFONY__ENV__FROM_EMAIL=wallabag@gtache.ch
@@ -26,7 +27,7 @@ HealthTimeout=5s
 HealthRetries=5
 Image=docker.io/wallabag/wallabag:latest
 Pod=wallabag.pod
-Secret=database-root-password,type=env,target=MYSQL_ROOT_PASSWORD
+Secret=database-password,type=env,target=POSTGRES_PASSWORD
 Secret=database-password,type=env,target=SYMFONY__ENV__DATABASE_PASSWORD
 StartWithPod=true
 Timezone=Europe/Zurich

services/gitea/backup-database.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backups the Gitea database
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/backup-postgres.sh

services/gitea/backup-database.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for the backup-database service
+
+[Timer]
+OnCalendar=12:00:00
+Persistent=true
+Unit=backup-database.service
+
+[Install]
+WantedBy=timers.target

services/immich/backup-database.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backups the Immich database
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/backup-database.sh

services/immich/backup-database.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for the backup-database service
+
+[Timer]
+OnCalendar=12:00:00
+Persistent=true
+Unit=backup-database.service
+
+[Install]
+WantedBy=timers.target

services/nextcloud/backup-database.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backups the Nextcloud database
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/backup-postgres.sh

services/nextcloud/backup-database.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for the backup-database service
+
+[Timer]
+OnCalendar=12:00:00
+Persistent=true
+Unit=backup-database.service
+
+[Install]
+WantedBy=timers.target

services/paperless/backup-database.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backups the paperless database
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/backup-postgres.sh

services/paperless/backup-database.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for the backup-database service
+
+[Timer]
+OnCalendar=12:00:00
+Persistent=true
+Unit=backup-database.service
+
+[Install]
+WantedBy=timers.target

services/synapse/backup-database.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backups the Synapse database
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/backup-postgres.sh

services/synapse/backup-database.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for the backup-database service
+
+[Timer]
+OnCalendar=12:00:00
+Persistent=true
+Unit=backup-database.service
+
+[Install]
+WantedBy=timers.target

services/wallabag/backup-database.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backups the Wallabag database
+
+[Service]
+Type=oneshot
+ExecStart=/opt/bin/backup-postgres.sh

services/wallabag/backup-database.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for the backup-database service
+
+[Timer]
+OnCalendar=12:00:00
+Persistent=true
+Unit=backup-database.service
+
+[Install]
+WantedBy=timers.target