Redid networking

modules/services/nextcloud.nix

@@ -58,7 +58,9 @@ in
     # -----------------------------------------------------------------------
     virtualisation.oci-containers.containers.nextcloud-postgres = {
       image = cfg.postgresImage;
-      # No ports mapping — --network=host shares the host network stack directly.
+      # Exposed on localhost for debugging; nextcloud reaches it via the
+      # container name "nextcloud-postgres" on the homey network.
+      ports = [ "127.0.0.1:${toString cfg.postgresPort}:5432" ];
 
       environment = {
         POSTGRES_DB   = "nextcloud_db";
@@ -71,7 +73,7 @@ in
       ];
 
       extraOptions = [
-        "--network=host"
+        "--network=homey"
         "--env-file=/run/nc-postgres-secrets.env"
       ];
     };
@@ -91,8 +93,8 @@ in
         ];
       };
       postStop = "rm -f /run/nc-postgres-secrets.env";
-      after    = lib.mkAfter  [ "mnt-data.mount" ];
-      requires = lib.mkAfter  [ "mnt-data.mount" ];
+      after    = lib.mkAfter  [ "mnt-data.mount" "podman-homey-network.service" ];
+      requires = lib.mkAfter  [ "mnt-data.mount" "podman-homey-network.service" ];
     };
 
     # -----------------------------------------------------------------------
@@ -100,20 +102,22 @@ in
     # -----------------------------------------------------------------------
     virtualisation.oci-containers.containers.nextcloud = {
       image = cfg.image;
-      # No ports mapping — --network=host shares the host network stack directly.
+      # Apache inside the container listens on port 80; map it to cfg.port on
+      # the host so Caddy can reach it. Postgres is reachable by container name.
+      ports = [ "127.0.0.1:${toString cfg.port}:80" ];
 
       environment = {
-        POSTGRES_HOST             = "127.0.0.1";
+        POSTGRES_HOST             = "nextcloud-postgres";
         POSTGRES_DB               = "nextcloud_db";
         POSTGRES_USER             = "postgres";
         NEXTCLOUD_ADMIN_USER      = "admin";
         NEXTCLOUD_TRUSTED_DOMAINS = "nextcloud.${domain}";
         OVERWRITEPROTOCOL         = "https";
         OVERWRITECLIURL           = "https://nextcloud.${domain}";
-        # With --network=host, port mappings are ignored and the container's
-        # Apache binds directly on the host. Force it onto port 8080 so Caddy
-        # can own 80/443.
-        APACHE_HTTP_PORT_NUMBER   = toString cfg.port;
+        OVERWRITEHOST             = "nextcloud.${domain}";
+        # Trust the reverse proxy (Caddy on the host reaches the container
+        # via the podman bridge; cover all RFC-1918 ranges to be robust).
+        TRUSTED_PROXIES           = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.1 ::1";
         # Passwords injected via env file
       };
 
@@ -122,7 +126,7 @@ in
       ];
 
       extraOptions = [
-        "--network=host"
+        "--network=homey"
         "--env-file=/run/nc-secrets.env"
       ];
     };
@@ -143,8 +147,8 @@ in
         ];
       };
       postStop = "rm -f /run/nc-secrets.env";
-      after    = lib.mkAfter  [ "mnt-data.mount" "podman-nextcloud-postgres.service" ];
-      requires = lib.mkAfter  [ "mnt-data.mount" "podman-nextcloud-postgres.service" ];
+      after    = lib.mkAfter  [ "mnt-data.mount" "podman-nextcloud-postgres.service" "podman-homey-network.service" ];
+      requires = lib.mkAfter  [ "mnt-data.mount" "podman-nextcloud-postgres.service" "podman-homey-network.service" ];
     };
   };
 }