Unfortunately when I go to the address, all I get is the error:
Configuration was not read or initialized correctly, not overwriting /var/lib/nextcloud/config/config.php
I too tried it without the container and it worked after I changed the permissions for the agenix secret. Unfortunately, when Nextcloud runs in a container, I can’t set the permissions with agenix as the nextcloud user and group don’t exist.
How can I change this declaratively? sudo chown inside the container didn’t work…
chown: changing ownership of '/run/agenix/nextcloud': Read-only file system
I am trying to replicate your config but it’s not working for me. I think the problem is the tailscale serve. Did you do anything extra for it to work?
The solution was to first do tailscale cert but the activation script was still not working so I turned it into a systemd service. I also followed the other approach of getting secrets into the container mentioned in that discussion by also having the nextcloud user outside the container. I’m not sure yet which approach I like better.
I am now finished with my transition to the container setup. It took me very long but I am very happy with it.
I also found a better method of managing the secrets. I pass the individual root-owned secret files into the container and then use systemd tmpfiles rules to change the permissions there.
You shouldn’t need to configure anything extra for nginx. At least I didn’t need to, just tailscale serve.
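The secret-passing arrangement described above (host decrypts with agenix, container re-owns the file with a tmpfiles rule) as an added example; this is not the poster's configuration or part of the thread. The container name, the secret name `nextcloud-admin-pass`, the mount point `/run/host-secrets`, the copy target `/run/nextcloud-secrets` and the hostname are assumptions; `age.secrets.<name>.path` is the path agenix writes the decrypted file to on the host.

```nix
# Added example, not from the original thread. Host-side NixOS config:
# agenix decrypts a root-owned secret on the host, it is bind-mounted
# read-only into the container, and a tmpfiles rule inside the container
# copies it to a private path owned by the nextcloud user, who does not
# exist on the host. Names and paths are assumptions.
{ config, ... }:
{
  # Assumed secret; the .age file lives next to this configuration.
  age.secrets.nextcloud-admin-pass.file = ./secrets/nextcloud-admin-pass.age;

  containers.nextcloud = {
    autoStart = true;

    # The host stays the only place that knows about age keys. The
    # decrypted file is exposed read-only, so chown inside the container
    # would fail with "Read-only file system" on this path.
    bindMounts."/run/host-secrets/nextcloud-admin-pass" = {
      hostPath = config.age.secrets.nextcloud-admin-pass.path;
      isReadOnly = true;
    };

    config = { ... }: {
      # /run is tmpfs inside the container, so these rules re-run on every
      # container start. "C" copies only when the target is absent; "z"
      # then fixes ownership and mode of the copy, never of the read-only
      # mount.
      systemd.tmpfiles.rules = [
        "d /run/nextcloud-secrets 0750 root nextcloud - -"
        "C /run/nextcloud-secrets/admin-pass 0440 nextcloud nextcloud - /run/host-secrets/nextcloud-admin-pass"
        "z /run/nextcloud-secrets/admin-pass 0440 nextcloud nextcloud - -"
      ];

      services.nextcloud = {
        enable = true;
        hostName = "nextcloud.example.com";   # assumed hostname
        # Nextcloud's setup unit reads the copied, nextcloud-owned file.
        config.adminpassFile = "/run/nextcloud-secrets/admin-pass";
      };
    };
  };
}
```

Because the bind mount is read-only, the host file's ownership is never touched; only the copy under `/run/nextcloud-secrets` gets the container-local `nextcloud` uid, which is the point of keeping the user out of the host's passwd.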
Why is this better? I actually like the other approach, seems easy to read at least.
I didn’t mean your approach, but my old one. I didn’t like the user hackery; tmpfiles rules are a much more elegant approach.
Passing the ssh key into the container is a fine method, but I decided for myself that I want the container as minimal as possible, so without any sops/age stuff. All that secret decryption stuff should get handled by the host.
I managed to isolate the container network completely from the host by following this guide. My container now shows up as a completely different host on my router interface. This should fix that issue completely but I am still in the process of setting up a second container to test it.
A short update: The problem with the macvlan method I used is that it only allows for tailscale userspace-networking which prevents reaching other tailscale devices from inside the container. This may not be a deal breaker for everyone but I decided to switch to the bridge networking method described in the wiki which doesn’t have this issue.
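The bridge-networking setup the last post moves to, as an added example that is not the poster's configuration: the container gets its own interface on a host bridge (so it appears as a separate host on the LAN) and is given access to `/dev/net/tun`, which is what lets tailscaled inside the container use kernel networking rather than userspace networking. The bridge name `br0`, the physical interface `eth0`, the addresses and the container name are assumptions.

```nix
# Added example, not from the original thread. Host-side NixOS config for
# a container on a host bridge instead of macvlan. Interface names and
# addresses are assumptions.
{ ... }:
{
  # Move the host's physical NIC behind a bridge; the host itself then
  # gets its address on br0, not on eth0.
  networking.bridges.br0.interfaces = [ "eth0" ];
  networking.interfaces.br0.useDHCP = true;

  containers.nextcloud = {
    autoStart = true;

    # Own network namespace, attached to the bridge: the container shows
    # up on the LAN with its own MAC and IP.
    privateNetwork = true;
    hostBridge = "br0";
    localAddress = "192.168.1.50/24";   # assumed LAN address

    # Pass /dev/net/tun through so tailscaled can create its tun device
    # and route to other tailnet peers in kernel mode.
    enableTun = true;

    config = { ... }: {
      networking.defaultGateway = "192.168.1.1";   # assumed router
      networking.nameservers = [ "192.168.1.1" ];
      # Tailscale's own forwarding needs the host-side firewall rules
      # it generates; the container manages its own firewall here.
      networking.firewall.enable = true;

      services.tailscale.enable = true;
    };
  };
}
```

With `enableTun = true` and a private network namespace, `tailscale status` inside the container should list peers as reachable without the userspace-networking mode the macvlan setup forced; without the tun device tailscaled falls back to userspace networking, which is the limitation the post describes.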