From 0a17e54d8c2edbd558deb26fca401018302b8613 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 30 Sep 2025 11:54:14 +0200
Subject: [PATCH] Nextcloud: set conservative Docker resource limits and template cleanups
- Add CPU/memory/PID limits for redis, database, proxy, cron, talk, whiteboard
- Keep nextcloud service unchanged except existing settings
- Normalize service_name templating and indentation in docker-compose.yml.j2
- Mount Janus config for Talk via volume
Ref: https://chatgpt.com/share/68db9f41-16ec-800f-9cdf-7530862f89aa
---
roles/web-app-nextcloud/config/main.yml | 26 ++++++++++++++++++-
.../templates/docker-compose.yml.j2 | 21 ++++++++++-----
2 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml
index 1b9f7bb2..1f83472e 100644
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
@@ -31,8 +31,16 @@ docker:
 services:
 redis:
 enabled: true
+ cpus: "0.25"
+ mem_reservation: "64m"
+ mem_limit: "256m"
+ pids_limit: 256
 database:
 enabled: true
+ cpus: "0.75"
+ mem_reservation: "512m"
+ mem_limit: "1.5g"
+ pids_limit: 512
 nextcloud:
 name: "nextcloud"
 image: "nextcloud"
@@ -49,8 +57,16 @@ docker:
 version: "alpine"
 backup:
 no_stop_required: true
+ cpus: "0.5"
+ mem_reservation: "64m"
+ mem_limit: "256m"
+ pids_limit: 512
 cron:
 name: "nextcloud-cron"
+ cpus: "0.25"
+ mem_reservation: "128m"
+ mem_limit: "512m"
+ pids_limit: 256
 talk:
 name: "nextcloud-talk"
 image: "nextcloud/aio-talk"
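Review bot: The limits added in @@ -31,8 +31,16 @@ and in the next hunk (@@ -49,8 +57,16 @@, proxy and cron) leave the `nextcloud:` service itself — the component that processes untrusted requests and uploads — without any `cpus`, `mem_limit` or `pids_limit`, and while the commit message says this is deliberate, nothing in the config records it. An unbounded main container can still exhaust host memory and take the whole stack down, so the new limits only contain the helpers. I would add a comment on the `nextcloud:` entry, e.g. `# intentionally no resource limits yet: sized per host, see commit message`, so the omission reads as a decision rather than an oversight, and consider at least a `mem_limit` for it in a follow-up. Quoting `cpus` as a string is correct here, since an unquoted `1.0` would be read as the float 1 by a YAML loader.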
@@ -61,12 +77,20 @@ docker:
 onboard_enabled: true # Deactivated because standalone turnserver works with Big Blue Button, so I assume that the nextcloud internal turnserver has it's isssues standalone_enabled: false
 network_mode: host
+ cpus: "1.0"
+ mem_reservation: "256m"
+ mem_limit: "1g"
+ pids_limit: 512
 whiteboard:
 name: "nextcloud-whiteboard"
 image: "ghcr.io/nextcloud-releases/whiteboard"
 version: "latest"
 backup:
- no_stop_required: true
+ no_stop_required: true
+ cpus: "0.25"
+ mem_reservation: "128m"
+ mem_limit: "512m"
+ pids_limit: 256
 enabled: "{{ applications | get_app_conf('web-app-nextcloud', 'features.oidc', False) }}" # Activate OIDC for Nextcloud # floavor decides which OICD plugin should be used. # Available options: oidc_login, sociallogin
diff --git a/roles/web-app-nextcloud/templates/docker-compose.yml.j2 b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
index 1ae6882f..4b44eef7 100644
--- a/roles/web-app-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/web-app-nextcloud/templates/docker-compose.yml.j2
@@ -1,6 +1,7 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
- proxy:
+{% set service_name = 'proxy' %}
+ {{ service_name }}:
 image: "{{ NEXTCLOUD_PROXY_IMAGE }}:{{ NEXTCLOUD_PROXY_VERSION }}"
 container_name: "{{ NEXTCLOUD_PROXY_CONTAINER }}"
 logging:
@@ -9,9 +10,9 @@
 ports:
 - "127.0.0.1:{{ NEXTCLOUD_PORT }}:{{ container_port }}"
 volumes:
- - "{{ NEXTCLOUD_HOST_NGINX_SRC }}:/etc/nginx/nginx.conf:ro"
+ - "{{ NEXTCLOUD_HOST_NGINX_SRC }}:/etc/nginx/nginx.conf:ro"
 volumes_from:
- - application
+ - {{ NEXTCLOUD_SERVICE }}
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 networks:
 default:
@@ -21,7 +22,8 @@
 - "host.docker.internal:host-gateway"
 {% endif %}
- application:
+{% set service_name = NEXTCLOUD_SERVICE %}
+ {{ service_name }}:
 image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
 container_name: {{ NEXTCLOUD_CONTAINER }}
 volumes:
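Review bot: In @@ -61,12 +77,20 @@ the removed and re-added `no_stop_required: true` lines are identical in this copy, so the change is whitespace only and its effect cannot be seen here; because the new `cpus`/`mem_reservation`/`mem_limit`/`pids_limit` keys follow it directly, please confirm in the applied file that `no_stop_required` still nests under `backup:` and that the four limit keys sit one level up under `whiteboard:`, mirroring where the same keys are placed for talk just above. If the re-indent pulled `no_stop_required` out of `backup:`, the backup tooling would silently lose that setting, and a YAML parser will not flag it. While this block is being touched, the comment on the talk turn settings could also lose its typos (`it's isssues` → `its issues`).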
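Review bot: `{% set service_name = 'proxy' %}` in @@ -1,6 +1,7 @@ (and the same pattern for `NEXTCLOUD_SERVICE` at @@ -21,7 +22,8 @@ and for talk, whiteboard and cron in the following chunk) only has an effect if an included template reads `service_name`; in the visible lines only talk and whiteboard include `roles/docker-container/templates/base.yml.j2`, while proxy, the app service and cron do not. If that base template is where the `cpus`/`mem_limit`/`pids_limit` values from config/main.yml are rendered — an inference, the template is outside this diff — then the limits this commit configures for proxy and cron would never reach the compose file. Worth confirming by rendering the template and checking the proxy and cron services for a `mem_limit` line. A one-line comment above the first `{% set %}`, e.g. `{# service_name selects the docker.services.<name> block that included templates read #}`, would make the coupling discoverable to the next editor.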
@@ -38,7 +40,8 @@
 ipv4_address: 192.168.102.69
 {% if NEXTCLOUD_TALK_SIGNALING_ENABLED | bool %}
- talk:
+{% set service_name = 'talk' %}
+ {{ service_name }}:
 {% set container_port = NEXTCLOUD_TALK_SIGNALING_PORT %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
@@ -46,6 +49,8 @@
 container_name: {{ NEXTCLOUD_TALK_CONTAINER }}
 init: true
 network_mode: {{ NEXTCLOUD_TALK_NETWORK_MODE }}
+ volumes:
+ - {{ NEXTCLOUD_HOST_JANUS_CONF_PATH }}:/usr/local/etc/janus/janus.jcfg:ro
 {% if NEXTCLOUD_TALK_NETWORK_MODE == 'bridge' and NEXTCLOUD_TALK_TURN_ONBOARD_ENABLED | bool %}
 ports:
 - {{ networks.internet.ip4 }}:{{ NEXTCLOUD_TALK_TURN_ONBOARD_PORT }}:{{ NEXTCLOUD_TALK_TURN_ONBOARD_PORT }}/tcp
@@ -60,7 +65,8 @@
 {% endif %}
 {% if NEXTCLOUD_WHITEBOARD_ENABLED %}
- whiteboard:
+{% set service_name = 'whiteboard' %}
+ {{ service_name }}:
 {% set container_port = NEXTCLOUD_WHITEBOARD_PORT_INTERNAL %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/healthcheck/nc.yml.j2' %}
@@ -73,7 +79,8 @@
 ipv4_address: 192.168.102.71
 {% endif %}
- cron:
+{% set service_name = 'cron' %}
+ {{ service_name }}:
 container_name: "{{ NEXTCLOUD_CRON_CONTAINER }}"
 image: "{{ NEXTCLOUD_IMAGE }}:{{ NEXTCLOUD_VERSION }}"
 restart: {{ DOCKER_RESTART_POLICY }}
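Review bot: The new Janus bind mount in @@ -46,6 +49,8 @@ maps a host path onto a single file (`janus.jcfg`); if `NEXTCLOUD_HOST_JANUS_CONF_PATH` does not exist on the host when compose brings the stack up, Docker creates a directory at that path and the container then fails to start, because a directory cannot be bind-mounted over a file, so the task that writes the config has to run before the compose step — that ordering is not visible in this diff, please confirm it. The entry is also the only unquoted bind-mount string in the file (the proxy writes `- "{{ NEXTCLOUD_HOST_NGINX_SRC }}:/etc/nginx/nginx.conf:ro"`), so for consistency and to survive a path containing spaces or YAML-special characters I would quote it: `- "{{ NEXTCLOUD_HOST_JANUS_CONF_PATH }}:/usr/local/etc/janus/janus.jcfg:ro"`. Since the service includes `roles/docker-container/templates/base.yml.j2` a few lines earlier, also make sure that template does not already emit a `volumes:` key for this service, as a duplicate key would make most YAML loaders silently keep only one of the two lists. `:ro` is the right choice for a config file the container has no reason to write.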