“Operating Community Nextcloud Instances with Ansible, AlmaLinux, SELinux and a Podman-based Collabora Stack”
you already know this started as a totally reasonable idea. (Narrator voice: It was not a totally reasonable idea.)
The Original Plan™: Leave Debian, Embrace SELinux
At some point I thought: “Hey, why not move from Debian to AlmaLinux?”
Main reason? SELinux.
Because nothing says “fun weekend project” like debugging security contexts at 2 AM.
During that phase I figured out how to integrate Collabora via containers, and it felt way more stable and predictable.
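The post does not publish its roles, so here is an added example of that Phase 1 piece: Collabora CODE as a rootful Podman container on AlmaLinux with SELinux enforcing, bound to loopback and reachable only through the host's reverse proxy. This is my illustration, not the author's code. The host group, the Nextcloud hostname and the vault variable `collabora_admin_password` are assumptions; the container image, environment variables and the SELinux boolean are the documented ones.

```yaml
# Added example (not from the post's unpublished roles): Collabora CODE via
# Podman, TLS terminated by the host proxy, SELinux kept enforcing.
# Assumed: host group "nextcloud", vhost cloud.example.org, vault variable
# collabora_admin_password.
- name: Collabora CODE behind the host reverse proxy
  hosts: nextcloud
  become: true
  vars:
    nextcloud_host: cloud.example.org          # assumed Nextcloud vhost
    collabora_image: docker.io/collabora/code:latest
  tasks:
    - name: Refuse to continue unless SELinux is actually enforcing
      ansible.builtin.assert:
        that:
          - ansible_facts.selinux.status == 'enabled'
          - ansible_facts.selinux.mode == 'enforcing'
        fail_msg: "SELinux is not enforcing on {{ inventory_hostname }}"

    - name: Let the confined web server (httpd_t) open outbound sockets
      # Without this boolean, nginx/httpd on the host gets EACCES when proxying
      # to 127.0.0.1:9980, and Nextcloud's PHP workers cannot reach Collabora
      # either; that is the classic 2 AM "it works with setenforce 0" symptom.
      ansible.posix.seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true

    - name: Pull the Collabora image
      containers.podman.podman_image:
        name: "{{ collabora_image }}"

    - name: Run Collabora, managed by systemd, loopback only
      containers.podman.podman_container:
        name: collabora
        image: "{{ collabora_image }}"
        state: started
        restart_policy: always
        # Never publish 9980 on a public interface; the proxy is the only client.
        ports:
          - "127.0.0.1:9980:9980"
        env:
          # Collabora's docs write the domain with escaped dots (it is a regex);
          # the plain form also matches, just slightly more loosely.
          aliasgroup1: "https://{{ nextcloud_host }}:443"
          # The proxy terminates TLS, so Collabora speaks plain HTTP internally.
          extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
          username: admin
          password: "{{ collabora_admin_password }}"   # from Ansible Vault (assumed)
        generate_systemd:
          path: /etc/systemd/system
          restart_policy: always
```

With SELinux enforcing, rootful Podman labels the container processes `container_t`, so a compromised Collabora process is confined by policy as well as by the loopback-only binding; the only policy change needed on the host side is the `httpd_can_network_connect` boolean for the proxy and the PHP workers.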
Phase 2: “Let’s Just Add Kubernetes” 🤦‍♂️
Naturally, this escalated.
“I should probably install Kubernetes.”
Enter K3s: lightweight, simple, and just dangerous enough to deploy on a VPS.
The current idea:
- Run core services (MariaDB, Redis) natively
- Run applications inside K3s
- Convince myself this is “architecture” and not curiosity
Ansible: From Tool to Obsession
What used to be “just a playbook” is now basically a small framework.
Two main playbooks:
- Nextcloud
- WordPress
Shared components everywhere:
- Repos
- fail2ban
- MariaDB
- K3s
- Firewall rules
Current status: ~16 roles.
Emotional status: also 16 roles.
AI Pair Programming is Real 🤖
Using Claude AI inside VS Code feels like:
“Senior DevSecOps engineer joins your session.”
- Requests command outputs
- Debugs errors
- Refactors playbooks
- Actually explains problems
Slightly terrifying. Extremely useful.
Now With Monitoring 📊
- Prometheus
- Grafana
I can now watch my system fail in real time, but beautifully.
🧠 Deep Dive: From “Simple Blog” to Full Infrastructure
Running a WordPress blog on a VPS sounds trivial ā until you start thinking about:
- TLS certificates
- Firewalls
- Updates
- Security monitoring
So naturally, I automated everything.
Infrastructure as Code (a.k.a. YAML everywhere)
The entire setup is defined in Ansible:
ansible-playbook blog.yml --limit meinserver
Reproducible. Idempotent. Slightly addictive.
Architecture: K3s vs Host
Inside K3s:
- WordPress (PHP-FPM)
- Nginx (Sidecar)
- MariaDB
- ingress-nginx
- cert-manager (Let’s Encrypt)
- WordPress CronJob
On the Host:
- Prometheus
- Grafana
- Node Exporter
- fail2ban
- rkhunter
- auditd
- msmtp
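As an added example of the "WordPress (PHP-FPM) + Nginx (Sidecar)" pod from the list above, here is a K3s manifest I would write for that layout. It is not the author's code. The namespace `blog`, the PVC `wordpress-data`, the Secret `wordpress-db` and the MariaDB service name `mariadb.blog.svc` are assumptions; the images are the official `wordpress:6-fpm` and `nginxinc/nginx-unprivileged` tags. PHP is reached only over the pod's loopback, nginx runs unprivileged on a read-only root filesystem, and the upload tree can never execute PHP.

```yaml
# Added example, not from the post: WordPress PHP-FPM + unprivileged nginx
# sidecar on K3s. Assumed names: namespace blog, PVC wordpress-data,
# Secret wordpress-db, service mariadb.blog.svc.
apiVersion: v1
kind: ConfigMap
metadata: { name: wp-nginx, namespace: blog }
data:
  default.conf: |
    server {
      listen 8080;
      root /var/www/html;
      index index.php;
      location / { try_files $uri $uri/ /index.php?$args; }
      # Regex locations match in order: deny rules must precede the PHP handler.
      location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
      location ~ /\. { deny all; }            # .htaccess, .git, .env
      location ~ \.php$ {
        # PHP goes to the sidecar over the pod's own loopback, never off-pod.
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: wordpress, namespace: blog }
spec:
  replicas: 1
  selector: { matchLabels: { app: wordpress } }
  template:
    metadata: { labels: { app: wordpress } }
    spec:
      securityContext:
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: php-fpm
          image: docker.io/library/wordpress:6-fpm
          env:
            - { name: WORDPRESS_DB_HOST, value: mariadb.blog.svc }
            - { name: WORDPRESS_DB_NAME, value: wordpress }
            - { name: WORDPRESS_DB_USER, value: wordpress }   # not root
            - name: WORDPRESS_DB_PASSWORD
              valueFrom: { secretKeyRef: { name: wordpress-db, key: password } }
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              # Assumed minimum for the official entrypoint (tar --owner www-data)
              # and for php-fpm to switch to www-data; re-check after image updates.
              add: ["CHOWN", "FOWNER", "DAC_OVERRIDE", "SETUID", "SETGID"]
          volumeMounts:
            - { name: html, mountPath: /var/www/html }
        - name: nginx
          image: docker.io/nginxinc/nginx-unprivileged:1.27
          ports: [{ containerPort: 8080 }]
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true   # only /tmp is writable (pid, temp files)
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - { name: html, mountPath: /var/www/html, readOnly: true }
            - { name: nginx-conf, mountPath: /etc/nginx/conf.d }
            - { name: tmp, mountPath: /tmp }
      volumes:
        - { name: html, persistentVolumeClaim: { claimName: wordpress-data } }
        - { name: nginx-conf, configMap: { name: wp-nginx } }
        - { name: tmp, emptyDir: {} }
---
apiVersion: v1
kind: Service
metadata: { name: wordpress, namespace: blog }
spec:
  selector: { app: wordpress }
  ports: [{ port: 8080, targetPort: 8080 }]
```

The sidecar never exposes port 9000 outside the pod, so even if the WordPress code path is compromised there is no network-reachable FastCGI socket; the `replicas: 1` is deliberate, because a ReadWriteOnce PVC and WordPress's on-disk plugin state do not scale out without shared storage.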
The Playbook Flow
- Base System
- SELinux
- K3s
- Deployment
- Monitoring
Security: Defense in Depth
- iptables firewall
- fail2ban
- Rate limiting
- HTTPS via Let’s Encrypt
- SELinux enforcing
- auditd
- Auto security updates
- rkhunter scans
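Two of the items in that list live inside the cluster rather than on the host, so as an added example (mine, not the author's) here is what "HTTPS via Let’s Encrypt" and "Rate limiting" look like on the ingress-nginx and cert-manager the post lists, plus a NetworkPolicy that keeps MariaDB reachable only from the WordPress pods. The hostname `blog.example.org`, the contact e-mail, the namespace `blog` and the pod labels `app: wordpress` / `app: mariadb` are assumptions; it also assumes ingress-nginx is the active ingress class rather than K3s's default Traefik.

```yaml
# Added example, not from the post. Assumed: namespace blog, host
# blog.example.org, Service wordpress:8080, pods labelled app=wordpress and
# app=mariadb, ingress class "nginx" (ingress-nginx, not Traefik).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata: { name: letsencrypt-prod }
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.org                   # assumed contact address
    privateKeySecretRef: { name: letsencrypt-prod-account-key }
    solvers:
      - http01:
          ingress: { ingressClassName: nginx }
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blog
  namespace: blog
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Per-client-IP limits enforced by ingress-nginx: 10 req/s sustained,
    # burst = limit-rps * limit-burst-multiplier, and at most 20 open connections.
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "3"
    nginx.ingress.kubernetes.io/limit-connections: "20"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [blog.example.org]
      secretName: blog-tls                      # cert-manager fills this in
  rules:
    - host: blog.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: wordpress, port: { number: 8080 } }
---
# Defense in depth inside the cluster: only WordPress pods may open 3306 on
# MariaDB. K3s ships a network-policy controller, so this is enforced unless
# the cluster was started with --disable-network-policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: mariadb-from-wordpress-only, namespace: blog }
spec:
  podSelector: { matchLabels: { app: mariadb } }
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: { matchLabels: { app: wordpress } }
      ports:
        - { protocol: TCP, port: 3306 }
```

Two checks worth doing before trusting this: the rate limits and any fail2ban jail key on the client address, so confirm that the ingress-nginx access log shows the real client IP rather than a node or load-balancer address once traffic passes through K3s's service layer; and note that those access logs are container logs, not files under `/var/log` on the host, so the host fail2ban listed above does not see them unless they are shipped out of the pod.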
Final Thoughts: Work in Progress 🚧
What started as:
“Let’s try AlmaLinux”
Became:
- Kubernetes
- Containers
- Ansible framework
- Monitoring stack
- AI-assisted ops
At this point, I’m basically running a tiny cloud on a VPS.
But: I’m still in the middle of refining, testing and breaking things again.
The Ansible code is not published yet, mainly because I’m still tweaking roles, cleaning things up, and making sure it doesn’t completely explode on a fresh system.
(a.k.a. “one more quick change”, famous last words)
I plan to publish the full playbook on GitHub in the next few days, once I’m confident that it’s somewhat reusable and not just tailored chaos.
The bigger picture behind all of this: I’m considering migrating the existing Nextcloud instances for two local clubs into this architecture.
But right now, that’s still a bit too risky: moving production data plus introducing K3s at the same time feels like a great way to ruin a weekend (or several).
The technology is still relatively new territory for me, and I’d like to gain more real-world experience before trusting it with actual user data.
Maybe that’s a project for autumn 🍂
Stay tuned

