i am not a devops engineer. i appreciate any critique or correction.
Deploying Nextcloud on AWS ECS with Pulumi
This Pulumi programme deploys a highly-available, cost-effective Nextcloud service on AWS Fargate with a serverless Aurora PostgreSQL database.
Deployment Option 1 (GitOps)
The first few items are high-level instructions only. You can follow the instructions from the hyperlinked web pages. They include the best practices as recommended by the authors.
- A Pulumi account. This is for creating a Personal Access Token that is required when provisioning the AWS resources.
- Create a non-root AWS IAM User called
pulumi-user. - Create an IAM User Group called
pulumi-group - Add the
pulumi-userto thepulumi-groupUser Group. - Attach the
IAMFullAccesspolicy topulumi-group. TheIAMFullAccessallows your IAM User to add the remaining required IAM policies to the IAM User Group using the automation script later. - Create an access key for your non-root IAM User.
- On your Pulumi account, go to Personal access tokens and create a token.
- Also create a password for the Aurora Database. You can use a password generator.
- Clone this repository either to your GitLab or GitHub.
- This works either on GitLab CI/CD or GitHub Actions. On GitLab, go to the cloned repository settings > Settings > Variables. On GitHub, go to the cloned repository settings > Secrets and variables > Actions > Secrets.
- Store the credentials from steps 6-8 as
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,PULUMI_ACCESS_TOKEN, andPOSTGRES_PASSWORD. These will be used as environment variables by the deployment script. - On AWS Console, go to EC2 > Load Balancers. The
DNS nameis where you access the Nextcloud Web Interface to establish your administrative credentials.
[!NOTE] The automatic deployment will be triggered if there are changes made on the
main.go,.gitlab-ci.yml, or theci.ymlfile upon doing agit push. Onmain.go, you can adjust the specifications of the resources to be manifested. Notable ones are in lines 327, 328, 571, 572, 602, 603, 640.
Deployment Option 2 (Manual)
- Install Go, AWS CLI, and Pulumi.
- Follow steps 1-8 above.
- Add the required IAM policies to the IAM User Group to allow Pulumi to interact with AWS resources:
printf '%s\n' "arn:aws:iam::aws:policy/AmazonS3FullAccess" "arn:aws:iam::aws:policy/AmazonECS_FullAccess" "arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess" "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess" "arn:aws:iam::aws:policy/AmazonEC2FullAccess" "arn:aws:iam::aws:policy/AmazonVPCFullAccess" "arn:aws:iam::aws:policy/SecretsManagerReadWrite" "arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess" "arn:aws:iam::aws:policy/AmazonRDSFullAccess" | xargs -I {} aws iam attach-group-policy --group-name pulumi-group --policy-arn {}
- Add the environment variables.
export PULUMI_ACCESS_TOKEN="value" && export AWS_ACCESS_KEY_ID="value" && export AWS_SECRET_ACCESS_KEY="value" && export POSTGRES_PASSWORD="value"
- Clone the repository locally and deploy.
mkdir pulumi-aws && \
cd pulumi-aws && \
pulumi new aws-go && \
rm * && \
git clone https://gitlab.com/joevizcara/pulumi-aws.git . && \
pulumi up
Deprovisioning
pulumi destroy --yes
Local Testing
The Pulumi.aws-go-dev.yaml file contains a code block to use with Localstack for local testing.
Features
- Subscription-free application - Nextcloud is a free and open-source cloud storage and file-sharing platform.
- Serverless management - using Fargate and Aurora Serverless reduces infrastructure management.
- Reduced cost - can be scaled and as highly available as an AWS EKS cluster, but with cost lower per-hour.
- Go coding language - a popular language for cloud-native applications, eliminating syntax barriers for engineers.
Diagramme
Not that cheap. Both Aurora and Fargate can be pricy, so using this for personal cloud, not as business solution, is not only a overkill, but also expensive tool, that you will not fully reuse for other services. I think, in personal selfhosted area, we agree to not use that overkilled architecture (but for typical cloud deployment it is fairly simple) to cut costs massively.
Oh yeah, I am aware. Mostly here I would question the idea to have multi-AZ redundancy and using a manage service for DB (which indeed is expensive). All of this when a 5$ VPS could host the same (maybe still using s3 for storage) and accept the few hours downtime in the rare event your VPS explodes and you need to restore it from a backup.
So from my PoV this is absolutely overkill but I concede that it depends a lot on the requirements. I can’t ever imagine having requirements so tight that need such infra to run (in fact, I think not even most businesses have these requirements, I have written on the topic at https://loudwhisper.me/blog/hating-clouds/) for my personal stuff…
Yes, just like I said, when running it for personal use, going with SLA 99,(9) is too expensive. As far as long we say about serverless solutions, they can be great and helpful (I can say that from both SysOps and DevOps perspective that work on many projects), but I don’t think they should be used in homelab form, as they do not provide that much customisations, and homelabs are the place where we want to experiment and have some fun, not just deploy something in a way that will “just work”.
Plus, at this point why not using directly managed Nextcloud (or alternatives)… If anyway you use a managed storage, runtime and database, in a vendor lock…
I would not go with managed NC, because you can’t control nothing and provider raise prices over and over. Even with serverless Nextcloud deployment, the architecture is still like LEGO, and if something will go bad or price will be too high, then you can exchange those LEGO bricks, ie. migrate from Fargate to EC2 w/ ECS, migrate from Aurora to RDS Postgres or Postgres installed on EC2 and so one.