Fix permission issues

README.md

@@ -142,23 +142,26 @@ not being accessed/modified during this process. It is easy to access `yggdrasil
    ```sh
    /usr/local/sbin/restic-batch --config-dir /etc/restic-batch.d restore
    ```
-   Note that permissions and ownership are restored as a second step once all the content is
+3. Once restore has completed, `chown -R <user>:<user>` all the restored directories in
-   restored. Therefore, the files will list `root` as owner during the restoration.
+   `/var/lib/<hostname>/data`. Restic restores the UID information of the host from which the backup
-3. Start all the pod services with:
+   was performed which may not match that of the new target machine. Note that permissions and
+   ownership are restored as a second step once all the content is restored. Therefore, the files
+   will list `root` as owner during the restoration.
+4. Start all the pod services with:
    ```sh
    ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_start.yml
    ```
    Give them some time to download all the images and start.
-4. Once the CPU returns to idling check the state of all the pod services and their `veth`
+5. Once the CPU returns to idling check the state of all the pod services and their `veth`
    interfaces. If necessary restart the affected pod. Sometimes they fail to start (presumably due
    to issues related to limited CPU and RAM).
-5. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
+6. Boot into a test VM. Ideally, one installed onto a virtual disk since the live system might not
    have enough space. A VM is used to make sure that none of the services on the host workstation
    connect to `baldur` by accident.
-6. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
+7. Modify `/etc/hosts` in the VM to point at `baldur` for all relevant domains.
-7. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
+8. Test each service manually one by one. Use the Flagfox add-on to verify that you are indeed
    connecting to `baldur`.
-8. Stop all the pod services with:
+9. Stop all the pod services with:
    ```sh
    ansible-playbook --vault-id @vault-keyring-client.py -i inventory/baldur_production playbooks/services_stop.yml
    ```

playbooks/roles/services/deploy/cloud/templates/systemd/container-cloud-chown.service

@@ -15,12 +15,14 @@ ExecStart=/usr/bin/podman run \
                           --cgroups=no-conmon \
                           --pod-id-file %t/pod-cloud.pod-id \
                           --replace \
+                          -v {{ services_data_directory }}/pod-cloud/nextcloud/_data:/var/www/html \
+                          -v {{ services_data_directory }}/pod-cloud/data/_data:/var/www/html/data \
                           -v {{ services_data_directory }}/pod-cloud/external/_data:/media/external \
                           --user=0 \
                           --entrypoint="/bin/bash" \
                           --name=pod-cloud-chown \
                           docker.io/library/nextcloud:{{ services_deploy_versions.cloud.nextcloud }} \
-                          -c "chown -R www-data:www-data /media/external"
+                          -c "chown -R www-data:www-data /var/www/html /media/external"
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-cloud-chown.ctr-id
 Type=oneshot