---
# Random secret for the Nextcloud admin account; the StatefulSet reads it
# back as NEXTCLOUD_ADMIN_PASSWORD from the key "password".
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: nextcloud-admin-secrets
spec:
  mapping:
    - key: 'password'
      value: '%(plaintext)s'
  # size presumably controls the length of the generated value — confirm
  # against the operator's documentation.
  size: 32
---
# Redis-compatible backend for Nextcloud. The StatefulSet reads REDIS_HOST
# and REDIS_HOST_PASSWORD from keydb-nextcloud-owner-secrets, presumably
# generated by the operator from this claim — confirm.
apiVersion: codemowers.cloud/v1beta1
kind: KeydbClaim
metadata:
  name: nextcloud
spec:
  capacity: '100Mi'
  # "ephemeral" is taken to mean no persistence; fine for cache data — confirm.
  class: ephemeral
---
# Registers Nextcloud as an OIDC relying party. The StatefulSet injects the
# resulting credentials from oidc-client-nextcloud-owner-secrets as OIDC_*
# env vars (secret name pattern presumed from the claim name — confirm).
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: nextcloud
spec:
  displayName: 'Nextcloud'
  uri: 'https://nextcloud.k-space.ee'
  # Callback of the oidc_login app.
  redirectUris:
    - 'https://nextcloud.k-space.ee/apps/oidc_login/oidc'
  # Group restriction, presumably enforced at the IdP; the app side has
  # oidc_login_filter_allowed_values => null in the ConfigMap.
  allowedGroups:
    - 'k-space:floor'
  responseTypes:
    - 'code'
  grantTypes:
    - 'authorization_code'
    - 'refresh_token'
  availableScopes:
    - 'openid'
    - 'profile'
  # Off to match oidc_login_code_challenge_method => '' in the ConfigMap;
  # turning PKCE on (S256) means changing both sides together.
  pkce: false
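---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
spec:
  serviceName: nextcloud
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
    spec:
      # Keeps the legacy <SERVICE>_HOST/_PORT env vars out of the container
      # so the namespace's service catalogue is not exposed to the app.
      enableServiceLinks: false
      initContainers:
        # Copies the image's stock PHP config into an emptyDir that the main
        # container mounts over /usr/local/etc/php/conf.d/.
        - name: setup-php-config
          # Pinned by digest rather than tag; keep both containers on the
          # same digest when bumping.
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          command: ["/bin/sh", "-c"]
          args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
          volumeMounts:
            - mountPath: /config
              name: php-config
      containers:
        - name: nextcloud
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          # NOTE(review): this probe is not a health check — it runs the
          # Nextcloud background jobs (cron.php) every 5 minutes. A failing
          # or slow (> 30 s) cron run marks the pod unready and removes it
          # from the Service. A sidecar or CronJob would decouple the two;
          # confirm before changing.
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/php
                - /var/www/html/cron.php
            initialDelaySeconds: 1
            periodSeconds: 300
            timeoutSeconds: 30
          env:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_SECRET
            # Injected but not referenced by oidc.config.php in this file.
            - name: OIDC_IDP_AUTH_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_IDP_AUTH_URI
            - name: OIDC_IDP_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_IDP_URI
            - name: UPLOAD_LIMIT
              value: 10G
            - name: MYSQL_USER
              value: kspace_nextcloud
            - name: MYSQL_DATABASE
              value: kspace_nextcloud
            - name: MYSQL_HOST
              value: mariadb.infra.k-space.ee
            - name: NEXTCLOUD_ADMIN_USER
              value: admin
            # For reference only: Nextcloud takes this at installation time
            # and later changes to the env var are not applied.
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: nextcloud.k-space.ee nextcloud
            # NOTE(review): SSL is off and the endpoint is a bare IP, so the
            # access key, OBJECTSTORE_S3_SECRET and all object traffic travel
            # in clear text. Acceptable only if the path to this host is a
            # trusted network; prefer OBJECTSTORE_S3_SSL "true" with a
            # resolvable hostname.
            - name: OBJECTSTORE_S3_HOST
              value: 172.20.9.2
            - name: OBJECTSTORE_S3_PORT
              value: "9000"
            - name: OBJECTSTORE_S3_BUCKET
              value: kspace-nextcloud
            - name: OBJECTSTORE_S3_SSL
              value: "false"
            - name: OBJECTSTORE_S3_KEY
              value: kspace-nextcloud
            - name: OBJECTSTORE_S3_REGION
              value: us-west-1
            - name: OBJECTSTORE_S3_USEPATH_STYLE
              value: "true"
            # NOTE(review): 0.0.0.0/0 makes Nextcloud accept X-Forwarded-For
            # from any source, so the client IP it records and rate-limits on
            # can be set by whoever can reach the pod. Narrow this to the
            # ingress/pod CIDR (e.g. "<INGRESS_CIDR placeholder>") once known.
            - name: TRUSTED_PROXIES
              value: 0.0.0.0/0
            - name: MAIL_FROM_ADDRESS
              value: nextcloud@k-space.ee
            - name: SMTP_HOST
              value: mail.k-space.ee
            - name: MAIL_DOMAIN
              value: k-space.ee
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin-secrets
                  key: password
            - name: REDIS_HOST
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_MASTER
            - name: REDIS_HOST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_PASSWORD
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: MYSQL_PASSWORD
            - name: OBJECTSTORE_S3_SECRET
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: OBJECTSTORE_S3_SECRET
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - mountPath: /var/www/html
              name: data
            # subPath mounts do not pick up ConfigMap updates; roll the pod
            # after editing nextcloud-config.
            - mountPath: /var/www/html/config/oidc.config.php
              name: config
              subPath: oidc.config.php
            - mountPath: /var/www/html/config/override.config.php
              name: config
              subPath: override.config.php
            - name: php-config
              mountPath: /usr/local/etc/php/conf.d/
          securityContext:
            allowPrivilegeEscalation: false
            # All capabilities dropped. NET_BIND_SERVICE is not re-added: the
            # process runs as uid 1000 (pod securityContext), where an added
            # capability does not become effective under the usual runtimes,
            # and port 80 is bindable anyway via the
            # net.ipv4.ip_unprivileged_port_start sysctl below.
            capabilities:
              drop:
                - ALL
      volumes:
        - name: php-config
          emptyDir: {}
        - name: config
          projected:
            sources:
              - configMap:
                  name: nextcloud-config
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # Refuses to start as uid 0 should runAsUser ever be dropped.
        runAsNonRoot: true
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        seccompProfile:
          type: RuntimeDefault
        # Lets the non-root Apache bind port 80 without any capability.
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "0"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: longhorn
        resources:
          requests:
            storage: 1Gi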
---
# Cluster-internal entry point for the StatefulSet; the Ingress points here.
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
spec:
  selector:
    app.kubernetes.io/name: nextcloud
  ports:
    # targetPort refers to the container port named "http" (80).
    - protocol: TCP
      port: 80
      targetPort: http
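---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    # Traefik resolves <namespace>-<middleware>@kubernetescrd, so the
    # "nextcloud-" prefix presumes this manifest is applied in namespace
    # "nextcloud" (no namespace is set here). The middleware rewrites
    # external /cron.php requests; see the Middleware document.
    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
spec:
  # Sequences indented to match the rest of the file.
  rules:
    - host: nextcloud.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: nextcloud
                port:
                  number: 80
  tls:
    - hosts:
        - "*.k-space.ee"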
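---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-block-external-cron
spec:
  # Rewrites any request whose path contains /cron.php to the site root so
  # the web cron endpoint is not reachable through the ingress (the
  # StatefulSet's probe runs cron.php inside the pod instead). Left
  # unanchored so a doubled leading slash still matches; the dot is escaped
  # so only the literal file name matches. The replacement applies to the
  # matched substring only.
  replacePathRegex:
    regex: '/cron\.php'
    replacement: /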
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
# Both files are mounted into /var/www/html/config/ via subPath by the
# StatefulSet; Nextcloud merges every *.config.php in that directory into
# its configuration. Indentation inside the block scalars is part of the
# value — do not re-indent.
data:
  # Small overrides: no skeleton files for new users, "EE" as the default
  # phone region.
  override.config.php: |-
    <?php
    $CONFIG = array (
        'skeletondirectory' => '',
        'default_phone_region' => 'EE',
    );
  # Settings for the oidc_login app. Provider and credentials come from the
  # env vars the StatefulSet injects (OIDC_IDP_URI, OIDC_CLIENT_ID,
  # OIDC_CLIENT_SECRET); OIDC_IDP_AUTH_URI is injected but not read here.
  # The password form is hidden and password reset disabled, so the local
  # admin account (NEXTCLOUD_ADMIN_PASSWORD) is presumably only reachable
  # via the alt login page assets/login.php — confirm.
  # NOTE(review): oidc_login_code_challenge_method is '' (no PKCE), matching
  # pkce: false on the OIDCClient; switching to 'S256' needs both changed.
  # oidc_login_tls_verify is true and should stay so.
  oidc.config.php: |-
    <?php
    $CONFIG = array (
        'allow_user_to_change_display_name' => false,
        'lost_password_link' => 'disabled',
        'oidc_login_provider_url' => getenv('OIDC_IDP_URI'),
        'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
        'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
        'oidc_login_auto_redirect' => true,
        'oidc_login_logout_url' => getenv('OIDC_IDP_URI'),
        'oidc_login_end_session_redirect' => false,
        'oidc_login_default_quota' => '250000000000',
        'oidc_login_button_text' => 'Log in with OpenID',
        'oidc_login_hide_password_form' => true,
        'oidc_login_use_id_token' => false,
        'oidc_login_attributes' => array (
            'id' => 'sub',
            'name' => 'name',
            'mail' => 'email',
            //'quota' => 'ownCloudQuota',
            'home' => 'homeDirectory',
            //'ldap_uid' => 'sub',
            //'groups' => 'ownCloudGroups',
            //'login_filter' => 'realm_access_roles',
            //'photoURL' => 'picture',
            //'is_admin' => 'ownCloudAdmin',
        ),
        //'oidc_login_default_group' => 'oidc',
        'oidc_login_filter_allowed_values' => null,
        'oidc_login_use_external_storage' => false,
        'oidc_login_scope' => 'openid profile',
        'oidc_login_proxy_ldap' => false,
        'oidc_login_disable_registration' => false,
        'oidc_login_redir_fallback' => false,
        'oidc_login_alt_login_page' => 'assets/login.php',
        'oidc_login_tls_verify' => true,
        'oidc_create_groups' => false,
        'oidc_login_webdav_enabled' => false,
        'oidc_login_password_authentication' => false,
        'oidc_login_public_key_caching_time' => 86400,
        'oidc_login_min_time_between_jwks_requests' => 10,
        'oidc_login_well_known_caching_time' => 86400,
        'oidc_login_update_avatar' => false,
        'oidc_login_skip_proxy' => false,
        'oidc_login_code_challenge_method' => '',
    );