diff --git a/nextcloud/application.yaml b/nextcloud/application.yaml
new file mode 100644
index 0000000..0a426d3
--- /dev/null
+++ b/nextcloud/application.yaml
@@ -0,0 +1,254 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: nextcloud-admin-secrets
+spec:
+ size: 32
+ mapping:
+ - key: password
+ value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: KeydbClaim
+metadata:
+ name: nextcloud
+spec:
+ class: ephemeral
+ capacity: 100Mi
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+ name: nextcloud
+spec:
+ displayName: Nextcloud
+ uri: https://nextcloud.k-space.ee
+ redirectUris:
+ - https://nextcloud.k-space.ee/apps/oidc_login/oidc
+ allowedGroups:
+ - k-space:floor
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ availableScopes:
+ - openid
+ - profile
+ pkce: false
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: nextcloud
+ labels:
+ app.kubernetes.io/name: nextcloud
+spec:
+ serviceName: nextcloud
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: nextcloud
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: nextcloud
+ spec:
+ enableServiceLinks: false
+ containers:
+ - name: nextcloud
+ image: nextcloud:production-apache
+ env:
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client-nextcloud-owner-secrets
+ key: OIDC_CLIENT_ID
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client-nextcloud-owner-secrets
+ key: OIDC_CLIENT_SECRET
+ - name: OIDC_GATEWAY_AUTH_URI
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client-nextcloud-owner-secrets
+ key: OIDC_GATEWAY_AUTH_URI
+ - name: OIDC_GATEWAY_URI
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client-nextcloud-owner-secrets
+ key: OIDC_GATEWAY_URI
+ - name: UPLOAD_LIMIT
+ value: 10G
+ - name: MYSQL_USER
+ value: kspace_nextcloud
+ - name: MYSQL_DATABASE
+ value: kspace_nextcloud
+ - name: MYSQL_HOST
+ value: mariadb.infra.k-space.ee
+ - name: NEXTCLOUD_ADMIN_USER
+ value: admin
+ - name: NEXTCLOUD_TRUSTED_DOMAINS
+ value: nextcloud.k-space.ee
+ - name: OBJECTSTORE_S3_HOST
+ value: 172.20.9.2
+ - name: OBJECTSTORE_S3_PORT
+ value: "9000"
+ - name: OBJECTSTORE_S3_BUCKET
+ value: kspace-nextcloud
+ - name: OBJECTSTORE_S3_SSL
+ value: "false"
+ - name: OBJECTSTORE_S3_KEY
+ value: kspace-nextcloud
+ - name: OBJECTSTORE_S3_REGION
+ value: us-west-1
+ - name: OBJECTSTORE_S3_USEPATH_STYLE
+ value: "true"
+ - name: TRUSTED_PROXIES
+ value: 0.0.0.0/0
+ - name: MAIL_FROM_ADDRESS
+ value: nextcloud@k-space.ee
+ - name: SMTP_HOST
+ value: mail.k-space.ee
+ - name: MAIL_DOMAIN
+ value: k-space.ee
+ - name: NEXTCLOUD_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-admin-secrets
+ key: password
+ - name: REDIS_HOST
+ valueFrom:
+ secretKeyRef:
+ name: keydb-nextcloud-owner-secrets
+ key: REDIS_MASTER
+ - name: REDIS_HOST_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keydb-nextcloud-owner-secrets
+ key: REDIS_PASSWORD
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-imported-secrets
+ key: MYSQL_PASSWORD
+ - name: OBJECTSTORE_S3_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-imported-secrets
+ key: OBJECTSTORE_S3_SECRET
+ ports:
+ - containerPort: 80
+ name: http
+ volumeMounts:
+ - mountPath: /var/www/html
+ name: data
+ - mountPath: /var/www/html/config/oidc.config.php
+ name: config
+ subPath: oidc.config.php
+ volumes:
+ - name: config
+ projected:
+ sources:
+ - configMap:
+ name: nextcloud-config
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nextcloud
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: http
+ selector:
+ app.kubernetes.io/name: nextcloud
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nextcloud
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+ rules:
+ - 
host: nextcloud.k-space.ee
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: nextcloud
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - "*.k-space.ee"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nextcloud-config
+data:
+ oidc.config.php: |-
+ false,
+ 'lost_password_link' => 'disabled',
+ 'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'),
+ 'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+ 'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+ 'oidc_login_auto_redirect' => true,
+ 'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'),
+ 'oidc_login_end_session_redirect' => false,
+ 'oidc_login_default_quota' => '250000000000',
+ 'oidc_login_button_text' => 'Log in with OpenID',
+ 'oidc_login_hide_password_form' => true,
+ 'oidc_login_use_id_token' => false,
+ 'oidc_login_attributes' => array (
+ 'id' => 'sub',
+ 'name' => 'name',
+ 'mail' => 'email',
+ //'quota' => 'ownCloudQuota',
+ 'home' => 'homeDirectory',
+ 'ldap_uid' => 'sub',
+ //'groups' => 'ownCloudGroups',
+ //'login_filter' => 'realm_access_roles',
+ //'photoURL' => 'picture',
+ //'is_admin' => 'ownCloudAdmin',
+ ),
+ //'oidc_login_default_group' => 'oidc',
+ 'oidc_login_filter_allowed_values' => null,
+ 'oidc_login_use_external_storage' => false,
+ 'oidc_login_scope' => 'openid profile',
+ 'oidc_login_proxy_ldap' => false,
+ 'oidc_login_disable_registration' => true,
+ 'oidc_login_redir_fallback' => false,
+ 'oidc_login_alt_login_page' => 'assets/login.php',
+ 'oidc_login_tls_verify' => true,
+ 'oidc_create_groups' => false,
+ 'oidc_login_webdav_enabled' => false,
+ 'oidc_login_password_authentication' => false,
+ 'oidc_login_public_key_caching_time' => 86400,
+ 'oidc_login_min_time_between_jwks_requests' => 10,
+ 'oidc_login_well_known_caching_time' => 86400,
+ 'oidc_login_update_avatar' => false,
+ 'oidc_login_skip_proxy' => false,
+ 'oidc_login_code_challenge_method' => '',
+ );
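Review bot: `TRUSTED_PROXIES` is set to `0.0.0.0/0` in the StatefulSet env, which makes Nextcloud honour X-Forwarded-For from any peer, so anything that can reach the pod or its Service directly can choose its own apparent client address (which Nextcloud's brute-force throttling and audit logging key on); narrow it to the Traefik ingress source range, e.g. `value: "<TRAEFIK_SOURCE_CIDR>"` (placeholder, fill in from the cluster). The same hunk sets `OBJECTSTORE_S3_SSL` to `"false"`, so the S3 key and secret travel to 172.20.9.2 in clear unless that path is encrypted elsewhere — a comment stating why plain HTTP is acceptable, or enabling TLS, would help. `pkce: false` on the OIDCGWClient together with `'oidc_login_code_challenge_method' => ''` disables PKCE on both sides; the client is confidential, so this is defence in depth, but enabling S256 on both is cheap. Also, `oidc_login_attributes` maps `'mail' => 'email'` while both `availableScopes` and `oidc_login_scope` request only openid and profile, so the mail attribute may stay empty unless the gateway emits `email` under profile. As rendered, the `oidc.config.php` block scalar begins at `false,`, so the opening `<?php`/`$CONFIG = array (` lines appear lost in page rendering rather than in the commit — worth confirming against the committed file.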