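# Nextcloud deployment for nextcloud.k-space.ee: generated admin secret, KeyDB
# claim, OIDC gateway client, StatefulSet, Service, Ingress, a Traefik
# middleware that hides cron.php from the outside, and the OIDC PHP config.
# The PHP payload in the ConfigMap had lost its opening ("<?php", "$CONFIG =
# array (" and the first key) in extraction; the header is restored below and
# the missing key is flagged inline.
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: nextcloud-admin-secrets
spec:
  # 32-character generated value, surfaced as key "password" and consumed
  # by NEXTCLOUD_ADMIN_PASSWORD below.
  size: 32
  mapping:
    - key: password
      value: "%(plaintext)s"
---
apiVersion: codemowers.cloud/v1beta1
kind: KeydbClaim
metadata:
  name: nextcloud
spec:
  # Ephemeral class: cache only; REDIS_HOST/REDIS_HOST_PASSWORD come from the
  # keydb-nextcloud-owner-secrets Secret the claim produces.
  class: ephemeral
  capacity: 100Mi
---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: nextcloud
spec:
  displayName: Nextcloud
  uri: https://nextcloud.k-space.ee
  # Exact redirect URI of the oidc_login app; keep it exact, no wildcard.
  redirectUris:
    - https://nextcloud.k-space.ee/apps/oidc_login/oidc
  allowedGroups:
    - k-space:floor
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  # PKCE is off here and 'oidc_login_code_challenge_method' is '' in the PHP
  # config below; the two must be changed together if PKCE is enabled.
  pkce: false
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
spec:
  serviceName: nextcloud
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
    spec:
      # Keeps the auto-generated *_SERVICE_HOST/PORT variables out of the
      # container environment.
      enableServiceLinks: false
      initContainers:
        # Copies the image's PHP conf.d into an emptyDir that is then mounted
        # over the same path in the main container (presumably so the
        # non-root entrypoint can write there — confirm).
        - name: setup-php-config
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          command: ["/bin/sh", "-c"]
          args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
          volumeMounts:
            - mountPath: /config
              name: php-config
      containers:
        - name: nextcloud
          # Pinned by digest; same digest as the init container.
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          # The readiness probe doubles as the cron runner: cron.php is
          # executed every 300 s. A run longer than timeoutSeconds marks the
          # pod not-ready.
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/php
                - /var/www/html/cron.php
            initialDelaySeconds: 1
            periodSeconds: 300
            timeoutSeconds: 30
          env:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_SECRET
            # Set but not referenced by the PHP config below — verify whether
            # it is still needed.
            - name: OIDC_GATEWAY_AUTH_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_GATEWAY_AUTH_URI
            - name: OIDC_GATEWAY_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_GATEWAY_URI
            - name: UPLOAD_LIMIT
              value: 10G
            - name: MYSQL_USER
              value: kspace_nextcloud
            - name: MYSQL_DATABASE
              value: kspace_nextcloud
            - name: MYSQL_HOST
              value: mariadb.infra.k-space.ee
            - name: NEXTCLOUD_ADMIN_USER
              value: admin
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: nextcloud.k-space.ee nextcloud  # This is for reference - these values are not actually changed by env after installation.
            - name: OBJECTSTORE_S3_HOST
              value: 172.20.9.2
            - name: OBJECTSTORE_S3_PORT
              value: "9000"
            - name: OBJECTSTORE_S3_BUCKET
              value: kspace-nextcloud
            # Plaintext to the object store on port 9000; acceptable only if
            # 172.20.9.2 is reached over a trusted network segment.
            - name: OBJECTSTORE_S3_SSL
              value: "false"
            - name: OBJECTSTORE_S3_KEY
              value: kspace-nextcloud
            - name: OBJECTSTORE_S3_REGION
              value: us-west-1
            - name: OBJECTSTORE_S3_USEPATH_STYLE
              value: "true"
            # Every source address is trusted as a proxy, so any client that
            # can reach the Service directly (in-cluster) can set the client IP
            # Nextcloud logs and rate-limits on. Narrow to the ingress pod
            # range (e.g. <TRAEFIK_POD_CIDR>) if that matters here.
            - name: TRUSTED_PROXIES
              value: 0.0.0.0/0
            - name: MAIL_FROM_ADDRESS
              value: nextcloud@k-space.ee
            - name: SMTP_HOST
              value: mail.k-space.ee
            - name: MAIL_DOMAIN
              value: k-space.ee
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin-secrets
                  key: password
            - name: REDIS_HOST
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_MASTER
            - name: REDIS_HOST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_PASSWORD
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: MYSQL_PASSWORD
            - name: OBJECTSTORE_S3_SECRET
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: OBJECTSTORE_S3_SECRET
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - mountPath: /var/www/html
              name: data
            # subPath mount: edits to the ConfigMap are not propagated into a
            # running pod; restart after changing oidc.config.php.
            - mountPath: /var/www/html/config/oidc.config.php
              name: config
              subPath: oidc.config.php
            - name: php-config
              mountPath: /usr/local/etc/php/conf.d/
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              # With net.ipv4.ip_unprivileged_port_start=0 set below, port 80
              # is already bindable by UID 1000; this capability looks
              # redundant and could be dropped — confirm before removing.
              add:
                - NET_BIND_SERVICE
      volumes:
        - name: php-config
          emptyDir: {}
        - name: config
          projected:
            sources:
              - configMap:
                  name: nextcloud-config
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "0"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: longhorn
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/name: nextcloud
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    # <namespace>-<name>@kubernetescrd; references the Middleware below.
    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
spec:
  rules:
    - host: nextcloud.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: nextcloud
                port:
                  number: 80
  tls:
    - hosts:
        - "*.k-space.ee"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-block-external-cron
spec:
  # Rewrites any path containing /cron.php to /, so external callers cannot
  # trigger the cron endpoint (cron runs via the readiness probe instead).
  # Deliberately left unanchored: anchoring at ^ would let slash-normalised
  # variants through; the dot also matches any character, which only makes
  # the rule broader.
  replacePathRegex:
    regex: /cron.php
    replacement: /
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
data:
  # Mounted as /var/www/html/config/oidc.config.php. Local password login is
  # hidden and disabled and the lost-password link is off, so sign-in goes
  # through the OIDC gateway only; TLS verification toward the provider stays
  # on.
  oidc.config.php: |-
    <?php
    $CONFIG = array (
      // NOTE(review): the key of this first entry was lost when the page was
      // extracted (everything between "<?php" and the first "=>" is missing);
      // restore it from the original file before applying.
      false,
      'lost_password_link' => 'disabled',
      'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'),
      'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
      'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
      'oidc_login_auto_redirect' => true,
      'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'),
      'oidc_login_end_session_redirect' => false,
      'oidc_login_default_quota' => '250000000000',
      'oidc_login_button_text' => 'Log in with OpenID',
      'oidc_login_hide_password_form' => true,
      'oidc_login_use_id_token' => false,
      'oidc_login_attributes' => array (
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        //'quota' => 'ownCloudQuota',
        'home' => 'homeDirectory',
        'ldap_uid' => 'sub',
        //'groups' => 'ownCloudGroups',
        //'login_filter' => 'realm_access_roles',
        //'photoURL' => 'picture',
        //'is_admin' => 'ownCloudAdmin',
      ),
      //'oidc_login_default_group' => 'oidc',
      'oidc_login_filter_allowed_values' => null,
      'oidc_login_use_external_storage' => false,
      'oidc_login_scope' => 'openid profile',
      'oidc_login_proxy_ldap' => false,
      'oidc_login_disable_registration' => true,
      'oidc_login_redir_fallback' => false,
      'oidc_login_alt_login_page' => 'assets/login.php',
      'oidc_login_tls_verify' => true,
      'oidc_create_groups' => false,
      'oidc_login_webdav_enabled' => false,
      'oidc_login_password_authentication' => false,
      'oidc_login_public_key_caching_time' => 86400,
      'oidc_login_min_time_between_jwks_requests' => 10,
      'oidc_login_well_known_caching_time' => 86400,
      'oidc_login_update_avatar' => false,
      'oidc_login_skip_proxy' => false,
      // Empty = no PKCE; pair with pkce: true on the OIDCGWClient if this is
      // ever set to 'S256'.
      'oidc_login_code_challenge_method' => '',
    );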