---
# Claims a 32-character secret for the local Nextcloud admin account (the
# generation semantics belong to the SecretClaim controller, not shown here).
# Consumed by the StatefulSet as secretKeyRef nextcloud-admin-secrets/password.
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: nextcloud-admin-secrets
spec:
  mapping:
    - key: password
      value: '%(plaintext)s'
  size: 32
---
# Ephemeral (non-persistent) KeyDB instance for Nextcloud caching/locking.
# The StatefulSet reads REDIS_HOST / REDIS_HOST_PASSWORD from Secret
# keydb-nextcloud-owner-secrets, presumably published by this claim.
apiVersion: codemowers.cloud/v1beta1
kind: KeydbClaim
metadata:
  name: nextcloud
spec:
  capacity: 100Mi
  class: ephemeral
---
# OIDC client registration at the gateway. The StatefulSet reads the client
# credentials from Secret oidc-client-nextcloud-owner-secrets; that the gateway
# publishes it under this name is inferred from the naming, not visible here.
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: nextcloud
spec:
  displayName: Nextcloud
  # PKCE is disabled here and in oidc.config.php (code_challenge_method '').
  # This is a confidential client (client secret), so the code exchange is
  # still bound to the secret; enabling PKCE must change both places together.
  pkce: false
  uri: https://nextcloud.k-space.ee
  redirectUris:
    - https://nextcloud.k-space.ee/apps/oidc_login/oidc
  # Access is gated at the gateway by group; the app-side filter
  # (oidc_login_filter_allowed_values) is null, so this appears to be the
  # only membership check.
  allowedGroups:
    - k-space:floor
    - k-space:non-floor-nextcloud
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  # oidc.config.php maps 'mail' => 'email' but only openid+profile are
  # requested — confirm the gateway emits the email claim under profile.
  availableScopes:
    - openid
    - profile
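---
# Nextcloud application pod. /var/www/html is a Longhorn PVC; object storage is
# configured via OBJECTSTORE_S3_* (presumably primary storage), cache/locking via
# KeyDB, database via MariaDB. Secrets are injected from the claims above plus
# nextcloud-imported-secrets, which is not defined in this file.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
spec:
  serviceName: nextcloud
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
    spec:
      # Do not inject *_SERVICE_HOST/PORT env for every Service in the namespace.
      enableServiceLinks: false
      initContainers:
        # Seeds the php-config emptyDir with the image's stock conf.d so the
        # main container can mount it over /usr/local/etc/php/conf.d/
        # (presumably to make that directory writable without losing defaults).
        - name: setup-php-config
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          command:
            - "/bin/sh"
            - "-c"
          args:
            - "cp -r /usr/local/etc/php/conf.d/. /config/"
          volumeMounts:
            - mountPath: /config
              name: php-config
      containers:
        - name: nextcloud
          # Pinned by digest; same digest as the init container — bump together.
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          # The readiness probe doubles as the cron runner (cron.php every 300s).
          # Side effect: a run that fails or exceeds timeoutSeconds marks the pod
          # unready and drops it from the Service until the next successful run.
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/php
                - /var/www/html/cron.php
            initialDelaySeconds: 1
            periodSeconds: 300
            timeoutSeconds: 30
          env:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: OIDC_GATEWAY_AUTH_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_GATEWAY_AUTH_URI
            - name: OIDC_GATEWAY_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_GATEWAY_URI
            - name: UPLOAD_LIMIT
              value: 10G
            - name: MYSQL_USER
              value: kspace_nextcloud
            - name: MYSQL_DATABASE
              value: kspace_nextcloud
            - name: MYSQL_HOST
              value: mariadb.infra.k-space.ee
            - name: NEXTCLOUD_ADMIN_USER
              value: admin
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: nextcloud.k-space.ee nextcloud  # This is for reference - these values are not actually changed by env after installation.
            - name: OBJECTSTORE_S3_HOST
              value: 172.20.9.2
            - name: OBJECTSTORE_S3_PORT
              value: "9000"
            - name: OBJECTSTORE_S3_BUCKET
              value: kspace-nextcloud
            # Plaintext S3: object data crosses the network unencrypted to
            # 172.20.9.2; acceptable only on a trusted segment.
            - name: OBJECTSTORE_S3_SSL
              value: "false"
            - name: OBJECTSTORE_S3_KEY
              value: kspace-nextcloud
            - name: OBJECTSTORE_S3_REGION
              value: us-west-1
            - name: OBJECTSTORE_S3_USEPATH_STYLE
              value: "true"
            # Trusts X-Forwarded-For from any source. Anything that can reach
            # port 80 on this pod directly (no NetworkPolicy in this file) can
            # spoof the client IP Nextcloud uses for brute-force throttling and
            # logging; narrow this to the Traefik pod/network range if known.
            - name: TRUSTED_PROXIES
              value: 0.0.0.0/0
            - name: MAIL_FROM_ADDRESS
              value: nextcloud@k-space.ee
            - name: SMTP_HOST
              value: mail.k-space.ee
            - name: MAIL_DOMAIN
              value: k-space.ee
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin-secrets
                  key: password
            - name: REDIS_HOST
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_MASTER
            - name: REDIS_HOST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_PASSWORD
            # nextcloud-imported-secrets must be created out-of-band.
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: MYSQL_PASSWORD
            - name: OBJECTSTORE_S3_SECRET
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: OBJECTSTORE_S3_SECRET
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - mountPath: /var/www/html
              name: data
            # subPath mounts do not pick up ConfigMap changes; restart the pod
            # after editing nextcloud-config.
            - mountPath: /var/www/html/config/oidc.config.php
              name: config
              subPath: oidc.config.php
            - name: php-config
              mountPath: /usr/local/etc/php/conf.d/
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              # Binding port 80 as uid 1000; the pod-level sysctl below also
              # covers this, so either one alone should suffice.
              add:
                - NET_BIND_SERVICE
      volumes:
        - name: php-config
          emptyDir: {}
        - name: config
          projected:
            sources:
              - configMap:
                  name: nextcloud-config
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # Enforces the non-root UID above; the pod fails to start rather than
        # silently running as root if runAsUser is ever dropped.
        runAsNonRoot: true
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "0"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: longhorn
        resources:
          requests:
            storage: 1Gi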
---
# Service in front of the StatefulSet (default ClusterIP). The cron-blocking
# middleware only applies to traffic routed through Traefik; in-cluster callers
# reaching this Service directly are not subject to it (no NetworkPolicy here).
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
spec:
  selector:
    app.kubernetes.io/name: nextcloud
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
---
# Public entry point via Traefik. The middleware reference is namespaced
# (<namespace>-<name>@kubernetescrd), so it assumes this lives in namespace
# "nextcloud"; the Middleware itself is defined further down.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  annotations:
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    # Rewrites /cron.php so external callers cannot trigger cron over HTTP.
    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
spec:
  tls:
    - hosts:
        - "*.k-space.ee"
  rules:
    - host: nextcloud.k-space.ee
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 80
---
# Neutralises external requests for /cron.php by rewriting the path to "/";
# cron is run in-pod by the StatefulSet's readiness probe, not over HTTP.
# The pattern is unanchored and the "." is unescaped, so it matches the
# substring anywhere in the path ("//cron.php", "/x/cron.php" included) —
# broader than strictly needed, but in the blocking direction. The rewrite
# answers with the front page rather than a 403, so such requests are not
# distinguishable in access logs; only traffic through Traefik is affected.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-block-external-cron
spec:
  replacePathRegex:
    replacement: '/'
    regex: '/cron.php'
---
# oidc_login app configuration, mounted by the StatefulSet via subPath at
# /var/www/html/config/oidc.config.php. Provider URL and client credentials
# are read with getenv() from the OIDC_* env vars injected into the pod.
# Notes: tls_verify is on; the password form is hidden and password
# authentication disabled; code_challenge_method '' means PKCE off, matching
# pkce: false on the OIDCGWClient; 'mail' => 'email' expects an email claim
# although only openid+profile are requested — confirm the gateway sends it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
data:
  oidc.config.php: |-
    <?php
    $CONFIG = array (
      'allow_user_to_change_display_name' => false,
      'lost_password_link' => 'disabled',
      'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'),
      'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
      'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
      'oidc_login_auto_redirect' => true,
      'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'),
      'oidc_login_end_session_redirect' => false,
      'oidc_login_default_quota' => '250000000000',
      'oidc_login_button_text' => 'Log in with OpenID',
      'oidc_login_hide_password_form' => true,
      'oidc_login_use_id_token' => false,
      'oidc_login_attributes' => array (
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        //'quota' => 'ownCloudQuota',
        'home' => 'homeDirectory',
        'ldap_uid' => 'sub',
        //'groups' => 'ownCloudGroups',
        //'login_filter' => 'realm_access_roles',
        //'photoURL' => 'picture',
        //'is_admin' => 'ownCloudAdmin',
      ),
      //'oidc_login_default_group' => 'oidc',
      'oidc_login_filter_allowed_values' => null,
      'oidc_login_use_external_storage' => false,
      'oidc_login_scope' => 'openid profile',
      'oidc_login_proxy_ldap' => false,
      'oidc_login_disable_registration' => true,
      'oidc_login_redir_fallback' => false,
      'oidc_login_alt_login_page' => 'assets/login.php',
      'oidc_login_tls_verify' => true,
      'oidc_create_groups' => false,
      'oidc_login_webdav_enabled' => false,
      'oidc_login_password_authentication' => false,
      'oidc_login_public_key_caching_time' => 86400,
      'oidc_login_min_time_between_jwks_requests' => 10,
      'oidc_login_well_known_caching_time' => 86400,
      'oidc_login_update_avatar' => false,
      'oidc_login_skip_proxy' => false,
      'oidc_login_code_challenge_method' => '',
    );