---
# Operator-generated admin password for Nextcloud. The resulting Secret is
# read by NEXTCLOUD_ADMIN_PASSWORD in the StatefulSet (key: password).
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: nextcloud-admin-secrets
spec:
  # Length of the generated value (presumably characters — confirm with the operator docs).
  size: 32
  mapping:
    - key: password
      # Stored as-is; no hashing/encoding applied on the claim side.
      value: "%(plaintext)s"
---
# Redis-compatible cache for Nextcloud. The operator publishes the connection
# details in keydb-nextcloud-owner-secrets (REDIS_MASTER / REDIS_PASSWORD),
# consumed by the REDIS_HOST* env vars in the StatefulSet.
apiVersion: codemowers.cloud/v1beta1
kind: KeydbClaim
metadata:
  name: nextcloud
spec:
  # "ephemeral" presumably means no persistence; cache contents and file locks
  # are lost on restart, which Nextcloud tolerates.
  class: ephemeral
  capacity: 100Mi
---
# Registers Nextcloud as a client of the cluster OIDC gateway. The gateway
# publishes client id/secret and endpoint URIs in
# oidc-client-nextcloud-owner-secrets, which the StatefulSet maps to OIDC_* env vars.
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: nextcloud
spec:
  displayName: Nextcloud
  uri: https://nextcloud.k-space.ee
  # Single exact redirect URI for the oidc_login app; keep this list minimal.
  redirectUris:
    - https://nextcloud.k-space.ee/apps/oidc_login/oidc
  # Login is restricted to this group at the gateway; Nextcloud itself does not
  # filter (oidc_login_filter_allowed_values is null in nextcloud-config).
  allowedGroups:
    - k-space:floor
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  # NOTE(review): nextcloud-config maps 'mail' => 'email', but the email scope
  # is neither offered here nor requested in oidc_login_scope ("openid profile").
  # Confirm the gateway returns the email claim under profile.
  availableScopes:
    - openid
    - profile
  # NOTE(review): PKCE is disabled on both sides (oidc_login_code_challenge_method
  # is '' in nextcloud-config). This is a confidential client with a secret, so
  # the code flow is still bound to the client; enabling S256 requires changing
  # this flag and the PHP config in the same change.
  pkce: false
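---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nextcloud
  labels:
    app.kubernetes.io/name: nextcloud
spec:
  serviceName: nextcloud
  # Single replica: the data PVC is ReadWriteOnce and cron is driven from this pod.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
    spec:
      # Do not inject *_SERVICE_HOST/PORT env vars for every Service in the namespace.
      enableServiceLinks: false
      initContainers:
        # Seeds the php-config emptyDir with the image's PHP ini snippets so the
        # main container gets a writable copy of /usr/local/etc/php/conf.d.
        - name: setup-php-config
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          command: ["/bin/sh", "-c"]
          args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
          # Same hardening as the main container: a plain file copy needs no
          # capabilities and no privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /config
              name: php-config
      containers:
        - name: nextcloud
          # Pinned by digest (same digest as the init container); bump both together.
          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
          # This "readiness" probe doubles as the cron runner: every 300s the kubelet
          # executes cron.php inside the pod. Consequently a failing or slow cron run
          # (longer than timeoutSeconds) marks the pod NotReady and removes it from
          # the Service until the next successful run.
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/php
                - /var/www/html/cron.php
            initialDelaySeconds: 1
            periodSeconds: 300
            timeoutSeconds: 30
          env:
            # OIDC client credentials and gateway endpoints published by the OIDCGWClient.
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: OIDC_GATEWAY_AUTH_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_GATEWAY_AUTH_URI
            - name: OIDC_GATEWAY_URI
              valueFrom:
                secretKeyRef:
                  name: oidc-client-nextcloud-owner-secrets
                  key: OIDC_GATEWAY_URI
            - name: UPLOAD_LIMIT
              value: 10G
            - name: MYSQL_USER
              value: kspace_nextcloud
            - name: MYSQL_DATABASE
              value: kspace_nextcloud
            - name: MYSQL_HOST
              value: mariadb.infra.k-space.ee
            - name: NEXTCLOUD_ADMIN_USER
              value: admin
            # This is for reference - these values are not actually changed by env after installation.
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: nextcloud.k-space.ee nextcloud
            # S3 object store (the image configures it as primary storage); the data
            # PVC then only holds application code and config.
            # NOTE(review): OBJECTSTORE_S3_SSL is "false", so the S3 key/secret and all
            # file content travel unencrypted to this hard-coded endpoint. Acceptable
            # only if 172.20.9.2:9000 is reachable solely over a trusted segment.
            - name: OBJECTSTORE_S3_HOST
              value: 172.20.9.2
            - name: OBJECTSTORE_S3_PORT
              value: "9000"
            - name: OBJECTSTORE_S3_BUCKET
              value: kspace-nextcloud
            - name: OBJECTSTORE_S3_SSL
              value: "false"
            - name: OBJECTSTORE_S3_KEY
              value: kspace-nextcloud
            - name: OBJECTSTORE_S3_REGION
              value: us-west-1
            - name: OBJECTSTORE_S3_USEPATH_STYLE
              value: "true"
            # SECURITY(review): 0.0.0.0/0 makes Nextcloud honour X-Forwarded-For from
            # any peer that can reach the pod, so the client IP used for logging and
            # brute-force protection is spoofable. Narrow this to the Traefik pod
            # CIDR / node range, e.g. value: "<ingress-cidr>"  (placeholder — take
            # the real range from the cluster network config).
            - name: TRUSTED_PROXIES
              value: 0.0.0.0/0
            - name: MAIL_FROM_ADDRESS
              value: nextcloud@k-space.ee
            - name: SMTP_HOST
              value: mail.k-space.ee
            - name: MAIL_DOMAIN
              value: k-space.ee
            # Generated by the SecretClaim nextcloud-admin-secrets.
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-admin-secrets
                  key: password
            # Published by the KeydbClaim "nextcloud".
            - name: REDIS_HOST
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_MASTER
            - name: REDIS_HOST_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keydb-nextcloud-owner-secrets
                  key: REDIS_PASSWORD
            # nextcloud-imported-secrets is not defined in this file; it must be
            # created out of band (DB password and S3 secret).
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: MYSQL_PASSWORD
            - name: OBJECTSTORE_S3_SECRET
              valueFrom:
                secretKeyRef:
                  name: nextcloud-imported-secrets
                  key: OBJECTSTORE_S3_SECRET
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - mountPath: /var/www/html
              name: data
            # Only oidc.config.php is projected (subPath); the rest of config/ lives
            # on the data PVC.
            - mountPath: /var/www/html/config/oidc.config.php
              name: config
              subPath: oidc.config.php
            - name: php-config
              mountPath: /usr/local/etc/php/conf.d/
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              # NOTE(review): with runAsUser 1000 this added capability is most
              # likely not effective (non-root processes do not receive ambient
              # caps); binding port 80 works because of the
              # ip_unprivileged_port_start sysctl below. Probably removable — confirm.
              add:
                - NET_BIND_SERVICE
      volumes:
        - name: php-config
          emptyDir: {}
        - name: config
          projected:
            sources:
              - configMap:
                  name: nextcloud-config
      securityContext:
        # Enforced at admission; the explicit UID below already satisfies it.
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        # Lets the unprivileged web server process bind port 80 (a "safe" sysctl).
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "0"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: longhorn
        resources:
          requests:
            storage: 1Gi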
---
# ClusterIP Service fronting the StatefulSet; the Ingress below targets port 80.
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
spec:
  ports:
    - port: 80
      protocol: TCP
      # Resolves to the container port named "http" in the StatefulSet.
      targetPort: http
  selector:
    app.kubernetes.io/name: nextcloud
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  annotations:
    # HTTPS entrypoint only; no plain-HTTP router is created for this host.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    # Format is <namespace>-<name>@kubernetescrd, so the Middleware is expected
    # in namespace "nextcloud". It rewrites external /cron.php requests to /,
    # leaving cron triggerable only from inside the pod (readiness probe).
    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
spec:
  rules:
    - host: nextcloud.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: nextcloud
                port:
                  number: 80
  # No secretName: relies on a Traefik default/wildcard certificate covering
  # *.k-space.ee — verify that is configured on the websecure entrypoint.
  tls:
    - hosts:
        - "*.k-space.ee"
---
# Referenced from the Ingress annotation. Requests for /cron.php arriving via
# Traefik have their path replaced with "/", so the cron endpoint cannot be
# triggered from outside; cron is run in-pod by the StatefulSet readiness probe.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-block-external-cron
spec:
  replacePathRegex:
    # Unanchored Go regex with an unescaped ".": it matches "/cron.php" anywhere
    # in the path (and e.g. "/cronXphp"). Over-matching is harmless for a block
    # rule; a stricter form would be "^/cron\\.php$". Effectiveness depends on
    # Traefik matching the normalised request path — confirm encoded or
    # doubled-slash spellings are rewritten as well.
    regex: /cron.php
    replacement: /
---
# Nextcloud config fragment, mounted as config/oidc.config.php (subPath) from the
# "config" projected volume in the StatefulSet; Nextcloud merges config/*.config.php.
# No secrets are stored here — client id/secret and gateway URL are read from the
# environment at runtime via getenv().
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-config
data:
  # NOTE(review): oidc_login_code_challenge_method is '' (PKCE disabled) to match
  # pkce: false on the OIDCGWClient; enable both together (S256) if desired.
  # Password login and self-registration are disabled, so the OIDC gateway is the
  # only way in apart from the NEXTCLOUD_ADMIN_USER account.
  oidc.config.php: |-
    <?php
    $CONFIG = array (
      'allow_user_to_change_display_name' => false,
      'lost_password_link' => 'disabled',
      'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'),
      'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
      'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
      'oidc_login_auto_redirect' => true,
      'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'),
      'oidc_login_end_session_redirect' => false,
      'oidc_login_default_quota' => '250000000000',
      'oidc_login_button_text' => 'Log in with OpenID',
      'oidc_login_hide_password_form' => true,
      'oidc_login_use_id_token' => false,
      'oidc_login_attributes' => array (
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        //'quota' => 'ownCloudQuota',
        'home' => 'homeDirectory',
        'ldap_uid' => 'sub',
        //'groups' => 'ownCloudGroups',
        //'login_filter' => 'realm_access_roles',
        //'photoURL' => 'picture',
        //'is_admin' => 'ownCloudAdmin',
      ),
      //'oidc_login_default_group' => 'oidc',
      'oidc_login_filter_allowed_values' => null,
      'oidc_login_use_external_storage' => false,
      'oidc_login_scope' => 'openid profile',
      'oidc_login_proxy_ldap' => false,
      'oidc_login_disable_registration' => true,
      'oidc_login_redir_fallback' => false,
      'oidc_login_alt_login_page' => 'assets/login.php',
      'oidc_login_tls_verify' => true,
      'oidc_create_groups' => false,
      'oidc_login_webdav_enabled' => false,
      'oidc_login_password_authentication' => false,
      'oidc_login_public_key_caching_time' => 86400,
      'oidc_login_min_time_between_jwks_requests' => 10,
      'oidc_login_well_known_caching_time' => 86400,
      'oidc_login_update_avatar' => false,
      'oidc_login_skip_proxy' => false,
      'oidc_login_code_challenge_method' => '',
    );