Migrate Nextcloud to Kube

nextcloud/application.yaml

@@ -0,0 +1,254 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: nextcloud-admin-secrets
+spec:
+  size: 32
+  mapping:
+    - key: password
+      value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: KeydbClaim
+metadata:
+  name: nextcloud
+spec:
+  class: ephemeral
+  capacity: 100Mi
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: nextcloud
+spec:
+  displayName: Nextcloud
+  uri: https://nextcloud.k-space.ee
+  redirectUris:
+    - https://nextcloud.k-space.ee/apps/oidc_login/oidc
+  allowedGroups:
+    - k-space:floor
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: nextcloud
+  labels:
+    app.kubernetes.io/name: nextcloud
+spec:
+  serviceName: nextcloud
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nextcloud
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nextcloud
+    spec:
+      enableServiceLinks: false
+      containers:
+        - name: nextcloud
+          image: nextcloud:production-apache
+          env:
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-nextcloud-owner-secrets
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-nextcloud-owner-secrets
+                  key: OIDC_CLIENT_SECRET
+            - name: OIDC_GATEWAY_AUTH_URI
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-nextcloud-owner-secrets
+                  key: OIDC_GATEWAY_AUTH_URI
+            - name: OIDC_GATEWAY_URI
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-nextcloud-owner-secrets
+                  key: OIDC_GATEWAY_URI
+            - name: UPLOAD_LIMIT
+              value: 10G
+            - name: MYSQL_USER
+              value: kspace_nextcloud
+            - name: MYSQL_DATABASE
+              value: kspace_nextcloud
+            - name: MYSQL_HOST
+              value: mariadb.infra.k-space.ee
+            - name: NEXTCLOUD_ADMIN_USER
+              value: admin
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: nextcloud.k-space.ee
+            - name: OBJECTSTORE_S3_HOST
+              value: 172.20.9.2
+            - name: OBJECTSTORE_S3_PORT
+              value: "9000"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: kspace-nextcloud
+            - name: OBJECTSTORE_S3_SSL
+              value: "false"
+            - name: OBJECTSTORE_S3_KEY
+              value: kspace-nextcloud
+            - name: OBJECTSTORE_S3_REGION
+              value: us-west-1
+            - name: OBJECTSTORE_S3_USEPATH_STYLE
+              value: "true"
+            - name: TRUSTED_PROXIES
+              value: 0.0.0.0/0
+            - name: MAIL_FROM_ADDRESS
+              value: nextcloud@k-space.ee
+            - name: SMTP_HOST
+              value: mail.k-space.ee
+            - name: MAIL_DOMAIN
+              value: k-space.ee
+            - name: NEXTCLOUD_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-admin-secrets
+                  key: password
+            - name: REDIS_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: keydb-nextcloud-owner-secrets
+                  key: REDIS_MASTER
+            - name: REDIS_HOST_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keydb-nextcloud-owner-secrets
+                  key: REDIS_PASSWORD
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-imported-secrets
+                  key: MYSQL_PASSWORD
+            - name: OBJECTSTORE_S3_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-imported-secrets
+                  key: OBJECTSTORE_S3_SECRET
+          ports:
+            - containerPort: 80
+              name: http
+          volumeMounts:
+            - mountPath: /var/www/html
+              name: data
+            - mountPath: /var/www/html/config/oidc.config.php
+              name: config
+              subPath: oidc.config.php
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  name: nextcloud-config
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud
+spec:
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: http
+  selector:
+    app.kubernetes.io/name: nextcloud
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nextcloud
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: nextcloud.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: nextcloud
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - "*.k-space.ee"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-config
+data:
+  oidc.config.php: |-
+    <?php
+    $CONFIG = array (
+        'allow_user_to_change_display_name' => false,
+        'lost_password_link' => 'disabled',
+        'oidc_login_provider_url' => getenv('OIDC_GATEWAY_URI'),
+        'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+        'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+        'oidc_login_auto_redirect' => true,
+        'oidc_login_logout_url' => getenv('OIDC_GATEWAY_URI'),
+        'oidc_login_end_session_redirect' => false,
+        'oidc_login_default_quota' => '250000000000',
+        'oidc_login_button_text' => 'Log in with OpenID',
+        'oidc_login_hide_password_form' => true,
+        'oidc_login_use_id_token' => false,
+        'oidc_login_attributes' => array (
+            'id' => 'sub',
+            'name' => 'name',
+            'mail' => 'email',
+            //'quota' => 'ownCloudQuota',
+            'home' => 'homeDirectory',
+            'ldap_uid' => 'sub',
+            //'groups' => 'ownCloudGroups',
+            //'login_filter' => 'realm_access_roles',
+            //'photoURL' => 'picture',
+            //'is_admin' => 'ownCloudAdmin',
+        ),
+        //'oidc_login_default_group' => 'oidc',
+        'oidc_login_filter_allowed_values' => null,
+        'oidc_login_use_external_storage' => false,
+        'oidc_login_scope' => 'openid profile',
+        'oidc_login_proxy_ldap' => false,
+        'oidc_login_disable_registration' => true,
+        'oidc_login_redir_fallback' => false,
+        'oidc_login_alt_login_page' => 'assets/login.php',
+        'oidc_login_tls_verify' => true,
+        'oidc_create_groups' => false,
+        'oidc_login_webdav_enabled' => false,
+        'oidc_login_password_authentication' => false,
+        'oidc_login_public_key_caching_time' => 86400,
+        'oidc_login_min_time_between_jwks_requests' => 10,
+        'oidc_login_well_known_caching_time' => 86400,
+        'oidc_login_update_avatar' => false,
+        'oidc_login_skip_proxy' => false,
+        'oidc_login_code_challenge_method' => '',
+    );