diff --git a/.archive/kube/deploy/apps/nextcloud/app/hr.yaml b/.archive/kube/deploy/apps/nextcloud/app/hr.yaml index 0266af36aa..b5c045a8ec 100644 --- a/.archive/kube/deploy/apps/nextcloud/app/hr.yaml +++ b/.archive/kube/deploy/apps/nextcloud/app/hr.yaml @@ -94,7 +94,7 @@ spec: redis: image: repository: "public.ecr.aws/docker/library/redis" - tag: "7.2.4-bookworm@sha256:8a4aaf84f31a637cb4e88b82f64d898448ed2e1eabbd8484eb202a492cc98c63" + tag: "7.4.1-bookworm@sha256:ea96c435dc17b011f54c6a883c3c45e7726242b075de61c6fe40a10ae6ae0f83" command: ["redis-server", "--port", "0", "--bind", "127.0.0.1", "--unixsocket", "/sockets/redis.sock", "--unixsocketperm", "700"] securityContext: *sc resources: diff --git a/kube/deploy/apps/nextcloud/app/hr.yaml b/kube/deploy/apps/nextcloud/app/hr.yaml deleted file mode 100644 index b5c045a8ec..0000000000 --- a/kube/deploy/apps/nextcloud/app/hr.yaml +++ /dev/null @@ -1,428 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: &app nextcloud - namespace: *app -spec: - timeout: 1h - chart: - spec: - chart: app-template - version: 2.6.0 - sourceRef: - name: bjw-s - kind: HelmRepository - namespace: flux-system - values: - controllers: - main: - type: statefulset - replicas: 1 - pod: - labels: - ingress.home.arpa/nginx-internal: "allow" - egress.home.arpa/world: "allow" # TODO: tighten this - # s3.home.arpa/store: "rgw-${CLUSTER_NAME}" - containers: - main: - image: &ncimg - repository: "ghcr.io/jjgadgets/nextcloud" - tag: "27.1.3-fpm" - env: &env - TZ: "${CONFIG_TZ}" - NC_DOMAIN: &host "${APP_DNS_NEXTCLOUD}" - NC_VERSION: "27.1.3" - NEXTCLOUD_DATA_DIR: "/ceph/data" - NEXTCLOUD_TRUSTED_DOMAINS: *host - POSTGRES_HOST: - valueFrom: - secretKeyRef: - name: &pgsec "pg-nextcloud-pguser-nextcloud" - key: "host" - POSTGRES_DB: - valueFrom: - secretKeyRef: - name: *pgsec - key: "dbname" - POSTGRES_USER: - valueFrom: - secretKeyRef: - name: *pgsec - key: "user" - POSTGRES_PASSWORD: - valueFrom: - secretKeyRef: - name: *pgsec - key: "password" - envFrom: &envFrom - - secretRef: - name: "nextcloud-secrets" - securityContext: &sc - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - probes: - startup: - enabled: true - type: TCP - spec: - initialDelaySeconds: 5 - timeoutSeconds: 1 - periodSeconds: 1 - failureThreshold: 7200 # 2 hours - resources: - requests: - cpu: 10m - memory: 128Mi - limits: - memory: 6000Mi - web: # just a static web server - image: - repository: "gcr.io/distroless/static-debian12" - tag: "latest" # screw version controlling a static web server, always tinfoil with latest version! - # command: ["/caddy/caddy", "file-server", "--listen", ":8080", "--root", "/var/www/html"] - command: ["/caddy/caddy", "run", "--config", "/Caddyfile"] - securityContext: *sc - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - memory: 256Mi - redis: - image: - repository: "public.ecr.aws/docker/library/redis" - tag: "7.4.1-bookworm@sha256:ea96c435dc17b011f54c6a883c3c45e7726242b075de61c6fe40a10ae6ae0f83" - command: ["redis-server", "--port", "0", "--bind", "127.0.0.1", "--unixsocket", "/sockets/redis.sock", "--unixsocketperm", "700"] - securityContext: *sc - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - memory: 256Mi - # push: - # image: *ncimg - # command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/redis.php"] - # env: - # PORT: &push "7867" - # NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}" - # DATABASE_PREFIX: "oc" - # DATABASE_URL: - # valueFrom: - # secretKeyRef: - # name: *pgsec - # key: "uri" - # securityContext: *sc - # resources: - # requests: - # cpu: 10m - # memory: 32Mi - # limits: - # memory: 256Mi - statefulset: - volumeClaimTemplates: - - name: "data" - accessMode: ReadWriteOnce - size: 100Gi - storageClass: block - advancedMounts: - main: - - subPath: nextcloud - path: /var/www/html - - subPath: config - path: /var/www/html/config - - subPath: data - path: /ceph - # push: - # - subPath: nextcloud - # path: /var/www/html - # readOnly: true - web: - - subPath: nextcloud - path: /var/www/html - readOnly: true - initContainers: - # 01-cp-config: - # image: *ncimg - # command: ["/bin/sh", "-c", "cp /nc-config/config.php /var/www/html/config/config.php; chmod 0400 /var/www/html/config/config.php"] - # securityContext: *sc - 02-caddy: - image: - repository: "public.ecr.aws/docker/library/caddy" - tag: "latest" - command: ["/bin/sh", "-c", "cp /usr/bin/caddy /caddy/caddy"] - securityContext: *sc - # 01-init-db: - # image: "ghcr.io/onedr0p/postgres-init:14.8" - # imagePullPolicy: IfNotPresent - # envFrom: [secretRef: {name: "nextcloud-pg-superuser"}] - service: - main: - ports: - http: - primary: false - port: 8080 - fpm: - primary: true - port: 9000 - # push: - # port: *push - ingress: - main: &ingress - enabled: true - primary: false - className: "nginx-internal" - hosts: - - host: *host - paths: - - &path - path: / - pathType: Prefix - service: - name: main - port: http - tls: - - hosts: - - *host - # fpm: - # <<: *ingress - # primary: true - # annotations: &fpm-anno - # nginx.ingress.kubernetes.io/use-regex: "true" - # nginx.ingress.kubernetes.io/backend-protocol: "FCGI" - # nginx.ingress.kubernetes.io/fastcgi-index: "index.php" - # nginx.ingress.kubernetes.io/fastcgi-params-configmap: "nextcloud/nextcloud-ingress-nginx-fastcgi" - # hosts: - # - host: *host - # paths: - # - path: "/.*\\.php(/|$)(.*)" - # pathType: ImplementationSpecific - # service: - # name: main - # port: fpm - # push: - # <<: *ingress - # annotations: - # nginx.ingress.kubernetes.io/use-regex: "true" - # nginx.ingress.kubernetes.io/rewrite-target: "/$2" - # hosts: - # - host: *host - # paths: - # - path: "/push(/|$)(.*)" - # pathType: ImplementationSpecific - # service: - # name: main - # port: push - dav: - <<: *ingress - annotations: - nginx.ingress.kubernetes.io/permanent-redirect: "/remote.php/dav/" - nginx.ingress.kubernetes.io/permanent-redirect-code: "301" - hosts: - - host: *host - paths: - - <<: *path - path: "/.well-known/carddav" - - <<: *path - path: "/.well-known/caldav" - well-known: - <<: *ingress - annotations: - nginx.ingress.kubernetes.io/permanent-redirect: "/index.php$request_uri" - nginx.ingress.kubernetes.io/permanent-redirect-code: "301" - hosts: - - host: *host - paths: - - <<: *path - path: "/.well-known" - persistence: - config: - enabled: true - type: configMap - name: "nextcloud-config" - advancedMounts: - main: - # 01-cp-config: - # - path: "/nc-config" - # readOnly: true - main: - # - path: "/nc-config" - - subPath: "config.php" - path: "/var/www/html/config/jj.config.php" - readOnly: true - # push: - # - path: "/var/www/html/config" - # readOnly: true - # caddy: - # enabled: true - # type: configMap - # name: "nextcloud-caddy" - # advancedMounts: - # main: - web: - - subPath: "Caddyfile" - path: "/Caddyfile" - readOnly: true - secrets: - enabled: true - type: secret - name: "nextcloud-secrets" - advancedMounts: - main: - main: - - subPath: "secrets.config.php" - path: "/var/www/html/config/secrets.config.php" - readOnly: true - nas: - enabled: true - existingClaim: "nextcloud-nas-data" - advancedMounts: - main: - # 01-cp-config: - # - subPath: "config" - # path: "/var/www/html/config" - main: - - subPath: "data" - path: "/nas" - # - subPath: "config" - # path: "/var/www/html/config" - tmp: - enabled: true - type: emptyDir - medium: Memory - advancedMounts: - main: - # 01-cp-config: - # - &cfgmnt - # subPath: "config" - # path: "/var/www/html/config" - main: - - subPath: "nextcloud" - path: "/tmp" - # - <<: *cfgmnt - # readOnly: true - - &sockmnt - subPath: "sockets" - path: "/sockets" - # push: - # - subPath: "nextcloud" - # path: "/tmp" - # - *sockmnt - redis: - - subPath: "redis-tmp" - path: "/tmp" - - subPath: "redis-data" - path: "/data" # for interval RDB saving - - *sockmnt - web: - - subPath: "caddy" - path: "/caddy" - readOnly: true - 02-caddy: - - subPath: "caddy" - path: "/caddy" - configMaps: - config: - enabled: true - data: - config.php: |- - '/ceph/data', - 'overwrite.cli.url' => 'https://${APP_DNS_NEXTCLOUD}', - 'overwriteprotocol' => 'https', - 'default_phone_region' => 'SG', - 'dbtype' => 'pgsql', - 'dbhost' => getenv('POSTGRES_HOST'), - 'dbport' => '5432', - 'dbname' => getenv('POSTGRES_DB'), - 'dbuser' => getenv('POSTGRES_USER'), - 'dbpassword' => getenv('POSTGRES_PASSWORD'), - 'dbtableprefix' => 'oc_', - 'memcache.local' => '\\OC\\Memcache\\APCu', - 'memcache.distributed' => '\\OC\\Memcache\\Redis', - 'memcache.locking' => '\\OC\\Memcache\\Redis', - 'redis' => - array ( - 'host' => '/sockets/redis.sock', - 'port' => 0, - ), - 'trusted_domains' => - array ( - 0 => '${APP_DNS_NEXTCLOUD}', - 1 => 'localhost', - 2 => '127.0.0.1', - ), - 'trusted_proxies' => - array ( - 0 => '${IP_POD_CIDR_V4}', - 1 => '127.0.0.1', - ), - 'apps_paths' => - array ( - 0 => - array ( - 'path' => '/var/www/html/apps', - 'url' => '/apps', - 'writable' => false, - ), - 1 => - array ( - 'path' => '/var/www/html/custom_apps', - 'url' => '/custom_apps', - 'writable' => true, - ), - ), - ); - # redis.php: | - # '\\OC\\Memcache\\APCu', - # 'memcache.distributed' => '\\OC\\Memcache\\Redis', - # 'memcache.locking' => '\\OC\\Memcache\\Redis', - # 'redis' => - # array ( - # 'host' => '/sockets/redis.sock', - # 'port' => 0, - # ), - # ); - # caddy: - # enabled: true - # data: - Caddyfile: | - { - http_port 8080 - https_port 8443 - } - ${APP_DNS_NEXTCLOUD}:8080 { - header Strict-Transport-Security "max-age=15768000;preload" - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - root * /var/www/html - encode zstd gzip - php_fastcgi 127.0.0.1:9000 { - root /var/www/html - env front_controller_active true - trusted_proxies ${IP_POD_CIDR_V4} - } - file_server - } - ingress-nginx-fastcgi: - enabled: true - data: - SCRIPT_FILENAME: "/var/www/html/$fastcgi_script_name" - PATH_INFO: "$fastcgi_path_info" - modHeadersAvailable: "true" - front_controller_active: "true" - defaultPodOptions: - automountServiceAccountToken: false - securityContext: - runAsUser: &uid 33 - runAsGroup: *uid - fsGroup: *uid - runAsNonRoot: false - seccompProfile: {type: "RuntimeDefault"} - fsGroupChangePolicy: "Always"