github-personal/Biohazard
1
0
Fork 0
mirror of https://github.com/outbackdingo/Biohazard.git synced 2026-01-27 18:18:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(nextcloud): crunchy PG, admin creds, cleanup

Browse Source
This commit is contained in:
JJGadgets
2023-11-03 07:31:41 +08:00
parent a5af15dee4
commit c2fc07aed0
5 changed files with 159 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
kube/clusters/biohazard/config/secrets.sops.env
View File

@@ -34,6 +34,7 @@ SECRET_VOLSYNC_PASSWORD=ENC[AES256_GCM,data:luZbC66TEN90ZeovPH9ycVVzvYiBk3x249sB
SECRET_VOLSYNC_R2_REPO=ENC[AES256_GCM,data:mbO4iS61FII8EXfMcRRu6kK69pnbdCLLARPWmlt4ta5F/lq20Byl/0ZVojbRPHLMmivgb6+z3dlxALjjJTvZrLGOGDCc8+BmNHxFjialAm3aNPr9ept0HlD8k71tSf8CY/s=,iv:NYDLCCzZ35mpUZBjh+zEc8M0c58RcNdWNfvLzL9F6dM=,tag:RHQcR8Lwkr129jXwN1vhnA==,type:str]
SECRET_VOLSYNC_R2_ID=ENC[AES256_GCM,data:MKOfV3t/LDQ0FUYXXcL3DzgMoCz9uGfJkkG3L+Zpmyk=,iv:591+OgMLhbU18DJmTgl494mLpEp2gWCpeWg84262N6M=,tag:cllraQY6pSZmAVIS42PbPA==,type:str]
SECRET_VOLSYNC_R2_KEY=ENC[AES256_GCM,data:880BQx/r+lp73c2vqDgs7JCyQs58D2qpgU2/U6ekrD0KEv9vWOm9Xg3Sttkow11ZTr7QBZv6vJatRUSqjWsJ2Q==,iv:M2zvGkT/wfZYS8jp7FIa1UwsSMHJTd4M3hmqykPpU1Y=,tag:SnPuOnmpr4X0kciaGbdVFA==,type:str]
SECRET_PGBACKREST_WAL_ENCRYPT=ENC[AES256_GCM,data:FHrl/JouEsT5s2vNI+V+LCXFr15x3PCS3dO3HIkZKd4IGnjCXwyhU2ZlWujpn4/m4lmsMCGc8ZeeJlN741ZcVLIi2Bnaw40NMJyD08AoGYFmpyTZ0pMY8Fm9a2Ag5kuEKrTooF2gupOtJD1lIzPdh0p+zArlUpgowCOcuYzwstYvQ3DWxqNLqXbDPKr3ogz4lSXiYIz4t/smAdNSzy6Vooig2HntQSE+onETvU90TKn2aOMUxvOn5V7nOYqdU21J8vRosz5VkHBc23gwn9lCRrY2xuqCTz8fJCIgzV63LtxFhGH4Qq2nHICR3MgptZnPosbwZA2InGZrQBkDgQU3RygqauYN0UmpoJnV65ojl9ucbhsKINyjUDAsrgOnhwFUI0Y/NA/XjU6iqdzqkCSLjjevV1dLORg+2rAfEwrGo+Bvdof7gDbzRQ0HhouwSmz667YxgwdpyYobGMgDR7ZW8mVe2ak/rW3aqlQc2CCO7o/l46UFUAPZkHVLpqZQ8hGXDspBk24gY0hZ5J9vAgiy8f0LUCSrZDC5f+hYJEqW7ACqaIS1UB9iJuFm6R6afxYv4W8yLrN74VIjKtZG1GqDWAwJ5bXLTDlVXUkvL/67+VzAEq6ZUyQv6VJ0/f7QwnmCbsEQIquT3I+kE30wpYZKqqyuaQaF5Kq4svUT+SZQPDXYp4FGp2EeqbvdqCIyxxL2ybUnI8qXjURf9GXyNkIEHDa9ePHnRLTH9XEnfq6vIXwiaPAyfdF1ZtCKcVo/VqE0IFbj9loNYyvHpv7q7ho70rXFl11/xFVkmjcguAJKPBTA/msmeTqi6KEp8NEPswieAL78RC5jsQrPQ3qhJbvTFVQhSXyrnHdbslQ3Fsj/62Z+6uOJeLaSLIrKji/PU2RBDIk44IDTMCthTrDp,iv:krhhqhA5VIYrGSBTjZrD3RqRwGa1VbtekWJ1k21Kph8=,tag:vKHK6nFAw1YJ9B2ktVUjHQ==,type:str]
SECRET_PGBACKREST_WAL_R2_ENDPOINT=ENC[AES256_GCM,data:oVzPxFx9vBzLSnrZrljmhw0yNZGF0HXPZ+iHP/q+44qF4Za2ji2zR8NoLZr5N3aPlwj1VP+J81ZT,iv:C5MoncOrM15ICnj1emUlx5jHi/xQqiMU5sZausuRpj0=,tag:xvRGlkWbsxN2skd1RwiS4g==,type:str]
SECRET_PGBACKREST_WAL_R2_BUCKET=ENC[AES256_GCM,data:d9kUcQUHw44LsIEj1AK/WwC69eHIYp4oc04qCGI=,iv:+1PU0RiOb4Cynuo+8tb3oobdKBXdQ/R7QBClN8EvhKk=,tag:ZHLoK8iipapYF0oTnEAgvg==,type:str]
SECRET_PGBACKREST_WAL_R2_CFAPI=ENC[AES256_GCM,data:9FoYBTzxtBDVi7JMkD4X04A2n85qTBSJNMHy0zJAWa2EzQ/+uQqPgA==,iv:whjTpY1ui7VBHMkb3d9q63eI25NbC+BE187WtwPYRu8=,tag:8jbF7gNdeLBwESfJeuWT0w==,type:str]
@@ -152,12 +153,14 @@ SECRET_PAPERLESS_NGX_ADMIN_PASSWORD=ENC[AES256_GCM,data:6/PeN9+zK+viah9LcqaHYUbN
SECRET_NEXTCLOUD_INSTANCEID=ENC[AES256_GCM,data:6liejBLYj4yuQvEA,iv:22EbF6M30G7ux+zQP5xnKrqFodaDc+6NVEn3cVD9Snc=,tag:HksD8O8DYZGyE23mYBjbKA==,type:str]
SECRET_NEXTCLOUD_PASSWORDSALT=ENC[AES256_GCM,data:mdt1zy/RPMlBa+GMHmG3TB/ZMh61+ayVlVK4H6vQ,iv:Y0igq1UDHvYOmKKfvFi0IM6z5yG9vIpCwyaAmrj4NbI=,tag:f0il/GWunYfu2uwh5gdRGw==,type:str]
SECRET_NEXTCLOUD_SECRET=ENC[AES256_GCM,data:ujfo1cqbLaL8u5y6FcQtgUw2NEupIlg5Bzc76LHJ7TZQRVOt6uHyVEfMof5WEnvE,iv:3Ke4VrRIVpdNxuh750SDiO1ocjB3BiGJfMp50Ne1yBU=,tag:FjV9v/P30NR5IVSNiIga6g==,type:str]
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
sops_mac=ENC[AES256_GCM,data:CgXiVUaCUz9WTi/2u8SYdiQBj/HUG5sof0XTYqB1E6BsCKCuJx+CUhYwDMrBxPMwNx4jgODHD9UYGSTobPPSKLk7DLJnl4u8Ix6K1Du3Fy3dF8qd6TblR/fbCGRE/kqk9EdOxcLxKjqePYCCjjOyDAUy/UIIRqT31XdSEy3GkOU=,iv:SSljgB124kMXJOzbUB5EQt7Lro3/bH/vBcsAKwPdV9k=,tag:zmLMAGDEdpuxp1AdMZVcRA==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.7.3
SECRET_NEXTCLOUD_ADMIN_USER=ENC[AES256_GCM,data:DPuZCJk8zKjZW+IM7ujaLg==,iv:aNM9RWMpuy3LSriNnojABFIcxCgl3H0Zk/Sm67ZWBOs=,tag:mcQEwj49Di4R+Wm/tnJqLw==,type:str]
SECRET_NEXTCLOUD_ADMIN_PASSWORD=ENC[AES256_GCM,data:PsdeZgQ5hlCMcx5OFxbXyL4N8wlHFGwPE09LrVCSSgqbXrpTDAAkyFE7TAxuyLn8jvwhZtQOP+GpIpCpBjxmHmGHRlncNdRJXcWuMgQoby+BmemMhxgDbmKbZbU9hB8blf89XpRqhmvfY4N6xp9Oaj88z4epRy2lH/DRDk8GXRncZxqwNNcu1BzI25Wzhou9gMtpxq62tSalJ3PdmnQALPCxaVXVhEwrwdIoOzVXto+kXSzeRY/RAVq/JTq/aUAeS7quTHMc7k70CHZMyRfXIC/CQXt9ZD6ToDQMrw==,iv:aHyVv2oAAWt3Ti4+9pgGy7mCL63gBl0G7gmv4trYOHM=,tag:w32Jy68K/v4hKqdql5ZAAg==,type:str]
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
sops_lastmodified=2023-10-30T17:42:00Z
sops_unencrypted_suffix=_unencrypted
sops_lastmodified=2023-11-02T23:00:18Z
sops_mac=ENC[AES256_GCM,data:4v0Vzu3VDn5wVvYWKhDL4z9bSflcjTu3J+ozb5Fjw5FubgMgT39NUBAXs2y3VTgfrD9szTxW+xJon4wwCtuK7OjZpmwhJqjlMT+Gx0eMoBbNxV30kwDZSP9Jd1nPPF68I3ztvt44rKA6s7tRPYzF8TYxWt5hd2pPcqLZ200KMSY=,iv:jFF/mpgHB0JUeLZt8lL9z1NwSaYGJ5RT65Grx3Ecrms=,tag:VK8uRgcX62bhiFeJqTxxAg==,type:str]
sops_version=3.7.3
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n

13
kube/clusters/biohazard/config/vars.sops.env
View File

@@ -57,6 +57,7 @@ DNS_OLD_DOCKER=ENC[AES256_GCM,data:9nDHAHXCge/1+Ht8ufHWbqCoCC61,iv:8OsS2kwc+wM91
PATH_NAS_MEDIA=ENC[AES256_GCM,data:ZpKa4xnMHKWOO9pDQ1b1NlHWQPfuybn81u4uQ409,iv:dB84+0jnUJDylWpOABTdylsT0gR10l2LNGE6trHZtNk=,tag:l/bt9asoFhEosRlpfLncgw==,type:str]
PATH_NAS_PERSIST_K8S=ENC[AES256_GCM,data:nS9umA3p29pVqWJoB5HpupInDSrg0N6GSvjEkM0l8uVaOcL2,iv:+3mMWya4stoQ3KHO1HmPUQ+Q4bq3y5farOhRJw5xPws=,tag:Jo9eSG8dfR1qn6mu6n7HDg==,type:str]
PATH_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:XQiudCzciERVNC+EJ4pU/Y91Zp6MwEqleIjI57EUB/Ahb2hc,iv:EuOd7eXnKkpKBSZafcgnJxB6lZ7cKBIao/5IeabwBbs=,tag:BDHXnmljGz/7IjSuSo7IDg==,type:str]
PATH_NAS_BACKUPS_PGBACKREST=ENC[AES256_GCM,data:lii1cb4Uw7DIhZQ9tkBYvWWdJdBkiwafaQXEf2BbcB1RwY/N3gWJTut4Vg==,iv:FvJ7ONjjRhfLG6poEybYoAM4EZVf8jcwCMnUT37WTwM=,tag:7ZOoZkD9L+oLqBc/bOf6zQ==,type:str]
UID_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:e5JN5w==,iv:bXwb5LuwvZyFhjhbpbnabvNKX03VPB/9XY402CoBwx0=,tag:hDXYQzou/ZPpEbLYkQDl+A==,type:str]
APP_IP_NGINX=ENC[AES256_GCM,data:Mdm/bUsZTsv9iQ==,iv:LIbtBukgaQBVkx+bIrMlIGH4OnuuQTPFDYoXhfElALE=,tag:nwhE5BSEFGlojABTYzfJsw==,type:str]
APP_IP_K8S_GATEWAY=ENC[AES256_GCM,data:mNfGiLFSLx4dpAo=,iv:CYo6xNLE+bunmdTbvCGMI86VXi4t9r+FMqCp6arFeYg=,tag:u8tTxJquRYb13UyiQXVSKQ==,type:str]
@@ -179,12 +180,12 @@ CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzI
CONFIG_THELOUNGE_USERNAME=ENC[AES256_GCM,data:+C2aABtqq8YG,iv:4DYpguAvmaqPedRgrflDlKfX5jJEhyWXKuRS+UVgHLo=,tag:vfJko+R2D8ct7KZC2Vnujw==,type:str]
CONFIG_THELOUNGE_JOIN=ENC[AES256_GCM,data:ocuC,iv:9Cn9zp2+iIVrEXYxklEtkpftmJwTGsWnff2xIG9KNec=,tag:3UL9Gn+kHoXu+40CFkP7sg==,type:str]
CONFIG_PSONO_TITLE=ENC[AES256_GCM,data:ORXmkTqtuka3l5M0pdu1NKxdX3Pes3xdEMw=,iv:Mbw/KUQJcIdYdcWby6qeCY4Q31Vc+dUOjLLprHL5P9E=,tag:HavoGugubPrunCoOkL40Mw==,type:str]
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
sops_lastmodified=2023-10-28T13:13:13Z
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n
sops_mac=ENC[AES256_GCM,data:Ilt385GSM0e/cW+MynLqWugyxSekTIs5Rzkq6NnREzdfYq9Kyna3gifDcxNcfKVJjEGIvq3E4yn1Z8sjnfNVDJ5lBxl/E7rSVML+B/cHzhOzljl2MCBjUFGF33XxCaaFDgIXCPdGugmlLBEJlt9l9MFhcUslieHynccvrAMeDps=,iv:cg/akeRuDl36cBKtD7TlLMGBJW2NejsRtUKx3yCWNKk=,tag:7o4hiwa7liuGLJso/XR3xw==,type:str]
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z
sops_unencrypted_suffix=_unencrypted
sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n
sops_lastmodified=2023-11-02T19:30:55Z
sops_mac=ENC[AES256_GCM,data:rRdhLEQ62Xma+xaXNx3of9wqPPqgdfgHIg/fhLh+tF/uP2xARvY+2A07iNeuAnZwsCKNSaJIeT7VDzVL1JqTxk47nZXC9eYKT+j6Z2RX75QhGBU36Elab2FPs7gePz52lDRX2l7S+FH/7NmBZZ4/qHs+ef/zddgRvipXD104tlw=,iv:7BbxQVzhNtaZFzNdZRO480qh/3OZP/TPftlV6kDotb0=,tag:T4mxvcz8SKg63SORVHnF9A==,type:str]
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
sops_version=3.7.3

227
kube/deploy/apps/nextcloud/app/hr.yaml
View File

@@ -5,6 +5,7 @@ metadata:
name: &app nextcloud
namespace: *app
spec:
timeout: 1h
chart:
spec:
chart: app-template
@@ -26,22 +27,34 @@ spec:
containers:
main:
image: &ncimg
repository: "public.ecr.aws/docker/library/nextcloud"
repository: "ghcr.io/jjgadgets/nextcloud"
tag: "27.1.3-fpm"
env:
TZ: "${CONFIG_TZ}"
NC_DOMAIN: "${APP_DNS_NEXTCLOUD}"
NC_DOMAIN: &host "${APP_DNS_NEXTCLOUD}"
NC_VERSION: "27.1.3"
# GTS_STORAGE_S3_ACCESS_KEY:
# valueFrom:
# secretKeyRef:
# name: "nextcloud-data-s3"
# key: "AWS_ACCESS_KEY_ID"
# GTS_STORAGE_S3_SECRET_KEY:
# valueFrom:
# secretKeyRef:
# name: "nextcloud-media-s3"
# key: "AWS_SECRET_ACCESS_KEY"
NEXTCLOUD_DATA_DIR: "/ncdata"
NEXTCLOUD_TRUSTED_DOMAINS: *host
POSTGRES_HOST:
valueFrom:
secretKeyRef:
name: &pgsec "pg-nextcloud-pguser-nextcloud"
key: "host"
POSTGRES_DB:
valueFrom:
secretKeyRef:
name: *pgsec
key: "dbname"
POSTGRES_USER:
valueFrom:
secretKeyRef:
name: *pgsec
key: "user"
POSTGRES_PASSWORD:
valueFrom:
secretKeyRef:
name: *pgsec
key: "password"
envFrom:
- secretRef:
name: "nextcloud-secrets"
@@ -50,6 +63,15 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
probes:
startup:
enabled: true
type: TCP
spec:
initialDelaySeconds: 15
timeoutSeconds: 1
periodSeconds: 1
failureThreshold: 7200 # 2 hours
resources:
requests:
cpu: 10m
@@ -80,22 +102,22 @@ spec:
memory: 32Mi
limits:
memory: 256Mi
# push:
# image: *ncimg
# command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/config.php"]
# env:
# NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}"
# PORT: &push "7867"
# securityContext: *sc
# resources:
# requests:
# cpu: 10m
# memory: 32Mi
# limits:
# memory: 256Mi
push:
image: *ncimg
command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/config.php"]
env:
NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}"
PORT: &push "7867"
securityContext: *sc
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
memory: 256Mi
statefulset:
volumeClaimTemplates:
- name: data
- name: "data"
accessMode: ReadWriteOnce
size: 100Gi
storageClass: block
@@ -105,12 +127,14 @@ spec:
path: /var/www/html
- subPath: data
path: /ceph
# push:
# - subPath: nextcloud
# path: /var/www/html
push:
- subPath: nextcloud
path: /var/www/html
readOnly: true
web:
- subPath: nextcloud
path: /var/www/html
readOnly: true
initContainers:
02-caddy:
image:
@@ -126,18 +150,20 @@ spec:
main:
ports:
http:
primary: false
port: 8080
fpm:
primary: true
port: 9000
# push:
# port: *push
push:
port: *push
ingress:
main: &ingress
enabled: true
primary: false
className: nginx
hosts:
- host: &host "${APP_DNS_NEXTCLOUD}"
- host: *host
paths:
- &path
path: /
@@ -164,33 +190,19 @@ spec:
service:
name: main
port: fpm
# fpm-legacy:
# <<: *ingress
# annotations:
# <<: *fpm-anno
# nginx.ingress.kubernetes.io/rewrite-target: "/index.php$request_uri"
# hosts:
# - host: *host
# paths:
# - path: |-
# /(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)
# pathType: ImplementationSpecific
# service:
# name: main
# port: fpm
# push:
# <<: *ingress
# annotations:
# nginx.ingress.kubernetes.io/use-regex: "true"
# nginx.ingress.kubernetes.io/rewrite-target: "/$2"
# hosts:
# - host: *host
# paths:
# - path: "/push(/|$)(.*)"
# pathType: ImplementationSpecific
# service:
# name: main
# port: push
push:
<<: *ingress
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: "/$2"
hosts:
- host: *host
paths:
- path: "/push(/|$)(.*)"
pathType: ImplementationSpecific
service:
name: main
port: push
dav:
<<: *ingress
annotations:
@@ -225,18 +237,16 @@ spec:
main:
- mountPath: "/var/www/html/config"
readOnly: true
# push:
# - mountPath: "/var/www/html/config"
# readOnly: true
push:
- mountPath: "/var/www/html/config"
readOnly: true
nas:
enabled: true
type: nfs
server: "${IP_TRUENAS}"
path: "${PATH_NAS_PERSIST_K8S}/nextcloud"
existingClaim: "nextcloud-nas-data"
advancedMounts:
main:
main:
- path: "/nas"
- path: "/ncdata"
tmp:
enabled: true
type: emptyDir
@@ -249,17 +259,22 @@ spec:
- &sockmnt
subPath: "sockets"
path: "/sockets"
# push:
# - subPath: "nextcloud"
# path: "/tmp"
redis:
- subPath: "redis"
push:
- subPath: "nextcloud"
path: "/tmp"
redis:
- subPath: "redis-tmp"
path: "/tmp"
- subPath: "redis-data"
path: "/data" # for interval RDB saving
- *sockmnt
web: &caddymnt
web:
- subPath: "caddy"
path: "/caddy"
readOnly: true
02-caddy:
- subPath: "caddy"
path: "/caddy"
02-caddy: *caddymnt
configMaps:
config:
enabled: true
@@ -267,7 +282,38 @@ spec:
config.php: |-
<?php
$CONFIG = array (
'instanceid' => getenv('NC_INSTANCEID'),
'passwordsalt' => getenv('NC_PASSWORDSALT'),
'secret' => getenv('NC_SECRET'),
'datadirectory' => '/ncdata',
'version' => getenv('NC_VERSION'),
'overwrite.cli.url' => 'https://' . getenv('NC_DOMAIN'),
'overwriteprotocol' => 'https',
'default_phone_region' => 'SG',
'dbtype' => 'pgsql',
'dbhost' => getenv('POSTGRES_HOST'),
'dbport' => '5432',
'dbname' => getenv('POSTGRES_DB'),
'dbuser' => getenv('POSTGRES_USER'),
'dbpassword' => getenv('POSTGRES_PASSWORD'),
'dbtableprefix' => 'oc_',
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/sockets/redis.sock',
'port' => 0,
),
'trusted_domains' =>
array (
0 => getenv('NC_DOMAIN'),
),
'trusted_proxies' =>
array (
0 => '${IP_POD_CIDR_V4}',
1 => '127.0.0.1',
),
'apps_paths' =>
array (
0 =>
@@ -283,40 +329,7 @@ spec:
'writable' => true,
),
),
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/sockets/redis.sock',
'port' => 0,
),
'instanceid' => getenv('NC_INSTANCEID'),
'passwordsalt' => getenv('NC_PASSWORDSALT'),
'secret' => getenv('NC_SECRET'),
'trusted_domains' =>
array (
0 => getenv('NC_DOMAIN'),
),
'trusted_proxies' =>
array (
0 => '${IP_POD_CIDR_V4}',
1 => '127.0.0.1',
),
'datadirectory' => '/nas',
'version' => getenv('NC_VERSION'),
'overwrite.cli.url' => 'https://' . getenv('NC_DOMAIN'),
'overwriteprotocol' => 'https',
'installed' => true,
'default_phone_region' => 'SG',
);
# test with SQLite first, then try CrunchyData Postgres
# 'dbtype' => 'pgsql',
# 'dbname' => getenv('INIT_POSTGRES_DBNAME'),
# 'dbhost' => getenv('INIT_POSTGRES_HOST'),
# 'dbport' => '5432',
# 'dbtableprefix' => 'oc_',
# 'dbuser' => getenv('INIT_POSTGRES_USER'),
# 'dbpassword' => getenv('INIT_POSTGRES_PASS'),
ingress-nginx-fastcgi:
enabled: true
data:
@@ -332,4 +345,4 @@ spec:
fsGroup: *uid
runAsNonRoot: false
seccompProfile: {type: "RuntimeDefault"}
fsGroupChangePolicy: Always
fsGroupChangePolicy: "Always"

2
kube/deploy/apps/nextcloud/app/secrets.yaml
View File

@@ -9,3 +9,5 @@ stringData:
NC_INSTANCEID: "${SECRET_NEXTCLOUD_INSTANCEID}"
NC_PASSWORDSALT: "${SECRET_NEXTCLOUD_PASSWORDSALT}"
NC_SECRET: "${SECRET_NEXTCLOUD_SECRET}"
NEXTCLOUD_ADMIN_USER: "${SECRET_NEXTCLOUD_ADMIN_USER}"
NEXTCLOUD_ADMIN_PASSWORD: "${SECRET_NEXTCLOUD_ADMIN_PASSWORD}"

22
kube/deploy/apps/nextcloud/ks.yaml
View File

@@ -8,5 +8,25 @@ spec:
path: ./kube/deploy/apps/nextcloud/app
dependsOn:
- name: 1-core-storage-rook-ceph-cluster
- name: 1-core-ingress-nginx-app
- name: 1-core-storage-volsync-app
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: nextcloud-db
namespace: flux-system
spec:
path: ./kube/deploy/core/db/pg/clusters/template
dependsOn:
- name: 1-core-db-pg-app
- name: 1-core-storage-rook-ceph-cluster
postBuild:
substitute:
PG_APP_NAME: &app "nextcloud"
PG_APP_NS: *app
PG_DB_NAME: *app
PG_DB_USER: *app
PG_REPLICAS: "3"
PG_SC: "block"
PG_CONFIG_VERSION: "15.2-11"
PG_CONFIG_SIZE: "20Gi"