From c2fc07aed0a3817cd760b01ac74be29c5cb6f15c Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Fri, 3 Nov 2023 07:31:41 +0800
Subject: [PATCH] feat(nextcloud): crunchy PG, admin creds, cleanup

---
 .../biohazard/config/secrets.sops.env | 15 +-
 kube/clusters/biohazard/config/vars.sops.env | 13 +-
 kube/deploy/apps/nextcloud/app/hr.yaml | 227 +++++++++---------
 kube/deploy/apps/nextcloud/app/secrets.yaml | 2 +
 kube/deploy/apps/nextcloud/ks.yaml | 22 +-
 5 files changed, 159 insertions(+), 120 deletions(-)

diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env
index 0bec8754..f820daca 100644
--- a/kube/clusters/biohazard/config/secrets.sops.env
+++ b/kube/clusters/biohazard/config/secrets.sops.env
@@ -34,6 +34,7 @@ SECRET_VOLSYNC_PASSWORD=ENC[AES256_GCM,data:luZbC66TEN90ZeovPH9ycVVzvYiBk3x249sB SECRET_VOLSYNC_R2_REPO=ENC[AES256_GCM,data:mbO4iS61FII8EXfMcRRu6kK69pnbdCLLARPWmlt4ta5F/lq20Byl/0ZVojbRPHLMmivgb6+z3dlxALjjJTvZrLGOGDCc8+BmNHxFjialAm3aNPr9ept0HlD8k71tSf8CY/s=,iv:NYDLCCzZ35mpUZBjh+zEc8M0c58RcNdWNfvLzL9F6dM=,tag:RHQcR8Lwkr129jXwN1vhnA==,type:str] SECRET_VOLSYNC_R2_ID=ENC[AES256_GCM,data:MKOfV3t/LDQ0FUYXXcL3DzgMoCz9uGfJkkG3L+Zpmyk=,iv:591+OgMLhbU18DJmTgl494mLpEp2gWCpeWg84262N6M=,tag:cllraQY6pSZmAVIS42PbPA==,type:str] SECRET_VOLSYNC_R2_KEY=ENC[AES256_GCM,data:880BQx/r+lp73c2vqDgs7JCyQs58D2qpgU2/U6ekrD0KEv9vWOm9Xg3Sttkow11ZTr7QBZv6vJatRUSqjWsJ2Q==,iv:M2zvGkT/wfZYS8jp7FIa1UwsSMHJTd4M3hmqykPpU1Y=,tag:SnPuOnmpr4X0kciaGbdVFA==,type:str] +SECRET_PGBACKREST_WAL_ENCRYPT=ENC[AES256_GCM,data:FHrl/JouEsT5s2vNI+V+LCXFr15x3PCS3dO3HIkZKd4IGnjCXwyhU2ZlWujpn4/m4lmsMCGc8ZeeJlN741ZcVLIi2Bnaw40NMJyD08AoGYFmpyTZ0pMY8Fm9a2Ag5kuEKrTooF2gupOtJD1lIzPdh0p+zArlUpgowCOcuYzwstYvQ3DWxqNLqXbDPKr3ogz4lSXiYIz4t/smAdNSzy6Vooig2HntQSE+onETvU90TKn2aOMUxvOn5V7nOYqdU21J8vRosz5VkHBc23gwn9lCRrY2xuqCTz8fJCIgzV63LtxFhGH4Qq2nHICR3MgptZnPosbwZA2InGZrQBkDgQU3RygqauYN0UmpoJnV65ojl9ucbhsKINyjUDAsrgOnhwFUI0Y/NA/XjU6iqdzqkCSLjjevV1dLORg+2rAfEwrGo+Bvdof7gDbzRQ0HhouwSmz667YxgwdpyYobGMgDR7ZW8mVe2ak/rW3aqlQc2CCO7o/l46UFUAPZkHVLpqZQ8hGXDspBk24gY0hZ5J9vAgiy8f0LUCSrZDC5f+hYJEqW7ACqaIS1UB9iJuFm6R6afxYv4W8yLrN74VIjKtZG1GqDWAwJ5bXLTDlVXUkvL/67+VzAEq6ZUyQv6VJ0/f7QwnmCbsEQIquT3I+kE30wpYZKqqyuaQaF5Kq4svUT+SZQPDXYp4FGp2EeqbvdqCIyxxL2ybUnI8qXjURf9GXyNkIEHDa9ePHnRLTH9XEnfq6vIXwiaPAyfdF1ZtCKcVo/VqE0IFbj9loNYyvHpv7q7ho70rXFl11/xFVkmjcguAJKPBTA/msmeTqi6KEp8NEPswieAL78RC5jsQrPQ3qhJbvTFVQhSXyrnHdbslQ3Fsj/62Z+6uOJeLaSLIrKji/PU2RBDIk44IDTMCthTrDp,iv:krhhqhA5VIYrGSBTjZrD3RqRwGa1VbtekWJ1k21Kph8=,tag:vKHK6nFAw1YJ9B2ktVUjHQ==,type:str] 
SECRET_PGBACKREST_WAL_R2_ENDPOINT=ENC[AES256_GCM,data:oVzPxFx9vBzLSnrZrljmhw0yNZGF0HXPZ+iHP/q+44qF4Za2ji2zR8NoLZr5N3aPlwj1VP+J81ZT,iv:C5MoncOrM15ICnj1emUlx5jHi/xQqiMU5sZausuRpj0=,tag:xvRGlkWbsxN2skd1RwiS4g==,type:str] SECRET_PGBACKREST_WAL_R2_BUCKET=ENC[AES256_GCM,data:d9kUcQUHw44LsIEj1AK/WwC69eHIYp4oc04qCGI=,iv:+1PU0RiOb4Cynuo+8tb3oobdKBXdQ/R7QBClN8EvhKk=,tag:ZHLoK8iipapYF0oTnEAgvg==,type:str] SECRET_PGBACKREST_WAL_R2_CFAPI=ENC[AES256_GCM,data:9FoYBTzxtBDVi7JMkD4X04A2n85qTBSJNMHy0zJAWa2EzQ/+uQqPgA==,iv:whjTpY1ui7VBHMkb3d9q63eI25NbC+BE187WtwPYRu8=,tag:8jbF7gNdeLBwESfJeuWT0w==,type:str] 
@@ -152,12 +153,14 @@ SECRET_PAPERLESS_NGX_ADMIN_PASSWORD=ENC[AES256_GCM,data:6/PeN9+zK+viah9LcqaHYUbN SECRET_NEXTCLOUD_INSTANCEID=ENC[AES256_GCM,data:6liejBLYj4yuQvEA,iv:22EbF6M30G7ux+zQP5xnKrqFodaDc+6NVEn3cVD9Snc=,tag:HksD8O8DYZGyE23mYBjbKA==,type:str] SECRET_NEXTCLOUD_PASSWORDSALT=ENC[AES256_GCM,data:mdt1zy/RPMlBa+GMHmG3TB/ZMh61+ayVlVK4H6vQ,iv:Y0igq1UDHvYOmKKfvFi0IM6z5yG9vIpCwyaAmrj4NbI=,tag:f0il/GWunYfu2uwh5gdRGw==,type:str] SECRET_NEXTCLOUD_SECRET=ENC[AES256_GCM,data:ujfo1cqbLaL8u5y6FcQtgUw2NEupIlg5Bzc76LHJ7TZQRVOt6uHyVEfMof5WEnvE,iv:3Ke4VrRIVpdNxuh750SDiO1ocjB3BiGJfMp50Ne1yBU=,tag:FjV9v/P30NR5IVSNiIga6g==,type:str] -sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z -sops_mac=ENC[AES256_GCM,data:CgXiVUaCUz9WTi/2u8SYdiQBj/HUG5sof0XTYqB1E6BsCKCuJx+CUhYwDMrBxPMwNx4jgODHD9UYGSTobPPSKLk7DLJnl4u8Ix6K1Du3Fy3dF8qd6TblR/fbCGRE/kqk9EdOxcLxKjqePYCCjjOyDAUy/UIIRqT31XdSEy3GkOU=,iv:SSljgB124kMXJOzbUB5EQt7Lro3/bH/vBcsAKwPdV9k=,tag:zmLMAGDEdpuxp1AdMZVcRA==,type:str] -sops_unencrypted_suffix=_unencrypted -sops_version=3.7.3 +SECRET_NEXTCLOUD_ADMIN_USER=ENC[AES256_GCM,data:DPuZCJk8zKjZW+IM7ujaLg==,iv:aNM9RWMpuy3LSriNnojABFIcxCgl3H0Zk/Sm67ZWBOs=,tag:mcQEwj49Di4R+Wm/tnJqLw==,type:str] +SECRET_NEXTCLOUD_ADMIN_PASSWORD=ENC[AES256_GCM,data:PsdeZgQ5hlCMcx5OFxbXyL4N8wlHFGwPE09LrVCSSgqbXrpTDAAkyFE7TAxuyLn8jvwhZtQOP+GpIpCpBjxmHmGHRlncNdRJXcWuMgQoby+BmemMhxgDbmKbZbU9hB8blf89XpRqhmvfY4N6xp9Oaj88z4epRy2lH/DRDk8GXRncZxqwNNcu1BzI25Wzhou9gMtpxq62tSalJ3PdmnQALPCxaVXVhEwrwdIoOzVXto+kXSzeRY/RAVq/JTq/aUAeS7quTHMc7k70CHZMyRfXIC/CQXt9ZD6ToDQMrw==,iv:aHyVv2oAAWt3Ti4+9pgGy7mCL63gBl0G7gmv4trYOHM=,tag:w32Jy68K/v4hKqdql5ZAAg==,type:str] sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_lastmodified=2023-10-30T17:42:00Z +sops_unencrypted_suffix=_unencrypted +sops_lastmodified=2023-11-02T23:00:18Z +sops_mac=ENC[AES256_GCM,data:4v0Vzu3VDn5wVvYWKhDL4z9bSflcjTu3J+ozb5Fjw5FubgMgT39NUBAXs2y3VTgfrD9szTxW+xJon4wwCtuK7OjZpmwhJqjlMT+Gx0eMoBbNxV30kwDZSP9Jd1nPPF68I3ztvt44rKA6s7tRPYzF8TYxWt5hd2pPcqLZ200KMSY=,iv:jFF/mpgHB0JUeLZt8lL9z1NwSaYGJ5RT65Grx3Ecrms=,tag:VK8uRgcX62bhiFeJqTxxAg==,type:str] +sops_version=3.7.3 +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env index 9e764593..6dbf3a03 100644 --- a/kube/clusters/biohazard/config/vars.sops.env +++ b/kube/clusters/biohazard/config/vars.sops.env 
@@ -57,6 +57,7 @@ DNS_OLD_DOCKER=ENC[AES256_GCM,data:9nDHAHXCge/1+Ht8ufHWbqCoCC61,iv:8OsS2kwc+wM91 PATH_NAS_MEDIA=ENC[AES256_GCM,data:ZpKa4xnMHKWOO9pDQ1b1NlHWQPfuybn81u4uQ409,iv:dB84+0jnUJDylWpOABTdylsT0gR10l2LNGE6trHZtNk=,tag:l/bt9asoFhEosRlpfLncgw==,type:str] PATH_NAS_PERSIST_K8S=ENC[AES256_GCM,data:nS9umA3p29pVqWJoB5HpupInDSrg0N6GSvjEkM0l8uVaOcL2,iv:+3mMWya4stoQ3KHO1HmPUQ+Q4bq3y5farOhRJw5xPws=,tag:Jo9eSG8dfR1qn6mu6n7HDg==,type:str] PATH_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:XQiudCzciERVNC+EJ4pU/Y91Zp6MwEqleIjI57EUB/Ahb2hc,iv:EuOd7eXnKkpKBSZafcgnJxB6lZ7cKBIao/5IeabwBbs=,tag:BDHXnmljGz/7IjSuSo7IDg==,type:str] +PATH_NAS_BACKUPS_PGBACKREST=ENC[AES256_GCM,data:lii1cb4Uw7DIhZQ9tkBYvWWdJdBkiwafaQXEf2BbcB1RwY/N3gWJTut4Vg==,iv:FvJ7ONjjRhfLG6poEybYoAM4EZVf8jcwCMnUT37WTwM=,tag:7ZOoZkD9L+oLqBc/bOf6zQ==,type:str] UID_NAS_BACKUPS_K8S=ENC[AES256_GCM,data:e5JN5w==,iv:bXwb5LuwvZyFhjhbpbnabvNKX03VPB/9XY402CoBwx0=,tag:hDXYQzou/ZPpEbLYkQDl+A==,type:str] APP_IP_NGINX=ENC[AES256_GCM,data:Mdm/bUsZTsv9iQ==,iv:LIbtBukgaQBVkx+bIrMlIGH4OnuuQTPFDYoXhfElALE=,tag:nwhE5BSEFGlojABTYzfJsw==,type:str] APP_IP_K8S_GATEWAY=ENC[AES256_GCM,data:mNfGiLFSLx4dpAo=,iv:CYo6xNLE+bunmdTbvCGMI86VXi4t9r+FMqCp6arFeYg=,tag:u8tTxJquRYb13UyiQXVSKQ==,type:str] 
@@ -179,12 +180,12 @@ CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzI CONFIG_THELOUNGE_USERNAME=ENC[AES256_GCM,data:+C2aABtqq8YG,iv:4DYpguAvmaqPedRgrflDlKfX5jJEhyWXKuRS+UVgHLo=,tag:vfJko+R2D8ct7KZC2Vnujw==,type:str] CONFIG_THELOUNGE_JOIN=ENC[AES256_GCM,data:ocuC,iv:9Cn9zp2+iIVrEXYxklEtkpftmJwTGsWnff2xIG9KNec=,tag:3UL9Gn+kHoXu+40CFkP7sg==,type:str] CONFIG_PSONO_TITLE=ENC[AES256_GCM,data:ORXmkTqtuka3l5M0pdu1NKxdX3Pes3xdEMw=,iv:Mbw/KUQJcIdYdcWby6qeCY4Q31Vc+dUOjLLprHL5P9E=,tag:HavoGugubPrunCoOkL40Mw==,type:str] -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n -sops_lastmodified=2023-10-28T13:13:13Z -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n -sops_mac=ENC[AES256_GCM,data:Ilt385GSM0e/cW+MynLqWugyxSekTIs5Rzkq6NnREzdfYq9Kyna3gifDcxNcfKVJjEGIvq3E4yn1Z8sjnfNVDJ5lBxl/E7rSVML+B/cHzhOzljl2MCBjUFGF33XxCaaFDgIXCPdGugmlLBEJlt9l9MFhcUslieHynccvrAMeDps=,iv:cg/akeRuDl36cBKtD7TlLMGBJW2NejsRtUKx3yCWNKk=,tag:7o4hiwa7liuGLJso/XR3xw==,type:str] sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z sops_unencrypted_suffix=_unencrypted +sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z +sops_age__list_0__map_enc=-----BEGIN 
AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n +sops_lastmodified=2023-11-02T19:30:55Z +sops_mac=ENC[AES256_GCM,data:rRdhLEQ62Xma+xaXNx3of9wqPPqgdfgHIg/fhLh+tF/uP2xARvY+2A07iNeuAnZwsCKNSaJIeT7VDzVL1JqTxk47nZXC9eYKT+j6Z2RX75QhGBU36Elab2FPs7gePz52lDRX2l7S+FH/7NmBZZ4/qHs+ef/zddgRvipXD104tlw=,iv:7BbxQVzhNtaZFzNdZRO480qh/3OZP/TPftlV6kDotb0=,tag:T4mxvcz8SKg63SORVHnF9A==,type:str] +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 sops_version=3.7.3 diff --git a/kube/deploy/apps/nextcloud/app/hr.yaml b/kube/deploy/apps/nextcloud/app/hr.yaml index feabf854..2fa9ca92 100644 --- a/kube/deploy/apps/nextcloud/app/hr.yaml +++ b/kube/deploy/apps/nextcloud/app/hr.yaml @@ -5,6 +5,7 @@ metadata: name: &app nextcloud namespace: *app spec: + timeout: 1h chart: spec: chart: app-template 
@@ -26,22 +27,34 @@ spec: containers: main: image: &ncimg - repository: "public.ecr.aws/docker/library/nextcloud" + repository: "ghcr.io/jjgadgets/nextcloud" tag: "27.1.3-fpm" env: TZ: "${CONFIG_TZ}" - NC_DOMAIN: "${APP_DNS_NEXTCLOUD}" + NC_DOMAIN: &host "${APP_DNS_NEXTCLOUD}" NC_VERSION: "27.1.3" - # GTS_STORAGE_S3_ACCESS_KEY: - # valueFrom: - # secretKeyRef: - # name: "nextcloud-data-s3" - # key: "AWS_ACCESS_KEY_ID" - # GTS_STORAGE_S3_SECRET_KEY: - # valueFrom: - # secretKeyRef: - # name: "nextcloud-media-s3" - # key: "AWS_SECRET_ACCESS_KEY" + NEXTCLOUD_DATA_DIR: "/ncdata" + NEXTCLOUD_TRUSTED_DOMAINS: *host + POSTGRES_HOST: + valueFrom: + secretKeyRef: + name: &pgsec "pg-nextcloud-pguser-nextcloud" + key: "host" + POSTGRES_DB: + valueFrom: + secretKeyRef: + name: *pgsec + key: "dbname" + POSTGRES_USER: + valueFrom: + secretKeyRef: + name: *pgsec + key: "user" + POSTGRES_PASSWORD: + valueFrom: + secretKeyRef: + name: *pgsec + key: "password" envFrom: - secretRef: name: "nextcloud-secrets" @@ -50,6 +63,15 @@ spec: allowPrivilegeEscalation: false capabilities: drop: ["ALL"] + probes: + startup: + enabled: true + type: TCP + spec: + initialDelaySeconds: 15 + timeoutSeconds: 1 + periodSeconds: 1 + failureThreshold: 7200 # 2 hours resources: requests: cpu: 10m 
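Review bot: The main container image moves from the Docker library image to the personal build `ghcr.io/jjgadgets/nextcloud` referenced by the mutable tag `27.1.3-fpm` alone, so every pull trusts whatever that tag resolves to at the time, and the same image (through the `*ncimg` alias) also runs the notify_push sidecar added later in this patch. Pin it to a digest, `tag: "27.1.3-fpm@sha256:<digest-of-the-build>"` (or whichever digest field app-template exposes), and add a comment above `image:` naming the Dockerfile or repository the image is built from so its provenance can be reviewed. Reading `POSTGRES_HOST`/`POSTGRES_DB`/`POSTGRES_USER`/`POSTGRES_PASSWORD` key-by-key from the `pg-nextcloud-pguser-nextcloud` Secret instead of templating them into the ConfigMap is the right call. The container spec this `image` block belongs to continues outside the hunk.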
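Review bot: The new startup probe tolerates up to two hours of failures (`failureThreshold: 7200` at `periodSeconds: 1`) without saying why, and with `type: TCP` and no explicit port it presumably targets whichever port is marked primary (fpm 9000 later in this patch) — a reader will otherwise take 7200 for a typo. Add a comment above `startup:` such as `# first boot can run the Nextcloud installer/upgrader for a long time before php-fpm listens; the threshold covers that, not a hung pod` or lower the threshold to the longest install actually observed. `timeoutSeconds: 1` is fine for a plain TCP connect. The enclosing container block starts outside this hunk.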
@@ -80,22 +102,22 @@ spec: memory: 32Mi limits: memory: 256Mi - # push: - # image: *ncimg - # command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/config.php"] - # env: - # NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}" - # PORT: &push "7867" - # securityContext: *sc - # resources: - # requests: - # cpu: 10m - # memory: 32Mi - # limits: - # memory: 256Mi + push: + image: *ncimg + command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/config.php"] + env: + NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}" + PORT: &push "7867" + securityContext: *sc + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + memory: 256Mi statefulset: volumeClaimTemplates: - - name: data + - name: "data" accessMode: ReadWriteOnce size: 100Gi storageClass: block @@ -105,12 +127,14 @@ spec: path: /var/www/html - subPath: data path: /ceph - # push: - # - subPath: nextcloud - # path: /var/www/html + push: + - subPath: nextcloud + path: /var/www/html + readOnly: true web: - subPath: nextcloud path: /var/www/html + readOnly: true initContainers: 02-caddy: image: @@ -126,18 +150,20 @@ spec: main: ports: http: + primary: false port: 8080 fpm: + primary: true port: 9000 - # push: - # port: *push + push: + port: *push ingress: main: &ingress enabled: true primary: false className: nginx hosts: - - host: &host "${APP_DNS_NEXTCLOUD}" + - host: *host paths: - &path path: / 
@@ -164,33 +190,19 @@ spec: service: name: main port: fpm - # fpm-legacy: - # <<: *ingress - # annotations: - # <<: *fpm-anno - # nginx.ingress.kubernetes.io/rewrite-target: "/index.php$request_uri" - # hosts: - # - host: *host - # paths: - # - path: |- - # /(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) - # pathType: ImplementationSpecific - # service: - # name: main - # port: fpm - # push: - # <<: *ingress - # annotations: - # nginx.ingress.kubernetes.io/use-regex: "true" - # nginx.ingress.kubernetes.io/rewrite-target: "/$2" - # hosts: - # - host: *host - # paths: - # - path: "/push(/|$)(.*)" - # pathType: ImplementationSpecific - # service: - # name: main - # port: push + push: + <<: *ingress + annotations: + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/rewrite-target: "/$2" + hosts: + - host: *host + paths: + - path: "/push(/|$)(.*)" + pathType: ImplementationSpecific + service: + name: main + port: push dav: <<: *ingress annotations: @@ -225,18 +237,16 @@ spec: main: - mountPath: "/var/www/html/config" readOnly: true - # push: - # - mountPath: "/var/www/html/config" - # readOnly: true + push: + - mountPath: "/var/www/html/config" + readOnly: true nas: enabled: true - type: nfs - server: "${IP_TRUENAS}" - path: "${PATH_NAS_PERSIST_K8S}/nextcloud" + existingClaim: "nextcloud-nas-data" advancedMounts: main: main: - - path: "/nas" + - path: "/ncdata" tmp: enabled: true type: emptyDir 
@@ -249,17 +259,22 @@ spec: - &sockmnt subPath: "sockets" path: "/sockets" - # push: - # - subPath: "nextcloud" - # path: "/tmp" - redis: - - subPath: "redis" + push: + - subPath: "nextcloud" path: "/tmp" + redis: + - subPath: "redis-tmp" + path: "/tmp" + - subPath: "redis-data" + path: "/data" # for interval RDB saving - *sockmnt - web: &caddymnt + web: + - subPath: "caddy" + path: "/caddy" + readOnly: true + 02-caddy: - subPath: "caddy" path: "/caddy" - 02-caddy: *caddymnt configMaps: config: enabled: true @@ -267,7 +282,38 @@ spec: config.php: |- getenv('NC_INSTANCEID'), + 'passwordsalt' => getenv('NC_PASSWORDSALT'), + 'secret' => getenv('NC_SECRET'), + 'datadirectory' => '/ncdata', + 'version' => getenv('NC_VERSION'), + 'overwrite.cli.url' => 'https://' . getenv('NC_DOMAIN'), + 'overwriteprotocol' => 'https', + 'default_phone_region' => 'SG', + 'dbtype' => 'pgsql', + 'dbhost' => getenv('POSTGRES_HOST'), + 'dbport' => '5432', + 'dbname' => getenv('POSTGRES_DB'), + 'dbuser' => getenv('POSTGRES_USER'), + 'dbpassword' => getenv('POSTGRES_PASSWORD'), + 'dbtableprefix' => 'oc_', 'memcache.local' => '\\OC\\Memcache\\APCu', + 'memcache.distributed' => '\\OC\\Memcache\\Redis', + 'memcache.locking' => '\\OC\\Memcache\\Redis', + 'redis' => + array ( + 'host' => '/sockets/redis.sock', + 'port' => 0, + ), + 'trusted_domains' => + array ( + 0 => getenv('NC_DOMAIN'), + ), + 'trusted_proxies' => + array ( + 0 => '${IP_POD_CIDR_V4}', + 1 => '127.0.0.1', + ), 'apps_paths' => array ( 0 => 
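Review bot: `trusted_proxies` in the rendered config.php trusts the whole pod CIDR (`0 => '${IP_POD_CIDR_V4}'`), so any pod in the cluster that can reach Nextcloud's fpm/caddy path can set `X-Forwarded-For` and have Nextcloud log, and apply brute-force protection against, a spoofed client address; the setting is carried over from the old config block rather than new, but this rewrite is the moment to tighten it. Narrow it to the ingress-nginx controller pods' addresses (a dedicated substitution variable, or the controller's own address if it runs with hostNetwork) and put a comment above the array stating which hop is expected to set the forwarded headers. Separately, `'dbport' => '5432'` is hard-coded while host/dbname/user/password come from the Crunchy user Secret, which usually also carries a `port` key; if it does here, `'dbport' => getenv('POSTGRES_PORT')` fed from that key keeps all DB settings sourced the same way. The `config.php` block scalar begins and ends outside this hunk.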
@@ -283,40 +329,7 @@ spec: 'writable' => true, ), ), - 'memcache.distributed' => '\\OC\\Memcache\\Redis', - 'memcache.locking' => '\\OC\\Memcache\\Redis', - 'redis' => - array ( - 'host' => '/sockets/redis.sock', - 'port' => 0, - ), - 'instanceid' => getenv('NC_INSTANCEID'), - 'passwordsalt' => getenv('NC_PASSWORDSALT'), - 'secret' => getenv('NC_SECRET'), - 'trusted_domains' => - array ( - 0 => getenv('NC_DOMAIN'), - ), - 'trusted_proxies' => - array ( - 0 => '${IP_POD_CIDR_V4}', - 1 => '127.0.0.1', - ), - 'datadirectory' => '/nas', - 'version' => getenv('NC_VERSION'), - 'overwrite.cli.url' => 'https://' . getenv('NC_DOMAIN'), - 'overwriteprotocol' => 'https', - 'installed' => true, - 'default_phone_region' => 'SG', ); - # test with SQLite first, then try CrunchyData Postgres - # 'dbtype' => 'pgsql', - # 'dbname' => getenv('INIT_POSTGRES_DBNAME'), - # 'dbhost' => getenv('INIT_POSTGRES_HOST'), - # 'dbport' => '5432', - # 'dbtableprefix' => 'oc_', - # 'dbuser' => getenv('INIT_POSTGRES_USER'), - # 'dbpassword' => getenv('INIT_POSTGRES_PASS'), ingress-nginx-fastcgi: enabled: true data: @@ -332,4 +345,4 @@ spec: fsGroup: *uid runAsNonRoot: false seccompProfile: {type: "RuntimeDefault"} - fsGroupChangePolicy: Always + fsGroupChangePolicy: "Always" diff --git a/kube/deploy/apps/nextcloud/app/secrets.yaml b/kube/deploy/apps/nextcloud/app/secrets.yaml index bbd89506..0fb9d001 100644 --- a/kube/deploy/apps/nextcloud/app/secrets.yaml +++ b/kube/deploy/apps/nextcloud/app/secrets.yaml @@ -9,3 +9,5 @@ stringData: NC_INSTANCEID: "${SECRET_NEXTCLOUD_INSTANCEID}" NC_PASSWORDSALT: "${SECRET_NEXTCLOUD_PASSWORDSALT}" NC_SECRET: "${SECRET_NEXTCLOUD_SECRET}" + NEXTCLOUD_ADMIN_USER: "${SECRET_NEXTCLOUD_ADMIN_USER}" + NEXTCLOUD_ADMIN_PASSWORD: "${SECRET_NEXTCLOUD_ADMIN_PASSWORD}" \ No newline at end of file diff --git a/kube/deploy/apps/nextcloud/ks.yaml b/kube/deploy/apps/nextcloud/ks.yaml index 2315411b..e7cd1b0f 100644 --- a/kube/deploy/apps/nextcloud/ks.yaml 
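Review bot: The admin credentials go into the `nextcloud-secrets` Secret that `envFrom` injects wholesale into the main container, so `NEXTCLOUD_ADMIN_PASSWORD` remains readable in that container's environment for its whole life, not only during the first-run install that these variables, together with the dropped `'installed' => true` in config.php, appear intended to drive. If the image behaves like the upstream entrypoint and reads them only at install time, say so and plan the rotation: `# bootstrap-only: read by the first-run installer; rotate the admin password with occ afterwards` above the two new keys. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags. The Secret's `metadata` and the rest of `stringData` lie outside the hunk.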
+++ b/kube/deploy/apps/nextcloud/ks.yaml @@ -8,5 +8,25 @@ spec: path: ./kube/deploy/apps/nextcloud/app dependsOn: - name: 1-core-storage-rook-ceph-cluster - - name: 1-core-ingress-nginx-app - name: 1-core-storage-volsync-app +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: nextcloud-db + namespace: flux-system +spec: + path: ./kube/deploy/core/db/pg/clusters/template + dependsOn: + - name: 1-core-db-pg-app + - name: 1-core-storage-rook-ceph-cluster + postBuild: + substitute: + PG_APP_NAME: &app "nextcloud" + PG_APP_NS: *app + PG_DB_NAME: *app + PG_DB_USER: *app + PG_REPLICAS: "3" + PG_SC: "block" + PG_CONFIG_VERSION: "15.2-11" + PG_CONFIG_SIZE: "20Gi" \ No newline at end of file
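Review bot: The `nextcloud` Kustomization drops its `1-core-ingress-nginx-app` dependency but gains no dependency on the new `nextcloud-db` Kustomization, although the HelmRelease in this same patch reads host/dbname/user/password from the `pg-nextcloud-pguser-nextcloud` Secret that only exists once Crunchy PGO has reconciled that cluster; add `- name: nextcloud-db` under the first `dependsOn` so Flux orders the two instead of the two-hour startup probe papering over the wait. The hr.yaml Ingress objects still use `className: nginx` with nginx annotations, so removing the ingress-nginx dependency only changes ordering rather than correctness, but a one-line comment on why it was dropped would help the next reader. The `nextcloud-db` document is complete here; the first Kustomization's `metadata` is outside the hunk. The file also ends without a trailing newline.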