From e425ce229df41af3c753d52fa7b30e1f6aa5309a Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Fri, 13 Dec 2024 18:27:25 +0800
Subject: [PATCH] feat(renovate): add GHCR private packages support
---
 .github/workflows/renovate.yaml | 7 +-
 kube/deploy/apps/nextcloud/app/hr.yaml | 428 +++++++++++++++++++++++++
 2 files changed, 434 insertions(+), 1 deletion(-)
 create mode 100644 kube/deploy/apps/nextcloud/app/hr.yaml
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 585063e0..7f682268 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -51,13 +51,18 @@ env:
 RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}" # this is to prevent forks from running Renovate against upstream repo
 RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]"
 RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_API_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" # get $BOT_API_ID from `curl -s 'https://api.github.com/users/$(BOT_USERNAME)%5Bbot%5D' | yq .id`
- RENOVATE_REPOSITORY_CACHE: "enabled"
+ RENOVATE_DETECT_HOST_RULES_FROM_ENV: true # private registries/repos
+ DOCKER_GHCR_IO_USERNAME: "${{ github.actor }}"
+ DOCKER_GHCR_IO_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
+ RENOVATE_REPOSITORY_CACHE: "enabled" # hopefully speed up Renovate
 GH_CACHE_DIR: "/tmp/renovate/cache/renovate/repository"
 
 jobs:
 renovate:
 name: Renovate
 runs-on: ubuntu-latest
+ permissions:
+ packages: read # for private GHCR packages
 steps:
 - name: "Generate Short Lived OAuth App Token (ghs_*)"
 uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
diff --git a/kube/deploy/apps/nextcloud/app/hr.yaml b/kube/deploy/apps/nextcloud/app/hr.yaml
new file mode 100644
index 00000000..0266af36
--- /dev/null
+++ b/kube/deploy/apps/nextcloud/app/hr.yaml
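Review bot: `DOCKER_GHCR_IO_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"` is added to the workflow-level `env:`, so the token is exported as a plain environment variable to every step of every job in this workflow, not only to the Renovate step that needs it to read private GHCR packages. Moving `DOCKER_GHCR_IO_USERNAME` and `DOCKER_GHCR_IO_PASSWORD` under that step's own `env:` (the step itself is outside this hunk) keeps the credential out of the App-token generation step and out of any other step's process environment. The job-level `permissions: packages: read` is the right shape, since declaring a `permissions` block drops every unlisted scope of this job's token to none; if a later step in this job checks out the repository with `GITHUB_TOKEN` rather than the App token, it will now also need `contents: read`, which I cannot confirm from here. Renovate's env-based host-rule detection, as far as I know, also promotes any other `*_USERNAME`/`*_PASSWORD`/`*_TOKEN` variable in this env block into a host rule, so anything else matching that pattern is worth a glance.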
@@ -0,0 +1,428 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app nextcloud
+ namespace: *app
+spec:
+ timeout: 1h
+ chart:
+ spec:
+ chart: app-template
+ version: 2.6.0
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: statefulset
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: "allow"
+ egress.home.arpa/world: "allow" # TODO: tighten this
+ # s3.home.arpa/store: "rgw-${CLUSTER_NAME}"
+ containers:
+ main:
+ image: &ncimg
+ repository: "ghcr.io/jjgadgets/nextcloud"
+ tag: "27.1.3-fpm"
+ env: &env
+ TZ: "${CONFIG_TZ}"
+ NC_DOMAIN: &host "${APP_DNS_NEXTCLOUD}"
+ NC_VERSION: "27.1.3"
+ NEXTCLOUD_DATA_DIR: "/ceph/data"
+ NEXTCLOUD_TRUSTED_DOMAINS: *host
+ POSTGRES_HOST:
+ valueFrom:
+ secretKeyRef:
+ name: &pgsec "pg-nextcloud-pguser-nextcloud"
+ key: "host"
+ POSTGRES_DB:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "dbname"
+ POSTGRES_USER:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "user"
+ POSTGRES_PASSWORD:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "password"
+ envFrom: &envFrom
+ - secretRef:
+ name: "nextcloud-secrets"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ probes:
+ startup:
+ enabled: true
+ type: TCP
+ spec:
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+ periodSeconds: 1
+ failureThreshold: 7200 # 2 hours
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ limits:
+ memory: 6000Mi
+ web: # just a static web server
+ image:
+ repository: "gcr.io/distroless/static-debian12"
+ tag: "latest" # screw version controlling a static web server, always tinfoil with latest version!
+ # command: ["/caddy/caddy", "file-server", "--listen", ":8080", "--root", "/var/www/html"]
+ command: ["/caddy/caddy", "run", "--config", "/Caddyfile"]
+ securityContext: *sc
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 256Mi
+ redis:
+ image:
+ repository: "public.ecr.aws/docker/library/redis"
+ tag: "7.2.4-bookworm@sha256:8a4aaf84f31a637cb4e88b82f64d898448ed2e1eabbd8484eb202a492cc98c63"
+ command: ["redis-server", "--port", "0", "--bind", "127.0.0.1", "--unixsocket", "/sockets/redis.sock", "--unixsocketperm", "700"]
+ securityContext: *sc
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 256Mi
+ # push:
+ # image: *ncimg
+ # command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/redis.php"]
+ # env:
+ # PORT: &push "7867"
+ # NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}"
+ # DATABASE_PREFIX: "oc"
+ # DATABASE_URL:
+ # valueFrom:
+ # secretKeyRef:
+ # name: *pgsec
+ # key: "uri"
+ # securityContext: *sc
+ # resources:
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+ # limits:
+ # memory: 256Mi
+ statefulset:
+ volumeClaimTemplates:
+ - name: "data"
+ accessMode: ReadWriteOnce
+ size: 100Gi
+ storageClass: block
+ advancedMounts:
+ main:
+ - subPath: nextcloud
+ path: /var/www/html
+ - subPath: config
+ path: /var/www/html/config
+ - subPath: data
+ path: /ceph
+ # push:
+ # - subPath: nextcloud
+ # path: /var/www/html
+ # readOnly: true
+ web:
+ - subPath: nextcloud
+ path: /var/www/html
+ readOnly: true
+ initContainers:
+ # 01-cp-config:
+ # image: *ncimg
+ # command: ["/bin/sh", "-c", "cp /nc-config/config.php /var/www/html/config/config.php; chmod 0400 /var/www/html/config/config.php"]
+ # securityContext: *sc
+ 02-caddy:
+ image:
+ repository: "public.ecr.aws/docker/library/caddy"
+ tag: "latest"
+ command: ["/bin/sh", "-c", "cp /usr/bin/caddy /caddy/caddy"]
+ securityContext: *sc
+ # 01-init-db:
+ # image: "ghcr.io/onedr0p/postgres-init:14.8"
+ # imagePullPolicy:
IfNotPresent
+ # envFrom: [secretRef: {name: "nextcloud-pg-superuser"}]
+ service:
+ main:
+ ports:
+ http:
+ primary: false
+ port: 8080
+ fpm:
+ primary: true
+ port: 9000
+ # push:
+ # port: *push
+ ingress:
+ main: &ingress
+ enabled: true
+ primary: false
+ className: "nginx-internal"
+ hosts:
+ - host: *host
+ paths:
+ - &path
+ path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts:
+ - *host
+ # fpm:
+ # <<: *ingress
+ # primary: true
+ # annotations: &fpm-anno
+ # nginx.ingress.kubernetes.io/use-regex: "true"
+ # nginx.ingress.kubernetes.io/backend-protocol: "FCGI"
+ # nginx.ingress.kubernetes.io/fastcgi-index: "index.php"
+ # nginx.ingress.kubernetes.io/fastcgi-params-configmap: "nextcloud/nextcloud-ingress-nginx-fastcgi"
+ # hosts:
+ # - host: *host
+ # paths:
+ # - path: "/.*\\.php(/|$)(.*)"
+ # pathType: ImplementationSpecific
+ # service:
+ # name: main
+ # port: fpm
+ # push:
+ # <<: *ingress
+ # annotations:
+ # nginx.ingress.kubernetes.io/use-regex: "true"
+ # nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+ # hosts:
+ # - host: *host
+ # paths:
+ # - path: "/push(/|$)(.*)"
+ # pathType: ImplementationSpecific
+ # service:
+ # name: main
+ # port: push
+ dav:
+ <<: *ingress
+ annotations:
+ nginx.ingress.kubernetes.io/permanent-redirect: "/remote.php/dav/"
+ nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
+ hosts:
+ - host: *host
+ paths:
+ - <<: *path
+ path: "/.well-known/carddav"
+ - <<: *path
+ path: "/.well-known/caldav"
+ well-known:
+ <<: *ingress
+ annotations:
+ nginx.ingress.kubernetes.io/permanent-redirect: "/index.php$request_uri"
+ nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
+ hosts:
+ - host: *host
+ paths:
+ - <<: *path
+ path: "/.well-known"
+ persistence:
+ config:
+ enabled: true
+ type: configMap
+ name: "nextcloud-config"
+ advancedMounts:
+ main:
+ # 01-cp-config:
+ # - path: "/nc-config"
+ # readOnly: true
+ main:
+ # - path: "/nc-config"
+ - subPath: "config.php"
+ path:
"/var/www/html/config/jj.config.php" + readOnly: true + # push: + # - path: "/var/www/html/config" + # readOnly: true + # caddy: + # enabled: true + # type: configMap + # name: "nextcloud-caddy" + # advancedMounts: + # main: + web: + - subPath: "Caddyfile" + path: "/Caddyfile" + readOnly: true + secrets: + enabled: true + type: secret + name: "nextcloud-secrets" + advancedMounts: + main: + main: + - subPath: "secrets.config.php" + path: "/var/www/html/config/secrets.config.php" + readOnly: true + nas: + enabled: true + existingClaim: "nextcloud-nas-data" + advancedMounts: + main: + # 01-cp-config: + # - subPath: "config" + # path: "/var/www/html/config" + main: + - subPath: "data" + path: "/nas" + # - subPath: "config" + # path: "/var/www/html/config" + tmp: + enabled: true + type: emptyDir + medium: Memory + advancedMounts: + main: + # 01-cp-config: + # - &cfgmnt + # subPath: "config" + # path: "/var/www/html/config" + main: + - subPath: "nextcloud" + path: "/tmp" + # - <<: *cfgmnt + # readOnly: true + - &sockmnt + subPath: "sockets" + path: "/sockets" + # push: + # - subPath: "nextcloud" + # path: "/tmp" + # - *sockmnt + redis: + - subPath: "redis-tmp" + path: "/tmp" + - subPath: "redis-data" + path: "/data" # for interval RDB saving + - *sockmnt + web: + - subPath: "caddy" + path: "/caddy" + readOnly: true + 02-caddy: + - subPath: "caddy" + path: "/caddy" + configMaps: + config: + enabled: true + data: + config.php: |- + '/ceph/data', + 'overwrite.cli.url' => 'https://${APP_DNS_NEXTCLOUD}', + 'overwriteprotocol' => 'https', + 'default_phone_region' => 'SG', + 'dbtype' => 'pgsql', + 'dbhost' => getenv('POSTGRES_HOST'), + 'dbport' => '5432', + 'dbname' => getenv('POSTGRES_DB'), + 'dbuser' => getenv('POSTGRES_USER'), + 'dbpassword' => getenv('POSTGRES_PASSWORD'), + 'dbtableprefix' => 'oc_', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'memcache.distributed' => '\\OC\\Memcache\\Redis', + 'memcache.locking' => '\\OC\\Memcache\\Redis', + 'redis' => + array ( + 
'host' => '/sockets/redis.sock',
+ 'port' => 0,
+ ),
+ 'trusted_domains' =>
+ array (
+ 0 => '${APP_DNS_NEXTCLOUD}',
+ 1 => 'localhost',
+ 2 => '127.0.0.1',
+ ),
+ 'trusted_proxies' =>
+ array (
+ 0 => '${IP_POD_CIDR_V4}',
+ 1 => '127.0.0.1',
+ ),
+ 'apps_paths' =>
+ array (
+ 0 =>
+ array (
+ 'path' => '/var/www/html/apps',
+ 'url' => '/apps',
+ 'writable' => false,
+ ),
+ 1 =>
+ array (
+ 'path' => '/var/www/html/custom_apps',
+ 'url' => '/custom_apps',
+ 'writable' => true,
+ ),
+ ),
+ );
+ # redis.php: |
+ # '\\OC\\Memcache\\APCu',
+ # 'memcache.distributed' => '\\OC\\Memcache\\Redis',
+ # 'memcache.locking' => '\\OC\\Memcache\\Redis',
+ # 'redis' =>
+ # array (
+ # 'host' => '/sockets/redis.sock',
+ # 'port' => 0,
+ # ),
+ # );
+ # caddy:
+ # enabled: true
+ # data:
+ Caddyfile: |
+ {
+ http_port 8080
+ https_port 8443
+ }
+ ${APP_DNS_NEXTCLOUD}:8080 {
+ header Strict-Transport-Security "max-age=15768000;preload"
+ redir /.well-known/carddav /remote.php/dav 301
+ redir /.well-known/caldav /remote.php/dav 301
+ root * /var/www/html
+ encode zstd gzip
+ php_fastcgi 127.0.0.1:9000 {
+ root /var/www/html
+ env front_controller_active true
+ trusted_proxies ${IP_POD_CIDR_V4}
+ }
+ file_server
+ }
+ ingress-nginx-fastcgi:
+ enabled: true
+ data:
+ SCRIPT_FILENAME: "/var/www/html/$fastcgi_script_name"
+ PATH_INFO: "$fastcgi_path_info"
+ modHeadersAvailable: "true"
+ front_controller_active: "true"
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ securityContext:
+ runAsUser: &uid 33
+ runAsGroup: *uid
+ fsGroup: *uid
+ runAsNonRoot: false
+ seccompProfile: {type: "RuntimeDefault"}
+ fsGroupChangePolicy: "Always"
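Review bot: The `Caddyfile` block scalar serves `root * /var/www/html` through `php_fastcgi 127.0.0.1:9000` and `file_server` with no deny rule, so the paths Nextcloud expects the front web server to block — `/.htaccess`, `/config/*`, `/data/*`, `/3rdparty/*`, `/lib/*`, `/templates/*`, `/occ`, `/console.php` — are reachable through the `main` ingress, and any `.php` under them is executed by FPM in the `main` container. The `web` container mounts only the `nextcloud` subPath, which keeps `config.php`, `jj.config.php` and `secrets.config.php` out of `file_server`, but FPM runs in `main` where those files are mounted, so the protection should live in Caddy rather than rely on the mount layout; Nextcloud's documented Caddy configuration uses a `@forbidden` matcher answering 404 for those paths, placed before `php_fastcgi`, and the fence below adds it. Separately, `trusted_proxies ${IP_POD_CIDR_V4}` in both the Caddyfile and `config.php` lets any pod in that CIDR set the client IP Nextcloud uses for brute-force protection, while the `ingress.home.arpa/nginx-internal` label suggests only the ingress controller should reach this pod, so narrowing it to the controller's addresses is worth considering. `runAsNonRoot: false` next to `runAsUser: &uid 33` also looks unintentional — `runAsNonRoot: true` costs nothing here and makes the kubelet enforce what the UID already says, unless the `02-caddy` init container or the image entrypoint needs root, which I cannot see from here.
```yaml
            Caddyfile: |
              # … unchanged: global options block …
              ${APP_DNS_NEXTCLOUD}:8080 {
                # … unchanged: HSTS header, .well-known redirects, root, encode …
                @forbidden {
                  path /.htaccess
                  path /data/*
                  path /config/*
                  path /3rdparty/*
                  path /lib/*
                  path /templates/*
                  path /occ
                  path /console.php
                }
                respond @forbidden 404
                # … unchanged: php_fastcgi block, file_server …
              }
```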