feat: migrate NextCloud

Peter 2023-12-27 12:32:27 +01:00
parent 15ff43a7a5
commit 5e50ee634f
Signed by: prskr
GPG key ID: F56BED6903BC5E37
7 changed files with 226 additions and 0 deletions

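--- a/nextcloud/.gitignore
+++ b/nextcloud/.gitignore
@@ -0,0 +1 @@
+charts/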


@ -0,0 +1,33 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.3
nodes: 3
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 250m
memory: 256Mi
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi
serviceMonitor:
enabled: true
labels:
prometheus: default
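Review bot: No authentication is configured for this KeyDB release: these values set no password, and the `redis.config.php` block in the Nextcloud values passes only `host` and `port`. Nextcloud uses this instance for `memcache.distributed` and `memcache.locking`, so any workload that can reach the `nextcloud-keydb` service could read or alter cached data and file locks. I would set the chart's password from an existing Secret (the enapter chart appears to expose `existingSecret` / `existingSecretPasswordKey`; confirm against chart 0.48.0), add `'password' => getenv('REDIS_HOST_PASSWORD'),` to the `redis` array, and limit ingress to the KeyDB pods with a NetworkPolicy.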


@ -0,0 +1,105 @@
image:
flavor: fpm
ingress:
enabled: true
nextcloud:
host: nextcloud.icb4dc0.de
existingSecret:
enabled: true
secretName: nextcloud-secrets
usernameKey: root-username
passwordKey: root-password
defaultConfigs:
redis.config.php: false
configs:
reverse-proxy.config.php: |-
<?php
$CONFIG = array (
"overwrite.cli.url" => "https://nextcloud.icb4dc0.de",
"overwriteprotocol" => "https",
);
logs.config.php: |-
<?php
$CONFIG = array (
"log_type" => "file",
"logfile" => "/dev/stdout",
"loglevel" => 1,
);
redis.config.php: |-
<?php
if (getenv('REDIS_HOST')) {
$CONFIG = array (
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => getenv('REDIS_HOST'),
'port' => getenv('REDIS_HOST_PORT') ?: 6379,
),
);
}
extraVolumes:
- name: php-confd
emptyDir:
sizeLimit: 50Mi
extraVolumeMounts:
- mountPath: /usr/local/etc/php/conf.d/
name: php-confd
extraInitContainers:
- name: php-confd-init
image: nextcloud:27.1.2-fpm
command:
- /bin/bash
- -c
- --
args:
- cp -R /usr/local/etc/php/conf.d/* /data/
volumeMounts:
- mountPath: /data
name: php-confd
podSecurityContext:
fsGroup: 1001
extraEnv:
- name: REDIS_HOST
value: nextcloud-keydb
nginx:
enabled: true
redis:
enabled: false
cronjob:
enabled: true
internalDatabase:
enabled: false
externalDatabase:
enabled: true
type: postgresql
existingSecret:
enabled: true
secretName: default-cluster-pguser-nextcloud
usernameKey: user
passwordKey: password
hostKey: host
databaseKey: dbname
persistence:
enabled: true
storageClass: hcloud-volumes
size: 8Gi
nextcloudData:
enabled: true
storageClass: storage-box
accessMode: ReadWriteMany
size: 100Gi
metrics:
enabled: true
serviceMonitor:
enabled: true
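Review bot: `reverse-proxy.config.php` sets `overwriteprotocol` and `overwrite.cli.url` but no `trusted_proxies`, so unless that is configured elsewhere Nextcloud will not honour the forwarded client address coming from the ingress. Brute-force throttling and audit log entries would then key on the proxy's address rather than the real client. Consider adding `"trusted_proxies" => array("<ingress-controller-cidr>"),` to that array, where the value is a placeholder for the cluster's actual range. Separately, the init container hard-codes `nextcloud:27.1.2-fpm` while the main image tag comes from the chart, so the copied `conf.d` files can drift from the running image after a chart bump; a comment tying the two tags together would help.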


@ -0,0 +1,32 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: nextcloud
labels:
- includeSelectors: false
pairs:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: nextcloud-keydb
namespace: nextcloud
version: "0.48.0"
valuesFile: config/values.keydb.yaml
skipTests: true
- name: nextcloud
repo: https://nextcloud.github.io/helm/
releaseName: nextcloud
namespace: nextcloud
version: "4.5.10"
valuesFile: config/values.nextcloud.yaml
skipTests: true
resources:
- "resources/namespace.yaml"
generators:
- ./secret-generator.yaml
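Review bot: Both `helmCharts` entries are pinned by version only and, with `charts/` git-ignored, are downloaded again from the upstream repositories whenever the build has no local copy, so the rendered manifests depend on what those repositories serve at build time. The KeyDB image is already mirrored to `code.icb4dc0.de`; mirroring the charts as well, or committing the pulled charts, would make builds reproducible and reviewable. It would also help to add a comment above `generators:` such as `# build with: kustomize build --enable-helm --enable-alpha-plugins --enable-exec`, since `helmCharts` and the exec-based KSOPS generator both need those flags.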


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud
labels:
prometheus: default
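Review bot: The namespace is created without any Pod Security Admission labels, so pods in it are subject only to whatever the cluster-wide default is. Adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` is non-blocking and shows which of the chart's containers would fail a stricter profile. `pod-security.kubernetes.io/enforce: baseline` could follow once those warnings have been reviewed.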


@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: nextcloud-secrets
type: Opaque
stringData:
root-username: ENC[AES256_GCM,data:bvXYQRg=,iv:uoGUcfHnxOpKjSslTLAW3yNglzR3UmVEjRiCxBP7ROE=,tag:blTERWxgF1IDbcPKyKjVow==,type:str]
root-password: ENC[AES256_GCM,data:r9TSvn71Ecg/eAsGXWtc6vWsyRnZcu01QQ==,iv:l7Fc7Yz8527EHQvX7dkkNJRfswR/eaqn913t4G+5mn8=,tag:evh5PmuuGhusPQMYxRY5WQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRkVpUjZxVmF0SmRPdHJZ
cGcrWTRuZFhhZGRaSUY5SS9pQnpNUjk3d1dvCldVS2ZOUTlYKzBFcjhibi9qOWRw
R3NCRVk0NWVYSFVQTm16L08yaTZEUjQKLS0tIEFablpOME0xNEJDbksxWHZRZXUy
YnlhMitYajVtb0hRQ0dPUkU4a2E5SnMKqVV3/2d+p+yu6pV2TqUUIoaj6wulKkci
3G6hlQY7WSST04KT2kTYPqzA9cEQIXSktvsVKuYeRvhcHz7lSbYJRQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWFV2OVVkQUtpSTBoaE5D
WFh2NllUZnBBMklOODlmVVQvTUVyUVdTazM4CnQzU1JDalhTcUVYKy9BQkFmMzZG
TFpGcGlpVE1uRjB6ZkdUeWk5eldGQlUKLS0tIHEwbHAzNFRDMjBRaHVjN0lwTGVV
MmpIaTVUcVJ4c1pFSkwyRWhHdStTbVEKm+JhVAwmzuvuAbph5ZAmqw+97YznBmpm
fdr2wsqIGJEG6EfWeYEsAHnCbqasxGJafYcJ2F3D1prJ5DE63OFXFg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-24T11:00:26Z"
mac: ENC[AES256_GCM,data:ntJWpg4t+ZMejPz/J204dPEW7x729yqqKjIeUOXoGHI0CM/GuFXNcPd2trQiaMzOjrVuQDRRPbKtXELxMwHThqttV7cc8b9sIS3ZZn1y/rEv3KJZjEMdnPcSSXDwdjm08IEixAzNHmdojg4mpQVKQveYzbGT80In26MhN+ZS9r8=,iv:naAAJ+tUz5l7I1rli0gbEUWbo0X33WORIxRSYvGjUV0=,tag:eTOwdvYTNEj53oAfRJ8VCA==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,11 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: nextcloud-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/secrets.enc.yaml
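Review bot: The comment `# Specify a name` is left over from the KSOPS template and tells the reader nothing; I would replace it with one that documents what the generator needs, e.g. `# decrypts resources/secrets.enc.yaml; needs the ksops binary on PATH and an age key for one of the file's recipients`. Because `exec.path: ksops` is resolved from the build environment, the binary that runs with access to the decryption key is whatever that environment provides. Its version is worth pinning wherever the build image is defined.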