ansible-role-eom/tasks/nextcloud.yaml

---
# tasks file for nextcloud
- name: Add NextCloud repo
  kubernetes.core.helm_repository:
    name: nextcloud
    repo_url: https://nextcloud.github.io/helm/
  register: repo

- name: Update Helm repos
  command: helm repo update
  when: repo.changed

- name: Deploy NextCloud
  kubernetes.core.helm:
    name: nextcloud
    chart_ref: nextcloud/nextcloud
    release_namespace: nextcloud
    create_namespace: true
    values:
      image:
        pullPolicy: IfNotPresent
        tag: latest
      nextcloud:
        host: nextcloud.eom.dev
        username: nextcloud_admin
        password: "{{ nextcloud_admin_password }}"
        configs:
          proxy.config.php: |-
            <?php
            $CONFIG = array (
              'overwriteprotocol' => 'https',
              'trusted_proxies' => array(
                0 => '127.0.0.1',
                1 => '10.0.0.0/8',
              ),
              'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
            );            
      mail:
        enabled: true
        fromAddress: nextcloud
        domain: postfix.eom.dev
        smtp:
          host: postfix.eom.dev
          secure: ssl
          port: 587
          authtype: LOGIN
          name: nextcloud
          password: "{{ nextcloud_admin_password }}"
      persistence:
        enabled: true
        size: 8Ti
      metrics:
        enabled: true
      cronjob:
        enabled: true
      redis:
        enabled: true
        auth:
          password: "{{ redis_auth_password }}"
      ingress:
        enabled: true
        className: nginx
        annotations:
          #nginx.ingress.kubernetes.io/enable-cors: "true"
          #nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
          nginx.ingress.kubernetes.io/proxy-body-size: 4G
          kubernetes.io/tls-acme: "true"
          cert-manager.io/cluster-issuer: ca-issuer
          # Keep this in sync with the README.md:
          nginx.ingress.kubernetes.io/server-snippet: |-
            server_tokens off;
            proxy_hide_header X-Powered-By;
            rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
            rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
            rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
            rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
            location = /.well-known/carddav {
              return 301 $scheme://$host/remote.php/dav;
            }
            location = /.well-known/caldav {
              return 301 $scheme://$host/remote.php/dav;
            }
            location = /robots.txt {
              allow all;
              log_not_found off;
              access_log off;
            }
            location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
              deny all;
            }
            location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
              deny all;
            }            
        tls:
          - hosts:
            - nextcloud.eom.dev
            secretName: nextcloud-tls
      internalDatabase:
        enabled: false
      externalDatabase:
        enabled: true
        type: postgresql
        host: postgresql
        user: nextcloud
        password: "{{ nextcloud_admin_password }}"
        database: nextcloud
      postgresql:
        enabled: true
        global:
          postgresql:
            auth:
              username: nextcloud
              password: "{{ nextcloud_admin_password }}"
              database: nextcloud
        primary:
          persistence:
            enabled: true
            size: 2Ti