feat(nextcloud): BREAKING CHANGE - rework fully (#9169)

**Description**
<!--
Please include a summary of the change and which issue is fixed. Please
also include relevant motivation and context. List any dependencies that
are required for this change.
-->
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [x] ⚙️ Feature/App addition
- [x] 🪛 Bugfix
- [x] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [x] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [x] ⚖️ My code follows the style guidelines of this project
- [x] 👀 I have performed a self-review of my own code
- [x] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [x] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [x] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Signed-off-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
Co-authored-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
This commit is contained in:
Stavros Kois
2023-06-17 00:10:56 +03:00
committed by GitHub
parent fde414e95b
commit 8dfaee1c9b
19 changed files with 4818 additions and 1 deletions
+1 -1
View File
@@ -1,6 +1,6 @@
remote: origin
target-branch: master
helm-extra-args: --timeout 180s
helm-extra-args: --timeout 240s
chart-yaml-schema: .github/chart_schema.yaml
chart-dirs:
- charts/incubator
+39
View File
@@ -4,6 +4,16 @@ function check_version() {
chart_path=${1:?"No chart path provided to [Version Check]"}
target_branch=${2:?"No target branch provided to [Version Check]"}
chart_dir=$(dirname "$chart_path")
# If only docs changed, skip version check
chart_changes=$(git diff "$target_branch" -- "$chart_dir" :^docs)
if [[ -z "$chart_changes" ]]; then
echo "Looks like only docs changed. Skipping chart version check"
echo -e "\t✅ Chart version: No bump required"
return
fi
new=$(git diff "$target_branch" -- "$chart_path" | sed -nr 's/^\+version: (.*)$/\1/p')
old=$(git diff "$target_branch" -- "$chart_path" | sed -nr 's/^\-version: (.*)$/\1/p')
@@ -63,6 +73,25 @@ function helm_lint(){
}
export -f helm_lint
function helm_template(){
chart_path=${1:?"No chart path provided to [Helm template]"}
# Print only errors and warnings
helm_template_output=$(helm template "$chart_path" 2>&1 >/dev/null)
helm_template_exit_code=$?
while IFS= read -r line; do
echo -e "\t$line"
done <<< "$helm_template_output"
if [ $helm_template_exit_code -ne 0 ]; then
echo -e "\t❌ Helm template: Failed"
curr_result=1
else
echo -e "\t✅ Helm template: Passed"
fi
}
export -f helm_template
function yaml_lint(){
file_path=${1:?"No file path provided to [YAML lint]"}
@@ -97,6 +126,16 @@ function lint_chart(){
echo "👣 Helm Lint - [$chart_path]"
helm_lint "$chart_path"
echo "👣 Helm Template - [$chart_path]"
helm_template "$chart_path"
for values in $chart_path/ci/*values.yaml; do
if [ -f "${values}" ]; then
echo "👣 Helm Template - [$values]"
helm_template "$chart_path" -f "$values"
fi
done
echo "👣 Chart Version - [$chart_path] against [$target_branch]"
check_version "$chart_path" "$target_branch"
+1
View File
@@ -75,6 +75,7 @@ jobs:
- name: Test and Fix Pre-Commit Issues
shell: bash
# TODO: Only run pre-commit on changed files
# TODO: Commit fixes
if: inputs.chartChangesDetected == 'true'
run: |
echo "Running pre-commit test-and-cleanup..."
+30
View File
@@ -0,0 +1,30 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS
# helm-docs templates
*.gotmpl
# docs folder
/docs
# icon
icon.png
File diff suppressed because it is too large Load Diff
+36
View File
@@ -0,0 +1,36 @@
apiVersion: v2
appVersion: "25.0.2"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 12.14.1
- condition: redis.enabled
name: redis
repository: https://deps.truecharts.org
version: 6.0.48
deprecated: false
description: A private cloud server that puts the control and security of your own data back into your hands.
home: https://truecharts.org/charts/stable/nextcloud
icon: https://truecharts.org/img/hotlink-ok/chart-icons/nextcloud.png
keywords:
- nextcloud
- storage
- http
- web
- php
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: nextcloud
sources:
- https://github.com/truecharts/charts/tree/master/charts/stable/nextcloud
- https://github.com/nextcloud/docker
- https://github.com/nextcloud/helm
type: application
version: 20.0.0
annotations:
truecharts.org/catagories: |
- cloud
truecharts.org/SCALE-support: "true"
+106
View File
@@ -0,0 +1,106 @@
Business Source License 1.1
Parameters
Licensor: The TrueCharts Project, it's owner and it's contributors
Licensed Work: The TrueCharts "Blocky" Helm Chart
Additional Use Grant: You may use the licensed work in production, as long
as it is directly sourced from a TrueCharts provided
official repository, catalog or source. You may also make private
modification to the directly sourced licenced work,
when used in production.
The following cases are, due to their nature, also
defined as 'production use' and explicitly prohibited:
- Bundling, including or displaying the licensed work
with(in) another work intended for production use,
with the apparent intend of facilitating and/or
promoting production use by third parties in
violation of this license.
Change Date: 2050-01-01
Change License: 3-clause BSD license
For information about alternative licensing arrangements for the Software,
please contact: legal@truecharts.org
Notice
The Business Source License (this document, or the “License”) is not an Open
Source license. However, the Licensed Work will eventually be made available
under an Open Source License, as stated in this License.
License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
“Business Source License” is a trademark of MariaDB Corporation Ab.
-----------------------------------------------------------------------------
Business Source License 1.1
Terms
The Licensor hereby grants you the right to copy, modify, create derivative
works, redistribute, and make non-production use of the Licensed Work. The
Licensor may make an Additional Use Grant, above, permitting limited
production use.
Effective on the Change Date, or the fourth anniversary of the first publicly
available distribution of a specific version of the Licensed Work under this
License, whichever comes first, the Licensor hereby grants you rights under
the terms of the Change License, and the rights granted in the paragraph
above terminate.
If your use of the Licensed Work does not comply with the requirements
currently in effect as described in this License, you must purchase a
commercial license from the Licensor, its affiliated entities, or authorized
resellers, or you must refrain from using the Licensed Work.
All copies of the original and modified Licensed Work, and derivative works
of the Licensed Work, are subject to this License. This License applies
separately for each version of the Licensed Work and the Change Date may vary
for each version of the Licensed Work released by Licensor.
You must conspicuously display this License on each original or modified copy
of the Licensed Work. If you receive the Licensed Work in original or
modified form from a third party, the terms and conditions set forth in this
License apply to your use of that work.
Any use of the Licensed Work in violation of this License will automatically
terminate your rights under this License for the current and all other
versions of the Licensed Work.
This License does not grant you any right in any trademark or logo of
Licensor or its affiliates (provided that you may use a trademark or logo of
Licensor as expressly required by this License).
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
AN “AS IS” BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
TITLE.
MariaDB hereby grants you permission to use this Licenses text to license
your works, and to refer to it using the trademark “Business Source License”,
as long as you comply with the Covenants of Licensor below.
Covenants of Licensor
In consideration of the right to use this Licenses text and the “Business
Source License” name and trademark, Licensor covenants to MariaDB, and to all
other recipients of the licensed work to be provided by Licensor:
1. To specify as the Change License the GPL Version 2.0 or any later version,
or a license that is compatible with GPL Version 2.0 or a later version,
where “compatible” means that software provided under the Change License can
be included in a program with software provided under GPL Version 2.0 or a
later version. Licensor may specify additional Change Licenses without
limitation.
2. To either: (a) specify an additional grant of rights to use that does not
impose any additional restriction on the right granted in this License, as
the Additional Use Grant; or (b) insert the text “None”.
3. To specify a Change Date.
4. Not to modify this License in any other way.
+27
View File
@@ -0,0 +1,27 @@
# README
## General Info
TrueCharts can be installed as both *normal* Helm Charts or as Apps on TrueNAS SCALE.
However only installations using the TrueNAS SCALE Apps system are supported.
For more information about this App, please check the docs on the TrueCharts [website](https://truecharts.org/charts/stable/)
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/truecharts/charts/issues/new/choose)**
## Support
- Please check our [quick-start guides for TrueNAS SCALE](https://truecharts.org/manual/SCALE%20Apps/Important-MUST-READ).
- See the [Website](https://truecharts.org)
- Check our [Discord](https://discord.gg/tVsPTHWTtr)
- Open a [issue](https://github.com/truecharts/charts/issues/new/choose)
---
## Sponsor TrueCharts
TrueCharts can only exist due to the incredible effort of our staff.
Please consider making a [donation](https://truecharts.org/sponsor) or contributing back to the project any way you can!
*All Rights Reserved - The TrueCharts Project*
@@ -0,0 +1,3 @@
nextcloud:
clamav:
enabled: true
Binary file not shown.

After

Width:  |  Height:  |  Size: 17 KiB

+580
View File
@@ -0,0 +1,580 @@
# Include{groups}
portals:
open:
# Include{portalLink}
questions:
# Include{global}
# Include{workload}
# Include{workloadDeployment}
# Include{replicas1}
# Include{podSpec}
# Include{containerMain}
# Include{containerBasic}
# Include{containerAdvanced}
# Include{containerConfig}
- variable: nextcloud
group: App Configuration
label: Nextcloud
schema:
additional_attrs: true
type: dict
attrs:
- variable: credentials
group: App Configuration
label: Initial Credentials
schema:
additional_attrs: true
type: dict
attrs:
- variable: initialAdminUser
label: Initial Admin User
description: Sets the initial admin username
schema:
type: string
required: true
default: ""
- variable: initialAdminPassword
label: Initial Admin Password
description: Sets the initial admin password
schema:
type: string
required: true
private: true
default: ""
- variable: general
group: App Configuration
label: General
schema:
additional_attrs: true
type: dict
attrs:
- variable: run_optimize
label: Run Optiomize Scripts
description: |
Runs the following commands at startup:</br>
occ db:add-missing-indices</br>
occ db:add-missing-columns</br>
occ db:add-missing-primary-keys</br>
yes | occ db:convert-filecache-bigint</br>
occ maintenance:mimetype:update-js</br>
occ maintenance:mimetype:update-db</br>
occ maintenance:update:htaccess</br>
schema:
type: string
required: true
default: ""
schema:
type: boolean
default: false
- variable: default_phone_region
label: Default Phone Region
description: |
Sets the default phone region in ISO_3166-1 format (e.g. US).</br>
https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
schema:
type: string
valid_chars: '^[A-Z]{2}$'
required: true
default: ""
- variable: accessIP
label: Access IP
description: Set to the IP-Address used to reach Nextcloud.
schema:
type: string
required: true
$ref:
- "definitions/nodeIP"
- variable: files
group: App Configuration
label: Files Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: shared_folder_name
label: Shared Folder Name
schema:
type: string
required: true
default: Shared
- variable: max_chunk_size
label: Max Chunk Size
schema:
type: int
required: true
default: 10485760
- variable: expirations
group: App Configuration
label: Expirations Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: activity_expire_days
label: Activity Expire Days
schema:
type: int
required: true
default: 90
- variable: trash_retention_obligation
label: Trash Retention Obligation
schema:
type: string
required: true
default: auto
- variable: versions_retention_obligation
label: Versions Retention Obligation
schema:
type: string
required: true
default: auto
- variable: previews
group: App Configuration
label: Previews Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable Previews
schema:
type: boolean
default: true
show_subquestions_if: true
subquestions:
- variable: imaginary
label: Enable imaginary
description: |
Enable imaginary to generate previews in the background.</br>
It will also deploy the needed container.
schema:
type: boolean
default: true
- variable: cron
label: Enable cron
description: |
Enable cron to generate previews in the background.
schema:
type: boolean
default: true
- variable: schedule
label: Cron Schedule
schema:
type: string
default: "*/30 * * * *"
- variable: max_x
label: Max X
schema:
type: int
required: true
default: 2048
- variable: max_y
label: Max Y
schema:
type: int
required: true
default: 2048
- variable: max_memory
label: Max Memory
schema:
type: int
required: true
default: 1024
- variable: max_file_size_image
label: Max File Size Image
schema:
type: int
required: true
default: 50
- variable: jpeg_quality
label: JPEG Quality
schema:
type: int
required: true
default: 60
- variable: square_sizes
label: Square Sizes
schema:
type: string
required: true
default: "32 256"
- variable: width_sizes
label: Width Sizes
schema:
type: string
required: true
default: "256 384"
- variable: height_sizes
label: Height Sizes
schema:
type: string
required: true
default: "256"
- variable: providers
label: Providers
schema:
type: list
empty: false
required: true
default:
- BMP
- GIF
- JPEG
- Krita
- MarkDown
- MP3
- OpenDocument
- PNG
- TXT
- XBitmap
items:
- variable: provider_entry
label: Provider Entry
schema:
type: string
required: true
default: ""
enum:
- value: BMP
description: BMP
- value: Font
description: Font
- value: GIF
description: GIF
- value: HEIC
description: HEIC
- value: Illustrator
description: Illustrator
- value: JPEG
description: JPEG
- value: Krita
description: Krita
- value: MarkDown
description: MarkDown
- value: Movie
description: Movie
- value: MP3
description: MP3
- value: MSOffice2003
description: MSOffice2003
- value: MSOffice2007
description: MSOffice2007
- value: MSOfficeDoc
description: MSOfficeDoc
- value: OpenDocument
description: OpenDocument
- value: PDF
description: PDF
- value: Photoshop
description: Photoshop
- value: PNG
description: PNG
- value: Postscript
description: Postscript
- value: StarOffice
description: StarOffice
- value: SVG
description: SVG
- value: TIFF
description: TIFF
- value: TXT
description: TXT
- value: XBitmap
description: XBitmap
- variable: Logging
group: App Configuration
label: Logging Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: log_level
label: Log Level
schema:
type: string
required: true
default: "2"
enum:
- value: "0"
description: Debug
- value: "1"
description: Info
- value: "2"
description: Warning
- value: "3"
description: Error
- value: "4"
description: Fatal
- variable: log_date_format
label: Log Date Format
schema:
type: string
required: true
default: d/m/Y H:i:s
- variable: notify_push
group: App Configuration
label: Notify Push Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable Notify Push
description: |
Enable and Configure Notify Push.</br>
It will also deploy the needed container
schema:
type: boolean
default: true
- variable: clamav
group: App Configuration
label: ClamAV Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable ClamAV
description: |
Enable and configure ClamAV.</br>
It will also deploy the needed container.</br>
Keep in mind that this will run as root.</br>
https://github.com/Cisco-Talos/clamav/issues/478
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: stream_max_length
label: Stream Max Length
schema:
type: int
required: true
default: 104857600
- variable: file_max_size
label: File Max Size
schema:
type: int
required: true
default: -1
- variable: infected_action
label: Infected Action
schema:
type: string
required: true
default: only_log
enum:
- value: delete
description: Delete
- value: only_log
description: Only Log
- variable: collabora
group: App Configuration
label: Collabora Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable Collabora
description: |
Enable and configure Collabora.</br>
This will NOT deploy the needed container.</br>
You need to deploy it yourself.
schema:
type: boolean
default: true
show_subquestions_if: true
subquestions:
- variable: url
label: URL
schema:
type: string
required: true
default: ""
- variable: allow_list
label: Allow List
schema:
type: list
default: ["0.0.0.0/0"]
items:
- variable: allow_entry
label: Allow Entry
schema:
type: string
required: true
default: ""
- variable: onlyoffice
group: App Configuration
label: Only Office Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enable OnlyOffice
description: |
Enable and configure OnlyOffice.</br>
This will NOT deploy the needed container.</br>
You need to deploy it yourself.
schema:
type: boolean
default: true
show_subquestions_if: true
subquestions:
- variable: url
label: URL
schema:
type: string
required: true
default: ""
- variable: jwt
label: JWT
schema:
type: string
required: true
default: ""
- variable: jwt_header
label: JWT Header
schema:
type: string
required: true
default: Authorization
- variable: php
group: App Configuration
label: PHP Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: memory_limit
label: Memory Limit
schema:
type: string
required: true
default: 1G
- variable: upload_limit
label: Upload Limit
schema:
type: string
required: true
default: 10G
- variable: pm_max_children
label: Max Children
schema:
type: int
required: true
default: 180
- variable: pm_start_servers
label: Start Servers
schema:
type: int
required: true
default: 18
- variable: pm_min_spare_servers
label: Minimum Spare Servers
schema:
type: int
required: true
default: 12
- variable: pm_max_spare_servers
label: Maximum Spare Servers
schema:
type: int
required: true
default: 30
# Include{podOptions}
# Include{serviceRoot}
- variable: main
label: Main Service
description: The Primary service on which the healthcheck runs, often the webUI
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: main
label: Main Service Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 12000
required: true
# Include{serviceExpertRoot}
# Include{serviceExpert}
# Include{serviceList}
# Include{persistenceRoot}
- variable: html
label: App HTML Storage
description: Stores the Application HTML.
schema:
additional_attrs: true
type: dict
attrs:
# Include{persistenceBasic}
- variable: config
label: App Config Storage
description: Stores the Application Config.
schema:
additional_attrs: true
type: dict
attrs:
# Include{persistenceBasic}
- variable: data
label: User Data Storage
description: Stores the User Data.
schema:
additional_attrs: true
type: dict
attrs:
# Include{persistenceBasic}
# Include{persistenceList}
# Include{ingressRoot}
- variable: main
label: Main Ingress
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressList}
# Include{securityContextRoot}
- variable: runAsUser
label: runAsUser
description: The UserID of the user running the application
schema:
type: int
default: 568
- variable: runAsGroup
label: runAsGroup
description: The groupID of the user running the application
schema:
type: int
default: 568
# Include{securityContextContainer}
# Include{securityContextAdvanced}
# Include{securityContextPod}
- variable: fsGroup
label: fsGroup
description: The group that should own ALL storage.
schema:
type: int
default: 568
# Include{resources}
# Include{metrics}
# Include{prometheusRule}
# Include{advanced}
# Include{addons}
# Include{codeserver}
# Include{netshoot}
# Include{vpn}
# Include{documentation}
@@ -0,0 +1 @@
{{- include "tc.v1.common.lib.chart.notes" $ -}}
@@ -0,0 +1,387 @@
{{/* Define the configmap */}}
{{- define "nextcloud.configmaps" -}}
{{- $fullname := (include "tc.v1.common.lib.chart.names.fullname" $) -}}
{{- $urlNoProtocol := regexReplaceAll ".*://(.*)" .Values.chartContext.APPURL "${1}" -}}
{{- $protocolOnly := regexReplaceAll "(.*)://.*" .Values.chartContext.APPURL "${1}" -}}
{{- $redisHost := .Values.redis.creds.plainhost | trimAll "\"" -}}
{{- $redisPass := .Values.redis.creds.redisPassword | trimAll "\"" -}}
{{- $healthHost := "kube.internal.healthcheck" -}}
php-tune:
enabled: true
data:
zz-tune.conf: |
[www]
pm.max_children = {{ .Values.nextcloud.php.pm_max_children }}
pm.start_servers = {{ .Values.nextcloud.php.pm_start_servers }}
pm.min_spare_servers = {{ .Values.nextcloud.php.pm_min_spare_servers }}
pm.max_spare_servers = {{ .Values.nextcloud.php.pm_max_spare_servers }}
redis-session:
enabled: true
data:
redis-session.ini: |
session.save_path = {{ printf "tcp://%v:6379?auth=%v" $redisHost $redisPass | quote }}
redis.session.locking_enabled = 1
redis.session.lock_retries = -1
redis.session.lock_wait_time = 10000
hpb-config:
enabled: {{ .Values.nextcloud.notify_push.enabled }}
data:
NEXTCLOUD_URL: {{ printf "http://%v:%v" $fullname .Values.service.main.ports.main.port }}
HPB_HOST: {{ $healthHost }}
CONFIG_FILE: {{ printf "%v/config.php" .Values.persistence.config.targetSelector.notify.notify.mountPath }}
METRICS_PORT: {{ .Values.service.notify.ports.metrics.port | quote }}
clamav-config:
enabled: {{ .Values.nextcloud.clamav.enabled }}
data:
CLAMAV_NO_CLAMD: "false"
CLAMAV_NO_FRESHCLAMD: "true"
CLAMAV_NO_MILTERD: "true"
CLAMD_STARTUP_TIMEOUT: "1800"
nextcloud-config:
enabled: true
data:
{{/* Database */}}
POSTGRES_DB: {{ .Values.cnpg.main.database | quote }}
POSTGRES_USER: {{ .Values.cnpg.main.user | quote }}
POSTGRES_PASSWORD: {{ .Values.cnpg.main.creds.password | trimAll "\"" }}
POSTGRES_HOST: {{ .Values.cnpg.main.creds.host | trimAll "\"" }}
{{/* Redis */}}
NX_REDIS_HOST: {{ $redisHost }}
NX_REDIS_PASS: {{ $redisPass }}
{{/* Nextcloud INITIAL credentials */}}
NEXTCLOUD_ADMIN_USER: {{ .Values.nextcloud.credentials.initialAdminUser | quote }}
NEXTCLOUD_ADMIN_PASSWORD: {{ .Values.nextcloud.credentials.initialAdminPassword | quote }}
{{/* PHP Variables */}}
{{- if not (mustRegexMatch "^[0-9]+(M|G){1}$" .Values.nextcloud.php.memory_limit) -}}
{{- fail (printf "Nextcloud - Expected Memory Limit to be in format [1M, 1G] but got [%v]" .Values.nextcloud.php.memory_limit) -}}
{{- end -}}
{{- if not (mustRegexMatch "^[0-9]+(M|G){1}$" .Values.nextcloud.php.upload_limit) -}}
{{- fail (printf "Nextcloud - Expected Memory Limit to be in format [1M, 1G] but got [%v]" .Values.nextcloud.php.upload_limit) -}}
{{- end }}
PHP_MEMORY_LIMIT: {{ .Values.nextcloud.php.memory_limit | quote }}
PHP_UPLOAD_LIMIT: {{ .Values.nextcloud.php.upload_limit | quote }}
{{/* Notify Push */}}
NX_NOTIFY_PUSH: {{ .Values.nextcloud.notify_push.enabled | quote }}
{{- if .Values.nextcloud.notify_push.enabled }}
{{- $endpoint := .Values.chartContext.APPURL -}}
{{- if or (contains "127.0.0.1" $endpoint) (contains "localhost" $endpoint) -}}
{{- $endpoint = printf "http://%v:%v" $fullname .Values.service.main.ports.main.port -}}
{{- end }}
NX_NOTIFY_PUSH_ENDPOINT: {{ $endpoint }}/push
{{- end }}
{{/* Previews */}}
NX_PREVIEWS: {{ .Values.nextcloud.previews.enabled | quote }}
{{- if not (deepEqual .Values.nextcloud.previews.providers (uniq .Values.nextcloud.previews.providers)) }}
{{- fail (printf "Nextcloud - Expected preview providers to be unique but got [%v]" .Values.nextcloud.previews.providers) }}
{{- end }}
NX_PREVIEW_PROVIDERS: {{ join " " .Values.nextcloud.previews.providers }}
NX_PREVIEW_MAX_X: {{ .Values.nextcloud.previews.max_x | quote }}
NX_PREVIEW_MAX_Y: {{ .Values.nextcloud.previews.max_y | quote }}
NX_PREVIEW_MAX_MEMORY: {{ .Values.nextcloud.previews.max_memory | quote }}
NX_PREVIEW_MAX_FILESIZE_IMAGE: {{ .Values.nextcloud.previews.max_file_size_image | quote }}
NX_JPEG_QUALITY: {{ .Values.nextcloud.previews.jpeg_quality | quote }}
NX_PREVIEW_SQUARE_SIZES: {{ .Values.nextcloud.previews.square_sizes | quote }}
NX_PREVIEW_WIDTH_SIZES: {{ .Values.nextcloud.previews.width_sizes | quote }}
NX_PREVIEW_HEIGHT_SIZES: {{ .Values.nextcloud.previews.height_sizes | quote }}
{{/* Imaginary */}}
NX_IMAGINARY: {{ and .Values.nextcloud.previews.enabled .Values.nextcloud.previews.imaginary | quote }}
{{- if and .Values.nextcloud.previews.enabled .Values.nextcloud.previews.imaginary }}
NX_IMAGINARY_URL: {{ printf "http://%v-imaginary:%v" $fullname .Values.service.imaginary.ports.imaginary.port }}
{{- end }}
{{/* Expirations */}}
NX_ACTIVITY_EXPIRE_DAYS: {{ .Values.nextcloud.expirations.activity_expire_days | quote }}
NX_TRASH_RETENTION: {{ .Values.nextcloud.expirations.trash_retention_obligation | quote }}
NX_VERSIONS_RETENTION: {{ .Values.nextcloud.expirations.versions_retention_obligation | quote }}
{{/* General */}}
NX_RUN_OPTIMIZE: {{ .Values.nextcloud.general.run_optimize | quote }}
NX_DEFAULT_PHONE_REGION: {{ .Values.nextcloud.general.default_phone_region | quote }}
NEXTCLOUD_DATA_DIR: {{ .Values.persistence.data.targetSelector.main.main.mountPath }}
{{/* Files */}}
NX_SHARED_FOLDER_NAME: {{ .Values.nextcloud.files.shared_folder_name | quote }}
NX_MAX_CHUNKSIZE: {{ .Values.nextcloud.files.max_chunk_size | mul 1 | quote }}
{{/* Logging */}}
NX_LOG_LEVEL: {{ .Values.nextcloud.logging.log_level | quote }}
NX_LOG_FILE: {{ .Values.nextcloud.logging.log_file | quote }}
NX_LOG_FILE_AUDIT: {{ .Values.nextcloud.logging.log_audit_file | quote }}
NX_LOG_DATE_FORMAT: {{ .Values.nextcloud.logging.log_date_format | quote }}
NX_LOG_TIMEZONE: {{ .Values.TZ | quote }}
{{/* ClamAV */}}
NX_CLAMAV: {{ .Values.nextcloud.clamav.enabled | quote }}
{{- if .Values.nextcloud.clamav.enabled }}
NX_CLAMAV_HOST: {{ printf "%v-clamav" $fullname }}
NX_CLAMAV_PORT: {{ .Values.service.clamav.ports.clamav.targetPort | quote }}
NX_CLAMAV_STREAM_MAX_LENGTH: {{ .Values.nextcloud.clamav.stream_max_length | mul 1 | quote }}
NX_CLAMAV_FILE_MAX_SIZE: {{ .Values.nextcloud.clamav.file_max_size | quote }}
NX_CLAMAV_INFECTED_ACTION: {{ .Values.nextcloud.clamav.infected_action | quote }}
{{- end }}
{{- if and .Values.nextcloud.collabora.enabled .Values.nextcloud.onlyoffice.enabled -}}
{{- fail "Nextcloud - Expected only one of [Collabora, OnlyOffice] to be enabled" -}}
{{- end }}
{{/* Collabora */}}
NX_COLLABORA: {{ .Values.nextcloud.collabora.enabled | quote }}
{{- if .Values.nextcloud.collabora.enabled }}
NX_COLLABORA_URL: {{ .Values.nextcloud.collabora.url | quote }}
NX_COLLABORA_ALLOWLIST: {{ join "," .Values.nextcloud.collabora.allow_list | quote }}
{{- end }}
{{/* Only Office */}}
NX_ONLYOFFICE: {{ .Values.nextcloud.onlyoffice.enabled | quote }}
{{- if .Values.nextcloud.onlyoffice.enabled }}
NX_ONLYOFFICE_URL: {{ .Values.nextcloud.onlyoffice.url | quote }}
NX_ONLYOFFICE_JWT: {{ .Values.nextcloud.onlyoffice.jwt | quote }}
NX_ONLYOFFICE_JWT_HEADER: {{ .Values.nextcloud.onlyoffice.jwt_header | quote }}
{{- end }}
{{/* URLs */}}
NX_OVERWRITE_HOST: {{ $urlNoProtocol }}
NX_OVERWRITE_CLI_URL: {{ .Values.chartContext.APPURL }}
# Return the protocol part of the URL
NX_OVERWRITE_PROTOCOL: {{ $protocolOnly | lower }}
# IP (or range in this case) of the proxy(ies)
NX_TRUSTED_PROXIES: |
{{ .Values.chartContext.svcCIDR }}
# fullname-* will allow access from the
# other services in the same namespace
NX_TRUSTED_DOMAINS: |
127.0.0.1
localhost
{{ $fullname }}
{{ printf "%v-*" $fullname }}
{{ $healthHost }}
{{- if ne $urlNoProtocol "127.0.0.1" }}
{{- $urlNoProtocol | nindent 6 }}
{{- end -}}
{{- with .Values.nextcloud.general.accessIP }}
{{- . | nindent 6 }}
{{- end }}
# TODO: Replace locations with ingress
# like /push, /.well-known/carddav, /.well-known/caldav
# needs some work as nginx converts urls to pretty urls
# before matching them to locations, so ingress needs to
# take that into consideration.
nginx-config:
enabled: true
data:
nginx.conf: |
worker_processes auto;
error_log /var/log/nginx/error.log warn;
# Set to /tmp so it can run as non-root
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
# Set to /tmp so it can run as non-root
client_body_temp_path /tmp/nginx/client_temp;
proxy_temp_path /tmp/nginx/proxy_temp_path;
fastcgi_temp_path /tmp/nginx/fastcgi_temp;
uwsgi_temp_path /tmp/nginx/uwsgi_temp;
scgi_temp_path /tmp/nginx/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
# Prevent nginx HTTP Server Detection
server_tokens off;
keepalive_timeout 65;
#gzip on;
upstream php-handler {
server {{ printf "%v-nextcloud" $fullname }}:{{ .Values.service.nextcloud.ports.nextcloud.targetPort }};
}
server {
listen {{ .Values.service.main.ports.main.port }};
absolute_redirect off;
{{- if .Values.nextcloud.notify_push.enabled }}
# Forward Notify_Push "High Performance Backend" to it's own container
location ^~ /push/ {
# The trailing "/" is important!
proxy_pass http://{{ printf "%v-notify" $fullname }}:{{ .Values.service.notify.ports.notify.targetPort }}/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
{{- end }}
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# Set max upload size
client_max_body_size {{ .Values.nextcloud.php.upload_limit | default "512M" }};
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root {{ .Values.persistence.html.targetSelector.nginx.nginx.mountPath }};
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# According to the documentation these two lines are not necessary,
# but some users are still receiving errors
location = /.well-known/webfinger { return 301 /index.php$uri; }
location = /.well-known/nodeinfo { return 301 /index.php$uri; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
fastcgi_send_timeout 3600s;
fastcgi_read_timeout 3600s;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
}
{{- end -}}
@@ -0,0 +1,34 @@
{{- define "nextcloud.cronjobs" -}}
{{- range $cj := .Values.cronjobs }}
{{- $name := $cj.name | required "Nextcloud - Expected non-empty name in cronjob" -}}
{{- $schedule := $cj.schedule | required "Nextcloud - Expected non-empty schedule in cronjob" }}
{{ $name }}:
enabled: {{ $cj.enabled | quote }}
type: CronJob
schedule: {{ $schedule | quote }}
podSpec:
restartPolicy: Never
containers:
{{ $name }}:
enabled: true
primary: true
imageSelector: image
command:
- /bin/bash
- -c
- |
{{- range $cj.cmd }}
{{- . | nindent 12 }}
{{- else -}}
{{- fail "Nextcloud - Expected non-empty cmd in cronjob" -}}
{{- end }}
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
{{- end }}
{{- end -}}
@@ -0,0 +1,29 @@
{{- define "nextcloud.init.perms" -}}
{{- $uid := .Values.securityContext.container.runAsUser -}}
{{- $gid := .Values.securityContext.container.runAsGroup -}}
{{- $path := .Values.persistence.data.targetSelector.main.main.mountPath }}
enabled: true
type: install
imageSelector: alpineImage
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
disableS6Caps: true
add:
- DAC_OVERRIDE
- FOWNER
- CHOWN
command: /bin/sh
args:
- -c
- |
echo "Setting permissions to 700 on data directory [{{ $path }}] ..."
chmod 770 {{ $path }} | echo "Failed to set permissions on data directory [{{ $path }}]"
echo "Setting ownership to {{ $uid }}:{{ $gid }} on data directory [{{ $path }}] ..."
chown {{ $uid }}:{{ $gid }} {{ $path }} | echo "Failed to set ownership on data directory [{{ $path }}]"
echo "Finished."
{{- end -}}
@@ -0,0 +1,25 @@
{{- define "nextcloud.wait.nextcloud" -}}
{{- $fullname := (include "tc.v1.common.lib.chart.names.fullname" $) -}}
{{- $ncURL := printf "%v-nextcloud:%v" $fullname .Values.service.nextcloud.ports.nextcloud.targetPort }}
enabled: true
type: init
imageSelector: image
securityContext:
command: /bin/sh
args:
- -c
- |
echo "Waiting Nextcloud [{{ $ncURL }}] to be ready and installed..."
until \
REQUEST_METHOD="GET" \
SCRIPT_NAME="status.php" \
SCRIPT_FILENAME="status.php" \
cgi-fcgi -bind -connect "{{ $ncURL }}" | grep -q '"installed":true';
do
echo "Waiting Nextcloud [{{ $ncURL }}] to be ready and installed..."
sleep 3
done
echo "Nextcloud is ready and installed..."
echo "Starting Nginx..."
{{- end -}}
@@ -0,0 +1,57 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.v1.common.loader.init" . -}}
{{/* Render configmaps for all pods */}}
{{- $configmaps := include "nextcloud.configmaps" . | fromYaml -}}
{{- if $configmaps -}}
{{- $_ := mustMergeOverwrite .Values.configmap $configmaps -}}
{{- end -}}
{{/* Add [init perms] container to nextcloud */}}
{{- if not (get .Values.workload.main.podSpec "initContainers") -}}
{{- $_ := set .Values.workload.main.podSpec "initContainers" dict -}}
{{- end -}}
{{- $initPerms := (include "nextcloud.init.perms" . | fromYaml) -}}
{{- $_ := set .Values.workload.main.podSpec.initContainers "init-perms" $initPerms -}}
{{/* Add [wait nextcloud] container to nginx */}}
{{- if not (get .Values.workload.nginx.podSpec "initContainers") -}}
{{- $_ := set .Values.workload.nginx.podSpec "initContainers" dict -}}
{{- end -}}
{{- $waitNextcloud := (include "nextcloud.wait.nextcloud" . | fromYaml) -}}
{{- $_ := set .Values.workload.nginx.podSpec.initContainers "wait-nextcloud" $waitNextcloud -}}
{{/* Disable [notify push] if requested */}}
{{- if not .Values.nextcloud.notify_push.enabled -}}
{{- $_ := set .Values.workload.notify "enabled" false -}}
{{- $_ := set .Values.service.notify "enabled" false -}}
{{- else -}}
{{/* Add [wait nextcloud] container to notify push */}}
{{- if not (get .Values.workload.notify.podSpec "initContainers") -}}
{{- $_ := set .Values.workload.notify.podSpec "initContainers" dict -}}
{{- end -}}
{{- $waitNextcloud := (include "nextcloud.wait.nextcloud" . | fromYaml) -}}
{{- $_ := set .Values.workload.notify.podSpec.initContainers "wait-nextcloud" $waitNextcloud -}}
{{- end -}}
{{/* Disable [clamav] if requested */}}
{{- if not .Values.nextcloud.clamav.enabled -}}
{{- $_ := set .Values.workload.clamav "enabled" false -}}
{{- $_ := set .Values.service.clamav "enabled" false -}}
{{- end -}}
{{/* Disable [previews] if requested */}}
{{- if or (not .Values.nextcloud.previews.imaginary) (not .Values.nextcloud.previews.enabled) -}}
{{- $_ := set .Values.workload.imaginary "enabled" false -}}
{{- $_ := set .Values.service.imaginary "enabled" false -}}
{{- end -}}
{{/* Create [cronjobs] defined */}}
{{- $cronjobs := include "nextcloud.cronjobs" . | fromYaml -}}
{{- if $cronjobs -}}
{{- $_ := mustMergeOverwrite .Values.workload $cronjobs -}}
{{- end -}}
{{/* Render the templates */}}
{{- include "tc.v1.common.loader.apply" . -}}
+430
View File
@@ -0,0 +1,430 @@
image:
repository: tccr.io/truecharts/nextcloud-fpm
pullPolicy: IfNotPresent
tag: v2.0.0@sha256:c3ff63fa9613fbad94c7950743482c8bb2a2a659ac42b3daac8963e0bbaf5129
nginxImage:
repository: tccr.io/truecharts/nginx-unprivileged
pullPolicy: IfNotPresent
tag: v1.24.0@sha256:f6386a703b6a0679b6274cc366a6efe7a06b8b5b3391353465d9d1649b4584ef
imaginaryImage:
repository: tccr.io/truecharts/nextcloud-imaginary
pullPolicy: IfNotPresent
tag: v20230401@sha256:4f5e3895987a9d12336f772a64a77dd662c6c9bb2b96820b19ffbab58f3ff982
hpbImage:
repository: tccr.io/truecharts/nextcloud-push-notify
pullPolicy: IfNotPresent
tag: v0.6.3@sha256:25c0a2f0c3eeb64e26be102cc3be09d8ce19b8d05397e188f73f94de8359d339
clamavImage:
repository: tccr.io/truecharts/clamav
pullPolicy: IfNotPresent
tag: v1.1.0@sha256:ab196d867fcfddedc8dc965d67a2e6824ca65488cf616cc707e9c36efd54e086
nextcloud:
# Initial Credentials
credentials:
initialAdminUser: admin
initialAdminPassword: adminpass
# General settings
general:
# Custom Nextcloud Scripts
run_optimize: true
default_phone_region: GR
# IP used for exposing nextcloud,
# often the loadbalancer IP
accessIP: ""
# File settings
files:
shared_folder_name: Shared
max_chunk_size: 10485760
# Expiration settings
expirations:
activity_expire_days: 90
trash_retention_obligation: auto
versions_retention_obligation: auto
# Previews settings
previews:
enabled: true
# It will also deploy the container
imaginary: true
cron: true
schedule: "*/30 * * * *"
max_x: 2048
max_y: 2048
max_memory: 1024
max_file_size_image: 50
jpeg_quality: 60
square_sizes: 32 256
width_sizes: 256 384
height_sizes: 256
# Casings are important
# https://github.com/nextcloud/server/blob/master/config/config.sample.php#L1269
# Only the last part of the provider is needed
providers:
- PNG
- JPEG
# Logging settings
logging:
log_level: 2
log_file: /var/www/html/data/logs/nextcloud.log
log_audit_file: /var/www/html/data/logs/audit.log
log_date_format: d/m/Y H:i:s
# ClamAV settings
clamav:
# It will also deploy the container
# Note that this runs as root
enabled: false
stream_max_length: 26214400
file_max_size: -1
infected_action: only_log
# Notify Push settings
notify_push:
# It will also deploy the container
enabled: true
# Collabora settings
collabora:
# It will not deploy the container
# Only add the Collabora settings
enabled: false
url: ""
allow_list:
- 0.0.0.0/0
onlyoffice:
# It will not deploy the container
# Only add the OnlyOffice settings
enabled: false
url: ""
jwt: ""
jwt_header: Authorization
# PHP settings
php:
memory_limit: 1G
upload_limit: 10G
pm_max_children: 180
pm_start_servers: 18
pm_min_spare_servers: 12
pm_max_spare_servers: 30
# Do NOT edit below this line
workload:
# Nextcloud php-fpm
main:
type: Deployment
podSpec:
containers:
main:
enabled: true
primary: true
envFrom:
- configMapRef:
name: nextcloud-config
probes:
liveness:
enabled: true
type: exec
command: /healthcheck.sh
readiness:
enabled: true
type: exec
command: /healthcheck.sh
startup:
enabled: true
type: tcp
port: "{{ .Values.service.nextcloud.ports.nextcloud.targetPort }}"
nginx:
enabled: true
type: Deployment
strategy: RollingUpdate
replicas: 1
podSpec:
containers:
nginx:
enabled: true
primary: true
imageSelector: nginxImage
probes:
readiness:
enabled: true
path: /robots.txt
port: "{{ .Values.service.main.ports.main.port }}"
httpHeaders:
Host: kube.internal.healthcheck
liveness:
enabled: true
path: /robots.txt
port: "{{ .Values.service.main.ports.main.port }}"
httpHeaders:
Host: kube.internal.healthcheck
startup:
enabled: true
type: tcp
port: "{{ .Values.service.main.ports.main.port }}"
notify:
enabled: true
type: Deployment
strategy: RollingUpdate
replicas: 1
podSpec:
containers:
notify:
primary: true
enabled: true
imageSelector: hpbImage
envFrom:
- configMapRef:
name: hpb-config
probes:
readiness:
enabled: true
path: /push/test/cookie
port: 7867
httpHeaders:
Host: kube.internal.healthcheck
liveness:
enabled: true
path: /push/test/cookie
port: 7867
httpHeaders:
Host: kube.internal.healthcheck
startup:
enabled: true
type: tcp
port: 7867
imaginary:
enabled: true
type: Deployment
strategy: RollingUpdate
replicas: 1
podSpec:
containers:
imaginary:
primary: true
enabled: true
imageSelector: imaginaryImage
command: imaginary
args:
- -p
- "{{ .Values.service.imaginary.ports.imaginary.port }}"
- -concurrency
- "10"
- -enable-url-source
- -return-size
probes:
readiness:
enabled: true
path: /health
port: "{{ .Values.service.imaginary.ports.imaginary.port }}"
liveness:
enabled: true
path: /health
port: "{{ .Values.service.imaginary.ports.imaginary.port }}"
startup:
enabled: true
type: tcp
port: "{{ .Values.service.imaginary.ports.imaginary.port }}"
clamav:
enabled: true
type: Deployment
strategy: RollingUpdate
replicas: 1
podSpec:
containers:
clamav:
primary: true
enabled: true
imageSelector: clamavImage
# FIXME: https://github.com/Cisco-Talos/clamav/issues/478
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
envFrom:
- configMapRef:
name: clamav-config
probes:
readiness:
enabled: true
type: exec
command: clamdcheck.sh
liveness:
enabled: true
type: exec
command: clamdcheck.sh
startup:
enabled: true
type: tcp
port: "{{ .Values.service.clamav.ports.clamav.targetPort }}"
cronjobs:
# Don't change names, it's used in the persistence
- name: nextcloud-cron
enabled: true
schedule: "*/5 * * * *"
cmd:
- echo "Running [php -f /var/www/html/cron.php] ..."
- php -f /var/www/html/cron.php
- echo "Finished [php -f /var/www/html/cron.php]"
- name: preview-cron
enabled: "{{ .Values.nextcloud.previews.cron }}"
schedule: "{{ .Values.nextcloud.previews.schedule }}"
cmd:
- echo "Running [occ preview:pre-generate] ..."
- occ preview:pre-generate
- echo "Finished [occ preview:pre-generate]"
service:
# Main service links to ingress easier
# That's why the nginx is swapped with nextcloud
main:
targetSelector: nginx
ports:
main:
targetSelector: nginx
port: 8080
nextcloud:
enabled: true
targetSelector: main
ports:
nextcloud:
enabled: true
targetSelector: main
port: 9000
targetPort: 9000
notify:
enabled: true
targetSelector: notify
ports:
notify:
enabled: true
primary: true
port: 7867
targetPort: 7867
targetSelector: notify
metrics:
enabled: true
port: 7868
targetSelector: notify
imaginary:
enabled: true
targetSelector: imaginary
ports:
imaginary:
enabled: true
port: 9090
targetSelector: imaginary
clamav:
enabled: true
targetSelector: clamav
ports:
clamav:
enabled: true
port: 3310
targetPort: 3310
targetSelector: clamav
persistence:
php-tune:
enabled: true
type: configmap
objectName: php-tune
targetSelector:
main:
main:
mountPath: /usr/local/etc/php-fpm.d/zz-tune.conf
subPath: zz-tune.conf
readOnly: true
redis-session:
enabled: true
type: configmap
objectName: redis-session
targetSelector:
main:
main:
mountPath: /usr/local/etc/php/conf.d/redis-session.ini
subPath: redis-session.ini
readOnly: true
nginx:
enabled: true
type: configmap
objectName: nginx-config
targetSelector:
nginx:
nginx:
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
nginx-temp:
enabled: true
type: emptyDir
targetSelector:
nginx:
nginx:
mountPath: /tmp/nginx
html:
enabled: true
targetSelector:
main:
main:
mountPath: /var/www/html
nextcloud-cron:
nextcloud-cron:
mountPath: /var/www/html
preview-cron:
preview-cron:
mountPath: /var/www/html
nginx:
nginx:
mountPath: /var/www/html
readOnly: true
config:
enabled: true
targetSelector:
main:
main:
mountPath: /var/www/html/config
nextcloud-cron:
nextcloud-cron:
mountPath: /var/www/html/config
preview-cron:
preview-cron:
mountPath: /var/www/html/config
notify:
notify:
mountPath: /var/www/html/config
readOnly: true
nginx:
nginx:
mountPath: /var/www/html/config
readOnly: true
data:
enabled: true
targetSelector:
main:
main:
mountPath: /var/www/html/data
init-perms:
mountPath: /var/www/html/data
nextcloud-cron:
nextcloud-cron:
mountPath: /var/www/html/data
preview-cron:
preview-cron:
mountPath: /var/www/html/data
nginx:
nginx:
mountPath: /var/www/html/data
readOnly: true
cnpg:
main:
enabled: true
user: nextcloud
database: nextcloud
redis:
enabled: true
username: default
portal:
open:
enabled: true
@@ -30,8 +30,38 @@
description: Automatically set permissions on install
schema:
show_if: [["type", "=", "hostPath"]]
hidden: true
type: boolean
default: false
- variable: autoPermissions
label: Automatic Permissions Configuration
description: Automatically set permissions
schema:
show_if: [["type", "!=", "pvc"]]
type: dict
additional_attrs: true
attrs:
- variable: chown
label: Run CHOWN
description: |
It will run CHOWN on the path with the given fsGroup
schema:
type: boolean
default: false
- variable: chmod
label: Run CHMOD
description: |
It will run CHMOD on the path with the given value
schema:
type: string
default: "775"
- variable: recursive
label: Recursive
description: |
It will run CHOWN and CHMOD recursively
schema:
type: boolean
default: false
- variable: readOnly
label: Read Only
schema: