From 5264bdbf4ff3be6317fa5df237965044499e0d49 Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Mon, 3 Jun 2024 01:15:22 +0300 Subject: [PATCH] Temp and works? --- README.org | 10 + templates/auth.yaml | 467 ++++++++++---------------------------------- 2 files changed, 115 insertions(+), 362 deletions(-) diff --git a/README.org b/README.org index a7ee24a..d4b21b9 100644 --- a/README.org +++ b/README.org @@ -90,3 +90,13 @@ https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l https://gitlab.com/davical-project/davical/-/blob/master/config/example-config.php Line 800 ish for auth from reverse proxy + +* NEXTCLOUD + +I ran THIS command inside +su www-data -s /bin/bash -c php occ ldap:promote-group "admins" + +* I UNDERSTAND + +I need to backup Chen's stuff +And... I need to Jellyfin diff --git a/templates/auth.yaml b/templates/auth.yaml index d78697a..bd71f87 100644 --- a/templates/auth.yaml +++ b/templates/auth.yaml @@ -1,4 +1,4 @@ - --- +--- apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -341,467 +341,210 @@ spec: port: number: 3000 --- - apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: davical-postgres-pvc + name: nextcloud-postgres-pvc spec: accessModes: - ReadWriteMany resources: requests: - storage: 1Gi + storage: 5Gi storageClassName: longhorn - --- -{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}} -{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-data-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Ti + storageClassName: longhorn +--- +apiVersion: v1 +kind: Secret +metadata: + name: nextcloud-postgres-pass + annotations: + "helm.sh/resource-policy": "keep" +type: Opaque +data: + {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }} + {{- $secretData := (get $secretObj "data") | default dict }} + {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} + password: {{ $pass | quote }} +--- +{{- $_ := set $ "homey_nextcloud_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "nextcloud-postgres-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "nextcloud-postgres-pass" "secretval" .homey_nextcloud_postgres_pass) $) }} +--- +{{- $_ := set $ "homey_nextcloud_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "nextcloud-admin-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "nextcloud-admin-pass" "secretval" .homey_nextcloud_admin_pass) $) }} --- -# apiVersion: extensions/v1beta1 apiVersion: v1 kind: ConfigMap metadata: - name: davical-postgres-config + name: nextcloud-postgres-config labels: - app: davical-postgres + app: nextcloud-postgres data: - POSTGRES_DB: postgres + POSTGRES_DB: nextcloud_db 
POSTGRES_USER: postgres --- apiVersion: apps/v1 kind: Deployment metadata: - name: davical-postgres + name: nextcloud-postgres labels: - app: davical-postgres + app: nextcloud-postgres spec: replicas: 1 selector: matchLabels: - app: davical-postgres + app: nextcloud-postgres template: metadata: labels: - app: davical-postgres - name: davical-postgres + app: nextcloud-postgres + name: nextcloud-postgres spec: containers: - - name: davical-postgres - image: postgres:10.4 + - name: nextcloud-postgres + image: postgres imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432 envFrom: - configMapRef: - name: davical-postgres-config + name: nextcloud-postgres-config env: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: - name: davical-postgres-pass + name: nextcloud-postgres-pass key: password volumeMounts: - mountPath: /var/lib/postgresql/data - subPath: data - name: davical-postgredb + subPath: nextcloud/db + name: nextcloud-postgredb volumes: - - name: davical-postgredb + - name: nextcloud-postgredb persistentVolumeClaim: - claimName: davical-postgres-pvc + claimName: nextcloud-postgres-pvc --- apiVersion: v1 kind: Service metadata: - name: davical-postgres + name: nextcloud-postgres labels: - app: davical-postgres + app: nextcloud-postgres spec: ports: - port: 5432 selector: - app: davical-postgres ---- -{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}} -{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }} + app: nextcloud-postgres --- apiVersion: v1 kind: ConfigMap metadata: - name: davical-conf + name: nextcloud-configmap + labels: + app: nextcloud data: - config.php: |- -{{ tpl (.Files.Get "files/davical-config.php" | indent 4) . 
}} + POSTGRES_HOST: nextcloud-postgres + OVERWRITEPROTOCOL: https + NEXTCLOUD_ADMIN_USER: admin + NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.{{ .Values.homey.url }} nextcloud.admin.home --- apiVersion: apps/v1 kind: Deployment metadata: - name: davical + name: nextcloud labels: - app: davical + app: nextcloud spec: replicas: 1 selector: matchLabels: - app: davical + app: nextcloud template: metadata: labels: - app: davical + app: nextcloud + name: nextcloud spec: containers: - - name: davical - image: anerisgreat/davical-multiarch-docker:latest - imagePullPolicy: "Always" - ports: - - containerPort: 80 - name: dav - env: - - name: PGHOST - value: "davical-postgres" - - name: PGUSER - value: "postgres" - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: davical-postgres-pass - key: password - - name: PGDATABASE - value: "davical" - - name: PGPORT - value: "5432" - - name: HOST_NAME - value: - "dav.{{ .Values.homey.url }}" - - name: DAVICAL_ADMIN_PASS - valueFrom: - secretKeyRef: - name: davical-admin-pass - key: password - - name: ROOT_PGUSER - value: "postgres" - - name: ROOT_PGPASSWORD - valueFrom: - secretKeyRef: - name: davical-postgres-pass - key: password - - name: RUN_MIGRATIONS_AT_STARTUP - value: "true" + - name: nextcloud + image: nextcloud + imagePullPolicy: Always volumeMounts: - - name: davical-conf - mountPath: /etc/davical/config.php - subPath: config.php - readOnly: true - volumes: - - name: davical-conf - configMap: - name: davical-conf - items: - - key: config.php - path: config.php ---- -apiVersion: v1 -kind: Service -metadata: - name: davical -spec: - selector: - app: davical - ports: - - name: dav - protocol: TCP - port: 80 - targetPort: 80 - selector: - app: davical ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: davical - annotations: - kubernetes.io/ingress.allow-http: "false" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: 
http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Method $request_method; - auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - proxy_set_header Remote-User $user; - proxy_set_header Remote-Fullname $name; - proxy_set_header Remote-Email $email; - proxy_set_header Redirect-Remote-User $user; - proxy_set_header Redirect-Remote-Fullname $name; - proxy_set_header Redirect-Remote-Email $email; -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - dav.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: dav.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: davical - port: - number: 80 ---- ---- -apiVersion: v1 -kind: Secret -metadata: - name: sogo-db-pass -type: Opaque -data: - password: "sogo" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: sogo-postgres-config - labels: - app: sogo-postgres -data: - POSTGRES_DB: sogo - POSTGRES_USER: sogo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sogo-postgres - labels: - app: sogo-postgres -spec: - replicas: 1 - selector: - matchLabels: - app: sogo-postgres - template: - metadata: - labels: - app: sogo-postgres - name: sogo-postgres - spec: - containers: - - name: postgres - image: postgres:10.4 - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 5432 + - name: nextcloud-volume + mountPath: "/var/www/html" + subPath: html envFrom: - configMapRef: - name: sogo-postgres-config + name: nextcloud-postgres-config + - 
configMapRef: + name: nextcloud-configmap env: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: - name: sogo-db-pass + name: nextcloud-postgres-pass + key: password + - name: NEXTCLOUD_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: nextcloud-admin-pass key: password - volumeMounts: - - mountPath: /var/lib/postgresql/data - subPath: sogo/db/data - name: sogo-postgresdb volumes: - - name: sogo-postgresdb + - name: nextcloud-volume persistentVolumeClaim: - claimName: homey-pvc-longhorn + claimName: nextcloud-data-pvc --- apiVersion: v1 kind: Service metadata: - name: sogo-postgres - labels: - app: sogo-postgres + name: nextcloud spec: - ports: - - port: 5432 selector: - app: sogo-postgres ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: sogo-conf -data: - sogo.conf: |- - { - /* ********************* Main SOGo configuration file ********************** - * * - * Since the content of this file is a dictionary in OpenStep plist format, * - * the curly braces enclosing the body of the configuration are mandatory. * - * See the Installation Guide for details on the format. * - * * - * C and C++ style comments are supported. * - * * - * This example configuration contains only a subset of all available * - * configuration parameters. Please see the installation guide more details. * - * * - * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file, * - * make sure to move it away to avoid unwanted parameter overrides. 
* - * * - * **************************************************************************/ - - /* Database configuration (mysql:// or postgresql://) */ - SOGoProfileURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_user_profile"; - OCSFolderInfoURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_sessions_folder"; - - /* Mail */ - SOGoDraftsFolderName = Drafts; - SOGoSentFolderName = Sent; - SOGoTrashFolderName = Trash; - //SOGoIMAPServer = localhost; - //SOGoSieveServer = sieve://127.0.0.1:4190; - //SOGoSMTPServer = smtp://domain:port/?tls=YES; - //SOGoMailDomain = acme.com; - SOGoMailingMechanism = smtp; - //SOGoForceExternalLoginWithEmail = NO; - //SOGoMailSpoolPath = /var/spool/sogo; - //NGImap4ConnectionStringSeparator = "/"; - - /* Notifications */ - //SOGoAppointmentSendEMailNotifications = NO; - //SOGoACLsSendEMailNotifications = NO; - //SOGoFoldersSendEMailNotifications = NO; - - /* Authentication */ - SOGoPasswordChangeEnabled = YES; - - SOGoUserSources = ( - { - type = ldap; - CNFieldName = cn; - UIDFieldName = uid; - IDFieldName = uid; // first field of the DN for direct binds - bindFields = (uid, mail); // array of fields to use for indirect binds - baseDN = "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; - bindDN = "cn=readonly,{{ .Values.homey.url | replace "." 
",dc=" | printf "dc=%s " | trim }}"; - bindPassword = {{ include "homey.lookuprandomsecret" (merge (dict "secretname" "openldap-ro") $) }}; - canAuthenticate = YES; - displayName = "Shared Addresses"; - hostname = ldap://openldap:389; - id = public; - isAddressBook = YES; - } - ); - - /* Web Interface */ - //SOGoPageTitle = SOGo; - SOGoVacationEnabled = YES; - SOGoForwardEnabled = YES; - SOGoSieveScriptsEnabled = YES; - //SOGoMailAuxiliaryUserAccountsEnabled = YES; - //SOGoTrustProxyAuthentication = NO; - SOGoXSRFValidationEnabled = YES; - - /* General - SOGoTimeZone *MUST* be defined */ - SOGoLanguage = English; - SOGoTimeZone = Asia/Jerusalem; - //SOGoCalendarDefaultRoles = ( - // PublicDAndTViewer, - // ConfidentialDAndTViewer - //); - //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens! - SxVMemLimit = 384; - //WOPidFile = "/var/run/sogo/sogo.pid"; - SOGoMemcachedHost = "/var/run/memcached/memcached.sock"; - - /* Debug */ - //SOGoDebugRequests = YES; - //SoDebugBaseURL = YES; - //ImapDebugEnabled = YES; - //LDAPDebugEnabled = YES; - //PGDebugEnabled = YES; - //MySQL4DebugEnabled = YES; - //SOGoUIxDebugEnabled = YES; - //WODontZipResponse = YES; - //WOLogFile = /var/log/sogo/sogo.log; - } - ---- -apiVersion: v1 -kind: Service -metadata: - name: sogo - labels: - app: sogo -spec: + app: nextcloud ports: - port: 80 targetPort: 80 - selector: - app: sogo ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: sogo -spec: - # Stop old container before starting new one. - # No known upgrade policy know. Save to stop and start a new one. 
- strategy: - type: Recreate - rollingUpdate: null - selector: - matchLabels: - app: sogo - replicas: 1 - template: - metadata: - labels: - app: sogo - spec: - containers: - - name: sogo - image: effitient/sogo:5.1.0_7 - resources: - requests: - cpu: 100m - memory: 400Mi - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /etc/sogo/sogo.conf - name: sogo-conf - subPath: sogo.conf - readOnly: true - volumes: - - name: sogo-conf - configMap: - name: sogo-conf - optional: false + name: nextcloud --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: sogo-ingress + name: nextcloud-ingress + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 5g + nginx.ingress.kubernetes.io/server-snippet: | + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location = /.well-known/carddav { return 301 https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/; } + location = /.well-known/caldav { return 301 https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/; } spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - - git.{{ .Values.homey.url }} + - nextcloud.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - - host: sogo.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: soo - port: - number: 80 - + - host: nextcloud.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: nextcloud + port: + number: 80 ---
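Review bot: The `nextcloud-postgres-pass` Secret is rendered twice in this hunk: once as the inline `kind: Secret` block built from `lookup`/`randAlphaNum`, and again immediately after it through `homey.lookuporgensecret` + `homey.randomsecret` with the same `secretname`; if that helper emits a Secret (as it evidently did for the davical secrets this hunk removes), the chart yields two objects with one name and one of the generated passwords is silently discarded, so only one of the two definitions should survive. The database image also loses the pin the removed davical deployment carried (`postgres:10.4` → `image: postgres`), so any pod restart that pulls a newer major can refuse to start against the existing data directory under `subPath: nextcloud/db`; pin it, e.g. `image: postgres:<pinned-major-version>`, and give `image: nextcloud` a tag for the same reason. The `nginx.ingress.kubernetes.io/server-snippet` annotation is, as far as I recall, rejected by default on current ingress-nginx releases unless `allow-snippet-annotations` is enabled on the controller, so the `/.well-known/carddav` and `/.well-known/caldav` redirects may silently not apply; worth confirming against the target controller's configuration.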