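---
# Database password for the Nextcloud Postgres instance.
# On upgrade the existing Secret is read back with `lookup`, so the password is
# not rotated underneath a database that was already initialised with it; a
# fresh random value is generated only when no Secret exists yet.
# NOTE(review): `lookup` has no cluster access under `helm template` and
# `--dry-run`, so those modes render a new password on every run.
# `helm.sh/resource-policy: keep` leaves the Secret in place on uninstall so a
# re-install can still open the data directory that stays on the PVC.
apiVersion: v1
kind: Secret
metadata:
  name: nextcloud-postgres-pass
  annotations:
    "helm.sh/resource-policy": "keep"
type: Opaque
data:
  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }}
  {{- $secretData := (get $secretObj "data") | default dict }}
  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
  password: {{ $pass | quote }}
---
# Non-secret Postgres settings, shared by the database pod and the Nextcloud pod
# (both import them with envFrom).
# NOTE(review): POSTGRES_USER is the `postgres` superuser, so the application
# connects with full privileges on the instance. A dedicated role that owns only
# nextcloud_db would limit what a compromised Nextcloud could do to the database.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nextcloud-postgres-config
  labels:
    app: nextcloud-postgres
data:
  POSTGRES_DB: nextcloud_db
  POSTGRES_USER: postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud-postgres
  labels:
    app: nextcloud-postgres
spec:
  replicas: 1
  # Postgres is a single-writer process and its data directory lives on a
  # shared PVC. The default RollingUpdate strategy starts the replacement pod
  # while the old one is still running against the same directory; Recreate
  # guarantees the old pod has terminated before the new one mounts it.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nextcloud-postgres
  template:
    metadata:
      labels:
        app: nextcloud-postgres
      name: nextcloud-postgres
    spec:
      containers:
        - name: nextcloud-postgres
          # NOTE(review): the 10.x series is past upstream end-of-life and no
          # longer receives security fixes. A major-version move needs a
          # dump/restore or pg_upgrade of the data directory, so the tag is
          # deliberately left unchanged here; plan the migration separately.
          image: postgres:10.4
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          envFrom:
            - configMapRef:
                name: nextcloud-postgres-config
          env:
            # Superuser password comes from the Secret above, never inline.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-postgres-pass
                  key: password
          volumeMounts:
            # NOTE(review): the data directory is a subPath on an NFS-backed
            # claim (see volumes below); confirm the export honours fsync, as
            # Postgres relies on it for durability.
            - mountPath: /var/lib/postgresql/data
              subPath: backup/nextcloud/db
              name: nextcloud-postgredb
      volumes:
        - name: nextcloud-postgredb
          persistentVolumeClaim:
            claimName: homey-pvc-nfs
---
# ClusterIP service for the database. It is reachable from every pod in the
# cluster unless a NetworkPolicy restricts it; none is defined in this file.
apiVersion: v1
kind: Service
metadata:
  name: nextcloud-postgres
  labels:
    app: nextcloud-postgres
spec:
  ports:
    - port: 5432
  selector:
    app: nextcloud-postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
  labels:
    app: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
      name: nextcloud
    spec:
      containers:
        - name: nextcloud
          # NOTE(review): no tag means `latest`, and with imagePullPolicy Always
          # every pod restart may pull a different release, which the official
          # image then upgrades in place on start. Pinning to an explicit tag
          # (e.g. `nextcloud:<MAJOR.MINOR>-apache`, value to be chosen) makes
          # upgrades deliberate and the deployment reproducible.
          image: nextcloud
          imagePullPolicy: Always
          volumeMounts:
            - name: nextcloud-volume
              mountPath: "/var/www/html"
              subPath: backup/nextcloud/html
          envFrom:
            - configMapRef:
                name: nextcloud-postgres-config
          env:
            - name: POSTGRES_HOST
              value: "nextcloud-postgres"
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nextcloud-postgres-pass
                  key: password
            # TLS is terminated at the ingress; tell Nextcloud to generate
            # https URLs even though it receives plain HTTP.
            - name: OVERWRITEPROTOCOL
              value: "https"
            # NOTE(review): no TRUSTED_PROXIES is configured, so Nextcloud
            # presumably sees the ingress controller's address as the client IP
            # (affects logs and brute-force throttling) — confirm against the
            # running instance.
      volumes:
        - name: nextcloud-volume
          persistentVolumeClaim:
            claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
spec:
  selector:
    app: nextcloud
  ports:
    - port: 80
      targetPort: 80
      name: nextcloud
---
# NOTE(review): the server snippet below is Nextcloud's reference nginx config
# for an nginx that fronts php-fpm inside the Nextcloud pod. Here it is injected
# into the ingress controller, which only proxies to the `nextcloud` Service
# (the Apache-based image) on port 80. Two parts therefore look unable to pass
# nginx's config test, which would make the controller reject this whole
# Ingress: `fastcgi_pass php-handler` names an upstream that this controller
# does not define, and `$asset_immutable` is a variable that Nextcloud's
# http-context `map` sets but that is absent here. Verify against the
# controller's events/logs; if the Ingress is rejected, keep only the header,
# robots, .well-known, path-hiding and /remote rules and drop the `\.php`,
# static-asset and woff2 location blocks. Consider also adding a
# Strict-Transport-Security header; Nextcloud's admin security check reports
# its absence.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud-ingress
  annotations:
    nginx.org/server-snippets: |
      server_tokens off;
      proxy_hide_header X-Powered-By;
      proxy_hide_header Upgrade;

      # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
      location = / {
          if ( $http_user_agent ~ ^DavClnt ) {
              return 302 /remote.php/webdav/$is_args$args;
          }
      }

      location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
      }

      # Make a regex exception for `/.well-known` so that clients can still
      # access it despite the existence of the regex rule
      # `location ~ /(\.|autotest|...)` which would otherwise handle requests
      # for `/.well-known`.
      location ^~ /.well-known {
          # The rules in this block are an adaptation of the rules
          # in `.htaccess` that concern `/.well-known`.

          location = /.well-known/carddav { return 301 /remote.php/dav/; }
          location = /.well-known/caldav  { return 301 /remote.php/dav/; }

          location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
          location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

          # Let Nextcloud's API for `/.well-known` URIs handle all other
          # requests by passing them to the front-end controller.
          return 301 /index.php$request_uri;
      }

      # Rules borrowed from `.htaccess` to hide certain paths from clients
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
      location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

      # Ensure this block, which passes PHP files to the PHP process, is above the blocks
      # which handle static assets (as seen below). If this block is not declared first,
      # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
      # to the URI, resulting in a HTTP 500 error response.
      location ~ \.php(?:$|/) {
          # Required for legacy support
          rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

          fastcgi_split_path_info ^(.+?\.php)(/.*)$;
          set $path_info $fastcgi_path_info;

          try_files $fastcgi_script_name =404;

          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $path_info;
          fastcgi_param HTTPS on;

          fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
          fastcgi_param front_controller_active true;     # Enable pretty urls
          fastcgi_pass php-handler;

          fastcgi_intercept_errors on;
          fastcgi_request_buffering off;

          fastcgi_max_temp_file_size 0;
      }

      location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
          try_files $uri /index.php$request_uri;
          add_header Cache-Control "public, max-age=15778463, $asset_immutable";
          access_log off;     # Optional: Don't log access to assets

          location ~ \.wasm$ {
              default_type application/wasm;
          }
      }

      location ~ \.woff2?$ {
          try_files $uri /index.php$request_uri;
          expires 7d;         # Cache-Control policy borrowed from `.htaccess`
          access_log off;     # Optional: Don't log access to assets
      }

      # Rule borrowed from `.htaccess`
      location /remote {
          return 301 /remote.php$request_uri;
      }
spec:
  # Templated scalars are quoted so an empty or odd-looking value renders as a
  # string rather than as null or a YAML-typed value.
  ingressClassName: {{ .Values.homey.ingress_class | quote }}
  tls:
    - hosts:
        - "nextcloud.{{ .Values.homey.url }}"
      secretName: {{ .Values.homey.certname | quote }}
  rules:
    - host: "nextcloud.{{ .Values.homey.url }}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 80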