feat(kubernetes): install nextcloud

kubernetes/apps/default/kustomization.yaml

@@ -12,3 +12,4 @@ resources:
   - ./kubernetes-schemas/ks.yaml
   - ./lldap/ks.yaml
   - ./minio/ks.yaml
+  - ./nextcloud/ks.yaml

kubernetes/apps/default/nextcloud/app/helmrelease.yaml

@@ -0,0 +1,184 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: nextcloud
+spec:
+  chart:
+    spec:
+      chart: nextcloud
+      version: 4.5.10
+      sourceRef:
+        kind: HelmRepository
+        name: nextcloud
+        namespace: flux-system
+  interval: 30m
+  install:
+    timeout: 60m
+  upgrade:
+    timeout: 60m
+  values:
+    deploymentAnnotations:
+      secret.reloader.stakater.com/reload: &secret nextcloud-secret
+    image:
+      repository: public.ecr.aws/docker/library/nextcloud
+      tag: 28.0.1-fpm-alpine
+    nextcloud:
+      host: &host cloud.18b.haus
+      securityContext:
+        runAsUser: 82
+        runAsGroup: 82
+        runAsNonRoot: true
+        readOnlyRootFilesystem: false
+      extraInitContainers:
+        - name: init-db
+          image: ghcr.io/onedr0p/postgres-init:16.1
+          envFrom:
+            - secretRef:
+                name: *secret
+      existingSecret:
+        enabled: true
+        secretName: *secret
+        usernameKey: ADMIN_USER
+        passwordKey: ADMIN_PASS
+        tokenKey: TOKEN
+      mail:
+        enabled: false
+    persistence:
+      enabled: true
+      existingClaim: nextcloud
+      nextcloudData:
+        enabled: true
+        existingClaim: nextcloud-nfs
+    resources:
+      requests:
+        cpu: 200m
+        memory: 300Mi
+      limits:
+        memory: 1Gi
+    startupProbe:
+      enabled: true
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 360
+      successThreshold: 1
+    livenessProbe:
+      enabled: true
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+      successThreshold: 1
+    readinessProbe:
+      enabled: true
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+      successThreshold: 1
+    ingress:
+      enabled: true
+      className: internal
+      annotations:
+        hajimari.io/group: storage
+        hajimari.io/icon: simple-icons:nextcloud
+        nginx.ingress.kubernetes.io/server-snippet: |-
+          server_tokens off;
+          proxy_hide_header X-Powered-By;
+          rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+          rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+          location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+          }
+          location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+            deny all;
+          }
+          location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+            deny all;
+          }
+      tls:
+        - hosts:
+            - *host
+    nginx:
+      enabled: true
+      image:
+        repository: public.ecr.aws/nginx/nginx
+      config:
+        default: true
+      securityContext:
+        runAsGroup: 82
+      resources:
+        requests:
+          cpu: 50m
+          memory: 20Mi
+        limits:
+          memory: 100Mi
+    internalDatabase:
+      enabled: false
+    externalDatabase:
+      enabled: true
+      type: postgresql
+      database: nextcloud
+      existingSecret:
+        enabled: true
+        secretName: *secret
+        hostKey: INIT_POSTGRES_HOST
+        databaseKey: INIT_POSTGRES_DBNAME
+        usernameKey: INIT_POSTGRES_USER
+        passwordKey: INIT_POSTGRES_PASS
+    redis:
+      enabled: true
+      architecture: standalone
+      auth:
+        enabled: true
+        existingSecret: *secret
+        existingSecretPasswordKey: REDIS_PASSWORD
+      master:
+        persistence:
+          enabled: false
+        resources:
+          requests:
+            cpu: 50m
+            memory: 50Mi
+          limits:
+            memory: 100Mi
+      commonConfiguration: |-
+        # Enable AOF https://redis.io/topics/persistence#append-only-file
+        appendonly yes
+        # Disable RDB persistence, AOF persistence already enabled.
+        save ""
+        maxmemory 94371840
+        maxmemory-policy allkeys-lru
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+          limits:
+            memory: 20Mi
+    metrics:
+      enabled: false
+      https: true
+      serviceMonitor:
+        enabled: false
+    cronjob:
+      enabled: true
+      securityContext:
+        runAsGroup: 82
+    securityContext:
+      fsGroupChangePolicy: OnRootMismatch

kubernetes/apps/default/nextcloud/app/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./nfs-pvc.yaml
+  - ../../../../templates/volsync
+  - ./helmrelease.yaml

kubernetes/apps/default/nextcloud/app/nfs-pvc.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nextcloud-nfs
+spec:
+  capacity:
+    storage: 1Mi  # Size does not matter
+  accessModes:
+    - ReadWriteMany
+  storageClassName: nextcloud-nfs
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    server: diskstation.18b.lan
+    path: /volume1/nfs/nextcloud
+  # Note: The first two options are strictly for NFSv4.2
+  mountOptions:
+    - nfsvers=4.2
+    - nconnect=8
+    - hard
+    - noatime
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-nfs
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: nextcloud-nfs
+  resources:
+    requests:
+      storage: 1Mi  # Size does not matter

kubernetes/apps/default/nextcloud/app/secret.sops.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: nextcloud-secret
+stringData:
+    ADMIN_USER: ENC[AES256_GCM,data:KYzUko6BkA==,iv:GxQoLD8ywJymOVAWD9z4KylHuckCVsOGQuM6joHCmCQ=,tag:ZaZj+cnMn8FF3I/pvDTAtA==,type:str]
+    ADMIN_PASS: ENC[AES256_GCM,data:Rv39Mb8ZRNtxob7KxbuEkowtNh+uFbU6,iv:G7ZX2MP65MvWziBofvZWDzdJ1prDiKc1qm/+l1RJYa0=,tag:z/DI64H8zjx49PlYsLRllg==,type:str]
+    REDIS_PASSWORD: ENC[AES256_GCM,data:UNEb2EhEbC5oZ/dl+iES3h+Cgen2QMJr,iv:12cBrOOFPZFZ45JtLiPmQt6OnkZBVgGBQY4B1k4EEgA=,tag:T52CDpO4MWqnzwn+t8izVQ==,type:str]
+    TOKEN: ENC[AES256_GCM,data:NvCu11xfN0hSW+N5qMN9KbguYreMUuAnfPQL7pqwtZNNfl/+oXkjoY6pEzl8K7ZaZCb4rx/LqueGXN6hBmFjnPco/sXVIyIb9q/JgOe++M+Jen0x4wD0Y8iarx0xvJU/U00HggJqEn7JMWwGOqj9NrQeo5Bg1FmKko2/9d6rlPs=,iv:LZj2J4WcpBLcrv3eYcZXfLo3UAPWPxTSUnwTFjtXSq8=,tag:YU6290ofpwFuFgYwp9wZ3g==,type:str]
+    INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:w0Y4GmGjmqrJ,iv:HVymBjc/PNIe+YJyvD9m8XhaCaHrPKXJU2ZciSvNlNk=,tag:FTIOp+jpgAlMRkbQOMgR0A==,type:str]
+    INIT_POSTGRES_HOST: ENC[AES256_GCM,data:FREgsMq7m2NA/Ie9lAaZHYDBoEk0WSd2/YLS0JIvgpmcRRy1F04=,iv:FDKma7vVTTC5+tuJnnr9mJ6iRcuUNxcVlqzhxZ9PYFg=,tag:TpXeomiIdWVu4AYcVxOhcw==,type:str]
+    INIT_POSTGRES_USER: ENC[AES256_GCM,data:kb+VY73vUTAF,iv:a3aiSBSuGa4eqPbYN/29/3jsMzEru4JIypSQ177kYDc=,tag:c7ZPf8JnlQxei+6Xbfs2dg==,type:str]
+    INIT_POSTGRES_PASS: ENC[AES256_GCM,data:8p7b7jH8p0Tdtx59D7bF2ItKHpG28hZR,iv:7KySD3YDUuoSXT85zILJCgGKs/xgo+lfy/Oz2QfJ5uQ=,tag:4YSPVboUa7JqUg+UiW9nmw==,type:str]
+    INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:ijgg7cq8owIuHaM0/Q/p9APDgfc1zf016ZUDu91TfjvN,iv:LF7gPCp7blRAZzYUFYH/05ItSGddEvVNYtmZcGedt+I=,tag:mmrI/srSBYL9cEh6db4i3w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u79ltfzz5k79ddwgv59r76p2532xnaehzz7vggttctudr6gdkvhq33edn6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIRk5tdHZrSTJtQnFwc0xI
+            b09xdWdjSE14bGtBRmJkUHhHalJmYWRUSldJClZVWXlKbnRrdFIwSWtLRWV1cVlJ
+            NWRtQytUb0swMEk3anNFMHN5MHpKLzQKLS0tIGRlL24vamJWMTArNzY5R01jVEZq
+            dmlkR0oxVWxLM1RCbms3S0xRVGhmSFUKe4Me3LNNHQ2PXoyfa5R6BHZzkSuIIGq0
+            eZRlbFmYSPbGwriihaD0f9kb6qiJoABRLCEDZsyGw7tTfi/IHBQ6Ng==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-30T22:04:30Z"
+    mac: ENC[AES256_GCM,data:HHr3zg2VoIdz1/EsN/aMQ+NiIaYJk5GWXHZ0Gg0FlhBXeryHzK0ohip1C5Iaq+G1H+9HAXGB0relZLxSBMvDxIH5ffy0vrBZDCYdpG3uLSHWk8zGQCioh3hT+y9oN3Xa9xktJW2A7G9mgt5/p+k4cHxf/k//+yJ4qI3ZLPhe8tE=,iv:AkJJRuiJaeVRr2DSa2OENnVnK1F0Rk5afsd0j5ba8OE=,tag:UhO1H/BVxv0nEu2T9GaYpQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/apps/default/nextcloud/ks.yaml

@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app nextcloud
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cloudnative-pg-cluster
+    - name: volsync
+  path: ./kubernetes/apps/default/nextcloud/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 1Gi
+      VOLSYNC_MOVER_FS_GROUP: "82"
+      VOLSYNC_MOVER_GROUP: "82"
+      VOLSYNC_MOVER_USER: "82"