From d52e217a0f0f4213853d2c4933d3407121f1ed85 Mon Sep 17 00:00:00 2001
From: Thomas Blarre
Date: Sat, 9 Nov 2024 22:09:30 +0000
Subject: [PATCH] Added nextcloud
---
.../templates/nextcloud-main-chart.yaml | 101 ++++++++++++++++++
.../templates/thomflix-requirements-app.yaml | 48 +++++++++
nextcloud-syncthing-argocd-apps/values.yaml | 28 +++++
.../templates/encrypted-storage.yaml | 16 +++
.../templates/pvc-data.yaml | 2 +-
.../templates/pvc-nextcloud-config.yaml | 2 +-
.../templates/pvc-syncthing-config.yaml | 2 +-
nextcloud-syncthing-requirements/values.yaml | 8 +-
8 files changed, 202 insertions(+), 5 deletions(-)
create mode 100644 nextcloud-syncthing-argocd-apps/templates/nextcloud-main-chart.yaml
create mode 100644 nextcloud-syncthing-argocd-apps/templates/thomflix-requirements-app.yaml
create mode 100644 nextcloud-syncthing-requirements/templates/encrypted-storage.yaml
diff --git a/nextcloud-syncthing-argocd-apps/templates/nextcloud-main-chart.yaml b/nextcloud-syncthing-argocd-apps/templates/nextcloud-main-chart.yaml
new file mode 100644
index 0000000..6404df0
--- /dev/null
+++ b/nextcloud-syncthing-argocd-apps/templates/nextcloud-main-chart.yaml
@@ -0,0 +1,101 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nextcloud-main-chart
+ namespace: {{ .Values.argocd.namespace }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ notifications.argoproj.io/subscribe.on-sync-succeeded.telegram: "-1002270587578"
+spec:
+ project: {{ .Values.argocd.project }}
+ source:
+ repoURL: "https://nextcloud.github.io/helm"
+ chart: nextcloud
+ targetRevision: 6.x
+ helm:
+ releaseName: nextcloud
+ valuesObject:
+ image:
+ flavor: fpm
+ replicaCount: {{ .Values.nextcloud.replicaCount }}
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/server-snippet: |-
+ server_tokens off;
+ proxy_hide_header X-Powered-By;
+ rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+ rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+ location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
+ tls:
+ - hosts:
+ - {{ .Values.nextcloud.url }}
+ secretname: nextcloud-cert
+ nextcloud:
+ host: {{ .Values.nextcloud.url }}
+ existingSecret:
+ enabled: true
+ secretName: nextcloud-user
+ usernameKey: nc-admin-username
+ passwordKey: nc-admin-password
+ trustedDomains: {{ .Values.nextcloud.trustedDomains }}
+ # extraInitContainers - might be useful to make sure the LUKS secret is present
+ nginx:
+ enabled: true
+ redis:
+ enabled: true
+ auth:
+ enabled: false
+ cronjob:
+ enabled: true
+ internalDatabase:
+ enabled: false
+ externalDatabase:
+ enabled: true
+ type: postgresql
+ host: "nextcloud-db-rw:5432"
+ existingSecret:
+ enabled: true
+ secretName: nextcloud-db-app
+ usernameKey: user
+ passwordKey: password
+ databaseKey: dbname
+ persistence:
+ enabled: true
+ existingClaim: {{ .Values.nextcloud.configPvc.name }}
+ nextcloudData:
+ enabled: true
+ existingClaim: {{ .Values.dataPvc.name }}
+ destination:
+ server: https://kubernetes.default.svc # Targeting the current Kubernetes cluster
+ namespace: {{ .Values.mainNamespace }}
+ syncPolicy:
+ automated:
+ prune: true # Automatically remove resources no longer in the repo
+ selfHeal: true # Automatically self-heal when drift is detected
+ syncOptions:
+ - ApplyOutOfSyncOnly=true
+ - ServerSideApply=true
+ - CreateNamespace=true
diff --git a/nextcloud-syncthing-argocd-apps/templates/thomflix-requirements-app.yaml b/nextcloud-syncthing-argocd-apps/templates/thomflix-requirements-app.yaml
new file mode 100644
index 0000000..c4659ba
--- /dev/null
+++ b/nextcloud-syncthing-argocd-apps/templates/thomflix-requirements-app.yaml
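Review bot: The TLS entry's `secretname: nextcloud-cert` is not the Ingress field, which is `secretName`; the chart presumably passes the `tls` list through unchanged, so with `ServerSideApply=true` the unknown key is either rejected or dropped and cert-manager is never told which Secret to issue the `letsencrypt` certificate into. Change the line to `secretName: nextcloud-cert`. The templated scalars `{{ .Values.nextcloud.url }}` (tls host and `nextcloud.host`) and `{{ .Values.nextcloud.trustedDomains }}` are unquoted, and the values.yaml in this commit sets `trustedDomains` to a single string, so confirm the chart accepts a scalar there and quote the url so an empty value does not render as null. `enable-cors: "true"` without `cors-allow-origin` falls back to the controller's wildcard origin; if a specific client needs cross-origin access, name it in `cors-allow-origin` and say why in a comment. The `server-snippet` deny rules only take effect when the controller allows snippet annotations, which recent ingress-nginx releases turn off by default, so the `/config` and `/data` path blocking should not be relied on as the only layer.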
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nc-syncthing-requirements
+ namespace: {{ .Values.argocd.namespace }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ notifications.argoproj.io/subscribe.on-sync-succeeded.telegram: "-1002270587578"
+spec:
+ project: {{ .Values.argocd.project }}
+ source:
+ repoURL: "https://git.blarre.net/thomas/helm-charts.git"
+ targetRevision: HEAD
+ path: nextcloud-syncthing-requirements
+ helm:
+ releaseName: nc-syncthing-requirements
+ valuesObject:
+ nextcloud:
+ enable: {{ .Values.nextcloud.enable }}
+ dbCluster:
+ numInstances: {{ .Values.nextcloud.dbCluster.numInstances }}
+ size: {{ .Values.nextcloud.dbCluster.size }}
+ configPvc:
+ name: {{ .Values.nextcloud.configPvc.name }}
+ storageClassName: {{ .Values.nextcloud.configPvc.storageClassName }}
+ size: {{ .Values.nextcloud.configPvc.size }}
+ syncthing:
+ enable: {{ .Values.syncthing.enable }}
+ configPvc:
+ name: {{ .Values.syncthing.configPvc.name }}
+ storageClassName: {{ .Values.syncthing.configPvc.storageClassName }}
+ size: {{ .Values.syncthing.configPvc.size }}
+ dataPvc:
+ name: {{ .Values.dataPvc.name }}
+ createEncryptedPvc: {{ .Values.dataPvc.createEncryptedPvc }}
+ storageClassName: {{ .Values.dataPvc.storageClassName }}
+ size: {{ .Values.dataPvc.size }}
+ destination:
+ server: {{ .Values.mainDestination }}
+ namespace: {{ .Values.mainNamespace }}
+ syncPolicy:
+ automated:
+ prune: true # Automatically remove resources no longer in the repo
+ selfHeal: true # Automatically self-heal when drift is detected
+ syncOptions:
+ - ApplyOutOfSyncOnly=true
+ - ServerSideApply=true
+ - CreateNamespace=true
diff --git a/nextcloud-syncthing-argocd-apps/values.yaml b/nextcloud-syncthing-argocd-apps/values.yaml
index e69de29..ac89981 100644
--- a/nextcloud-syncthing-argocd-apps/values.yaml
+++ b/nextcloud-syncthing-argocd-apps/values.yaml
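Review bot: `destination.server: {{ .Values.mainDestination }}` and `destination.namespace: {{ .Values.mainNamespace }}` read keys that `nextcloud-syncthing-argocd-apps/values.yaml` as added in this commit does not define (nextcloud-main-chart.yaml reads `mainNamespace` as well), so unless a parent Application injects them both fields render empty and Argo CD presumably rejects the Application. Add `mainDestination: https://kubernetes.default.svc` and a `mainNamespace:` entry to values.yaml, or hardcode the server here as nextcloud-main-chart.yaml already does so the two Applications agree. `targetRevision: HEAD` together with `selfHeal` and `prune` means every push to the default branch of `git.blarre.net/thomas/helm-charts.git` is applied immediately at sync-wave `-1`, including the StorageClass and PVC definitions; pinning a tag or branch would make that step reviewable before it lands.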
@@ -0,0 +1,28 @@
+argocd:
+ namespace: argocd
+ project: default
+
+nextcloud:
+ enable: true
+ dbCluster:
+ numInstances: 3
+ size: 4Gi
+ configPvc:
+ name: nextcloud-config-pvc
+ storageClassName: default
+ size: 1Gi
+ replicaCount: 1
+ url: nextcloud.domain.net
+ trustedDomains: office.domain.net
+
+syncthing:
+ enable: true
+ configPvc:
+ storageClassName: default
+ size: 100Mi
+
+dataPvc:
+ name: data-pvc
+ createEncryptedPvc: true
+ storageClassName: linode-block-storage-retain-luks
+ size: 40Gi
\ No newline at end of file
diff --git a/nextcloud-syncthing-requirements/templates/encrypted-storage.yaml b/nextcloud-syncthing-requirements/templates/encrypted-storage.yaml
new file mode 100644
index 0000000..dc6eec9
--- /dev/null
+++ b/nextcloud-syncthing-requirements/templates/encrypted-storage.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.dataPvc.createEncryptedPvc -}}
+allowVolumeExpansion: true
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: linode-block-storage-retain-luks
+ namespace: kube-system
+provisioner: linodebs.csi.linode.com
+reclaimPolicy: Retain
+parameters:
+ linodebs.csi.linode.com/luks-encrypted: "true"
+ linodebs.csi.linode.com/luks-cipher: "aes-xts-plain64"
+ linodebs.csi.linode.com/luks-key-size: "512"
+ csi.storage.k8s.io/node-stage-secret-namespace: luks-keys
+ csi.storage.k8s.io/node-stage-secret-name: nc-syncthing-data-luks-key
+{{- end }}
\ No newline at end of file
diff --git a/nextcloud-syncthing-requirements/templates/pvc-data.yaml b/nextcloud-syncthing-requirements/templates/pvc-data.yaml
index 9663217..c061191 100644
--- a/nextcloud-syncthing-requirements/templates/pvc-data.yaml
+++ b/nextcloud-syncthing-requirements/templates/pvc-data.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: data
+ name: {{ .Values.dataPvc.name }}
 spec:
 storageClassName: {{ .Values.dataPvc.storageClassName }}
 accessModes:
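Review bot: `syncthing.configPvc` here has no `name`, while thomflix-requirements-app.yaml forwards `{{ .Values.syncthing.configPvc.name }}` into the requirements chart's `valuesObject`; the rendered `name:` is null, and Helm treats a null override as removing the key rather than falling back to the chart default `syncthing-config-pvc`, so the syncthing config PVC would presumably be rendered without a name. Add `name: syncthing-config-pvc` under `syncthing.configPvc`, matching the `nextcloud.configPvc.name` entry above it. `url: nextcloud.domain.net` and `trustedDomains: office.domain.net` read as placeholders; a comment such as `# replace with the public hostname served by the nginx Ingress` above `url:` would make that explicit.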
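Review bot: The node-stage parameters point at Secret `nc-syncthing-data-luks-key` in namespace `luks-keys`, but nothing in this commit creates that Secret or says who does; without it every PVC using this class fails at attach time, and since the volume is LUKS-encrypted with `reclaimPolicy: Retain`, the key is also the only way a retained volume can ever be reopened. Add a comment above `parameters:` along the lines of `# requires Secret luks-keys/nc-syncthing-data-luks-key to exist before any PVC binds; back it up — a retained volume is unreadable without it`. `metadata.namespace: kube-system` on a cluster-scoped StorageClass is presumably ignored and only misleads; drop it. StorageClass `parameters` are immutable, so a later cipher or key-size change needs a new class name rather than an in-place edit, which is worth a second comment.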
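Review bot: Changing the claim name from `data` to `{{ .Values.dataPvc.name }}` (default `data-pvc`) under an Application with `prune: true` means that, where a `data` claim already exists, Argo CD creates the new claim and prunes the old one, and if the old `default` class reclaims with Delete the PV and its contents go with it; the new claim starts empty, and because `storageClassName` is immutable on a bound PVC the move to the LUKS class cannot be done in place either. If existing data matters, copy it to the new claim before switching the default, or keep `name: data` as the default and document the migration. Quoting the templated value, `name: "{{ .Values.dataPvc.name }}"`, also keeps an unset value from rendering as null. The claim's `accessModes` list continues past the hunk.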
diff --git a/nextcloud-syncthing-requirements/templates/pvc-nextcloud-config.yaml b/nextcloud-syncthing-requirements/templates/pvc-nextcloud-config.yaml
index 95041d0..4790b75 100644
--- a/nextcloud-syncthing-requirements/templates/pvc-nextcloud-config.yaml
+++ b/nextcloud-syncthing-requirements/templates/pvc-nextcloud-config.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: nextcloud-config-pvc
+ name: {{ .Values.nextcloud.configPvc.name }}
 spec:
 storageClassName: {{ .Values.nextcloud.configPvc.storageClassName }}
 accessModes:
diff --git a/nextcloud-syncthing-requirements/templates/pvc-syncthing-config.yaml b/nextcloud-syncthing-requirements/templates/pvc-syncthing-config.yaml
index 324109d..3f280f4 100644
--- a/nextcloud-syncthing-requirements/templates/pvc-syncthing-config.yaml
+++ b/nextcloud-syncthing-requirements/templates/pvc-syncthing-config.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: syncthing-config-pvc
+ name: {{ .Values.syncthing.configPvc.name }}
 spec:
 storageClassName: {{ .Values.syncthing.configPvc.storageClassName }}
 accessModes:
diff --git a/nextcloud-syncthing-requirements/values.yaml b/nextcloud-syncthing-requirements/values.yaml
index d9feb44..369a150 100644
--- a/nextcloud-syncthing-requirements/values.yaml
+++ b/nextcloud-syncthing-requirements/values.yaml
@@ -4,15 +4,19 @@ nextcloud:
 numInstances: 3
 size: 4Gi
 configPvc:
+ name: nextcloud-config-pvc
 storageClassName: default
 size: 1Gi
 syncthing:
 enable: true
 configPvc:
+ name: syncthing-config-pvc
 storageClassName: default
 size: 100Mi
 dataPvc:
- storageClassName: default
- size: 100Mi
\ No newline at end of file
+ name: data-pvc
+ createEncryptedPvc: true
+ storageClassName: linode-block-storage-retain-luks
+ size: 40Gi
\ No newline at end of file
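Review bot: `dataPvc.createEncryptedPvc: true` and `dataPvc.storageClassName: linode-block-storage-retain-luks` encode one decision twice: flipping `createEncryptedPvc` to false stops encrypted-storage.yaml from rendering the class, yet the claim still names it and stays Pending. Either have the pvc-data template choose the LUKS class name whenever `createEncryptedPvc` is true, or put `# if createEncryptedPvc is false, storageClassName must name a class that already exists in the cluster` above `dataPvc:`. The unchanged `nextcloud.configPvc.name` and `syncthing.configPvc.name` defaults match the renames in pvc-nextcloud-config.yaml and pvc-syncthing-config.yaml, so those two hunks need no change. Both `\ No newline at end of file` markers show the file still ends without a newline.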