wrenix/flux-charts
1
0
Fork 0
Code Issues 14 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix(mycloud-nextcloud): init

Browse source 
solves #1
This commit is contained in:
WrenIX 2023-12-02 13:34:12 +01:00
parent 226d0c88dd
commit 9291a88f04
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
13 changed files with 720 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
base-values/mycloud-core.yaml
View file

@ -17,7 +17,7 @@ commons:
host: host:
username: username:
password: password:
from: from: "no-reply@example.org"
use_tls: false use_tls: false
use_ssl: false use_ssl: false

17
base-values/mycloud-nextcloud.yaml Normal file
View file

@ -0,0 +1,17 @@
##
# commons are from mycloud-core
##
components:
mycloud-services:
# patch mycloud-core to get another database
values:
databases:
nextcloud:
type: postgresql
mycloud-nextcloud:
enabled: true
namespace:
# current namespace
name:

1
docs/modules/components/nav.adoc
View file

@ -6,4 +6,5 @@
** xref:infra-monitoring.adoc[infra-monitoring] ** xref:infra-monitoring.adoc[infra-monitoring]
** xref:infra-trivy.adoc[infra-trivy] ** xref:infra-trivy.adoc[infra-trivy]
** xref:mycloud-authentik.adoc[mycloud-authentik] ** xref:mycloud-authentik.adoc[mycloud-authentik]
** xref:mycloud-nextcloud.adoc[mycloud-nextcloud]
** xref:mycloud-services.adoc[mycloud-services] ** xref:mycloud-services.adoc[mycloud-services]

1
docs/modules/components/pages/mycloud-nextcloud.adoc Symbolic link
View file

@ -0,0 +1 @@
../../../../mycloud-nextcloud/README.adoc

6
infra-monitoring/templates/grafana/authentik-application.yaml
View file

@ -42,9 +42,9 @@ spec:
clientSecret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | quote }} clientSecret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | quote }}
# signingKey: # signingKey:
scopes: scopes:
- openid - name: "authentik default OAuth Mapping: OpenID 'openid'"
- email - name: "authentik default OAuth Mapping: OpenID 'email'"
- profile - name: "authentik default OAuth Mapping: OpenID 'profile'"
groups: groups:
- slug: "app: infra" - slug: "app: infra"

23
mycloud-nextcloud/.helmignore Normal file
View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

9
mycloud-nextcloud/Chart.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v2
name: mycloud-nextcloud
description: myCloud component to setup nextcloud
type: application
maintainers:
- name: WrenIX
url: https://wrenix.eu
version: 0.1.0

230
mycloud-nextcloud/README.adoc Normal file
View file

@ -0,0 +1,230 @@
= mycloud-nextcloud
image::https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square[Version: 0.1.0]
image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
== Maintainers
.Maintainers
|===
| Name | Email | Url
| WrenIX
|
| <https://wrenix.eu>
|===
== Values
.Values
|===
| Key | Type | Default | Description
| adminPassword
| string
| `nil`
| generated by .Values.commons.masterPassword
| auth.clientID
| string
| `nil`
| generated by .Values.commons.masterPassword
| auth.clientSecret
| string
| `nil`
| generated by .Values.commons.masterPassword
| commons.auth.host
| string
| `nil`
| default auth.(.Values.commons.ingress.domain)
| commons.helm.release.install
| object
| `{}`
|
| commons.helm.release.test
| object
| `{}`
|
| commons.helm.release.upgrade
| object
| `{}`
|
| commons.ingress.annotations."cert-manager.io/cluster-issuer"
| string
| `"letsencrypt-prod"`
|
| commons.ingress.domain
| string
| `"wrenix.eu"`
|
| commons.ingress.tls.enabled
| bool
| `true`
| tls on every ingress
| commons.ingress.tls.override
| string
| `nil`
| use own definition of tls (e.g. for own or wildcard certificate)
| commons.mail.from
| string
| `nil`
|
| commons.mail.host
| string
| `nil`
|
| commons.mail.password
| string
| `nil`
|
| commons.mail.use_ssl
| bool
| `false`
|
| commons.mail.use_tls
| bool
| `false`
|
| commons.mail.username
| string
| `nil`
|
| commons.masterPassword
| string
| `"CHANGEME"`
|
| commons.persistence.hostPath.enabled
| bool
| `false`
|
| commons.persistence.hostPath.prefix
| string
| `"/var/lib/mycloud"`
|
| commons.persistence.storageClass
| string
| `nil`
|
| commons.prometheus.monitor.labels
| object
| `{}`
|
| commons.prometheus.rules.labels
| object
| `{}`
|
| commons.theme.favicon
| string
| `"/static/dist/assets/icons/icon.png"`
|
| commons.theme.logo
| string
| `"/static/dist/assets/icons/icon_left_brand.svg"`
|
| commons.theme.title
| string
| `"myCloud"`
|
| database.host
| string
| `"mycloud-services-postgresql"`
| default is from mysql-services
| database.name
| string
| `"nextcloud"`
|
| database.password
| string
| `nil`
| generated by .Values.commons.masterPassword (equal to mycloud-services)
| database.username
| string
| `"nextcloud"`
|
| ingress.annotations
| string
| `nil`
|
| ingress.host
| string
| `nil`
| default: fs.(Values.commons.ingress.domain)
| init.namespace
| string
| `"bases"`
|
| init.version
| int
| `0`
|
| mail.authtype
| string
| `"PLAIN"`
|
| mail.from
| string
| `nil`
| generade by Values.commons.mail.from
| mail.host
| string
| `nil`
| default Values.commons.mail.host
| persistence.data.pvc
| string
| `"nextcloud-data"`
|
| persistence.data.size
| string
| `"16Gi"`
|
| persistence.main.pvc
| string
| `"nextcloud"`
|
| persistence.main.size
| string
| `"8Gi"`
|
|===
Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

68
mycloud-nextcloud/templates/authentik-application.yaml Normal file
View file

@ -0,0 +1,68 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: {{ .Release.Name }}-auth
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "wrenix-helm-charts"
namespace: "flux-system"
chart: "./authentik-application"
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
blueprint:
authentik:
domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
provider:
type: "oidc"
name: "Nextcloud"
oidc:
clientType: "confidential"
redirectURL: "https://{{ $host }}/apps/user_oidc/code"
clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientID") | quote }}
clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientSecret") | quote }}
# signingKey:
scopes:
- name: "authentik default OAuth Mapping: OpenID 'openid'"
- name: "authentik default OAuth Mapping: OpenID 'email'"
- name: "OAuth Mapping: Nextcloud Profile"
scope_name: profile
expression: |-
groups = [group.name for group in user.ak_groups.all()]
if user.is_superuser and "admin" not in groups:
groups.append("admin")
return {
"nickname": request.user.username,
"name": request.user.name,
"groups": groups,
"quota": user.group_attributes().get("nextcloud_quota", {{ with .Values.quota }}{{ . | quote }}{{ else }}None{{ end }})
}
groups:
- slug: "mycloud - users"
bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
application:
policyEngineMode: "any"
openInNewTab: true
publisher: "WrenIX's myCloud"
slug: "mycloud-nextcloud"
group: "Office"
name: "Nextcloud"
launchURL: "https://{{ $host }}/"
icon: "https://{{ $host }}/core/img/favicon-touch.png"
description: "📱☁️💻 A safe home for all your data community-driven, free & open source 👏"

29
mycloud-nextcloud/templates/pv.yaml Normal file
View file

@ -0,0 +1,29 @@
{{- if or
.Values.commons.persistence.hostPath.enabled
}}
{{- range $name, $config := .Values.persistence }}
{{- $pvcName := printf "%s-hr-%s" $.Release.Name $config.pvc }}
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ $.Release.Namespace }}-{{ $pvcName }}
spec:
claimRef:
apiVersion: v1
kind: PersistentVolumeClaim
namespace: {{ $.Release.Namespace }}
name: {{ $pvcName }}
storageClassName: {{ $.Values.commons.persistence.storageClass }}
accessModes:
- "ReadWriteOnce"
capacity:
storage: "{{ $config.size }}"
{{- with $.Values.commons.persistence.hostPath }}
{{- if .enabled }}
hostPath:
path: {{ printf "%s/nextcloud/%s" .prefix $name }}
{{- end }}{{/* end-if .enabled */}}
{{- end }}{{/* end-with .hostPath */}}
{{- end }}{{/* end-range */}}
{{- end }}{{/* end-if */}}

212
mycloud-nextcloud/templates/release.yaml Normal file
View file

@ -0,0 +1,212 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: "{{ .Release.Name }}-hr"
spec:
chart:
spec:
sourceRef:
kind: GitRepository
name: "nextcloud"
chart: "./charts/nextcloud"
# TODO delete later
# https://codeberg.org/wrenix/flux-charts/issues/6
reconcileStrategy: "Revision"
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
driftDetection:
{{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
interval: 10m
values:
{{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
nextcloud:
username: nextcloud-admin
password: {{ .Values.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "admin_password") | quote }}
host: {{ $host }}
mail:
enabled: true
fromAddress: {{ .Values.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "nextcloud" .Values.commons.mail.from) | quote }}
domain: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
smtp:
host: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
port: 587
{{- if .Values.commons.mail.use_tls }}
secure: "tls"
{{- else if .Values.commons.mail.use_ssl }}
secure: "ssl"
{{- end }}
{{- if and .Values.commons.mail.username .Values.commons.mail.password}}
# there also "PLAIN" is supported
authtype: {{ .Values.mail.authtype }}
{{- end }}
name: {{ .Values.commons.mail.username | quote }}
password: {{ .Values.commons.mail.password | quote }}
configs:
proxy.config.php: |-
<?php
$CONFIG = array (
'allow_local_remote_servers' => true,
'trusted_proxies' => array(
0 => '127.0.0.1',
1 => '10.0.0.0/8',
),
'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
);
custom-oidc.config.php: |-
<?php
$CONFIG = array(
'hide_login_form' => false,
'skeletondirectory' => '',
'lost_password_link' => 'https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/if/flow/default-recovery-flow/',
);
{{- if or
.Values.commons.persistence.hostPath.enabled
}}
extraInitContainers:
- name: "take-ownership"
image: "alpine:3"
command: ["chown", "-R", "33:33", "/var/www/html/config" ]
volumeMounts:
- name: "nextcloud-main"
mountPath: /var/www/html/config
subPath: "config"
{{- end }}
appManagement:
enabled: true
apps:
user_oidc:
enabled: true
config:
allow_multiple_user_backends: "0"
# collabora
#richdocuments:
# enabled: true
# config: {}
{{- toYaml .Values.apps | nindent 10 }}
hooks:
before-starting:
# docu for theming: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/theming.html#configure-theming-through-cli
# /var/www/html/occ theming:config logo "{{ .Values.commons.theme.logo }}";
#
# TODO add group mapping after fix is there
# https://github.com/nextcloud/user_oidc/issues/744
# https://codeberg.org/wrenix/flux-charts/issues/7
shell: |-
#!/bin/sh
echo "setup theming":
/var/www/html/occ theming:config disable-user-theming yes;
/var/www/html/occ theming:config name "{{ .Values.commons.theme.title }}";
echo "setup oidc";
/var/www/html/occ user_oidc:provider mycloud \
--clientid {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientID") | squote }} \
--clientsecret {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "auth.clientSecret") | squote }} \
--discoveryuri "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-nextcloud/.well-known/openid-configuration" \
--scope "openid email profile" \
--extra-claims=scope \
--mapping-uid={{ .Values.auth.idMapping }} \
--mapping-email=email \
--mapping-display-name=name \
--mapping-quota=quota \
--check-bearer=true \
--unique-uid=0;
phpClientHttpsFix:
enabled: true
image:
flavor: fpm
nginx:
enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
rules:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
ingress:
enabled: true
annotations:
{{- with .Values.commons.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.commons.ingress.tls.enabled }}
tls:
{{- with .Values.commons.ingress.tls.override }}
{{- toYaml . | nindent 8 }}
{{- else }}
- secretName: "mycloud-nextcloud-cert"
hosts:
- "{{ $host }}"
{{- end }}
{{- end }}
cronjob:
enabled: true
redis:
enabled: true
replica:
# just one replica
replicaCount: 1
metrics:
enabled: true
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
prometheusRule:
# empty rules
enabled: false
# {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
additionalLabels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
rules: []
{{- $pvHelper := (or .Values.commons.persistence.hostPath.enabled) }}
{{- $storageClass := $pvHelper | ternary "manual" .Values.commons.persistence.storageClass }}
persistence:
enabled: true
{{- if $storageClass }}
storageClass: {{ $storageClass }}
{{- end}}
size: {{ .Values.persistence.main.size }}
nextcloudData:
enabled: true
{{- if $storageClass }}
storageClass: {{ $storageClass }}
{{- end}}
size: {{ .Values.persistence.data.size }}
internalDatabase:
enabled: false
postgresql:
enabled: false
mariadb:
enabled: false
externalDatabase:
enabled: true
type: postgresql
host: {{ .Values.database.host | quote }}
database: {{ .Values.database.name | quote }}
user: {{ .Values.database.username | quote }}
password: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "database_password") | quote }}

10
mycloud-nextcloud/templates/repo.yaml Normal file
View file

@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: nextcloud
spec:
url: https://github.com/wrenix/nextcloud-helm.git
ref:
branch: main
interval: 10m

116
mycloud-nextcloud/values.yaml Normal file
View file

@ -0,0 +1,116 @@
init:
version: 0
namespace: "bases"
commons:
masterPassword: "CHANGEME"
auth:
# -- default auth.(.Values.commons.ingress.domain)
host:
theme:
title: myCloud
logo: /static/dist/assets/icons/icon_left_brand.svg
favicon: /static/dist/assets/icons/icon.png
mail:
host:
username:
password:
from:
use_tls: false
use_ssl: false
persistence:
storageClass:
hostPath:
enabled: false
prefix: "/var/lib/mycloud"
helm:
release:
install: {}
test: {}
upgrade: {}
driftDetection: {}
ingress:
domain: "wrenix.eu"
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
tls:
# -- tls on every ingress
enabled: true
# -- use own definition of tls (e.g. for own or wildcard certificate)
override:
prometheus:
monitor:
labels: {}
rules:
labels: {}
# -- generated by .Values.commons.masterPassword
adminPassword:
auth:
# -- generated by .Values.commons.masterPassword
clientID:
# -- generated by .Values.commons.masterPassword
clientSecret:
# -- oidc field which us used as id in nextcloud for username (for security reason it is sub, but could be overwritten by username)
# https://goauthentik.io/integrations/services/nextcloud/#provider-and-application
idMapping: sub
apps:
checksum:
enabled: true
contacts:
enabled: true
calendar:
enabled: true
notes:
enabled: true
deck:
enabled: true
# remove unneeded application
firstrunwizard:
enabled: false
dashboard:
enabled: false
memories:
enabled: false
# -- default quota for an user
quota:
ingress:
# -- default: fs.(Values.commons.ingress.domain)
host:
annotations:
database:
# -- default is from mysql-services
host: mycloud-services-postgresql
name: nextcloud
username: nextcloud
# -- generated by .Values.commons.masterPassword (equal to mycloud-services)
password:
mail:
# -- generade by Values.commons.mail.from
from:
# -- default Values.commons.mail.host
host:
authtype: PLAIN
# other settings are taken from commons
persistence:
main:
pvc: "nextcloud"
size: 8Gi
data:
pvc: "nextcloud-data"
size: 16Gi