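---
# Flux HelmRelease wrapping the upstream "nextcloud" chart.
#
# Security note: everything under `spec.values` is rendered verbatim into the
# HelmRelease object, and (as with any Helm release) into the Helm release
# storage Secret. The admin, SMTP and database passwords templated below are
# therefore readable by anyone with `get` on helmreleases in this namespace.
# If that is a concern, move the credentials to a Secret referenced through
# `spec.valuesFrom` instead of templating them here.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: "{{ .Release.Name }}-hr"
spec:
  chart:
    spec:
      sourceRef:
        name: "nextcloud"
        {{- if .Values.chart.ref }}
        kind: GitRepository
      chart: "./charts/nextcloud"
      reconcileStrategy: Revision
        {{- else }}
        kind: HelmRepository
      chart: "nextcloud"
        {{- end }}
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    replicaCount: {{ .Values.replica.nextcloud }}
    {{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
    nextcloud:
      update: true
      username: nextcloud-admin
      # When adminPassword is unset the admin password is derived deterministically
      # from commons.masterPassword: anyone who can read masterPassword can
      # re-derive it, so treat that value with the same care as this one.
      password: {{ .Values.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "admin_password") | quote }}
      host: {{ $host }}
      mail:
        enabled: true
        fromAddress: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "nextcloud" .Values.commons.mail.from) | quote }}
        # NOTE(review): `domain` is filled from the same value as smtp.host below
        # (the relay hostname) — confirm that is the intended sender domain.
        domain: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
        smtp:
          host: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
          port: 587
          {{- if .Values.commons.mail.use_tls }}
          secure: "tls"
          {{- else if .Values.commons.mail.use_ssl }}
          secure: "ssl"
          {{- end }}
          {{- if and .Values.commons.mail.username .Values.commons.mail.password }}
          # there also "PLAIN" is supported
          authtype: {{ .Values.mail.authtype | quote }}
          {{- end }}
          name: {{ .Values.commons.mail.username | quote }}
          password: {{ .Values.commons.mail.password | quote }}
      {{- if .Values.imaginary.enabled }}
      defaultConfigs:
        imaginary.config.php: true
      {{- end }}
      configs:
        # NOTE(review): each config.php snippet below starts mid-array — the
        # `<?php` / `$CONFIG = array(` header and the first key name appear to
        # have been stripped from this listing. Restore them from the upstream
        # source before applying; as written these files are not valid PHP.
        #
        # Security: trusting 10.0.0.0/8 lets any workload on the pod network forge
        # X-Forwarded-For, i.e. the client IP Nextcloud logs and brute-force
        # throttles on. Narrow this to the ingress controller's pod CIDR unless
        # the cluster is single-tenant.
        proxy.config.php: |-
          true,
            'trusted_proxies' => array(
              0 => '127.0.0.1',
              1 => '10.0.0.0/8',
            ),
            'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
          );
        custom-oidc.config.php: |-
          false,
            'skeletondirectory' => '',
            'lost_password_link' => 'https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/if/flow/default-recovery-flow/',
          );
        custom.config.php: |-
          {{ .Values.default.language | squote }},
            'default_phone_region' => {{ .Values.default.phoneRegion | squote }},
            'maintenance_window_start' => {{ .Values.default.maintenanceWindowStart }},
          );
        {{- if .Values.imaginary.enabled }}
        reviews.config.php: |-
          array(
              'OC\Preview\Imaginary',
              'OC\Preview\MP3',
              'OC\Preview\MarkDown',
              'OC\Preview\OpenDocument',
            ),
          );
        {{- end }}
        {{- with .Values.config }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- if .Values.commons.persistence.hostPath.enabled }}
      extraInitContainers:
        # Runs as root to fix ownership of the hostPath-backed config directory.
        # Pin this image by digest rather than the floating "alpine:3" tag so a
        # root-capable init step is not swapped out underneath you.
        - name: "take-ownership"
          image: "alpine:3"
          command: ["chown", "-R", "33:33", "/var/www/html/config"]
          volumeMounts:
            - name: "nextcloud-main"
              mountPath: /var/www/html/config
              subPath: "config"
      {{- end }}
      extraEnv:
        # OIDC client credentials are read from the authentik application Secret
        # and consumed by the before-starting hook below.
        - name: NC_HOOK_OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-auth-authentik-application
              key: clientID
        - name: NC_HOOK_OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ .Release.Name }}-auth-authentik-application
              key: clientSecret
        - name: "NEXTCLOUD_MEMORY_LIMIT"
          value: "{{ .Values.limits.memory }}"
        - name: "PHP_MEMORY_LIMIT"
          value: "{{ .Values.limits.memory }}"
        - name: "PHP_UPLOAD_LIMIT"
          value: "{{ .Values.limits.upload }}"
      hooks:
        # docu for theming: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/theming.html#configure-theming-through-cli
        # /var/www/html/occ theming:config logo "{{ .Values.commons.theme.logo }}";
        #
        # TODO add group mapping after fix is there
        # https://github.com/nextcloud/user_oidc/issues/744
        # https://codeberg.org/wrenix/flux-charts/issues/7
        before-starting: |-
          #!/bin/sh
          # Runs on every container start. There is no `set -e`: a failing occ
          # call is logged and startup continues, so every step must be safe to
          # repeat.
          #
          # Supply chain: `app:update --all` and the `app:install` calls below pull
          # whatever the Nextcloud app store currently serves, unpinned, on each
          # boot. A bumped or compromised app version ships straight into this
          # deployment without passing through review.
          echo "update all apps:";
          /var/www/html/occ app:update --all;
          {{- $app := "user_oidc" }}
          echo "=== manage: {{ $app }} ==="
          echo "--- install: {{ $app }} ---"
          /var/www/html/occ app:install {{ $app }};
          /var/www/html/occ app:enable {{ $app }};
          echo "--- configure: {{ $app }} ---"
          /var/www/html/occ config:app:set -n {{ $app }} allow_multiple_user_backends --value="0"
          /var/www/html/occ config:app:set -n {{ $app }} provider-1-groupProvisioning --value="1"
          # Client id/secret are quoted so an empty or whitespace-containing value
          # cannot shift the argument list. The secret is still passed on the
          # command line and is visible in this process' argv (/proc/<pid>/cmdline)
          # for the duration of the occ call.
          # --check-bearer=true (per the flag name) lets API requests authenticate
          # with bearer tokens from this provider; --unique-uid=0 uses the mapped
          # claim value as the Nextcloud user id verbatim — presumably relying on
          # allow_multiple_user_backends=0 above to avoid id collisions; confirm.
          /var/www/html/occ user_oidc:provider mycloud \
            --clientid "$NC_HOOK_OIDC_CLIENT_ID" \
            --clientsecret "$NC_HOOK_OIDC_CLIENT_SECRET" \
            --discoveryuri "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-nextcloud/.well-known/openid-configuration" \
            --scope "openid email profile" \
            --extra-claims=scope \
            --mapping-uid={{ .Values.auth.idMapping }} \
            --mapping-email=email \
            --mapping-display-name=name \
            --mapping-quota=quota \
            --mapping-groups=groups \
            --check-bearer=true \
            --unique-uid=0;
          {{- range $app, $appConfig := .Values.apps }}
          echo "=== manage app: {{ $app }} ===";
          {{- if $appConfig.enabled }}
          echo "--- install: {{ $app }} ---"
          /var/www/html/occ app:install {{ $app }}
          /var/www/html/occ app:enable {{ $app }}
          # config of app
          # Values are emitted double-quoted, so the shell still expands `$` and
          # backticks inside them; values.yaml is operator-controlled, but keep
          # such characters out of app config values.
          echo "--- config: {{ $app }} ---"
          {{- range $key, $value := $appConfig.config }}
          /var/www/html/occ config:app:set -n {{ $app }} {{ $key }} --value={{ $value | quote }}
          {{- end }}
          {{- else }}
          echo "--- disable: {{ $app }} ---"
          /var/www/html/occ app:disable {{ $app }}
          {{- end }}
          {{- end }}{{/* end-range */}}
          {{- if .Values.apps.richdocuments.enabled }}
          echo "=== manage: richdocuments -> configure for mycloud-collabora ==="
          /var/www/html/occ config:app:set -n richdocuments wopi_url --value={{ get .Values.apps.richdocuments.config "wopi_url" | default (printf "https://collabora.%s" $.Values.commons.ingress.domain) | quote }}
          {{- end }}{{/* end-else-if richdocuments.enable */}}
          echo "refresh index:";
          /var/www/html/occ db:add-missing-indices;
          echo "setup theming:";
          /var/www/html/occ theming:config disable-user-theming yes;
          /var/www/html/occ theming:config name "{{ .Values.commons.theme.title }}";
          {{- with .Values.theme.color }}
          /var/www/html/occ theming:config color {{ . | quote }};
          /var/www/html/occ theming:config background backgroundColor;
          {{- end }}
      phpClientHttpsFix:
        enabled: true
    image:
      flavor: fpm
    nginx:
      enabled: true
      config:
        headers:
          # `preload` only takes effect once the host is submitted to
          # hstspreload.org, which requires max-age >= 31536000 (one year). The
          # previous 15768000 advertised preload while failing that bar, so the
          # age is raised to the minimum the preload list accepts.
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload;"
    imaginary:
      enabled: {{ toYaml .Values.imaginary.enabled }}
    notifyPush:
      enabled: true
      autoSetup: true
      image:
        registry: "ghcr.io"
    metrics:
      enabled: true
      info:
        apps: true
        update: true
    # NOTE(review): placed as a sibling of `metrics` because the `nindent 10` on
    # both label blocks only lines up at this depth. Verify against the wrapped
    # chart's schema — if serviceMonitor/rules belong under `metrics.` instead,
    # nest them there and bump both nindents to 12.
    prometheus:
      serviceMonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
      rules:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
        labels:
          {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "mycloud-nextcloud-cert"
          hosts:
            - "{{ $host }}"
        {{- end }}
      {{- end }}
    cronjob:
      enabled: true
    redis:
      enabled: true
      replica:
        # just one replica
        replicaCount: {{ .Values.commons.redis.replicas }}
      metrics:
        enabled: true
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          enabled: false # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
      networkPolicy:
        allowExternal: false
        allowExternalEgress: false
        metrics:
          allowExternal: false
          {{- with .Values.commons.networkpolicies.from.metrics }}
          {{- $nsMetrics := first . }}
          ingressNSMatchLabels:
            {{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
          ingressNSPodMatchLabels:
            {{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
          {{- end }}
    {{- /* hostPath-backed volumes use the "manual" storage class; otherwise the shared class. */}}
    {{- $pvHelper := .Values.commons.persistence.hostPath.enabled }}
    {{- $storageClass := $pvHelper | ternary "manual" .Values.commons.persistence.storageClass }}
    persistence:
      enabled: true
      {{- if $storageClass }}
      storageClass: {{ $storageClass }}
      {{- end }}
      size: {{ .Values.persistence.main.size }}
      nextcloudData:
        enabled: true
        {{- if $storageClass }}
        storageClass: {{ $storageClass }}
        {{- end }}
        size: {{ .Values.persistence.data.size }}
    internalDatabase:
      enabled: false
    postgresql:
      enabled: false
    mariadb:
      enabled: false
    externalDatabase:
      enabled: true
      type: postgresql
      host: {{ .Values.database.host | quote }}
      database: {{ .Values.database.name | quote }}
      user: {{ .Values.database.username | quote }}
      # NOTE(review): only the derived fallback is base64-encoded; a user-supplied
      # database.password is passed through as-is. Confirm the database was
      # provisioned with the same (encoded) string, and that the wrapped chart
      # does not base64-encode this value again when it builds its own Secret.
      password: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "database_password" | b64enc) | quote }}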