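---
# Flux HelmRelease for the nextcloud chart. All chart values are assembled here from this
# template's own .Values and from the shared .Values.commons tree.
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: "{{ .Release.Name }}-hr"
spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "nextcloud"
      chart: "./charts/nextcloud"
      # TODO delete later
      # https://codeberg.org/wrenix/flux-charts/issues/6
      reconcileStrategy: "Revision"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    {{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
    # NOTE(review): every password below is rendered in plaintext into spec.values of this
    # HelmRelease object (and so into etcd and `kubectl get helmrelease -o yaml`). Flux can read
    # values from a Secret via spec.valuesFrom instead — consider moving the secrets there.
    nextcloud:
      update: true
      username: nextcloud-admin
      # derivePassword is deterministic: the same master password, counter (1) and site/user
      # always yield the same admin password; rotate by changing the counter or the master password.
      password: {{ .Values.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "admin_password") | quote }}
      host: {{ $host | quote }}
      mail:
        enabled: true
        fromAddress: {{ .Values.mail.from | default (printf "[%s] %s <%s>" .Values.commons.theme.title "nextcloud" .Values.commons.mail.from) | quote }}
        domain: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
        smtp:
          host: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
          port: 587
          {{- if .Values.commons.mail.use_tls }}
          secure: "tls"
          {{- else if .Values.commons.mail.use_ssl }}
          secure: "ssl"
          {{- end }}
          {{- if and .Values.commons.mail.username .Values.commons.mail.password }}
          # "PLAIN" is also supported as authtype.
          # NOTE(review): this branch is guarded by .Values.commons.mail.* but reads
          # .Values.mail.authtype — confirm which values tree is intended; an unset value
          # renders as an empty (null) scalar here.
          authtype: {{ .Values.mail.authtype }}
          {{- end }}
          name: {{ .Values.commons.mail.username | quote }}
          password: {{ .Values.commons.mail.password | quote }}
      configs:
        # NOTE(review): the head of both PHP snippets below (the `<?php` / `$CONFIG = array(`
        # opening and the option whose value is `true,` resp. `false,`) is missing from this
        # copy of the file — restore it from the source repository before rendering.
        #
        # NOTE(review): '10.0.0.0/8' lets every address in that range set X-Forwarded-For,
        # i.e. choose the client IP Nextcloud logs and rate-limits on; narrow it to the ingress
        # controller's CIDR if the cluster layout allows — TODO confirm pod/service CIDR.
        proxy.config.php: |-
          true,
          'trusted_proxies' => array(
            0 => '127.0.0.1',
            1 => '10.0.0.0/8',
          ),
          'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
          );
        custom-oidc.config.php: |-
          false,
          'skeletondirectory' => '',
          'lost_password_link' => 'https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/if/flow/default-recovery-flow/',
          );
      {{- if .Values.commons.persistence.hostPath.enabled }}
      # hostPath volumes keep the host's ownership, so hand the config dir to uid/gid 33
      # before the main container starts (chown needs the image's default user — presumably
      # root in alpine:3 — TODO confirm).
      extraInitContainers:
        - name: "take-ownership"
          image: "alpine:3"
          command: ["chown", "-R", "33:33", "/var/www/html/config"]
          volumeMounts:
            - name: "nextcloud-main"
              mountPath: /var/www/html/config
              subPath: "config"
      {{- end }}
      # OIDC client credentials come from the Secret created for the authentik application;
      # the hook below reads them from the environment rather than from rendered values.
      extraEnv:
        - name: NC_HOOK_OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: "{{ .Release.Name }}-auth-authentik-application"
              key: clientID
        - name: NC_HOOK_OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: "{{ .Release.Name }}-auth-authentik-application"
              key: clientSecret
      hooks:
        # docu for theming: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/theming.html#configure-theming-through-cli
        # (the template expression in the next comment line is still evaluated by Helm)
        # /var/www/html/occ theming:config logo "{{ .Values.commons.theme.logo }}";
        #
        # TODO add group mapping after fix is there
        # https://github.com/nextcloud/user_oidc/issues/744
        # https://codeberg.org/wrenix/flux-charts/issues/7
        #
        # NOTE(review): the client secret is passed as a command-line argument, so it is
        # visible in the container's process list while `occ user_oidc:provider` runs.
        # The script runs without `set -e`, so a failing occ step does not stop the container start.
        before-starting: |-
          #!/bin/sh
          echo "update all apps:";
          /var/www/html/occ app:update --all;
          echo "setup theming:";
          /var/www/html/occ theming:config disable-user-theming yes;
          /var/www/html/occ theming:config name "{{ .Values.commons.theme.title }}";
          {{- with .Values.theme.color }}
          /var/www/html/occ theming:config color {{ . | quote }};
          {{- end }}
          echo "setup oidc:";
          /var/www/html/occ user_oidc:provider mycloud \
            --clientid "$NC_HOOK_OIDC_CLIENT_ID" \
            --clientsecret "$NC_HOOK_OIDC_CLIENT_SECRET" \
            --discoveryuri "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/mycloud-nextcloud/.well-known/openid-configuration" \
            --scope "openid email profile" \
            --extra-claims=scope \
            --mapping-uid="{{ .Values.auth.idMapping }}" \
            --mapping-email=email \
            --mapping-display-name=name \
            --mapping-quota=quota \
            --mapping-groups=groups \
            --check-bearer=true \
            --unique-uid=0;
      appManagement:
        enabled: true
        apps:
          user_oidc:
            enabled: true
            config:
              allow_multiple_user_backends: "0"
              provider-1-groupProvisioning: "1"
          ##
          # collabora
          ##
          {{- with .Values.apps.richdocuments }}
          {{- if .enabled }}
          richdocuments:
            enabled: true
            {{- with .config }}
            config:
              {{- with (get . "wopi_url") }}
              wopi_url: {{ . | quote }}
              {{- else }}
              wopi_url: "https://collabora.{{ $.Values.commons.ingress.domain }}"
              {{- end }}
              {{- with (omit . "wopi_url") }}
              {{- toYaml . | nindent 14 }}
              {{- end }}
            {{- end }}{{/* with .config */}}
          {{- end }}{{/* end-if .enabled */}}
          {{- end }}{{/* end-with .richdocuments */}}
          # every other app is passed through as-is
          {{- with (omit .Values.apps "richdocuments") }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
    phpClientHttpsFix:
      enabled: true
    image:
      flavor: fpm
    nginx:
      enabled: true
    metrics:
      enabled: true
      serviceMonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        additionalLabels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
      rules:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
        additionalLabels:
          {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
    ingress:
      enabled: true
      # shared annotations first, per-release ones after (later keys win on conflict)
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "mycloud-nextcloud-cert"
          hosts:
            - "{{ $host }}"
        {{- end }}
      {{- end }}
    cronjob:
      enabled: true
    redis:
      enabled: true
      replica:
        # just one replica
        replicaCount: 1
      metrics:
        enabled: true
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          enabled: false  # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
    # hostPath-backed persistence uses the "manual" storage class; otherwise the shared one
    {{- $pvHelper := .Values.commons.persistence.hostPath.enabled }}
    {{- $storageClass := $pvHelper | ternary "manual" .Values.commons.persistence.storageClass }}
    persistence:
      enabled: true
      {{- if $storageClass }}
      storageClass: {{ $storageClass | quote }}
      {{- end }}
      size: {{ .Values.persistence.main.size | quote }}
      nextcloudData:
        enabled: true
        {{- if $storageClass }}
        storageClass: {{ $storageClass | quote }}
        {{- end }}
        size: {{ .Values.persistence.data.size | quote }}
    internalDatabase:
      enabled: false
    postgresql:
      enabled: false
    mariadb:
      enabled: false
    externalDatabase:
      enabled: true
      type: postgresql
      host: {{ .Values.database.host | quote }}
      database: {{ .Values.database.name | quote }}
      user: {{ .Values.database.username | quote }}
      password: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "database_password") | quote }}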