sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 15:31:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nextcloud): Replace community Nextcloud with openDesk Nextcloud

Browse Source
This commit is contained in:
Dominik Kaminski
2023-12-28 23:27:29 +01:00
committed by Thorsten Roßner
parent e1f63701f1
commit 813a2e29e9
18 changed files with 383 additions and 382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/scaling.md
View File

@@ -46,7 +46,9 @@ marked with a gear.
| | `replicas.jvb ` | :x: | :x: |
| Keycloak | `replicas.keycloak` | :white_check_mark: | :gear: |
| Minio | `replicas.minioDistributed` | :white_check_mark: | :white_check_mark: |
| Nextcloud | `replicas.nextcloud` | :white_check_mark: | :gear: |
| Nextcloud | `replicas.nextcloudApache2` | :white_check_mark: | :white_check_mark: |
| | `replicas.nextcloudExporter` | :white_check_mark: | :white_check_mark: |
| | `replicas.nextcloudPHP` | :white_check_mark: | :white_check_mark: |
| OpenProject | `replicas.openproject` | :white_check_mark: | :white_check_mark: |
| Postfix | `replicas.postfix` | :x: | :gear: |
| XWiki | `replicas.xwiki` | :x: | :gear: |

18
docs/security.md
View File

@@ -27,9 +27,9 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| intercom-service-repo | yes | :white_check_mark: |
| istio-resources-repo | yes | :white_check_mark: |
| jitsi-repo | yes | :white_check_mark: |
| keycloak-extensions-repo | no | :x: |
| keycloak-extensions-repo | yes | :white_check_mark: |
| mariadb-repo | yes | :white_check_mark: |
| nextcloud-repo | no | :x: |
| opendesk-nextcloud-repo | yes | :white_check_mark: |
| opendesk-certificates-repo | yes | :white_check_mark: |
| opendesk-dovecot-repo | yes | :white_check_mark: |
| opendesk-element-repo | yes | :white_check_mark: |
@@ -38,10 +38,10 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
| openproject-repo | yes | :white_check_mark: |
| openxchange-repo | yes | :x: |
| ox-connector-repo | no | :x: |
| ox-connector-repo | yes | :white_check_mark: |
| postfix-repo | yes | :white_check_mark: |
| postgresql-repo | yes | :white_check_mark: |
| ums-repo | no | :x: |
| univention-management-stack-repo | yes | :white_check_mark: |
| univention-keycloak-repo | yes | :white_check_mark: |
| univention-keycloak-bootstrap-repo | yes | :white_check_mark: |
| xwiki-repo | no | :x: |
@@ -52,7 +52,7 @@ This list gives you an overview of default security settings and if they comply
| Component | Process | = | allowPrivilegeEscalation (`false`) | capabilities (`drop: ALL`) | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
|-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
| ClamAV | clamd | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | freshclam | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
| | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 |
@@ -74,9 +74,11 @@ This list gives you an overview of default security settings and if they comply
| MariaDB | mariadb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | 1001 | 1001 |
| Memcached | memcached | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1001 | - | 1001 |
| Minio | minio | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | 1000 |
| Nextcloud | nextcloud | :x: | :white_check_mark: | :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`) | :white_check_mark: | :x: | :x: | - | - | 33 |
| | nextcloud-cron | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | - | - | 33 |
| | opendesk-nextcloud-bootstrap | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | - | - | 33 |
| Nextcloud | opendesk-nextcloud-apache2 | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-cron | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-exporter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-management | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 65532 | 65532 | 65532 |
| | opendesk-nextcloud-php | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 65532 | 65532 | 65532 |
| Open-Xchange | core-documentconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |
| | core-guidedtours | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1000 | 1000 | - |
| | core-imageconverter | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 987 | 1000 | - |

5
helmfile/apps/element/values-synapse.yaml
View File

@@ -44,4 +44,9 @@ containerSecurityContext:
podSecurityContext:
enabled: true
fsGroup: 10991
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 5
...

45
helmfile/apps/nextcloud/helmfile.yaml
View File

@@ -5,46 +5,41 @@ bases:
- "../../bases/environments.yaml"
---
repositories:
# openDesk Keycloak Bootstrap
# Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
- name: "nextcloud-bootstrap-repo"
oci: {{ .Values.charts.nextcloudBootstrap.oci }}
keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
verify: {{ .Values.charts.nextcloudBootstrap.verify }}
username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
# Nextcloud
# Source: https://github.com/nextcloud/helm/
# Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-nextcloud
- name: "nextcloud-management-repo"
oci: {{ .Values.charts.nextcloudManagement.oci }}
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.nextcloudManagement.verify }}
username: {{ .Values.charts.nextcloudManagement.username | quote }}
password: {{ .Values.charts.nextcloudManagement.password | quote }}
url: "{{ .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
- name: "nextcloud-repo"
oci: {{ .Values.charts.nextcloud.oci }}
keyring: "../../files/gpg-pubkeys/opencode.gpg"
verify: {{ .Values.charts.nextcloud.verify }}
username: {{ .Values.charts.nextcloud.username | quote }}
password: {{ .Values.charts.nextcloud.password | quote }}
url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
releases:
- name: "opendesk-nextcloud-bootstrap"
chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
version: "{{ .Values.charts.nextcloudBootstrap.version }}"
wait: true
waitForJobs: true
- name: "opendesk-nextcloud-management"
chart: "nextcloud-repo/{{ .Values.charts.nextcloudManagement.name }}"
version: "{{ .Values.charts.nextcloudManagement.version }}"
values:
- "values-bootstrap.gotmpl"
- "values-bootstrap.yaml"
- "values-nextcloud-mgmt.yaml.gotmpl"
waitForJobs: true
wait: true
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
- name: "nextcloud"
- name: "opendesk-nextcloud"
chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
version: "{{ .Values.charts.nextcloud.version }}"
needs:
- "opendesk-nextcloud-bootstrap"
values:
- "values-nextcloud.gotmpl"
- "values-nextcloud.yaml"
- "values-nextcloud.yaml.gotmpl"
needs:
- "opendesk-nextcloud-management"
installed: {{ .Values.nextcloud.enabled }}
timeout: 900
commonLabels:
deploy-stage: "component-1"

82
helmfile/apps/nextcloud/values-bootstrap.gotmpl
View File

@@ -1,82 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
istioDomain: {{ .Values.istio.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
registry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
config:
administrator:
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
antivirus:
{{- if .Values.clamavDistributed.enabled }}
host: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }}
host: "clamav-simple"
{{- end }}
apps:
integrationSwp:
password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
userOidc:
password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
realm: {{ .Values.platform.realm }}
database:
host: {{ .Values.databases.nextcloud.host | quote }}
name: {{ .Values.databases.nextcloud.name | quote }}
user: {{ .Values.databases.nextcloud.username | quote }}
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
ldapSearch:
host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
serverinfo:
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
smtp:
host: {{ .Values.smtp.host | quote }}
port: {{ .Values.smtp.port | quote }}
username: {{ .Values.smtp.username | quote }}
password: {{ .Values.smtp.password | quote }}
cleanup:
deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
image:
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
registry: {{ .Values.global.imageRegistry | quote }}
repository: {{ .Values.images.nextcloud.repository | quote }}
tag: {{ .Values.images.nextcloud.tag | quote }}
persistence:
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
accessModes:
- "ReadWriteMany"
storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
{{- else }}
accessModes:
- "ReadWriteOnce"
storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
{{- end }}
size:
main: {{ .Values.persistence.size.nextcloud.main | quote }}
data: {{ .Values.persistence.size.nextcloud.data | quote }}
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
...

30
helmfile/apps/nextcloud/values-bootstrap.yaml
View File

@@ -1,30 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
config:
administrator:
username: "nextcloud"
apps:
integrationSwp:
username: "opendesk_username"
userOidc:
username: "opendesk-nextcloud"
userIdAttribute: "opendesk_useruuid"
cryptpad:
enabled: true
containerSecurityContext:
allowPrivilegeEscalation: false
enabled: true
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: false
podSecurityContext:
enabled: true
fsGroup: 33
fsGroupChangePolicy: "Always"
...

98
helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl Normal file
View File

@@ -0,0 +1,98 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
domain: {{ .Values.global.domain | quote }}
hosts:
{{ .Values.global.hosts | toYaml | nindent 4 }}
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
istioDomain: {{ .Values.istio.domain }}
additionalAnnotations:
intents.otterize.com/service-name: "opendesk-nextcloud-php"
configuration:
administrator:
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
antivirus:
{{- if .Values.clamavDistributed.enabled }}
host: "clamav-icap"
{{- else if .Values.clamavSimple.enabled }}
host: "clamav-simple"
{{- end }}
cache:
auth:
enabled: true
username:
value: "default"
password:
value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
host: {{ .Values.cache.nextcloud.host | quote }}
port: {{ .Values.cache.nextcloud.port | quote }}
database:
host: {{ .Values.databases.nextcloud.host | quote }}
port: {{ .Values.databases.nextcloud.port | quote }}
auth:
username:
value: "nextcloud_user"
password:
value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
ldap:
host: {{ .Values.ldap.host | quote }}
password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
objectstore:
auth:
accessKey:
value: "nextcloud_user"
secretKey:
value: {{ .Values.secrets.minio.nextcloudUser | quote }}
oidc:
username:
value: "opendesk-nextcloud"
password:
value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
opendeskIntegration:
username:
value: "opendesk_username"
password:
value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
smtp:
auth:
username:
value: {{ .Values.smtp.username | quote }}
password:
value: {{ .Values.smtp.password | quote }}
host: {{ .Values.smtp.host | quote }}
port: {{ .Values.smtp.port | quote }}
serverinfo:
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
runAsNonRoot: true
image:
repository: "{{ .Values.images.nextcloudManagement.repository }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloudManagement.tag | quote }}
theme:
{{ .Values.theme | toYaml | nindent 2 }}
resources:
{{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
...

63
helmfile/apps/nextcloud/values-nextcloud.gotmpl
View File

@@ -1,63 +0,0 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
nextcloud:
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
username: "nextcloud"
password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
externalDatabase:
database: {{ .Values.databases.nextcloud.name | quote }}
user: {{ .Values.databases.nextcloud.username | quote }}
host: {{ .Values.databases.nextcloud.host | quote }}
password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
extraEnv:
REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
redis:
auth:
enabled: true
password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
ingress:
enabled: {{ .Values.ingress.enabled }}
className: {{ .Values.ingress.ingressClassName | quote }}
tls:
- secretName: {{ .Values.ingress.tls.secretName | quote }}
hosts:
- "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloud.tag | quote }}
pullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
metrics:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
https: true
token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
image:
repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
pullPolicy: "{{ .Values.global.imagePullPolicy }}"
tag: {{ .Values.images.nextcloudExporter.tag | quote }}
pullSecrets:
{{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
resources:
{{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
{{- if .Values.cluster.persistence.readWriteMany.enabled }}
replicaCount: {{ .Values.replicas.nextcloud }}
{{- else }}
replicaCount: 1
{{- end }}
resources:
{{ .Values.resources.nextcloud | toYaml | nindent 2 }}
...

77
helmfile/apps/nextcloud/values-nextcloud.yaml
View File

@@ -1,77 +0,0 @@
# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
persistence:
enabled: true
existingClaim: "nextcloud-main"
nextcloudData:
enabled: true
existingClaim: "nextcloud-data"
redis:
enabled: false
cronjob:
enabled: true
lifecycle:
postStartCommand:
- "sh"
- "-c"
- >
sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
\/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
ingress:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
internalDatabase:
enabled: false
postgresql:
enabled: false
mariadb:
enabled: false
externalDatabase:
enabled: true
# The nextcloud helm chart provides a sub-chart for mariadb.
# If we use mariadb as a sub-chart it's linked to nextcloud,
# and it is not independent anymore. Since externalDatabase.type
# allows just mysql or postgres, mysql is chosen to connect
# to the mariadb:
type: "mysql"
nextcloud:
configs:
mimetypealiases.json: |-
{
"application/x-drawio": "image"
}
mimetypemapping.json: |-
{
"drawio": ["application/x-drawio"]
}
podSecurityContext:
fsGroup: 33
seccompProfile:
type: "RuntimeDefault"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
- "SETGID"
- "SETUID"
# this is not documented but can be found in values.yaml
service:
port: "80"

124
helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl Normal file
View File

@@ -0,0 +1,124 @@
{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
SPDX-License-Identifier: Apache-2.0
*/}}
---
global:
imageRegistry: {{ .Values.global.imageRegistry | quote }}
imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
exporter:
enabled: true
configuration:
token:
value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image:
repository: "{{ .Values.images.nextcloudExporter.repository }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloudExporter.tag | quote }}
prometheus:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
additionalLabels:
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
replicas: {{ .Values.replicas.nextcloudExporter }}
resources:
{{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
php:
additionalAnnotations:
intents.otterize.com/service-name: "opendesk-nextcloud-php"
configuration:
cache:
auth:
enabled: true
username:
value: "default"
password:
value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
host: {{ .Values.cache.nextcloud.host | quote }}
port: {{ .Values.cache.nextcloud.port | quote }}
database:
host: {{ .Values.databases.nextcloud.host | quote }}
port: {{ .Values.databases.nextcloud.port | quote }}
auth:
username:
value: "nextcloud_user"
password:
value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
image:
repository: "{{ .Values.images.nextcloudPHP.repository }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloudPHP.tag | quote }}
prometheus:
serviceMonitor:
enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
labels:
{{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
prometheusRule:
enabled: {{ .Values.prometheus.prometheusRules.enabled }}
additionalLabels:
{{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
replicas: {{ .Values.replicas.nextcloudPHP }}
resources:
{{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
apache2:
configuration:
php:
host: "opendesk-nextcloud-php.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
enabled: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: true
runAsNonRoot: true
ingress:
enabled: {{ .Values.ingress.enabled }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
tls:
secretName: {{ .Values.ingress.tls.secretName | quote }}
image:
repository: {{ .Values.images.nextcloudApache2.repository | quote }}
imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
tag: {{ .Values.images.nextcloudApache2.tag | quote }}
replicas: {{ .Values.replicas.nextcloudApache2 }}
resources:
{{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
...

2
helmfile/apps/open-xchange/values-openxchange.yaml
View File

@@ -102,7 +102,7 @@ appsuite:
com.openexchange.mail.secondary.authType: "XOAUTH2"
com.openexchange.mail.transport.secondary.authType: "xoauth2"
# Nextcloud integration
com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
# GDPR

5
helmfile/apps/services/values-minio.yaml
View File

@@ -23,6 +23,11 @@ ingress:
annotations:
nginx.org/websocket-services: "minio"
apiIngress:
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "4G"
nginx.org/client-max-body-size: "4G"
networkPolicy:
enabled: false

37
helmfile/environments/default/charts.yaml
View File

@@ -346,29 +346,30 @@ charts:
nextcloud:
# renovate:
# registryUrl=https://nextcloud.github.io/helm
# packageName=nextcloud
# registryUrl=https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-nextcloud
# packageName=opendesk-nextcloud
# dataSource=helm
# dependencyType=supplier
registry: "https://nextcloud.github.io"
repository: "helm"
oci: false
name: "nextcloud"
version: "3.5.19"
# dependencyType=platform
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
oci: true
name: "opendesk-nextcloud"
version: "1.3.3"
verify: true
username: ~
password: ~
nextcloudBootstrap:
nextcloudManagement:
# renovate:
# registryUrl=https://registry.souvap-univention.de
# packageName=souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap/opendesk-nextcloud-bootstrap
# dataSource=docker
# registryUrl=https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-nextcloud
# packageName=opendesk-nextcloud-management
# dataSource=helm
# dependencyType=platform
registry: "external-registry.souvap-univention.de"
repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap"
name: "opendesk-nextcloud-bootstrap"
registry: "registry.opencode.de"
repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
oci: true
version: "3.2.6"
name: "opendesk-nextcloud-management"
version: "1.3.3"
verify: true
username: ~
password: ~
@@ -758,7 +759,7 @@ charts:
name: "stack-data-swp"
oci: true
verify: true
version: "0.41.2"
version: "0.41.4"
username: ~
password: ~
@@ -773,7 +774,7 @@ charts:
name: "stack-data-ums"
oci: true
verify: true
version: "0.41.2"
version: "0.41.4"
username: ~
password: ~

1
helmfile/environments/default/database.yaml
View File

@@ -17,6 +17,7 @@ databases:
nextcloud:
name: "nextcloud"
host: "mariadb"
port: 3306
username: "nextcloud_user"
password: ""
openproject:

34
helmfile/environments/default/images.yaml
View File

@@ -237,21 +237,35 @@ images:
# dependencyType=external
repository: "bitnami/minio"
tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
# @supplier: "openDesk"
nextcloud:
# @supplier: "openDesk DevSecOps"
nextcloudApache2:
# renovate:
# registryUrl=https://docker.io
# dependencyType=supplier
repository: "nextcloud"
tag: "27.1.4-apache@sha256:bd277bec9a8cf7cc009865e15410c05e0f66ccb6269ed96841cc95dd37c214fe"
# @supplier: "Nextcloud"
# registryUrl=https://registry.opencode.de
# dependencyType=vendor
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
tag: "1.1.7@sha256:f80bb93f0fda83143ebb35dab23dc02127609bed5dfa14bb659fc9ce6ebc6673"
# @supplier: "openDesk DevSecOps"
nextcloudExporter:
# renovate:
# registryUrl=https://docker.io
# dependencyType=external
repository: "xperimental/nextcloud-exporter"
tag: "0.6.2@sha256:4ef2555e74ad1dd1b7b7b0680ce85f2b9333f2c2301756582ff04ae97adf796f"
# @supplier: "openDesk"
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
tag: "1.0.0@sha256:a05b0f7d7e919320285d2808ebcc20a7b7163204a1001d7d9fb5a97d97194081"
# @supplier: "openDesk DevSecOps"
nextcloudPHP:
# renovate:
# registryUrl=https://registry.opencode.de
# dependencyType=vendor
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
tag: "1.6.1@sha256:21e8584f10f19b263be76a93df2658e2e845e00548d1b176ee336eb1f0e15a50"
# @supplier: "openDesk DevSecOps"
nextcloudManagement:
# renovate:
# registryUrl=https://registry.opencode.de
# dependencyType=vendor
repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
tag: "1.0.11@sha256:969bdaaa24ef6091ecb8b63b4fb2f7925fa10eaf46d3997ec74f6414ac373a8d"
# @supplier: "openDesk DevSecOps"
openproject:
# renovate:
# registryUrl=https://docker.io

3
helmfile/environments/default/persistence.yaml
View File

@@ -11,9 +11,6 @@ persistence:
mariadb: "1Gi"
matrixNeoDateFixBot: "1Gi"
minio: "1Gi"
nextcloud:
main: "2Gi"
data: "10Gi"
postfix: "1Gi"
postgresql: "1Gi"
prosody: "1Gi"

4
helmfile/environments/default/replicas.yaml
View File

@@ -28,7 +28,9 @@ replicas:
# clamav-distributed
milter: 1
minioDistributed: 4
nextcloud: 1
nextcloudApache2: 1
nextcloudExporter: 1
nextcloudPHP: 1
openproject: 1
postfix: 1
synapse: 1

15
helmfile/environments/default/resources.yaml
View File

@@ -193,20 +193,27 @@ resources:
requests:
cpu: 0.25
memory: "256Mi"
nextcloud:
nextcloudApache2:
limits:
cpu: 99
memory: "1Gi"
memory: "256Mi"
requests:
cpu: 0.1
memory: "512Mi"
nextcloudMetrics:
memory: "128Mi"
nextcloudExporter:
limits:
cpu: 99
memory: "128Mi"
requests:
cpu: 0.1
memory: "32Mi"
nextcloudPHP:
limits:
cpu: 99
memory: "1Gi"
requests:
cpu: 0.1
memory: "512Mi"
openproject:
limits:
cpu: 99