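{{/*
Nextcloud release: one Deployment running the Nextcloud web container with
Postgres and Redis sidecars, a CronJob for Nextcloud's cron.php, the PVCs, a
ClusterIP Service (also exposing postgres/redis for the cron pod) and an
Ingress.

Credential handling: on first install each password is generated with
`randAlphaNum`; on later renders it is read back from the existing Secret via
`lookup`, so `helm upgrade` does not rotate it. `lookup` returns nothing under
`helm template` / `--dry-run`, so a dry-run render always shows fresh random
values — that is expected, not a bug.
*/}}
{{- define "helm_keep_annotation" -}}
"helm.sh/resource-policy": keep
{{- end }}

{{/* Generated Postgres Config */}}
{{ define "POSTGRES_NAME" }}{{ printf "%s-postgres" .Release.Name | lower }}{{ end }}
{{ define "POSTGRES_DB" }}nextcloud{{ end }}
{{/* NOTE(review): DATABASE_HOST / REDIS_HOST are not used in this file; the
     ConfigMap below points at the Service named .Release.Name instead. They
     are kept because named templates are chart-global. */}}
{{ define "DATABASE_HOST" }}{{ .Release.Name }}-postgres{{ end }}
{{ define "POSTGRES_USER" }}postgres{{ end }}
{{/* Existing Secret data (base64-encoded values), or an empty dict when the
     Secret does not exist yet, so `get` below never receives a nil map. */}}
{{ $POSTGRES_SECRETS := (lookup "v1" "Secret" .Release.Namespace (include "POSTGRES_NAME" .)).data | default dict }}
{{/* Reuse the stored value; mint a new base64-encoded one only when the Secret
     (or just this key) is missing. The earlier ternary form rendered an empty
     password when the Secret existed without the key. */}}
{{ $POSTGRES_PASSWORD := get $POSTGRES_SECRETS "POSTGRES_PASSWORD" | default (randAlphaNum 64 | b64enc) }}

{{/* Generated Nextcloud Config */}}
{{ define "NEXTCLOUD_NAME" }}{{ printf "%s-nextcloud" .Release.Name | lower }}{{ end }}
{{ define "ADMIN_USER" }}admin{{ end }}
{{ $NEXTCLOUD_SECRETS := (lookup "v1" "Secret" .Release.Namespace (include "NEXTCLOUD_NAME" .)).data | default dict }}
{{ $NEXTCLOUD_ADMIN_PASSWORD := get $NEXTCLOUD_SECRETS "NEXTCLOUD_ADMIN_PASSWORD" | default (randAlphaNum 64 | b64enc) }}

{{/* Generated Redis Config */}}
{{ define "REDIS_NAME" }}{{ printf "%s-redis" .Release.Name | lower }}{{ end }}
{{ define "REDIS_HOST" }}{{ .Release.Name }}-redis{{ end }}
{{ $REDIS_SECRETS := (lookup "v1" "Secret" .Release.Namespace (include "REDIS_NAME" .)).data | default dict }}
{{ $REDIS_PASSWORD := get $REDIS_SECRETS "REDIS_PASSWORD" | default (randAlphaNum 64 | b64enc) }}

{{/* Uncomment this and run with --debug to verify secrets are working
# NEXTCLOUD_ADMIN_PASSWORD: {{ $NEXTCLOUD_ADMIN_PASSWORD | quote }}
# POSTGRES_PASSWORD: {{ $POSTGRES_PASSWORD | quote }}
# REDIS_HOST_PASSWORD: {{ $REDIS_PASSWORD | quote }}
*/}}
---
# Non-secret settings for the postgres sidecar (superuser name and database).
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "POSTGRES_NAME" . }}
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
data:
  POSTGRES_USER: {{ include "POSTGRES_USER" . }}
  POSTGRES_DB: {{ include "POSTGRES_DB" . }}
---
# Superuser password; `data:` values are already base64-encoded (see the
# generation logic at the top of the file). `type` is immutable on an
# existing Secret, so it is left as originally created.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "POSTGRES_NAME" . }}
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
type: generic
data:
  POSTGRES_PASSWORD: {{ $POSTGRES_PASSWORD | quote }}
---
# First-boot init script for the postgres image. It no longer embeds the
# password: psql reads it from POSTGRES_PASSWORD (provided to the container by
# the Secret above) as a variable and quotes it itself via :'pw', so the
# rendered script contains no secret material and no SQL text is built from it.
# NOTE(review): the application role currently shares the superuser password.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "POSTGRES_NAME" . }}-init
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
stringData:
  init-user-db.sh: |
    #!/bin/bash
    set -e
    # Quoted heredoc delimiter: the shell expands nothing inside the SQL.
    psql -v ON_ERROR_STOP=1 -v pw="$POSTGRES_PASSWORD" --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<'EOSQL'
    CREATE USER nextcloud PASSWORD :'pw';
    GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
    GRANT USAGE, CREATE ON SCHEMA public TO nextcloud;
    EOSQL
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "REDIS_NAME" . }}
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
type: generic
data:
  REDIS_PASSWORD: {{ $REDIS_PASSWORD | quote }}
---
# Environment for the Nextcloud containers (Deployment and CronJob).
# POSTGRES_HOST / REDIS_HOST point at the Service named after the release,
# which exposes the sidecar ports; the CronJob pod reaches them the same way.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "NEXTCLOUD_NAME" . }}
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
data:
  NEXTCLOUD_TRUSTED_DOMAINS: {{ .Values.nextcloud.domain | quote }}
  OVERWRITEPROTOCOL: https
  OVERWRITECLIURL: "https://{{ .Values.nextcloud.domain }}"
  NEXTCLOUD_ADMIN_USER: {{ include "ADMIN_USER" . }}
  # Application role created by init-user-db.sh, not the postgres superuser.
  POSTGRES_USER: nextcloud
  POSTGRES_HOST: {{ .Release.Name }}
  POSTGRES_DB: {{ include "POSTGRES_DB" . }}
  REDIS_HOST: {{ .Release.Name }}
  PHP_UPLOAD_LIMIT: 1000000M
  PHP_MEMORY_LIMIT: 2048M
  # NOTE(review): site-specific; must match the ingress controller's source
  # range or X-Forwarded-* headers are ignored.
  TRUSTED_PROXIES: 10.42.0.1/24
  APACHE_DISABLE_REWRITE_IP: "1"
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "NEXTCLOUD_NAME" . }}
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
type: generic
data:
  NEXTCLOUD_ADMIN_PASSWORD: {{ $NEXTCLOUD_ADMIN_PASSWORD | quote }}
  POSTGRES_PASSWORD: {{ $POSTGRES_PASSWORD | quote }}
  REDIS_HOST_PASSWORD: {{ $REDIS_PASSWORD | quote }}
  # SMTP is optional: an unset value renders as an empty string instead of
  # failing inside b64enc.
  SMTP_PASSWORD: {{ .Values.SMTP_PASSWORD | default "" | b64enc | quote }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
  # Every volume below is ReadWriteOnce, so a rollout must stop the old pod
  # before starting the new one.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nextcloud
    spec:
      # Nothing in this pod talks to the Kubernetes API.
      automountServiceAccountToken: false
      containers:
        - name: nextcloud
          image: {{ .Values.nextcloud.image | quote }}
          ports:
            - containerPort: 80
              name: http
          envFrom:
            - configMapRef:
                name: {{ include "NEXTCLOUD_NAME" . }}
            - secretRef:
                name: {{ include "NEXTCLOUD_NAME" . }}
          volumeMounts:
            - mountPath: /var/www/html
              name: html
            - mountPath: /var/www/html/data
              name: data
          resources:
            requests:
              memory: "1Gi"
              cpu: "1m"
            limits:
              memory: "4Gi"
              cpu: "4"
        - name: postgres
          image: postgres:15
          envFrom:
            - configMapRef:
                name: {{ include "POSTGRES_NAME" . }}
            - secretRef:
                name: {{ include "POSTGRES_NAME" . }}
          volumeMounts:
            - name: postgres
              mountPath: /var/lib/postgresql/data
            - name: postgres-init
              mountPath: /docker-entrypoint-initdb.d/init-user-db.sh
              subPath: init-user-db.sh
          ports:
            - containerPort: 5432
              name: postgres
          resources:
            requests:
              memory: "1Gi"
              cpu: "1m"
            limits:
              memory: "4Gi"
              cpu: "4"
        - name: redis
          image: redis:7
          ports:
            - containerPort: 6379
              name: redis
          volumeMounts:
            - mountPath: /data
              name: redis
          envFrom:
            - secretRef:
                name: {{ include "REDIS_NAME" . }}
          # The password is expanded from the environment at start-up rather
          # than rendered into the pod spec, so readers of the Deployment/Pod
          # objects no longer see it in plaintext (it was previously a literal
          # argv entry).
          command:
            - sh
            - -c
            - 'exec redis-server --save 60 1 --loglevel warning --requirepass "$REDIS_PASSWORD"'
          resources:
            requests:
              memory: "1Gi"
              cpu: "1m"
            limits:
              memory: "4Gi"
              cpu: "4"
      volumes:
        - name: html
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-html-iops
        - name: data
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-data
        - name: postgres
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-postgres-iops
        - name: redis
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-redis-iops
        - name: postgres-init
          secret:
            secretName: {{ include "POSTGRES_NAME" . }}-init
---
# Runs Nextcloud's cron.php every five minutes against the shared volumes,
# reaching postgres/redis through the Service.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ .Release.Name }}-cron
spec:
  schedule: "*/5 * * * *"
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        spec:
          automountServiceAccountToken: false
          # uid/gid 33 — presumably www-data in the Nextcloud image; verify
          # against the image if it is changed.
          securityContext:
            runAsUser: 33
            runAsGroup: 33
          containers:
            - name: nextcloud
              image: {{ .Values.nextcloud.image | quote }}
              command:
                - php
                - -f
                - cron.php
              volumeMounts:
                - mountPath: /var/www/html
                  name: html
                - mountPath: /var/www/html/data
                  name: data
              envFrom:
                - configMapRef:
                    name: {{ include "NEXTCLOUD_NAME" . }}
                - secretRef:
                    name: {{ include "NEXTCLOUD_NAME" . }}
              resources:
                requests:
                  memory: "1Gi"
                  cpu: "1m"
                limits:
                  memory: "4Gi"
                  cpu: "4"
          volumes:
            - name: html
              persistentVolumeClaim:
                claimName: {{ .Release.Name }}-html-iops
            - name: data
              persistentVolumeClaim:
                claimName: {{ .Release.Name }}-data
          restartPolicy: OnFailure
---
# PVCs carry the keep annotation so `helm uninstall` leaves the data behind.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ .Release.Name }}-data
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
spec:
  storageClassName: zfs-iscsi-enc0
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Ti
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ .Release.Name }}-html-iops
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
spec:
  storageClassName: zfs-iscsi-enc1
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 16Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ .Release.Name }}-postgres-iops
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
spec:
  storageClassName: zfs-iscsi-enc1
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 32Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ .Release.Name }}-redis-iops
  annotations: {{ include "helm_keep_annotation" . | nindent 4 }}
spec:
  storageClassName: zfs-iscsi-enc1
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 32Gi
---
# The postgres and redis ports are published cluster-wide because the CronJob
# pod needs them; consider a NetworkPolicy restricting them to this release.
apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: nextcloud
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
    - name: postgres
      protocol: TCP
      port: 5432
      targetPort: postgres
    - name: redis
      protocol: TCP
      port: 6379
      targetPort: redis
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Release.Name }}
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.org/client-max-body-size: "0"
spec:
  rules:
    - host: {{ .Values.nextcloud.domain | quote }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # Must match the Service above, which is named after the
                # release; the previous literal only worked for a release
                # called "nextcloud".
                name: {{ .Release.Name }}
                port:
                  name: http
  tls:
    - hosts:
        - {{ .Values.nextcloud.domain | quote }}
      secretName: nextcloud-tls-cert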