TrueChartsClone/charts/stable/nextcloud/values.yaml

image:
  repository: tccr.io/truecharts/nextcloud-fpm
  pullPolicy: IfNotPresent
  tag: 25.0.2@sha256:59e6d2be5139cdeb030a095fb92b97e01d7d53071dc34b487956065a385d3a32

nginxImage:
  repository: tccr.io/truecharts/nginx-unprivileged
  pullPolicy: IfNotPresent
  tag: 1.23.3@sha256:1a46c4845514d3f32debb53346f747f6a3be42ce5ae35138a8a99a88b075a1e9

imaginaryImage:
  repository: h2non/imaginary
  pullPolicy: IfNotPresent
  tag: 1.2.4@sha256:7facb4221047a5e79b9e902f380247f4e5bf4376400d0badbeb738d3e1c2f654

securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: false

podSecurityContext:
  runAsUser: 0
  runAsGroup: 0
  fsGroup: 33

service:
  main:
    ports:
      main:
        port: 10020
        targetPort: 8080
  backend:
    enabled: true
    ports:
      hpb:
        enabled: true
        port: 7867
        targetPort: 7867
      hpb-metrics:
        enabled: true
        port: 7868
        targetPort: 7868
      fpm:
        enabled: true
        port: 9000
        targetPort: 9000
      imaginary:
        enabled: true
        port: 9090
        targetPort: 9090

hostAliases:
  - ip: '{{ .Values.env.AccessIP | default "127.0.0.1" }}'
    hostnames:
      - "{{ if .Values.ingress.main.enabled }}{{ with (first .Values.ingress.main.hosts) }}{{ .host }}{{ end }}{{ else }}placeholder.fakedomain.dns{{ end }}"

secretEnv:
  NEXTCLOUD_ADMIN_USER: "admin"
  NEXTCLOUD_ADMIN_PASSWORD: "adminpass"

probes:
  liveness:
    custom: true
    spec:
      initialDelaySeconds: 25
      httpGet:
        path: /status.php
        port: 8080
        httpHeaders:
          - name: Host
            value: "test.fakedomain.dns"

  readiness:
    custom: true
    spec:
      initialDelaySeconds: 25
      httpGet:
        path: /status.php
        port: 8080
        httpHeaders:
          - name: Host
            value: "test.fakedomain.dns"

  startup:
    custom: true
    spec:
      initialDelaySeconds: 25
      httpGet:
        path: /status.php
        port: 8080
        httpHeaders:
          - name: Host
            value: "test.fakedomain.dns"

initContainers:
  prestart:
    image: "{{ .Values.alpineImage.repository }}:{{ .Values.alpineImage.tag }}"
    securityContext:
      runAsUser: 0
      runAsGroup: 0
    command:
      - "/bin/sh"
      - "-c"
      - |
        /bin/sh <<'EOF'
        echo "Forcing permissions on userdata folder..."
        echo "Trying to override ownship using nfs4xdr_winacl..."
        /usr/sbin/nfs4xdr_winacl -a chown -G 33 -c '/var/www/html/data' -p '/var/www/html/data' || echo "Failed setting ownership..."
        chmod 770 /var/www/html/data || echo "Failed to chmod..."
        EOF

    volumeMounts:
      - name: data
        mountPath: "/var/www/html/data"
      - name: html
        mountPath: "/var/www/html"

env:
  # IP used for exposing nextcloud
  # Often the service or nodePort IP
  # Defaults to the main serviceName for CI purposes.
  AccessIP:
  NEXTCLOUD_INIT_HTACCESS: true
  PHP_MEMORY_LIMIT: 1G
  PHP_UPLOAD_LIMIT: 10G
  NEXTCLOUD_CHUNKSIZE: "31457280"
  TRUSTED_PROXIES: "172.16.0.0/16 127.0.0.1"
  POSTGRES_DB: "{{ .Values.postgresql.postgresqlDatabase }}"
  POSTGRES_USER: "{{ .Values.postgresql.postgresqlUsername }}"
  NC_check_data_directory_permissions: "true"
  POSTGRES_PASSWORD:
    secretKeyRef:
      name: dbcreds
      key: postgresql-password
  POSTGRES_HOST:
    secretKeyRef:
      name: dbcreds
      key: plainporthost
  REDIS_HOST:
    secretKeyRef:
      name: rediscreds
      key: plainhost
  REDIS_HOST_PASSWORD:
    secretKeyRef:
      name: rediscreds
      key: redis-password

envFrom:
  - configMapRef:
      name: nextcloudconfig

persistence:
  html:
    enabled: true
    mountPath: "/var/www/html"
  data:
    enabled: true
    mountPath: "/var/www/html/data"
  varrun:
    enabled: true
  cache:
    enabled: true
    type: emptyDir
    mountPath: /var/cache/nginx
    medium: Memory
  nginx:
    enabled: "true"
    mountPath: "/etc/nginx"
    noMount: true
    readOnly: true
    type: "custom"
    volumeSpec:
      configMap:
        name: '{{ include "tc.common.names.fullname" . }}-nginx'
        items:
          - key: nginx.conf
            path: nginx.conf

configmap:
  nginx:
    enabled: true
    data:
      nginx.conf: |-
        worker_processes auto;

        error_log  /var/log/nginx/error.log warn;
        pid        /var/run/nginx.pid;


        events {
            worker_connections  1024;
        }


        http {
            include       /etc/nginx/mime.types;
            default_type  application/octet-stream;

            log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                              '$status $body_bytes_sent "$http_referer" '
                              '"$http_user_agent" "$http_x_forwarded_for"';

            access_log  /var/log/nginx/access.log  main;

            sendfile        on;
            #tcp_nopush     on;

            # Prevent nginx HTTP Server Detection
            server_tokens   off;

            keepalive_timeout  65;

            #gzip  on;

            upstream php-handler {
                server 127.0.0.1:9000;
            }

            server {
                listen 8080;
                absolute_redirect off;

                # Forward Notify_Push "High Performance Backend"  to it's own container
                location ^~ /push/ {
                    proxy_pass http://127.0.0.1:7867/;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "Upgrade";
                    proxy_set_header Host $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                }

                # HSTS settings
                # WARNING: Only add the preload option once you read about
                # the consequences in https://hstspreload.org/. This option
                # will add the domain to a hardcoded list that is shipped
                # in all major browsers and getting removed from this list
                # could take several months.
                #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

                # set max upload size
                client_max_body_size {{ .Values.env.PHP_UPLOAD_LIMIT | default "512M" }};
                fastcgi_buffers 64 4K;

                # Enable gzip but do not remove ETag headers
                gzip on;
                gzip_vary on;
                gzip_comp_level 4;
                gzip_min_length 256;
                gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
                gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

                # Pagespeed is not supported by Nextcloud, so if your server is built
                # with the `ngx_pagespeed` module, uncomment this line to disable it.
                #pagespeed off;

                # HTTP response headers borrowed from Nextcloud `.htaccess`
                add_header Referrer-Policy                      "no-referrer"   always;
                add_header X-Content-Type-Options               "nosniff"       always;
                add_header X-Download-Options                   "noopen"        always;
                add_header X-Frame-Options                      "SAMEORIGIN"    always;
                add_header X-Permitted-Cross-Domain-Policies    "none"          always;
                add_header X-Robots-Tag                         "none"          always;
                add_header X-XSS-Protection                     "1; mode=block" always;

                # Remove X-Powered-By, which is an information leak
                fastcgi_hide_header X-Powered-By;

                # Path to the root of your installation
                root /var/www/html;

                # Specify how to handle directories -- specifying `/index.php$request_uri`
                # here as the fallback means that Nginx always exhibits the desired behaviour
                # when a client requests a path that corresponds to a directory that exists
                # on the server. In particular, if that directory contains an index.php file,
                # that file is correctly served; if it doesn't, then the request is passed to
                # the front-end controller. This consistent behaviour means that we don't need
                # to specify custom rules for certain paths (e.g. images and other assets,
                # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
                # `try_files $uri $uri/ /index.php$request_uri`
                # always provides the desired behaviour.
                index index.php index.html /index.php$request_uri;

                # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
                location = / {
                    if ( $http_user_agent ~ ^DavClnt ) {
                        return 302 /remote.php/webdav/$is_args$args;
                    }
                }

                location = /robots.txt {
                    allow all;
                    log_not_found off;
                    access_log off;
                }

                # Make a regex exception for `/.well-known` so that clients can still
                # access it despite the existence of the regex rule
                # `location ~ /(\.|autotest|...)` which would otherwise handle requests
                # for `/.well-known`.
                location ^~ /.well-known {
                    # The rules in this block are an adaptation of the rules
                    # in `.htaccess` that concern `/.well-known`.

                    location = /.well-known/carddav { return 301 /remote.php/dav/; }
                    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

                    # according to the documentation these two lines are not necessary, but some users are still recieving errors
                    location = /.well-known/webfinger   { return 301 /index.php$uri; }
                    location = /.well-known/nodeinfo   { return 301 /index.php$uri; }

                    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
                    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

                    # Let Nextcloud's API for `/.well-known` URIs handle all other
                    # requests by passing them to the front-end controller.
                    return 301 /index.php$request_uri;
                }

                # Rules borrowed from `.htaccess` to hide certain paths from clients
                location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
                location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

                # Ensure this block, which passes PHP files to the PHP process, is above the blocks
                # which handle static assets (as seen below). If this block is not declared first,
                # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
                # to the URI, resulting in a HTTP 500 error response.
                location ~ \.php(?:$|/) {
                    # Required for legacy support
                    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

                    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                    set $path_info $fastcgi_path_info;

                    try_files $fastcgi_script_name =404;

                    include fastcgi_params;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    fastcgi_param PATH_INFO $path_info;
                    #fastcgi_param HTTPS on;

                    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
                    fastcgi_param front_controller_active true;     # Enable pretty urls
                    fastcgi_pass php-handler;

                    fastcgi_intercept_errors on;
                    fastcgi_request_buffering off;

                    proxy_send_timeout 300s;
                    proxy_read_timeout 300s;
                    fastcgi_send_timeout 300s;
                    fastcgi_read_timeout 300s;
                }

                location ~ \.(?:css|js|svg|gif)$ {
                    try_files $uri /index.php$request_uri;
                    expires 6M;         # Cache-Control policy borrowed from `.htaccess`
                    access_log off;     # Optional: Don't log access to assets
                }

                location ~ \.woff2?$ {
                    try_files $uri /index.php$request_uri;
                    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
                    access_log off;     # Optional: Don't log access to assets
                }

                # Rule borrowed from `.htaccess`
                location /remote {
                    return 301 /remote.php$request_uri;
                }

                location / {
                    try_files $uri $uri/ /index.php$request_uri;
                }
            }
        }

cronjob:
  enabled: true
  generatePreviews: true
  schedule: "*/5 * * * *"
  annotations: {}
  failedJobsHistoryLimit: 5
  successfulJobsHistoryLimit: 2

hpb:
  enabled: true

nextcloud:
  # https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
  default_phone_region: ""

imaginary:
  enabled: true
  preview_max_x: 2048
  preview_max_y: 2048
  preview_max_memory: 512
  preview_max_filesize_image: 150
  preview_png: true
  preview_jpeg: true
  preview_gif: true
  preview_bmp: true
  preview_xbitmap: true
  preview_mp3: true
  preview_markdown: true
  preview_opendoc: true
  preview_txt: true
  preview_krita: true
  preview_illustrator: false
  preview_heic: false
  preview_movie: false
  preview_msoffice2003: false
  preview_msoffice2007: false
  preview_msofficedoc: false
  preview_pdf: false
  preview_photoshop: false
  preview_postscript: false
  preview_staroffice: false
  preview_svg: false
  preview_tiff: false
  preview_font: false

collabora:
  enabled: false
  env:
    aliasgroup1:
      configMapRef:
        name: nextcloudconfig
        key: aliasgroup1
    dictionaries: "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"
    extra_params: "--o:welcome.enable=false --o:logging.level=information --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false "
    server_name: ""
    DONT_GEN_SSL_CERT: true

postgresql:
  enabled: true
  existingSecret: "dbcreds"
  postgresqlUsername: nextcloud
  postgresqlDatabase: nextcloud

redis:
  enabled: true
  existingSecret: "rediscreds"

portal:
  enabled: true