image: repository: tccr.io/truecharts/nextcloud-fpm pullPolicy: IfNotPresent tag: 25.0.1@sha256:bb87b5d4a1148a6e16e36fef19c6ceb770318a9d4e064a9f4236b2a22c6a10d1 nginxImage: repository: tccr.io/truecharts/nginx-unprivileged pullPolicy: IfNotPresent tag: 1.23.2@sha256:f2beaccc87b13109dbd709c6cbf845f761d9ad1e6d43fcf6f01cd68a7339f567 imaginaryImage: repository: h2non/imaginary pullPolicy: IfNotPresent tag: 1.2.4@sha256:7facb4221047a5e79b9e902f380247f4e5bf4376400d0badbeb738d3e1c2f654 securityContext: readOnlyRootFilesystem: false runAsNonRoot: false podSecurityContext: runAsUser: 0 runAsGroup: 0 fsGroup: 33 service: main: ports: main: port: 10020 targetPort: 8080 backend: enabled: true ports: hpb: enabled: true port: 7867 targetPort: 7867 hpb-metrics: enabled: true port: 7868 targetPort: 7868 fpm: enabled: true port: 9000 targetPort: 9000 imaginary: enabled: true port: 9090 targetPort: 9090 hostAliases: - ip: '{{ .Values.env.AccessIP | default "127.0.0.1" }}' hostnames: - "{{ if .Values.ingress.main.enabled }}{{ with (first .Values.ingress.main.hosts) }}{{ .host }}{{ end }}{{ else }}placeholder.fakedomain.dns{{ end }}" secretEnv: NEXTCLOUD_ADMIN_USER: "admin" NEXTCLOUD_ADMIN_PASSWORD: "adminpass" probes: liveness: custom: true spec: initialDelaySeconds: 25 httpGet: path: /status.php port: 8080 httpHeaders: - name: Host value: "test.fakedomain.dns" readiness: custom: true spec: initialDelaySeconds: 25 httpGet: path: /status.php port: 8080 httpHeaders: - name: Host value: "test.fakedomain.dns" startup: custom: true spec: initialDelaySeconds: 25 httpGet: path: /status.php port: 8080 httpHeaders: - name: Host value: "test.fakedomain.dns" initContainers: prestart: image: '{{ include "tc.common.images.selector" . }}' securityContext: runAsUser: 0 runAsGroup: 0 privileged: true command: - "/bin/sh" - "-c" - | /bin/bash <<'EOF' echo "Forcing permissions on userdata folder..." if nfs4xdr_getfacl && nfs4xdr_getfacl | grep -qv "Failed to get NFSv4 ACL"; then echo "NFSv4 ACLs detected, Trying to override permissions using nfs4_setfacl..." nfs4_setfacl -R -a A:g:33:RWX "/var/www/html/data" else echo "No NFSv4 ACLs detected, trying to override permissions using chown/chmod..." echo "checking ownership..." if [ $(stat -c %g .) -eq 33 ]; then echo "Ownership already set to 33, skipping..." else echo "Changing ownership to group 33..." chown -R :33 "/var/www/html/data" fi chmod 770 /var/www/html/data fi EOF volumeMounts: - name: data mountPath: "/var/www/html/data" - name: html mountPath: "/var/www/html" env: # IP used for exposing nextcloud # Often the service or nodePort IP # Defaults to the main serviceName for CI purposes. AccessIP: NEXTCLOUD_INIT_HTACCESS: true PHP_MEMORY_LIMIT: 1G PHP_UPLOAD_LIMIT: 10G NEXTCLOUD_CHUNKSIZE: "31457280" TRUSTED_PROXIES: "172.16.0.0/16 127.0.0.1" POSTGRES_DB: "{{ .Values.postgresql.postgresqlDatabase }}" POSTGRES_USER: "{{ .Values.postgresql.postgresqlUsername }}" NC_check_data_directory_permissions: "true" POSTGRES_PASSWORD: secretKeyRef: name: dbcreds key: postgresql-password POSTGRES_HOST: secretKeyRef: name: dbcreds key: plainporthost REDIS_HOST: secretKeyRef: name: rediscreds key: plainhost REDIS_HOST_PASSWORD: secretKeyRef: name: rediscreds key: redis-password envFrom: - configMapRef: name: nextcloudconfig persistence: html: enabled: true mountPath: "/var/www/html" data: enabled: true mountPath: "/var/www/html/data" varrun: enabled: true cache: enabled: true type: emptyDir mountPath: /var/cache/nginx medium: Memory nginx: enabled: "true" mountPath: "/etc/nginx" noMount: true readOnly: true type: "custom" volumeSpec: configMap: name: '{{ include "tc.common.names.fullname" . }}-nginx' items: - key: nginx.conf path: nginx.conf configmap: nginx: enabled: true data: nginx.conf: |- worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; # Prevent nginx HTTP Server Detection server_tokens off; keepalive_timeout 65; #gzip on; upstream php-handler { server 127.0.0.1:9000; } server { listen 8080; absolute_redirect off; # Forward Notify_Push "High Performance Backend" to it's own container location ^~ /push/ { proxy_pass http://127.0.0.1:7867/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; # set max upload size client_max_body_size {{ .Values.env.PHP_UPLOAD_LIMIT | default "512M" }}; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Pagespeed is not supported by Nextcloud, so if your server is built # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; # HTTP response headers borrowed from Nextcloud `.htaccess` add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Path to the root of your installation root /var/www/html; # Specify how to handle directories -- specifying `/index.php$request_uri` # here as the fallback means that Nginx always exhibits the desired behaviour # when a client requests a path that corresponds to a directory that exists # on the server. In particular, if that directory contains an index.php file, # that file is correctly served; if it doesn't, then the request is passed to # the front-end controller. This consistent behaviour means that we don't need # to specify custom rules for certain paths (e.g. images and other assets, # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus # `try_files $uri $uri/ /index.php$request_uri` # always provides the desired behaviour. index index.php index.html /index.php$request_uri; # Rule borrowed from `.htaccess` to handle Microsoft DAV clients location = / { if ( $http_user_agent ~ ^DavClnt ) { return 302 /remote.php/webdav/$is_args$args; } } location = /robots.txt { allow all; log_not_found off; access_log off; } # Make a regex exception for `/.well-known` so that clients can still # access it despite the existence of the regex rule # `location ~ /(\.|autotest|...)` which would otherwise handle requests # for `/.well-known`. location ^~ /.well-known { # The rules in this block are an adaptation of the rules # in `.htaccess` that concern `/.well-known`. location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } # according to the documentation these two lines are not necessary, but some users are still recieving errors location = /.well-known/webfinger { return 301 /index.php$uri; } location = /.well-known/nodeinfo { return 301 /index.php$uri; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; } location /.well-known/pki-validation { try_files $uri $uri/ =404; } # Let Nextcloud's API for `/.well-known` URIs handle all other # requests by passing them to the front-end controller. return 301 /index.php$request_uri; } # Rules borrowed from `.htaccess` to hide certain paths from clients location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } # Ensure this block, which passes PHP files to the PHP process, is above the blocks # which handle static assets (as seen below). If this block is not declared first, # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; #fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; proxy_send_timeout 300s; proxy_read_timeout 300s; fastcgi_send_timeout 300s; fastcgi_read_timeout 300s; } location ~ \.(?:css|js|svg|gif)$ { try_files $uri /index.php$request_uri; expires 6M; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets } location ~ \.woff2?$ { try_files $uri /index.php$request_uri; expires 7d; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets } # Rule borrowed from `.htaccess` location /remote { return 301 /remote.php$request_uri; } location / { try_files $uri $uri/ /index.php$request_uri; } } } cronjob: enabled: true generatePreviews: true schedule: "*/5 * * * *" annotations: {} failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 2 hpb: enabled: true nextcloud: # https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements default_phone_region: "" imaginary: enabled: true preview_max_x: 2048 preview_max_y: 2048 preview_max_memory: 512 preview_max_filesize_image: 150 preview_png: true preview_jpeg: true preview_gif: true preview_bmp: true preview_xbitmap: true preview_mp3: true preview_markdown: true preview_opendoc: true preview_txt: true preview_krita: true preview_illustrator: false preview_heic: false preview_movie: false preview_msoffice2003: false preview_msoffice2007: false preview_msofficedoc: false preview_pdf: false preview_photoshop: false preview_postscript: false preview_staroffice: false preview_svg: false preview_tiff: false preview_font: false collabora: enabled: false env: aliasgroup1: configMapRef: name: nextcloudconfig key: aliasgroup1 dictionaries: "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" extra_params: "--o:welcome.enable=false --o:logging.level=information --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false " server_name: "" DONT_GEN_SSL_CERT: true postgresql: enabled: true existingSecret: "dbcreds" postgresqlUsername: nextcloud postgresqlDatabase: nextcloud redis: enabled: true existingSecret: "rediscreds" portal: enabled: true