image: tag: 29-fpm pullPolicy: Always nextcloud: host: share.gnu.one extraEnv: - name: HTTP_PROXY value: http://proxy-squid.proxy.svc.cluster.local:3128 - name: HTTPS_PROXY value: http://proxy-squid.proxy.svc.cluster.local:3128 - name: NO_PROXY value: .cluster.local existingSecret: enabled: true secretName: nextcloud-user usernameKey: username passwordKey: password smtpUsernameKey: smtp_username smtpPasswordKey: smtp_password configs: proxy.config.php: |- 'proxy-squid.proxy.svc.cluster.local:3128', 'proxyexclude' => ['.cluster.local'], 'debug' => true, 'loglevel' => 1, ); extraSecurityContext: runAsUser: "33" runAsGroup: "33" runAsNonRoot: true readOnlyRootFilesystem: true # Needed for rootless: containerPort: 8080 extraVolumes: - name: nginx-cache emptyDir: {} - name: nginx-run emptyDir: {} extraVolumeMounts: - mountPath: /var/cache/nginx name: nginx-cache - mountPath: /var/run name: nginx-run phpConfigs: memory_limit.conf: | php_admin_value[memory_limit] = 512M tuning.conf: | pm = dynamic pm.max_children = 64 pm.start_servers = 12 pm.min_spare_servers = 8 pm.max_spare_servers = 24 pm.max_requests = 1000 # See: https://github.com/nextcloud/helm/issues/186 securityContext: runAsUser: 101 runAsGroup: 101 fsGroup: 101 fsGroupChangePolicy: "Always" runAsNonRoot: true ingress: enabled: true labels: environment: external annotations: nginx.ingress.kubernetes.io/proxy-body-size: 20G kubernetes.io/tls-acme: "true" cert-manager.io/cluster-issuer: letsencrypt traefik.ingress.kubernetes.io/router.tls: 'true' kubernetes.io/ingress.class: ingress-external external-dns.alpha.kubernetes.io/hostname: share.gnu.one external-dns.alpha.kubernetes.io/target: gnu.one external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" nginx.ingress.kubernetes.io/server-snippet: |- server_tokens off; proxy_hide_header X-Powered-By; rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last; rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last; rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:autotest|occ|issue|indie|db_|console) { deny all; } tls: - secretName: nextcloud-tls hosts: - share.gnu.one nginx: enabled: true containerPort: 8080 cronjob: enabled: false curlInsecure: true internalDatabase: enabled: false externalDatabase: enabled: true type: postgresql host: nextcloud-db-rw.nextcloud.svc.cluster.local existingSecret: enabled: true secretName: nextcloud-db-superuser passwordKey: password usernameKey: username postgresql: enabled: false redis: enabled: false architecture: standalone auth: existingSecret: nextcloud-redis existingSecretPasswordKey: password replica: replicaCount: 1 rbac: create: false podSecurityPolicy: enabled: true create: true persistence: enabled: true storageClass: local-path size: 100Gi persistence: enabled: true rbac: enabled: true readinessProbe: initialDelaySeconds: 60 livenessProbe: initialDelaySeconds: 60 startupProbe: initialDelaySeconds: 60