feat: add nextcloud (#1609)

Author: pirosiki197

nextcloud/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nextcloud-tls
+spec:
+  secretName: nextcloud-tls
+  duration: 2160h0m0s # 90d
+  renewBefore: 720h0m0s # 30d
+  issuerRef:
+    kind: ClusterIssuer
+    name: dns-cluster-issuer
+  dnsNames:
+    - "drive.trap.jp"

nextcloud/config.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-config
+data:
+  base.config.php: |
+    <?php
+    $CONFIG = array (
+      'passwordsalt' => getenv('NEXTCLOUD_PASSWORDSALT'),
+      'secret' => getenv('NEXTCLOUD_SECRET'),
+      'instanceid' => getenv('NEXTCLOUD_INSTANCEID'),
+      'overwrite.cli.url' => 'https://drive.trap.jp',
+      'upgrade.disable-web' => true,
+      'trusted_domains' => ['drive.trap.jp'],
+      'apps_paths' => array (
+        0 => array (
+          'path' => '/var/www/html/apps',
+          'url' => '/apps',
+          'writable' => false,
+        ),
+        1 => array (
+          'path' => '/var/www/html/custom_apps',
+          'url' => '/custom_apps',
+          'writable' => true,
+        ),
+      ),
+
+      'mail_smtpmode' => 'smtp',
+      'mail_smtphost' => 'smtp.sendgrid.host',
+      'mail_smtpport' => '465',
+      'mail_smtpsecure' => 'ssl',
+      'mail_smtpauth' => true,
+      'mail_smtpauthtype' => 'LOGIN',
+      'mail_smtpname' => 'apikey',
+      'mail_smtppassword' => getenv('SMTP_PASSWORD'),
+      'mail_from_address' => 'drive.system',
+      'mail_domain' => 'trap.jp',
+
+      'memcache.local' => '\OC\Memcache\APCu',
+      'memcache.distributed' => '\OC\Memcache\Redis',
+      'memcache.locking' => '\OC\Memcache\Redis',
+      'redis' => array(
+        'host' => 'valkey',
+        'user' => 'default',
+        'password' => getenv('VALKEY_PASSWORD'),
+      ),
+
+      'objectstore' => array(
+        'class' => '\OC\Files\ObjectStore\S3',
+        'arguments' => array(
+          'bucket' => 'trap-nextcloud',
+          'region' => 'ap-northeast-1',
+          'hostname' => 's3.ap-northeast-1.wasabisys.com',
+          'use_ssl' => true,
+          'key' => getenv('S3_ACCESS_KEY'),
+          'secret' => getenv('S3_SECRET_KEY'),
+          'objectPrefix' => 'urn:oid:',
+          'autocreate' => false,
+          'use_path_style' => true,
+        ),
+      ),
+
+      'dbtype' => 'mysql',
+      'dbhost' => 'tailscale.kmbk.tokyotech.org',
+      'dbuser' => 'service_drive',
+      'dbpassword' => getenv('DB_PASSWORD'),
+      'dbname' => 'service_drive',
+      'dbtableprefix' => 'oc_',
+      'mysql.utf8mb4' => true,
+    );

nextcloud/deployment.yaml

@@ -0,0 +1,206 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: nextcloud
+  name: nextcloud
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nextcloud
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nextcloud
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: In
+                    values:
+                      - las211.tokyotech.org
+      containers:
+        - name: nextcloud
+          image: ghcr.io/traptitech/nextcloud:29.0.5
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 500m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 128Mi
+          env:
+            - name: VALKEY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: valkey
+                  key: default
+          envFrom:
+            - secretRef:
+                name: secret-env
+          volumeMounts:
+            - mountPath: /var/www/
+              name: nextcloud-main
+              subPath: root
+            - mountPath: /var/www/html
+              name: nextcloud-main
+              subPath: html
+            - mountPath: /var/www/html/data
+              name: nextcloud-main
+              subPath: data
+            - mountPath: /var/www/html/config
+              name: nextcloud-main
+              subPath: config
+            - mountPath: /var/www/html/custom_apps
+              name: nextcloud-main
+              subPath: custom_apps
+            - mountPath: /var/www/tmp
+              name: nextcloud-main
+              subPath: tmp
+            - mountPath: /var/www/html/themes
+              name: nextcloud-main
+              subPath: themes
+            - mountPath: /var/www/html/config/base.config.php
+              name: base-config
+              subPath: base.config.php
+        - name: nextcloud-nginx
+          image: library/nginx:alpine
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders:
+                - name: Host
+                  value: drive.trap.jp
+              path: /status.php
+              port: 80
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              httpHeaders:
+                - name: Host
+                  value: drive.trap.jp
+              path: /status.php
+              port: 80
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 32Mi
+          volumeMounts:
+            - mountPath: /var/www/
+              name: nextcloud-main
+              subPath: root
+            - mountPath: /var/www/html
+              name: nextcloud-main
+              subPath: html
+            - mountPath: /var/www/html/data
+              name: nextcloud-main
+              subPath: data
+            - mountPath: /var/www/html/config
+              name: nextcloud-main
+              subPath: config
+            - mountPath: /var/www/html/custom_apps
+              name: nextcloud-main
+              subPath: custom_apps
+            - mountPath: /var/www/tmp
+              name: nextcloud-main
+              subPath: tmp
+            - mountPath: /var/www/html/themes
+              name: nextcloud-main
+              subPath: themes
+            - mountPath: /etc/nginx/conf.d/
+              name: nextcloud-nginx-config
+        - name: nextcloud-cron
+          command:
+            - /cron.sh
+          image: ghcr.io/traptitech/nextcloud:29.0.5
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+          env:
+            - name: VALKEY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: valkey
+                  key: default
+          envFrom:
+            - secretRef:
+                name: secret-env
+          volumeMounts:
+            - mountPath: /var/www/
+              name: nextcloud-main
+              subPath: root
+            - mountPath: /var/www/html
+              name: nextcloud-main
+              subPath: html
+            - mountPath: /var/www/html/data
+              name: nextcloud-main
+              subPath: data
+            - mountPath: /var/www/html/config
+              name: nextcloud-main
+              subPath: config
+            - mountPath: /var/www/html/custom_apps
+              name: nextcloud-main
+              subPath: custom_apps
+            - mountPath: /var/www/tmp
+              name: nextcloud-main
+              subPath: tmp
+            - mountPath: /var/www/html/themes
+              name: nextcloud-main
+              subPath: themes
+            - mountPath: /var/www/html/config/base.config.php
+              name: base-config
+              subPath: base.config.php
+      securityContext:
+        fsGroup: 82
+      volumes:
+        - name: nextcloud-main
+          persistentVolumeClaim:
+            claimName: nextcloud-nextcloud
+        - name: nextcloud-nginx-config
+          configMap:
+            name: nextcloud-nginxconfig
+        - name: base-config
+          configMap:
+            name: nextcloud-config
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: nextcloud
+  name: nextcloud-nextcloud
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi

nextcloud/ingress-route.yaml

@@ -0,0 +1,15 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nextcloud
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`drive.trap.jp`)
+      services:
+        - name: nextcloud
+          port: 8080
+  tls:
+    secretName: nextcloud-tls

nextcloud/ksops.yaml

@@ -0,0 +1,12 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: ksops
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+
+files:
+  - ./secrets/secret-env.enc.yaml
+  - ./secrets/valkey.enc.yaml

nextcloud/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmCharts:
+  - repo: https://valkey.io/valkey-helm/
+    name: valkey
+    version: 0.9.4
+    namespace: nextcloud
+    releaseName: valkey
+    valuesFile: valkey-values.yaml
+
+resources:
+  - deployment.yaml
+  - service.yaml
+  - config.yaml
+  - nginx-config.yaml
+  - certificate.yaml
+  - ingress-route.yaml
+
+generators:
+  - ksops.yaml