storage normalization, security middlewares

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "cSpell.words": [
+        "authentik"
+    ]
+}

README.md

@@ -12,6 +12,8 @@ Using [NextCloud](https://nextcloud.com/)
   - [preview generator](#preview-generator)
   - [repair tree](#repair-tree)
   - [Repair AppData Cache (Fix App Store 500 Error)](#repair-appdata-cache-fix-app-store-500-error)
+  - [force create indexes](#force-create-indexes)
+  - [Mimetype migrations available](#mimetype-migrations-available)
   - [delete file locks](#delete-file-locks)
 - [Setup and Deploy](#setup-and-deploy)
   - [App](#app)
@@ -73,7 +75,7 @@ This procedure clears the broken cache and forces Nextcloud to rebuild it.
 
 ```bash
 # Enable maintenance mode
-sudo -u www-data php occ maintenance:mode --on
+su -s /bin/bash www-data -c "php occ maintenance:mode --on;"
 
 # Remove stale filecache entries (run inside MariaDB)
 mariadb -u root -p nextcloud -e "DELETE FROM oc_filecache WHERE path LIKE 'appdata_ocuihfjhxkga/appstore%';"
@@ -82,10 +84,26 @@ mariadb -u root -p nextcloud -e "DELETE FROM oc_filecache WHERE path LIKE 'appda
 rm -rf /var/www/html/data/appdata_*
 
 # Disable maintenance mode
-sudo -u www-data php occ maintenance:mode --off
+su -s /bin/bash www-data -c "php occ maintenance:mode --off"
 
 # Rebuild appdata and caches
-sudo -u www-data php occ maintenance:repair
+su -s /bin/bash www-data -c "php occ maintenance:repair"
+```
+
+### force create indexes
+
+```bash
+
+# Rebuild appdata and caches
+su -s /bin/bash www-data -c "php occ db:add-missing-indices"
+```
+
+### Mimetype migrations available
+
+```bash
+
+# Rebuild appdata and caches
+su -s /bin/bash www-data -c "php occ maintenance:repair --include-expensive"
 ```
 
 ### delete file locks

deploy/app/helm-values.yaml

@@ -118,25 +118,26 @@ nextcloud:
 
   extraVolumeMounts:
       - name: mf-nextcloud
-        mountPath: /var/www/html/data/marcio.fernandes/files
+        mountPath: /mnt/users/marcio.fernandes
 
       - name: mf-documents
-        mountPath: /var/www/html/data/marcio.fernandes/files/Documents
+        mountPath: /mnt/users/marcio.fernandes/Documents
       
       - name: mf-photos
-        mountPath: /var/www/html/data/marcio.fernandes/files/Photos
+        mountPath: /mnt/users/marcio.fernandes/Photos
 
       - name: media-gaming
-        mountPath: /var/www/html/data/marcio.fernandes/files/Gaming
+        mountPath: /mnt/shared/Gaming
 
       - name: media-music
-        mountPath: /var/www/html/data/marcio.fernandes/files/Music
+        mountPath: /mnt/shared/Music
 
       - name: media-videos
-        mountPath: /var/www/html/data/marcio.fernandes/files/Videos
+        mountPath: /mnt/shared/Videos
 
       - name: it-storage
-        mountPath: /var/www/html/data/marcio.fernandes/files/NeirdStorage
+        mountPath: /mnt/shared/NerdStuff
+
   configs:
     # appstore.override.config.php: |-
     #   <?php

deploy/infra/ingress.yaml

@@ -1,6 +1,5 @@
-
+apiVersion: traefik.io/v1alpha1
-apiVersion: networking.k8s.io/v1
+kind: IngressRoute
-kind: Ingress
 metadata:
   name: cloud-limbosolutions-com
   annotations:
@@ -8,19 +7,58 @@ metadata:
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
 spec:
-  ingressClassName: traefik
+  entryPoints:
-  rules:
+    - websecure
-    - host: cloud.limbosolutions.com
+
-      http:
-        paths:
-        - backend:
-            service:
-              name: nextcloud
-              port:
-                number: 8080
-          path: /
-          pathType: Prefix
   tls:
-    - secretName: cloud-limbosolutions-com-secret-tls
+    secretName: cloud-limbosolutions-com-tls
-      hosts:
+    domains:
-        - cloud.limbosolutions.com
+      - main: cloud.limbosolutions.com
+
+  routes:
+
+    # AUTHENTIK OUTPOST
+    - match: Host(`cloud.limbosolutions.com`)  && PathPrefix(`/outpost.goauthentik.io`)
+      kind: Rule
+      services:
+        - name: ak-outpost-authentik-embedded-outpost
+          namespace: id-limbosolutions-com
+          port: 9000
+
+
+    # 1) PUBLIC SHARES (NO SSO)
+    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) || PathPrefix(`/index.php/s/`) || PathPrefix(`/public.php/`) || PathPrefix(`/remote.php/dav/public-files/`))
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 8080
+      middlewares:
+        - name: rate-limit
+        - name: security-headers
+
+    # 2) WEBDAV / SYNC CLIENTS (NO SSO)
+    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 8080
+      middlewares:
+        - name: webdav-strip-auth
+        - name: rate-limit
+
+    # 3) EVERYTHING ELSE (SSO REQUIRED)
+    - match: Host(`cloud.limbosolutions.com`)
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 8080
+      middlewares:
+          # middleware managed by icarus
+         - name: authentik-forward-auth
+           namespace: kube-system
+         - name: security-headers
+         - name: rate-limit
+
+
+
+

deploy/infra/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - cd-serviceaccount.yaml
+  - middlewares.yaml
   - ingress.yaml
   - storage-limbosolutions-com/pv.yaml
 generatorOptions:

deploy/infra/middlewares.yaml

@@ -0,0 +1,41 @@
+# Strip Authorization header for WebDAV so Authentik doesn't try to interpret Basic Auth
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: webdav-strip-auth
+spec:
+  headers:
+    customRequestHeaders:
+      Authorization: ""
+
+---
+# Rate limit to protect from brute force / bots
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rate-limit
+spec:
+  rateLimit:
+    average: 50
+    burst: 100
+
+---
+# Optional: security headers for UI
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: security-headers
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true
+    browserXssFilter: true
+    contentTypeNosniff: true
+    frameDeny: true
+    referrerPolicy: "no-referrer"
+    customResponseHeaders:
+      X-Content-Type-Options: "nosniff"
+      X-Frame-Options: "DENY"
+      X-XSS-Protection: "1; mode=block"