From 58a26067fa5bb67f51ffd115d5af7c2be5c291f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Wed, 8 Apr 2026 18:24:25 +0000 Subject: [PATCH] add onlyoffice, and ingress revision --- .vscode/settings.json | 3 ++- README.md | 11 +++++++++ deploy/app/helm-values.yaml | 18 +++++++++++++- deploy/app/kustomization.yaml | 1 + deploy/app/onlyoffice/.env.d/.gitignore | 2 ++ deploy/app/onlyoffice/deployment.yaml | 28 +++++++++++++++++++++ deploy/app/onlyoffice/kustomization.yaml | 17 +++++++++++++ deploy/app/onlyoffice/service.yaml | 10 ++++++++ deploy/infra/ingress.yaml | 7 +++--- deploy/infra/kustomization.yaml | 2 ++ deploy/infra/middlewares.yaml | 6 +++-- deploy/infra/onlyoffice/ingress.yaml | 24 ++++++++++++++++++ deploy/infra/onlyoffice/middlewares.yaml | 31 ++++++++++++++++++++++++ 13 files changed, 152 insertions(+), 8 deletions(-) create mode 100644 deploy/app/onlyoffice/.env.d/.gitignore create mode 100644 deploy/app/onlyoffice/deployment.yaml create mode 100644 deploy/app/onlyoffice/kustomization.yaml create mode 100644 deploy/app/onlyoffice/service.yaml create mode 100644 deploy/infra/onlyoffice/ingress.yaml create mode 100644 deploy/infra/onlyoffice/middlewares.yaml diff --git a/.vscode/settings.json b/.vscode/settings.json index e97c8c5..c8ad961 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,5 +1,6 @@ { "cSpell.words": [ - "authentik" + "authentik", + "onlyoffice" ] } \ No newline at end of file diff --git a/README.md b/README.md index 9ed2164..f0f5730 100644 --- a/README.md +++ b/README.md 
@@ -13,6 +13,7 @@ Using [NextCloud](https://nextcloud.com/) - [repair tree](#repair-tree) - [Repair AppData Cache (Fix App Store 500 Error)](#repair-appdata-cache-fix-app-store-500-error) - [force create indexes](#force-create-indexes) + - [documentserver repair](#documentserver-repair) - [Mimetype migrations available](#mimetype-migrations-available) - [delete file locks](#delete-file-locks) - [Setup and Deploy](#setup-and-deploy) @@ -98,8 +99,18 @@ su -s /bin/bash www-data -c "php occ maintenance:repair" su -s /bin/bash www-data -c "php occ db:add-missing-indices" ``` +### documentserver repair + +```bash +# Rebuild appdata and caches +su -s /bin/bash www-data -c "php occ onlyoffice:documentserver --clear" +su -s /bin/bash www-data -c "php occ maintenance:repair" +su -s /bin/bash www-data -c "php occ files:scan-app-data" +``` + ### Mimetype migrations available + ```bash # Rebuild appdata and caches diff --git a/deploy/app/helm-values.yaml b/deploy/app/helm-values.yaml index 584724a..4c5341d 100644 --- a/deploy/app/helm-values.yaml +++ b/deploy/app/helm-values.yaml @@ -157,7 +157,12 @@ nextcloud: 'overwritehost' => 'cloud.limbosolutions.com', 'overwrite.cli.url' => 'https://cloud.limbosolutions.com', 'overwriteprotocol' => 'https', - 'trusted_proxies' => array ( 0 => '127.0.0.1', 1 => '::1', 2 => '10.0.0.0'), + 'trusted_proxies' => + array ( + 0 => '127.0.0.1', + 1 => '::1', + 2 => '10.0.0.0/8', + ), ); # A value of 1 e.g. will only run these background jobs between 01:00am UTC and 05:00am UTC: @@ -167,6 +172,17 @@ nextcloud: $CONFIG = array ( 'maintenance_window_start' => 1, ); + + onlyoffice.config.php: |- + + array ( + 'verify_peer_off' => true, + 'allow_local_remote_servers' => true, + 'allow_external_storage' => true, + ), + ); ingress: enabled: false diff --git a/deploy/app/kustomization.yaml b/deploy/app/kustomization.yaml index 021782c..c7e6021 100644 --- a/deploy/app/kustomization.yaml +++ b/deploy/app/kustomization.yaml 
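Review bot: In deploy/app/helm-values.yaml, `2 => '10.0.0.0/8'` makes Nextcloud accept forwarded client-address headers from any host in 10.0.0.0/8, which is far wider than the ingress proxy needs. Brute-force throttling and audit logs rely on the client address derived from those headers, so every workload in that range that can reach the Nextcloud pod directly is trusted to state the source address. Narrow the entry to the range the Traefik pods actually use, for example `2 => '<TRAEFIK_POD_CIDR>',` (placeholder), and add a comment naming the proxy it covers.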
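Review bot: The new `onlyoffice.config.php` block in deploy/app/helm-values.yaml sets `'verify_peer_off' => true`, which turns off TLS certificate verification for the connector's requests to the document server, and `'allow_local_remote_servers' => true`, which lifts Nextcloud's block on server-side requests to local and private addresses; neither carries a comment saying why it is needed. If the reason is that office.limbosolutions.com does not yet present a trusted certificate, fixing the certificate and setting `'verify_peer_off' => false,` is the safer route. If local addresses are needed because the connector talks to the in-cluster service, record that with a comment such as `// needed: the connector reaches the document server on a cluster-internal address`. As rendered here the block starts at `array (` and closes with `), );`, so the PHP opener and the outer `$CONFIG` key may have been lost in extraction; confirm that the file parses and that each key sits at the level Nextcloud reads it from.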
@@ -14,6 +14,7 @@ resources: - ./storage-limbosolutions-com/pvc.yaml - ./mariadb-deploy.yaml - ./backups/backup-pbs-cronjob.yaml + - ./onlyoffice generatorOptions: disableNameSuffixHash: true diff --git a/deploy/app/onlyoffice/.env.d/.gitignore b/deploy/app/onlyoffice/.env.d/.gitignore new file mode 100644 index 0000000..d29675e --- /dev/null +++ b/deploy/app/onlyoffice/.env.d/.gitignore @@ -0,0 +1,2 @@ +** +!.gitignore \ No newline at end of file diff --git a/deploy/app/onlyoffice/deployment.yaml b/deploy/app/onlyoffice/deployment.yaml new file mode 100644 index 0000000..3473b9e --- /dev/null +++ b/deploy/app/onlyoffice/deployment.yaml @@ -0,0 +1,28 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: onlyoffice +spec: + replicas: 1 + selector: + matchLabels: + app: onlyoffice + template: + metadata: + labels: + app: onlyoffice + spec: + containers: + - name: onlyoffice + image: onlyoffice/documentserver:latest + ports: + - containerPort: 80 + env: + - name: JWT_ENABLED + value: "true" + - name: JWT_SECRET + valueFrom: + secretKeyRef: + name: onlyoffice + key: secret diff --git a/deploy/app/onlyoffice/kustomization.yaml b/deploy/app/onlyoffice/kustomization.yaml new file mode 100644 index 0000000..48e0e4e --- /dev/null +++ b/deploy/app/onlyoffice/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +secretGenerator: + - name: onlyoffice + envs: + - ./.env.d/onlyoffice.env + + +generatorOptions: + disableNameSuffixHash: true +namespace: cloud-limbosolutions-com + +resources: + - ./deployment.yaml + - ./service.yaml + - ./pvc.yaml diff --git a/deploy/app/onlyoffice/service.yaml b/deploy/app/onlyoffice/service.yaml new file mode 100644 index 0000000..703b6eb --- /dev/null +++ b/deploy/app/onlyoffice/service.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: onlyoffice +spec: + ports: + - port: 80 + targetPort: 80 + selector: + app: onlyoffice \ No newline at end of file 
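Review bot: `image: onlyoffice/documentserver:latest` in deploy/app/onlyoffice/deployment.yaml is a floating tag, so a pod restart can pull a different document server build than the one that was tested, and a rollback has no fixed version to return to. Pin it to a specific release and preferably a digest, e.g. `image: onlyoffice/documentserver:<VERSION>@sha256:<DIGEST>` (placeholders). The container spec also has no `resources`, `readinessProbe` or `securityContext`; requests/limits and a readiness probe would keep an internet-facing document converter from starving the node or receiving traffic before it is ready.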
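Review bot: deploy/app/onlyoffice/kustomization.yaml lists `- ./pvc.yaml` under `resources`, but the diffstat for this commit creates only deployment.yaml, kustomization.yaml, service.yaml and `.env.d/.gitignore` in that directory, so the build will fail unless the file already exists outside this patch. Either add the PVC manifest together with a matching `volumeMounts` entry in the Deployment, which currently mounts nothing, or drop the line. The Deployment reads `key: secret` from the generated `onlyoffice` Secret, so a comment above `envs:` such as `# onlyoffice.env must define secret=<JWT secret>; the file is git-ignored` would document the one variable the env file has to contain.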
diff --git a/deploy/infra/ingress.yaml b/deploy/infra/ingress.yaml index dc63950..96b26eb 100644 --- a/deploy/infra/ingress.yaml +++ b/deploy/infra/ingress.yaml @@ -5,11 +5,10 @@ metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https spec: entryPoints: - websecure - + - public-https tls: secretName: cloud-limbosolutions-com-tls domains: @@ -34,7 +33,7 @@ spec: port: 8080 middlewares: - name: rate-limit - - name: security-headers + - name: nextcloud-security-headers # 2) WEBDAV / SYNC CLIENTS (NO SSO) - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`)) @@ -56,7 +55,7 @@ spec: # middleware managed by icarus - name: authentik-forward-auth namespace: kube-system - - name: security-headers + - name: nextcloud-security-headers - name: rate-limit diff --git a/deploy/infra/kustomization.yaml b/deploy/infra/kustomization.yaml index 16db621..4eea909 100644 --- a/deploy/infra/kustomization.yaml +++ b/deploy/infra/kustomization.yaml @@ -6,5 +6,7 @@ resources: - middlewares.yaml - ingress.yaml - storage-limbosolutions-com/pv.yaml + - ./onlyoffice/ingress.yaml + - ./onlyoffice/middlewares.yaml generatorOptions: disableNameSuffixHash: true \ No newline at end of file diff --git a/deploy/infra/middlewares.yaml b/deploy/infra/middlewares.yaml index 9ff5ec2..d23b73a 100644 --- a/deploy/infra/middlewares.yaml +++ b/deploy/infra/middlewares.yaml @@ -25,7 +25,7 @@ spec: apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: security-headers + name: nextcloud-security-headers spec: headers: stsSeconds: 31536000 @@ -38,4 +38,6 @@ spec: customResponseHeaders: X-Content-Type-Options: "nosniff" X-Frame-Options: "DENY" - X-XSS-Protection: "1; mode=block" \ No newline at end of file + X-XSS-Protection: "1; mode=block" + + 
diff --git a/deploy/infra/onlyoffice/ingress.yaml b/deploy/infra/onlyoffice/ingress.yaml
new file mode 100644
index 0000000..713f4fa
--- /dev/null
+++ b/deploy/infra/onlyoffice/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: office-limbosolutions-com
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ kubernetes.io/ingress.class: traefik
+spec:
+ entryPoints:
+ - websecure
+ - public-https
+ routes:
+ - match: Host(`office.limbosolutions.com`)
+ kind: Rule
+ services:
+ - name: onlyoffice
+ port: 80
+ middlewares:
+ - name: onlyoffice-headers
+ - name: onlyoffice-security-headers
+ - name: rate-limit
+
+ tls:
+ secretName: office-limbosolutions-com-tls
\ No newline at end of file
diff --git a/deploy/infra/onlyoffice/middlewares.yaml b/deploy/infra/onlyoffice/middlewares.yaml
new file mode 100644
index 0000000..8445dc7
--- /dev/null
+++ b/deploy/infra/onlyoffice/middlewares.yaml
@@ -0,0 +1,31 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: onlyoffice-security-headers
+spec:
+ headers:
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
+ browserXssFilter: true
+ contentTypeNosniff: true
+ referrerPolicy: "no-referrer"
+ customResponseHeaders:
+ X-Content-Type-Options: "nosniff"
+ X-XSS-Protection: "1; mode=block"
+ X-Frame-Options: "ALLOW-FROM https://cloud.limbosolutions.com"
+ Content-Security-Policy: "frame-ancestors https://cloud.limbosolutions.com"
+
+
+---
+# required because of only office, iframes being generated with http
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: onlyoffice-headers
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
+ X-Forwarded-Ssl: "on"
+ X-Forwarded-Port: "443"
\ No newline at end of file
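Review bot: In deploy/infra/onlyoffice/ingress.yaml the `cert-manager.io/cluster-issuer` annotation sits on a Traefik `IngressRoute`, and cert-manager's ingress-shim acts on Ingress and Gateway resources rather than on that CRD, so nothing in this commit issues `office-limbosolutions-com-tls`. Unless a `Certificate` for office.limbosolutions.com is defined elsewhere, Traefik will fall back to its default certificate for this host. Add a `Certificate` resource with `secretName: office-limbosolutions-com-tls` next to the route. The route is also published on `public-https` with no forward-auth middleware, so the JWT secret is the only access control in front of the document server; a comment above `middlewares:` stating that this is deliberate would help the next reader.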
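Review bot: `X-Frame-Options: "ALLOW-FROM https://cloud.limbosolutions.com"` in the `onlyoffice-security-headers` middleware (deploy/infra/onlyoffice/middlewares.yaml) is an obsolete directive that current browsers ignore, so the framing restriction rests entirely on the `Content-Security-Policy: "frame-ancestors https://cloud.limbosolutions.com"` line. Drop the X-Frame-Options entry and add a comment such as `# frame-ancestors is the effective framing control; ALLOW-FROM is not honoured by browsers`. `X-Content-Type-Options` and `X-XSS-Protection` under `customResponseHeaders` repeat what `contentTypeNosniff: true` and `browserXssFilter: true` already emit and can be removed. Setting Content-Security-Policy at the proxy may replace any policy the document server sends itself, which is worth checking in the browser's response headers.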