add onlyoffice, and ingress revision

deploy/app/helm-values.yaml

@@ -157,7 +157,12 @@ nextcloud:
           'overwritehost' => 'cloud.limbosolutions.com',
           'overwrite.cli.url' => 'https://cloud.limbosolutions.com',
           'overwriteprotocol' => 'https',
-          'trusted_proxies' => array ( 0 => '127.0.0.1', 1 => '::1', 2 => '10.0.0.0'),
+          'trusted_proxies' =>
+            array (
+              0 => '127.0.0.1',
+              1 => '::1',
+              2 => '10.0.0.0/8',
+            ),
         );
     
     # A value of 1 e.g. will only run these background jobs between 01:00am UTC and 05:00am UTC:
@@ -167,6 +172,17 @@ nextcloud:
         $CONFIG = array (
           'maintenance_window_start' => 1,
         );
+
+    onlyoffice.config.php: |-
+      <?php
+      $CONFIG = array (
+        'onlyoffice' =>
+        array (
+          'verify_peer_off' => true,
+          'allow_local_remote_servers' => true,
+          'allow_external_storage' => true,
+        ),
+      );        
 ingress:
   enabled: false
 

deploy/app/kustomization.yaml

@@ -14,6 +14,7 @@ resources:
   - ./storage-limbosolutions-com/pvc.yaml
   - ./mariadb-deploy.yaml
   - ./backups/backup-pbs-cronjob.yaml
+  - ./onlyoffice
 
 generatorOptions:
   disableNameSuffixHash: true

deploy/app/onlyoffice/.env.d/.gitignore

@@ -0,0 +1,2 @@
+**
+!.gitignore

deploy/app/onlyoffice/deployment.yaml

@@ -0,0 +1,28 @@
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: onlyoffice
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: onlyoffice
+  template:
+    metadata:
+      labels:
+        app: onlyoffice
+    spec:
+      containers:
+        - name: onlyoffice
+          image: onlyoffice/documentserver:latest
+          ports:
+            - containerPort: 80
+          env:
+            - name: JWT_ENABLED
+              value: "true"
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: onlyoffice
+                  key: secret

deploy/app/onlyoffice/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+secretGenerator:
+  - name: onlyoffice
+    envs:
+      - ./.env.d/onlyoffice.env
+
+
+generatorOptions:
+  disableNameSuffixHash: true
+namespace: cloud-limbosolutions-com
+
+resources:
+  - ./deployment.yaml
+  - ./service.yaml
+  - ./pvc.yaml

deploy/app/onlyoffice/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: onlyoffice
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: onlyoffice

deploy/infra/ingress.yaml

@@ -5,11 +5,10 @@ metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
 spec:
   entryPoints:
     - websecure
-
+    - public-https
   tls:
     secretName: cloud-limbosolutions-com-tls
     domains:
@@ -34,7 +33,7 @@ spec:
           port: 8080
       middlewares:
         - name: rate-limit
-        - name: security-headers
+        - name: nextcloud-security-headers
 
     # 2) WEBDAV / SYNC CLIENTS (NO SSO)
     - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
@@ -56,7 +55,7 @@ spec:
           # middleware managed by icarus
          - name: authentik-forward-auth
            namespace: kube-system
-         - name: security-headers
+         - name: nextcloud-security-headers
          - name: rate-limit
 
 

deploy/infra/kustomization.yaml

@@ -6,5 +6,7 @@ resources:
   - middlewares.yaml
   - ingress.yaml
   - storage-limbosolutions-com/pv.yaml
+  - ./onlyoffice/ingress.yaml
+  - ./onlyoffice/middlewares.yaml
 generatorOptions:
   disableNameSuffixHash: true

deploy/infra/middlewares.yaml

@@ -25,7 +25,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: security-headers
+  name: nextcloud-security-headers
 spec:
   headers:
     stsSeconds: 31536000
@@ -38,4 +38,6 @@ spec:
     customResponseHeaders:
       X-Content-Type-Options: "nosniff"
       X-Frame-Options: "DENY"
-      X-XSS-Protection: "1; mode=block"
+      X-XSS-Protection: "1; mode=block"
+
+

deploy/infra/onlyoffice/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: office-limbosolutions-com
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - websecure
+    - public-https
+  routes:
+    - match: Host(`office.limbosolutions.com`)
+      kind: Rule
+      services:
+        - name: onlyoffice
+          port: 80
+      middlewares:
+          - name: onlyoffice-headers
+          - name: onlyoffice-security-headers
+          - name: rate-limit
+
+  tls:
+    secretName: office-limbosolutions-com-tls

deploy/infra/onlyoffice/middlewares.yaml

@@ -0,0 +1,31 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: onlyoffice-security-headers
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true
+    browserXssFilter: true
+    contentTypeNosniff: true
+    referrerPolicy: "no-referrer"
+    customResponseHeaders:
+      X-Content-Type-Options: "nosniff"
+      X-XSS-Protection: "1; mode=block"
+      X-Frame-Options: "ALLOW-FROM https://cloud.limbosolutions.com"
+      Content-Security-Policy: "frame-ancestors https://cloud.limbosolutions.com"
+
+
+---
+# required because of only office, iframes being generated with http
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: onlyoffice-headers
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      X-Forwarded-Ssl: "on"
+      X-Forwarded-Port: "443"