add onlyoffice, and ingress revision

2026-04-08 18:24:25 +00:00
parent 374f369ea2
commit 58a26067fa
13 changed files with 152 additions and 8 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,6 @@
 {
    "cSpell.words": [
-        "authentik"
+        "authentik",
        "onlyoffice"
    ]
 }
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ Using [NextCloud](https://nextcloud.com/)
  - [repair tree](#repair-tree)
  - [Repair AppData Cache (Fix App Store 500 Error)](#repair-appdata-cache-fix-app-store-500-error)
  - [force create indexes](#force-create-indexes)
  - [documentserver repair](#documentserver-repair)
  - [Mimetype migrations available](#mimetype-migrations-available)
  - [delete file locks](#delete-file-locks)
 - [Setup and Deploy](#setup-and-deploy)
@@ -98,8 +99,18 @@ su -s /bin/bash www-data -c "php occ maintenance:repair"
 su -s /bin/bash www-data -c "php occ db:add-missing-indices"
 ```
 ### documentserver repair
 ```bash
 # Rebuild appdata and caches
 su -s /bin/bash www-data -c "php occ onlyoffice:documentserver --clear"
 su -s /bin/bash www-data -c "php occ maintenance:repair"
 su -s /bin/bash www-data -c "php occ files:scan-app-data"
 ```
 ### Mimetype migrations available
 ```bash
 # Rebuild appdata and caches
--- a/deploy/app/helm-values.yaml
+++ b/deploy/app/helm-values.yaml
@@ -157,7 +157,12 @@ nextcloud:
          'overwritehost' => 'cloud.limbosolutions.com',
          'overwrite.cli.url' => 'https://cloud.limbosolutions.com',
          'overwriteprotocol' => 'https',
-          'trusted_proxies' => array ( 0 => '127.0.0.1', 1 => '::1', 2 => '10.0.0.0'),
+          'trusted_proxies' =>
            array (
              0 => '127.0.0.1',
              1 => '::1',
              2 => '10.0.0.0/8',
            ),
        );
    # A value of 1 e.g. will only run these background jobs between 01:00am UTC and 05:00am UTC:
@@ -167,6 +172,17 @@ nextcloud:
        $CONFIG = array (
          'maintenance_window_start' => 1,
        );
    onlyoffice.config.php: |-
      <?php
      $CONFIG = array (
        'onlyoffice' =>
        array (
          'verify_peer_off' => true,
          'allow_local_remote_servers' => true,
          'allow_external_storage' => true,
        ),
      );        
 ingress:
  enabled: false
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -14,6 +14,7 @@ resources:
  - ./storage-limbosolutions-com/pvc.yaml
  - ./mariadb-deploy.yaml
  - ./backups/backup-pbs-cronjob.yaml
  - ./onlyoffice
 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/app/onlyoffice/.env.d/.gitignore
+++ b/deploy/app/onlyoffice/.env.d/.gitignore
@@ -0,0 +1,2 @@
 **
 !.gitignore
--- a/deploy/app/onlyoffice/deployment.yaml
+++ b/deploy/app/onlyoffice/deployment.yaml
@@ -0,0 +1,28 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: onlyoffice
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: onlyoffice
  template:
    metadata:
      labels:
        app: onlyoffice
    spec:
      containers:
        - name: onlyoffice
          image: onlyoffice/documentserver:latest
          ports:
            - containerPort: 80
          env:
            - name: JWT_ENABLED
              value: "true"
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: onlyoffice
                  key: secret
--- a/deploy/app/onlyoffice/kustomization.yaml
+++ b/deploy/app/onlyoffice/kustomization.yaml
@@ -0,0 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 secretGenerator:
  - name: onlyoffice
    envs:
      - ./.env.d/onlyoffice.env
 generatorOptions:
  disableNameSuffixHash: true
 namespace: cloud-limbosolutions-com
 resources:
  - ./deployment.yaml
  - ./service.yaml
  - ./pvc.yaml
--- a/deploy/app/onlyoffice/service.yaml
+++ b/deploy/app/onlyoffice/service.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: onlyoffice
 spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: onlyoffice
--- a/deploy/infra/ingress.yaml
+++ b/deploy/infra/ingress.yaml
@@ -5,11 +5,10 @@ metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure, public-https
 spec:
  entryPoints:
    - websecure
-
+    - public-https
  tls:
    secretName: cloud-limbosolutions-com-tls
    domains:
@@ -34,7 +33,7 @@ spec:
          port: 8080
      middlewares:
        - name: rate-limit
-        - name: security-headers
+        - name: nextcloud-security-headers
    # 2) WEBDAV / SYNC CLIENTS (NO SSO)
    - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`))
@@ -56,7 +55,7 @@ spec:
          # middleware managed by icarus
         - name: authentik-forward-auth
           namespace: kube-system
-         - name: security-headers
+         - name: nextcloud-security-headers
         - name: rate-limit
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
@@ -6,5 +6,7 @@ resources:
  - middlewares.yaml
  - ingress.yaml
  - storage-limbosolutions-com/pv.yaml
  - ./onlyoffice/ingress.yaml
  - ./onlyoffice/middlewares.yaml
 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/infra/middlewares.yaml
+++ b/deploy/infra/middlewares.yaml
@@ -25,7 +25,7 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: security-headers
+  name: nextcloud-security-headers
 spec:
  headers:
    stsSeconds: 31536000
@@ -38,4 +38,6 @@ spec:
    customResponseHeaders:
      X-Content-Type-Options: "nosniff"
      X-Frame-Options: "DENY"
-      X-XSS-Protection: "1; mode=block"
+      X-XSS-Protection: "1; mode=block"
--- a/deploy/infra/onlyoffice/ingress.yaml
+++ b/deploy/infra/onlyoffice/ingress.yaml
@@ -0,0 +1,24 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: office-limbosolutions-com
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
 spec:
  entryPoints:
    - websecure
    - public-https
  routes:
    - match: Host(`office.limbosolutions.com`)
      kind: Rule
      services:
        - name: onlyoffice
          port: 80
      middlewares:
          - name: onlyoffice-headers
          - name: onlyoffice-security-headers
          - name: rate-limit
  tls:
    secretName: office-limbosolutions-com-tls
--- a/deploy/infra/onlyoffice/middlewares.yaml
+++ b/deploy/infra/onlyoffice/middlewares.yaml
@@ -0,0 +1,31 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: onlyoffice-security-headers
 spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    browserXssFilter: true
    contentTypeNosniff: true
    referrerPolicy: "no-referrer"
    customResponseHeaders:
      X-Content-Type-Options: "nosniff"
      X-XSS-Protection: "1; mode=block"
      X-Frame-Options: "ALLOW-FROM https://cloud.limbosolutions.com"
      Content-Security-Policy: "frame-ancestors https://cloud.limbosolutions.com"
 ---
 # required because of only office, iframes being generated with http
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: onlyoffice-headers
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      X-Forwarded-Ssl: "on"
      X-Forwarded-Port: "443"