diff --git a/deploy/app/helm-values.yaml b/deploy/app/helm-values.yaml
index 36102d2..7e7203d 100644
--- a/deploy/app/helm-values.yaml
+++ b/deploy/app/helm-values.yaml
@@ -84,10 +84,6 @@ resources: cronjob: enabled: true - # openssl.cafile = /etc/ssl/certs/ca-certificates.crt - #openssl.capath = /etc/ssl/certs - - nextcloud: extraInitContainers:
@@ -191,17 +187,16 @@ nextcloud: mountPath: /mnt/shared/NerdStuff configs: - # appstore.override.config.php: |- - # true, - # 'appstoreurl' => 'https://apps.nextcloud.com/api/v1', - # ); global.config.php: |- true + 'allow_local_remote_servers' => true, ); + phone.config.php: |- + 'PT', + ); https.config.php: |- + 'onlyoffice' => array ( 'verify_peer_off' => true, 'allow_local_remote_servers' => true,
diff --git a/deploy/infra/ingress-web-public.yaml b/deploy/infra/ingress-web-public.yaml
index 3e96aca..bb05400 100644
--- a/deploy/infra/ingress-web-public.yaml
+++ b/deploy/infra/ingress-web-public.yaml
@@ -25,7 +25,6 @@ spec: - name: nextcloud-security-headers - name: rate-limit - # PUBLIC SHARES (NO SSO) - match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) ||
@@ -39,6 +38,7 @@ spec: middlewares: - name: rate-limit - name: nextcloud-security-headers + - name: nextcloud-deny-paths # Sync clients + mobile app (no SSO) - match: Host(`cloud.limbosolutions.com`) &&
@@ -58,6 +58,8 @@ spec: middlewares: - name: webdav-strip-auth - name: rate-limit + - name: nextcloud-deny-paths + - name: nextcloud-dav # 3) EVERYTHING ELSE (SSO REQUIRED) - match: Host(`cloud.limbosolutions.com`)
@@ -69,7 +71,9 @@ spec: # - name: authentik-forward-auth - name: nextcloud-security-headers - name: rate-limit - + - name: nextcloud-deny-paths + - name: nextcloud-wellknown + - name: nextcloud-hostmeta
diff --git a/deploy/infra/ingress-web.yaml b/deploy/infra/ingress-web.yaml
index efe005e..037c1ff 100644
--- a/deploy/infra/ingress-web.yaml
+++ b/deploy/infra/ingress-web.yaml
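Review bot: In the `@@ -191,17 +187,16 @@` hunk of deploy/app/helm-values.yaml, the added `'allow_local_remote_servers' => true` in `global.config.php` lifts Nextcloud's block on server-side requests to local and private addresses for the whole instance, which widens SSRF exposure on a host that also serves public share links without SSO. The new `'onlyoffice' => array (` wrapper now sits around the existing `'verify_peer_off' => true`, which presumably makes the connector actually read it and so disables TLS certificate checks toward the document server. If both are needed only to reach an in-cluster ONLYOFFICE, record that next to the keys, for example `// needed for in-cluster ONLYOFFICE only; drop once the internal CA is trusted`, and prefer mounting the CA over `verify_peer_off`. The PHP array openers are missing from the extracted hunk and the `https.config.php` block continues past it, so this rests on the visible keys only.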
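Review bot: The catch-all route in the `@@ -69,7 +71,9 @@` hunk of deploy/infra/ingress-web-public.yaml gets `nextcloud-deny-paths`, `nextcloud-wellknown` and `nextcloud-hostmeta` but not `nextcloud-dav`, and `nextcloud-hostmeta-json` is defined in middlewares.yaml yet referenced by no route in this change (the ingress-web.yaml hunk omits it too). Unless `/.well-known/carddav` and `/.well-known/caldav` are matched by the sync-client route, whose rule is outside the hunk, those requests will not be redirected here; adding `- name: nextcloud-dav` and `- name: nextcloud-hostmeta-json` would keep the lists in step. The context line `# - name: authentik-forward-auth` also shows forward auth commented out on a route labelled SSO REQUIRED, so a short comment saying where SSO is enforced instead would help the next reader.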
@@ -22,6 +22,8 @@ spec: middlewares: - name: nextcloud-security-headers - name: rate-limit - - + - name: nextcloud-deny-paths + - name: nextcloud-wellknown + - name: nextcloud-hostmeta + - name: nextcloud-dav
diff --git a/deploy/infra/middlewares.yaml b/deploy/infra/middlewares.yaml
index 74d2eee..85a10d8 100644
--- a/deploy/infra/middlewares.yaml
+++ b/deploy/infra/middlewares.yaml
@@ -36,6 +36,7 @@ spec:
 stsIncludeSubdomains: true
 stsPreload: true
 customResponseHeaders:
+ X-Powered-By: ""
 X-Content-Type-Options: "nosniff"
 X-Frame-Options: "SAMEORIGIN"
 X-XSS-Protection: "1; mode=block"
@@ -63,4 +64,59 @@ spec:
 - X-authentik-meta-provider
 - X-authentik-meta-app
 - X-authentik-meta-version
----
\ No newline at end of file
+---
+
+
+piVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: nextcloud-deny-paths
+spec:
+ redirectRegex:
+ regex: "^/(build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console)"
+ replacement: "/"
+ permanent: false
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: nextcloud-dav
+spec:
+ redirectRegex:
+ regex: "^/.well-known/(carddav|caldav)$"
+ replacement: "/remote.php/dav"
+ permanent: true
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: nextcloud-wellknown
+spec:
+ redirectRegex:
+ regex: "^/.well-known/(webfinger|nodeinfo)$"
+ replacement: "/index.php/.well-known/${1}"
+ permanent: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: nextcloud-hostmeta
+spec:
+ redirectRegex:
+ regex: "^/.well-known/host-meta$"
+ replacement: "/public.php?service=host-meta"
+ permanent: true
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: nextcloud-hostmeta-json
+spec:
+ redirectRegex:
+ regex: "^/.well-known/host-meta.json$"
+ replacement: "/public.php?service=host-meta-json"
+ permanent: true
\ No newline at end of file
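Review bot: In the `@@ -63,4 +64,59 @@` hunk of deploy/infra/middlewares.yaml the first new manifest starts with `piVersion:` instead of `apiVersion:`, so `nextcloud-deny-paths` should fail validation and every route that lists it would reference a missing middleware. Separately, Traefik's `redirectRegex` is evaluated against the full request URL (scheme and host included), so all five patterns anchored with `^/` are unlikely ever to match, which would leave the deny list and the `.well-known` redirects inert. The excerpt that follows shows the corrected key and origin-anchored patterns; the deny pattern also consumes the rest of the URL so the unmatched tail is not appended to the redirect target, and the dots in `.well-known` and `host-meta.json` are escaped. A redirect to `/` remains a soft control, so the application-level protections for `config` and `data` should stay in place.

```yaml
apiVersion: traefik.io/v1alpha1
# … unchanged: kind, metadata (nextcloud-deny-paths) …
spec:
  redirectRegex:
    # match the whole URL and consume the tail so nothing is appended to the target
    regex: '^(https?://[^/]+)/(build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console).*$'
    replacement: '${1}/'
    # … unchanged: permanent …
# nextcloud-dav
    regex: '^(https?://[^/]+)/\.well-known/(carddav|caldav)$'
    replacement: '${1}/remote.php/dav'
# nextcloud-wellknown
    regex: '^(https?://[^/]+)/\.well-known/(webfinger|nodeinfo)$'
    replacement: '${1}/index.php/.well-known/${2}'
# … nextcloud-hostmeta and nextcloud-hostmeta-json: same origin capture, dots escaped …
```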