add middlewares (source nginx template on source helm values), and default_phone_region

deploy/app/helm-values.yaml

@@ -84,10 +84,6 @@ resources:
 cronjob:
   enabled: true
 
-      # openssl.cafile = /etc/ssl/certs/ca-certificates.crt
-      #openssl.capath = /etc/ssl/certs
-
-
 nextcloud:
 
   extraInitContainers: 
@@ -191,17 +187,16 @@ nextcloud:
         mountPath: /mnt/shared/NerdStuff
 
   configs:
-    # appstore.override.config.php: |-
-    #   <?php
-    #   $CONFIG = array (
-    #     'appstoreenabled' => true,
-    #     'appstoreurl' => 'https://apps.nextcloud.com/api/v1',
-    #   );
     global.config.php: |-
      <?php
         $CONFIG = array (
-          'allow_local_remote_servers' => true
+          'allow_local_remote_servers' => true,
         );
+    phone.config.php: |-
+      <?php
+      $CONFIG = array (
+        'default_phone_region' => 'PT',
+      );
 
     https.config.php: |-
       <?php
@@ -228,7 +223,7 @@ nextcloud:
     onlyoffice.config.php: |-
       <?php
       $CONFIG = array (
-        'onlyoffice' =>
+       'onlyoffice' =>
         array (
           'verify_peer_off' => true,
           'allow_local_remote_servers' => true,

deploy/infra/ingress-web-public.yaml

@@ -25,7 +25,6 @@ spec:
           - name: nextcloud-security-headers
           - name: rate-limit
 
-
     # PUBLIC SHARES (NO SSO)
     - match: Host(`cloud.limbosolutions.com`) &&
             (PathPrefix(`/s/`) ||
@@ -39,6 +38,7 @@ spec:
       middlewares:
         - name: rate-limit
         - name: nextcloud-security-headers
+        - name: nextcloud-deny-paths
 
     # Sync clients + mobile app (no SSO)
     - match: Host(`cloud.limbosolutions.com`) &&
@@ -58,6 +58,8 @@ spec:
       middlewares:
         - name: webdav-strip-auth
         - name: rate-limit
+        - name: nextcloud-deny-paths
+        - name: nextcloud-dav
 
     # 3) EVERYTHING ELSE (SSO REQUIRED)
     - match: Host(`cloud.limbosolutions.com`)
@@ -69,7 +71,9 @@ spec:
         # - name: authentik-forward-auth
          - name: nextcloud-security-headers
          - name: rate-limit
-
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
 
 
 

deploy/infra/ingress-web.yaml

@@ -22,6 +22,8 @@ spec:
       middlewares:
          - name: nextcloud-security-headers
          - name: rate-limit
-
+         - name: nextcloud-deny-paths
-
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
 

deploy/infra/middlewares.yaml

@@ -36,6 +36,7 @@ spec:
     stsIncludeSubdomains: true
     stsPreload: true
     customResponseHeaders:
+      X-Powered-By: ""
       X-Content-Type-Options: "nosniff"
       X-Frame-Options: "SAMEORIGIN"
       X-XSS-Protection: "1; mode=block"
@@ -64,3 +65,58 @@ spec:
       - X-authentik-meta-app
       - X-authentik-meta-version
 ---
+
+
+piVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-deny-paths
+spec:
+  redirectRegex:
+    regex: "^/(build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console)"
+    replacement: "/"
+    permanent: false
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-dav
+spec:
+  redirectRegex:
+    regex: "^/.well-known/(carddav|caldav)$"
+    replacement: "/remote.php/dav"
+    permanent: true
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-wellknown
+spec:
+  redirectRegex:
+    regex: "^/.well-known/(webfinger|nodeinfo)$"
+    replacement: "/index.php/.well-known/${1}"
+    permanent: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-hostmeta
+spec:
+  redirectRegex:
+    regex: "^/.well-known/host-meta$"
+    replacement: "/public.php?service=host-meta"
+    permanent: true
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-hostmeta-json
+spec:
+  redirectRegex:
+    regex: "^/.well-known/host-meta.json$"
+    replacement: "/public.php?service=host-meta-json"
+    permanent: true