add dashboard and redis

deploy/app/kustomization.yaml

@@ -15,6 +15,7 @@ resources:
   - ./mariadb-deploy.yaml
   - ./backups/backup-pbs-cronjob.yaml
   - ./onlyoffice
+  - ./whiteboard
 
 generatorOptions:
   disableNameSuffixHash: true

deploy/app/nextcloud-helm-values.yaml

@@ -6,6 +6,9 @@ image:
   
 replicaCount: 1
 
+
+
+
 livenessProbe:
   initialDelaySeconds: 60
   periodSeconds: 60
@@ -77,6 +80,8 @@ resources:
     cpu: "0.5"
     memory: 512Mi
 
+redis:
+  enabled: false
 
 ## Cronjob to execute Nextcloud background tasks
 ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
@@ -85,6 +90,15 @@ cronjob:
   enabled: true
 
 nextcloud:
+  extraEnv:
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-redis
+          key: redis-password
+
+  defaultConfigs:
+    redis.config.php: false
 
   extraInitContainers: 
     - name: data-folder-structure-fix
@@ -133,9 +147,8 @@ nextcloud:
   
   phpConfigs:
     php.ini: |-
-      memory_limit = 512M
+      memory_limit = 1024M
   extraVolumes:
-
     - name: mf-documents
       persistentVolumeClaim:
         claimName: mf-documents-limbosolutions-com
@@ -191,6 +204,7 @@ nextcloud:
      <?php
         $CONFIG = array (
           'allow_local_remote_servers' => true,
+          'loglevel' => 1
         );
     phone.config.php: |-
       <?php
@@ -220,6 +234,22 @@ nextcloud:
           'maintenance_window_start' => 1,
         );
 
+    redis.config.php: |-
+      <?php
+        $CONFIG = array (
+          'memcache.local' => '\OC\Memcache\APCu',
+          'memcache.distributed' => '\OC\Memcache\Redis',
+          'memcache.locking' => '\OC\Memcache\Redis',
+         
+          'redis' => array(
+            'host' => 'nextcloud-redis-master',
+            'port' => 6379,
+            'timeout' => 1.5,
+            'password' => getenv('REDIS_PASSWORD'),
+            'dbindex' => 0,
+          ),
+        );
+
     onlyoffice.config.php: |-
       <?php
       $CONFIG = array (

deploy/app/redis-helm-values.yaml

@@ -0,0 +1,12 @@
+architecture: standalone
+
+auth:
+  enabled: true
+
+
+master:
+  persistence:
+    enabled: false
+
+replica:
+  replicaCount: 0

deploy/app/whiteboard/.env.d/.gitignore

@@ -0,0 +1,3 @@
+**
+!*.example
+!.gitignore

deploy/app/whiteboard/.env.d/whiteboard.env.example

@@ -0,0 +1 @@
+JWT_SECRET_KEY= ????

deploy/app/whiteboard/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud-whiteboard
+  labels:
+    app: nextcloud-whiteboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud-whiteboard
+  template:
+    metadata:
+      labels:
+        app: nextcloud-whiteboard
+    spec:
+      containers:
+        - name: whiteboard-ws
+          image: ghcr.io/nextcloud-releases/whiteboard:stable
+          ports:
+            - containerPort: 3002
+          env:
+            - name: NEXTCLOUD_URL
+              value: https://cloud.limbosolutions.com
+            - name: JWT_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-whiteboard
+                  key: JWT_SECRET_KEY
+          resources:
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+ 

deploy/app/whiteboard/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+secretGenerator:
+  - name: nextcloud-whiteboard
+    envs:
+      - ./.env.d/whiteboard.env
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+resources:
+  - ./deployment.yaml
+  - ./service.yaml

deploy/app/whiteboard/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-whiteboard
+spec:
+  selector:
+    app: nextcloud-whiteboard
+  ports:
+    - name: ws
+      port: 3002
+      targetPort: 3002
+  type: ClusterIP

deploy/infra/ingress-web-public.yaml

@@ -61,6 +61,21 @@ spec:
         - name: nextcloud-deny-paths
         - name: nextcloud-dav
 
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard
+    
+    
     # 3) EVERYTHING ELSE (SSO REQUIRED)
     - match: Host(`cloud.limbosolutions.com`)
       kind: Rule

deploy/infra/ingress-web.yaml

@@ -27,3 +27,16 @@ spec:
          - name: nextcloud-hostmeta
          - name: nextcloud-dav
 
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard

deploy/infra/kustomization.yaml

@@ -9,5 +9,6 @@ resources:
   - storage-limbosolutions-com/pv.yaml
   - ./onlyoffice/ingress.yaml
   - ./onlyoffice/middlewares.yaml
+  - ./whiteboard/middlewares.yaml
 generatorOptions:
   disableNameSuffixHash: true

deploy/infra/network-policies.yaml

@@ -17,7 +17,7 @@ spec:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-traefik-ingress
+  name: allow-traefik-to-nextcloud-ingress
 spec:
   endpointSelector:
     matchLabels:
@@ -42,3 +42,61 @@ spec:
     
               protocol: TCP
 
+---
+
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-onlyoffice-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: onlyoffice
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach onlyoffice web port
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "80"
+    
+              protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-whiteboard-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: nextcloud-whiteboard
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach whiteboard ws
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "3002"
+    
+              protocol: TCP

deploy/infra/onlyoffice/middlewares.yaml

@@ -28,4 +28,5 @@ spec:
     customRequestHeaders:
       X-Forwarded-Proto: "https"
       X-Forwarded-Ssl: "on"
-      X-Forwarded-Port: "443"
+      X-Forwarded-Port: "443"
+

deploy/infra/whiteboard/middlewares.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: strip-whiteboard
+spec:
+  stripPrefix:
+    prefixes:
+      - "/whiteboard"