add dashboard and redis

2026-04-18 19:22:54 +00:00
parent 405763f158
commit a3b1c230c6
18 changed files with 251 additions and 10 deletions
--- a/.gitea/workflows/app-continuous-deploy.yaml
+++ b/.gitea/workflows/app-continuous-deploy.yaml
@@ -44,11 +44,13 @@ jobs:
          PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
          PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
          ONLYOFFICE_SECRET:  ${{ secrets.ONLYOFFICE_SECRET }}
+          WHITEBOARD_JWT_SECRET_KEY: ${{ secrets.WHITEBOARD_JWT_SECRET_KEY }}

          # used only on helm set values - only required as environment variables
          NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
          NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
          NEXTCLOUD_PASSWORD: ${{ secrets.NEXTCLOUD_PASSWORD }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}

        run: |
          set -euo pipefail
@@ -57,6 +59,7 @@ jobs:
          trap '
          [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
          [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
+          [ -d deploy/app/whiteboard/.env.d ] && rm -rf deploy/app/whiteboard/.env.d/*;
          ' EXIT

          # setup secrets files
@@ -72,9 +75,12 @@ jobs:

          echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
          
+          echo "JWT_SECRET_KEY=${WHITEBOARD_JWT_SECRET_KEY:?Missing WHITEBOARD_JWT_SECRET_KEY}" >> deploy/app/whiteboard/.env.d/whiteboard.env
+
          # enforce secrets files security
          chmod 600 deploy/app/.env.d/*
          chmod 600 deploy/app/onlyoffice/.env.d/*
+          chmod 600 deploy/app/whiteboard/.env.d/*  
          
          # invoke deploy script
          ops-scripts/apply-app.sh
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,7 +1,11 @@
 {
    "cSpell.words": [
        "authentik",
+        "COLLAB",
+        "dbindex",
        "documentserver",
-        "onlyoffice"
+        "onlyoffice",
+        "overwritehost",
+        "overwriteprotocol"
    ]
 }
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ Using [NextCloud](https://nextcloud.com/)

 - [Integrations](#integrations)
  - [OAuth2/OpenID Provider](#oauth2openid-provider)
+  - [whiteboard](#whiteboard)
 - [cli](#cli)
  - [maintenance mode](#maintenance-mode)
  - [scan files](#scan-files)
@@ -20,6 +21,7 @@ Using [NextCloud](https://nextcloud.com/)
 - [Setup and Deploy](#setup-and-deploy)
  - [App](#app)
  - [Infra](#infra)
+- [internal logs](#internal-logs)
 - [Database](#database)

 ## Integrations
@@ -30,6 +32,13 @@ Using [NextCloud](https://nextcloud.com/)
 - <https://github.com/nextcloud/user_oidc>
 - <https://apps.nextcloud.com/apps/user_oidc>

+### whiteboard
+
+``` bash
+php occ config:app:set whiteboard collabBackendUrl --value="https://cloud.limbosolutions.com/whiteboard"
+php occ config:app:set whiteboard jwt_secret_key --value="?????"
+```
+
 ## cli

 ``` bash
@@ -174,6 +183,13 @@ Can be executed in VS Code using the “Apply Infra” task.
 - services accounts:
  - Continuous deploy - Deployment RBAC (ServiceAccount + Role + RoleBinding)

+## internal logs
+
+``` bash
+POD_NAME=$(kubectl get pod -l 'app.kubernetes.io/name'=nextcloud -n cloud-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
+kubectl exec -it ${POD_NAME} -- cat /var/www/html/data/nextcloud.log
+```
+
 ## Database

 **Connect to db:**
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
  - ./mariadb-deploy.yaml
  - ./backups/backup-pbs-cronjob.yaml
  - ./onlyoffice
+  - ./whiteboard

 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/app/nextcloud-helm-values.yaml
+++ b/deploy/app/nextcloud-helm-values.yaml
@@ -6,6 +6,9 @@ image:
  
 replicaCount: 1

+
+
+
 livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 60
@@ -77,6 +80,8 @@ resources:
    cpu: "0.5"
    memory: 512Mi

+redis:
+  enabled: false

 ## Cronjob to execute Nextcloud background tasks
 ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
@@ -85,6 +90,15 @@ cronjob:
  enabled: true

 nextcloud:
+  extraEnv:
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-redis
+          key: redis-password
+
+  defaultConfigs:
+    redis.config.php: false

  extraInitContainers: 
    - name: data-folder-structure-fix
@@ -133,9 +147,8 @@ nextcloud:
  
  phpConfigs:
    php.ini: |-
-      memory_limit = 512M
+      memory_limit = 1024M
  extraVolumes:
-
    - name: mf-documents
      persistentVolumeClaim:
        claimName: mf-documents-limbosolutions-com
@@ -191,6 +204,7 @@ nextcloud:
     <?php
        $CONFIG = array (
          'allow_local_remote_servers' => true,
+          'loglevel' => 1
        );
    phone.config.php: |-
      <?php
@@ -220,6 +234,22 @@ nextcloud:
          'maintenance_window_start' => 1,
        );

+    redis.config.php: |-
+      <?php
+        $CONFIG = array (
+          'memcache.local' => '\OC\Memcache\APCu',
+          'memcache.distributed' => '\OC\Memcache\Redis',
+          'memcache.locking' => '\OC\Memcache\Redis',
+         
+          'redis' => array(
+            'host' => 'nextcloud-redis-master',
+            'port' => 6379,
+            'timeout' => 1.5,
+            'password' => getenv('REDIS_PASSWORD'),
+            'dbindex' => 0,
+          ),
+        );
+
    onlyoffice.config.php: |-
      <?php
      $CONFIG = array (
--- a/deploy/app/redis-helm-values.yaml
+++ b/deploy/app/redis-helm-values.yaml
@@ -0,0 +1,12 @@
+architecture: standalone
+
+auth:
+  enabled: true
+
+
+master:
+  persistence:
+    enabled: false
+
+replica:
+  replicaCount: 0
--- a/deploy/app/whiteboard/.env.d/.gitignore
+++ b/deploy/app/whiteboard/.env.d/.gitignore
@@ -0,0 +1,3 @@
+**
+!*.example
+!.gitignore
--- a/deploy/app/whiteboard/.env.d/whiteboard.env.example
+++ b/deploy/app/whiteboard/.env.d/whiteboard.env.example
@@ -0,0 +1 @@
+JWT_SECRET_KEY= ????
--- a/deploy/app/whiteboard/deployment.yaml
+++ b/deploy/app/whiteboard/deployment.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud-whiteboard
+  labels:
+    app: nextcloud-whiteboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud-whiteboard
+  template:
+    metadata:
+      labels:
+        app: nextcloud-whiteboard
+    spec:
+      containers:
+        - name: whiteboard-ws
+          image: ghcr.io/nextcloud-releases/whiteboard:stable
+          ports:
+            - containerPort: 3002
+          env:
+            - name: NEXTCLOUD_URL
+              value: https://cloud.limbosolutions.com
+            - name: JWT_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: nextcloud-whiteboard
+                  key: JWT_SECRET_KEY
+          resources:
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+ 
--- a/deploy/app/whiteboard/kustomization.yaml
+++ b/deploy/app/whiteboard/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+secretGenerator:
+  - name: nextcloud-whiteboard
+    envs:
+      - ./.env.d/whiteboard.env
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+resources:
+  - ./deployment.yaml
+  - ./service.yaml
--- a/deploy/app/whiteboard/service.yaml
+++ b/deploy/app/whiteboard/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-whiteboard
+spec:
+  selector:
+    app: nextcloud-whiteboard
+  ports:
+    - name: ws
+      port: 3002
+      targetPort: 3002
+  type: ClusterIP
--- a/deploy/infra/ingress-web-public.yaml
+++ b/deploy/infra/ingress-web-public.yaml
@@ -61,6 +61,21 @@ spec:
        - name: nextcloud-deny-paths
        - name: nextcloud-dav

+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard
+    
+    
    # 3) EVERYTHING ELSE (SSO REQUIRED)
    - match: Host(`cloud.limbosolutions.com`)
      kind: Rule
--- a/deploy/infra/ingress-web.yaml
+++ b/deploy/infra/ingress-web.yaml
@@ -27,3 +27,16 @@ spec:
         - name: nextcloud-hostmeta
         - name: nextcloud-dav

+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
@@ -9,5 +9,6 @@ resources:
  - storage-limbosolutions-com/pv.yaml
  - ./onlyoffice/ingress.yaml
  - ./onlyoffice/middlewares.yaml
+  - ./whiteboard/middlewares.yaml
 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/infra/network-policies.yaml
+++ b/deploy/infra/network-policies.yaml
@@ -17,7 +17,7 @@ spec:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-traefik-ingress
+  name: allow-traefik-to-nextcloud-ingress
 spec:
  endpointSelector:
    matchLabels:
@@ -42,3 +42,61 @@ spec:
    
              protocol: TCP

+---
+
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-onlyoffice-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: onlyoffice
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach onlyoffice web port
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "80"
+    
+              protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-whiteboard-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: nextcloud-whiteboard
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach whiteboard ws
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "3002"
+    
+              protocol: TCP
--- a/deploy/infra/onlyoffice/middlewares.yaml
+++ b/deploy/infra/onlyoffice/middlewares.yaml
@@ -29,3 +29,4 @@ spec:
      X-Forwarded-Proto: "https"
      X-Forwarded-Ssl: "on"
      X-Forwarded-Port: "443"
+
--- a/deploy/infra/whiteboard/middlewares.yaml
+++ b/deploy/infra/whiteboard/middlewares.yaml
@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: strip-whiteboard
+spec:
+  stripPrefix:
+    prefixes:
+      - "/whiteboard"
--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 set -e
 echo "Executing nextcloud app deploy."
-
 kubectl kustomize deploy/app | kubectl apply -f -

 load_env_file() {
@@ -17,13 +16,14 @@ load_env_file() {
    fi
 }    

-helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
+#helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update

 load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
 load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
+load_env_file "deploy/app/.env.d/redis.env"
 
-helm upgrade --install nextcloud nextcloud/nextcloud \
- --values ./deploy/app/helm-values.yaml \
+helm upgrade --install nextcloud nextcloud/nextcloud --version "9.0" \
+ --values ./deploy/app/nextcloud-helm-values.yaml \
 --set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
 --set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
 --set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
@@ -32,3 +32,12 @@ helm upgrade --install nextcloud nextcloud/nextcloud \
 --set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
 --namespace cloud-limbosolutions-com

+helm repo add bitnami https://charts.bitnami.com/bitnami
+
+helm upgrade --install nextcloud-redis bitnami/redis --version "25.3" \
+ --values ./deploy/app/redis-helm-values.yaml \
+ --set auth.password="${REDIS_PASSWORD:?Missing REDIS_PASSWORD}" \
+ --namespace cloud-limbosolutions-com
+
+
+