diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 665e7f0..7d9acc7 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -17,7 +17,6 @@
 "ms-kubernetes-tools.vscode-kubernetes-tools",
 "redhat.ansible",
 "mtxr.sqltools-driver-mysql",
- "stateful.runme",
 "yzhang.markdown-all-in-one",
 "davidanson.vscode-markdownlint",
 "eamodio.gitlens",
@@ -28,7 +27,10 @@
 "eamodio.gitlens",
 "shd101wyy.markdown-preview-enhanced",
 "bierner.markdown-mermaid",
- "bierner.markdown-preview-github-styles"
+ "bierner.markdown-preview-github-styles",
+ "sycl.markdown-command-runner",
+ "jeepshen.vscode-markdown-code-runner",
+ "batyan-soft.fast-tasks"
 ]
 }
 }
diff --git a/.gitea/workflows/app-continuous-deploy.yaml b/.gitea/workflows/app-continuous-deploy.yaml
index 75957b0..fd5affb 100644
--- a/.gitea/workflows/app-continuous-deploy.yaml
+++ b/.gitea/workflows/app-continuous-deploy.yaml
@@ -35,6 +35,7 @@ jobs:
 - name: Deploy
 shell: bash
 env:
+ # used by kustomization requires env files
 MARIADB_USER: ${{ secrets.MARIADB_USER }}
 MARIADB_PASSWORD: ${{ secrets.MARIADB_PASSWORD }}
 MARIADB_ROOT_PASSWORD: ${{ secrets.MARIADB_ROOT_PASSWORD }}
@@ -42,6 +43,8 @@ jobs:
 PBS_REPOSITORY: ${{ secrets.PBS_REPOSITORY }}
 PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
 PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
+ ONLYOFFICE_SECRET: ${{ secrets.ONLYOFFICE_SECRET }}
+ # used only on helm set values - only required as environment variables
 NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
 NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
@@ -51,23 +54,27 @@ jobs:
 set -euo pipefail
 # ensure cleanup always runs
- trap 'rm -f \
- deploy/app/.env.d/*' EXIT
+ trap '
+ [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
+ [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
+ ' EXIT
 # setup secrets files
- echo "MARIADB_USER=${MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
- echo "MARIADB_PASSWORD=${MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
- echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
- echo "MARIADB_DATABASE=${MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env
+ echo "MARIADB_USER=${MARIADB_USER:?Missing MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
+ echo "MARIADB_PASSWORD=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
+ echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD:?Missing MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
+ echo "MARIADB_DATABASE=${MARIADB_DATABASE:?Missing MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env
- echo "PBS_REPOSITORY=${PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
- echo "PBS_PASSWORD=${PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
- echo "PBS_FINGERPRINT=${PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env
+ echo "PBS_REPOSITORY=${PBS_REPOSITORY:?Missing PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
+ echo "PBS_PASSWORD=${PBS_PASSWORD:?Missing PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
+ echo "PBS_FINGERPRINT=${PBS_FINGERPRINT:?Missing PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env
+ echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
 # enforce secrets files security
 chmod 600 deploy/app/.env.d/*
-
+ chmod 600 deploy/app/onlyoffice/.env.d/*
+
 # invoke deploy script
 ops-scripts/apply-app.sh
diff --git a/.vscode/settings.json b/.vscode/settings.json
index c8ad961..47499bf 100644
--- a/.vscode/settings.json
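Review bot: The env files written by the `echo ... >>` lines, including the new `deploy/app/onlyoffice/.env.d/onlyoffice.env`, are created under the runner's default umask and only tightened afterwards by the two `chmod 600` lines, so the plaintext credentials sit world-readable on the runner filesystem for a moment and any failure between the writes and the chmod leaves them that way until the trap fires. Adding `umask 077` directly after `set -euo pipefail` makes every file 0600 from creation and turns the chmods into a second line of defence. The `>>` append also means a file that survives from a run killed before its trap ran accumulates duplicate keys; using `>` for the first write of each file avoids that. The `run:` block this belongs to starts outside the hunk.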
+++ b/.vscode/settings.json
@@ -1,6 +1,7 @@
 {
 "cSpell.words": [
 "authentik",
+ "documentserver",
 "onlyoffice"
 ]
 }
\ No newline at end of file
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
new file mode 100644
index 0000000..8f5e839
--- /dev/null
+++ b/.vscode/tasks.json
@@ -0,0 +1,19 @@
+{
+ // See https://go.microsoft.com/fwlink/?LinkId=733558
+ // for the documentation about the tasks.json format
+ "version": "2.0.0",
+ "tasks": [
+ {
+ "label": "Apply Infra",
+ "type": "shell",
+ "command": "./ops-scripts/apply-infra.sh",
+ "problemMatcher": [],
+ },
+ {
+ "label": "Apply App",
+ "type": "shell",
+ "command": "./ops-scripts/apply-app.sh",
+ "problemMatcher": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index e572fab..4dce4ca 100644
--- a/README.md
+++ b/README.md
@@ -117,7 +117,6 @@ su -s /bin/bash www-data -c "php occ files:scan-app-data" ### Mimetype migrations available - ```bash # Rebuild appdata and caches
@@ -139,8 +138,12 @@ su -s /bin/bash www-data -c "php occ maintenance:repair --include-expensive" This script is intended to be executed only by low‑privilege deployment identities, such as the **continuous‑deploy** ServiceAccount or an application maintainer with equivalent permissions. +Can be executed in VS Code using the “Apply App” task. + ```bash +#!/bin/bash ./ops-scripts/apply-app.sh + ``` **Responsibilities:**
@@ -158,6 +161,7 @@ This script is intended to be executed only by low‑privilege deployment identi **Security context:** This script requires elevated cluster‑level permissions and must be executed only by platform maintainers, not by the continuous‑deploy identity. +Can be executed in VS Code using the “Apply Infra” task. ```bash ./ops-scripts/apply-infra.sh
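Review bot: The first task in `.vscode/tasks.json` ends with `"problemMatcher": [],` (trailing comma) while the second uses `"problemMatcher": []`; VS Code's JSONC reader accepts both, but any strict JSON tool fed this file will reject the first, and the two entries should be written the same way. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows. Since the README in this commit says `apply-infra.sh` needs cluster-level permissions and is for platform maintainers only, the `"Apply Infra"` task would benefit from a `"detail"` entry restating that, e.g. `"detail": "platform maintainers only: requires cluster-level permissions"`, so the quick-pick shows the caveat before someone runs it.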
@@ -178,6 +182,7 @@ This script requires elevated cluster‑level permissions and must be executed o kubectl exec -it nextcloud-mariadb-0 -- mariadb -u nextcloud -h nextcloud-mariadb.cloud-limbosolutions-com.svc.cluster.local -p ``` + **Restore database:** ``` bash
diff --git a/deploy/app/kustomization.yaml b/deploy/app/kustomization.yaml
index 1b0705e..c7e6021 100644
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -14,7 +14,7 @@ resources:
 - ./storage-limbosolutions-com/pvc.yaml
 - ./mariadb-deploy.yaml
 - ./backups/backup-pbs-cronjob.yaml
- # - ./onlyoffice - enable to execute manually, required cicd revision to be enable by default
+ - ./onlyoffice
 generatorOptions:
 disableNameSuffixHash: true
diff --git a/deploy/app/onlyoffice/deployment.yaml b/deploy/app/onlyoffice/deployment.yaml
index 3473b9e..c2eadba 100644
--- a/deploy/app/onlyoffice/deployment.yaml
+++ b/deploy/app/onlyoffice/deployment.yaml
@@ -26,3 +26,25 @@ spec:
 secretKeyRef:
 name: onlyoffice
 key: secret
+
+ resources:
+ limits:
+ memory: "2048Mi"
+ cpu: "1000m"
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+
+ volumeMounts:
+ - name: onlyoffice-data
+ mountPath: /var/www/onlyoffice/Data
+ - name: onlyoffice-logs
+ mountPath: /var/log/onlyoffice
+
+ volumes:
+ - name: onlyoffice-data
+ persistentVolumeClaim:
+ claimName: onlyoffice-data
+ - name: onlyoffice-logs
+ persistentVolumeClaim:
+ claimName: onlyoffice-logs
diff --git a/deploy/app/onlyoffice/kustomization.yaml b/deploy/app/onlyoffice/kustomization.yaml
index 29b5942..4fbb15a 100644
--- a/deploy/app/onlyoffice/kustomization.yaml
+++ b/deploy/app/onlyoffice/kustomization.yaml
@@ -6,7 +6,6 @@ secretGenerator:
 envs:
 - ./.env.d/onlyoffice.env
-
 generatorOptions:
 disableNameSuffixHash: true
 namespace: cloud-limbosolutions-com
@@ -14,3 +13,4 @@ namespace: cloud-limbosolutions-com
 resources:
 - ./deployment.yaml
 - ./service.yaml
+ - ./pvc.yaml
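Review bot: The `volumes:` added at the end of the deployment.yaml hunk bind this Deployment to two PersistentVolumeClaims that `deploy/app/onlyoffice/pvc.yaml` in the same commit declares with `accessModes: [ReadWriteOnce]`; unless the spec above the hunk sets `strategy: {type: Recreate}`, the default RollingUpdate starts the replacement pod while the old one still holds the volumes, and the rollout can hang on a multi-attach error whenever the two pods are scheduled to different nodes. Either add `strategy: {type: Recreate}` to the Deployment spec (outside this hunk) or put a comment next to `volumes:` recording that both claims are RWO and the workload must stay single-replica. The PVCs also omit `storageClassName`, so they rely silently on the cluster's default class; pinning it, or a comment noting the reliance, would make the manifest self-describing. The container spec begins outside the hunk, so `replicas` and `securityContext` cannot be checked here.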
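Review bot: With `disableNameSuffixHash: true` retained as context in the first onlyoffice/kustomization.yaml hunk, the `onlyoffice` Secret generated from `./.env.d/onlyoffice.env` keeps a fixed name, so when CI rotates `ONLYOFFICE_SECRET` the Secret is rewritten in place but the Deployment that reads it through `secretKeyRef` is not rolled out and keeps serving the old value until its pod restarts. A comment above the option, such as `# fixed secret name: rotating the value does not restart the deployment, roll it out manually`, would record that, and dropping the option would let kustomize append a content hash and rewrite the reference so each rotation triggers a rollout. The same option appears in `deploy/app/kustomization.yaml` and the note applies there too.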
diff --git a/deploy/app/onlyoffice/pvc.yaml b/deploy/app/onlyoffice/pvc.yaml
new file mode 100644
index 0000000..cc6d7b4
--- /dev/null
+++ b/deploy/app/onlyoffice/pvc.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: onlyoffice-data
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 8Gi
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: onlyoffice-logs
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
diff --git a/deploy/infra/ingress.yaml b/deploy/infra/ingress.yaml
index 96b26eb..0395124 100644
--- a/deploy/infra/ingress.yaml
+++ b/deploy/infra/ingress.yaml
@@ -54,7 +54,7 @@ spec:
 middlewares:
 # middleware managed by icarus
 - name: authentik-forward-auth
- namespace: kube-system
+ namespace: traefik-common
 - name: nextcloud-security-headers
 - name: rate-limit
diff --git a/ops-scripts/apply-app.sh b/ops-scripts/apply-app.sh
index 9d40e2d..78371d3 100755
--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-echo "Executing app deploy."
+echo "Executing nextcloud app deploy."
 kubectl kustomize deploy/app | kubectl apply -f -
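Review bot: The middleware reference `authentik-forward-auth` in the ingress.yaml hunk now targets namespace `traefik-common`, a cross-namespace reference that Traefik's Kubernetes CRD provider only resolves when `allowCrossNamespace` is enabled on it, and nothing in this commit verifies that the middleware exists under the new name. When a referenced middleware cannot be resolved Traefik refuses to create the router, so the likely failure mode is the host going dark rather than being served without forward auth, but that still deserves a check before `apply-infra.sh` runs, e.g. `kubectl -n traefik-common get middleware authentik-forward-auth`. A comment on the `namespace:` line, such as `# cross-namespace reference: needs allowCrossNamespace on the traefik CRD provider`, would record the dependency next to the existing "managed by icarus" note.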
@@ -21,15 +21,14 @@ helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
 load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
 load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
-
 helm upgrade --install nextcloud nextcloud/nextcloud \
 --values ./deploy/app/helm-values.yaml \
- --set externalDatabase.user=${MARIADB_USER} \
- --set externalDatabase.password=${MARIADB_PASSWORD} \
- --set externalDatabase.database=${MARIADB_DATABASE} \
- --set nextcloud.host=${NEXTCLOUD_HOST} \
- --set nextcloud.username=${NEXTCLOUD_USERNAME} \
- --set nextcloud.password=${NEXTCLOUD_PASSWORD} \
+ --set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
+ --set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
+ --set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
+ --set nextcloud.host=${NEXTCLOUD_HOST:?Missing NEXTCLOUD_HOST} \
+ --set nextcloud.username=${NEXTCLOUD_USERNAME:?Missing NEXTCLOUD_USERNAME} \
+ --set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
 --namespace cloud-limbosolutions-com
\ No newline at end of file
diff --git a/ops-scripts/apply-infra.sh b/ops-scripts/apply-infra.sh
index 91c06ec..0412589 100755
--- a/ops-scripts/apply-infra.sh
+++ b/ops-scripts/apply-infra.sh
@@ -3,5 +3,3 @@ set -e
 echo "Executing infra deploy."
 kubectl kustomize deploy/infra | kubectl -n cloud-limbosolutions-com apply -f -
-
-
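Review bot: The `--set externalDatabase.password=${MARIADB_PASSWORD:?…}` and `--set nextcloud.password=${NEXTCLOUD_PASSWORD:?…}` lines put secrets into helm's argv, where any process on the same host can read them from `ps` or `/proc/*/cmdline`, and the script is now also launched locally through the new "Apply App" VS Code task; the `:?` guards are a good addition but do not change that. The expansions are also unquoted, so a password containing whitespace or glob characters is split into several arguments, and helm's `--set` parser treats `,` and `\` specially. Quoting is the minimal fix, `--set "externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD}" \`; the better one is to write the secret-bearing keys into a temporary values file (0600, removed on exit) passed via `--values`, or to use `--set-file` for them, so the values never appear on the command line. `load_env_file` and the rest of the script sit outside the hunk.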