marcio.fernandes/nextcloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

public egress and internal one
All checks were successful
/ continuous-deploy (push) Successful in 22s
Details

Browse Source
This commit is contained in:
Márcio Fernandes
2026-04-12 13:02:57 +00:00
parent a9e368beb1
commit ac0d92654a
4 changed files with 116 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
deploy/infra/ingress-web-public.yaml Normal file
View File

@@ -0,0 +1,72 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nextcloud-web-public
annotations:
kubernetes.io/ingress.class: traefik-public
spec:
entryPoints:
- websecure
tls:
secretName: cloud-limbosolutions-com-tls
domains:
- main: cloud.limbosolutions.com
routes:
# AUTHENTIK OUTPOST
- match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`)
kind: Rule
services:
- name: ak-outpost-authentik-embedded-outpost
namespace: id-limbosolutions-com
port: 9000
# PUBLIC SHARES (NO SSO)
- match: Host(`cloud.limbosolutions.com`) &&
(PathPrefix(`/s/`) ||
PathPrefix(`/index.php/s/`) ||
PathPrefix(`/public.php/`) ||
PathPrefix(`/remote.php/dav/public-files/`))
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares:
- name: rate-limit
- name: nextcloud-security-headers
# Sync clients + mobile app (no SSO)
- match: Host(`cloud.limbosolutions.com`) &&
(PathPrefix(`/remote.php/dav`) ||
PathPrefix(`/remote.php/webdav`) ||
PathPrefix(`/remote.php/caldav`) ||
PathPrefix(`/remote.php/carddav`) ||
PathPrefix(`/ocs/v1.php`) ||
PathPrefix(`/ocs/v2.php`) ||
PathPrefix(`/status.php`) ||
PathPrefix(`/index.php/login/v2`) ||
PathPrefix(`/index.php/login/v2/poll`))
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares:
- name: webdav-strip-auth
- name: rate-limit
# 3) EVERYTHING ELSE (SSO REQUIRED)
- match: Host(`cloud.limbosolutions.com`)
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares:
- name: authentik-forward-auth
- name: nextcloud-security-headers
- name: rate-limit

29
deploy/infra/ingress.yaml → deploy/infra/ingress-web.yaml
View File

@@ -1,14 +1,13 @@
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: cloud-limbosolutions-com name: nextcloud-web
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: traefik
spec: spec:
entryPoints: entryPoints:
- websecure - websecure
- public-https
tls: tls:
secretName: cloud-limbosolutions-com-tls secretName: cloud-limbosolutions-com-tls
domains: domains:
@@ -25,8 +24,12 @@ spec:
port: 9000 port: 9000
# 1) PUBLIC SHARES (NO SSO) # PUBLIC SHARES (NO SSO)
- match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/s/`) || PathPrefix(`/index.php/s/`) || PathPrefix(`/public.php/`) || PathPrefix(`/remote.php/dav/public-files/`)) - match: Host(`cloud.limbosolutions.com`) &&
(PathPrefix(`/s/`) ||
PathPrefix(`/index.php/s/`) ||
PathPrefix(`/public.php/`) ||
PathPrefix(`/remote.php/dav/public-files/`))
kind: Rule kind: Rule
services: services:
- name: nextcloud - name: nextcloud
@@ -35,8 +38,17 @@ spec:
- name: rate-limit - name: rate-limit
- name: nextcloud-security-headers - name: nextcloud-security-headers
# 2) WEBDAV / SYNC CLIENTS (NO SSO) # Sync clients + mobile app (no SSO)
- match: Host(`cloud.limbosolutions.com`) && (PathPrefix(`/remote.php/dav`) || PathPrefix(`/remote.php/webdav`) || PathPrefix(`/remote.php/caldav`) || PathPrefix(`/remote.php/carddav`)) - match: Host(`cloud.limbosolutions.com`) &&
(PathPrefix(`/remote.php/dav`) ||
PathPrefix(`/remote.php/webdav`) ||
PathPrefix(`/remote.php/caldav`) ||
PathPrefix(`/remote.php/carddav`) ||
PathPrefix(`/ocs/v1.php`) ||
PathPrefix(`/ocs/v2.php`) ||
PathPrefix(`/status.php`) ||
PathPrefix(`/index.php/login/v2`) ||
PathPrefix(`/index.php/login/v2/poll`))
kind: Rule kind: Rule
services: services:
- name: nextcloud - name: nextcloud
@@ -52,12 +64,9 @@ spec:
- name: nextcloud - name: nextcloud
port: 8080 port: 8080
middlewares: middlewares:
# middleware managed by icarus #- name: authentik-forward-auth
- name: authentik-forward-auth
namespace: traefik-common
- name: nextcloud-security-headers - name: nextcloud-security-headers
- name: rate-limit - name: rate-limit

3
deploy/infra/kustomization.yaml
View File

@@ -4,7 +4,8 @@ resources:
- namespace.yaml - namespace.yaml
- cd-serviceaccount.yaml - cd-serviceaccount.yaml
- middlewares.yaml - middlewares.yaml
- ingress.yaml - ingress-web.yaml
- ingress-web-public.yaml
- storage-limbosolutions-com/pv.yaml - storage-limbosolutions-com/pv.yaml
- ./onlyoffice/ingress.yaml - ./onlyoffice/ingress.yaml
- ./onlyoffice/middlewares.yaml - ./onlyoffice/middlewares.yaml

23
deploy/infra/middlewares.yaml
View File

@@ -40,4 +40,27 @@ spec:
X-Frame-Options: "DENY" X-Frame-Options: "DENY"
X-XSS-Protection: "1; mode=block" X-XSS-Protection: "1; mode=block"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-forward-auth
spec:
forwardAuth:
address: "http://ak-outpost-authentik-embedded-outpost.id-limbosolutions-com.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
---